From 5eaa469d5e6363c90aed441e433c8fbf091f19e7 Mon Sep 17 00:00:00 2001
From: Cory Francis Myers
Date: Thu, 13 Jun 2024 08:58:47 -0700
Subject: [PATCH] fix: set HiddenServicePoWDefensesEnabled only on explicit securedrop_app_pow_on_source_interface=True Otherwise a "securedrop-admin install" without a prior "securedrop-admin sdconfig" will default to enabling this feature. Let's not surprise an administrator who likely intended to enforce the existing configuration.
Co-authored-by: Kevin O'Gorman
(cherry picked from commit 02a81f1421496deeea7be2d22eac99e59854747a)
---
 .../ansible-base/roles/tor-hidden-services/templates/torrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install_files/ansible-base/roles/tor-hidden-services/templates/torrc b/install_files/ansible-base/roles/tor-hidden-services/templates/torrc
index 529564429d..dfc89e33f6 100644
--- a/install_files/ansible-base/roles/tor-hidden-services/templates/torrc
+++ b/install_files/ansible-base/roles/tor-hidden-services/templates/torrc
@@ -6,7 +6,7 @@ RunAsDaemon 1
 HiddenServiceDir /var/lib/tor/services/sourcev3
 HiddenServicePort 80 127.0.0.1:80
-{% if securedrop_app_pow_on_source_interface|default(True) %}
+{% if securedrop_app_pow_on_source_interface|default(False) %}
 HiddenServicePoWDefensesEnabled 1
 {% endif %}
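Review bot: The new guard `{% if securedrop_app_pow_on_source_interface|default(False) %}` tests Jinja truthiness, so it does not strictly enforce the "only on explicit True" rule the commit message states. `default(False)` covers only an undefined variable; a value that reaches the template as a non-empty string (for example `"false"` supplied as an extra var or from an INI-style inventory) would still render `HiddenServicePoWDefensesEnabled 1`. If the value is always a YAML boolean this is probably harmless, but the `bool` filter makes it robust: `{% if securedrop_app_pow_on_source_interface|default(False)|bool %}`. A short Jinja comment above the condition, such as `{# PoW defenses are opt-in: an unset variable leaves the existing onion service configuration unchanged #}`, would also record why the default is False.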