Merge pull request #784 from freedomofpress/600-bullseye-template-and…

…-repo-magic

Use bullseye templates on 4.1 and and use apt-test+nightlies repos for dev apt-test+main packages for staging

Makefile

@@ -58,36 +58,36 @@ remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb
 	sudo qubesctl --show-output state.sls sd-usb-autoattach-remove
 
 sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs
-	sudo qubesctl --show-output state.sls sd-workstation-buster-template
-	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate
+	sudo qubesctl --show-output state.sls sd-workstation-bullseye-template
+	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template state.highstate
 
 sd-proxy: prep-dev ## Provisions SD Proxy VM
 	sudo qubesctl --show-output state.sls sd-proxy
-	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-proxy state.highstate
 
 sd-gpg: prep-dev ## Provisions SD GPG keystore VM
 	sudo qubesctl --show-output state.sls sd-gpg
-	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template,sd-gpg state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template,sd-gpg state.highstate
 
 sd-app: prep-dev ## Provisions SD APP VM
 	sudo qubesctl --show-output state.sls sd-app
-	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-app state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-app state.highstate
 
 sd-whonix: prep-dev ## Provisions SD Whonix VM
 	sudo qubesctl --show-output state.sls sd-whonix
 	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-16,sd-whonix state.highstate
 
 sd-viewer: prep-dev ## Provisions SD Submission Viewing VM
 	sudo qubesctl --show-output state.sls sd-viewer
-	sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-buster-template,sd-viewer state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-bullseye-template,sd-viewer state.highstate
 
 sd-devices: prep-dev ## Provisions SD Export VM
 	sudo qubesctl --show-output state.sls sd-devices
-	sudo qubesctl --show-output --skip-dom0 --targets sd-devices-buster-template,sd-devices,sd-devices-dvm state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-devices-bullseye-template,sd-devices,sd-devices-dvm state.highstate
 
 sd-log: prep-dev ## Provisions SD logging VM
 	sudo qubesctl --show-output state.sls sd-log
-	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-log state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-log state.highstate
 
 prep-dev: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-dev

dom0/fpf-apt-repo.sls

@@ -13,6 +13,7 @@
 #  - update.qubes-vm
 #  - sd-default-config
 
+# Imports "sdvars" for environment config
 {% from 'sd-default-config.sls' import sdvars with context %}
 
 # Debian Buster was changed from 'stable' to 'oldstable' on 2021-08,
@@ -39,7 +40,9 @@ install-python-apt-for-repo-config:
 
 configure-fpf-apt-repo:
   pkgrepo.managed:
-    - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} main"
+    # Can't reuse sdvars.distribution here because this queries grains from VMs
+    # rather than dom0
+    - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} {{ sdvars.component }}"
     - file: /etc/apt/sources.list.d/securedrop_workstation.list
     - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - clean_file: True # squash file to ensure there are no duplicates

dom0/sd-app-files.sls

@@ -5,15 +5,15 @@
 # sd-app-files
 # ========
 #
-# Moves files into place on sd-small-buster-template
+# Moves files into place on sd-small-$sdvars.distribution-template
 #
 ##
 include:
   - fpf-apt-repo
   - sd-logging-setup
 
-# FPF repo is setup in "securedrop-workstation-buster" template,
-# and then cloned as "sd-small-buster-template"
+# FPF repo is setup in "securedrop-workstation-$sdvars.distribution" template,
+# and then cloned as "sd-small-$sdvars.distribution-template"
 install-securedrop-client-package:
   pkg.installed:
     - pkgs:

dom0/sd-app.sls

@@ -5,6 +5,10 @@
 # Installs 'sd-app' AppVM, to persistently store SD data
 # This VM has no network configured.
 ##
+
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -15,7 +19,7 @@ sd-app:
     - present:
       - label: yellow
     - prefs:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - netvm: ""
     - tags:
       - add:
@@ -25,7 +29,7 @@ sd-app:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template
 
