Mirage-firewall - update to release 0.9.3

spec file

3isec-common.spec

@@ -0,0 +1,31 @@
+Name:           3isec-qubes-common
+Version:        1.1
+Release:        3%{?dist}
+Summary:        Common files for 3isec packages
+
+License:        GPLv3+
+SOURCE0:        3isec-common
+
+%description
+This package provides base sls files for use by other 3isec packages
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}/srv/salt
+cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
+
+%files
+%defattr(-,root,root,-)
+/srv/salt/3isec-common/*
+
+%post
+
+%preun
+
+%changelog
+* Thu June 13 2024 unman <unman@thirdeyesecurity.org> 1.1.3
+- Add tunnel script
+* Wed May 01 2024 unman <unman@thirdeyesecurity.org> 1.1.2
+- Add store.clone files
+* Mon Mar 11 2024 unman <unman@thirdeyesecurity.org>
+- First Build

3isec-common/in.sh

@@ -7,8 +7,6 @@ Allow remote access to a named qube.
 Syntax: in.sh [-h | [ a|p ]] {add|delete} target {tcp|udp} {port number|service} [external port]
 options:
 h   Print this help
-a   Auto mode
-p   Permanent rules
 
 Specify target qube, action, tcp or udp, and target port, separated by spaces.
 The target port can be given by port number or by name (e.g ssh).
@@ -35,32 +33,29 @@ exit
 
 # Check input port
 check_port(){
-if ! [ "$2" -eq "$2" >& /dev/null ];then
-  status=1
-else
-	if [ $2 -lt 65536 ]; then
-		status=0
+
+status=0
+
+if [[ $2 =~ ^[0-9]+$ ]] ;then
+	if [ "$2" -lt 65536 ]; then
 		portnum=$2
 	else
 		status=1
 	fi
-fi
-if [ $status -ne 0 ]; then
-  if !  grep -q -w ^$2\  /etc/services  ; then
-    echo "Specify usable port number or service name"
-    exit
+else 
+  if !  grep -q -w ^"$2"\  /etc/services  ; then
+    status=1
   else
-    portnum=$( getent services $2 |awk '{split($2,a,"/");print a[1]}')
-    if [ $? -ne 0 ]; then
-      echo "Specify usable port number or service name"
-      exit
-		fi
+    portnum=$( getent services "$2" |awk 'match($0, /[0-9]+/){print substr($0, RSTART, RLENGTH)}') ||  status=1
 	fi
 fi
-echo $portnum
+if [ $status -eq 1 ]; then
+  echo "Specify usable port number or service name" && exit
+else
+  echo "$portnum"
+fi
 }
 
-
 get_handle(){
 local my_handle=$( qvm-run -q -u root -p $1 " nft -a list table $2|awk 'BEGIN{c=0} /$3/{c++; if (c==$4) print \$NF}' " )
 echo $my_handle
@@ -76,7 +71,7 @@ numhops=${#my_ips[@]}
 lasthop=$((numhops-1))
 local i=1
 iface="eth0"
-qvm-run -q -u root ${my_netvms[$lasthop]} " nft list table nat|grep ' $proto dport $portnum dnat to ${my_ips[$numhops-1]}'"
+qvm-run -q -u root ${my_netvms[$lasthop]} " nft list table qubes|grep ' $proto dport $portnum dnat to ${my_ips[$numhops-1]}'"
 if [ $? -eq 0 ]; then
 	echo "Are rules already set?"
 	exit
@@ -94,23 +89,12 @@ do
 	if [ $i -eq $lasthop ]; then
 		iface=$external_iface
 	fi
-	# Is it nft or iptables?
-	local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
-	if [[ x$found == 'x' ]]; then
-		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -I QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT"
-		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -t nat -I PR-QBS-SERVICES -i $iface -p $proto --dport $portnum_used -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target"
-    if [ $permanent -eq 1 ]; then
-      qvm-run -q -u root ${my_netvms[$i]} -- "echo iptables -I QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT >> /rw/config/rc.local"
-      qvm-run -q -u root ${my_netvms[$i]} -- "echo iptables -t nat -I PR-QBS-SERVICES -i $iface -p $proto --dport $portnum_used -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
-    fi
-	else
-		qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
-		qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
-    if  [ $permanent -eq 1 ]; then
-      qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
-      qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
-    fi
-	fi
+	 qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule qubes dnat-dns meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target
+	 qvm-run -q -u root ${my_netvms[$i]} -- nft insert rule qubes custom-forward meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept
+   if  [ $permanent -eq 1 ]; then
+     qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule qubes dnat-dns PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target >> /rw/config/rc.local"
+     qvm-run -q -u root ${my_netvms[$i]} -- "echo nft insert rule qubes dnat-dns meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept >> /rw/config/rc.local"
+   fi
 	((i++))
 done
 }
@@ -128,6 +112,7 @@ iface="eth0"
 echo "Removing firewall rules"
 while [ $i -gt 0 ]
 do
+  echo "${my_netvms[$i]}"
   if [ $i -eq 1 ]; then
     portnum_used=$external_portnum
     portnum_target=$portnum
@@ -135,35 +120,19 @@ do
     portnum_used=$external_portnum
     portnum_target=$external_portnum
   fi
-	# Is it nft or iptables?
-	echo "${my_netvms[$i]}"
-	local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- "nft list table nat 2>/dev/null" )
- 	if [[ x$found == 'x' ]]; then
-		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -D QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT"
-		qvm-run -q -u root ${my_netvms[$i]} -- "iptables -t nat -D PR-QBS-SERVICES -i $iface -p $proto --dport $external_portnum -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target"
+		local handle=$( get_handle ${my_netvms[$i]} qubes "dport $external_portnum " 1 )
+		qvm-run -q  -u root ${my_netvms[$i]} -- "nft delete rule qubes custom-forward handle $handle"
+		local handle=$( get_handle ${my_netvms[$i]} qubes "dport $external_portnum " 1 )
+		qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule qubes dnat-dns handle $handle"
     if [ $permanent -eq 1 ]; then
-      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/iptables -D QBS-FORWARD -i $iface -p $proto --dport $portnum_target -d ${my_ips[$i-1]} -j ACCEPT/d' /rw/config/rc.local"
-      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/iptables -t nat -D PR-QBS-SERVICES -i $iface -p $proto --dport $external_portnum -j DNAT --to-destination ${my_ips[$i-1]}:$portnum_target/d' /rw/config/rc.local"
+      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule qubes dnat-dns meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d'  /rw/config/rc.local"
+      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule qubes QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d'  /rw/config/rc.local"
     fi
-	else
-		local handle=$( get_handle ${my_netvms[$i]} nat "dport $external_portnum " 1 )
-		qvm-run -q  -u root ${my_netvms[$i]} -- "nft delete rule nat PR-QBS-SERVICES handle $handle"
-		local handle=$( get_handle ${my_netvms[$i]} filter "dport $external_portnum " 1 )
-		qvm-run -q -u root ${my_netvms[$i]} -- "nft delete rule filter QBS-FORWARD handle $handle"
-    if [ $permanent -eq 1 ]; then
-      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule nat PR-QBS-SERVICES meta iifname $iface $proto dport $portnum_used dnat to ${my_ips[$i-1]}:$portnum_target/d'  /rw/config/rc.local"
-      qvm-run -q -u root ${my_netvms[$i]} -- "sed -i '/nft insert rule filter QBS-FORWARD meta iifname $iface ip daddr ${my_ips[$i-1]} $proto dport $portnum_target ct state new accept/d'  /rw/config/rc.local"
-    fi
-	fi
 	((i--))
 done
-local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table nat 2>/dev/null )
-if [[ x$found == 'x' ]]; then
-	qvm-run -q -u root ${my_netvms[$i]} " iptables -D INPUT -p $proto --dport $external_portnum -j ACCEPT"
-else
-	handle=$( get_handle ${my_netvms[$i]} filter "dport $portnum " 1 )
-	qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule filter INPUT handle $handle
-fi
+local found=$( qvm-run -p -q -u root ${my_netvms[$i]} -- nft list table qubes 2>/dev/null )
+	handle=$( get_handle ${my_netvms[$i]} qubes "dport $portnum " 1 )
+	qvm-run -q -u root ${my_netvms[$i]} -- nft delete rule qubes custom-input handle $handle
 exit
 }
 
@@ -187,6 +156,7 @@ while getopts ${optstring} option ; do
     a)
       auto=1 ;;
     p)
+      exit
       permanent=1 ;;
     ?)
       get_help ;; 
@@ -276,27 +246,16 @@ elif [ $1 == "add" ]; then
 	ips[$hop]=$ip
 
 	# Create tunnel
-	found=$( qvm-run -p -q -u root $qube_name -- nft list table nat 2>/dev/null )
- 	if [[ x$found == 'x' ]]; then
-		found=$(qvm-run -p -u root $qube_name "iptables -L -nv |grep -c '.*ACCEPT.*$proto dpt:$portnum' ")
-		if [ "$found" -gt 0 ]; then
-			echo "Input rule in $qube_name already exists"
-			echo "Please check configuration - exiting now."
-			exit
-		else
-			qvm-run -q -u root $qube_name  "iptables -I INPUT -p $proto --dport $portnum -j ACCEPT "
-		fi
-	else
-		qvm-run -q -u root $qube_name  "nft list table filter|grep '$proto dport $portnum accept' "
+	found=$( qvm-run -p -q -u root $qube_name -- nft list table qubes 2>/dev/null )
+		qvm-run -q -u root $qube_name  "nft list table qubes|grep '$proto dport $portnum accept' "
 		if [ $? -eq 0 ]; then
 			echo "Input rule in $qube_name already exists"
 			echo "Please check configuration - exiting now."
 			exit
 		else
-			handle=$( get_handle $qube_name filter related,established 1)
-			qvm-run -q -u root $qube_name -- nft add rule filter INPUT position $handle iifname eth0 $proto dport $portnum accept
+			#handle=$( get_handle $qube_name qubes related,established 1)
+			qvm-run -q -u root $qube_name -- nft add rule qubes custom-input iifname eth0 $proto dport $portnum accept
 		fi
-	fi
 	tunnel netvms[@] ips[@]
 	if [ $? -ne 0 ]; then
 		teardown netvms[@] ips[@]

3isec-common/mutt/install.sls

@@ -4,12 +4,21 @@
 {% if grains['nodename'] != 'dom0' %}
 
 {% if salt['pillar.get']('update_proxy:caching') %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
 
 /etc/apt/sources.list:
   file.replace:
     - names:
       - /etc/apt/sources.list
-      - /etc/apt/sources.list.d/qubes-r4.list
     - pattern: 'https://'
     - repl: 'http://HTTPS///'
     - flags: [ 'IGNORECASE', 'MULTILINE' ]
@@ -48,14 +57,14 @@ change_timeout:
 default_muttrc:
   file.managed:
     - name: /etc/skel/.muttrc
-    - source: salt://mutt/muttrc
+    - source: salt://3isec-common/mutt/muttrc
     - user: user
     - group: user
 
 helper_script:
   file.managed:
     - name: /etc/skel/setup_mutt.sh
-    - source: salt://mutt/setup_mutt.sh
+    - source: salt://3isec-common/mutt/setup_mutt.sh
     - user: user
     - group: user
     - mode: 744
@@ -63,7 +72,7 @@ helper_script:
 helper_script_menu:
   file.managed:
     - name: /usr/share/applications/mutt_setup.desktop
-    - source: salt://mutt/mutt_setup.desktop
+    - source: salt://3isec-common/mutt/mutt_setup.desktop
     - user: user
     - group: user
     - mode: 755

3isec-common/store/clone.sls

@@ -0,0 +1,15 @@
+store_precursor:
+  qvm.template_installed:
+    - name: debian-12-minimal
+
+store_clone:
+  qvm.clone:
+    - name: template-store
+    - source: debian-12-minimal
+
+store_menu:
+  qvm.features:
+    - name: template-store
+    - set:
+      - menu-items: "thunar.desktop debian-xterm.desktop"
+      - default-menu-items: "thunar.desktop debian-xterm.desktop"

3isec-common/store/clone.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - 3isec-common.store.clone

3isec-common/store/install.sls

@@ -0,0 +1,49 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+{% if grains['nodename'] != 'dom0' %}
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+  file.replace:
+    - name: /etc/apt/sources.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+{% endif %}
+{% endif %}
+
+store_allow-testing:
+  file.uncomment:
+    - name: /etc/apt/sources.list.d/qubes-r4.list
+    - regex: ^deb\s.*qubes-os.org.*-testing
+    - backup: false
+
+store_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - qubes-core-agent-thunar
+      - edbrowse
+      - thunar
+    - install_recommends: False
+
+{% endif %}
+

3isec-common/store/install.top

@@ -1,5 +1,5 @@
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
 base:
-  template-mutt:
-    - mutt.install
+  '*':
+    - 3isec-common.store.install

cacher.spec

@@ -1,5 +1,5 @@
 Name:           3isec-qubes-cacher
-Version:       	1.10
+Version:       	1.16
 Release:        1%{?dist}
 Summary:        A caching proxy in Qubes
 
@@ -7,7 +7,7 @@ License:        GPLv3+
 SOURCE0:        cacher
 
 %description
-This package provides a caching proxy, named cacher.
+This package provides a caching proxy qube, named cacher.
 A caching proxy stores downloaded packages, so that you need only download
 a package once for it to be used when updating many templates.
 The proxy is preconfigured to work out of the box for Debian, Ubuntu,
@@ -15,9 +15,10 @@ Arch, and Fedora templates.
 
 When you install this package your Qubes system will be altered to use
 the proxy by default.
-This is done with an entry in /etc/qubes/policy.d/30-user.policy
+This is done with an entry in /etc/qubes/policy.d/50-config-updates.policy
+in Qubes 4.2
 If you want to change the proxy setting for some/all templates, edit
-that file.
+that file, or use the GUI global settings tool.
 
 So that you can use https:// in your repository definitions, the entries
 will be changed in the templates.
@@ -39,7 +40,7 @@ In dom0 run:
 replacing TEMPLATE with the name of the new template. 
 
 When this package is installed it will attempt to rewrite repository
-definitions in all templates.
+definitions in ALL templates.
 This includes templates that are not under salt control, like Windows
 templates.
 You must manually shutdown those templates.
@@ -78,6 +79,7 @@ if [ $1 -eq 1 ]; then
   qubesctl state.apply cacher.use
   qubesctl --skip-dom0 --templates state.apply cacher.change_templates
 elif [ $1 -eq 2 ]; then
+  qubesctl state.apply cacher.use
   qubesctl --skip-dom0 --targets=template-cacher state.apply cacher.update
 fi
 
@@ -88,10 +90,31 @@ fi
 
 %postun
 if [ $1 -eq 0 ]; then
-  sed -i /qubes.UpdatesProxy.*target=cacher/d /etc/qubes/policy.d/30-user.policy
+  sed -i /qubes.UpdatesProxy.*target=cacher/d /etc/qubes/policy.d/50-config-updates.policy
+  rm /srv/pillar/_tops/base/update_proxy.top
+  rm /srv/pillar/update_proxy/init.top
+  rm /srv/pillar/update_proxy/init.sls
 fi
 
 %changelog
+* Tue June 06 2024 unman <unman@thirdeyesecurity.org> - 1.16.1
+- Update config file for acng 3.7.4
+- Change handling of repository lists installed by package and extra definitions.
+- Improve handling of Fedora repositories.
+* Sun Mar 31 2024 unman <unman@thirdeyesecurity.org> - 1.15.2
+- Make sure that configuration is correctly prepended to policy file. 
+* Thu Feb 22 2024 unman <unman@thirdeyesecurity.org> - 1.15
+- Bug fix
+* Sat Feb 10 2024 unman <unman@thirdeyesecurity.org> - 1.14
+- Bug fix
+* Sat Feb 10 2024 unman <unman@thirdeyesecurity.org> - 1.13
+- mask tinyproxy
+* Tue Jan 30 2024 unman <unman@thirdeyesecurity.org> - 1.12
+- Update file locations for use in Qubes 4.2
+* Thu Nov 30 2023 unman <unman@thirdeyesecurity.org> - 1.11
+- Change base template to Debian-12-minimal for new install.
+- Update fedora mirror list
+- Change packaging logic on handling pillar when deleting package 
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.10
 - Create pillar for cacher
 * Sun Jan 29 2023 unman <unman@thirdeyesecurity.org> - 1.9

cacher/50_user.conf

@@ -1,2 +1,8 @@
 binds+=( '/var/cache/apt-cacher-ng' )
 binds+=( '/var/log/apt-cacher-ng' )
+binds+=( '/etc/apt-cacher-ng/acng.conf' )
+binds+=( '/etc/apt-cacher-ng/archlx_mirrors_extra' )
+binds+=( '/etc/apt-cacher-ng/debian_mirrors_extra' )
+binds+=( '/etc/apt-cacher-ng/fedora_mirrors_extra' )
+binds+=( '/etc/apt-cacher-ng/blackarch_mirror-list' )
+binds+=( '/etc/apt-cacher-ng/Qubes_mirrors' )

cacher/Qubes_mirrors

@@ -0,0 +1,30 @@
+http://ftp.halifax.rwth-aachen.de/qubes/
+http://ftp.icm.edu.pl/pub/os/qubes/
+https://ftp.cc.uoc.gr/mirrors/linux/qubes/
+https://ftp.qubes-os.org/
+https://ftp.rnl.tecnico.ulisboa.pt/pub/qubesos/
+https://is.mirror.flokinet.net/qubes/
+https://mirror-2.hosthink.net/qubes/
+https://mirror.accum.se/mirror/qubes-os.org/
+https://mirror.hackingand.coffee/qubes/
+https://mirror.koljasagorski.de/qubes/
+https://mirror.krmir.org/qubes/
+https://mirror.leitecastro.com/qubes/
+https://mirror.library.ucy.ac.cy/linux/qubes/
+https://mirrors.aliyun.com/qubes/
+https://mirrors.dgplug.org/qubes/
+https://mirrors.dotsrc.org/qubes/
+https://mirrors.edge.kernel.org/qubes/
+https://mirrors.gigenet.com/qubes/
+https://mirrors.hyperreal.coffee/qubes/
+https://mirrors.nju.edu.cn/qubes/
+https://mirrors.qontinuum.space/qubes-os/
+https://mirrors.tuna.tsinghua.edu.cn/qubesos/
+https://mirrors.ukfast.co.uk/sites/qubes-os.org/
+https://nl.mirror.flokinet.net/qubes/
+https://plug-mirror.rcac.purdue.edu/qubes/
+https://polish-mirror.evolution-host.com/qubes/
+https://quantum-mirror.hu/mirrors/pub/qubes/
+https://qubes-mirror.igniterefereeing.com.au/
+https://qubesos-mirror.applied-privacy.net/
+https://ro.mirror.flokinet.net/qubes/

cacher/README

@@ -18,7 +18,6 @@ qubesctl --skip-dom0 --templates state.apply cacher.change_templates
 Or target individual templates, as you wish:
 qubesctl --skip-dom0 --targets=TEMPLATE1,TEMPLATE2  state.apply cacher.change_templates  
 
-
 N.B
 apt-cacher-ng works well for Debian,Ubuntu,and Arch.  
 It works reasonably well for Fedora, but may require further tweaking of the apt-cacher-ng control file, and the fedora_mirrors lists.
@@ -29,4 +28,7 @@ qubesctl --skip-dom0 --targets=TEMPLATE1,TEMPLATE2  state.apply cacher.restore_t
 
 The qrexec policy file at  /etc/qubes/policy.d/30-user.policy should be edited so that these templates use the default system proxy.
 
