Remove systemd-resolved, explicitly install systemd-hwe-hwdb on noble

[legoktm]

Status

Ready for review

Description of Changes

These two packages are installed on fresh systems, but not on upgrades because they were split out of the systemd package. Set the dependency ourselves to make sure it's always pulled in. [see discussion below]

In the future once all SecureDrops are on noble, we can uninstall systemd-resolved entirely instead of merely stopping it.

Fixes #7464.

Testing

• CI passes (verifies conditional dependency is correctly applied)
• staging CI passes, verifies fresh install is fine
• do a focal to noble upgrade with these packages, verify systemd-resolved is not installed post-upgrade, /etc/resolv.conf points to your configured DNS, and e.g. curl https://securedrop.org works since DNS is working.
• verify that ./securedrop-admin install works post-upgrade.

Deployment

Any special considerations for deployment? upgrade is more important.

• Configuration tests pass
• I have written a test plan and validated it for this PR

[legoktm]

Unfortunately this correctly installs systemd-resolved, but then that gets enabled and is actively running post-upgrade. So we need a postinst step to re-disable it. Will work on that tomorrow.

[legoktm]

This is going even more poorly; once we install systemd-resolved, it blows away /etc/resolv.conf, so when we turn it off, there's no DNS. Since DNS is configured by the admin, it's not something we can directly recreate (we could do the backup/restore strategy, like iptables).

So I'm going to switch gears and just have us not install systemd-resolved. Unfortunately this invalidates our fresh install testing but I think it's going to work out better.

[legoktm]

It worked!! I can confirm that:

• doing a focal -> noble migration leaves you with a system without systemd-resolved, and still working DNS (status quo before this PR). systemd-hwe-hwdb is pulled in.
• after that, running ./securedrop-admin --force install (using this PR), will not fail, and the line to remove systemd-resolved is marked as "ok" and not "changed".
• And even after that DNS still works.

I didn't manually test a noble fresh install because staging CI does that for us, and it worked as expected:

2025-03-07T16:57:17.6852219Z TASK [common : Disable systemd-resolved (focal)] *******************************
2025-03-07T16:57:17.6997915Z skipping: [app-staging]
2025-03-07T16:57:17.7069178Z skipping: [mon-staging]
2025-03-07T16:57:17.7126125Z 
2025-03-07T16:57:17.7126715Z TASK [common : Uninstall systemd-resolved (noble)] *****************************
2025-03-07T16:57:22.0994976Z changed: [app-staging]
2025-03-07T16:57:22.1548691Z changed: [mon-staging]

[rocodes]

Per release checkin meeting today, I will visually review, relying on CI + @legoktm 's prior testing. We will incorporate further testing as part of regular rc QA test plan.

[rocodes]

I've caught up with the context in #7464, the initial implementation plan, and the subsequent decision to remove systemd-resolved instead of installing everywhere, and I've reviewed the changes here- at first the systemd depends in the control file was slightly confusing given that context, but I see that it is conditionally pulling in the systemd-hwe-hwdb dependency for noble.

Thanks for all the documentation and for resolving this so quickly @legoktm - LGTM. Will look out for the backport.