More comprehensive "make clean" action

Makefile

@@ -17,49 +17,35 @@ clone: assert-dom0 ## Pulls the latest repo from work VM to dom0
 	@./scripts/clone-to-dom0
 
 qubes-rpc: prep-salt ## Places default deny qubes-rpc policies for sd-svs and sd-gpg
-	sudo qubesctl top.enable sd-dom0-qvm-rpc
 	sudo qubesctl --show-output --targets sd-dom0-qvm-rpc state.highstate
 
 sd-workstation-template: prep-salt ## Provisions base template for SDW AppVMs
-	sudo qubesctl top.enable sd-workstation-template
-	sudo qubesctl top.enable sd-workstation-template-files
-	sudo qubesctl --show-output --targets sd-workstation-template state.highstate
+	sudo qubesctl --show-output state.sls sd-workstation-template
+	sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-template state.highstate
 
 sd-proxy: prep-salt ## Provisions SD Proxy VM
-	sudo qubesctl top.enable sd-proxy
-	sudo qubesctl top.enable sd-proxy-files
-	sudo qubesctl --show-output --targets sd-proxy-template state.highstate
-	sudo qubesctl --show-output --targets sd-proxy state.highstate
+	sudo qubesctl --show-output state.sls sd-proxy
+	sudo qubesctl --show-output --skip-dom0 --targets sd-proxy-template state.highstate
 
 sd-gpg: prep-salt ## Provisions SD GPG keystore VM
-	sudo qubesctl top.enable sd-gpg
-	sudo qubesctl top.enable sd-gpg-files
-	sudo qubesctl --show-output --targets sd-gpg state.highstate
+	sudo qubesctl --show-output state.sls sd-gpg
+	sudo qubesctl --show-output --skip-dom0 --targets sd-gpg state.highstate
 
 sd-svs: prep-salt ## Provisions SD SVS VM
-	sudo qubesctl top.enable sd-svs
-	sudo qubesctl top.enable sd-svs-files
-	sudo qubesctl top.enable sd-svs-config
-	sudo qubesctl --show-output --targets sd-svs-template state.highstate
-	sudo qubesctl --show-output --targets sd-svs state.highstate
+	sudo qubesctl --show-output state.sls sd-svs
+	sudo qubesctl --show-output --skip-dom0 --targets sd-svs-template,sd-svs state.highstate
 
 sd-whonix: prep-salt ## Provisions SD Whonix VM
-	sudo qubesctl top.enable sd-whonix
-	sudo qubesctl top.enable sd-whonix-hidserv-key
-	sudo qubesctl --show-output --targets sd-whonix-template state.highstate
-	sudo qubesctl --show-output --targets sd-whonix state.highstate
+	sudo qubesctl --show-output state.sls sd-whonix
+	sudo qubesctl --show-output --skip-dom0 --targets sd-whonix-template,sd-whonix state.highstate
 
 sd-svs-disp: prep-salt ## Provisions SD Submission Viewing VM
-	sudo qubesctl top.enable sd-svs-disp
-	sudo qubesctl top.enable sd-svs-disp-files
-	sudo qubesctl --show-output --targets sd-svs-disp-template state.highstate
-	sudo qubesctl --show-output --targets sd-svs-disp state.highstate
+	sudo qubesctl --show-output state.sls sd-svs-disp
+	sudo qubesctl --show-output --skip-dom0 --targets sd-svs-disp-template,sd-svs-disp state.highstate
 
 sd-export: prep-salt ## Provisions SD Export VM
-	sudo qubesctl top.enable sd-export
-	sudo qubesctl top.enable sd-export-files
-	sudo qubesctl --show-output --targets sd-export-template state.highstate
-	sudo qubesctl --show-output --targets sd-export-export-dvm state.highstate
+	sudo qubesctl --show-output state.sls sd-export
+	sudo qubesctl --show-output --skip-dom0 --targets sd-export-template,sd-export-usb,sd-export-usb-dvm state.highstate
 
 clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
 	@echo "Purging Salt config..."
@@ -89,10 +75,10 @@ remove-sd-export: assert-dom0 ## Destroys SD EXPORT VMs
 	@./scripts/destroy-vm sd-export-usb
 	@./scripts/destroy-vm sd-export-usb-dvm
 
-clean: assert-dom0 destroy-all clean-salt ## Destroys all SD VMs
+clean: assert-dom0 prep-salt destroy-all ## Destroys all SD VMs
+	sudo qubesctl --show-output state.sls sd-clean-all
 	sudo dnf -y -q remove securedrop-workstation-dom0-config 2>/dev/null || true
-	sudo rm -f /usr/bin/securedrop-update \
-		/etc/cron.daily/securedrop-update-cron
+	$(MAKE) clean-salt
 
 test: assert-dom0 ## Runs all application tests (no integration tests yet)
 	python3 -m unittest discover -v tests
@@ -136,11 +122,9 @@ prep-dom0: prep-salt # Copies dom0 config files for VM updates
 	sudo qubesctl top.enable sd-dom0-files
 	sudo qubesctl --show-output --targets dom0 state.highstate
 
