From b1ad2113d9178536dba4f94facf2301e83c7db16 Mon Sep 17 00:00:00 2001
From: Michael Sheinberg <mike@freedom.press>
Date: Tue, 15 Aug 2017 15:53:46 -0400
Subject: [PATCH] Swap tor apt repo to point to our mirror

This addresses issue #2106 - mitigate side-effects from a tor package
breaking securedrop instances in the field.

The actual logic that creates our mirror is in source control in another repo.
---
 install_files/ansible-base/group_vars/all/securedrop       | 1 +
 .../ansible-base/roles/common/templates/security.list      | 2 +-
 .../roles/tor-hidden-services/tasks/install_tor.yml        | 3 ++-
 install_files/securedrop-app-code/DEBIAN/postinst          | 7 +++++++
 4 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 200c64d628c..22b57ff359e 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -51,3 +51,4 @@ appserver_dependencies:
   - redis-server
   - supervisor
 
+tor_apt_repo_url: http://tor-apt.ops.freedom.press
diff --git a/install_files/ansible-base/roles/common/templates/security.list b/install_files/ansible-base/roles/common/templates/security.list
index 3da170bbda0..c78d12a7900 100644
--- a/install_files/ansible-base/roles/common/templates/security.list
+++ b/install_files/ansible-base/roles/common/templates/security.list
@@ -3,4 +3,4 @@ deb-src http://security.ubuntu.com/ubuntu trusty-security main
 deb http://security.ubuntu.com/ubuntu trusty-security universe
 deb-src http://security.ubuntu.com/ubuntu trusty-security universe
 deb [arch=amd64] {{ apt_repo_url }} trusty main
-deb http://deb.torproject.org/torproject.org trusty main
+deb {{ tor_apt_repo_url }} trusty main
diff --git a/install_files/ansible-base/roles/tor-hidden-services/tasks/install_tor.yml b/install_files/ansible-base/roles/tor-hidden-services/tasks/install_tor.yml
index 7caa1673021..2c34f1e7023 100644
--- a/install_files/ansible-base/roles/tor-hidden-services/tasks/install_tor.yml
+++ b/install_files/ansible-base/roles/tor-hidden-services/tasks/install_tor.yml
@@ -9,7 +9,8 @@
 
 - name: Setup Tor apt repo.
   apt_repository:
-    repo: deb http://deb.torproject.org/torproject.org {{ ansible_lsb.codename }} main
+    filename: deb_torproject_org_torproject_org
+    repo: deb {{ tor_apt_repo_url }} {{ ansible_lsb.codename }} main
     state: present
   register: add_tor_apt_repo
   tags:
diff --git a/install_files/securedrop-app-code/DEBIAN/postinst b/install_files/securedrop-app-code/DEBIAN/postinst
index ffaa26f3fa6..5f93d552147 100755
--- a/install_files/securedrop-app-code/DEBIAN/postinst
+++ b/install_files/securedrop-app-code/DEBIAN/postinst
@@ -55,6 +55,13 @@ case "$1" in
       rm /tmp/securedrop_custom_logo.png
     fi
 
+    # Repoint tor repositories to FPF mirror
+    for file in "sources.list.d/deb_torproject_org_torproject_org.list" "security.list"
+    do
+        if [ -f "/etc/apt/$file" ]; then
+            sed -i 's/deb.torproject.org\/torproject.org/tor-apt.ops.freedom.press/g' "/etc/apt/$file"
+        fi
+    done
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)