{# SPDX-FileCopyrightText: 2022 Thien Tran <contact@tommytran.io> SPDX-FileCopyrightText: 2023 unman <unman@thirdeyesecurity.org> SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com> SPDX-License-Identifier: MIT #} {%- from "qvm/template.jinja" import load -%} {% set mirage_version = 'v0.9.2' -%} {% set mirage_sha256sum = '78a1ee52574b9a4fc5eda265922bcbcface90f7c43ed7a68dc8e201a2ac0a7dc' %} {% set mirage_file_kernel = 'qubes-firewall.xen' -%} {% set mirage_url_kernel = 'https://github.com/mirage/qubes-mirage-firewall/releases/download/' ~ mirage_version ~ '/' ~ mirage_file_kernel -%} {# Use the netvm of the default_netvm. #} {% set default_netvm = salt['cmd.shell']('qubes-prefs default_netvm') -%} {% set netvm = salt['cmd.shell']('qvm-prefs ' + default_netvm + ' netvm') -%} {# If netvm of default_netvm is empty, user's default_netvm is the first in the chain (sys-net). #} {% if netvm == '' %} {% set netvm = default_netvm %} {% endif %} {# The 'updatevm' has networking and 'curl' present. #} {% set updatevm = salt['cmd.shell']('qubes-prefs updatevm') %} "sys-mirage-firewall-start-updatevm-{{ updatevm }}": qvm.start: - name: {{ updatevm }} "sys-mirage-firewall-fetch-kernel": cmd.run: - require: - qvm: "sys-mirage-firewall-start-updatevm-{{ updatevm }}" - name: | qvm-run {{ updatevm }} -- " mkdir -p -- /tmp/mirage-firewall-download cd /tmp/mirage-firewall-download curl --location \ --connect-timeout 10 \ --tlsv1.3 --proto =https \ --fail --fail-early \ --no-progress-meter --silent --show-error \ --remote-name {{ mirage_url_kernel }}" - timeout: 30 "sys-mirage-firewall-create-temporary-kernel-directory": file.directory: - require: - cmd: "sys-mirage-firewall-fetch-kernel" - name: /tmp/mirage-firewall-download - user: root - group: root - mode: '0700' - makedirs: True "sys-mirage-firewall-bring-kernel-to-dom0": cmd.run: - require: - file: "sys-mirage-firewall-create-temporary-kernel-directory" - name: qvm-run --pass-io {{ updatevm }} -- "cat /tmp/mirage-firewall-download/qubes-firewall.xen" | tee -- /tmp/mirage-firewall-download/vmlinuz >/dev/null - timeout: 10 "sys-mirage-firewall-remove-kernel-from-updatevm": cmd.run: - name: qvm-run {{ updatevm }} -- "rm -rf /tmp/mirage-firewall-download" "sys-mirage-firewall-move-kernel-to-usable-directory": file.managed: - require: - cmd: "sys-mirage-firewall-bring-kernel-to-dom0" - name: /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz - source: /tmp/mirage-firewall-download/vmlinuz - source_hash: sha256={{ mirage_sha256sum }} - user: root - group: root - mode: '0644' "sys-mirage-firewall-remove-temporary-kernel": file.absent: - name: /tmp/mirage-firewall-download "sys-mirage-firewall-save-version": file.managed: - require: - file: "sys-mirage-firewall-move-kernel-to-usable-directory" - name: /var/lib/qubes/vm-kernels/mirage-firewall/version.txt - contents: {{ mirage_version }} - mode: '0644' - user: root - group: root - makedirs: True {% load_yaml as defaults -%} name: tpl-sys-mirage-firewall force: True require: - file: sys-mirage-firewall-save-version present: - class: TemplateVM - label: black prefs: - virt_mode: pvh - label: black - audiovm: "" - memory: 64 - maxmem: 64 - vcpus: 1 - kernel: mirage-firewall - kernelopts: "" - include_in_backups: False {%- endload %} {{ load(defaults) }} {% load_yaml as defaults -%} name: dvm-sys-mirage-firewall force: True require: - qvm: tpl-sys-mirage-firewall present: - template: tpl-sys-mirage-firewall - label: orange prefs: - template: tpl-sys-mirage-firewall - label: orange - netvm: {{ netvm }} - audiovm: "" - memory: 64 - maxmem: 64 - vcpus: 1 - provides-network: True - template_for_dispvms: True - include_in_backups: False features: - enable: - service.qubes-firewall - no-default-kernelopts {%- endload %} {{ load(defaults) }} {% load_yaml as defaults -%} name: disp-sys-mirage-firewall force: True require: - qvm: tpl-sys-mirage-firewall present: - class: DispVM - template: dvm-sys-mirage-firewall - label: orange prefs: - template: dvm-sys-mirage-firewall - label: orange - netvm: {{ netvm }} - audiovm: "" - memory: 64 - maxmem: 64 - vcpus: 1 - provides-network: True - include_in_backups: False features: - enable: - service.qubes-firewall - no-default-kernelopts {%- endload %} {{ load(defaults) }}