+Templates or qubes that cannot run over qrexec, can connect to the caching
+server if you set cacher as netvm, or upstream, and configure the qube to use
+Proxy address of CACHER_IP:8082.
 

cacher/acng.conf

@@ -11,14 +11,20 @@
 # software package downloads. It's supposed to be in a directory specified by
 # the -c option of apt-cacher-ng, see apt-cacher-ng(8) for details.
 # RULES:
-# Letter case in variable names does not matter, names and values should be
-# separated with colons. For boolean variables, zero number is considered false,
-# non-zero considered true. If a default value is not explicitly mentioned in
-# the description, the commented value assignments mostly represent the default
-# values of the particular variables.
+# - letter case in variable names does not matter
+# - names and values are separated by colon or equals sign
+# - for boolean variables, zero means false, non-zero means true
+# - "default value" means built-in (!) defaults, i.e. something which the
+#   program uses if the option is not set here or in other config files.
+#   That value might be explicitly mentioned in the description. Where it is
+#   not, there is no reason to assume any of the examples to be the default
+#   value! In doubt, use acngtool to query the value of the particular variable.
 
 # Storage directory for downloaded data and related maintenance activity.
 #
+# Note: When the value for CacheDir is changed, change the file
+# /lib/systemd/system/apt-cacher-ng.service too
+#
 CacheDir: /var/cache/apt-cacher-ng
 
 # Log file directory, can be set empty to disable logging
@@ -34,6 +40,7 @@ SupportDir: /usr/lib/apt-cacher-ng
 # Can be set to 9999 to emulate apt-proxy. Value of 0 turns off TCP server
 # (SocketPath must be set in this case).
 #
+# Port:3142
 Port:8082
 
 # Addresses or hostnames to listen on. Multiple addresses must be separated by
@@ -41,7 +48,9 @@ Port:8082
 # local interface. DNS resolution is performed using getaddrinfo(3) for all
 # available protocols (IPv4, IPv6, ...). Using a protocol specific format will
 # create binding(s) only on protocol specific socket(s), e.g. 0.0.0.0 will
-# listen only to IPv4.
+# listen only to IPv4. The endpoint can also be specified as host:port (or
+# [ipv6-address]:port) which allows binding on non-standard ports (Port
+# directive is ignored in this case).
 #
 # Default: listens on all interfaces and protocols
 #
@@ -59,18 +68,21 @@ Port:8082
 # In this example, some backends files might be generated during package
 # installation using information collected on the system.
 # Examples:
-#Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian ; file:backends_debian # Debian Archives
-#Remap-alxrep: file:archlx_mirrors /archlinux # ; file:backend_archlx # Arch Linux
-Remap-alxrep: file:archlx_mirrors /archlinux 
-Remap-debrep: https://deb.debian.org http://deb.debian.org  file:deb_mirrors.gz /debian 
-Remap-fedora: file:fedora_mirrors # Fedora Linux
+# Remap-alxrep: file:archlx_mirrors /archlinux 
+Remap-alxrep: file:archlx_mirrors file:archlx_mirrors_extra   /archlinux
+Remap-blackarch: file:blackarch_mirror-list  /blackarch
+Remap-debrep: file:deb_mirror*.gz file:debian_mirrors_extra /debian ; file:backends_debian # Debian Archives
+Remap-fedrep: file:fedora_mirrors file:fedora_mirrors_extra ; https://mirrors.kernel.org/fedora/ https://ftp-stud.hs-esslingen.de/pub/fedora/linux/  # Fedora Linux
+
 Remap-uburep: file:ubuntu_mirrors /ubuntu ; file:backends_ubuntu # Ubuntu Archives
+Remap-Qubes: file:Qubes_mirrors
+Remap-klxrep: file:kali_mirrors /kali ; file:backends_kali # Kali Linux Archives
 Remap-cygwin: file:cygwin_mirrors /cygwin # ; file:backends_cygwin # incomplete, please create this file or specify preferred mirrors here
-#Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
+Remap-sfnet:  file:sfnet_mirrors # ; file:backends_sfnet # incomplete, please create this file or specify preferred mirrors here
 Remap-epel:   file:epel_mirrors # Fedora EPEL
 Remap-slrep:  file:sl_mirrors # Scientific Linux
 Remap-gentoo: file:gentoo_mirrors.gz /gentoo ; file:backends_gentoo # Gentoo Archives
-Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-security
+Remap-secdeb: https://security.debian.org https://security.debian.org/debian-security https://deb.debian.org/debian-security /debian-security cdn-fastly.deb.debian.org/debian-security #; deb.debian.org/debian-security security.debian.org cdn-fastly.deb.debian.org/debian-security
 
 # Virtual page accessible in a web browser to see statistics and status
 # information, i.e. under http://localhost:3142/acng-report.html
@@ -83,11 +95,12 @@ Remap-secdeb: security.debian.org ; security.debian.org deb.debian.org/debian-se
 ReportPage: acng-report.html
 
 # Socket file for accessing through local UNIX socket instead of TCP/IP. Can be
-# used with inetd (via bridge tool in.acng from apt-cacher-ng package).
+# used with inetd (via bridge tool in.acng from apt-cacher-ng package), is also
+# used internally for administrative purposes.
 #
-# Default: not set, UNIX socket bridge is disabled.
+# Default: /run/apt-cacher-ng/socket
 #
-# SocketPath:/var/run/apt-cacher-ng/socket
+# SocketPath: /var/run/apt-cacher-ng/socket
 
 # If set to 1, makes log files be written to disk on every new line. Default
 # is 0, buffers are flushed after the client disconnects. Technically,
@@ -128,6 +141,18 @@ UnbufferLogs: 1
 #
 ExThreshold: 4
 
+# If set to true, the removal (i.e. response status 404) of remote
+# volatile/index files is considered a hint to consider the local cached
+# versions irrelevant and also expire them just like package files. This adds
+# some risk of removing too much cache contents in cases where a middlebox
+# reports bogus 404 codes.
+#
+# If false (0), a less sloppy algorithm is used to invalidate certain keyfiles
+# first, which might subsequently expire the cache contents but much later or
+# maybe never unless the administrator intervenes.
+#
+FollowIndexFileRemoval: 1
+
 # If the expiration is run daily, it sometimes does not make much sense to do
 # it because the expected changes (i.e. removal of expired files) don't justify
 # the extra processing time or additional downloads for expiration operation
@@ -192,6 +217,17 @@ ExThreshold: 4
 # is refused when this value is reached (below zero = unlimited).
 # MaxConThreads: -1
 #
+# Timeout for a forced disconnect in cases where a client connection is about
+# to be closed but remote refuses to confirm the disconnect request. Setting
+# this to a lower value mitigates the effects of resource starvation in case of
+# a DOS attack but increases the risk of failing to flush the remaining portion
+# of data.
+# DisconnectTimeout: 15
+
+# By default, if a remote suddenly reconnects, ACNG tries at least two times to
+# redownload from the same or different location (if known).
+# DlMaxRetries: 2
+
 # Pigeonholing files (like static vs. volatile contents) is done by (extended)
 # regular expressions.
 #
@@ -219,9 +255,11 @@ ExThreshold: 4
 #
 # To see examples of the expected syntax, run: apt-cacher-ng -p debug=1
 #
-PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f35&arch=x86_64|.*f36&arch=x86_64|.*f37&arch=x86_64
-# VfilePatternEx:
-VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*pkg.tar.zst.sig|.*archlinux.*sha256sums.txt|.*archlinux/iso.*tar.gz.sig
+PfilePatternEx: .*yaml.gz$|.*fedora.*arch=x86_64$|.*f37&arch=x86_64|.*f38&arch=x86_64|.*f39&arch=x86_64
+VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*archlinux.*sha256sums.txt|.*archlinux/iso.*tar.gz.sig|.*arch*.db|.*arch*.db.sig
+#VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*archlinux.*sha256sums.txt|.*archlinux/iso.*tar.gz.sig|.*arch*.db|.*arch*.db.sig
+#VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM-GPG-KEY.*|.*\?repo=fedora|.*pkg.tar.zst.sig|.*archlinux.*sha256sums.txt|.*archlinux/iso.*tar.gz.sig
+
 # SPfilePatternEx:
 # SVfilePatternEx:
 # WfilePatternEx:
@@ -277,7 +315,14 @@ VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM
 
 # Network timeout for outgoing connections, in seconds.
 #
-# NetworkTimeout: 60
+# NetworkTimeout: 40
+
+# Fast fallback timeout, in seconds. This is the time to wait before
+# alternative target addresses for a client connection are tried, which can be
+# usefull for quick fallback to IPv4 in case of whacky IPv6 configuration.
+#
+# FastTimeout = 4
+FastTimeout = 6
 
 # Sometimes it makes sense to not store the data in cache and just return the
 # package data to client while it comes in. The following DontCache* parameters
@@ -304,8 +349,8 @@ VfilePatternEx: .*fedora.*updateinfo.*xml.zck$|^/\?release=[0-9]+&arch=.*|.*/RPM
 #
 # Example:
 # DontCache: .*.local.university.int
-DontCache: .*fedora.*updates.*updateinfo.xml.zck .*updates/3*/.*repomd.xml
-#DontCache: .*fedora.*updates.*updateinfo.xml.zck
+# DontCache: .*fedora.*updates.*updateinfo.xml.zck  .*fedora.*repomd.xml
+
 
 # Default permission set of freshly created files and directories, as octal
 # numbers (see chmod(1) for details).
@@ -363,6 +408,7 @@ LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
 # the safety period is over.
 #
 # KeepExtraVersions: 0
+KeepExtraVersions: 1
 
 # Optionally uses TCP access control provided by libwrap, see hosts_access(5)
 # for details. Daemon name is apt-cacher-ng.
@@ -391,6 +437,7 @@ LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
 # for any port.
 #
 # AllowUserPorts: 80
+AllowUserPorts: 80 443
 
 # Normally the HTTP redirection responses are forwarded to the original caller
 # (i.e. APT) which starts a new download attempt from the new URL. This
@@ -407,12 +454,14 @@ LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
 
 # There some broken HTTP servers and proxy servers in the wild which don't
 # support the If-Range header correctly and return incorrect data when the
-# contents of a (volatile) file changed. Setting VfileUseRangeOps to zero
-# disables Range-based requests while retrieving volatile files, using
-# If-Modified-Since and requesting the complete file instead. Setting it to
-# a negative value removes even If-Modified-Since headers.
+# contents of a (volatile) file changed. This also applies to incomplete
+# resumed downloads.  Setting VfileUseRangeOps to 0 disables Range-based
+# requests (using purely If-Modified-Since and requesting the complete file
+# instead, if changed). Setting it to a negative value removes even this check
+# and means fetching the whole file from the beginning.
 #
 # VfileUseRangeOps: 1
+VfileUseRangeOps: 0
 
 # Allow data pass-through mode for certain hosts when requested by the client
 # using a CONNECT request. This is particularly useful to allow access to SSL
@@ -424,20 +473,16 @@ LocalDirs: acng-doc /usr/share/doc/apt-cacher-ng
 #
 # Default: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
 # PassThroughPattern: ^(bugs\.debian\.org|changelogs\.ubuntu\.com):443$
-#PassThroughPattern: ^codecs\.fedoraproject\.org:443$|mirrors.rpmfusion.org:443
-PassThroughPattern: ^codecs\.fedoraproject\.org:443$
 
-# It's possible that an evil client requests a volatile file but does not
-# retrieve the response and keeps the connection effectively stuck over
-# many hours, blocking the particular file for other download attempts (which
-# leads to not reporting file changes on server side to other users). The work
-# around is the use of alternative file descriptors inside of apt-cacher-ng,
-# however this might cost some extra download traffic due to worse cache usage.
-# The ResponseFreezeDetectTime value specifies when a file descriptor in the
-# mentioned state is to be considered defect and will require special handling.
-# Default time is 500 seconds.
+# Interval an overaged local cache item (i.e. active file descriptor) can be
+# considered broken so that a new forced download can be started. Such
+# situation can happen when a very slow clients keeps a hot cache item active
+# for extended amounts of time so that even the remote freshness checks
+# intervals might become overrun.
 #
-# ResponseFreezeDetectTime: 500
+# Default time is based on the value of FreshIndexMaxAge with a safety factor.
+#
+# ResponseFreezeDetectTime: 60
 
 # Keep outgoing connections alive and reuse them for later downloads from
 # the same server as long as possible.
@@ -544,3 +589,11 @@ PassThroughPattern: ^codecs\.fedoraproject\.org:443$
 # Set to zero to disable this feature completely. Default: one megabyte
 #
 # ReserveSpace: 1048576
+
+# PermitCacheControl will allow users to specify a few hints for processing
+# of a request, for example bypassing the local cache (see
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control for
+# no-cache, no-store).
+#
+# PermitCacheControl: no-cache, no-store
+

