diff --git a/MANIFEST.in b/MANIFEST.in
deleted file mode 100644
index 9d19a1c7a2..0000000000
--- a/MANIFEST.in
+++ /dev/null
@@ -1,10 +0,0 @@
-graft debian
-graft etc
-graft lib
-graft var
-prune var/www/securedrop/tests
-include requirements.txt
-include setup.py
-recursive-exclude . *.pyc
-recursive-exclude . .coverage
-recursive-exclude . .coverage.*
diff --git a/Makefile b/Makefile
index e8538648f5..1dfdddc79b 100644
--- a/Makefile
+++ b/Makefile
@@ -64,7 +64,7 @@ update-pip-requirements: update-admin-pip-requirements update-python3-requiremen
 .PHONY: check-black
 check-black: ## Check Python source code formatting with black
 @echo "███ Running black check..."
- @black --check --diff setup.py securedrop \
+ @black --check --diff securedrop \
 install_files \
 journalist_gui \
 molecule \
@@ -73,7 +73,7 @@ check-black: ## Check Python source code formatting with black
 
 .PHONY: black
 black: ## Update Python source code formatting with black
- @black setup.py securedrop \
+ @black securedrop \
 install_files \
 journalist_gui \
 molecule \
@@ -82,7 +82,7 @@ black: ## Update Python source code formatting with black
 .PHONY: check-isort
 check-isort: ## Check Python import organization with isort
 @echo "███ Running isort check..."
- @isort --check-only --diff setup.py securedrop \
+ @isort --check-only --diff securedrop \
 install_files \
 journalist_gui \
 molecule \
@@ -91,7 +91,7 @@ check-isort: ## Check Python import organization with isort
 
 .PHONY: isort
 isort: ## Update Python import organization with isort
- @isort setup.py securedrop \
+ @isort securedrop \
 install_files \
 journalist_gui \
 molecule \
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 955dc05a61..4a3dd84bcd 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
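Review bot: The same path list is maintained by hand in four recipes (check-black, black, check-isort, isort), and this commit has to edit all four hunks just to drop `setup.py`; a single variable such as `PYTHON_SOURCES := securedrop install_files journalist_gui molecule ...` referenced as `$(PYTHON_SOURCES)` in each recipe would make the next addition or removal a one-line change and keep the check-* and formatting targets from drifting apart. The path list continues past the end of each hunk, so the full set of entries is not visible here.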
@@ -18,13 +18,6 @@ remote_host_ref: "{{ ansible_host|default(inventory_hostname) }}"
 # is used on the build VM to pull in required packages.
 development_dependencies: []
 
-# These profiles are referenced by multiple machines, such as Application Server
-# for direct copying at install time, and the build machine for including them
-# in the deb packages.
-apparmor_profiles:
- - usr.sbin.tor
- - usr.sbin.apache2
-
 # Installing the securedrop-app-code.deb package
 securedrop_target_distribution: focal
 securedrop_app_code_deb: "securedrop-app-code_{{ securedrop_version }}+{{ securedrop_target_distribution }}_amd64" # do not enter .deb extension
diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
index 1482aac77a..3c7b9f150c 100644
--- a/install_files/ansible-base/group_vars/securedrop_application_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -6,9 +6,9 @@ ip_info:
 
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
- - "securedrop-keyring-0.1.6+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- - "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- - "securedrop-ossec-agent-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
+ - "securedrop-keyring_0.1.6+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+ - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+ - "securedrop-ossec-agent_3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
 - "securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb"
 - "{{ securedrop_app_code_deb }}.deb"
 - "ossec-agent-3.6.0+{{ securedrop_target_distribution }}-amd64.deb"
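Review bot: Removing `apparmor_profiles` deletes a variable that the removed comment says is consumed by the Application Server for direct copying at install time, not only by the build machine; the build-side consumer disappears in this commit (the `Copy AppArmor profiles to prep path` task in tasks/main.yml), but no install-time consumer is touched anywhere in this diff. If any other role still iterates `{{ apparmor_profiles }}`, the install play will fail with an undefined-variable error, so the change should be accompanied by a search for the name across the playbooks. If the profiles are now delivered some other way, a one-line comment at this spot saying where they come from would save the next reader that search.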
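Review bot: After this hunk the list mixes two filename conventions: the three renamed entries use `_all.deb` with underscores, while `securedrop-grsec-…-amd64.deb` and `ossec-agent-…-amd64.deb` keep the hyphenated `-amd64` form, and nothing says which packages come from which build pipeline; a short comment such as `# keyring/config/ossec-agent are built by the new packaging; grsec and ossec-agent binaries still use the legacy names` (worded to match whatever is actually true) would keep the list maintainable. `securedrop-config` also loses its own `0.1.4+` version prefix, so its filename is now derived solely from `securedrop_version`, and whoever stages the .deb files must produce exactly that name or `install_local_deb_pkgs` will not find it. The same change appears in securedrop_monitor_server.yml and both points apply there too.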
diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
index 722fdc5ff7..a5979b0504 100644
--- a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
+++ b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -6,9 +6,9 @@ ip_info:
 
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
- - "securedrop-keyring-0.1.6+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- - "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
- - "securedrop-ossec-server-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
+ - "securedrop-keyring_0.1.6+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+ - "securedrop-config_{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
+ - "securedrop-ossec-server_3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}_all.deb"
 - securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb
 - ossec-server-3.6.0+{{ securedrop_target_distribution }}-amd64.deb
 
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml
index d821305fb6..ca4b15b8d0 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml
@@ -2,26 +2,12 @@
 # Directory for creating the sdist tarball
 securedrop_app_code_prep_dir: "/tmp/{{ securedrop_app_code_deb }}-prep"
 
-# Directory for storing the filtered application code files. These files
-# are "filtered" via an `.rsync-filter` file in the src directory.
-securedrop_code_filtered: "{{ securedrop_app_code_prep_dir }}/var/www/securedrop"
-
-securedrop_translation_pip_requirements: "{{ securedrop_code_filtered }}/requirements/python3/translation-requirements.txt"
-securedrop_pip_requirements: "{{ securedrop_code_filtered }}/requirements/python3/securedrop-app-code-requirements.txt"
-
 # SecureDrop code installation directory
 securedrop_code: /var/www/securedrop
 
 # Location of the application storage on disk, including database.
 securedrop_data: /var/lib/securedrop
 
-# Configuration files for SecureDrop systemd services
-systemd_services:
- - securedrop_rqrequeue.service
- - securedrop_rqworker.service
- - securedrop_shredder.service
- - securedrop_source_deleter.service
-
 # SecureDrop rq worker log directory
 securedrop_worker_log_dir: /var/log/securedrop_worker
 
@@ -29,7 +15,11 @@ securedrop_worker_log_dir: /var/log/securedrop_worker
 securedrop_user: "www-data"
 
 # Directory for building the Debian package
-securedrop_app_code_deb_dir: "/tmp/{{ securedrop_app_code_deb }}"
+securedrop_app_code_deb_dir: "/tmp/securedrop-build"
+
+securedrop_translation_pip_requirements: "{{ securedrop_app_code_deb_dir }}/requirements/python3/translation-requirements.txt"
+securedrop_pip_requirements: "{{ securedrop_app_code_deb_dir }}/requirements/python3/securedrop-app-code-requirements.txt"
+
 
 securedrop_app_rsync_opts:
 - "--chmod=u=rwX,g=rX,o=rX"
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-trusty b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-trusty
deleted file mode 100644
index 124c773639..0000000000
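Review bot: `securedrop_app_code_prep_dir` and its comment `# Directory for creating the sdist tarball` survive this hunk, but the sdist is no longer produced (the `Create sdist in prep dir` and `Extract sdist to build dir` tasks are removed from tasks/main.yml in this same commit) and none of the remaining tasks in that file reference the prep directory. Unless another role still uses it, the variable is dead and the comment now describes a step that does not exist; remove both, or reword the comment to say what the directory is still for.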
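Review bot: `securedrop_app_code_deb_dir` changes from a per-version name to the fixed path `/tmp/securedrop-build`, and both requirements paths are now derived from it. A fixed name under the shared, world-writable `/tmp` is predictable to every other account on the build host, and the `Copy securedrop to build directory` task rsyncs into it with `delete: yes`, so a directory or symlink that already exists at that path would most likely be reused rather than rejected; on a dedicated single-user build VM this is low risk, but a path under the build user's home or one created per run would remove the assumption entirely. At minimum the comment should state why the name is now fixed — I infer it is so that a later task can find dpkg-buildpackage's output at a known location, but that is not visible in this hunk.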
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-trusty +++ /dev/null 
@@ -1,247 +0,0 @@ -securedrop-app-code (0.13.0~rc1+trusty) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 27 Feb 2019 11:01:15 +0000 - -securedrop-app-code (0.12.2+trusty) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 25 Apr 2019 17:53:36 +0000 - -securedrop-app-code (0.12.1+trusty) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 20 Mar 2019 20:20:21 +0000 - -securedrop-app-code (0.12.0+trusty) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 27 Feb 2019 00:36:47 +0000 - -securedrop-app-code (0.11.1) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 24 Jan 2019 01:08:49 +0000 - -securedrop-app-code (0.11.0) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 11 Dec 2018 21:44:44 +0000 - -securedrop-app-code (0.10.0) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 23 Oct 2018 17:53:14 +0000 - -securedrop-app-code (0.9.1) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 06 Sep 2018 17:57:36 +0000 - -securedrop-app-code (0.9.0) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 22 Aug 2018 15:09:12 +0000 - -securedrop-app-code (0.8.0) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 26 Jun 2018 22:20:25 +0000 - -securedrop-app-code (0.7.0) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 16 May 2018 00:00:56 +0000 - -securedrop-app-code (0.6) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 13 Mar 2018 18:46:05 +0000 - -securedrop-app-code (0.5.2) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 01 Feb 2018 21:14:12 +0000 - -securedrop-app-code (0.5.1) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 16 Jan 2018 19:11:20 +0000 - -securedrop-app-code (0.5) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team 
Tue, 05 Dec 2017 17:39:00 +0000 - -securedrop-app-code (0.4.4) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Mon, 23 Oct 2017 17:53:17 -0700 - -securedrop-app-code (0.4.3) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 12 Sep 2017 16:50:15 +0000 - -securedrop-app-code (0.4.2) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Mon, 14 Aug 2017 23:09:30 +0000 - -securedrop-app-code (0.4.1) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 02 Aug 2017 23:25:13 +0000 - -securedrop-app-code (0.4) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 25 Jul 2017 18:21:02 +0000 - -securedrop-app-code (0.3.12) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Mon, 20 Mar 2017 11:27:34 -0700 - -securedrop-app-code (0.3.11) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Mon, 13 Feb 2017 22:08:06 +0000 - -securedrop-app-code (0.3.10) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Fri, 21 Oct 2016 15:44:29 -0400 - -securedrop-app-code (0.3.9) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 13 Sep 2016 22:11:33 +0000 - -securedrop-app-code (0.3.9-rc2) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 17 Aug 2016 00:03:15 +0000 - -securedrop-app-code (0.3.8) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 23 Jun 2016 23:57:03 +0000 - -securedrop-app-code (0.3.7) trusty; urgency=medium - - * See changelog.md - - -- SecureDrop Team Fri, 03 Jun 2016 00:44:10 +0000 - -securedrop-app-code (0.3.6) trusty; urgency=medium - - * Update the expiration date on the FPF code signing public key (expired Oct 26) - - -- SecureDrop Team Thu, 29 Oct 2015 01:42:27 +0000 - -securedrop-app-code (0.3.5) trusty; urgency=medium - - * Use certificate verification instead of fingerprint verification by default for the OSSEC Postfix -configuration (#1076) - * 
Fix apache2 service failing to start on Digital Ocean (#1078) - * Allow Apache to rotate its logs (#1074) - * Prevent reboots during cron-apt upgrade (#1071) - * Update documentation (#1107, #1112, #1113) - * Blacklist additional kernel modules used for wireless networking (#1116) - - -- SecureDrop Team Fri, 18 Sep 2015 21:28:41 +0000 - -securedrop-app-code (0.3.4) trusty; urgency=medium - - * Fix ineffective SSH connection throttling (iSEC-15FTC-7, #1053) - * Remove debugging print statements that could leak sensitive information to the logs for the document -interface (iSEC-15FTC-2, #1059) - * Harden default iptables policies (iSEC-15FTC-3, #1053) - * Don't check passwords or codenames that exceed a maximum length to prevent DoS via excessive scrypt -computation (iSEC-15FTC-6, #1059) - * Remove unnecessary capabilties from the Apache AppArmor profile (iSEC-15FTC-9, #1058). - * Change postfix hostname to something generic to prevent fingerprinting via OSSEC email headers -(iSEC-15FTC-10, #1057) - * Ensure correct permissions for Tor Onion Service directories so new installs won't break (#1052) - * Clarify server setup steps in the install documentation (#1027, #1061) - * Clarify that Tor ATHS setup is now automatic and does not require manual changes (#1030) - * Explain that you can only download files to the "Tor Browser" folder on Tails as of Tails 1.3, due to the -addition of AppArmor confinement for the Tor Browser (#1036, #1062). 
- * Explain that you must use the Unsafe Browser to configure the network firewall because the Tor Browser will -be blocked from accessing LAN addresses starting in Tails 1.5 (#1050) - * Fix "gotcha" in network firewall configuration where pfSense guesses the wrong CIDR subnet (#1060) - * Update the upgrade docs to refer to the latest version of the 0.3.x release series instead of a specific -version that would need to be updated every time (#1063) - - -- SecureDrop Team Wed, 08 Jul 2015 17:15:52 +0000 - -securedrop-app-code (0.3.3) trusty; urgency=medium - - * Remove unnecessary proxy command from Tails SSH aliases (#933) - * Make grsec reboot idempotent to avoid unnecessary reboots on new installs (#939) - * Make tmux the default shell on App and Monitor servers (#943) - * Fully tested migration procedures for 0.2.1 and 0.3pre to 0.3 (#944, #993) - * Ensure grub is not uninstalled in virtual machines (#945) - * CSS fixes (#948) - * Apache AppArmor profile should support TLS/SSL (#949) - * Fix: journalist interface no longer flas new submissions as unread (#969) - * Switch to NetworkManager for automatic ATHS setup on Admin Workstation (#1018) - * Upgrade Selenium in testing dependencies so functional tests work (#991) - * Clarify paths in install documentation (#1009) - - -- SecureDrop Team Tue, 05 May 2015 21:27:02 +0000 - -securedrop-app-code (0.3.2) trusty; urgency=high - - * Fixes security vulnerabilty (severity=high) in access control on Journalist Interface (#974) - - -- SecureDrop Team Wed, 1 Apr 2015 23:37:16 +0000 - -securedrop-app-code (0.3.1) trusty; urgency=medium - - * Improved installation and setup documentation (#927, #907, #903, #900) - * Fixed PEP8 and other style issue (#926, #893, #884, #890, #885) - * Automatic torrc initialization in Tails via dotfiles persistence (#925) - * Fix bug in installing grsecurity kernel when using new Ubuntu 14.04.2 .iso (#919) - * Prevent sources from creating "empty" submissions (#918) - * Autoremove unused 
packages after automatic upgrade (#916) - * Remove the App Server (private) IP address from OSSEC alert email subject lines (#915) - * Handle custom header image as a conffile in the securedrop-app-code Debian package (#911) - * Upgrade path from 0.3pre (#908, #909) - * Remove offensive words from source and journalist word lists (#891, #901) - - -- SecureDrop Team Mon, 23 Mar 2015 09:05:28 +0000 - -securedrop-app-code (0.3) trusty; urgency=medium - - * Initial release using Debian packages. For details on the differences between this release and the last -(0.2), see `changelog.md`. - - -- SecureDrop Team Thu, 12 Feb 2015 03:33:44 +0000 diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial deleted file mode 100644 index ffc5710328..0000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial +++ /dev/null 
@@ -1,131 +0,0 @@ -securedrop-app-code (1.9.0~rc1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Fri, 12 Mar 2021 10:18:41 -0500 - -securedrop-app-code (1.8.2+xenial) xenial; urgency=medium - - * see changelog.md - - -- SecureDrop Team Tue, 18 May 2021 20:34:33 +0000 - -securedrop-app-code (1.8.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 14 Apr 2021 13:31:46 +0000 - -securedrop-app-code (1.8.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 11 Mar 2021 18:40:19 +0000 - -securedrop-app-code (1.7.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 27 Jan 2021 14:10:48 -0500 - -securedrop-app-code (1.7.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 26 Jan 2021 14:22:28 -0800 - -securedrop-app-code (1.6.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 07 Oct 2020 10:11:26 -0400 - -securedrop-app-code (1.5.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 28 Jul 2020 15:39:05 +0000 - -securedrop-app-code (1.4.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 25 Jun 2020 11:09:28 -0400 - -securedrop-app-code (1.4.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 17 Jun 2020 21:35:57 +0000 - -securedrop-app-code (1.3.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 12 May 2020 18:37:42 +0000 - -securedrop-app-code (1.2.2+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Fri, 13 Mar 2020 19:43:29 +0000 - -securedrop-app-code (1.2.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 19 Feb 2020 14:40:43 +0000 - -securedrop-app-code (1.2.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 20 Nov 2019 16:48:41 +0000 - -securedrop-app-code 
(1.1.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Mon, 21 Oct 2019 18:09:35 +0000 - -securedrop-app-code (1.0.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 17 Sep 2019 23:22:22 +0530 - -securedrop-app-code (0.14.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 10 Jul 2019 15:11:49 +0000 - -securedrop-app-code (0.13.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Tue, 18 Jun 2019 13:48:12 +0000 - -securedrop-app-code (0.13.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 29 May 2019 20:45:21 +0000 - -securedrop-app-code (0.12.2+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Thu, 25 Apr 2019 17:54:15 +0000 - -securedrop-app-code (0.12.1+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 20 Mar 2019 20:20:40 +0000 - -securedrop-app-code (0.12.0+xenial) xenial; urgency=medium - - * See changelog.md - - -- SecureDrop Team Wed, 27 Feb 2019 00:37:02 +0000 diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml index 2fda3ad4b1..4f059e847b 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml 
@@ -1,109 +1,23 @@
 ---
-# Construct a staging area from which we can build the sdist tarball
-# which we'll then immediately extract for dh-virtualenv.
-- name: Copy install_files/securedrop-app-code to prep directory
- synchronize:
- src: "{{ role_path }}/../../../securedrop-app-code/"
- dest: "{{ securedrop_app_code_prep_dir }}"
- delete: yes
- recursive: yes
+- name: Create build dir
+ file:
+ state: directory
+ dest: "{{ securedrop_app_code_deb_dir }}"
 
-- name: Copy app code to prep directory under var/www/securedrop
+- name: Copy securedrop to build directory
 synchronize:
 src: "{{ role_path }}/../../../../securedrop/"
- dest: "{{ securedrop_code_filtered }}"
- recursive: yes
+ dest: "{{ securedrop_app_code_deb_dir }}"
 delete: yes
+ recursive: yes
 rsync_opts: "{{ securedrop_app_rsync_opts }}"
 
-- name: Copy setup.py to prep directory
- copy:
- src: "{{ role_path }}/../../../../setup.py"
- dest: "{{ securedrop_app_code_prep_dir }}/setup.py"
-
-- name: Copy MANIFEST.in to prep directory
- copy:
- src: "{{ role_path }}/../../../../MANIFEST.in"
- dest: "{{ securedrop_app_code_prep_dir }}/MANIFEST.in"
-
-- name: Copy translation-requirements.txt to prep directory
- command: cp "{{ securedrop_translation_pip_requirements }}" "{{ securedrop_app_code_prep_dir }}/translation-requirements.txt"
-
-- name: Copy requirements.txt to prep directory
- command: cp "{{ securedrop_pip_requirements }}" "{{ securedrop_app_code_prep_dir }}/requirements.txt"
-
 - name: Control the version of setuptools used in the default construction of virtual environments
 shell: |
- pip3 download --no-deps --require-hashes -r "{{ securedrop_app_code_prep_dir }}/requirements.txt" --dest /tmp/securedrop-app-code-requirements-download
+ pip3 download --no-deps --require-hashes -r "{{ securedrop_pip_requirements }}" --dest /tmp/securedrop-app-code-requirements-download
 rm -f /usr/share/python-wheels/setuptools-*.whl
 mv /tmp/securedrop-app-code-requirements-download/setuptools-*.whl /usr/share/python-wheels/
 
-- include: translations.yml
-
-- name: Create apparmor.d directory in prep directory
- file:
- state: directory
- dest: "{{ securedrop_app_code_prep_dir }}/etc/apparmor.d"
- tags: apparmor
-
-- name: Copy AppArmor profiles to prep path
- copy:
- src: "{{ item }}"
- dest: "{{ securedrop_app_code_prep_dir }}/etc/apparmor.d/{{ item }}"
- with_items: "{{ apparmor_profiles }}"
- tags: apparmor
-
-- name: Replace placeholder changelog to dist-specific changelog
- copy:
- src: "changelog-{{ securedrop_target_distribution }}"
- dest: "{{ securedrop_app_code_prep_dir }}/debian/changelog"
-
-- name: Create the control file based on distribution
- template:
- src: "control.j2"
- dest: "{{ securedrop_app_code_prep_dir }}/debian/control"
-
-- name: Create lib/systemd/services directory in prep directory
- file:
- state: directory
- dest: "{{ securedrop_app_code_prep_dir }}/lib/systemd/system"
- tags: systemd
-
-- name: Copy systemd service configurations to prep path
- template:
- src: "{{ item }}"
- dest: "{{ securedrop_app_code_prep_dir }}/lib/systemd/system/{{ item }}"
- mode: 0644
- with_items: "{{ systemd_services }}"
- tags: systemd
-
-- name: Create sdist in prep dir
- command: python3 setup.py sdist
- args:
- chdir: "{{ securedrop_app_code_prep_dir }}"
-
-- name: Create build dir
- file:
- state: directory
- dest: "{{ securedrop_app_code_deb_dir }}"
-
-- name: Extract sdist to build dir
- unarchive:
- remote_src: yes
- src: "{{ securedrop_app_code_prep_dir }}/dist/{{ securedrop_app_code_sdist_name }}"
- dest: "{{ securedrop_app_code_deb_dir }}"
- extra_opts:
- - --strip-components=1
-
-# Because setup.py sdist refuses to include empty directories, and we
-# have to build from the sdist.
-- name: Create empty static asset directories in build dir
- file:
- state: directory
- dest: "{{ item }}"
- with_items:
- - "{{ securedrop_app_code_deb_dir }}/var/www/securedrop/.well-known/pki-validation"
-
 - name: Build securedrop-app-code Debian package
 command: dpkg-buildpackage -us -uc
 args:
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
deleted file mode 100644
index 418fcaf190..0000000000
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
+++ /dev/null
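Review bot: The new `Copy securedrop to build directory` task rsyncs the entire `securedrop/` checkout straight into the build directory, whereas the removed flow went through a sdist whose MANIFEST.in (deleted in this commit) pruned `var/www/securedrop/tests` and excluded `*.pyc` and `.coverage*`; the only rsync option visible in this diff is `--chmod`, so nothing here reproduces those exclusions. If test fixtures, stale bytecode or coverage data from a developer checkout are not filtered elsewhere — an `--exclude` in `securedrop_app_rsync_opts`, or the package's debian/rules — they will be shipped in the .deb, and a comment on the task stating where that filtering now happens would make the intent explicit. Dropping `- include: translations.yml` also removes the PO-to-MO compile step from this role, so the compiled catalogs must now come from the packaging step itself, which is not visible in this hunk. The `Build securedrop-app-code Debian package` task continues past the end of the hunk.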
@@ -1,38 +0,0 @@ ---- -# We create the virtualenv separately from the "pip install" commands below, -# to make error-reporting a bit more obvious. We also update beforehand, -# beyond what the system version provides, see #6317. -- name: Create virtualenv for translation work - shell: > - set -e && - python3 -m venv /tmp/securedrop-app-code-i18n-ve && - /tmp/securedrop-app-code-i18n-ve/bin/pip3 install -r - <(echo "pip==21.3 - --hash=sha256:4a1de8f97884ecfc10b48fe61c234f7e7dcf4490a37217011ad9369d899ad5a6 - --hash=sha256:741a61baab1dbce2d8ca415effa48a2b6a964564f81a9f4f1fce4c433346c034") - args: - executable: /bin/bash - tags: - - pip - -- name: Install SecureDrop Python requirements in virtualenv for translation work - shell: > - set -e && - python3 -m venv /tmp/securedrop-app-code-i18n-ve && - /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/translation-requirements.txt && - /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt - environment: - PATH: /root/.cargo/bin:{{ ansible_env.PATH }} - tags: - - pip - -- name: Compile PO to MO. - shell: >- - cp config.py.example config.py ; - trap 'rm config.py' EXIT ; - . /tmp/securedrop-app-code-i18n-ve/bin/activate ; - /tmp/securedrop-app-code-i18n-ve/bin/python3 ./i18n_tool.py --verbose translate-messages --compile - args: - chdir: "{{ securedrop_code_filtered }}" - environment: - PYTHONDONTWRITEBYTECODE: "true" diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 deleted file mode 100644 index 9ce7cb3483..0000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/control.j2 +++ /dev/null 
@@ -1,14 +0,0 @@ -Source: securedrop-app-code -Section: web -Priority: optional -Maintainer: SecureDrop Team -Homepage: https://securedrop.org -Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd, dh-virtualenv -Standards-Version: 3.9.8 - -Package: securedrop-app-code -Architecture: amd64 -Conflicts: libapache2-mod-wsgi, supervisor -Replaces: libapache2-mod-wsgi, supervisor -Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3 -Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode. diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_rqrequeue.service b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_rqrequeue.service deleted file mode 100644 index b04b208f41..0000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_rqrequeue.service +++ /dev/null @@ -1,21 +0,0 @@ -[Unit] -Description=SecureDrop rqrequeue process -After=redis-server.service -Wants=redis-server.service - -[Service] -Environment=PYTHONPATH="{{ securedrop_code }}:{{ securedrop_venv_site_packages }}" -ExecStart={{ securedrop_venv_bin }}/python {{ securedrop_code }}/scripts/rqrequeue --interval 60 -PrivateDevices=yes -PrivateTmp=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories={{ securedrop_data }} -Restart=always -RestartSec=10s -UMask=077 -User=www-data -WorkingDirectory={{ securedrop_code }} - -[Install] -WantedBy=multi-user.target 
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_shredder.service b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_shredder.service deleted file mode 100644 index 53b219368c..0000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_shredder.service +++ /dev/null @@ -1,19 +0,0 @@ -[Unit] -Description=SecureDrop shredder - -[Service] -Environment=PYTHONPATH="{{ securedrop_code }}:{{ securedrop_venv_site_packages }}" -ExecStart={{ securedrop_venv_bin }}/python {{ securedrop_code }}/scripts/shredder --interval 60 -PrivateDevices=yes -PrivateTmp=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories={{ securedrop_data }} -Restart=always -RestartSec=10s -UMask=077 -User=www-data -WorkingDirectory={{ securedrop_code }} - -[Install] -WantedBy=multi-user.target diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_source_deleter.service b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_source_deleter.service deleted file mode 100644 index 1743799368..0000000000 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_source_deleter.service +++ /dev/null @@ -1,19 +0,0 @@ -[Unit] -Description=SecureDrop Source deleter - -[Service] -Environment=PYTHONPATH="{{ securedrop_code }}:{{ securedrop_venv_site_packages }}" -ExecStart={{ securedrop_venv_bin }}/python {{ securedrop_code }}/scripts/source_deleter --interval 10 -PrivateDevices=yes -PrivateTmp=yes -ProtectSystem=full -ReadOnlyDirectories=/ -ReadWriteDirectories={{ securedrop_data }} -Restart=always -RestartSec=10s -UMask=077 -User=www-data -WorkingDirectory={{ securedrop_code }} - -[Install] -WantedBy=multi-user.target 
diff --git a/install_files/ossec-agent/usr/share/lintian/overrides/ossec-agent b/install_files/ossec-agent/usr/share/lintian/overrides/ossec-agent deleted file mode 100644 index 97a0230798..0000000000 --- a/install_files/ossec-agent/usr/share/lintian/overrides/ossec-agent +++ /dev/null @@ -1,9 +0,0 @@ -ossec-agent: new-package-should-close-itp-bug -ossec-agent: embedded-library -ossec-agent: embedded-zlib -ossec-agent: possible-gpl-code-linked-with-openssl -ossec-agent: executable-is-not-world-readable -ossec-agent: non-standard-dir-perm -ossec-agent: file-in-unusual-dir -ossec-agent: non-standard-file-perm -ossec-agent: non-standard-dir-in-var diff --git a/install_files/ossec-server/DEBIAN/templates b/install_files/ossec-server/DEBIAN/templates deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/install_files/ossec-server/usr/share/lintian/overrides/ossec-server b/install_files/ossec-server/usr/share/lintian/overrides/ossec-server deleted file mode 100644 index e08c759524..0000000000 --- a/install_files/ossec-server/usr/share/lintian/overrides/ossec-server +++ /dev/null @@ -1,7 +0,0 @@ -ossec-server: embedded-library -ossec-server: embedded-zlib -ossec-server: possible-gpl-code-linked-with-openssl -ossec-server: new-package-should-close-itp-bug -ossec-server: possibly-insecure-handling-of-tmp-files-in-maintainer-script -ossec-server: non-standard-dir-in-var -ossec-server: file-in-unusual-dir diff --git a/install_files/securedrop-app-code/debian/conffiles b/install_files/securedrop-app-code/debian/conffiles deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/install_files/securedrop-app-code/debian/prerm b/install_files/securedrop-app-code/debian/prerm deleted file mode 100644 index 5339992527..0000000000 --- a/install_files/securedrop-app-code/debian/prerm +++ /dev/null 
@@ -1,41 +0,0 @@
-#!/bin/sh
-# prerm script for securedrop-app-code
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-# * `remove'
-# * `upgrade'
-# * `failed-upgrade'
-# * `remove' `in-favour'
-# * `deconfigure' `in-favour'
-# `removing'
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-
-case "$1" in
- remove|deconfigure)
- ;;
-
- upgrade)
- ;;
-
- failed-upgrade)
- ;;
-
- *)
- echo "prerm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-app-code/debian/securedrop-app-code.install b/install_files/securedrop-app-code/debian/securedrop-app-code.install
deleted file mode 100644
index d36242a217..0000000000
--- a/install_files/securedrop-app-code/debian/securedrop-app-code.install
+++ /dev/null
@@ -1,7 +0,0 @@
-var/www /var/
-etc/apparmor.d/usr.sbin.apache2 /etc/apparmor.d
-etc/apparmor.d/usr.sbin.tor /etc/apparmor.d
-lib/systemd/system/securedrop_rqrequeue.service /lib/systemd/system
-lib/systemd/system/securedrop_rqworker.service /lib/systemd/system
-lib/systemd/system/securedrop_shredder.service /lib/systemd/system
-lib/systemd/system/securedrop_source_deleter.service /lib/systemd/system
diff --git a/install_files/securedrop-app-code/debian/templates b/install_files/securedrop-app-code/debian/templates
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/copyright b/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/copyright
deleted file mode 100644
index bf2f678662..0000000000
--- a/install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/copyright
+++ /dev/null
@@ -1,2 +0,0 @@
-Copyright (C) 2013 Aaron Swartz and James Dolan
-/usr/share/common-licenses/GPL-2
diff --git a/install_files/securedrop-app-code/usr/share/lintian/overrides/securedrop-app-code b/install_files/securedrop-app-code/usr/share/lintian/overrides/securedrop-app-code
deleted file mode 100644
index 93fd679999..0000000000
--- a/install_files/securedrop-app-code/usr/share/lintian/overrides/securedrop-app-code
+++ /dev/null
@@ -1 +0,0 @@
-securedrop-app-code: new-package-should-close-itp-bug
diff --git a/install_files/securedrop-config-focal/DEBIAN/control.j2 b/install_files/securedrop-config-focal/DEBIAN/control.j2
deleted file mode 100644
index 128b3c1181..0000000000
--- a/install_files/securedrop-config-focal/DEBIAN/control.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-Source: securedrop
-Section: web
-Priority: optional
-Maintainer: SecureDrop Team
-Homepage: https://securedrop.org
-Package: securedrop-config
-Version: 0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}
-Depends: unattended-upgrades,update-notifier-common
-Architecture: all
-Description: Establishes baseline system state for running SecureDrop.
- Configures apt repositories.
diff --git a/install_files/securedrop-keyring/DEBIAN/control.j2 b/install_files/securedrop-keyring/DEBIAN/control.j2
deleted file mode 100644
index 01670a56be..0000000000
--- a/install_files/securedrop-keyring/DEBIAN/control.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-Source: securedrop
-Section: web
-Priority: optional
-Maintainer: SecureDrop Team
-Homepage: https://securedrop.org
-Package: securedrop-keyring
-Version: 0.1.6+{{ securedrop_version }}+{{ securedrop_target_distribution }}
-Architecture: amd64
-Depends: gnupg
-Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/install_files/securedrop-keyring/DEBIAN/preinst b/install_files/securedrop-keyring/DEBIAN/preinst
deleted file mode 100755
index 2c9e9e94e2..0000000000
--- a/install_files/securedrop-keyring/DEBIAN/preinst
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-# shellcheck disable=SC2230
-
-set -e
-
-# Solution adapted from DKG's work on `deb.torproject.org-keyring`.
-# In SecureDrop versions before 0.3.10, the Ansible playbooks used
-# the apt_key module to add the signing key to /etc/apt/trusted.gpg.
-# It's cleaner to use the trusted.gpg.d subdirectory, since we can
-# update that trivially in future versions of the keyring package.
-#
-# Therefore let's clean up prior versions of the key installed
-# to the general apt keyring, to ensure we only have one signing key
-# installed for authenticating securedrop-related packages.
-
-if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
- (
- h="$(mktemp -d)"
- trap "rm -rf '$h'" EXIT
-
- if gpg --homedir="$h" \
- --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
- --list-key 0xB89A29DB2128160B8E4B1B4CBADDE0C7FC9F6818 > /dev/null 2>&1 ; then
- gpg --homedir="$h" \
- --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
- --no-auto-check-trustdb \
- --delete-key 0xB89A29DB2128160B8E4B1B4CBADDE0C7FC9F6818 || true
- fi
- )
-fi
-
-#DEBHELPER#
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/control.j2 b/install_files/securedrop-ossec-agent/DEBIAN/control.j2
deleted file mode 100644
index 92d908a0e4..0000000000
--- a/install_files/securedrop-ossec-agent/DEBIAN/control.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-Source: ossec.net
-Section: web
-Priority: optional
-Maintainer: SecureDrop Team
-Homepage: https://securedrop.org
-Package: securedrop-ossec-agent
-Version: 3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}
-Architecture: amd64
-Depends: libevent-2.1-7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
-Replaces: ossec-agent
-Conflicts: securedrop-ossec-server
-Description: Installs the securedrop pre-configured OSSEC agent
- This package installs an OSSEC agent pre-configured for the
- SecureDrop app server.
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/postrm b/install_files/securedrop-ossec-agent/DEBIAN/postrm
deleted file mode 100755
index 804d725147..0000000000
--- a/install_files/securedrop-ossec-agent/DEBIAN/postrm
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/bin/sh
-# postrm script for securedrop-app-ossec
-#
-# see: dh_installdeb(1)
-
-set -e
-#set -x
-# summary of how this script can be called:
-# * `remove'
-# * `purge'
-# * `upgrade'
-# * `failed-upgrade'
-# * `abort-install'
-# * `abort-install'
-# * `abort-upgrade'
-# * `disappear'
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
- upgrade|failed-upgrade)
- ;;
-
- remove|abort-install|abort-upgrade|disappear)
- ;;
-
- purge)
- ;;
-
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/preinst b/install_files/securedrop-ossec-agent/DEBIAN/preinst
deleted file mode 100755
index 4bd90f765e..0000000000
--- a/install_files/securedrop-ossec-agent/DEBIAN/preinst
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-# preinst script for securedrop-app-ossec
-#
-# see: dh_installdeb(1)
-
-set -e
-#set -x
-# summary of how this script can be called:
-# * `install'
-# * `install'
-# * `upgrade'
-# * `abort-upgrade'
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
- install)
- ;;
-
- upgrade)
- ;;
-
- abort-upgrade)
- ;;
-
- *)
- echo "preinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/prerm b/install_files/securedrop-ossec-agent/DEBIAN/prerm
deleted file mode 100755
index 89702e25b8..0000000000
--- a/install_files/securedrop-ossec-agent/DEBIAN/prerm
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-# prerm script for securedrop-app-ossec
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-# * `remove'
-# * `upgrade'
-# * `failed-upgrade'
-# * `remove' `in-favour'
-# * `deconfigure' `in-favour'
-# `removing'
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-
-case "$1" in
- remove|deconfigure)
- ;;
-
- upgrade)
- ;;
-
- failed-upgrade)
- ;;
-
- *)
- echo "prerm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian b/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian
deleted file mode 100644
index 9ed3cf4a70..0000000000
--- a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/changelog.Debian
+++ /dev/null
@@ -1,17 +0,0 @@
-securedrop-ossec-agent (3.6.0) unstable; urgency=low
-
- * Upgrade to ossec 3.6.0
-
- -- SecureDrop Team Mon, 13 Apr 2020 15:20:12 -0400
-
-securedrop-ossec-agent (3.0.0) unstable; urgency=low
-
- * Upgrade to ossec 3.0
-
- -- SecureDrop Team Tue, 21 Aug 2018 11:43:47 -0700
-
-securedrop-ossec-agent (2.8.1) unstable; urgency=low
-
- * Initial release
-
- -- James Dolan Fri, 14 Mar 2014 15:46:57 -0700
diff --git a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/copyright b/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/copyright
deleted file mode 100644
index de32720383..0000000000
--- a/install_files/securedrop-ossec-agent/usr/share/doc/securedrop-ossec-agent/copyright
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/common-licenses/GPL-2
diff --git a/install_files/securedrop-ossec-agent/usr/share/lintian/overrides/securedrop-ossec-agent b/install_files/securedrop-ossec-agent/usr/share/lintian/overrides/securedrop-ossec-agent
deleted file mode 100644
index b114fd31e8..0000000000
--- a/install_files/securedrop-ossec-agent/usr/share/lintian/overrides/securedrop-ossec-agent
+++ /dev/null
@@ -1,9 +0,0 @@
-securedrop-ossec-agent: new-package-should-close-itp-bug
-securedrop-ossec-agent: embedded-library
-securedrop-ossec-agent: embedded-zlib
-seucredrop-ossec-agent: possible-gpl-code-linked-with-openssl
-securedrop-ossec-agent: executable-is-not-world-readable
-securedrop-ossec-agent: non-standard-dir-perm
-securedrop-ossec-agent: file-in-unusual-dir
-securedrop-ossec-agent: non-standard-file-perm
-securedrop-ossec-agent: non-standard-dir-in-var
diff --git a/install_files/securedrop-ossec-server/DEBIAN/control.j2 b/install_files/securedrop-ossec-server/DEBIAN/control.j2
deleted file mode 100644
index 1f32706496..0000000000
--- a/install_files/securedrop-ossec-server/DEBIAN/control.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-Source: ossec.net
-Section: web
-Priority: optional
-Maintainer: SecureDrop Team
-Homepage: https://securedrop.org
-Package: securedrop-ossec-server
-Version: 3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}
-Architecture: amd64
-Depends: libevent-2.1-7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
-Replaces: ossec-server
-Conflicts: securedrop-ossec-agent
-Description: Installs the pre-packaged OSSEC server
- This package installs an OSSEC server pre-configured for the
- SecureDrop mon server. It is configured to email all alerts to
- root@localhost. The SecureDrop ansible playbook will configure
- procmail and postfix to gpg encrypt the OSSEC alerts and email
- them to SecureDrop Admin.
diff --git a/install_files/securedrop-ossec-server/DEBIAN/postrm b/install_files/securedrop-ossec-server/DEBIAN/postrm
deleted file mode 100755
index 0c42dfb075..0000000000
--- a/install_files/securedrop-ossec-server/DEBIAN/postrm
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-# postrm script for securedrop-monitor
-#
-# see: dh_installdeb(1)
-
-set -e
-#set -x
-# summary of how this script can be called:
-# * `remove'
-# * `purge'
-# * `upgrade'
-# * `failed-upgrade'
-# * `abort-install'
-# * `abort-install'
-# * `abort-upgrade'
-# * `disappear'
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-case "$1" in
- upgrade|failed-upgrade)
- ;;
-
- remove|abort-install|abort-upgrade|disappear)
- ;;
-
- purge)
- ;;
-
- *)
- echo "postrm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-ossec-server/DEBIAN/preinst b/install_files/securedrop-ossec-server/DEBIAN/preinst
deleted file mode 100755
index f09fc49981..0000000000
--- a/install_files/securedrop-ossec-server/DEBIAN/preinst
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/bin/sh
-# preinst script for securedrop-monitor package
-#
-# see: dh_installdeb(1)
-
-set -e
-#set -x
-# summary of how this script can be called:
-# * `install'
-# * `install'
-# * `upgrade'
-# * `abort-upgrade'
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
- install)
- ;;
-
- upgrade)
- ;;
-
- abort-upgrade)
- ;;
-
- *)
- echo "preinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-ossec-server/DEBIAN/prerm b/install_files/securedrop-ossec-server/DEBIAN/prerm
deleted file mode 100755
index 9f9e494f6e..0000000000
--- a/install_files/securedrop-ossec-server/DEBIAN/prerm
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-# prerm script for securedrop-monitor
-#
-# see: dh_installdeb(1)
-
-set -e
-#set -x
-# summary of how this script can be called:
-# * `remove'
-# * `upgrade'
-# * `failed-upgrade'
-# * `remove' `in-favour'
-# * `deconfigure' `in-favour'
-# `removing'
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-
-case "$1" in
- remove|deconfigure)
- ;;
-
- upgrade)
- ;;
-
- failed-upgrade)
- ;;
-
- *)
- echo "prerm called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/install_files/securedrop-ossec-server/DEBIAN/templates b/install_files/securedrop-ossec-server/DEBIAN/templates
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian b/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian
deleted file mode 100644
index 061f26da6e..0000000000
--- a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/changelog.Debian
+++ /dev/null
@@ -1,17 +0,0 @@
-securedrop-ossec-agent (3.6.0) unstable; urgency=low
-
- * Upgrade to ossec 3.6.0
-
- -- SecureDrop Team Mon, 13 Apr 2020 15:15:32 -0400
-
-securedrop-ossec-agent (3.0.0) unstable; urgency=low
-
- * Upgrade to ossec 3.0
-
- -- SecureDrop Team Tue, 21 Aug 2018 11:44:17 -0700
-
-securedrop-ossec-server (0.2.1-1) unstable; urgency=low
-
- * Initial release
-
- -- James Dolan Fri, 14 Mar 2014 15:52:47 -0700
diff --git a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/copyright b/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/copyright
deleted file mode 100644
index fa6b800f4a..0000000000
--- a/install_files/securedrop-ossec-server/usr/share/doc/securedrop-ossec-server/copyright
+++ /dev/null
@@ -1,37 +0,0 @@
-This work was packaged for Debian by:
-
- Santiago Bassett on Fri, 29 Nov 2013 03:11:44 +0000
-
-This work was modified for SecureDrop environments by:
- James Dolan on Thu, 29 Nov 2013 00:00:00 +0000
-
-It was downloaded from:
-
- http://www.ossec.net
-
-Upstream Authors:
-
- dcid@dcid.me
- Jia-BingJB_Cheng@trendmicro.com
- vichargrave@gmail.com
- ossec@michaelstarks.com
- ddpbsd@gmail.com
- scott@atomicorp.com
- brad.lhotsky@gmail.com
- jeremy@jeremyrossy.com
- santiago.bassett@gmail.com
-
-Copyright:
-
- GNU General Public License version 2.
-
-License:
-
- GNU General Public License version 2.
-
-The Debian packaging is:
-
- Copyright (C) 2014 Santiago Bassett
-
-and is licensed under the GPL version 2,
-see "/usr/share/common-licenses/GPL-2".
diff --git a/install_files/securedrop-ossec-server/usr/share/lintian/overrides/securedrop-ossec-server b/install_files/securedrop-ossec-server/usr/share/lintian/overrides/securedrop-ossec-server
deleted file mode 100644
index f25197cfd8..0000000000
--- a/install_files/securedrop-ossec-server/usr/share/lintian/overrides/securedrop-ossec-server
+++ /dev/null
@@ -1,7 +0,0 @@
-securedrop-ossec-server: embedded-library
-securedrop-ossec-server: embedded-zlib
-securedrop-ossec-server: possible-gpl-code-linked-with-openssl
-securedrop-ossec-server: new-package-should-close-itp-bug
-securedrop-ossec-server: possibly-insecure-handling-of-tmp-files-in-maintainer-script
-securedrop-ossec-server: non-standard-dir-in-var
-securedrop-ossec-server: file-in-unusual-dir
diff --git a/install_files/securedrop-ossec-server/var/ossec/checksdconfig.py b/install_files/securedrop-ossec-server/var/ossec/checksdconfig.py
deleted file mode 100755
index e22e88ce94..0000000000
--- a/install_files/securedrop-ossec-server/var/ossec/checksdconfig.py
+++ /dev/null
@@ -1,85 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-import argparse
-import subprocess
-import sys
-
-IPTABLES_RULES_UNCONFIGURED = {"all": ["-P INPUT ACCEPT", "-P FORWARD ACCEPT", "-P OUTPUT ACCEPT"]}
-
-
-IPTABLES_RULES_DEFAULT_DROP = {
- "policies": [
- "-P INPUT DROP",
- "-P FORWARD DROP",
- "-P OUTPUT DROP",
- ],
- "input": [
- '-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP',
- ],
- "output": [
- '-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP',
- ],
- "logndrop": [
- (
- "-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options "
- "--log-uid"
- ),
- "-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid",
- "-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid",
- "-A LOGNDROP -j DROP",
- ],
-}
-
-
-def list_iptables_rules():
- result = subprocess.run(["iptables", "-S"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- rules = result.stdout.decode("utf-8").splitlines()
- policies = [r for r in rules if r.startswith("-P")]
- input_rules = [r for r in rules if r.startswith("-A INPUT")]
- output_rules = [r for r in rules if r.startswith("-A OUTPUT")]
- logndrop_rules = [r for r in rules if r.startswith("-A LOGNDROP")]
- return {
- "all": rules,
- "policies": policies,
- "input": input_rules,
- "output": output_rules,
- "logndrop": logndrop_rules,
- }
-
-
-def check_iptables_are_default(rules):
- if rules["all"] == IPTABLES_RULES_UNCONFIGURED:
- raise ValueError("The iptables rules have not been configured.")
-
-
-def check_iptables_default_drop(rules):
- for chain, chain_rules in IPTABLES_RULES_DEFAULT_DROP.items():
- for i, rule in enumerate(reversed(chain_rules), 1):
- try:
- if rules[chain][-i] != rule:
- raise ValueError("The iptables default drop rules are incorrect.")
- except (KeyError, IndexError):
- raise ValueError("The iptables default drop rules are incorrect.")
-
-
-def check_iptables_rules():
-
rules = list_iptables_rules()
- check_iptables_are_default(rules)
- check_iptables_default_drop(rules)
-
-
-def check_system_configuration(args):
- print("Checking system configuration...")
- try:
- check_iptables_rules()
- except ValueError as e:
- print("System configuration error:", e)
- sys.exit(1)
- print("System configuration checks were successful.")
-
-
-if __name__ == "__main__":
- parser = argparse.ArgumentParser(description="SecureDrop server configuration check")
- args = parser.parse_args()
- check_system_configuration(args)
diff --git a/molecule/builder-focal/Dockerfile b/molecule/builder-focal/Dockerfile
index cba09ea9f3..385baa7e92 100644
--- a/molecule/builder-focal/Dockerfile
+++ b/molecule/builder-focal/Dockerfile
@@ -20,7 +20,6 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
 libffi-dev \
 libssl-dev \
 make \
- paxctl \
 python3-all \
 python3-pip \
 python3-setuptools \
@@ -55,6 +54,6 @@ RUN TMPDIR=`mktemp -d` && cd ${TMPDIR} \
 RUN echo "source $HOME/.cargo/env" >> $HOME/.bashrc
-RUN paxctl -cm /usr/bin/python3.8 && mkdir -p /tmp/build
+RUN mkdir -p /tmp/build
 RUN apt-get clean \
 && rm -rf /var/lib/apt/lists/*
diff --git a/molecule/builder-focal/molecule.yml b/molecule/builder-focal/molecule.yml
index b1b3cb0fe4..f0bdfcd4bd 100644
--- a/molecule/builder-focal/molecule.yml
+++ b/molecule/builder-focal/molecule.yml
@@ -13,21 +13,9 @@ platforms:
 - name: focal-sd-generic-ossec-server
 groups:
 - builders
- - name: focal-sd-generic-ossec-agent2
- groups:
- - builders
- - name: focal-sd-generic-ossec-server2
- groups:
- - builders
 - name: focal-sd-grsec
 groups:
 - builders
- - name: focal-sd-config
- groups:
- - builders
- - name: focal-sd-keyring
- groups:
- - builders
 - name: focal-sd-sec-update
 groups:
 - builders
diff --git a/molecule/builder-focal/playbook.yml b/molecule/builder-focal/playbook.yml
index c428ab3111..2dcd55ed1a 100644
--- a/molecule/builder-focal/playbook.yml
+++ b/molecule/builder-focal/playbook.yml
@@ -24,32 +24,11 @@
 purpose: agent
 when: ansible_host.endswith("-sd-generic-ossec-agent")
- - role: build-generic-pkg
- tags: securedrop-ossec-server
- package_name: securedrop-ossec-server
- when: ansible_host.endswith("-sd-generic-ossec-server2") or ansible_host == "localhost"
-
- - role: build-generic-pkg
- tags: securedrop-ossec-agent
- package_name: securedrop-ossec-agent
- when: ansible_host.endswith("-sd-generic-ossec-agent2") or ansible_host == "localhost"
-
- - role: build-generic-pkg
- tags: securedrop-keyring
- package_name: securedrop-keyring
- when: ansible_host.endswith("-sd-keyring") or ansible_host == "localhost"
-
 - role: build-generic-pkg
 tags: securedrop-grsec
 package_name: securedrop-grsec
 package_dirname: securedrop-grsec-focal
 when: ansible_host.endswith("-sd-grsec") or ansible_host == "localhost"
-
- - role: build-generic-pkg
- tags: securedrop-config
- package_name: securedrop-config
- package_dirname: securedrop-config-focal
- when: ansible_host.endswith("-sd-config") or ansible_host == "localhost"
 tags: rebuild
 # Typically we'd perform volume mounting here but to work around docker
diff --git a/molecule/builder-focal/tests/test_securedrop_deb_package.py b/molecule/builder-focal/tests/test_securedrop_deb_package.py
index 47376d8348..72e5e4152c 100644
--- a/molecule/builder-focal/tests/test_securedrop_deb_package.py
+++ b/molecule/builder-focal/tests/test_securedrop_deb_package.py
@@ -65,7 +65,6 @@ def make_deb_paths() -> Dict[str, Path]:
 securedrop_version=securedrop_test_vars["securedrop_version"],
 ossec_version=securedrop_test_vars["ossec_version"],
 keyring_version=securedrop_test_vars["keyring_version"],
- config_version=securedrop_test_vars["config_version"],
 grsec_version=grsec_version,
 securedrop_target_distribution=securedrop_test_vars["securedrop_target_distribution"],
 )
@@ -190,8 +189,14 @@ def test_deb_package_control_fields(host: Host, deb: Path) -> None:
 c = host.run("dpkg-deb --field {}".format(deb))
 assert "Maintainer: SecureDrop Team " in c.stdout
- # The securedrop-config package is architecture indepedent
- if package_name == "securedrop-config":
+ arch_all = (
+ "securedrop-config",
+ "securedrop-keyring",
+ "securedrop-ossec-agent",
+ "securedrop-ossec-server",
+ )
+ # Some packages are architecture independent
+ if package_name in arch_all:
 assert "Architecture: all" in c.stdout
 else:
 assert "Architecture: amd64" in c.stdout
@@ -275,28 +280,25 @@ def test_deb_package_contains_expected_conffiles(host: Host, deb: Path):
 conffiles, which would break unattended updates to critical package
 functionality such as AppArmor profiles. This test validates overrides
 in the build logic to unset those conffiles.
+
+ The same applies to `securedrop-config` too.
 """
- # For the securedrop-app-code package:
- if deb.name.startswith("securedrop-app-code"):
- mktemp = host.run("mktemp -d")
- tmpdir = mktemp.stdout.strip()
- # The `--raw-extract` flag includes `DEBIAN/` dir with control files
- host.run("dpkg-deb --raw-extract {} {}".format(deb, tmpdir))
- conffiles_path = os.path.join(tmpdir, "DEBIAN", "conffiles")
- f = host.file(conffiles_path)
+ if not deb.name.startswith(("securedrop-app-code", "securedrop-config")):
+ return
-
- assert f.is_file
+ mktemp = host.run("mktemp -d")
+ tmpdir = mktemp.stdout.strip()
+ # The `--raw-extract` flag includes `DEBIAN/` dir with control files
+ host.run("dpkg-deb --raw-extract {} {}".format(deb, tmpdir))
+ conffiles_path = os.path.join(tmpdir, "DEBIAN", "conffiles")
+ f = host.file(conffiles_path)
-
- conffiles = f.content_string.rstrip()
+ assert f.is_file
-
- # No files are currently allow-listed to be conffiles
- assert conffiles == ""
+ conffiles = f.content_string.rstrip()
-
- # For the securedrop-config package, we want to ensure there are no
- # conffiles so securedrop_additions.sh is squashed every time
- if deb.name.startswith("securedrop-config"):
- c = host.run("dpkg-deb -I {}".format(deb))
- assert "conffiles" not in c.stdout
+ # No files are currently allow-listed to be conffiles
+ assert conffiles == ""
 def test_securedrop_app_code_contains_css(securedrop_app_code_contents: str) -> None:
@@ -412,7 +414,6 @@ def test_control_helper_files_are_present(host: Host):
 "postrm",
 "preinst",
 "prerm",
- "templates",
 ]
 c = host.run("dpkg-deb --info {}".format(deb_paths["securedrop_app_code"]))
 for wanted_file in wanted_files:
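Review bot: `assert f.is_file` now runs for `securedrop-config` as well, so the test fails if that package ships no `DEBIAN/conffiles` entry at all, which is the very state the removed branch (`assert "conffiles" not in c.stdout`) used to require for it. If an absent file is still acceptable for the config package, accept either outcome by guarding the read with `if f.exists:` before `assert f.content_string.rstrip() == ""`, since both an absent and an empty list mean nothing is registered as a conffile; if the build is now expected to always emit the file, a one-line comment saying so next to the assert would settle it. The `mktemp -d` directory is never removed, which the rewrite carries over; a `host.run("rm -rf {}".format(tmpdir))` after the assertions would stop repeated runs from accumulating extracted package trees. The function's signature lies outside the hunk.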
@@ -525,6 +526,6 @@ def test_app_package_does_not_contain_custom_logo(
 ) -> None:
 """
 Inspect the package contents to ensure custom_logo.png is not present. This
- is because custom_logo.png superceeds logo.png.
+ is because custom_logo.png supersedes logo.png.
 """
 assert "/var/www/static/i/custom_logo.png" not in securedrop_app_code_contents
diff --git a/molecule/builder-focal/tests/vars.yml b/molecule/builder-focal/tests/vars.yml
index 92dd0e9fd2..28370694f4 100644
--- a/molecule/builder-focal/tests/vars.yml
+++ b/molecule/builder-focal/tests/vars.yml
@@ -2,19 +2,18 @@ securedrop_version: "2.6.0~rc1"
 ossec_version: "3.6.0"
 keyring_version: "0.1.6"
-config_version: "0.1.4"
 grsec_version_focal: "5.15.57"
 # These values will be interpolated with values populated above
 # via helper functions in the tests.
 deb_paths:
 securedrop_app_code: /tmp/build/securedrop-app-code_{securedrop_version}+{securedrop_target_distribution}_amd64.deb
- securedrop_ossec_agent: /tmp/build/securedrop-ossec-agent-{ossec_version}+{securedrop_version}+{securedrop_target_distribution}-amd64.deb
- securedrop_ossec_server: /tmp/build/securedrop-ossec-server-{ossec_version}+{securedrop_version}+{securedrop_target_distribution}-amd64.deb
+ securedrop_ossec_agent: /tmp/build/securedrop-ossec-agent_{ossec_version}+{securedrop_version}+{securedrop_target_distribution}_all.deb
+ securedrop_ossec_server: /tmp/build/securedrop-ossec-server_{ossec_version}+{securedrop_version}+{securedrop_target_distribution}_all.deb
 ossec_server: /tmp/build/ossec-server-{ossec_version}+{securedrop_target_distribution}-amd64.deb
 ossec_agent: /tmp/build/ossec-agent-{ossec_version}+{securedrop_target_distribution}-amd64.deb
- securedrop_keyring: /tmp/build/securedrop-keyring-{keyring_version}+{securedrop_version}+{securedrop_target_distribution}-amd64.deb
- securedrop_config: /tmp/build/securedrop-config-{config_version}+{securedrop_version}+{securedrop_target_distribution}-amd64.deb
+ securedrop_keyring: /tmp/build/securedrop-keyring_{keyring_version}+{securedrop_version}+{securedrop_target_distribution}_all.deb
+ securedrop_config: /tmp/build/securedrop-config_{securedrop_version}+{securedrop_target_distribution}_all.deb
 securedrop_grsec: /tmp/build/securedrop-grsec-{grsec_version}-amd64.deb
 lintian_tags:
diff --git a/securedrop/.rsync-filter b/securedrop/.rsync-filter
deleted file mode 100644
index c4ed6282d2..0000000000
--- a/securedrop/.rsync-filter
+++ /dev/null
@@ -1,99 +0,0 @@
-exclude config.py
-exclude upload-screenshots.py
-include alembic.ini
-include alembic/
-include alembic/env.py
-include alembic/versions/
-include alembic/versions/*.py
-include config.py.example
-include *.py
-include securedrop-admin
-include COPYING
-include dictionaries/
-include dictionaries/*.txt
-include journalist_app/
-include journalist_app/*.py
-include journalist_templates/
-include journalist_templates/*.html
-include management/
-include management/*.py
-include qa_loader.py
-include requirements/
-include requirements/*
-include requirements/*/*.txt
-include scripts/
-include scripts/*
-include source_app/
-include source_app/*.py
-include source_templates/
-include source_templates/*.html
-include static/
-include static/css/
-include static/css/*.css
-include static/fonts/
-include static/fonts/**
-include static/i/
-exclude static/i/custom_logo.png
-include static/i/**
-include static/i/font-awesome/
-include static/i/font-awesome/**
-include static/i/tipbox/
-include static/i/tipbox/**
-include static/icons/
-include static/icons/**
-include static/js/
-include static/js/*.js
-include static/js/libs/
-include static/js/libs/*.js
-include tests/
-include tests/**.py
-include tests/**.ini
-include tests/files/
-include tests/files/test_journalist_key*
-include tests/functional/
-include tests/functional/**.py
-include tests/i18n/
-include tests/i18n/*.py
-include tests/i18n/*.html
-include tests/i18n/*.cfg
-include tests/i18n/*.in
-include tests/i18n/install_files/
-include tests/i18n/install_files/ansible-base/
-include tests/i18n/install_files/ansible-base/roles/
-include tests/i18n/install_files/ansible-base/roles/tails-config/
-include tests/i18n/install_files/ansible-base/roles/tails-config/templates/
-include tests/i18n/install_files/ansible-base/roles/tails-config/templates/*.po
-include tests/i18n/securedrop/
-include tests/i18n/securedrop/translations/
-include tests/i18n/securedrop/translations/de_DE/
-include
tests/i18n/securedrop/translations/de_DE/LC_MESSAGES/
-include tests/i18n/securedrop/translations/de_DE/LC_MESSAGES/*.po
-include tests/i18n/securedrop/translations/nl/
-include tests/i18n/securedrop/translations/nl/LC_MESSAGES/
-include tests/i18n/securedrop/translations/nl/LC_MESSAGES/*.po
-include tests/migrations/
-include tests/migrations/*.py
-include tests/log/
-include tests/utils/
-include tests/utils/**.py
-include wordlist
-include wordlists/
-include wordlists/**.txt
-include sass/
-include sass/**.sass
-include sass/libraries/
-include sass/libraries/**.sass
-include sass/global/
-include sass/global/**.sass
-include sass/modules/
-include sass/modules/**.sass
-include babel.cfg
-include i18n.json
-include translations/
-include translations/*.pot
-include translations/*/
-include translations/*/*/
-include translations/*/*/*.po
-include .well-known/
-include .well-known/pki-validation/
-exclude *
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2 b/securedrop/debian/app-code/etc/apparmor.d/usr.sbin.apache2
similarity index 100%
rename from install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2
rename to securedrop/debian/app-code/etc/apparmor.d/usr.sbin.apache2
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.tor b/securedrop/debian/app-code/etc/apparmor.d/usr.sbin.tor
similarity index 100%
rename from install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.tor
rename to securedrop/debian/app-code/etc/apparmor.d/usr.sbin.tor
diff --git a/securedrop/debian/app-code/lib/systemd/system/securedrop_rqrequeue.service b/securedrop/debian/app-code/lib/systemd/system/securedrop_rqrequeue.service
new file mode 100644
index 0000000000..ae1ae609bb
--- /dev/null
+++ b/securedrop/debian/app-code/lib/systemd/system/securedrop_rqrequeue.service
@@ -0,0 +1,21 @@ +[Unit] +Description=SecureDrop rqrequeue process +After=redis-server.service +Wants=redis-server.service + +[Service] +Environment=PYTHONPATH="/var/www/securedrop:/opt/venvs/securedrop-app-code/lib/python3.8/site-packages" +ExecStart=/opt/venvs/securedrop-app-code/bin/python /var/www/securedrop/scripts/rqrequeue --interval 60 +PrivateDevices=yes +PrivateTmp=yes +ProtectSystem=full +ReadOnlyDirectories=/ +ReadWriteDirectories=/var/lib/securedrop +Restart=always +RestartSec=10s +UMask=077 +User=www-data +WorkingDirectory=/var/www/securedrop + +[Install] +WantedBy=multi-user.target diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_rqworker.service b/securedrop/debian/app-code/lib/systemd/system/securedrop_rqworker.service similarity index 53% rename from install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_rqworker.service rename to securedrop/debian/app-code/lib/systemd/system/securedrop_rqworker.service index 9b43f72415..8dc59a84f0 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/templates/securedrop_rqworker.service +++ b/securedrop/debian/app-code/lib/systemd/system/securedrop_rqworker.service @@ -4,18 +4,18 @@ After=redis-server.service Wants=redis-server.service [Service] -Environment=PYTHONPATH="{{ securedrop_code }}:{{ securedrop_venv_site_packages }}" -ExecStart={{ securedrop_venv_bin }}/rqworker +Environment=PYTHONPATH="/var/www/securedrop:/opt/venvs/securedrop-app-code/lib/python3.8/site-packages" +ExecStart=/opt/venvs/securedrop-app-code/bin/rqworker PrivateDevices=yes PrivateTmp=yes ProtectSystem=full ReadOnlyDirectories=/ -ReadWriteDirectories={{ securedrop_data }} +ReadWriteDirectories=/var/lib/securedrop Restart=always RestartSec=10s UMask=077 User=www-data -WorkingDirectory={{ securedrop_code }} +WorkingDirectory=/var/www/securedrop [Install] WantedBy=multi-user.target 
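Review bot: `Environment=PYTHONPATH="/var/www/securedrop:/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"` hard-codes the interpreter minor version into the unit, so a Python bump in the venv leaves the worker importing from a path that no longer exists, and nothing ties it to the `libpython3.8` pin in debian/control; the same line appears in securedrop_rqworker.service (where it replaces the templated `{{ securedrop_venv_site_packages }}`), securedrop_shredder.service and securedrop_source_deleter.service. A comment such as `# keep in sync with the python3 used by dh_virtualenv and the libpython3.8 dependency in debian/control` on each unit, or deriving the value at build time, would keep the four files from drifting apart. On the hardening side, `ReadOnlyDirectories=`/`ReadWriteDirectories=` are the legacy spellings of `ReadOnlyPaths=`/`ReadWritePaths=`, and the otherwise sandboxed `[Service]` block (ProtectSystem, PrivateTmp, PrivateDevices, UMask=077) does not set `NoNewPrivileges=yes` or `ProtectHome=yes`, which would be consistent with it.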
diff --git a/securedrop/debian/app-code/lib/systemd/system/securedrop_shredder.service b/securedrop/debian/app-code/lib/systemd/system/securedrop_shredder.service
new file mode 100644
index 0000000000..269cd0ca1d
--- /dev/null
+++ b/securedrop/debian/app-code/lib/systemd/system/securedrop_shredder.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=SecureDrop shredder
+
+[Service]
+Environment=PYTHONPATH="/var/www/securedrop:/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"
+ExecStart=/opt/venvs/securedrop-app-code/bin/python /var/www/securedrop/scripts/shredder --interval 60
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+Restart=always
+RestartSec=10s
+UMask=077
+User=www-data
+WorkingDirectory=/var/www/securedrop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/securedrop/debian/app-code/lib/systemd/system/securedrop_source_deleter.service b/securedrop/debian/app-code/lib/systemd/system/securedrop_source_deleter.service
new file mode 100644
index 0000000000..b8891cc9b3
--- /dev/null
+++ b/securedrop/debian/app-code/lib/systemd/system/securedrop_source_deleter.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=SecureDrop Source deleter
+
+[Service]
+Environment=PYTHONPATH="/var/www/securedrop:/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"
+ExecStart=/opt/venvs/securedrop-app-code/bin/python /var/www/securedrop/scripts/source_deleter --interval 10
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/securedrop
+Restart=always
+RestartSec=10s
+UMask=077
+User=www-data
+WorkingDirectory=/var/www/securedrop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/install_files/securedrop-app-code/var/www/journalist.wsgi b/securedrop/debian/app-code/var/www/journalist.wsgi
similarity index 100%
rename from install_files/securedrop-app-code/var/www/journalist.wsgi
rename to securedrop/debian/app-code/var/www/journalist.wsgi
diff --git a/install_files/securedrop-app-code/var/www/source.wsgi b/securedrop/debian/app-code/var/www/source.wsgi
similarity index 100%
rename from install_files/securedrop-app-code/var/www/source.wsgi
rename to securedrop/debian/app-code/var/www/source.wsgi
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal b/securedrop/debian/changelog
similarity index 97%
rename from install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
rename to securedrop/debian/changelog
index f372e993a6..49448c5ff2 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
+++ b/securedrop/debian/changelog
@@ -1,4 +1,4 @@
-securedrop-app-code (2.6.0~rc1+focal) focal; urgency=medium
+securedrop (2.6.0~rc1+focal) focal; urgency=medium
 *
diff --git a/install_files/securedrop-app-code/debian/compat b/securedrop/debian/compat
similarity index 100%
rename from install_files/securedrop-app-code/debian/compat
rename to securedrop/debian/compat
diff --git a/install_files/securedrop-config-focal/etc/profile.d/securedrop_additions.sh b/securedrop/debian/config/etc/profile.d/securedrop_additions.sh
similarity index 100%
rename from install_files/securedrop-config-focal/etc/profile.d/securedrop_additions.sh
rename to securedrop/debian/config/etc/profile.d/securedrop_additions.sh
diff --git a/install_files/securedrop-config-focal/opt/securedrop/20auto-upgrades b/securedrop/debian/config/opt/securedrop/20auto-upgrades
similarity index 100%
rename from install_files/securedrop-config-focal/opt/securedrop/20auto-upgrades
rename to securedrop/debian/config/opt/securedrop/20auto-upgrades
diff --git a/install_files/securedrop-config-focal/opt/securedrop/50unattended-upgrades b/securedrop/debian/config/opt/securedrop/50unattended-upgrades
similarity index 100%
rename from install_files/securedrop-config-focal/opt/securedrop/50unattended-upgrades
rename to securedrop/debian/config/opt/securedrop/50unattended-upgrades
diff --git a/install_files/securedrop-config-focal/opt/securedrop/reboot-flag b/securedrop/debian/config/opt/securedrop/reboot-flag
similarity index 100%
rename from install_files/securedrop-config-focal/opt/securedrop/reboot-flag
rename to securedrop/debian/config/opt/securedrop/reboot-flag
diff --git a/securedrop/debian/control b/securedrop/debian/control
new file mode 100644
index 0000000000..9ba59a86ab
--- /dev/null
+++ b/securedrop/debian/control
@@ -0,0 +1,46 @@
+Source: securedrop
+Section: web
+Priority: optional
+Maintainer: SecureDrop Team
+Build-Depends: debhelper (>= 9), dh-python, python3-all, python3-setuptools, dh-systemd, dh-virtualenv
+Homepage: https://securedrop.org
+Standards-Version: 4.5.1
+
+Package: securedrop-app-code
+Architecture: amd64
+Conflicts: libapache2-mod-wsgi, supervisor
+Replaces: libapache2-mod-wsgi, supervisor
+Depends: ${dist:Depends}, ${misc:Depends}, ${python3:Depends}, apache2, apparmor-utils, coreutils, gnupg2, libapache2-mod-xsendfile, libpython3.8, paxctld, python3, python3-distutils, redis-server, securedrop-config, securedrop-keyring, sqlite3
+Description: SecureDrop application code, dependencies, Apache configuration, systemd services, and AppArmor profiles. This package will put the AppArmor profiles in enforce mode.
+
+Package: securedrop-config
+Architecture: all
+Depends: unattended-upgrades, update-notifier-common
+Description: Establishes baseline system state for running SecureDrop.
+ Configures apt repositories.
+
+Package: securedrop-keyring
+Architecture: all
+Depends: gnupg
+Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
+
+Package: securedrop-ossec-agent
+Architecture: all
+Depends: libevent-2.1-7,libpcre2-8-0,ossec-agent,securedrop-keyring,securedrop-config
+Replaces: ossec-agent
+Conflicts: securedrop-ossec-server
+Description: Installs the securedrop pre-configured OSSEC agent
+ This package installs an OSSEC agent pre-configured for the
+ SecureDrop app server.
+
+Package: securedrop-ossec-server
+Architecture: all
+Depends: libevent-2.1-7,libpcre2-8-0,ossec-server,securedrop-keyring,securedrop-config
+Replaces: ossec-server
+Conflicts: securedrop-ossec-agent
+Description: Installs the pre-packaged OSSEC server
+ This package installs an OSSEC server pre-configured for the
+ SecureDrop mon server. It is configured to email all alerts to
+ root@localhost. The SecureDrop ansible playbook will configure
+ procmail and postfix to gpg encrypt the OSSEC alerts and email
+ them to SecureDrop Admin.
diff --git a/install_files/securedrop-app-code/debian/copyright b/securedrop/debian/copyright
similarity index 55%
rename from install_files/securedrop-app-code/debian/copyright
rename to securedrop/debian/copyright
index ef114d74bc..f1e3adb4ac 100644
--- a/install_files/securedrop-app-code/debian/copyright
+++ b/securedrop/debian/copyright
@@ -3,5 +3,5 @@ Upstream-Name: securedrop
 Source: https://github.com/freedomofpress/securedrop
 Files: *
-Copyright: 2020 Freedom of the Press Foundation
-License: AGPL-3.0+
+Copyright: 2013- Aaron Swartz, James Dolan, Freedom of the Press Foundation, and SecureDrop contributors
+License: AGPL-3.0-or-later
diff --git a/install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg b/securedrop/debian/keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg
similarity index 100%
rename from install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg
rename to securedrop/debian/keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg
diff --git a/install_files/securedrop-ossec-agent/var/ossec/etc/local_decoder.xml b/securedrop/debian/ossec-agent/var/ossec/etc/local_decoder.xml
similarity index 100%
rename from install_files/securedrop-ossec-agent/var/ossec/etc/local_decoder.xml
rename to securedrop/debian/ossec-agent/var/ossec/etc/local_decoder.xml
diff --git a/install_files/securedrop-ossec-agent/var/ossec/etc/ossec.conf b/securedrop/debian/ossec-agent/var/ossec/etc/ossec.conf
similarity index 100%
rename from install_files/securedrop-ossec-agent/var/ossec/etc/ossec.conf
rename to securedrop/debian/ossec-agent/var/ossec/etc/ossec.conf
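Review bot: `Maintainer: SecureDrop Team` carries no e-mail address, which Debian Policy requires for this field (name followed by `<address>`) and which dpkg-gencontrol and Lintian complain about; `update_version.sh` in this same diff already defaults `DEBEMAIL` to `securedrop@freedom.press`, so `Maintainer: SecureDrop Team <securedrop@freedom.press>` would match the changelog entries that script writes. The `Description:` lines of securedrop-app-code and securedrop-keyring are single long synopsis lines, whereas Policy wants a short synopsis with the detail as indented continuation lines — the two ossec stanzas in this file already use that form. Finally, `libpython3.8` in the app-code `Depends:` is the only place the interpreter version is declared, while the systemd units added in this commit hard-code the same `python3.8` inside PYTHONPATH; a comment here noting that coupling would help whoever bumps either.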
diff --git a/install_files/securedrop-ossec-agent/var/ossec/checksdconfig.py b/securedrop/debian/ossec-common/var/ossec/checksdconfig.py
similarity index 91%
rename from install_files/securedrop-ossec-agent/var/ossec/checksdconfig.py
rename to securedrop/debian/ossec-common/var/ossec/checksdconfig.py
index e22e88ce94..510f5d721f 100755
--- a/install_files/securedrop-ossec-agent/var/ossec/checksdconfig.py
+++ b/securedrop/debian/ossec-common/var/ossec/checksdconfig.py
@@ -32,7 +32,7 @@
 }
-def list_iptables_rules():
+def list_iptables_rules() -> dict:
 result = subprocess.run(["iptables", "-S"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 rules = result.stdout.decode("utf-8").splitlines()
 policies = [r for r in rules if r.startswith("-P")]
@@ -48,12 +48,12 @@ def list_iptables_rules():
 }
-def check_iptables_are_default(rules):
+def check_iptables_are_default(rules: dict) -> None:
 if rules["all"] == IPTABLES_RULES_UNCONFIGURED:
 raise ValueError("The iptables rules have not been configured.")
-def check_iptables_default_drop(rules):
+def check_iptables_default_drop(rules: dict) -> None:
 for chain, chain_rules in IPTABLES_RULES_DEFAULT_DROP.items():
 for i, rule in enumerate(reversed(chain_rules), 1):
 try:
@@ -63,13 +63,13 @@ def check_iptables_default_drop(rules):
 raise ValueError("The iptables default drop rules are incorrect.")
-def check_iptables_rules():
+def check_iptables_rules() -> None:
 rules = list_iptables_rules()
 check_iptables_are_default(rules)
 check_iptables_default_drop(rules)
-def check_system_configuration(args):
+def check_system_configuration(args: argparse.Namespace) -> None:
 print("Checking system configuration...")
 try:
 check_iptables_rules()
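Review bot: `list_iptables_rules` calls `subprocess.run(["iptables", "-S"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)` without `check=True`, so a non-zero exit (iptables generally needs root) yields an empty `stdout`, an empty `rules` list and a result that reads as "no rules" rather than as a failure; the new `-> dict` annotation documents the shape but not that failure mode. Adding `check=True` turns it into a `CalledProcessError` that the `try:` in `check_system_configuration` can report alongside the `ValueError`s (both function bodies continue outside the hunk, so the handling there is not visible here). The `-> dict` could also be made precise — presumably `Dict[str, List[str]]` from `typing`, since `rules` and `policies` are lists of str — and `args: argparse.Namespace` requires `argparse` to be imported at module level, which the hunk does not show.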
diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml b/securedrop/debian/ossec-server/var/ossec/etc/local_decoder.xml
similarity index 100%
rename from install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
rename to securedrop/debian/ossec-server/var/ossec/etc/local_decoder.xml
diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/local_internal_options.conf b/securedrop/debian/ossec-server/var/ossec/etc/local_internal_options.conf
similarity index 100%
rename from install_files/securedrop-ossec-server/var/ossec/etc/local_internal_options.conf
rename to securedrop/debian/ossec-server/var/ossec/etc/local_internal_options.conf
diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/ossec.conf b/securedrop/debian/ossec-server/var/ossec/etc/ossec.conf
similarity index 100%
rename from install_files/securedrop-ossec-server/var/ossec/etc/ossec.conf
rename to securedrop/debian/ossec-server/var/ossec/etc/ossec.conf
diff --git a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml b/securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml
similarity index 100%
rename from install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
rename to securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml
diff --git a/install_files/securedrop-app-code/debian/rules b/securedrop/debian/rules
similarity index 59%
rename from install_files/securedrop-app-code/debian/rules
rename to securedrop/debian/rules
index d0b94ab91e..5ce9dafaa4 100755
--- a/install_files/securedrop-app-code/debian/rules
+++ b/securedrop/debian/rules
@@ -1,4 +1,5 @@
 #!/usr/bin/make -f
+include /usr/share/dpkg/pkg-info.mk
 DEB_DH_INSTALL_ARGS=-X .git
@@ -14,16 +15,29 @@ override_dh_gencontrol:
 # want them to be correctly updated with each update.
 override_dh_installdeb:
 dh_installdeb
- cp ${CURDIR}/debian/conffiles ${CURDIR}/debian/securedrop-app-code/DEBIAN/
+ echo "" > ${CURDIR}/debian/securedrop-app-code/DEBIAN/conffiles
+ echo "" > ${CURDIR}/debian/securedrop-config/DEBIAN/conffiles
+
+override_dh_install:
+ # Build translations
+ bash ./debian/translations.sh
+ # Things to exclude
+ find . -type f -name '*requirements.in' -delete
+ find . -type f -name '*.mako' -delete
+ rm upload-screenshots.py
+ dh_install
 override_dh_strip_nondeterminism:
+ # Delete non-reproducible things
 find ./debian/ -type f -name '*.pyc' -delete
 find ./debian/ -type f -name 'pip-selfcheck.json' -delete
- find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} +
+ find ./debian/ -type f -name 'RECORD' -delete
 dh_strip_nondeterminism $@
 override_dh_virtualenv:
+ cp requirements/python3/securedrop-app-code-requirements.txt requirements.txt
 dh_virtualenv \
+ --package=securedrop-app-code \
 --python=/usr/bin/python3 \
 --builtin-venv \
 --preinstall setuptools-scm==6.0.1 \
@@ -32,6 +46,14 @@ override_dh_virtualenv:
 --extra-pip-arg "--no-deps" \
 --extra-pip-arg "--no-binary=:all:" \
 --extra-pip-arg "--no-cache-dir"
+ # Strip non-reproducible debugging information
+ dh_strip $@ --no-automatic-dbgsym
+
+override_dh_gencontrol:
+ dh_gencontrol -psecuredrop-ossec-agent -- "-v3.6.0+${DEB_VERSION}"
+ dh_gencontrol -psecuredrop-ossec-server -- "-v3.6.0+${DEB_VERSION}"
+ dh_gencontrol -psecuredrop-keyring -- "-v0.1.6+${DEB_VERSION}"
+ dh_gencontrol --remaining-packages
 #
 # Have to override the automatic service handling since we have more
diff --git a/install_files/securedrop-app-code/debian/config b/securedrop/debian/securedrop-app-code.config
similarity index 100%
rename from install_files/securedrop-app-code/debian/config
rename to securedrop/debian/securedrop-app-code.config
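Review bot: the new `override_dh_install` edits the source tree rather than the staging area — `find . -type f -name '*requirements.in' -delete`, `find . -type f -name '*.mako' -delete` and `rm upload-screenshots.py` all run from the package root, so an in-tree build mutates the checkout and a second build in the same tree fails when `rm` finds nothing to remove. dh_install's exclusion flag gives the same result without side effects: `dh_install -X requirements.in -X .mako -X upload-screenshots.py` in place of the three deletions. The two `echo "" > ${CURDIR}/debian/.../DEBIAN/conffiles` lines deliberately blank the conffile lists; the comment above them ("want them to be correctly updated with each update") explains the intent for securedrop-app-code, and extending it with why securedrop-config gets the same treatment would save the next reader a trip through the history.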
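Review bot: the added `override_dh_gencontrol:` target duplicates one that already exists in this file — the preceding hunk's header (`@@ -14,16 +15,29 @@ override_dh_gencontrol:`) shows it sitting just above `override_dh_installdeb`, and no hunk in this diff removes it. GNU make will warn `overriding recipe for target 'override_dh_gencontrol'` and run only the later recipe, so whatever the earlier override did (its body is not in view) is silently dropped; the old target should be deleted or its recipe merged into this one. Separately, `dh_strip $@ --no-automatic-dbgsym` hands make's `$@` — here the target name `override_dh_virtualenv` — to dh_strip as a positional argument, mirroring the existing `dh_strip_nondeterminism $@`; if the intent is simply "all packages", `dh_strip --no-automatic-dbgsym` says so without the oddity.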
diff --git a/securedrop/debian/securedrop-app-code.dirs b/securedrop/debian/securedrop-app-code.dirs
new file mode 100644
index 0000000000..1202f3e9e7
--- /dev/null
+++ b/securedrop/debian/securedrop-app-code.dirs
@@ -0,0 +1 @@
+/var/www/securedrop/.well-known/pki-validation
diff --git a/securedrop/debian/securedrop-app-code.install b/securedrop/debian/securedrop-app-code.install
new file mode 100644
index 0000000000..bbe106c320
--- /dev/null
+++ b/securedrop/debian/securedrop-app-code.install
@@ -0,0 +1,8 @@
+debian/app-code/etc /
+debian/app-code/lib /
+debian/app-code/var /
+COPYING alembic.ini babel.cfg config.py.example /var/www/securedrop
+*.py i18n.json /var/www/securedrop
+journalist_app journalist_templates /var/www/securedrop
+source_app source_templates /var/www/securedrop
+alembic dictionaries management requirements static translations wordlists scripts /var/www/securedrop
diff --git a/install_files/securedrop-app-code/debian/postinst b/securedrop/debian/securedrop-app-code.postinst
similarity index 100%
rename from install_files/securedrop-app-code/debian/postinst
rename to securedrop/debian/securedrop-app-code.postinst
diff --git a/install_files/securedrop-app-code/debian/postrm b/securedrop/debian/securedrop-app-code.postrm
similarity index 100%
rename from install_files/securedrop-app-code/debian/postrm
rename to securedrop/debian/securedrop-app-code.postrm
diff --git a/install_files/securedrop-app-code/debian/preinst b/securedrop/debian/securedrop-app-code.preinst
similarity index 100%
rename from install_files/securedrop-app-code/debian/preinst
rename to securedrop/debian/securedrop-app-code.preinst
diff --git a/securedrop/debian/securedrop-config.install b/securedrop/debian/securedrop-config.install
new file mode 100644
index 0000000000..ab397f789e
--- /dev/null
+++ b/securedrop/debian/securedrop-config.install
@@ -0,0 +1,2 @@
+debian/config/etc /
+debian/config/opt /
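Review bot: `*.py i18n.json /var/www/securedrop` ships every top-level Python file, including a `config.py` if one is present when dh_install runs; the deleted MANIFEST.in had `exclude config.py` for exactly that file, and the only thing now keeping it out of the .deb is that `debian/translations.sh` (invoked from `override_dh_install`) happens to end with `rm config.py` — an implicit dependency that any later change to that script could break, putting an instance configuration file into a package. A `dh_install` `-X` pattern cannot express this cleanly because `config.py` is a substring of `config.py.example`, so either list the intended top-level modules explicitly here instead of `*.py`, or add an explicit `test ! -e config.py` guard before `dh_install` in debian/rules.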
diff --git a/install_files/securedrop-config-focal/DEBIAN/postinst b/securedrop/debian/securedrop-config.postinst
similarity index 100%
rename from install_files/securedrop-config-focal/DEBIAN/postinst
rename to securedrop/debian/securedrop-config.postinst
diff --git a/securedrop/debian/securedrop-keyring.install b/securedrop/debian/securedrop-keyring.install
new file mode 100644
index 0000000000..70e682dea7
--- /dev/null
+++ b/securedrop/debian/securedrop-keyring.install
@@ -0,0 +1 @@
+debian/keyring/etc /
diff --git a/securedrop/debian/securedrop-ossec-agent.install b/securedrop/debian/securedrop-ossec-agent.install
new file mode 100644
index 0000000000..bd9fdf4fc4
--- /dev/null
+++ b/securedrop/debian/securedrop-ossec-agent.install
@@ -0,0 +1,2 @@
+debian/ossec-common/var /
+debian/ossec-agent/var /
diff --git a/install_files/securedrop-ossec-agent/DEBIAN/postinst b/securedrop/debian/securedrop-ossec-agent.postinst
similarity index 100%
rename from install_files/securedrop-ossec-agent/DEBIAN/postinst
rename to securedrop/debian/securedrop-ossec-agent.postinst
diff --git a/securedrop/debian/securedrop-ossec-server.install b/securedrop/debian/securedrop-ossec-server.install
new file mode 100644
index 0000000000..e8eefbd407
--- /dev/null
+++ b/securedrop/debian/securedrop-ossec-server.install
@@ -0,0 +1,2 @@
+debian/ossec-common/var /
+debian/ossec-server/var /
diff --git a/install_files/securedrop-ossec-server/DEBIAN/postinst b/securedrop/debian/securedrop-ossec-server.postinst
similarity index 100%
rename from install_files/securedrop-ossec-server/DEBIAN/postinst
rename to securedrop/debian/securedrop-ossec-server.postinst
diff --git a/securedrop/debian/translations.sh b/securedrop/debian/translations.sh
new file mode 100644
index 0000000000..60b8b564ee
--- /dev/null
+++ b/securedrop/debian/translations.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+set -ex
+
+export PATH="${PATH}:/root/.cargo/bin"
+
+# We create the virtualenv separately from the "pip install" commands below,
+# to make error-reporting a bit more obvious. We also update beforehand,
+# beyond what the system version provides, see #6317.
+python3 -m venv /tmp/securedrop-app-code-i18n-ve
+/tmp/securedrop-app-code-i18n-ve/bin/pip3 install -r \
+<(echo "pip==21.3
+--hash=sha256:4a1de8f97884ecfc10b48fe61c234f7e7dcf4490a37217011ad9369d899ad5a6
+--hash=sha256:741a61baab1dbce2d8ca415effa48a2b6a964564f81a9f4f1fce4c433346c034")
+
+# Install dependencies
+/tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r requirements/python3/translation-requirements.txt
+/tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r requirements/python3/securedrop-app-code-requirements.txt
+
+# Compile the translations, need to have a placeholder config.py that we clean up
+export PYTHONDONTWRITEBYTECODE="true"
+cp config.py.example config.py
+. /tmp/securedrop-app-code-i18n-ve/bin/activate
+/tmp/securedrop-app-code-i18n-ve/bin/python3 ./i18n_tool.py --verbose translate-messages --compile
+rm config.py
diff --git a/setup.py b/securedrop/setup.py
similarity index 97%
rename from setup.py
rename to securedrop/setup.py
index e095baf371..6c5d051f9a 100644
--- a/setup.py
+++ b/securedrop/setup.py
@@ -13,12 +13,12 @@
 license="AGPLv3+",
 python_requires=">=3.8",
 url="https://github.com/freedomofpress/securedrop",
- classifiers=(
+ classifiers=[
 "Development Status :: 5 - Stable",
 "Programming Language :: Python :: 3",
 "Topic :: Software Development :: Libraries :: Python Modules",
 "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)",
 "Intended Audience :: Developers",
 "Operating System :: OS Independent",
- ),
+ ],
 )
diff --git a/update_version.sh b/update_version.sh
index a57f9418eb..3324cd5e95 100755
--- a/update_version.sh
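Review bot: `cp config.py.example config.py` overwrites any `config.py` already in the tree and the closing `rm config.py` then deletes it, and because `set -ex` aborts on the first error a failing `i18n_tool.py` run leaves the placeholder behind for the `*.py` glob in securedrop-app-code.install to pick up on a retry. A `test ! -e config.py` before the copy and `trap 'rm -f config.py' EXIT` immediately after it cover both cases. The venv at the fixed path `/tmp/securedrop-app-code-i18n-ve` is silently reused by `python3 -m venv` when it already exists, so packages from an earlier build survive into the next one, and outside a throwaway build container a predictable name under world-writable `/tmp` is one any other local user can pre-create; `venv=$(mktemp -d)` with the same `trap` removing it yields a fresh private directory per run. With every interpreter invoked by absolute path, the `. /tmp/securedrop-app-code-i18n-ve/bin/activate` line is redundant and could go.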
+++ b/update_version.sh
@@ -66,7 +66,7 @@ export DEBEMAIL="${DEBEMAIL:-securedrop@freedom.press}"
 export DEBFULLNAME="${DEBFULLNAME:-SecureDrop Team}"
 # Update the Focal changelog in the Debian package
-dch -b -v "${NEW_VERSION}+focal" -D focal -c install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
+dch -b -v "${NEW_VERSION}+focal" -D focal -c securedrop/debian/changelog
 # Commit the change
 # Due to `set -e`, providing an empty commit message here will cause the script to abort early.
 git commit -a