 {% import_json "sd/config.json" as d %}
 
@@ -42,9 +46,9 @@ sd-app-private-volume-size:
 sd-app-template-sync-appmenus:
   cmd.run:
     - name: >
-        qvm-start --skip-if-running sd-small-buster-template &&
-        qvm-sync-appmenus sd-small-buster-template
+        qvm-start --skip-if-running sd-small-{{ sdvars.distribution }}-template &&
+        qvm-sync-appmenus sd-small-{{ sdvars.distribution }}-template
     - require:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template
     - onchanges:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template

dom0/sd-clean-all.sls

@@ -9,7 +9,7 @@ set-fedora-as-default-dispvm:
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
-{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %}
+{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %}
 restore-sys-usb-dispvm-halt:
   qvm.kill:
     - name: sys-usb
@@ -103,9 +103,6 @@ sd-cleanup-etc-changes:
       - DOTALL
     - repl: ''
     - backup: no
-{% if grains['osrelease'] == '4.0' %}
-    - ignore_if_missing: True
-{% endif %}
 
 {% if d.environment == "prod" or d.environment == "staging" %}
 apply-systemd-changes:
@@ -129,9 +126,7 @@ sd-cleanup-rpc-mgmt-policy:
       - /etc/qubes-rpc/policy/qubes.VMShell
       - /etc/qubes-rpc/policy/qubes.VMRootShell
     - repl: ''
-{% if grains['osrelease'] == '4.1' %}
     - ignore_if_missing: True
-{% endif %}
     - pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root'
 
 {% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rIl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %}

dom0/sd-default-config.sls

@@ -14,8 +14,20 @@
 {% import_json "sd/config.json" as d %}
 
 # Respect "dev" env if provided, default to "prod"
-{% if d.environment == "dev" or d.environment == "staging" %}
-  {% set sdvars = sdvars_defaults["dev"] %}
+{% if d.environment == "dev" %}
+  # use apt-test and nightlies
+  {% set sdvars = sdvars_defaults["test"] %}
+  {% set _ = sdvars.update({"component": "nightlies"}) %}
+{% elif d.environment == "staging" %}
+  # use apt-test and main (RC/test builds)
+  {% set sdvars = sdvars_defaults["test"] %}
+  {% set _ = sdvars.update({"component": "main"}) %}
 {% else %}
   {% set sdvars = sdvars_defaults["prod"] %}
+  {% set _ = sdvars.update({"component": "main"}) %}
 {% endif %}
+
+# Append repo URL with appropriate dom0 Fedora version
+{% set fedora_repo = "f32" %}
+{% set _ = sdvars.update({"distribution": "bullseye"}) %}
+{% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %}

dom0/sd-default-config.yml

@@ -1,11 +1,14 @@
 ---
+# Both prod.dom0_yum_repo_url and test.dom0_yum_repo_url will be appended to with
+# the respective Fedora release depending on Qubes OS version
+#
 # Production variables, for use with real-world installs
 prod:
-  dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
+  dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/"
   apt_repo_url: "https://apt.freedom.press"
   signing_key_filename: "securedrop-release-signing-pubkey-2021.asc"
-# Development variables, suited for use during local development
-dev:
-  dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+# Staging and Dev variables, for QAing and local development
+test:
+  dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/"
   apt_repo_url: "https://apt-test.freedom.press"
   signing_key_filename: "apt-test-pubkey.asc"

dom0/sd-devices.sls

@@ -5,6 +5,10 @@
 # Installs 'sd-devices' AppVM, to persistently store SD data
 # This VM has no network configured.
 ##
+
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -13,33 +17,33 @@ sd-devices-dvm:
   qvm.vm:
     - name: sd-devices-dvm
     - present:
-      - template: sd-large-buster-template
+      - template: sd-large-{{ sdvars.distribution }}-template
       - label: red
     - prefs:
-      - template: sd-large-buster-template
+      - template: sd-large-{{ sdvars.distribution }}-template
       - netvm: ""
       - template_for_dispvms: True
     - tags:
       - add:
         - sd-workstation
-        - sd-buster
+        - sd-{{ sdvars.distribution }}
     - features:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
 
