Last active
March 7, 2026 13:45
-
-
Save 100111001/4eca0f78ed69d597d562a1515168fa6c to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # How to install the superlight mirage-firewall for Qubes OS by using saltstack | |
| # Tested on Qubes v4.1 and mirage v0.8.4 | |
| # No integrity checks are performed. Latest release version of mirage is downloaded and installed into dom0 | |
| # After the install, you have to switch your AppVMs to use the mirage firewall vm created by this script | |
| # inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall | |
| # inspired by: https://github.com/one7two99/my-qubes/tree/master/mirage-firewall | |
| {% set DownloadVMTemplate = "fedora-38" %} | |
| {% set DispVM = "fedora-38-dvm" %} | |
| {% set DownloadVM = "DownloadVmMirage" %} | |
| {% set MirageFW = "sys-mirage-fw" %} | |
| {% set GithubUrl = "https://github.com/mirage/qubes-mirage-firewall" %} | |
| {% set Filename = "mirage-firewall.tar.bz2" %} | |
| {% set MirageInstallDir = "/var/lib/qubes/vm-kernels/mirage-firewall" %} | |
| #download and install fixed version | |
| {% set Release = salt['cmd.shell']("qvm-run --dispvm " ~ DispVM ~ " --pass-io \"curl --silent --location -o /dev/null -w %{url_effective} " ~ GithubUrl ~ "/releases/latest | rev | cut -d \"/\" -f 1 | rev\"") %} | |
| {% if Release != salt['cmd.shell']("[ ! -f " ~ MirageInstallDir ~ "/version.txt" ~ " ] && touch " ~ MirageInstallDir ~ "/version.txt" ~ ";cat " ~ MirageInstallDir ~ "/version.txt") %} | |
| create-downloader-VM: | |
| qvm.vm: | |
| - name: {{ DownloadVM }} | |
| - present: | |
| - template: {{ DownloadVMTemplate }} | |
| - label: red | |
| - prefs: | |
| - template: {{ DownloadVMTemplate }} | |
| - include-in-backups: false | |
| {% set DownloadBinary = GithubUrl ~ "/releases/download/" ~ Release ~ "/" ~ Filename %} | |
| download-and-unpack-in-DownloadVM4mirage: | |
| cmd.run: | |
| - names: | |
| - qvm-run --pass-io {{ DownloadVM }} {{ "wget " ~ DownloadBinary }} | |
| - qvm-run --pass-io {{ DownloadVM }} {{ "tar -xvjf " ~ Filename }} | |
| - require: | |
| - create-downloader-VM | |
| check-checksum-in-DownloadVM: | |
| cmd.run: | |
| - names: | |
| - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of last build on github:\\\";curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\"\"" }} | |
| - qvm-run --pass-io {{ DownloadVM }} {{ "\"echo \\\"Checksum of downloaded local file:\\\";sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1\"" }} | |
| - qvm-run --pass-io {{ DownloadVM }} {{ "\"diff <(curl -s https://raw.githubusercontent.com/mirage/qubes-mirage-firewall/main/build-with-docker.sh | grep \\\"SHA2 last known:\\\" | cut -d\' \' -f5 | tr -d \\\\\\\") <(sha256sum ~/mirage-firewall/vmlinuz | cut -d\' \' -f1) && echo \\\"Checksums DO match.\\\" || (echo \\\"Checksums do NOT match.\\\";exit 101)\"" }} #~/mirage-firewall/modules.img | |
| - require: | |
| - download-and-unpack-in-DownloadVM4mirage | |
| copy-mirage-kernel-to-dom0: | |
| cmd.run: | |
| - name: mkdir -p {{ MirageInstallDir }}; qvm-run --pass-io --no-gui {{ DownloadVM }} "cat ~/mirage-firewall/vmlinuz" > {{ MirageInstallDir ~ "/vmlinuz" }} | |
| - require: | |
| - download-and-unpack-in-DownloadVM4mirage | |
| - check-checksum-in-DownloadVM | |
| create-initramfs: | |
| cmd.run: | |
| - names: | |
| - gzip -n9 < /dev/null > {{ MirageInstallDir ~ "/initramfs" }} | |
| - echo {{ Release }} > {{ MirageInstallDir ~ "/version.txt" }} | |
| - require: | |
| - copy-mirage-kernel-to-dom0 | |
| create-sys-mirage-fw: | |
| qvm.vm: | |
| - name: {{ MirageFW }} | |
| - present: | |
| - class: StandaloneVM | |
| - label: black | |
| - prefs: | |
| - kernel: mirage-firewall | |
| - kernelopts: | |
| - include-in-backups: False | |
| - memory: 32 | |
| - maxmem: 32 | |
| - netvm: sys-net | |
| - provides-network: True | |
| - vcpus: 1 | |
| - virt-mode: pvh | |
| - features: | |
| - enable: | |
| - qubes-firewall | |
| - no-default-kernelopts | |
| - require: | |
| - copy-mirage-kernel-to-dom0 | |
| cleanup-in-DownloadVM: | |
| cmd.run: | |
| - names: | |
| - qvm-run -a --pass-io --no-gui {{ DownloadVM }} "{{ "rm " ~ Filename ~ "; rm -R ~/mirage-firewall" }}" | |
| - require: | |
| - create-initramfs | |
| remove-DownloadVM4mirage: | |
| qvm.absent: | |
| - name: {{ DownloadVM }} | |
| - require: | |
| - cleanup-in-DownloadVM | |
| {% endif %} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Would it be possible for you to update this script to exclude the references to fedora 38 and to use whichever template is set to default on the host?