diff --git a/files/95-securedrop-systemd-user.preset b/files/95-securedrop-systemd-user.preset new file mode 100644 index 00000000..6e2461be --- /dev/null +++ b/files/95-securedrop-systemd-user.preset @@ -0,0 +1,6 @@ +# Systemd user unit presets for production SDW configuration. +# Don't override Qubes systemd settings (75-qubes-dom0-user.preset) +# or systemd settings (90-systemd.preset). +enable securedrop-user-xfce-icon-size.service +enable securedrop-user-xfce-settings.service +enable sdw-notify.timer \ No newline at end of file diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 51fc23e7..14bdaef6 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -83,6 +83,7 @@ install -m 755 -d %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/ install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/ install -m 755 -d %{buildroot}/%{_userunitdir}/ install -m 755 -d %{buildroot}/%{_unitdir} +install -m 755 -d %{buildroot}/%{_userpresetdir}/ install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/ install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/securedrop_salt/press.freedom.SecureDropUpdater.desktop install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png 
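Review bot: The header comment of `95-securedrop-systemd-user.preset` names the presets it must not override but does not state the rule that makes `95-` the right prefix. systemd uses the first matching directive across preset files in lexical order, so this file has to sort after `75-qubes-dom0-user.preset` and `90-systemd.preset`, and before any catch-all `disable *` preset the distribution ships. I would add a line such as `# First match wins in lexical order: keep this after 90-* and before any catch-all "disable *" preset.` The file also ends without a trailing newline (`\ No newline at end of file`); adding one stops a later append from being joined onto the `enable sdw-notify.timer` entry.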
@@ -93,6 +94,7 @@ install -m 755 files/sdw-login.py %{buildroot}/%{_bindir}/sdw-login install -m 644 files/sdw-notify.service %{buildroot}/%{_userunitdir}/ install -m 644 files/sdw-notify.timer %{buildroot}/%{_userunitdir}/ install -m 644 files/securedrop-logind-override-disable.service %{buildroot}/%{_unitdir}/ +install -m 644 files/95-securedrop-systemd-user.preset %{buildroot}/%{_userpresetdir}/ install -m 755 -d %{buildroot}/etc/qubes/policy.d/ install -m 644 files/31-securedrop-workstation.policy %{buildroot}/etc/qubes/policy.d/ @@ -129,6 +131,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user %{_userunitdir}/securedrop-user-xfce-settings.service %{_userunitdir}/securedrop-user-xfce-icon-size.service %{_unitdir}/securedrop-logind-override-disable.service +%{_userpresetdir}/95-securedrop-systemd-user.preset %attr(664, root, root) /etc/qubes/policy.d/31-securedrop-workstation.policy %attr(664, root, root) /etc/qubes/policy.d/32-securedrop-workstation.policy 
@@ -151,23 +154,27 @@ qubesctl top.enable securedrop_salt.sd-workstation > /dev/null ||: # mkdir -p /tmp/sdw-migrations # touch /tmp/sdw-migrations/whonix-17-update -# Enables service that conditionally removes our systemd-logind customizations +# Enable service that conditionally removes our systemd-logind customizations # on dev machines only. # It's clumsy, but overrides to systemd services can't be conditionally applied. # Changes take place after systemd restart. -systemctl enable securedrop-logind-override-disable.service +systemctl enable securedrop-logind-override-disable.service ||: -# Customize xfce power settings and icon size. Enabled for all users. +# Customize xfce power settings and icon size. # Power settings changes conditionally disabled in dev environments. -systemctl --global enable securedrop-user-xfce-icon-size.service ||: -systemctl --global enable securedrop-user-xfce-settings.service ||: +%systemd_user_post securedrop-user-xfce-icon-size.service +%systemd_user_post securedrop-user-xfce-settings.service + +# Enable notification timer +%systemd_user_post sdw-notify.timer %preun # If we're uninstalling (vs upgrading) if [ $1 -eq 0 ]; then - systemctl disable --now securedrop-logind-override-disable.service - systemctl --global disable securedrop-user-xfce-icon-size.service ||: - systemctl --global disable securedrop-user-xfce-settings.service ||: + %systemd_preun securedrop-logind-override-disable.service + %systemd_user_preun securedrop-user-xfce-icon-size.service + %systemd_user_preun securedrop-user-xfce-settings.service + %systemd_user_preun sdw-notify.timer fi %changelog diff --git a/securedrop_salt/sd-clean-all.sls b/securedrop_salt/sd-clean-all.sls index 350aaa95..e9412f37 100644 --- a/securedrop_salt/sd-clean-all.sls +++ b/securedrop_salt/sd-clean-all.sls 
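Review bot: In `%post`, `%systemd_user_post sdw-notify.timer` applies the preset only on a first install, as far as I know the macro (it guards on `$1 -eq 1`; worth confirming against the dom0 macro file). A workstation upgrading to this package would then never get the global enablement and would keep relying on the per-user symlink created by the removed `sd-dom0-systemd.sls` state. That per-user symlink is also no longer cleaned up, because the `sd-clean-all.sls` hunk drops `systemctl --user disable sdw-notify.timer` and `%systemd_user_preun` appears to act only on the global scope. If the notification timer is meant to be active on every workstation, consider an upgrade branch such as `if [ $1 -gt 1 ]; then systemctl --no-reload preset --global sdw-notify.timer ||: ; fi`, and keep the per-user disable in the clean-up state for one release. Separately, the `if [ $1 -eq 0 ]` wrapper in `%preun` looks redundant around the `%systemd_preun` / `%systemd_user_preun` macros, which carry their own removal check; either drop it or add a comment saying it is deliberate.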
@@ -80,15 +80,6 @@ sd-cleanup-whonix-gateway: - qvm-run whonix-gateway-17 'sudo apt purge --yes securedrop-keyring securedrop-qubesdb-tools securedrop-whonix-config' - qvm-run whonix-gateway-17 'sudo rm -f /etc/apt/sources.list.d/apt-test_freedom_press.sources' -disable-systemd-units: - cmd.run: - - name: systemctl --user disable sdw-notify.timer - - runas: {{ gui_user }} - - env: - # Even with "runas", "systemctl --user" from root will fail unless we - # tell it explicitly how to connect to the user systemd. - - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }} - # Reset desktop icon size to its original value dom0-reset-icon-size-xfce: cmd.script: diff --git a/securedrop_salt/sd-dom0-systemd.sls b/securedrop_salt/sd-dom0-systemd.sls deleted file mode 100644 index 9436f233..00000000 --- a/securedrop_salt/sd-dom0-systemd.sls +++ /dev/null @@ -1,20 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : -## -# Updates to systemd configuration in dom0 -## - -# Identify the GUI user by group membership -{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %} -{% set gui_user_id = salt['cmd.shell']('id -u ' + gui_user) %} - -enable-user-units: - cmd.run: - - name: | - systemctl --user daemon-reload - systemctl --user enable sdw-notify.timer - - runas: {{ gui_user }} - - env: - # Even with "runas", "systemctl --user" from root will fail unless we - # tell it explicitly how to connect to the user systemd. - - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }} diff --git a/securedrop_salt/sd-workstation.top b/securedrop_salt/sd-workstation.top index 10f4d689..c90fea12 100644 --- a/securedrop_salt/sd-workstation.top +++ b/securedrop_salt/sd-workstation.top @@ -5,7 +5,6 @@ base: dom0: - securedrop_salt.sd-sys-vms - securedrop_salt.sd-dom0-files - - securedrop_salt.sd-dom0-systemd - securedrop_salt.sd-base-template - securedrop_salt.sd-workstation-template - securedrop_salt.sd-upgrade-templates