Evaluate: Conditional Salt via includes

Using state file includes doesn't appear to expose vars imported via the include to the state performing the include. If this doesn't work for gathering dev/prod vars, we'll likely have to use pillars.
freedomofpress · Jan 24, 2020 · 824e658 · 824e658
1 parent 87b2c61
commit 824e658
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 4 deletions.
diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls
@@ -9,6 +9,7 @@
 #
 include:
   - update.qubes-vm
+  - sd-default-config
 
 # That's right, we need to install a package in order to
 # configure a repo to install another package
@@ -23,9 +24,9 @@ install-python-apt-for-repo-config:
 
 configure-apt-test-apt-repo:
   pkgrepo.managed:
-    - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press {{ grains['oscodename'] }} main"
+    - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} main"
     - file: /etc/apt/sources.list.d/securedrop_workstation.list
-    - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+    - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - clean_file: True # squash file to ensure there are no duplicates
     - require:
       - pkg: install-python-apt-for-repo-config
diff --git a/dom0/sd-default-config.sls b/dom0/sd-default-config.sls
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+# DEBUGGING
+{% set sd_env = salt['environ.get']('SECUREDROP_ENV', default='dev') %}
+# See references:
+#
+#   - https://docs.saltstack.com/en/latest/topics/tutorials/states_pt3.html
+#
+
+
+# Example loading taking from Qubes /srv/salt/top.sls
+
+{% load_yaml as sdvars_defaults %}
+{% include "sd-default-config.yml" %}
+{% endload %}
+
+
+{% if sd_env == "prod" %}
+{% set sdvars = sdvars_defaults['prod'] %}
+{% else %}
+{% set sdvars = sdvars_defaults['dev'] %}
+{% endif %}
diff --git a/dom0/sd-default-config.yml b/dom0/sd-default-config.yml
@@ -0,0 +1,10 @@
+---
+securedrop_defaults:
+  prod:
+    dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
+    apt_repo_url: "https://apt.freedom.press"
+    signing_key_filename: "securedrop-release-signing-pubkey.asc"
+  dev:
+    dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+    apt_repo_url: "https://apt-test-qubes.freedom.press"
+    signing_key_filename: "apt-test-pubkey.asc"
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
@@ -11,6 +11,9 @@ include:
   # The anon-whoni config pulls in sys-whonix and sys-firewall,
   # as well as ensures the latest versions of Whonix are installed.
   - qvm.anon-whonix
+  # import vars
+  - sd-default-config
+
 
 dom0-rpm-test-key:
   file.managed:
@@ -19,7 +22,7 @@ dom0-rpm-test-key:
     # we must place the GPG key inside the fedora-30 TemplateVM, then
     # restart sys-firewall.
     - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
-    - source: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+    - source: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - user: root
     - group: root
     - mode: 644
@@ -44,7 +47,7 @@ dom0-workstation-rpm-repo:
         gpgcheck=1
         gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
         enabled=1
-        baseurl=https://yum-test.securedrop.org/workstation/dom0/f25
+        baseurl={{ sdvars.dom0_yum_repo_url }}
         name=SecureDrop Workstation Qubes dom0 repo
     - require:
       - file: dom0-rpm-test-key