Run tag cleanup via Salt to avoid duplication

freedomofpress · Apr 22, 2020 · 49916a2 · 49916a2
1 parent d23dd8c
commit 49916a2
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 3 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -3,6 +3,7 @@ include dom0/*.top
 include dom0/*.j2
 include dom0/*.yml
 include dom0/*.conf
+include dom0/remove-tags
 include dom0/securedrop-admin
 include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop

diff --git a/Makefile b/Makefile
@@ -110,7 +110,6 @@ clean: assert-dom0 prep-salt ## Destroys all SD VMs
 	$(MAKE) destroy-all
 	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.sls sd-clean-whonix
 	sudo qubesctl --show-output state.sls sd-clean-all
-	./scripts/remove-tags
 	sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true
 	$(MAKE) clean-salt
 

diff --git a/scripts/remove-tags → dom0/remove-tags b/scripts/remove-tags → dom0/remove-tags
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -46,13 +46,20 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
+
+# Remove any custom RPC policy tags added to non-SecureDrop VMs by the user
+remove-rpc-policy-tags:
+  cmd.script:
+    - name: salt://remove-tags
+
 # Removes files that are provisioned by the dom0 RPM, only for the development
 # environment, since dnf takes care of those provisioned in the RPM
 {% if d.environment == "dev" %}
 remove-dom0-sdw-config-files-dev:
   file.absent:
     - names:
       - /opt/securedrop
+      - /srv/salt/remove-tags
       - /srv/salt/securedrop-update
       - /srv/salt/update-xfce-settings
 {% endif %}

diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -59,6 +59,7 @@ install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
 install -m 644 dom0/*.yml %{buildroot}/srv/salt/
 install -m 644 dom0/*.conf %{buildroot}/srv/salt/
+install -m 655 dom0/remove-tags %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
 install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
@@ -92,6 +93,7 @@ install -m 644 launcher/sdw_util/*.py %{buildroot}/srv/salt/launcher/sdw_util/
 /opt/securedrop/launcher/**/*.py
 /srv/salt/sd*
 /srv/salt/dom0-xfce-desktop-file.j2
+/srv/salt/remove-tags
 /srv/salt/securedrop-*
 /srv/salt/update-xfce-settings
 /srv/salt/fpf*

diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py
@@ -106,8 +106,6 @@ def perform_uninstall():
         subprocess.check_call(
             ["sudo", "dnf", "-y", "-q", "remove", "qubes-template-securedrop-workstation-buster"]
         )
-        print("Removing SecureDrop tags from remaining VMs")
-        subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/remove-tags")])
         print("Uninstalling dom0 config package")
         subprocess.check_call(
             ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"]