feat: bump Fedora version

- Update to Fedora 41; - Change default Fedora template to Xfce variant; - Enforce Fedora based formulas to depend on a chain that always has the correct management disposable set. For 'qubes-builder,' it requires 'mgmt', which requires 'fedora-minimal', which requires 'fedora-xfce'; - Cleanup salt patch necessary on version 39 and 40. - Update base templates when stale before being cloned to derivative templates. - Remove non-essential bootstrap formulas from requirements. Dom0 was never required, but very recommended, templates were required because it was best to update them on their formula before generating outdated clones of it. Fix: https://github.com/ben-grande/qusal/issues/108 Fix: https://github.com/ben-grande/qusal/issues/57
2025-08-25 05:34:57 -04:00 · 2025-02-24 11:22:51 +01:00 · 2025-02-24 11:22:51 +01:00 · f933523e10
commit f933523e10
parent 599f044d58
48 changed files with 301 additions and 271 deletions
--- a/docs/BOOTSTRAP.md
+++ b/docs/BOOTSTRAP.md
@ -23,9 +23,6 @@ matter in some circumstances, in those cases, it is noted in this page.
 ## Essential
 *   Base (order matters):
    *   [dom0](../salt/dom0/README.md)
    *   [debian-minimal](../salt/debian-minimal/README.md)
    *   [fedora-minimal](../salt/fedora-minimal/README.md)
    *   [mgmt](../salt/mgmt/README.md)
    *   [sys-cacher](../salt/sys-cacher/README.md)
--- a/salt/debian-minimal/template.jinja
+++ b/salt/debian-minimal/template.jinja
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
--- a/salt/debian-xfce/template.jinja
+++ b/salt/debian-xfce/template.jinja
@ -1,15 +1,16 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
-{% set base = 'debian' -%}
+{%- import "debian/template.jinja" as template_base -%}
-{% set version = salt['pillar.get']('qvm:debian:version', '12') -%}
+{% set base = template_base.base -%}
 {% set version = template_base.version -%}
 {% set flavor = 'xfce' -%}
-{% set repo = salt['pillar.get']('qvm:debian:repo', 'qubes-templates-itl') -%}
+{% set repo = template_base.repo -%}
 {% if flavor -%}
  {% set flavor = '-' ~ flavor -%}
 {% endif -%}
-{% set template = base  ~ '-' ~ version ~ flavor -%}
+{% set template = base ~ '-' ~ version ~ flavor -%}
 {% set template_clean = base ~ flavor -%}
--- a/salt/debian/template.jinja
+++ b/salt/debian/template.jinja
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -11,5 +11,5 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {% if flavor -%}
  {% set flavor = '-' ~ flavor -%}
 {% endif -%}
-{% set template = base  ~ '-' ~ version ~ flavor -%}
+{% set template = base ~ '-' ~ version ~ flavor -%}
 {% set template_clean = base ~ flavor -%}
--- a/salt/fedora-minimal/README.md
+++ b/salt/fedora-minimal/README.md
@ -19,7 +19,7 @@ it.
