Shutdown template via salt instead of in provision-all after packages…

… have been configured.
freedomofpress · Aug 14, 2024 · 1ac9eb5 · 1ac9eb5
1 parent 3b61aea
commit 1ac9eb5
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 39 deletions.
diff --git a/files/provision-all b/files/provision-all
@@ -16,8 +16,7 @@ echo "..........................................................................
 echo "Configure base template"
 sudo qubesctl --show-output state.sls securedrop_salt.sd-base-template
 sudo qubesctl --show-output --skip-dom0 --targets sd-base-bookworm-template state.highstate
-qvm-shutdown --wait sd-base-bookworm-template
-
+# Template shutdown is handled at the end of package configuration
 
 # Running only against dom0, to ensure the VMs are created (but not yet configured)
 echo ".........................................................................."

diff --git a/securedrop_salt/sd-base-template-packages.sls b/securedrop_salt/sd-base-template-packages.sls
@@ -30,4 +30,17 @@ sd-workstation-template-enable-paxctld:
     - enable: True
     - reload: True
     - require:
-      - pkg: sd-base-template-install-securedrop-packages
+      - pkg: sd-base-template-install-securedrop-packages
+
+{% set vmname = grains['id'] %}
+
+# Shut down the base template after all packages have been installed
+# and other configurations have been applied, to ensure that templates
+# based off this template have all requisites before they are created.
+shutdown-template:
+  qvm.shutdown:
+    - name: {{ vmname }}
+    - flags:
+        - wait
+    - require:
+      - service: sd-workstation-template-enable-paxctld
diff --git a/securedrop_salt/sd-devices-files.sls b/securedrop_salt/sd-devices-files.sls
diff --git a/securedrop_salt/sd-viewer-files.sls → ...p_salt/sd-large-template-requirements.sls b/securedrop_salt/sd-viewer-files.sls → ...p_salt/sd-large-template-requirements.sls
@@ -14,17 +14,24 @@ include:
   - securedrop_salt.fpf-apt-repo
   - securedrop_salt.sd-logging-setup
 
-sd-viewer-install-metapackage:
+sd-large-install-libreoffice:
+  pkg.installed:
+    - name: libreoffice
+    - retry:
+        attempts: 3
+        interval: 60
+    - install_recommends: False
+
+sd-large-install-viewer-metapackage:
   pkg.installed:
     - pkgs:
       - securedrop-workstation-viewer
     - require:
       - sls: securedrop_salt.fpf-apt-repo
 
-sd-viewer-install-libreoffice:
+sd-large-install-export-metapackage:
   pkg.installed:
-    - name: libreoffice
-    - retry:
-        attempts: 3
-        interval: 60
-    - install_recommends: False
+    - pkgs:
+      - securedrop-export
+    - require:
+      - sls: securedrop_salt.fpf-apt-repo