Fixes #440 install securedrop-log and setup
Still missing tests, and we have to make sure
that the sd-log reboots in between.
kushaldas committed Feb 10, 2020
1 parent 2c45093 commit 134f890
Showing 12 changed files with 138 additions and 4 deletions.
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -62,7 +62,7 @@ sd-app: prep-salt ## Provisions SD APP VM

sd-whonix: prep-salt ## Provisions SD Whonix VM
sudo qubesctl --show-output state.sls sd-whonix
sudo qubesctl --show-output --skip-dom0 --targets sd-whonix-buster-template,sd-whonix state.highstate
sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15,sd-whonix state.highstate

sd-viewer: prep-salt ## Provisions SD Submission Viewing VM
sudo qubesctl --show-output state.sls sd-viewer
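--- a/dom0/sd-app-files.sls
+++ b/dom0/sd-app-files.sls
@@ -18,3 +18,18 @@ install-securedrop-client-package:
 - securedrop-client
 - require:
 - sls: fpf-apt-test-repo
+
+install-securedrop-log-package:
+pkg.installed:
+- pkgs:
+- securedrop-log
+- require:
+- sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-app:
+file.managed:
+- name: /etc/sd-rsyslog.conf
+- source: "salt://sd-rsyslog.conf.j2"
+- template: jinja
+- context:
+vmname: sd-app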
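Review bot: The new `file.managed` state for `/etc/sd-rsyslog.conf` sets no `user`, `group` or `mode`, so ownership and permissions of the logging config are left to Salt's defaults; pin them with `- user: root`, `- group: root` and `- mode: "0644"` (quoted so the YAML parser does not retype the octal). The same stanza is repeated in sd-devices-files.sls, sd-proxy-template-files.sls, sd-viewer-files.sls and sd-whonix-template-files.sls, and the same change applies there. Separately, the ID `install-securedrop-log-package` is also declared in sd-log-template-files.sls and sd-proxy-template-files.sls; if two of these files are ever compiled for the same target Salt will report conflicting IDs, so a per-VM prefix as in `sd-devices-install-securedrop-log-package` would be safer. The file's earlier states, including the `include:` that `require` depends on, are outside this hunk.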
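--- a/dom0/sd-devices-files.sls
+++ b/dom0/sd-devices-files.sls
@@ -24,3 +24,19 @@ sd-devices-install-libreoffice:
 sd-devices-install-package:
 pkg.installed:
 - name: securedrop-export
+
+
+sd-devices-install-securedrop-log-package:
+pkg.installed:
+- pkgs:
+- securedrop-log
+- require:
+- sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-devices:
+file.managed:
+- name: /etc/sd-rsyslog.conf
+- source: "salt://sd-rsyslog.conf.j2"
+- template: jinja
+- context:
+vmname: sd-devices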
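--- a/dom0/sd-log-reboot.sls
+++ b/dom0/sd-log-reboot.sls
@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+#
+# Reboots sd-log vm
+##
+
+system.reboot:
+module.run:
+- startup_state: highstate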
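Review bot: `system.reboot` runs unconditionally here, so every highstate that targets sd-log reboots the VM, and nothing in the state ties the reboot to the template change it is presumably meant to pick up. `startup_state: highstate` also reads like a minion configuration option rather than an argument of the `system.reboot` execution function, so `module.run` may ignore or reject it; confirm against the Salt version shipped in dom0. The header comment should say why the reboot is needed, for example `# Reboot sd-log so it starts from the updated template with redis and securedrop-log enabled`, if that is the intent. While this is unresolved, a failed or skipped reboot would leave the other VMs logging to a service that is not running.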
10 changes: 10 additions & 0 deletions dom0/sd-log-template-files.sls
Expand Up @@ -6,6 +6,16 @@ include:
install-securedrop-log-package:
pkg.installed:
- pkgs:
- redis-server
- redis
- securedrop-log
- require:
- sls: fpf-apt-test-repo

redis:
service.running:
- enable: True

securedrop-log:
service.running:
- enable: True
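Review bot: `redis` and `securedrop-log` are enabled in the template with no Redis configuration managed alongside them, so the log store runs with whatever the Debian package ships, which is typically a loopback listener without authentication. That is acceptable only if sd-log has no network access and runs nothing else that could reach the socket; a comment stating that assumption, or a managed Redis config, would make it reviewable. `enable: True` would also be more portable written as `enable: true`. The rest of the file, including the `include:` named in the hunk header, is outside the visible lines.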
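--- a/dom0/sd-log.sls
+++ b/dom0/sd-log.sls
@@ -57,3 +57,11 @@ sd-log-private-volume-size:
 qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB
 - require:
 - qvm: sd-log
+
+# Permit the SecureDrop Proxy to manage Client connections
+sd-dom-dom0-securedrop.Log:
+file.prepend:
+- name: /etc/qubes-rpc/policy/securedrop.Log
+- text: |
+@tag:sd-workstation sd-log allow
+@anyvm @anyvm deny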
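Review bot: The comment above `sd-dom-dom0-securedrop.Log` describes the proxy policy rather than this one; it should read something like `# Allow VMs tagged sd-workstation to send logs to sd-log; deny every other securedrop.Log call`. On the policy itself, `@tag:sd-workstation sd-log allow` lets every tagged VM write to the log VM, including VMs that handle untrusted submissions, so the receiving service has to treat log content and volume as untrusted input. `file.prepend` keeps these two rules ahead of any existing entries, which matters because qrexec policy is evaluated first-match; it would help to say so in the comment. Which VMs carry the `sd-workstation` tag is decided outside this hunk.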
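--- a/dom0/sd-proxy-template-files.sls
+++ b/dom0/sd-proxy-template-files.sls
@@ -48,6 +48,13 @@ install-securedrop-proxy-package:
 - require:
 - sls: fpf-apt-test-repo
 
+install-securedrop-log-package:
+pkg.installed:
+- pkgs:
+- securedrop-log
+- require:
+- sls: fpf-apt-test-repo
+
 {% import_json "sd/config.json" as d %}
 
 install-securedrop-proxy-yaml-config:
@@ -58,3 +65,11 @@ install-securedrop-proxy-yaml-config:
 - context:
 hostname: {{ d.hidserv.hostname }}
 - mode: 0644
+
+sd-rsyslog-for-sd-proxy:
+file.managed:
+- name: /etc/sd-rsyslog.conf
+- source: "salt://sd-rsyslog.conf.j2"
+- template: jinja
+- context:
+vmname: sd-proxy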
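--- a/dom0/sd-rsyslog.conf.j2
+++ b/dom0/sd-rsyslog.conf.j2
@@ -0,0 +1,3 @@
+[sd-rsyslog]
+remotevm = sd-log
+localvm = {{ vmname }}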
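Review bot: `localvm` is a name the sending VM supplies about itself, so sd-log must not rely on it to attribute log lines; a compromised VM can edit `/etc/sd-rsyslog.conf` and log under another VM's name. The receiving `securedrop.Log` service is not part of this commit, so confirm that it takes the source from the qrexec-provided `QREXEC_REMOTE_DOMAIN` and treats `localvm` as informational at most. A short comment at the top of the template, such as `# localvm is advisory; sd-log identifies the sender via qrexec`, would record that assumption once it is verified.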
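--- a/dom0/sd-viewer-files.sls
+++ b/dom0/sd-viewer-files.sls
@@ -28,3 +28,18 @@ sd-viewer-install-libreoffice:
 attempts: 3
 interval: 60
 - install_recommends: False
+
+sd-viewer-install-logging:
+pkg.installed:
+- pkgs:
+- securedrop-log
+- require:
+- sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-viewer:
+file.managed:
+- name: /etc/sd-rsyslog.conf
+- source: "salt://sd-rsyslog.conf.j2"
+- template: jinja
+- context:
+vmname: sd-viewer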
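--- a/dom0/sd-whonix-template-files.sls
+++ b/dom0/sd-whonix-template-files.sls
@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# sd-whonix-files
+# ========
+#
+# Installs configuration packages specific to the sd-whonix
+# used for network calls.
+#
+##
+
+include:
+- fpf-apt-test-repo
+
+sd-whonix-install-logging:
+pkg.installed:
+- pkgs:
+- securedrop-log
+- require:
+- sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-whonix:
+file.managed:
+- name: /etc/sd-rsyslog.conf
+- source: "salt://sd-rsyslog.conf.j2"
+- template: jinja
+- context:
+vmname: sd-whonix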
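Review bot: According to the sd-workstation.top section of this commit, this file is applied to `whonix-gw-15`, which appears to be the stock Whonix gateway template rather than a SecureDrop-specific clone, so `include: fpf-apt-test-repo`, the `securedrop-log` package and a config with `vmname: sd-whonix` would reach every VM based on that template. That widens the set of VMs trusting the FPF test apt repository and makes any other gateway VM on the same template describe itself as sd-whonix. A dedicated template would keep the change scoped; the Makefile section on this page mentions `sd-whonix-buster-template`, so confirm whether dropping it is intended. The header comment names `sd-whonix-files`; it should match the file name and say which template the states run in.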
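--- a/dom0/sd-workstation-template-files.sls
+++ b/dom0/sd-workstation-template-files.sls
@@ -11,6 +11,14 @@ sd-workstation-template-install-kernel-config-packages:
 - require:
 - sls: fpf-apt-test-repo
 
+
+sd-workstation-install-securedrop-log-package:
+pkg.installed:
+- pkgs:
+- securedrop-log
+- require:
+- sls: fpf-apt-test-repo
+
 # Ensure that paxctld starts immediately. For AppVMs,
 # use qvm.features.enabled = ["paxctld"] to ensure service start.
 sd-workstation-template-enable-paxctld: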
11 changes: 8 additions & 3 deletions dom0/sd-workstation.top
Expand Up @@ -9,14 +9,19 @@ base:
- sd-upgrade-templates
- sd-dom0-qvm-rpc
- sd-sys-whonix-vms
- sd-log
- sd-devices
- sd-gpg
- sd-proxy
- sd-viewer
- sd-app
- sd-whonix
- sd-remove-unused-templates
- sd-log

sd-log-buster-template:
- sd-log-template-files
sd-log:
- sd-log-reboot
sd-devices-buster-template:
- sd-devices-files
sd-gpg:
Expand All @@ -33,12 +38,12 @@ base:
- sd-sys-firewall-files
sd-whonix:
- sd-whonix-hidserv-key
sd-log-buster-template:
- sd-log-template-files
securedrop-workstation-buster:
- sd-workstation-template-files
sys-usb:
- sd-usb-autoattach-add
whonix-gw-15:
- sd-whonix-template-files

# "Placeholder" config to trigger TemplateVM boots,
# so upgrades can be applied automatically via cron.