 ```sh
 sudo qubesctl top.enable fedora-minimal
-sudo qubesctl --targets=fedora-40-minimal state.apply
+sudo qubesctl --targets=fedora-41-minimal state.apply
 sudo qubesctl top.disable fedora-minimal
 sudo qubesctl state.apply fedora-minimal.prefs
 ```
@ -30,7 +30,7 @@ sudo qubesctl state.apply fedora-minimal.prefs
 ```sh
 sudo qubesctl state.apply fedora-minimal.create
-sudo qubesctl --skip-dom0 --targets=fedora-40-minimal state.apply fedora-minimal.install
+sudo qubesctl --skip-dom0 --targets=fedora-41-minimal state.apply fedora-minimal.install
 sudo qubesctl state.apply fedora-minimal.prefs
 ```
--- a/salt/fedora-minimal/create.sls
+++ b/salt/fedora-minimal/create.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -9,7 +9,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {%- import slsdotpath ~ "/template.jinja" as template -%}
 include:
-  - fedora.create
+  - fedora-xfce.create
  - fedora-xfce.prefs
  - .clone
 "dvm-{{ template.template }}-absent":
@ -23,6 +24,7 @@ name: {{ template.template }}
 force: True
 require:
 - sls: {{ template.template_clean }}.clone
 - sls: fedora-xfce.create
 present:
 - label: black
 prefs:
@ -32,6 +34,7 @@ prefs:
 - memory: 300
 - maxmem: 600
 - include_in_backups: False
 - management_dispvm: dvm-fedora-xfce
 features:
 - set:
  - menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
@ -63,22 +66,3 @@ features:
  - menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}
 {{ load(defaults) }}
 "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora":
  qvm.vm:
    - require:
      - qvm: dvm-fedora
    - name: {{ template.template }}
    - prefs:
      - management_dispvm: dvm-fedora
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-install-salt-deps":
  cmd.script:
    - require:
      - qvm: "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora"
    - name: salt-patch.sh
    - source: salt://fedora-minimal/files/admin/bin/salt-patch.sh
    - args: {{ template.template }}
--- a/salt/fedora-minimal/files/admin/bin/salt-patch.sh
+++ b/salt/fedora-minimal/files/admin/bin/salt-patch.sh
@ -1,18 +0,0 @@
 #!/bin/sh
 ## SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 ##
 ## SPDX-License-Identifier: AGPL-3.0-or-later
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 set -eu
 qube="${1}"
 dnf_min_install="dnf -q install --refresh -y --setopt=install_weak_deps=False"
 qvm-run --no-gui --user=root --pass-io --filter-escape-chars \
  --no-color-output --no-color-stderr -- "${qube}" \
  "${dnf_min_install} python3-urllib3"
--- a/salt/fedora-minimal/init.top
+++ b/salt/fedora-minimal/init.top
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
--- a/salt/fedora-minimal/prefs.sls
+++ b/salt/fedora-minimal/prefs.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -9,21 +9,10 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - .create
-"{{ slsdotpath }}-set-management_dispvm-to-default":
+"{{ slsdotpath }}-set-{{ template.template }}-management_dispvm-to-default":
  qvm.vm:
    - require:
-      - cmd: "{{ slsdotpath }}-install-salt-deps"
+      - sls: {{ slsdotpath }}.create
    - name: {{ template.template }}
    - prefs:
      - management_dispvm: "*default*"
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-shutdown-template":
  qvm.shutdown:
    - require:
      - qvm: "{{ slsdotpath }}-set-management_dispvm-to-default"
    - name: {{ template.template }}
    - flags:
      - force
--- a/salt/fedora-minimal/template.jinja
+++ b/salt/fedora-minimal/template.jinja
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
--- a/salt/fedora-xfce/README.md
+++ b/salt/fedora-xfce/README.md
@ -18,8 +18,9 @@ Creates the Fedora Xfce template as well as a Disposable Template based on it.
