feat: default to disposable netvm

- Default sys-net and sys-firewall to disposable; - Set global and per vm preferences by starting the qubes or shutting down them when necessary; and - Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager.
2025-05-02 22:34:53 -04:00 · 2024-01-04 21:59:15 +01:00 · 2024-01-04 21:59:15 +01:00 · 0216297ee6
commit 0216297ee6
parent 8a8252d6f0
10 changed files with 186 additions and 59 deletions
--- a/salt/sys-net/files/admin/policy/default-disp.policy
+++ b/salt/sys-net/files/admin/policy/default-disp.policy
@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
+## vim:ft=qrexecpolicy
--- a/salt/sys-net/files/admin/policy/default.policy
+++ b/salt/sys-net/files/admin/policy/default.policy
@ -6,6 +6,6 @@
 ## file name instead. For example `30-user.policy`.
 qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
 qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
-qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target={{ sls_path }}
 qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
 ## vim:ft=qrexecpolicy