Merge pull request #857 from freedomofpress/set-qubes-internal

Make our VMs internal, hiding their applications from the menu
freedomofpress · Jun 5, 2024 · 6627451 · 6627451
2 parents fbaed0d + e6f3fee
commit 6627451
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 6 deletions.
diff --git a/securedrop_salt/sd-app.sls b/securedrop_salt/sd-app.sls
@@ -9,6 +9,9 @@
 # Imports "sdvars" for environment config
 {% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
 
+# Check environment
+{% import_json "securedrop_salt/config.json" as d %}
+
 include:
   - securedrop_salt.sd-workstation-template
   - securedrop_salt.sd-upgrade-templates
@@ -26,6 +29,10 @@ sd-app:
         - sd-client
         - sd-workstation
     - features:
+    {% if d.environment == "prod" %}
+      - set:
+        - internal: 1
+    {% endif %}
       - enable:
         - service.paxctld
         - service.securedrop-mime-handling
@@ -34,8 +41,6 @@ sd-app:
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
 
-{% import_json "securedrop_salt/config.json" as d %}
-
 sd-app-config:
   qvm.features:
     - name: sd-app

diff --git a/securedrop_salt/sd-gpg.sls b/securedrop_salt/sd-gpg.sls
@@ -12,6 +12,9 @@
 # Imports "sdvars" for environment config
 {% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
 
+# Check environment
+{% import_json "securedrop_salt/config.json" as d %}
+
 include:
   - securedrop_salt.sd-workstation-template
   - securedrop_salt.sd-upgrade-templates
@@ -29,6 +32,10 @@ sd-gpg:
     - features:
       - enable:
         - service.securedrop-logging-disabled
+    {% if d.environment == "prod" %}
+      - set:
+        - internal: 1
+    {% endif %}
     - tags:
       - add:
         - sd-workstation

diff --git a/securedrop_salt/sd-log.sls b/securedrop_salt/sd-log.sls
@@ -10,6 +10,9 @@
 # Imports "sdvars" for environment config
 {% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
 
+# Check environment
+{% import_json "securedrop_salt/config.json" as d %}
+
 include:
   - securedrop_salt.sd-workstation-template
   - securedrop_salt.sd-upgrade-templates
@@ -28,6 +31,10 @@ sd-log:
       - add:
         - sd-workstation
     - features:
+    {% if d.environment == "prod" %}
+      - set:
+        - internal: 1
+    {% endif %}
       - enable:
         - service.paxctld
         - service.redis
@@ -36,8 +43,6 @@ sd-log:
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
 
-{% import_json "securedrop_salt/config.json" as d %}
-
 # The private volume size should be set in config.json
 sd-log-private-volume-size:
   cmd.run:

diff --git a/securedrop_salt/sd-proxy.sls b/securedrop_salt/sd-proxy.sls
@@ -8,10 +8,12 @@
 
 # Imports "sdvars" for environment config
 {% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
+{% import_json "securedrop_salt/config.json" as d %}
 
 include:
   - securedrop_salt.sd-whonix
   - securedrop_salt.sd-upgrade-templates
+  - securedrop_salt.sd-workstation-template
 
 sd-proxy-dvm:
   qvm.vm:
@@ -23,6 +25,11 @@ sd-proxy-dvm:
       - netvm: sd-whonix
       - template_for_dispvms: True
       - default_dispvm: ""
+  {% if d.environment == "prod" %}
+    - features:
+      - set:
+        - internal: 1
+  {% endif %}
     - tags:
       - add:
         - sd-workstation
@@ -47,17 +54,20 @@ sd-proxy-create-named-dispvm:
         - service.securedrop-mime-handling
       - set:
           - vm-config.SD_MIME_HANDLING: default
+      {% if d.environment == "prod" %}
+          - internal: 1
+      {% endif %}
     - tags:
       - add:
         - sd-workstation
         - sd-{{ sdvars.distribution }}
     - require:
       - qvm: sd-proxy-dvm
 
-{% import_json "securedrop_salt/config.json" as d %}
-
 sd-proxy-config:
   qvm.features:
     - name: sd-proxy
     - set:
         - vm-config.SD_PROXY_ORIGIN: http://{{ d.hidserv.hostname }}
+    - require:
+      - qvm: sd-proxy-create-named-dispvm
diff --git a/securedrop_salt/sd-viewer.sls b/securedrop_salt/sd-viewer.sls
@@ -14,6 +14,9 @@
 # Imports "sdvars" for environment config
 {% from 'securedrop_salt/sd-default-config.sls' import sdvars with context %}
 
+# Check environment
+{% import_json "securedrop_salt/config.json" as d %}
+
 include:
   - securedrop_salt.sd-workstation-template
   - securedrop_salt.sd-upgrade-templates
@@ -35,6 +38,10 @@ sd-viewer:
         - sd-viewer-vm
         - sd-{{ sdvars.distribution }}
     - features:
+    {% if d.environment == "prod" %}
+      - set:
+        - internal: 1
+    {% endif %}
       - enable:
         - service.paxctld
         - service.securedrop-mime-handling