Skip to main content

View / Edit on GitHub: home/.chezmoiscripts/qubes/run_before_51-install-templates.sh.tmpl

Qubes Install Templates

Ensures the templates defined in .qubes.templates in the home/.chezmoidata.yaml file are installed. It also installs .qubes.templatesUnofficial.

Overview

This script runs in dom0 and ensures the templates defined in home/.chezmoidata.yaml are all installed. It also installs .qubes.templatesUnofficial.

Script Functions

installMirageFirewall

This script first ensures the TemplateVMs are updated and then downloads the Mirage firewall. It configures Mirage firewall so it can be used as a unikernel firewall VM.

installUnofficialTemplate

This script downloads unofficial templates defined in the .qubes.templatesUnofficial data key of home/.chezmoidata.yaml and then installs them in dom0 after transferring the downloads from a temporary Qube used for downloading the templates.

updateTemplates

This script ensures the dom0 Qube VM templates are all up-to-date by using the recommended qubesctl command. Due to issues with the Whonix Qubes, the update process will timeout after 15 minutes which should be enough time for the updates to finish.

Source Code

{{- if (eq .host.distro.id "qubes") -}}
#!/usr/bin/env bash
# @file Qubes Install Templates
# @brief Ensures the templates defined in `.qubes.templates` in the `home/.chezmoidata.yaml` file are installed. It also installs `.qubes.templatesUnofficial`.
# @description
#     This script runs in dom0 and ensures the templates defined in `home/.chezmoidata.yaml` are all installed. It also installs `.qubes.templatesUnofficial`.

{{ includeTemplate "universal/profile-before" }}
{{ includeTemplate "universal/logg-before" }}

# @description
#     This script first ensures the TemplateVMs are updated and then downloads the Mirage firewall. It configures
#     Mirage firewall so it can be used as a unikernel firewall VM.
installMirageFirewall() {
  ### Ensure mirage-firewall kernel folder setup
  if [ ! -d /var/lib/qubes/vm-kernels/mirage-firewall ]; then
    logg info 'Creating the /var/lib/qubes/vm-kernels/mirage-firewall directory'
    sudo mkdir -p /var/lib/qubes/vm-kernels/mirage-firewall
  fi

  ### Install the mirage-firewall kernel
  if [ ! -f /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz ]; then
    logg info 'Downloading the pre-compiled mirage firewall kernel in the {{ .qubes.provisionVM }} VM'
    qvm-run provision 'curl -sSL {{ .qubes.mirageUrl }} > ~/Downloads/mirage-firewall.tar.gz && tar xjf ~/Downloads/mirage-firewall.tar.gz -C ~/Downloads'
    logg info 'Transferring mirage-firewall kernel to dom0 from the {{ .qubes.provisionVM }} VM'
    qvm-run --pass-io {{ .qubes.provisionVM }} 'cat /home/user/Downloads/mirage-firewall/vmlinuz' > /var/lib/qubes/vm-kernels/mirage-firewall/vmlinuz
  fi

  ### Create dummy initrmfs for the mirage-firewall kernel
  if [ ! -f/var/lib/qubes/vm-kernels/mirage-firewall/initramfs ]; then
    logg info 'Adding dummy initrmfs file to the mirage-firewall kernel folder'
    gzip -n9 < /dev/null > /var/lib/qubes/vm-kernels/mirage-firewall/initramfs
  fi
}

# @description
#     This script downloads unofficial templates defined in the `.qubes.templatesUnofficial` data key of `home/.chezmoidata.yaml` and then
#     installs them in dom0 after transferring the downloads from a temporary Qube used for downloading the templates.
installUnofficialTemplate() {
  logg info "Template URL: $1"
  TEMPLATE="$(echo "$1" | sed 's/^.*\/\(.*\)-\d+.\d+.\d+-\d+.noarch.rpm$/\1/')"
  logg info "Template: $TEMPLATE"
  FILE="$(echo "$1" | sed 's/^.*\/\(.*-\d+.\d+.\d+-\d+.noarch.rpm\)$/\1/')"
  logg info "File: $FILE"
  if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then
    logg info "Downloading the unofficial $TEMPLATE TemplateVM via {{ .qubes.provisionVM }}"
    qvm-run --pass-io "{{ .qubes.provisionVM }}" "curl -sSL "$TEMPLATE_URL" -o "/home/Downloads/$FILE""
    logg info "Transferring the image to dom0"
    qvm-run --pass-io "{{ .qubes.provisionVM }}" "cat /home/Downloads/$FILE" > "/tmp/$FILE"
    logg info "Installing the TemplateVM via dnf"
    sudo dnf install --nogpgcheck "/tmp/$FILE"
    rm -f "/tmp/$FILE"
  else
    logg info "$TEMPLATE is already installed"
  fi
}

# @description
#     This script ensures the dom0 Qube VM templates are all up-to-date by using the recommended `qubesctl` command.
#     Due to issues with the Whonix Qubes, the update process will timeout after 15 minutes which should be enough time
#     for the updates to finish.
updateTemplates() {
  ### Update TemplateVMs
  logg info 'Updating TemplateVMs via qubesctl'
  timeout 900 qubesctl --show-output --skip-dom0 --templates state.sls update.qubes-vm
}

### Ensure Qubes templates exist and download if they are not present
for TEMPLATE of {{ .qubes.templates | toString | replace "[" "" | replace "]" "" }}; do
  if [ ! -f "/var/lib/qubes/vm-templates/$TEMPLATE" ]; then
    logg info "Installing $TEMPLATE"
    if [ -n "$DEBUG" ] || [ -n "$DEBUG_MODE" ]; then
      sudo qubes-dom0-update "qubes-template-$TEMPLATE"
    else
      sudo qubes-dom0-update "qubes-template-$TEMPLATE" &
    fi
  fi
done

### Ensure unofficial templates are installed
for TEMPLATE_URL of {{ .qubes.templatesUnofficial | toString | replace "[" "" | replace "]" "" }}; do
  if [ -n "$DEBUG" ] || [ -n "$DEBUG_MODE" ]; then
    installUnofficialTemplate "$TEMPLATE_URL"
  else
    installUnofficialTemplate "$TEMPLATE_URL" &
  fi
done

if [ -n "$DEBUG" ] || [ -n "$DEBUG_MODE" ]; then
  installMirageFirewall
else
  installMirageFirewall &
fi

wait
logg success 'Finished installing TemplateVMs'

updateTemplates

{{ end -}}

Contents

Edit this page