first commit

decrypt/application-x-sd-xfer.xml

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
+  <mime-type type="application/x-sd-xfer">
+    <comment>Archive for transfering files from sd-journalist to disp vm for decryption</comment>
+    <glob pattern="*.sd-xfer"/>
+  </mime-type>
+</mime-info>

decrypt/decrypt-sd-submission

@@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+import sys
+import tarfile
+import tempfile
+import os
+import fnmatch
+import zipfile
+import glob
+import subprocess
+import shutil
+
+input = sys.argv[1]
+
+# a nice place to work...
+tmpdir = tempfile.mkdtemp()
+
+# we get given a tarball of everything the user has downloaded.
+# first step, extract that archive
+with tarfile.open(input) as tar:
+  # potentially unsafe, can create arbitrary files on the filesystem 
+  # given a malicious tarball
+  tar.extractall(tmpdir)
+
+# everything in the archive should be zips, as created by SD
+# let's unzip those here
+zips = glob.glob(tmpdir + "/*zip")
+for z in zips:
+  with zipfile.ZipFile(z) as zf:
+    zf.extractall(tmpdir + "/extracted/")
+  os.unlink(z)
+
+# great, we should be left with a directory tree filled with files
+# encrypted to our public key. let's find those and decrypt them
+for root, dirnames, filenames in os.walk(tmpdir):
+  for fn in fnmatch.filter(filenames, '*.gpg'):
+    [fn_no_ext, _] = os.path.splitext(fn)
+    subprocess.call(["gpg", "--out", os.path.join(root, fn_no_ext), "--decrypt" , os.path.join(root, fn)])
+
+    os.unlink(os.path.join(root, fn))
+
+# almost done. docs are gzipped. let's ungzip them.
+for root, dirnames, filenames in os.walk(tmpdir):
+  for fn in fnmatch.filter(filenames, '*.gz'):
+    # maybe sorta lazy, could do this using python gzip module.
+    subprocess.call(["gunzip", os.path.join(root, fn)])
+
+# ok. we're going to send all the decrypted stuff to the svs vm.
+# let's tar it all up again, so we can `qvm-open-in-vm` it.
+fh = tempfile.NamedTemporaryFile(suffix=".sd-xfer-extracted", delete=False)
+print "extracted fh name " + fh.name
+out_tar = tarfile.open(mode='w', fileobj=fh)
+out_tar.add(os.path.join(tmpdir, "extracted"), arcname="extracted")
+shutil.rmtree(tmpdir)
+
+# finally! ship this off to sd-svs
+subprocess.call(["qvm-open-in-vm", "sd-svs", fh.name])
+os.unlink(fh.name)
+
+# work around a qubes open-in-vm bug
+# (https://groups.google.com/forum/#!topic/qubes-users/dxFa4ZXmPYc)
+# shouldn't be an issue for disp vm's
+os.unlink(input)

decrypt/decrypt-sd-submission.desktop

@@ -0,0 +1,5 @@
+[Desktop Entry]
+Type=Application
+MimeType=application/x-sd-xfer
+Name=Decrypt SD Submission
+Exec=/home/user/bin/decrypt-sd-submission