 ```sh
 sudo qubesctl top.enable fedora-xfce
-sudo qubesctl --targets=fedora-40-xfce state.apply
+sudo qubesctl --targets=fedora-41-xfce state.apply
 sudo qubesctl top.disable fedora-xfce
 sudo qubesctl state.apply fedora-xfce.prefs
 ```
 *   State:
@ -28,7 +29,8 @@ sudo qubesctl top.disable fedora-xfce
 ```sh
 sudo qubesctl state.apply fedora-xfce.create
-sudo qubesctl --skip-dom0 --targets=fedora-40-xfce state.apply fedora-xfce.install
+sudo qubesctl --skip-dom0 --targets=fedora-41-xfce state.apply fedora-xfce.install
 sudo qubesctl state.apply fedora-xfce.prefs
 ```
 <!-- pkg:end:post-install -->
--- a/salt/fedora-xfce/create.sls
+++ b/salt/fedora-xfce/create.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -62,3 +62,11 @@ features:
  - menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}
 {{ load(defaults) }}
 "{{ slsdotpath }}-set-{{ template.template }}-management_dispvm-to-dvm-{{ template.template_clean }}":
  qvm.vm:
    - require:
      - qvm: dvm-{{ template.template_clean }}
    - name: {{ template.template }}
    - prefs:
      - management_dispvm: "dvm-{{ template.template_clean }}"
--- a/salt/fedora-xfce/prefs.sls
+++ b/salt/fedora-xfce/prefs.sls
@ -0,0 +1,18 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {%- import slsdotpath ~ "/template.jinja" as template -%}
 include:
  - .create
 "{{ slsdotpath }}-set-{{ template.template }}-management_dispvm-to-default":
  qvm.vm:
    - require:
      - sls: {{ slsdotpath }}.create
    - name: {{ template.template }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/fedora-xfce/prefs.top
+++ b/salt/fedora-xfce/prefs.top
@ -0,0 +1,10 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - fedora-xfce.prefs
--- a/salt/fedora-xfce/template.jinja
+++ b/salt/fedora-xfce/template.jinja
@ -1,15 +1,16 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
-{% set base = 'fedora' -%}
+{%- import "fedora/template.jinja" as template_base -%}
-{% set version = salt['pillar.get']('qvm:fedora:version', '39') -%}
+{% set base = template_base.base -%}
 {% set version = template_base.version -%}
 {% set flavor = 'xfce' -%}
-{% set repo = salt['pillar.get']('qvm:fedora:repo', 'qubes-templates-itl') -%}
+{% set repo = template_base.repo -%}
 {% if flavor -%}
  {% set flavor = '-' ~ flavor -%}
 {% endif -%}
-{% set template = base  ~ '-' ~ version ~ flavor -%}
+{% set template = base ~ '-' ~ version ~ flavor -%}
 {% set template_clean = base ~ flavor -%}
--- a/salt/fedora/README.md
+++ b/salt/fedora/README.md
@ -18,8 +18,9 @@ Creates the Fedora template as well as a Disposable Template based on it.
 ```sh
 sudo qubesctl top.enable fedora
-sudo qubesctl --targets=fedora-40 state.apply
+sudo qubesctl --targets=fedora-41 state.apply
 sudo qubesctl top.disable fedora
 sudo qubesctl state.apply fedora.prefs
 ```
 *   State:
@ -28,7 +29,8 @@ sudo qubesctl top.disable fedora
 ```sh
 sudo qubesctl state.apply fedora.create
-sudo qubesctl --skip-dom0 --targets=fedora-40 state.apply fedora.install
+sudo qubesctl --skip-dom0 --targets=fedora-41 state.apply fedora.install
 sudo qubesctl state.apply fedora.prefs
 ```
 <!-- pkg:end:post-install -->
--- a/salt/fedora/create.sls
+++ b/salt/fedora/create.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -62,3 +62,11 @@ features:
  - menu-items: "qubes-open-file-manager.desktop qubes-run-terminal.desktop qubes-start.desktop"
 {%- endload %}
 {{ load(defaults) }}
 "{{ slsdotpath }}-set-{{ template.template }}-management_dispvm-to-dvm-{{ template.template_clean }}":
  qvm.vm:
    - require:
      - qvm: dvm-{{ template.template_clean }}
    - name: {{ template.template }}
    - prefs:
      - management_dispvm: "dvm-{{ template.template_clean }}"
