@eloquence has tested this valiantly and patiently today and discovered that what I've automated here, though not my original, manual experimentation, effectively conflates SecureDrop's two kinds of virtual environments:
1. staging, provisioned via host-level `make staging`, with Tails access manually configured; and
2. production, provisioned via Tails-level `securedrop-admin {sdconfig,install}`, with Tails access automatically configured by `securedrop-admin tailsconfig`.
- [x] (1) is what this Terraform/cloud-init configuration should actually set up. This does not currently work without manual intervention and needs to be tested and fixed.
- [x] (2) should be documented as "expert mode".
- [x] ...and this distinction should be clarified with a PR to the upstream `freedomofpress/securedrop-docs`. ;-)