Mullvad - update to debian-12

Use Mullvad GUI for VPN choice.
Install Mullvad browser
Make mullvad qube a disposable template

mullvad/browser.sls

@@ -0,0 +1,47 @@
+/etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz:
+  file.managed:
+    - source: 
+      - salt://mullvad/mullvad-browser-linux-x86_64-13.0.9.tar.xz
+    - user: root
+    - group: root
+    - makedirs: True
+
+mullvad-browser-linux-x86_64-13.0.9.tar.xz:
+  archive.extracted:
+    - name: /etc/skel
+    - source: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz
+    - user: user
+
+/etc/skel/.local/share/applications/start-mullvad-browser.desktop:
+  file.managed:
+    - source: salt://mullvad/start-mullvad-browser.desktop
+    - makedirs: True
+    - user: user
+
+/etc/skel/.local/share/applications/mimeinfo.cache:
+  file.managed:
+    - source: salt://mullvad/mimeinfo.cache
+    - makedirs: True
+    - user: user
+
+/home/user/.local/share/applications/start-mullvad-browser.desktop:
+  file.managed:
+    - source: salt://mullvad/start-mullvad-browser.desktop
+    - makedirs: True
+    - user: user
+
+/home/user/.local/share/applications/mimeinfo.cache:
+  file.managed:
+    - source: salt://mullvad/mimeinfo.cache
+    - makedirs: True
+    - user: user
+
+browser_dependencies:
+  pkg.installed:
+    - skip_suggestions: True
+    - install_recommends: False
+    - pkgs:
+      - libdbus-glib-1-2
+      - libnss3
+      - desktop-file-utils
+      - kdialog

mullvad/browser.top

@@ -0,0 +1,3 @@
+base:
+ template-mullvad :
+    - mullvad.browser

mullvad/clone.sls

@@ -1,8 +1,17 @@
 mullvad_precursor:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
-qvm-clone-id:
+mullvad_clone:
   qvm.clone:
     - name: template-mullvad
-    - source: debian-11-minimal
+    - source: debian-12-minimal
+
+mullvad_menu:
+  qvm.features:
+    - name: template-mullvad
+    - set:
+      - menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"
+      - default-menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop" 
+
+

mullvad/clone.top

@@ -1,8 +1,4 @@
-mullvad_precursor:
+base:
-  qvm.template_installed:
+  dom0:
-    - name: debian-11-minimal
+    - match: nodegroup
-
+    - mullvad.clone
-qvm-clone-id:
-  qvm.clone:
-    - name: template-mullvad
-    - source: debian-11-minimal

mullvad/configure.sls

@@ -1,37 +1,17 @@
-/rw/config/rc.local:
+/etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz:
-  file.append:
-    - text: wg-quick up /rw/config/wireguard.conf
-
-/rw/config/qubes-firewall-user-script:
-  file.append:
-    - text:
-      - nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
-      - nft insert rule filter FORWARD oifname eth0 drop
-      - nft insert rule filter FORWARD iifname eth0 drop
-
-/rw/config/network-hooks.d/flush.sh:
   file.managed:
     - source: 
-      - salt://mullvad/flush.sh
+      - salt://mullvad/mullvad-browser-linux-x86_64-13.0.9.tar.xz
     - user: root
     - group: root
     - makedirs: True
-    - mode: 755
 
-/rw/config/network-hooks.d/flush:
+mullvad-browser-linux-x86_64-13.0.9.tar.xz:
-  file.managed:
+  module.run:
-    - source:
+    - name: archive.tar
-      - salt://mullvad/flush
+    - tarfile: /etc/skel/Downloads/mullvad_browser-linux-x86_64-13.0.9.tar.xz
-    - user: root
+    - options: -x -f
-    - group: root
+    - runas: root
-    - makedirs: True
+    - dest: /etc/skel
-    - mode: 755
 
-/home/user/install.sh:
-  file.managed:
-    - source:
-      - salt://mullvad/install.sh
-    - user: root
-    - mode: '0755'
-    - replace: True
 

mullvad/create.sls

@@ -23,3 +23,5 @@ qvm-features-id:
       - service.cups
       - service.cups-browsed
       - service.tinyproxy
+    - set:
+      - menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"

