Use bullseye template on 4.1 and buster template on 4.0

dom0/fpf-apt-repo.sls

@@ -13,6 +13,7 @@
 #  - update.qubes-vm
 #  - sd-default-config
 
+# Imports "sdvars" for environment config
 {% from 'sd-default-config.sls' import sdvars with context %}
 
 # Debian Buster was changed from 'stable' to 'oldstable' on 2021-08,
@@ -39,7 +40,7 @@ install-python-apt-for-repo-config:
 
 configure-fpf-apt-repo:
   pkgrepo.managed:
-    - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} {{ sdvars.component }}"
+    - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ sdvars.distribution }} {{ sdvars.component }}"
     - file: /etc/apt/sources.list.d/securedrop_workstation.list
     - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - clean_file: True # squash file to ensure there are no duplicates

dom0/sd-app-files.sls

@@ -5,15 +5,15 @@
 # sd-app-files
 # ========
 #
-# Moves files into place on sd-small-buster-template
+# Moves files into place on sd-small-$sdvars.distribution-template
 #
 ##
 include:
   - fpf-apt-repo
   - sd-logging-setup
 
-# FPF repo is setup in "securedrop-workstation-buster" template,
-# and then cloned as "sd-small-buster-template"
+# FPF repo is setup in "securedrop-workstation-$sdvars.distribution" template,
+# and then cloned as "sd-small-$sdvars.distribution-template"
 install-securedrop-client-package:
   pkg.installed:
     - pkgs:

dom0/sd-app.sls

@@ -5,6 +5,10 @@
 # Installs 'sd-app' AppVM, to persistently store SD data
 # This VM has no network configured.
 ##
+
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -15,7 +19,7 @@ sd-app:
     - present:
       - label: yellow
     - prefs:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - netvm: ""
     - tags:
       - add:
@@ -25,7 +29,7 @@ sd-app:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template
 
 {% import_json "sd/config.json" as d %}
 
@@ -42,9 +46,9 @@ sd-app-private-volume-size:
 sd-app-template-sync-appmenus:
   cmd.run:
     - name: >
-        qvm-start --skip-if-running sd-small-buster-template &&
-        qvm-sync-appmenus sd-small-buster-template
+        qvm-start --skip-if-running sd-small-{{ sdvars.distribution }}-template &&
+        qvm-sync-appmenus sd-small-{{ sdvars.distribution }}-template
     - require:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template
     - onchanges:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template

dom0/sd-default-config.sls

@@ -17,20 +17,22 @@
 {% if d.environment == "dev" %}
   # use apt-test and nightlies
   {% set sdvars = sdvars_defaults["test"] %}
-  {% set _ = sdvars.update({"component": "nightlies"}) %} 
+  {% set _ = sdvars.update({"component": "nightlies"}) %}
 {% elif d.environment == "staging" %}
   # use apt-test and main (RC/test builds)
   {% set sdvars = sdvars_defaults["test"] %}
-  {% set _ = sdvars.update({"component": "main"}) %} 
+  {% set _ = sdvars.update({"component": "main"}) %}
 {% else %}
   {% set sdvars = sdvars_defaults["prod"] %}
-  {% set _ = sdvars.update({"component": "main"}) %} 
+  {% set _ = sdvars.update({"component": "main"}) %}
 {% endif %}
 
 # Append repo URL with appropriate dom0 Fedora version
 {% if grains['osrelease'] == '4.1' %}
   {% set fedora_repo = "f32" %}
+  {% set _ = sdvars.update({"distribution": "bullseye"}) %}
 {% else %}
   {% set fedora_repo = "f24" %}
+  {% set _ = sdvars.update({"distribution": "buster"}) %}
 {% endif %}
 {% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %}

dom0/sd-devices.sls

@@ -5,6 +5,10 @@
 # Installs 'sd-devices' AppVM, to persistently store SD data
 # This VM has no network configured.
 ##
+
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -13,33 +17,33 @@ sd-devices-dvm:
   qvm.vm:
     - name: sd-devices-dvm
     - present:
-      - template: sd-large-buster-template
+      - template: sd-large-{{ sdvars.distribution }}-template
       - label: red
     - prefs:
-      - template: sd-large-buster-template
+      - template: sd-large-{{ sdvars.distribution }}-template
       - netvm: ""
       - template_for_dispvms: True
     - tags:
       - add:
         - sd-workstation
-        - sd-buster
+        - sd-{{ sdvars.distribution }}
     - features:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
 
