2023-08-18 00:16:32 +02:00
|
|
|
# How to install the superlight mirage-firewall for Qubes OS by using saltstack
|
|
|
|
# Tested on Qubes v4.1 and mirage v0.8.5
|
|
|
|
# After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script e.g. by using "Qubes Global Settings"
|
|
|
|
# inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall
|
|
|
|
|
2023-08-23 14:56:47 +02:00
|
|
|
# default template + dispvm template are used. Possible optimization is to use min-dvms
|
|
|
|
{% set DownloadVMTemplate = salt['cmd.shell']("qubes-prefs default_template") %}
|
|
|
|
{% set DispVM = salt['cmd.shell']("qubes-prefs default_dispvm") %}
|
2023-08-18 00:16:32 +02:00
|
|
|
|
|
|
|
{% set DownloadVM = "DownloadVmMirage" %}
|
|
|
|
{% set MirageFW = "sys-mirage-fw" %}
|
|
|
|
{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
|
|
|
|
{% set Filename = "mirage-firewall.tar.bz2" %}
|
|
|
|
{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
|
|
|
|
|
|
|
|
#download and install the latest version
|
|
|
|
{% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %}
|
|
|
|
|
|
|
|
{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %}
|
|
|
|
|
|
|
|
create-downloader-VM:
|
|
|
|
qvm.vm:
|
|
|
|
- name: {{ DownloadVM }}
|
|
|
|
- present:
|
|
|
|
- template: {{ DownloadVMTemplate }}
|
|
|
|
- label: red
|
|
|
|
- prefs:
|
|
|
|
- template: {{ DownloadVMTemplate }}
|
|
|
|
- include-in-backups: false
|
|
|
|
|
|
|
|
{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %}
|
|
|
|
|
|
|
|
download-and-unpack-in-DownloadVM4mirage:
|
|
|
|
cmd.run:
|
|
|
|
- names:
|
2023-08-23 14:56:47 +02:00
|
|
|
- qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }}
|
2023-08-18 00:16:32 +02:00
|
|
|
- qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }}
|
|
|
|
- require:
|
|
|
|
- create-downloader-VM
|
|
|
|
|
|
|
|
|
|
|
|
check-checksum-in-DownloadVM:
|
|
|
|
cmd.run:
|
|
|
|
- names:
|
2023-12-26 11:12:06 +01:00
|
|
|
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
|
2023-08-18 00:16:32 +02:00
|
|
|
- qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
|
2023-12-26 11:12:06 +01:00
|
|
|
- qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
|
2023-08-18 00:16:32 +02:00
|
|
|
- require:
|
|
|
|
- download-and-unpack-in-DownloadVM4mirage
|
|
|
|
|
|
|
|
copy-mirage-kernel-to-dom0:
|
|
|
|
cmd.run:
|
|
|
|
- name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }}
|
|
|
|
- require:
|
|
|
|
- download-and-unpack-in-DownloadVM4mirage
|
|
|
|
- check-checksum-in-DownloadVM
|
|
|
|
|
|
|
|
create-initramfs:
|
|
|
|
cmd.run:
|
|
|
|
- names:
|
|
|
|
- gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }}
|
|
|
|
- echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }}
|
|
|
|
- require:
|
|
|
|
- copy-mirage-kernel-to-dom0
|
|
|
|
|
|
|
|
create-sys-mirage-fw:
|
|
|
|
qvm.vm:
|
|
|
|
- name: {{ MirageFW }}
|
|
|
|
- present:
|
|
|
|
- class: StandaloneVM
|
|
|
|
- label: black
|
|
|
|
- prefs:
|
|
|
|
- kernel: mirage-firewall
|
|
|
|
- kernelopts:
|
|
|
|
- include-in-backups: False
|
2023-12-26 10:45:13 +01:00
|
|
|
- memory: 32
|
|
|
|
- maxmem: 32
|
2023-08-18 00:16:32 +02:00
|
|
|
- netvm: sys-net
|
|
|
|
- provides-network: True
|
|
|
|
- vcpus: 1
|
|
|
|
- virt-mode: pvh
|
|
|
|
- features:
|
|
|
|
- enable:
|
|
|
|
- qubes-firewall
|
|
|
|
- no-default-kernelopts
|
|
|
|
- require:
|
|
|
|
- copy-mirage-kernel-to-dom0
|
|
|
|
|
|
|
|
|
|
|
|
cleanup-in-DownloadVM:
|
|
|
|
cmd.run:
|
|
|
|
- names:
|
|
|
|
- qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}"
|
|
|
|
- require:
|
|
|
|
- create-initramfs
|
|
|
|
|
|
|
|
remove-DownloadVM4mirage:
|
|
|
|
qvm.absent:
|
|
|
|
- name: {{ DownloadVM }}
|
|
|
|
- require:
|
|
|
|
- cleanup-in-DownloadVM
|
|
|
|
|
|
|
|
{% endif %}
|