From d88a114db68451bb0c03ce91fb539c59eed2090d Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Thu, 4 Jan 2024 21:59:15 +0100
Subject: [PATCH] feat: default to disposable netvm

- Default sys-net and sys-firewall to disposable;
- Set global and per vm preferences by starting the qubes or shutting down them when necessary; and
- Less manual steps remaining for the user: just rename the net qube, as it can only be done via Qubes Manager.
---
salt/sys-firewall/README.md | 22 ++++++---
salt/sys-firewall/create.sls | 17 +++++++
salt/sys-firewall/prefs-disp.sls | 39 +++++++++++-----
salt/sys-firewall/prefs.sls | 39 +++++++++++-----
salt/sys-net/README.md | 21 +++++----
salt/sys-net/clone.sls | 3 --
.../files/admin/policy/default-disp.policy | 11 +++++
.../sys-net/files/admin/policy/default.policy | 2 +-
salt/sys-net/prefs-disp.sls | 45 ++++++++++++++----
salt/sys-net/prefs.sls | 46 +++++++++++++++----
10 files changed, 186 insertions(+), 59 deletions(-)
create mode 100644 salt/sys-net/files/admin/policy/default-disp.policy
diff --git a/salt/sys-firewall/README.md b/salt/sys-firewall/README.md
index 9651ab9..dad01f5 100644
--- a/salt/sys-firewall/README.md
+++ b/salt/sys-firewall/README.md
@@ -11,21 +11,29 @@ Firewall in Qubes OS. ## Description Creates firewall qube, an App qube "sys-firewall" and a Disposable qube -"disp-sys-firewall". By default, "sys-firewall" will be the "updatevm" and the -"default_netvm", but you can configure "disp-sys-firewall" to take on these -roles if you prefer, later instructed in the installation section below. +"disp-sys-firewall". By default, "disp-sys-firewall" will be the "updatevm", +the "clockvm" and the "default_netvm". If you want an easy to configure firewall with ad blocking, checkout sys-pihole instead. ## Installation +Before installation, rename your current `sys-firewall` to another name such +as `sys-firewall-old`, the old qube will be used to install packages required +for the minimal template. After successful installation and testing the new +net qube capabilities, you can remove the old one. If you want the default net +qube back, just set `sys-firewall` template to the full template you are +using, such as Debian or Fedora. Before starting, turn on `sys-firewall-old` +or yours `default_netvm` and check if DNS is working, after that, proceed with +the installation. + - Top: ```sh qubesctl top.enable sys-firewall qubesctl --targets=tpl-sys-firewall state.apply qubesctl top.disable sys-firewall -qubesctl state.apply sys-firewall.prefs +qubesctl state.apply sys-firewall.prefs-disp ``` - State: @@ -33,13 +41,13 @@ qubesctl state.apply sys-firewall.prefs ```sh qubesctl state.apply sys-firewall.create qubesctl --skip-dom0 --targets=tpl-sys-firewall state.apply sys-firewall.install -qubesctl state.apply sys-firewall.prefs +qubesctl state.apply sys-firewall.prefs-disp ``` -Alternatively, if you prefer to have a disposable firewall: +Alternatively, if you prefer to have an app qube as the firewall: ```sh -qubesctl state.apply sys-firewall.prefs-disp +qubesctl state.apply sys-firewall.prefs ``` ## Usage diff --git a/salt/sys-firewall/create.sls b/salt/sys-firewall/create.sls index bfc14c0..c437afb 100644 
--- a/salt/sys-firewall/create.sls +++ b/salt/sys-firewall/create.sls @@ -102,3 +102,20 @@ features: - service.cups-browsed {%- endload %} {{ load(defaults) }} + +## Anticipate network usage as sys-firewall is turned off at this step. +## Starting the machine before let's the network be established with enough +## time for the package installation in the template to work. +{% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%} +{% if default_netvm -%} +"{{ slsdotpath }}-start-{{ default_netvm }}-anticipate-network-use": + qvm.start: + - name: {{ default_netvm }} +{% endif -%} + +{% set template_updatevm = salt['cmd.shell']("qrexec-policy tpl-sys-firewall @default qubes.UpdatesProxy 2>/dev/null | awk -F '=' '/^target=/{print $2}'") -%} +{% if template_updatevm -%} +"{{ slsdotpath }}-start-{{ template_updatevm }}-anticipate-network-use": + qvm.start: + - name: {{ template_updatevm }} +{% endif -%} diff --git a/salt/sys-firewall/prefs-disp.sls b/salt/sys-firewall/prefs-disp.sls index 11d792b..8b892f3 100644 --- a/salt/sys-firewall/prefs-disp.sls +++ b/salt/sys-firewall/prefs-disp.sls 
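Review bot: The `qrexec-policy` probe hard-codes `tpl-sys-firewall` while the state IDs in the same hunk derive their names from `{{ slsdotpath }}`; writing it as `'qrexec-policy tpl-' ~ slsdotpath ~ ' @default qubes.UpdatesProxy 2>/dev/null | awk ...'` keeps the template name in one place, matching the `--targets=tpl-sys-firewall` convention the README uses. Both probes turn any failure into an empty string (`cmd.shell` output on a failed command, plus `2>/dev/null` on the second one), so a denied or `ask` policy result, a missing tool, or an unset `default_netvm` silently skips the `qvm.start` and the template install fails later for lack of network rather than here; a comment such as `## Empty result: no proxy target could be resolved, the install step will then fail without network` would make that best-effort behaviour explicit. The awk filter prints every `target=` line it sees, so if the tool ever emits more than one the multi-line value lands in a state ID and in `name:`; appending `| head -n1` guards that cheaply. The comment above the first block also reads better as `## Starting the qube beforehand lets the network be established with enough`.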
@@ -4,23 +4,40 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} -include: - - .create +{% set qube = 'disp-' ~ slsdotpath -%} -"disp-{{ slsdotpath }}-qubes-prefs-updatevm": +{% set running = 0 -%} +{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ qube) == qube -%} + {% set running = 1 -%} +{% endif -%} + +"{{ qube }}-start": + qvm.start: + - name: {{ qube }} + +"{{ qube }}-qubes-prefs-updatevm": cmd.run: - require: - - sls: {{ slsdotpath }}.clone - - name: qubes-prefs updatevm disp-{{ slsdotpath }} + - qvm: {{ qube }}-start + - name: qubes-prefs updatevm {{ qube }} -"disp-{{ slsdotpath }}-qubes-prefs-default_netvm": +"{{ qube }}-qubes-prefs-default_netvm": cmd.run: - require: - - sls: {{ slsdotpath }}.clone - - name: qubes-prefs default_netvm disp-{{ slsdotpath }} + - qvm: {{ qube }}-start + - name: qubes-prefs default_netvm {{ qube }} -"disp-{{ slsdotpath }}-qubes-prefs-clockvm": +"{{ qube }}-qubes-prefs-clockvm": cmd.run: - require: - - sls: {{ slsdotpath }}.create - - name: qubes-prefs clockvm disp-{{ slsdotpath }} + - qvm: {{ qube }}-start + - name: qubes-prefs clockvm {{ qube }} + +{% if running == 0 -%} +"{{ qube }}-shutdown": + qvm.shutdown: + - name: {{ qube }} + - flags: + - wait + - force +{% endif -%} diff --git a/salt/sys-firewall/prefs.sls b/salt/sys-firewall/prefs.sls index 1cc2933..4b61c09 100644 --- a/salt/sys-firewall/prefs.sls +++ b/salt/sys-firewall/prefs.sls 
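Review bot: The conditional `qvm.shutdown` at the end of the hunk has no `require` on the three `cmd.run` states, so it only runs after the preferences are set because Salt executes states in declaration order; `salt/sys-firewall/prefs.sls` in this commit has the same shape and the same gap. An explicit `- require:` listing `- cmd: {{ qube }}-qubes-prefs-updatevm`, `- cmd: {{ qube }}-qubes-prefs-default_netvm` and `- cmd: {{ qube }}-qubes-prefs-clockvm` pins the order and also skips the forced shutdown when one of the prefs commands fails, instead of forcing down a qube that may have just become the default netvm. The `running` probe compares raw `qvm-ls` output with the qube name, so a nonexistent qube yields `running = 0` and the error only surfaces at `qvm.start`; a one-line comment such as `## running stays 0 when the qube does not exist; qvm.start then reports the error` documents that.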
@@ -4,23 +4,40 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} -include: - - .create +{% set qube = slsdotpath -%} -"{{ slsdotpath }}-qubes-prefs-updatevm": +{% set running = 0 -%} +{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ qube) == qube -%} + {% set running = 1 -%} +{% endif -%} + +"{{ qube }}-start": + qvm.start: + - name: {{ qube }} + +"{{ qube }}-qubes-prefs-updatevm": cmd.run: - require: - - sls: {{ slsdotpath }}.create - - name: qubes-prefs updatevm {{ slsdotpath }} + - qvm: {{ qube }}-start + - name: qubes-prefs updatevm {{ qube }} -"{{ slsdotpath }}-qubes-prefs-default_netvm": +"{{ qube }}-qubes-prefs-default_netvm": cmd.run: - require: - - sls: {{ slsdotpath }}.create - - name: qubes-prefs default_netvm {{ slsdotpath }} + - qvm: {{ qube }}-start + - name: qubes-prefs default_netvm {{ qube }} -"{{ slsdotpath }}-qubes-prefs-clockvm": +"{{ qube }}-qubes-prefs-clockvm": cmd.run: - require: - - sls: {{ slsdotpath }}.create - - name: qubes-prefs clockvm {{ slsdotpath }} + - qvm: {{ qube }}-start + - name: qubes-prefs clockvm {{ qube }} + +{% if running == 0 -%} +"{{ qube }}-shutdown": + qvm.shutdown: + - name: {{ qube }} + - flags: + - wait + - force +{% endif -%} diff --git a/salt/sys-net/README.md b/salt/sys-net/README.md index 882bb50..4087627 100644 --- a/salt/sys-net/README.md +++ b/salt/sys-net/README.md 
@@ -15,25 +15,26 @@ provides the state "qvm.sys-net", but it will create only "sys-net", which can be a disposable or not. This package takes a different approach, it will create an AppVM "sys-net" and a DispVM "disp-sys-net". -By default, the chosen one is "sys-net", but you can choose which qube type -becomes the upstream net qube "default_netvm", the "clockvm" and the fallback -target for the "qubes.UpdatesProxy" service in case no rule matched before. +By default, the chosen one is "disp-sys-net", but you can choose which qube +type becomes the upstream net qube "default_netvm" and the fallback target for +the "qubes.UpdatesProxy" service in case no rule matched before. ## Installation Before installation, rename your current `sys-net` to another name such as -`sys-net-old`, the old qube will be used to install packages require for the -template. After successful installation and testing the new net qube +`sys-net-old`, the old qube will be used to install packages required for the +minimal template. After successful installation and testing the new net qube capabilities, you can remove the old one. If you want the default net qube back, just set `sys-net` template to the full template you are using, such as -Debian or Fedora. +Debian or Fedora. Before starting, turn on the `default_netvm` and check if +DNS is working, after that, proceed with the installation. - Top: ```sh qubesctl top.enable sys-net qubesctl --targets=tpl-sys-net state.apply qubesctl top.disable sys-net -qubesctl state.apply sys-net.prefs +qubesctl state.apply sys-net.prefs-disp ``` - State: @@ -41,7 +42,7 @@ qubesctl state.apply sys-net.prefs ```sh qubesctl state.apply sys-net.create qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install -qubesctl state.apply sys-net.prefs +qubesctl state.apply sys-net.prefs-disp ``` 
@@ -50,9 +51,9 @@ If you need to debug a net qube, install some helper tools: qubesctl --skip-dom0 --targets=tpl-sys-net state.apply sys-net.install-debug ``` -If you prefer to have a disposable net qube: +If you prefer to have an app qube as the net qube: ```sh -qubesctl state.apply sys-net.prefs-disp +qubesctl state.apply sys-net.prefs ``` You might need to install some firmware on the template for your network diff --git a/salt/sys-net/clone.sls b/salt/sys-net/clone.sls index e7c08d4..0554d7f 100644 --- a/salt/sys-net/clone.sls +++ b/salt/sys-net/clone.sls @@ -6,6 +6,3 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% from 'utils/macros/clone-template.sls' import clone_template -%} {{ clone_template('debian-minimal', sls_path) }} - -{% from 'utils/macros/clone-template.sls' import clone_template -%} -{{ clone_template('debian', sls_path) }} diff --git a/salt/sys-net/files/admin/policy/default-disp.policy b/salt/sys-net/files/admin/policy/default-disp.policy new file mode 100644 index 0000000..be4b82c --- /dev/null +++ b/salt/sys-net/files/admin/policy/default-disp.policy @@ -0,0 +1,11 @@ +# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +## Do not modify this file, create a new policy with with a lower number in the +## file name instead. For example `30-user.policy`. +qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix +qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny +qubes.UpdatesProxy * @type:TemplateVM @default allow target=disp-{{ sls_path }} +qubes.UpdatesProxy * @type:TemplateVM @anyvm deny +## vim:ft=qrexecpolicy diff --git a/salt/sys-net/files/admin/policy/default.policy b/salt/sys-net/files/admin/policy/default.policy index be4b82c..0014fa7 100644 --- a/salt/sys-net/files/admin/policy/default.policy +++ b/salt/sys-net/files/admin/policy/default.policy 
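Review bot: `default-disp.policy` is a verbatim copy of the previous `default.policy` (both carry blob id `be4b82c`) differing only in the `target=` of the `@type:TemplateVM @default allow` rule, so the whonix and deny rules now exist twice and can drift between the app-qube and disposable variants. Rendering one policy template with the proxy target as a Jinja variable, or passing the target through the `policy_set_full` call that prefs-disp.sls already makes, would keep the rule set single-sourced. The copied header comment also repeats a word; the corrected line is `## Do not modify this file, create a new policy with a lower number in the`.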
@@ -6,6 +6,6 @@ ## file name instead. For example `30-user.policy`. qubes.UpdatesProxy * @tag:whonix-updatevm @default allow target=sys-whonix qubes.UpdatesProxy * @tag:whonix-updatevm @anyvm deny -qubes.UpdatesProxy * @type:TemplateVM @default allow target=disp-{{ sls_path }} +qubes.UpdatesProxy * @type:TemplateVM @default allow target={{ sls_path }} qubes.UpdatesProxy * @type:TemplateVM @anyvm deny ## vim:ft=qrexecpolicy diff --git a/salt/sys-net/prefs-disp.sls b/salt/sys-net/prefs-disp.sls index 4cae319..fffee1b 100644 --- a/salt/sys-net/prefs-disp.sls +++ b/salt/sys-net/prefs-disp.sls 
@@ -4,17 +4,46 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} -include: - - .create - +{% set netvm = 'disp-' ~ slsdotpath -%} {% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%} -"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-disp-{{ slsdotpath }}": + +{% set running = 0 -%} +{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ default_netvm) == default_netvm -%} + {% set running = 1 -%} +{% endif -%} + +"{{ slsdotpath }}-{{ default_netvm }}-shutdown": + qvm.shutdown: + - name: {{ default_netvm }} + - flags: + - wait + - force + +{% set default_netvm_netvm = salt['cmd.shell']('qvm-prefs ' ~ default_netvm ~ ' netvm') -%} +{% if default_netvm_netvm -%} +"{{ slsdotpath }}-{{ default_netvm_netvm }}-shutdown": + qvm.shutdown: + - require: + - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown" + - name: {{ default_netvm_netvm }} + - flags: + - wait + - force +{% endif -%} + +{% from 'utils/macros/policy.sls' import policy_set_full with context -%} +{{ policy_set_full(slsdotpath, '/etc/qubes/policy.d/80-' ~ slsdotpath ~ '.policy', 'salt://' ~ slsdotpath ~ '/files/admin/policy/default-disp.policy') }} + +"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ netvm }}": qvm.vm: - require: - - qvm: disp-{{ slsdotpath }} + - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown" - name: {{ default_netvm }} - prefs: - - netvm: disp-{{ slsdotpath }} + - netvm: {{ netvm }} -{% from 'utils/macros/policy.sls' import policy_set with context -%} -{{ policy_set(sls_path, '80') }} +{% if running == 1 -%} +"{{ slsdotpath }}-{{ default_netvm }}-start": + qvm.start: + - name: {{ default_netvm }} +{% endif -%} diff --git a/salt/sys-net/prefs.sls b/salt/sys-net/prefs.sls index 31c0de2..3351567 100644 --- a/salt/sys-net/prefs.sls +++ b/salt/sys-net/prefs.sls 
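Review bot: `default_netvm` is read from `qubes-prefs default_netvm` and used unguarded as the `name:` of the `qvm.shutdown`, `qvm.vm` and `qvm.start` states, whereas create.sls in this same commit wraps the equivalent value in `{% if default_netvm -%}`; with no default netvm set the probe yields an empty string, `qvm-ls --running` without a name lists every running qube, and the first shutdown state fails on an empty name. Wrapping everything from the first `qvm.shutdown` through the final `qvm.start` in `{% if default_netvm -%} … {% endif -%}` makes the state a clean no-op in that case; `salt/sys-net/prefs.sls` has the same shape and the same gap. The final `qvm.start` also has no `require` on the `qvm.vm` state that changes the netvm, so the restart with the new netvm relies on declaration order; `- require:` / `- qvm: "{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ netvm }}"` pins it. The forced shutdown of `default_netvm_netvm` is never reverted, which is presumably intended (the old net qube is being replaced) but deserves a one-line comment stating so.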
@@ -4,17 +4,47 @@ SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. SPDX-License-Identifier: AGPL-3.0-or-later #} -include: - - .create +{% set netvm = slsdotpath -%} {% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%} -"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ slsdotpath }}": - qvm.vm: - - require: - - qvm: {{ slsdotpath }} + +{% set running = 0 -%} +{% if salt['cmd.shell']('qvm-ls --no-spinner --raw-list --running ' ~ default_netvm) == default_netvm -%} + {% set running = 1 -%} +{% endif -%} + +"{{ slsdotpath }}-{{ default_netvm }}-shutdown": + qvm.shutdown: - name: {{ default_netvm }} - - prefs: - - netvm: {{ slsdotpath }} + - flags: + - wait + - force + +{% set default_netvm_netvm = salt['cmd.shell']('qvm-prefs ' ~ default_netvm ~ ' netvm') -%} +{% if default_netvm_netvm -%} +"{{ slsdotpath }}-{{ default_netvm_netvm }}-shutdown": + qvm.shutdown: + - require: + - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown" + - name: {{ default_netvm_netvm }} + - flags: + - wait + - force +{% endif -%} {% from 'utils/macros/policy.sls' import policy_set with context -%} {{ policy_set(sls_path, '80') }} + +"{{ slsdotpath }}-set-{{ default_netvm }}-netvm-to-{{ netvm }}": + qvm.vm: + - require: + - qvm: "{{ slsdotpath }}-{{ default_netvm }}-shutdown" + - name: {{ default_netvm }} + - prefs: + - netvm: {{ netvm }} + +{% if running == 1 -%} +"{{ slsdotpath }}-{{ default_netvm }}-start": + qvm.start: + - name: {{ default_netvm }} +{% endif -%}