diff --git a/salt/sys-mirage-firewall/create.sls b/salt/sys-mirage-firewall/create.sls index 317a455..81a6903 100644 --- a/salt/sys-mirage-firewall/create.sls +++ b/salt/sys-mirage-firewall/create.sls @@ -8,10 +8,10 @@ SPDX-License-Identifier: MIT {%- from "qvm/template.jinja" import load -%} -{% set mirage_version = 'v0.9.1' -%} -{% set mirage_file_archive = 'mirage-firewall.tar.bz2' -%} -{% set mirage_url_archive = 'https://github.com/mirage/qubes-mirage-firewall/releases/download/' ~ mirage_version ~ '/' ~ mirage_file_archive -%} -{% set mirage_sha256sum = 'ea876bc7525811a16b0dfebe7ee1e91661eeecf67d240298d4ffd31b6ee41843' %} +{% set mirage_version = 'v0.9.2' -%} +{% set mirage_sha256sum = '78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc' %} +{% set mirage_file_kernel = 'qubes-firewall.xen' -%} +{% set mirage_url_kernel = 'https://github.com/mirage/qubes-mirage-firewall/releases/download/' ~ mirage_version ~ '/' ~ mirage_file_kernel -%} {# Use the netvm of the default_netvm. #} {% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%} @@ -31,7 +31,7 @@ the chain (sys-net). qvm.start: - name: {{ updatevm }} -"sys-mirage-firewall-fetch-tarball": +"sys-mirage-firewall-fetch-kernel": cmd.run: - require: - qvm: "sys-mirage-firewall-start-updatevm-{{ updatevm }}" @@ -44,46 +44,49 @@ the chain (sys-net). --tlsv1.3 --proto =https \ --fail --fail-early \ --no-progress-meter --silent --show-error \ - --remote-name {{ mirage_url_archive }}" + --remote-name {{ mirage_url_kernel }}" - timeout: 30 - - runas: user -{# Tarball is brought to dom0 instead of just 'vmlinuz' because: - - checksum on releases is only of the tarball, not of individual files; - - updatevm may not have 'bzip2' and 'tar'; - - if we don't trust the provided tarball, we shouldn't even download it. -#} -"sys-mirage-firewall-bring-tarball-to-dom0": +"sys-mirage-firewall-create-temporary-kernel-directory": + file.directory: + - require: + - cmd: "sys-mirage-firewall-fetch-kernel" + - name: /tmp/mirage-firewall-download + - user: root + - group: root + - mode: '0700' + - makedirs: True + +"sys-mirage-firewall-bring-kernel-to-dom0": cmd.run: - require: - - cmd: "sys-mirage-firewall-fetch-tarball" - - name: - qvm-run --pass-io {{ updatevm }} -- "cat /tmp/mirage-firewall-download/mirage-firewall.tar.bz2" | tee -- /tmp/mirage-firewall.tar.bz2 >/dev/null - - runas: user + - file: "sys-mirage-firewall-create-temporary-kernel-directory" + - name: qvm-run --pass-io {{ updatevm }} -- "cat /tmp/mirage-firewall-download/qubes-firewall.xen" | tee -- /tmp/mirage-firewall-download/vmlinuz >/dev/null - timeout: 10 -"{{ slsdotpath }}-remove-tarball-from-updatevm": +"sys-mirage-firewall-remove-kernel-from-updatevm": cmd.run: - name: qvm-run {{ updatevm }} -- "rm -rf /tmp/mirage-firewall-download" -"sys-mirage-firewall-extract-to-vm-kernels": - archive.extracted: +"sys-mirage-firewall-move-kernel-to-usable-directory": + file.managed: - require: - - cmd: "sys-mirage-firewall-bring-tarball-to-dom0" - - name: /var/lib/qubes/vm-kernels/ - - source: /tmp/mirage-firewall.tar.bz2 + - cmd: "sys-mirage-firewall-bring-kernel-to-dom0" + - name: /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz + - source: /tmp/mirage-firewall-download/vmlinuz - source_hash: sha256={{ mirage_sha256sum }} - - archive_format: tar - - options: -j + - user: root + - group: root + - mode: '0644' -"{{ slsdotpath }}-dom0-archive": +"sys-mirage-firewall-remove-temporary-kernel": file.absent: - - name: /tmp/mirage-firewall.tar.bz2 + - name: /tmp/mirage-firewall-download "sys-mirage-firewall-save-version": file.managed: - require: - - archive: "sys-mirage-firewall-extract-to-vm-kernels" + - file: "sys-mirage-firewall-move-kernel-to-usable-directory" - name: /var/lib/qubes/vm-kernels/mirage-firewall/version.txt - contents: {{ mirage_version }} - mode: '0644'