feat: default to disposable netvm

- Default sys-net and sys-firewall to disposable;
- Set global and per vm preferences by starting the qubes or shutting
  down them when necessary; and
- Less manual steps remaining for the user: just rename the net qube, as
  it can only be done via Qubes Manager.

salt/sys-firewall/README.md

@@ -11,21 +11,29 @@ Firewall in Qubes OS.
 ## Description
 
 Creates firewall qube, an App qube "sys-firewall" and a Disposable qube
-"disp-sys-firewall". By default, "sys-firewall" will be the "updatevm" and the
-"default_netvm", but you can configure "disp-sys-firewall" to take on these
-roles if you prefer, later instructed in the installation section below.
+"disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm",
+the "clockvm" and the "default_netvm".
 
 If you want an easy to configure firewall with ad blocking, checkout
 sys-pihole instead.
 
 ## Installation
 
+Before installation, rename your current `sys-firewall` to another name such
+as `sys-firewall-old`, the old qube will be used to install packages required
+for the minimal template. After successful installation and testing the new
+net qube capabilities, you can remove the old one. If you want the default net
+qube back, just set `sys-firewall` template to the full template you are
+using, such as Debian or Fedora. Before starting, turn on `sys-firewall-old`
+or yours `default_netvm` and check if DNS is working, after that, proceed with
+the installation.
+
 - Top:
 ```sh
 qubesctl top.enable sys-firewall
 qubesctl --targets=tpl-sys-firewall state.apply
 qubesctl top.disable sys-firewall
-qubesctl state.apply sys-firewall.prefs
+qubesctl state.apply sys-firewall.prefs-disp
 ```
 
 - State:
@@ -33,13 +41,13 @@ qubesctl state.apply sys-firewall.prefs
 ```sh
 qubesctl state.apply sys-firewall.create
 qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install
-qubesctl state.apply sys-firewall.prefs
+qubesctl state.apply sys-firewall.prefs-disp
 ```
 <!-- pkg:end:post-install -->
 
-Alternatively, if you prefer to have a disposable firewall:
+Alternatively, if you prefer to have an app qube as the firewall:
 ```sh
-qubesctl state.apply sys-firewall.prefs-disp
+qubesctl state.apply sys-firewall.prefs
 ```
 
 ## Usage

salt/sys-firewall/create.sls

@@ -102,3 +102,20 @@ features:
   - service.cups-browsed
 {%- endload %}
 {{ load(defaults) }}
+
+## Anticipate network usage as sys-firewall is turned off at this step.
+## Starting the machine before let's the network be established with enough
+## time for the package installation in the template to work.
+{% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%}
+{% if default_netvm -%}
+"{{ slsdotpath }}-start-{{ default_netvm }}-anticipate-network-use":
+  qvm.start:
+    - name: {{ default_netvm }}
+{% endif -%}
+
+{% set template_updatevm = salt['cmd.shell']("qrexec-policy tpl-sys-firewall @default qubes.UpdatesProxy 2>/dev/null | awk -F '=' '/^target=/{print $2}'") -%}
+{% if template_updatevm -%}
+"{{ slsdotpath }}-start-{{ template_updatevm }}-anticipate-network-use":
+  qvm.start:
+    - name: {{ template_updatevm }}
+{% endif -%}

salt/sys-firewall/prefs-disp.sls

@@ -4,23 +4,40 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-include:
-  - .create
+{% set qube = 'disp-' ~ slsdotpath -%}
 
-"disp-{{ slsdotpath }}-qubes-prefs-updatevm":
+{% set running = 0 -%}
+{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ qube) == qube -%}
+  {% set running = 1 -%}
+{% endif -%}
+
+"{{ qube }}-start":
+  qvm.start:
+    - name: {{ qube }}
+
+"{{ qube }}-qubes-prefs-updatevm":
   cmd.run:
     - require:
-      - sls: {{ slsdotpath }}.clone
-    - name: qubes-prefs updatevm disp-{{ slsdotpath }}
+      - qvm: {{ qube }}-start
+    - name: qubes-prefs updatevm {{ qube }}
 
-"disp-{{ slsdotpath }}-qubes-prefs-default_netvm":
+"{{ qube }}-qubes-prefs-default_netvm":
   cmd.run:
     - require:
-      - sls: {{ slsdotpath }}.clone
-    - name: qubes-prefs default_netvm disp-{{ slsdotpath }}
+      - qvm: {{ qube }}-start
+    - name: qubes-prefs default_netvm {{ qube }}
 
