authorGeorg Pfuetzenreuter2023-01-15 09:45:04 +0100
committerGeorg Pfuetzenreuter2023-01-15 09:45:04 +0100
commit2b40942a442a0f15b2d75289d4977a114cd81e72 (patch)
treef82a2d89b523fd9f323297f4b67384b9a722aa77
parentf1a4b0514c148d9b5477f5c2b11938445e4438b1 (diff)
Import profiles/roles from salt-devel
- + renaming baseline to common Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
-rw-r--r--salt/common.sls3
-rw-r--r--salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2466
-rw-r--r--salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j28
-rw-r--r--salt/profile/lighttpd/init.sls42
-rw-r--r--salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j235
-rw-r--r--salt/profile/matterbridge/init.sls45
-rw-r--r--salt/profile/node_exporter/init.sls36
-rw-r--r--salt/profile/salt/files/etc/salt/grains.j29
-rw-r--r--salt/profile/salt/grains.sls15
-rw-r--r--salt/profile/seccheck/files/etc/security/autologout.conf9
-rw-r--r--salt/profile/seccheck/files/etc/sysconfig/seccheck4
-rw-r--r--salt/profile/seccheck/init.sls20
-rw-r--r--salt/profile/test-webserver/init.sls4
-rw-r--r--salt/profile/zypp/files/etc/zypp/zypp.conf.j28
-rw-r--r--salt/profile/zypp/init.sls13
-rw-r--r--salt/role/common-suse.sls4
-rw-r--r--salt/role/lighttpd.sls2
-rw-r--r--salt/role/matterbridge.sls3
-rw-r--r--salt/role/minion.sls2
-rw-r--r--salt/role/test-webserver.sls2
-rw-r--r--salt/top.sls2
21 files changed, 731 insertions, 1 deletions
diff --git a/salt/common.sls b/salt/common.sls
new file mode 100644
index 0000000..d0d4de2
--- /dev/null
+++ b/salt/common.sls
@@ -0,0 +1,3 @@
+include:
+ - role.minion
+ - role.common-suse
diff --git a/salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2 b/salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2
new file mode 100644
index 0000000..12671ba
--- /dev/null
+++ b/salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2
@@ -0,0 +1,466 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+# This is mostly the default file shipped with the package, it's only managed via Salt to enable the vhosts.d include at the bottom
+#######################################################################
+##
+## /etc/lighttpd/lighttpd.conf
+##
+## check /etc/lighttpd/conf.d/*.conf for the configuration of modules.
+##
+#######################################################################
+
+#######################################################################
+##
+## Some Variable definition which will make chrooting easier.
+##
+## if you add a variable here. Add the corresponding variable in the
+## chroot example as well.
+##
+var.log_root = "/var/log/lighttpd"
+var.server_root = "/srv/www"
+var.state_dir = "/run"
+var.home_dir = "/var/lib/lighttpd"
+var.conf_dir = "/etc/lighttpd"
+
+##
+## run the server chrooted.
+##
+## This requires root permissions during startup.
+##
+## If you run Chrooted set the the variables to directories relative to
+## the chroot dir.
+##
+## example chroot configuration:
+##
+#var.log_root = "/logs"
+#var.server_root = "/"
+#var.state_dir = "/run"
+#var.home_dir = "/lib/lighttpd"
+#var.vhosts_dir = "/vhosts"
+#var.conf_dir = "/etc"
+#
+#server.chroot = "/srv/www"
+
+##
+## Some additional variables to make the configuration easier
+##
+
+##
+## Base directory for all virtual hosts
+##
+## used in:
+## conf.d/evhost.conf
+## conf.d/simple_vhost.conf
+## vhosts.d/vhosts.template
+##
+var.vhosts_dir = server_root + "/vhosts"
+
+##
+## Cache for mod_deflate
+##
+## used in:
+## conf.d/deflate.conf
+##
+var.cache_dir = "/var/cache/lighttpd"
+
+##
+## Base directory for sockets.
+##
+## used in:
+## conf.d/fastcgi.conf
+## conf.d/scgi.conf
+##
+var.socket_dir = home_dir + "/sockets"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Load the modules.
+include conf_dir + "/modules.conf"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Basic Configuration
+## ---------------------
+##
+server.port = 80
+
+##
+## Use IPv6?
+##
+server.use-ipv6 = "enable"
+
+##
+## bind to a specific IP
+##
+#server.bind = "localhost"
+
+##
+## Run as a different username/groupname.
+## This requires root permissions during startup.
+##
+server.username = "lighttpd"
+server.groupname = "lighttpd"
+
+##
+## Enable lighttpd to serve requests on sockets received from systemd
+## https://www.freedesktop.org/software/systemd/man/systemd.socket.html
+##
+#server.systemd-socket-activation = "enable"
+
+##
+## enable core files.
+##
+#server.core-files = "disable"
+
+##
+## Document root
+##
+server.document-root = server_root + "/htdocs"
+
+##
+## The value for the "Server:" response field.
+##
+## It would be nice to keep it at "lighttpd".
+##
+#server.tag = "lighttpd"
+
+##
+## store a pid file
+##
+server.pid-file = state_dir + "/lighttpd.pid"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Logging Options
+## ------------------
+##
+## all logging options can be overwritten per vhost.
+##
+## Path to the error log file
+##
+server.errorlog = log_root + "/error.log"
+
+##
+## If you want to log to syslog you have to unset the
+## server.errorlog setting and uncomment the next line.
+##
+#server.errorlog-use-syslog = "enable"
+
+##
+## Access log config
+##
+include conf_dir + "/conf.d/access_log.conf"
+
+##
+## The debug options are moved into their own file.
+## see conf.d/debug.conf for various options for request debugging.
+##
+include conf_dir + "/conf.d/debug.conf"
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Tuning/Performance
+## --------------------
+##
+## corresponding documentation:
+## https://wiki.lighttpd.net/Docs_Performance
+##
+## set the event-handler (read the performance section in the manual)
+##
+## The recommended server.event-handler is chosen by default for each OS.
+##
+## epoll (recommended on Linux)
+## kqueue (recommended on *BSD and MacOS X)
+## solaris-eventports (recommended on Solaris)
+## poll (recommended if none of above are available)
+## select (*not* recommended)
+## libev (*not* recommended)
+##
+#server.event-handler = "linux-sysepoll"
+
+##
+## The basic network interface for all platforms at the syscalls read()
+## and write(). Every modern OS provides its own syscall to help network
+## servers transfer files as fast as possible
+##
+#server.network-backend = "sendfile"
+
+##
+## As lighttpd is a single-threaded server, its main resource limit is
+## the number of file descriptors, which is set to 1024 by default (on
+## most systems).
+##
+## If you are running a high-traffic site you might want to increase this
+## limit by setting server.max-fds.
+##
+## Changing this setting requires root permissions on startup. see
+## server.username/server.groupname.
+##
+## By default lighttpd would not change the operation system default.
+## But setting it to 16384 is a better default for busy servers.
+##
+## With SELinux enabled, this is denied by default and needs to be allowed
+## by running the following once: setsebool -P httpd_setrlimit on
+##
+server.max-fds = 16384
+
+##
+## listen-backlog is the size of the listen() backlog queue requested when
+## the lighttpd server ask the kernel to listen() on the provided network
+## address. Clients attempting to connect() to the server enter the listen()
+## backlog queue and wait for the lighttpd server to accept() the connection.
+##
+## The out-of-box default on many operating systems is 128 and is identified
+## as SOMAXCONN. This can be tuned on many operating systems. (On Linux,
+## cat /proc/sys/net/core/somaxconn) Requesting a size larger than operating
+## system limit will be silently reduced to the limit by the operating system.
+##
+## When there are too many connection attempts waiting for the server to
+## accept() new connections, the listen backlog queue fills and the kernel
+## rejects additional connection attempts. This can be useful as an
+## indication to an upstream load balancer that the server is busy, and
+## possibly overloaded. In that case, configure a smaller limit for
+## server.listen-backlog. On the other hand, configure a larger limit to be
+## able to handle bursts of new connections, but only do so up to an amount
+## that the server can keep up with responding in a reasonable amount of
+## time. Otherwise, clients may abandon the connection attempts and the
+## server will waste resources servicing abandoned connections.
+##
+## It is best to leave this setting at its default unless you have modelled
+## your traffic and tested that changing this benefits your traffic patterns.
+##
+## Default: 1024
+##
+#server.listen-backlog = 128
+
+##
+## Stat() call caching.
+##
+## lighttpd can utilize FAM/Gamin to cache stat call.
+##
+## possible values are:
+## disable, simple, inotify, kqueue, or fam.
+##
+#server.stat-cache-engine = "simple"
+
+##
+## Fine tuning for the request handling
+##
+## max-connections == max-fds/3)
+## (other file handles are used for fastcgi/files)
+##
+#server.max-connections = 1024
+
+##
+## How many seconds to keep a keep-alive connection open,
+## until we consider it idle.
+##
+## Default: 5
+##
+#server.max-keep-alive-idle = 5
+
+##
+## How many keep-alive requests until closing the connection.
+##
+## Default: 16
+##
+#server.max-keep-alive-requests = 16
+
+##
+## Maximum size of a request in kilobytes.
+## By default it is unlimited (0).
+##
+## Uploads to your server cant be larger than this value.
+##
+#server.max-request-size = 0
+
+##
+## Time to read from a socket before we consider it idle.
+##
+## Default: 60
+##
+#server.max-read-idle = 60
+
+##
+## Time to write to a socket before we consider it idle.
+##
+## Default: 360
+##
+#server.max-write-idle = 360
+
+##
+## Traffic Shaping
+## -----------------
+##
+## see /usr/share/doc/lighttpd/traffic-shaping.txt
+##
+## Values are in kilobyte per second.
+##
+## Keep in mind that a limit below 32kB/s might actually limit the
+## traffic to 32kB/s. This is caused by the size of the TCP send
+## buffer.
+##
+## per server:
+##
+#server.kbytes-per-second = 128
+
+##
+## per connection:
+##
+#connection.kbytes-per-second = 32
+
+##
+#######################################################################
+
+#######################################################################
+##
+## Filename/File handling
+## ------------------------
+
+##
+## files to check for if .../ is requested
+## index-file.names = ( "index.php", "index.rb", "index.html",
+## "index.htm", "default.htm" )
+##
+index-file.names += (
+ "index.xhtml", "index.html", "index.htm", "default.htm", "index.php"
+)
+
+##
+## deny access the file-extensions
+##
+## ~ is for backupfiles from vi, emacs, joe, ...
+## .inc is often used for code includes which should in general not be part
+## of the document-root
+url.access-deny = ( "~", ".inc" )
+
+##
+## disable range requests for pdf files
+## workaround for a bug in the Acrobat Reader plugin.
+## (ancient; should no longer be needed)
+##
+#$HTTP["url"] =~ "\.pdf$" {
+# server.range-requests = "disable"
+#}
+
+##
+## url handling modules (rewrite, redirect)
+##
+#url.rewrite = ( "^/$" => "/server-status" )
+#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" )
+
+##
+## both rewrite/redirect support back reference to regex conditional using %n
+##
+#$HTTP["host"] =~ "^www\.(.*)" {
+# url.redirect = ( "^/(.*)" => "http://%1/$1" )
+#}
+
+##
+## which extensions should not be handle via static-file transfer
+##
+## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
+##
+static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )
+
+##
+## error-handler for all status 400-599
+##
+#server.error-handler = "/error-handler.html"
+#server.error-handler = "/error-handler.php"
+
+##
+## error-handler for status 404
+##
+#server.error-handler-404 = "/error-handler.html"
+#server.error-handler-404 = "/error-handler.php"
+
+##
+## Format: <errorfile-prefix><status-code>.html
+## -> ..../status-404.html for 'File not found'
+##
+#server.errorfile-prefix = server_root + "/htdocs/errors/status-"
+
+##
+## mimetype mapping
+##
+include conf_dir + "/conf.d/mime.conf"
+
+##
+## directory listing configuration
+##
+include conf_dir + "/conf.d/dirlisting.conf"
+
+##
+## Should lighttpd follow symlinks?
+## default: "enable"
+#server.follow-symlink = "enable"
+
+##
+## force all filenames to be lowercase?
+##
+#server.force-lowercase-filenames = "disable"
+
+##
+## defaults to /var/tmp as we assume it is a local harddisk
+## default: "/var/tmp"
+#server.upload-dirs = ( "/var/tmp" )
+
+##
+#######################################################################
+
+#######################################################################
+##
+## SSL Support
+## -------------
+##
+## https://wiki.lighttpd.net/Docs_SSL
+#
+## To enable SSL for the whole server you have to provide a valid
+## certificate and have to enable the SSL engine.::
+##
+## server.modules += ( "mod_openssl" )
+##
+## ssl.privkey = "/path/to/privkey.pem"
+## ssl.pemfile = "/path/to/fullchain.pem"
+## # ssl.pemfile should contain the sorted certificate chain, including
+## # intermediate certificates, as provided by the certificate issuer.
+## # If both privkey and cert are in same file, specify only ssl.pemfile.
+##
+## # Check your cipher list with: openssl ciphers -v '...'
+## # (use single quotes with: openssl ciphers -v '...'
+## # as your shell won't like ! in double quotes)
+## #ssl.cipher-list = "HIGH" # default
+##
+## # (recommended to accept only TLSv1.2 and TLSv1.3)
+## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default
+##
+## $SERVER["socket"] == "*:443" {
+## ssl.engine = "enable"
+## }
+## $SERVER["socket"] == "[::]:443" {
+## ssl.engine = "enable"
+## }
+##
+#######################################################################
+
+#######################################################################
+##
+## custom includes like vhosts.
+##
+#include conf_dir + "/conf.d/config.conf"
+include conf_dir + "/vhosts.d/*.conf"
+##
+#######################################################################
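Review bot: Managing the full 466-line vendor lighttpd.conf as a template in order to add a single include line (the rationale given on L55) means every change the lighttpd package later makes to its default config is silently reverted by Salt, and the copy drifts from the packaged file. The node_exporter state in this same commit already uses `file.replace` to edit a packaged file in place; the same approach, or `file.append` of `include conf_dir + "/vhosts.d/*.conf"` with a `file.replace`-style guard, would keep the vendor defaults and reduce the maintenance surface. If the full copy is kept deliberately, the header comment should at least record the package version it was copied from so future diffs against the vendor file are possible.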
diff --git a/salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2 b/salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2
new file mode 100644
index 0000000..24dd5b7
--- /dev/null
+++ b/salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2
@@ -0,0 +1,8 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+
+{%- if vhostconfig is defined -%}
+$HTTP["host"] =~ "{{ vhostconfig['host'].replace('.', '\.') }}" {
+ server.document-root = "{{ vhostconfig['root'] }}"
+}
+{%- endif -%}
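Review bot: The host match on the fifth line of vhosts.conf.j2 (`$HTTP["host"] =~ "..."`) is an unanchored regex, so a vhost configured for `example.com` also matches any Host header that merely contains that string, and only `.` is escaped, so any other regex metacharacter in the pillar value changes the match. Anchoring it, `$HTTP["host"] =~ "^{{ vhostconfig['host'].replace('.', '\.') }}$"`, or using the exact-string form `$HTTP["host"] == "{{ vhostconfig['host'] }}"` when no port suffix is expected, makes the document-root only serve for the intended name. The `vhostconfig['root']` value is likewise inserted unescaped into a double-quoted lighttpd string; a short comment stating that both pillar values are trusted configuration, not user input, would document that assumption.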
diff --git a/salt/profile/lighttpd/init.sls b/salt/profile/lighttpd/init.sls
new file mode 100644
index 0000000..1d4f9e9
--- /dev/null
+++ b/salt/profile/lighttpd/init.sls
@@ -0,0 +1,42 @@
+{%- set mypillar = 'profile:lighttpd' -%}
+{%- set vhosts = salt['pillar.get'](mypillar ~ ':vhosts') or [] -%}
+
+lighttpd_packages:
+ pkg.installed:
+ - pkgs:
+ - lighttpd
+
+{%- if vhosts | length > 0 %}
+lighttpd_directories:
+ file.directory:
+ - user: root
+ - group: lighttpd
+ - mode: '0750'
+ - clean: True
+ - require:
+ - pkg: lighttpd_packages
+ - file: lighttpd_files
+ - names:
+ - /etc/lighttpd/vhosts.d
+
+lighttpd_files:
+ file.managed:
+ - user: root
+ - group: lighttpd
+ - mode: '0640'
+ - template: jinja
+ - names:
+ - /etc/lighttpd/lighttpd.conf:
+ - source: salt:///{{ slspath }}/files/etc/lighttpd/lighttpd.conf.j2
+{%- for vhost, config in vhosts.items() %}
+ - /etc/lighttpd/vhosts.d/{{ vhost }}.conf:
+ - source: salt:///{{ slspath }}/files/etc/lighttpd/vhosts.conf.j2
+ - context:
+ vhostconfig: {{ config }}
+{%- endfor %}
+{%- endif %}
+
+lighttpd_service:
+ service.running:
+ - name: lighttpd.service
+ - enable: True
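Review bot: `lighttpd_service` (L577-580) has no `watch` on `lighttpd_files`, so a changed lighttpd.conf or vhost file is written but the running daemon never reloads it. Inside the same `{%- if vhosts | length > 0 %}` guard that defines `lighttpd_files`, add `- watch:` followed by `- file: lighttpd_files` to the service state. Two related points: because of that guard (L547), /etc/lighttpd/lighttpd.conf itself is only managed when at least one vhost exists, which is probably not intended given the comment in the template; and `vhosts` defaults to `[]` on L540 but L569 calls `.items()` on it, so the fallback should be `or {}` to match the mapping the loop expects.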
diff --git a/salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2 b/salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2
new file mode 100644
index 0000000..11204f3
--- /dev/null
+++ b/salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2
@@ -0,0 +1,35 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set myfqdn = salt['grains.get']('fqdn') -%}
+{%- set mypillar = 'profile:matterbridge:instances:' ~ instance ~ ':' -%}
+{%- set myaccounts = mypillar ~ 'accounts' -%}
+{%- set mygateways = mypillar ~ 'gateways' -%}
+{%- set generalopts = ['RemoteNickFormat', 'IgnoreFailureOnStart', 'MessageSplit', 'MediaDownloadSize', 'MediaDownloadPath', 'MediaServerDownload', 'LogFile'] -%}
+{%- set accountopts = ['Nick', 'NickServNick', 'NickServPassword', 'Server', 'UseTLS', 'UseSASL', 'Label', 'Charset', 'IgnoreNicks', 'RunCommands', 'UseRelayMsg', 'RemoteNickFormat'] -%}
+{{ header }}
+
+[general]
+{% for option in generalopts %}
+{%- if salt['pillar.get'](mypillar ~ option, None) != None %}
+{{ option }}="{{ salt['pillar.get'](mypillar ~ option) }}"
+{%- endif -%}
+{%- endfor -%}
+
+{% for account, config in salt['pillar.get'](myaccounts).items() %}
+[{{ config['protocol'] }}.{{ account }}]
+{%- for option in accountopts %}
+{%- if salt['pillar.get'](myaccounts ~ ':' ~ account ~ ':' ~ option, None) != None %}
+{{ option }}="{{ config[option] }}"
+{%- endif -%}
+{% endfor %}
+{% endfor -%}
+
+{% for gateway, config in salt['pillar.get'](mygateways).items() %}
+[[gateway]]
+name="{{ gateway }}"
+enable=true
+{% for account, channel in config.items() %}
+ [[gateway.inout]]
+ account="{{ account }}"
+ channel="{{ channel }}"
+{% endfor %}
+{%- endfor -%}
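Review bot: Every option value is emitted inside double quotes (`{{ option }}="{{ ... }}"` on L599 and L607), so options that matterbridge presumably expects as TOML booleans or integers — `UseTLS`, `UseSASL`, `IgnoreFailureOnStart`, `MediaDownloadSize` — are written as strings, and a value containing `"` produces invalid TOML. Using Jinja's `tojson` filter, `{{ option }}={{ config[option] | tojson }}`, quotes and escapes strings while leaving booleans and integers bare, which is the TOML form for both cases; the same applies to the `[general]` block on L599. Note that `NickServPassword` (L593) is rendered into this file, so the file permissions set by the matterbridge state determine who can read the credential.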
diff --git a/salt/profile/matterbridge/init.sls b/salt/profile/matterbridge/init.sls
new file mode 100644
index 0000000..eee6df2
--- /dev/null
+++ b/salt/profile/matterbridge/init.sls
@@ -0,0 +1,45 @@
+{%- set mypillar = 'profile:matterbridge' -%}
+{%- set instances = salt['pillar.get'](mypillar ~ ':instances') or [] -%}
+
+matterbridge_packages:
+ pkg.installed:
+ - pkgs:
+ - matterbridge
+
+matterbridge_directory:
+ file.directory:
+ - user: root
+ - group: matterbridge
+ - clean: True
+ - require:
+ - pkg: matterbridge_packages
+{%- if instances | length > 0 %}
+ - file: matterbridge_files
+{%- endif %}
+ - names:
+ - /etc/matterbridge
+
+{%- if instances | length > 0 %}
+matterbridge_files:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - source: salt:///{{ slspath }}/files/etc/matterbridge/matterbridge.toml.j2
+ - names:
+{%- for instance in instances %}
+ - /etc/matterbridge/{{ instance }}.toml:
+ - context:
+ instance: {{ instance }}
+
+matterbridge_{{ instance }}_service:
+ service.running:
+ - name: matterbridge@{{ instance }}.service
+ - enable: True
+{%- endfor %}
+{%- endif %}
+
+matterbridge_cleanup_timer:
+ service.running:
+ - name: matterbridge-cleanup.timer
+ - enable: True
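Review bot: `matterbridge_files` writes the per-instance TOML with `mode: '0644'` (L653) and no `group`, yet the template this state renders carries `NickServPassword`, so account credentials become world-readable on the minion. The directory is already `root:matterbridge` (L638-639); the files should follow it, `- group: matterbridge` and `- mode: '0640'`, assuming `matterbridge@{{ instance }}.service` runs as that group — confirm against the unit. The `matterbridge_{{ instance }}_service` states (L662-665) also lack a `watch` on `matterbridge_files`, so a changed config is not picked up until a manual restart; `- watch:` / `- file: matterbridge_files` inside the same loop fixes that.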
diff --git a/salt/profile/node_exporter/init.sls b/salt/profile/node_exporter/init.sls
new file mode 100644
index 0000000..1e46b3d
--- /dev/null
+++ b/salt/profile/node_exporter/init.sls
@@ -0,0 +1,36 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set sysconfig = '/etc/sysconfig/prometheus-node_exporter' -%}
+
+node_exporter_packages:
+ pkg.installed:
+ - pkgs:
+ - golang-github-prometheus-node_exporter
+
+node_exporter_sysconfig_header:
+ file.prepend:
+ - name: {{ sysconfig }}
+ - text: '{{ header }}'
+ - require:
+ - pkg: node_exporter_packages
+
+node_exporter_sysconfig:
+ file.replace:
+ - name: {{ sysconfig }}
+ - pattern: |
+ ^ARGS=.*$
+ - repl: |
+ ARGS="--web.listen-address=:9200 --collector.filesystem.fs-types-exclude='^(fuse.s3fs|fuse.cryfs|tmpfscgroup2?|debugfs|devpts|devtmpfs|fusectl|overlay|proc|procfs|pstore)\$' --no-collector.zfs --no-collector.thermal_zone --no-collector.powersupplyclass"
+ - require:
+ - pkg: node_exporter_packages
+ - file: node_exporter_sysconfig_header
+
+node_exporter_service:
+ service.running:
+ - name: prometheus-node_exporter.service
+ - enable: True
+ - full_restart: True
+ - require:
+ - pkg: node_exporter_packages
+ - file: node_exporter_sysconfig
+ - watch:
+ - file: node_exporter_sysconfig
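Review bot: The `fs-types-exclude` regex in the `repl` on L700 contains `tmpfscgroup2?`, which reads like `tmpfs|cgroup2?` with the `|` dropped, so neither tmpfs nor cgroup filesystems are actually excluded and a fifth alternation never matches. The `\$` at the end of that regex relies on the consumer unescaping it: systemd's EnvironmentFile parser strips the backslash inside single quotes, but a shell `source` would keep it literal, so a one-line comment above `repl` stating that the file is read by systemd would document why `\$` rather than `$` is used — I am inferring the reader from the sysconfig path, not from the hunk. The `pattern:` and `repl:` block scalars both end in a newline, which balances here but is easy to break if one of them is later edited to `|-`.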
diff --git a/salt/profile/salt/files/etc/salt/grains.j2 b/salt/profile/salt/files/etc/salt/grains.j2
new file mode 100644
index 0000000..74f3262
--- /dev/null
+++ b/salt/profile/salt/files/etc/salt/grains.j2
@@ -0,0 +1,9 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set roles = salt['pillar.get']('netbox:config_context:roles', []) -%}
+{{ header }}
+{%- if roles is defined and roles %}
+roles:
+ {%- for role in roles %}
+ - {{ role }}
+ {%- endfor %}
+{% endif %}
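Review bot: The `roles` grain written here is what top.sls targets with `'roles:{{ role }}'` / `- match: grain` (L898-899), and grains are set on the minion side, so role assignment is trusted from the minion even though the values originate in pillar (`netbox:config_context:roles`, L722). That is acceptable for state assignment, but the same grain must not be used to target pillar data that carries secrets, since any minion can rewrite /etc/salt/grains; a header comment such as `# roles grain: used by top.sls for state targeting only; do not target secret pillar on it` records the boundary. Minor: `roles is defined` on L724 is always true because L722 assigns it, so `{%- if roles %}` is enough.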
diff --git a/salt/profile/salt/grains.sls b/salt/profile/salt/grains.sls
new file mode 100644
index 0000000..1926250
--- /dev/null
+++ b/salt/profile/salt/grains.sls
@@ -0,0 +1,15 @@
+salt_grains_file:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - names:
+ - /etc/salt/grains:
+ - source: salt:///{{ slspath }}/files/etc/salt/grains.j2
+
+salt_restart_minion:
+ cmd.run:
+ - name: 'salt-call service.restart salt-minion'
+ - bg: True
+ - onchanges:
+ - file: salt_grains_file
diff --git a/salt/profile/seccheck/files/etc/security/autologout.conf b/salt/profile/seccheck/files/etc/security/autologout.conf
new file mode 100644
index 0000000..e910a29
--- /dev/null
+++ b/salt/profile/seccheck/files/etc/security/autologout.conf
@@ -0,0 +1,9 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+TTY_TIMEOUT=60
+DEFAULT_DELAY=60
+KILL_WAIT=20
+
+LOGOUTCONF=(
+"ssh idle:720 delay:30"
+)
diff --git a/salt/profile/seccheck/files/etc/sysconfig/seccheck b/salt/profile/seccheck/files/etc/sysconfig/seccheck
new file mode 100644
index 0000000..86eb9af
--- /dev/null
+++ b/salt/profile/seccheck/files/etc/sysconfig/seccheck
@@ -0,0 +1,4 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+SECCHK_USER="root"
+START_SECCHK="yes"
diff --git a/salt/profile/seccheck/init.sls b/salt/profile/seccheck/init.sls
new file mode 100644
index 0000000..eed0c57
--- /dev/null
+++ b/salt/profile/seccheck/init.sls
@@ -0,0 +1,20 @@
+seccheck_packages:
+ pkg.installed:
+ - pkgs:
+ - seccheck
+
+seccheck_files:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - names:
+ - /etc/sysconfig/seccheck:
+ - source: salt:///{{ slspath }}/files/etc/sysconfig/seccheck
+ - /etc/security/autologout.conf:
+ - source: salt:///{{ slspath }}/files/etc/security/autologout.conf
+
+seccheck_service:
+ service.running:
+ - name: seccheck-autologout.timer
+ - enable: True
diff --git a/salt/profile/test-webserver/init.sls b/salt/profile/test-webserver/init.sls
new file mode 100644
index 0000000..166c4fd
--- /dev/null
+++ b/salt/profile/test-webserver/init.sls
@@ -0,0 +1,4 @@
+test-webserver_packages:
+ pkg.installed:
+ - pkgs:
+ - lighttpd
diff --git a/salt/profile/zypp/files/etc/zypp/zypp.conf.j2 b/salt/profile/zypp/files/etc/zypp/zypp.conf.j2
new file mode 100644
index 0000000..610b4c5
--- /dev/null
+++ b/salt/profile/zypp/files/etc/zypp/zypp.conf.j2
@@ -0,0 +1,8 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+
+[main]
+repo.add.probe = true
+solver.onlyRequires = true
+multiversion = provides:multiversion(kernel)
+multiversion.kernels = latest,latest-1,running
diff --git a/salt/profile/zypp/init.sls b/salt/profile/zypp/init.sls
new file mode 100644
index 0000000..a964ccd
--- /dev/null
+++ b/salt/profile/zypp/init.sls
@@ -0,0 +1,13 @@
+zypp_files:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - names:
+ - /etc/zypp/zypp.conf:
+ - source: salt:///{{ slspath }}/files/etc/zypp/zypp.conf.j2
+
+rpm_key_libertacasa:
+ cmd.run:
+ - name: 'rpm --import https://pepper.lysergic.dev/pub/libertacasa-obs-pubkey'
+ - unless: 'rpm -q gpg-pubkey-f8722274-5f7a4d7b'
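Review bot: `rpm_key_libertacasa` imports a signing key fetched from the network at apply time (L843) without checking that what arrived is the key it expects; the `unless` on L844 only prevents re-import once a key with that id is present, it does not verify the key being imported, so a wrong or substituted key would be trusted for all packages signed with it from then on. Ship the public key in the state tree and pin it with `source_hash`, then import from the local file and tie the import to changes of that file; a fingerprint check before import would also do. The key id in the `unless` string is already the page's own identifier, so the expected fingerprint is what a maintainer needs to fill in.
```yaml
rpm_key_libertacasa_file:
  file.managed:
    - name: <LOCAL_KEY_PATH>                     # placeholder: where the key is staged on the minion
    - source: salt:///{{ slspath }}/files/<KEY_FILE>   # placeholder: key committed to the state tree
    - source_hash: <SHA256_OF_KEY_FILE>          # placeholder: pins the key content
    - mode: '0644'

rpm_key_libertacasa:
  cmd.run:
    - name: 'rpm --import <LOCAL_KEY_PATH>'
    - unless: 'rpm -q gpg-pubkey-f8722274-5f7a4d7b'
    - onchanges:
      - file: rpm_key_libertacasa_file
```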
diff --git a/salt/role/common-suse.sls b/salt/role/common-suse.sls
new file mode 100644
index 0000000..0cfce32
--- /dev/null
+++ b/salt/role/common-suse.sls
@@ -0,0 +1,4 @@
+include:
+ - profile.seccheck
+ - profile.zypp
+ - profile.node_exporter
diff --git a/salt/role/lighttpd.sls b/salt/role/lighttpd.sls
new file mode 100644
index 0000000..93eec82
--- /dev/null
+++ b/salt/role/lighttpd.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.lighttpd
diff --git a/salt/role/matterbridge.sls b/salt/role/matterbridge.sls
new file mode 100644
index 0000000..70e55b2
--- /dev/null
+++ b/salt/role/matterbridge.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.lighttpd
+ - profile.matterbridge
diff --git a/salt/role/minion.sls b/salt/role/minion.sls
new file mode 100644
index 0000000..1da5da3
--- /dev/null
+++ b/salt/role/minion.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.salt.grains
diff --git a/salt/role/test-webserver.sls b/salt/role/test-webserver.sls
new file mode 100644
index 0000000..9130144
--- /dev/null
+++ b/salt/role/test-webserver.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.test-webserver
diff --git a/salt/top.sls b/salt/top.sls
index de9b24b..d937aad 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -3,7 +3,7 @@
{{ saltenv }}:
'*':
- - baseline
+ - common
{% for role in roles %}
'roles:{{ role }}':
- match: grain