second

overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/236
+
+title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version"
+
+text="\
+<p>
+DO NOT USE THIS YET AS A USER!
+<br />
+Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.<br />
+<br />
+Missing features the the initial release include
+
+<ul>
+  <li><a href=https://phabricator.whonix.org/T978>Whonix-Host EFI booting support</a></li>
+  <li><a href=https://phabricator.whonix.org/T942>Whonix Host Firewall for Whonix Host</a></li>
+  <li><a href=https://phabricator.whonix.org/T981>Whonix-Host Tor configuration and anon-connection-wizard (ACW)</a></p></li>
+</ul>
+
+See <a href=https://phabricator.whonix.org/maniphest/query/_Obk7yld9FTN/#R>full task list for first release of Whonix-Host</a>.<br />
+<br />
+Help welcome!
+</p>
+"
+
+[ -d ~/.config/whonix/host-boot-popup ] || mkdir -p ~/.config/whonix/host-boot-popup
+[ -z "$DISPLAY" ] || \
+    [ -f /usr/lib/msgcollector/one-time-popup  ] || \
+    /usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"

overlay/Linux/usr/local/lib/whonix-libvirt/host-boot-popup.dst

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+## Copyright (C) 2020 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/whonix-host-operating-system/3931/236
+
+title="WARNING - Whonix-Host DEVELOPERS-ONLY Preview Version"
+
+text="\
+<p>
+DO NOT USE THIS YET AS A USER!
+<br />
+Whonix-Host is unreleased. Not even available for testers. This version is a preview for developers only.<br />
+<br />
+Missing features the the initial release include
+
+<ul>
+  <li><a href=https://phabricator.whonix.org/T978>Whonix-Host EFI booting support</a></li>
+  <li><a href=https://phabricator.whonix.org/T942>Whonix Host Firewall for Whonix Host</a></li>
+  <li><a href=https://phabricator.whonix.org/T981>Whonix-Host Tor configuration and anon-connection-wizard (ACW)</a></p></li>
+</ul>
+
+See <a href=https://phabricator.whonix.org/maniphest/query/_Obk7yld9FTN/#R>full task list for first release of Whonix-Host</a>.<br />
+<br />
+Help welcome!
+</p>
+"
+
+mkdir -p ~/.config/whonix/host-boot-popup
+/usr/lib/msgcollector/one-time-popup ~/.config/whonix/host-boot-popup/dismissed_version_1 "$title" "$text"

overlay/Linux/usr/local/lib/whonix-libvirt/install

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+[ -f /var/lib/whonix-libvirt/install.done ] && exit 0
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+## {{ Taken from qemu-system-common.postinst.
+# Add the kvm group unless it's already there
+if ! getent group kvm >/dev/null; then
+   addgroup --quiet --system kvm || true
+fi
+## }} Taken from qemu-system-common.postinst.
+
+## {{ Taken from libvirt-bin.postinst.
+if ! getent group libvirt >/dev/null; then
+   addgroup --system libvirt
+fi
+## }} Taken from libvirt-bin.postinst.
+
+## Existence of user "user" is not guaranteed at this point.
+## XXX: Or is it?
+grep -q ^kvm /etc/group || addgroup user kvm
+grep -q ^libvirt /etc/group || addgroup user libvirt
+
+## Create shared directory and adjust permissions
+[ -d /mnt/gateway-shared ] || mkdir --parents /mnt/gateway-shared
+[ -d /mnt/workstation-shared ] || mkdir --parents /mnt/workstation-shared
+chmod 1777 /mnt/gateway-shared
+chmod 1777 /mnt/workstation-shared
+
+## TODO: proper error handling. '|| true' can probably be removed.
+
+virsh -c qemu:///system net-autostart "default" || true
+virsh -c qemu:///system net-start "default" || true
+virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-External.xml" || true
+virsh -c qemu:///system net-define "/usr/local/share/whonix-libvirt/xml/Whonix-Internal.xml" || true
+virsh -c qemu:///system net-autostart "Whonix-External" || true
+virsh -c qemu:///system net-start "Whonix-External" || true
+virsh -c qemu:///system net-autostart "Whonix-Internal" || true
+virsh -c qemu:///system net-start "Whonix-Internal" || true
+
+## Doing the following in a temporary directory to avoid modified files should
+## this be interrupted in the middle.
+temp_dir="$(mktemp --directory)"
+cp -r /usr/local/share/whonix-libvirt/xml "$temp_dir"
+
+if virsh capabilities | grep "<domain type='kvm'>" ; then
+   true "OK: found KVM"
+else
+   ## replace the 'kvm' domain type with 'qemu'
+   search="<domain type='kvm'>"
+   replace="<domain type='qemu'>"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+   search="<cpu mode='host-passthrough'/>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+   ## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
+   search="<pvspinlock state='on'/>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+   ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+   search="<vcpu placement='static' cpuset='0'>1</vcpu>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+
+   ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+   search="<vcpu placement='static' cpuset='1'>1</vcpu>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+fi
+
+test -f "$temp_dir/xml/Whonix-Gateway.xml"
+test -f "$temp_dir/xml/Whonix-Workstation.xml"
+
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true
+
+virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true
+virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
+
+mkdir --parents /var/lib/whonix-libvirt
+touch /var/lib/whonix-libvirt/install.done

