Remove Qubes OS R4.0 related logic and tests

Dropping support for 4.0 to avoid unnecessary complexity. This removes
4.0 support from: salt states, scripts, Makefile, and tests.

(Also removes sd-devices from sd-workstation.top as it's a DispVM rather
than a DispVM template)

Makefile

@@ -58,36 +58,36 @@ remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb
 	sudo qubesctl --show-output state.sls sd-usb-autoattach-remove
 
 sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs
-	sudo qubesctl --show-output state.sls sd-workstation-buster-template
-	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate
+	sudo qubesctl --show-output state.sls sd-workstation-bullseye-template
+	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template state.highstate
 
 sd-proxy: prep-dev ## Provisions SD Proxy VM
 	sudo qubesctl --show-output state.sls sd-proxy
-	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-proxy state.highstate
 
 sd-gpg: prep-dev ## Provisions SD GPG keystore VM
 	sudo qubesctl --show-output state.sls sd-gpg
-	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template,sd-gpg state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template,sd-gpg state.highstate
 
 sd-app: prep-dev ## Provisions SD APP VM
 	sudo qubesctl --show-output state.sls sd-app
-	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-app state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-app state.highstate
 
 sd-whonix: prep-dev ## Provisions SD Whonix VM
 	sudo qubesctl --show-output state.sls sd-whonix
 	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-16,sd-whonix state.highstate
 
 sd-viewer: prep-dev ## Provisions SD Submission Viewing VM
 	sudo qubesctl --show-output state.sls sd-viewer
-	sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-buster-template,sd-viewer state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-bullseye-template,sd-viewer state.highstate
 
 sd-devices: prep-dev ## Provisions SD Export VM
 	sudo qubesctl --show-output state.sls sd-devices
-	sudo qubesctl --show-output --skip-dom0 --targets sd-devices-buster-template,sd-devices,sd-devices-dvm state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-devices-bullseye-template,sd-devices,sd-devices-dvm state.highstate
 
 sd-log: prep-dev ## Provisions SD logging VM
 	sudo qubesctl --show-output state.sls sd-log
-	sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-log state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-log state.highstate
 
 prep-dev: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-dev

dom0/sd-clean-all.sls

@@ -9,7 +9,7 @@ set-fedora-as-default-dispvm:
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
 
-{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %}
+{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %}
 restore-sys-usb-dispvm-halt:
   qvm.kill:
     - name: sys-usb
@@ -103,9 +103,6 @@ sd-cleanup-etc-changes:
       - DOTALL
     - repl: ''
     - backup: no
-{% if grains['osrelease'] == '4.0' %}
-    - ignore_if_missing: True
-{% endif %}
 
 {% if d.environment == "prod" or d.environment == "staging" %}
 apply-systemd-changes:
@@ -129,9 +126,7 @@ sd-cleanup-rpc-mgmt-policy:
       - /etc/qubes-rpc/policy/qubes.VMShell
       - /etc/qubes-rpc/policy/qubes.VMRootShell
     - repl: ''
-{% if grains['osrelease'] == '4.1' %}
     - ignore_if_missing: True
-{% endif %}
     - pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root'
 
 {% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rIl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %}

dom0/sd-default-config.sls

@@ -28,11 +28,6 @@
 {% endif %}
 
 # Append repo URL with appropriate dom0 Fedora version
-{% if grains['osrelease'] == '4.1' %}
-  {% set fedora_repo = "f32" %}
-  {% set _ = sdvars.update({"distribution": "bullseye"}) %}
-{% else %}
-  {% set fedora_repo = "f24" %}
-  {% set _ = sdvars.update({"distribution": "buster"}) %}
-{% endif %}
+{% set fedora_repo = "f32" %}
+{% set _ = sdvars.update({"distribution": "bullseye"}) %}
 {% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %}

dom0/sd-dom0-files.sls

@@ -46,7 +46,6 @@ dom0-workstation-rpm-repo:
     - require:
       - file: dom0-rpm-test-key
 
