Merge pull request #619 from freedomofpress/608-import-export-securit…

…y-rebased Template consolidation via GUI updater
freedomofpress · Oct 27, 2020 · d4a72f0 · d4a72f0
2 parents 6f8a6b9 + c40aa38
commit d4a72f0
Show file tree

Hide file tree

Showing 38 changed files with 509 additions and 294 deletions.
diff --git a/MANIFEST.in b/MANIFEST.in
@@ -8,6 +8,7 @@ include dom0/sdw-admin
 include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop
 include dom0/securedrop-handle-upgrade
+include dom0/securedrop-check-migration
 include dom0/update-xfce-settings
 include config.json.example
 include README.md

diff --git a/Makefile b/Makefile
@@ -48,15 +48,15 @@ sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs
 
 sd-proxy: prep-dev ## Provisions SD Proxy VM
 	sudo qubesctl --show-output state.sls sd-proxy
-	sudo qubesctl --show-output --skip-dom0 --targets sd-proxy-buster-template,sd-proxy state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate
 
 sd-gpg: prep-dev ## Provisions SD GPG keystore VM
 	sudo qubesctl --show-output state.sls sd-gpg
 	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template,sd-gpg state.highstate
 
 sd-app: prep-dev ## Provisions SD APP VM
 	sudo qubesctl --show-output state.sls sd-app
-	sudo qubesctl --show-output --skip-dom0 --targets sd-app-buster-template,sd-app state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-app state.highstate
 
 sd-whonix: prep-dev ## Provisions SD Whonix VM
 	sudo qubesctl --show-output state.sls sd-whonix
@@ -72,7 +72,7 @@ sd-devices: prep-dev ## Provisions SD Export VM
 
 sd-log: prep-dev ## Provisions SD logging VM
 	sudo qubesctl --show-output state.sls sd-log
-	sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template,sd-log state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-log state.highstate
 
 prep-dev: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-dev

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.4.0
+0.5.0-rc1
diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls
@@ -12,28 +12,13 @@ include:
   - sd-workstation-template
   - sd-upgrade-templates
 
-sd-app-template:
-  qvm.vm:
-    - name: sd-app-buster-template
-    - clone:
-      - source: securedrop-workstation-buster
-      - label: yellow
-    - tags:
-      - add:
-        - sd-workstation
-        - sd-buster
-        - sd-workstation-updates
-    - require:
-      - sls: sd-workstation-template
-      - sls: sd-upgrade-templates
-
 sd-app:
   qvm.vm:
     - name: sd-app
     - present:
       - label: yellow
     - prefs:
-      - template: sd-app-buster-template
+      - template: sd-small-buster-template
       - netvm: ""
     - tags:
       - add:
@@ -43,7 +28,7 @@ sd-app:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-app-buster-template
+      - qvm: sd-small-buster-template
 
 {% import_json "sd/config.json" as d %}
 
@@ -60,9 +45,9 @@ sd-app-private-volume-size:
 sd-app-template-sync-appmenus:
   cmd.run:
     - name: >
-        qvm-start --skip-if-running sd-app-buster-template &&
-        qvm-sync-appmenus sd-app-buster-template
+        qvm-start --skip-if-running sd-small-buster-template &&
+        qvm-sync-appmenus sd-small-buster-template
     - require:
-      - qvm: sd-app-buster-template
+      - qvm: sd-small-buster-template
     - onchanges:
-      - qvm: sd-app-buster-template
+      - qvm: sd-small-buster-template
diff --git a/dom0/sd-devices.sls b/dom0/sd-devices.sls
@@ -9,28 +9,14 @@ include:
   - sd-workstation-template
   - sd-upgrade-templates
 
-sd-devices-template:
-  qvm.vm:
-    - name: sd-devices-buster-template
-    - clone:
-      - source: securedrop-workstation-buster
-      - label: red
-    - tags:
-      - add:
-        - sd-workstation
-        - sd-workstation-updates
-    - require:
-      - sls: sd-workstation-template
-      - sls: sd-upgrade-templates
-
 sd-devices-dvm:
   qvm.vm:
     - name: sd-devices-dvm
     - present:
-      - template: sd-devices-buster-template
+      - template: sd-large-buster-template
       - label: red
     - prefs:
-      - template: sd-devices-buster-template
+      - template: sd-large-buster-template
       - netvm: ""
       - template_for_dispvms: True
     - tags:
@@ -41,19 +27,19 @@ sd-devices-dvm:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-devices-buster-template
+      - qvm: sd-large-buster-template
 
