[Refactor] Move all Salt provisioning files into /srv/salt/securedrop_salt

MANIFEST.in

@@ -1,19 +1,9 @@
-include dom0/*.sls
-include dom0/*.top
-include dom0/*.j2
-include dom0/*.yml
-include dom0/*.conf
-include dom0/remove-tags.py
-include dom0/securedrop-handle-upgrade
+include securedrop_salt/*
 include README.md
 include LICENSE
 include VERSION
-include sd-proxy/*
-include sd-whonix/*
-include sd-workstation/*
 include sdw_updater/*.py
 include sdw_notify/*.py
 include sdw_util/*.py
-include usb-autoattach/*
 include files/*
 include setup.py

Makefile

@@ -60,16 +60,16 @@ clone-norpm: assert-dom0 ## As above, but skip creating RPM
 	@BUILD_RPM=false ./scripts/clone-to-dom0
 
 qubes-rpc: prep-dev ## Places default deny qubes-rpc policies for sd-app and sd-gpg
-	sudo qubesctl --show-output --targets sd-dom0-qvm-rpc state.highstate
+	sudo qubesctl --show-output --targets securedrop_salt.sd-dom0-qvm-rpc state.highstate
 
 add-usb-autoattach: prep-dom0 ## Adds udev rules and scripts to sys-usb
 	sudo qubesctl --show-output --skip-dom0 --targets sys-usb state.highstate
 
 remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb
-	sudo qubesctl --show-output state.sls sd-usb-autoattach-remove
+	sudo qubesctl --show-output state.sls securedrop_salt.sd-usb-autoattach-remove
 
 sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs
-	sudo qubesctl --show-output state.sls sd-base-template
+	sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template
 	sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate
 
 sd-proxy: prep-dev ## Provisions SD Proxy VM

files/clean-salt

@@ -7,7 +7,7 @@ set -o pipefail
 
 
 # Hardcoded location of SecureDrop Workstation salt config files
-SDW_SALT_DIR="/srv/salt/sd"
+SDW_SALT_DIR="/srv/salt/securedrop_salt"
 SALT_DIR="/srv/salt"
 
 echo "Purging Salt config..."
@@ -19,9 +19,10 @@ echo "Purging Salt config..."
 
 if [[ ! -d "$SDW_SALT_DIR" ]]; then
     sudo rm -rf ${SDW_SALT_DIR}
+
+    # Can be removed in future
     sudo rm -rf ${SALT_DIR}/launcher
-    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete
-    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete
-    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete
-    sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete
+
+    sudo find ${SALT_DIR}/_tops -lname '/srv/salt/securedrop_salt*' -delete
+
 fi

files/provision-all

@@ -10,11 +10,11 @@ set -o pipefail
 max_concurrency="2"
 
 echo "Configure Fedora-based system VMs"
-sudo qubesctl --show-output state.sls sd-sys-vms
+sudo qubesctl --show-output state.sls securedrop_salt.sd-sys-vms
 
 echo ".........................................................................."
 echo "Configure base template"
-sudo qubesctl --show-output state.sls sd-base-template
+sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template
 sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate
 qvm-shutdown --wait sd-base-bookworm-template
 

files/sdw-admin.py

@@ -14,7 +14,7 @@
 import qubesadmin
 
 SCRIPTS_PATH = "/usr/share/securedrop-workstation-dom0-config/"
-SALT_PATH = "/srv/salt/sd/"
+SALT_PATH = "/srv/salt/securedrop_salt/"
 BASE_TEMPLATE = "debian-12-minimal"
 
 sys.path.insert(1, os.path.join(SCRIPTS_PATH, "scripts/"))
@@ -76,7 +76,7 @@ def install_pvh_support():
 
 def copy_config():
     """
-    Copies config.json and sd-journalist.sec to /srv/salt/sd
+    Copies config.json and sd-journalist.sec to /srv/salt/securedrop_salt
     """
     try:
         subprocess.check_call(["sudo", "cp", os.path.join(SCRIPTS_PATH, "config.json"), SALT_PATH])
@@ -141,11 +141,13 @@ def refresh_salt():
 
 def perform_uninstall(keep_template_rpm=False):
     try:
-        subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-default-dispvm"])
+        subprocess.check_call(
+            ["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-default-dispvm"]
+        )
         print("Destroying all VMs")
         subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/destroy-vm"), "--all"])
         print("Reverting dom0 configuration")
-        subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-all"])
+        subprocess.check_call(["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-all"])
         subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/clean-salt")])
         print("Uninstalling dom0 config package")
         subprocess.check_call(

files/sdw-notify.py

@@ -70,7 +70,7 @@ def show_update_warning():
     elif result == NotifyApp.NotifyStatus.DEFER_UPDATES:
         # Currently, `DEFER_UPDATES` is a no-op, because the deferral period is
         # simply the period before the next run of the notify script (defined in
-        # `securedrop-workstation/dom0/sd-dom0-crontab.sls`).
+        # `securedrop-workstation/securedrop_salt/sd-dom0-crontab.sls`).
         log.info(
             "User has deferred update check. sdw-notify will run "
             "again at the next scheduled interval."