overlay/Linux/usr/local/lib/whonix-libvirt/install.dst

@@ -0,0 +1,90 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+set -x
+set -e
+
+## {{ Taken from qemu-system-common.postinst.
+# Add the kvm group unless it's already there
+if ! getent group kvm >/dev/null; then
+   addgroup --quiet --system kvm || true
+fi
+## }} Taken from qemu-system-common.postinst.
+
+## {{ Taken from libvirt-bin.postinst.
+if ! getent group libvirt >/dev/null; then
+   addgroup --system libvirt
+fi
+## }} Taken from libvirt-bin.postinst.
+
+## Existence of user "user" is not guaranteed at this point.
+## XXX: Or is it?
+addgroup user kvm >/dev/null || true
+addgroup user libvirt >/dev/null || true
+
+## Create shared directory and adjust permissions
+mkdir --parents /mnt/gateway-shared
+mkdir --parents /mnt/workstation-shared
+chmod 777 /mnt/gateway-shared
+chmod 777 /mnt/workstation-shared
+
+## TODO: proper error handling. '|| true' can probably be removed.
+
+virsh -c qemu:///system net-autostart "default" || true
+virsh -c qemu:///system net-start "default" || true
+virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-External.xml" || true
+virsh -c qemu:///system net-define "/usr/share/whonix-libvirt/xml/Whonix-Internal.xml" || true
+virsh -c qemu:///system net-autostart "Whonix-External" || true
+virsh -c qemu:///system net-start "Whonix-External" || true
+virsh -c qemu:///system net-autostart "Whonix-Internal" || true
+virsh -c qemu:///system net-start "Whonix-Internal" || true
+
+## Doing the following in a temporary directory to avoid modified files should
+## this be interrupted in the middle.
+temp_dir="$(mktemp --directory)"
+cp -r /usr/share/whonix-libvirt/xml "$temp_dir"
+
+if virsh capabilities | grep "<domain type='kvm'>" ; then
+   true "OK: found KVM"
+else
+   ## replace the 'kvm' domain type with 'qemu'
+   search="<domain type='kvm'>"
+   replace="<domain type='qemu'>"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+   search="<cpu mode='host-passthrough'/>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+   ## https://forums.whonix.org/t/whonix-host-operating-system/3931/251
+   search="<pvspinlock state='on'/>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+
+   ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+   search="<vcpu placement='static' cpuset='0'>1</vcpu>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Gateway.xml"
+
+   ## https://forums.whonix.org/t/whonix-host-operating-system/3931/284
+   search="<vcpu placement='static' cpuset='1'>1</vcpu>"
+   replace=""
+   str_replace "$search" "$replace" "$temp_dir/xml/Whonix-Workstation.xml"
+fi
+
+test -f "$temp_dir/xml/Whonix-Gateway.xml"
+test -f "$temp_dir/xml/Whonix-Workstation.xml"
+
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Gateway.xml" || true
+virsh -c qemu:///system define "$temp_dir/xml/Whonix-Workstation.xml" || true
+
+virt-xml "Whonix-Gateway" --add-device --filesystem source=/mnt/gateway-shared,target=shared,type=mount,accessmode=mapped || true
+virt-xml "Whonix-Workstation" --add-device --filesystem source=/mnt/workstation-shared,target=shared,type=mount,accessmode=mapped || true
+
+mkdir --parents /var/lib/whonix-libvirt
+touch /var/lib/whonix-libvirt/install.done

overlay/Linux/usr/local/lib/whonix-libvirt/live-mode-to-read-only

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Similar to persistent-mode-to-read-write.
+
+set -x
+
+error_handler() {
+   exit_code="1"
+}
+
+trap error_handler ERR
+
+exit_code="0"
+
+vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
+
+for vm_name_item in $vm_names_list ; do
+   virt-xml "$vm_name_item" --edit --disk readonly=on
+done
+
+## https://phabricator.whonix.org/T914
+if test -f "/var/lib/libvirt/images/Whonix-Gateway.qcow2" ; then
+   chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
+fi
+if test -f "/var/lib/libvirt/images/Whonix-Workstation.qcow2" ; then
+   chmod --verbose --recursive ugo-w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
+fi
+
+## "chmod ugo-r" is set during build in chroot:
+## https://github.com/Whonix/Whonix/blob/master/build-steps.d/1800_copy_vms_into_raw
+
+exit "$exit_code"

overlay/Linux/usr/local/lib/whonix-libvirt/persistent-mode-to-read-write

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Similar to live-mode-to-read-only.
+
+set -x
+
+error_handler() {
+   exit_code="1"
+}
+
+trap error_handler ERR
+
+exit_code="0"
+
+vm_names_list="$(virsh list --all | awk '{print $2}'| grep -v Name)"
+
+for vm_name_item in $vm_names_list ; do
+   virt-xml "$vm_name_item" --edit --disk readonly=off
+done
+
+chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Gateway.qcow2"
+chmod --verbose --recursive ug+w "/var/lib/libvirt/images/Whonix-Workstation.qcow2"
+
+exit "$exit_code"