-
Notifications
You must be signed in to change notification settings - Fork 46
/
provision-all
executable file
·29 lines (22 loc) · 1.32 KB
/
provision-all
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#!/bin/bash
# Create and configure all SecureDrop Workstation VMs.
set -e
set -u
set -o pipefail
# The max concurrency reduction (4->2) was required to avoid "did not return clean data"
# errors from qubesctl. It may be possible to raise this again.
max_concurrency="2"
echo "Configure Fedora-based system VMs"
sudo qubesctl --show-output state.sls sd-sys-vms
sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys-firewall-files
# Running only against dom0, to ensure the VMs are created (but not yet configured)
echo "Set up dom0 config files, including RPC policies, and create VMs"
sudo qubesctl --show-output state.highstate
# Format list of all VMs comma-separated, for use as qubesctl target
# We run this after dom0's highstate, so that the VMs are available for listing by tag.
all_sdw_vms_target="$(qvm-ls --tags sd-workstation --raw-list | perl -npE 's/\n/,/g' | perl -npE 's/,$//' )"
# We skip dom0 in the task below, since dom0 highstate was enforced in the previous command.
echo "Provision all SecureDrop Workstation VMs with service-specific configs"
sudo qubesctl --show-output --max-concurrency "$max_concurrency" --skip-dom0 --targets "$all_sdw_vms_target" state.highstate
echo "Add SecureDrop export device handling to sys-usb"
sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate