From 87f4b244b9f879087e0c4a689cfdf9e53863e277 Mon Sep 17 00:00:00 2001 From: unman Date: Fri, 12 Jul 2024 16:09:22 +0000 Subject: [PATCH] Mullvad - update spec file --- mullvad.spec | 11 ++++--- mullvad/README.md | 59 ++++++++++++++++++++++++++++++++++++++ mullvad/browser_delete.sls | 7 +++++ 3 files changed, 71 insertions(+), 6 deletions(-) create mode 100644 mullvad/README.md create mode 100644 mullvad/browser_delete.sls diff --git a/mullvad.spec b/mullvad.spec index 47c87e4..c41c108 100644 --- a/mullvad.spec +++ b/mullvad.spec @@ -1,6 +1,6 @@ Name: 3isec-qubes-mullvad-vpn Version: 2024.3 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Set up a Mullvad qube and disposable template License: GPLv3+ @@ -45,19 +45,18 @@ cp -rv %{SOURCE0}/ %{buildroot}/srv/salt if [ $1 -eq 1 ]; then qubesctl state.apply mullvad.clone qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo - qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.browser qubesctl state.apply mullvad.create_disposable qubesctl --skip-dom0 --targets=sys-mullvad state.apply mullvad.configure elif [ $1 -eq 2 ]; then - qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.browser - qubesctl --skip-dom0 --targets=sys-mullvad state.apply mullvad.browser_client - qubesctl --skip-dom0 --targets=sys-mullvad state.apply mullvad.configure - qubesctl --skip-dom0 --targets=mullvad-dvm state.apply mullvad.browser_client + qubesctl --skip-dom0 --targets=template-mullvad,sys-mullvad,mullvad-dvm state.apply mullvad.browser_delete + qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo fi %postun %changelog +* Thu Jul 11 2024 unman - 2024.3.4 +- Update to install browser from Mullvad repository * Thu Jun 13 2024 unman - 2024.3.3 - Update to include new Mullvad Browser 13.0.16 * Mon May 20 2024 unman - 2024.3.2 diff --git a/mullvad/README.md b/mullvad/README.md new file mode 100644 index 0000000..c5919dc --- /dev/null +++ b/mullvad/README.md @@ -0,0 +1,59 @@ +# Introduction +These files create a template, loaded with the MullvadVPN GUI and Mullvad Browser. +An AppVM named sys-mullvad, and a disposable template, mullvad-dvm, are +created from that template. + +## Template +The template, template-mullvad, is cloned from the debian-12-minimal template. +If the debian-12-minimal template is not present, it will be downloaded +and installed - this may take some time depending on your net connection. + +## Usage +Both the AppVM and the disposable template have the Mullvad GUI to +set up a VPN, and the Mullvad browser. You can run the Mullvad Browser +independently of the VPN. +The sys-mullvad AppVM can be used as a standard AppVM or as a vpn gateway +- set the netvm of client qubes to sys-mullvad, and they will use the VPN. No +traffic will pass except through the VPN. + +You can, of course, use template-mullvad to create other qubes for +separate VPN connections, or a qube where you will just use the Mullvad browser. + +Remember that each qube that creates a VPN will count toward the maximum of 5 clients. +Log out and close the VPN when you have finished with it: if you do not, +you will be prompted to log out other clients from the GUI when you reach the maximum. + +## Template creation +Clone the debian-12-minimal template - note the use of `qvm.template_installed` which will install the template if it is not already present +``` +sudo qubesctl state.apply mullvad.clone +``` +`clone.sls` uses `qvm.features` to set the menu. Note that you can do this *before* packages are installed. + +## Package installation +``` +sudo qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo + +``` +This state uses `pkg.installed` to install necessary packages in the template. +`cmd.run` is used to create the mullvad respository definition, and the keyring is copied in to place using `file.managed` +Mullvad packages are installed using `pkg.installed`, and desktop files are copied in to `etc/skel` in the template. This is necessary because we need custom versions to run Mullvad programs in Qubes disposables. + + +Note the use of `pillar.get` to check if a caching proxy is present, and the necessary changes to repository defintions are made using `file.replace` within a jinja command structure. + +## Qube creation +`create.sls` is a standard way of creating `sys-mullvad` - qvm.present is used to create the qube, and preferences and features are set. + +`create_disposable.sls` creates a qube and sets it as a disposable template. The Menu is configured and qvm-appmenus` is called using `cmd.run to make sure that menu items are correctly set. + +Note the use of an include statement at the head of the file. This allows a single state execution to call other states. + + +## Qube configuratioon +``` +sudo qubesctl --skip-dom0 --targets=sys-mullvad state.apply mullvad.configure +``` +The qubes firewall is configured using `file.managed` to transfer files to sys-mullvad. These are normal nftables command files. +To make sure that configuration changes are kept after a qubes restart, [bind-dirs](https://www.qubes-os.org/doc/bind-dirs/) is used. +The configuration file is created using `file.managed` diff --git a/mullvad/browser_delete.sls b/mullvad/browser_delete.sls new file mode 100644 index 0000000..f3d80ed --- /dev/null +++ b/mullvad/browser_delete.sls @@ -0,0 +1,7 @@ +# Delete existing browser +delete_browser: + file.absent: + - names: + - /etc/skel/Downloads/mullvad* + - /home/user/Downloads/mullvad* + - /home/user/mullvad-browser