Merge sd-whonix into sd-proxy

deeplow · deeplow · commit 5715f95924bf · 2025-08-20T21:02:47.000+01:00
Companion PR for client change [1] with the aim of deprecating whonix, in favor of delegating the tor connectivity aspect to sd-proxy running arti. Changes introduced: 1. sd-proxy connects to 'sys-firewall' directly: since sd-proxy is now handling tor connections, it must connect directly to the internet. It keeps the original goal of preventing the client from being able to connect to arbitrary domains. This is also something that sd-whonix did not guarantee (it could connect to arbitrary domains, albeit via Tor). 2. sd-whonix has access to onion service auth key Access done via qubes feature vm-config.SD_PROXY_ORIGIN_KEY 3. sd-whonix removed 4. Install `securedrop-proxy-config` in sd-proxy template [1]: freedomofpress/securedrop-client#2561 Test in ci: openqa
diff --git a/securedrop_salt/sd-proxy-template-files.sls b/securedrop_salt/sd-proxy-template-files.sls
@@ -9,5 +9,6 @@ install-securedrop-proxy-package:
   pkg.installed:
     - pkgs:
       - securedrop-proxy
+      - securedrop-proxy-config
     - require:
       - sls: securedrop_salt.fpf-apt-repo
diff --git a/securedrop_salt/sd-proxy.sls b/securedrop_salt/sd-proxy.sls
@@ -11,7 +11,6 @@
 {% import_json "securedrop_salt/config.json" as d %}
 
 include:
-  - securedrop_salt.sd-whonix
   - securedrop_salt.sd-workstation-template
 
 sd-proxy-dvm:
@@ -26,7 +25,7 @@ sd-proxy-dvm:
       - template: sd-small-{{ sdvars.distribution }}-template
     - prefs:
       - template: sd-small-{{ sdvars.distribution }}-template
-      - netvm: sd-whonix
+      - netvm: sys-firewall
       - template_for_dispvms: True
       - default_dispvm: ""
     - features:
@@ -41,7 +40,6 @@ sd-proxy-dvm:
         - sd-workstation
         - sd-{{ sdvars.distribution }}
     - require:
-      - qvm: sd-whonix
       - qvm: sd-small-{{ sdvars.distribution }}-template
 
 sd-proxy-create-named-dispvm:
@@ -53,12 +51,13 @@ sd-proxy-create-named-dispvm:
       - class: DispVM
     - prefs:
       - template: sd-proxy-dvm
-      - netvm: sd-whonix
+      - netvm: sys-firewall
       - autostart: true
       - default_dispvm: ""
     - features:
       - enable:
         - service.securedrop-mime-handling
+        - service.securedrop-proxy-config
       - set:
           - vm-config.SD_MIME_HANDLING: default
           - servicevm: 1
@@ -79,5 +78,6 @@ sd-proxy-config:
     - name: sd-proxy
     - set:
         - vm-config.SD_PROXY_ORIGIN: http://{{ d.hidserv.hostname }}
+        - vm-config.SD_PROXY_ORIGIN_KEY: {{ d.hidserv.key }}
     - require:
       - qvm: sd-proxy-create-named-dispvm
diff --git a/securedrop_salt/sd-remove-deprecated-qubes.sls b/securedrop_salt/sd-remove-deprecated-qubes.sls
@@ -5,7 +5,7 @@
 # WARNING: only remove when complete reinstall is assumed (e.g. 1.0.0 release)
 # This is because the workstation may have been offline for a while
 # and skipped some salt updates.
-{% for untagged_qube in ["sd-retain-logvm"] %}
+{% for untagged_qube in ["sd-retain-logvm", "sd-whonix"] %}
 
 poweroff-before-removal-{{ untagged_qube }}:
   qvm.shutdown:
diff --git a/securedrop_salt/sd-whonix-config.sls b/securedrop_salt/sd-whonix-config.sls
diff --git a/securedrop_salt/sd-whonix.sls b/securedrop_salt/sd-whonix.sls
diff --git a/securedrop_salt/sd-workstation.top b/securedrop_salt/sd-workstation.top
@@ -37,7 +37,6 @@ base:
     - match: list
     - securedrop_salt.sd-usb-autoattach-add
   whonix-gateway-{{ whonix.whonix_version }}:
-    - securedrop_salt.sd-whonix-config
 
   # "Placeholder" config to trigger TemplateVM boots,
   # so upgrades can be applied automatically via cron.
