Configure environment-specific services in dom0 via systemd

[rocodes]

Status

Ready for review

Description of Changes

Refs #1004 (comment)
Supersedes #1031

Changes proposed in this pull request:

• Configure systemd-logind changes via logind.conf.d directory rather than editing logind.conf file directly
• Install logind powersetting changes via workstation RPM
• Disable logind powersetting changes on dev setups [note: this means that during the time between installing the rpm and sdw-admin --apply, the power settings are in effect. But I think devs can handle that; usually those things follow pretty closely one after the other.]
• Write build flavour/environment flag (dev, staging, prod) to /var/lib/securedrop-workstation/ during Saltstack orchestration.
• use above mentioned flag file to conditionally disable logind changes in dev environments.
• Convert xfce power settings to be handled the same way: service enabled during rpm installation, disabled conditionally at orchestration on dev machines, reverted fully if dom0 RPM is uninstalled.

Testing

• CI passes
• Uninstall SDW via sdw-admin --uninstall (or skip if fresh install scenario)
• Create a desktop icon or shortcut on dom0 desktop.
• Install rpm built from the tip of this branch: RPM installs successfully
• systemctl --user list-unit-files | grep enabled shows user-xfce-settings.service and user-xfce-icon-size.service
• systemctl list-unit-files | grep logind shows logind-override-disable.service as enabled
• Reboot laptop. Upon login, desktop icon is enlarged and power settings are adjusted (no suspend/hibernate options available)
• Closing laptop lid shuts off laptop
• Power on and run sdw-admin --apply [dev]. Provisioning completes successfully, and after reboot or restarting systemd (systemctl daemon-reexec), power setting changes are reverted
• sdw-admin --apply [staging or prod] completes successfully and power settings changes are in place after reboot
  • as discussed below, going from dev -> staging/prod does not reinstate power settings.
• Uninstalling rpm reverts icon size and power settings changes.

Deployment

Any special considerations for deployment? Consider both:

1. Upgrading existing pilot instances
2. New installs

Checklist

If you have made changes to the provisioning logic

• All tests (make test) pass in dom0

If you have added or removed files

• I have updated MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

If documentation is required

• I have opened a PR in the docs repo for these changes, or will do so later
• I would appreciate help with the documentation

[legoktm]

I like where this is going :)

[legoktm]

Looks good, minor notes inline. Will test it now

[legoktm]

It seems if I switch to a dev install and then back to staging/prod, rpm will not restore the deleted 10-logind_override.conf file. (sudo rpm -V securedrop-workstation-dom0-config reports it as missing). https://serverfault.com/questions/1131250/can-you-force-replacement-of-files-marked-config-in-rpms says it's marked as %config and it's not possible to override that (like we do in Debian with our conffiles hack).

Maybe this is an OK limitation for now? that if you switch to dev you need to do a full provision from scratch to switch to staging/prod.

[rocodes]

It seems if I switch to a dev install and then back to staging/prod, rpm will not restore the deleted 10-logind_override.conf file.

Ugh, good catch, and I don't love that. I always sdw uninstall if I'm switching between dev, staging, prod, just because unfortunately some of our cleanup logic is still in Salt and requires the uninstall command, but this could bite people.

Another solution could be putting a second, lower-priority configuration file that unsets this option on dev systems, instead of a service that deletes the other override file. (With the eventual goal of moving more logic out of salt and into the rpm so that we can cleanly uninstall and reinstall each time we re-provision, and so that there is symmetry in terms of where the setup/teardown actions happen, instead of them being in two places).

Either way I'm not forcing this through if we're unhappy with it in some way - I'll make your suggested changes (thank you!) and let me know your thoughts re the way to handle the dev configuration.

[legoktm]

Ugh, good catch, and I don't love that. I always sdw uninstall if I'm switching between dev, staging, prod, just because unfortunately some of our cleanup logic is still in Salt and requires the uninstall command, but this could bite people.

I think this is a reasonable limitation for now, I'm okay with documenting it in a bug as something to eventually fix.

(Finishing up the test plan now)

[legoktm]

LGTM \o/