-{% if grains['osrelease'] == '4.1' %}
 dom0-workstation-templates-repo:
   # Using file.blockreplace because /etc/qubes/repo-templates/ is not a .d
   # style directory, and qvm.template_installed:fromrepo seems to only support
@@ -65,7 +64,6 @@ dom0-workstation-templates-repo:
         name=SecureDrop Workstation Templates repository
     - require:
       - file: dom0-rpm-test-key
-{% endif %}
 
 dom0-remove-securedrop-workstation-stretch-template:
   pkg.removed:
@@ -75,20 +73,11 @@ dom0-remove-securedrop-workstation-stretch-template:
       - file: dom0-workstation-rpm-repo
 
 dom0-install-securedrop-workstation-template:
-{% if grains['osrelease'] == '4.1' %}
   cmd.run:
     - name: >
         qvm-template install securedrop-workstation-{{ sdvars.distribution }}
-{% else %}
-  pkg.installed:
-    - pkgs:
-      - qubes-template-securedrop-workstation-{{ sdvars.distribution }}
-{% endif %}
     - require:
       - file: dom0-workstation-rpm-repo
-{% if grains['osrelease'] != '4.1' %}
-      - pkg: dom0-remove-securedrop-workstation-stretch-template
-{% endif %}
 
 # Remove the legacy auto updater script
 dom0-remove-legacy-updater:

dom0/sd-dom0-qvm-rpc.sls

@@ -96,96 +96,6 @@ dom0-rpc-qubes.GpgImportKey:
         @anyvm @tag:sd-workstation deny
         @tag:sd-workstation @anyvm deny
 
-# Some legacy RPC files were moved under Qubes 4.1, to /etc/qubes/policy.d/.
-# We'll continue to configure them under the legacy path for 4.0 hosts.
-{% if grains['osrelease'] == '4.0' %}
-dom0-rpc-qubes.FeaturesRequest:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.FeaturesRequest
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.Filecopy:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.Filecopy
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        sd-log @default ask
-        sd-log @tag:sd-receive-logs ask
-        sd-proxy @tag:sd-client allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.GetImageRGBA:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.GetImageRGBA
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.OpenInVM:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.OpenInVM
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @tag:sd-client @dispvm:sd-viewer allow
-        @tag:sd-client sd-devices allow
-        sd-devices @dispvm:sd-viewer allow
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.OpenURL:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.OpenURL
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.StartApp:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.StartApp
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.VMRootShell:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.VMRootShell
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-dom0-rpc-qubes.VMshell:
-  file.blockreplace:
-    - name: /etc/qubes-rpc/policy/qubes.VMShell
-    - prepend_if_not_found: True
-    - marker_start: "### BEGIN securedrop-workstation ###"
-    - marker_end: "### END securedrop-workstation ###"
-    - content: |
-        @anyvm @tag:sd-workstation deny
-        @tag:sd-workstation @anyvm deny
-
-{% elif grains['osrelease'] == '4.1' %}
 # Qubes suggests using files starting with 70- to be the allow policies
 # and 60- deny policies, but due to the way SDW policies are stacked at the
 # moment, we reverse this suggested order
@@ -234,5 +144,3 @@ dom0-rpc-qubes.r5-format-ask-allow:
         qubes.OpenInVM          *           @tag:sd-client @dispvm:sd-viewer allow
         qubes.OpenInVM          *           @tag:sd-client sd-devices allow
         qubes.OpenInVM          *           sd-devices @dispvm:sd-viewer allow
-
-{% endif %}

dom0/sd-log.sls

@@ -35,24 +35,6 @@ sd-log:
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
 
-{% if grains['osrelease'] == '4.0' %}
-# Allow any SecureDrop VM to log to the centralized log VM
-sd-log-dom0-securedrop.Log:
-  file.prepend:
-    - name: /etc/qubes-rpc/policy/securedrop.Log
-    - text: |
-        @tag:sd-workstation sd-log allow
-        @anyvm @anyvm deny
-{% elif grains['osrelease'] == '4.1' %}
-# In 4.1 this policy is handled in the more central app policy
-# files added by sd-dom0-qvm-rpc.sls, no need to keep this
-# around in 4.0 if we migrated
-sd-log-dom0-remove-old-securedrop.Log-policy:
-  file.absent:
-    - names:
-      - /etc/qubes-rpc/policy/securedrop.Log
-{% endif %}
-
 {% import_json "sd/config.json" as d %}
 
 # The private volume size should be set in config.json

dom0/sd-logging-setup.sls

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-{% if grains['id'] in ["securedrop-workstation-{}".format(grains['oscodename']), "sd-small-{}-template".format(grains['oscodename']), "sd-large-{}-template".format(grains['oscodename'])] %}
+{% if grains['id'] in ["securedrop-workstation-bullseye", "sd-small-bullseye-template", "sd-large-bullseye-template"] %}
 include:
   - fpf-apt-repo
 

dom0/sd-sys-vms.sls

@@ -14,15 +14,9 @@ include:
 
