Qubes configuration: Git tracking of ansible/salt recipes in external repository?

[Johannes Graumann]

Gentlepeople,

I have a conceptual question regarding a sensible layout of VMs and
networking in the context of aiming at a qubes instance fully managed
by scripting (salt or ansible, or shell, or ...).

How would you set up a system that a) allows to automatedly configure
qubes from dom0 (or even better a dedicated management VM) and b)
allows for tracking of the scripting infrastructure using git and a
github account (taking care of script integrity using gpg signing)?

Direct network access of dom0 or the dedicated management VM is a bad
idea, so how to solve this? put the git repo on a device shared
temporarily with a dedicated networked VM that is only used for
pushing/pulling?

Thank you for any insight into how to manage such a setup.

Sincerely, Joh

[unman]

Have you looked at
https://www.qubes-os.org/news/2017/06/27/qubes-admin-api ?
It's clearly envisaged there that the management VM could have internet
access.

If you weren't happy with that you could have a disposableVM pulling from
git, validating with split-gpg. Pull into offline managementVM using
qrexec and validate again. Then apply.
Keeping salt and supporting files in git is definitely the way to go.