decrypt/notes

@@ -0,0 +1,74 @@
+"stage" SD is running on crabby
+
+Source url is
+
+  http://zmdxuykqj2ouq4yi.onion/
+
+Journalist URL is
+
+  http://avgfxawdn6c3coe3.onion/
+
+  joshua / allcreationbows , 2FA is on google app on iphone
+
+Journalist hidden service auth is
+
+  HidServAuth avgfxawdn6c3coe3.onion Il8Xas7uf6rjtc0LxYwhrx # client: journalist
+
+That line just needs to go in /etc/tor/torrc on the sd-whonix VM
+
+
+Here is a source code:
+
+  flock unfocused dust rebound refinance moonwalk partly
+
+in the journalist UI, that user is
+
+  distinguishable rumen
+
+SD encrypts everything using GPG. The keys are in XXX (see slack!). The secure key needs to added to the disp VM, and `gpg --import secure.sec` needs to be run there. For development, do the same to the `work` vm.
+
+-----
+
+What happens when file downloaded in journalist workstation?
+
+User should trigger script which:
+
+   - tar's up downloaded files, names it blah.sd-xfer
+   - runs this:
+
+       qvm-open-in-dvm blah.sd-xfer
+
+    or for development:
+
+      qvm-open-in-vm work blah.sd-xfer
+
+That is the move-to-svs script in sd_journalist:~/projects/sd/
+
+The disp vm template (and for development the work vm) must be configured to open files of that type with the next script. First, the xml file in this directory should be installed at
+
+    /usr/share/mime/packages/application-x-sd-xfer.xml 
+
+and the .desktop here should be placed in
+
+    /usr/share/applications/
+
+(this all from https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Desktop_Migration_and_Administration_Guide/File_Formats.html)
+
+Then you need to update the mime and application databases:
+
+    sudo update-mime-database /usr/share/mime
+    sudo update-desktop-database /usr/share/applications
+
+Those steps configure xdg-open to open `.sd-xfer` files using the `decrypt-sd-submission` script, in this directory. That script should be symlinked in ~/bin/ (and in disp vms, the script should be copied to ~/bin/).
+
+That script untars the file, unzips each file in the tarball, decrypts each file in each zip, re-tar's the results into a file with a `.sd-xfer-extracted` extension, the opens that file in the sd-svs VM.
+
+The sd-svs VM is mostly a respository for those decrypted files. It's configured to open `.sd-xfer-extracted` files with a script which simply untars the file into the ~/Sources directory. See sd-svs:~/projects/sd/ - it contains the script, plus .desktop and .xml files for handling those file types.
+
+That all seems to be working pretty well. 
+
+--- 
+
+Opening files in the SVS VM.
+
+By default, we want *all* files in the sd-svs VM to be opened in disposable VMs  (except .sd-xfer-extracted files). This is sorta hard, but we'll try! Maybe we can remove *all* files in /usr/share/mime/, and have a single "mime type" which is handle by a scrpit which just `qvm-open-in-dvm`s. Of course we'd want to leave the mime type for `.sd-xfer-extractred`, too.