cacher/archlx_mirrors

@@ -1,345 +0,0 @@
-http://arch.hu.fo/archlinux/
-http://arch.jensgutermuth.de/
-http://arch.lucassymons.net/
-http://arch.midov.pl/arch/
-http://arch.mirror.constant.com/
-http://arch.mirror.far.fi/
-http://arch.mirror.square-r00t.net/
-http://arch.mirror.zachlge.org/
-http://arch.mirrors.lavatech.top/
-http://arch.mirrors.pair.com/
-http://arch.nimukaito.net/
-http://arch.nixlab.pl/
-http://arch.opnmirror.co.za/
-http://arch.petarmaric.com/
-http://arch.serverspace.co.uk/arch/
-http://arch.softver.org.mk/archlinux/
-http://arch.yourlabs.org/
-http://archimonde.ts.si/archlinux/
-http://archlinux.c3sl.ufpr.br/
-http://archlinux.ccns.ncku.edu.tw/archlinux/
-http://archlinux.cs.nctu.edu.tw/
-http://archlinux.cu.be/
-http://archlinux.de-labrusse.fr/
-http://archlinux.dynamict.se/
-http://archlinux.grena.ge/
-http://archlinux.honkgong.info/
-http://archlinux.ip-connect.vn.ua/
-http://archlinux.iskon.hr/
-http://archlinux.koyanet.lv/archlinux/
-http://archlinux.mailtunnel.eu/
-http://archlinux.mirror.ba/
-http://archlinux.mirror.colo-serv.net/
-http://archlinux.mirror.digitalpacific.com.au/
-http://archlinux.mirror.garr.it/archlinux/
-http://archlinux.mirror.iphh.net/
-http://archlinux.mirror.kangaroot.net/
-http://archlinux.mirror.liquidtelecom.com/
-http://archlinux.mirror.liteserver.nl/
-http://archlinux.mirror.pcextreme.nl/
-http://archlinux.mirror.py/archlinux/
-http://archlinux.mirror.rafal.ca/
-http://archlinux.mirror.root.lu/
-http://archlinux.mirror.server24.net/
-http://archlinux.mirror.wearetriple.com/
-http://archlinux.mirrors.benatherton.com/
-http://archlinux.mirrors.linux.ro/
-http://archlinux.mirrors.ovh.net/archlinux/
-http://archlinux.mirrors.uk2.net/
-http://archlinux.nautile.nc/archlinux/
-http://archlinux.polymorf.fr/
-http://archlinux.pop-es.rnp.br/
-http://archlinux.rezopole.net/
-http://archlinux.surlyjake.com/archlinux/
-http://archlinux.thaller.ws/
-http://archlinux.uib.no/
-http://archlinux.uk.mirror.allworldit.com/archlinux/
-http://archlinux.za.mirror.allworldit.com/archlinux/
-http://archlinux.zepto.cloud/
-http://archmirror.hbit.sztaki.hu/archlinux/
-http://archmirror1.octyl.net/
-http://arlm.tyzoid.com/
-http://artfiles.org/archlinux.org/
-http://br.mirror.archlinux-br.org/
-http://ca.us.mirror.archlinux-br.org/
-http://dfw.mirror.rackspace.com/archlinux/
-http://distro.ibiblio.org/archlinux/
-http://f.archlinuxvn.org/archlinux/
-http://free.nchc.org.tw/arch/
-http://ftp-stud.hs-esslingen.de/pub/Mirrors/archlinux/
-http://ftp.acc.umu.se/mirror/archlinux/
-http://ftp.agdsn.de/pub/mirrors/archlinux/
-http://ftp.byfly.by/pub/archlinux/
-http://ftp.cc.uoc.gr/mirrors/linux/archlinux/
-http://ftp.energia.mta.hu/pub/mirrors/ftp.archlinux.org/
-http://ftp.fau.de/archlinux/
-http://ftp.fi.muni.cz/pub/linux/arch/
-http://ftp.gwdg.de/pub/linux/archlinux/
-http://ftp.halifax.rwth-aachen.de/archlinux/
-http://ftp.harukasan.org/archlinux/
-http://ftp.heanet.ie/mirrors/ftp.archlinux.org/
-http://ftp.hosteurope.de/mirror/ftp.archlinux.org/
-http://ftp.icm.edu.pl/pub/Linux/dist/archlinux/
-http://ftp.iinet.net.au/pub/archlinux/
-http://ftp.jaist.ac.jp/pub/Linux/ArchLinux/
-http://ftp.lanet.kr/pub/archlinux/
-http://ftp.linux.cz/pub/linux/arch/
-http://ftp.linux.org.tr/archlinux/
-http://ftp.lysator.liu.se/pub/archlinux/
-http://ftp.myrveln.se/pub/linux/archlinux/
-http://ftp.nluug.nl/os/Linux/distr/archlinux/
-http://ftp.ntua.gr/pub/linux/archlinux/
-http://ftp.osuosl.org/pub/archlinux/
-http://ftp.otenet.gr/linux/archlinux/
-http://ftp.rediris.es/mirror/archlinux/
-http://ftp.rnl.tecnico.ulisboa.pt/pub/archlinux/
-http://ftp.sh.cvut.cz/arch/
-http://ftp.snt.utwente.nl/pub/os/linux/archlinux/
-http://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/
-http://ftp.sudhip.com/archlinux/
-http://ftp.swin.edu.au/archlinux/
-http://ftp.tku.edu.tw/Linux/ArchLinux/
-http://ftp.tsukuba.wide.ad.jp/Linux/archlinux/
-http://ftp.tu-chemnitz.de/pub/linux/archlinux/
-http://ftp.u-strasbg.fr/linux/distributions/archlinux/
-http://ftp.uni-bayreuth.de/linux/archlinux/
-http://ftp.uni-hannover.de/archlinux/
-http://ftp.uni-kl.de/pub/linux/archlinux/
-http://ftp.vectranet.pl/archlinux/
-http://ftp.wrz.de/pub/archlinux/
-http://ftp.yzu.edu.tw/Linux/archlinux/
-http://ftpmirror.infania.net/mirror/archlinux/
-http://glua.ua.pt/pub/archlinux/
-http://gluttony.sin.cvut.cz/arch/
-http://hkg.mirror.rackspace.com/archlinux/
-http://iad.mirror.rackspace.com/archlinux/
-http://iad.mirrors.misaka.one/archlinux/
-http://il.us.mirror.archlinux-br.org/
-http://linorg.usp.br/archlinux/
-http://linux.rz.rub.de/archlinux/
-http://lon.mirror.rackspace.com/archlinux/
-http://mir.archlinux.fr/
-http://mirroir.wptheme.fr/archlinux/
-http://mirror-archlinux.webruimtehosting.nl/
-http://mirror-hk.koddos.net/archlinux/
-http://mirror.0x.sg/archlinux/
-http://mirror.23media.com/archlinux/
-http://mirror.aktkn.sg/archlinux/
-http://mirror.ams1.nl.leaseweb.net/archlinux/
-http://mirror.anigil.com/archlinux/
-http://mirror.anquan.cl/archlinux/
-http://mirror.archlinux.cl/
-http://mirror.archlinux.ikoula.com/archlinux/
-http://mirror.archlinux.no/
-http://mirror.arctic.lol/ArchMirror/
-http://mirror.arizona.edu/archlinux/
-http://mirror.bizflycloud.vn/archlinux/
-http://mirror.bytemark.co.uk/archlinux/
-http://mirror.cc.columbia.edu/pub/linux/archlinux/
-http://mirror.cedia.org.ec/archlinux/
-http://mirror.cedille.club/archlinux/
-http://mirror.chaoticum.net/arch/
-http://mirror.checkdomain.de/archlinux/
-http://mirror.clientvps.com/archlinux/
-http://mirror.cs.pitt.edu/archlinux/
-http://mirror.cs.vt.edu/pub/ArchLinux/
-http://mirror.csclub.uwaterloo.ca/archlinux/
-http://mirror.cse.iitk.ac.in/archlinux/
-http://mirror.cspacehostings.com/archlinux/
-http://mirror.cyberbits.eu/archlinux/
-http://mirror.dal10.us.leaseweb.net/archlinux/
-http://mirror.datacenter.by/pub/archlinux/
-http://mirror.digitalnova.at/archlinux/
-http://mirror.dkm.cz/archlinux/
-http://mirror.easylee.nl/archlinux/
-http://mirror.easyname.at/archlinux/
-http://mirror.efect.ro/archlinux/
-http://mirror.es.its.nyu.edu/archlinux/
-http://mirror.espoch.edu.ec/archlinux/
-http://mirror.ette.biz/archlinux/
-http://mirror.f4st.host/archlinux/
-http://mirror.faizuladib.com/archlinux/
-http://mirror.fra10.de.leaseweb.net/archlinux/
-http://mirror.fsmg.org.nz/archlinux/
-http://mirror.fsrv.services/archlinux/
-http://mirror.gi.co.id/archlinux/
-http://mirror.guillaumea.fr/archlinux/
-http://mirror.hackingand.coffee/arch/
-http://mirror.host.ag/archlinux/
-http://mirror.hoster.kz/archlinux/
-http://mirror.hosthink.net/archlinux/
-http://mirror.i3d.net/pub/archlinux/
-http://mirror.ibcp.fr/pub/archlinux/
-http://mirror.ihost.md/archlinux/
-http://mirror.init7.net/archlinux/
-http://mirror.internode.on.net/pub/archlinux/
-http://mirror.is.co.za/mirror/archlinux.org/
-http://mirror.isoc.org.il/pub/archlinux/
-http://mirror.its.dal.ca/archlinux/
-http://mirror.juniorjpdj.pl/archlinux/
-http://mirror.kaminski.io/archlinux/
-http://mirror.kku.ac.th/archlinux/
-http://mirror.koddos.net/archlinux/
-http://mirror.kumi.systems/archlinux/
-http://mirror.labkom.id/archlinux/
-http://mirror.lagoon.nc/pub/archlinux/
-http://mirror.lastmikoi.net/archlinux/
-http://mirror.launtel.net.au/repo/arch/
-http://mirror.librelabucm.org/archlinux/
-http://mirror.lnx.sk/pub/linux/archlinux/
-http://mirror.lty.me/archlinux/
-http://mirror.lyrahosting.com/archlinux/
-http://mirror.lzu.edu.cn/archlinux/
-http://mirror.math.princeton.edu/pub/archlinux/
-http://mirror.metalgamer.eu/archlinux/
-http://mirror.metrocast.net/archlinux/
-http://mirror.mia11.us.leaseweb.net/archlinux/
-http://mirror.mijn.host/archlinux/
-http://mirror.mikrogravitation.org/archlinux/
-http://mirror.mirohost.net/archlinux/
-http://mirror.nak-mci.ir/arch/
-http://mirror.neostrada.nl/archlinux/
-http://mirror.netcologne.de/archlinux/
-http://mirror.netweaver.uk/archlinux/
-http://mirror.neuf.no/archlinux/
-http://mirror.nus.edu.sg/archlinux/
-http://mirror.oldsql.cc/archlinux/
-http://mirror.one.com/archlinux/
-http://mirror.onet.pl/pub/mirrors/archlinux/
-http://mirror.onevip.mk/archlinux/
-http://mirror.orbit-os.com/archlinux/
-http://mirror.papua.go.id/archlinux/
-http://mirror.pit.teraswitch.com/archlinux/
-http://mirror.pmf.kg.ac.rs/archlinux/
-http://mirror.poliwangi.ac.id/archlinux/
-http://mirror.premi.st/archlinux/
-http://mirror.ps.kz/archlinux/
-http://mirror.pseudoform.org/
-http://mirror.puzzle.ch/archlinux/
-http://mirror.rackspace.com/archlinux/
-http://mirror.rasanegar.com/archlinux/
-http://mirror.redrock.team/archlinux/
-http://mirror.reisenbauer.ee/archlinux/
-http://mirror.rise.ph/archlinux/
-http://mirror.rol.ru/archlinux/
-http://mirror.satis-faction.de/archlinux/
-http://mirror.scd31.com/arch/
-http://mirror.selfnet.de/archlinux/
-http://mirror.sergal.org/archlinux/
-http://mirror.serverion.com/archlinux/
-http://mirror.sfinae.tech/pub/mirrors/archlinux/
-http://mirror.sfo12.us.leaseweb.net/archlinux/
-http://mirror.siena.edu/archlinux/
-http://mirror.smith.geek.nz/archlinux/
-http://mirror.stephen304.com/archlinux/
-http://mirror.surf/archlinux/
-http://mirror.system.is/arch/
-http://mirror.t-home.mk/archlinux/
-http://mirror.tarellia.net/distr/archlinux/
-http://mirror.telepoint.bg/archlinux/
-http://mirror.telkomuniversity.ac.id/archlinux/
-http://mirror.terrahost.no/linux/archlinux/
-http://mirror.tiguinet.net/arch/
-http://mirror.truenetwork.ru/archlinux/
-http://mirror.ubrco.de/archlinux/
-http://mirror.ufam.edu.br/archlinux/
-http://mirror.ufro.cl/archlinux/
-http://mirror.ufscar.br/archlinux/
-http://mirror.umd.edu/archlinux/
-http://mirror.undisclose.de/archlinux/
-http://mirror.united-gameserver.de/archlinux/
-http://mirror.uta.edu.ec/archlinux/
-http://mirror.veriteknik.net.tr/archlinux/
-http://mirror.vpsfree.cz/archlinux/
-http://mirror.vtti.vt.edu/archlinux/
-http://mirror.wdc1.us.leaseweb.net/archlinux/
-http://mirror.wtnet.de/arch/
-http://mirror.wuki.li/archlinux/
-http://mirror.xeonbd.com/archlinux/
-http://mirror.xtom.com.hk/archlinux/
-http://mirror.yandex.ru/archlinux/
-http://mirror1.cl.netactuate.com/archlinux/
-http://mirror2.evolution-host.com/archlinux/
-http://mirror2.totbb.net/archlinux/
-http://mirrors.163.com/archlinux/
-http://mirrors.acm.wpi.edu/archlinux/
-http://mirrors.advancedhosters.com/archlinux/
-http://mirrors.aggregate.org/archlinux/
-http://mirrors.atviras.lt/archlinux/
-http://mirrors.bfsu.edu.cn/archlinux/
-http://mirrors.cat.net/archlinux/
-http://mirrors.cat.pdx.edu/archlinux/
-http://mirrors.celianvdb.fr/archlinux/
-http://mirrors.chroot.ro/archlinux/
-http://mirrors.cqu.edu.cn/archlinux/
-http://mirrors.dgut.edu.cn/archlinux/
-http://mirrors.dotsrc.org/archlinux/
-http://mirrors.evowise.com/archlinux/
-http://mirrors.gethosted.online/archlinux/
-http://mirrors.gigenet.com/archlinux/
-http://mirrors.go.ro/archlinux/
-http://mirrors.hit.edu.cn/archlinux/
-http://mirrors.hostico.ro/archlinux/
-http://mirrors.ims.nksc.lt/archlinux/
-http://mirrors.kernel.org/archlinux/
-http://mirrors.liquidweb.com/archlinux/
-http://mirrors.lug.mtu.edu/archlinux/
-http://mirrors.m247.ro/archlinux/
-http://mirrors.manchester.m247.com/arch-linux/
-http://mirrors.melbourne.co.uk/archlinux/
-http://mirrors.mit.edu/archlinux/
-http://mirrors.myaegean.gr/linux/archlinux/
-http://mirrors.n-ix.net/archlinux/
-http://mirrors.nav.ro/archlinux/
-http://mirrors.netix.net/archlinux/
-http://mirrors.neusoft.edu.cn/archlinux/
-http://mirrors.nic.cz/archlinux/
-http://mirrors.nix.org.ua/linux/archlinux/
-http://mirrors.niyawe.de/archlinux/
-http://mirrors.nju.edu.cn/archlinux/
-http://mirrors.nxthost.com/archlinux/
-http://mirrors.ocf.berkeley.edu/archlinux/
-http://mirrors.piconets.webwerks.in/archlinux-mirror/
-http://mirrors.pidginhost.com/arch/
-http://mirrors.powernet.com.ru/archlinux/
-http://mirrors.prometeus.net/archlinux/
-http://mirrors.rit.edu/archlinux/
-http://mirrors.rutgers.edu/archlinux/
-http://mirrors.sonic.net/archlinux/
-http://mirrors.standaloneinstaller.com/archlinux/
-http://mirrors.tuna.tsinghua.edu.cn/archlinux/
-http://mirrors.udenar.edu.co/archlinux/
-http://mirrors.ukfast.co.uk/sites/archlinux.org/
-http://mirrors.uni-plovdiv.net/archlinux/
-http://mirrors.urbanwave.co.za/archlinux/
-http://mirrors.ustc.edu.cn/archlinux/
-http://mirrors.xmission.com/archlinux/
-http://mirrors.xtom.com/archlinux/
-http://mirrors.xtom.nl/archlinux/
-http://mirrors.zju.edu.cn/archlinux/
-http://muug.ca/mirror/archlinux/
-http://nova.quantum-mirror.hu/mirrors/pub/archlinux/
-http://ord.mirror.rackspace.com/archlinux/
-http://packages.oth-regensburg.de/archlinux/
-http://phinau.de/arch/
-http://piotrkosoft.net/pub/mirrors/ftp.archlinux.org/
-http://pkg.adfinis.com/archlinux/
-http://plug-mirror.rcac.purdue.edu/archlinux/
-http://quantum-mirror.hu/mirrors/pub/archlinux/
-http://repo.ialab.dsu.edu/archlinux/
-http://repo.inara.pk/archlinux/
-http://repo.iut.ac.ir/repo/archlinux/
-http://repo.miserver.it.umich.edu/archlinux/
-http://shadow.ind.ntou.edu.tw/archlinux/
-http://sharing.thelinuxsect.com/archlinux/
-http://super.quantum-mirror.hu/mirrors/pub/archlinux/
-http://suro.ubaya.ac.id/archlinux/
-http://syd.mirror.rackspace.com/archlinux/
-http://tedwall.se/archlinux/
-http://tux.rainside.sk/archlinux/
-http://vpsmurah.jagoanhosting.com/archlinux/
-http://www.caco.ic.unicamp.br/archlinux/
-http://www.gtlib.gatech.edu/pub/archlinux/
-http://www.gutscheindrache.com/mirror/archlinux/
-http://www.mirrorservice.org/sites/ftp.archlinux.org/
-http://za.mirror.archlinux-br.org/

cacher/archlx_mirrors_extra

@@ -0,0 +1 @@
+https://mirror.osbeck.com/archlinux/

cacher/blackarch_mirror-list

@@ -0,0 +1,154 @@
+http://au.mirrors.cicku.me/blackarch/
+https://au.mirrors.cicku.me/blackarch/
+http://blackarch.mirror.digitalpacific.com.au/
+rsync://mirror.digitalpacific.com.au/blackarch/
+
+http://mirror.easyname.at/blackarch/
+ftp://mirror.easyname.at/blackarch/
+rsync://mirror.easyname.at/blackarch/
+
+http://ca.mirrors.cicku.me/blackarch/
+https://ca.mirrors.cicku.me/blackarch/
+
+https://mirrors.hust.edu.cn/blackarch/
+https://mirrors.nju.edu.cn/blackarch/
+https://mirror.sjtu.edu.cn/blackarch/
+https://mirrors.tuna.tsinghua.edu.cn/blackarch/
+https://mirrors.ustc.edu.cn/blackarch/
+https://mirrors.aliyun.com/blackarch/
+http://mirrors.aliyun.com/blackarch/
+
+http://mirrors.dotsrc.org/blackarch/
+ftp://mirrors.dotsrc.org/blackarch/
+
+http://mirror.uta.edu.ec/blackarch/
+ftp://mirror.uta.edu.ec/blackarch/
+rsync://mirror.uta.edu.ec/blackarch/
+http://mirror.cedia.org.ec/blackarch/
+
+http://blackarch.leneveu.fr/blackarch/
+http://blackarch.pi3rrot.net/blackarch/
+http://mirror.cyberbits.eu/blackarch/
+https://mirror.cyberbits.eu/blackarch/
+rsync://rsync.cyberbits.eu/blackarch/
+
+https://www.blackarch.org/blackarch/blackarch/
+rsync://blackarch.org/blackarch/
+http://de.mirrors.cicku.me/blackarch/
+https://de.mirrors.cicku.me/blackarch/
+https://mirrors.dr460nf1r3.org/repos/blackarch/
+http://ftp.halifax.rwth-aachen.de/blackarch/
+https://ftp.halifax.rwth-aachen.de/blackarch/
+ftp://ftp.halifax.rwth-aachen.de/blackarch/
+rsync://ftp.halifax.rwth-aachen.de/blackarch/
+http://blackarch.unixpeople.org/
+https://blackarch.unixpeople.org/
+rsync://blackarch.unixpeople.org/blackarch/
+http://mirror.undisclose.de/blackarch/
+https://mirror.undisclose.de/blackarch//
+rsync://mirror.undisclose.de/blackarch/
+
+http://ftp.cc.uoc.gr/mirrors/linux/blackarch/
+ftp://ftp.cc.uoc.gr/mirrors/linux/blackarch/
+rsync://blackarch@cc.uoc.gr/blackarch
+
+http://mirrors.cicku.me/blackarch/
+https://mirrors.cicku.me/blackarch/
+http://www.mirrorservice.org/sites/blackarch.org/blackarch/
+rsync://rsync.mirrorservice.org/blackarch.org/blackarch/
+http://mirrors.gethosted.online/blackarch/blackarch/
+https://mirrors.gethosted.online/blackarch/blackarch/
+https://uk.mirrors.fossho.st/blackarch//os/
+
+http://quantum-mirror.hu/mirrors/pub/blackarch/
+https://quantum-mirror.hu/mirrors/pub/blackarch/
+rsync://quantum-mirror.hu/blackarch
+
+http://in.mirrors.cicku.me/blackarch/
+https://in.mirrors.cicku.me/blackarch/
+https://mirror.albony.xyz/blackarch/
+
+http://mirror.blackrepo.com/ https://mirror.blackrepo.com/
+
+http://blackarch.mirror.garr.it/mirrors/blackarch/
+rsync://blackarch.mirror.garr.it/blackarch/
+
+http://jp.mirrors.cicku.me/blackarch/
+https://jp.mirrors.cicku.me/blackarch/
+http://www.ftp.ne.jp/Linux/packages/blackarch/
+http://ftp.kddilabs.jp/Linux/packages/blackarch/
+https://ftp.kddilabs.jp/Linux/packages/blackarch/
+
+http://kr.mirrors.cicku.me/blackarch/
+https://kr.mirrors.cicku.me/blackarch/
+
+http://md.mirrors.hacktegic.com/blackarch/
+https://md.mirrors.hacktegic.com/blackarch/
+rsync://md.mirrors.hacktegic.com/blackarch/
+
+http://mirror.serverion.com/blackarch/
+https://mirror.serverion.com/blackarch/
+ftp://mirror.serverion.com/blackarch/
+rsync://mirror.serverion.com/opnsense
+http://mirror.neostrada.nl/blackarch/
+https://mirror.neostrada.nl/blackarch/
+ftp://mirror.neostrada.nl/blackarch/
+rsync://mirror.neostrada.nl/blackarch/
+
+http://nz-mirror.intergrid.com.au/blackarch/
+ftp://nz-mirror.intergrid.com.au/blackarch
+
+http://ftp.icm.edu.pl/pub/Linux/dist/blackarch/
+ftp://ftp.icm.edu.pl/pub/Linux/dist/blackarch/
+rsync://ftp.icm.edu.pl/pub/Linux/dist/blackarch/
+gopher://ftp.icm.edu.pl/1/pub/Linux/dist/blackarch/
+
+http://eu.mirrors.cicku.me/blackarch/
+https://eu.mirrors.cicku.me/blackarch/
+
+https://repository.su/blackarch/
+rsync://repository.su/blackarch/
+http://mirror.truenetwork.ru/blackarch/
+ftp://mirror.truenetwork.ru/blackarch/
+rsync://mirror.truenetwork.ru/blackarch/
+http://mirror.yandex.ru/mirrors/blackarch/
+ftp://mirror.yandex.ru/mirrors/blackarch/
+rsync://mirror.yandex.ru/mirrors/blackarch/
+
+http://sg.mirrors.cicku.me/blackarch/
+https://sg.mirrors.cicku.me/blackarch/
+http://download.nus.edu.sg/mirror/blackarch/
+https://download.nus.edu.sg/mirror/blackarch/
+
+http://mirror.zetup.net/blackarch/
+
+http://mirror.easyname.ch/blackarch/
+ftp://mirror.easyname.ch/blackarch/
+rsync://mirror.easyname.ch/blackarch/
+https://mirror.tillo.ch/ftp/blackarch/
+http://mirror.tillo.ch/ftp/blackarch/
+ftpes://mirror.tillo.ch/blackarch/
+ftp://mirror.tillo.ch/blackarch/
+rsync://mirror.tillo.ch/blackarch/
+
+http://ftp.linux.org.tr/blackarch/
+ftp://ftp.linux.org.tr/blackarch/
+rsync://rsync.linux.org.tr/blackarch/
+
+http://mirror.archlinux.tw/BlackArch/
+https://mirror.archlinux.tw/BlackArch/
+http://blackarch.cs.nycu.edu.tw/
+https://blackarch.cs.nycu.edu.tw/
+rsync://blackarch.cs.nycu.edu.tw/blackarch/
+
+http://blackarch.pr0s3c.nl/blackarch/
+https://us.mirrors.fossho.st/blackarch/
+https://blackarch.pr0s3c.nl/blackarch/
+http://mirror.math.princeton.edu/pub/blackarch/
+https://mirror.math.princeton.edu/pub/blackarch/
+rsync://mirror.math.princeton.edu/pub/blackarch/
+http://distro.ibiblio.org/blackarch/
+ftp://distro.ibiblio.org/blackarch/
+https://mirror.team-cymru.com/blackarch/
+ftp://mirror.team-cymru.com/blackarch/
+rsync://mirror.team-cymru.com/blackarch/

