Merge pull request #1088 from freedomofpress/notify-timer-unsalted

Don't enable sdw-notify.timer unit via Salt. Use systemd-rpm-macros and user unit preset file.
freedomofpress · Dec 6, 2024 · 2943c4c · 2943c4c
2 parents a4c6868 + e00a878
commit 2943c4c
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 38 deletions.
diff --git a/files/95-securedrop-systemd-user.preset b/files/95-securedrop-systemd-user.preset
@@ -0,0 +1,6 @@
+# Systemd user unit presets for production SDW configuration.
+# Don't override Qubes systemd settings (75-qubes-dom0-user.preset)
+# or systemd settings (90-systemd.preset).
+enable securedrop-user-xfce-icon-size.service
+enable securedrop-user-xfce-settings.service
+enable sdw-notify.timer
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -83,6 +83,7 @@ install -m 755 -d %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/
 install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/
 install -m 755 -d %{buildroot}/%{_userunitdir}/
 install -m 755 -d %{buildroot}/%{_unitdir}
+install -m 755 -d %{buildroot}/%{_userpresetdir}/
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/securedrop_salt/press.freedom.SecureDropUpdater.desktop
 install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png
@@ -93,6 +94,7 @@ install -m 755 files/sdw-login.py %{buildroot}/%{_bindir}/sdw-login
 install -m 644 files/sdw-notify.service %{buildroot}/%{_userunitdir}/
 install -m 644 files/sdw-notify.timer %{buildroot}/%{_userunitdir}/
 install -m 644 files/securedrop-logind-override-disable.service %{buildroot}/%{_unitdir}/
+install -m 644 files/95-securedrop-systemd-user.preset %{buildroot}/%{_userpresetdir}/
 
 install -m 755 -d %{buildroot}/etc/qubes/policy.d/
 install -m 644 files/31-securedrop-workstation.policy %{buildroot}/etc/qubes/policy.d/
@@ -129,6 +131,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user
 %{_userunitdir}/securedrop-user-xfce-settings.service
 %{_userunitdir}/securedrop-user-xfce-icon-size.service
 %{_unitdir}/securedrop-logind-override-disable.service
+%{_userpresetdir}/95-securedrop-systemd-user.preset
 
 %attr(664, root, root) /etc/qubes/policy.d/31-securedrop-workstation.policy
 %attr(664, root, root) /etc/qubes/policy.d/32-securedrop-workstation.policy
@@ -151,23 +154,27 @@ qubesctl top.enable securedrop_salt.sd-workstation > /dev/null ||:
 # mkdir -p /tmp/sdw-migrations
 # touch /tmp/sdw-migrations/whonix-17-update
 
-# Enables service that conditionally removes our systemd-logind customizations
+# Enable service that conditionally removes our systemd-logind customizations
 # on dev machines only.
 # It's clumsy, but overrides to systemd services can't be conditionally applied.
 # Changes take place after systemd restart.
-systemctl enable securedrop-logind-override-disable.service
+systemctl enable securedrop-logind-override-disable.service ||:
 
-# Customize xfce power settings and icon size. Enabled for all users.
+# Customize xfce power settings and icon size.
 # Power settings changes conditionally disabled in dev environments.
-systemctl --global enable securedrop-user-xfce-icon-size.service ||:
-systemctl --global enable securedrop-user-xfce-settings.service ||:
+%systemd_user_post securedrop-user-xfce-icon-size.service
+%systemd_user_post securedrop-user-xfce-settings.service
+
+# Enable notification timer
+%systemd_user_post sdw-notify.timer
 
 %preun
 # If we're uninstalling (vs upgrading)
 if [ $1 -eq 0 ]; then
-    systemctl disable --now securedrop-logind-override-disable.service
-    systemctl --global disable securedrop-user-xfce-icon-size.service ||:
-    systemctl --global disable securedrop-user-xfce-settings.service ||:
+    %systemd_preun securedrop-logind-override-disable.service
+    %systemd_user_preun securedrop-user-xfce-icon-size.service
+    %systemd_user_preun securedrop-user-xfce-settings.service
+    %systemd_user_preun sdw-notify.timer
 fi
 
 %changelog

diff --git a/securedrop_salt/sd-clean-all.sls b/securedrop_salt/sd-clean-all.sls
@@ -80,15 +80,6 @@ sd-cleanup-whonix-gateway:
       - qvm-run whonix-gateway-17 'sudo apt purge --yes securedrop-keyring securedrop-qubesdb-tools securedrop-whonix-config'
       - qvm-run whonix-gateway-17 'sudo rm -f /etc/apt/sources.list.d/apt-test_freedom_press.sources'
 
-disable-systemd-units:
-  cmd.run:
-    - name: systemctl --user disable sdw-notify.timer
-    - runas: {{ gui_user }}
-    - env:
-      # Even with "runas", "systemctl --user" from root will fail unless we
-      # tell it explicitly how to connect to the user systemd.
-      - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }}
-
 # Reset desktop icon size to its original value
 dom0-reset-icon-size-xfce:
   cmd.script:

diff --git a/securedrop_salt/sd-dom0-systemd.sls b/securedrop_salt/sd-dom0-systemd.sls
diff --git a/securedrop_salt/sd-workstation.top b/securedrop_salt/sd-workstation.top
@@ -5,7 +5,6 @@ base:
   dom0:
     - securedrop_salt.sd-sys-vms
     - securedrop_salt.sd-dom0-files
-    - securedrop_salt.sd-dom0-systemd
     - securedrop_salt.sd-base-template
     - securedrop_salt.sd-workstation-template
     - securedrop_salt.sd-upgrade-templates