freedomofpress · deeplow · Sep 3, 2025
@@ -155,6 +155,7 @@ jobs:
           - log
           - proxy
           - qubesdb-tools
+          - whonix-config
         debian_version:
           - bookworm
     runs-on: ubuntu-latest

@@ -15,6 +15,7 @@ This repository contains multiple components, including:
 * `log`: centralized logging
 * `qubesdb-tools`: tools for configuring non-Qubes-aware applications from
   QubesDB
+* `whonix-config`: Whonix configuration for SecureDrop
 * `proxy`: restricted HTTP proxy
 * `workstation-config`: configuration for SecureDrop Workstation templates
 

@@ -49,6 +49,14 @@ Description: Tools for configuring non-Qubes-aware applications from QubesDB.
  This package provides tools for configuring non-Qubes-aware applications from
  QubesDB.
 
+Package: securedrop-whonix-config
+Section: admin
+Architecture: all
+# FIXME: s/tor/anon-gw-anonymizer-config/ (requires Whonix repositories in piuparts)
+Depends: ${misc:Depends}, securedrop-qubesdb-tools, tor
+Description: Whonix configuration for SecureDrop.
+ This package configures Whonix/Tor for SecureDrop.
+
 Package: securedrop-workstation-config
 Architecture: all
 Depends: python3-qubesdb, rsyslog, mailcap, apparmor, nautilus, securedrop-keyring, xfce4-terminal

@@ -39,6 +39,7 @@ override_dh_installdeb:
 override_dh_installsystemd:
 	dh_installsystemd --name securedrop-log-server
 	dh_installsystemd --name securedrop-logging-disabled
+	dh_installsystemd --name securedrop-whonix-config
 	dh_installsystemd --name securedrop-proxy-onion-config
 	dh_installsystemd --name securedrop-arti
 	dh_installsystemd --name securedrop-mime-handling
@@ -0,0 +1 @@
+whonix-config/app_journalist.auth_private.tmpl /usr/share/securedrop-whonix-config
@@ -0,0 +1,2 @@
+# We don't care
+securedrop-whonix-config: package-has-long-file-name
@@ -0,0 +1,24 @@
+[Unit]
+Description=SecureDrop Whonix configuration
+ConditionPathExists=/var/run/qubes-service/securedrop-whonix-config
+
+# Both Qubes's qubes-qrexec-agent (for QubesDB) and Whonix's
+# anon-gw-anonymizer-config (for configuration directories) must
+# have started *before* this service for it to run successfully,
+# since it's a one-shot operation rather than a long-lived service.
+Requires=anon-gw-anonymizer-config.service
+After=anon-gw-anonymizer-config.service
+Requires=qubes-qrexec-agent.service
+After=qubes-qrexec-agent.service
+
+Before=tor.service
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/bin/template-from-qubesdb /usr/share/securedrop-whonix-config/app_journalist.auth_private.tmpl /var/lib/tor/authdir/app-journalist.auth_private
+ExecStartPost=bash -c "chown debian-tor:debian-tor /var/lib/tor/authdir/app-journalist.auth_private && chmod 0600 /var/lib/tor/authdir/app-journalist.auth_private"
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
@@ -0,0 +1 @@
+${SD_HIDSERV_HOSTNAME}:descriptor:x25519:${SD_HIDSERV_KEY}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		whonix-config/app_journalist.auth_private.tmpl /usr/share/securedrop-whonix-config
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# We don't care
		securedrop-whonix-config: package-has-long-file-name
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		${SD_HIDSERV_HOSTNAME}:descriptor:x25519:${SD_HIDSERV_KEY}