--- a/salt/fedora/prefs.sls
+++ b/salt/fedora/prefs.sls
@ -0,0 +1,18 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {%- import slsdotpath ~ "/template.jinja" as template -%}
 include:
  - .create
 "{{ slsdotpath }}-set-{{ template.template }}-management_dispvm-to-default":
  qvm.vm:
    - require:
      - sls: {{ slsdotpath }}.create
    - name: {{ template.template }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/fedora/prefs.top
+++ b/salt/fedora/prefs.top
@ -0,0 +1,10 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - fedora.prefs
--- a/salt/fedora/template.jinja
+++ b/salt/fedora/template.jinja
@ -1,15 +1,15 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {% set base = 'fedora' -%}
-{% set version = salt['pillar.get']('qvm:fedora:version', '40') -%}
+{% set version = salt['pillar.get']('qvm:fedora:version', '41') -%}
 {% set flavor = '' -%}
 {% set repo = salt['pillar.get']('qvm:fedora:repo', 'qubes-templates-itl') -%}
 {% if flavor -%}
  {% set flavor = '-' ~ flavor -%}
 {% endif -%}
-{% set template = base  ~ '-' ~ version ~ flavor -%}
+{% set template = base ~ '-' ~ version ~ flavor -%}
 {% set template_clean = base ~ flavor -%}
--- a/salt/mgmt/create.sls
+++ b/salt/mgmt/create.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -7,7 +7,6 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 {%- from "qvm/template.jinja" import load -%}
 include:
  - fedora.create
  - .clone
  - fedora-minimal.prefs
@ -19,6 +18,7 @@ require:
 - sls: fedora-minimal.prefs
 prefs:
 - audiovm: ""
 - management_dispvm: dvm-fedora-xfce
 {%- endload %}
 {{ load(defaults) }}
@ -48,22 +48,3 @@ features:
  - internal
 {%- endload %}
 {{ load(defaults) }}
 "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora":
  qvm.vm:
    - require:
      - qvm: dvm-fedora
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: dvm-fedora
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-install-salt-deps":
  cmd.script:
    - require:
      - qvm: "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora"
    - name: salt-patch.sh
    - source: salt://fedora-minimal/files/admin/bin/salt-patch.sh
    - args: tpl-{{ slsdotpath }}
--- a/salt/mgmt/prefs.sls
+++ b/salt/mgmt/prefs.sls
@ -10,13 +10,13 @@ include:
 "{{ slsdotpath }}-set-qubes-prefs-management_dispvm-to-dvm-{{ slsdotpath }}":
  cmd.run:
    - require:
-      - cmd: "{{ slsdotpath }}-install-salt-deps"
+      - sls: {{ slsdotpath }}.create
    - name: qubes-prefs -- management_dispvm dvm-{{ slsdotpath }}
 "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default":
  qvm.vm:
    - require:
-      - cmd: "{{ slsdotpath }}-install-salt-deps"
+      - sls: {{ slsdotpath }}.create
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
@ -27,14 +27,3 @@ include:
      - cmd: "{{ slsdotpath }}-set-qubes-prefs-management_dispvm-to-dvm-{{ slsdotpath }}"
      - qvm: "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default"
    - name: default-mgmt-dvm
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-shutdown-template":
  qvm.shutdown:
    - require:
      - qvm: "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default"
    - name: tpl-{{ slsdotpath }}
    - flags:
      - force
--- a/salt/qubes-builder/README.md
+++ b/salt/qubes-builder/README.md
@ -35,9 +35,11 @@ template.
 *   Top:
 ```sh
-sudo qubesctl top.enable qubes-builder
+sudo qubesctl top.enable mgmt qubes-builder
 sudo qubesctl --targets=tpl-mgmt state.apply
 sudo qubesctl state.apply qubes-builder.prefs-mgmt
 sudo qubesctl --targets=tpl-qubes-builder,dvm-qubes-builder,qubes-builder state.apply
-sudo qubesctl top.disable qubes-builder
+sudo qubesctl top.disable mgmt qubes-builder
