feat: default to disposable netvm

- Default sys-net and sys-firewall to disposable;
- Set global and per vm preferences by starting the qubes or shutting
  down them when necessary; and
- Less manual steps remaining for the user: just rename the net qube, as
  it can only be done via Qubes Manager.

salt/sys-net/files/admin/policy/default-disp.policy

@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+## Do not modify this file, create a new policy with with a lower number in the
+## file name instead. For example `30-user.policy`.
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
+qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
+## vim:ft=qrexecpolicy

salt/sys-net/files/admin/policy/default.policy

@@ -6,6 +6,6 @@
 ## file name instead. For example `30-user.policy`.
 qubes.UpdatesProxy  *  @tag:whonix-updatevm  @default  allow target=sys-whonix
 qubes.UpdatesProxy  *  @tag:whonix-updatevm  @anyvm    deny
-qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target=disp-{{ sls_path }}
+qubes.UpdatesProxy  *  @type:TemplateVM      @default  allow target={{ sls_path }}
 qubes.UpdatesProxy  *  @type:TemplateVM      @anyvm    deny
 ## vim:ft=qrexecpolicy