# -*- coding: utf-8 -*-
# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
##
# Install the latest Whonix template, configure apparmor on the installed
# templates, and ensure sys-whonix and anon-whonix use the latest version.
##
{% import "qvm/whonix.jinja" as whonix %}

# Upstream Qubes states this file builds on. The states further down
# reference them through `sls:` requisites, so they must be included here.
include:
  - qvm.anon-whonix
  - qvm.sys-whonix
  - qvm.template-whonix-workstation
  - qvm.template-whonix-gateway
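# Configure or upgrade sys-whonix and anon-whonix. Each VM is paired with
# the Whonix component (gateway / workstation) its template is built from;
# whonix.whonix_version and whonix.whonix_repo are provided by qvm/whonix.jinja.
{% for (vm, component) in [('sys-whonix', 'gateway'), ('anon-whonix', 'workstation')] %}

# Enable apparmor on workstation and gateway templates. The requisite
# does all the work, so in theory, the next two states could be covered
# by a single `qvm.vm` state, but to avoid possible bugs and guarantee
# we are configuring the template, explicitly require qvm.template_installed
# with the expected template name.
whonix-{{ component }}-{{ whonix.whonix_version }}-installed:
  qvm.template_installed:
    - name: whonix-{{ component }}-{{ whonix.whonix_version }}
    - fromrepo: {{ whonix.whonix_repo }}
    - require:
      - sls: qvm.template-whonix-{{ component }}

whonix-{{ component }}-{{ whonix.whonix_version }}-apparmor:
  qvm.vm:
    - name: whonix-{{ component }}-{{ whonix.whonix_version }}
    - prefs:
      - kernelopts: "apparmor=1 security=apparmor"
    - require:
      - qvm: whonix-{{ component }}-{{ whonix.whonix_version }}-installed

# The Qubes logic is too polite about enforcing template
# settings, using "present" rather than "prefs". Below we
# force the template updates.
#
# Both `unless` checks below use `grep -qxF` (whole-line, fixed-string
# match) instead of a bare `grep -q`. An unanchored substring match would
# also accept a template whose name merely contains the target (e.g. a
# clone with a suffix appended to the target name), and the VM would then
# silently stay on that template instead of being moved to the one this
# state is meant to guarantee.
poweroff-{{ vm }}:
  qvm.shutdown:
    - name: {{ vm }}
    - flags:
      - force
      - wait
    # Only act on a VM that actually exists ...
    - onlyif:
      - qvm-check --quiet {{ vm }}
    # ... and is not already on the target template.
    - unless:
      - qvm-prefs {{ vm }} template | grep -qxF 'whonix-{{ component }}-{{ whonix.whonix_version }}'

# cmd.run is used instead of qvm.vm to avoid a recursive
# requisite issue via the "name" parameter of qvm.vm.
{{ vm }}-upgrade-template:
  cmd.run:
    - name: qvm-prefs {{ vm }} template whonix-{{ component }}-{{ whonix.whonix_version }}
    - require:
      - qvm: poweroff-{{ vm }}
      - qvm: whonix-{{ component }}-{{ whonix.whonix_version }}-apparmor
      - sls: qvm.{{ vm }}
    - unless:
      - qvm-prefs {{ vm }} template | grep -qxF 'whonix-{{ component }}-{{ whonix.whonix_version }}'
{% endfor %}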