 # Ensure the Qubes menu is populated with relevant app entries,
 # so that Nautilus/Files can be started via GUI interactions.
 sd-devices-template-sync-appmenus:
   cmd.run:
     - name: >
-        qvm-start --skip-if-running sd-large-buster-template &&
-        qvm-sync-appmenus sd-large-buster-template
+        qvm-start --skip-if-running sd-large-{{ sdvars.distribution }}-template &&
+        qvm-sync-appmenus sd-large-{{ sdvars.distribution }}-template
     - require:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
     - onchanges:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
 
 sd-devices-create-named-dispvm:
   qvm.vm:

dom0/sd-dom0-files.sls

@@ -46,7 +46,6 @@ dom0-workstation-rpm-repo:
     - require:
       - file: dom0-rpm-test-key
 
-{% if grains['osrelease'] == '4.1' %}
 dom0-workstation-templates-repo:
   # Using file.blockreplace because /etc/qubes/repo-templates/ is not a .d
   # style directory, and qvm.template_installed:fromrepo seems to only support
@@ -65,7 +64,6 @@ dom0-workstation-templates-repo:
         name=SecureDrop Workstation Templates repository
     - require:
       - file: dom0-rpm-test-key
-{% endif %}
 
 dom0-remove-securedrop-workstation-stretch-template:
   pkg.removed:
@@ -75,20 +73,11 @@ dom0-remove-securedrop-workstation-stretch-template:
       - file: dom0-workstation-rpm-repo
 
 dom0-install-securedrop-workstation-template:
-{% if grains['osrelease'] == '4.1' %}
   cmd.run:
     - name: >
-        qvm-template install securedrop-workstation-buster
-{% else %}
-  pkg.installed:
-    - pkgs:
-      - qubes-template-securedrop-workstation-buster
-{% endif %}
+        qvm-template install securedrop-workstation-{{ sdvars.distribution }}
     - require:
       - file: dom0-workstation-rpm-repo
-{% if grains['osrelease'] != '4.1' %}
-      - pkg: dom0-remove-securedrop-workstation-stretch-template
-{% endif %}
 
 # Remove the legacy auto updater script
 dom0-remove-legacy-updater:

dom0/sd-dom0-qvm-rpc.sls

@@ -96,96 +96,6 @@ dom0-rpc-qubes.GpgImportKey:
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny
 
-# Some legacy RPC files were moved under Qubes 4.1, to /etc/qubes/policy.d/.
-# We'll continue to configure them under the legacy path for 4.0 hosts.
-{% if grains['osrelease'] == '4.0' %}
-dom0-rpc-qubes.FeaturesRequest:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.Filecopy:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.Filecopy
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        sd-log @default ask
-        sd-log @tag:sd-receive-logs ask
-        sd-proxy @tag:sd-client allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.GetImageRGBA:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.GetImageRGBA
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.OpenInVM:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.OpenInVM
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @tag:sd-client @dispvm:sd-viewer allow
-        @tag:sd-client sd-devices allow
-        sd-devices @dispvm:sd-viewer allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.OpenURL:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.OpenURL
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.StartApp:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.StartApp
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.VMRootShell:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.VMRootShell
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.VMshell:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.VMShell
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-{% elif grains['osrelease'] == '4.1' %}
 # Qubes suggests using files starting with 70- to be the allow policies
 # and 60- deny policies, but due to the way SDW policies are stacked at the
 # moment, we reverse this suggested order
@@ -234,5 +144,3 @@ dom0-rpc-qubes.r5-format-ask-allow:
         qubes.OpenInVM          *           @tag:sd-client @dispvm:sd-viewer allow
         qubes.OpenInVM          *           @tag:sd-client sd-devices allow
         qubes.OpenInVM          *           sd-devices @dispvm:sd-viewer allow
-
-{% endif %}