cacher/change_templates.sls

@@ -36,6 +36,12 @@
       - backup: False
 
 {% elif grains['os_family']|lower == 'redhat' %}
+
+stop_zchunk:
+  file.append:
+    - name: /etc/dnf/dnf.conf
+    - text: zchunk=False
+
 {% for repo in salt['file.find']('/etc/yum.repos.d/', name='*repo*') %}
 {{ repo }}_baseurl:
     file.replace:
@@ -58,7 +64,6 @@
     file.uncomment:
       - name: {{ repo }}
       - regex : '.*baseurl(.*)'
-      - ignore_missing: True
       - backup: False
 {{ repo }}_comment:
     file.comment:

cacher/clone.sls

@@ -1,8 +1,8 @@
 clone_precursor:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
 qvm-clone-id:
   qvm.clone:
     - name: template-cacher
-    - source: debian-11-minimal
+    - source: debian-12-minimal

cacher/configure.sls

@@ -2,16 +2,18 @@
 
 {% if grains['nodename'] != 'dom0' %}
 
-/rw/config/rc.local:
+cacher_/rw/config/rc.local:
   file.append:
+    - name: /rw/config/rc.local
     - text: |
         systemctl unmask apt-cacher-ng
         systemctl start apt-cacher-ng
-        /sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT
+        /usr/sbin/nft insert rule qubes custom-input tcp dport 8082 accept
 
-/rw/config/qubes-firewall-user-script:
+cacher_/rw/config/qubes-firewall-user-script:
   file.append:
-    - text: /sbin/iptables -I INPUT -p tcp --dport 8082 -j ACCEPT
+    - name: /rw/config/qubes-firewall-user-script
+    - text: /usr/sbin/nft insert rule qubes custom-input tcp dport 8082 accept
 
 /rw/config/qubes-bind-dirs.d/50_user.conf:
   file.managed:

cacher/create.sls

@@ -23,6 +23,7 @@ qvm-features-id:
       - service.cups
       - service.cups-browsed
       - service.tinyproxy
+      - service.qubes-updates-proxy
 
 'qvm-volume extend cacher:private 20G' :
   cmd.run

cacher/debian_mirrors_extra

@@ -0,0 +1 @@
+https://deb.debian.org/debian/

cacher/fedora_mirrors

@@ -1,160 +0,0 @@
-http://archive.linux.duke.edu/pub/fedora/linux/
-http://fedora.cu.be/linux/
-http://distrib-coffee.ipsl.jussieu.fr/pub/linux/fedora/linux/
-http://download-cc-rdu01.fedoraproject.org/pub/fedora/linux/
-http://download-ib01.fedoraproject.org/pub/fedora/linux
-http://download.fedoraproject.org/pub/fedora/linux/
-http://fedora-mirror01.rbc.ru/pub/fedora/linux/
-http://fedora.blizoo.mk/fedora/linux/
-http://fedora.ip-connect.info/linux/
-http://fedora.ip-connect.vn.ua/linux/
-http://fedora.ipacct.com/fedora/linux/
-http://fedora.is.co.za/linux/
-http://fedora.mirror.angkasa.id/pub/fedora/linux/
-http://fedora.mirror.constant.com
-http://fedora.mirror.digitalpacific.com.au/linux/
-http://fedora.mirror.iweb.com/linux/
-http://fedora.mirror.liteserver.nl/
-http://fedora.mirror.root.lu/
-http://fedora.mirror.tn/pub/fedora/linux/
-http://fedora.mirror.wearetriple.com/linux/
-http://fedora.mirrors.pair.com/linux/
-http://fedora.mirrors.telekom.ro/pub/fedora/linux/
-http://fedora.tu-chemnitz.de/pub/linux/fedora/linux/
-http://forksystems.mm.fcix.net/fedora/linux/
-http://fr2.rpmfind.net/linux/fedora/linux/
-http://free.nchc.org.tw/fedora/linux/
-http://ftp-stud.hs-esslingen.de/pub/fedora/linux/
-http://ftp.acc.umu.se/mirror/fedora/linux/
-http://ftp.byfly.by/pub/fedoraproject.org/linux/
-http://ftp.cc.uoc.gr/pub/linux/fedora/linux/
-http://ftp.cica.es/fedora/linux/
-http://ftp.colocall.net/pub/fedora/linux/
-http://ftp.cse.buffalo.edu/pub/fedora/linux/
-http://ftp.fau.de/fedora/linux/
-http://ftp.fi.muni.cz/pub/linux/fedora/linux/
-http://ftp.halifax.rwth-aachen.de/fedora/linux/
-http://ftp.icm.edu.pl/pub/Linux/fedora/linux/
-http://ftp.iij.ad.jp/pub/linux/Fedora/fedora/linux/
-http://ftp.ines.lug.ro/fedora/linux/
-http://ftp.jaist.ac.jp/pub/Linux/Fedora/
-http://ftp.linux.cz/pub/linux/fedora/linux/
-http://ftp.lip6.fr/ftp/pub/linux/distributions/fedora/
-http://ftp.lysator.liu.se/pub/fedora/linux/
-http://ftp.nluug.nl/pub/os/Linux/distr/fedora/linux/
-http://ftp.ntua.gr/pub/linux/fedora/linux/
-http://ftp.plusline.net/fedora/linux/
-http://ftp.tsukuba.wide.ad.jp/Linux/fedora/linux/
-http://ftp.tudelft.nl/download.fedora.redhat.com/linux/
-http://ftp.uma.es/mirror/fedora/linux/
-http://ftp.uni-bayreuth.de/linux/fedora/linux/
-http://ftp.uni-kl.de/pub/linux/fedora/linux/
-http://ftp.uni-stuttgart.de/epel/
-http://ftp.upjs.sk/pub/fedora/linux/
-http://ftp.yz.yamagata-u.ac.jp/pub/linux/fedora-projects/fedora/linux/
-http://ftp.yzu.edu.tw/Linux/Fedora/linux/
-http://ftp-chi.osuosl.org/pub/fedora/linux
-http://kdeforge2.unl.edu/mirrors/fedora/linux/
-http://linux.mirrors.es.net/fedora/
-http://mirror.1000mbps.com/fedora/linux/
-http://mirror.23m.com/fedora/linux/
-http://mirror.23media.de/fedora/linux/
-http://mirror.aarnet.edu.au/pub/fedora/linux/
-http://mirror.bytemark.co.uk/fedora/epel/
-http://mirror.bytemark.co.uk/fedora/linux/
-http://mirror.cedia.org.ec/fedora/linux/
-http://mirror.chpc.utah.edu/pub/fedora/linux/
-http://mirror.clarkson.edu/fedora/linux/
-http://mirror.cogentco.com/pub/linux/fedora/linux/
-http://mirror.cs.pitt.edu/fedora/linux/
-http://mirror.cs.princeton.edu/pub/mirrors/fedora/linux/
-http://mirror.csclub.uwaterloo.ca/fedora/linux/
-http://mirror.datacenter.by/pub/fedoraproject.org/linux/
-http://mirror.de.leaseweb.net/fedora/linux/
-http://mirror.dogado.de/fedora/linux/
-http://mirror.dst.ca/fedora-linux/fedora/linux/
-http://mirror.easyspeedy.com/fedora/
-http://mirror.epn.edu.ec/fedora/linux/
-http://mirror.etf.bg.ac.rs/fedora/
-http://mirror.euserv.net/linux/fedora/linux/
-http://mirror.globo.com/fedora/linux/
-http://mirror.i3d.net/pub/fedora/linux/
-http://mirror.ihost.md/fedora/
-http://mirror.in2p3.fr/pub/fedora/linux/
-http://mirror.infonline.de/fedora/linux/
-http://mirror.init7.net/fedora/fedora/linux/
-http://mirror.its.dal.ca/pub/fedora/linux/
-http://mirror.karneval.cz/pub/linux/fedora/linux/
-http://mirror.lagoon.nc/pub/fedora/linux/
-http://mirror.library.ucy.ac.cy/linux/fedora/linux/
-http://mirror.linux-ia64.org/fedora/linux/
-http://mirror.math.princeton.edu/pub/fedora/linux/
-http://mirror.metrocast.net/fedora/linux/
-http://mirror.mrjester.net/fedora/linux/
-http://mirror.netcologne.de/fedora/linux/
-http://mirror.netsite.dk/fedora/linux/
-http://mirror.netzwerge.de/fedora/linux/
-http://mirror.nexcess.net/fedora/
-http://mirror.nl.leaseweb.net/fedora/linux/
-http://mirror.nonstop.co.il/fedora/linux/
-http://mirror.onet.pl/pub/mirrors/fedora/linux/
-http://mirror.optus.net/fedora/linux/
-http://mirror.pmf.kg.ac.rs/fedora/linux/
-http://mirror.pnl.gov/fedora/linux/
-http://mirror.prgmr.com/pub/fedora/linux/
-http://mirror.realcompute.io/fedora/linux/
-http://mirror.rise.ph/fedora/linux/
-http://mirror.rnet.missouri.edu/fedora/linux/
-http://mirror.seas.harvard.edu/fedora/linux/
-http://mirror.sfo12.us.leaseweb.net/fedora/linux/
-http://mirror.siena.edu/fedora/linux/
-http://mirror.slu.cz/fedora/linux/
-http://mirror.smartmedia.net.id/fedora/linux/
-http://mirror.steadfast.net/fedora/
-http://mirror.steadfastnet.com/epel/
-http://mirror.stjschools.org/fedora/linux/
-http://mirror.switch.ch/ftp/mirror/fedora/linux/
-http://mirror.szerverem.hu/fedora/linux/
-http://mirror.telepoint.bg/fedora/
-http://mirror.umd.edu/fedora/linux/
-http://mirror.upb.edu.co/fedora/linux/
-http://mirror.us.leaseweb.net/fedora/linux/
-http://mirror.usi.edu/pub/fedora/linux/
-http://mirror.uta.edu.ec/fedora/linux/
-http://mirror.utexas.edu/fedora/linux/
-http://mirror.uv.es/mirror/fedora/linux/
-http://mirror.veriteknik.net.tr/fedora/linux/
-http://mirror.vorboss.net/fedora/linux/
-http://mirror.vpsnet.com/fedora/linux/
-http://mirror.vutbr.cz/fedora/
-http://mirror.xenyth.net/fedora/linux/
-http://mirror.yandex.ru/fedora/linux/
-http://mirror2.totbb.net/fedora/linux/
-http://mirrors.cat.pdx.edu/fedora/linux/
-http://mirrors.dotsrc.org/fedora/linux/
-http://mirrors.ircam.fr/pub/fedora/linux/
-http://mirrors.kernel.org/fedora/
-http://mirrors.lug.mtu.edu/fedora/linux/
-http://mirrors.mit.edu/fedora/linux/
-http://mirrors.n-ix.net/fedora/linux/
-http://mirrors.nav.ro/fedora/linux/
-http://mirrors.netix.net/fedora/linux/
-http://mirrors.nic.cz/fedora/linux/
-http://mirrors.rit.edu/fedora/fedora/linux
-http://mirrors.syringanetworks.net/fedora/linux/
-http://mirrors.uni-ruse.bg/fedora/linux/
-http://mirrors.xmission.com/fedora/linux/
-http://mirrors.xtom.de/fedora/
-http://muug.ca/mirror/fedora/linux/
-http://opencolo.mm.fcix.net/fedora/linux/
-http://opensource.nchc.org.tw/fedora/linux/
-http://pubmirror1.math.uh.edu/fedora-buffet/fedora/linux/
-http://pubmirror2.math.uh.edu/fedora-buffet/fedora/linux/
-http://repo.fedora.md/fedora/linux/
-http://ucmirror.canterbury.ac.nz/linux/fedora/linux/
-http://veronanetworks.mm.fcix.net/fedora/linux/
-http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora/linux/
-http://www.fedora.is/fedora/
-http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/fedora/linux/
-http://www.nic.funet.fi/pub/mirrors/fedora.redhat.com/pub/fedora/linux/
-http://ziply.mm.fcix.net/fedora/linux/

cacher/fedora_mirrors_extra

@@ -0,0 +1,96 @@
+http://mirror.ox.ac.uk/sites/download.fedora.redhat.com/pub/fedora/linux
+http://ask4.mm.fcix.net/fedora/linux/
+http://b4sh.mm.fcix.net/fedora/linux/
+http://creeperhost.mm.fcix.net/fedora/linux/
+http://distrib-coffee.ipsl.jussieu.fr/pub/linux/fedora/linux/
+http://divergentnetworks.mm.fcix.net/fedora/linux/
+http://download-ib01.fedoraproject.org/pub/fedora/linux
+http://download-ib01.fedoraproject.org/pub/fedora/linux/
+http://fedora-archive.ip-connect.info/fedora/linux/
+http://fedora-mirror01.rbc.ru/pub/fedora/linux/
+http://fedora.blizoo.mk/fedora/linux/
+http://fedora.ip-connect.info/linux/
+http://fedora.ip-connect.vn.ua/linux/
+http://fedora.mirror.constant.com
+http://fedora.mirror.liteserver.nl/
+http://fedora.mirror.tn/pub/fedora/linux/
+http://fedora.mirror.wearetriple.com/linux/
+http://fedora.mirrors.pair.com/linux/
+http://forksystems.mm.fcix.net/fedora/linux/
+http://ftp-chi.osuosl.org/pub/fedora/linux
+http://ftp-chi.osuosl.org/pub/fedora/linux/
+http://ftp-stud.hs-esslingen.de/pub/Mirrors/archive.fedoraproject.org/fedora/linux/
+http://ftp.byfly.by/pub/fedoraproject.org/linux/
+http://ftp.colocall.net/pub/fedora/linux/
+http://ftp.ines.lug.ro/fedora/linux/
+http://ftp.linux.org.tr
+http://ftp.ntua.gr/pub/linux/fedora/linux/
+http://ftp.otenet.gr/linux/fedora/linux/
+http://ftp.tsukuba.wide.ad.jp/Linux/fedora/linux/
+http://ftp.tudelft.nl/download.fedora.redhat.com/linux/
+http://ftp.yzu.edu.tw/Linux/Fedora/linux/
+http://kdeforge2.unl.edu/mirrors/fedora/linux/
+http://level66.mm.fcix.net/fedora/linux/
+http://mirror.1000mbps.com/fedora/linux/
+http://mirror.23media.de/fedora/linux/
+http://mirror.accum.se/mirror/fedora/linux/
+http://mirror.bahnhof.net/fedora/linux/
+http://mirror.bytemark.co.uk/fedora/epel/
+http://mirror.clarkson.edu/fedora/linux/
+http://mirror.cogentco.com/pub/linux/fedora/linux/
+http://mirror.cs.princeton.edu/pub/mirrors/fedora/linux/
+http://mirror.dst.ca/fedora-linux/fedora/linux/
+http://mirror.epn.edu.ec/fedora/linux/
+http://mirror.etf.bg.ac.rs/fedora/
+http://mirror.euserv.net/linux/fedora/linux/
+http://mirror.fcix.net/fedora/linux/
+http://mirror.globo.com/fedora/linux/
+http://mirror.ihost.md/fedora/
+http://mirror.it4i.cz
+http://mirror.lagoon.nc/pub/fedora/linux/
+http://mirror.library.ucy.ac.cy/linux/fedora/linux/
+http://mirror.linux-ia64.org/fedora/fedora/linux/
+http://mirror.math.princeton.edu/pub/fedora/linux/
+http://mirror.mrjester.net/fedora/linux/
+http://mirror.netcologne.de/fedora/linux/
+http://mirror.onet.pl/pub/mirrors/fedora/linux/
+http://mirror.pmf.kg.ac.rs/fedora/linux/
+http://mirror.pnl.gov/fedora/linux/
+http://mirror.seas.harvard.edu/fedora/linux/
+http://mirror.serverion.com/fedora/linux
+http://mirror.smartmedia.net.id/fedora/linux/
+http://mirror.stjschools.org/fedora/linux/
+http://mirror.switch.ch/ftp/mirror/fedora/linux/
+http://mirror.telepoint.bg/fedora/
+http://mirror.upb.edu.co/fedora/linux/
+http://mirror.us.leaseweb.net/fedora/linux/
+http://mirror.usi.edu/pub/fedora/linux/
+http://mirror.uta.edu.ec/fedora/linux/
+http://mirror.utexas.edu/fedora/linux/
+http://mirror.veriteknik.net.tr/fedora/linux/
+http://mirror.vorboss.net/fedora/linux/
+http://mirror.vutbr.cz/fedora/
+http://mirror.xenyth.net/fedora/linux/
+http://mirroronet.pl/pub/mirrors/fedora/linux/
+http://mirrors.cat.pdx.edu/fedora/linux/
+http://mirrors.dotsrc.org/fedora/linux
+http://mirrors.dotsrc.org/fedora/linux/
+http://mirrors.fedoraproject.org
+http://mirrors.fedoraproject.org/fedora/linux
+http://mirrors.netix.net/fedora/linux/
+http://mirrors.nic.cz/fedora/linux/
+http://mirrors.rit.edu/fedora/fedora/linux
+http://mirrors.rit.edu/fedora/fedora/linux/
+http://mirrors.uni-ruse.bg/fedora/linux/
+http://mirrors.xtom.de/fedora/
+http://mirrors.xtom.ee/fedora/linux
+http://nnenix.mm.fcix.net/fedora/linux
+http://nocix.mm.fcix.net/fedora/linux/
+http://opencolo.mm.fcix.net/fedora/linux/
+http://southfront.mm.fcix.net/fedora/linux/
+http://uvermont.mm.fcix.net/fedora/linux
+http://veronanetworks.mm.fcix.net/fedora/linux/
+http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora/linux/
+http://volico.mm.fcix.net/fedora/linux
+http://www.fedora.is/fedora/
+http://ziply.mm.fcix.net/fedora/linux/

cacher/install.sls

@@ -21,11 +21,27 @@ installed:
       - anacron 
       - apt-cacher-ng 
 
-systemd-disable:
+disable-tinyproxy:
+  cmd.run:
+    - name: systemctl disable tinyproxy
+
+mask-tinyproxy:
+  cmd.run:
+    - name: systemctl mask tinyproxy
+
+disable-qubes-proxy:
+  cmd.run:
+    - name: systemctl disable qubes-updates-proxy
+
+mask-qubes-proxy:
+  cmd.run:
+    - name: systemctl mask qubes-updates-proxy
+
+disable-apt-cacher:
   cmd.run:
     - name: systemctl disable apt-cacher-ng
 