 sudo qubesctl state.apply qubes-builder.prefs
 ```
@ -47,8 +49,9 @@ sudo qubesctl state.apply qubes-builder.prefs
 ```sh
 sudo qubesctl state.apply qubes-builder.create
 sudo qubesctl --skip-dom0 --targets=tpl-mgmt state.apply mgmt.install
 sudo qubesctl state.apply qubes-builder.prefs-mgmt
 sudo qubesctl --skip-dom0 --targets=tpl-qubes-builder state.apply qubes-builder.install
 sudo qubesctl state.apply qubes-builder.prefs
 sudo qubesctl --skip-dom0 --targets=dvm-qubes-builder state.apply qubes-builder.configure-qubes-executor
 sudo qubesctl --skip-dom0 --targets=qubes-builder state.apply qubes-builder.configure
 ```
--- a/salt/qubes-builder/create.sls
+++ b/salt/qubes-builder/create.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -8,14 +8,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - .clone
-  - fedora-minimal.prefs
+  - mgmt.create
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
 force: True
 require:
 - sls: {{ slsdotpath }}.clone
- sls: fedora-minimal.prefs
+- sls: mgmt.create
 prefs:
 - audiovm: ""
 {%- endload %}
@ -89,33 +89,3 @@ features:
 {% from 'utils/macros/policy.sls' import policy_set with context -%}
 {{ policy_set(sls_path, '70') }}
 "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora":
  qvm.vm:
    - require:
      - qvm: dvm-fedora
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: dvm-fedora
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-install-salt-deps":
  cmd.script:
    - require:
      - qvm: "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora"
    - name: salt-patch.sh
    - source: salt://fedora-minimal/files/admin/bin/salt-patch.sh
    - args: tpl-{{ slsdotpath }}
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-shutdown-template":
  qvm.shutdown:
    - require:
      - cmd: "{{ slsdotpath }}-install-salt-deps"
    - name: tpl-{{ slsdotpath }}
    - flags:
      - force
--- a/salt/qubes-builder/init.sls
+++ b/salt/qubes-builder/init.sls
@ -1,16 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 include:
 {% if grains['id'] == 'dom0' -%}
  - .create
 {% elif grains['id'] == 'tpl-' ~ slsdotpath -%}
  - .install
 {% elif grains['id'] == 'dvm-' ~ slsdotpath -%}
  - .configure-qubes-executor
 {% elif grains['id'] == slsdotpath -%}
  - .configure
 {% endif -%}
--- a/salt/qubes-builder/init.top
+++ b/salt/qubes-builder/init.top
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
--- a/salt/qubes-builder/prefs-mgmt.sls
+++ b/salt/qubes-builder/prefs-mgmt.sls
@ -0,0 +1,17 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 include:
  - .create
  - mgmt.prefs
 "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default":
  qvm.vm:
    - require:
      - sls: {{ slsdotpath }}.create
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/qubes-builder/prefs-mgmt.top
+++ b/salt/qubes-builder/prefs-mgmt.top
@ -0,0 +1,10 @@
 {#
 SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - qubes-builder.prefs-mgmt
--- a/salt/qubes-builder/prefs.sls
+++ b/salt/qubes-builder/prefs.sls
@ -1,20 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 include:
  - .create
 "{{ slsdotpath }}-set-management_dispvm-to-default":
  qvm.vm:
    - require:
      - cmd: "{{ slsdotpath }}-install-salt-deps"
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/qubes-builder/prefs.top
+++ b/salt/qubes-builder/prefs.top
@ -1,10 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - qubes-builder.prefs
--- a/salt/sys-gui-gpu/README.md
+++ b/salt/sys-gui-gpu/README.md
@ -23,9 +23,11 @@ WARNING: [unfinished formula](../../docs/TROUBLESHOOT.md#no-support-for-unfinish
 ```sh
 sudo qubesctl top.enable qvm.sys-gui-gpu pillar=True
-sudo qubesctl top.enable sys-gui-gpu
+sudo qubesctl top.enable mgmt sys-gui-gpu