files/validate_config.py

@@ -16,7 +16,7 @@
 TOR_V3_HOSTNAME_REGEX = r"^[a-z2-7]{56}\.onion$"
 TOR_V3_AUTH_REGEX = r"^[A-Z2-7]{52}$"
 
-# CONFIG_FILEPATH = "/srv/salt/sd/config.json"
+# CONFIG_FILEPATH = "/srv/salt/securedrop_salt/config.json"
 CONFIG_FILEPATH = "config.json"
 SECRET_KEY_FILEPATH = "sd-journalist.sec"
 

pyproject.toml

@@ -99,8 +99,8 @@ ignore_missing_imports = true
 scripts_are_modules = true
 files = [
     "*.py",
-    "dom0/remove-tags.py",
-    "dom0/securedrop-login",
+    "securedrop_salt/remove-tags.py",
+    "securedrop_salt/securedrop-login",
     "scripts/*.py",
     "files/*.py",
 ]

rpm-build/SPECS/securedrop-workstation-dom0-config.spec

@@ -61,28 +61,15 @@ configuration over time.
 # direct_url.json is is not reproducible and not strictly needed
 rm %{buildroot}/%{python3_sitelib}/*%{version}.dist-info/direct_url.json
 sed -i "/\.dist-info\/direct_url\.json,/d" %{buildroot}/%{python3_sitelib}/*%{version}.dist-info/RECORD
-install -m 755 -d %{buildroot}/srv/salt/sd/sd-proxy
-install -m 755 -d %{buildroot}/srv/salt/sd/sd-journalist
-install -m 755 -d %{buildroot}/srv/salt/sd/sd-whonix
-install -m 755 -d %{buildroot}/srv/salt/sd/sd-workstation
-install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach
+
+install -m 755 -d %{buildroot}/srv/salt/
+cp -a securedrop_salt %{buildroot}/srv/salt/
+
 install -m 755 -d %{buildroot}/%{_datadir}/%{name}/scripts
 install -m 755 -d %{buildroot}/%{_bindir}
 install -m 755 -d %{buildroot}/opt/securedrop
 install -m 755 -d %{buildroot}/usr/bin/securedrop
-install -m 644 dom0/*.sls %{buildroot}/srv/salt/
-install -m 644 dom0/*.top %{buildroot}/srv/salt/
-install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
-install -m 644 dom0/*.yml %{buildroot}/srv/salt/
-install -m 644 dom0/*.conf %{buildroot}/srv/salt/
-install -m 755 dom0/remove-tags.py %{buildroot}/srv/salt/remove-tags
-install -m 755 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
 install -m 755 files/update-xfce-settings %{buildroot}/usr/bin/securedrop/
-install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
-install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
-install -m 644 sd-workstation/* %{buildroot}/srv/salt/sd/sd-workstation/
-install -m 755 usb-autoattach/sd-attach-export-device %{buildroot}/srv/salt/sd/usb-autoattach/
-install -m 644 usb-autoattach/99-sd-devices.rules %{buildroot}/srv/salt/sd/usb-autoattach/
 install -m 755 files/clean-salt %{buildroot}/%{_datadir}/%{name}/scripts/
 install -m 755 files/destroy-vm.py %{buildroot}/%{_datadir}/%{name}/scripts/destroy-vm
 install -m 755 files/provision-all %{buildroot}/%{_datadir}/%{name}/scripts/
@@ -98,7 +85,7 @@ install -m 755 -d %{buildroot}/%{_sharedstatedir}/%{name}/
 install -m 755 -d %{buildroot}/%{_userunitdir}/
 install -m 755 -d %{buildroot}/%{_unitdir}
 install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/%{_datadir}/applications/
-install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/press.freedom.SecureDropUpdater.desktop
+install -m 644 files/press.freedom.SecureDropUpdater.desktop %{buildroot}/srv/salt/securedrop_salt/press.freedom.SecureDropUpdater.desktop
 install -m 644 files/securedrop-128x128.png %{buildroot}/%{_datadir}/icons/hicolor/128x128/apps/securedrop.png
 install -m 644 files/securedrop-scalable.svg %{buildroot}/%{_datadir}/icons/hicolor/scalable/apps/securedrop.svg
 install -m 755 files/sdw-updater.py %{buildroot}/%{_bindir}/sdw-updater
@@ -127,13 +114,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user
 %attr(755, root, root) %{_datadir}/%{name}/scripts/validate_config.py
 %attr(755, root, root) %{_bindir}/sdw-admin
 %{_datadir}/%{name}/config.json.example
-/srv/salt/sd*
-/srv/salt/dom0-xfce-desktop-file.j2
-/srv/salt/remove-tags
-/srv/salt/securedrop-*
-/srv/salt/fpf*
-/srv/salt/press.freedom.SecureDropUpdater.desktop
-
+/srv/salt/securedrop_salt/*
 %attr(755, root, root) %{_bindir}/sdw-login
 %attr(755, root, root) %{_bindir}/sdw-notify
 %attr(755, root, root) %{_bindir}/sdw-updater
@@ -166,10 +147,7 @@ install -m 644 files/securedrop-user-xfce-icon-size.service %{buildroot}/%{_user
 %license LICENSE
 