 # Install latest templates required for SDW VMs.
 dom0-install-fedora-template:
-{% if grains['osrelease'] == '4.1' %}
   cmd.run:
     - name: >
-        qvm-template install fedora-35
-{% else %}
-  pkg.installed:
-    - pkgs:
-      - qubes-template-{{ sd_supported_fedora_version }}
-{% endif %}
+        qvm-template install {{ sd_supported_fedora_version }}
 
 # Update the mgmt VM before updating the new Fedora VM. The order is required
 # and listed in the release notes for F32 & F33.
@@ -32,30 +26,18 @@ set-fedora-template-as-default-mgmt-dvm:
         qvm-shutdown --wait default-mgmt-dvm &&
         qvm-prefs default-mgmt-dvm template {{ sd_supported_fedora_version }}
     - require:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-fedora-template
-{% else %}
-      - pkg: dom0-install-fedora-template
-{% endif %}
 
 # If the VM has just been installed via package manager, update it immediately
 update-fedora-template-if-new:
   cmd.wait:
     - name: sudo qubesctl --skip-dom0 --targets {{ sd_supported_fedora_version }} state.sls update.qubes-vm
     - require:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-fedora-template
-{% else %}
-      - pkg: dom0-install-fedora-template
-{% endif %}
       # Update the mgmt-dvm setting first, to avoid problems during first update
       - cmd: set-fedora-template-as-default-mgmt-dvm
     - watch:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-fedora-template
-{% else %}
-      - pkg: dom0-install-fedora-template
-{% endif %}
 
 # qvm.default-dispvm is not strictly required here, but we want it to be
 # updated as soon as possible to ensure make clean completes successfully, as
@@ -64,11 +46,7 @@ set-fedora-default-template-version:
   cmd.run:
     - name: qubes-prefs default_template {{ sd_supported_fedora_version }}
     - require:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-fedora-template
-{% else %}
-      - pkg: dom0-install-fedora-template
-{% endif %}
       - sls: qvm.default-dispvm
 
 # On 4.1, several sys qubes are disposable by default - since we also want to
@@ -78,7 +56,6 @@ set-fedora-default-template-version:
 # sys-usb is also disposable by default but a special case as we want to
 # customize the underlying DispVM template for usability purposes: we want to
 # consistently auto-attach USB devices to our sd-devices qube
-{% if grains['osrelease'] == '4.1' %}
 {% set required_dispvms = [ sd_supported_fedora_version + '-dvm' ] %}
 {% if salt['pillar.get']('qvm:sys-usb:disposable', true) %}
   {% set _ = required_dispvms.append("sd-fedora-dvm") %}
@@ -100,13 +77,12 @@ create-{{ required_dispvm }}:
     - require:
       - cmd: dom0-install-fedora-template
 {% endfor %}
-{% endif %}
 
 
 # Now proceed with rebooting all the sys-* VMs, since the new template is up to date.
 
 {% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %}
-{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %}
+{% if salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %}
 # As of Qubes 4.1, certain sys-* VMs will be DispVMs by default.
   {% if sys_vm == 'sys-usb' %}
     # If sys-usb is disposable, we want it to use the template we just created so we
@@ -123,21 +99,13 @@ sd-{{ sys_vm }}-fedora-version-halt:
   qvm.kill:
     - name: {{ sys_vm }}
     - require:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-fedora-template
-{% else %}
-      - pkg: dom0-install-fedora-template
-{% endif %}
 
 sd-{{ sys_vm }}-fedora-version-halt-wait:
   cmd.run:
     - name: sleep 5
     - require:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-fedora-template
-{% else %}
-      - pkg: dom0-install-fedora-template
-{% endif %}
 
 sd-{{ sys_vm }}-fedora-version-update:
   qvm.vm:

dom0/sd-workstation-template.sls

@@ -23,11 +23,7 @@ sd-workstation-template:
       - enable:
         - service.paxctld
     - require:
-{% if grains['osrelease'] == '4.1' %}
       - cmd: dom0-install-securedrop-workstation-template
-{% else %}
-      - pkg: dom0-install-securedrop-workstation-template
-{% endif %}
 
 # Installs consolidated templateVMs:
 # - sd-small-{{ sdvars.distribution }}-template, to be used for