-systemd-mask:
+mask-apt-cacher:
   cmd.run:
     - name: systemctl mask apt-cacher-ng
 

cacher/mirrors.sls

@@ -5,18 +5,36 @@
 
 {% if grains['nodename'] != 'dom0' %}
 
-/etc/apt-cacher-ng/fedora_mirrors:
+/etc/apt-cacher-ng/Qubes_mirrors:
   file.managed:
     - source:
-      - salt://cacher/fedora_mirrors
+      - salt://cacher/Qubes_mirrors
     - user: root
     - group: root
+    - makedirs: True
 
-/etc/apt-cacher-ng/archlx_mirrors:
+/etc/apt-cacher-ng/fedora_mirrors_extra:
   file.managed:
     - source:
-      - salt://cacher/archlx_mirrors
+      - salt://cacher/fedora_mirrors_extra
     - user: root
     - group: root
+    - makedirs: True
+
+/etc/apt-cacher-ng/archlx_mirrors_extra:
+  file.managed:
+    - source:
+      - salt://cacher/archlx_mirrors_extra
+    - user: root
+    - group: root
+    - makedirs: True
+
+/etc/apt-cacher-ng/debian_mirrors_extra:
+  file.managed:
+    - source:
+      - salt://cacher/debian_mirrors_extra
+    - user: root
+    - group: root
+    - makedirs: True
 
 {% endif %}

cacher/use.sls

@@ -4,8 +4,9 @@ qvm-present-id:
     - template: template-cacher
     - label: gray
 
-/etc/qubes/policy.d/30-user.policy:
+/etc/qubes/policy.d/50-config-updates.policy:
   file.prepend:
+    - header: True
     - text:
       - "qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix"
       - "qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny"

git.spec

@@ -1,10 +1,10 @@
 Name:           3isec-qubes-git
-Version:       	0.2
+Version:       	1.03
 Release:        1%{?dist}
 Summary:        Create sys-git in Qubes
 
 License:        GPLv3+
-SOURCE0:	      git
+SOURCE0:        git
 
 %description
 This package provides a central git qube, named sys-git.
@@ -102,11 +102,9 @@ if [ $1 -eq 1 ]; then
   qubesctl --skip-dom0 --targets=sys-git state.apply git.install
 fi
 
-%postun
-if [ $1 -eq 0 ]; then
-fi
-
 %changelog
+* Tue Feb 06 2024 unman <unman@thirdeyesecurity.org> - 1.03
+- Update for Qubes 4.2
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.02
 - Use pillar for cacher to determine repo changes
 * Wed Nov 16 2022 unman <unman@thirdeyesecurity.org> - 0.1

git/create.sls

@@ -1,7 +1,11 @@
+create_precursor:
+  qvm.template_installed:
+    - name: debian-12-xfce
+
 git-present-id:
   qvm.present:
     - name: sys-git
-    - template: debian-11
+    - template: debian-12-xfce
     - label: gray
 
 git-prefs-id:

gpg.spec

@@ -42,6 +42,8 @@ fi
 
 
 %changelog
+* Tue Feb 06 2024 unman <unman@thirdeyesecurity.org> - 2.06
+- Upgrade for Qubes 4.2
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 2.05
 - Use pillar for cacher to determine repo changes
 * Sat May 21 2022 unman <unman@thirdeyesecurity.org> - 1.4

gpg/clone.sls

@@ -1,11 +1,11 @@
 gpg_precursor:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
 qvm-clone-id:
   qvm.clone:
     - name: template-gpg
-    - source: debian-11-minimal
+    - source: debian-12-minimal
 
 'sudo qubes-dom0-update qubes-gpg-split-dom0':
   cmd.run

gpg/create.sls

@@ -1,13 +1,13 @@
 include:
   - gpg.clone
 
-qvm-present-id:
+gpg-present-id:
   qvm.present:
     - name: sys-gpg
     - template: template-gpg
     - label: gray
 
-qvm-prefs-id:
+gpg-prefs-id:
   qvm.prefs:
     - name: sys-gpg
     - netvm: none
@@ -15,7 +15,7 @@ qvm-prefs-id:
     - maxmem: 800
     - vcpus: 2
 
-qvm-features-id:
+gpg-features-id:
   qvm.features:
     - name: sys-gpg
     - disable:
@@ -25,7 +25,17 @@ qvm-features-id:
 'qvm-volume extend sys-gpg:private 10G' :
   cmd.run
 
-update_file:
-  file.prepend:
-    - name: '/etc/qubes/policy.d/30-user.policy'
-    - text: 'qubes.Gpg  *  @anyvm  @anyvm ask default_target=sys-gpg'
+check_gpg_policy_file:
+  file.managed:
+    - name: /etc/qubes/policy.d/50-config-splitgpg.policy
+
+update_gpg_policy_file:
+  file.replace:
+    - name: /etc/qubes/policy.d/50-config-splitgpg.policy
+    - pattern: |
+        # Any changes made manually may be overwritten by Qubes Configuration Tools.
+    - repl: | 
+        # Any changes made manually may be overwritten by Qubes Configuration Tools.
+        qubes.Gpg  *  @anyvm  sys-gpg ask 
+    - count: 1
+    - prepend_if_not_found: True

gpg/install.sls

@@ -1,18 +1,30 @@
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-
 {% if salt['pillar.get']('update_proxy:caching') %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
 
 /etc/apt/sources.list:
   file.replace:
-    - names:
-      - /etc/apt/sources.list
-      - /etc/apt/sources.list.d/qubes-r4.list
+    - name: /etc/apt/sources.list
     - pattern: 'https:'
     - repl: 'http://HTTPS/'
     - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
 
 {% endif %}
+{% endif %}
+{% endif %}
 
 installed:
   pkg.installed:

mirage.spec

@@ -1,10 +1,10 @@
 Name:           3isec-qubes-mirage-firewall
-Version:       	0.8.4
+Version:       	0.9.3
 Release:        1%{?dist}
 Summary:        Create an Mirage firewall in Qubes
 
 License:        GPLv3+
-SOURCE0:	      mirage
+SOURCE0:        mirage
 
 %description
 This package creates a mirage firewall for use in Qubes.
@@ -14,12 +14,10 @@ https://github.com/mirage/qubes-mirage-firewall
 
 The package creates a qube called mirage-firewall.
 If you want to use this as a firewall, simply change net qube from sys-firewall to mirage-firewall.
-There's a batch file in /srv/salt/mirage to make this change in bulk.
 
 Removing this package will remove the mirage-firewall.
 Qubes that use it will have their net qube unset.
 You will have to change netqube to get those qubes back online.
-There's a batch file in /srv/salt/mirage to help make this change in bulk.
 
 
 %install
@@ -35,7 +33,15 @@ cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
 if [ $1 -eq 1 ]; then
   qubesctl state.apply mirage.install
 elif [ $1 -eq 2 ]; then
-  qubesctl state.apply mirage.extract
+  if [ `qvm-ls --running --raw-list mirage-firewall` == `mirage-firewall` ];then
+  qvm-kill mirage-firewall
+  qubesctl state.apply mirage.absent
+  qubesctl state.apply mirage.install
+  qvm-start mirage-firewall
+  else
+  qubesctl state.apply mirage.absent
+  qubesctl state.apply mirage.install
+  fi
 fi
 
 %postun
@@ -45,5 +51,13 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Fri Feb 07 2025 unman <unman@thirdeyesecurity.org> - 0.9.3
+- Packages qubes-mirage-firewall 0.9.3
+* Mon May 20 2024 unman <unman@thirdeyesecurity.org> - 0.9.1
+- Packages qubes-mirage-firewall 0.9.1
+* Thu May 09 2024 unman <unman@thirdeyesecurity.org> - 0.9.0
+- Packages qubes-mirage-firewall 0.9.0
+* Sat Feb 03 2024 unman <unman@thirdeyesecurity.org> - 0.8.6
+- Packages qubes-mirage-firewall 0.8.6
 * Mon Apr 17 2023 unman <unman@thirdeyesecurity.org> - 0.8.4
 - Packages qubes-mirage-firewall 0.8.4

mirage/absent.sls

@@ -0,0 +1,14 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if grains['nodename'] == 'dom0' %}
+
+mirage-firewall-remove-old:
+  file.absent:
+    - names:
+      - /var/lib/qubes/vm-kernels/mirage-firewall/modules.img
+      - /var/lib/qubes/vm-kernels/mirage-firewall/initramfs
+
+{% endif %}

mirage/install.sls

@@ -10,14 +10,6 @@
     - mode: 755
     - makedirs: True
 
-mirage_extracted:
-  archive.extracted:
-    - name: /var/lib/qubes/vm-kernels/
-    - source: salt://mirage/mirage-firewall.tar.bz2
-    - source_hash: 2c985671a5620f395d1cc40f7f505660fd1e07bcaaaf77f698ce13f76f47cc20
-    - archive_format: tar
-    - options: -j
-
 mirage-firewall:
   qvm.present:
     - name: mirage-firewall
@@ -37,6 +29,7 @@ mirage-firewall-prefs:
     - provides-network: True
     - netvm: sys-net
     - default_dispvm: ''
+    - kernelopts: ''
 
 mirage-firewall-features:
   qvm.features:
@@ -45,5 +38,9 @@ mirage-firewall-features:
       - qubes-firewall
       - no-default-kernelopts
 
+mirage-firewall-kernel:
+  file.managed:
+    - name: /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz
+    - source: salt://mirage/qubes-firewall.xen
 
 {% endif %}

monitor.spec

@@ -0,0 +1,44 @@
+Name:           3isec-qubes-monitor
+Version:  	1
+Release:        2%{?dist}
+Summary:        Prepares qube for network monitoring in Qubes
+
+License:        GPLv3+
+SOURCE0:        monitor
+
+%description
+This package creates a template, with tools installed for network monitoring.
+An AppVM named sys-monitor, is created from that template.
+The template, template-monitor, is cloned from the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
+Wireshark, suricata, tcpdump, and tcpflow are installed and ready to run.
+The template has passwordless root installed, so you can run packet captures using `sudo..`.  
+If you want to run wireshark as an ordinary user, you will have to follow the instructions in `/srv/salt/monitor/README.md` to reconfigure the package.
+
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}/srv/salt
+cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
+
+%files
+%defattr(-,root,root,-)
+/srv/salt/monitor/*
+
+%post
+if [ $1 -eq 1 ]; then
+  qubesctl state.apply monitor.create
+  qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install
+  qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure
+fi
+
+%preun
+
+
+%changelog
+* Sat Jul 27 2024 unman <unman@thirdeyesecurity.org> - 1.2
+- Make suricata logs persistent
+* Thu Jul 25 2024 unman <unman@thirdeyesecurity.org> - 1.1
+- First Build

monitor/README.md

@@ -0,0 +1,74 @@
+# Introduction
+These files create a template, with tools installed for network monitoring.
+An AppVM named sys-monitor, is created from that template.
+
+## Template
+The template, template-monitor, is cloned from the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+
+The template has passwordless root installed, so you can run packet captures using `sudo..`.  
+If you want to run wireshark as an ordinary user, open a terminal in template-monitor and run
+1. `sudo dpkg-reconfigure wireshark-common`.
+2. Answer `Yes` to the question, "should non-superusers be able to capture packets?"
+3. Run `sudo usermod -a -G wireshark user`.
+4. Shut down the template.
+
+Next time you start a qube using the template-monitor template, you will be able to run Wireshark as an ordinary user.
+
+
+## Usage
+sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
+Wireshark, suricata, tcpdump, and tcpflow are installed and ready to run.
+For wireshark see the note above about running as an ordinary user - useful if you want to start from the Q Menu.
+
+As with all Debian templates, services are masked in the template.
+This is done in `create.sls`
+The suricata service is *unmasked* in the qube, by an entry in `/rw/config/rc.local` which is created in `config.sls`.
+This means that you can simply run `sudo systemctl start suricata` to have suricata running with default settings.
+Alternatively you can start the service with a custom configuration, as you will.
+
+By default sys-monitor has sys-net as netvm, but you can change this if you wish.
+You can monitor traffic at eth0 or at any of the vif interfaces to downstream qubes.
+
+You can, of course, use template-monitor to create other qubes for monitoring at different positions in the Qubes networking structure..
+
+**Remember that Qubes uses masquerade in the nft qubes table, so that all traffic coming from (e.g) sys-firewall appears to come from the IP address of that qube.
+If you want to see traffic from individual qubes you must attache those qubes directly to sys-monitor**
+
+## Installation
+Copy the monitor folder to /srv/salt.
+```
+qubesctl state.apply monitor.create
+qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install
+qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure
+```
+### Template creation
+Clone the debian-12-minimal template - note the use of `qvm.template_installed` which will install the template if it is not already present
+```
+sudo qubesctl state.apply monitor.clone
+```
+`clone.sls` uses `qvm.features` to set the menu. Note that you can do this *before* the relevant packages are installed.
+
+### Qube creation
+`create.sls` is a standard way of creating `sys-monitor` - qvm.present is used to create the qube, and preferences and features are set.
+
+Note the use of an `include` statement at the head of the file. This allows a single state execution to call other states.
+So `qubesctl state.apply monitor.create` will call and run `monitor.clone`.
+
+
+### Package installation
+```
+sudo qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install
+
+```
+This state uses `pkg.installed` to install necessary packages in the template.
+Note the use of `pillar.get` to check if a caching proxy is present: the necessary changes to repository definitions are made using `file.replace` within a jinja command structure.
+
+### Configuration
+```
+sudo qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure
+```
+This state uses `file.append` to make sure that the suricata service is unmasked in the qube.
+The command is run from /rw/config/rc.local: file.append` is used to alter that file.
+`file.append` will only add the text if it is not already present.

monitor/clone.sls

@@ -0,0 +1,16 @@
+monitor_precursor:
+  qvm.template_installed:
+    - name: debian-12-minimal
+
+qvm-clone-monitor:
+  qvm.clone:
+    - name: template-monitor
+    - source: debian-12-minimal
+
+qvm-features-template-monitor:
+  qvm.features:
+    - name: template-monitor
+    - set:
+      - menu-items: "org.wireshark.Wireshark.desktop debian-uxterm.desktop"
+      - default-menu-items: "org.wireshark.Wireshark.desktop debian-uxterm.desktop"
+

monitor/clone.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - monitor.clone

monitor/configure.sls

@@ -0,0 +1,16 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+{% if grains['nodename'] != 'dom0' %}
+
+/rw/config/rc.local:
+  file.append:
+    - text: systemctl unmask suricata
+
+# Make settings persistent using bind-dirs
+bind_suricata_logs:
+  file.append:
+    - name: /rw/config/qubes-bind-dirs.d/50_user.conf
+    - text: "binds+=( '/var/log/suricata/' )"
+    - makedirs: True
+
+{% endif %}

monitor/create.sls

@@ -0,0 +1,31 @@
+include:
+  - monitor.clone
+
+qvm-present-monitor:
+  qvm.present:
+    - name: sys-monitor
+    - template: template-monitor
+    - label: green
+
+qvm-prefs-monitor:
+  qvm.prefs:
+    - name: sys-monitor
+    - netvm: sys-net
+    - memory: 400
+    - maxmem: 1500
+    - vcpus: 2
+    - provides-network: True
+
+qvm-features-monitor:
+  qvm.features:
+    - name: sys-monitor
+    - ipv6: ''
+    - disable:
+      - service.cups
+      - service.cups-browsed
+      - service.tinyproxy
+    - set:
+      - menu-items: "org.wireshark.Wireshark.desktop debian-uxterm.desktop"
+
+'qvm-volume extend sys-monitor:private 40G' :
+  cmd.run

monitor/create.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - monitor.create

monitor/install.sls

@@ -0,0 +1,56 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% if proxy  == 'cacher' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+  file.replace:
+    - name: /etc/apt/sources.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+installed:
+  pkg.installed:
+    - pkgs:
+      - qubes-core-agent-networking
+      - qubes-core-agent-passwordless-root
+      - mate-notification-daemon
+      - suricata
+      - tcpdump
+      - tcpflow
+      - wireshark
+
+systemd-disable-suricata:
+  cmd.run:
+    - name: systemctl disable suricata
+
+systemd-mask-suricata:
+  cmd.run:
+    - name: systemctl mask suricata
+
+{% endif %}
+{% endif %}
+{% endif %}

monitor/install.top

@@ -0,0 +1,5 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  template-monitor:
+    - monitor.install

mullvad.spec

@@ -1,76 +1,75 @@
 Name:           3isec-qubes-mullvad-vpn
-Version:       	1.2
-Release:        1%{?dist}
-Summary:        Set up a Mullvad wireguard proxy in Qubes
+Version:       	2024.3
+Release:        4%{?dist}
+Summary:        Set up a Mullvad qube and disposable template
 
 License:        GPLv3+
-SOURCE0:	      mullvad
+SOURCE0:        mullvad
 
 %description
-This package sets up a VPN gateway, named MullvadVPN
-It follows the method detailed in the Mullvad docs,
-https://mullvad.net/en/help/qubes-os-4-and-mullvad-vpn/
+This package creates a template, loaded with the MullvadVPN GUI and Mullvad Browser. 
+An AppVM named sys-mullvad, and a disposable template, mullvad-dvm, are
+created from that template.
 