-list-vms: ## Prints all Qubes VMs managed by Workstation salt config
-	@./scripts/list-vms
-
 destroy-all: ## Destroys all VMs managed by Workstation salt config
-	@./scripts/list-vms | xargs ./scripts/destroy-vm
+	qubes-prefs default_dispvm fedora-30-dvm
+	./scripts/destroy-vm --all
 
 .PHONY: update-pip-requirements
 update-pip-requirements: ## Updates all Python requirements files via pip-compile.

dom0/fpf-apt-test-repo.sls

@@ -1,19 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-
-# Handle misconfigured jessie-backports repo in default debian-9 TemplateVM.
-# The Jessie repos aren't maintained anymore, and their inclusion causes
-# even apt update to fail.
-remove-jessie-backports-repo:
-  file.line:
-    - name: /etc/apt/sources.list
-    # Unclear why "Delete" *must* be capitalized, but that's the case!
-    - mode: delete
-    - match: jessie-backports
-    # quiet param seems to be ignored, so using "onlyif" to test existence
-    - quiet: True
-    - onlyif:
-      - test -f /etc/apt/sources.list
+#
+include:
+  - update.qubes-vm
 
 # That's right, we need to install a package in order to
 # configure a repo to install another package
@@ -22,22 +11,14 @@ install-python-apt-for-repo-config:
     - pkgs:
       - python-apt
     - require:
-      - file: remove-jessie-backports-repo
+      # Require that the Qubes update state has run first
+      - sls: update.qubes-vm
 
-configure apt-test apt repo:
+configure-apt-test-apt-repo:
   pkgrepo.managed:
     - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main"
     - file: /etc/apt/sources.list.d/securedrop_workstation.list
     - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
     - clean_file: True # squash file to ensure there are no duplicates
     - require:
       - pkg: install-python-apt-for-repo-config
-
-# Ensure all apt updates are applied, since the VMs
-# will be cloned, duplicating package version drift.
-update-all-apt-packages:
-  pkg.uptodate:
-    - cache_valid_time: "3600"
-    - dist_upgrade: True
-    - require:
-      - pkg: install-python-apt-for-repo-config

dom0/sd-clean-all.sls

@@ -0,0 +1,45 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+set-fedora-as-default-dispvm:
+  cmd.run:
+    - name: qubes-prefs default_dispvm fedora-30-dvm
+
+remove-dom0-sdw-config-files:
+  file.absent:
+    - names:
+      - /opt/securedrop
+      - /etc/yum.repos.d/securedrop-workstation-dom0.repo
+      - /usr/bin/securedrop-update
+      - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+      - /etc/cron.daily/securedrop-update-cron
+      - /usr/share/securedrop/icons
+
+sd-cleanup-sys-firewall:
+  cmd.run:
+    - names:
+      - qvm-run sys-firewall 'sudo rm -f /rw/config/RPM-GPG-KEY-securedrop-workstation-test'
+      - qvm-run sys-firewall 'sudo rm -f /rw/config/sd-copy-rpm-repo-pubkey.sh'
+      - qvm-run sys-firewall 'sudo rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test'
+      - qvm-run sys-firewall 'sudo perl -pi -E "s#^/rw/config/sd-copy-rpm-repo-pubkey.sh##" /rw/config/rc.local'
+
+sd-cleanup-rpc-mgmt-policy:
+  file.replace:
+    - names:
+      - /etc/qubes-rpc/policy/qubes.VMShell
+      - /etc/qubes-rpc/policy/qubes.VMRootShell
+    - repl: ''
+    - pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root'
+
+{% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %}
+{% if sdw_customized_rpc_files|length > 0 %}
+sd-cleanup-rpc-policy-grants:
+  file.replace:
+    - names: {{ sdw_customized_rpc_files }}
+    - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###'
+    - flags:
+      - MULTILINE
+      - DOTALL
+    - repl: ''
+    - backup: no
+{% endif %}

dom0/sd-svs-config.sls

@@ -1,3 +1,5 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 ##
 # sd-svs-config
 # ========

dom0/sd-sys-firewall-files.sls

@@ -1,3 +1,6 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
 sys-firewall-rpm-test-key:
   file.managed:
     - name: /rw/config/RPM-GPG-KEY-securedrop-workstation-test

dom0/sd-workstation.top

@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+  dom0:
+    - sd-sys-vms
+    - sd-dom0-files
+    - sd-workstation-template
+    - sd-dom0-qvm-rpc
+    - sd-export
+    - sd-gpg
+    - sd-proxy
+    - sd-svs-disp
+    - sd-svs
+    - sd-whonix
+  sd-export-template:
+    - sd-export-files
+  sd-gpg:
+    - sd-gpg-files
+  sd-proxy-template:
+    - sd-proxy-template-files
+  sd-svs:
+    - sd-svs-config
+  sd-svs-disp-template:
+    - sd-svs-disp-files
+  sd-svs-template:
+    - sd-svs-files
+  sys-firewall:
+    - sd-sys-firewall-files
+  sd-whonix:
+    - sd-whonix-hidserv-key
+  securedrop-workstation:
+    - sd-workstation-template-files
+
+  # "Placeholder" config to trigger TemplateVM boots,
+  # so upgrades can be applied automatically via cron.
+  qubes:type:template:
+    - match: pillar
+    - topd