From 5805bd79fba7e6fbb31904c3738dcaa4a54ee960 Mon Sep 17 00:00:00 2001
From: Ben Grande
Date: Fri, 12 Jan 2024 17:56:28 +0100
Subject: [PATCH] feat: disposable mirage firewall

---
 salt/sys-mirage-firewall/README.md | 11 +++---
 salt/sys-mirage-firewall/create.sls | 58 +++++++++++++++++++++++++----
 2 files changed, 56 insertions(+), 13 deletions(-)

diff --git a/salt/sys-mirage-firewall/README.md b/salt/sys-mirage-firewall/README.md
index 61fb2f4d..88157fbe 100644
--- a/salt/sys-mirage-firewall/README.md
+++ b/salt/sys-mirage-firewall/README.md
@@ -11,8 +11,8 @@ Mirage Firewall in Qubes OS.
 ## Description
-Creates a Mirage Firewall qube named "sys-mirage-firewall". It is an OCaml
-program compiled to run as an operating system kernel, in this case, a
+Creates a Mirage Firewall qube named "disp-sys-mirage-firewall". It is an
+OCaml program compiled to run as an operating system kernel, in this case, a
 MirageOS unikernel replacement for the default firewall (sys-firewall). It pulls in just the code it needs as libraries.
@@ -42,19 +42,20 @@ qubesctl state.apply sys-mirage-firewall.create
 ## Usage
-As a started, set qubes `netvm` to `sys-mirage-firewall`:
+As a started, set qubes `netvm` to `disp-sys-mirage-firewall`:
 ```sh
-qvm-prefs --set QUBE netvm sys-mirage-firewall
+qvm-prefs --set QUBE netvm disp-sys-mirage-firewall
 ```
 To test the firewall, apply rules with `qvm-firewall`. For monitoring, inspect the Unikernel console:
 ```sh
-sudo xl console sys-mirage-firewall
+sudo xl console disp-sys-mirage-firewall
 ```
 Exit the console with `Ctrl-]`.
 ## Credits
 - [Unman](https://github.com/unman/shaker/tree/main/mirage)
+- [Thien Tran](https://privsec.dev/posts/qubes/firewalling-with-mirageos-on-qubes-os/)
diff --git a/salt/sys-mirage-firewall/create.sls b/salt/sys-mirage-firewall/create.sls
index e9601a24..3ef8f9df 100644
--- a/salt/sys-mirage-firewall/create.sls
+++ b/salt/sys-mirage-firewall/create.sls
@@ -1,8 +1,9 @@
 {#
+SPDX-FileCopyrightText: 2022 Thien Tran
 SPDX-FileCopyrightText: 2023 unman
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S.
-SPDX-License-Identifier: AGPL-3.0-or-later
+SPDX-License-Identifier: MIT
 #}
 {%- from "qvm/template.jinja" import load -%}
@@ -46,24 +47,65 @@ the chain (sys-net).
 - makedirs: True
 {% load_yaml as defaults -%}
-name: sys-mirage-firewall
+name: tpl-sys-mirage-firewall
 force: True
 require:
- - file: sys-mirage-firewall-save-version
+- file: sys-mirage-firewall-save-version
 present:
-- class: StandaloneVM
-- label: orange
+- class: TemplateVM
+- label: black
+prefs:
 - virt_mode: pvh
+- label: black
+- memory: 64
+- maxmem: 64
+- vcpus: 1
+- kernel: mirage-firewall
+- kernelopts: ""
+{%- endload %}
+{{ load(defaults) }}
+
+{% load_yaml as defaults -%}
+name: dvm-sys-mirage-firewall
+force: True
+require:
+- qvm: tpl-sys-mirage-firewall
+present:
+- template: tpl-sys-mirage-firewall
+- label: orange
 prefs:
+- template: tpl-sys-mirage-firewall
+- label: orange
+- netvm: {{ netvm }}
+- memory: 64
+- maxmem: 64
+- vcpus: 1
+- provides-network: True
+- template_for_dispvms: True
+features:
+- enable: - service.qubes-firewall - no-default-kernelopts
+{%- endload %}
+{{ load(defaults) }}
+
+{% load_yaml as defaults -%}
+name: disp-sys-mirage-firewall
+force: True
+require:
+- qvm: tpl-sys-mirage-firewall
+present:
+- class: DispVM
+- template: dvm-sys-mirage-firewall
+- label: orange
+prefs:
+- template: dvm-sys-mirage-firewall
 - label: orange
 - netvm: {{ netvm }}
 - memory: 64
 - maxmem: 64
 - vcpus: 1
 - provides-network: True
-- default_dispvm: ""
-- kernel: mirage-firewall
-- kernelopts: ''
 features:
 - enable:
 - service.qubes-firewall
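Review bot: The `SPDX-License-Identifier` line changes from `AGPL-3.0-or-later` to `MIT` inside a feature commit, while the 2023 copyright lines for unman and Benjamin Grande are kept and the commit description does not mention the relicensing. Changing the license of a file needs the agreement of every listed copyright holder and is much easier to audit as its own commit that states the reason. If the new layout was taken from the newly credited Thien Tran material, a short line in this header block such as `Relicensed to MIT with the consent of the listed copyright holders` would record that for future maintainers and downstream packagers.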
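Review bot: The `disp-sys-mirage-firewall` block declares `require: - qvm: tpl-sys-mirage-firewall` but is instantiated from `dvm-sys-mirage-firewall` (`template: dvm-sys-mirage-firewall`), so the requisite does not name the qube the disposable actually depends on; change it to `- qvm: dvm-sys-mirage-firewall` so Salt orders the state after, and fails it together with, the disposable template rather than the base template. The removed lines show the old firewall qube pinned `default_dispvm: ""`, and none of the three new blocks sets it, so the new qubes presumably fall back to the system-wide default disposable template; if clearing it was deliberate, a firewall qube has no reason to spawn disposables, restore `- default_dispvm: ""` under the dvm block's prefs. The `no-default-kernelopts` feature is enabled only on the dvm block while the disp block's features (the trailing context lines) list only `service.qubes-firewall`; whether a named disposable inherits that feature is not visible here, so either confirm the disposable boots with the empty kernelopts or enable the feature on `disp-sys-mirage-firewall` as well. The disp block's closing `{%- endload %}` and `{{ load(defaults) }}` lines fall after the hunk.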