From 94275883880843c18e9141846b3cd88b100bf1fc Mon Sep 17 00:00:00 2001
From: Erik Moeller
Date: Fri, 28 Feb 2020 11:27:24 -0800
Subject: [PATCH 1/2] Power off on lid close, in staging or prod environments

---
 dom0/sd-clean-all.sls | 6 ++++--
 dom0/sd-dom0-systemd.sls | 19 +++++++++++++++++++
 dom0/sd-workstation.top | 1 +
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 dom0/sd-dom0-systemd.sls

diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
index 09c307ef..cc6e1571 100644
--- a/dom0/sd-clean-all.sls
+++ b/dom0/sd-clean-all.sls
@@ -29,9 +29,11 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
-sd-cleanup-crontab:
+sd-cleanup-etc-changes:
   file.replace:
-    - name: /etc/crontab
+    - names:
+      - /etc/crontab
+      - /etc/systemd/logind.conf
     - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
     - flags:
       - MULTILINE
diff --git a/dom0/sd-dom0-systemd.sls b/dom0/sd-dom0-systemd.sls
new file mode 100644
index 00000000..6f32d207
--- /dev/null
+++ b/dom0/sd-dom0-systemd.sls
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+##
+# Updates to systemd configuration in dom0
+##
+
+{% import_json "sd/config.json" as d %}
+{% if d.environment == "prod" or d.environment == "staging" %}
+# Power off instead of suspend on lid close, for security reasons, but only in
+# prod and staging, to avoid interfering with developer workflows
+dom0-poweroff:
+  file.blockreplace:
+    - name: /etc/systemd/logind.conf
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: |
+        HandleLidSwitch=poweroff
+{% endif %}
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
index e4d73589..55aefbf9 100644
--- a/dom0/sd-workstation.top
+++ b/dom0/sd-workstation.top
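Review bot: Renaming the state ID from `sd-cleanup-crontab` to `sd-cleanup-etc-changes` silently breaks any `require`/`onchanges`/`watch` elsewhere in the dom0 states that still references the old ID, so those references, if any exist outside this hunk, need the same rename. The `flags` list continues past the end of the hunk; the block that `file.blockreplace` writes to `/etc/systemd/logind.conf` spans several lines, so the pattern's `.*` removes it only if `DOTALL` is also among the flags, which is worth confirming for the new file rather than inferring from the crontab case working so far. The enclosing `sd-cleanup-etc-changes` state ends outside the hunk.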
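Review bot: `HandleLidSwitch=` alone does not cover the docked case; logind's `HandleLidSwitchDocked=` defaults to `ignore`, so with an external display attached closing the lid does nothing. If poweroff-on-lid-close is meant as a security control rather than a convenience, add `HandleLidSwitchDocked=poweroff` to the same `content:` block (and `HandleLidSwitchExternalPower=poweroff` where dom0's systemd is recent enough to know that key). The comment above `dom0-poweroff` says "for security reasons" without naming them; stating the rationale, e.g. `# Power off rather than suspend so that RAM contents are not retained while the lid is closed`, lets the next maintainer judge whether the dev-environment exemption is acceptable. Note also that the appended block takes effect only if it lands inside the `[Login]` section, which holds as long as logind.conf keeps its default single-section layout.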
@@ -6,6 +6,7 @@ base:
     - sd-sys-vms
     - sd-dom0-files
     - sd-dom0-crontab
+    - sd-dom0-systemd
     - sd-workstation-template
     - sd-upgrade-templates
     - sd-dom0-qvm-rpc

From fdd0767593ec4e549ad2f40df5c6a12c20987f1d Mon Sep 17 00:00:00 2001
From: Erik Moeller
Date: Fri, 28 Feb 2020 12:33:17 -0800
Subject: [PATCH 2/2] Restart systemd-logind after config changes

---
 dom0/sd-clean-all.sls | 8 ++++++++
 dom0/sd-dom0-systemd.sls | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
index cc6e1571..4bc86567 100644
--- a/dom0/sd-clean-all.sls
+++ b/dom0/sd-clean-all.sls
@@ -1,6 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
+{% import_json "sd/config.json" as d %}
+
 set-fedora-as-default-dispvm:
   cmd.run:
     - name: qvm-check fedora-30-dvm && qubes-prefs default_dispvm fedora-30-dvm || qubes-prefs default_dispvm ''
@@ -41,6 +43,12 @@ sd-cleanup-etc-changes:
     - repl: ''
     - backup: no
 
+{% if d.environment == "prod" or d.environment == "staging" %}
+apply-systemd-changes:
+  cmd.run:
+    - name: sudo systemctl restart systemd-logind
+{% endif %}
+
 sd-cleanup-sys-firewall:
   cmd.run:
     - names:
diff --git a/dom0/sd-dom0-systemd.sls b/dom0/sd-dom0-systemd.sls
index 6f32d207..849f7752 100644
--- a/dom0/sd-dom0-systemd.sls
+++ b/dom0/sd-dom0-systemd.sls
@@ -16,4 +16,8 @@ dom0-poweroff:
     - marker_end: "### END securedrop-workstation ###"
     - content: |
         HandleLidSwitch=poweroff
+
+apply-systemd-changes:
+  cmd.run:
+    - name: sudo systemctl restart systemd-logind
 {% endif %}
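Review bot: Importing `sd/config.json` at the top of `sd-clean-all.sls` makes the whole cleanup state fail to render when that file is absent, so a cleanup run after a partial or aborted install would do nothing at all instead of merely skipping the environment-gated restart. If the cleanup is expected to work in that situation, guard the import with a Jinja existence check on the config file (or give `d` a default mapping) so that only the `apply-systemd-changes` state is skipped when the config is missing.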
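Review bot: `apply-systemd-changes` restarts `systemd-logind` on every run because a plain `cmd.run` carries no change condition; the identical state added to `dom0/sd-dom0-systemd.sls` in the last hunk of this patch has the same issue. Tie each restart to its file state so it fires only when logind.conf actually changed: here `- onchanges:` / `  - file: /etc/systemd/logind.conf` (the `names` expansion makes the path the state ID), and in sd-dom0-systemd.sls `- onchanges:` / `  - file: dom0-poweroff`. The `sudo` prefix is redundant if the highstate already runs as root in dom0, and dropping it avoids a silent dependency on the sudoers configuration. Both files now define a state with the ID `apply-systemd-changes`; if they are ever rendered in the same highstate Salt rejects the duplicate ID, so a file-specific ID such as `sd-cleanup-restart-logind` is safer here.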