From a0cbb48b2c4d47eccd56862f476330c442ff96c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Sat, 7 Oct 2017 03:42:01 +0200
Subject: [PATCH] Add state to route all updates through Whonix

As discussed in QubesOS/qubes-issues#2604, lets have a state for switching just updates, not all the traffic.

Fixes QubesOS/qubes-issues#2604
---
 README.rst | 4 ++++
 qvm/updates-via-whonix.sls | 19 +++++++++++++++++++
 qvm/updates-via-whonix.top | 7 +++++++
 ...-mgmt-salt-dom0-virtual-machines-dom0.spec | 2 ++
 4 files changed, 32 insertions(+)
 create mode 100644 qvm/updates-via-whonix.sls
 create mode 100644 qvm/updates-via-whonix.top

diff --git a/README.rst b/README.rst
index 3b21bf5..2308bdf 100644
--- a/README.rst
+++ b/README.rst
@@ -63,6 +63,10 @@ Whonix workstation AppVM.
 -------------------
 Whonix workstation AppVM for Whonix Disposable VMs.
+``qvm.updates-via-whonix``
+-------------------
+Setup UpdatesProxy to route all templates updates through Tor (sys-whonix here).
+
 ``qvm.template-fedora-21``
 --------------------------
 Fedora-21 TemplateVM
diff --git a/qvm/updates-via-whonix.sls b/qvm/updates-via-whonix.sls
new file mode 100644
index 0000000..c08e1fe
--- /dev/null
+++ b/qvm/updates-via-whonix.sls
@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# qvm.updates-via-whonix
+# ===============
+#
+# Setup UpdatesProxy to always use sys-whonix.
+#
+# Execute:
+# qubesctl state.sls qvm.updates-via-whonix dom0
+##
+
+
+default-update-policy-whonix:
+ file.prepend:
+ - name: /etc/qubes-rpc/policy/qubes.UpdatesProxy
+ - text:
+ - $type:TemplateVM $default allow,target=sys-whonix
diff --git a/qvm/updates-via-whonix.top b/qvm/updates-via-whonix.top
new file mode 100644
index 0000000..646c0e3
--- /dev/null
+++ b/qvm/updates-via-whonix.top
@@ -0,0 +1,7 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+ dom0:
+ - match: nodegroup
+ - qvm.updates-via-whonix
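Review bot: In `qvm/updates-via-whonix.sls` the `file.prepend` puts `$type:TemplateVM $default allow,target=sys-whonix` above every existing entry in `/etc/qubes-rpc/policy/qubes.UpdatesProxy`, and because qrexec policy takes the first matching line, any per-template rule an administrator already keeps there (a deny, or a different proxy qube) stops applying without notice. The header comment should say that, and should state the scope: only TemplateVM calls to `qubes.UpdatesProxy` are redirected, so dom0's own updates still follow the configured UpdateVM even though the commit title says all updates. Nothing visible in the state requires or checks that `sys-whonix` exists; presumably the call then fails instead of falling back to a clearnet proxy, but that is worth confirming and documenting. A header line such as `# Requires an existing sys-whonix qube; takes precedence over rules already in qubes.UpdatesProxy; dom0 updates are not affected.` would cover it.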
diff --git a/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec b/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec
index dbaa44d..8f09dcd 100644
--- a/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec
+++ b/rpm_spec/qubes-mgmt-salt-dom0-virtual-machines-dom0.spec
@@ -78,6 +78,8 @@ fi
 /srv/formulas/base/virtual-machines-formula/qvm/template-whonix-ws.sls
 /srv/formulas/base/virtual-machines-formula/qvm/untrusted.sls
 /srv/formulas/base/virtual-machines-formula/qvm/untrusted.top
+/srv/formulas/base/virtual-machines-formula/qvm/updates-via-whonix.sls
+/srv/formulas/base/virtual-machines-formula/qvm/updates-via-whonix.top
 /srv/formulas/base/virtual-machines-formula/qvm/vault.sls
 /srv/formulas/base/virtual-machines-formula/qvm/vault.top
 /srv/formulas/base/virtual-machines-formula/qvm/whonix-ws-dvm.sls