 %post
-find /srv/salt -maxdepth 1 -type f -iname '*.top' \
-    | xargs -n1 basename \
-    | sed -e 's/\.top$$//g' \
-    | xargs qubesctl top.enable > /dev/null
+qubesctl top.enable securedrop_salt.sd-workstation > /dev/null ||:
 
 # Force full run of all Salt states - uncomment in release branch
 # mkdir -p /tmp/sdw-migrations

scripts/prep-dev

@@ -36,6 +36,6 @@ echo "Copying config secrets into place..."
 for f in config.json sd-journalist.sec ; do
     sudo cp -v "$f" /usr/share/securedrop-workstation-dom0-config/
     sudo chmod ugo+r /usr/share/securedrop-workstation-dom0-config/$f
-    sudo cp -v "$f" /srv/salt/sd/
-    sudo chmod ugo+r /srv/salt/sd/$f
+    sudo cp -v "$f" /srv/salt/securedrop_salt/
+    sudo chmod ugo+r /srv/salt/securedrop_salt/$f
 done

dom0/fpf-apt-repo.sls → securedrop_salt/fpf-apt-repo.sls

@@ -11,10 +11,10 @@
 # the subsequent tasks will fail. For reference
 # include:
 #  - update.qubes-vm
-#  - sd-default-config
+#  - securedrop_salt.sd-default-config
 
 # Imports "sdvars" for environment config
-{% from 'sd-default-config.sls' import sdvars with context %}
+{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
 
 # Using apt-get requires manual approval when releaseinfo changes,
 # just get it over with in the beginning
@@ -30,7 +30,7 @@ autoremove-old-packages:
 
 # If we're on a prod environment, ensure there isn't a test .sources
 # file. (Should never happen in real usage, but may in testing)
-{% import_json "sd/config.json" as d %}
+{% import_json "securedrop_salt/config.json" as d %}
 {% if d.environment == "prod" %}
 clean-old-test-sources:
   file.absent:
@@ -41,7 +41,7 @@ clean-old-test-sources:
 configure-fpf-apt-repo:
   file.managed:
     - name: "/etc/apt/sources.list.d/{{ sdvars.apt_sources_filename }}"
-    - source: "salt://sd/sd-workstation/{{ sdvars.apt_sources_filename }}.j2"
+    - source: "salt://securedrop_salt/{{ sdvars.apt_sources_filename }}.j2"
     - template: jinja
     - context:
         codename: {{ grains['oscodename'] }}

dom0/sd-app-files.sls → securedrop_salt/sd-app-files.sls

@@ -9,8 +9,8 @@
 #
 ##
 include:
-  - fpf-apt-repo
-  - sd-logging-setup
+  - securedrop_salt.fpf-apt-repo
+  - securedrop_salt.sd-logging-setup
 
 # FPF repo is setup in "securedrop-workstation-$sdvars.distribution" template,
 # and then cloned as "sd-small-$sdvars.distribution-template"
@@ -19,4 +19,4 @@ install-securedrop-client-package:
     - pkgs:
       - securedrop-client
     - require:
-      - sls: fpf-apt-repo
+      - sls: securedrop_salt.fpf-apt-repo

dom0/sd-app.sls → securedrop_salt/sd-app.sls

@@ -7,11 +7,11 @@
 ##
 
 # Imports "sdvars" for environment config
-{% from 'sd-default-config.sls' import sdvars with context %}
+{% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
 
 include:
-  - sd-workstation-template
-  - sd-upgrade-templates
+  - securedrop_salt.sd-workstation-template
+  - securedrop_salt.sd-upgrade-templates
 
 sd-app:
   qvm.vm:
@@ -31,7 +31,7 @@ sd-app:
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
 
-{% import_json "sd/config.json" as d %}
+{% import_json "securedrop_salt/config.json" as d %}
 
 sd-app-config:
   qvm.features:

dom0/sd-base-template-files.sls → securedrop_salt/sd-base-template-files.sls

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 include:
-  - fpf-apt-repo
+  - securedrop_salt.fpf-apt-repo
 
 # install recommended Qubes VM packages for core functionality
 install-qubes-vm-recommended:
@@ -24,4 +24,4 @@ sd-base-template-install-securedrop-packages:
       - securedrop-workstation-config
       - securedrop-workstation-grsec
     - require:
-      - sls: fpf-apt-repo
+      - sls: securedrop_salt.fpf-apt-repo