{{- if (eq .host.distro.id "qubes") -}} #!/usr/bin/env bash # @file Qubes Install Templates # @brief Ensures the templates defined in `.qubes.templates` in the `home/.chezmoidata.yaml` file are installed. It also installs `.qubes.templatesUnofficial`. # @description # This script runs in dom0 and ensures the templates defined in `home/.chezmoidata.yaml` are all installed. It also installs `.qubes.templatesUnofficial`. {{ includeTemplate "universal/profile-before" }} {{ includeTemplate "universal/logg-before" }} # @description # This script first ensures the TemplateVMs are updated and then downloads the Mirage firewall. It configures # Mirage firewall so it can be used as a unikernel firewall VM. installMirageFirewall() { ### Ensure mirage-firewall kernel folder setup if [ ! -d /var/lib/qubes/vm-kernels/mirage-firewall ]; then logg info 'Creating the /var/lib/qubes/vm-kernels/mirage-firewall directory' sudo mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall fi ### Install the mirage-firewall kernel if [ ! -f /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz ]; then logg info 'Downloading the pre-compiled mirage firewall kernel in the {{ .qubes.provisionVM }} VM' qvm-run provision 'curl -sSL {{ .qubes.mirageUrl }} > ~/Downloads/mirage-firewall.tar.gz && tar xjf ~/Downloads/mirage-firewall.tar.gz -C ~/Downloads' logg info 'Transferring mirage-firewall kernel to dom0 from the {{ .qubes.provisionVM }} VM' qvm-run --pass-io {{ .qubes.provisionVM }} 'cat /home/user/Downloads/mirage-firewall/vmlinuz' > /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz fi ### Create dummy initrmfs for the mirage-firewall kernel if [ ! -f/var/lib/qubes/vm-kernels/mirage-firewall/initramfs ]; then logg info 'Adding dummy initrmfs file to the mirage-firewall kernel folder' gzip -n9 < /dev/null > /var/lib/qubes/vm-kernels/mirage-firewall/initramfs fi } # @description # This script downloads unofficial templates defined in the `.qubes.templatesUnofficial` data key of `home/.chezmoidata.yaml` and then # installs them in dom0 after transferring the downloads from a temporary Qube used for downloading the templates. installUnofficialTemplate() { logg info "Template URL: $1" TEMPLATE="$(echo "$1" | sed 's/^.*\/\(.*\)-\d+.\d+.\d+-\d+.noarch.rpm$/\1/')" logg info "Template: $TEMPLATE" FILE="$(echo "$1" | sed 's/^.*\/\(.*-\d+.\d+.\d+-\d+.noarch.rpm\)$/\1/')" logg info "File: $FILE" if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then logg info "Downloading the unofficial $TEMPLATE TemplateVM via {{ .qubes.provisionVM }}" qvm-run --pass-io "{{ .qubes.provisionVM }}" "curl -sSL "$TEMPLATE_URL" -o "/home/Downloads/$FILE"" logg info "Transferring the image to dom0" qvm-run --pass-io "{{ .qubes.provisionVM }}" "cat /home/Downloads/$FILE" > "/tmp/$FILE" logg info "Installing the TemplateVM via dnf" sudo dnf install --nogpgcheck "/tmp/$FILE" rm -f "/tmp/$FILE" else logg info "$TEMPLATE is already installed" fi } # @description # This script ensures the dom0 Qube VM templates are all up-to-date by using the recommended `qubesctl` command. # Due to issues with the Whonix Qubes, the update process will timeout after 15 minutes which should be enough time # for the updates to finish. updateTemplates() { ### Update TemplateVMs logg info 'Updating TemplateVMs via qubesctl' timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm } ### Ensure Qubes templates exist and download if they are not present for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then logg info "Installing $TEMPLATE" if [ -n "$DEBUG" ] || [ -n "$DEBUG_MODE" ]; then sudo qubes-dom0-update "qubes-template-$TEMPLATE" else sudo qubes-dom0-update "qubes-template-$TEMPLATE" & fi fi done ### Ensure unofficial templates are installed for TEMPLATE_URL of {{ .qubes.templatesUnofficial | toString | replace "[" "" | replace "]" "" }}; do if [ -n "$DEBUG" ] || [ -n "$DEBUG_MODE" ]; then installUnofficialTemplate "$TEMPLATE_URL" else installUnofficialTemplate "$TEMPLATE_URL" & fi done if [ -n "$DEBUG" ] || [ -n "$DEBUG_MODE" ]; then installMirageFirewall else installMirageFirewall & fi wait logg success 'Finished installing TemplateVMs' updateTemplates {{ end -}}