Mullvad - update to debian-12

Use Mullvad GUI for VPN choice.
Install Mullvad browser
Make mullvad qube a disposable template
unman 2024-02-11 15:42:52 +00:00
parent 409c2a1e1f
commit ffc57008ca
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
13 changed files with 187 additions and 62 deletions

47
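--- a/mullvad/browser.sls
+++ b/mullvad/browser.sls
@@ -0,0 +1,47 @@
+/etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz:
+file.managed:
+- source:
+- salt://mullvad/mullvad-browser-linux-x86_64-13.0.9.tar.xz
+- user: root
+- group: root
+- makedirs: True
+mullvad-browser-linux-x86_64-13.0.9.tar.xz:
+archive.extracted:
+- name: /etc/skel
+- source: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz
+- user: user
+/etc/skel/.local/share/applications/start-mullvad-browser.desktop:
+file.managed:
+- source: salt://mullvad/start-mullvad-browser.desktop
+- makedirs: True
+- user: user
+/etc/skel/.local/share/applications/mimeinfo.cache:
+file.managed:
+- source: salt://mullvad/mimeinfo.cache
+- makedirs: True
+- user: user
+/home/user/.local/share/applications/start-mullvad-browser.desktop:
+file.managed:
+- source: salt://mullvad/start-mullvad-browser.desktop
+- makedirs: True
+- user: user
+/home/user/.local/share/applications/mimeinfo.cache:
+file.managed:
+- source: salt://mullvad/mimeinfo.cache
+- makedirs: True
+- user: user
+browser_dependencies:
+pkg.installed:
+- skip_suggestions: True
+- install_recommends: False
+- pkgs:
+- libdbus-glib-1-2
+- libnss3
+- desktop-file-utils
+- kdialog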
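Review bot: The browser tarball is staged from `salt://mullvad/mullvad-browser-linux-x86_64-13.0.9.tar.xz` and unpacked into /etc/skel, but nothing in this state records where the binary came from or what digest it should have, so a reader cannot confirm that the bundled file matches the upstream signed release. A header comment such as `# Mullvad Browser 13.0.9, verified against the upstream detached signature; sha256: <EXPECTED_SHA256>` would make that checkable. The version string is also repeated in every state ID and path, and since this commit turns the qube into a disposable template, in-browser updates presumably do not persist, so each disposable starts at 13.0.9 until the tarball is replaced. A single `{% set version = '13.0.9' %}` at the top of the file would reduce each browser security bump to a one-line change.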

3
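--- a/mullvad/browser.top
+++ b/mullvad/browser.top
@@ -0,0 +1,3 @@
+base:
+template-mullvad :
+- mullvad.browser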


@ -1,8 +1,17 @@
mullvad_precursor: mullvad_precursor:
qvm.template_installed: qvm.template_installed:
- name: debian-11-minimal - name: debian-12-minimal
qvm-clone-id: mullvad_clone:
qvm.clone: qvm.clone:
- name: template-mullvad - name: template-mullvad
- source: debian-11-minimal - source: debian-12-minimal
mullvad_menu:
qvm.features:
- name: template-mullvad
- set:
- menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"
- default-menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"


@ -1,8 +1,4 @@
mullvad_precursor: base:
qvm.template_installed: dom0:
- name: debian-11-minimal - match: nodegroup
- mullvad.clone
qvm-clone-id:
qvm.clone:
- name: template-mullvad
- source: debian-11-minimal


@ -1,37 +1,17 @@
/rw/config/rc.local: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz:
file.append:
- text: wg-quick up /rw/config/wireguard.conf
/rw/config/qubes-firewall-user-script:
file.append:
- text:
- nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
- nft insert rule filter FORWARD oifname eth0 drop
- nft insert rule filter FORWARD iifname eth0 drop
/rw/config/network-hooks.d/flush.sh:
file.managed: file.managed:
- source: - source:
- salt://mullvad/flush.sh - salt://mullvad/mullvad-browser-linux-x86_64-13.0.9.tar.xz
- user: root - user: root
- group: root - group: root
- makedirs: True - makedirs: True
- mode: 755
/rw/config/network-hooks.d/flush: mullvad-browser-linux-x86_64-13.0.9.tar.xz:
file.managed: module.run:
- source: - name: archive.tar
- salt://mullvad/flush - tarfile: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz
- user: root - options: -x -f
- group: root - runas: root
- makedirs: True - dest: /etc/skel
- mode: 755
/home/user/install.sh:
file.managed:
- source:
- salt://mullvad/install.sh
- user: root
- mode: '0755'
- replace: True
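Review bot: Nothing on the new side of this file fails closed when the tunnel is down: the `/rw/config/qubes-firewall-user-script` entries that dropped FORWARD traffic on eth0 are gone, and the remaining states only stage and unpack the browser tarball. If leak protection is now meant to come from the Mullvad app itself, state that at the top of the file, e.g. `# Leak protection relies on the Mullvad app's kill switch / lockdown mode; no nft rules are installed by this state`, and consider enabling that setting during provisioning instead of leaving it to the user. Separately, the `module.run` / `archive.tar` state unpacks as root (`runas: root`) the same tarball that mullvad/browser.sls extracts with `user: user`. Keeping only one of the two avoids root-owned files under /etc/skel, though whether this file is still referenced by any top file is not visible here.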


@ -23,3 +23,5 @@ qvm-features-id:
- service.cups - service.cups
- service.cups-browsed - service.cups-browsed
- service.tinyproxy - service.tinyproxy
- set:
- menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"


@ -0,0 +1,29 @@
include:
- mullvad.clone
create_mullvad:
qvm.present:
- name: Mullvad
- class: AppVM
- template: template-mullvad
- label: green
mullvad-prefs:
qvm.prefs:
- name: Mullvad
- memory: 400
- maxmem: 800
- vcpus: 2
- template_for_dispvms: True
mullvad-features:
qvm.features:
- name: Mullvad
- disable:
- service.cups
- service.cups-browsed
- service.tinyproxy
- set:
- menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"
- appmenus-dispvm: True


@ -0,0 +1,4 @@
base:
dom0:
- match: nodegroup
- mullvad.create_disposable


@ -38,6 +38,7 @@ mullvad_installed:
- qubes-core-agent-networking - qubes-core-agent-networking
- qubes-core-agent-passwordless-root - qubes-core-agent-passwordless-root
- iproute2 - iproute2
- libdbus-glib2.0-cil
- libnotify-bin - libnotify-bin
- mate-notification-daemon - mate-notification-daemon
- resolvconf - resolvconf
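Review bot: `libdbus-glib2.0-cil` looks like the wrong package for this list: it appears to be the CLI (Mono) binding for dbus-glib, whereas the new mullvad/browser.sls installs `libdbus-glib-1-2`, the C library a Firefox-based browser loads. If the browser dependency was intended, the line should read `- libdbus-glib-1-2`. Otherwise, add a comment naming what needs the Mono binding, because it likely pulls a Mono runtime into a template built from debian-12-minimal and enlarges what has to be patched. The `mullvad_installed` package list begins above this hunk, so the rest of it is not visible here.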

1
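--- a/mullvad/mimeinfo.cache
+++ b/mullvad/mimeinfo.cache
@@ -0,0 +1 @@
+[MIME Cache]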

Binary file not shown.


@ -3,16 +3,14 @@
# #
# #
{% if grains['nodename'] != 'dom0' %}
mullvad_repo:
file.append:
- name: /etc/apt/sources.list.d/mullvad.list
- text: "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main"
{% if salt['pillar.get']('update_proxy:caching') %} {% if salt['pillar.get']('update_proxy:caching') %}
{% set proxy = 'cacher' %}
{% endif %}
{% if grains['nodename'] != 'dom0' %}
{% if grains['os_family']|lower == 'debian' %} {% if grains['os_family']|lower == 'debian' %}
{% if grains['nodename']|lower != 'host' %} {% if grains['nodename']|lower != 'host' %}
{% if proxy == 'cacher' %}
{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %} {% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
{{ repo }}_baseurl: {{ repo }}_baseurl:
file.replace: file.replace:
@ -33,26 +31,47 @@ mullvad_repo:
- backup: False - backup: False
{% endif %} {% endif %}
{% endif %}
{% endif %}
mullvad_update: requirements_installed:
pkg.uptodate:
- refresh: True
installed:
pkg.installed: pkg.installed:
- refresh: True
- pkgs: - pkgs:
- qubes-core-agent-networking - qubes-core-agent-networking
- qubes-core-agent-passwordless-root - qubes-core-agent-passwordless-root
- iproute2 - iproute2
- libnotify-bin - libnotify-bin
- mate-notification-daemon - lsb-release
- resolvconf
- unzip echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" > /etc/apt/sources.list.d/mullvad.list :
- mullvad-vpn cmd.run
- wireguard
- wireguard-tools /usr/share/keyrings/mullvad-keyring.asc:
- zenity file.managed:
- source:
- salt://mullvad/mullvad-keyring.asc
- user: root
- group: root
- makedirs: True
{% if proxy == 'cacher' %}
/etc/apt/sources.list.d/mullvad.list:
file.replace:
- name: /etc/apt/sources.list.d/mullvad.list
- pattern: 'https:'
- repl: 'http://HTTPS/'
- flags: [ 'IGNORECASE', 'MULTILINE' ]
- backup: False
{% endif %} {% endif %}
mullvad_installed:
pkg.installed:
- refresh: True
- pkgs:
- mullvad-vpn
{% endif %}
{% endif %}
{% endif %}
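Review bot: The repository entry is now written by a `cmd.run` whose state ID is the entire `echo "deb [...]" > /etc/apt/sources.list.d/mullvad.list` command, with no `creates` or `unless` guard. It therefore runs as root on every apply, always reports a change, and overwrites the file that the cacher `file.replace` then has to patch again. Salt already knows the architecture and release, so the line can be rendered declaratively with a `file.managed` state using `- name: /etc/apt/sources.list.d/mullvad.list` and `- contents: "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch={{ grains['osarch'] }}] https://repository.mullvad.net/deb/stable {{ grains['oscodename'] }} main"`. Confirm that both grains are populated on debian-12-minimal before relying on them. As rendered, the keyring state also comes after the sources entry that references it; placing it first and giving it an explicit `- mode: '0644'` would make the trust anchor easier to audit.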


@ -0,0 +1,34 @@
#!/usr/bin/env ./Browser/execdesktop
#
# This file is a self-modifying .desktop file that can be run from the shell.
# It preserves arguments and environment for the start-mullvad-browser script.
#
# Run './start-mullvad-browser.desktop --help' to display the full set of options.
#
# When invoked from the shell, this file must always be in a Mullvad Browser root
# directory. When run from the file manager or desktop GUI, it is relocatable.
#
# After first invocation, it will update itself with the absolute path to the
# current Mullvad Browser location, to support relocation of this .desktop file for GUI
# invocation. You can also add Mullvad Browser to your desktop's application menu
# by running './start-mullvad-browser.desktop --register-app'
#
# If you use --register-app, and then relocate your Mullvad Browser directory, Mullvad Browser
# will no longer launch from your desktop's app launcher/dock. However, if you
# re-run --register-app from inside that new directory, the script
# will correct the absolute paths and re-register itself.
#
# This file will also still function if the path changes when Mullvad Browser is used as a
# portable app, so long as it is run directly from that new directory, either
# via the shell or via the file manager.
[Desktop Entry]
Type=Application
Name=Mullvad Browser
GenericName=Web Browser
Comment=Mullvad Browser is +1 for privacy and 1 for mass surveillance
Categories=Network;WebBrowser;Security;
Exec=sh -c '"/home/user/mullvad-browser/Browser/start-mullvad-browser" || ([ ! -x "/home/user/mullvad-browser/Browser/start-mullvad-browser" ] && "$(dirname "$*")"/Browser/start-mullvad-browser --detach)' dummy %k
X-MullvadBrowser-ExecShell=./Browser/start-mullvad-browser
Icon=/home/user/mullvad-browser/Browser/browser/chrome/icons/default/default128.png
StartupWMClass=Mullvad Browser