Merge pull request #473 from freedomofpress/poweroff-on-lid-close

Fully power off workstation after lid close
freedomofpress · Mar 2, 2020 · c54d5dd · c54d5dd
2 parents addae8c + fdd0767
commit c54d5dd
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -1,6 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
+{% import_json "sd/config.json" as d %}
+
 set-fedora-as-default-dispvm:
   cmd.run:
     - name: qvm-check fedora-30-dvm && qubes-prefs default_dispvm fedora-30-dvm || qubes-prefs default_dispvm ''
@@ -29,16 +31,24 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
-sd-cleanup-crontab:
+sd-cleanup-etc-changes:
   file.replace:
-    - name: /etc/crontab
+    - names:
+      - /etc/crontab
+      - /etc/systemd/logind.conf
     - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
     - flags:
       - MULTILINE
       - DOTALL
     - repl: ''
     - backup: no
 
+{% if d.environment == "prod" or d.environment == "staging" %}
+apply-systemd-changes:
+  cmd.run:
+    - name: sudo systemctl restart systemd-logind
+{% endif %}
+
 sd-cleanup-sys-firewall:
   cmd.run:
     - names:

diff --git a/dom0/sd-dom0-systemd.sls b/dom0/sd-dom0-systemd.sls
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+##
+# Updates to systemd configuration in dom0
+##
+
+{% import_json "sd/config.json" as d %}
+{% if d.environment == "prod" or d.environment == "staging" %}
+# Power off instead of suspend on lid close, for security reasons, but only in
+# prod and staging, to avoid interfering with developer workflows
+dom0-poweroff:
+  file.blockreplace:
+    - name: /etc/systemd/logind.conf
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        HandleLidSwitch=poweroff
+
+apply-systemd-changes:
+  cmd.run:
+    - name: sudo systemctl restart systemd-logind
+{% endif %}
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
@@ -6,6 +6,7 @@ base:
     - sd-sys-vms
     - sd-dom0-files
     - sd-dom0-crontab
+    - sd-dom0-systemd
     - sd-workstation-template
     - sd-upgrade-templates
     - sd-dom0-qvm-rpc