mullvad/create_disposable.sls

@@ -0,0 +1,29 @@
+include:
+  - mullvad.clone
+
+create_mullvad:
+  qvm.present:
+    - name: Mullvad
+    - class: AppVM
+    - template: template-mullvad
+    - label: green
+
+mullvad-prefs:
+  qvm.prefs:
+    - name: Mullvad
+    - memory: 400
+    - maxmem: 800
+    - vcpus: 2
+    - template_for_dispvms: True
+
+mullvad-features:
+  qvm.features:
+    - name: Mullvad
+    - disable:
+      - service.cups
+      - service.cups-browsed
+      - service.tinyproxy
+    - set:
+      - menu-items: "start-mullvad-browser.desktop mullvad-vpn.desktop debian-xterm.desktop"
+      - appmenus-dispvm: True
+

mullvad/create_disposable.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - mullvad.create_disposable

mullvad/install.sls

@@ -38,6 +38,7 @@ mullvad_installed:
       - qubes-core-agent-networking
       - qubes-core-agent-passwordless-root
       - iproute2
+      - libdbus-glib2.0-cil
       - libnotify-bin
       - mate-notification-daemon
       - resolvconf

mullvad/mimeinfo.cache

@@ -0,0 +1 @@
+[MIME Cache]

mullvad/repo.sls

@@ -3,16 +3,14 @@
 #
 #
 
-{% if grains['nodename'] != 'dom0' %}
-
-mullvad_repo:
-  file.append:
-    - name: /etc/apt/sources.list.d/mullvad.list
-    - text: "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main"
-
 {% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
 {% if grains['os_family']|lower == 'debian' %}
 {% if grains['nodename']|lower != 'host' %}
+{% if proxy  == 'cacher' %}
 {% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
 {{ repo }}_baseurl:
   file.replace:
@@ -33,26 +31,47 @@ mullvad_repo:
     - backup: False
 
 {% endif %}
-{% endif %}
-{% endif %}
 
-mullvad_update:
+requirements_installed:
-  pkg.uptodate:
-    - refresh: True
-
-installed:
   pkg.installed:
+    - refresh: True
     - pkgs:
       - qubes-core-agent-networking
       - qubes-core-agent-passwordless-root
       - iproute2
       - libnotify-bin
-      - mate-notification-daemon
+      - lsb-release
-      - resolvconf
+
-      - unzip
+echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" > /etc/apt/sources.list.d/mullvad.list :
-      - mullvad-vpn
+  cmd.run
-      - wireguard
+
-      - wireguard-tools
+/usr/share/keyrings/mullvad-keyring.asc:
-      - zenity
+  file.managed:
+    - source:
+      - salt://mullvad/mullvad-keyring.asc
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% if proxy == 'cacher' %}
+/etc/apt/sources.list.d/mullvad.list:
+  file.replace:
+    - name: /etc/apt/sources.list.d/mullvad.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
 
 {% endif %}
+
+mullvad_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - mullvad-vpn
+
+{% endif %}
+{% endif %}
+
+{% endif %}
+

mullvad/start-mullvad-browser.desktop

@@ -0,0 +1,34 @@
+#!/usr/bin/env ./Browser/execdesktop
+#
+# This file is a self-modifying .desktop file that can be run from the shell.
+# It preserves arguments and environment for the start-mullvad-browser script.
+#
+# Run './start-mullvad-browser.desktop --help' to display the full set of options.
+#
+# When invoked from the shell, this file must always be in a Mullvad Browser root
+# directory. When run from the file manager or desktop GUI, it is relocatable.
+#
+# After first invocation, it will update itself with the absolute path to the
+# current Mullvad Browser location, to support relocation of this .desktop file for GUI
+# invocation. You can also add Mullvad Browser to your desktop's application menu
+# by running './start-mullvad-browser.desktop --register-app'
+#
+# If you use --register-app, and then relocate your Mullvad Browser directory, Mullvad Browser
+# will no longer launch from your desktop's app launcher/dock. However, if you
+# re-run --register-app from inside that new directory, the script
+# will correct the absolute paths and re-register itself.
+#
+# This file will also still function if the path changes when Mullvad Browser is used as a
+# portable app, so long as it is run directly from that new directory, either
+# via the shell or via the file manager.
+
+[Desktop Entry]
+Type=Application
+Name=Mullvad Browser
+GenericName=Web Browser
+Comment=Mullvad Browser  is +1 for privacy and −1 for mass surveillance
+Categories=Network;WebBrowser;Security;
+Exec=sh -c '"/home/user/mullvad-browser/Browser/start-mullvad-browser" || ([ !  -x "/home/user/mullvad-browser/Browser/start-mullvad-browser" ] && "$(dirname "$*")"/Browser/start-mullvad-browser --detach)' dummy %k
+X-MullvadBrowser-ExecShell=./Browser/start-mullvad-browser 
+Icon=/home/user/mullvad-browser/Browser/browser/chrome/icons/default/default128.png
+StartupWMClass=Mullvad Browser