-This package is for use with wireguard.
-If you use openvpn, install the 3isec-qubes-openvpn package.
+The template, template-mullvad, is based on the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
 
-The package creates a qube called MullvadVPN based on the debian-11-minimal
-template.  If the debian-11-minimal template is not present, it will
-be downloaded and installed - this may take some time depending on your
-net connection.
+Both the AppVM and the disposable template have the Mullvad GUI to
+set up a VPN, and the Mullvad browser. You can run the Mullvad Browser
+independently of the VPN.
+The sys-mullvad AppVM can be used as a standard AppVM or as a vpn gateway
+- set the netvm of client qubes to mullvad, and they will use the VPN. No
+traffic will pass except through the VPN.
 
-There are changes to the firewall rules on MullvadVPN to ensure
-blocking of outbound connections.
-Only traffic to the Mullvad gateway is allowed.
+If you remove this package, the salt files will be removed, but the qubes will not.
+You can manually remove them if you wish.
 
-After installing the package, copy your Mullvad configuration file or
-zip file to MullvadVPN.
-A menu item for "Setup Mullvad VPN" will be created on the main Qubes Menu.
-Run this to set up the VPN.
-When finished, restart MullvadVPN.
+You can, of course, use template-mullvad to create other qubes for
+separate VPN connections, or a qube where you will just use the Mullvad browser.
 
-To use the VPN, set MullvadVPN as the netvm for your qubes(s).
-All traffic will go through the VPN.
-The VPN will fail closed if the connection drops.
-No traffic will go through clear.
-
-If you remove the package, the salt files will be removed.
-**The MullvadVPN gateway will also be removed.**
-To do this ALL qubes will be checked to see if they use MullvadVPN.
-If they do, their netvm will be set to `none`.
-
-You can, of course, use template-mullvad to create other VPN gateways.
+Remember that each qube that creates a VPN will count toward the maximum of 6 clients.
+Log out and close the VPN when you have finished with it: if you do  not,
+you will be prompted to log out other clients from the GUI.
 
 %install
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/srv/salt
-mkdir -p %{buildroot}/usr/bin
-mkdir -p %{buildroot}/usr/share/applications
 cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
-cp -rv %{SOURCE0}/qubes-setup-MullvadVPN.desktop %{buildroot}/usr/share/applications
-cp -rv %{SOURCE0}/setup_MullvadVPN.sh %{buildroot}/usr/bin/setup_MullvadVPN.sh
 
 %files
 %defattr(-,root,root,-)
 /srv/salt/mullvad/*
-/usr/share/applications/qubes-setup-MullvadVPN.desktop
-/usr/bin/setup_MullvadVPN.sh
 
 %post
 if [ $1 -eq 1 ]; then
-  qubesctl state.apply mullvad.create
-  qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.install
-  qubesctl --skip-dom0 --targets=MullvadVPN state.apply mullvad.configure
+  qubesctl state.apply mullvad.clone
+  qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo
+  qubesctl state.apply mullvad.create_disposable
+  qubesctl --skip-dom0 --targets=sys-mullvad state.apply mullvad.configure
+elif [ $1 -eq 2 ]; then
+  qubesctl --skip-dom0 --targets=template-mullvad,sys-mullvad,mullvad-dvm state.apply mullvad.browser_delete
+  qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo
 fi
 
 %postun
-if [ $1 -eq 0 ]; then
-  for i in `qvm-ls -O NAME,NETVM | awk '/ MullvadVPN/{ print $1 }'`;do qvm-prefs $i netvm none; done
-  qvm-kill MullvadVPN
-  qvm-remove --force MullvadVPN template-mullvad 
-fi
 
 %changelog
+* Thu Jul 11 2024 unman <unman@thirdeyesecurity.org> - 2024.3.4
+- Update to install browser from Mullvad repository
+* Thu Jun 13 2024 unman <unman@thirdeyesecurity.org> - 2024.3.3
+- Update to include new Mullvad Browser 13.0.16
+* Mon May 20 2024 unman <unman@thirdeyesecurity.org> - 2024.3.2
+- Make VPN settings persistent in sys-mullvad
+* Sat May 18 2024 unman <unman@thirdeyesecurity.org> - 2024.3.1
+- Update to Mullvad VPN 2024.3
+- Update to include new Mullvad Browser 13.0.15
+* Sat Mar 16 2024 unman <unman@thirdeyesecurity.org> - 2023.6.2
+- Update to include new Mullvad Browser
+- Use sys-mullvad as transparent VPN proxy
+* Sat Feb 10 2024 unman <unman@thirdeyesecurity.org> - 2.01
+- Rewrite to use Mullvad GUI for connections
+- Include Mullvad Browser
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.02
 - Use pillar for cacher to determine repo changes
 * Mon Nov 28 2022 unman <unman@thirdeyesecurity.org> - 1.1

mullvad/README.md

@@ -0,0 +1,59 @@
+# Introduction
+These files create a template, loaded with the MullvadVPN GUI and Mullvad Browser. 
+An AppVM named sys-mullvad, and a disposable template, mullvad-dvm, are
+created from that template.
+
+## Template
+The template, template-mullvad, is cloned from the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+
+## Usage
+Both the AppVM and the disposable template have the Mullvad GUI to
+set up a VPN, and the Mullvad browser. You can run the Mullvad Browser
+independently of the VPN.
+The sys-mullvad AppVM can be used as a standard AppVM or as a vpn gateway
+- set the netvm of client qubes to sys-mullvad, and they will use the VPN. No
+traffic will pass except through the VPN.
+
+You can, of course, use template-mullvad to create other qubes for
+separate VPN connections, or a qube where you will just use the Mullvad browser.
+
+Remember that each qube that creates a VPN will count toward the maximum of 5 clients.
+Log out and close the VPN when you have finished with it: if you do  not,
+you will be prompted to log out other clients from the GUI when you reach the maximum.
+
+## Template creation
+Clone the debian-12-minimal template - note the use of `qvm.template_installed` which will install the template if it is not already present
+```
+sudo qubesctl state.apply mullvad.clone
+```
+`clone.sls` uses `qvm.features` to set the menu. Note that you can do this *before* packages are installed.
+
+## Package installation
+```
+sudo qubesctl --skip-dom0 --targets=template-mullvad state.apply mullvad.repo
+
+```
+This state uses `pkg.installed` to install necessary packages in the template.
+`cmd.run` is used to create the mullvad respository definition, and the keyring is copied in to place using `file.managed`
+Mullvad packages are installed using `pkg.installed`, and desktop files are copied in to `etc/skel` in the template. This is necessary because we need custom versions to run Mullvad programs in Qubes disposables.
+
+
+Note the use of `pillar.get` to check if a caching proxy is present, and the necessary changes to repository defintions are made using `file.replace` within a jinja command structure.
+
+## Qube creation
+`create.sls` is a standard way of creating `sys-mullvad` - qvm.present is used to create the qube, and preferences and features are set.
+
+`create_disposable.sls` creates a qube and sets it as a disposable template. The Menu is configured and qvm-appmenus` is called using `cmd.run  to make sure that menu items are correctly set.
+
+Note the use of an include statement at the head of the file. This allows a single state execution to call other states.
+
+
+## Qube configuratioon
+```
+sudo qubesctl --skip-dom0 --targets=sys-mullvad state.apply mullvad.configure
+```
+The qubes firewall is configured using `file.managed` to transfer files to sys-mullvad. These are normal nftables command files.
+To make sure that configuration changes are kept after a qubes restart, [bind-dirs](https://www.qubes-os.org/doc/bind-dirs/) is used.
+The configuration file is created using `file.managed`

mullvad/browser_delete.sls

@@ -0,0 +1,7 @@
+# Delete existing browser
+delete_browser:
+  file.absent:
+    - names:
+      - /etc/skel/Downloads/mullvad*
+      - /home/user/Downloads/mullvad*
+      - /home/user/mullvad-browser

mullvad/clone.sls

@@ -1,8 +1,15 @@
 mullvad_precursor:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
-qvm-clone-id:
+mullvad_clone:
   qvm.clone:
     - name: template-mullvad
-    - source: debian-11-minimal
+    - source: debian-12-minimal
+
+mullvad_menu:
+  qvm.features:
+    - name: template-mullvad
+    - set:
+      - menu-items: "mullvad-vpn.desktop mullvad-browser.desktop debian-xterm.desktop"
+      - default-menu-items: "mullvad-vpn.desktop mullvad-browser.desktop debian-xterm.desktop"

mullvad/clone.top

@@ -1,8 +1,4 @@
-mullvad_precursor:
-  qvm.template_installed:
-    - name: debian-11-minimal
-
-qvm-clone-id:
-  qvm.clone:
-    - name: template-mullvad
-    - source: debian-11-minimal
+base:
+  dom0:
+    - match: nodegroup
+    - mullvad.clone

mullvad/configure.sls

@@ -1,37 +1,33 @@
-/rw/config/rc.local:
-  file.append:
-    - text: wg-quick up /rw/config/wireguard.conf
-
-/rw/config/qubes-firewall-user-script:
-  file.append:
-    - text:
-      - nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
-      - nft insert rule filter FORWARD oifname eth0 drop
-      - nft insert rule filter FORWARD iifname eth0 drop
-
-/rw/config/network-hooks.d/flush.sh:
+/rw/config/qubes-firewall.d/set_forward.sh:
   file.managed:
     - source:
-      - salt://mullvad/flush.sh
+      - salt://mullvad/set_forward.sh
     - user: root
     - group: root
+    - mode: '755'
     - makedirs: True
-    - mode: 755
 
-/rw/config/network-hooks.d/flush:
+/rw/config/network-hooks.d/set_forward.sh:
   file.managed:
     - source:
-      - salt://mullvad/flush
+      - salt://mullvad/set_forward.sh
     - user: root
     - group: root
+    - mode: '755'
     - makedirs: True
-    - mode: 755
 
-/home/user/install.sh:
+/rw/config/qubes-firewall.d/update_dns.nft:
   file.managed:
     - source:
-      - salt://mullvad/install.sh
+      - salt://mullvad/update_dns.nft
     - user: root
-    - mode: '0755'
-    - replace: True
+    - group: root
+    - mode: '755'
+    - makedirs: True
 
+# Make settings persistent using bind-dirs
+bind_mullvad_settings:
+  file.append:
+    - name: /rw/config/qubes-bind-dirs.d/50_user.conf
+    - text: "binds+=( '/etc/mullvad-vpn' )"
+    - makedirs: True

mullvad/configure.top

@@ -0,0 +1,3 @@
+base:
+ sys-mullvad:
+    - mullvad.configure

mullvad/create.sls

@@ -3,23 +3,25 @@ include:
 
 qvm-present-id:
   qvm.present:
-    - name: MullvadVPN
+    - name: sys-mullvad
     - class: AppVM
     - template: template-mullvad
     - label: green
 
 qvm-prefs-id:
   qvm.prefs:
-    - name: MullvadVPN
+    - name: sys-mullvad
     - memory: 400
-    - maxmem: 800
+    - maxmem: 4000
     - vcpus: 2
-    - provides-network: true
+    - provides-network: True
 
 qvm-features-id:
   qvm.features:
-    - name: MullvadVPN
+    - name: sys-mullvad
     - disable:
       - service.cups
       - service.cups-browsed
       - service.tinyproxy
+    - set:
+      - menu-items: "mullvad-vpn.desktop mullvad-browser.desktop debian-xterm.desktop"

mullvad/create_disposable.sls

@@ -0,0 +1,33 @@
+include:
+  - mullvad.clone
+  - mullvad.create
+
+create_mullvad_dvm:
+  qvm.present:
+    - name: mullvad-dvm
+    - class: AppVM
+    - template: template-mullvad
+    - label: green
+
+mullvad-prefs_dvm:
+  qvm.prefs:
+    - name: mullvad-dvm
+    - memory: 400
+    - maxmem: 4000
+    - vcpus: 2
+    - template_for_dispvms: True
+
+mullvad-features_dvm:
+  qvm.features:
+    - name: mullvad-dvm
+    - disable:
+      - service.cups
+      - service.cups-browsed
+      - service.tinyproxy
+    - set:
+      - menu-items: "mullvad-browser.desktop debian-xterm.desktop mullvad-vpn.desktop"
+      - appmenus-dispvm: True
+
+'qvm-appmenus --update mullvad-dvm':
+  cmd.run:
+    - runas: user

mullvad/create_disposable.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - mullvad.create_disposable

mullvad/dns_hijack.sh

@@ -1,11 +0,0 @@
-virtualif=`ip -o -4  addr show eth0|awk '{ print $4}'`
-vpndns1=10.8.0.1
-vpndns2=10.14.0.1
-iptables -F OUTPUT
-iptables -I FORWARD -o eth0 -j DROP
-iptables -I FORWARD -i eth0 -j DROP
-iptables -F PR-QBS -t nat
-iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
-iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
-iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
-iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2

mullvad/firewall.sh

@@ -1,26 +0,0 @@
-#!/bin/bash
-#    Block forwarding of connections through upstream network device
-#    (in case the vpn tunnel breaks):
-iptables -I FORWARD -o eth0 -j DROP
-iptables -I FORWARD -i eth0 -j DROP
-ip6tables -I FORWARD -o eth0 -j DROP
-ip6tables -I FORWARD -i eth0 -j DROP
-
-#    Accept traffic to VPN
-iptables -P OUTPUT DROP
-iptables -F OUTPUT
-iptables -I OUTPUT -o lo -j ACCEPT
-
-#    Add the `qvpn` group to system, if it doesn't already exist
-if ! grep -q "^qvpn:" /etc/group ; then
-     groupadd -rf qvpn
-     sync
-fi
-sleep 2s
-
-#    Block non-VPN traffic to clearnet
-iptables -I OUTPUT -o eth0 -j DROP
-#    Allow traffic from the `qvpn` group to the uplink interface (eth0);
-#    Our VPN client will run with group `qvpn`.
-iptables -I OUTPUT -p all -o eth0 -m owner --gid-owner qvpn -j ACCEPT
-iptables -I OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT

mullvad/flush

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-define vpndns1 = 10.64.0.1
-flush chain nat PR-QBS
-insert rule nat PR-QBS tcp dport 53 dnat to $vpndns1
-insert rule nat PR-QBS udp dport 53 dnat to $vpndns1

mullvad/flush.sh

@@ -1,2 +0,0 @@
-#!/bin/sh
-nft -f /rw/config/network-hooks.d/flush

mullvad/install.sh

@@ -1,38 +0,0 @@
-#!/usr/bin/bash
-if [ "`id -u`" -ne 0 ]; then
-  exec sudo "$0"
-  exit 99
-fi
-target_file='/rw/config/wireguard.conf'
-cd /rw/config/vpn
-zenity --question --text="Do you have a zip file from Mullvad?" --ok-label="Yes" --cancel-label="No"
-if [ $? = 0 ] ; then
-  client_file=`zenity --file-selection`
-  if  [ $(mimetype -b $client_file) == "application/zip" ]; then
-    unzip -j -d /rw/config/vpn "$client_file"
-  else
-    zenity --error --text="That doesn't look like a zip file"
-    exit
-    fi
-fi
-zenity --question --text="Have you copied the wireguard config file to /rw/config/vpn/ ?" --ok-label="Yes" --cancel-label="No"
-if [ $? = 0 ] ; then
-  zenity --question --text="Please select the wireguard configuration file you want to use" --ok-label="OK" --cancel-label="No"
-  if [ $? = 0 ] ; then
-    client_file=`zenity --file-selection`
-    if grep -q '^PrivateKey' "$client_file" ; then
-      if [ "$client_file" != "$target_file" ]; then
-        cp $client_file $target_file
-      fi
-      zenity --info --text="Restart this qube. The VPN service will start automatically."
-    else
-     zenity --error --text="That doesn't look like a client config file"
-     exit
-    fi
-  else
-    zenity --error --text="You need a config file\nCheck with Mullvad VPN"
-    exit
-  fi
-else
-  exit
-fi

mullvad/install.sls

@@ -1,37 +0,0 @@
-# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-#
-#
-#
-
-{% if grains['nodename'] != 'dom0' %}
-{% if salt['qvm.exists']('cacher') %}
-
-/etc/apt/sources.list:
-  file.replace:
-    - names:
-      - /etc/apt/sources.list
-      - /etc/apt/sources.list.d/qubes-r4.list
-    - pattern: 'https:'
-    - repl: 'http://HTTPS/'
-    - flags: [ 'IGNORECASE', 'MULTILINE' ]
-{% endif %}
-
-mullvad:
-  pkg.uptodate:
-    - refresh: True
-
-installed:
-  pkg.installed:
-    - pkgs:
-      - qubes-core-agent-networking
-      - qubes-core-agent-passwordless-root
-      - iproute2
-      - libnotify-bin
-      - mate-notification-daemon
-      - resolvconf
-      - unzip
-      - wireguard
-      - wireguard-tools
-      - zenity
-
-{% endif %}

mullvad/mimeinfo.cache

@@ -0,0 +1 @@
+[MIME Cache]

mullvad/mullvad-browser.desktop

@@ -0,0 +1,10 @@
+[Desktop Entry]
+Type=Application
+Name=Mullvad Browser
+GenericName=Web Browser
+Comment=Mullvad Browser is a privacy-focused web browser designed to minimize tracking and fingerprinting.
+Categories=Network;WebBrowser;Security;
+Exec=/usr/lib/mullvad-browser/start-mullvad-browser
+X-MullvadBrowser-ExecShell=/usr/lib/mullvad-browser/start-mullvad-browser
+Icon=mullvad-browser
+StartupWMClass=Mullvad Browser

