Merge pull request #179 from 100111001/100111001-Readme-Adjustments

100111001 - SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
2024-06-18 10:19:50 +00:00 · 2023-08-18 12:59:08 +02:00 · 2023-08-18 12:59:08 +02:00 · 50306112ff
commit 50306112ff
parent a321287f2f 6df70c1b35
2 changed files with 107 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -49,6 +49,7 @@ However, it should still work fine.

 ## Deploy

+### Manual deployment
 If you want to deploy manually, unpack `mirage-firewall.tar.bz2` in domU. The tarball contains `vmlinuz`,
 which is the unikernel itself, plus a dummy initramfs file that Qubes requires:

@ -84,6 +85,9 @@ qvm-features mirage-firewall qubes-firewall 1
 qvm-features mirage-firewall no-default-kernelopts 1
 ```

+### Deployment using saltstack
+If you're familiar how to run salt states in Qubes, you can also use the script `SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls` to automatically deploy the latest version of mirage firewall in your Qubes OS. The script checks the checksum from the integration server and compares with the latest version provided in the github releases. It might be necessary to adjust the VM templates in the script which are used for downloading of the mirage unikernel. Also don't forget to change the VMs in which the uni kernel should be used or adjust the "Qubes Global Settings".
+
 ## Upgrading

 To upgrade from an earlier release, just overwrite `/var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz` with the new version and restart the firewall VM.
--- a/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
+++ b/SaltScriptToDownloadAndInstallMirageFirewallInQubes.sls
@ -0,0 +1,103 @@
+# How to install the superlight mirage-firewall for Qubes OS by using saltstack
+# Tested on Qubes v4.1 and mirage v0.8.5
+# After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script e.g. by using "Qubes Global Settings"
+# inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall
+
+# You might want to adjust the following 2 variables to use up-to-date templates on your qubes
+{% set DownloadVMTemplate = "fedora-38" %}
+{% set DispVM = "fedora-38-dvm" %}
+
+{% set DownloadVM = "DownloadVmMirage" %}
+{% set MirageFW = "sys-mirage-fw" %}
+{% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %}
+{% set Filename = "mirage-firewall.tar.bz2" %}
+{% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %}
+
+#download and install the latest version
+{% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %}
+
+{% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %}
+
+create-downloader-VM:
+  qvm.vm:
+     - name: {{ DownloadVM }}
+     - present:
+       - template: {{ DownloadVMTemplate }}
+       - label: red
+     - prefs:
+       - template: {{ DownloadVMTemplate }}
+       - include-in-backups: false
+
+{% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %}
+
+download-and-unpack-in-DownloadVM4mirage:
+  cmd.run: 
+    - names:
+      - qvm-run --pass-io {{ DownloadVM }} {{ "wget " ~ DownloadBinary }}
+      - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }}
+    - require: 
+      - create-downloader-VM
+
+
+check-checksum-in-DownloadVM:
+  cmd.run: 
+    - names:
+      - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh  | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }}
+      - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }}
+      - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh  | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img
+    - require: 
+      - download-and-unpack-in-DownloadVM4mirage
+
+copy-mirage-kernel-to-dom0:
+  cmd.run: 
+    - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }}
+    - require: 
+      - download-and-unpack-in-DownloadVM4mirage
+      - check-checksum-in-DownloadVM
+
+create-initramfs:
+  cmd.run: 
+    - names: 
+      - gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }}
+      - echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }}
+    - require: 
+      - copy-mirage-kernel-to-dom0
+
+create-sys-mirage-fw:
+  qvm.vm:
+    - name: {{ MirageFW }}
+    - present:
+      - class: StandaloneVM
+      - label: black
+    - prefs:
+      - kernel: mirage-firewall
+      - kernelopts:
+      - include-in-backups: False
+      - memory: 32
+      - maxmem: 32
+      - netvm: sys-net
+      - provides-network: True
+      - vcpus: 1
+      - virt-mode: pvh
+    - features:
+      - enable:
+        - qubes-firewall
+        - no-default-kernelopts
+    - require: 
+      - copy-mirage-kernel-to-dom0
+
+
+cleanup-in-DownloadVM:
+  cmd.run:
+   - names:
+      - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}"
+   - require: 
+     - create-initramfs
+
+remove-DownloadVM4mirage:
+  qvm.absent:
+    - name: {{ DownloadVM }}
+    - require: 
+      - cleanup-in-DownloadVM
+
+{% endif %}