Open rocodes opened 4 months ago
I support this approach wholeheartedly. As you point out, @rocodes, it has precedent in how we parameterize securedrop's Ansible playbooks. It would be wonderful to be able to separate configuration from provisioning logic.
Description
Filing for discussion
Right now our provisioning logic copies everything needed for provisioning into one common Salt directory, and uses conditionals in .sls files to choose the right path(s) for provisioning, leading to lots of branching logic {% if d.environment == "staging" %} ... {% elif d.environment == "prod" %}. Part of why the provisioning is complex is because it's trying to deal with different build flavours/environments, and can't tell which one to use until orchestration/apply time.
I think we could use saltenv/pillarenv and simplify our lives:
qubesctl state.apply pillarenv=dev) ** (use the pillarenv_from_saltenv configuration option for sanity)
securedrop-workstation.repo, sd-release-key.asc), meaning sd-default-config{.sls,.yml} wouldn't be needed.
How will this impact SecureDrop/SecureDrop Workstation users?
How would this affect the SecureDrop Workstation threat model?
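An added example (not from the issue or the securedrop-workstation repository) of per-environment Salt roots replacing the `d.environment` branching described above, with a guard that fails the run when no environment was selected. The directory paths, the `sd` pillar key, the state IDs and the destination path are assumptions; `file_roots`, `pillar_roots` and `pillarenv_from_saltenv` are standard Salt minion options.

```yaml
# --- minion config drop-in (hypothetical path: /etc/salt/minion.d/sd-env.conf) ---
# Each environment gets its own directory for the files that differ
# (securedrop-workstation.repo, sd-release-key.asc) plus the shared states.
file_roots:
  dev:
    - /srv/salt/env/dev        # assumed layout
    - /srv/salt/common
  prod:
    - /srv/salt/env/prod
    - /srv/salt/common
pillar_roots:
  dev:
    - /srv/pillar/dev
  prod:
    - /srv/pillar/prod
# Pillar environment follows saltenv, so states and pillar data
# cannot be taken from two different flavours in one run.
pillarenv_from_saltenv: True

# --- /srv/pillar/prod/top.sls (dev has its own copy naming "dev") ---
prod:
  '*':
    - sd-config

# --- /srv/pillar/prod/sd-config.sls ---
sd:
  environment: prod            # hypothetical key, checked by the guard below

# --- /srv/salt/common/sd-repo.sls (shared by every environment) ---
# Guard: if no pillarenv is selected, Salt merges pillar data from all
# environments, so stop the run instead of installing whichever repo
# file or key happens to resolve.
{% if pillar['sd']['environment'] != saltenv %}
sd-env-mismatch:
  test.fail_without_changes:
    - name: pillar environment differs from saltenv
    - failhard: True
{% endif %}

# salt:// resolves inside the selected environment's file_roots,
# so the state itself carries no staging/prod conditionals.
install-sd-repo:
  file.managed:
    - name: /etc/yum.repos.d/securedrop-workstation.repo   # placeholder destination
    - source: salt://securedrop-workstation.repo
    - mode: '0644'
```

With this layout the environment is chosen once on the command line by passing `saltenv=prod` to `state.apply`, in the same way the post passes `pillarenv=dev`.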