Merge branch 'master' of ssh://git.maketank.net:2222/chaos/salt-master

This commit is contained in:
2025-11-20 18:20:17 +01:00
63 changed files with 2263 additions and 143 deletions

2
.gitignore vendored

@@ -1,3 +1,5 @@
**/.ptp-sync
**/.ptp-sync-folder
.project
.pydevproject
.settings


@@ -17,6 +17,8 @@ def _hardware():
for line in open("/etc/armbian-release","r").readlines():
if re.match("BOARD=espressobin", line):
h = "Espressobin"
if re.match("BOARD=pine64", line):
h = "Pine64"
return h
def main():
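Review bot: The handle returned by `open("/etc/armbian-release","r")` on the `for` line is never closed, and `readlines()` slurps the whole file only to iterate it once. A context manager fixes both: `with open("/etc/armbian-release") as f:` / `for line in f:`. If `h` has no default assigned before this loop, `return h` raises when neither board matches; `_hardware` starts outside the hunk, so I cannot tell whether it does.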

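--- a/_grains/os_flavor.py
+++ b/_grains/os_flavor.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python3
+import re
+import os.path
+def _os_flavor():
+if os.path.isfile('/etc/armbian-release'):
+h = "Armbian"
+elif os.path.isdir('/etc/osmc'):
+h = "OSMC"
+elif os.path.isfile('/etc/octopi_version'):
+h = "OctoPi"
+else:
+h = "Debian"
+return h
+def main():
+grains = {}
+grains['os_flavor'] = _os_flavor()
+return grains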
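Review bot: `_os_flavor` falls through to `"Debian"` for any host that matches none of the three probes, so a system that is not Debian-based at all is still reported as Debian; the hardware grain in this tree is tested against an `'unknown'` value (L806), and returning `"unknown"` here in the same way would let callers tell "not probed" from "plain Debian". `import re` is unused in this file. The `/etc/osmc` probe uses `isdir` while the other two use `isfile`; a short comment stating that OSMC ships a directory rather than a marker file would save the next reader a check.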


@@ -4,9 +4,9 @@
include:
- .packages
- .pki
- .gluster.client
#- .pki
- sysctl
- rsyslog
- sudoers
- systemd
- .timezone
- .release

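--- a/base/packages/FreeCAD.sls
+++ b/base/packages/FreeCAD.sls
@@ -0,0 +1,75 @@
+include:
+- .repo.openfoam
+pkg_FreeCAD:
+pkg.installed:
+- pkgs:
+- openfoam
+- libocct-draw-dev
+- libocct-foundation-dev
+- libocct-modeling-algorithms-dev
+- libocct-modeling-data-dev
+- libocct-ocaf-dev
+- libocct-visualization-dev
+- libocct-data-exchange-dev
+- calculix-cgx
+- cmake
+- libboost-date-time-dev
+- libboost-dev
+- libboost-filesystem-dev
+- libboost-graph-dev
+- libboost-iostreams-dev
+- libboost-program-options-dev
+- libboost-python-dev
+- libboost-regex-dev
+- libboost-serialization-dev
+- libboost-thread-dev
+- libcoin-dev
+- libeigen3-dev
+- libgts-bin
+- libgts-dev
+- libkdtree++-dev
+- libmedc-dev
+- libocct-data-exchange-dev
+- libocct-ocaf-dev
+- libocct-visualization-dev
+- libopencv-dev
+- libproj-dev
+- libpyside2-dev
+- libqt5opengl5-dev
+- libqt5svg5-dev
+- libqt5webkit5-dev
+- libqt5x11extras5-dev
+- libqt5xmlpatterns5-dev
+- libshiboken2-dev
+- libspnav-dev
+- libx11-dev
+- libxerces-c-dev
+- libzipios++-dev
+- occt-draw
+- pyside2-tools
+- python3-dev
+- python3-matplotlib
+- python3-pivy
+- python3-ply
+- python3-pyside2.qtcore
+- python3-pyside2.qtgui
+- python3-pyside2.qtsvg
+- python3-pyside2.qtwidgets
+- python3-pyside2.qtnetwork
+- python3-pyside2.qtwebengine
+- python3-pyside2.qtwebenginecore
+- python3-pyside2.qtwebenginewidgets
+- python3-pyside2.qtwebchannel
+- python3-markdown
+- python3-git
+- qtbase5-dev
+- qttools5-dev
+- swig
+- libmetis-dev
+- python3-pyside2.qtscripttools
+- python3-pyside2.qtuitools
+- pyside2-tools
+- libshiboken2-dev
+- libshiboken2-py3-5.15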
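Review bot: Several packages appear twice in the `pkgs` list — `libocct-data-exchange-dev`, `libocct-ocaf-dev` and `libocct-visualization-dev` (L82-L84 and L103-L105), `pyside2-tools` (L120, L142) and `libshiboken2-dev` (L114, L143); apt tolerates the repeats, but the list is hard to audit as it stands, so dedupe and sort it. The state also relies on include ordering alone to get `repo_openfoam` configured before the install; an explicit `- require:` / `- pkgrepo: repo_openfoam` makes the dependency visible and fails the package state cleanly if the repo cannot be set up.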


@@ -26,20 +26,17 @@ common-installed:
- bzip2
- gzip
- unzip
- libwww-perl
- bind9-host
- dnsutils
- tcpdump
- file
- python-pip
- python-dev
- python-pyinotify
- python-m2crypto
- python3-pip
- python3-dev
- python3-pyinotify
- python3-m2crypto
- python3-apt
- lockfile-progs
- virt-what
- ntp
- ntpdate
- apt-transport-https
- python3-croniter
- flex
@@ -48,7 +45,11 @@ common-installed:
- nfs-common
- mosquitto-clients
- autofs
- python-apt
- debian-keyring
- python3-cherrypy3
- python3-pygit2
- systemd-timesyncd
- zstd
common-removed:
pkg.removed:
@@ -58,3 +59,7 @@ common-removed:
- exim4-base
- exim4-config
- exim4-daemon-light
- command-not-found
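Review bot: `ntp` and `ntpdate` (L168-L169) remain in `common-installed` while `systemd-timesyncd` (L181) is being added; on Debian bullseye these packages conflict with each other (both provide the `time-daemon` virtual package), so if all three end up in the same `pkg.installed` the state would fail, or one daemon would be installed only to be removed by the other. Keep one time daemon per host; if timesyncd is the target, move `ntp`/`ntpdate` to `common-removed`. The side of each changed line is not recoverable from this rendering, so please confirm against the raw diff.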

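--- a/base/packages/haproxy.sls
+++ b/base/packages/haproxy.sls
@@ -0,0 +1,61 @@
+include:
+- haproxy
+pkg_prometheus-haproxy-exporter:
+pkg.installed:
+- pkgs:
+- prometheus-haproxy-exporter
+service_prometheus-haproxy-exporter:
+service.running:
+- name: prometheus-haproxy-exporter
+- enable: True
+- watch:
+- file: /etc/default/prometheus-haproxy-exporter
+etc_default_prometheus_haproxy-exporter:
+file.managed:
+- name: /etc/default/prometheus-haproxy-exporter
+- require:
+- pkg: pkg_prometheus-haproxy-exporter
+- contents: |
+#
+## SALT managed
+#
+# Set the command-line arguments to pass to the server.
+# Due to shell scaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+ARGS="--haproxy.scrape-uri=http://localhost:9110/haproxy-status;csv --log.level=warn"
+# Prometheus-haproxy-exporter supports the following options:
+#
+# --web.listen-address=":9101"
+# Address to listen on for web interface and telemetry.
+# --web.telemetry-path="/metrics"
+# Path under which to expose metrics.
+# --haproxy.scrape-uri="http://localhost/;csv"
+# URI on which to scrape HAProxy.
+# --haproxy.ssl-verify
+# Flag that enables SSL certificate verification for the scrape URI
+# --haproxy.server-metric-fields="2,3,4,5,6,7,8,9,13,14,15,16,17,18,21,24,33,35,38,39,40,41,42,43,44"
+# Comma-separated list of exported server metrics. See
+# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.1
+# --haproxy.timeout=5s
+# Timeout for trying to get stats from HAProxy.
+# --haproxy.pid-file=""
+# Path to HAProxy pid file.
+#
+# If provided, the standard process metrics get exported for the HAProxy
+# process, prefixed with 'haproxy_process_...'. The haproxy_process exporter
+# needs to have read access to files owned by the HAProxy process. Depends
+# on the availability of /proc.
+# https://prometheus.io/docs/instrumenting/writing_clientlibs/#process-metrics.
+# --log.level="info"
+# Only log messages with the given severity or above.
+# Valid levels: [debug, info, warn, error, fatal]
+# --log.format="logger:stderr"
+# Set the log target and format. Example:
+# "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true"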


@@ -4,5 +4,6 @@
include:
- .common
- .repo.maketank
- .repo.debian
- .prometheus
- .salt.minion
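Review bot: `- .repo.maketank` is still included here while this commit deletes a repo file whose state is `repo_maketank` (the `@@ -1,18 +0,0 @@` hunk at L469-L484); if that deleted file is `repo/maketank.sls` under this directory, the include now names a missing SLS and highstate fails to compile for every host using this file. Either drop the include or keep the repo file. The paths of both hunks are not visible in this rendering, so please verify.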


@@ -1,46 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
include:
- haproxy
- systemd.units
openhab2-pkgs:
pkg.installed:
- pkgs:
- openhab2
- openhab2-addons
- default-jre-headless
- libopenzwave1.5
- gunicorn3
- python3
- prometheus-haproxy-exporter
- require:
- pkgrepo: repo_openhab2
repo_openhab2:
pkgrepo.managed:
- name: deb https://dl.bintray.com/openhab/apt-repo2 stable main
#- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/openhab2.list
- key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab'
- clean_file: True
openhab-prometheus-exporter:
file.managed:
- name: /usr/local/bin/openhab2-prometheus-exporter.py
- source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py
- source_hash: eea41af67a92266680a427ccde87344753bd8bbbcee20d9eb1d2ed3773e5676f
- user: openhab
- group: openhab
- mode: 0755
etc-apt-apt.conf-noproxy:
file.managed:
- name: /etc/apt/apt.conf.d/99-openhab2-noproxy
- user: root
- group: root
- mode: 0755
- contents: |
#SALT managed
Acquire::http::proxy::dl.bintray.com "DIRECT";


@@ -8,13 +8,11 @@ set has_promexporter = salt['pillar.get'](
# This has to be here, otherwise:
# https://stackoverflow.com/questions/59268721/saltstack-use-include-twice-in-one-sls-file
#
{%- if 'prometheus-node_exporter' in has_promexporter %}
include:
{%- if 'prometheus-node_exporter' in has_promexporter %}
- prometheus
- systemd.reload
{%- else %}
#- prometheus.clean #Dat klappt nuesch!
{%- endif %}
{%- endif %}
{%- if 'prometheus-node_exporter' in has_promexporter %}
systemd-prometheus-node-exporter-service-override:
@@ -44,9 +42,12 @@ link-orig-prom-path:
- require:
- file: delete-orig-prom-path
{% if grains['oscodename'] != 'bullseye' %}
patch-smartmon.sh:
file.managed:
- name: /usr/share/prometheus-node-exporter/smartmon.sh
- source: salt://base/packages/prometheus/files/smartmon.sh
- mode: 0755
{% endif %}
{%- endif %}


@@ -0,0 +1,18 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
repo_brave-browser:
pkgrepo.managed:
- name: deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com stable main
- dist: stable
- file: /etc/apt/sources.list.d/brave-browser-beta.list
- key_url: https://brave-browser-apt-beta.s3.brave.com/brave-browser-beta-archive-keyring.gpg
- clean_file: True
#apt-update:
# cmd.run:
# - name: apt update -y
# - listen:
# - pkgrepo: repo_maketank
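Review bot: `key_url` imports the Brave beta signing key into apt's global trusted keyring, so that key can sign any configured repository, not just this one; the same pattern is used for the OpenFOAM (L498), Raspberry Pi (L890, L897) and Kubernetes (L1234) repos. The safer layout is a keyring file under `/etc/apt/keyrings/` written by `file.managed` plus `signed-by=` in the `name` line, e.g. `deb [arch=amd64 signed-by=/etc/apt/keyrings/brave-browser-beta-archive-keyring.gpg] https://brave-browser-apt-beta.s3.brave.com stable main`; check that the pinned Salt 3002 `pkgrepo.managed` round-trips that option before switching. The commented `apt-update` block still listens on `repo_maketank`, a leftover from the file this was copied from.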


@@ -0,0 +1,22 @@
{%-
set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %}
repo_debian-bullseye:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian bullseye main contrib'
- file: /etc/apt/sources.list.d/debian-bullseye.list
- clean_file: True
{% else %}
repo_debian-bullseye-absent:
file.absent:
- name: /etc/apt/sources.list.d/debian-bullseye.list
{% endif %}
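Review bot: The fallback for the `os:release` pillar key differs across the new files: `'buster'` here (L365), `False` followed by `grains['oscodename']` in debian.sls (L412-L419), and `'bullseye'` in release.sls (L616). A host without the pillar key therefore gets `APT::Default-Release "bullseye"` but is treated as buster here, which adds a second bullseye source on a host that already is bullseye. Pick one fallback — the grains-based one is the only one that follows the host — and keep it in a single place (a shared Jinja snippet or a pillar default) that all three files use.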


@@ -0,0 +1,22 @@
{%-
set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
#{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %}
repo_debian-sid:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian sid main contrib'
- file: /etc/apt/sources.list.d/debian-sid.list
- clean_file: True
#{% else %}
#repo_debian-sid-absent:
# file.absent:
# - name: /etc/apt/sources.list.d/debian-sid.list
#{% endif %}
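Review bot: Prefixing the Jinja tags with `#` (L386, L392, L396) does not disable them — Jinja renders before YAML ever sees the `#` — so the `if`/`else` is still live: on hosts where `os:release` is `bullseye` this file renders to comment lines only, `repo_debian-sid` does not exist, and containerd.sls (L970-L971) then fails on `require: pkgrepo: repo_debian-sid`. If the guard is meant to be off, use a Jinja comment, `{# ... #}`, or delete the lines; if it is meant to stay, drop the `#` and keep the absent branch as real YAML. Note also that sid is added with no apt pin; `APT::Default-Release` from release.sls is the only thing keeping sid packages from becoming upgrade candidates, so an explicit pin on the sid origin would be prudent.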


@@ -1,26 +1,64 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
#!jinja|yaml|gpg
{%-
set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
{%-
set os_rel = salt['pillar.get'](
'os:release',
default=False
)
%}
{%- if not os_rel %}
{% set os_rel = grains['oscodename'] %}
{%- endif %}
repo_default:
file.managed:
- name: /etc/apt/sources.list
- contents: '#SALT managed, all in sources.list.d'
- user: root
- group: root
- mode: 0600
{% if grains['os'] == 'Debian' %}
repo_debian:
pkgrepo.managed:
- name: deb http://deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free
- dist: {{ grains['oscodename'] }}
- name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib non-free non-free-firmware'
- file: /etc/apt/sources.list.d/debian.list
- clean_file: True
{% if grains['oscodename'] == 'bullseye' %}}
repo_debian-updates:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib non-free non-free-firmware'
- file: /etc/apt/sources.list.d/debian-updates.list
- clean_file: True
#deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
{% if os_rel == 'buster' %}
{% set repo_path = "/updates" %}
{% else %}
{% set repo_path = "-security" %}
{% endif %}
repo_debian-security:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian-security {{ os_rel }}{{ repo_path }} main contrib #non-free'
- file: /etc/apt/sources.list.d/debian-security.list
- clean_file: True
repo_debian-backports:
pkgrepo.managed:
- name: deb http://deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free
- dist: {{ grains['oscodename'] }}
- name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib #non-free'
- file: /etc/apt/sources.list.d/debian-backports.list
- clean_file: True
#apt-update:
# cmd.run:
# - name: apt update -y
# - listen:
# - pkgrepo: repo_maketank
{% endif %}
{% endif %}
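Review bot: `{% if grains['oscodename'] == 'bullseye' %}}` (L435) has a stray closing brace, so a literal `}` is emitted into the rendered YAML and the file fails to parse. Beyond the typo, that guard wraps not only `repo_debian-updates` but also `repo_debian-security` and `repo_debian-backports` up to the `{% endif %}` at L464, so non-bullseye hosts get no security repo at all, and the inner `{% if os_rel == 'buster' %}` (L442) can never be true inside it; it also tests `grains['oscodename']` while the rest of the file deliberately uses `os_rel`. Close the bullseye block right after `repo_debian-updates` (or drop it) and test `os_rel`. The `#non-free` inside the quoted deb lines (L449, L456, and `#{{ os_rel }}-desktop` at L1301 in armbian/repo.sls) relies on apt treating a trailing `#` as a comment; confirm that, or remove the component outright.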


@@ -1,18 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
repo_maketank:
pkgrepo.managed:
- name: deb http://apt.maketank.net/debian {{ grains['oscodename'] }} main
- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/maketank.list
- key_url: http://apt.maketank.net/debian/debian.gpg
- clean_file: True
#apt-update:
# cmd.run:
# - name: apt update -y
# - listen:
# - pkgrepo: repo_maketank


@@ -0,0 +1,12 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
#required/wanted for FreeCAD
repo_openfoam:
pkgrepo.managed:
- name: deb [arch=amd64] https://dl.openfoam.com/repos/deb kinetic main
- dist: kinetic
- file: /etc/apt/sources.list.d/openfoam.list
- key_url: https://dl.openfoam.com/pubkey.gpg
- clean_file: True
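Review bot: `kinetic` is an Ubuntu suite, while the rest of this tree targets Debian releases (L427-L432, L616); pulling OpenFOAM builds from it onto a Debian host mixes libc/ABI lines with no apt pin to contain the fallout, and `[arch=amd64]` excludes the arm64 hosts this tree also serves (L1232). If OpenFOAM offers no Debian build, add a pin that limits this origin to the `openfoam` packages and say so in the comment at L492. `key_url` here imports the key into apt's global trust, as noted on the Brave repo.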


@@ -0,0 +1,14 @@
{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %}
pkgs-salt-master:
pkg.installed:
- hold: True
- pkgs:
- salt-master: {{ salt_v }}
- salt-api: {{ salt_v }}
pkgs-salt-additional:
pkg.installed:
- pkgs:
- python3-cherrypy3
- python3-pygit2
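Review bot: The Salt version string `"3002.6+dfsg1-4+deb11u1"` is duplicated in master.sls (L504) and minion.sls (L520); lift it into pillar (or one shared Jinja file) so master and minion cannot drift apart. `hold: True` pins these packages at exactly that Debian revision, which also blocks the `deb11uN` security updates Debian ships for salt until someone edits this file — if the hold is only meant to stop major-version jumps, an apt pin on the release origin is the lighter tool and still lets security revisions through.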


@@ -0,0 +1,7 @@
{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %}
pkgs-salt-minion:
pkg.installed:
- hold: True
- pkgs:
- salt-minion: {{ salt_v }}


@@ -2,9 +2,20 @@
# vim: ft=yaml
---
/usr/local/share/ca-certificates:
file.directory
#/usr/local/share/ca-certificates:
# file.directory
/usr/local/share/ca-certificates/intca.crt:
/etc/pki/intca.crt:
x509.pem_managed:
- text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
- text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
/etc/ssl/certs/intca.crt:
x509.pem_managed:
- text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
/usr/sbin/update-ca-certificates:
cmd.run:
- onchanges:
- x509: /etc/ssl/certs/intca.crt
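Review bot: `/etc/ssl/certs/intca.crt` writes the CA straight into the directory that `update-ca-certificates` regenerates from `/usr/share/ca-certificates` and `/usr/local/share/ca-certificates`; the `cmd.run` then rehashes that directory, so OpenSSL CApath lookups will trust the CA, but it will not be part of `/etc/ssl/certs/ca-certificates.crt`, the bundle that curl, Python and most TLS clients actually read. The now-commented `/usr/local/share/ca-certificates` path (L534-L536) was the correct drop location; restore it (the `/etc/pki/intca.crt` copy can stay) and point `onchanges` at that file. The two `file.directory` lines (L532-L535) read as an old/new pair — please confirm the directory is still managed on the new side.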


@@ -11,11 +11,38 @@
/etc/pki/public.crt:
x509.certificate_managed:
- ca_server: tumor.chaos
- ca_server: salt.chaos
- signing_policy: host
- public_key: /etc/pki/private.key
- CN: {{ grains['fqdn'] }}
- days_remaining: 30
- CN: {{ grains['fqdn'] }}
- subjectAltName: 'DNS:{{ grains['fqdn'] }}'
- days_remaining: 5
- backup: True
- require:
- x509: /etc/pki/private.key
{% for cn in salt['pillar.get']('pki:cns',{}) %}
/etc/pki/{{ cn }}.crt:
x509.certificate_managed:
- ca_server: salt.chaos
- signing_policy: host
- public_key: /etc/pki/private.key
- days_remaining: 5
- backup: False
- CN: {{ grains['fqdn'] }}
- subjectAltName: 'DNS:{{ cn }}'
- require:
- x509: /etc/pki/private.key
/etc/pki/chain/{{ cn }}.pem:
file:
- append
- sources:
- /etc/pki/{{ cn }}.crt
- /etc/pki/intca.crt
- require:
- file: /etc/pki/chain
{% endfor %}
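Review bot: `/etc/pki/chain/{{ cn }}.pem` is built with `file.append`, which only adds content that is not already present, so every time `x509.certificate_managed` renews `/etc/pki/{{ cn }}.crt` (with `days_remaining: 5` and 365-day validity that is about yearly) the new certificate is appended after the old one and the chain file accumulates stale entries. Regenerate it instead, e.g. a `cmd.run` with `cat /etc/pki/{{ cn }}.crt /etc/pki/intca.crt > /etc/pki/chain/{{ cn }}.pem` under `onchanges: - x509: /etc/pki/{{ cn }}.crt`. Inside the loop `CN` is `grains['fqdn']` while the SAN is `{{ cn }}`; modern clients ignore CN, but if the certificate is meant to identify `cn`, set `CN: {{ cn }}` as well.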


@@ -8,3 +8,6 @@ include:
/etc/pki:
file.directory
/etc/pki/chain:
file.directory


@@ -11,8 +11,9 @@ x509_signing_policies:
- ST: Berlin
- L: Berlin
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- keyUsage: "nonRepudiation, digitalSignature, keyEncipherment, keyAgreement"
- extendedKeyUsage: "serverAuth, clientAuth"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 360
- days_valid: 365
- copypath: /etc/pki/issued_certs/

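--- a/base/release.sls
+++ b/base/release.sls
@@ -0,0 +1,12 @@
+{% set def_rel = 'bullseye' %}
+{% if salt['pillar.get']('os:release', default = False) %}
+{% set def_rel = salt['pillar.get']('os:release', default = False) %}
+{% endif %}
+etc_apt_release:
+file.managed:
+- name: /etc/apt/apt.conf.d/01release
+- user: root
+- mode: 644
+- contents: 'APT::Default-Release "{{ def_rel }}";'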
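Review bot: `salt['pillar.get']('os:release', default = False)` is evaluated twice (L617-L618) only to emulate a default; `{% set def_rel = salt['pillar.get']('os:release', 'bullseye') %}` does the same in one line. The managed file sets `user: root` but no `group`, and the `'bullseye'` fallback here differs from the fallbacks used in the repo files. Since `APT::Default-Release` silently decides which suite wins when several are configured, a comment stating that this pillar key must match the repos configured in base/packages/repo would help the next person who adds a release.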

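--- a/base/rsyslog/client.sls
+++ b/base/rsyslog/client.sls
@@ -0,0 +1,4 @@
+include:
+- rsyslog
+- .service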


@@ -0,0 +1,39 @@
/data/logs/*/syslog
{
rotate 10
daily
size 50M
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
/data/logs/*/mail.info
/data/logs/*/mail.warn
/data/logs/*/mail.err
/data/logs/*/mail.log
/data/logs/*/daemon.log
/data/logs/*/kern.log
/data/logs/*/auth.log
/data/logs/*/user.log
/data/logs/*/lpr.log
/data/logs/*/cron.log
/data/logs/*/debug
/data/logs/*/messages
{
rotate 5
daily
size 100M
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}


@@ -0,0 +1,82 @@
#
# SALT managed.
#
# Load UDP module
$ModLoad imudp
# Load TCP module
$ModLoad imtcp
# Load RELP module
$ModLoad imrelp
#
# Use traditional timestamp format.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Switch to remote ruleset
$RuleSet remote
# Log files are stored in directories matching the short hostname, excluding numbers
# i.e. web01 web02 and web03 will all log to a the web directory
# Templates
$Template dynAuditLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/audit.log"
$Template dynAuthLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/auth.log"
$Template dynSyslog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/syslog"
$Template dynCronLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/cron.log"
$Template dynDaemonLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.log"
$Template dynKernLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/kern.log"
$Template dynUserLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/user.log"
$Template dynMailLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/mail.log"
$Template dynDebug,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/debug"
$Template dynMessages,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/messages"
$Template dynLocal0daemon,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.local0.log"
# Rules
auth,authpriv.* ?dynAuthLog
*.*;auth.none,authpriv.none,mail.none,cron.none,kern.none,user.none,daemon.none -?dynSyslog
cron.* ?dynCronLog
kern.* -?dynKernLog
mail.* -?dynMailLog
user.* -?dynUserLog
#*.=info;*.=notice;*.=warn;\
#
# auth.none,authpriv.none;\
# cron.none,daemon.none;\
# mail.none,news.none -?dynMessages
#hier gibts drachen / here are dragons
#if $syslogfacility-text == 'local0' then /var/log/somelog
daemon.* -?dynDaemonLog
# drachen sind put / dragons borked
#
# Special format to keep audit logs as sent.
$Template auditFormat,"%msg%\n"
# Catch messages from audispd and send to audit log.
:programname, isequal, "audispd" -?dynAuditLog;auditFormat
:programname, isequal, "audispd" stop
# Switch back to default ruleset
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$UDPServerAddress *
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputRELPServerBindRuleset remote
$InputRELPServerRun 20514
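Review bot: The per-host log directories are derived from `%source%`, which in rsyslog is an alias of `hostname`, i.e. the hostname carried inside the received message and chosen by the sender; any client on the network can therefore write into another host's directory, and with `$UDPServerAddress *`, the TCP and RELP listeners and no `$AllowedSender` restriction nothing limits who may send. Use the connection-derived property (`%fromhost%` or `%fromhost-ip%`) in the templates, restrict senders, and prefer TCP/RELP with TLS over UDP for logs you rely on during incident response. `$UDPServerAddress *` (L736) also comes after `$UDPServerRun 514` (L735); the directive applies to the next listener started, so as written it has no effect (the default is already `*`) — move it before the run line if it is ever meant to bind a specific address.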

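--- a/base/rsyslog/server.sls
+++ b/base/rsyslog/server.sls
@@ -0,0 +1,22 @@
+include:
+- rsyslog
+- .service
+rsyslog-server.conf:
+file.managed:
+- name: /etc/rsyslog.d/01-server.conf
+- source: salt://base/rsyslog/files/server.conf
+- user: root
+- group: root
+- onchange:
+- service: rsyslog
+lograte-rsyslog-logs:
+file.managed:
+- name: /etc/logrotate.d/rsyslog-HOSTS-logs
+- source: salt://base/rsyslog/files/logrotate-server.conf
+- user: root
+- group: root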
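Review bot: `- onchange:` on `rsyslog-server.conf` is not a Salt requisite — the real name is `onchanges` — and since `file.managed` accepts `**kwargs` the unknown key appears to be swallowed silently, so rsyslog is never restarted when the config changes. Even spelled correctly it would point the wrong way (the file would be managed only after the service changed); what is wanted is `- watch_in:` / `  - service: rsyslog`, which together with `reload: False` in service.sls (L773) restarts rsyslog on a config change. The logrotate state ID `lograte-rsyslog-logs` has a typo; harmless, but it shows up in every highstate summary.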

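--- a/base/rsyslog/service.sls
+++ b/base/rsyslog/service.sls
@@ -0,0 +1,5 @@
+rsyslog:
+service.running:
+- enable: True
+- reload: False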

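--- a/base/timezone.sls
+++ b/base/timezone.sls
@@ -0,0 +1,5 @@
+etc_timezone:
+file.managed:
+- name: /etc/timezone
+- contents: |
+Europe/Berlin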
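Review bot: Managing `/etc/timezone` alone leaves `/etc/localtime` untouched, and on Debian it is `/etc/localtime` that the C library and systemd consult, so a host whose zone differs keeps running on the old one. Salt's `timezone.system` state sets both consistently: `timezone:` / `  timezone.system:` / `    - name: Europe/Berlin`. Keep the `file.managed` only if some other tooling needs the file to be managed by Salt explicitly.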


@@ -1,10 +1,10 @@
apt-proxy:
file.managed:
file.absent:
- name: /etc/apt/apt.conf.d/proxy
- contents: |
# SALT managed
Acquire::http::proxy "http://apt-cache.lan:3142";
Acquire::ftp::proxy "http://apt-cache.lan:3142";
Acquire::http::proxy "http://apt-cache.lan";
Acquire::ftp::proxy "http://apt-cache.lan";


@@ -5,7 +5,7 @@ set hardwaretype = salt['grains.get'](
)
%}
include:
{%- if 'unknown' not in hardwaretype %}
- .apt
{%- endif %}
#include:
#{%- if 'unknown' not in hardwaretype %}
# - .apt
#{%- endif %}


@@ -0,0 +1,5 @@
#!jinja|yaml|gpg
include:
- .pkgs


@@ -0,0 +1,6 @@
#!jinja|yaml|gpg
espressobin-pkgs:
pkg.installed:
- pkgs:
- smartmontools


@@ -3,3 +3,11 @@ include:
{% if grains['hardware'] == 'RaspberryPi' %}
- .raspberrypi
{% endif %}
#{% if grains['hardware'] == 'Pine64' %}
# - .pine64
#{% endif %}
{% if grains['hardware'] == 'Espressobin' %}
- .espressobin
{% endif %}


@@ -10,7 +10,7 @@ import sys
# Configuration
FAN_PIN = getenv('RPI_FAN_PIN', 21) # BCM pin used to drive transistor's base
WAIT_TIME = getenv('RPI_FAN_WAITTIME', 5) # [s] Time to wait between each refresh
WAIT_TIME = getenv('RPI_FAN_WAITTIME', 10) # [s] Time to wait between each refresh
FAN_MIN = getenv('RPI_FAN_MIN', 80) # [%] Fan minimum speed.
PWM_FREQ = getenv('RPI_FAN_PWMFREQ', 25000) # [Hz] Change this value if fan has strange behavior
# Fan speed will change only of the difference of temperature is higher than hysteresis
@@ -21,7 +21,7 @@ prom_collect_dir = getenv('RPI_PROM_COLLECTDIR','/tmp/textfile-collector')
prom_collect_file = prom_collect_dir + '/rpi_fan.prom'
# Configurable temperature and fan speed steps
tempSteps = [60, 66, 70, 75] # [°C]
tempSteps = [60, 70, 75, 80] # [°C]
speedSteps = [0, 80, 90, 100] # [%]
# tempSteps = [40, 45]
# speedSteps = [0, 100]
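Review bot: `getenv('RPI_FAN_WAITTIME', 10)` yields the integer default only when the variable is unset; once it is set, `WAIT_TIME` is the string `'10'` and anything like `time.sleep(WAIT_TIME)` raises — the same holds for `FAN_PIN`, `FAN_MIN` and `PWM_FREQ` (L847-L851). Convert at the boundary: `WAIT_TIME = int(getenv('RPI_FAN_WAITTIME', 10))` (and `float` where fractional values make sense). The new `tempSteps` values (L857) only work if they stay strictly increasing and the same length as `speedSteps`; a one-line `assert len(tempSteps) == len(speedSteps)` after the lists would catch a future edit that breaks that.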


@@ -13,6 +13,8 @@ set has_fan = salt['pillar.get'](
%}
include:
- .repo
- .wifi
{%- if 'node_exporter' in has_promexporter %}
- .prometheus-exporter
{%- endif %}


@@ -0,0 +1,37 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
{%- set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
repo_raspi:
pkgrepo.managed:
- name: deb http://{{ cache_url }}raspbian.raspberrypi.org/raspbian/ {{ grains['oscodename'] }} main contrib firmware rpi
- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/raspi.list
- clean_file: True
- key_url: http://archive.raspberrypi.org/debian/raspberrypi.gpg.key
repo_archive_raspi:
pkgrepo.managed:
- name: deb http://{{ cache_url }}archive.raspberrypi.org/debian/ {{ grains['oscodename'] }} main
- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/raspi_archive.list
- clean_file: True
- key_url: https://archive.raspbian.org/raspbian.public.key
{% if grains.get('os_flavor') == 'OSMC' %}
repo_archive_osmc:
pkgrepo.managed:
- name: deb http://{{ cache_url }}apt.osmc.tv {{ grains['oscodename'] }} main
- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/osmc.list
- clean_file: True
- key_url: https://ftp.fau.de/osmc/osmc/apt/osmc_repository.gpg
{% endif %}
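Review bot: The two key URLs look swapped: the `raspbian.raspberrypi.org` repo (L886) is given `archive.raspberrypi.org/debian/raspberrypi.gpg.key` (L890) while the `archive.raspberrypi.org` repo (L893) gets `archive.raspbian.org/raspbian.public.key` (L897). It works only because `key_url` imports both keys into apt's global keyring, which is also why either key can sign either repo. The first key is fetched over plain `http://`, so whoever can tamper with that download can also serve a repo that validates against the substituted key; use `https://` for the key download if the host offers it, and ideally a `signed-by` keyring per repo.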


@@ -0,0 +1,6 @@
# SALTSTACK
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
wireless-power off


@@ -0,0 +1,8 @@
# disable wifi powermanagement
ifup-wlan0-powersave-off:
file.managed:
- name: /etc/network/interfaces.d/wlan0
- source:
- salt://hardware/raspberrypi/wifi/files/interfaces-wlan0


@@ -2,10 +2,22 @@
# vim: ft=yaml
---
include:
- kubernetes.package.repo
- .repo.kubernetes
- .cri-tools
{% set k8s_v = "1.26.00-00" %}
k8s_pkgs-kubelet:
pkg.installed:
- hold: True
- pkgs:
- kubectl
- kubectl: {{ k8s_v }}
- kubeadm: {{ k8s_v }}
- kubelet: {{ k8s_v }}
- require:
- pkgrepo: repo_kubernetes.io
k8s-additions_pkgs:
pkg.installed:
- pkgs:
- apparmor
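Review bot: `{% set k8s_v = "1.26.00-00" %}` does not look like a published package version — the Kubernetes apt packages I know of are versioned `1.26.N-00` with an unpadded patch number (e.g. `1.26.0-00`), so `pkg.installed` with `hold: True` would fail to find a candidate; please verify against the repo index. Pinning `kubectl`, `kubeadm` and `kubelet` to one version is the right thing; consider moving the string to pillar so it is bumped in one place together with the control plane.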

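--- a/k8s/containerd.sls
+++ b/k8s/containerd.sls
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+include:
+- base.packages.repo.debian-sid
+- .cri-tools
+containerd_pkgs:
+pkg.installed:
+- pkgs:
+- containerd
+- containernetworking-plugins
+- crun
+- runc
+- require:
+- pkgrepo: repo_debian-sid
+/etc/containerd/config.toml:
+file.managed:
+- source: salt://k8s/files/containerd-config.toml
+- mode: 644
+- user: root
+- group: root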
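Review bot: `/etc/containerd/config.toml` is managed but nothing restarts containerd when it changes, so a new config lands on disk and only takes effect at the next reboot or manual restart; add a `service.running` for `containerd` with `- watch:` / `  - file: /etc/containerd/config.toml`. docker.sls (L1012-L1017) has the same gap for `/etc/docker/daemon.json`. The `require: pkgrepo: repo_debian-sid` also depends on debian-sid.sls actually rendering that state, which with the `#`-prefixed but still-live Jinja guard there (L386, L396) is not the case on bullseye hosts.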

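--- a/k8s/cri-tools.sls
+++ b/k8s/cri-tools.sls
@@ -0,0 +1,17 @@
+include:
+- .repo.kubernetes
+cri-tools_pkgs:
+pkg.installed:
+- pkgs:
+- cri-tools
+/etc/crictl.yaml:
+file.managed:
+- mode: 644
+- user: root
+- group: root
+- contents: |
+#SALT managed
+runtime-endpoint: unix:///var/run/containerd/containerd.sock
+image-endpoint: unix:///var/run/containerd/containerd.sock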

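--- a/k8s/docker.sls
+++ b/k8s/docker.sls
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+docker_pkgs:
+pkg.installed:
+- pkgs:
+- docker.io
+/etc/docker/daemon.json:
+file.managed:
+- source: salt://k8s/files/etc_docker_daemon.json
+- mode: 644
+- user: root
+- group: root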


@@ -0,0 +1,31 @@
version = 2
[debug]
level = "warn"
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".containerd]
snapshoter = "overlayfs"
default_runtime_name = "runc"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
SystemdCgroup = true
[plugins."io.containerd.grpc.v1.cri".cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
[plugins."io.containerd.internal.v1.opt"]
path = "/var/lib/containerd/opt"
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"]
endpoint = ["http://cr.lan"]
#[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
# endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
[plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls]
insecure_skip_verify = true
# [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls]
# insecure_skip_verify = true
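Review bot: `snapshoter = "overlayfs"` (L1028) is misspelled — the containerd key is `snapshotter` — so the line is ignored and the runtime silently falls back to its default; that default happens to be overlayfs too, which is why nothing breaks, but the setting is not actually enforced. The `cr.lan` mirror is reached over `http://` with `insecure_skip_verify = true`, so image content from it is only as trustworthy as the LAN path between node and registry; pull by digest for anything that matters, or give the registry a certificate from the internal CA this tree already distributes (`intca.crt`) and drop the skip-verify.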


@@ -0,0 +1,80 @@
# For more information on this configuration file, see containers-registries.conf(5).
#
# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
# We recommend always using fully qualified image names including the registry
# server (full dns name), namespace, image name, and tag
# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
# When using short names, there is always an inherent risk that the image being
# pulled could be spoofed. For example, a user wants to pull an image named
# `foobar` from a registry and expects it to come from myregistry.com. If
# myregistry.com is not first in the search list, an attacker could place a
# different `foobar` image at a registry earlier in the search list. The user
# would accidentally pull and run the attacker's image and code rather than the
# intended content. We recommend only adding registries which are completely
# trusted (i.e., registries which don't allow unknown or anonymous users to
# create accounts with arbitrary names). This will prevent an image from being
# spoofed, squatted or otherwise made insecure. If it is necessary to use one
# of these registries, it should be added at the end of the list.
#
# # An array of host[:port] registries to try when pulling an unqualified image, in order.
unqualified-search-registries = ["docker.io"]
#
[[registry]]
# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
# # (only) the TOML table with the longest match for the input image name
# # (taking into account namespace/repo/tag/digest separators) is used.
# #
# # If the prefix field is missing, it defaults to be the same as the "location" field.
# prefix = "cr.lan"
#
# # If true, unencrypted HTTP as well as TLS connections with untrusted
# # certificates are allowed.
insecure = true
#
# # If true, pulling images with matching names is forbidden.
# blocked = false
#
# # The physical location of the "prefix"-rooted namespace.
# #
# # By default, this equal to "prefix" (in which case "prefix" can be omitted
# # and the [[registry]] TOML table can only specify "location").
# #
# # Example: Given
# # prefix = "example.com/foo"
# # location = "internal-registry-for-example.net/bar"
# # requests for the image example.com/foo/myimage:latest will actually work with the
# # internal-registry-for-example.net/bar/myimage:latest image.
location = "cr.lan"
#
# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
# #
# # The mirrors are attempted in the specified order; the first one that can be
# # contacted and contains the image will be used (and if none of the mirrors contains the image,
# # the primary location specified by the "registry.location" field, or using the unmodified
# # user-specified reference, is tried last).
# #
# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
# # as if specified in the [[registry]] TOML table directly:
# # - location
# # - insecure
# [[registry.mirror]]
# location = "example-mirror-0.local/mirror-for-foo"
# [[registry.mirror]]
# location = "example-mirror-1.local/mirrors/foo"
# insecure = true
# # Given the above, a pull of example.com/foo/image:latest will try:
# # 1. example-mirror-0.local/mirror-for-foo/image:latest
# # 2. example-mirror-1.local/mirrors/foo/image:latest
# # 3. internal-registry-for-example.net/bar/image:latest
# # in order, and use the first one that exists.
#[[registry]]
#prefix="quay.io"
#location="qi-mirror.lan"
#insecure = true
[[registry]]
prefix="docker.io"
location="dr-mirror.lan"
insecure = true
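Review bot: The last `[[registry]]` block redirects `docker.io` to `dr-mirror.lan` with `insecure = true`, so every short image name (`unqualified-search-registries = ["docker.io"]`, L1074) is pulled from a plaintext, certificate-less mirror — the spoofing risk the file's own header (L1056-L1071) warns about, now applied to the default registry. Together with `policy.json` accepting `insecureAcceptAnything` (L1157), nothing on the node verifies what the mirror hands back. Serve the mirror over TLS using the internal CA and remove `insecure`, or pin the images you run by digest; the `cr.lan` entry (L1086, L1101) has the same issue.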


@@ -1,12 +1,10 @@
{
"exec-opts": ["native.cgroupdriver=systemd"],
"log-driver": "json-file",
"log-opts": {
"max-size": "100m"
},
"log-level": "warn",
"storage-driver": "overlay2",
"registry-mirrors": ["https://cr.lan"],
"insecure-registries" : [
"docker-registry.lan"
"cr.lan"
]
}


@@ -0,0 +1,8 @@
{
"default": [
{
"type": "insecureAcceptAnything"
}
]
}


@@ -3,6 +3,9 @@
---
include:
- .admin
- .containerd
- .repo.kubernetes
#- .docker
#- .filesystems
@@ -13,21 +16,14 @@ include:
- user: root
- group: root
/etc/docker/daemon.json:
file.managed:
- source: salt://k8s/files/etc_docker_daemon.json
- mode: 644
- user: root
- group: root
k8s_pkgs:
pkg.installed:
- pkgs:
- docker.io
- cgroupfs-mount
- debootstrap
- kubectl
- kubelet
- kubetail
- qemu-utils
- require:
- pkgrepo: repo_kubernetes.io

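--- a/k8s/podman.sls
+++ b/k8s/podman.sls
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+{% if grains['oscodename'] != 'bullseye' %}
+include:
+- base.packages.repo.debian-bullseye
+{% endif %}
+podman_pkgs:
+pkg.installed:
+- pkgs:
+- podman
+- runc
+- containers-storage
+/etc/containers/policy.json:
+file.managed:
+- source: salt://k8s/files/podman-policy.json
+- mode: 644
+- user: root
+- group: root
+/etc/containers/registries.conf:
+file.managed:
+- source: salt://k8s/files/etc_containers_registries.conf
+- mode: 644
+- user: root
+- group: root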

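--- a/k8s/repo/kubernetes.sls
+++ b/k8s/repo/kubernetes.sls
@@ -0,0 +1,8 @@
+repo_kubernetes.io:
+pkgrepo.managed:
+- name: 'deb [arch=arm64] https://apt.kubernetes.io/ kubernetes-xenial main'
+- file: /etc/apt/sources.list.d/kubernetes.list
+- key_url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+- clean_file: True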
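Review bot: `repo_kubernetes.io` points at the legacy `apt.kubernetes.io` repository with the `kubernetes-xenial` suite; as far as I know that repository was frozen in 2023 and superseded by `pkgs.k8s.io`, which publishes one channel per minor version — please verify before relying on it for the `1.26` pin at L936. `[arch=arm64]` is hard-coded here while the Brave and OpenFOAM repos hard-code `amd64` (L345, L495); `{{ grains['osarch'] }}` would make the file usable on both. `key_url` imports the key into apt's global trust, as noted on the Brave repo.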

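--- a/os/armbian/cron.sls
+++ b/os/armbian/cron.sls
@@ -0,0 +1,4 @@
+# remove this pesky thing,
+# we knwo what we are doing
+/etc/cron.d/armbian-updates:
+file.absent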

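--- a/os/armbian/init.sls
+++ b/os/armbian/init.sls
@@ -0,0 +1,6 @@
+include:
+- .repo
+- .packages
+- .cron
+- .systemd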

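--- a/os/armbian/packages.sls
+++ b/os/armbian/packages.sls
@@ -0,0 +1,14 @@
+armbian-removed:
+pkg.purged:
+- pkgs:
+- armbian-zsh
+- alsa-utils
+- wireless-tools
+- wireless-regdb
+- man-db
+- groff-base
+armbian-zsh-etc-purge:
+file.absent:
+- name: /etc/oh-my-zsh
+- recurse: True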
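Review bot: `- recurse: True` on `armbian-zsh-etc-purge` is not a parameter of `file.absent`; the state removes a directory tree on its own, and because the function accepts `**kwargs` the key appears to be silently ignored rather than rejected. Drop it so the state reads as what it does. `pkg.purged` on `man-db` and `groff-base` removes packages that other tools may list as dependencies — fine if deliberate, but a comment saying why (like the one in cron.sls) would spare the next reader a guess.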

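--- a/os/armbian/repo.sls
+++ b/os/armbian/repo.sls
@@ -0,0 +1,39 @@
+#!jinja|yaml|gpg
+{% set base_url = 'mirrors.dotsrc.org' %}
+{%-
+set cache_url = salt['pillar.get'](
+'services:apt-cache',
+default=''
+)
+%}
+{%-
+set os_rel = salt['pillar.get'](
+'os:release',
+default=False
+)
+%}
+{% if not os_rel %}
+{% set os_rel = grains['oscodename'] %}
+{% endif %}
+repo_armbian:
+pkgrepo.managed:
+- name: 'deb http://{{ cache_url }}{{ base_url }}/armbian-apt {{ os_rel }} main {{ os_rel }}-utils #{{ os_rel }}-desktop'
+- dist: {{ os_rel }}
+- file: /etc/apt/sources.list.d/armbian.list
+- clean_file: True
+pin_repo_armbian:
+file.absent:
+- name: /etc/apt/apt.conf.d/999_pin_repo_armbian
+- contents: |
+#SALT Managed
+Package: *
+Pin: origin {{ cache_url }}{{ base_url }}
+Pin-Priority: 1001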

0
os/armbian/systemd.sls Normal file

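--- a/os/init.sls
+++ b/os/init.sls
@@ -0,0 +1,5 @@
+{% if grains['os_flavor'] == 'Armbian' %}
+include:
+- .armbian
+{% endif %}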
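Review bot: `grains['os_flavor']` indexes the grain directly, so on a minion where the new custom grain has not been synced yet (first run, or `saltutil.sync_grains` not executed) rendering raises an undefined-variable error and the whole `os` state fails to compile. raspberrypi/repo.sls already uses the safe form (`grains.get('os_flavor')`, L898); use it here too, `{% if grains.get('os_flavor') == 'Armbian' %}`, and note in a comment that the grain must be synced before this SLS is useful.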

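--- a/roles/mpd/common.sls
+++ b/roles/mpd/common.sls
@@ -0,0 +1,14 @@
+mpd_pkgs:
+pkg.installed:
+- pkgs:
+- mpd
+- mpc
+etc_mpd_conf:
+file:
+- managed
+- name: /etc/mpd.conf
+- source: salt://roles/mpd/files/mpd.conf
+- user: mpd
+- group: audio
+- mode: 0600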
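Review bot: Nothing restarts mpd when `etc_mpd_conf` changes, so a new config only takes effect at the next service restart; a `service.running` for `mpd` with `- watch:` / `  - file: etc_mpd_conf` would apply it. `mode: 0600` with `group: audio` makes the group setting irrelevant, which is fine but reads as an oversight, and the old-style `file:` / `- managed` list form differs from the `file.managed:` used everywhere else in the tree. The shipped `mpd.conf` (L1366) still mounts music from `tumor.chaos`, the host this commit replaces by `salt.chaos` for the PKI (L539-L540, L554-L555) — confirm it is still the intended file server.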

850
roles/mpd/files/mpd.conf Normal file

@@ -0,0 +1,850 @@
###
### SALT managed
###
# An example configuration file for MPD.
# Read the user manual for documentation: http://www.musicpd.org/doc/user/
# or /usr/share/doc/mpd/html/user.html
# Files and directories #######################################################
#
# This setting controls the top directory which MPD will search to discover the
# available audio files and add them to the daemon's online database. This
# setting defaults to the XDG directory, otherwise the music directory will be
# be disabled and audio files will only be accepted over ipc socket (using
# file:// protocol) or streaming files over an accepted protocol.
#
music_directory "/net/tumor.chaos/srv/pub/Music"
#
# This setting sets the MPD internal playlist directory. The purpose of this
# directory is storage for playlists created by MPD. The server will use
# playlist files not created by the server but only if they are in the MPD
# format. This setting defaults to playlist saving being disabled.
#
playlist_directory "/var/lib/mpd/playlists"
#
# This setting sets the location of the MPD database. This file is used to
# load the database at server start up and store the database while the
# server is not up. This setting defaults to disabled which will allow
# MPD to accept files over ipc socket (using file:// protocol) or streaming
# files over an accepted protocol.
#
db_file "/var/lib/mpd/tag_cache"
#
# These settings are the locations for the daemon log files for the daemon.
# These logs are great for troubleshooting, depending on your log_level
# settings.
#
# The special value "syslog" makes MPD use the local syslog daemon. This
# setting defaults to logging to syslog.
#
# If you use systemd, do not configure a log_file. With systemd, MPD
# defaults to the systemd journal, which is fine.
#
#log_file "/var/log/mpd/mpd.log"
# This setting sets the location of the file which stores the process ID
# for use of mpd --kill and some init scripts. This setting is disabled by
# default and the pid file will not be stored.
#
# If you use systemd, do not configure a pid_file.
#
#pid_file "/run/mpd/pid"
# This setting sets the location of the file which contains information about
# most variables to get MPD back into the same general shape it was in before
# it was brought down. This setting is disabled by default and the server
# state will be reset on server start up.
#
state_file "/var/lib/mpd/state"
#
# The location of the sticker database. This is a database which
# manages dynamic information attached to songs.
#
sticker_file "/var/lib/mpd/sticker.sql"
#
###############################################################################
# General music daemon options ################################################
#
# This setting specifies the user that MPD will run as. MPD should never run as
# root and you may use this setting to make MPD change its user ID after
# initialization. This setting is disabled by default and MPD is run as the
# current user.
#
user "mpd"
#
# This setting specifies the group that MPD will run as. If not specified
# primary group of user specified with "user" setting will be used (if set).
# This is useful if MPD needs to be a member of group such as "audio" to
# have permission to use sound card.
#
#group "nogroup"
#
# This setting sets the address for the daemon to listen on. Careful attention
# should be paid if this is assigned to anything other than the default, any.
# This setting can deny access to control of the daemon. Not effective if
# systemd socket activation is in use.
#
# For network
bind_to_address "0.0.0.0"
#
# And for Unix Socket
#bind_to_address "/run/mpd/socket"
#
# This setting is the TCP port that is desired for the daemon to get assigned
# to.
#
#port "6600"
#
# Suppress all messages below the given threshold. Use "verbose" for
# troubleshooting. Available setting arguments are "notice", "info", "verbose",
# "warning" and "error".
#
log_level "warning"
#
# Setting "restore_paused" to "yes" puts MPD into pause mode instead
# of starting playback after startup.
#
#restore_paused "no"
#
# This setting enables MPD to create playlists in a format usable by other
# music players.
#
#save_absolute_paths_in_playlists "no"
#
# This setting defines a list of tag types that will be extracted during the
# audio file discovery process. The complete list of possible values can be
# found in the user manual.
#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc"
#
# This example just enables the "comment" tag without disabling all
# the other supported tags:
#metadata_to_use "+comment"
#
# This setting enables automatic update of MPD's database when files in
# music_directory are changed.
#
#auto_update "yes"
#
# Limit the depth of the directories being watched, 0 means only watch
# the music directory itself. There is no limit by default.
#
#auto_update_depth "3"
#
###############################################################################
# Symbolic link behavior ######################################################
#
# If this setting is set to "yes", MPD will discover audio files by following
# symbolic links outside of the configured music_directory.
#
#follow_outside_symlinks "yes"
#
# If this setting is set to "yes", MPD will discover audio files by following
# symbolic links inside of the configured music_directory.
#
#follow_inside_symlinks "yes"
#
###############################################################################
# Zeroconf / Avahi Service Discovery ##########################################
#
# If this setting is set to "yes", service information will be published with
# Zeroconf / Avahi.
#
#zeroconf_enabled "yes"
#
# The argument to this setting will be the Zeroconf / Avahi unique name for
# this MPD server on the network. %h will be replaced with the hostname.
#
#zeroconf_name "Music Player @ %h"
#
###############################################################################
# Permissions #################################################################
#
# If this setting is set, MPD will require password authorization. The password
# setting can be specified multiple times for different password profiles.
#
#password "password@read,add,control,admin"
#
# This setting specifies the permissions a user has who has not yet logged in.
#
#default_permissions "read,add,control,admin"
#
###############################################################################
# Database #######################################################################
#
# An example of a database section instead of the old 'db_file' setting.
# It enables mounting other storages into the music directory.
#
#database {
# plugin "simple"
# path "/var/lib/mpd/tag_cache"
# cache_directory "/var/lib/mpd/cache"
#}
#
# An example of database config for a satellite setup
#
#music_directory "nfs://fileserver.local/srv/mp3"
#database {
# plugin "proxy"
# host "other.mpd.host"
# port "6600"
#}
# Input #######################################################################
#
input {
plugin "curl"
# proxy "proxy.isp.com:8080"
# proxy_user "user"
# proxy_password "password"
}
# Decoder #####################################################################
#
decoder {
plugin "hybrid_dsd"
enabled "no"
# gapless "no"
}
decoder {
plugin "wildmidi"
enabled "no"
#config_file "/etc/timidity/timidity.cfg"
}
#
###############################################################################
# Audio Output ################################################################
#
# MPD supports various audio output types, as well as playing through multiple
# audio outputs at the same time, through multiple audio_output settings
# blocks. Setting this block is optional, though the server will only attempt
# autodetection for one sound card.
#
# An example of an ALSA output:
#
audio_output {
type "pipewire"
name "Pipewire"
# target "name" #Link to the given target. If not specified,
# let the PipeWire manager select a target.
# To get a list of available targets, type pw-cli dump short Node
# remote "name"
dsd "no" #Enable DSD playback. This requires PipeWire 0.38.
}
#audio_output {
# type "alsa"
# name "My ALSA Device"
## device "hw:0,0" # optional
## mixer_type "hardware" # optional
## mixer_device "default" # optional
## mixer_control "PCM" # optional
## mixer_index "0" # optional
#}
#
# An example of an OSS output:
#
#audio_output {
# type "oss"
# name "My OSS Device"
## device "/dev/dsp" # optional
## mixer_type "hardware" # optional
## mixer_device "/dev/mixer" # optional
## mixer_control "PCM" # optional
#}
#
# An example of a shout output (for streaming to Icecast):
#
#audio_output {
# type "shout"
# encoder "vorbis" # optional
# name "My Shout Stream"
# host "localhost"
# port "8000"
# mount "/mpd.ogg"
# password "hackme"
# quality "5.0"
# bitrate "128"
# format "44100:16:1"
## protocol "icecast2" # optional
## user "source" # optional
## description "My Stream Description" # optional
## url "http://example.com" # optional
## genre "jazz" # optional
## public "no" # optional
## timeout "2" # optional
## mixer_type "software" # optional
#}
#
# An example of a recorder output:
#
#audio_output {
# type "recorder"
# name "My recorder"
# encoder "vorbis" # optional, vorbis or lame
# path "/var/lib/mpd/recorder/mpd.ogg"
## quality "5.0" # do not define if bitrate is defined
# bitrate "128" # do not define if quality is defined
# format "44100:16:1"
#}
#
# An example of a httpd output (built-in HTTP streaming server):
#
#audio_output {
# type "httpd"
# name "My HTTP Stream"
# encoder "vorbis" # optional, vorbis or lame
# port "8000"
# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6
## quality "5.0" # do not define if bitrate is defined
# bitrate "128" # do not define if quality is defined
# format "44100:16:1"
# max_clients "0" # optional 0=no limit
#}
#
# An example of a pulseaudio output (streaming to a remote pulseaudio server)
# Please see README.Debian if you want mpd to play through the pulseaudio
# daemon started as part of your graphical desktop session!
#
#audio_output {
# type "pulse"
# name "My Pulse Output"
## server "remote_server" # optional
## sink "remote_server_sink" # optional
## media_role "media_role" #optional
#}
#
# An example of a winmm output (Windows multimedia API).
#
#audio_output {
# type "winmm"
# name "My WinMM output"
## device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional
# or
## device "0" # optional
## mixer_type "hardware" # optional
#}
#
# An example of an openal output.
#
#audio_output {
# type "openal"
# name "My OpenAL output"
## device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional
#}
#
# An example of an sndio output.
#
#audio_output {
# type "sndio"
# name "sndio output"
# mixer_type "hardware"
#}
#
# An example of an OS X output:
#
#audio_output {
# type "osx"
# name "My OS X Device"
## device "Built-in Output" # optional
## channel_map "-1,-1,0,1" # optional
#}
#
## Example "pipe" output:
#
#audio_output {
# type "pipe"
# name "my pipe"
# command "aplay -f cd 2>/dev/null"
## Or if you're want to use AudioCompress
# command "AudioCompress -m | aplay -f cd 2>/dev/null"
## Or to send raw PCM stream through PCM:
# command "nc example.org 8765"
# format "44100:16:2"
#}
#
## An example of a null output (for no audio output):
#
#audio_output {
# type "null"
# name "My Null Output"
# mixer_type "none" # optional
#}
#
###############################################################################
# Normalization automatic volume adjustments ##################################
## An example configuration file for MPD.
# Read the user manual for documentation: http://www.musicpd.org/doc/user/
# or /usr/share/doc/mpd/html/user.html
# Files and directories #######################################################
#
# This setting controls the top directory which MPD will search to discover the
# available audio files and add them to the daemon's online database. This
# setting defaults to the XDG directory, otherwise the music directory will be
# be disabled and audio files will only be accepted over ipc socket (using
# file:// protocol) or streaming files over an accepted protocol.
#
music_directory "/net/tumor.chaos/srv/pub/Music"
#
# This setting sets the MPD internal playlist directory. The purpose of this
# directory is storage for playlists created by MPD. The server will use
# playlist files not created by the server but only if they are in the MPD
# format. This setting defaults to playlist saving being disabled.
#
playlist_directory "/var/lib/mpd/playlists"
#
# This setting sets the location of the MPD database. This file is used to
# load the database at server start up and store the database while the
# server is not up. This setting defaults to disabled which will allow
# MPD to accept files over ipc socket (using file:// protocol) or streaming
# files over an accepted protocol.
#
db_file "/var/lib/mpd/tag_cache"
#
# These settings are the locations for the daemon log files for the daemon.
# These logs are great for troubleshooting, depending on your log_level
# settings.
#
# The special value "syslog" makes MPD use the local syslog daemon. This
# setting defaults to logging to syslog, or to journal if mpd was started as
# a systemd service.
#
#log_file "/var/log/mpd/mpd.log"
log_file "syslog"
#
# This setting sets the location of the file which stores the process ID
# for use of mpd --kill and some init scripts. This setting is disabled by
# default and the pid file will not be stored.
#
pid_file "/run/mpd/pid"
#
# This setting sets the location of the file which contains information about
# most variables to get MPD back into the same general shape it was in before
# it was brought down. This setting is disabled by default and the server
# state will be reset on server start up.
#
state_file "/var/lib/mpd/state"
#
# The location of the sticker database. This is a database which
# manages dynamic information attached to songs.
#
sticker_file "/var/lib/mpd/sticker.sql"
#
###############################################################################
# General music daemon options ################################################
#
# This setting specifies the user that MPD will run as. MPD should never run as
# root and you may use this setting to make MPD change its user ID after
# initialization. This setting is disabled by default and MPD is run as the
# current user.
#
user "mpd"
#
# This setting specifies the group that MPD will run as. If not specified
# primary group of user specified with "user" setting will be used (if set).
# This is useful if MPD needs to be a member of group such as "audio" to
# have permission to use sound card.
#
#group "nogroup"
#
# This setting sets the address for the daemon to listen on. Careful attention
# should be paid if this is assigned to anything other then the default, any.
# This setting can deny access to control of the daemon. Choose any if you want
# to have mpd listen on every address. Not effective if systemd socket
# activation is in use.
#
# For network
bind_to_address "0.0.0.0"
#
# And for Unix Socket
#bind_to_address "/run/mpd/socket"
#
# This setting is the TCP port that is desired for the daemon to get assigned
# to.
#
#port "6600"
#
# This setting controls the type of information which is logged. Available
# setting arguments are "default", "secure" or "verbose". The "verbose" setting
# argument is recommended for troubleshooting, though can quickly stretch
# available resources on limited hardware storage.
#
log_level "secure"
#
# Setting "restore_paused" to "yes" puts MPD into pause mode instead
# of starting playback after startup.
#
#restore_paused "no"
#
# This setting enables MPD to create playlists in a format usable by other
# music players.
#
#save_absolute_paths_in_playlists "no"
#
# This setting defines a list of tag types that will be extracted during the
# audio file discovery process. The complete list of possible values can be
# found in the user manual.
#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc"
#
# This example just enables the "comment" tag without disabling all
# the other supported tags:
#metadata_to_use "+comment"
#
# This setting enables automatic update of MPD's database when files in
# music_directory are changed.
#
#auto_update "yes"
#
# Limit the depth of the directories being watched, 0 means only watch
# the music directory itself. There is no limit by default.
#
#auto_update_depth "3"
#
###############################################################################
# Symbolic link behavior ######################################################
#
# If this setting is set to "yes", MPD will discover audio files by following
# symbolic links outside of the configured music_directory.
#
#follow_outside_symlinks "yes"
#
# If this setting is set to "yes", MPD will discover audio files by following
# symbolic links inside of the configured music_directory.
#
#follow_inside_symlinks "yes"
#
###############################################################################
# Zeroconf / Avahi Service Discovery ##########################################
#
# If this setting is set to "yes", service information will be published with
# Zeroconf / Avahi.
#
zeroconf_enabled "no"
#
# The argument to this setting will be the Zeroconf / Avahi unique name for
# this MPD server on the network. %h will be replaced with the hostname.
#
#zeroconf_name "Music Player @ %h"
#
###############################################################################
# Permissions #################################################################
#
# If this setting is set, MPD will require password authorization. The password
# setting can be specified multiple times for different password profiles.
#
#password "password@read,add,control,admin"
#
# This setting specifies the permissions a user has who has not yet logged in.
#
#default_permissions "read,add,control,admin"
#
###############################################################################
#input_cache {
# size "16m"
#}
# Database #######################################################################
#
#database {
# plugin "proxy"
# host "other.mpd.host"
# port "6600"
#}
# Input #######################################################################
#
input {
plugin "curl"
# proxy "proxy.isp.com:8080"
# proxy_user "user"
# proxy_password "password"
}
# QOBUZ input plugin
input {
enabled "no"
plugin "qobuz"
# app_id "ID"
# app_secret "SECRET"
# username "USERNAME"
# password "PASSWORD"
# format_id "N"
}
# TIDAL input plugin
input {
enabled "no"
plugin "tidal"
# token "TOKEN"
# username "USERNAME"
# password "PASSWORD"
# audioquality "Q"
}
# Decoder #####################################################################
#
decoder {
plugin "hybrid_dsd"
enabled "no"
# gapless "no"
}
#
###############################################################################
# Audio Output ################################################################
#
# MPD supports various audio output types, as well as playing through multiple
# audio outputs at the same time, through multiple audio_output settings
# blocks. Setting this block is optional, though the server will only attempt
# autodetection for one sound card.
#
# An example of an ALSA output:
#
audio_output {
type "alsa"
name "My ALSA Device"
# device "hw:0,0" # optional
# mixer_type "hardware" # optional
# mixer_device "default" # optional
# mixer_control "PCM" # optional
# mixer_index "0" # optional
}
#
# An example of an OSS output:
#
#audio_output {
# type "oss"
# name "My OSS Device"
# device "/dev/dsp" # optional
# mixer_type "hardware" # optional
# mixer_device "/dev/mixer" # optional
# mixer_control "PCM" # optional
#}
#
# An example of a shout output (for streaming to Icecast):
#
#audio_output {
# type "shout"
# encoder "vorbis" # optional
# name "My Shout Stream"
# host "localhost"
# port "8000"
# mount "/mpd.ogg"
# password "hackme"
# quality "5.0"
# bitrate "128"
# format "44100:16:1"
# protocol "icecast2" # optional
# user "source" # optional
# description "My Stream Description" # optional
# url "http://example.com" # optional
# genre "jazz" # optional
# public "no" # optional
# timeout "2" # optional
# mixer_type "software" # optional
#}
#
# An example of a recorder output:
#
#audio_output {
# type "recorder"
# name "My recorder"
# encoder "vorbis" # optional, vorbis or lame
# path "/var/lib/mpd/recorder/mpd.ogg"
## quality "5.0" # do not define if bitrate is defined
# bitrate "128" # do not define if quality is defined
# format "44100:16:1"
#}
#
# An example of a httpd output (built-in HTTP streaming server):
#
#audio_output {
# type "httpd"
# name "My HTTP Stream"
# encoder "vorbis" # optional, vorbis or lame
# port "8000"
# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6
# quality "5.0" # do not define if bitrate is defined
# bitrate "128" # do not define if quality is defined
# format "44100:16:1"
# max_clients "0" # optional 0=no limit
#}
#
# An example of a pulseaudio output (streaming to a remote pulseaudio server)
# Please see README.Debian if you want mpd to play through the pulseaudio
# daemon started as part of your graphical desktop session!
#
#audio_output {
# type "pulse"
# name "My Pulse Output"
# server "remote_server" # optional
# sink "remote_server_sink" # optional
#}
#
# An example of a winmm output (Windows multimedia API).
#
#audio_output {
# type "winmm"
# name "My WinMM output"
# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional
# or
# device "0" # optional
# mixer_type "hardware" # optional
#}
#
# An example of an openal output.
#
#audio_output {
# type "openal"
# name "My OpenAL output"
# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional
#}
#
## Example "pipe" output:
#
#audio_output {
# type "pipe"
# name "my pipe"
# command "aplay -f cd 2>/dev/null"
## Or if you're want to use AudioCompress
# command "AudioCompress -m | aplay -f cd 2>/dev/null"
## Or to send raw PCM stream through PCM:
# command "nc example.org 8765"
# format "44100:16:2"
#}
#
## An example of a null output (for no audio output):
#
#audio_output {
# type "null"
# name "My Null Output"
# mixer_type "none" # optional
#}
#
###############################################################################
# Normalization automatic volume adjustments ##################################
#
# This setting specifies the type of ReplayGain to use. This setting can have
# the argument "off", "album", "track" or "auto". "auto" is a special mode that
# chooses between "track" and "album" depending on the current state of
# random playback. If random playback is enabled then "track" mode is used.
# See <http://www.replaygain.org> for more details about ReplayGain.
# This setting is off by default.
#
#replaygain "album"
#
# This setting sets the pre-amp used for files that have ReplayGain tags. By
# default this setting is disabled.
#
#replaygain_preamp "0"
#
# This setting sets the pre-amp used for files that do NOT have ReplayGain tags.
# By default this setting is disabled.
#
#replaygain_missing_preamp "0"
#
# This setting enables or disables ReplayGain limiting.
# MPD calculates actual amplification based on the ReplayGain tags
# and replaygain_preamp / replaygain_missing_preamp setting.
# If replaygain_limit is enabled MPD will never amplify audio signal
# above its original level. If replaygain_limit is disabled such amplification
# might occur. By default this setting is enabled.
#
#replaygain_limit "yes"
#
# This setting enables on-the-fly normalization volume adjustment. This will
# result in the volume of all playing audio to be adjusted so the output has
# equal "loudness". This setting is disabled by default.
#
#volume_normalization "no"
#
###############################################################################
# Character Encoding ##########################################################
#
# If file or directory names do not display correctly for your locale then you
# may need to modify this setting.
#
filesystem_charset "UTF-8"
#
###############################################################################
# This setting specifies the type of ReplayGain to use. This setting can have
# the argument "off", "album", "track" or "auto". "auto" is a special mode that
# chooses between "track" and "album" depending on the current state of
# random playback. If random playback is enabled then "track" mode is used.
# See <https://wiki.hydrogenaud.io/index.php?title=Replaygain> for
# more details about ReplayGain.
# This setting is off by default.
#
#replaygain "album"
#
# This setting sets the pre-amp used for files that have ReplayGain tags. By
# default this setting is disabled.
#
#replaygain_preamp "0"
#
# This setting sets the pre-amp used for files that do NOT have ReplayGain tags.
# By default this setting is disabled.
#
#replaygain_missing_preamp "0"
#
# This setting enables or disables ReplayGain limiting.
# MPD calculates actual amplification based on the ReplayGain tags
# and replaygain_preamp / replaygain_missing_preamp setting.
# If replaygain_limit is enabled MPD will never amplify audio signal
# above its original level. If replaygain_limit is disabled such amplification
# might occur. By default this setting is enabled.
#
#replaygain_limit "yes"
#
# This setting enables on-the-fly normalization volume adjustment. This will
# result in the volume of all playing audio to be adjusted so the output has
# equal "loudness". This setting is disabled by default.
#
#volume_normalization "no"
#
###############################################################################
# Character Encoding ##########################################################
#
# If file or directory names do not display correctly for your locale then you
# may need to modify this setting.
#
filesystem_charset "UTF-8"
#
###############################################################################
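Review bot: This mpd.conf is two configuration files pasted together: from the `## An example configuration file for MPD.` line that interrupts the Normalization section onward, music_directory, playlist_directory, db_file, state_file, sticker_file, user, bind_to_address, log_level, filesystem_charset and the input/decoder/audio_output blocks are all defined a second time, and mpd rejects a redefinition of a non-repeatable parameter at startup as far as I recall (the second copy also adds an alsa output next to the pipewire one, a conflicting `log_level "secure"`, and a `pid_file` and `log_file` that the first copy's own comments say to leave unset under systemd). Keep one copy — the first half up to `# Normalization automatic volume adjustments` plus one ReplayGain/charset tail — and delete the rest. Separately, `bind_to_address "0.0.0.0"` with `password` and `default_permissions` left commented gives every host that can reach the daemon the full read,add,control,admin rights shown in the commented default, including queuing arbitrary URLs through the enabled curl input plugin; bind to the Unix socket or a specific address, or set `default_permissions "read"` and a `password` line for the clients that need control.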

2
roles/mpd/init.sls Normal file

@@ -0,0 +1,2 @@
include:
- .common

16
roles/nut/client.sls Normal file

@@ -0,0 +1,16 @@
nut-client_pkgs:
pkg.installed:
- pkgs:
- nut-client
etc_nut_nut.conf:
file:
- recurse
- name: /etc/nut
- source: salt://roles/nut/files/client
- user: root
- group: root
- file_mode: 0640
- dir_mode: 0750
- require:
- pkg: nut-client_pkgs
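Review bot: `etc_nut_nut.conf` forces the whole /etc/nut tree to `root:root`, while the upsmon.conf it deploys states in its own header that the file must stay readable by the upsmon run-as user for the reload feature; Debian's packaging keeps the tree `root:nut` with 0750/0640 as far as I remember, so `- group: nut` would match the distro default and keep `upsmon -c reload` working (confirm the group name against the installed package). The same header says the file contains passwords; if the MONITOR password is a literal in roles/nut/files/client, it sits in plain text in the repository — the gpg renderer this repo already uses in os/armbian/repo.sls plus a pillar lookup in a `file.managed` template would keep it out of git. As in roles/mpd/common.sls, no service state watches the deployed files, so a changed upsmon.conf is not picked up until the next restart.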


@@ -0,0 +1,34 @@
### SALT
# Network UPS Tools: example nut.conf
#
##############################################################################
# General section
##############################################################################
# The MODE determines which part of the NUT is to be started, and which
# configuration files must be modified.
#
# This file try to standardize the various files being found in the field, like
# /etc/default/nut on Debian based systems, /etc/sysconfig/ups on RedHat based
# systems, ... Distribution's init script should source this file to see which
# component(s) has to be started.
#
# The values of MODE can be:
# - none: NUT is not configured, or use the Integrated Power Management, or use
# some external system to startup NUT components. So nothing is to be started.
# - standalone: This mode address a local only configuration, with 1 UPS
# protecting the local system. This implies to start the 3 NUT layers (driver,
# upsd and upsmon) and the matching configuration files. This mode can also
# address UPS redundancy.
# - netserver: same as for the standalone configuration, but also need
# some more network access controls (firewall, tcp-wrappers) and possibly a
# specific LISTEN directive in upsd.conf.
# Since this MODE is opened to the network, a special care should be applied
# to security concerns.
# - netclient: this mode only requires upsmon.
#
# IMPORTANT NOTE:
# This file is intended to be sourced by shell scripts.
# You MUST NOT use spaces around the equal sign!
MODE=netclient


@@ -0,0 +1,385 @@
## SALT
# Network UPS Tools: example upsmon configuration
#
# This file contains passwords, so keep it secure.
# --------------------------------------------------------------------------
# RUN_AS_USER <userid>
#
# By default, upsmon splits into two processes. One stays as root and
# waits to run the SHUTDOWNCMD. The other one switches to another userid
# and does everything else.
#
# The default nonprivileged user is set at compile-time with
# 'configure --with-user=...'.
#
# You can override it with '-u <user>' when starting upsmon, or just
# define it here for convenience.
#
# Note: if you plan to use the reload feature, this file (upsmon.conf)
# must be readable by this user! Since it contains passwords, DO NOT
# make it world-readable. Also, do not make it writable by the upsmon
# user, since it creates an opportunity for an attack by changing the
# SHUTDOWNCMD to something malicious.
#
# For best results, you should create a new normal user like "nutmon",
# and make it a member of a "nut" group or similar. Then specify it
# here and grant read access to the upsmon.conf for that group.
#
# This user should not have write access to upsmon.conf.
#
# RUN_AS_USER nut
# --------------------------------------------------------------------------
# MONITOR <system> <powervalue> <username> <password> ("master"|"slave")
#
# List systems you want to monitor. Not all of these may supply power
# to the system running upsmon, but if you want to watch it, it has to
# be in this section.
#
# You must have at least one of these declared.
#
# <system> is a UPS identifier in the form <upsname>@<hostname>[:<port>]
# like ups@localhost, su700@mybox, etc.
#
# Examples:
#
# - "su700@mybox" means a UPS called "su700" on a system called "mybox"
#
# - "fenton@bigbox:5678" is a UPS called "fenton" on a system called
# "bigbox" which runs upsd on port "5678".
#
# The UPS names like "su700" and "fenton" are set in your ups.conf
# in [brackets] which identify a section for a particular driver.
#
# If the ups.conf on host "doghouse" has a section called "snoopy", the
# identifier for it would be "snoopy@doghouse".
#
# <powervalue> is an integer - the number of power supplies that this UPS
# feeds on this system. Most computers only have one power supply, so this
# is normally set to 1. You need a pretty big or special box to have any
# other value here.
#
# You can also set this to 0 for a system that doesn't supply any power,
# but you still want to monitor. Use this when you want to hear about
# changes for a given UPS without shutting down when it goes critical,
# unless <powervalue> is 0.
#
# <username> and <password> must match an entry in that system's
# upsd.users. If your username is "monmaster" and your password is
# "blah", the upsd.users would look like this:
#
# [monmaster]
# password = blah
# upsmon master (or slave)
#
# "master" means this system will shutdown last, allowing the slaves
# time to shutdown first.
#
# "slave" means this system shuts down immediately when power goes critical.
#
# Examples:
#
# MONITOR myups@bigserver 1 monmaster blah master
# MONITOR su700@server.example.com 1 upsmon secretpass slave
# MONITOR myups@localhost 1 upsmon pass master (or slave)
MONITOR nummer5@ups.wks 1 monuser $secret slave
# --------------------------------------------------------------------------
# MINSUPPLIES <num>
#
# Give the number of power supplies that must be receiving power to keep
# this system running. Most systems have one power supply, so you would
# put "1" in this field.
#
# Large/expensive server type systems usually have more, and can run with
# a few missing. The HP NetServer LH4 can run with 2 out of 4, for example,
# so you'd set that to 2. The idea is to keep the box running as long
# as possible, right?
#
# Obviously you have to put the redundant supplies on different UPS circuits
# for this to make sense! See big-servers.txt in the docs subdirectory
# for more information and ideas on how to use this feature.
MINSUPPLIES 1
# --------------------------------------------------------------------------
# SHUTDOWNCMD "<command>"
#
# upsmon runs this command when the system needs to be brought down.
#
# This should work just about everywhere ... if it doesn't, well, change it.
SHUTDOWNCMD "/sbin/shutdown -h +0"
# --------------------------------------------------------------------------
# NOTIFYCMD <command>
#
# upsmon calls this to send messages when things happen
#
# This command is called with the full text of the message as one argument.
# The environment string NOTIFYTYPE will contain the type string of
# whatever caused this event to happen.
#
# Note that this is only called for NOTIFY events that have EXEC set with
# NOTIFYFLAG. See NOTIFYFLAG below for more details.
#
# Making this some sort of shell script might not be a bad idea. For more
# information and ideas, see docs/scheduling.txt
#
# Example:
# NOTIFYCMD /bin/notifyme
# --------------------------------------------------------------------------
# POLLFREQ <n>
#
# Polling frequency for normal activities, measured in seconds.
#
# Adjust this to keep upsmon from flooding your network, but don't make
# it too high or it may miss certain short-lived power events.
POLLFREQ 30
# --------------------------------------------------------------------------
# POLLFREQALERT <n>
#
# Polling frequency in seconds while UPS on battery.
#
# You can make this number lower than POLLFREQ, which will make updates
# faster when any UPS is running on battery. This is a good way to tune
# network load if you have a lot of these things running.
#
# The default is 5 seconds for both this and POLLFREQ.
POLLFREQALERT 5
# --------------------------------------------------------------------------
# HOSTSYNC - How long upsmon will wait before giving up on another upsmon
#
# The master upsmon process uses this number when waiting for slaves to
# disconnect once it has set the forced shutdown (FSD) flag. If they
# don't disconnect after this many seconds, it goes on without them.
#
# Similarly, upsmon slave processes wait up to this interval for the
# master upsmon to set FSD when a UPS they are monitoring goes critical -
# that is, on battery and low battery. If the master doesn't do its job,
# the slaves will shut down anyway to avoid damage to the file systems.
#
# This "wait for FSD" is done to avoid races where the status changes
# to critical and back between polls by the master.
HOSTSYNC 15
# --------------------------------------------------------------------------
# DEADTIME - Interval to wait before declaring a stale ups "dead"
#
# upsmon requires a UPS to provide status information every few seconds
# (see POLLFREQ and POLLFREQALERT) to keep things updated. If the status
# fetch fails, the UPS is marked stale. If it stays stale for more than
# DEADTIME seconds, the UPS is marked dead.
#
# A dead UPS that was last known to be on battery is assumed to have gone
# to a low battery condition. This may force a shutdown if it is providing
# a critical amount of power to your system.
#
# Note: DEADTIME should be a multiple of POLLFREQ and POLLFREQALERT.
# Otherwise you'll have "dead" UPSes simply because upsmon isn't polling
# them quickly enough. Rule of thumb: take the larger of the two
# POLLFREQ values, and multiply by 3.
DEADTIME 15
# --------------------------------------------------------------------------
# POWERDOWNFLAG - Flag file for forcing UPS shutdown on the master system
#
# upsmon will create a file with this name in master mode when it's time
# to shut down the load. You should check for this file's existence in
# your shutdown scripts and run 'upsdrvctl shutdown' if it exists.
#
# See the config-notes.txt file in the docs subdirectory for more information.
# Refer to the section:
# [[UPS_shutdown]] "Configuring automatic shutdowns for low battery events"
# or refer to the online version.
POWERDOWNFLAG /etc/killpower
# --------------------------------------------------------------------------
# NOTIFYMSG - change messages sent by upsmon when certain events occur
#
# You can change the default messages to something else if you like.
#
# NOTIFYMSG <notify type> "message"
#
# NOTIFYMSG ONLINE "UPS %s on line power"
# NOTIFYMSG ONBATT "UPS %s on battery"
# NOTIFYMSG LOWBATT "UPS %s battery is low"
# NOTIFYMSG FSD "UPS %s: forced shutdown in progress"
# NOTIFYMSG COMMOK "Communications with UPS %s established"
# NOTIFYMSG COMMBAD "Communications with UPS %s lost"
# NOTIFYMSG SHUTDOWN "Auto logout and shutdown proceeding"
# NOTIFYMSG REPLBATT "UPS %s battery needs to be replaced"
# NOTIFYMSG NOCOMM "UPS %s is unavailable"
# NOTIFYMSG NOPARENT "upsmon parent process died - shutdown impossible"
#
# Note that %s is replaced with the identifier of the UPS in question.
#
# Possible values for <notify type>:
#
# ONLINE : UPS is back online
# ONBATT : UPS is on battery
# LOWBATT : UPS has a low battery (if also on battery, it's "critical")
# FSD : UPS is being shutdown by the master (FSD = "Forced Shutdown")
# COMMOK : Communications established with the UPS
# COMMBAD : Communications lost to the UPS
# SHUTDOWN : The system is being shutdown
# REPLBATT : The UPS battery is bad and needs to be replaced
# NOCOMM : A UPS is unavailable (can't be contacted for monitoring)
# NOPARENT : The process that shuts down the system has died (shutdown impossible)
# --------------------------------------------------------------------------
# NOTIFYFLAG - change behavior of upsmon when NOTIFY events occur
#
# By default, upsmon sends walls (global messages to all logged in users)
# and writes to the syslog when things happen. You can change this.
#
# NOTIFYFLAG <notify type> <flag>[+<flag>][+<flag>] ...
#
# NOTIFYFLAG ONLINE SYSLOG+WALL
# NOTIFYFLAG ONBATT SYSLOG+WALL
# NOTIFYFLAG LOWBATT SYSLOG+WALL
# NOTIFYFLAG FSD SYSLOG+WALL
# NOTIFYFLAG COMMOK SYSLOG+WALL
# NOTIFYFLAG COMMBAD SYSLOG+WALL
# NOTIFYFLAG SHUTDOWN SYSLOG+WALL
# NOTIFYFLAG REPLBATT SYSLOG+WALL
# NOTIFYFLAG NOCOMM SYSLOG+WALL
# NOTIFYFLAG NOPARENT SYSLOG+WALL
#
# Possible values for the flags:
#
# SYSLOG - Write the message in the syslog
# WALL - Write the message to all users on the system
# EXEC - Execute NOTIFYCMD (see above) with the message
# IGNORE - Don't do anything
#
# If you use IGNORE, don't use any other flags on the same line.
# --------------------------------------------------------------------------
# RBWARNTIME - replace battery warning time in seconds
#
# upsmon will normally warn you about a battery that needs to be replaced
# every 43200 seconds, which is 12 hours. It does this by triggering a
# NOTIFY_REPLBATT which is then handled by the usual notify structure
# you've defined above.
#
# If this number is not to your liking, override it here.
RBWARNTIME 43200
# --------------------------------------------------------------------------
# NOCOMMWARNTIME - no communications warning time in seconds
#
# upsmon will let you know through the usual notify system if it can't
# talk to any of the UPS entries that are defined in this file. It will
# trigger a NOTIFY_NOCOMM by default every 300 seconds unless you
# change the interval with this directive.
NOCOMMWARNTIME 300
# --------------------------------------------------------------------------
# FINALDELAY - last sleep interval before shutting down the system
#
# On a master, upsmon will wait this long after sending the NOTIFY_SHUTDOWN
# before executing your SHUTDOWNCMD. If you need to do something in between
# those events, increase this number. Remember, at this point your UPS is
# almost depleted, so don't make this too high.
#
# Alternatively, you can set this very low so you don't wait around when
# it's time to shut down. Some UPSes don't give much warning for low
# battery and will require a value of 0 here for a safe shutdown.
#
# Note: If FINALDELAY on the slave is greater than HOSTSYNC on the master,
# the master will give up waiting for the slave to disconnect.
FINALDELAY 5
# --------------------------------------------------------------------------
# CERTPATH - path to certificates (database directory or directory with CA's)
#
# When compiled with SSL support, you can enter the certificate path here.
#
# With NSS:
# Certificates are stored in a dedicated database (splitted in 3 files).
# Specify the path of the database directory.
#
# CERTPATH /etc/nut/cert/upsmon
#
# With OpenSSL:
# Directory containing CA certificates in PEM format, used to verify
# the server certificate presented by the upsd server. The files each
# contain one CA certificate. The files are looked up by the CA subject
# name hash value, which must hence be available.
#
# CERTPATH /usr/ssl/certs
#
# See 'docs/security.txt' or the Security chapter of NUT user manual
# for more information on the SSL support in NUT.
CERTPATH /etc/pki
# --------------------------------------------------------------------------
# CERTIDENT - self certificate name and database password
# CERTIDENT <certificate name> <database password>
#
# When compiled with SSL support with NSS, you can specify the certificate
# name to retrieve from database to authenticate itself and the password
# required to access certificate related private key.
#
# CERTIDENT "my nut monitor" "MyPasSw0rD"
#
# See 'docs/security.txt' or the Security chapter of NUT user manual
# for more information on the SSL support in NUT.
# --------------------------------------------------------------------------
# CERTHOST - security properties for an host
# CERTHOST <hostname> <certificate name> <certverify> <forcessl>
#
# When compiled with SSL support with NSS, you can specify security directive
# for each server you can contact.
# Each entry maps server name with the expected certificate name and flags
# indicating if the server certificate is verified and if the connection
# must be secure.
#
# CERTHOST localhost "My nut server" 1 1
#
# See 'docs/security.txt' or the Security chapter of NUT user manual
# for more information on the SSL support in NUT.
# --------------------------------------------------------------------------
# CERTVERIFY - make upsmon verify all connections with certificates
# CERTVERIFY 1
#
# When compiled with SSL support, make upsmon verify all connections with
# certificates.
# Without this, there is no guarantee that the upsd is the right host.
# Enabling this greatly reduces the risk of man in the middle attacks.
# This effectively forces the use of SSL, so don't use this unless
# all of your upsd hosts are ready for SSL and have their certificates
# in order.
# When compiled with NSS support of SSL, can be overriden for host
# specified with a CERTHOST directive.
CERTVERIFY 1
# --------------------------------------------------------------------------
# FORCESSL - force upsmon to use SSL
# FORCESSL 1
#
# When compiled with SSL, specify that a secured connection must be used
# to communicate with upsd.
# If you don't use 'CERTVERIFY 1', then this will at least make sure
# that nobody can sniff your sessions without a large effort. Setting
# this will make upsmon drop connections if the remote upsd doesn't
# support SSL, so don't use it unless all of them have it running.
# When compiled with NSS support of SSL, can be overriden for host
# specified with a CERTHOST directive.
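Review bot: The password field in `MONITOR nummer5@ups.wks 1 monuser $secret slave` reaches the client as the literal text `$secret`: client.sls copies this directory with file.recurse and no `template: jinja`, and upsmon's config parser does no shell-style expansion as far as I know, so either this client never authenticates to ups.wks or a real password is expected to be committed here later. Rendering the line from pillar instead (add `template: jinja` to the recurse state and write the field as, for example, `{{ pillar['nut']['monuser_password'] }}` — placeholder key) keeps the secret out of the repository and out of every checkout. Separately, `CERTVERIFY 1` together with `CERTPATH /etc/pki` makes upsmon refuse every connection unless /etc/pki holds the upsd server's CA in the layout this NUT build expects (a hashed PEM directory for OpenSSL builds, an NSS database otherwise, per the comments above); nothing in this commit shows a state that provisions that directory on the hosts receiving roles.nut.client, so confirm it exists before the role is applied.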

41
top.sls

@@ -6,21 +6,36 @@ base:
'*':
- base
- hardware
'tumor*':
- base.pki.ca
- os
'adm01.wks':
- base.rsyslog.server
- base.packages.haproxy
- k8s.podman
- systemd.units
'not G@fqdn:adm01.wks':
- match: compound
- base.rsyslog.client
'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel':
- match: compound
- base.packages.arch.arm
'riot01*':
- haproxy
- prometheus
- grafana
'auto*':
- base.packages.openhab2
'auto02*':
- k8s.podman
- base.packages.haproxy
- systemd.units
#- base.packages.salt.master
#- base.pki.ca
'pine*':
- k8s
'kube*':
- k8s
#- k8s
- roles.nut.client
'ebin*':
- roles.nut.client
'lenny*':
- k8s.admin
- base.packages.node.lenny
#- k8s.admin
- base.packages.node.lenny # migrate these with yori/desktops
- base.packages.repo.brave-browser
- base.packages.FreeCAD
'yori*':
- base.packages.repo.brave-browser
- base.packages.FreeCAD
'truhe*':
- roles.mpd