-"disp-{{ slsdotpath }}-qubes-prefs-clockvm":
+"{{ qube }}-qubes-prefs-clockvm":
   cmd.run:
     - require:
-      - sls: {{ slsdotpath }}.create
-    - name: qubes-prefs clockvm disp-{{ slsdotpath }}
+      - qvm: {{ qube }}-start
+    - name: qubes-prefs clockvm {{ qube }}
+
+{% if running == 0 -%}
+"{{ qube }}-shutdown":
+  qvm.shutdown:
+    - name: {{ qube }}
+    - flags:
+      - wait
+      - force
+{% endif -%}

salt/sys-firewall/prefs.sls

@@ -4,23 +4,40 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-include:
-  - .create
+{% set qube = slsdotpath -%}
 
-"{{ slsdotpath }}-qubes-prefs-updatevm":
+{% set running = 0 -%}
+{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ qube) == qube -%}
+  {% set running = 1 -%}
+{% endif -%}
+
+"{{ qube }}-start":
+  qvm.start:
+    - name: {{ qube }}
+
+"{{ qube }}-qubes-prefs-updatevm":
   cmd.run:
     - require:
-      - sls: {{ slsdotpath }}.create
-    - name: qubes-prefs updatevm {{ slsdotpath }}
+      - qvm: {{ qube }}-start
+    - name: qubes-prefs updatevm {{ qube }}
 
-"{{ slsdotpath }}-qubes-prefs-default_netvm":
+"{{ qube }}-qubes-prefs-default_netvm":
   cmd.run:
     - require:
-      - sls: {{ slsdotpath }}.create
-    - name: qubes-prefs default_netvm {{ slsdotpath }}
+      - qvm: {{ qube }}-start
+    - name: qubes-prefs default_netvm {{ qube }}
 
-"{{ slsdotpath }}-qubes-prefs-clockvm":
+"{{ qube }}-qubes-prefs-clockvm":
   cmd.run:
     - require:
-      - sls: {{ slsdotpath }}.create
-    - name: qubes-prefs clockvm {{ slsdotpath }}
+      - qvm: {{ qube }}-start
+    - name: qubes-prefs clockvm {{ qube }}
+
+{% if running == 0 -%}
+"{{ qube }}-shutdown":
+  qvm.shutdown:
+    - name: {{ qube }}
+    - flags:
+      - wait
+      - force
+{% endif -%}

salt/sys-net/README.md

@@ -15,25 +15,26 @@ provides the state "qvm.sys-net", but it will create only "sys-net", which can
 be a disposable or not. This package takes a different approach, it will
 create an AppVM "sys-net" and a DispVM "disp-sys-net".
 
-By default, the chosen one is "sys-net", but you can choose which qube type
-becomes the upstream net qube "default_netvm", the "clockvm" and the fallback
-target for the "qubes.UpdatesProxy" service in case no rule matched before.
+By default, the chosen one is "disp-sys-net", but you can choose which qube
+type becomes the upstream net qube "default_netvm" and the fallback target for
+the "qubes.UpdatesProxy" service in case no rule matched before.
 
 ## Installation
 
 Before installation, rename your current `sys-net` to another name such as
-`sys-net-old`, the old qube will be used to install packages require for the
-template. After successful installation and testing the new net qube
+`sys-net-old`, the old qube will be used to install packages required for the
+minimal template. After successful installation and testing the new net qube
 capabilities, you can remove the old one. If you want the default net qube
 back, just set `sys-net` template to the full template you are using, such as
-Debian or Fedora.
+Debian or Fedora. Before starting, turn on the `default_netvm` and check if
+DNS is working, after that, proceed with the installation.
 
 - Top:
 ```sh
 qubesctl top.enable sys-net
 qubesctl --targets=tpl-sys-net state.apply
 qubesctl top.disable sys-net
-qubesctl state.apply sys-net.prefs
+qubesctl state.apply sys-net.prefs-disp
 ```
 
 - State:
@@ -41,7 +42,7 @@ qubesctl state.apply sys-net.prefs
 ```sh
 qubesctl state.apply sys-net.create
 qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install
-qubesctl state.apply sys-net.prefs
+qubesctl state.apply sys-net.prefs-disp
 ```
 <!-- pkg:end:post-install -->
 
