From 4dda3f513c113cdeeb93a4ee009afb74a8338c0b Mon Sep 17 00:00:00 2001 From: 100111001 <43482858+100111001@users.noreply.github.com> Date: Wed, 23 Aug 2023 14:48:29 +0200 Subject: [PATCH 1/2] Added description how to run salt states --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6adf62f..130f602 100644 --- a/README.md +++ b/README.md 
@@ -86,7 +86,7 @@ qvm-features mirage-firewall no-default-kernelopts 1 ``` ### Deployment using saltstack -If you're familiar how to run salt states in Qubes, you can also use the script `SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls` to automatically deploy the latest version of mirage firewall in your Qubes OS. The script checks the checksum from the integration server and compares with the latest version provided in the github releases. It might be necessary to adjust the VM templates in the script which are used for downloading of the mirage unikernel. Also don't forget to change the VMs in which the uni kernel should be used or adjust the "Qubes Global Settings". +If you're familiar how to run salt states in Qubes, you can also use the script `SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls` to automatically deploy the latest version of mirage firewall in your Qubes OS. An introduction can be found [here](https://forum.qubes-os.org/t/qubes-salt-beginners-guide/20126) and [here](https://www.qubes-os.org/doc/salt/). Following the instructions from the former link, you can run the script in dom0 with the command `sudo qubesctl --show-output state.apply SaltScriptToDownloadAndInstallMirageFirewallInQubes saltenv=user`. The script checks the checksum from the integration server and compares with the latest version provided in the github releases. It might be necessary to adjust the VM templates in the script which are used for downloading of the mirage unikernel, if your default templates do not have the tools `curl` and `tar` installed by default. Also don't forget to change the VMs in which the uni kernel should be used or adjust the "Qubes Global Settings". ## Upgrading From 354c2517016fd5b71e59b5675ce0a3f60ce265fd Mon Sep 17 00:00:00 2001 
From: 100111001 <43482858+100111001@users.noreply.github.com> Date: Wed, 23 Aug 2023 14:56:47 +0200 Subject: [PATCH 2/2] Changed hard coded templates to default templates from qubes Also replaced wget by curl to make it compatible additionally for the default template of debian. (wget is not installed by default) --- SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls index ec3a486..1055faa 100644 --- a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls +++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls @@ -3,9 +3,9 @@ # After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script e.g. by using "Qubes Global Settings" # inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall -# You might want to adjust the following 2 variables to use up-to-date templates on your qubes -{% set DownloadVMTemplate = "fedora-38" %} -{% set DispVM = "fedora-38-dvm" %} +# default template + dispvm template are used. Possible optimization is to use min-dvms +{% set DownloadVMTemplate = salt['cmd.shell']("qubes-prefs default_template") %} +{% set DispVM = salt['cmd.shell']("qubes-prefs default_dispvm") %} {% set DownloadVM = "DownloadVmMirage" %} {% set MirageFW = "sys-mirage-fw" %} @@ -33,7 +33,7 @@ create-downloader-VM: download-and-unpack-in-DownloadVM4mirage: cmd.run: - names: - - qvm-run --pass-io {{ DownloadVM }} {{ "wget " ~ DownloadBinary }} + - qvm-run --pass-io {{ DownloadVM }} {{ "curl -L -O " ~ DownloadBinary }} - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }} - require: - create-downloader-VM
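Review bot: In the README.md hunk, the added command passes `saltenv=user`, but the paragraph never says where in dom0 the `.sls` file has to be placed for that environment to find it, so a reader who skips the linked guide cannot run it; add that step next to the command. The prerequisite list also names only `curl` and `tar`, while the script unpacks with `tar -xvjf`, which needs bzip2 support in the download template. The two links would read better with descriptive text than with "here".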
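Review bot: In the first hunk of SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls, the output of `qubes-prefs default_template` and `qubes-prefs default_dispvm` is assigned to `DownloadVMTemplate` and `DispVM` without any check, so if either call fails or prints nothing useful, an empty string or error text flows into every state that uses those variables. Suggest failing the render early when a value is empty, and keeping a comment that both variables can still be set by hand, since the README still tells users to adjust the templates in the script. `cmd.shell` is not needed for a command without shell syntax; `cmd.run` would do. The "min-dvms" in the new comment should be spelled out.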
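Review bot: In the second hunk of SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls, `curl -L -O` has no `-f`, so an HTTP error response is written to disk as if it were the archive and curl still exits 0; the failure then only shows up in the following `tar -xvjf` step. Suggest `curl -fL -O` so the state fails at the download itself, and consider restricting the transfer to HTTPS with `--proto '=https'`, since `-L` follows redirects.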