Add state to route all updates through Whonix

As discussed in QubesOS/qubes-issues#2604, lets have a state for
switching just updates, not all the traffic.

Fixes QubesOS/qubes-issues#2604

README.rst

@@ -63,6 +63,10 @@ Whonix workstation AppVM.
 -------------------
 Whonix workstation AppVM for Whonix Disposable VMs.
 
+``qvm.updates-via-whonix``
+-------------------
+Setup UpdatesProxy to route all templates updates through Tor (sys-whonix here).
+
 ``qvm.template-fedora-21``
 --------------------------
 Fedora-21 TemplateVM

qvm/updates-via-whonix.sls

@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.updates-via-whonix
+# ===============
+#
+# Setup UpdatesProxy to always use sys-whonix.
+#
+# Execute:
+#   qubesctl state.sls qvm.updates-via-whonix dom0
+##
+
+
+default-update-policy-whonix:
+  file.prepend:
+    - name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
+    - text:
+      - $type:TemplateVM $default allow,target=sys-whonix

qvm/updates-via-whonix.top

@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - match: nodegroup
+    - qvm.updates-via-whonix

rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec

@@ -78,6 +78,8 @@ fi
 /srv/formulas/base/virtual-machines-formula/qvm/template-whonix-ws.sls
 /srv/formulas/base/virtual-machines-formula/qvm/untrusted.sls
 /srv/formulas/base/virtual-machines-formula/qvm/untrusted.top
+/srv/formulas/base/virtual-machines-formula/qvm/updates-via-whonix.sls
+/srv/formulas/base/virtual-machines-formula/qvm/updates-via-whonix.top
 /srv/formulas/base/virtual-machines-formula/qvm/vault.sls
 /srv/formulas/base/virtual-machines-formula/qvm/vault.top
 /srv/formulas/base/virtual-machines-formula/qvm/whonix-ws-dvm.sls