{# SPDX-FileCopyrightText: 2022 Thien Tran <contact@tommytran.io> SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org> SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com> SPDX-License-Identifier: MIT #} {%- from "qvm/template.jinja" import load -%} {% set mirage_version = 'v0.9.3' -%} {% set mirage_sha256sum = 'b78d6711b502f8babcc5c4083b0352b78be8e8a6bef044189ce7a00e6e564612' %} {% set mirage_file_kernel = 'qubes-firewall.xen' -%} {% set mirage_url_kernel = 'https://github.com/mirage/qubes-mirage-firewall/releases/download/' ~ mirage_version ~ '/' ~ mirage_file_kernel -%} {# Use the netvm of the default_netvm. #} {% set default_netvm = salt['cmd.shell']('qubes-prefs -- default_netvm') -%} {% set netvm = salt['cmd.shell']('qvm-prefs -- ' + default_netvm + ' netvm') -%} {# If netvm of default_netvm is empty, user's default_netvm is the first in the chain (sys-net). #} {% if netvm == '' %} {% set netvm = default_netvm %} {% endif %} {# The 'updatevm' has networking and 'curl' present. #} {% set updatevm = salt['cmd.shell']('qubes-prefs -- updatevm') %} "sys-mirage-firewall-start-updatevm-{{ updatevm }}": qvm.start: - name: {{ updatevm }} "sys-mirage-firewall-fetch-kernel": cmd.run: - require: - qvm: "sys-mirage-firewall-start-updatevm-{{ updatevm }}" - name: | qvm-run --no-gui -- {{ updatevm }} " mkdir -p -- /tmp/mirage-firewall-download cd /tmp/mirage-firewall-download curl --location \ --connect-timeout 10 \ --tlsv1.3 --proto =https \ --fail --fail-early \ --no-progress-meter --silent --show-error \ --remote-name {{ mirage_url_kernel }}" - timeout: 30 "sys-mirage-firewall-create-temporary-kernel-directory": file.directory: - require: - cmd: "sys-mirage-firewall-fetch-kernel" - name: /tmp/mirage-firewall-download - user: root - group: root - mode: '0700' - makedirs: True "sys-mirage-firewall-bring-kernel-to-dom0": cmd.run: - require: - file: "sys-mirage-firewall-create-temporary-kernel-directory" - name: | qvm-run --no-gui --pass-io -- {{ updatevm }} \ "cat -- /tmp/mirage-firewall-download/qubes-firewall.xen" | \ tee -- /tmp/mirage-firewall-download/vmlinuz >/dev/null - timeout: 10 "sys-mirage-firewall-remove-kernel-from-updatevm": cmd.run: - name: qvm-run --no-gui -- {{ updatevm }} "rm -rf -- /tmp/mirage-firewall-download" "sys-mirage-firewall-move-kernel-to-usable-directory": file.managed: - require: - cmd: "sys-mirage-firewall-bring-kernel-to-dom0" - name: /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz - source: /tmp/mirage-firewall-download/vmlinuz - source_hash: sha256={{ mirage_sha256sum }} - user: root - group: root - mode: '0644' "sys-mirage-firewall-remove-temporary-kernel": file.absent: - name: /tmp/mirage-firewall-download "sys-mirage-firewall-save-version": file.managed: - require: - file: "sys-mirage-firewall-move-kernel-to-usable-directory" - name: /var/lib/qubes/vm-kernels/mirage-firewall/version.txt - contents: {{ mirage_version }} - mode: '0644' - user: root - group: root - makedirs: True {% load_yaml as defaults -%} name: tpl-sys-mirage-firewall force: True require: - file: sys-mirage-firewall-save-version present: - class: TemplateVM - label: black prefs: - virt_mode: pvh - label: black - audiovm: "" - memory: 64 - maxmem: 64 - vcpus: 1 - kernel: mirage-firewall - kernelopts: "" - include_in_backups: False features: - enable: - skip-update {%- endload %} {{ load(defaults) }} {% load_yaml as defaults -%} name: dvm-sys-mirage-firewall force: True require: - qvm: tpl-sys-mirage-firewall present: - template: tpl-sys-mirage-firewall - label: orange prefs: - template: tpl-sys-mirage-firewall - label: orange - netvm: {{ netvm }} - audiovm: "" - memory: 64 - maxmem: 64 - vcpus: 1 - provides-network: True - template_for_dispvms: True - include_in_backups: False features: - enable: - service.qubes-firewall - no-default-kernelopts {%- endload %} {{ load(defaults) }} {% load_yaml as defaults -%} name: disp-sys-mirage-firewall force: True require: - qvm: tpl-sys-mirage-firewall present: - class: DispVM - template: dvm-sys-mirage-firewall - label: orange prefs: - template: dvm-sys-mirage-firewall - label: orange - netvm: {{ netvm }} - audiovm: "" - memory: 64 - maxmem: 64 - vcpus: 1 - provides-network: True - include_in_backups: False features: - enable: - service.qubes-firewall - no-default-kernelopts {%- endload %} {{ load(defaults) }}