Methods of installing software in QubesOS with Saltstack

Intro

Here are some various methods of installing software that I’ve used in my personal salt configuration

pkg.installed

Here’s /srv/user_salt/pkgs/accounting.sls as an example. It uses the simplest way of installing programs, which is just listing them under pkg.installed which pulls them from your distros main repositories. This is the most preferable way to install software if it’s available. 

# Install accounting tools
accounting--install-apps:
  pkg.installed:
    - pkgs:
      - hledger # Command-line plain text accounting
      - gnucash # Graphical GNU accounting suite

move a binary file into /usr/bin

Here’s /srv/user_salt/pkgs/st.sls as an example. It takes a binary file that’s part of this salt repository, and moves it into the ~/usr/bin/ directory in a qube. 

# Installs my build of st terminal
/usr/bin/st:
  file.managed:
    - source: salt://pkgs/bin/st.bin
    - user: root
    - group: root
    - mode: 777

Install from third-party repo with a script

Here’s /srv/user_salt/pkgs/signal.sls as an example. It starts by installing some dependencies using the most common pkg.installed method, then moves an install script /srv/user_salt/pkgs/install-scripts/signal-repo.sh into a qube and executes it to install the Signal messenger. 

...

signal--repo-script:
  file.managed: # file.managed lets you place files from your salt repo into qubes
    - name: /usr/bin/install-repo # this is where the installation script is placed
    - source: salt://pkgs/install-scripts/signal-repo.sh # This is where the installation script was sourced
    - user: root # sets the owner of the file, you can usually default to root
    - group: root # sets the group of the file, you can usually default to root
    - mode: 777 # sets the permissions of the file, you can usually default to 777 (any user on the qube has permissions)

# This simply executes the install-repo script in a qube
'install-repo':
  cmd.run

Here’s the installation script that’s ran:

/srv/user_salt/pkgs/install-scripts/signal-repo.sh

# Retrieves Signal's key for verifying the package
# The request is proxied through 127.0.0.1:8082 to allow the template qube to access the internet
sudo curl --proxy 127.0.0.1:8082 -s https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor | sudo tee -a /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null

# Defines Signal's repo in /etc/apt/sources.list.d/
echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' | tee /etc/apt/sources.list.d/signal-xenial.list

# Updates packages and installs signal-desktop through the newly configured repository
sudo apt update
sudo apt install signal-desktop -y

Created: 2025-04-02 Wed 23:33