Use qvm.anon-whonix to download Whonix templates. Use Salt to power o…

…ff sys-whonix instead of securedrop-handle-upgrade script.
freedomofpress · Jan 2, 2025 · b428544 · b428544
1 parent 2943c4c
commit b428544
Showing 1 changed file with 25 additions and 19 deletions.
diff --git a/securedrop_salt/sd-sys-whonix-vms.sls b/securedrop_salt/sd-sys-whonix-vms.sls
@@ -7,39 +7,45 @@
 ##
 
 include:
-  - securedrop_salt.sd-upgrade-templates
+  - qvm.anon-whonix
 
 {% set sd_supported_whonix_version = '17' %}
 
-whonix-gateway-installed:
-  qvm.template_installed:
-    - name: whonix-gateway-{{ sd_supported_whonix_version }}
-    - fromrepo: qubes-templates-community
-
-whonix-workstation-installed:
-  qvm.template_installed:
-    - name: whonix-workstation-{{ sd_supported_whonix_version }}
-    - fromrepo: qubes-templates-community
-
 dom0-enabled-apparmor-on-whonix-gw-template:
   qvm.vm:
     - name: whonix-gateway-{{ sd_supported_whonix_version }}
     - prefs:
       - kernelopts: "apparmor=1 security=apparmor"
     - require:
-      - sls: securedrop_salt.sd-upgrade-templates
-      - qvm: whonix-gateway-installed
-      - qvm: whonix-workstation-installed
+      - sls: qvm.anon-whonix
 
 dom0-enabled-apparmor-on-whonix-ws-template:
   qvm.vm:
     - name: whonix-workstation-{{ sd_supported_whonix_version }}
     - prefs:
       - kernelopts: "apparmor=1 security=apparmor"
     - require:
-      - sls: securedrop_salt.sd-upgrade-templates
-      - qvm: whonix-gateway-installed
-      - qvm: whonix-workstation-installed
+      - sls: qvm.anon-whonix
+
+sys-whonix-poweroff:
+  # Shut down in order to apply template changes
+  qvm.shutdown:
+    - name: sys-whonix
+      - flags:
+        - force
+        - wait
+    - require:
+      - qvm: dom0-enabled-apparmor-on-whonix-gw-template
+
+anon-whonix-poweroff:
+  # Shut down in order to apply template changes
+  qvm.shutdown:
+    - name: anon-whonix
+      - flags:
+        - force
+        - wait
+    - require:
+      - qvm: dom0-enabled-apparmor-on-whonix-ws-template
 
 # The Qubes logic is too polite about enforcing template
 # settings, using "present" rather than "prefs". Below
@@ -50,12 +56,12 @@ sys-whonix-template-config:
     - prefs:
       - template: whonix-gateway-{{ sd_supported_whonix_version }}
     - require:
-      - qvm: dom0-enabled-apparmor-on-whonix-gw-template
+      - qvm: sys-whonix-poweroff
 
 anon-whonix-template-config:
   qvm.vm:
     - name: anon-whonix
     - prefs:
       - template: whonix-workstation-{{ sd_supported_whonix_version }}
     - require:
-      - qvm: dom0-enabled-apparmor-on-whonix-ws-template
+      - qvm: anon-whonix-poweroff