 # Ensure the Qubes menu is populated with relevant app entries,
 # so that Nautilus/Files can be started via GUI interactions.
 sd-devices-template-sync-appmenus:
   cmd.run:
     - name: >
-        qvm-start --skip-if-running sd-devices-buster-template &&
-        qvm-sync-appmenus sd-devices-buster-template
+        qvm-start --skip-if-running sd-large-buster-template &&
+        qvm-sync-appmenus sd-large-buster-template
     - require:
-      - qvm: sd-devices-buster-template
+      - qvm: sd-large-buster-template
     - onchanges:
-      - qvm: sd-devices-buster-template
+      - qvm: sd-large-buster-template
 
 sd-devices-create-named-dispvm:
   qvm.vm:

diff --git a/dom0/sd-gpg.sls b/dom0/sd-gpg.sls
@@ -17,10 +17,10 @@ sd-gpg:
   qvm.vm:
     - name: sd-gpg
     - present:
-      - template: securedrop-workstation-buster
+      - template: sd-small-buster-template
       - label: purple
     - prefs:
-      - template: securedrop-workstation-buster
+      - template: sd-small-buster-template
       - netvm: ""
       - autostart: true
     - tags:

diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls
@@ -10,25 +10,14 @@ include:
   - sd-workstation-template
   - sd-upgrade-templates
 
-sd-log-template:
-  qvm.vm:
-    - name: sd-log-buster-template
-    - clone:
-      - source: securedrop-workstation-buster
-      - label: red
-    - tags:
-      - add:
-        - sd-workstation
-    - require:
-      - sls: sd-workstation-template
-
 sd-log:
   qvm.vm:
     - name: sd-log
     - present:
-      - template: sd-log-buster-template
+      - template: sd-small-buster-template
       - label: red
     - prefs:
+      - template: sd-small-buster-template
       - netvm: ""
       - autostart: true
     - tags:
@@ -40,7 +29,7 @@ sd-log:
         - service.redis
         - service.securedrop-log
     - require:
-      - qvm: sd-log-buster-template
+      - qvm: sd-small-buster-template
 
 # Allow any SecureDrop VM to log to the centralized log VM
 sd-log-dom0-securedrop.Log:

diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls
@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-{% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "whonix-gw-15"] %}
+{% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "sd-small-buster-template", "sd-large-buster-template", "whonix-gw-15"] %}
 include:
   - fpf-apt-test-repo
 
@@ -14,15 +14,12 @@ install-securedrop-log-package:
       - sls: fpf-apt-test-repo
 {% endif %}
 
-{% if grains['id'] == "sd-log-buster-template" %}
+{% if grains['id'] in ["sd-small-buster-template", "sd-large-buster-template"] %}
 install-redis-for-sd-log-template:
   pkg.installed:
     - pkgs:
       - redis-server
       - redis
-remove-sd-rsyslog-config-for-logserver:
-  file.absent:
-    - name: /etc/rsyslog.d/sdlog.conf
 
 {% elif grains['id'] == "sd-log" %}
 # Only for the "sd-log" AppVM, configure /rw/config to disable
@@ -43,6 +40,9 @@ sd-log-remove-rsyslog-qubes-plugin:
     - name: /rw/config/rc.local
     - require:
       - file: sd-log-remove-rsyslog-qubes-plugin
+remove-sd-rsyslog-config-for-logserver:
+  file.absent:
+    - name: /etc/rsyslog.d/sdlog.conf
 
 {% elif grains['id'] == "sd-gpg" %}
 # For sd-gpg, we disable logging altogether, since access

diff --git a/dom0/sd-mime-handling.sls b/dom0/sd-mime-handling.sls
@@ -12,12 +12,34 @@
 # respective AppVMs.
 ##
 
+sd-private-volume-mimeapps-config-dir:
+  file.directory:
+    - name: /home/user/.local/share/applications
+    - user: user
+    - group: user
+    - makedirs: True
+    - mode: "0755"
+
 {% if grains['id'] in ["sd-viewer", "sd-app", "sd-devices-dvm"] %}
 
 sd-private-volume-mimeapps-handling:
   file.symlink:
     - name: /home/user/.local/share/applications/mimeapps.list
     - target: /opt/sdw/mimeapps.list.{{ grains['id'] }}
-    - makedirs: True
+    - user: user
+    - group: user
+    - require:
+      - file: sd-private-volume-mimeapps-config-dir
+
+{% else %}
+
+sd-private-volume-mimeapps-handling:
+  file.symlink:
+    - name: /home/user/.local/share/applications/mimeapps.list
+    - target: /opt/sdw/mimeapps.list.default
+    - user: user
+    - group: user
+    - require:
+      - file: sd-private-volume-mimeapps-config-dir
 
