From 2b40942a442a0f15b2d75289d4977a114cd81e72 Mon Sep 17 00:00:00 2001 From: Georg Pfuetzenreuter Date: Sun, 15 Jan 2023 09:45:04 +0100 Subject: Import profiles/roles from salt-devel - + renaming baseline to common 
Signed-off-by: Georg Pfuetzenreuter --- salt/common.sls | 3 + .../lighttpd/files/etc/lighttpd/lighttpd.conf.j2 | 466 +++++++++++++++++++++ .../lighttpd/files/etc/lighttpd/vhosts.conf.j2 | 8 + salt/profile/lighttpd/init.sls | 42 ++ .../files/etc/matterbridge/matterbridge.toml.j2 | 35 ++ salt/profile/matterbridge/init.sls | 45 ++ salt/profile/node_exporter/init.sls | 36 ++ salt/profile/salt/files/etc/salt/grains.j2 | 9 + salt/profile/salt/grains.sls | 15 + .../seccheck/files/etc/security/autologout.conf | 9 + salt/profile/seccheck/files/etc/sysconfig/seccheck | 4 + salt/profile/seccheck/init.sls | 20 + salt/profile/test-webserver/init.sls | 4 + salt/profile/zypp/files/etc/zypp/zypp.conf.j2 | 8 + salt/profile/zypp/init.sls | 13 + salt/role/common-suse.sls | 4 + salt/role/lighttpd.sls | 2 + salt/role/matterbridge.sls | 3 + salt/role/minion.sls | 2 + salt/role/test-webserver.sls | 2 + salt/top.sls | 2 +- 21 files changed, 731 insertions(+), 1 deletion(-) create mode 100644 salt/common.sls create mode 100644 salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2 create mode 100644 salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2 create mode 100644 salt/profile/lighttpd/init.sls create mode 100644 salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2 create mode 100644 salt/profile/matterbridge/init.sls create mode 100644 salt/profile/node_exporter/init.sls create mode 100644 salt/profile/salt/files/etc/salt/grains.j2 create mode 100644 salt/profile/salt/grains.sls create mode 100644 salt/profile/seccheck/files/etc/security/autologout.conf create mode 100644 salt/profile/seccheck/files/etc/sysconfig/seccheck create mode 100644 salt/profile/seccheck/init.sls create mode 100644 salt/profile/test-webserver/init.sls create mode 100644 salt/profile/zypp/files/etc/zypp/zypp.conf.j2 create mode 100644 salt/profile/zypp/init.sls create mode 100644 salt/role/common-suse.sls create mode 100644 salt/role/lighttpd.sls create mode 100644 
salt/role/matterbridge.sls create mode 100644 salt/role/minion.sls create mode 100644 salt/role/test-webserver.sls diff --git a/salt/common.sls b/salt/common.sls new file mode 100644 index 0000000..d0d4de2 --- /dev/null +++ b/salt/common.sls @@ -0,0 +1,3 @@ +include: + - role.minion + - role.common-suse diff --git a/salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2 b/salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2 new file mode 100644 index 0000000..12671ba --- /dev/null +++ b/salt/profile/lighttpd/files/etc/lighttpd/lighttpd.conf.j2 
@@ -0,0 +1,466 @@ +{%- set header = salt['pillar.get']('managed_header_pound') -%} +{{ header }} +# This is mostly the default file shipped with the package, it's only managed via Salt to enable the vhosts.d include at the bottom +####################################################################### +## +## /etc/lighttpd/lighttpd.conf +## +## check /etc/lighttpd/conf.d/*.conf for the configuration of modules. +## +####################################################################### + +####################################################################### +## +## Some Variable definition which will make chrooting easier. +## +## if you add a variable here. Add the corresponding variable in the +## chroot example as well. +## +var.log_root = "/var/log/lighttpd" +var.server_root = "/srv/www" +var.state_dir = "/run" +var.home_dir = "/var/lib/lighttpd" +var.conf_dir = "/etc/lighttpd" + +## +## run the server chrooted. +## +## This requires root permissions during startup. +## +## If you run Chrooted set the the variables to directories relative to +## the chroot dir. +## +## example chroot configuration: +## +#var.log_root = "/logs" +#var.server_root = "/" +#var.state_dir = "/run" +#var.home_dir = "/lib/lighttpd" +#var.vhosts_dir = "/vhosts" +#var.conf_dir = "/etc" +# +#server.chroot = "/srv/www" + +## +## Some additional variables to make the configuration easier +## + +## +## Base directory for all virtual hosts +## +## used in: +## conf.d/evhost.conf +## conf.d/simple_vhost.conf +## vhosts.d/vhosts.template +## +var.vhosts_dir = server_root + "/vhosts" + +## +## Cache for mod_deflate +## +## used in: +## conf.d/deflate.conf +## +var.cache_dir = "/var/cache/lighttpd" + +## +## Base directory for sockets. 
+## +## used in: +## conf.d/fastcgi.conf +## conf.d/scgi.conf +## +var.socket_dir = home_dir + "/sockets" + +## +####################################################################### + +####################################################################### +## +## Load the modules. +include conf_dir + "/modules.conf" + +## +####################################################################### + +####################################################################### +## +## Basic Configuration +## --------------------- +## +server.port = 80 + +## +## Use IPv6? +## +server.use-ipv6 = "enable" + +## +## bind to a specific IP +## +#server.bind = "localhost" + +## +## Run as a different username/groupname. +## This requires root permissions during startup. +## +server.username = "lighttpd" +server.groupname = "lighttpd" + +## +## Enable lighttpd to serve requests on sockets received from systemd +## https://www.freedesktop.org/software/systemd/man/systemd.socket.html +## +#server.systemd-socket-activation = "enable" + +## +## enable core files. +## +#server.core-files = "disable" + +## +## Document root +## +server.document-root = server_root + "/htdocs" + +## +## The value for the "Server:" response field. +## +## It would be nice to keep it at "lighttpd". +## +#server.tag = "lighttpd" + +## +## store a pid file +## +server.pid-file = state_dir + "/lighttpd.pid" + +## +####################################################################### + +####################################################################### +## +## Logging Options +## ------------------ +## +## all logging options can be overwritten per vhost. +## +## Path to the error log file +## +server.errorlog = log_root + "/error.log" + +## +## If you want to log to syslog you have to unset the +## server.errorlog setting and uncomment the next line. 
+## +#server.errorlog-use-syslog = "enable" + +## +## Access log config +## +include conf_dir + "/conf.d/access_log.conf" + +## +## The debug options are moved into their own file. +## see conf.d/debug.conf for various options for request debugging. +## +include conf_dir + "/conf.d/debug.conf" + +## +####################################################################### + +####################################################################### +## +## Tuning/Performance +## -------------------- +## +## corresponding documentation: +## https://wiki.lighttpd.net/Docs_Performance +## +## set the event-handler (read the performance section in the manual) +## +## The recommended server.event-handler is chosen by default for each OS. +## +## epoll (recommended on Linux) +## kqueue (recommended on *BSD and MacOS X) +## solaris-eventports (recommended on Solaris) +## poll (recommended if none of above are available) +## select (*not* recommended) +## libev (*not* recommended) +## +#server.event-handler = "linux-sysepoll" + +## +## The basic network interface for all platforms at the syscalls read() +## and write(). Every modern OS provides its own syscall to help network +## servers transfer files as fast as possible +## +#server.network-backend = "sendfile" + +## +## As lighttpd is a single-threaded server, its main resource limit is +## the number of file descriptors, which is set to 1024 by default (on +## most systems). +## +## If you are running a high-traffic site you might want to increase this +## limit by setting server.max-fds. +## +## Changing this setting requires root permissions on startup. see +## server.username/server.groupname. +## +## By default lighttpd would not change the operation system default. +## But setting it to 16384 is a better default for busy servers. 
+## +## With SELinux enabled, this is denied by default and needs to be allowed +## by running the following once: setsebool -P httpd_setrlimit on +## +server.max-fds = 16384 + +## +## listen-backlog is the size of the listen() backlog queue requested when +## the lighttpd server ask the kernel to listen() on the provided network +## address. Clients attempting to connect() to the server enter the listen() +## backlog queue and wait for the lighttpd server to accept() the connection. +## +## The out-of-box default on many operating systems is 128 and is identified +## as SOMAXCONN. This can be tuned on many operating systems. (On Linux, +## cat /proc/sys/net/core/somaxconn) Requesting a size larger than operating +## system limit will be silently reduced to the limit by the operating system. +## +## When there are too many connection attempts waiting for the server to +## accept() new connections, the listen backlog queue fills and the kernel +## rejects additional connection attempts. This can be useful as an +## indication to an upstream load balancer that the server is busy, and +## possibly overloaded. In that case, configure a smaller limit for +## server.listen-backlog. On the other hand, configure a larger limit to be +## able to handle bursts of new connections, but only do so up to an amount +## that the server can keep up with responding in a reasonable amount of +## time. Otherwise, clients may abandon the connection attempts and the +## server will waste resources servicing abandoned connections. +## +## It is best to leave this setting at its default unless you have modelled +## your traffic and tested that changing this benefits your traffic patterns. +## +## Default: 1024 +## +#server.listen-backlog = 128 + +## +## Stat() call caching. +## +## lighttpd can utilize FAM/Gamin to cache stat call. +## +## possible values are: +## disable, simple, inotify, kqueue, or fam. 
+## +#server.stat-cache-engine = "simple" + +## +## Fine tuning for the request handling +## +## max-connections == max-fds/3) +## (other file handles are used for fastcgi/files) +## +#server.max-connections = 1024 + +## +## How many seconds to keep a keep-alive connection open, +## until we consider it idle. +## +## Default: 5 +## +#server.max-keep-alive-idle = 5 + +## +## How many keep-alive requests until closing the connection. +## +## Default: 16 +## +#server.max-keep-alive-requests = 16 + +## +## Maximum size of a request in kilobytes. +## By default it is unlimited (0). +## +## Uploads to your server cant be larger than this value. +## +#server.max-request-size = 0 + +## +## Time to read from a socket before we consider it idle. +## +## Default: 60 +## +#server.max-read-idle = 60 + +## +## Time to write to a socket before we consider it idle. +## +## Default: 360 +## +#server.max-write-idle = 360 + +## +## Traffic Shaping +## ----------------- +## +## see /usr/share/doc/lighttpd/traffic-shaping.txt +## +## Values are in kilobyte per second. +## +## Keep in mind that a limit below 32kB/s might actually limit the +## traffic to 32kB/s. This is caused by the size of the TCP send +## buffer. +## +## per server: +## +#server.kbytes-per-second = 128 + +## +## per connection: +## +#connection.kbytes-per-second = 32 + +## +####################################################################### + +####################################################################### +## +## Filename/File handling +## ------------------------ + +## +## files to check for if .../ is requested +## index-file.names = ( "index.php", "index.rb", "index.html", +## "index.htm", "default.htm" ) +## +index-file.names += ( + "index.xhtml", "index.html", "index.htm", "default.htm", "index.php" +) + +## +## deny access the file-extensions +## +## ~ is for backupfiles from vi, emacs, joe, ... 
+## .inc is often used for code includes which should in general not be part +## of the document-root +url.access-deny = ( "~", ".inc" ) + +## +## disable range requests for pdf files +## workaround for a bug in the Acrobat Reader plugin. +## (ancient; should no longer be needed) +## +#$HTTP["url"] =~ "\.pdf$" { +# server.range-requests = "disable" +#} + +## +## url handling modules (rewrite, redirect) +## +#url.rewrite = ( "^/$" => "/server-status" ) +#url.redirect = ( "^/wishlist/(.+)" => "http://www.example.com/$1" ) + +## +## both rewrite/redirect support back reference to regex conditional using %n +## +#$HTTP["host"] =~ "^www\.(.*)" { +# url.redirect = ( "^/(.*)" => "http://%1/$1" ) +#} + +## +## which extensions should not be handle via static-file transfer +## +## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi +## +static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" ) + +## +## error-handler for all status 400-599 +## +#server.error-handler = "/error-handler.html" +#server.error-handler = "/error-handler.php" + +## +## error-handler for status 404 +## +#server.error-handler-404 = "/error-handler.html" +#server.error-handler-404 = "/error-handler.php" + +## +## Format: .html +## -> ..../status-404.html for 'File not found' +## +#server.errorfile-prefix = server_root + "/htdocs/errors/status-" + +## +## mimetype mapping +## +include conf_dir + "/conf.d/mime.conf" + +## +## directory listing configuration +## +include conf_dir + "/conf.d/dirlisting.conf" + +## +## Should lighttpd follow symlinks? +## default: "enable" +#server.follow-symlink = "enable" + +## +## force all filenames to be lowercase? 
+## +#server.force-lowercase-filenames = "disable" + +## +## defaults to /var/tmp as we assume it is a local harddisk +## default: "/var/tmp" +#server.upload-dirs = ( "/var/tmp" ) + +## +####################################################################### + +####################################################################### +## +## SSL Support +## ------------- +## +## https://wiki.lighttpd.net/Docs_SSL +# +## To enable SSL for the whole server you have to provide a valid +## certificate and have to enable the SSL engine.:: +## +## server.modules += ( "mod_openssl" ) +## +## ssl.privkey = "/path/to/privkey.pem" +## ssl.pemfile = "/path/to/fullchain.pem" +## # ssl.pemfile should contain the sorted certificate chain, including +## # intermediate certificates, as provided by the certificate issuer. +## # If both privkey and cert are in same file, specify only ssl.pemfile. +## +## # Check your cipher list with: openssl ciphers -v '...' +## # (use single quotes with: openssl ciphers -v '...' +## # as your shell won't like ! in double quotes) +## #ssl.cipher-list = "HIGH" # default +## +## # (recommended to accept only TLSv1.2 and TLSv1.3) +## #ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2") # default +## +## $SERVER["socket"] == "*:443" { +## ssl.engine = "enable" +## } +## $SERVER["socket"] == "[::]:443" { +## ssl.engine = "enable" +## } +## +####################################################################### + +####################################################################### +## +## custom includes like vhosts. +## +#include conf_dir + "/conf.d/config.conf" +include conf_dir + "/vhosts.d/*.conf" +## +####################################################################### diff --git a/salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2 b/salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2 new file mode 100644 index 0000000..24dd5b7 --- /dev/null +++ b/salt/profile/lighttpd/files/etc/lighttpd/vhosts.conf.j2 
@@ -0,0 +1,8 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+
+{%- if vhostconfig is defined -%}
+$HTTP["host"] =~ "{{ vhostconfig['host'].replace('.', '\.') }}" {
+ server.document-root = "{{ vhostconfig['root'] }}"
+}
+{%- endif -%}
diff --git a/salt/profile/lighttpd/init.sls b/salt/profile/lighttpd/init.sls
new file mode 100644
index 0000000..1d4f9e9
--- /dev/null
+++ b/salt/profile/lighttpd/init.sls
@@ -0,0 +1,42 @@
+{%- set mypillar = 'profile:lighttpd' -%}
+{%- set vhosts = salt['pillar.get'](mypillar ~ ':vhosts') or [] -%}
+
+lighttpd_packages:
+ pkg.installed:
+ - pkgs:
+ - lighttpd
+
+{%- if vhosts | length > 0 %}
+lighttpd_directories:
+ file.directory:
+ - user: root
+ - group: lighttpd
+ - mode: '0750'
+ - clean: True
+ - require:
+ - pkg: lighttpd_packages
+ - file: lighttpd_files
+ - names:
+ - /etc/lighttpd/vhosts.d
+
+lighttpd_files:
+ file.managed:
+ - user: root
+ - group: lighttpd
+ - mode: '0640'
+ - template: jinja
+ - names:
+ - /etc/lighttpd/lighttpd.conf:
+ - source: salt:///{{ slspath }}/files/etc/lighttpd/lighttpd.conf.j2
+{%- for vhost, config in vhosts.items() %}
+ - /etc/lighttpd/vhosts.d/{{ vhost }}.conf:
+ - source: salt:///{{ slspath }}/files/etc/lighttpd/vhosts.conf.j2
+ - context:
+ vhostconfig: {{ config }}
+{%- endfor %}
+{%- endif %}
+
+lighttpd_service:
+ service.running:
+ - name: lighttpd.service
+ - enable: True
diff --git a/salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2 b/salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2
new file mode 100644
index 0000000..11204f3
--- /dev/null
+++ b/salt/profile/matterbridge/files/etc/matterbridge/matterbridge.toml.j2
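Review bot: The host pattern in `$HTTP["host"] =~ "{{ vhostconfig['host'].replace('.', '\.') }}"` of vhosts.conf.j2 is unanchored, so a vhost configured for a name such as `example.org` (constructed example) also matches any Host header that merely contains that string. Only `.` is escaped, so any other regex metacharacter in the pillar value is passed through as pattern syntax. If an exact match is intended, `$HTTP["host"] == "{{ vhostconfig['host'] }}"` avoids the regex altogether; otherwise wrap the escaped value in `^` and `$`.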
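Review bot: `vhostconfig: {{ config }}` in lighttpd/init.sls writes the Python repr of the pillar dict into the state YAML, which only round-trips while every value looks the same in both syntaxes; a value containing a quote character or `None` is changed or fails to parse. `vhostconfig: {{ config | json }}` serialises it safely. Separately, `lighttpd_service` has no `watch` on `lighttpd_files`, so an added or removed vhost is not picked up until the service is restarted by hand. Because `lighttpd_files` sits inside the `vhosts | length > 0` guard, lighttpd.conf itself is left unmanaged on hosts without vhosts.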
@@ -0,0 +1,35 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set myfqdn = salt['grains.get']('fqdn') -%}
+{%- set mypillar = 'profile:matterbridge:instances:' ~ instance ~ ':' -%}
+{%- set myaccounts = mypillar ~ 'accounts' -%}
+{%- set mygateways = mypillar ~ 'gateways' -%}
+{%- set generalopts = ['RemoteNickFormat', 'IgnoreFailureOnStart', 'MessageSplit', 'MediaDownloadSize', 'MediaDownloadPath', 'MediaServerDownload', 'LogFile'] -%}
+{%- set accountopts = ['Nick', 'NickServNick', 'NickServPassword', 'Server', 'UseTLS', 'UseSASL', 'Label', 'Charset', 'IgnoreNicks', 'RunCommands', 'UseRelayMsg', 'RemoteNickFormat'] -%}
+{{ header }}
+
+[general]
+{% for option in generalopts %}
+{%- if salt['pillar.get'](mypillar ~ option, None) != None %}
+{{ option }}="{{ salt['pillar.get'](mypillar ~ option) }}"
+{%- endif -%}
+{%- endfor -%}
+
+{% for account, config in salt['pillar.get'](myaccounts).items() %}
+[{{ config['protocol'] }}.{{ account }}]
+{%- for option in accountopts %}
+{%- if salt['pillar.get'](myaccounts ~ ':' ~ account ~ ':' ~ option, None) != None %}
+{{ option }}="{{ config[option] }}"
+{%- endif -%}
+{% endfor %}
+{% endfor -%}
+
+{% for gateway, config in salt['pillar.get'](mygateways).items() %}
+[[gateway]]
+name="{{ gateway }}"
+enable=true
+{% for account, channel in config.items() %}
+ [[gateway.inout]]
+ account="{{ account }}"
+ channel="{{ channel }}"
+{% endfor %}
+{%- endfor -%}
diff --git a/salt/profile/matterbridge/init.sls b/salt/profile/matterbridge/init.sls
new file mode 100644
index 0000000..eee6df2
--- /dev/null
+++ b/salt/profile/matterbridge/init.sls
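Review bot: Pillar values are pasted between literal double quotes (`{{ option }}="{{ config[option] }}"`), so a `NickServPassword` or nick format containing `"` or `\` yields invalid TOML or a different string than the one configured. Writing `{{ option }}={{ config[option] | json }}` escapes strings and keeps booleans such as `UseTLS` as booleans rather than quoted text. The `[general]` loop and the gateway `account`/`channel` lines need the same treatment. `salt['pillar.get'](myaccounts).items()` also assumes the accounts and gateways keys exist; with a key missing, the render presumably fails instead of producing an empty section.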
@@ -0,0 +1,45 @@
+{%- set mypillar = 'profile:matterbridge' -%}
+{%- set instances = salt['pillar.get'](mypillar ~ ':instances') or [] -%}
+
+matterbridge_packages:
+ pkg.installed:
+ - pkgs:
+ - matterbridge
+
+matterbridge_directory:
+ file.directory:
+ - user: root
+ - group: matterbridge
+ - clean: True
+ - require:
+ - pkg: matterbridge_packages
+{%- if instances | length > 0 %}
+ - file: matterbridge_files
+{%- endif %}
+ - names:
+ - /etc/matterbridge
+
+{%- if instances | length > 0 %}
+matterbridge_files:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - source: salt:///{{ slspath }}/files/etc/matterbridge/matterbridge.toml.j2
+ - names:
+{%- for instance in instances %}
+ - /etc/matterbridge/{{ instance }}.toml:
+ - context:
+ instance: {{ instance }}
+
+matterbridge_{{ instance }}_service:
+ service.running:
+ - name: matterbridge@{{ instance }}.service
+ - enable: True
+{%- endfor %}
+{%- endif %}
+
+matterbridge_cleanup_timer:
+ service.running:
+ - name: matterbridge-cleanup.timer
+ - enable: True
diff --git a/salt/profile/node_exporter/init.sls b/salt/profile/node_exporter/init.sls
new file mode 100644
index 0000000..1e46b3d
--- /dev/null
+++ b/salt/profile/node_exporter/init.sls
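Review bot: `matterbridge_files` writes each instance's TOML with `- mode: '0644'` and no group, yet the template it renders includes `NickServPassword`, so account credentials end up readable by every local user. Adding `- group: matterbridge` and using `- mode: '0640'` would match the group already set on `/etc/matterbridge` and the pattern the lighttpd profile uses. The per-instance `service.running` state is also emitted inside the `names:` loop, so with more than one instance the second list entry appears to land after a state ID; the rendered YAML is worth checking. The instance services do not `watch` their config file either.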
@@ -0,0 +1,36 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set sysconfig = '/etc/sysconfig/prometheus-node_exporter' -%}
+
+node_exporter_packages:
+ pkg.installed:
+ - pkgs:
+ - golang-github-prometheus-node_exporter
+
+node_exporter_sysconfig_header:
+ file.prepend:
+ - name: {{ sysconfig }}
+ - text: '{{ header }}'
+ - require:
+ - pkg: node_exporter_packages
+
+node_exporter_sysconfig:
+ file.replace:
+ - name: {{ sysconfig }}
+ - pattern: |
+ ^ARGS=.*$
+ - repl: |
+ ARGS="--web.listen-address=:9200 --collector.filesystem.fs-types-exclude='^(fuse.s3fs|fuse.cryfs|tmpfscgroup2?|debugfs|devpts|devtmpfs|fusectl|overlay|proc|procfs|pstore)\$' --no-collector.zfs --no-collector.thermal_zone --no-collector.powersupplyclass"
+ - require:
+ - pkg: node_exporter_packages
+ - file: node_exporter_sysconfig_header
+
+node_exporter_service:
+ service.running:
+ - name: prometheus-node_exporter.service
+ - enable: True
+ - full_restart: True
+ - require:
+ - pkg: node_exporter_packages
+ - file: node_exporter_sysconfig
+ - watch:
+ - file: node_exporter_sysconfig
diff --git a/salt/profile/salt/files/etc/salt/grains.j2 b/salt/profile/salt/files/etc/salt/grains.j2
new file mode 100644
index 0000000..74f3262
--- /dev/null
+++ b/salt/profile/salt/files/etc/salt/grains.j2
@@ -0,0 +1,9 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{%- set roles = salt['pillar.get']('netbox:config_context:roles', []) -%}
+{{ header }}
+{%- if roles is defined and roles %}
+roles:
+ {%- for role in roles %}
+ - {{ role }}
+ {%- endfor %}
+{% endif %}
diff --git a/salt/profile/salt/grains.sls b/salt/profile/salt/grains.sls
new file mode 100644
index 0000000..1926250
--- /dev/null
+++ b/salt/profile/salt/grains.sls
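Review bot: `--web.listen-address=:9200` in the `repl` line of node_exporter/init.sls binds the exporter on every interface, and nothing in this state limits who can reach it, so host metrics are exposed to any network the machine is attached to. Binding to a management address taken from pillar, or shipping a firewall rule alongside, would narrow that. In the same line, `tmpfscgroup2?` in the fs-types-exclude pattern looks like a missing `|` between `tmpfs` and `cgroup2?`; if so, neither filesystem type is actually excluded.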
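Review bot: grains.j2 copies the role list from pillar (`netbox:config_context:roles`) into `/etc/salt/grains`, and the top file then targets on it with `- match: grain`, but grains are data the minion itself controls. A minion that edits its own grains file can presumably claim any role and receive that role's states. Since the roles already exist in pillar, matching there with `- match: pillar` would keep the role decision on the master and make this file informational only.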
@@ -0,0 +1,15 @@
+salt_grains_file:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - names:
+ - /etc/salt/grains:
+ - source: salt:///{{ slspath }}/files/etc/salt/grains.j2
+
+salt_restart_minion:
+ cmd.run:
+ - name: 'salt-call service.restart salt-minion'
+ - bg: True
+ - onchanges:
+ - file: salt_grains_file
diff --git a/salt/profile/seccheck/files/etc/security/autologout.conf b/salt/profile/seccheck/files/etc/security/autologout.conf
new file mode 100644
index 0000000..e910a29
--- /dev/null
+++ b/salt/profile/seccheck/files/etc/security/autologout.conf
@@ -0,0 +1,9 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+TTY_TIMEOUT=60
+DEFAULT_DELAY=60
+KILL_WAIT=20
+
+LOGOUTCONF=(
+"ssh idle:720 delay:30"
+)
diff --git a/salt/profile/seccheck/files/etc/sysconfig/seccheck b/salt/profile/seccheck/files/etc/sysconfig/seccheck
new file mode 100644
index 0000000..86eb9af
--- /dev/null
+++ b/salt/profile/seccheck/files/etc/sysconfig/seccheck
@@ -0,0 +1,4 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+SECCHK_USER="root"
+START_SECCHK="yes"
diff --git a/salt/profile/seccheck/init.sls b/salt/profile/seccheck/init.sls
new file mode 100644
index 0000000..eed0c57
--- /dev/null
+++ b/salt/profile/seccheck/init.sls
@@ -0,0 +1,20 @@
+seccheck_packages:
+ pkg.installed:
+ - pkgs:
+ - seccheck
+
+seccheck_files:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - names:
+ - /etc/sysconfig/seccheck:
+ - source: salt:///{{ slspath }}/files/etc/sysconfig/seccheck
+ - /etc/security/autologout.conf:
+ - source: salt:///{{ slspath }}/files/etc/security/autologout.conf
+
+seccheck_service:
+ service.running:
+ - name: seccheck-autologout.timer
+ - enable: True
diff --git a/salt/profile/test-webserver/init.sls b/salt/profile/test-webserver/init.sls
new file mode 100644
index 0000000..166c4fd
--- /dev/null
+++ b/salt/profile/test-webserver/init.sls
@@ -0,0 +1,4 @@
+test-webserver_packages:
+ pkg.installed:
+ - pkgs:
+ - lighttpd
diff --git a/salt/profile/zypp/files/etc/zypp/zypp.conf.j2 b/salt/profile/zypp/files/etc/zypp/zypp.conf.j2
new file mode 100644
index 0000000..610b4c5
--- /dev/null
+++ b/salt/profile/zypp/files/etc/zypp/zypp.conf.j2
@@ -0,0 +1,8 @@
+{%- set header = salt['pillar.get']('managed_header_pound') -%}
+{{ header }}
+
+[main]
+repo.add.probe = true
+solver.onlyRequires = true
+multiversion = provides:multiversion(kernel)
+multiversion.kernels = latest,latest-1,running
diff --git a/salt/profile/zypp/init.sls b/salt/profile/zypp/init.sls
new file mode 100644
index 0000000..a964ccd
--- /dev/null
+++ b/salt/profile/zypp/init.sls
@@ -0,0 +1,13 @@
+zypp_files:
+ file.managed:
+ - user: root
+ - mode: '0644'
+ - template: jinja
+ - names:
+ - /etc/zypp/zypp.conf:
+ - source: salt:///{{ slspath }}/files/etc/zypp/zypp.conf.j2
+
+rpm_key_libertacasa:
+ cmd.run:
+ - name: 'rpm --import https://pepper.lysergic.dev/pub/libertacasa-obs-pubkey'
+ - unless: 'rpm -q gpg-pubkey-f8722274-5f7a4d7b'
diff --git a/salt/role/common-suse.sls b/salt/role/common-suse.sls
new file mode 100644
index 0000000..0cfce32
--- /dev/null
+++ b/salt/role/common-suse.sls
@@ -0,0 +1,4 @@
+include:
+ - profile.seccheck
+ - profile.zypp
+ - profile.node_exporter
diff --git a/salt/role/lighttpd.sls b/salt/role/lighttpd.sls
new file mode 100644
index 0000000..93eec82
--- /dev/null
+++ b/salt/role/lighttpd.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.lighttpd
diff --git a/salt/role/matterbridge.sls b/salt/role/matterbridge.sls
new file mode 100644
index 0000000..70e55b2
--- /dev/null
+++ b/salt/role/matterbridge.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.lighttpd
+ - profile.matterbridge
diff --git a/salt/role/minion.sls b/salt/role/minion.sls
new file mode 100644
index 0000000..1da5da3
--- /dev/null
+++ b/salt/role/minion.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.salt.grains
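Review bot: `rpm --import https://pepper.lysergic.dev/pub/libertacasa-obs-pubkey` in zypp/init.sls trusts whatever key that URL serves at run time, with nothing checking it against the expected key. The `unless` test for `gpg-pubkey-f8722274-5f7a4d7b` runs before the import, so a different key at that location would be imported without complaint and then re-imported on every run. Shipping the key in the state tree (`file.managed` from `salt://`) and importing the local file pins the trust anchor to what was reviewed. Checking the downloaded key's fingerprint before `rpm --import` would do the same.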
diff --git a/salt/role/test-webserver.sls b/salt/role/test-webserver.sls new file mode 100644 index 0000000..9130144 --- /dev/null +++ b/salt/role/test-webserver.sls @@ -0,0 +1,2 @@ +include: + - profile.test-webserver diff --git a/salt/top.sls b/salt/top.sls index de9b24b..d937aad 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -3,7 +3,7 @@ {{ saltenv }}: '*': - - baseline + - common {% for role in roles %} 'roles:{{ role }}': - match: grain -- cgit v1.2.3