2023-11-13 09:33:28 -05:00
|
|
|
{#
|
2024-01-12 11:56:28 -05:00
|
|
|
SPDX-FileCopyrightText: 2022 Thien Tran <contact@tommytran.io>
|
2023-11-13 13:18:06 -05:00
|
|
|
SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org>
|
2023-11-13 09:33:28 -05:00
|
|
|
SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
|
|
|
|
|
2024-01-12 11:56:28 -05:00
|
|
|
SPDX-License-Identifier: MIT
|
2023-11-13 09:33:28 -05:00
|
|
|
#}
|
|
|
|
|
|
|
|
{%- from "qvm/template.jinja" import load -%}
|
|
|
|
|
|
|
|
{# Use the netvm of the default_netvm. #}
|
|
|
|
{% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%}
|
|
|
|
{% set netvm = salt['cmd.shell']('qvm-prefs ' + default_netvm + ' netvm') -%}
|
|
|
|
{#
|
|
|
|
If netvm of default_netvm is empty, user's default_netvm is the first in
|
|
|
|
the chain (sys-net).
|
|
|
|
#}
|
|
|
|
{% if netvm == '' %}
|
|
|
|
{% set netvm = default_netvm %}
|
|
|
|
{% endif %}
|
|
|
|
|
|
|
|
"sys-mirage-firewall-create-vm-kernels-dir":
|
|
|
|
file.directory:
|
|
|
|
- name: /var/lib/qubes/vm-kernels/mirage-firewall
|
|
|
|
- mode: '0755'
|
|
|
|
- user: root
|
|
|
|
- group: root
|
|
|
|
- makedirs: True
|
|
|
|
|
|
|
|
"sys-mirage-firewall-extract-to-vm-kernels":
|
|
|
|
archive.extracted:
|
|
|
|
- name: /var/lib/qubes/vm-kernels/
|
|
|
|
- require:
|
|
|
|
- file: sys-mirage-firewall-create-vm-kernels-dir
|
|
|
|
- source: salt://sys-mirage-firewall/files/admin/mirage-firewall.tar.bz2
|
|
|
|
- source_hash: salt://sys-mirage-firewall/files/admin/mirage-firewall.sha256
|
|
|
|
- archive_format: tar
|
|
|
|
- options: -j
|
|
|
|
|
|
|
|
"sys-mirage-firewall-save-version":
|
|
|
|
file.managed:
|
|
|
|
- name: /var/lib/qubes/vm-kernels/mirage-firewall/version.txt
|
|
|
|
- source: salt://sys-mirage-firewall/files/admin/version.txt
|
|
|
|
- mode: '0644'
|
|
|
|
- user: root
|
|
|
|
- group: root
|
|
|
|
- makedirs: True
|
|
|
|
|
|
|
|
{% load_yaml as defaults -%}
|
2024-01-12 11:56:28 -05:00
|
|
|
name: tpl-sys-mirage-firewall
|
2023-11-13 09:33:28 -05:00
|
|
|
force: True
|
|
|
|
require:
|
2024-01-12 11:56:28 -05:00
|
|
|
- file: sys-mirage-firewall-save-version
|
2023-11-13 09:33:28 -05:00
|
|
|
present:
|
2024-01-12 11:56:28 -05:00
|
|
|
- class: TemplateVM
|
|
|
|
- label: black
|
|
|
|
prefs:
|
2023-11-13 09:33:28 -05:00
|
|
|
- virt_mode: pvh
|
2024-01-12 11:56:28 -05:00
|
|
|
- label: black
|
2024-01-20 13:34:39 -05:00
|
|
|
- audiovm: ""
|
2024-01-12 11:56:28 -05:00
|
|
|
- memory: 64
|
|
|
|
- maxmem: 64
|
|
|
|
- vcpus: 1
|
|
|
|
- kernel: mirage-firewall
|
|
|
|
- kernelopts: ""
|
|
|
|
{%- endload %}
|
|
|
|
{{ load(defaults) }}
|
|
|
|
|
|
|
|
{% load_yaml as defaults -%}
|
|
|
|
name: dvm-sys-mirage-firewall
|
|
|
|
force: True
|
|
|
|
require:
|
|
|
|
- qvm: tpl-sys-mirage-firewall
|
|
|
|
present:
|
|
|
|
- template: tpl-sys-mirage-firewall
|
|
|
|
- label: orange
|
2023-11-13 09:33:28 -05:00
|
|
|
prefs:
|
2024-01-12 11:56:28 -05:00
|
|
|
- template: tpl-sys-mirage-firewall
|
|
|
|
- label: orange
|
|
|
|
- netvm: {{ netvm }}
|
2024-01-20 13:34:39 -05:00
|
|
|
- audiovm: ""
|
2024-01-12 11:56:28 -05:00
|
|
|
- memory: 64
|
|
|
|
- maxmem: 64
|
|
|
|
- vcpus: 1
|
|
|
|
- provides-network: True
|
|
|
|
- template_for_dispvms: True
|
|
|
|
features:
|
|
|
|
- enable:
|
|
|
|
- service.qubes-firewall
|
|
|
|
- no-default-kernelopts
|
|
|
|
{%- endload %}
|
|
|
|
{{ load(defaults) }}
|
|
|
|
|
|
|
|
{% load_yaml as defaults -%}
|
|
|
|
name: disp-sys-mirage-firewall
|
|
|
|
force: True
|
|
|
|
require:
|
|
|
|
- qvm: tpl-sys-mirage-firewall
|
|
|
|
present:
|
|
|
|
- class: DispVM
|
|
|
|
- template: dvm-sys-mirage-firewall
|
|
|
|
- label: orange
|
|
|
|
prefs:
|
|
|
|
- template: dvm-sys-mirage-firewall
|
2023-11-13 09:33:28 -05:00
|
|
|
- label: orange
|
|
|
|
- netvm: {{ netvm }}
|
2024-01-20 13:34:39 -05:00
|
|
|
- audiovm: ""
|
2023-11-13 09:33:28 -05:00
|
|
|
- memory: 64
|
|
|
|
- maxmem: 64
|
|
|
|
- vcpus: 1
|
|
|
|
- provides-network: True
|
|
|
|
features:
|
|
|
|
- enable:
|
|
|
|
- service.qubes-firewall
|
|
|
|
- no-default-kernelopts
|
|
|
|
{%- endload %}
|
|
|
|
{{ load(defaults) }}
|