From d75e470861a7ca059587b98c71591c91265cced1 Mon Sep 17 00:00:00 2001 
From: Ro Date: Fri, 24 May 2024 13:01:06 -0400 Subject: [PATCH 1/6] Rename dom0 directory to securedrop_salt --- MANIFEST.in | 15 ++++++++------- files/sdw-notify.py | 2 +- pyproject.toml | 4 ++-- .../securedrop-workstation-dom0-config.spec | 16 ++++++++-------- .../dom0-xfce-desktop-file.j2 | 0 {dom0 => securedrop_salt}/fpf-apt-repo.sls | 2 +- {dom0 => securedrop_salt}/remove-tags.py | 0 {dom0 => securedrop_salt}/sd-app-files.sls | 4 ++-- {dom0 => securedrop_salt}/sd-app.sls | 4 ++-- .../sd-base-template-files.sls | 2 +- {dom0 => securedrop_salt}/sd-base-template.sls | 2 +- {dom0 => securedrop_salt}/sd-clean-all.sls | 2 +- .../sd-clean-default-dispvm.sls | 0 {dom0 => securedrop_salt}/sd-default-config.sls | 0 {dom0 => securedrop_salt}/sd-default-config.yml | 0 {dom0 => securedrop_salt}/sd-devices-files.sls | 4 ++-- {dom0 => securedrop_salt}/sd-devices.sls | 4 ++-- {dom0 => securedrop_salt}/sd-dom0-files.sls | 0 {dom0 => securedrop_salt}/sd-dom0-systemd.sls | 0 {dom0 => securedrop_salt}/sd-gpg-files.sls | 0 {dom0 => securedrop_salt}/sd-gpg.sls | 4 ++-- {dom0 => securedrop_salt}/sd-log.sls | 4 ++-- {dom0 => securedrop_salt}/sd-logging-setup.sls | 0 {dom0 => securedrop_salt}/sd-mime-handling.sls | 0 .../sd-proxy-template-files.sls | 4 ++-- {dom0 => securedrop_salt}/sd-proxy.sls | 4 ++-- .../sd-remove-unused-templates.sls | 0 {dom0 => securedrop_salt}/sd-sys-vms.sls | 0 {dom0 => securedrop_salt}/sd-sys-whonix-vms.sls | 2 +- .../sd-upgrade-templates.sls | 0 .../sd-usb-autoattach-add.sls | 0 .../sd-usb-autoattach-remove.sls | 0 {dom0 => securedrop_salt}/sd-viewer-files.sls | 4 ++-- {dom0 => securedrop_salt}/sd-viewer.sls | 4 ++-- .../sd-whonix-hidserv-key.sls | 0 {dom0 => securedrop_salt}/sd-whonix.sls | 4 ++-- .../sd-workstation-template-files.sls | 2 +- .../sd-workstation-template.sls | 2 +- {dom0 => securedrop_salt}/sd-workstation.top | 0 {dom0 => securedrop_salt}/sdlog.conf | 0 .../securedrop-handle-upgrade | 0 41 files changed, 48 insertions(+), 47 deletions(-) 
rename {dom0 => securedrop_salt}/dom0-xfce-desktop-file.j2 (100%) rename {dom0 => securedrop_salt}/fpf-apt-repo.sls (98%) rename {dom0 => securedrop_salt}/remove-tags.py (100%) rename {dom0 => securedrop_salt}/sd-app-files.sls (86%) rename {dom0 => securedrop_salt}/sd-app.sls (95%) rename {dom0 => securedrop_salt}/sd-base-template-files.sls (95%) rename {dom0 => securedrop_salt}/sd-base-template.sls (94%) rename {dom0 => securedrop_salt}/sd-clean-all.sls (98%) rename {dom0 => securedrop_salt}/sd-clean-default-dispvm.sls (100%) rename {dom0 => securedrop_salt}/sd-default-config.sls (100%) rename {dom0 => securedrop_salt}/sd-default-config.yml (100%) rename {dom0 => securedrop_salt}/sd-devices-files.sls (89%) rename {dom0 => securedrop_salt}/sd-devices.sls (94%) rename {dom0 => securedrop_salt}/sd-dom0-files.sls (100%) rename {dom0 => securedrop_salt}/sd-dom0-systemd.sls (100%) rename {dom0 => securedrop_salt}/sd-gpg-files.sls (100%) rename {dom0 => securedrop_salt}/sd-gpg.sls (90%) rename {dom0 => securedrop_salt}/sd-log.sls (92%) rename {dom0 => securedrop_salt}/sd-logging-setup.sls (100%) rename {dom0 => securedrop_salt}/sd-mime-handling.sls (100%) rename {dom0 => securedrop_salt}/sd-proxy-template-files.sls (77%) rename {dom0 => securedrop_salt}/sd-proxy.sls (92%) rename {dom0 => securedrop_salt}/sd-remove-unused-templates.sls (100%) rename {dom0 => securedrop_salt}/sd-sys-vms.sls (100%) rename {dom0 => securedrop_salt}/sd-sys-whonix-vms.sls (97%) rename {dom0 => securedrop_salt}/sd-upgrade-templates.sls (100%) rename {dom0 => securedrop_salt}/sd-usb-autoattach-add.sls (100%) rename {dom0 => securedrop_salt}/sd-usb-autoattach-remove.sls (100%) rename {dom0 => securedrop_salt}/sd-viewer-files.sls (88%) rename {dom0 => securedrop_salt}/sd-viewer.sls (92%) rename {dom0 => securedrop_salt}/sd-whonix-hidserv-key.sls (100%) rename {dom0 => securedrop_salt}/sd-whonix.sls (93%) rename {dom0 => securedrop_salt}/sd-workstation-template-files.sls (94%) rename {dom0 => 
securedrop_salt}/sd-workstation-template.sls (97%) rename {dom0 => securedrop_salt}/sd-workstation.top (100%) rename {dom0 => securedrop_salt}/sdlog.conf (100%) rename {dom0 => securedrop_salt}/securedrop-handle-upgrade (100%) diff --git a/MANIFEST.in b/MANIFEST.in index a0ef0da2..3eb9070a 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,10 +1,11 @@ -include dom0/*.sls -include dom0/*.top -include dom0/*.j2 -include dom0/*.yml -include dom0/*.conf -include dom0/remove-tags.py -include dom0/securedrop-handle-upgrade +include securedrop_salt/*.sls +include securedrop_salt/*.top +include securedrop_salt/*.j2 +include securedrop_salt/*.yml +include securedrop_salt/*.conf +include securedrop_salt/remove-tags.py +include securedrop_salt/securedrop-handle-upgrade +include securedrop_salt/update-xfce-settings include README.md include LICENSE include VERSION diff --git a/files/sdw-notify.py b/files/sdw-notify.py index 05b89a85..d0807a2c 100755 --- a/files/sdw-notify.py +++ b/files/sdw-notify.py @@ -70,7 +70,7 @@ def show_update_warning(): elif result == NotifyApp.NotifyStatus.DEFER_UPDATES: # Currently, `DEFER_UPDATES` is a no-op, because the deferral period is # simply the period before the next run of the notify script (defined in - # `securedrop-workstation/dom0/sd-dom0-crontab.sls`). + # `securedrop-workstation/securedrop_salt/sd-dom0-crontab.sls`). log.info( "User has deferred update check. sdw-notify will run " "again at the next scheduled interval." diff --git a/pyproject.toml b/pyproject.toml index 40a98b96..fe88bf84 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -99,8 +99,8 @@ ignore_missing_imports = true scripts_are_modules = true files = [ "*.py", - "dom0/remove-tags.py", - "dom0/securedrop-login", + "securedrop_salt/remove-tags.py", + "securedrop_salt/securedrop-login", "scripts/*.py", "files/*.py", ] 
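Review bot: The added `include securedrop_salt/update-xfce-settings` names a file that this commit's rename list does not move into `securedrop_salt/`, so unless it already exists there the sdist will not contain it. The spec hunk in this commit has the matching problem and also changes behaviour in a commit described as a rename: `install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/` becomes `install -m 755 securedrop_salt/update-xfce-settings %{buildroot}/srv/salt/`, which changes both the source and the install destination. I would keep the old line in both places until the file is actually moved, or move it in this commit and explain the new destination in the message.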
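Review bot: `"securedrop_salt/securedrop-login"` in the mypy `files` list does not correspond to any file renamed by this commit, since no `dom0/securedrop-login` appears in the rename list, so the entry looks stale rather than moved. If the script no longer exists, drop the line instead of carrying it over to the new directory; otherwise the type check is presumably being pointed at a path that is not there.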
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 8e23e181..29dcc27e 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -70,14 +70,14 @@ install -m 755 -d %{buildroot}/%{_datadir}/%{name}/scripts install -m 755 -d %{buildroot}/%{_bindir} install -m 755 -d %{buildroot}/opt/securedrop install -m 755 -d %{buildroot}/usr/bin/securedrop -install -m 644 dom0/*.sls %{buildroot}/srv/salt/ -install -m 644 dom0/*.top %{buildroot}/srv/salt/ -install -m 644 dom0/*.j2 %{buildroot}/srv/salt/ -install -m 644 dom0/*.yml %{buildroot}/srv/salt/ -install -m 644 dom0/*.conf %{buildroot}/srv/salt/ -install -m 755 dom0/remove-tags.py %{buildroot}/srv/salt/remove-tags -install -m 755 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/ -install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/ +install -m 644 securedrop_salt/*.sls %{buildroot}/srv/salt/ +install -m 644 securedrop_salt/*.top %{buildroot}/srv/salt/ +install -m 644 securedrop_salt/*.j2 %{buildroot}/srv/salt/ +install -m 644 securedrop_salt/*.yml %{buildroot}/srv/salt/ +install -m 644 securedrop_salt/*.conf %{buildroot}/srv/salt/ +install -m 755 securedrop_salt/remove-tags.py %{buildroot}/srv/salt/remove-tags +install -m 755 securedrop_salt/securedrop-handle-upgrade %{buildroot}/srv/salt/ +install -m 755 securedrop_salt/update-xfce-settings %{buildroot}/srv/salt/ install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/ install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/ install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/ diff --git a/dom0/dom0-xfce-desktop-file.j2 b/securedrop_salt/dom0-xfce-desktop-file.j2 similarity index 100% rename from dom0/dom0-xfce-desktop-file.j2 rename to securedrop_salt/dom0-xfce-desktop-file.j2 
diff --git a/dom0/fpf-apt-repo.sls b/securedrop_salt/fpf-apt-repo.sls similarity index 98% rename from dom0/fpf-apt-repo.sls rename to securedrop_salt/fpf-apt-repo.sls index e03afe35..eccf4289 100644 --- a/dom0/fpf-apt-repo.sls +++ b/securedrop_salt/fpf-apt-repo.sls @@ -11,7 +11,7 @@ # the subsequent tasks will fail. For reference # include: # - update.qubes-vm -# - sd-default-config +# - securedrop_salt.sd-default-config # Imports "sdvars" for environment config {% from 'sd-default-config.sls' import sdvars with context %} diff --git a/dom0/remove-tags.py b/securedrop_salt/remove-tags.py similarity index 100% rename from dom0/remove-tags.py rename to securedrop_salt/remove-tags.py diff --git a/dom0/sd-app-files.sls b/securedrop_salt/sd-app-files.sls similarity index 86% rename from dom0/sd-app-files.sls rename to securedrop_salt/sd-app-files.sls index e9bb8ea2..6a992654 100644 --- a/dom0/sd-app-files.sls +++ b/securedrop_salt/sd-app-files.sls @@ -9,8 +9,8 @@ # ## include: - - fpf-apt-repo - - sd-logging-setup + - securedrop_salt.fpf-apt-repo + - securedrop_salt.sd-logging-setup # FPF repo is setup in "securedrop-workstation-$sdvars.distribution" template, # and then cloned as "sd-small-$sdvars.distribution-template" diff --git a/dom0/sd-app.sls b/securedrop_salt/sd-app.sls similarity index 95% rename from dom0/sd-app.sls rename to securedrop_salt/sd-app.sls index 151533ce..bba439f5 100644 --- a/dom0/sd-app.sls +++ b/securedrop_salt/sd-app.sls @@ -10,8 +10,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-workstation-template - - sd-upgrade-templates + - securedrop_salt.sd-workstation-template + - securedrop_salt.sd-upgrade-templates sd-app: qvm.vm: diff --git a/dom0/sd-base-template-files.sls b/securedrop_salt/sd-base-template-files.sls similarity index 95% rename from dom0/sd-base-template-files.sls rename to securedrop_salt/sd-base-template-files.sls index e57cf4d0..adfce845 100644 --- a/dom0/sd-base-template-files.sls 
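Review bot: The `include:` entries in `sd-app.sls` now use the `securedrop_salt.` namespace, but the Jinja import directly above them still reads `{% from 'sd-default-config.sls' import sdvars with context %}`, and the spec hunk in this commit still installs the state files flat into `%{buildroot}/srv/salt/`. As committed, `securedrop_salt.sd-workstation-template` would be looked up under a `securedrop_salt/` directory that the package does not create, so this revision on its own likely fails to render; the same applies to every other `include:` hunk in this patch. The subject of a later patch in the series suggests the imports and the spec are fixed there, so consider squashing those changes into this commit to keep each revision installable and bisectable.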
+++ b/securedrop_salt/sd-base-template-files.sls @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : include: - - fpf-apt-repo + - securedrop_salt.fpf-apt-repo # install recommended Qubes VM packages for core functionality install-qubes-vm-recommended: diff --git a/dom0/sd-base-template.sls b/securedrop_salt/sd-base-template.sls similarity index 94% rename from dom0/sd-base-template.sls rename to securedrop_salt/sd-base-template.sls index 273157d8..ab88f36a 100644 --- a/dom0/sd-base-template.sls +++ b/securedrop_salt/sd-base-template.sls @@ -5,7 +5,7 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-dom0-files + - securedrop_salt.sd-dom0-files # Clones a base templateVM from debian-12-minimal sd-base-template: diff --git a/dom0/sd-clean-all.sls b/securedrop_salt/sd-clean-all.sls similarity index 98% rename from dom0/sd-clean-all.sls rename to securedrop_salt/sd-clean-all.sls index e034f8d8..a8a7d29b 100644 --- a/dom0/sd-clean-all.sls +++ b/securedrop_salt/sd-clean-all.sls @@ -45,7 +45,7 @@ remove-sd-fedora-dispvm: {% else %} # If sys-usb is not disposable, clean up after ourselves include: - - sd-usb-autoattach-remove + - securedrop_salt.sd-usb-autoattach-remove {% endif %} # Removes all salt-provisioned files (if these files are also provisioned via diff --git a/dom0/sd-clean-default-dispvm.sls b/securedrop_salt/sd-clean-default-dispvm.sls similarity index 100% rename from dom0/sd-clean-default-dispvm.sls rename to securedrop_salt/sd-clean-default-dispvm.sls diff --git a/dom0/sd-default-config.sls b/securedrop_salt/sd-default-config.sls similarity index 100% rename from dom0/sd-default-config.sls rename to securedrop_salt/sd-default-config.sls diff --git a/dom0/sd-default-config.yml b/securedrop_salt/sd-default-config.yml similarity index 100% rename from dom0/sd-default-config.yml rename to securedrop_salt/sd-default-config.yml 
diff --git a/dom0/sd-devices-files.sls b/securedrop_salt/sd-devices-files.sls similarity index 89% rename from dom0/sd-devices-files.sls rename to securedrop_salt/sd-devices-files.sls index 5f154dca..6f0e7673 100644 --- a/dom0/sd-devices-files.sls +++ b/securedrop_salt/sd-devices-files.sls @@ -9,8 +9,8 @@ # ## include: - - fpf-apt-repo - - sd-logging-setup + - securedrop_salt.fpf-apt-repo + - securedrop_salt.sd-logging-setup # Libreoffice needs to be installed here to convert to pdf to allow printing sd-devices-install-libreoffice: diff --git a/dom0/sd-devices.sls b/securedrop_salt/sd-devices.sls similarity index 94% rename from dom0/sd-devices.sls rename to securedrop_salt/sd-devices.sls index f5d78611..2a295166 100644 --- a/dom0/sd-devices.sls +++ b/securedrop_salt/sd-devices.sls @@ -10,8 +10,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-workstation-template - - sd-upgrade-templates + - securedrop_salt.sd-workstation-template + - securedrop_salt.sd-upgrade-templates sd-devices-dvm: qvm.vm: diff --git a/dom0/sd-dom0-files.sls b/securedrop_salt/sd-dom0-files.sls similarity index 100% rename from dom0/sd-dom0-files.sls rename to securedrop_salt/sd-dom0-files.sls diff --git a/dom0/sd-dom0-systemd.sls b/securedrop_salt/sd-dom0-systemd.sls similarity index 100% rename from dom0/sd-dom0-systemd.sls rename to securedrop_salt/sd-dom0-systemd.sls diff --git a/dom0/sd-gpg-files.sls b/securedrop_salt/sd-gpg-files.sls similarity index 100% rename from dom0/sd-gpg-files.sls rename to securedrop_salt/sd-gpg-files.sls diff --git a/dom0/sd-gpg.sls b/securedrop_salt/sd-gpg.sls similarity index 90% rename from dom0/sd-gpg.sls rename to securedrop_salt/sd-gpg.sls index 0e66a896..b2afa241 100644 --- a/dom0/sd-gpg.sls +++ b/securedrop_salt/sd-gpg.sls 
@@ -13,8 +13,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-workstation-template - - sd-upgrade-templates + - securedrop_salt.sd-workstation-template + - securedrop_salt.sd-upgrade-templates sd-gpg: qvm.vm: diff --git a/dom0/sd-log.sls b/securedrop_salt/sd-log.sls similarity index 92% rename from dom0/sd-log.sls rename to securedrop_salt/sd-log.sls index d305c8b7..1eb21b84 100644 --- a/dom0/sd-log.sls +++ b/securedrop_salt/sd-log.sls @@ -11,8 +11,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-workstation-template - - sd-upgrade-templates + - securedrop_salt.sd-workstation-template + - securedrop_salt.sd-upgrade-templates sd-log: qvm.vm: diff --git a/dom0/sd-logging-setup.sls b/securedrop_salt/sd-logging-setup.sls similarity index 100% rename from dom0/sd-logging-setup.sls rename to securedrop_salt/sd-logging-setup.sls diff --git a/dom0/sd-mime-handling.sls b/securedrop_salt/sd-mime-handling.sls similarity index 100% rename from dom0/sd-mime-handling.sls rename to securedrop_salt/sd-mime-handling.sls diff --git a/dom0/sd-proxy-template-files.sls b/securedrop_salt/sd-proxy-template-files.sls similarity index 77% rename from dom0/sd-proxy-template-files.sls rename to securedrop_salt/sd-proxy-template-files.sls index 1531c676..19b7e38d 100644 --- a/dom0/sd-proxy-template-files.sls +++ b/securedrop_salt/sd-proxy-template-files.sls @@ -1,8 +1,8 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : include: - - fpf-apt-repo - - sd-logging-setup + - securedrop_salt.fpf-apt-repo + - securedrop_salt.sd-logging-setup # Depends on FPF-controlled apt repo install-securedrop-proxy-package: diff --git a/dom0/sd-proxy.sls b/securedrop_salt/sd-proxy.sls similarity index 92% rename from dom0/sd-proxy.sls rename to securedrop_salt/sd-proxy.sls index 535a9dba..54ed517f 100644 --- a/dom0/sd-proxy.sls +++ b/securedrop_salt/sd-proxy.sls 
@@ -10,8 +10,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-whonix - - sd-upgrade-templates + - securedrop_salt.sd-whonix + - securedrop_salt.sd-upgrade-templates sd-proxy: qvm.vm: diff --git a/dom0/sd-remove-unused-templates.sls b/securedrop_salt/sd-remove-unused-templates.sls similarity index 100% rename from dom0/sd-remove-unused-templates.sls rename to securedrop_salt/sd-remove-unused-templates.sls diff --git a/dom0/sd-sys-vms.sls b/securedrop_salt/sd-sys-vms.sls similarity index 100% rename from dom0/sd-sys-vms.sls rename to securedrop_salt/sd-sys-vms.sls diff --git a/dom0/sd-sys-whonix-vms.sls b/securedrop_salt/sd-sys-whonix-vms.sls similarity index 97% rename from dom0/sd-sys-whonix-vms.sls rename to securedrop_salt/sd-sys-whonix-vms.sls index fcd3325a..e85c940d 100644 --- a/dom0/sd-sys-whonix-vms.sls +++ b/securedrop_salt/sd-sys-whonix-vms.sls @@ -7,7 +7,7 @@ ## include: - - sd-upgrade-templates + - securedrop_salt.sd-upgrade-templates {% set sd_supported_whonix_version = '17' %} diff --git a/dom0/sd-upgrade-templates.sls b/securedrop_salt/sd-upgrade-templates.sls similarity index 100% rename from dom0/sd-upgrade-templates.sls rename to securedrop_salt/sd-upgrade-templates.sls diff --git a/dom0/sd-usb-autoattach-add.sls b/securedrop_salt/sd-usb-autoattach-add.sls similarity index 100% rename from dom0/sd-usb-autoattach-add.sls rename to securedrop_salt/sd-usb-autoattach-add.sls diff --git a/dom0/sd-usb-autoattach-remove.sls b/securedrop_salt/sd-usb-autoattach-remove.sls similarity index 100% rename from dom0/sd-usb-autoattach-remove.sls rename to securedrop_salt/sd-usb-autoattach-remove.sls diff --git a/dom0/sd-viewer-files.sls b/securedrop_salt/sd-viewer-files.sls similarity index 88% rename from dom0/sd-viewer-files.sls rename to securedrop_salt/sd-viewer-files.sls index a944b76a..2c58724a 100644 --- a/dom0/sd-viewer-files.sls +++ b/securedrop_salt/sd-viewer-files.sls 
@@ -11,8 +11,8 @@ ## include: - - fpf-apt-repo - - sd-logging-setup + - securedrop_salt.fpf-apt-repo + - securedrop_salt.sd-logging-setup sd-viewer-install-metapackage: pkg.installed: diff --git a/dom0/sd-viewer.sls b/securedrop_salt/sd-viewer.sls similarity index 92% rename from dom0/sd-viewer.sls rename to securedrop_salt/sd-viewer.sls index d28e157d..2d7a8655 100644 --- a/dom0/sd-viewer.sls +++ b/securedrop_salt/sd-viewer.sls @@ -15,8 +15,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-workstation-template - - sd-upgrade-templates + - securedrop_salt.sd-workstation-template + - securedrop_salt.sd-upgrade-templates sd-viewer: qvm.vm: diff --git a/dom0/sd-whonix-hidserv-key.sls b/securedrop_salt/sd-whonix-hidserv-key.sls similarity index 100% rename from dom0/sd-whonix-hidserv-key.sls rename to securedrop_salt/sd-whonix-hidserv-key.sls diff --git a/dom0/sd-whonix.sls b/securedrop_salt/sd-whonix.sls similarity index 93% rename from dom0/sd-whonix.sls rename to securedrop_salt/sd-whonix.sls index 936b7826..d65164b8 100644 --- a/dom0/sd-whonix.sls +++ b/securedrop_salt/sd-whonix.sls @@ -15,8 +15,8 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-upgrade-templates - - sd-sys-whonix-vms + - securedrop_salt.sd-upgrade-templates + - securedrop_salt.sd-sys-whonix-vms sd-whonix: qvm.vm: diff --git a/dom0/sd-workstation-template-files.sls b/securedrop_salt/sd-workstation-template-files.sls similarity index 94% rename from dom0/sd-workstation-template-files.sls rename to securedrop_salt/sd-workstation-template-files.sls index b59e5420..3512f4dd 100644 --- a/dom0/sd-workstation-template-files.sls +++ b/securedrop_salt/sd-workstation-template-files.sls @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : include: - - fpf-apt-repo + - securedrop_salt.fpf-apt-repo sd-workstation-template-install-kernel-config-packages: pkg.installed: 
diff --git a/dom0/sd-workstation-template.sls b/securedrop_salt/sd-workstation-template.sls similarity index 97% rename from dom0/sd-workstation-template.sls rename to securedrop_salt/sd-workstation-template.sls index 49b652be..0d39615a 100644 --- a/dom0/sd-workstation-template.sls +++ b/securedrop_salt/sd-workstation-template.sls @@ -5,7 +5,7 @@ {% from 'sd-default-config.sls' import sdvars with context %} include: - - sd-base-template + - securedrop_salt.sd-base-template # Installs consolidated templateVMs: # Sets virt_mode and kernel to use custom hardened kernel. diff --git a/dom0/sd-workstation.top b/securedrop_salt/sd-workstation.top similarity index 100% rename from dom0/sd-workstation.top rename to securedrop_salt/sd-workstation.top diff --git a/dom0/sdlog.conf b/securedrop_salt/sdlog.conf similarity index 100% rename from dom0/sdlog.conf rename to securedrop_salt/sdlog.conf diff --git a/dom0/securedrop-handle-upgrade b/securedrop_salt/securedrop-handle-upgrade similarity index 100% rename from dom0/securedrop-handle-upgrade rename to securedrop_salt/securedrop-handle-upgrade From 3662e51f9ecf7b98f992606e21980838fcb033a9 Mon Sep 17 00:00:00 2001 
From: Ro Date: Fri, 24 May 2024 16:16:37 -0400 Subject: [PATCH 2/6] Move all provisioning-related files salt files into securedrop_salt directory. --- .../app-journalist.yaml | 0 .../apt-test-pubkey.asc | 0 .../apt-test_freedom_press.sources.j2 | 0 .../apt_freedom_press.sources.j2 | 0 securedrop_salt/fpf-apt-repo.sls | 2 +- {sd-proxy => securedrop_salt}/mimeapps.list | 0 securedrop_salt/sd-clean-all.sls | 21 ++++++++++++++- securedrop_salt/sd-dom0-files.sls | 27 ++++++++++++++++--- securedrop_salt/sd-gpg-files.sls | 2 +- securedrop_salt/sd-usb-autoattach-add.sls | 4 +-- securedrop_salt/sd-whonix-hidserv-key.sls | 2 +- ...securedrop-release-signing-pubkey-2021.asc | 0 12 files changed, 49 insertions(+), 9 deletions(-) rename {sd-whonix => securedrop_salt}/app-journalist.yaml (100%) rename {sd-workstation => securedrop_salt}/apt-test-pubkey.asc (100%) rename {sd-workstation => securedrop_salt}/apt-test_freedom_press.sources.j2 (100%) rename {sd-workstation => securedrop_salt}/apt_freedom_press.sources.j2 (100%) rename {sd-proxy => securedrop_salt}/mimeapps.list (100%) rename {sd-workstation => securedrop_salt}/securedrop-release-signing-pubkey-2021.asc (100%) diff --git a/sd-whonix/app-journalist.yaml b/securedrop_salt/app-journalist.yaml similarity index 100% rename from sd-whonix/app-journalist.yaml rename to securedrop_salt/app-journalist.yaml diff --git a/sd-workstation/apt-test-pubkey.asc b/securedrop_salt/apt-test-pubkey.asc similarity index 100% rename from sd-workstation/apt-test-pubkey.asc rename to securedrop_salt/apt-test-pubkey.asc diff --git a/sd-workstation/apt-test_freedom_press.sources.j2 b/securedrop_salt/apt-test_freedom_press.sources.j2 similarity index 100% rename from sd-workstation/apt-test_freedom_press.sources.j2 rename to securedrop_salt/apt-test_freedom_press.sources.j2 
diff --git a/sd-workstation/apt_freedom_press.sources.j2 b/securedrop_salt/apt_freedom_press.sources.j2 similarity index 100% rename from sd-workstation/apt_freedom_press.sources.j2 rename to securedrop_salt/apt_freedom_press.sources.j2 diff --git a/securedrop_salt/fpf-apt-repo.sls b/securedrop_salt/fpf-apt-repo.sls index eccf4289..2b0ccd24 100644 --- a/securedrop_salt/fpf-apt-repo.sls +++ b/securedrop_salt/fpf-apt-repo.sls @@ -41,7 +41,7 @@ clean-old-test-sources: configure-fpf-apt-repo: file.managed: - name: "/etc/apt/sources.list.d/{{ sdvars.apt_sources_filename }}" - - source: "salt://sd/sd-workstation/{{ sdvars.apt_sources_filename }}.j2" + - source: "salt://securedrop_salt/{{ sdvars.apt_sources_filename }}.j2" - template: jinja - context: codename: {{ grains['oscodename'] }} diff --git a/sd-proxy/mimeapps.list b/securedrop_salt/mimeapps.list similarity index 100% rename from sd-proxy/mimeapps.list rename to securedrop_salt/mimeapps.list diff --git a/securedrop_salt/sd-clean-all.sls b/securedrop_salt/sd-clean-all.sls index a8a7d29b..35f95e45 100644 --- a/securedrop_salt/sd-clean-all.sls +++ b/securedrop_salt/sd-clean-all.sls 
@@ -48,6 +48,25 @@ include: - securedrop_salt.sd-usb-autoattach-remove {% endif %} +<<<<<<< HEAD +======= +# Reset desktop icon size to its original value +dom0-reset-icon-size-xfce: + cmd.script: + - name: salt://securedrop_salt/update-xfce-settings + - args: reset-icon-size + - runas: {{ gui_user }} + +# Reset power management options to their original values +{% if d.environment == "prod" or d.environment == "staging" %} +dom0-reset-power-management-xfce: + cmd.script: + - name: salt://securedrop_salt/update-xfce-settings + - args: reset-power-management + - runas: {{ gui_user }} +{% endif %} + +>>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.) # Removes all salt-provisioned files (if these files are also provisioned via # RPM, they should be removed as part of remove-dom0-sdw-config-files-dev) remove-dom0-sdw-config-files: @@ -64,7 +83,7 @@ remove-dom0-sdw-config-files: # Remove any custom RPC policy tags added to non-SecureDrop VMs by the user remove-rpc-policy-tags: cmd.script: - - name: salt://remove-tags + - name: salt://securedrop_salt/remove-tags.py sd-cleanup-sys-firewall: cmd.run: diff --git a/securedrop_salt/sd-dom0-files.sls b/securedrop_salt/sd-dom0-files.sls index 24eeeb54..2c9edf54 100644 --- a/securedrop_salt/sd-dom0-files.sls +++ b/securedrop_salt/sd-dom0-files.sls @@ -16,7 +16,7 @@ dom0-rpm-test-key: # we must place the GPG key inside the fedora TemplateVM, then # restart sys-firewall. - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - - source: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}" + - source: "salt://securedrop_salt/{{ sdvars.signing_key_filename }}" - user: root - group: root - mode: 644 
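Review bot: The hunk at -48 commits unresolved merge-conflict markers into `sd-clean-all.sls` (the `HEAD` opening marker, the `=======` separator and the closing marker labelled `df4a406`), and the hunks at -55, -98 and -117 of `sd-dom0-files.sls` do the same. The markers are not valid YAML or Jinja, so these states, which run with root privileges in dom0, would fail to render. The block between the separator and the closing marker also brings in `update-xfce-settings` states that use `{{ gui_user }}` and `d.environment`, neither of which is defined in the visible part of `sd-clean-all.sls`. Resolve the conflict before committing, decide whether the xfce states belong in this change at all, and add a conflict-marker check to the lint step. The next patch's diffstat shows deletions in both files, which may be the cleanup, but this commit should not carry the markers.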
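Review bot: In `remove-rpc-policy-tags`, `salt://securedrop_salt/remove-tags.py` does not match the name the package installs: the spec in the previous patch copies the script with `install -m 755 securedrop_salt/remove-tags.py %{buildroot}/srv/salt/remove-tags`, that is, without the `.py` suffix and outside any `securedrop_salt/` directory. Unless the spec change in the following patch installs it under exactly this name, the `cmd.script` state will not find its source and user-added RPC policy tags would be left in place on uninstall. The `salt://securedrop_salt/99-sd-devices.rules` and `salt://securedrop_salt/sd-attach-export-device` sources changed later in this patch likewise point at files that are only moved in the next patch.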
@@ -55,6 +55,16 @@ dom0-install-debian-minimal-template: {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %} +<<<<<<< HEAD +======= +# Increase the default icon size for the GUI user for usability/accessibility reasons +dom0-adjust-desktop-icon-size-xfce: + cmd.script: + - name: salt://securedrop_salt/update-xfce-settings + - args: adjust-icon-size + - runas: {{ gui_user }} + +>>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.) dom0-login-autostart-directory: file.directory: - name: /home/{{ gui_user }}/.config/autostart @@ -66,7 +76,7 @@ dom0-login-autostart-directory: dom0-login-autostart-desktop-file: file.managed: - name: /home/{{ gui_user }}/.config/autostart/press.freedom.SecureDropUpdater.desktop - - source: "salt://dom0-xfce-desktop-file.j2" + - source: "salt://securedrop_salt/dom0-xfce-desktop-file.j2" - template: jinja - context: desktop_name: SDWLogin @@ -81,7 +91,7 @@ dom0-login-autostart-desktop-file: dom0-securedrop-launcher-desktop-shortcut: file.managed: - name: /home/{{ gui_user }}/Desktop/press.freedom.SecureDropUpdater.desktop - - source: "salt://press.freedom.SecureDropUpdater.desktop" + - source: "salt://securedrop_salt/press.freedom.SecureDropUpdater.desktop" - user: {{ gui_user }} - group: {{ gui_user }} - mode: 755 @@ -98,6 +108,7 @@ dom0-install-securedrop-workstation-dom0-config: - file: dom0-workstation-rpm-repo {% endif %} +<<<<<<< HEAD dom0-environment-directory: file.directory: - name: /var/lib/securedrop-workstation/ 
@@ -117,3 +128,13 @@ dom0-write-environment-flag: - replace: False - require: - file: dom0-remove-old-environment-flag +======= +# Hide suspend/hibernate options in menus in prod systems +{% if d.environment == "prod" or d.environment == "staging" %} +dom0-disable-unsafe-power-management-xfce: + cmd.script: + - name: salt://securedrop_salt/update-xfce-settings + - args: disable-unsafe-power-management + - runas: {{ gui_user }} +{% endif %} +>>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.) diff --git a/securedrop_salt/sd-gpg-files.sls b/securedrop_salt/sd-gpg-files.sls index d108fe4c..8cbedcbb 100644 --- a/securedrop_salt/sd-gpg-files.sls +++ b/securedrop_salt/sd-gpg-files.sls @@ -28,7 +28,7 @@ sd-gpg-create-keyring-directory: sd-gpg-import-submission-key: file.managed: - name: /home/user/.gnupg/sd-journalist.sec - - source: salt://sd/sd-journalist.sec + - source: salt://securedrop_salt/sd-journalist.sec - user: user - group: user - mode: 600 diff --git a/securedrop_salt/sd-usb-autoattach-add.sls b/securedrop_salt/sd-usb-autoattach-add.sls index 4858c9bd..148da1db 100644 --- a/securedrop_salt/sd-usb-autoattach-add.sls +++ b/securedrop_salt/sd-usb-autoattach-add.sls @@ -18,7 +18,7 @@ sd-udev-rules: file.managed: - name: /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules - - source: salt://sd/usb-autoattach/99-sd-devices.rules + - source: salt://securedrop_salt/99-sd-devices.rules - user: root - group: root - mode: 0444 @@ -44,7 +44,7 @@ sd-rc-local-udev-rules: sd-attach-export-device: file.managed: - name: /usr/local/bin/sd-attach-export-device - - source: salt://sd/usb-autoattach/sd-attach-export-device + - source: salt://securedrop_salt/sd-attach-export-device - user: root - group: root - mode: 0555 diff --git a/securedrop_salt/sd-whonix-hidserv-key.sls b/securedrop_salt/sd-whonix-hidserv-key.sls index 06f56db9..8e3f94fc 100644 --- a/securedrop_salt/sd-whonix-hidserv-key.sls 
+++ b/securedrop_salt/sd-whonix-hidserv-key.sls @@ -15,7 +15,7 @@ sd-whonix-hidservv3-directory-path: install-sd-whonix-tor-private-key: file.managed: - name: /var/lib/tor/keys/app-journalist.auth_private - - source: salt://sd/sd-whonix/app-journalist.yaml + - source: salt://securedrop_salt/app-journalist.yaml - template: jinja - context: hostname: {{ hostname_without_onion }} diff --git a/sd-workstation/securedrop-release-signing-pubkey-2021.asc b/securedrop_salt/securedrop-release-signing-pubkey-2021.asc similarity index 100% rename from sd-workstation/securedrop-release-signing-pubkey-2021.asc rename to securedrop_salt/securedrop-release-signing-pubkey-2021.asc From 2a9265ac02f1fee390dea177465bf3814c30e912 Mon Sep 17 00:00:00 2001 
From: Ro Date: Fri, 24 May 2024 17:03:15 -0400 Subject: [PATCH 3/6] Update provisioning scripts to refer to /srv/salt/securedrop_salt. Update rpm specfile. Include all securedrop_salt files in MANIFEST.in. Use securedrop_salt path in Jinja and sls requirement import statements. --- MANIFEST.in | 13 +--- Makefile | 6 +- files/clean-salt | 8 ++- files/provision-all | 4 +- files/sdw-admin.py | 10 +-- files/validate_config.py | 2 +- .../securedrop-workstation-dom0-config.spec | 35 +++------- scripts/prep-dev | 4 +- .../99-sd-devices.rules | 0 securedrop_salt/fpf-apt-repo.sls | 4 +- securedrop_salt/sd-app-files.sls | 2 +- securedrop_salt/sd-app.sls | 4 +- .../sd-attach-export-device | 0 securedrop_salt/sd-base-template-files.sls | 2 +- securedrop_salt/sd-base-template.sls | 2 +- securedrop_salt/sd-clean-all.sls | 21 +----- securedrop_salt/sd-default-config.sls | 4 +- securedrop_salt/sd-devices-files.sls | 2 +- securedrop_salt/sd-devices.sls | 2 +- securedrop_salt/sd-dom0-files.sls | 25 +------- securedrop_salt/sd-gpg.sls | 6 +- securedrop_salt/sd-log.sls | 4 +- securedrop_salt/sd-logging-setup.sls | 4 +- securedrop_salt/sd-proxy-template-files.sls | 2 +- securedrop_salt/sd-proxy.sls | 4 +- .../sd-remove-unused-templates.sls | 30 ++++----- securedrop_salt/sd-sys-whonix-vms.sls | 4 +- securedrop_salt/sd-upgrade-templates.sls | 2 +- securedrop_salt/sd-viewer-files.sls | 2 +- securedrop_salt/sd-viewer.sls | 2 +- securedrop_salt/sd-whonix-hidserv-key.sls | 2 +- securedrop_salt/sd-whonix.sls | 8 +-- .../sd-workstation-template-files.sls | 2 +- securedrop_salt/sd-workstation-template.sls | 6 +- securedrop_salt/sd-workstation.top | 64 +++++++++---------- 35 files changed, 115 insertions(+), 177 deletions(-) rename {usb-autoattach => securedrop_salt}/99-sd-devices.rules (100%) rename {usb-autoattach => securedrop_salt}/sd-attach-export-device (100%) diff --git a/MANIFEST.in b/MANIFEST.in index 3eb9070a..1258cd98 100644 --- a/MANIFEST.in +++ b/MANIFEST.in 
@@ -1,20 +1,9 @@ -include securedrop_salt/*.sls -include securedrop_salt/*.top -include securedrop_salt/*.j2 -include securedrop_salt/*.yml -include securedrop_salt/*.conf -include securedrop_salt/remove-tags.py -include securedrop_salt/securedrop-handle-upgrade -include securedrop_salt/update-xfce-settings +include securedrop_salt/* include README.md include LICENSE include VERSION -include sd-proxy/* -include sd-whonix/* -include sd-workstation/* include sdw_updater/*.py include sdw_notify/*.py include sdw_util/*.py -include usb-autoattach/* include files/* include setup.py diff --git a/Makefile b/Makefile index 0af1a9b5..6d9b115e 100644 --- a/Makefile +++ b/Makefile @@ -60,16 +60,16 @@ clone-norpm: assert-dom0 ## As above, but skip creating RPM @BUILD_RPM=false ./scripts/clone-to-dom0 qubes-rpc: prep-dev ## Places default deny qubes-rpc policies for sd-app and sd-gpg - sudo qubesctl --show-output --targets sd-dom0-qvm-rpc state.highstate + sudo qubesctl --show-output --targets securedrop_salt.sd-dom0-qvm-rpc state.highstate add-usb-autoattach: prep-dom0 ## Adds udev rules and scripts to sys-usb sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb - sudo qubesctl --show-output state.sls sd-usb-autoattach-remove + sudo qubesctl --show-output state.sls securedrop_salt.sd-usb-autoattach-remove sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs - sudo qubesctl --show-output state.sls sd-base-template + sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate sd-proxy: prep-dev ## Provisions SD Proxy VM diff --git a/files/clean-salt b/files/clean-salt index 3e62da67..3ab4b23a 100755 --- a/files/clean-salt +++ b/files/clean-salt 
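Review bot: Replacing the per-extension list with `include securedrop_salt/*` turns an allowlist into a catch-all, so anything that happens to sit in that directory of the build checkout is shipped in the sdist. Other hunks in this series make the same directory name the home of `config.json` and `sd-journalist.sec` on the installed system (`SALT_PATH` in `files/sdw-admin.py`, `salt://securedrop_salt/sd-journalist.sec`); if a development workflow ever places those files in the source-tree directory, they would be packaged. I would keep explicit patterns, or follow the wildcard with `exclude securedrop_salt/config.json` and `exclude securedrop_salt/*.sec`.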
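Review bot: In the `qubes-rpc` target the prefix was applied to the argument of `--targets`, giving `--targets securedrop_salt.sd-dom0-qvm-rpc state.highstate`. Everywhere else on this page `--targets` is given a qube name (`sys-usb`, `sd-base-bookworm-template`), while `securedrop_salt.` is a state namespace, so the new value is unlikely to name anything. The old value already looked like a state name and no `sd-dom0-qvm-rpc.sls` appears among the renamed files, so the target probably needs fixing or removing rather than renaming.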
@@ -7,7 +7,7 @@ set -o pipefail # Hardcoded location of SecureDrop Workstation salt config files -SDW_SALT_DIR="/srv/salt/sd" +SDW_SALT_DIR="/srv/salt/securedrop_salt" SALT_DIR="/srv/salt" echo "Purging Salt config..." @@ -19,9 +19,15 @@ echo "Purging Salt config..." if [[ ! -d "$SDW_SALT_DIR" ]]; then sudo rm -rf ${SDW_SALT_DIR} + + # Can be removed in future sudo rm -rf ${SALT_DIR}/launcher + + # We no longer store salt files directly in /srv/salt, so these next + # 3 checks can be removed at 4.2 cutover sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete + fi diff --git a/files/provision-all b/files/provision-all index ca225858..d6473704 100755 --- a/files/provision-all +++ b/files/provision-all @@ -10,11 +10,11 @@ set -o pipefail max_concurrency="2" echo "Configure Fedora-based system VMs" -sudo qubesctl --show-output state.sls sd-sys-vms +sudo qubesctl --show-output state.sls securedrop_salt.sd-sys-vms echo ".........................................................................." echo "Configure base template" -sudo qubesctl --show-output state.sls sd-base-template +sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate qvm-shutdown --wait sd-base-bookworm-template diff --git a/files/sdw-admin.py b/files/sdw-admin.py index 51d5151e..ce60012c 100755 --- a/files/sdw-admin.py +++ b/files/sdw-admin.py @@ -14,7 +14,7 @@ import qubesadmin SCRIPTS_PATH = "/usr/share/securedrop-workstation-dom0-config/" -SALT_PATH = "/srv/salt/sd/" +SALT_PATH = "/srv/salt/securedrop_salt/" BASE_TEMPLATE = "debian-12-minimal" sys.path.insert(1, os.path.join(SCRIPTS_PATH, "scripts/")) 
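Review bot: The guard around the cleanup block in the second `files/clean-salt` hunk reads `if [[ ! -d "$SDW_SALT_DIR" ]]; then`, so as shown the `rm -rf` and `find … -delete` lines run only when the directory is absent. `SDW_SALT_DIR` now points at `/srv/salt/securedrop_salt`, and `perform_uninstall` in `files/sdw-admin.py` calls `clean-salt` before the package is uninstalled, so the block would be skipped and the `config.json` and `sd-journalist.sec` copied there by `copy_config` would stay behind. Unless the negation is intentional, `if [[ -d "$SDW_SALT_DIR" ]]; then` is presumably what was meant, and quoting `"${SDW_SALT_DIR}"` in the `rm -rf` line would be safer. The same block is edited again in PATCH 6/6.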
@@ -76,7 +76,7 @@ def install_pvh_support(): def copy_config(): """ - Copies config.json and sd-journalist.sec to /srv/salt/sd + Copies config.json and sd-journalist.sec to /srv/salt/securedrop_salt """ try: subprocess.check_call(["sudo", "cp", os.path.join(SCRIPTS_PATH, "config.json"), SALT_PATH]) @@ -141,11 +141,13 @@ def refresh_salt(): def perform_uninstall(keep_template_rpm=False): try: - subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-default-dispvm"]) + subprocess.check_call( + ["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-default-dispvm"] + ) print("Destroying all VMs") subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/destroy-vm"), "--all"]) print("Reverting dom0 configuration") - subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-all"]) + subprocess.check_call(["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-all"]) subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/clean-salt")]) print("Uninstalling dom0 config package") subprocess.check_call( diff --git a/files/validate_config.py b/files/validate_config.py index 5cab73fc..e73bf9f4 100755 --- a/files/validate_config.py +++ b/files/validate_config.py @@ -16,7 +16,7 @@ TOR_V3_HOSTNAME_REGEX = r"^[a-z2-7]{56}\.onion$" TOR_V3_AUTH_REGEX = r"^[A-Z2-7]{52}$" -# CONFIG_FILEPATH = "/srv/salt/sd/config.json" +# CONFIG_FILEPATH = "/srv/salt/securedrop_salt/config.json" CONFIG_FILEPATH = "config.json" SECRET_KEY_FILEPATH = "sd-journalist.sec" diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 29dcc27e..840c2d02 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec 
@@ -61,28 +61,15 @@ configuration over time. # direct_url.json is is not reproducible and not strictly needed rm %{buildroot}/%{python3_sitelib}/*%{version}.dist-info/direct_url.json sed -i "/\.dist-info\/direct_url\.json,/d" %{buildroot}/%{python3_sitelib}/*%{version}.dist-info/RECORD -install -m 755 -d %{buildroot}/srv/salt/sd/sd-proxy -install -m 755 -d %{buildroot}/srv/salt/sd/sd-journalist -install -m 755 -d %{buildroot}/srv/salt/sd/sd-whonix -install -m 755 -d %{buildroot}/srv/salt/sd/sd-workstation -install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach + +install -m 755 -d %{buildroot}/srv/salt/ +cp -a securedrop_salt %{buildroot}/srv/salt/ + install -m 755 -d %{buildroot}/%{_datadir}/%{name}/scripts install -m 755 -d %{buildroot}/%{_bindir} install -m 755 -d %{buildroot}/opt/securedrop install -m 755 -d %{buildroot}/usr/bin/securedrop -install -m 644 securedrop_salt/*.sls %{buildroot}/srv/salt/ -install -m 644 securedrop_salt/*.top %{buildroot}/srv/salt/ -install -m 644 securedrop_salt/*.j2 %{buildroot}/srv/salt/ -install -m 644 securedrop_salt/*.yml %{buildroot}/srv/salt/ -install -m 644 securedrop_salt/*.conf %{buildroot}/srv/salt/ -install -m 755 securedrop_salt/remove-tags.py %{buildroot}/srv/salt/remove-tags -install -m 755 securedrop_salt/securedrop-handle-upgrade %{buildroot}/srv/salt/ -install -m 755 securedrop_salt/update-xfce-settings %{buildroot}/srv/salt/ -install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/ -install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/ -install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/ -install -m 755 usb-autoattach/sd-attach-export-device %{buildroot}/srv/salt/sd/usb-autoattach/ -install -m 644 usb-autoattach/99-sd-devices.rules %{buildroot}/srv/salt/sd/usb-autoattach/ +install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/ install -m 755 files/clean-salt %{buildroot}/%{_datadir}/%{name}/scripts/ install -m 755 files/destroy-vm.py 
%{buildroot}/%{_datadir}/%{name}/scripts/destroy-vm install -m 755 files/provision-all %{buildroot}/%{_datadir}/%{name}/scripts/ @@ -98,7 +85,7 @@ install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/ install -m 755 -d %{buildroot}/%{_userunitdir}/ install -m 755 -d %{buildroot}/%{_unitdir} install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/ -install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/press.freedom.SecureDropUpdater.desktop +install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/securedrop_salt/press.freedom.SecureDropUpdater.desktop install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png install -m 644 files/securedrop-scalable.svg %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/securedrop.svg install -m 755 files/sdw-updater.py %{buildroot}/%{_bindir}/sdw-updater @@ -127,13 +114,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user %attr(755, root, root) %{_datadir}/%{name}/scripts/validate_config.py %attr(755, root, root) %{_bindir}/sdw-admin %{_datadir}/%{name}/config.json.example -/srv/salt/sd* -/srv/salt/dom0-xfce-desktop-file.j2 -/srv/salt/remove-tags -/srv/salt/securedrop-* -/srv/salt/fpf* -/srv/salt/press.freedom.SecureDropUpdater.desktop - +/srv/salt/securedrop_salt/* %attr(755, root, root) %{_bindir}/sdw-login %attr(755, root, root) %{_bindir}/sdw-notify %attr(755, root, root) %{_bindir}/sdw-updater @@ -166,7 +147,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user %license LICENSE %post -find /srv/salt -maxdepth 1 -type f -iname '*.top' \ +find /srv/salt/securedrop_salt -maxdepth 1 -type f -iname '*.top' \ | xargs -n1 basename \ | sed -e 's/\.top$$//g' \ | xargs qubesctl top.enable > /dev/null diff --git a/scripts/prep-dev b/scripts/prep-dev index ae67cdd5..9375d6b5 100755 --- a/scripts/prep-dev 
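Review bot: `cp -a securedrop_salt %{buildroot}/srv/salt/` replaces the explicit `install -m 644` / `install -m 755` calls, so the modes of everything under `/srv/salt/securedrop_salt` now come from the build checkout, and the new `%files` entry `/srv/salt/securedrop_salt/*` sets no `%attr`. A checkout with group- or world-writable files, or a different umask, would carry those bits into dom0 and make the package less reproducible. Normalising after the copy keeps the old guarantees, e.g. `find %{buildroot}/srv/salt/securedrop_salt -type f -exec chmod 644 {} +` followed by `chmod 755` on the scripts that were previously installed executable. The copy also takes every file present in `securedrop_salt/`, and the glob lists only the directory's contents, so the directory itself is presumably left unowned by the package; listing `/srv/salt/securedrop_salt/` would cover it.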
+++ b/scripts/prep-dev @@ -36,6 +36,6 @@ echo "Copying config secrets into place..." for f in config.json sd-journalist.sec ; do sudo cp -v "$f" /usr/share/securedrop-workstation-dom0-config/ sudo chmod ugo+r /usr/share/securedrop-workstation-dom0-config/$f - sudo cp -v "$f" /srv/salt/sd/ - sudo chmod ugo+r /srv/salt/sd/$f + sudo cp -v "$f" /srv/salt/securedrop_salt/ + sudo chmod ugo+r /srv/salt/securedrop_salt/$f done diff --git a/usb-autoattach/99-sd-devices.rules b/securedrop_salt/99-sd-devices.rules similarity index 100% rename from usb-autoattach/99-sd-devices.rules rename to securedrop_salt/99-sd-devices.rules diff --git a/securedrop_salt/fpf-apt-repo.sls b/securedrop_salt/fpf-apt-repo.sls index 2b0ccd24..e2f98d5f 100644 --- a/securedrop_salt/fpf-apt-repo.sls +++ b/securedrop_salt/fpf-apt-repo.sls @@ -14,7 +14,7 @@ # - securedrop_salt.sd-default-config # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} # Using apt-get requires manual approval when releaseinfo changes, # just get it over with in the beginning @@ -30,7 +30,7 @@ autoremove-old-packages: # If we're on a prod environment, ensure there isn't a test .sources # file. (Should never happen in real usage, but may in testing) -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} {% if d.environment == "prod" %} clean-old-test-sources: file.absent: diff --git a/securedrop_salt/sd-app-files.sls b/securedrop_salt/sd-app-files.sls index 6a992654..d618d2c2 100644 --- a/securedrop_salt/sd-app-files.sls +++ b/securedrop_salt/sd-app-files.sls @@ -19,4 +19,4 @@ install-securedrop-client-package: - pkgs: - securedrop-client - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo diff --git a/securedrop_salt/sd-app.sls b/securedrop_salt/sd-app.sls index bba439f5..9fb4251b 100644 --- a/securedrop_salt/sd-app.sls 
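Review bot: `sudo chmod ugo+r /srv/salt/securedrop_salt/$f` in `scripts/prep-dev` makes the copied `sd-journalist.sec` world-readable at its new location, next to every state file. If only root-run `qubesctl` reads the copies under `/srv/salt`, the destination could be written with `sudo install -m 600 "$f" /srv/salt/securedrop_salt/` and the readable copy kept only under `/usr/share/securedrop-workstation-dom0-config/`; that assumption should be checked against how `validate_config.py` is invoked. `$f` is also unquoted in both `chmod` lines.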
+++ b/securedrop_salt/sd-app.sls @@ -7,7 +7,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-workstation-template @@ -31,7 +31,7 @@ sd-app: - require: - qvm: sd-small-{{ sdvars.distribution }}-template -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} sd-app-config: qvm.features: diff --git a/usb-autoattach/sd-attach-export-device b/securedrop_salt/sd-attach-export-device similarity index 100% rename from usb-autoattach/sd-attach-export-device rename to securedrop_salt/sd-attach-export-device diff --git a/securedrop_salt/sd-base-template-files.sls b/securedrop_salt/sd-base-template-files.sls index adfce845..e72aebc7 100644 --- a/securedrop_salt/sd-base-template-files.sls +++ b/securedrop_salt/sd-base-template-files.sls @@ -24,4 +24,4 @@ sd-base-template-install-securedrop-packages: - securedrop-workstation-config - securedrop-workstation-grsec - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo diff --git a/securedrop_salt/sd-base-template.sls b/securedrop_salt/sd-base-template.sls index ab88f36a..8cc4b2ab 100644 --- a/securedrop_salt/sd-base-template.sls +++ b/securedrop_salt/sd-base-template.sls @@ -2,7 +2,7 @@ # vim: set syntax=yaml ts=2 sw=2 sts=2 et : # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-dom0-files diff --git a/securedrop_salt/sd-clean-all.sls b/securedrop_salt/sd-clean-all.sls index 35f95e45..346fede3 100644 --- a/securedrop_salt/sd-clean-all.sls +++ b/securedrop_salt/sd-clean-all.sls 
@@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} set-fedora-as-default-dispvm: cmd.run: @@ -48,25 +48,6 @@ include: - securedrop_salt.sd-usb-autoattach-remove {% endif %} -<<<<<<< HEAD -======= -# Reset desktop icon size to its original value -dom0-reset-icon-size-xfce: - cmd.script: - - name: salt://securedrop_salt/update-xfce-settings - - args: reset-icon-size - - runas: {{ gui_user }} - -# Reset power management options to their original values -{% if d.environment == "prod" or d.environment == "staging" %} -dom0-reset-power-management-xfce: - cmd.script: - - name: salt://securedrop_salt/update-xfce-settings - - args: reset-power-management - - runas: {{ gui_user }} -{% endif %} - ->>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.) # Removes all salt-provisioned files (if these files are also provisioned via # RPM, they should be removed as part of remove-dom0-sdw-config-files-dev) remove-dom0-sdw-config-files: diff --git a/securedrop_salt/sd-default-config.sls b/securedrop_salt/sd-default-config.sls index 1d397879..8028ca61 100644 --- a/securedrop_salt/sd-default-config.sls +++ b/securedrop_salt/sd-default-config.sls @@ -7,11 +7,11 @@ # Load YAML vars file {% load_yaml as sdvars_defaults %} -{% include "sd-default-config.yml" %} +{% include "securedrop_salt/sd-default-config.yml" %} {% endload %} # Load JSON config file -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} # Respect "dev" env if provided, default to "prod" {% if d.environment == "dev" %} diff --git a/securedrop_salt/sd-devices-files.sls b/securedrop_salt/sd-devices-files.sls index 6f0e7673..33f3c2dd 100644 --- a/securedrop_salt/sd-devices-files.sls +++ b/securedrop_salt/sd-devices-files.sls 
@@ -26,4 +26,4 @@ sd-devices-install-package: pkg.installed: - name: securedrop-export - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo diff --git a/securedrop_salt/sd-devices.sls b/securedrop_salt/sd-devices.sls index 2a295166..45f40f79 100644 --- a/securedrop_salt/sd-devices.sls +++ b/securedrop_salt/sd-devices.sls @@ -7,7 +7,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-workstation-template diff --git a/securedrop_salt/sd-dom0-files.sls b/securedrop_salt/sd-dom0-files.sls index 2c9edf54..ed3ff539 100644 --- a/securedrop_salt/sd-dom0-files.sls +++ b/securedrop_salt/sd-dom0-files.sls @@ -7,7 +7,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} dom0-rpm-test-key: file.managed: @@ -55,16 +55,6 @@ dom0-install-debian-minimal-template: {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %} -<<<<<<< HEAD -======= -# Increase the default icon size for the GUI user for usability/accessibility reasons -dom0-adjust-desktop-icon-size-xfce: - cmd.script: - - name: salt://securedrop_salt/update-xfce-settings - - args: adjust-icon-size - - runas: {{ gui_user }} - ->>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.) dom0-login-autostart-directory: file.directory: - name: /home/{{ gui_user }}/.config/autostart @@ -96,7 +86,7 @@ dom0-securedrop-launcher-desktop-shortcut: - group: {{ gui_user }} - mode: 755 -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} {% if d.environment != "dev" %} # In the dev environment, we've already installed the rpm from # local sources, so don't also pull in from the yum-test repo. 
@@ -108,7 +98,6 @@ dom0-install-securedrop-workstation-dom0-config: - file: dom0-workstation-rpm-repo {% endif %} -<<<<<<< HEAD dom0-environment-directory: file.directory: - name: /var/lib/securedrop-workstation/ @@ -128,13 +117,3 @@ dom0-write-environment-flag: - replace: False - require: - file: dom0-remove-old-environment-flag -======= -# Hide suspend/hibernate options in menus in prod systems -{% if d.environment == "prod" or d.environment == "staging" %} -dom0-disable-unsafe-power-management-xfce: - cmd.script: - - name: salt://securedrop_salt/update-xfce-settings - - args: disable-unsafe-power-management - - runas: {{ gui_user }} -{% endif %} ->>>>>>> df4a406 (Move all provisioning-related files salt files into securedrop_salt directory.) diff --git a/securedrop_salt/sd-gpg.sls b/securedrop_salt/sd-gpg.sls index b2afa241..1a293bb8 100644 --- a/securedrop_salt/sd-gpg.sls +++ b/securedrop_salt/sd-gpg.sls @@ -10,7 +10,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-workstation-template @@ -33,5 +33,5 @@ sd-gpg: - add: - sd-workstation - require: - - sls: sd-workstation-template - - sls: sd-upgrade-templates + - sls: securedrop_salt.sd-workstation-template + - sls: securedrop_salt.sd-upgrade-templates diff --git a/securedrop_salt/sd-log.sls b/securedrop_salt/sd-log.sls index 1eb21b84..ffcff087 100644 --- a/securedrop_salt/sd-log.sls +++ b/securedrop_salt/sd-log.sls @@ -8,7 +8,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-workstation-template 
@@ -36,7 +36,7 @@ sd-log: - require: - qvm: sd-small-{{ sdvars.distribution }}-template -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} # The private volume size should be set in config.json sd-log-private-volume-size: diff --git a/securedrop_salt/sd-logging-setup.sls b/securedrop_salt/sd-logging-setup.sls index a54c277a..904bbff1 100644 --- a/securedrop_salt/sd-logging-setup.sls +++ b/securedrop_salt/sd-logging-setup.sls @@ -4,7 +4,7 @@ # TODO: parametrise this {% if grains['id'] in ["sd-small-bookworm-template", "sd-large-bookworm-template"] %} include: - - fpf-apt-repo + - securedrop_salt.fpf-apt-repo # Install securedrop-log package in TemplateVMs only install-securedrop-log-package: @@ -12,7 +12,7 @@ install-securedrop-log-package: - pkgs: - securedrop-log - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo {% endif %} diff --git a/securedrop_salt/sd-proxy-template-files.sls b/securedrop_salt/sd-proxy-template-files.sls index 19b7e38d..13de5116 100644 --- a/securedrop_salt/sd-proxy-template-files.sls +++ b/securedrop_salt/sd-proxy-template-files.sls @@ -10,4 +10,4 @@ install-securedrop-proxy-package: - pkgs: - securedrop-proxy - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo diff --git a/securedrop_salt/sd-proxy.sls b/securedrop_salt/sd-proxy.sls index 54ed517f..85cc2253 100644 --- a/securedrop_salt/sd-proxy.sls +++ b/securedrop_salt/sd-proxy.sls @@ -7,7 +7,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-whonix @@ -30,7 +30,7 @@ sd-proxy: - qvm: sd-whonix - qvm: sd-small-{{ sdvars.distribution }}-template -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} sd-proxy-config: qvm.features: 
diff --git a/securedrop_salt/sd-remove-unused-templates.sls b/securedrop_salt/sd-remove-unused-templates.sls index ca519582..13f0d3ac 100644 --- a/securedrop_salt/sd-remove-unused-templates.sls +++ b/securedrop_salt/sd-remove-unused-templates.sls @@ -5,23 +5,23 @@ # Make sure the "prepare" step has run first, otherwise there's # a race between migration and removal. include: - - sd-upgrade-templates - - sd-log - - sd-devices - - sd-gpg - - sd-proxy - - sd-viewer - - sd-app + - securedrop_salt.sd-upgrade-templates + - securedrop_salt.sd-log + - securedrop_salt.sd-devices + - securedrop_salt.sd-gpg + - securedrop_salt.sd-proxy + - securedrop_salt.sd-viewer + - securedrop_salt.sd-app run-remove-upgrade-scripts: cmd.script: - - name: salt://securedrop-handle-upgrade + - name: salt://securedrop_salt/securedrop-handle-upgrade - args: remove - require: - - sls: sd-upgrade-templates - - sls: sd-log - - sls: sd-devices - - sls: sd-gpg - - sls: sd-proxy - - sls: sd-viewer - - sls: sd-app + - sls: securedrop_salt.sd-upgrade-templates + - sls: securedrop_salt.sd-log + - sls: securedrop_salt.sd-devices + - sls: securedrop_salt.sd-gpg + - sls: securedrop_salt.sd-proxy + - sls: securedrop_salt.sd-viewer + - sls: securedrop_salt.sd-app diff --git a/securedrop_salt/sd-sys-whonix-vms.sls b/securedrop_salt/sd-sys-whonix-vms.sls index e85c940d..07ef44d6 100644 --- a/securedrop_salt/sd-sys-whonix-vms.sls +++ b/securedrop_salt/sd-sys-whonix-vms.sls @@ -27,7 +27,7 @@ dom0-enabled-apparmor-on-whonix-gw-template: - prefs: - kernelopts: "nopat apparmor=1 security=apparmor" - require: - - sls: sd-upgrade-templates + - sls: securedrop_salt.sd-upgrade-templates - qvm: whonix-gateway-installed - qvm: whonix-workstation-installed 
@@ -37,7 +37,7 @@ dom0-enabled-apparmor-on-whonix-ws-template: - prefs: - kernelopts: "nopat apparmor=1 security=apparmor" - require: - - sls: sd-upgrade-templates + - sls: securedrop_salt.sd-upgrade-templates - qvm: whonix-gateway-installed - qvm: whonix-workstation-installed diff --git a/securedrop_salt/sd-upgrade-templates.sls b/securedrop_salt/sd-upgrade-templates.sls index ca927a0a..acc4e1b7 100644 --- a/securedrop_salt/sd-upgrade-templates.sls +++ b/securedrop_salt/sd-upgrade-templates.sls @@ -13,5 +13,5 @@ run-prep-upgrade-scripts: cmd.script: - - name: salt://securedrop-handle-upgrade + - name: salt://securedrop_salt/securedrop-handle-upgrade - args: prepare diff --git a/securedrop_salt/sd-viewer-files.sls b/securedrop_salt/sd-viewer-files.sls index 2c58724a..e3f681d7 100644 --- a/securedrop_salt/sd-viewer-files.sls +++ b/securedrop_salt/sd-viewer-files.sls @@ -19,7 +19,7 @@ sd-viewer-install-metapackage: - pkgs: - securedrop-workstation-viewer - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo sd-viewer-install-libreoffice: pkg.installed: diff --git a/securedrop_salt/sd-viewer.sls b/securedrop_salt/sd-viewer.sls index 2d7a8655..7502239b 100644 --- a/securedrop_salt/sd-viewer.sls +++ b/securedrop_salt/sd-viewer.sls @@ -12,7 +12,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-workstation-template diff --git a/securedrop_salt/sd-whonix-hidserv-key.sls b/securedrop_salt/sd-whonix-hidserv-key.sls index 8e3f94fc..f86e01fc 100644 --- a/securedrop_salt/sd-whonix-hidserv-key.sls +++ b/securedrop_salt/sd-whonix-hidserv-key.sls @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} sd-whonix-hidservv3-directory-path: file.blockreplace: 
diff --git a/securedrop_salt/sd-whonix.sls b/securedrop_salt/sd-whonix.sls index d65164b8..b1b5615d 100644 --- a/securedrop_salt/sd-whonix.sls +++ b/securedrop_salt/sd-whonix.sls @@ -12,7 +12,7 @@ ## # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-upgrade-templates @@ -35,10 +35,10 @@ sd-whonix: - sd-workstation - sd-{{ sdvars.distribution }} - require: - - sls: sd-upgrade-templates - - sls: sd-sys-whonix-vms + - sls: securedrop_salt.sd-upgrade-templates + - sls: securedrop_salt.sd-sys-whonix-vms -{% import_json "sd/config.json" as d %} +{% import_json "securedrop_salt/config.json" as d %} sd-whonix-config: qvm.features: diff --git a/securedrop_salt/sd-workstation-template-files.sls b/securedrop_salt/sd-workstation-template-files.sls index 3512f4dd..c700f3b0 100644 --- a/securedrop_salt/sd-workstation-template-files.sls +++ b/securedrop_salt/sd-workstation-template-files.sls @@ -9,7 +9,7 @@ sd-workstation-template-install-kernel-config-packages: - securedrop-workstation-config - securedrop-workstation-grsec - require: - - sls: fpf-apt-repo + - sls: securedrop_salt.fpf-apt-repo # Ensure that paxctld starts immediately. For AppVMs, # use qvm.features.enabled = ["paxctld"] to ensure service start. diff --git a/securedrop_salt/sd-workstation-template.sls b/securedrop_salt/sd-workstation-template.sls index 0d39615a..b25d9994 100644 --- a/securedrop_salt/sd-workstation-template.sls +++ b/securedrop_salt/sd-workstation-template.sls @@ -2,7 +2,7 @@ # vim: set syntax=yaml ts=2 sw=2 sts=2 et : # Imports "sdvars" for environment config -{% from 'sd-default-config.sls' import sdvars with context %} +{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %} include: - securedrop_salt.sd-base-template 
@@ -30,7 +30,7 @@ sd-small-{{ sdvars.distribution }}-template: - enable: - service.paxctld - require: - - sls: sd-base-template + - sls: securedrop_salt.sd-base-template sd-large-{{ sdvars.distribution }}-template: qvm.vm: @@ -49,4 +49,4 @@ sd-large-{{ sdvars.distribution }}-template: - enable: - service.paxctld - require: - - sls: sd-base-template + - sls: securedrop_salt.sd-base-template diff --git a/securedrop_salt/sd-workstation.top b/securedrop_salt/sd-workstation.top index bd5ae90e..274e3398 100644 --- a/securedrop_salt/sd-workstation.top +++ b/securedrop_salt/sd-workstation.top 
@@ -3,50 +3,50 @@ base: dom0: - - sd-sys-vms - - sd-dom0-files - - sd-dom0-systemd - - sd-base-template - - sd-workstation-template - - sd-upgrade-templates - - sd-sys-whonix-vms - - sd-log - - sd-devices - - sd-gpg - - sd-proxy - - sd-viewer - - sd-app - - sd-whonix - - sd-remove-unused-templates + - securedrop_salt.sd-sys-vms + - securedrop_salt.sd-dom0-files + - securedrop_salt.sd-dom0-systemd + - securedrop_salt.sd-base-template + - securedrop_salt.sd-workstation-template + - securedrop_salt.sd-upgrade-templates + - securedrop_salt.sd-sys-whonix-vms + - securedrop_salt.sd-log + - securedrop_salt.sd-devices + - securedrop_salt.sd-gpg + - securedrop_salt.sd-proxy + - securedrop_salt.sd-viewer + - securedrop_salt.sd-app + - securedrop_salt.sd-whonix + - securedrop_salt.sd-remove-unused-templates sd-base-bookworm-template: - - sd-base-template-files - - sd-workstation-template-files + - securedrop_salt.sd-base-template-files + - securedrop_salt.sd-workstation-template-files sd-small-bookworm-template: - - sd-logging-setup - - sd-workstation-template-files - - sd-app-files - - sd-proxy-template-files + - securedrop_salt.sd-logging-setup + - securedrop_salt.sd-workstation-template-files + - securedrop_salt.sd-app-files + - securedrop_salt.sd-proxy-template-files sd-large-bookworm-template: - - sd-logging-setup - - sd-workstation-template-files - - sd-devices-files - - sd-viewer-files + - securedrop_salt.sd-logging-setup + - securedrop_salt.sd-workstation-template-files + - securedrop_salt.sd-devices-files + - securedrop_salt.sd-viewer-files sd-gpg: - - sd-gpg-files + - securedrop_salt.sd-gpg-files sd-app: - - sd-mime-handling + - securedrop_salt.sd-mime-handling sd-whonix: - - sd-whonix-hidserv-key + - securedrop_salt.sd-whonix-hidserv-key 'sd-fedora-39-dvm,sys-usb': - match: list - - sd-usb-autoattach-add + - securedrop_salt.sd-usb-autoattach-add sd-viewer: - - sd-mime-handling + - securedrop_salt.sd-mime-handling sd-devices-dvm: - - sd-mime-handling + - 
securedrop_salt.sd-mime-handling sd-proxy: - - sd-mime-handling + - securedrop_salt.sd-mime-handling # "Placeholder" config to trigger TemplateVM boots, # so upgrades can be applied automatically via cron. From 031604df5fcf9ac3cc78c21b34348eafe1242dae Mon Sep 17 00:00:00 2001 From: Ro Date: Fri, 31 May 2024 13:51:47 -0400 Subject: [PATCH 4/6] Enable only our top file --- .../securedrop-workstation-dom0-config.spec | 5 +--- tests/test_dom0_salt_config.py | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 4 deletions(-) create mode 100644 tests/test_dom0_salt_config.py diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 840c2d02..4da44085 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -147,10 +147,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user %license LICENSE %post -find /srv/salt/securedrop_salt -maxdepth 1 -type f -iname '*.top' \ - | xargs -n1 basename \ - | sed -e 's/\.top$$//g' \ - | xargs qubesctl top.enable > /dev/null +qubesctl top.enable securedrop_salt.sd-workstation > /dev/null ||: # Force full run of all Salt states - uncomment in release branch # mkdir -p /tmp/sdw-migrations diff --git a/tests/test_dom0_salt_config.py b/tests/test_dom0_salt_config.py new file mode 100644 index 00000000..d7e30e87 --- /dev/null +++ b/tests/test_dom0_salt_config.py 
@@ -0,0 +1,23 @@ +import subprocess +import unittest + + +class SD_Dom0_Salt_Config_Tests(unittest.TestCase): + def setUp(self): + # Enable full diff output in test report, to aid in debugging + self.maxDiff = None + + def test_is_topfile_enabled(self): + cmd = ["sudo", "qubesctl", "top.enabled"] + wanted = "securedrop_salt.sd-workstation.top" + + try: + all_topfiles = subprocess.check_output(cmd).decode("utf-8") + assert wanted in all_topfiles + + except subprocess.CalledProcessError: + self.fail("Error checking topfiles") + + +def load_tests(loader, tests, pattern): + return unittest.TestLoader().loadTestsFromTestCase(SD_Dom0_Salt_Config_Tests) From 85bcd63e411907a28c3287d07185a004f1ae3020 Mon Sep 17 00:00:00 2001 From: Ro Date: Fri, 31 May 2024 20:55:35 -0400 Subject: [PATCH 5/6] Update dom0 repo test with new pubkey location. --- tests/test_dom0_rpm_repo.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_dom0_rpm_repo.py b/tests/test_dom0_rpm_repo.py index ff93de7a..f0b68f1e 100644 --- a/tests/test_dom0_rpm_repo.py +++ b/tests/test_dom0_rpm_repo.py @@ -9,8 +9,8 @@ class SD_Dom0_Rpm_Repo_Tests(unittest.TestCase): pubkey_wanted = "" yum_repo_url = "" pubkey_actual = "/etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation" - pubkey_wanted_prod = "sd-workstation/securedrop-release-signing-pubkey-2021.asc" - pubkey_wanted_test = "sd-workstation/apt-test-pubkey.asc" + pubkey_wanted_prod = "securedrop_salt/securedrop-release-signing-pubkey-2021.asc" + pubkey_wanted_test = "securedrop_salt/apt-test-pubkey.asc" yum_repo_url_prod = f"https://yum.securedrop.org/workstation/dom0/{FEDORA_VERSION}" yum_repo_url_test = f"https://yum-test.securedrop.org/workstation/dom0/{FEDORA_VERSION}" From 68feb49659b6592e909cbe1f3a9aa7a4dc38a319 Mon Sep 17 00:00:00 2001 
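Review bot: `test_is_topfile_enabled` uses a bare `assert wanted in all_topfiles`, which is skipped under `python -O` and reports nothing about the actual output on failure; `self.assertIn(wanted, all_topfiles)` fits the `unittest.TestCase` style used here. The check is a substring match over the whole command output, so a longer top-file name containing `securedrop_salt.sd-workstation.top` would also satisfy it; comparing against the stripped entries of `all_topfiles.splitlines()` is stricter, assuming `top.enabled` prints one entry per line. `load_tests` ignores its `loader` argument and builds a new `unittest.TestLoader()`; `return loader.loadTestsFromTestCase(SD_Dom0_Salt_Config_Tests)` would respect the runner's loader.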
From: Ro Date: Sat, 1 Jun 2024 19:51:51 -0400 Subject: [PATCH 6/6] Remove deprecated /srv/salt path from clean-salt and update cleanup of /srv/salt/_tops. --- files/clean-salt | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/files/clean-salt b/files/clean-salt index 3ab4b23a..fcad58dd 100755 --- a/files/clean-salt +++ b/files/clean-salt @@ -23,11 +23,6 @@ if [[ ! -d "$SDW_SALT_DIR" ]]; then # Can be removed in future sudo rm -rf ${SALT_DIR}/launcher - # We no longer store salt files directly in /srv/salt, so these next - # 3 checks can be removed at 4.2 cutover - sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete - sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete - sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete - sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete + sudo find ${SALT_DIR}/_tops -lname '/srv/salt/securedrop_salt*' -delete fi
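Review bot: The `_tops` cleanup now matches only `-lname '/srv/salt/securedrop_salt*'`, so symlinks left by earlier installs that point at `/srv/salt/sd-*` are no longer removed, and the three `find … -maxdepth 1` lines for files placed directly in `/srv/salt` are dropped at the same time although the comment being deleted scheduled them for the 4.2 cutover. On a machine upgraded from the old layout, stale enabled top files and state files would then survive an uninstall. Keeping both link patterns until that cutover is one line: `sudo find ${SALT_DIR}/_tops \( -lname '/srv/salt/sd-*' -o -lname '/srv/salt/securedrop_salt*' \) -delete`. The enclosing `if` starts outside this hunk.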