 sudo qubesctl --targets=tpl-mgmt state.apply
 sudo qubesctl state.apply sys-gui.prefs-mgmt
 sudo qubesctl --targets=tpl-sys-gui,sys-gui-gpu state.apply
-sudo qubesctl top.disable sys-gui-gpu
+sudo qubesctl top.disable mgmt sys-gui-gpu
 sudo qubesctl state.apply sys-gui-gpu.prefs
 ```
@ -36,6 +38,8 @@ sudo qubesctl state.apply sys-gui-gpu.prefs
 ```sh
 sudo qubesctl top.enable qvm.sys-gui-gpu pillar=True
 sudo qubesctl state.apply sys-gui-gpu.create
 sudo qubesctl --skip-dom0 --targets=tpl-mgmt state.apply mgmt.install
 sudo qubesctl state.apply sys-gui.prefs-mgmt
 sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-gpu.install
 sudo qubesctl --skip-dom0 --targets=sys-gui-gpu state.apply sys-gui-gpu.configure
 sudo qubesctl state.apply sys-gui-gpu.prefs
--- a/salt/sys-gui-gpu/create.sls
+++ b/salt/sys-gui-gpu/create.sls
@ -12,6 +12,7 @@ SPDX-License-Identifier: GPL-2.0-only
 include:
  - .clone
  - sys-gui.create
 "{{ slsdotpath }}-gpu-installed":
  pkg.installed:
--- a/salt/sys-gui-vnc/README.md
+++ b/salt/sys-gui-vnc/README.md
@ -23,7 +23,9 @@ WARNING: [unfinished formula](../../docs/TROUBLESHOOT.md#no-support-for-unfinish
 ```sh
 sudo qubesctl top.enable qvm.sys-gui-vnc pillar=True
-sudo qubesctl top.enable sys-gui-vnc
+sudo qubesctl top.enable mgmt sys-gui-vnc
 sudo qubesctl --targets=tpl-mgmt state.apply
 sudo qubesctl state.apply sys-gui.prefs-mgmt
 sudo qubesctl --targets=tpl-sys-gui,sys-gui-vnc state.apply
 sudo qubesctl top.disable sys-gui-vnc
 sudo qubesctl state.apply sys-gui-vnc.prefs
@ -36,6 +38,8 @@ sudo qubesctl state.apply sys-gui-vnc.prefs
 ```sh
 sudo qubesctl top.enable qvm.sys-gui-vnc pillar=True
 sudo qubesctl state.apply sys-gui-vnc.create
 sudo qubesctl --skip-dom0 --targets=tpl-mgmt state.apply mgmt.install
 sudo qubesctl state.apply sys-gui.prefs-mgmt
 sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui-vnc.install
 sudo qubesctl --skip-dom0 --targets=sys-gui-vnc state.apply sys-gui-vnc.configure
 sudo qubesctl state.apply sys-gui-vnc.prefs
--- a/salt/sys-gui-vnc/create.sls
+++ b/salt/sys-gui-vnc/create.sls
@ -11,6 +11,7 @@ SPDX-License-Identifier: GPL-2.0-only
 include:
  - .clone
  - sys-gui.create
 {% if 'psu' in salt['pillar.get']('qvm:sys-gui-vnc:dummy-modules', []) or 'backlight' in salt['pillar.get']('qvm:sys-gui-vnc:dummy-modules', []) %}
 "{{ slsdotpath }}-vnc-installed":
--- a/salt/sys-gui/README.md
+++ b/salt/sys-gui/README.md
@ -23,9 +23,11 @@ WARNING: [unfinished formula](../../docs/TROUBLESHOOT.md#no-support-for-unfinish
 ```sh
 sudo qubesctl top.enable qvm.sys-gui pillar=True
-sudo qubesctl top.enable sys-gui
+sudo qubesctl top.enable mgmt sys-gui
 sudo qubesctl --targets=tpl-mgmt state.apply
 sudo qubesctl state.apply sys-gui.prefs-mgmt
 sudo qubesctl --targets=tpl-sys-gui,sys-gui state.apply
-sudo qubesctl top.disable sys-gui
+sudo qubesctl top.disable mgmt sys-gui
 sudo qubesctl state.apply sys-gui.prefs
 ```
@ -36,6 +38,8 @@ sudo qubesctl state.apply sys-gui.prefs
 ```sh
 sudo qubesctl top.enable qvm.sys-gui pillar=True
 sudo qubesctl state.apply sys-gui.create
 sudo qubesctl --skip-dom0 --targets=tpl-mgmt state.apply mgmt.install
 sudo qubesctl state.apply sys-gui.prefs-mgmt
 sudo qubesctl --skip-dom0 --targets=tpl-sys-gui state.apply sys-gui.install
 sudo qubesctl --skip-dom0 --targets=sys-gui state.apply sys-gui.configure
 sudo qubesctl state.apply sys-gui.prefs
--- a/salt/sys-gui/create.sls
+++ b/salt/sys-gui/create.sls
@ -1,7 +1,7 @@
 {#
 SPDX-FileCopyrightText: 2019 - 2020 Frederic Pierret <frederic.pierret@qubes-os.org>
 SPDX-FileCopyrightText: 2020 - 2024 Marmarek Marczykowski-Gorecki <marmarek@invisiblethingslab.com>
-SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: GPL-2.0-only
 #}
@ -11,6 +11,7 @@ SPDX-License-Identifier: GPL-2.0-only
 include:
  - .clone
  - mgmt.create
 {% if 'psu' in salt['pillar.get']('qvm:sys-gui:dummy-modules', []) or 'backlight' in salt['pillar.get']('qvm:sys-gui:dummy-modules', []) %}
 "{{ slsdotpath }}-installed":
@ -32,6 +33,7 @@ name: tpl-{{ slsdotpath }}
 force: True
 require:
 - sls: {{ slsdotpath }}.clone
 - sls: mgmt.create
 prefs:
 - audiovm: ""
 {%- endload %}
--- a/salt/sys-gui/prefs-mgmt.sls
+++ b/salt/sys-gui/prefs-mgmt.sls
@ -0,0 +1,16 @@
 {#
 SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 include:
  - mgmt.prefs
 "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default":
  qvm.vm:
    - require:
      - sls: {{ slsdotpath }}.create
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/sys-gui/prefs-mgmt.top
+++ b/salt/sys-gui/prefs-mgmt.top
@ -0,0 +1,10 @@
 {#
 SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - sys-gui.prefs-mgmt
--- a/salt/sys-gui/prefs.sls
+++ b/salt/sys-gui/prefs.sls
@ -14,3 +14,11 @@ SPDX-License-Identifier: AGPL-3.0-or-later
    - require:
      - qvm: "{{ slsdotpath }}-autostart"
    - name: qubes-prefs -- default_guivm {{ slsdotpath }}
 "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default":
  qvm.vm:
    - require:
      - sls: {{ slsdotpath }}.create
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/sys-pgp/README.md
+++ b/salt/sys-pgp/README.md
@ -28,9 +28,11 @@ and access to them is made from the client through Qrexec.
 *   Top:
 ```sh
-sudo qubesctl top.enable sys-pgp
+sudo qubesctl top.enable mgmt sys-pgp
 sudo qubesctl --targets=tpl-mgmt state.apply
 sudo qubesctl state.apply sys-pgp.prefs-mgmt
 sudo qubesctl --targets=tpl-sys-pgp,sys-pgp state.apply
-sudo qubesctl top.disable sys-pgp
+sudo qubesctl top.disable mgmt sys-pgp
 sudo qubesctl state.apply sys-pgp.prefs
 ```
@ -40,9 +42,10 @@ sudo qubesctl state.apply sys-pgp.prefs
 ```sh
 sudo qubesctl state.apply sys-pgp.create
 sudo qubesctl --skip-dom0 --targets=tpl-mgmt state.apply mgmt.install
 sudo qubesctl state.apply sys-pgp.prefs-mgmt
 sudo qubesctl --skip-dom0 --targets=tpl-sys-pgp state.apply sys-pgp.install
 sudo qubesctl --skip-dom0 --targets=sys-pgp state.apply sys-pgp.configure
 sudo qubesctl state.apply sys-pgp.prefs
 ```
 <!-- pkg:end:post-install -->
--- a/salt/sys-pgp/create.sls
+++ b/salt/sys-pgp/create.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -8,14 +8,14 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 include:
  - .clone
-  - fedora-minimal.prefs
+  - mgmt.create
 {% load_yaml as defaults -%}
 name: tpl-{{ slsdotpath }}
 force: True
 require:
 - sls: {{ slsdotpath }}.clone
- sls: fedora-minimal.prefs
+- sls: mgmt.create
 prefs:
 - audiovm: ""
 {%- endload %}
@ -47,22 +47,3 @@ features:
 {% from 'utils/macros/policy.sls' import policy_set with context -%}
 {{ policy_set(sls_path, '80') }}
 "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora":
  qvm.vm:
    - require:
      - qvm: dvm-fedora
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: dvm-fedora
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-install-salt-deps":
  cmd.script:
    - require:
      - qvm: "{{ slsdotpath }}-set-management_dispvm-to-dvm-fedora"
    - name: salt-patch.sh
    - source: salt://fedora-minimal/files/admin/bin/salt-patch.sh
    - args: tpl-{{ slsdotpath }}
--- a/salt/sys-pgp/install.sls
+++ b/salt/sys-pgp/install.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -22,13 +22,14 @@ include:
      - gnupg2
      - man-db
 {# TODO: sequoia-wot can't be installed on fedora-41 #}
 {% set pkg = {
  'Debian': {
    'pkg': ['sq', 'sq-keyring-linter', 'sq-wot', 'sqop', 'sqv'],
  },
  'RedHat': {