mullvad/mullvad-keyring.asc

@@ -0,0 +1,84 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFgRmCoBEAChee2rs/braqjqim1D+uvTBpPZzkpccJVb2SqhErQKs54iJVyo
+H5pNrGR4VIzFRUnY7fbATo2Ej+0MlglXahl4ok93XmeDz04P5rH2NKnLvWYdaK1C
+9Lvpq22t1nytJuhc124UBahVVEYjc7l2+JGdTh7WvLj8FXqfnnmI1upVU48S70RL
+oM3tSDZqQaO3OGCc0znMNBGI/uKNNwc6Omm6KPvczOhci7bnKt0b0R6TrXufvgOG
+y1DM9sntIbXtpIjOuZdTWyrGTm/AvT6zddPFjN8SN6ZIfoRmJT6ROB6ZTtiz/d20
+VJ87QPEfVRKrMImZxtkJtSliojZB/I3/bkP7A4pvgJ6cJ+ErwW4cfqc3DrWaZY+D
+4AZnk71FA6C5rQdkFbfkgyUMY1WeKX+8N/R+e5oLGmoVI/fdHu1z0JkJJvEraAO9
++qX2mOcW5h/NRxv0Xw57fjMhnMha7bWs8Jn5AchDPJZs1U64Wr36FuSvcdxc0ON/
+WaX4RL/J5OtJHu+2FB+UB1/JuICdOP07/KFxUJod43KwwBctLUHOOz3m1KIVcnXR
+l6+gNQ7vxGm+xghN/zG7lgPLuw5ToCCkMLkQydsRPRSlm0f2zqbQUD3jn+4zZ2ma
+HBHcu6Ld8SSGPp5XIauAKhqZA9IkD5VPgqlrm0iJ4emzPYGp7PMFFdH3qQARAQAB
+tCpNdWxsdmFkIChjb2RlIHNpZ25pbmcpIDxhZG1pbkBtdWxsdmFkLm5ldD6JAjUE
+EwEIAB8CGwMCHgECF4AFAlgR6R8ECwkIBwUVCgkICwQWAgMBAAoJENWh1PJm3o3f
+muQQAJElHN6lLhpOgrbRprJAR15HfRI0Leoomfu5V53Qieqf+6O3TF4PC9JRn+v8
+NYOMsBmBgosvO8YcABA3wYTW6qyRGr+8zQePltEe/J9SE3oCbb4K5KWEThiicZ6R
+o0sJgXB3l0CIHVP+/3bWeZlBpTJNMLOEM+WsEsTe6v7hZfF7HIubVdKSIbQy7T3X
+nsk8840rt5LjJiNtSpsG+EJOIGEdXH5FAis35pTLrbkgnL3Evyjd2OW1grciqF+v
+7aba2g/2zpEGEdtbJKO5C4nG9CHcN5BlaSev0oQlKWuRSG3igwauZFe/0RQPkH/V
+kCOHA3l8NTlublQCdLLLrJJyX7aODH+AKLaVci17ogtGwwO+xNh0h4ejM0QuMLYV
+giMCpxRT5uUuOHbh3by1rwTSb+8dvIw3KyW1TbZ6LFCQHX+8Zs7xU7KQ6tGZ6Pvr
+Fhk/YiM8J+Fe+rBGwEcUfo/ALv4p7qHpRVA7CvdrzKg66iaN+iPQzsptamoSLsCj
+SYbjIby74X0vppRAg7sDXiAxJSRPXM3h1xO83yk1HMrswwWAUuJeToYRXOHYl5zN
+i3E0D6I5Zk1ioO9XPE7oILwJ7YaO4XuC3UuNMwWPSvOoJxbnsUdHpenITvbpe9DP
+z4HGzZWbUtShFDq77MDhv9vkNaFUOgP7AfO5N/35pVCkI4m1uQINBFgRmCoBEADT
+5YK+TLcGSzC4ML7t8VW+rVpYyY3pswX8dL058LYfCIrlaNa14/UvINvjA5529SWr
+jmmDluD8fqtMSFHw6l+XwPMOwvETAjaMLS6c/MLFmw2gHR2ARHBmLEn/ux9kZ03Y
+dEKak5wvkUVqLV7EgGnvfrI0FUw/gaIfdtAt0dcvpAG0bILXQtcYEj7BtiAdxiWL
+O8HMUzD7kj0Q2IUbA3bO4dAtJtXDyY+Ash/kqLzm+0kZtzk4FLWZT2CMw9l73mIT
+/f03+y8oBe1KhZ5FzqgUxQXdjV5hkWyFNbBn4+dsyoMltnVDPkRznIHDWJXiKUV+
+buSQ+xewO/flwrwcgbdTtH5qfuxtNBA2AkVs/dul8FJHeSCB7at6Vy1m8/xFlxgc
+QOk/wwiDKLBub0uIE6TfNs7SvAOUuZP5syLQq8ZeyYMWGrWQKgAEmHlXr0uCrqVF
+O5vjaja8Zwc6wdApiFxjiBzl3z7UiE3fafpeO9nqLwaZqz0RPCEpvCrkpDi4Gl2W
+nfWmQbj2jEpUER1osJhvNRCEfA12IUWjp1vFJhy31i6gTXdCxVBasQrxpJBEZnuJ
+57yIZ+FbdMI0wQD2OMdUYxx4o9p6aGwhotSBrgpM0cfZ5LruP6MjBfWKqLnZBuYk
+prqWeh5rgtXIebsiGYp7V3Ay9pcoilbzh53/wU6y+wARAQABiQIfBBgBCAAJBQJY
+EZgqAhsMAAoJENWh1PJm3o3fbfoP/RfOil8d3hNK+qgG4Xh46bF/UmGzorYbVzzP
+myXXRHTMh3/Br2tPOOnhP65nKJnv8pqCuK1UOJpfXUXDyRpAP7opiWRaS0gbU9s6
+RBy499P/LyMmvZbM4YkpxwPJkC6JaITQ+ZtnPQp+MYLizsz5OD8utyfoPWDOdaEf
+3JHOvupcItDL3DDKw5zPzrI6pKc0IMObO5VI/uU3BIf0x+FKh2rhMVMI+Psapotm
+qhpaPZoz/QPapS2WiMNr7cInLxx7/fv/RLEr5WSVn1eAKkKuXUO/VB5+h4GdP/YV
+boBW4wMneEEkJX3iLr/IM1GQdQK/db4fyWAKh7LhzS9ZCVMxm5BU6GkId7GI2jFE
+djmedt6iF6Tyk0/49WjU/qAZ9H0IHgpyNCwUqPpzWgRiiIbZryRXycht/rH6zuL1
+8p5N6r7AgT6s6kCHfrNK/zxMOzylUuwng1EnLCmlg88PoCCQpaNFZkqwIR0LCh3p
+Xp8zAp+0Sx2td1FtjbEw+OaNCmmJoMqoejuw0nSOFdQUUNAB5WGeZQLoPaastanW
+ir6XcUChoy/1osuovAPNKpWWUxWDdW+62mV8s2ArkLzhgl0FmLZhu+VBKrQaNUKV
+WmPnMRZF6f1C3M8l5DtT1VzfEr1A9ON6uZzKITLlJdBltVFkV7qJTsxbsoj0AJj7
+0VY4XEjauQINBFgR4mgBEACsFJ+BkT+yBxB0E2MNUAcW5stDgscDOJOAXS/ViYd8
+68FqC87VnG+bgTqG2atRqb493RoCHwZyL3L9JniadSk35d9JEQBWzCPff+kEy5Uc
+bwzvSUJyCfjFdxU4YgH/bMt+RXi1mVjLcGTthRp4IfBxQcluI//rxP1kurrqq+lO
+wj7n+h1wxrdhvXXDiAeBJqlQcBjeT0VLc74PYQJ3SbpeX1aFaxsVATGpgXf3SWp+
+8vRCmzM9CnyZW8BeaXBrkwiZQEOeiqnQ0MWaD/8Fs6WWfiyoObJcadmS7HgqCfw7
+SwjSUjSPAr+Vr02P83S59u8ql0RWtDI8CCXcSc1t4u52lvXBdO3nKa9+PeW64I+A
+UfqgJOmfhWZsoImV1pCx+RzY6luFp7H7JVACAi3Z1s24fsRhN5wVZ/hjKn7xGPv0
+O+zFVGWXs/JKl6Bv7xMR0epL+D0d13ahPZYHyLqLfdeJwg2HT1BUAPy+QCy5rhzS
+iEjeygqVzwNTcBPnu1PFhzXSdGMvHKTFXwO5xPwqanvKUd9zH6Xxan5wAJL7yRPq
+7/MSEqUFiE+OfVTeZ3PDduLrkrQm0ZIgTl4EkUNn70YbzrPnEDh7EMETNnAqjNU3
+5iwELxRyxjUdSaIuF/5gSfc4DG/c8miUrYAaXyqMuJWuF7aNnVnSQJDZCjnf//Yy
+KQARAQABiQQ+BBgBCAAJBQJYEeJoAhsCAikJENWh1PJm3o3fwV0gBBkBCAAGBQJY
+EeJoAAoJEKJlgfIZyDFMyBwP/ih4/pKyfQOdgP03IXK0v9dhKOs+PcSAd4BC+ACV
+kDz+N4Pui7/6FJ7+hSJE7Tf2vcWYYbtTrVCz335VCf5zWC/Tz8aXs9MOBlMeZNOS
+2Fsi8P1KOv2BD7qi+m6fkHJ59hDXp2SzvmYRNRgn3N1QpuJl6bjssLmG7X+8NrNA
+JZedzfXmvxDfnxaqKTwGotlJXVo5b/wB1ZXn7yr3zecuXKvcG1SJTGCSyK98jyip
+S/0qAOqzd6FPbNEl/4ehKPX5STdZytTzN8lcbtfTMUA6qLqe/5Tvt50n8yDD3bEh
+ripRSaC2BoVDADwxo7kDhTO6c1xCNMdG/9dHMelbzOPuxJhVMkNzL+dR5V6Q3Clt
+I2rjANqWq/3G7kA4oaItoYOYnh9J8a7P/bkMFbrGEYmaYu9PCqLY5NzqaCKlNyJP
+Fy8u0TdBhiyoBWWarTN6fZwTG6MotHPi9q0iWPfsb9kyoRJWIcvEJq+Vi0wE0+9/
+kXgibqh76U5JekysGV/dBgXaPF4XAPCpBaEe9sbD2PVeUDZPuVeo3c8iGPK1NxmJ
+dt1ktfCcuV3MYCo1DGifuOCCvVaJms6IEFjLPAEQmTGhRSVzTWZ7J8HoDqulhlJh
+HxLT7KI9z85238zplUarSEZ42gNT5SQd35prGVlJDVBwRm2NmJurcfU/EcPi++eD
+0hJhWrYP/3lW/OOkR5NZCK8HhKYM2kBcAsOC/6x5vV1VISslZY2LB3jKq+XhXlPO
+cEmQVMPliBx4yuFrPOKk1+87D9bEL5LJBQskgQwFe2Pg9QirIYflO+P+1LJK3U/g
+3NnlkSrOTRV0M/AvhtU/8R3V2V423pm3sjQsaRdMMtWGfsFNJxvotBkwgEDwDu7h
+sZqzL0zFucm+iMAhGnqi+EZEPXwbX1Utp7S8edBCztfytQMjnJ6jv4UCz///rc3i
+8IDlMo2d19CW/psPS4v7lns5g9oqCGpRbGRllrBV1M/o7bs7+1NyvPTJm9UAmt5U
+iApao4vt4YOG5w0vYd0t50pDS/j3TGjbakgxZpNUMpAgrhnelClKDsXbCVGCyhlJ
+ZOw9Q9t4vIAhFFSpxEDl1NREOUInoK3R4yo4Ep4sq6cbfZvoyAYZf1zpQHQX9OBN
+DKp1jwGLA3+0Jna2/1QUYFLjFiz9bdL+1nT9k/RStFBauRh529r+M1WlkwqNIL+L
+bRGm0rXbWu9eiLhq2ldnfIADOtccUll10RznrjumqgYYw2CI0YUudzpzIghAKZyo
+THYPADmBfvN2pZa/KU3c1OSKHOH2b91Xi97k3u0fECMHLgXctA3BkQ69fONSzx/c
+abgtcydAU0wAD3mG3mr1XI96uOMeVNK0wgYyO5VhzZNziSFhls0D
+=kwTD
+-----END PGP PUBLIC KEY BLOCK-----

mullvad/mullvad-vpn.desktop

@@ -0,0 +1,9 @@
+[Desktop Entry]
+Name=Mullvad VPN
+Exec="/opt/Mullvad VPN/mullvad-vpn" %U
+Terminal=false
+Type=Application
+Icon=mullvad-vpn
+StartupWMClass=Mullvad VPN
+Comment=Mullvad VPN client
+Categories=Network;

mullvad/mullvad_logout.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Logout Mullvad account at shutdown
+DefaultDependencies=no
+Before=shutdown.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/mullvad_logout.sh
+TimeoutStartSec=0
+
+[Install]
+WantedBy=shutdown.target

mullvad/mullvad_logout.sh

@@ -0,0 +1,2 @@
+#!/bin/sh
+mullvad account logout

mullvad/qubes-setup-MullvadVPN.desktop

@@ -1,10 +0,0 @@
-[Desktop Entry]
-Type=Application
-Exec=setup_MullvadVPN.sh
-Path=/usr/bin
-Icon=qubes-manager
-Terminal=false
-Name=Setup Mullvad VPN
-GenericName=Setup Mullvad VPN
-StartupNotify=false
-Categories=Settings;X-XFCE-SettingsDialog

mullvad/repo.sls

@@ -0,0 +1,94 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if salt['pillar.get']('update_proxy:caching') %}
+{% set proxy = 'cacher' %}
+{% endif %}
+
+{% if grains['nodename'] != 'dom0' %}
+{% if grains['os_family']|lower == 'debian' %}
+{% if grains['nodename']|lower != 'host' %}
+{% if proxy  == 'cacher' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
+/etc/apt/sources.list:
+  file.replace:
+    - name: /etc/apt/sources.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+requirements_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - qubes-core-agent-networking
+      - qubes-core-agent-passwordless-root
+      - iproute2
+      - libnotify-bin
+      - lsb-release
+      - xz-utils
+
+echo "deb [signed-by=/usr/share/keyrings/mullvad-keyring.asc arch=$( dpkg --print-architecture )] https://repository.mullvad.net/deb/stable $(lsb_release -cs) main" > /etc/apt/sources.list.d/mullvad.list :
+  cmd.run
+
+/usr/share/keyrings/mullvad-keyring.asc:
+  file.managed:
+    - source:
+      - salt://mullvad/mullvad-keyring.asc
+    - user: root
+    - group: root
+    - makedirs: True
+
+{% if proxy == 'cacher' %}
+/etc/apt/sources.list.d/mullvad.list:
+  file.replace:
+    - name: /etc/apt/sources.list.d/mullvad.list
+    - pattern: 'https:'
+    - repl: 'http://HTTPS/'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endif %}
+
+mullvad_installed:
+  pkg.installed:
+    - refresh: True
+    - pkgs:
+      - mullvad-vpn
+      - mullvad-browser
+      - libnss3
+
+/etc/skel/.local/share/applications/mullvad-browser.desktop:
+  file.managed:
+    - source: salt://mullvad/mullvad-browser.desktop
+    - user: root
+    - group: root
+    - makedirs: True
+
+/etc/skel/.local/share/applications/mullvad-vpn.desktop:
+  file.managed:
+    - source: salt://mullvad/mullvad-vpn.desktop
+    - user: root
+    - group: root
+    - makedirs: True
+    
+{% endif %}
+{% endif %}
+
+{% endif %}
+

mullvad/set_forward.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/sh
+nft -f /rw/config/qubes-firewall.d/update_dns.nft

mullvad/setup_MullvadVPN.sh

@@ -1,17 +0,0 @@
-#!/usr/bin/bash
-qvm-run MullvadVPN /home/user/install.sh
-if ! (qvm-firewall MullvadVPN|tail -n1 |grep -q '.*drop.*-.*-'.*-);then
-qvm-firewall MullvadVPN add --before 0 drop && qvm-firewall MullvadVPN del --rule-no 1
-fi
-endpoint=$(qvm-run -p MullvadVPN 'awk "/Endpoint/{print \$3}" /rw/config/wireguard.conf')
-IFS=":" read -r server_ip server_port  PORT <<< $endpoint
-if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*tcp.*53'); then
-qvm-firewall MullvadVPN add --before 0 proto=tcp dstports=53 accept
-fi
-if ! (qvm-firewall MullvadVPN |grep -q 'accept.*-.*udp.*53'); then
-qvm-firewall MullvadVPN add --before 0 proto=udp dstports=53 accept
-fi
-if ! (qvm-firewall MullvadVPN |grep -q "$server_ip");then
-qvm-firewall MullvadVPN add --before 0 dsthost=$server_ip proto=udp dstports=$server_port accept
-fi
-

mullvad/update_dns.nft

@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+flush chain qubes dnat-dns
+insert rule qubes dnat-dns udp dport 53 dnat to 10.64.0.1
+insert rule qubes dnat-dns tcp dport 53 dnat to 10.64.0.1
+flush chain qubes custom-forward
+insert rule ip qubes custom-forward oifname eth0 drop
+flush chain ip6 qubes custom-forward
+insert rule ip6 qubes custom-forward oifname eth0 drop

multimedia.spec

@@ -1,10 +1,11 @@
 Name:           3isec-qubes-sys-multimedia
-Version:       	2.2
-Release:        1%{?dist}
+Version:       	2.3
+Release:        7%{?dist}
 Summary:        creates multimedia template and qubes
 
 License:        GPLv3+
 SOURCE0:       	multimedia
+Requires:       3isec-qubes-common
 
 %description
  This package sets up qubes to work mith multimedia files in Qubes.
@@ -17,17 +18,20 @@ The multimedia disposable is offline by default.
 You can change this if you wish, but be aware that this may result in
 data leakage.
 
