Update provisioning scripts to refer to /srv/salt/securedrop_salt.
Update rpm specfile.
Include all securedrop_salt files in MANIFEST.in.

Use securedrop_salt path in Jinja and sls requirement import statements.
rocodes committed May 31, 2024
1 parent 3662e51 commit 2a9265a
Showing 35 changed files with 115 additions and 177 deletions.
13 changes: 1 addition & 12 deletions MANIFEST.in
@@ -1,20 +1,9 @@
include securedrop_salt/*.sls
include securedrop_salt/*.top
include securedrop_salt/*.j2
include securedrop_salt/*.yml
include securedrop_salt/*.conf
include securedrop_salt/remove-tags.py
include securedrop_salt/securedrop-handle-upgrade
include securedrop_salt/update-xfce-settings
include securedrop_salt/*
include README.md
include LICENSE
include VERSION
include sd-proxy/*
include sd-whonix/*
include sd-workstation/*
include sdw_updater/*.py
include sdw_notify/*.py
include sdw_util/*.py
include usb-autoattach/*
include files/*
include setup.py
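Review bot: `include securedrop_salt/*` matches only files directly inside that directory — setuptools' `include` does not descend — so if the `sd-proxy/`, `sd-whonix/`, `sd-workstation/` and `usb-autoattach/` trees now live under `securedrop_salt/` (the dropped `include sd-proxy/*` lines and the "File renamed" entries in this commit suggest they do), their contents fall out of the sdist, which matters if the RPM's source tarball is built from it. `graft securedrop_salt` (or `recursive-include securedrop_salt *`) covers the subdirectories. Because the pattern is now unrestricted, also add `global-exclude *.pyc __pycache__` so build residue or a developer's locally copied `config.json`/`sd-journalist.sec` cannot ride along into the package.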
6 changes: 3 additions & 3 deletions Makefile
Expand Up @@ -60,16 +60,16 @@ clone-norpm: assert-dom0 ## As above, but skip creating RPM
@BUILD_RPM=false ./scripts/clone-to-dom0

qubes-rpc: prep-dev ## Places default deny qubes-rpc policies for sd-app and sd-gpg
sudo qubesctl --show-output --targets sd-dom0-qvm-rpc state.highstate
sudo qubesctl --show-output --targets securedrop_salt.sd-dom0-qvm-rpc state.highstate

add-usb-autoattach: prep-dom0 ## Adds udev rules and scripts to sys-usb
sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate

remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb
sudo qubesctl --show-output state.sls sd-usb-autoattach-remove
sudo qubesctl --show-output state.sls securedrop_salt.sd-usb-autoattach-remove

sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs
sudo qubesctl --show-output state.sls sd-base-template
sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template
sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate

sd-proxy: prep-dev ## Provisions SD Proxy VM
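Review bot: The `qubes-rpc` target still passes a state name through `--targets`, which in qubesctl is the list of VMs to act on, so `--targets securedrop_salt.sd-dom0-qvm-rpc state.highstate` asks for a highstate on a VM that does not exist and only applies the policy state if its top file happens to be enabled. Every other target in this hunk uses the `state.sls` form; `sudo qubesctl --show-output state.sls securedrop_salt.sd-dom0-qvm-rpc` would match them and not depend on `_tops` state. The line had this shape before the rename too, so if it has been working it is presumably via the enabled top file — worth confirming on a dom0 rather than assuming.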
8 changes: 7 additions & 1 deletion files/clean-salt
Expand Up @@ -7,7 +7,7 @@ set -o pipefail


# Hardcoded location of SecureDrop Workstation salt config files
SDW_SALT_DIR="/srv/salt/sd"
SDW_SALT_DIR="/srv/salt/securedrop_salt"
SALT_DIR="/srv/salt"

echo "Purging Salt config..."
Expand All @@ -19,9 +19,15 @@ echo "Purging Salt config..."

if [[ ! -d "$SDW_SALT_DIR" ]]; then
sudo rm -rf ${SDW_SALT_DIR}

# Can be removed in future
sudo rm -rf ${SALT_DIR}/launcher

# We no longer store salt files directly in /srv/salt, so these next
# 3 checks can be removed at 4.2 cutover
sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete
sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete
sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete
sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete

fi
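Review bot: The `_tops` cleanup on the last `find` still only removes symlinks that point at the old layout (`-lname '/srv/salt/sd-*'`), while the spec's `%post` now enables top files from `/srv/salt/securedrop_salt/`; after `rm -rf ${SDW_SALT_DIR}` those links are presumably left dangling in `/srv/salt/_tops` and qubesctl keeps trying to read them. Add `sudo find ${SALT_DIR}/_tops -lname "${SDW_SALT_DIR}/*" -delete` next to the existing line (or `-xtype l -delete` to drop every dangling link). Separately, as shown here the whole block is guarded by `if [[ ! -d "$SDW_SALT_DIR" ]]`, i.e. it runs only when the directory is already absent; if that really is the full condition (the hunk elides the lines just above it), the relocated directory is never purged on an installed system — please check against the collapsed lines. The `-iname 'sd*'`/`'securedrop*'` deletions at the top of `/srv/salt` are case-insensitive and not scoped to this project, so the `-maxdepth 1 -type f` limits are important to keep, and the comment's promise to remove them at the 4.2 cutover should be tracked.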
4 changes: 2 additions & 2 deletions files/provision-all
Expand Up @@ -10,11 +10,11 @@ set -o pipefail
max_concurrency="2"

echo "Configure Fedora-based system VMs"
sudo qubesctl --show-output state.sls sd-sys-vms
sudo qubesctl --show-output state.sls securedrop_salt.sd-sys-vms

echo ".........................................................................."
echo "Configure base template"
sudo qubesctl --show-output state.sls sd-base-template
sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template
sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate
qvm-shutdown --wait sd-base-bookworm-template

10 changes: 6 additions & 4 deletions files/sdw-admin.py
Expand Up @@ -14,7 +14,7 @@
import qubesadmin

SCRIPTS_PATH = "/usr/share/securedrop-workstation-dom0-config/"
SALT_PATH = "/srv/salt/sd/"
SALT_PATH = "/srv/salt/securedrop_salt/"
BASE_TEMPLATE = "debian-12-minimal"

sys.path.insert(1, os.path.join(SCRIPTS_PATH, "scripts/"))
Expand Down Expand Up @@ -76,7 +76,7 @@ def install_pvh_support():

def copy_config():
"""
Copies config.json and sd-journalist.sec to /srv/salt/sd
Copies config.json and sd-journalist.sec to /srv/salt/securedrop_salt
"""
try:
subprocess.check_call(["sudo", "cp", os.path.join(SCRIPTS_PATH, "config.json"), SALT_PATH])
Expand Down Expand Up @@ -141,11 +141,13 @@ def refresh_salt():

def perform_uninstall(keep_template_rpm=False):
try:
subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-default-dispvm"])
subprocess.check_call(
["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-default-dispvm"]
)
print("Destroying all VMs")
subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/destroy-vm"), "--all"])
print("Reverting dom0 configuration")
subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-all"])
subprocess.check_call(["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-all"])
subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/clean-salt")])
print("Uninstalling dom0 config package")
subprocess.check_call(
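Review bot: `SALT_PATH` is now the fourth hard-coded copy of the same directory (`SDW_SALT_DIR` in files/clean-salt, the literal paths in scripts/prep-dev, and the install and `%files` paths in the RPM spec), which is exactly why this rename has to touch all of them and why a missed one fails only at runtime. A comment on the constant would at least keep the next rename honest, e.g. `# Must match SDW_SALT_DIR in files/clean-salt, the paths in scripts/prep-dev and the /srv/salt entries in the RPM spec.` Longer term the path could live in one place — clean-salt is invoked from `perform_uninstall` here, so it could take the directory as an argument instead of re-declaring it. The body of `perform_uninstall` continues past the end of the hunk.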
2 changes: 1 addition & 1 deletion files/validate_config.py
Expand Up @@ -16,7 +16,7 @@
TOR_V3_HOSTNAME_REGEX = r"^[a-z2-7]{56}\.onion$"
TOR_V3_AUTH_REGEX = r"^[A-Z2-7]{52}$"

# CONFIG_FILEPATH = "/srv/salt/sd/config.json"
# CONFIG_FILEPATH = "/srv/salt/securedrop_salt/config.json"
CONFIG_FILEPATH = "config.json"
SECRET_KEY_FILEPATH = "sd-journalist.sec"

35 changes: 8 additions & 27 deletions rpm-build/SPECS/securedrop-workstation-dom0-config.spec
Expand Up @@ -61,28 +61,15 @@ configuration over time.
# direct_url.json is is not reproducible and not strictly needed
rm %{buildroot}/%{python3_sitelib}/*%{version}.dist-info/direct_url.json
sed -i "/\.dist-info\/direct_url\.json,/d" %{buildroot}/%{python3_sitelib}/*%{version}.dist-info/RECORD
install -m 755 -d %{buildroot}/srv/salt/sd/sd-proxy
install -m 755 -d %{buildroot}/srv/salt/sd/sd-journalist
install -m 755 -d %{buildroot}/srv/salt/sd/sd-whonix
install -m 755 -d %{buildroot}/srv/salt/sd/sd-workstation
install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach

install -m 755 -d %{buildroot}/srv/salt/
cp -a securedrop_salt %{buildroot}/srv/salt/

install -m 755 -d %{buildroot}/%{_datadir}/%{name}/scripts
install -m 755 -d %{buildroot}/%{_bindir}
install -m 755 -d %{buildroot}/opt/securedrop
install -m 755 -d %{buildroot}/usr/bin/securedrop
install -m 644 securedrop_salt/*.sls %{buildroot}/srv/salt/
install -m 644 securedrop_salt/*.top %{buildroot}/srv/salt/
install -m 644 securedrop_salt/*.j2 %{buildroot}/srv/salt/
install -m 644 securedrop_salt/*.yml %{buildroot}/srv/salt/
install -m 644 securedrop_salt/*.conf %{buildroot}/srv/salt/
install -m 755 securedrop_salt/remove-tags.py %{buildroot}/srv/salt/remove-tags
install -m 755 securedrop_salt/securedrop-handle-upgrade %{buildroot}/srv/salt/
install -m 755 securedrop_salt/update-xfce-settings %{buildroot}/srv/salt/
install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/
install -m 755 usb-autoattach/sd-attach-export-device %{buildroot}/srv/salt/sd/usb-autoattach/
install -m 644 usb-autoattach/99-sd-devices.rules %{buildroot}/srv/salt/sd/usb-autoattach/
install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/
install -m 755 files/clean-salt %{buildroot}/%{_datadir}/%{name}/scripts/
install -m 755 files/destroy-vm.py %{buildroot}/%{_datadir}/%{name}/scripts/destroy-vm
install -m 755 files/provision-all %{buildroot}/%{_datadir}/%{name}/scripts/
Expand All @@ -98,7 +85,7 @@ install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/
install -m 755 -d %{buildroot}/%{_userunitdir}/
install -m 755 -d %{buildroot}/%{_unitdir}
install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/
install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/press.freedom.SecureDropUpdater.desktop
install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/securedrop_salt/press.freedom.SecureDropUpdater.desktop
install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png
install -m 644 files/securedrop-scalable.svg %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/securedrop.svg
install -m 755 files/sdw-updater.py %{buildroot}/%{_bindir}/sdw-updater
Expand Down Expand Up @@ -127,13 +114,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user
%attr(755, root, root) %{_datadir}/%{name}/scripts/validate_config.py
%attr(755, root, root) %{_bindir}/sdw-admin
%{_datadir}/%{name}/config.json.example
/srv/salt/sd*
/srv/salt/dom0-xfce-desktop-file.j2
/srv/salt/remove-tags
/srv/salt/securedrop-*
/srv/salt/fpf*
/srv/salt/press.freedom.SecureDropUpdater.desktop

/srv/salt/securedrop_salt/*
%attr(755, root, root) %{_bindir}/sdw-login
%attr(755, root, root) %{_bindir}/sdw-notify
%attr(755, root, root) %{_bindir}/sdw-updater
Expand Down Expand Up @@ -166,7 +147,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user
%license LICENSE

%post
find /srv/salt -maxdepth 1 -type f -iname '*.top' \
find /srv/salt/securedrop_salt -maxdepth 1 -type f -iname '*.top' \
| xargs -n1 basename \
| sed -e 's/\.top$$//g' \
| xargs qubesctl top.enable > /dev/null
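Review bot: The `%post` scriptlet still hands `qubesctl top.enable` the bare basename (`sd-app`), but the `.top` files it finds now live in `/srv/salt/securedrop_salt/`; if `top.enable` resolves names relative to the file root the way `state.sls` does (the convention the rest of this commit adopts, e.g. `securedrop_salt.sd-base-template`), the name to enable is probably `securedrop_salt.<name>`, and this is worth verifying on a dom0 by checking what the symlinks under `/srv/salt/_tops` point at after install. Separately, `cp -a securedrop_salt` replaces the per-file `install -m 644/755` lines, so mode bits now come straight from the checkout and any stray file in that directory (`__pycache__`, editor backups, a developer's copied `config.json`/`sd-journalist.sec`) lands in the RPM; a `%defattr(644,root,root,755)` ahead of the `/srv/salt/securedrop_salt/*` glob with explicit `%attr(755,root,root,...)` for the scripts, or an `install`-based copy, would restore the explicit permissions. The `$$` in `sed -e 's/\.top$$//g'` also looks copied from a Makefile: nothing expands it inside a spec scriptlet, and in a BRE only a trailing `$` anchors, so the `.top` suffix may not be stripped as intended — `sed -e 's/\.top$//'` is presumably what was meant.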
4 changes: 2 additions & 2 deletions scripts/prep-dev
Expand Up @@ -36,6 +36,6 @@ echo "Copying config secrets into place..."
for f in config.json sd-journalist.sec ; do
sudo cp -v "$f" /usr/share/securedrop-workstation-dom0-config/
sudo chmod ugo+r /usr/share/securedrop-workstation-dom0-config/$f
sudo cp -v "$f" /srv/salt/sd/
sudo chmod ugo+r /srv/salt/sd/$f
sudo cp -v "$f" /srv/salt/securedrop_salt/
sudo chmod ugo+r /srv/salt/securedrop_salt/$f
done
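Review bot: `sudo chmod ugo+r` is applied to both files in the loop, so the journalist private key `sd-journalist.sec` ends up world-readable under `/srv/salt/securedrop_salt/` (and under `/usr/share/securedrop-workstation-dom0-config/`). Salt runs as root via sudo, so unless something in the dev workflow reads the key as the unprivileged dom0 user, only `config.json` needs the relaxed mode; e.g. `sudo chmod 0600 /srv/salt/securedrop_salt/sd-journalist.sec` after the loop, or take the key out of the loop. Dom0 is single-user so the practical exposure is small, but this script mirrors what `copy_config` in files/sdw-admin.py does for production installs, and the two should agree on the mode the key ends up with.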
File renamed without changes.
4 changes: 2 additions & 2 deletions securedrop_salt/fpf-apt-repo.sls
Expand Up @@ -14,7 +14,7 @@
# - securedrop_salt.sd-default-config

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}
{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}

# Using apt-get requires manual approval when releaseinfo changes,
# just get it over with in the beginning
Expand All @@ -30,7 +30,7 @@ autoremove-old-packages:

# If we're on a prod environment, ensure there isn't a test .sources
# file. (Should never happen in real usage, but may in testing)
{% import_json "sd/config.json" as d %}
{% import_json "securedrop_salt/config.json" as d %}
{% if d.environment == "prod" %}
clean-old-test-sources:
file.absent:
2 changes: 1 addition & 1 deletion securedrop_salt/sd-app-files.sls
Expand Up @@ -19,4 +19,4 @@ install-securedrop-client-package:
- pkgs:
- securedrop-client
- require:
- sls: fpf-apt-repo
- sls: securedrop_salt.fpf-apt-repo
4 changes: 2 additions & 2 deletions securedrop_salt/sd-app.sls
Expand Up @@ -7,7 +7,7 @@
##

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}
{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}

include:
- securedrop_salt.sd-workstation-template
Expand All @@ -31,7 +31,7 @@ sd-app:
- require:
- qvm: sd-small-{{ sdvars.distribution }}-template

{% import_json "sd/config.json" as d %}
{% import_json "securedrop_salt/config.json" as d %}

sd-app-config:
qvm.features:
File renamed without changes.
2 changes: 1 addition & 1 deletion securedrop_salt/sd-base-template-files.sls
Expand Up @@ -24,4 +24,4 @@ sd-base-template-install-securedrop-packages:
- securedrop-workstation-config
- securedrop-workstation-grsec
- require:
- sls: fpf-apt-repo
- sls: securedrop_salt.fpf-apt-repo
2 changes: 1 addition & 1 deletion securedrop_salt/sd-base-template.sls
Expand Up @@ -2,7 +2,7 @@
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}
{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}

include:
- securedrop_salt.sd-dom0-files
21 changes: 1 addition & 20 deletions securedrop_salt/sd-clean-all.sls
@@ -1,7 +1,7 @@
# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :

{% import_json "sd/config.json" as d %}
{% import_json "securedrop_salt/config.json" as d %}

set-fedora-as-default-dispvm:
cmd.run:
Expand Down Expand Up @@ -48,25 +48,6 @@ include:
- securedrop_salt.sd-usb-autoattach-remove
{% endif %}

<<<<<<< HEAD
=======
# Reset desktop icon size to its original value
dom0-reset-icon-size-xfce:
cmd.script:
- name: salt://securedrop_salt/update-xfce-settings
- args: reset-icon-size
- runas: {{ gui_user }}

# Reset power management options to their original values
{% if d.environment == "prod" or d.environment == "staging" %}
dom0-reset-power-management-xfce:
cmd.script:
- name: salt://securedrop_salt/update-xfce-settings
- args: reset-power-management
- runas: {{ gui_user }}
{% endif %}

>>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.)
# Removes all salt-provisioned files (if these files are also provisioned via
# RPM, they should be removed as part of remove-dom0-sdw-config-files-dev)
remove-dom0-sdw-config-files:
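Review bot: The conflict is resolved by taking HEAD, which drops `dom0-reset-icon-size-xfce` and `dom0-reset-power-management-xfce` from the uninstall path; that is consistent with the matching apply-side states being dropped in sd-dom0-files.sls and with `update-xfce-settings` now being installed under /usr/bin/securedrop rather than the salt tree, but it means uninstall no longer restores the XFCE power-management options on prod/staging unless HEAD's replacement mechanism does so — please confirm that it does. Independent of how the conflict was resolved, the parent commit carried literal `<<<<<<<`/`=======`/`>>>>>>>` markers in a file Salt would try to render; a `git diff --check` step (or a conflict-marker pre-commit hook) in CI would have rejected it before it landed. The `remove-dom0-sdw-config-files` state at the end of the hunk continues outside it.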
4 changes: 2 additions & 2 deletions securedrop_salt/sd-default-config.sls
Expand Up @@ -7,11 +7,11 @@

# Load YAML vars file
{% load_yaml as sdvars_defaults %}
{% include "sd-default-config.yml" %}
{% include "securedrop_salt/sd-default-config.yml" %}
{% endload %}

# Load JSON config file
{% import_json "sd/config.json" as d %}
{% import_json "securedrop_salt/config.json" as d %}

# Respect "dev" env if provided, default to "prod"
{% if d.environment == "dev" %}
2 changes: 1 addition & 1 deletion securedrop_salt/sd-devices-files.sls
Expand Up @@ -26,4 +26,4 @@ sd-devices-install-package:
pkg.installed:
- name: securedrop-export
- require:
- sls: fpf-apt-repo
- sls: securedrop_salt.fpf-apt-repo
2 changes: 1 addition & 1 deletion securedrop_salt/sd-devices.sls
Expand Up @@ -7,7 +7,7 @@
##

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}
{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}

include:
- securedrop_salt.sd-workstation-template
25 changes: 2 additions & 23 deletions securedrop_salt/sd-dom0-files.sls
Expand Up @@ -7,7 +7,7 @@
##

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}
{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}

dom0-rpm-test-key:
file.managed:
Expand Down Expand Up @@ -55,16 +55,6 @@ dom0-install-debian-minimal-template:
{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}

<<<<<<< HEAD
=======
# Increase the default icon size for the GUI user for usability/accessibility reasons
dom0-adjust-desktop-icon-size-xfce:
cmd.script:
- name: salt://securedrop_salt/update-xfce-settings
- args: adjust-icon-size
- runas: {{ gui_user }}

>>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.)
dom0-login-autostart-directory:
file.directory:
- name: /home/{{ gui_user }}/.config/autostart
Expand Down Expand Up @@ -96,7 +86,7 @@ dom0-securedrop-launcher-desktop-shortcut:
- group: {{ gui_user }}
- mode: 755

{% import_json "sd/config.json" as d %}
{% import_json "securedrop_salt/config.json" as d %}
{% if d.environment != "dev" %}
# In the dev environment, we've already installed the rpm from
# local sources, so don't also pull in from the yum-test repo.
Expand All @@ -108,7 +98,6 @@ dom0-install-securedrop-workstation-dom0-config:
- file: dom0-workstation-rpm-repo
{% endif %}

<<<<<<< HEAD
dom0-environment-directory:
file.directory:
- name: /var/lib/securedrop-workstation/
Expand All @@ -128,13 +117,3 @@ dom0-write-environment-flag:
- replace: False
- require:
- file: dom0-remove-old-environment-flag
=======
# Hide suspend/hibernate options in menus in prod systems
{% if d.environment == "prod" or d.environment == "staging" %}
dom0-disable-unsafe-power-management-xfce:
cmd.script:
- name: salt://securedrop_salt/update-xfce-settings
- args: disable-unsafe-power-management
- runas: {{ gui_user }}
{% endif %}
>>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.)
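Review bot: The resolution drops `dom0-disable-unsafe-power-management-xfce` — the state whose removed comment says it hid suspend/hibernate on prod and staging — along with the icon-size state; the spec installs a `securedrop-user-xfce-icon-size.service` user unit, which by name covers only icon size, so unless the power-management hardening has another home in HEAD this commit silently removes it, and that one is the security-relevant half. A one-line note in the commit message (or a follow-up issue) saying where the prod power-management hardening now lives would settle it. While here, `gui_user` comes from `groupmems -l -g qubes` a few lines up and is then interpolated into paths such as `/home/{{ gui_user }}/.config/autostart`; that assumes exactly one member of the `qubes` group and silently yields a bogus path otherwise — a `{% if gui_user.split()|length != 1 %}` guard that fails the render with a clear message would be cheap.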
6 changes: 3 additions & 3 deletions securedrop_salt/sd-gpg.sls
Expand Up @@ -10,7 +10,7 @@
##

# Imports "sdvars" for environment config
{% from 'sd-default-config.sls' import sdvars with context %}
{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}

include:
- securedrop_salt.sd-workstation-template
Expand All @@ -33,5 +33,5 @@ sd-gpg:
- add:
- sd-workstation
- require:
- sls: sd-workstation-template
- sls: sd-upgrade-templates
- sls: securedrop_salt.sd-workstation-template
- sls: securedrop_salt.sd-upgrade-templates