@@ -50,9 +51,9 @@ If you need to debug a net qube, install some helper tools:
 qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install-debug
 ```
 
-If you prefer to have a disposable net qube:
+If you prefer to have an app qube as the net qube:
 ```sh
-qubesctl state.apply sys-net.prefs-disp
+qubesctl state.apply sys-net.prefs
 ```
 
 You might need to install some firmware on the template for your network

salt/sys-net/clone.sls

@@ -6,6 +6,3 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 {% from 'utils/macros/clone-template.sls' import clone_template -%}
 {{ clone_template('debian-minimal', sls_path) }}
-
-{% from 'utils/macros/clone-template.sls' import clone_template -%}
-{{ clone_template('debian', sls_path) }}

salt/sys-net/files/admin/policy/default-disp.policy

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
+## vim:ft=qrexecpolicy

salt/sys-net/files/admin/policy/default.policy

@@ -6,6 +6,6 @@
 ## file name instead. For example `30-user.policy`.
 qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
 qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
-qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target={{ sls_path }}
 qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
 ## vim:ft=qrexecpolicy

salt/sys-net/prefs-disp.sls

@@ -4,17 +4,46 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-include:
-  - .create
-
+{% set netvm = 'disp-' ~ slsdotpath -%}
 {% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%}
-"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-disp-{{ slsdotpath }}":
+
+{% set running = 0 -%}
+{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ default_netvm) == default_netvm -%}
+  {% set running = 1 -%}
+{% endif -%}
+
+"{{ slsdotpath }}-{{ default_netvm }}-shutdown":
+  qvm.shutdown:
+    - name: {{ default_netvm }}
+    - flags:
+      - wait
+      - force
+
+{% set default_netvm_netvm = salt['cmd.shell']('qvm-prefs ' ~ default_netvm ~ ' netvm') -%}
+{% if default_netvm_netvm -%}
+"{{ slsdotpath }}-{{ default_netvm_netvm }}-shutdown":
+  qvm.shutdown:
+    - require:
+      - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown"
+    - name: {{ default_netvm_netvm }}
+    - flags:
+      - wait
+      - force
+{% endif -%}
+
+{% from 'utils/macros/policy.sls' import policy_set_full with context -%}
+{{ policy_set_full(slsdotpath, '/etc/qubes/policy.d/80-' ~ slsdotpath ~ '.policy', 'salt://' ~ slsdotpath ~ '/files/admin/policy/default-disp.policy') }}
+
+"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ netvm }}":
   qvm.vm:
     - require:
-      - qvm: disp-{{ slsdotpath }}
+      - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown"
     - name: {{ default_netvm }}
     - prefs:
-      - netvm: disp-{{ slsdotpath }}
+      - netvm: {{ netvm }}
 
-{% from 'utils/macros/policy.sls' import policy_set with context -%}
-{{ policy_set(sls_path, '80') }}
+{% if running == 1 -%}
+"{{ slsdotpath }}-{{ default_netvm }}-start":
+  qvm.start:
+    - name: {{ default_netvm }}
+{% endif -%}

salt/sys-net/prefs.sls

@@ -4,17 +4,47 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-include:
-  - .create
+{% set netvm = slsdotpath -%}
 
 {% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%}
-"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ slsdotpath }}":
-  qvm.vm:
-    - require:
-      - qvm: {{ slsdotpath }}
+
+{% set running = 0 -%}
+{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ default_netvm) == default_netvm -%}
+  {% set running = 1 -%}
+{% endif -%}
+
+"{{ slsdotpath }}-{{ default_netvm }}-shutdown":
+  qvm.shutdown:
     - name: {{ default_netvm }}
-    - prefs:
-      - netvm: {{ slsdotpath }}
+    - flags:
+      - wait
+      - force
+
+{% set default_netvm_netvm = salt['cmd.shell']('qvm-prefs ' ~ default_netvm ~ ' netvm') -%}
+{% if default_netvm_netvm -%}
+"{{ slsdotpath }}-{{ default_netvm_netvm }}-shutdown":
+  qvm.shutdown:
+    - require:
+      - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown"
+    - name: {{ default_netvm_netvm }}
+    - flags:
+      - wait
+      - force
+{% endif -%}
 
 {% from 'utils/macros/policy.sls' import policy_set with context -%}
 {{ policy_set(sls_path, '80') }}
+
+"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ netvm }}":
+  qvm.vm:
+    - require:
+      - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown"
+    - name: {{ default_netvm }}
+    - prefs:
+      - netvm: {{ netvm }}
+
+{% if running == 1 -%}
+"{{ slsdotpath }}-{{ default_netvm }}-start":
+  qvm.start:
+    - name: {{ default_netvm }}
+{% endif -%}