decrypt/sd-journalist.sec

@@ -0,0 +1,106 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+lQcYBFJZi2ABEACZJJA53+pEAdkZyD99nxB995ZVTBw60SQ/6E/gws4kInv+YS7t
+wSMXGa5bR4SD9voWxzLgyulqbM93jUFKn5GcsSh2O/lxAvEDKsPmXCRP1eBg3pjU
++8DRLm0TEFiywC+w6HF4PsOh+JlBWafUfL3vwrGKTXvrlKBsosvDmoogLjkMWomM
+KBF/97OKyQiMQf1BDJqZ88nScJEqwo0xz0PfcB04GAtfR7N6Qa8HpFc0VDQcILFB
+0aJx5+p7nw1LyR37LLoK8JbEY6QZd277Y0/U+O4v6WfH/2H5kQ8sC+P8hPwr3rSg
+u3SVbNRasB4ZHFpJZR9Kv21zmQb9U3rrCk2yg3Wm0qtZ0S5CECAAwG2LQkKouRw2
+ak+Y8aolHDt6a785eF0AaAtgbPX4THMum/CNMksHO0PBBqxR+C9z7WSHXFHvv+8B
+5nRccS4m4klyYTbZOOJ45DuC3xDjTRwzzpkYhqf4pLAhwF3spKZsAczAFPmDyxFf
+CyIBiMZSK/j8PMJT1X5tgpL1NXImNdVIPV2Fy+W7PkNfG2FL/FQIUnK6ntukLW/7
+hV6VHcx52mMn1pVUc6v80LEb4BMDz41vlj9R8YVv8hycPtnN0QL5gIME1n7jbKJf
+yfWxkvBXMINDgHK/RysRMP6FXA6Mw65BGNIuO0Il0FTy12HuKI/coEsG2QARAQAB
+AA//Q5Azhy0IDDfqgarsg+4U1xZPv1MEU1iozv8dmpInYx7JqHlUvHUMl6jvWPsM
+9jGUtU7t3en3n8ngoCR0LUmH8uLf8IXWL2s2TIjmA7AcHxLDWslqEPD+6Oq8GYCJ
+OVd70udCBGRgaAmnB4NX/XGJVImHTXaQ2Obp/fO2xRXdoYPzDEW3UFvvGI9+KRk3
+SbXlVvkKDijVnh+mlABgTZzdG2s5oOFOxxr5jlMDNvJkvMP3d39e5KRpsCo6s46A
+zbItpX5el+v8ACnboJamIod2lYW7g+zMKhq8LWA3mt2mGGbNYEdxVkZNkY0BhP8V
+UEvHc4EHFLGuxqS5RjM51A9oJk6CES2rs8Q68rXuUKpIoolq4KCNSQvetOGLPiks
+EICbJcC+3pwg1OhOCbD2nV8kHHSiuEbQCt4UBNzw+g4ponW9IwadKz1WSGpdRlzi
+Ksn+jpAzIi8b50tEIFqCMEF/zH+V1dU3TtVmKpI4KshBtmvkWt4Ea460Ve8q5Oku
+4AG7Iujiz/KAtWYU9AnzzalyB4Zy0yGqeNZ0faxnewtVSpqhJ+Qcxv6IuOcNYZow
+1ese5ncRh3OPwskyRhl+9B9YOEVky+vUFa2IB5K/0CnFC86MMjlJ97uRJJ+4ompV
+rWCSpNifBgjPc+7q1jLqJMkE5pc45ZCEIvR9SvHOjI/uSU8IAMFtM8WW6LXmb7z0
+intLj4rPSgnic5PtQP/XghiqNeMLVSRfTo+xO0IqMIRFEeCjDiQ74nh4k6WDdQpG
+Uq3+5SeV1VJSRLpjBUZBEdX0XBhzS5XvKVzCnXSVl7JzL9mGHk1QWziLLimlu49R
+m3qt5g30UkX56A6aJ6VpJc4P5wwV9Mxnjp4B/D34xGEfX7YaNYE859/y9NhXlHuV
+dd0esfYnTV4UPifBJvopeRy0P/RICkozE9sgRgg1RVfDWEyLcljCQNgxrra3sMLY
+jlK3wvAEdXf1Gb1024Knbp5u8gTZgqh/PREDXI2eqdCSuLdygcJAsGJHkdZtYUSK
+epWGGicIAMqvOd6wvfEvz2Comn/t8gwuAv49TUOMGMTmpR4VSuKePZ8f+olUqy4X
+Fo0wCzq+K+DYPH+JL9S9nXW29E20EM6Khd+lREMNcUf/G2Cb3mjfz27GyhRiACYq
+Nrvsn0pHstXTJqnQyznZlbgGmk+gzfsK9aMT3W9XZFjODDsHEvHYF0zcO212AjCj
+COJuZePP44eDqiu9Owxv15KwqtgHlaVz5kg9j1cA58ppmd/lRvep7aR3tuuKiXyb
+htunNaitKTwB475oO+W/x7RsL9oZh85i8R+YSzyqabEg7VNTazk82boo2sDsuaiu
+ZQspK6juGR50vDWiAJmuGYWzEGmvdv8IAJLYwi82TLg9OcDwaoBl295b/Pc5ar21