-The idea is that you organise and store media files in the media qube. 
-Opening a file in that qube will open the multimedia disposable and play
+Organise and store media files in the media qube. The media qube has thunar
+installed and is based on a minimal template. This reduces the risk of opening
+a file in the storage qube itself.
+Opening a file in the media qube will open the multimedia disposable and play
 the file there.
+The multimedia disposable will shut down automatically when all active windows
+are closed.
 You can also use the multimedia disposable from any other qube, or use the
 disposable template to create more disposables with different settings -
 perhaps online, or restricted to certain IP addresses.
-Access to the multimedia file is controlled from the policy file in
+Access to the multimedia qube is controlled from the policy file in
 /etc/qubes/policy.d/30-user.policy
 
 
-
 %install
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/srv/salt
@@ -42,13 +46,31 @@ if [ $1 -eq 1 ]; then
   qubesctl state.apply multimedia.clone
   qubesctl --skip-dom0 --targets=template-multimedia state.apply multimedia.install
   qubesctl state.apply multimedia.create
+  qubesctl --skip-dom0 --targets=template-store state.apply 3isec-common.store.install
+  qubesctl --skip-dom0 --targets=media state.apply multimedia.configure
+fi
+if [ $1 -eq 2 ]; then
+  qubesctl --skip-dom0 --targets=template-multimedia state.apply multimedia.install
   qubesctl --skip-dom0 --targets=media state.apply multimedia.configure
 fi
 
 %changelog
+* Thu Jun 13 2024 unman <unman@thirdeyesecurity.org> - 2.3.7
+- Install pipewire-qubes
+* Thu May 02 2024 unman <unman@thirdeyesecurity.org> - 2.3.6
+- Fix installation bug
+* Wed May 01 2024 unman <unman@thirdeyesecurity.org> - 2.3.5
+- Fix installation bug
+* Wed May 01 2024 unman <unman@thirdeyesecurity.org> - 2.3.4
+- Fix installation bug
+* Sun Mar 31 2024 unman <unman@thirdeyesecurity.org> - 2.3.3
+- Make call to disposable-open view-only
+* Fri Mar 15 2024 unman <unman@thirdeyesecurity.org> - 2.3.2
+- Use 3isec-common for thunar install
+* Tue Feb 13 2024 unman <unman@thirdeyesecurity.org> - 2.3
+- Use template-store with thunar for media qube
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 2.2
 - Use pillar for cacher to determine repo changes
-dd
 * Sat May 21 2022 unman <unman@thirdeyesecurity.org> - 2.1
 - Standardise package names to 3isec-
 * Sun May 15 2022 unman <unman@thirdeyesecurity.org> - 2.0

multimedia/DisposableOpen.desktop

@@ -1,7 +1,7 @@
 [Desktop Entry]
 Categories=Utility
 Comment=Opens files in DisposableVM
-Exec=qvm-open-in-dvm %u
+Exec=qvm-open-in-dvm --view-only  %u
 Icon=debian-swirl
 Name=DisposableOpen
 MimeType=x-scheme-handler/*;

multimedia/clone.sls

@@ -1,8 +1,8 @@
 multimedia_precursor:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
 qvm-clone-id:
   qvm.clone:
     - name: template-multimedia
-    - source: debian-11-minimal
+    - source: debian-12-minimal

multimedia/configure.sls

@@ -17,4 +17,5 @@
 
 /rw/config/rc.local:
   file.append:
-    - text: 'cp /rw/config/DisposableOpen.desktop /usr/share/applications/'
+    - text:
+        - 'cp /rw/config/DisposableOpen.desktop /usr/share/applications/'

multimedia/create.sls

@@ -1,4 +1,5 @@
 include:
+  - 3isec-common.store.clone
   - multimedia.clone
 
 qvm-present-id:
@@ -24,6 +25,8 @@ qvm-features-id:
       - service.cups
       - service.cups-browsed
       - service.tinyproxy
+    - enable:
+      - service.shutdown-idle
 
 
 multimedia:
@@ -54,7 +57,7 @@ multimedia-features:
 media-present-id:
   qvm.present:
     - name: media
-    - template: debian-11
+    - template: template-store
     - label: purple
 
 media-prefs:

multimedia/create_multimedia.sls

@@ -55,7 +55,7 @@ multimedia-features:
 media-present-id:
   qvm.present:
     - name: media
-    - template: debian-11
+    - template: debian-12-xfce
     - label: purple
 
 media-prefs:

multimedia/install.sls

@@ -3,11 +3,21 @@
 #
 
 {% if salt['pillar.get']('update_proxy:caching') %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
+
 update_sources:
   file.replace:
     - names:
       - /etc/apt/sources.list
-      - /etc/apt/sources.list.d/qubes-r4.list
     - pattern: 'https:'
     - repl: 'http://HTTPS/'
     - flags: [ 'IGNORECASE', 'MULTILINE' ]
@@ -21,11 +31,11 @@ vlc.packages:
   pkg.installed:
     - pkgs:
       - vlc
-      - pulseaudio-qubes
 
 other.packages:
   pkg.installed:
     - pkgs:
+      - pipewire-qubes
       - qubes-app-shutdown-idle
       - audacious
       - calibre

multimedia/install.sls.bak

@@ -1,25 +0,0 @@
-# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-#
-#
-allow-testing:
-  file.uncomment:
-    - name: /etc/apt/sources.list.d/qubes-r4.list
-    - regex: ^deb\s.*qubes-os.org.*-testing
-    - backup: false
-
-/home/user/Downloads/vlc-key:
-  file.managed:
-    - source:
-      - salt://multimedia/vlc-key
-    - user: user
-    - group: user
-
-/usr/bin/apt-key add /home/user/Downloads/vlc-key:
-  cmd.run:
-    - runas: root
-
-vlc.packages:
-  pkg.installed:
-    - pkgs:
-      - vlc
-      - pulseaudio-qubes

mutt.spec

@@ -1,10 +1,11 @@
 Name:           3isec-qubes-mutt
-Version:  	    1.1
+Version:  	2
 Release:        1%{?dist}
 Summary:        Prepares qube for using mutt in Qubes
+Requires:       3isec-qubes-common
 
 License:        GPLv3+
-SOURCE0:	      mutt
+SOURCE0:        mutt
 
 %description
 This package creates a minimal template configured for using mutt in Qubes, including notmuch.
@@ -23,15 +24,20 @@ cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
 %post
 if [ $1 -eq 1 ]; then
   qubesctl state.apply mutt.clone
-  qubesctl --skip-dom0 --targets=template-mutt state.apply mutt.install
+  qubesctl --skip-dom0 --targets=template-mutt state.apply 3isec-common.mutt.install
   qubesctl state.apply mutt.configure
+  qvm-shutdown template-mutt
 fi
 
 %preun
 
 
 %changelog
+* Thu Jun 13 2024 unman <unman@thirdeyesecurity.org> - 2.1
+- Upgrade base to debian 12
+* Mon Mar 11 2024 unman <unman@thirdeyesecurity.org> - 2.0
+- Move common mutt install files to 3isec-common package
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.1
 - Use pillar for cacher to determine repo changes
-* Wed Jul 15 2021 unman <unman@thirdeyesecurity.org>
+* Wed Jul 14 2021 unman <unman@thirdeyesecurity.org>
 - First Build

mutt/clone.sls

@@ -3,12 +3,12 @@
 
 mutt_precursor:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
 qvm-clone-id:
   qvm.clone:
     - name: template-mutt
-    - source: debian-11-minimal
+    - source: debian-12-minimal
 
 mutt_menu:
   qvm.features:

openvpn

@@ -1 +1 @@
-Subproject commit 655843cd414ce4632d23e7dbd71a8edd84cd0487
+Subproject commit 6f2f450cb2fc273f6a27d84763d5be013f8679ee

openvpn.spec

@@ -1,5 +1,5 @@
 Name:           3isec-qubes-sys-vpn
-Version:       	1.4
+Version:       	2.01
 Release:        1%{?dist}
 Summary:        Create an openvpn proxy in Qubes
 
@@ -10,15 +10,22 @@ SOURCE0:	      openvpn
 This package sets up a VPN gateway, named sys-vpn, using openvpn.
 It follows the method detailed in the Qubes docs,
  https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md
-using iptables and CLI scripts.
+using nftables and CLI scripts.
 
-The package creates a qube called sys-vpn based on the debian-11-minimal
-template.  If the debian-11-minimal template is not present, it will
+The package creates a qube called sys-vpn based on the debian-12-minimal
+template.  If the debian-12-minimal template is not present, it will
 be downloaded and installed - this may take some time depending on your
 net connection.
 
 There are minor changes to the firewall rules on sys-vpn to ensure
-blocking of outbound connections.
+blocking of outbound connections via eth0.
+When the VPN is inactive only DNS traffic is allowed from sys-vpn.
+When the VPN is active, no traffic is allowed except through the VPN
+tunnel.
+If the VPN uses Google's 8.8.8.8 server for DNS, this will be changed
+to use Quad-9 servers.
+sys-vpn will have the netvm set to the global default_netvm. Change this
+as you will.
 
 After installing, copy your openvpn configuration file or zip file
 to sys-vpn.
@@ -65,6 +72,10 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Tue Fri 13 2024 unman <unman@thirdeyesecurity.org> - 2.01
+- Attach sys-vpn to global default_netvm
+* Mon Fri 05 2024 unman <unman@thirdeyesecurity.org> - 2.0
+- Change to nftables implementation
 * Mon Jun 12 2023 unman <unman@thirdeyesecurity.org> - 1.4
 - Fix typo
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.3

pihole.spec

@@ -1,10 +1,10 @@
 Name:           3isec-qubes-pihole
-Version:  	    1.3
+Version:        1.4
 Release:        1%{?dist}
 Summary:        Creates Pi-hole server for Qubes
 
 License:        GPLv3+
-SOURCE0:	      pihole
+SOURCE0:        pihole
 
 %description
 This is Pi-hole.
@@ -26,10 +26,10 @@ If you do you must manually change the IP address of the clone.
 Pi-hole will be installed with these default settings:
  The DNS provider is Quad9 (filtered, DNSSEC)
  StevenBlack's Unified Hosts List is included
- The web interface is availble at http://localhost
+ The web interface is availble at http://localhost/admin
  Query logging is enabled to show everything.
 
-You can change these settings by logging in to the admin interface at http://localhost.
+You can change these settings by logging in to the admin interface at http://localhost/admin
 The default Admin Webpage login password is UpSNQsy4
 You should change this on first use, by running:
 `pihole -a -p`
@@ -59,6 +59,8 @@ fi
 
 
 %changelog
+* Sat Feb 03 2024 unman <unman@thirdeyesecurity.org> - 1.4
+- Update package for Qubes 4.2
 * Mon Feb 20 2023 unman <unman@thirdeyesecurity.org> - 1.3
 - Use pillar for cacher to determine repo changes
 * Fri Sep 9 2022 unman <unman@thirdeyesecurity.org>

pihole/README

@@ -21,10 +21,10 @@ Run `sudo /srv/salt/pihole/change_netvm.sh` .
 Pi-hole will be installed with these default settings:
  The DNS provider is Quad9 (filtered, DNSSEC)
  StevenBlack's Unified Hosts List is included
- The web interface is availble at http://localhost
+ The web interface is availble at http://localhost/admin
  Query logging is enabled to show everything.
 
-You can change these settings by logging in to the admin interface at http://localhost.
+You can change these settings by logging in to the admin interface at http://localhost/admin
 The default Admin Webpage login password is UpSNQsy4
 You should change this on first use, by running:
 `pihole -a -p`
@@ -32,7 +32,7 @@ You should change this on first use, by running:
 
 The implementation is based on work by Patrizio Tufarolo, 
 (https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/ ), 
-and updated for Qubes 4.1
+and updated for Qubes 4.2
 
   for i in `qvm-ls -O NAME,NETVM | awk '/ sys-firewall/{ print $1 }'`; do qvm-prefs $i netvm sys-pihole; done
   if [[ $(qubes-prefs default_netvm sys-firewall |grep sys-firewall ) ]]; then qubes-prefs default_netvm sys-pihole; fi

pihole/create.sls

@@ -1,11 +1,11 @@
 pihole_depends:
   qvm.template_installed:
-    - name: debian-11-minimal
+    - name: debian-12-minimal
 
 pihole-present-id:
   qvm.present:
     - name: sys-pihole
-    - template: debian-11-minimal
+    - template: debian-12-minimal
     - label: green
     - class: StandaloneVM
 

pihole/enX0

@@ -1,5 +1,5 @@
-auto eth0
-iface eth0 inet static
+auto enX0
+iface enX0 inet static
 address
 netmask 255.0.0.0
 gateway

pihole/flush

@@ -1,4 +0,0 @@
-#!/usr/sbin/nft -f
-flush chain nat PR-QBS
-insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1

pihole/flush.sh

@@ -1,2 +0,0 @@
-#!/bin/sh
-nft -f /rw/config/network-hooks.d/flush

pihole/install.sls

@@ -2,12 +2,21 @@
 #
 
 {% if grains['nodename'] != 'dom0' %}
+{% for repo in salt['file.find']('/etc/apt/sources.list.d/', name='*list') %}
+{{ repo }}_baseurl:
+  file.replace:
+    - name: {{ repo }}
+    - pattern: 'https://'
+    - repl: 'http://HTTPS///'
+    - flags: [ 'IGNORECASE', 'MULTILINE' ]
+    - backup: False
+
+{% endfor %}
 
 /etc/apt/sources.list:
   file.replace:
     - names:
       - /etc/apt/sources.list
-      - /etc/apt/sources.list.d/qubes-r4.list
     - pattern: 'http://HTTPS///'
     - repl: 'https://'
     - flags: [ 'IGNORECASE', 'MULTILINE' ]
@@ -16,24 +25,24 @@
 {% set IP = salt['cmd.shell']('qubesdb-read /qubes-ip') %}
 {% set GW = salt['cmd.shell']('qubesdb-read /qubes-gateway') %}
 
-/etc/network/interfaces.d/eth0:
+/etc/network/interfaces.d/enX0:
   file.managed:
     - source:
-      - salt://pihole/eth0
+      - salt://pihole/enX0
     - user: root
     - group: root
     - makedirs: True
 
 set_ip:
   file.line:
-    - name: /etc/network/interfaces.d/eth0
+    - name: /etc/network/interfaces.d/enX0
     - match: address
     - mode: replace
     - content: "address {{IP}}"
 
 set_gw:
   file.line:
-    - name: /etc/network/interfaces.d/eth0
+    - name: /etc/network/interfaces.d/enX0
     - match: gateway
     - mode: replace
     - content: "gateway {{GW}}"
@@ -67,10 +76,6 @@ Pihole_installed:
       - php-xml
       - unzip
 
-Pihole-systemd-mask:
-  cmd.run:
-    - name: systemctl disable systemd-resolved
-
 https://github.com/pi-hole/pi-hole.git:
   git.latest:
     - name: https://github.com/pi-hole/pi-hole.git
@@ -89,13 +94,6 @@ Pihole-setup:
   cmd.run:
     - name: '/root/pi-hole/automated\ install/basic-install.sh --unattended'
 
-/rw/config/qubes-firewall-user-script:
-  file.append:
-    - text:
-      - nft flush chain nat PR-QBS
-      - nft insert rule nat PR-QBS iifname "vif*" tcp dport 53 dnat to 127.0.0.1
-      - nft insert rule nat PR-QBS iifname "vif*" udp dport 53 dnat to 127.0.0.1
-
 /rw/config/qubes-firewall.d/update_nft.sh:
   file.managed:
     - source:
@@ -105,6 +103,15 @@ Pihole-setup:
     - makedirs: True
     - mode: 755
 
+/rw/config/qubes-firewall.d/update_nft.nft:
+  file.managed:
+    - source:
+      - salt://pihole/update_nft.nft
+    - user: root
+    - group: root
+    - makedirs: True
+    - mode: 755
+
 /rw/config/network-hooks.d/internalise.sh:
   file.managed:
     - source:
@@ -114,19 +121,10 @@ Pihole-setup:
     - makedirs: True
     - mode: 755
 
-/rw/config/network-hooks.d/flush.sh:
+/rw/config/network-hooks.d/update_nft.sh:
   file.managed:
     - source:
-      - salt://pihole/flush.sh
-    - user: root
-    - group: root
-    - makedirs: True
-    - mode: 755
-
-/rw/config/network-hooks.d/flush:
-  file.managed:
-    - source:
-      - salt://pihole/flush
+      - salt://pihole/update_nft.sh
     - user: root
     - group: root
     - makedirs: True

pihole/setupVars.conf

@@ -1,4 +1,4 @@
-PIHOLE_INTERFACE=eth0
+PIHOLE_INTERFACE=enX0
 PIHOLE_DNS_1=9.9.9.9
 PIHOLE_DNS_2=149.112.112.112
 QUERY_LOGGING=true

pihole/update_nft.nft

@@ -0,0 +1,14 @@
+#!/usr/sbin/nft -f
+flush chain qubes dnat-dns
+
+flush chain qubes custom-forward
+insert rule qubes custom-forward tcp dport 53 drop
+insert rule qubes custom-forward udp dport 53 drop
+
+flush chain qubes custom-input
+insert rule qubes custom-input tcp dport 53 accept
+insert rule qubes custom-input udp dport 53 accept
+
+flush chain qubes dnat-dns
+insert rule qubes dnat-dns iifname "vif*" tcp dport 53 dnat to 127.0.0.1
+insert rule qubes dnat-dns iifname "vif*" udp dport 53 dnat to 127.0.0.1

pihole/update_nft.sh

@@ -1,12 +1,3 @@
 #!/bin/sh
-get_handle(){
-local my_handle=$( nft -a list table $1|awk 'BEGIN{c0} /related,established/{c++; if (c==1) print $NF}' )
-echo $my_handle
-}
+nft -f /rw/config/qubes-firewall.d/update_nft.nft
 
-nft insert rule filter FORWARD tcp dport 53 drop
-nft insert rule filter FORWARD udp dport 53 drop
-
-handle=$(get_handle filter)
-nft add rule filter INPUT position $handle iifname "vif*" tcp dport 53 accept
-nft add rule filter INPUT position $handle iifname "vif*" udp dport 53 accept

proton.spec

@@ -0,0 +1,50 @@
+Name:           3isec-qubes-proton-vpn
+Version:       	1.01
+Release:        2%{?dist}
+Summary:        Set up a qube for Proton VPN use
+
+License:        GPLv3+
+SOURCE0:	      proton
+
+%description
+This package creates a template, using the proton repository, and
+with the Proton VPN GUI installed.
+Some useful networking programs (firefox,thunderbird,netcat,ssh,wget), are
+pre-installed
+An AppVM named proton, is created from that template.
+
+The template, template-proton, is based on the debian-12-minimal template.
+If the debian-12-minimal template is not present, it will be downloaded
+and installed - this may take some time depending on your net connection.
+
+If you remove this package, the salt files will be removed, and the proton
+template and qube will be killed and an attempt made to remove them.
+
+You can, of course, use the template-proton to create other qubes for
+separate VPN connections.
+
+%install
+rm -rf %{buildroot}
+mkdir -p %{buildroot}/srv/salt
+cp -rv %{SOURCE0}/  %{buildroot}/srv/salt
+
+%files
+%defattr(-,root,root,-)
+/srv/salt/proton/*
+
+%post
+if [ $1 -eq 1 ]; then
+  qubesctl state.apply proton.create
+  qubesctl --skip-dom0 --targets=template-proton state.apply proton.install_repo
+  qubesctl --skip-dom0 --targets=template-proton state.apply proton.install
+fi
+
+%postun
+if [ $1 -eq 0 ]; then
+  qvm-kill proton template-proton
+  qvm-remove -f proton template-proton
+fi
+
+%changelog
+* Sat Feb 17 2024 unman <unman@thirdeyesecurity.org> - 1.01
+- First Build

proton/clone.sls

@@ -0,0 +1,15 @@
+proton_precursor:
+  qvm.template_installed:
+    - name: debian-12-minimal
+
+proton_clone:
+  qvm.clone:
+    - name: template-proton
+    - source: debian-12-minimal
+
+proton_menu:
+  qvm.features:
+    - name: template-proton
+    - set:
+      - menu-items: "protonvpn-app.desktop firefox-esr.desktop debian-xterm.desktop"
+      - default-menu-items: "protonvpn-app.desktop firefox-esr.desktop debian-xterm.desktop" 

proton/clone.top

@@ -0,0 +1,4 @@
+base:
+  dom0:
+    - match: nodegroup
+    - proton.clone