diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f42bf6f6a5..5812c73aeb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -155,6 +155,7 @@ jobs:
 - log
 - proxy
 - qubesdb-tools
+ - whonix-config
 debian_version:
 - bookworm
 runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index b8ce4f79b3..774b34594c 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ This repository contains multiple components, including:
 * `log`: centralized logging
 * `qubesdb-tools`: tools for configuring non-Qubes-aware applications from QubesDB
+* `whonix-config`: Whonix configuration for SecureDrop
 * `proxy`: restricted HTTP proxy
 * `workstation-config`: configuration for SecureDrop Workstation templates
diff --git a/debian/control b/debian/control
index 8505506ff9..12f76ca6a0 100644
--- a/debian/control
+++ b/debian/control
@@ -49,6 +49,14 @@ Description: Tools for configuring non-Qubes-aware applications from QubesDB.
 This package provides tools for configuring non-Qubes-aware applications from QubesDB.
+Package: securedrop-whonix-config
+Section: admin
+Architecture: all
+# FIXME: s/tor/anon-gw-anonymizer-config/ (requires Whonix repositories in piuparts)
+Depends: ${misc:Depends}, securedrop-qubesdb-tools, tor
+Description: Whonix configuration for SecureDrop.
+ This package configures Whonix/Tor for SecureDrop.
+
 Package: securedrop-workstation-config
 Architecture: all
 Depends: python3-qubesdb, rsyslog, mailcap, apparmor, nautilus, securedrop-keyring, xfce4-terminal
diff --git a/debian/rules b/debian/rules
index c561ec5741..f3804318a7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -39,6 +39,7 @@ override_dh_installdeb:
 override_dh_installsystemd:
 dh_installsystemd --name securedrop-log-server
 dh_installsystemd --name securedrop-logging-disabled
+ dh_installsystemd --name securedrop-whonix-config
 dh_installsystemd --name securedrop-proxy-onion-config
 dh_installsystemd --name securedrop-arti
 dh_installsystemd --name securedrop-mime-handling
diff --git a/debian/securedrop-whonix-config.install b/debian/securedrop-whonix-config.install
new file mode 100644
index 0000000000..923e3e4718
--- /dev/null
+++ b/debian/securedrop-whonix-config.install
@@ -0,0 +1 @@
+whonix-config/app_journalist.auth_private.tmpl /usr/share/securedrop-whonix-config
\ No newline at end of file
diff --git a/debian/securedrop-whonix-config.lintian-overrides b/debian/securedrop-whonix-config.lintian-overrides
new file mode 100644
index 0000000000..63e0d5d98e
--- /dev/null
+++ b/debian/securedrop-whonix-config.lintian-overrides
@@ -0,0 +1,2 @@
+# We don't care
+securedrop-whonix-config: package-has-long-file-name
\ No newline at end of file
diff --git a/debian/securedrop-whonix-config.securedrop-whonix-config.service b/debian/securedrop-whonix-config.securedrop-whonix-config.service
new file mode 100644
index 0000000000..ac7dc9389c
--- /dev/null
+++ b/debian/securedrop-whonix-config.securedrop-whonix-config.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=SecureDrop Whonix configuration
+ConditionPathExists=/var/run/qubes-service/securedrop-whonix-config
+
+# Both Qubes's qubes-qrexec-agent (for QubesDB) and Whonix's
+# anon-gw-anonymizer-config (for configuration directories) must
+# have started *before* this service for it to run successfully,
+# since it's a one-shot operation rather than a long-lived service.
+Requires=anon-gw-anonymizer-config.service
+After=anon-gw-anonymizer-config.service
+Requires=qubes-qrexec-agent.service
+After=qubes-qrexec-agent.service
+
+Before=tor.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/bin/template-from-qubesdb /usr/share/securedrop-whonix-config/app_journalist.auth_private.tmpl /var/lib/tor/authdir/app-journalist.auth_private
+ExecStartPost=bash -c "chown debian-tor:debian-tor /var/lib/tor/authdir/app-journalist.auth_private && chmod 0600 /var/lib/tor/authdir/app-journalist.auth_private"
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/whonix-config/app_journalist.auth_private.tmpl b/whonix-config/app_journalist.auth_private.tmpl
new file mode 100644
index 0000000000..c4fa18661c
--- /dev/null
+++ b/whonix-config/app_journalist.auth_private.tmpl
@@ -0,0 +1 @@
+${SD_HIDSERV_HOSTNAME}:descriptor:x25519:${SD_HIDSERV_KEY}
\ No newline at end of file
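Review bot: ExecStart writes the x25519 client-auth private key to /var/lib/tor/authdir/app-journalist.auth_private before ExecStartPost tightens it to 0600, so unless template-from-qubesdb creates the file with a restrictive mode itself (not visible here) the key is briefly readable by any local user under systemd's default 0022 umask. Adding `UMask=0077` to the `[Service]` section closes that window by creating the file 0600 from the start; the chown to debian-tor is still needed and the chmod becomes a harmless safety net. Separately, tor.service is only ordered after this unit via `Before=`, not bound to it, so a failed ExecStart lets tor start without the auth file; a sentence in the header comment pointing operators at this unit's journal for that case would help.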
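Review bot: The first field of a ClientOnionAuthDir file is the onion address without its `.onion` suffix, so this template is only valid if the SD_HIDSERV_HOSTNAME value in QubesDB is stored bare; with the suffix tor rejects the file and the failure only surfaces at tor startup, not at install time or in the unit that renders it. The template format gives no room for a comment, so I'd document the expected shape of both substitutions (bare 56-character address, x25519 private key in tor's base32 form) in the README entry for whonix-config or the service unit's header comment, and have whatever populates those QubesDB keys validate the address form before it reaches this file.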