Install securedrop-proxy package in template for sd-journalist AppVM

[redshiftzero]

The initial version of securedrop-proxy is here: https://apt-test-qubes.freedom.press/pool/main/s/securedrop-proxy/

We need to:

1. Install this package in the template for sd-journalist (Related: renaming sd-journalist AppVM to sd-proxy (Convert sd-journalist to sd-proxy #138))
2. Create config.yaml on disk in the sd-journalist AppVM, which contains e.g. the onion URL of the journalist interface
3. Make Qubes RPC policy changes in dom0 needed for the proxy's operation as described here

[conorsch]

As discussed during sprint planning today, these changes here should be additions to the sd-journalist config, not replacements. The goal is to preserve a working master branch on this repo, and until the client code is packaged and installed, we'll still need to use Tor Browser to download submissions for testing.

[conorsch]

@redshiftzero Can you provide an example YAML configuration? I'm assuming the format is this: https://github.com/freedomofpress/securedrop-proxy/blob/9d040ce240fb837f34756c65e9f97c938a7c9e7f/config-example.yaml

What should target_vm be, for example?

[redshiftzero]

the config should look like this where the string journalist_interface_url is replaced with whatever the onion service URL is (fetched from the config file in dom0):

host: journalist_interface_url
scheme: http
port: 80
target_vm: sd-svs
dev: False

[conorsch]

Great, thanks, that's clear. Is there a specific filepath that the proxy app expects to find this file at? Reading the code in https://github.com/freedomofpress/securedrop-proxy/, it's not immediately obvious to me. Happy to shove it in /etc/securedrop/sd-proxy-config.yml, for instance, but want to make sure the app picks it up.

[redshiftzero]

in the logic right now we have it at /etc/sd-proxy.yaml (ref)

[conorsch]

Perfect, just what I needed! Get back to ya soon with a candidate PR.