Writes configs for dom0 via salt

We intend to package these dom0-specific config items into an RPM, but
for now we'll continue to use Salt to copy the files around via the
Makefile.

Note that the `sd-dom0-files.sls` filename implies the list is
comprehensive, but in fact there are dom0-specific configs scattered
through the other SLS files, mostly VM specifications and RPC policy
grants.

Makefile

@@ -8,14 +8,13 @@ endif
 
 ## Builds and provisions all VMs required for testing workstation
 all: assert-dom0 validate clean update-fedora-templates			\
-	update-whonix-templates prep-whonix sd-workstation-template \
+	update-whonix-templates prep-whonix prep-dom0 sd-workstation-template \
 	sd-whonix sd-svs sd-gpg	\
 	sd-journalist sd-svs-disp
 
 clone: assert-dom0 ## Pulls the latest repo from work VM to dom0
 	@./scripts/clone-to-dom0
 
-
 sd-workstation-template: prep-salt ## Provisions base template for SDW AppVMs
 	sudo qubesctl top.enable sd-workstation-template
 	sudo qubesctl top.enable sd-workstation-template-files
@@ -128,6 +127,11 @@ prep-whonix: ## enables apparmor on whonix-ws-14 and whonix-gw-14
 	qvm-prefs -s whonix-gw-14 kernelopts "nopat apparmor=1 security=apparmor"
 	qvm-prefs -s whonix-ws-14 kernelopts "nopat apparmor=1 security=apparmor"
 
+prep-dom0: prep-salt # Copies dom0 config files for VM updates
+	sudo qubesctl top.enable sd-vm-updates
+	sudo qubesctl top.enable sd-dom0-files
+	sudo qubesctl --targets dom0 state.highstate
+
 list-vms: ## Prints all Qubes VMs managed by Workstation salt config
 	@./scripts/list-vms
 

dom0/sd-dom0-files.sls

@@ -0,0 +1,48 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# Installs dom0 config scripts specific to tracking updates
+# over time. These scripts should be ported to an RPM package.
+##
+
+
+# Copy script to system location so admins can run ad-hoc
+dom0-update-securedrop-script:
+  file.managed:
+    - name: /usr/bin/securedrop-update
+    - source: salt://securedrop-update
+    - user: root
+    - group: root
+    - mode: 755
+
+# Symlink update script into cron, for single point of update
+dom0-update-securedrop-script-cron:
+  file.symlink:
+    - name: /etc/cron.daily/securedrop-update-cron
+    - target: /usr/bin/securedrop-update
+
+# Create directory for storing SecureDrop-specific icons
+dom0-securedrop-icons-directory:
+  file.directory:
+    - name: /usr/share/securedrop/icons
+    - user: root
+    - group: root
+    - mode: 755
+    - makedirs: True
+
+# Copy SecureDrop icon for use in GUI feedback. It's also present in
+# the Salt directory, but the permissions on that dir don't permit
+# normal user reads.
+dom0-securedrop-icon:
+  file.managed:
+    - name: /usr/share/securedrop/icons/sd-logo.png
+    - source: salt://sd/sd-journalist/logo-small.png
+    - user: root
+    - group: root
+    - mode: 644
+  # Dependency on parent dir should be explicitly declared,
+  # but the require syntax below was throwing an error that the
+  # referenced task was "not available".
+  # require:
+  #   - dom0-securedrop-icons-directory

dom0/sd-dom0-files.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-dom0-files

dom0/sd-vm-updates.top

@@ -0,0 +1,9 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+# "Placeholder" config to trigger TemplateVM boots,
+# so upgrades can be applied automatically via cron.
+base:
+  qubes:type:template:
+    - match: pillar
+    - topd