# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
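##
# qvm.work
# ========
#
# Installs 'sd-journlist' AppVM, for hosting the securedrop workstation app
#
# NOTE(review): this header does not match the states below, which define the
# sd-proxy template, the sd-proxy AppVM and the securedrop.Proxy RPC policy.
# It was presumably carried over from another state file; confirm and update.
#
##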
# Pull in the states this file depends on. sd-whonix is referenced below both
# as the sd-proxy netvm and as a `require` target; sd-upgrade-templates is
# included but not referenced by any state in this file.
include:
  - sd-whonix
  - sd-upgrade-templates
# Template for the sd-proxy AppVM: a clone of whonix-ws-15 named
# sd-proxy-buster-template.
sd-proxy-template:
  qvm.vm:
    - name: sd-proxy-buster-template
    - clone:
      - source: whonix-ws-15
      - label: blue
    # Tags attached to the template. Qubes RPC policy can select VMs by tag
    # (`@tag:<name>`), so review tag changes as you would policy changes.
    # NOTE(review): where these tags are consumed is not shown in this file;
    # sd-workstation-updates is set on the template only, not on the AppVM.
    - tags:
      - add:
        - sd-workstation
        - sd-buster
        - sd-workstation-updates
# The sd-proxy AppVM: built on sd-proxy-buster-template and networked through
# sd-whonix.
sd-proxy:
  qvm.vm:
    - name: sd-proxy
    # Ensure the VM exists, labelled blue.
    - present:
      - label: blue
    - prefs:
      - template: sd-proxy-buster-template
      # This VM's network traffic is routed through sd-whonix.
      - netvm: sd-whonix
      # apparmor=1 security=apparmor enables AppArmor as the LSM at boot.
      # NOTE(review): this pref presumably replaces the VM's kernel options
      # rather than appending to them, so keep the AppArmor flags whenever
      # this line is edited — confirm against a provisioned VM.
      - kernelopts: "nopat apparmor=1 security=apparmor"
      # Start the VM automatically at system boot.
      - autostart: true
    - tags:
      - add:
        - sd-workstation
        - sd-buster
    # Apply only after the sd-whonix and sd-proxy-template qvm states, so the
    # netvm and the template referenced in prefs are already in place.
    - require:
      - qvm: sd-whonix
      - qvm: sd-proxy-template
# Permit the SecureDrop Proxy to manage Client connections
#
# Writes the dom0 qrexec policy for the securedrop.Proxy service: sd-app may
# call it on sd-proxy, and every other source/target pair is explicitly denied.
# Qubes evaluates policy lines top to bottom and stops at the first match, so
# the allow line must stay above the catch-all deny.
# file.prepend places these lines at the top of the file; anything already in
# the file remains below them.
# NOTE(review): pre-existing rules should be shadowed by the catch-all deny;
# confirm by inspecting the rendered policy file on a provisioned dom0.
sd-proxy-dom0-securedrop.Proxy:
  file.prepend:
    - name: /etc/qubes-rpc/policy/securedrop.Proxy
    - text: |
        sd-app sd-proxy allow
        @anyvm @anyvm deny