 {% endif %}
diff --git a/dom0/sd-proxy-files.sls b/dom0/sd-proxy-files.sls
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+{% import_json "sd/config.json" as d %}
+
+install-securedrop-proxy-yaml-config:
+  file.managed:
+    - name: /home/user/.securedrop_proxy/sd-proxy.yaml
+    - source: salt://sd/sd-proxy/sd-proxy.yaml
+    - makedirs: True
+    - template: jinja
+    - user: user
+    - group: user
+    - context:
+        hostname: {{ d.hidserv.hostname }}
+    - mode: 0644
diff --git a/dom0/sd-proxy-template-files.sls b/dom0/sd-proxy-template-files.sls
@@ -4,42 +4,6 @@ include:
   - fpf-apt-test-repo
   - sd-logging-setup
 
-sd-proxy-do-not-open-here-script:
-  file.managed:
-    - name: /usr/bin/do-not-open-here
-    - source: salt://sd/sd-proxy/do-not-open-here
-    - user: root
-    - group: root
-    - mode: 755
-
-sd-proxy-do-not-open-here-desktop-file:
-  file.managed:
-    - name: /usr/share/applications/do-not-open.desktop
-    - source: salt://sd/sd-proxy/do-not-open.desktop
-    - user: root
-    - group: root
-    - mode: 644
-    - makedirs: True
-
-sd-proxy-configure-mimetypes:
-  file.managed:
-    - name: /usr/share/applications/mimeapps.list
-    - source: salt://sd/sd-proxy/mimeapps.list
-    - user: user
-    - group: user
-    - mode: 644
-    - makedirs: True
-  cmd.run:
-    - name: sudo update-desktop-database /usr/share/applications
-    - require:
-      - file: sd-proxy-configure-mimetypes
-      - file: sd-proxy-do-not-open-here-desktop-file
-      - file: sd-proxy-do-not-open-here-script
-    - onchanges:
-      - file: sd-proxy-do-not-open-here-script
-      - file: sd-proxy-do-not-open-here-desktop-file
-      - file: sd-proxy-configure-mimetypes
-
 # Depends on FPF-controlled apt repo, already present
 # in underlying "securedrop-workstation" base template.
 install-securedrop-proxy-package:
@@ -49,14 +13,8 @@ install-securedrop-proxy-package:
     - require:
       - sls: fpf-apt-test-repo
 
-
-{% import_json "sd/config.json" as d %}
-
-install-securedrop-proxy-yaml-config:
-  file.managed:
-    - name: /etc/sd-proxy.yaml
-    - source: salt://sd/sd-proxy/sd-proxy.yaml
-    - template: jinja
-    - context:
-        hostname: {{ d.hidserv.hostname }}
-    - mode: 0644
+# Remove the legacy config file location
+remove-legacy-sd-proxy-config:
+  file.absent:
+    - names:
+      - /etc/sd-proxy.yaml
diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls
@@ -13,25 +13,13 @@ include:
   - sd-whonix
   - sd-upgrade-templates
 
-sd-proxy-template:
-  qvm.vm:
-    - name: sd-proxy-buster-template
-    - clone:
-      - source: securedrop-workstation-buster
-      - label: blue
-    - tags:
-      - add:
-        - sd-workstation
-        - sd-buster
-        - sd-workstation-updates
-
 sd-proxy:
   qvm.vm:
     - name: sd-proxy
     - present:
       - label: blue
     - prefs:
-      - template: sd-proxy-buster-template
+      - template: sd-small-buster-template
       - netvm: sd-whonix
       - autostart: true
     - tags:
@@ -40,7 +28,7 @@ sd-proxy:
         - sd-buster
     - require:
       - qvm: sd-whonix
-      - qvm: sd-proxy-template
+      - qvm: sd-small-buster-template
 
 # Permit the SecureDrop Proxy to manage Client connections
 sd-proxy-dom0-securedrop.Proxy: