From a5754ea0cb540c40ff9ee59bff69c856be167d6f Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter
Date: Sun, 22 Jan 2023 18:38:36 +0100
Subject: Add admins to redis group on masters

Avoid permissions errors if Salt attempts to write to Redis during non-root state.apply calls.

Signed-off-by: Georg Pfuetzenreuter
---
 salt/profile/salt/master.sls | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/salt/profile/salt/master.sls b/salt/profile/salt/master.sls
index ae2aee4..b647bb1 100644
--- a/salt/profile/salt/master.sls
+++ b/salt/profile/salt/master.sls
@@ -80,14 +80,6 @@ salt_master_extra_packages:
 - require:
 - pkg: redis
 
-salt_redis_membership:
- group.present:
- - name: redis
- - addusers:
- - {{ master_pillar['user'] }}
- - require:
- - pkg: redis
-
 salt_redis_service_enable:
 service.enabled:
 - name: {{ redis_service }}
@@ -102,14 +94,25 @@ salt_redis_service_start:
 - watch:
 - file: {{ redis_config }}
 
+salt_redis_membership:
+ group.present:
+ - name: redis
+ - require:
+ - pkg: redis
+ - addusers:
+ - {{ master_pillar['user'] }}
 {%- if pillar['secret_salt'] is defined %}
+ {%- for user in master_pillar['publisher_acl'] %}
+ - {{ user }}
+ {%- endfor %}
+
 admin_salt_membership:
 group.present:
 - name: salt
+ - require:
+ - pkg: salt-master
 - addusers:
 {%- for user in master_pillar['publisher_acl'] %}
 - {{ user }}
 {%- endfor %}
- - require:
- - pkg: salt-master
 {%- endif %}
-- 
cgit v1.2.3
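Review bot: The loop added under `addusers` in `salt_redis_membership` puts every entry of `master_pillar['publisher_acl']` into the `redis` group, but group membership is all-or-nothing while publisher ACL entries can be limited to specific functions or targets. Any narrowly scoped account in that pillar would presumably get the same access to whatever the `redis` group protects as a full admin; the Redis socket and file permissions are not visible here, so confirm what that access covers. Consider reading the members from a dedicated pillar list instead of reusing the ACL keys, or at least document the coupling with a comment above the loop such as `# all publisher_acl users get redis group access; keep that list to full admins`. The `{%- if pillar['secret_salt'] is defined %}` block now opens in the middle of this state's `addusers` list and closes after `admin_salt_membership`, so a short comment on the `if` line saying it spans both states would help the next editor.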