+LRSDPf//qAsXrN8YkrOm7BsfRp9tMzgCEpkCgDj3JZDLh1TlmX8Gmsa/xVq+bfNP
+8W0ELulOrcCQ0aAQxrJRCHjnUAzcI2tjzT6961PrrEYTsy7tlZ7mYZ2SmPyrPZEh
+SNVnO8H3rDaBXaqqLOi+SzrSkYn9DjA+IEp4Pi1J8mZWs5vV662xrqnHPhzNKf6Y
+dAAF5GlXOrEqCj2qF/i79P9kh5KHr37ZsgFl11zesVEyezL2sScv6KmeRjz3O3Nk
+TagLhJTzBNoUZymiq5CQlY2nn5c5UeFx9lpRHnJRkv9p8adspqwYKguBi7Q2U2Vj
+dXJlRHJvcCBUZXN0L0RldmVsb3BtZW50IChETyBOT1QgVVNFIElOIFBST0RVQ1RJ
+T04piQI4BBMBAgAiBQJSm8UDAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAK
+CRDMQO8SKCcUQReED/4uGk1OGSJHip2EsgAPrwL6L3aT9FMKt+eQCLoj5DdoH3tY
+0mXGMP/0M/oIq2Y+q6BEXVNEYOy2QzTnnPqn965tqN/SZF1CNu/IYmxCJj7TSJi/
+MuWtg7IebR8KvWLKJjW4PU5ybmB2hzyO3jTEzXY3j8bocGfx3Q8B6ot/MdK8ss5J
+rLSIPlgQHhyXloe4CTTk0alQbtt8KEp0kMXmqjrz66AsofwjzcezOn1PSc0S4tV7
+0OkIEapevBcr7cnYQv3gWSXpK4zZNg9NZ5dLR73g64Lv+GqK0UBksueMfEEmx/uD
+Bd7/uxmz7jWFb3D9MBLCjAMQ+s8Kh8bJQ/HPMjIh8T9y8ek/dI5Il7ehFaci1yzT
++qIPt7SArj3q4KR5lCNeIK7Bu8Kuu2VgfCRske2PJAQlauu7jO3XZcLSuihwTdLL
+se+WIdW6miyczJNAt1pHknHsdXANegJh7eoAy+ghFok7kZpYMTR/iy95EqNxAt6l
+LivYeyzUtfPjHjDpqPUtrZRGipqmFwIcTn5E/HokkViUSizx0Sd2LyJ2tox6a+az
+lreW4hRY5WVPclVeTynvAtMrSl1DEErRoVK/AZKnBgUEeDCd9g/EiRzOLrX5azb9
+nCiFlLMeWWVmbefvnCXrXJqVQNrVZdelSZakJpJ/oQpKyv/5nU9pcgeVrzP68Z0H
+GARSWYtgARAA837/vToG+ChFhaJvczBfsYPG3Hfwre9v7Fi0Fuj8+vkpJixB7pJU
+zvpO8YkOo3c1849a038t9ey+xudZ2gUm+hJH7/JrtqIDsK77YGJxgr3wqaKFEsXH
+4vmhCcyCS9vUwItUQi2ZteSkW5LxJfMEvdwUi4moOcOP/Hj9b13m6veRqwmcIjWX
+YXULN6p+I91Ub01v0mRyAHSWPpjH1DD46uHOLAPNqLOpFaxJ1nixn0/XfpJ35vSf
+9kbpsvdGywGOkhZkWffw8cCsGyLFcvAkb1N0VRUl/BwgUHqUQkJJbPa+ylQamBNl
+oftGvvcBxxzSO1QcShlz35a4q8WNQAeb4y3F9YZl2wqMn+MrYHR8gig8/TnPsZIC
+XslVul8EqnORIbjRV6d/guwRe3kGdURCS2y+grRJHhdIxwWk3ijP6TeH1YYz4lPx
+bDZmRiscS8sQ55wyOaWPG4aYVccAUWeRrVTaolTQ8Pq0QAkGpaU9tTnAICz/kc/q
+n90z8hGTeljxMfP++iC7kh2/JqTh+1v+deH+TbhWgJYJlJzt3E9dIYeCMDkPpL49
+KjMMPHwEiPQyRMV1GG98Q0gpjpCT4btfw6694HRQYWuP4wM+4wVpbFa9kSyc4pX/
+DIvY/FqRyHz/ll7cFs9/omD0tEj6Ae4PQwNPhIu+tKSSX+9wBIw/nxcAEQEAAQAP
+/1bzlAmTridx4hmtftUIgjOW1i2mmwjRxwsERhMkUiqhTSN3jHfQQ37B/ezcv6B6
+EocOOyXpdZUrXJkUxo5HZrrISm4SCIroYh727YdmwBgrEcTR52ljvVR9RheEs0a5
+ksjLOGSFei1tH5Af8gNWO+w8qg2GM8+k2UcUQZRCWRKxI5CLVvkUYCGKNV5EgNT3
+1Y4FfhgIjHlDKN/jmQBaGJlv1zr6hLdoqMm3g4qWAP/d+BsX3L9ZvcGpYwzoppwZ
+yzq5yk4ibyU1Y4AxM4cu4CPtDk7PxYe414VFsKnUl/nURx9jVzfVPWbRn1rURAtB
