From 942d41d89e780f40ef4f67b8e752522db3a5110e Mon Sep 17 00:00:00 2001
From: Michael Z
Date: Mon, 24 Oct 2022 11:48:51 -0400
Subject: [PATCH] Leverage systemd conditionals for logging services Goal of this change is to make it possible to just enable all the services we need on all VMs, but have them start exclusively in the VMs they're meant for. Since we have predictable hostnames, we can ask systemd to only start services for specific hostnames.
---
 securedrop-log/debian/securedrop-log.install | 1 -
 securedrop-workstation-config/debian/control | 2 +-
 .../debian/securedrop-workstation-config.install | 1 +
 ...ote-logging.securedrop-workstation-config.service | 12 ++++++++++++
 4 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 securedrop-workstation-config/securedrop-disable-remote-logging.securedrop-workstation-config.service
diff --git a/securedrop-log/debian/securedrop-log.install b/securedrop-log/debian/securedrop-log.install
index 01500926..49d442fd 100644
--- a/securedrop-log/debian/securedrop-log.install
+++ b/securedrop-log/debian/securedrop-log.install
@@ -2,4 +2,3 @@ securedrop.Log etc/qubes-rpc/
 sd-rsyslog usr/sbin/
 securedrop-log.service etc/systemd/system
 sdlog.conf etc/rsyslog.d/
-
diff --git a/securedrop-workstation-config/debian/control b/securedrop-workstation-config/debian/control
index f3968c61..65107a52 100644
--- a/securedrop-workstation-config/debian/control
+++ b/securedrop-workstation-config/debian/control
@@ -2,7 +2,7 @@ Source: securedrop-workstation-config
 Section: unknown
 Priority: optional
 Maintainer: SecureDrop Team
-Build-Depends: debhelper-compat (= 11),
+Build-Depends: debhelper-compat (= 11)
 Standards-Version: 3.9.8
 Homepage: https://github.com/freedomofpress/securedrop-workstation-config
diff --git a/securedrop-workstation-config/debian/securedrop-workstation-config.install b/securedrop-workstation-config/debian/securedrop-workstation-config.install
index e2d96c18..3b8f4b7b 100644
--- a/securedrop-workstation-config/debian/securedrop-workstation-config.install
+++ b/securedrop-workstation-config/debian/securedrop-workstation-config.install
@@ -4,3 +4,4 @@ mimeapps.list.sd-app opt/sdw/
 mimeapps.list.sd-devices-dvm opt/sdw/
 open-in-dvm.desktop opt/sdw/
 paxctld.conf opt/sdw/
+securedrop-disable-remote-logging.service etc/systemd/system
diff --git a/securedrop-workstation-config/securedrop-disable-remote-logging.securedrop-workstation-config.service b/securedrop-workstation-config/securedrop-disable-remote-logging.securedrop-workstation-config.service
new file mode 100644
index 00000000..9858f060
--- /dev/null
+++ b/securedrop-workstation-config/securedrop-disable-remote-logging.securedrop-workstation-config.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=SecureDrop: Disable remote logging for sd-log and sd-gpg
+Before=rsyslog.service
+ConditionHost=|sd-log
+ConditionHost=|sd-gpg
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rm /etc/rsyslog.d/sdlog.conf
+
+[Install]
+WantedBy=multi-user.target
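Review bot: The entry added to securedrop-workstation-config.install names `securedrop-disable-remote-logging.service`, but the unit file this patch creates is `securedrop-disable-remote-logging.securedrop-workstation-config.service`, so unless a file with the shorter name exists elsewhere in the tree the install step has nothing to copy. Either rename the new file to match the entry or change the entry to `securedrop-disable-remote-logging.securedrop-workstation-config.service etc/systemd/system`. The name matters beyond the build: whatever enables the unit on sd-log and sd-gpg has to use the installed name, otherwise sdlog.conf stays in place on those VMs and they keep forwarding logs.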
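Review bot: `ExecStart=/usr/bin/rm /etc/rsyslog.d/sdlog.conf` in the new unit exits non-zero when the file is already absent, and `Before=rsyslog.service` only orders the two units, so rsyslog starts whether or not the removal succeeded. I would use `ExecStart=/usr/bin/rm -f /etc/rsyslog.d/sdlog.conf` so a repeat run on a VM whose root volume persists is not reported as a failed unit. The unit also fails open: if neither `ConditionHost=` matches when it is evaluated (presumably the hostname is set early enough in these VMs, but that is not visible here), the forwarding config is left in place without any error. A short comment above the two `ConditionHost=` lines, for example `# "|" marks these as triggering conditions: run if the hostname is sd-log OR sd-gpg`, would make the intent clear to the next reader.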