-    'pkg': ['sequoia-sq', 'sequoia-keyring-linter', 'sequoia-wot',
+    'pkg': ['sequoia-sq', 'sequoia-keyring-linter', 'sequoia-sop',
-            'sequoia-sop', 'sequoia-sqv', 'sequoia-policy-config',
+            'sequoia-sqv', 'sequoia-policy-config',
            'sequoia-chameleon-gnupg'],
  },
 }.get(grains.os_family) -%}
--- a/salt/sys-pgp/prefs-mgmt.sls
+++ b/salt/sys-pgp/prefs-mgmt.sls
@ -0,0 +1,17 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 include:
  - .create
  - mgmt.prefs
 "{{ slsdotpath }}-set-tpl-{{ slsdotpath }}-management_dispvm-to-default":
  qvm.vm:
    - require:
      - sls: {{ slsdotpath }}.create
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
--- a/salt/sys-pgp/prefs-mgmt.top
+++ b/salt/sys-pgp/prefs-mgmt.top
@ -0,0 +1,10 @@
 {#
 SPDX-FileCopyrightText: 2024 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - sys-pgp.prefs-mgmt
--- a/salt/sys-pgp/prefs.sls
+++ b/salt/sys-pgp/prefs.sls
@ -1,27 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 include:
  - .create
 "{{ slsdotpath }}-set-management_dispvm-to-default":
  qvm.vm:
    - require:
      - cmd: "{{ slsdotpath }}-install-salt-deps"
    - name: tpl-{{ slsdotpath }}
    - prefs:
      - management_dispvm: "*default*"
 ## TODO: Remove when template with patch reaches upstream or updates enforce
 ## salt-deps to be installed.
 ## https://github.com/QubesOS/qubes-issues/issues/8806
 "{{ slsdotpath }}-shutdown-template":
  qvm.shutdown:
    - require:
      - qvm: "{{ slsdotpath }}-set-management_dispvm-to-default"
    - name: tpl-{{ slsdotpath }}
    - flags:
      - force
--- a/salt/sys-pgp/prefs.top
+++ b/salt/sys-pgp/prefs.top
@ -1,10 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 base:
  'dom0':
    - match: nodegroup
    - sys-pgp.prefs
--- a/salt/utils/macros/clone-template.sls
+++ b/salt/utils/macros/clone-template.sls
@ -1,5 +1,5 @@
 {#
-SPDX-FileCopyrightText: 2023 - 2024 Benjamin Grande M. S. <ben.grande.b@gmail.com>
+SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@ -35,6 +35,9 @@ include:
 {% endif %}
 {% from 'utils/macros/update-admin.sls' import update_admin -%}
 {{ update_admin(source, prefix + name) }}
 "{{ prefix }}{{ name }}-clone":
  qvm.clone:
    - require:
--- a/salt/utils/macros/update-admin.sls
+++ b/salt/utils/macros/update-admin.sls
@ -0,0 +1,48 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2025 Benjamin Grande M. S. <ben.grande.b@gmail.com>
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 {#
 Usage:
 1: Import this template:
 {% from 'utils/macros/update-admin.sls' import update_admin -%}
 2: Set template base to update and the reason for it:
 {{ update_admin('fedora-minimal', 'tpl-sys-pgp') }}
 The 'reason' is only used for creating a globally unique ID.
 #}
 {% macro update_admin(source, reason, shutdown=True, include_create=False) -%}
 {% import source ~ "/template.jinja" as template -%}
 {% import "dom0/gui-user.jinja" as gui_user -%}
 {% if include_create -%}
 include:
  - {{ source }}.create
 {% endif -%}
 "{{ reason }}-{{ source }}-update-admin":
  cmd.run:
    - require:
      - sls: {{ source }}.create
    - name: qubes-vm-update --no-progress --show-output --targets={{ template.template }}
    - runas: {{ gui_user.gui_user }}
 {% if shutdown -%}
 {#
 Shutdown is necessary for cloned templates to have the newer state.
 Even if 'qubes-vm-update' tries to shutdown a qube that was not previously
 running, it does not wait for the shutdown to complete:
  https://github.com/qubesos/qubes-issues/issues/9814
 #}
 "{{ reason }}-{{ source }}-update-admin-shutdown":
  qvm.shutdown:
    - name: {{ template.template }}
    - flags:
      - wait
 {% endif -%}
 {% endmacro -%}