+bIWJLKz9V9aRMRMN8bnavbx5HrtGXanVzsGz1ZXlpnGAWeG2E2GFM42VQ1206gLn
+15sB1ZIrzLSDoCRa4eL7agt0zOyJ7PNBT1qZDvmulva+amdvzPwBHIaIALSQVPap
+17sO+bV6FN7dnHgKta1hWKdbeFJpoN0+TmIHAad/LO+qLeO0bA4/WgTXTN7uAiNG
+Tapp0x79xHVjC8JUF9tmArNVYQuybwBbZ2z3dYaYa+7dvdSGS9zUMWNwdGH2BnzQ
+LRGMyfQJAMXaivNdwHluuMuYyhBFstFhgH/4vYXLeJ2p0vdtFf8QqeFaEirHzBQX
+X8DJmfWySb1XcPsC7RUjgI+6rPNJZ53vjHQEr22QPFUhCADzoVVzPpLLIXJ+/Mee
+DA4vRg476cfCY+EW/cOu7kL+VzJZmgd7t06ZHU+TL1yDFkxajaJBQMz2RT5kLWtv
+FSf9cGPfdv7L6J9y7UiojTzdIFnJH5VDmo5ozntvJrUcmG5/vI2eyc9PAIX8Q+8v
+iKo2zFqs6+x+8gOES/3hZWHHC8rA2JsdJBk796vuWxgDIB67M2mA7L5qjyinkKrY
+cthDBNJ3PqfToFuvENS835hxluwyNQcaS1UTr39KD0qsXqvmmSZf/LVDBIJ89uXU
+pSY7hA0HSeWCA2haIxVzrzqPBlmZEagdqcfP9bsf4VsmuDZwYQkd9sgzWYqX2zed
+vXORCAD/2+wCvCrnoOn1U0yt6xjKCHe84IZh1jn0cnf1inSboHGjDU7otPWskWUF
+EVjdCFks5jR7jGaLUi85QfMQW4Sqbl1x9vFmk+xLVFxvrDibuDWg4JpuPyStvTCJ
+6K7jda1bQI+p0TGg5g1o8fDaUTex9J1zNyJ+vzlN3zuvcOKPdRkPDppsd7noTBBm
+lZhoNus3w+7/MO8RrRBskcDfUefwHILvxBFh3VapQ2ke17l4UJJSkFabxSnOj/th
+j3B26L1d0oV3bly6faTKb22puR1l+/jRcOpX+pzroZGDpmdBjvRdctepDsWxeDxK
+82Sw8NLkJ8pviD7MZ0BVK3q1aMQnB/4t7Ri0c+I1brdBtChELhYiXmU1+LMXs2GM
+dchHxJWpt0RhexHvIP1/mBwePr0uI2QVnA+UpZ/lAj14KxWje7K08FoRSLVsxZnx
+6ArKiqROJEIF1xpAYf2OK9TffFVCvFCu9EQqx61TLgNhbXreAELM0e2dcf3iocFq
+VA+dgmk6X5HdRPujta9gQ1STrw/s6wQ4aRv+ionItuLv8zUpULxTK0gOAPTNEMCR
+HO31+RmR1nse8LGtgTotVqSRa6cmFBUCi8OJJSAY9233fZXwJl0FEFk2S52zrTCY
+QVz0jqDU4hQ+zZfI82Z9yOMFAK8wcVk+YbKV+agfHf5PfaDLz56Fg/CJAh8EGAEC
+AAkFAlJZi2ACGwwACgkQzEDvEignFEGn9w//eUnH3PnLNkDpS8tBHqkr5XWLLaG9
+n5L4TBhEKJOBhNd6QfMtdbCNYZ9RgNMcx5pL070ExEwY5TeKfJvjsZlKhDQ3RtFV
+POtjr/SJ+FRInTQx6Y6h0jVvPikAyTe5HyJbKGVoafskAgAqYKb4rSqR4l3rVL2L
+KvHuz1CZo0+e6mbmlz5uk4CRsrKruwQWlYzlDHzafW1Uy2chbY6hE9vPzQmSRAHa
+mXpKOyRepnz2NwVYYjogKFgQ0pzrnFp8O3i4W4dT7mPiPZ/jJJhLB+hYL3sw6Aku
+oD9aKbF540JgWHKRQNasvmYoFOAxeAf+xiTcYOjt+yxphsqfXFttfgZdCXf6u7jN
+Pr8XsLFkSuMtv569KHJ/iK0z7kB1spGJHOitqopuUFrhN8kFKoeKx1zF1l4F7X36
+PJjprxkxwaGtB6SyIrFNGHvKUCTsItWAsQgcvFfMehnSgAXPa6Ub7Mf0pL097wxD
+EcKuXJ+hASVC4mhhutgE67byK28Y+DPr7nGC9lE68+ioiQiTwNi32UmpQUF5m4Ul
+3lbVO4covG55Vi9Ip4b57dOM5h0kW8Nkiczhw1avw33aZhKKmGWOIcApVNB4h/WZ
+rTtBQf+6XdgL6DTsX4EuicghcDq5BV5u/mIvFOA7MhDAdMlW7gw+JA2fWHh2TVGi
+d9X9on517X6qMDw=
+=E6hg
+-----END PGP PRIVATE KEY BLOCK-----

