From b6b721af5c27ab614647a35578fd7017ace610cc Mon Sep 17 00:00:00 2001
From: mickael e
Date: Tue, 10 Mar 2020 10:00:02 -0400
Subject: [PATCH] Use blockreplace for sd-whonix tor config

This ensures idempotency
---
 dom0/sd-whonix-hidserv-key.sls | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/dom0/sd-whonix-hidserv-key.sls b/dom0/sd-whonix-hidserv-key.sls
index 3d50b54a..2456278d 100644
--- a/dom0/sd-whonix-hidserv-key.sls
+++ b/dom0/sd-whonix-hidserv-key.sls
@@ -6,14 +6,20 @@
 # add hidden service auth key to torrc
 {% if d.hidserv.hostname|length == 22 %}
 sd-whonix-hidserv-key:
- file.append:
+ file.blockreplace:
 - name: /usr/local/etc/torrc.d/50_user.conf
- - text: HidServAuth {{ d.hidserv.hostname }} {{ d.hidserv.key }}
+ - append_if_not_found: True
+ - marker_start: "### BEGIN securedrop-workstation ###"
+ - marker_end: "### END securedrop-workstation ###"
+ - content: HidServAuth {{ d.hidserv.hostname }} {{ d.hidserv.key }}
 {% else %}
 sd-whonix-hidservv3-directory-path:
- file.append:
+ file.blockreplace:
 - name: /usr/local/etc/torrc.d/50_user.conf
- - text: ClientOnionAuthDir /var/lib/tor/keys
+ - append_if_not_found: True
+ - marker_start: "### BEGIN securedrop-workstation ###"
+ - marker_end: "### END securedrop-workstation ###"
+ - content: ClientOnionAuthDir /var/lib/tor/keys
 {% set hostname_without_onion = d.hidserv.hostname.split('.')[0] %}
 install-sd-whonix-tor-private-key:
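Review bot: The `content` line of `sd-whonix-hidserv-key` carries the v2 authorization key `{{ d.hidserv.key }}`, and `file.blockreplace` reports a unified diff of the edited file by default, so the key can end up in Salt's state output and in any log that captures it; adding `- show_changes: False` to that state keeps it out. The state also keeps Salt's default backup copy of the pre-edit file beside `50_user.conf` unless `- backup: False` is set, which is worth deciding deliberately for a file that holds a credential. Separately, on a VM where the earlier `file.append` already wrote the bare directive, `append_if_not_found` adds the marked block after it rather than replacing it, so the directive would appear twice and an old key would stay in place. Unless that is cleaned up elsewhere, a one-off state that removes the unmarked line before the `blockreplace` would make the upgrade path idempotent as well.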