Packaging workstation provisioning code for dom0

[redshiftzero]

For provisioning workstations for developers, we're currently using git clone to pull down the code for the journalist workstation in an AppVM and then using qvm-run --pass-io to copy the code into dom0.

For production, a reasonable approach might be to create a securedrop-workstation package that we pull into dom0 (adding an additional repo if needed), such that SecureDrop administrators need to just do the following to get the workstation code into dom0:

sudo qubes-dom0-update
sudo qubes-dom0-update securedrop-workstation

Related: For the client, we should package that separately and install in sd-journalist only.

[redshiftzero]

Note: we should definitely maintain awareness of Qubes 4.0 changes here such that we can select a path that will continue to work with minimal changes if possible (i.e. one change is that this package would likely get installed in the management VM not dom0 for Qubes 4.0).

[conorsch]

Our strategy at present is to use the dom0 package to ship Salt configs that handle the VM configuration and provisioning. Via Salt, we can declare dependencies on other dom0 packages (e.g. securedrop-template-whonix-gw-14), as well as customize VM images locally per service.

[redshiftzero]

this was done in #171