 # Ensure the Qubes menu is populated with relevant app entries,
 # so that Nautilus/Files can be started via GUI interactions.
 sd-devices-template-sync-appmenus:
   cmd.run:
     - name: >
-        qvm-start --skip-if-running sd-large-buster-template &&
-        qvm-sync-appmenus sd-large-buster-template
+        qvm-start --skip-if-running sd-large-{{ sdvars.distribution }}-template &&
+        qvm-sync-appmenus sd-large-{{ sdvars.distribution }}-template
     - require:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
     - onchanges:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
 
 sd-devices-create-named-dispvm:
   qvm.vm:

dom0/sd-dom0-files.sls

@@ -78,11 +78,11 @@ dom0-install-securedrop-workstation-template:
 {% if grains['osrelease'] == '4.1' %}
   cmd.run:
     - name: >
-        qvm-template install securedrop-workstation-buster
+        qvm-template install securedrop-workstation-{{ sdvars.distribution }}
 {% else %}
   pkg.installed:
     - pkgs:
-      - qubes-template-securedrop-workstation-buster
+      - qubes-template-securedrop-workstation-{{ sdvars.distribution }}
 {% endif %}
     - require:
       - file: dom0-workstation-rpm-repo

dom0/sd-gpg.sls

@@ -9,6 +9,9 @@
 # This VM has no network configured.
 ##
 
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -17,10 +20,10 @@ sd-gpg:
   qvm.vm:
     - name: sd-gpg
     - present:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - label: purple
     - prefs:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - netvm: ""
       - autostart: true
     - tags:

dom0/sd-log.sls

@@ -6,6 +6,10 @@
 # from all SecureDrop related VMs.
 # This VM has no network configured.
 ##
+
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -14,10 +18,10 @@ sd-log:
   qvm.vm:
     - name: sd-log
     - present:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - label: red
     - prefs:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - netvm: ""
       - autostart: true
     - tags:
@@ -29,7 +33,7 @@ sd-log:
         - service.redis
         - service.securedrop-log
     - require:
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template
 
 {% if grains['osrelease'] == '4.0' %}
 # Allow any SecureDrop VM to log to the centralized log VM

dom0/sd-logging-setup.sls

@@ -1,7 +1,10 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-{% if grains['id'] in ["securedrop-workstation-buster", "sd-small-buster-template", "sd-large-buster-template"] %}
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
+{% if grains['id'] in ["securedrop-workstation-{}".format(sdvars["distribution"]), "sd-small-{}-template".format(sdvars["distribution"]), "sd-large-{}-template".format(sdvars["distribution"])] %}
 include:
   - fpf-apt-repo
 
@@ -21,7 +24,7 @@ configure-rsyslog-for-sd:
 
 {% endif %}
 
-{% if grains['id'] == "sd-small-buster-template" %}
+{% if grains['id'] == "sd-small-{}-template".format(sdvars["distribution"]) %}
 install-redis-for-sd-log-template:
   pkg.installed:
     - pkgs:

dom0/sd-proxy.sls

@@ -6,6 +6,9 @@
 # and the SecureDrop servers.
 ##
 
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-whonix
   - sd-upgrade-templates
@@ -16,16 +19,16 @@ sd-proxy:
     - present:
       - label: blue
     - prefs:
-      - template: sd-small-buster-template
+      - template: sd-small-{{ sdvars.distribution }}-template
       - netvm: sd-whonix
       - autostart: true
     - tags:
       - add:
         - sd-workstation
-        - sd-buster
+        - sd-{{ sdvars.distribution }}
     - require:
       - qvm: sd-whonix
-      - qvm: sd-small-buster-template
+      - qvm: sd-small-{{ sdvars.distribution }}-template
 
 # Permit the SecureDrop Proxy to manage Client connections
 sd-proxy-dom0-securedrop.Proxy:

dom0/sd-usb-autoattach-add.sls

@@ -6,6 +6,15 @@
 # USB devices to sd-devices.
 ##
 
+# If sys-usb is disposable, we have already set up sd-fedora-dvm to make our
+# modifications in, so we only want to modify sys-usb if it is a regular AppVM
+
+{% set apply = True %}
+{% if grains['id'] == 'sys-usb' and salt['pillar.get']('qvm:sys-usb:disposable', true) %}
+  {% set apply = False %}
+{% endif %}
+
+{% if apply %}
 sd-udev-rules:
   file.managed:
     - name: /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules
@@ -39,3 +48,4 @@ sd-attach-export-device:
     - user: root
     - group: root
     - mode: 0555
+{% endif %}

dom0/sd-viewer.sls

@@ -11,6 +11,9 @@
 # This VM has no network configured.
 ##
 
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-workstation-template
   - sd-upgrade-templates
@@ -19,23 +22,23 @@ sd-viewer:
   qvm.vm:
     - name: sd-viewer
     - present:
-      - template: sd-large-buster-template
+      - template: sd-large-{{ sdvars.distribution }}-template
       - label: green
     - prefs:
-      - template: sd-large-buster-template
+      - template: sd-large-{{ sdvars.distribution }}-template
       - netvm: ""
       - template_for_dispvms: True
       - default_dispvm: ""
     - tags:
       - add:
         - sd-workstation
         - sd-viewer-vm
-        - sd-buster
+        - sd-{{ sdvars.distribution }}
     - features:
       - enable:
         - service.paxctld
     - require:
-      - qvm: sd-large-buster-template
+      - qvm: sd-large-{{ sdvars.distribution }}-template
 
 sd-viewer-default-dispvm:
   cmd.run:

dom0/sd-whonix.sls

@@ -11,6 +11,9 @@
 #
 ##
 
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 include:
   - sd-upgrade-templates
 
@@ -29,6 +32,6 @@ sd-whonix:
     - tags:
       - add:
         - sd-workstation
-        - sd-buster
+        - sd-{{ sdvars.distribution }}
     - require:
       - sls: sd-upgrade-templates