dom0/hidserv.json

@@ -0,0 +1,6 @@
+{
+  "hidserv": {
+    "hostname": "avgfxawdn6c3coe3.onion",
+    "key": "Il8Xas7uf6rjtc0LxYwhrx"
+  }
+}

dom0/sd-journalist.sls

@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.work
+# ========
+#
+# Installs 'sd-journlist' AppVM, for hosting the securedrop workstation app
+#
+##
+
+include:
+  - qvm.template-whonix-ws
+  - sd-whonix
+
+{%- from "qvm/template.jinja" import load -%}
+
+{% load_yaml as defaults -%}
+name:         sd-journalist
+present:
+  - template: whonix-ws
+  - label:    blue
+prefs:
+  - netvm:    sd-whonix
+require:
+  - pkg:      template-whonix-ws
+  - qvm:      sd-whonix
+{%- endload %}
+
+{{ load(defaults) }}

dom0/sd-journalist.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-journalist

dom0/sd-svs.sls

@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.work
+# ========
+#
+# Installs 'sd-journlist-pesistent' AppVM, to persistently store SD data
+# This VM has no network configured.
+##
+
+{%- from "qvm/template.jinja" import load -%}
+
+{% load_yaml as defaults -%}
+name:         sd-svs
+present:
+  - label:    yellow
+prefs:
+  - netvm:    none
+{%- endload %}
+
+{{ load(defaults) }}

dom0/sd-svs.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-svs

dom0/sd-whonix-hidserv-key.sls

@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+{% import_json "hidserv.json" as d %}
+
+# add hidden service auth key to torrc
+
+sd-whonix-hidserv-key:
+  require:
+    - sls: sd-whonix
+  file.append:
+    - name: /etc/tor/torrc
+    - text: HidServAuth {{ d.hidserv.hostname }} {{ d.hidserv.key }}

dom0/sd-whonix-hidserv-key.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  sd-whonix:
+    - sd-whonix-hidserv-key

dom0/sd-whonix.sls

@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.sd-whonix
+# ==============
+#
+# Installs 'sd-whonix' ProxyVM for securedrop journalist workstation.
+#
+##
+
+include:
+  - qvm.template-whonix-gw
+  - qvm.sys-firewall
+
+{%- from "qvm/template.jinja" import load -%}
+
+{% load_yaml as defaults -%}
+name: sd-whonix
+present:
+  - template: whonix-gw
+  - label: purple
+  - mem: 500
+  - flags:
+    - proxy
+prefs:
+  - netvm: sys-firewall
+  - autostart: true
+require:
+  - pkg: template-whonix-gw
+  - qvm: sys-firewall
+{%- endload %}
+
+{{ load(defaults) }}

dom0/sd-whonix.top

@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-whonix