2023-12-23 02:18:29 -08:00
{{- if (eq .host.distro.id "qubes") -}}
#!/usr/bin/env bash
# @file Qubes Install Templates
# @brief Ensures the templates defined in `.qubes.templates` in the `home/.chezmoidata.yaml` file are installed. It also installs `.qubes.templatesUnofficial`.
# @description
# This script runs in dom0 and ensures the templates defined in `home/.chezmoidata.yaml` are all installed. It also installs `.qubes.templatesUnofficial`.
{{ includeTemplate "universal/profile-before" }}
{{ includeTemplate "universal/logg-before" }}
# @description
# This script first ensures the TemplateVMs are updated and then downloads the Mirage firewall. It configures
# Mirage firewall so it can be used as a unikernel firewall VM.
installMirageFirewall() {
### Ensure mirage-firewall kernel folder setup
if [ ! -d /var/lib/qubes/vm-kernels/mirage-firewall ]; then
2024-05-27 20:50:11 -07:00
gum log -sl info 'Creating the /var/lib/qubes/vm-kernels/mirage-firewall directory'
2023-12-23 02:18:29 -08:00
sudo mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall
fi
### Install the mirage-firewall kernel
if [ ! -f /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz ]; then
2024-05-27 20:50:11 -07:00
gum log -sl info 'Downloading the pre-compiled mirage firewall kernel in the {{ .qubes.provisionVM }} VM'
2023-12-23 02:18:29 -08:00
qvm-run provision 'curl -sSL {{ .qubes.mirageUrl }} > ~/Downloads/mirage-firewall.tar.gz && tar xjf ~/Downloads/mirage-firewall.tar.gz -C ~/Downloads'
2024-05-27 20:50:11 -07:00
gum log -sl info 'Transferring mirage-firewall kernel to dom0 from the {{ .qubes.provisionVM }} VM'
2023-12-23 02:18:29 -08:00
qvm-run --pass-io {{ .qubes.provisionVM }} 'cat /home/user/Downloads/mirage-firewall/vmlinuz' > /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz
fi
### Create dummy initrmfs for the mirage-firewall kernel
if [ ! -f/var/lib/qubes/vm-kernels/mirage-firewall/initramfs ]; then
2024-05-27 20:50:11 -07:00
gum log -sl info 'Adding dummy initrmfs file to the mirage-firewall kernel folder'
2023-12-23 02:18:29 -08:00
gzip -n9 < /dev/null > /var/lib/qubes/vm-kernels/mirage-firewall/initramfs
fi
}
# @description
# This script downloads unofficial templates defined in the `.qubes.templatesUnofficial` data key of `home/.chezmoidata.yaml` and then
# installs them in dom0 after transferring the downloads from a temporary Qube used for downloading the templates.
installUnofficialTemplate() {
2024-05-27 20:50:11 -07:00
gum log -sl info "Template URL: $1"
2023-12-23 02:18:29 -08:00
TEMPLATE="$(echo "$1" | sed 's/^.*\/\(.*\)-\d+.\d+.\d+-\d+.noarch.rpm$/\1/')"
2024-05-27 20:50:11 -07:00
gum log -sl info "Template: $ TEMPLATE "
2023-12-23 02:18:29 -08:00
FILE="$(echo "$1" | sed 's/^.*\/\(.*-\d+.\d+.\d+-\d+.noarch.rpm\)$/\1/')"
2024-05-27 20:50:11 -07:00
gum log -sl info "File: $ FILE "
2023-12-23 02:18:29 -08:00
if [ ! -f "/var/lib/qubes/vm-templates/ $ TEMPLATE " ]; then
2024-05-27 20:50:11 -07:00
gum log -sl info "Downloading the unofficial $ TEMPLATE TemplateVM via {{ .qubes.provisionVM }}"
2023-12-23 02:18:29 -08:00
qvm-run --pass-io "{{ .qubes.provisionVM }}" "curl -sSL " $ TEMPLATE_URL " -o "/home/Downloads/ $ FILE ""
2024-05-27 20:50:11 -07:00
gum log -sl info "Transferring the image to dom0"
2023-12-23 02:18:29 -08:00
qvm-run --pass-io "{{ .qubes.provisionVM }}" "cat /home/Downloads/ $ FILE " > "/tmp/ $ FILE "
2024-05-27 20:50:11 -07:00
gum log -sl info "Installing the TemplateVM via dnf"
2023-12-23 02:18:29 -08:00
sudo dnf install --nogpgcheck "/tmp/ $ FILE "
rm -f "/tmp/ $ FILE "
else
2024-05-27 20:50:11 -07:00
gum log -sl info " $ TEMPLATE is already installed"
2023-12-23 02:18:29 -08:00
fi
}
# @description
# This script ensures the dom0 Qube VM templates are all up-to-date by using the recommended `qubesctl` command.
# Due to issues with the Whonix Qubes, the update process will timeout after 15 minutes which should be enough time
# for the updates to finish.
updateTemplates() {
### Update TemplateVMs
2024-05-27 20:50:11 -07:00
gum log -sl info 'Updating TemplateVMs via qubesctl'
2023-12-23 02:18:29 -08:00
timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
}
### Ensure Qubes templates exist and download if they are not present
for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do
if [ ! -f "/var/lib/qubes/vm-templates/ $ TEMPLATE " ]; then
2024-05-27 20:50:11 -07:00
gum log -sl info "Installing $ TEMPLATE "
2023-12-24 18:19:52 -08:00
if [ -n " $ DEBUG " ] || [ -n " $ DEBUG_MODE " ]; then
sudo qubes-dom0-update "qubes-template- $ TEMPLATE "
else
sudo qubes-dom0-update "qubes-template- $ TEMPLATE " &
fi
2023-12-23 02:18:29 -08:00
fi
done
### Ensure unofficial templates are installed
for TEMPLATE_URL of {{ .qubes.templatesUnofficial | toString | replace "[" "" | replace "]" "" }}; do
2023-12-24 18:19:52 -08:00
if [ -n " $ DEBUG " ] || [ -n " $ DEBUG_MODE " ]; then
installUnofficialTemplate " $ TEMPLATE_URL "
else
installUnofficialTemplate " $ TEMPLATE_URL " &
fi
2023-12-23 02:18:29 -08:00
done
2023-12-24 18:19:52 -08:00
if [ -n " $ DEBUG " ] || [ -n " $ DEBUG_MODE " ]; then
installMirageFirewall
else
installMirageFirewall &
fi
2023-12-23 02:18:29 -08:00
wait
2024-05-27 23:55:42 -07:00
gum log -sl info 'Finished installing TemplateVMs'
2023-12-23 02:18:29 -08:00
updateTemplates
{{ end -}}
