diff --git a/.gitignore b/.gitignore index 6cbe93b..9589024 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +**/.ptp-sync +**/.ptp-sync-folder .project .pydevproject .settings diff --git a/_grains/hardware.py b/_grains/hardware.py index a5c6256..d4f7a24 100644 --- a/_grains/hardware.py +++ b/_grains/hardware.py @@ -17,6 +17,8 @@ def _hardware(): for line in open("/etc/armbian-release","r").readlines(): if re.match("BOARD=espressobin", line): h = "Espressobin" + if re.match("BOARD=pine64", line): + h = "Pine64" return h def main(): diff --git a/_grains/os_flavor.py b/_grains/os_flavor.py new file mode 100644 index 0000000..f45d2a2 --- /dev/null +++ b/_grains/os_flavor.py @@ -0,0 +1,20 @@ +#!/usr/bin/env python3 +import re +import os.path + +def _os_flavor(): + + if os.path.isfile('/etc/armbian-release'): + h = "Armbian" + elif os.path.isdir('/etc/osmc'): + h = "OSMC" + elif os.path.isfile('/etc/octopi_version'): + h = "OctoPi" + else: + h = "Debian" + return h + +def main(): + grains = {} + grains['os_flavor'] = _os_flavor() + return grains diff --git a/base/init.sls b/base/init.sls index 1faa0c1..20382e9 100644 --- a/base/init.sls +++ b/base/init.sls @@ -4,9 +4,9 @@ include: - .packages - - .pki - - .gluster.client + #- .pki - sysctl - - rsyslog - sudoers - systemd + - .timezone + - .release diff --git a/base/packages/FreeCAD.sls b/base/packages/FreeCAD.sls new file mode 100644 index 0000000..7c8d244 --- /dev/null +++ b/base/packages/FreeCAD.sls 
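Review bot: `import re` in the new _grains/os_flavor.py is unused — only `os.path.isfile`/`os.path.isdir` are called — so it should be dropped. The result is built in a variable named `h`, copied from hardware.py; a descriptive name such as `flavor = "Armbian"` reads better in a fresh file. A one-line docstring on `_os_flavor` stating that the first matching marker wins, in the order Armbian (`/etc/armbian-release`), OSMC (`/etc/osmc`), OctoPi (`/etc/octopi_version`), else Debian, would document the precedence the `if`/`elif` chain relies on.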
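Review bot: The include list in base/init.sls keeps `#- .pki` as a commented-out entry while the same commit reworks base/pki/*; either re-enable it or delete the line and record the reason, since a commented include reads as "temporarily disabled" to the next maintainer. Removing `- rsyslog` here while adding base/rsyslog/client.sls and server.sls means neither new rsyslog state is reachable from base unless a top file targets it directly — worth confirming that is intended.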
@@ -0,0 +1,75 @@ +include: + - .repo.openfoam + +pkg_FreeCAD: + pkg.installed: + - pkgs: + - openfoam + - libocct-draw-dev + - libocct-foundation-dev + - libocct-modeling-algorithms-dev + - libocct-modeling-data-dev + - libocct-ocaf-dev + - libocct-visualization-dev + - libocct-data-exchange-dev + - calculix-cgx + - cmake + - libboost-date-time-dev + - libboost-dev + - libboost-filesystem-dev + - libboost-graph-dev + - libboost-iostreams-dev + - libboost-program-options-dev + - libboost-python-dev + - libboost-regex-dev + - libboost-serialization-dev + - libboost-thread-dev + - libcoin-dev + - libeigen3-dev + - libgts-bin + - libgts-dev + - libkdtree++-dev + - libmedc-dev + - libocct-data-exchange-dev + - libocct-ocaf-dev + - libocct-visualization-dev + - libopencv-dev + - libproj-dev + - libpyside2-dev + - libqt5opengl5-dev + - libqt5svg5-dev + - libqt5webkit5-dev + - libqt5x11extras5-dev + - libqt5xmlpatterns5-dev + - libshiboken2-dev + - libspnav-dev + - libx11-dev + - libxerces-c-dev + - libzipios++-dev + - occt-draw + - pyside2-tools + - python3-dev + - python3-matplotlib + - python3-pivy + - python3-ply + - python3-pyside2.qtcore + - python3-pyside2.qtgui + - python3-pyside2.qtsvg + - python3-pyside2.qtwidgets + - python3-pyside2.qtnetwork + - python3-pyside2.qtwebengine + - python3-pyside2.qtwebenginecore + - python3-pyside2.qtwebenginewidgets + - python3-pyside2.qtwebchannel + - python3-markdown + - python3-git + - qtbase5-dev + - qttools5-dev + - swig + - libmetis-dev + - python3-pyside2.qtscripttools + - python3-pyside2.qtuitools + - pyside2-tools + - libshiboken2-dev + - libshiboken2-py3-5.15 + diff --git a/base/packages/common.sls b/base/packages/common.sls index c2d4e6e..c7efebb 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls 
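Review bot: The `pkgs` list under `pkg_FreeCAD` contains duplicates — `libocct-data-exchange-dev`, `libocct-ocaf-dev`, `libocct-visualization-dev`, `pyside2-tools` and `libshiboken2-dev` each appear twice — and should be deduplicated so the state is one authoritative list. `libshiboken2-py3-5.15` pins a specific library version in a list otherwise made of `-dev` metapackages and will break on the next shiboken upload; if `libshiboken2-dev` already pulls it in, drop it. The include of `.repo.openfoam` makes this state depend on a third-party repository, which deserves a header comment explaining that only `openfoam` comes from there.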
@@ -26,20 +26,17 @@ common-installed: - bzip2 - gzip - unzip - - libwww-perl - bind9-host - dnsutils - tcpdump - file - - python-pip - - python-dev - - python-pyinotify - - python-m2crypto + - python3-pip + - python3-dev + - python3-pyinotify - python3-m2crypto + - python3-apt - lockfile-progs - virt-what - - ntp - - ntpdate - apt-transport-https - python3-croniter - flex @@ -48,7 +45,11 @@ common-installed: - nfs-common - mosquitto-clients - autofs - - python-apt + - debian-keyring + - python3-cherrypy3 + - python3-pygit2 + - systemd-timesyncd + - zstd common-removed: pkg.removed: @@ -58,3 +59,7 @@ common-removed: - exim4-base - exim4-config - exim4-daemon-light + - command-not-found + + + diff --git a/base/packages/haproxy.sls b/base/packages/haproxy.sls new file mode 100644 index 0000000..efb0c09 --- /dev/null +++ b/base/packages/haproxy.sls 
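Review bot: `python3-cherrypy3` and `python3-pygit2` are added to `common-installed` here and again to `pkgs-salt-additional` in base/packages/salt/master.sls in the same commit; they are salt-master/salt-api dependencies (rest_cherrypy, gitfs) and should live in one place, preferably master.sls, so every minion does not install them. The third hunk appends three empty lines after `- command-not-found`; trailing blank lines should be dropped. Replacing `ntp`/`ntpdate` with `systemd-timesyncd` is reasonable, but it is worth confirming the unit is enabled after install, since nothing in this diff adds a `service.running` for it.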
@@ -0,0 +1,61 @@ +include: + - haproxy + +pkg_prometheus-haproxy-exporter: + pkg.installed: + - pkgs: + - prometheus-haproxy-exporter + + +service_prometheus-haproxy-exporter: + service.running: + - name: prometheus-haproxy-exporter + - enable: True + - watch: + - file: /etc/default/prometheus-haproxy-exporter + +etc_default_prometheus_haproxy-exporter: + file.managed: + - name: /etc/default/prometheus-haproxy-exporter + - require: + - pkg: pkg_prometheus-haproxy-exporter + - contents: | + # + ## SALT managed + # + # Set the command-line arguments to pass to the server. + # Due to shell scaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="--haproxy.scrape-uri=http://localhost:9110/haproxy-status;csv --log.level=warn" + + # Prometheus-haproxy-exporter supports the following options: + # + # --web.listen-address=":9101" + # Address to listen on for web interface and telemetry. + # --web.telemetry-path="/metrics" + # Path under which to expose metrics. + # --haproxy.scrape-uri="http://localhost/;csv" + # URI on which to scrape HAProxy. + # --haproxy.ssl-verify + # Flag that enables SSL certificate verification for the scrape URI + # --haproxy.server-metric-fields="2,3,4,5,6,7,8,9,13,14,15,16,17,18,21,24,33,35,38,39,40,41,42,43,44" + # Comma-separated list of exported server metrics. See + # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.1 + # --haproxy.timeout=5s + # Timeout for trying to get stats from HAProxy. + # --haproxy.pid-file="" + # Path to HAProxy pid file. + # + # If provided, the standard process metrics get exported for the HAProxy + # process, prefixed with 'haproxy_process_...'. The haproxy_process exporter + # needs to have read access to files owned by the HAProxy process. Depends + # on the availability of /proc. + # https://prometheus.io/docs/instrumenting/writing_clientlibs/#process-metrics. 
+ # --log.level="info" + # Only log messages with the given severity or above. + # Valid levels: [debug, info, warn, error, fatal] + # --log.format="logger:stderr" + # Set the log target and format. Example: + # "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true" + \ No newline at end of file diff --git a/base/packages/init.sls b/base/packages/init.sls index 03d5ea1..e847cfe 100644 --- a/base/packages/init.sls +++ b/base/packages/init.sls @@ -4,5 +4,6 @@ include: - .common - - .repo.maketank + - .repo.debian - .prometheus + - .salt.minion diff --git a/base/packages/openhab2.sls b/base/packages/openhab2.sls deleted file mode 100644 index 19a4fa8..0000000 --- a/base/packages/openhab2.sls +++ /dev/null @@ -1,46 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- -include: - - haproxy - - systemd.units - -openhab2-pkgs: - pkg.installed: - - pkgs: - - openhab2 - - openhab2-addons - - default-jre-headless - - libopenzwave1.5 - - gunicorn3 - - python3 - - prometheus-haproxy-exporter - - require: - - pkgrepo: repo_openhab2 - -repo_openhab2: - pkgrepo.managed: - - name: deb https://dl.bintray.com/openhab/apt-repo2 stable main - #- dist: {{ grains['oscodename'] }} - - file: /etc/apt/sources.list.d/openhab2.list - - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' - - clean_file: True - -openhab-prometheus-exporter: - file.managed: - - name: /usr/local/bin/openhab2-prometheus-exporter.py - - source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py - - source_hash: eea41af67a92266680a427ccde87344753bd8bbbcee20d9eb1d2ed3773e5676f - - user: openhab - - group: openhab - - mode: 0755 - -etc-apt-apt.conf-noproxy: - file.managed: - - name: /etc/apt/apt.conf.d/99-openhab2-noproxy - - user: root - - group: root - - mode: 0755 - - contents: | - #SALT managed - Acquire::http::proxy::dl.bintray.com "DIRECT"; 
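Review bot: The exporter runs with the package default listen address, which per the comment block in the managed file is `--web.listen-address=":9101"`, i.e. every interface; set it explicitly in `ARGS` (a specific address, or `127.0.0.1:9101` when Prometheus scrapes through a local proxy) so the metrics endpoint is not exposed on every network the host sits on. `--haproxy.scrape-uri=http://localhost:9110/haproxy-status;csv` assumes a stats listener on port 9110 that the included `haproxy` formula must provide; a comment naming the pillar or state that configures it would make the coupling visible. The `watch` on `file: /etc/default/prometheus-haproxy-exporter` resolves by name, but referencing the state id `etc_default_prometheus_haproxy-exporter` is more robust if the path ever changes.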
diff --git a/base/packages/prometheus/init.sls b/base/packages/prometheus/init.sls index 84f83e9..3a8dd5d 100644 --- a/base/packages/prometheus/init.sls +++ b/base/packages/prometheus/init.sls @@ -8,13 +8,11 @@ set has_promexporter = salt['pillar.get']( # This has to be here, otherwise: # https://stackoverflow.com/questions/59268721/saltstack-use-include-twice-in-one-sls-file # +{%- if 'prometheus-node_exporter' in has_promexporter %} include: - {%- if 'prometheus-node_exporter' in has_promexporter %} - prometheus - systemd.reload - {%- else %} - #- prometheus.clean #Dat klappt nuesch! - {%- endif %} +{%- endif %} {%- if 'prometheus-node_exporter' in has_promexporter %} systemd-prometheus-node-exporter-service-override: @@ -44,9 +42,12 @@ link-orig-prom-path: - require: - file: delete-orig-prom-path +{% if grains['oscodename'] != 'bullseye' %} patch-smartmon.sh: file.managed: - name: /usr/share/prometheus-node-exporter/smartmon.sh - source: salt://base/packages/prometheus/files/smartmon.sh - mode: 0755 +{% endif %} + {%- endif %} diff --git a/base/packages/repo/brave-browser.sls b/base/packages/repo/brave-browser.sls new file mode 100644 index 0000000..20c77bb --- /dev/null +++ b/base/packages/repo/brave-browser.sls @@ -0,0 +1,18 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +repo_brave-browser: + pkgrepo.managed: + - name: deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com stable main + - dist: stable + - file: /etc/apt/sources.list.d/brave-browser-beta.list + - key_url: https://brave-browser-apt-beta.s3.brave.com/brave-browser-beta-archive-keyring.gpg + - clean_file: True + + +#apt-update: +# cmd.run: +# - name: apt update -y +# - listen: +# - pkgrepo: repo_maketank diff --git a/base/packages/repo/debian-bullseye.sls b/base/packages/repo/debian-bullseye.sls new file mode 100644 index 0000000..f54d37e --- /dev/null +++ b/base/packages/repo/debian-bullseye.sls 
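Review bot: The new `{% if grains['oscodename'] != 'bullseye' %}` guard around `patch-smartmon.sh` hardcodes one codename without saying why, so the next release silently gets the patched script again; a comment such as `{# bullseye ships a working smartmon.sh; other releases need the patched copy — re-check per release #}` (or whatever the actual reason is) belongs above it. The final `{%- endif %}` of the hunk closes the `has_promexporter` block that opens above the hunk, and with the second `{% endif %}` right before it the nesting is easy to misread; an end-of-block marker like `{%- endif %} {# has_promexporter #}` helps.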
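Review bot: `key_url` imports the Brave signing key into apt's global trusted keyring, where it can sign any configured repository rather than only this one; since the vendor already publishes a binary keyring, preferring `signed-by` in the source line (`deb [arch=amd64 signed-by=/usr/share/keyrings/brave-browser-beta-archive-keyring.gpg] ...`, with the keyring file managed separately) scopes the trust to this repo — the same applies to `repo_openfoam` in base/packages/repo/openfoam.sls and to both raspberrypi repos in hardware/raspberrypi/repo.sls. The commented `apt-update` block at the bottom listens on `pkgrepo: repo_maketank`, a state this commit deletes together with base/packages/repo/maketank.sls, so it is stale and should go. The beta channel (`brave-browser-apt-beta`) deserves a comment if it is intended for a managed base image.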
@@ -0,0 +1,22 @@ +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %} + +repo_debian-bullseye: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}deb.debian.org/debian bullseye main contrib' + - file: /etc/apt/sources.list.d/debian-bullseye.list + - clean_file: True + +{% else %} + +repo_debian-bullseye-absent: + file.absent: + - name: /etc/apt/sources.list.d/debian-bullseye.list + +{% endif %} \ No newline at end of file diff --git a/base/packages/repo/debian-sid.sls b/base/packages/repo/debian-sid.sls new file mode 100644 index 0000000..c919bb4 --- /dev/null +++ b/base/packages/repo/debian-sid.sls @@ -0,0 +1,22 @@ +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +#{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %} + +repo_debian-sid: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}deb.debian.org/debian sid main contrib' + - file: /etc/apt/sources.list.d/debian-sid.list + - clean_file: True + +#{% else %} + +#repo_debian-sid-absent: +# file.absent: +# - name: /etc/apt/sources.list.d/debian-sid.list + +#{% endif %} \ No newline at end of file diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index 173fe77..5dbcf2c 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls 
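Review bot: `salt['pillar.get']('os:release', default = 'buster')` falls back to buster here, while base/release.sls in the same commit falls back to `'bullseye'` for the same pillar key; if that asymmetry is deliberate (add the bullseye repo and make it the default release to drive an upgrade of un-pillared hosts) it needs a comment, otherwise both should read one shared default. `'deb http://{{ cache_url }}deb.debian.org/debian ...'` only forms a valid URL when `services:apt-cache` ends with `/` (e.g. `apt-cache.lan:3142/`); a comment on the `set cache_url` block, or appending the slash in the template, prevents `http://apt-cache.landeb.debian.org`. The same concatenation appears in debian-sid.sls, debian.sls and hardware/raspberrypi/repo.sls.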
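Review bot: Prefixing the Jinja lines with `#` does not disable them — Jinja renders before YAML — so `#{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %}` … `#{% else %}` … `#{% endif %}` still wrap `repo_debian-sid`, and on a host whose `os:release` pillar is `bullseye` the state is not rendered at all, which breaks `require: - pkgrepo: repo_debian-sid` in k8s/containerd.sls. Either delete the conditional or wrap it in a Jinja comment `{# ... #}`; the same `#{% ... %}` pattern in hardware/common/init.sls and hardware/init.sls is harmless there but equally misleading. Adding sid unconditionally relies on `APT::Default-Release` from base/release.sls to keep stable hosts from tracking unstable; a comment here pointing to that, plus an explicit apt pin for sid, would make the dependency visible.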
@@ -1,26 +1,64 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- +#!jinja|yaml|gpg + +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +{%- + set os_rel = salt['pillar.get']( + 'os:release', + default=False + ) +%} + +{%- if not os_rel %} +{% set os_rel = grains['oscodename'] %} +{%- endif %} + + +repo_default: + file.managed: + - name: /etc/apt/sources.list + - contents: '#SALT managed, all in sources.list.d' + - user: root + - group: root + - mode: 0600 + +{% if grains['os'] == 'Debian' %} repo_debian: pkgrepo.managed: - - name: deb http://deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free - - dist: {{ grains['oscodename'] }} + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib non-free non-free-firmware' - file: /etc/apt/sources.list.d/debian.list - clean_file: True + +{% if grains['oscodename'] == 'bullseye' %}} +repo_debian-updates: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib non-free non-free-firmware' + - file: /etc/apt/sources.list.d/debian-updates.list + - clean_file: True + +#deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free +{% if os_rel == 'buster' %} +{% set repo_path = "/updates" %} +{% else %} +{% set repo_path = "-security" %} +{% endif %} + +repo_debian-security: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}deb.debian.org/debian-security {{ os_rel }}{{ repo_path }} main contrib #non-free' + - file: /etc/apt/sources.list.d/debian-security.list + - clean_file: True repo_debian-backports: pkgrepo.managed: - - name: deb http://deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free - - dist: {{ grains['oscodename'] }} + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib #non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True - - - - -#apt-update: -# cmd.run: 
-# - name: apt update -y -# - listen: -# - pkgrepo: repo_maketank +{% endif %} +{% endif %} diff --git a/base/packages/repo/maketank.sls b/base/packages/repo/maketank.sls deleted file mode 100644 index 3a4d8c5..0000000 --- a/base/packages/repo/maketank.sls +++ /dev/null @@ -1,18 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- - -repo_maketank: - pkgrepo.managed: - - name: deb http://apt.maketank.net/debian {{ grains['oscodename'] }} main - - dist: {{ grains['oscodename'] }} - - file: /etc/apt/sources.list.d/maketank.list - - key_url: http://apt.maketank.net/debian/debian.gpg - - clean_file: True - - -#apt-update: -# cmd.run: -# - name: apt update -y -# - listen: -# - pkgrepo: repo_maketank diff --git a/base/packages/repo/openfoam.sls b/base/packages/repo/openfoam.sls new file mode 100644 index 0000000..e732028 --- /dev/null +++ b/base/packages/repo/openfoam.sls @@ -0,0 +1,12 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +#required/wanted for FreeCAD +repo_openfoam: + pkgrepo.managed: + - name: deb [arch=amd64] https://dl.openfoam.com/repos/deb kinetic main + - dist: kinetic + - file: /etc/apt/sources.list.d/openfoam.list + - key_url: https://dl.openfoam.com/pubkey.gpg + - clean_file: True + diff --git a/base/packages/salt/master.sls b/base/packages/salt/master.sls new file mode 100644 index 0000000..0ae4508 --- /dev/null +++ b/base/packages/salt/master.sls @@ -0,0 +1,14 @@ +{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %} + +pkgs-salt-master: + pkg.installed: + - hold: True + - pkgs: + - salt-master: {{ salt_v }} + - salt-api: {{ salt_v }} + +pkgs-salt-additional: + pkg.installed: + - pkgs: + - python3-cherrypy3 + - python3-pygit2 \ No newline at end of file diff --git a/base/packages/salt/minion.sls b/base/packages/salt/minion.sls new file mode 100644 index 0000000..7d1a776 --- /dev/null +++ b/base/packages/salt/minion.sls 
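Review bot: `{% if grains['oscodename'] == 'bullseye' %}}` has a stray `}` that is emitted into the rendered YAML as a bare `}` line, and the `{% endif %}` closing it is the second-to-last line of the hunk, so `repo_debian-security` and `repo_debian-backports` are only rendered on bullseye — a buster or bookworm host gets no security repository at all, and the `{% if os_rel == 'buster' %}` / `/updates` branch is unreachable. Move that `{% endif %}` to directly after `repo_debian-updates` (or drop the bullseye guard) and remove the extra brace. `non-free-firmware` is, as far as I know, only a component from bookworm onward, so with `os_rel` bullseye apt will complain about it in `repo_debian` and `repo_debian-updates`; guard it on `os_rel` or verify against the mirror. The guard also tests `grains['oscodename']` while the repo lines use the pillar-overridable `os_rel`; using `os_rel` in both keeps a pillar-driven upgrade consistent.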
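Review bot: `dist: kinetic` points a Debian host at what is, as far as I know, an Ubuntu 22.10 suite of the OpenFOAM repository; packages built against kinetic's libraries are unlikely to install cleanly on bullseye/bookworm, so derive the suite from the target (`grains['oscodename']` as the other repo states do) or extend the existing `#required/wanted for FreeCAD` comment with why this suite works. `clean_file: True` with `key_url` over HTTPS is fine, but the key still lands in the global apt keyring rather than being scoped to this repo.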
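Review bot: `{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %}` is duplicated verbatim in base/packages/salt/minion.sls; with `hold: True` this literal is the only thing that ever lets a newer `deb11uN` security build through, so it belongs in one pillar value read by both states (`{%- set salt_v = salt['pillar.get']('salt:version', '3002.6+dfsg1-4+deb11u1') %}`), with a comment stating that bumping it is the update procedure. The `pkgs-salt-additional` list repeats `python3-cherrypy3`/`python3-pygit2` from base/packages/common.sls. The file also lacks a trailing newline.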
@@ -0,0 +1,7 @@ +{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %} + +pkgs-salt-minion: + pkg.installed: + - hold: True + - pkgs: + - salt-minion: {{ salt_v }} diff --git a/base/pki/cert.sls b/base/pki/cert.sls index 5e8bb78..d1e6166 100644 --- a/base/pki/cert.sls +++ b/base/pki/cert.sls @@ -2,9 +2,20 @@ # vim: ft=yaml --- -/usr/local/share/ca-certificates: - file.directory +#/usr/local/share/ca-certificates: +# file.directory -/usr/local/share/ca-certificates/intca.crt: +/etc/pki/intca.crt: x509.pem_managed: - - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + - text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + +/etc/ssl/certs/intca.crt: + x509.pem_managed: + - text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + + +/usr/sbin/update-ca-certificates: + cmd.run: + - onchanges: + - x509: /etc/ssl/certs/intca.crt + diff --git a/base/pki/host.sls b/base/pki/host.sls index 9a66fb0..9d7aedc 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls 
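Review bot: `/etc/ssl/certs/intca.crt` is written straight into the directory that `update-ca-certificates` generates, but that tool builds `ca-certificates.crt` only from the `/usr/share/ca-certificates` entries listed in `/etc/ca-certificates.conf` and from `/usr/local/share/ca-certificates/*.crt`, so the `cmd.run` triggered by `onchanges` will not add this CA to the bundle — only software that reads the single file by path will trust it. Keeping the now-commented `/usr/local/share/ca-certificates/intca.crt` target (alongside `/etc/pki/intca.crt`, which the chain files in base/pki/host.sls need) and running `update-ca-certificates` on changes to that file is the documented route. Both `x509.pem_managed` states index `salt['mine.get']('salt.chaos', ...)['salt.chaos']`, which raises at render time when the mine is empty and leaves no CA in place; a guard that fails with a clear message is kinder to the operator.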
@@ -11,11 +11,38 @@ /etc/pki/public.crt: x509.certificate_managed: - - ca_server: tumor.chaos + - ca_server: salt.chaos - signing_policy: host - public_key: /etc/pki/private.key - - CN: {{ grains['fqdn'] }} - - days_remaining: 30 + - CN: {{ grains['fqdn'] }} + - subjectAltName: 'DNS:{{ grains['fqdn'] }}' + - days_remaining: 5 - backup: True - require: - x509: /etc/pki/private.key + +{% for cn in salt['pillar.get']('pki:cns',{}) %} + +/etc/pki/{{ cn }}.crt: + x509.certificate_managed: + - ca_server: salt.chaos + - signing_policy: host + - public_key: /etc/pki/private.key + - days_remaining: 5 + - backup: False + - CN: {{ grains['fqdn'] }} + - subjectAltName: 'DNS:{{ cn }}' + - require: + - x509: /etc/pki/private.key + +/etc/pki/chain/{{ cn }}.pem: + file: + - append + - sources: + - /etc/pki/{{ cn }}.crt + - /etc/pki/intca.crt + - require: + - file: /etc/pki/chain + +{% endfor %} + \ No newline at end of file diff --git a/base/pki/init.sls b/base/pki/init.sls index 3eb548c..51383dd 100644 --- a/base/pki/init.sls +++ b/base/pki/init.sls @@ -8,3 +8,6 @@ include: /etc/pki: file.directory + +/etc/pki/chain: + file.directory diff --git a/base/pki/signing_policies.conf b/base/pki/signing_policies.conf index 85b94fe..7e21511 100644 --- a/base/pki/signing_policies.conf +++ b/base/pki/signing_policies.conf @@ -11,8 +11,9 @@ x509_signing_policies: - ST: Berlin - L: Berlin - basicConstraints: "critical CA:false" - - keyUsage: "critical keyEncipherment" + - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment, keyAgreement" + - extendedKeyUsage: "serverAuth, clientAuth" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - - days_valid: 360 + - days_valid: 365 - copypath: /etc/pki/issued_certs/ diff --git a/base/release.sls b/base/release.sls new file mode 100644 index 0000000..cb80b75 --- /dev/null +++ b/base/release.sls 
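Review bot: `days_remaining: 5` (down from 30) against the 365-day policy leaves a five-day window in which the minion must reach `salt.chaos` and run the state or the certificate expires; if the intent is to renew less often, document it, otherwise 30 was the safer value. The chain files are built with `file: - append - sources:`, and `file.append` only adds text that is not already present, so every renewed `/etc/pki/{{ cn }}.crt` is appended after the previous one and `/etc/pki/chain/{{ cn }}.pem` accumulates expired certificates; a `file.managed` whose `contents` concatenates the two files via a template, or `file.blockreplace` between markers, keeps it to one cert plus the CA. Each per-cn certificate carries `CN: {{ grains['fqdn'] }}` with only the SAN differing, which is fine for SAN-honouring clients, but a short comment saying so prevents the CN being "fixed" later.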
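Review bot: The `host` policy drops `critical` from `keyUsage` while widening it to `nonRepudiation, digitalSignature, keyEncipherment, keyAgreement` and adds `extendedKeyUsage: "serverAuth, clientAuth"`, so every certificate issued under it is now also a valid TLS client certificate; if any service performs mutual-TLS authorisation against this CA, each host cert can authenticate as a client, which is wider than a server policy needs. Keep the extension critical (`- keyUsage: "critical digitalSignature, keyEncipherment"`) and issue client certificates from a separate policy unless `clientAuth` is genuinely required by every host. `days_valid: 365` combined with `days_remaining: 5` in base/pki/host.sls deserves a comment on the intended renewal cadence.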
@@ -0,0 +1,12 @@ + +{% set def_rel = 'bullseye' %} +{% if salt['pillar.get']('os:release', default = False) %} +{% set def_rel = salt['pillar.get']('os:release', default = False) %} +{% endif %} + +etc_apt_release: + file.managed: + - name: /etc/apt/apt.conf.d/01release + - user: root + - mode: 644 + - contents: 'APT::Default-Release "{{ def_rel }}";' diff --git a/base/rsyslog/client.sls b/base/rsyslog/client.sls new file mode 100644 index 0000000..d350c21 --- /dev/null +++ b/base/rsyslog/client.sls @@ -0,0 +1,4 @@ +include: + - rsyslog + - .service + \ No newline at end of file diff --git a/base/rsyslog/files/logrotate-server.conf b/base/rsyslog/files/logrotate-server.conf new file mode 100644 index 0000000..2ffd4d1 --- /dev/null +++ b/base/rsyslog/files/logrotate-server.conf @@ -0,0 +1,39 @@ +/data/logs/*/syslog +{ + rotate 10 + daily + size 50M + missingok + notifempty + delaycompress + compress + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} + +/data/logs/*/mail.info +/data/logs/*/mail.warn +/data/logs/*/mail.err +/data/logs/*/mail.log +/data/logs/*/daemon.log +/data/logs/*/kern.log +/data/logs/*/auth.log +/data/logs/*/user.log +/data/logs/*/lpr.log +/data/logs/*/cron.log +/data/logs/*/debug +/data/logs/*/messages +{ + rotate 5 + daily + size 100M + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} diff --git a/base/rsyslog/files/server.conf b/base/rsyslog/files/server.conf new file mode 100644 index 0000000..b1d7f20 --- /dev/null +++ b/base/rsyslog/files/server.conf 
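Review bot: `def_rel` is computed with two separate `pillar.get` calls and an `if`, where `{% set def_rel = salt['pillar.get']('os:release', default='bullseye') %}` does the same in one line. The managed file sets `mode: 644` but no `group: root`, unlike `repo_default` in base/packages/repo/debian.sls, which sets user, group and mode; aligning the two keeps the apt.conf.d files consistent. A one-line comment stating that `APT::Default-Release` is what keeps the sid and bullseye repos added elsewhere from becoming the default would explain why this state exists.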
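Review bot: `postrotate invoke-rc.d rsyslog rotate` is the pre-systemd hook; current Debian's own `/etc/logrotate.d/rsyslog` calls `/usr/lib/rsyslog/rsyslog-rotate`, and under systemd the `rotate` action may be a no-op, in which case rsyslog keeps writing to the rotated file — verify on a bullseye host and match whatever the package snippet uses there. A header comment such as `# SALT managed - rotation for the per-host logs written by /etc/rsyslog.d/01-server.conf` would tie the two files together. Both stanzas combine `daily` with `size`; as I read the logrotate manual, `size` replaces the time interval rather than supplementing it, and `maxsize` is the directive that rotates on either condition — worth confirming the intended behaviour and stating it in a comment.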
@@ -0,0 +1,82 @@ +# +# SALT managed. +# + +# Load UDP module +$ModLoad imudp + +# Load TCP module +$ModLoad imtcp + +# Load RELP module +$ModLoad imrelp + + +# +# Use traditional timestamp format. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + + +# Switch to remote ruleset +$RuleSet remote + + +# Log files are stored in directories matching the short hostname, excluding numbers +# i.e. web01 web02 and web03 will all log to a the web directory + +# Templates +$Template dynAuditLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/audit.log" +$Template dynAuthLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/auth.log" +$Template dynSyslog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/syslog" +$Template dynCronLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/cron.log" +$Template dynDaemonLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.log" +$Template dynKernLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/kern.log" +$Template dynUserLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/user.log" +$Template dynMailLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/mail.log" +$Template dynDebug,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/debug" +$Template dynMessages,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/messages" +$Template dynLocal0daemon,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.local0.log" + +# Rules +auth,authpriv.* ?dynAuthLog +*.*;auth.none,authpriv.none,mail.none,cron.none,kern.none,user.none,daemon.none -?dynSyslog +cron.* ?dynCronLog +kern.* -?dynKernLog +mail.* -?dynMailLog +user.* -?dynUserLog +#*.=info;*.=notice;*.=warn;\ +# +# auth.none,authpriv.none;\ +# cron.none,daemon.none;\ +# mail.none,news.none -?dynMessages +#hier gibts drachen / here are dragons +#if $syslogfacility-text == 'local0' then /var/log/somelog + +daemon.* -?dynDaemonLog + +# drachen sind put / dragons borked +# +# Special format to keep audit logs as sent. 
+$Template auditFormat,"%msg%\n" + +# Catch messages from audispd and send to audit log. +:programname, isequal, "audispd" -?dynAuditLog;auditFormat +:programname, isequal, "audispd" stop + + + +# Switch back to default ruleset +$RuleSet RSYSLOG_DefaultRuleset + +$InputUDPServerBindRuleset remote +$UDPServerRun 514 +$UDPServerAddress * + +$InputTCPServerBindRuleset remote +$InputTCPServerRun 514 + +$InputRELPServerBindRuleset remote +$InputRELPServerRun 20514 + + diff --git a/base/rsyslog/server.sls b/base/rsyslog/server.sls new file mode 100644 index 0000000..6e878f6 --- /dev/null +++ b/base/rsyslog/server.sls @@ -0,0 +1,22 @@ +include: + - rsyslog + - .service + +rsyslog-server.conf: + file.managed: + - name: /etc/rsyslog.d/01-server.conf + - source: salt://base/rsyslog/files/server.conf + - user: root + - group: root + - onchange: + - service: rsyslog + +lograte-rsyslog-logs: + file.managed: + - name: /etc/logrotate.d/rsyslog-HOSTS-logs + - source: salt://base/rsyslog/files/logrotate-server.conf + - user: root + - group: root + + + \ No newline at end of file diff --git a/base/rsyslog/service.sls b/base/rsyslog/service.sls new file mode 100644 index 0000000..952e70d --- /dev/null +++ b/base/rsyslog/service.sls @@ -0,0 +1,5 @@ + +rsyslog: + service.running: + - enable: True + - reload: False diff --git a/base/timezone.sls b/base/timezone.sls new file mode 100644 index 0000000..3534b67 --- /dev/null +++ b/base/timezone.sls @@ -0,0 +1,5 @@ +etc_timezone: + file.managed: + - name: /etc/timezone + - contents: | + Europe/Berlin diff --git a/hardware/common/apt.sls b/hardware/common/apt.sls index f15394a..5a4178b 100644 --- a/hardware/common/apt.sls +++ b/hardware/common/apt.sls 
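Review bot: `$UDPServerAddress *` comes after `$UDPServerRun 514`, but in rsyslog's legacy syntax the address directive applies to the next `$UDPServerRun`, so here it sets nothing (the listener has already bound the default); move it above the Run line and give the TCP and RELP inputs an explicit bind address as well. All three inputs (UDP 514, TCP 514, RELP 20514) accept unauthenticated cleartext from any source, and the `remote` ruleset chooses the directory under `/data/logs/` from the sender-supplied hostname; the `R,ERE,1,DFLT:([A-Za-z-]*)` property regex is the only thing keeping that to a plain directory name and deserves a comment saying so. Restrict senders (e.g. `$AllowedSender TCP, 10.0.0.0/8` — constructed example — or a firewall rule) and consider TLS on the TCP/RELP inputs for anything crossing an untrusted segment. The `dynMessages` template is defined but its only rule is commented out, so it can go.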
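Review bot: `- onchange:` under `rsyslog-server.conf` is not a Salt requisite (the real name is `onchanges`), and even spelled correctly it would make the config file depend on the service changing, which is backwards; what is wanted is the service reloading when the file changes, i.e. `- watch_in: - service: rsyslog` here, or a `watch` on the file in base/rsyslog/service.sls. As written nothing restarts rsyslog after `/etc/rsyslog.d/01-server.conf` is deployed or updated, so the listeners defined there never come up until a manual restart. The state id `lograte-rsyslog-logs` has a typo (`logrotate`), and the file ends with blank lines and no newline.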
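Review bot: Writing `Europe/Berlin` into `/etc/timezone` does not update `/etc/localtime`, which is what libc and systemd actually consult, so the running system keeps whatever zone it had; Salt's `timezone.system` state handles both (`etc_timezone: timezone.system: - name: Europe/Berlin`). If the raw file is kept deliberately, a `cmd.run` of `dpkg-reconfigure -f noninteractive tzdata` with `onchanges` on this file is the Debian way to resync them, and a comment should say which approach is chosen.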
@@ -1,10 +1,10 @@ apt-proxy: - file.managed: + file.absent: - name: /etc/apt/apt.conf.d/proxy - contents: | # SALT managed - Acquire::http::proxy "http://apt-cache.lan:3142"; - Acquire::ftp::proxy "http://apt-cache.lan:3142"; + Acquire::http::proxy "http://apt-cache.lan"; + Acquire::ftp::proxy "http://apt-cache.lan"; diff --git a/hardware/common/init.sls b/hardware/common/init.sls index d864aa9..04aa0e2 100644 --- a/hardware/common/init.sls +++ b/hardware/common/init.sls @@ -5,7 +5,7 @@ set hardwaretype = salt['grains.get']( ) %} -include: -{%- if 'unknown' not in hardwaretype %} - - .apt -{%- endif %} +#include: +#{%- if 'unknown' not in hardwaretype %} +# - .apt +#{%- endif %} diff --git a/hardware/espressobin/init.sls b/hardware/espressobin/init.sls new file mode 100644 index 0000000..9a20f0f --- /dev/null +++ b/hardware/espressobin/init.sls @@ -0,0 +1,5 @@ +#!jinja|yaml|gpg + + +include: + - .pkgs \ No newline at end of file diff --git a/hardware/espressobin/pkgs.sls b/hardware/espressobin/pkgs.sls new file mode 100644 index 0000000..34cd88f --- /dev/null +++ b/hardware/espressobin/pkgs.sls @@ -0,0 +1,6 @@ +#!jinja|yaml|gpg + +espressobin-pkgs: + pkg.installed: + - pkgs: + - smartmontools \ No newline at end of file diff --git a/hardware/init.sls b/hardware/init.sls index 97b51bc..f3aadc4 100644 --- a/hardware/init.sls +++ b/hardware/init.sls @@ -3,3 +3,11 @@ include: {% if grains['hardware'] == 'RaspberryPi' %} - .raspberrypi {% endif %} + +#{% if grains['hardware'] == 'Pine64' %} +# - .pine64 +#{% endif %} + +{% if grains['hardware'] == 'Espressobin' %} + - .espressobin +{% endif %} \ No newline at end of file diff --git a/hardware/raspberrypi/fan/files/fan_ctrl.py b/hardware/raspberrypi/fan/files/fan_ctrl.py index 864934a..be2b1e9 100644 --- a/hardware/raspberrypi/fan/files/fan_ctrl.py +++ b/hardware/raspberrypi/fan/files/fan_ctrl.py 
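Review bot: Switching `apt-proxy` to `file.absent` leaves the `contents:` block in place, and the same hunk still edits the proxy URLs inside it; `file.absent` does not use `contents`, so those lines are dead and the changed `Acquire::http::proxy "http://apt-cache.lan"` value is never written anywhere — delete the whole `contents` block so the state is just the removal. Since hardware/common/init.sls comments out the `.apt` include in the same commit, this state is not reached at all; if proxying now happens through `services:apt-cache` in the repo templates, a one-line comment here saying so explains why the proxy file is being removed.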
@@ -10,7 +10,7 @@ import sys # Configuration FAN_PIN = getenv('RPI_FAN_PIN', 21) # BCM pin used to drive transistor's base -WAIT_TIME = getenv('RPI_FAN_WAITTIME', 5) # [s] Time to wait between each refresh +WAIT_TIME = getenv('RPI_FAN_WAITTIME', 10) # [s] Time to wait between each refresh FAN_MIN = getenv('RPI_FAN_MIN', 80) # [%] Fan minimum speed. PWM_FREQ = getenv('RPI_FAN_PWMFREQ', 25000) # [Hz] Change this value if fan has strange behavior # Fan speed will change only of the difference of temperature is higher than hysteresis @@ -21,7 +21,7 @@ prom_collect_dir = getenv('RPI_PROM_COLLECTDIR','/tmp/textfile-collector') prom_collect_file = prom_collect_dir + '/rpi_fan.prom' # Configurable temperature and fan speed steps -tempSteps = [60, 66, 70, 75] # [°C] +tempSteps = [60, 70, 75, 80] # [°C] speedSteps = [0, 80, 90, 100] # [%] # tempSteps = [40, 45] # speedSteps = [0, 100] diff --git a/hardware/raspberrypi/init.sls b/hardware/raspberrypi/init.sls index 83478de..158f7bc 100644 --- a/hardware/raspberrypi/init.sls +++ b/hardware/raspberrypi/init.sls @@ -13,6 +13,8 @@ set has_fan = salt['pillar.get']( %} include: + - .repo + - .wifi {%- if 'node_exporter' in has_promexporter %} - .prometheus-exporter {%- endif %} diff --git a/hardware/raspberrypi/repo.sls b/hardware/raspberrypi/repo.sls new file mode 100644 index 0000000..90496e4 --- /dev/null +++ b/hardware/raspberrypi/repo.sls 
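Review bot: `WAIT_TIME = getenv('RPI_FAN_WAITTIME', 10)` changes the default but keeps the pattern in which the value is an `int` when the variable is unset and a `str` when it is set, so any sleep or arithmetic downstream behaves differently in the two cases. Convert at the boundary — `WAIT_TIME = int(getenv('RPI_FAN_WAITTIME', 10))` — and do the same for the other `getenv` defaults in this block (`FAN_PIN`, `FAN_MIN`, `PWM_FREQ`). The second hunk moves `tempSteps` to `[60, 70, 75, 80]`; a comment giving the thermal reason would document the tuning, and the commented-out `tempSteps = [40, 45]` / `speedSteps = [0, 100]` pair below it looks like leftover debugging.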
@@ -0,0 +1,37 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +{%- set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +repo_raspi: + pkgrepo.managed: + - name: deb http://{{ cache_url }}raspbian.raspberrypi.org/raspbian/ {{ grains['oscodename'] }} main contrib firmware rpi + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/raspi.list + - clean_file: True + - key_url: http://archive.raspberrypi.org/debian/raspberrypi.gpg.key + +repo_archive_raspi: + pkgrepo.managed: + - name: deb http://{{ cache_url }}archive.raspberrypi.org/debian/ {{ grains['oscodename'] }} main + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/raspi_archive.list + - clean_file: True + - key_url: https://archive.raspbian.org/raspbian.public.key + +{% if grains.get('os_flavor') == 'OSMC' %} + +repo_archive_osmc: + pkgrepo.managed: + - name: deb http://{{ cache_url }}apt.osmc.tv {{ grains['oscodename'] }} main + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/osmc.list + - clean_file: True + - key_url: https://ftp.fau.de/osmc/osmc/apt/osmc_repository.gpg + +{% endif %} diff --git a/hardware/raspberrypi/wifi/files/interfaces-wlan0 b/hardware/raspberrypi/wifi/files/interfaces-wlan0 new file mode 100644 index 0000000..af96d98 --- /dev/null +++ b/hardware/raspberrypi/wifi/files/interfaces-wlan0 @@ -0,0 +1,6 @@ +# SALTSTACK +allow-hotplug wlan0 +iface wlan0 inet dhcp + wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf + wireless-power off + \ No newline at end of file diff --git a/hardware/raspberrypi/wifi/init.sls b/hardware/raspberrypi/wifi/init.sls new file mode 100644 index 0000000..dfd5226 --- /dev/null +++ b/hardware/raspberrypi/wifi/init.sls @@ -0,0 +1,8 @@ +# disable wifi powermanagement + +ifup-wlan0-powersave-off: + file.managed: + - name: /etc/network/interfaces.d/wlan0 + - source: + - salt://hardware/raspberrypi/wifi/files/interfaces-wlan0 + 
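Review bot: `key_url: http://archive.raspberrypi.org/debian/raspberrypi.gpg.key` fetches the signing key for `repo_raspi` over plain HTTP, so the trust anchor itself can be replaced in transit; use `https://` (both archive hosts serve TLS as far as I know) or ship the key from the salt fileserver. The keys also look swapped: `repo_raspi` (raspbian.raspberrypi.org) gets raspberrypi.gpg.key while `repo_archive_raspi` (archive.raspberrypi.org/debian) gets raspbian.public.key — it works only because `key_url` drops both into the global keyring, which masks the mix-up; check which key signs each Release file and pair them accordingly. Scoping each key with `signed-by` would make a wrong pairing fail loudly instead.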
diff --git a/k8s/admin.sls b/k8s/admin.sls index 89220f3..0d0d338 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -2,10 +2,22 @@ # vim: ft=yaml --- include: - - kubernetes.package.repo + - .repo.kubernetes + - .cri-tools +{% set k8s_v = "1.26.00-00" %} k8s_pkgs-kubelet: pkg.installed: + - hold: True - pkgs: - - kubectl + - kubectl: {{ k8s_v }} + - kubeadm: {{ k8s_v }} + - kubelet: {{ k8s_v }} + - require: + - pkgrepo: repo_kubernetes.io + +k8s-additions_pkgs: + pkg.installed: + - pkgs: + - apparmor diff --git a/k8s/containerd.sls b/k8s/containerd.sls new file mode 100644 index 0000000..9026fb3 --- /dev/null +++ b/k8s/containerd.sls @@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +include: + - base.packages.repo.debian-sid + - .cri-tools + +containerd_pkgs: + pkg.installed: + - pkgs: + - containerd + - containernetworking-plugins + - crun + - runc + - require: + - pkgrepo: repo_debian-sid + +/etc/containerd/config.toml: + file.managed: + - source: salt://k8s/files/containerd-config.toml + - mode: 644 + - user: root + - group: root diff --git a/k8s/cri-tools.sls b/k8s/cri-tools.sls new file mode 100644 index 0000000..989504a --- /dev/null +++ b/k8s/cri-tools.sls @@ -0,0 +1,17 @@ +include: + - .repo.kubernetes + +cri-tools_pkgs: + pkg.installed: + - pkgs: + - cri-tools + +/etc/crictl.yaml: + file.managed: + - mode: 644 + - user: root + - group: root + - contents: | + #SALT managed + runtime-endpoint: unix:///var/run/containerd/containerd.sock + image-endpoint: unix:///var/run/containerd/containerd.sock diff --git a/k8s/docker.sls b/k8s/docker.sls new file mode 100644 index 0000000..513c1c5 --- /dev/null +++ b/k8s/docker.sls @@ -0,0 +1,16 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +docker_pkgs: + pkg.installed: + - pkgs: + - docker.io + + +/etc/docker/daemon.json: + file.managed: + - source: salt://k8s/files/etc_docker_daemon.json + - mode: 644 + - user: root + - group: root 
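Review bot: `{% set k8s_v = "1.26.00-00" %}` — the Kubernetes apt packages publish versions of the form `1.26.0-00`, and `pkg.installed` with an explicit version hands the literal to apt, which needs an exact match, so verify the string against the repository's package index before relying on the `hold`. As with `salt_v` in base/packages/salt/master.sls, the pin belongs in pillar with a comment that bumping it is the upgrade path; `hold: True` otherwise freezes kubelet/kubeadm/kubectl on 1.26 indefinitely. `k8s_pkgs-kubelet` now installs all three binaries, so the id is misleading (`k8s_pkgs` would do), and `k8s-additions_pkgs: apparmor` deserves a comment on why it is needed (presumably AppArmor profile support on the nodes — confirm).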
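Review bot: `containerd`, `containernetworking-plugins`, `crun` and `runc` are pulled from the sid repository (`require: - pkgrepo: repo_debian-sid`) onto what the rest of the commit treats as a bullseye host; besides `repo_debian-sid` not rendering when `os:release` is bullseye, mixing unstable runtime packages with a stable libc is fragile, so a comment should state which version is needed and why backports is not sufficient. Nothing in this file, or visible elsewhere in the diff, manages a `containerd` service, so changes to `/etc/containerd/config.toml` are never applied until someone restarts it; add a `service.running` for containerd with `watch: - file: /etc/containerd/config.toml` and `require: - pkg: containerd_pkgs`, unless that service state lives in a file outside this diff.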
diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml new file mode 100644 index 0000000..63ce926 --- /dev/null +++ b/k8s/files/containerd-config.toml @@ -0,0 +1,31 @@ +version = 2 + +[debug] + level = "warn" + +[plugins] + + [plugins."io.containerd.grpc.v1.cri"] + [plugins."io.containerd.grpc.v1.cri".containerd] + snapshoter = "overlayfs" + default_runtime_name = "runc" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + runtime_type = "io.containerd.runc.v2" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + SystemdCgroup = true + [plugins."io.containerd.grpc.v1.cri".cni] + bin_dir = "/opt/cni/bin" + conf_dir = "/etc/cni/net.d" + [plugins."io.containerd.internal.v1.opt"] + path = "/var/lib/containerd/opt" + [plugins."io.containerd.grpc.v1.cri".registry] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"] + endpoint = ["http://cr.lan"] + #[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] + # endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] + [plugins."io.containerd.grpc.v1.cri".registry.configs] + [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] + insecure_skip_verify = true + # [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] + # insecure_skip_verify = true diff --git a/k8s/files/etc_containers_registries.conf b/k8s/files/etc_containers_registries.conf new file mode 100644 index 0000000..488b6d9 --- /dev/null +++ b/k8s/files/etc_containers_registries.conf 
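Review bot: `snapshoter = "overlayfs"` under `[plugins."io.containerd.grpc.v1.cri".containerd]` is misspelled — the key is `snapshotter` — so containerd ignores it and falls back to its default, which on Linux is overlayfs anyway, which is why the typo goes unnoticed. The `cr.lan` mirror is configured with `endpoint = ["http://cr.lan"]` and `insecure_skip_verify = true`, so every image pulled through it travels unauthenticated across the LAN and can be substituted by whoever answers for `cr.lan`; if the registry cannot be issued a certificate from the internal CA that base/pki distributes, a comment should at least record that the mirror is trusted on network position alone, and the commented `docker.io` entries should be removed rather than left ready to enable. A header comment marking the file as Salt-managed, like the other templates in this commit, would discourage local edits.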
@@ -0,0 +1,80 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+unqualified-search-registries = ["docker.io"]
+#
+[[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "cr.lan"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+insecure = true
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# # prefix = "example.com/foo"
+# # location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+location = "cr.lan"
+
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
+# # in order, and use the first one that exists.
+#[[registry]]
+#prefix="quay.io"
+#location="qi-mirror.lan"
+#insecure = true
+
+[[registry]]
+prefix="docker.io"
+location="dr-mirror.lan"
+insecure = true
\ No newline at end of file
diff --git a/k8s/files/etc_docker_daemon.json b/k8s/files/etc_docker_daemon.json
index 2dd9abe..d5cb977 100644
--- a/k8s/files/etc_docker_daemon.json
+++ b/k8s/files/etc_docker_daemon.json
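Review bot: The final `[[registry]]` table rewrites every `docker.io` pull to `dr-mirror.lan` with `insecure = true`, and the `cr.lan` table is marked insecure as well, so all image traffic on podman hosts is plain HTTP or unverified TLS and there is no fallback to the upstream when the mirror is down; the header of this very file warns about that trade-off. Declaring `dr-mirror.lan` as a `[[registry.mirror]]` under a `docker.io` table keeps the upstream as a last resort and scopes `insecure` to the mirror entry alone, as below. Longer term the mirror should get a certificate so `insecure` can be dropped from both tables.
```toml
# … unchanged: header comments, unqualified-search-registries, cr.lan table …

[[registry]]
prefix = "docker.io"
location = "docker.io"

[[registry.mirror]]
location = "dr-mirror.lan"
insecure = true
```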
@@ -1,12 +1,10 @@
 {
 "exec-opts": ["native.cgroupdriver=systemd"],
- "log-driver": "json-file",
- "log-opts": {
- "max-size": "100m"
- },
+ "log-level": "warn",
 "storage-driver": "overlay2",
+ "registry-mirrors": ["https://cr.lan"],
 "insecure-registries" : [
- "docker-registry.lan"
+ "cr.lan"
 ]
 }
diff --git a/k8s/files/podman-policy.json b/k8s/files/podman-policy.json
new file mode 100644
index 0000000..bdc833a
--- /dev/null
+++ b/k8s/files/podman-policy.json
@@ -0,0 +1,8 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+}
+
diff --git a/k8s/init.sls b/k8s/init.sls
index 21b7dfb..72dc312 100644
--- a/k8s/init.sls
+++ b/k8s/init.sls
@@ -3,6 +3,9 @@
 ---
 include:
 - .admin
+ - .containerd
+ - .repo.kubernetes
+ #- .docker
 #- .filesystems
@@ -13,21 +16,14 @@ include:
 - user: root
 - group: root
-/etc/docker/daemon.json:
- file.managed:
- - source: salt://k8s/files/etc_docker_daemon.json
- - mode: 644
- - user: root
- - group: root
-
 k8s_pkgs:
 pkg.installed:
 - pkgs:
- - docker.io
 - cgroupfs-mount
 - debootstrap
 - kubectl
 - kubelet
 - kubetail
 - qemu-utils
+ - require:
+ - pkgrepo: repo_kubernetes.io
diff --git a/k8s/podman.sls b/k8s/podman.sls
new file mode 100644
index 0000000..f80292a
--- /dev/null
+++ b/k8s/podman.sls
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+---
+{% if grains['oscodename'] != 'bullseye' %}
+include:
+ - base.packages.repo.debian-bullseye
+{% endif %}
+
+podman_pkgs:
+ pkg.installed:
+ - pkgs:
+ - podman
+ - runc
+ - containers-storage
+
+/etc/containers/policy.json:
+ file.managed:
+ - source: salt://k8s/files/podman-policy.json
+ - mode: 644
+ - user: root
+ - group: root
+
+/etc/containers/registries.conf:
+ file.managed:
+ - source: salt://k8s/files/etc_containers_registries.conf
+ - mode: 644
+ - user: root
+ - group: root
diff --git a/k8s/repo/kubernetes.sls b/k8s/repo/kubernetes.sls
new file mode 100644
index 0000000..c3da4e3
--- /dev/null
+++ b/k8s/repo/kubernetes.sls
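Review bot: Removing `"log-driver": "json-file"` together with its `"log-opts": {"max-size": "100m"}` leaves Docker on the json-file driver (its default) with no rotation at all, so one chatty container can fill the root filesystem; keep `"log-opts": {"max-size": "100m"}` even though the driver line itself was redundant. `"registry-mirrors": ["https://cr.lan"]` is paired with `cr.lan` in `insecure-registries`, which tells the daemon to also accept a plain-HTTP or untrusted-certificate answer from that host; if the mirror really serves HTTPS with a valid chain, the insecure entry should go so the mirror cannot be silently downgraded.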
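Review bot: A default policy of `insecureAcceptAnything` switches signature verification off for every transport and registry, and the `registries.conf` added in this commit marks the registries insecure as well, so nothing on the podman path checks the origin or integrity of a pulled image. Scoping the exception instead of making it global keeps that property visible: set `"default": [{"type": "reject"}]` and list the registries that are deliberately trusted under `"transports": {"docker": {...}}`, which is also where a `cr.lan` or `dr-mirror.lan` entry belongs.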
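Review bot: In the second hunk `k8s_pkgs` still lists `kubectl` and `kubelet` without a version while the included `k8s/admin.sls` pins both to `{{ k8s_v }}` with `hold: True`, so two `pkg.installed` states now describe the same packages with different version specs and Salt will try to satisfy both on every run; how that interacts with a held package depends on the Salt release. Dropping `- kubectl` and `- kubelet` from this list and leaving them to `admin.sls` resolves it, and the added `require: - pkgrepo: repo_kubernetes.io` then belongs only where a kubernetes package is actually installed. The new `#- .docker` include next to the live `.containerd` include reads as a leftover and could be removed.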
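Review bot: `podman_pkgs` has no `require: - pkgrepo:` for the `debian-bullseye` repository it conditionally includes, unlike `containerd_pkgs` in `k8s/containerd.sls`, so on a first run the package install may be attempted before that repository exists; the same `require` shape used there would make ordering explicit. Installing bullseye's `podman` on a newer codename also pins an older runtime with its own security-update cadence; if the intent is to avoid a specific newer version, a version spec on the package plus a one-line comment would say so.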
@@ -0,0 +1,8 @@
+
+repo_kubernetes.io:
+ pkgrepo.managed:
+ - name: 'deb [arch=arm64] https://apt.kubernetes.io/ kubernetes-xenial main'
+ - file: /etc/apt/sources.list.d/kubernetes.list
+ - key_url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
+ - clean_file: True
+
diff --git a/os/armbian/cron.sls b/os/armbian/cron.sls
new file mode 100644
index 0000000..fcd529d
--- /dev/null
+++ b/os/armbian/cron.sls
@@ -0,0 +1,4 @@
+# remove this pesky thing,
+# we knwo what we are doing
+/etc/cron.d/armbian-updates:
+ file.absent
diff --git a/os/armbian/init.sls b/os/armbian/init.sls
new file mode 100644
index 0000000..f749cc8
--- /dev/null
+++ b/os/armbian/init.sls
@@ -0,0 +1,6 @@
+include:
+ - .repo
+ - .packages
+ - .cron
+ - .systemd
+
diff --git a/os/armbian/packages.sls b/os/armbian/packages.sls
new file mode 100644
index 0000000..821dd2b
--- /dev/null
+++ b/os/armbian/packages.sls
@@ -0,0 +1,14 @@
+armbian-removed:
+ pkg.purged:
+ - pkgs:
+ - armbian-zsh
+ - alsa-utils
+ - wireless-tools
+ - wireless-regdb
+ - man-db
+ - groff-base
+
+armbian-zsh-etc-purge:
+ file.absent:
+ - name: /etc/oh-my-zsh
+ - recurse: True
diff --git a/os/armbian/repo.sls b/os/armbian/repo.sls
new file mode 100644
index 0000000..c133a97
--- /dev/null
+++ b/os/armbian/repo.sls
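Review bot: The `name` line carries no `signed-by=` option, so the key fetched via `key_url` goes into the global apt trust store and can authenticate any configured repository, not only this one. The Debian-recommended form is `- name: 'deb [arch=arm64 signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main'` with the key written by a `file.managed` state and, where the Salt release supports it, `aptkey: False` on `pkgrepo.managed`. Separately, `apt.kubernetes.io` is the legacy Google-hosted repository that the Kubernetes project froze in 2023 in favour of `pkgs.k8s.io`, so this state may stop receiving patch releases and is worth re-pointing.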
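Review bot: `- recurse: True` under `file.absent` in `armbian-zsh-etc-purge` is not a parameter of that state; `file.absent` already removes a directory and everything under it, so the line is inert and should go before a reader takes it for a safety switch. Purging `man-db` and `groff-base` also removes the `man` toolchain on every Armbian host, which is fine for an appliance but deserves a one-line comment above the list stating that it is intentional.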
@@ -0,0 +1,39 @@
+#!jinja|yaml|gpg
+
+{% set base_url = 'mirrors.dotsrc.org' %}
+
+
+{%-
+ set cache_url = salt['pillar.get'](
+ 'services:apt-cache',
+ default=''
+ )
+%}
+
+{%-
+ set os_rel = salt['pillar.get'](
+ 'os:release',
+ default=False
+ )
+%}
+
+{% if not os_rel %}
+{% set os_rel = grains['oscodename'] %}
+{% endif %}
+
+
+repo_armbian:
+ pkgrepo.managed:
+ - name: 'deb http://{{ cache_url }}{{ base_url }}/armbian-apt {{ os_rel }} main {{ os_rel }}-utils #{{ os_rel }}-desktop'
+ - dist: {{ os_rel }}
+ - file: /etc/apt/sources.list.d/armbian.list
+ - clean_file: True
+
+pin_repo_armbian:
+ file.absent:
+ - name: /etc/apt/apt.conf.d/999_pin_repo_armbian
+ - contents: |
+ #SALT Managed
+ Package: *
+ Pin: origin {{ cache_url }}{{ base_url }}
+ Pin-Priority: 1001
\ No newline at end of file
diff --git a/os/armbian/systemd.sls b/os/armbian/systemd.sls
new file mode 100644
index 0000000..e69de29
diff --git a/os/init.sls b/os/init.sls
new file mode 100644
index 0000000..cee44de
--- /dev/null
+++ b/os/init.sls
@@ -0,0 +1,5 @@
+{% if grains['os_flavor'] == 'Armbian' %}
+include:
+ - .armbian
+{% endif %}
+
diff --git a/roles/mpd/common.sls b/roles/mpd/common.sls
new file mode 100644
index 0000000..9fe7237
--- /dev/null
+++ b/roles/mpd/common.sls
@@ -0,0 +1,14 @@
+mpd_pkgs:
+ pkg.installed:
+ - pkgs:
+ - mpd
+ - mpc
+
+etc_mpd_conf:
+ file:
+ - managed
+ - name: /etc/mpd.conf
+ - source: salt://roles/mpd/files/mpd.conf
+ - user: mpd
+ - group: audio
+ - mode: 0600
\ No newline at end of file
diff --git a/roles/mpd/files/mpd.conf b/roles/mpd/files/mpd.conf
new file mode 100644
index 0000000..6c3baba
--- /dev/null
+++ b/roles/mpd/files/mpd.conf
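Review bot: `pin_repo_armbian` is declared `file.absent` yet still carries a `contents:` block that `file.absent` ignores, so either the state was meant to be `file.managed` (which would pin every package from the Armbian mirror at priority 1001 — a global downgrade policy for `Package: *`) or the contents are leftovers and should be deleted so the intent is unambiguous. If the removal is deliberate, a comment such as `# deliberately absent: a 1001 pin on Package: * would force downgrades from this mirror` settles it. `repo_armbian` also sets no `key_url`/`keyid`, so apt trusts this `http://` source only because the Armbian image already ships the signing key; that hidden dependency deserves a note next to the state.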
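Review bot: `grains['os_flavor']` fails to render on any minion where the custom grain from `_grains/os_flavor.py` has not been synced yet, which aborts the whole highstate instead of merely skipping the Armbian include. `{% if grains.get('os_flavor') == 'Armbian' %}` degrades to the non-Armbian path in that case.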
@@ -0,0 +1,850 @@ +### +### SALT managed +### + + +# An example configuration file for MPD. +# Read the user manual for documentation: http://www.musicpd.org/doc/user/ +# or /usr/share/doc/mpd/html/user.html + + +# Files and directories ####################################################### +# +# This setting controls the top directory which MPD will search to discover the +# available audio files and add them to the daemon's online database. This +# setting defaults to the XDG directory, otherwise the music directory will be +# be disabled and audio files will only be accepted over ipc socket (using +# file:// protocol) or streaming files over an accepted protocol. +# +music_directory "/net/tumor.chaos/srv/pub/Music" +# +# This setting sets the MPD internal playlist directory. The purpose of this +# directory is storage for playlists created by MPD. The server will use +# playlist files not created by the server but only if they are in the MPD +# format. This setting defaults to playlist saving being disabled. +# +playlist_directory "/var/lib/mpd/playlists" +# +# This setting sets the location of the MPD database. This file is used to +# load the database at server start up and store the database while the +# server is not up. This setting defaults to disabled which will allow +# MPD to accept files over ipc socket (using file:// protocol) or streaming +# files over an accepted protocol. +# +db_file "/var/lib/mpd/tag_cache" +# +# These settings are the locations for the daemon log files for the daemon. +# These logs are great for troubleshooting, depending on your log_level +# settings. +# +# The special value "syslog" makes MPD use the local syslog daemon. This +# setting defaults to logging to syslog. +# +# If you use systemd, do not configure a log_file. With systemd, MPD +# defaults to the systemd journal, which is fine. 
+# +#log_file "/var/log/mpd/mpd.log" + +# This setting sets the location of the file which stores the process ID +# for use of mpd --kill and some init scripts. This setting is disabled by +# default and the pid file will not be stored. +# +# If you use systemd, do not configure a pid_file. +# +#pid_file "/run/mpd/pid" + +# This setting sets the location of the file which contains information about +# most variables to get MPD back into the same general shape it was in before +# it was brought down. This setting is disabled by default and the server +# state will be reset on server start up. +# +state_file "/var/lib/mpd/state" +# +# The location of the sticker database. This is a database which +# manages dynamic information attached to songs. +# +sticker_file "/var/lib/mpd/sticker.sql" +# +############################################################################### + + +# General music daemon options ################################################ +# +# This setting specifies the user that MPD will run as. MPD should never run as +# root and you may use this setting to make MPD change its user ID after +# initialization. This setting is disabled by default and MPD is run as the +# current user. +# +user "mpd" +# +# This setting specifies the group that MPD will run as. If not specified +# primary group of user specified with "user" setting will be used (if set). +# This is useful if MPD needs to be a member of group such as "audio" to +# have permission to use sound card. +# +#group "nogroup" +# +# This setting sets the address for the daemon to listen on. Careful attention +# should be paid if this is assigned to anything other than the default, any. +# This setting can deny access to control of the daemon. Not effective if +# systemd socket activation is in use. +# +# For network +bind_to_address "0.0.0.0" +# +# And for Unix Socket +#bind_to_address "/run/mpd/socket" +# +# This setting is the TCP port that is desired for the daemon to get assigned +# to. 
+# +#port "6600" +# +# Suppress all messages below the given threshold. Use "verbose" for +# troubleshooting. Available setting arguments are "notice", "info", "verbose", +# "warning" and "error". +# +log_level "warning" +# +# Setting "restore_paused" to "yes" puts MPD into pause mode instead +# of starting playback after startup. +# +#restore_paused "no" +# +# This setting enables MPD to create playlists in a format usable by other +# music players. +# +#save_absolute_paths_in_playlists "no" +# +# This setting defines a list of tag types that will be extracted during the +# audio file discovery process. The complete list of possible values can be +# found in the user manual. +#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc" +# +# This example just enables the "comment" tag without disabling all +# the other supported tags: +#metadata_to_use "+comment" +# +# This setting enables automatic update of MPD's database when files in +# music_directory are changed. +# +#auto_update "yes" +# +# Limit the depth of the directories being watched, 0 means only watch +# the music directory itself. There is no limit by default. +# +#auto_update_depth "3" +# +############################################################################### + + +# Symbolic link behavior ###################################################### +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links outside of the configured music_directory. +# +#follow_outside_symlinks "yes" +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links inside of the configured music_directory. +# +#follow_inside_symlinks "yes" +# +############################################################################### + + +# Zeroconf / Avahi Service Discovery ########################################## +# +# If this setting is set to "yes", service information will be published with +# Zeroconf / Avahi. 
+# +#zeroconf_enabled "yes" +# +# The argument to this setting will be the Zeroconf / Avahi unique name for +# this MPD server on the network. %h will be replaced with the hostname. +# +#zeroconf_name "Music Player @ %h" +# +############################################################################### + + +# Permissions ################################################################# +# +# If this setting is set, MPD will require password authorization. The password +# setting can be specified multiple times for different password profiles. +# +#password "password@read,add,control,admin" +# +# This setting specifies the permissions a user has who has not yet logged in. +# +#default_permissions "read,add,control,admin" +# +############################################################################### + + +# Database ####################################################################### +# +# An example of a database section instead of the old 'db_file' setting. +# It enables mounting other storages into the music directory. 
+# +#database { +# plugin "simple" +# path "/var/lib/mpd/tag_cache" +# cache_directory "/var/lib/mpd/cache" +#} +# +# An example of database config for a satellite setup +# +#music_directory "nfs://fileserver.local/srv/mp3" +#database { +# plugin "proxy" +# host "other.mpd.host" +# port "6600" +#} + +# Input ####################################################################### +# +input { + plugin "curl" +# proxy "proxy.isp.com:8080" +# proxy_user "user" +# proxy_password "password" +} + +# Decoder ##################################################################### +# + +decoder { + plugin "hybrid_dsd" + enabled "no" +# gapless "no" +} +decoder { + plugin "wildmidi" + enabled "no" + #config_file "/etc/timidity/timidity.cfg" +} + +# +############################################################################### + +# Audio Output ################################################################ +# +# MPD supports various audio output types, as well as playing through multiple +# audio outputs at the same time, through multiple audio_output settings +# blocks. Setting this block is optional, though the server will only attempt +# autodetection for one sound card. +# +# An example of an ALSA output: +# +audio_output { + type "pipewire" + name "Pipewire" +# target "name" #Link to the given target. If not specified, + # let the PipeWire manager select a target. + # To get a list of available targets, type pw-cli dump short Node +# remote "name" + dsd "no" #Enable DSD playback. This requires PipeWire 0.38. 
+ +} + +#audio_output { +# type "alsa" +# name "My ALSA Device" +## device "hw:0,0" # optional +## mixer_type "hardware" # optional +## mixer_device "default" # optional +## mixer_control "PCM" # optional +## mixer_index "0" # optional +#} +# +# An example of an OSS output: +# +#audio_output { +# type "oss" +# name "My OSS Device" +## device "/dev/dsp" # optional +## mixer_type "hardware" # optional +## mixer_device "/dev/mixer" # optional +## mixer_control "PCM" # optional +#} +# +# An example of a shout output (for streaming to Icecast): +# +#audio_output { +# type "shout" +# encoder "vorbis" # optional +# name "My Shout Stream" +# host "localhost" +# port "8000" +# mount "/mpd.ogg" +# password "hackme" +# quality "5.0" +# bitrate "128" +# format "44100:16:1" +## protocol "icecast2" # optional +## user "source" # optional +## description "My Stream Description" # optional +## url "http://example.com" # optional +## genre "jazz" # optional +## public "no" # optional +## timeout "2" # optional +## mixer_type "software" # optional +#} +# +# An example of a recorder output: +# +#audio_output { +# type "recorder" +# name "My recorder" +# encoder "vorbis" # optional, vorbis or lame +# path "/var/lib/mpd/recorder/mpd.ogg" +## quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +#} +# +# An example of a httpd output (built-in HTTP streaming server): +# +#audio_output { +# type "httpd" +# name "My HTTP Stream" +# encoder "vorbis" # optional, vorbis or lame +# port "8000" +# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6 +## quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +# max_clients "0" # optional 0=no limit +#} +# +# An example of a pulseaudio output (streaming to a remote pulseaudio server) +# Please see README.Debian if you want mpd to play through the pulseaudio +# daemon started as part of your 
graphical desktop session! +# +#audio_output { +# type "pulse" +# name "My Pulse Output" +## server "remote_server" # optional +## sink "remote_server_sink" # optional +## media_role "media_role" #optional +#} +# +# An example of a winmm output (Windows multimedia API). +# +#audio_output { +# type "winmm" +# name "My WinMM output" +## device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +# or +## device "0" # optional +## mixer_type "hardware" # optional +#} +# +# An example of an openal output. +# +#audio_output { +# type "openal" +# name "My OpenAL output" +## device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +#} +# +# An example of an sndio output. +# +#audio_output { +# type "sndio" +# name "sndio output" +# mixer_type "hardware" +#} +# +# An example of an OS X output: +# +#audio_output { +# type "osx" +# name "My OS X Device" +## device "Built-in Output" # optional +## channel_map "-1,-1,0,1" # optional +#} +# +## Example "pipe" output: +# +#audio_output { +# type "pipe" +# name "my pipe" +# command "aplay -f cd 2>/dev/null" +## Or if you're want to use AudioCompress +# command "AudioCompress -m | aplay -f cd 2>/dev/null" +## Or to send raw PCM stream through PCM: +# command "nc example.org 8765" +# format "44100:16:2" +#} +# +## An example of a null output (for no audio output): +# +#audio_output { +# type "null" +# name "My Null Output" +# mixer_type "none" # optional +#} +# +############################################################################### + + +# Normalization automatic volume adjustments ################################## +## An example configuration file for MPD. 
+# Read the user manual for documentation: http://www.musicpd.org/doc/user/ +# or /usr/share/doc/mpd/html/user.html + + +# Files and directories ####################################################### +# +# This setting controls the top directory which MPD will search to discover the +# available audio files and add them to the daemon's online database. This +# setting defaults to the XDG directory, otherwise the music directory will be +# be disabled and audio files will only be accepted over ipc socket (using +# file:// protocol) or streaming files over an accepted protocol. +# +music_directory "/net/tumor.chaos/srv/pub/Music" +# +# This setting sets the MPD internal playlist directory. The purpose of this +# directory is storage for playlists created by MPD. The server will use +# playlist files not created by the server but only if they are in the MPD +# format. This setting defaults to playlist saving being disabled. +# +playlist_directory "/var/lib/mpd/playlists" +# +# This setting sets the location of the MPD database. This file is used to +# load the database at server start up and store the database while the +# server is not up. This setting defaults to disabled which will allow +# MPD to accept files over ipc socket (using file:// protocol) or streaming +# files over an accepted protocol. +# +db_file "/var/lib/mpd/tag_cache" +# +# These settings are the locations for the daemon log files for the daemon. +# These logs are great for troubleshooting, depending on your log_level +# settings. +# +# The special value "syslog" makes MPD use the local syslog daemon. This +# setting defaults to logging to syslog, or to journal if mpd was started as +# a systemd service. +# +#log_file "/var/log/mpd/mpd.log" +log_file "syslog" +# +# This setting sets the location of the file which stores the process ID +# for use of mpd --kill and some init scripts. This setting is disabled by +# default and the pid file will not be stored. 
+# +pid_file "/run/mpd/pid" +# +# This setting sets the location of the file which contains information about +# most variables to get MPD back into the same general shape it was in before +# it was brought down. This setting is disabled by default and the server +# state will be reset on server start up. +# +state_file "/var/lib/mpd/state" +# +# The location of the sticker database. This is a database which +# manages dynamic information attached to songs. +# +sticker_file "/var/lib/mpd/sticker.sql" +# +############################################################################### + + +# General music daemon options ################################################ +# +# This setting specifies the user that MPD will run as. MPD should never run as +# root and you may use this setting to make MPD change its user ID after +# initialization. This setting is disabled by default and MPD is run as the +# current user. +# +user "mpd" +# +# This setting specifies the group that MPD will run as. If not specified +# primary group of user specified with "user" setting will be used (if set). +# This is useful if MPD needs to be a member of group such as "audio" to +# have permission to use sound card. +# +#group "nogroup" +# +# This setting sets the address for the daemon to listen on. Careful attention +# should be paid if this is assigned to anything other then the default, any. +# This setting can deny access to control of the daemon. Choose any if you want +# to have mpd listen on every address. Not effective if systemd socket +# activation is in use. +# +# For network +bind_to_address "0.0.0.0" +# +# And for Unix Socket +#bind_to_address "/run/mpd/socket" +# +# This setting is the TCP port that is desired for the daemon to get assigned +# to. +# +#port "6600" +# +# This setting controls the type of information which is logged. Available +# setting arguments are "default", "secure" or "verbose". 
The "verbose" setting +# argument is recommended for troubleshooting, though can quickly stretch +# available resources on limited hardware storage. +# +log_level "secure" +# +# Setting "restore_paused" to "yes" puts MPD into pause mode instead +# of starting playback after startup. +# +#restore_paused "no" +# +# This setting enables MPD to create playlists in a format usable by other +# music players. +# +#save_absolute_paths_in_playlists "no" +# +# This setting defines a list of tag types that will be extracted during the +# audio file discovery process. The complete list of possible values can be +# found in the user manual. +#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc" +# +# This example just enables the "comment" tag without disabling all +# the other supported tags: +#metadata_to_use "+comment" +# +# This setting enables automatic update of MPD's database when files in +# music_directory are changed. +# +#auto_update "yes" +# +# Limit the depth of the directories being watched, 0 means only watch +# the music directory itself. There is no limit by default. +# +#auto_update_depth "3" +# +############################################################################### + + +# Symbolic link behavior ###################################################### +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links outside of the configured music_directory. +# +#follow_outside_symlinks "yes" +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links inside of the configured music_directory. +# +#follow_inside_symlinks "yes" +# +############################################################################### + + +# Zeroconf / Avahi Service Discovery ########################################## +# +# If this setting is set to "yes", service information will be published with +# Zeroconf / Avahi. 
+# +zeroconf_enabled "no" +# +# The argument to this setting will be the Zeroconf / Avahi unique name for +# this MPD server on the network. %h will be replaced with the hostname. +# +#zeroconf_name "Music Player @ %h" +# +############################################################################### + + +# Permissions ################################################################# +# +# If this setting is set, MPD will require password authorization. The password +# setting can be specified multiple times for different password profiles. +# +#password "password@read,add,control,admin" +# +# This setting specifies the permissions a user has who has not yet logged in. +# +#default_permissions "read,add,control,admin" +# +############################################################################### +#input_cache { +# size "16m" +#} + +# Database ####################################################################### +# + +#database { +# plugin "proxy" +# host "other.mpd.host" +# port "6600" +#} + +# Input ####################################################################### +# + +input { + plugin "curl" +# proxy "proxy.isp.com:8080" +# proxy_user "user" +# proxy_password "password" +} + +# QOBUZ input plugin +input { + enabled "no" + plugin "qobuz" +# app_id "ID" +# app_secret "SECRET" +# username "USERNAME" +# password "PASSWORD" +# format_id "N" +} + +# TIDAL input plugin +input { + enabled "no" + plugin "tidal" +# token "TOKEN" +# username "USERNAME" +# password "PASSWORD" +# audioquality "Q" +} + +# Decoder ##################################################################### +# + +decoder { + plugin "hybrid_dsd" + enabled "no" +# gapless "no" +} + +# +############################################################################### + +# Audio Output ################################################################ +# +# MPD supports various audio output types, as well as playing through multiple +# audio outputs at the same time, through multiple 
audio_output settings +# blocks. Setting this block is optional, though the server will only attempt +# autodetection for one sound card. +# +# An example of an ALSA output: +# +audio_output { + type "alsa" + name "My ALSA Device" +# device "hw:0,0" # optional +# mixer_type "hardware" # optional +# mixer_device "default" # optional +# mixer_control "PCM" # optional +# mixer_index "0" # optional +} +# +# An example of an OSS output: +# +#audio_output { +# type "oss" +# name "My OSS Device" +# device "/dev/dsp" # optional +# mixer_type "hardware" # optional +# mixer_device "/dev/mixer" # optional +# mixer_control "PCM" # optional +#} +# +# An example of a shout output (for streaming to Icecast): +# +#audio_output { +# type "shout" +# encoder "vorbis" # optional +# name "My Shout Stream" +# host "localhost" +# port "8000" +# mount "/mpd.ogg" +# password "hackme" +# quality "5.0" +# bitrate "128" +# format "44100:16:1" +# protocol "icecast2" # optional +# user "source" # optional +# description "My Stream Description" # optional +# url "http://example.com" # optional +# genre "jazz" # optional +# public "no" # optional +# timeout "2" # optional +# mixer_type "software" # optional +#} +# +# An example of a recorder output: +# +#audio_output { +# type "recorder" +# name "My recorder" +# encoder "vorbis" # optional, vorbis or lame +# path "/var/lib/mpd/recorder/mpd.ogg" +## quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +#} +# +# An example of a httpd output (built-in HTTP streaming server): +# +#audio_output { +# type "httpd" +# name "My HTTP Stream" +# encoder "vorbis" # optional, vorbis or lame +# port "8000" +# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6 +# quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +# max_clients "0" # optional 0=no limit +#} +# +# An example of a pulseaudio output (streaming 
to a remote pulseaudio server) +# Please see README.Debian if you want mpd to play through the pulseaudio +# daemon started as part of your graphical desktop session! +# +#audio_output { +# type "pulse" +# name "My Pulse Output" +# server "remote_server" # optional +# sink "remote_server_sink" # optional +#} +# +# An example of a winmm output (Windows multimedia API). +# +#audio_output { +# type "winmm" +# name "My WinMM output" +# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +# or +# device "0" # optional +# mixer_type "hardware" # optional +#} +# +# An example of an openal output. +# +#audio_output { +# type "openal" +# name "My OpenAL output" +# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +#} +# +## Example "pipe" output: +# +#audio_output { +# type "pipe" +# name "my pipe" +# command "aplay -f cd 2>/dev/null" +## Or if you're want to use AudioCompress +# command "AudioCompress -m | aplay -f cd 2>/dev/null" +## Or to send raw PCM stream through PCM: +# command "nc example.org 8765" +# format "44100:16:2" +#} +# +## An example of a null output (for no audio output): +# +#audio_output { +# type "null" +# name "My Null Output" +# mixer_type "none" # optional +#} +# +############################################################################### + + +# Normalization automatic volume adjustments ################################## +# +# This setting specifies the type of ReplayGain to use. This setting can have +# the argument "off", "album", "track" or "auto". "auto" is a special mode that +# chooses between "track" and "album" depending on the current state of +# random playback. If random playback is enabled then "track" mode is used. +# See for more details about ReplayGain. +# This setting is off by default. +# +#replaygain "album" +# +# This setting sets the pre-amp used for files that have ReplayGain tags. By +# default this setting is disabled. 
+# +#replaygain_preamp "0" +# +# This setting sets the pre-amp used for files that do NOT have ReplayGain tags. +# By default this setting is disabled. +# +#replaygain_missing_preamp "0" +# +# This setting enables or disables ReplayGain limiting. +# MPD calculates actual amplification based on the ReplayGain tags +# and replaygain_preamp / replaygain_missing_preamp setting. +# If replaygain_limit is enabled MPD will never amplify audio signal +# above its original level. If replaygain_limit is disabled such amplification +# might occur. By default this setting is enabled. +# +#replaygain_limit "yes" +# +# This setting enables on-the-fly normalization volume adjustment. This will +# result in the volume of all playing audio to be adjusted so the output has +# equal "loudness". This setting is disabled by default. +# +#volume_normalization "no" +# +############################################################################### + +# Character Encoding ########################################################## +# +# If file or directory names do not display correctly for your locale then you +# may need to modify this setting. +# +filesystem_charset "UTF-8" +# +############################################################################### + +# This setting specifies the type of ReplayGain to use. This setting can have +# the argument "off", "album", "track" or "auto". "auto" is a special mode that +# chooses between "track" and "album" depending on the current state of +# random playback. If random playback is enabled then "track" mode is used. +# See for +# more details about ReplayGain. +# This setting is off by default. +# +#replaygain "album" +# +# This setting sets the pre-amp used for files that have ReplayGain tags. By +# default this setting is disabled. +# +#replaygain_preamp "0" +# +# This setting sets the pre-amp used for files that do NOT have ReplayGain tags. +# By default this setting is disabled. 
+#
+#replaygain_missing_preamp "0"
+#
+# This setting enables or disables ReplayGain limiting.
+# MPD calculates actual amplification based on the ReplayGain tags
+# and replaygain_preamp / replaygain_missing_preamp setting.
+# If replaygain_limit is enabled MPD will never amplify audio signal
+# above its original level. If replaygain_limit is disabled such amplification
+# might occur. By default this setting is enabled.
+#
+#replaygain_limit "yes"
+#
+# This setting enables on-the-fly normalization volume adjustment. This will
+# result in the volume of all playing audio to be adjusted so the output has
+# equal "loudness". This setting is disabled by default.
+#
+#volume_normalization "no"
+#
+###############################################################################
+
+# Character Encoding ##########################################################
+#
+# If file or directory names do not display correctly for your locale then you
+# may need to modify this setting.
+#
+filesystem_charset "UTF-8"
+#
+###############################################################################
\ No newline at end of file
diff --git a/roles/mpd/init.sls b/roles/mpd/init.sls
new file mode 100644
index 0000000..8e8e067
--- /dev/null
+++ b/roles/mpd/init.sls
@@ -0,0 +1,2 @@
+include:
+ - .common
\ No newline at end of file
diff --git a/roles/nut/client.sls b/roles/nut/client.sls
new file mode 100644
index 0000000..29da22f
--- /dev/null
+++ b/roles/nut/client.sls
@@ -0,0 +1,16 @@
+nut-client_pkgs:
+ pkg.installed:
+ - pkgs:
+ - nut-client
+
+etc_nut_nut.conf:
+ file:
+ - recurse
+ - name: /etc/nut
+ - source: salt://roles/nut/files/client
+ - user: root
+ - group: root
+ - file_mode: 0640
+ - dir_mode: 0750
+ - require:
+ - pkg: nut-client_pkgs
\ No newline at end of file
diff --git a/roles/nut/files/client/nut.conf b/roles/nut/files/client/nut.conf
new file mode 100644
index 0000000..758b282
--- /dev/null
+++ b/roles/nut/files/client/nut.conf
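Review bot: `user: root`, `group: root` and `file_mode: 0640` on the recursed `/etc/nut` tree leave `upsmon.conf` unreadable by the unprivileged user upsmon drops to, which that file's own header says is required for the reload feature (group-readable by the NUT group, never world-readable); presumably `group: nut` is what is intended here, so verify the group the nut-client package creates and set it explicitly. The state ID `etc_nut_nut.conf` also reads as if it manages a single file while the state recurses the whole directory from `salt://roles/nut/files/client`; a name like `etc_nut` would match what it does. Since that directory ships an `upsmon.conf` containing a MONITOR password, a one-line comment on the state saying whether the file is expected to be templated or copied verbatim would prevent the placeholder being deployed as-is.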
@@ -0,0 +1,34 @@
+### SALT
+
+# Network UPS Tools: example nut.conf
+#
+##############################################################################
+# General section
+##############################################################################
+# The MODE determines which part of the NUT is to be started, and which
+# configuration files must be modified.
+#
+# This file try to standardize the various files being found in the field, like
+# /etc/default/nut on Debian based systems, /etc/sysconfig/ups on RedHat based
+# systems, ... Distribution's init script should source this file to see which
+# component(s) has to be started.
+#
+# The values of MODE can be:
+# - none: NUT is not configured, or use the Integrated Power Management, or use
+# some external system to startup NUT components. So nothing is to be started.
+# - standalone: This mode address a local only configuration, with 1 UPS
+# protecting the local system. This implies to start the 3 NUT layers (driver,
+# upsd and upsmon) and the matching configuration files. This mode can also
+# address UPS redundancy.
+# - netserver: same as for the standalone configuration, but also need
+# some more network access controls (firewall, tcp-wrappers) and possibly a
+# specific LISTEN directive in upsd.conf.
+# Since this MODE is opened to the network, a special care should be applied
+# to security concerns.
+# - netclient: this mode only requires upsmon.
+#
+# IMPORTANT NOTE:
+# This file is intended to be sourced by shell scripts.
+# You MUST NOT use spaces around the equal sign!
+
+MODE=netclient
diff --git a/roles/nut/files/client/upsmon.conf b/roles/nut/files/client/upsmon.conf
new file mode 100644
index 0000000..363110b
--- /dev/null
+++ b/roles/nut/files/client/upsmon.conf
@@ -0,0 +1,385 @@
+## SALT
+
+# Network UPS Tools: example upsmon configuration
+#
+# This file contains passwords, so keep it secure.
+
+# --------------------------------------------------------------------------
+# RUN_AS_USER
+#
+# By default, upsmon splits into two processes. One stays as root and
+# waits to run the SHUTDOWNCMD. The other one switches to another userid
+# and does everything else.
+#
+# The default nonprivileged user is set at compile-time with
+# 'configure --with-user=...'.
+#
+# You can override it with '-u ' when starting upsmon, or just
+# define it here for convenience.
+#
+# Note: if you plan to use the reload feature, this file (upsmon.conf)
+# must be readable by this user! Since it contains passwords, DO NOT
+# make it world-readable. Also, do not make it writable by the upsmon
+# user, since it creates an opportunity for an attack by changing the
+# SHUTDOWNCMD to something malicious.
+#
+# For best results, you should create a new normal user like "nutmon",
+# and make it a member of a "nut" group or similar. Then specify it
+# here and grant read access to the upsmon.conf for that group.
+#
+# This user should not have write access to upsmon.conf.
+#
+# RUN_AS_USER nut
+
+# --------------------------------------------------------------------------
+# MONITOR ("master"|"slave")
+#
+# List systems you want to monitor. Not all of these may supply power
+# to the system running upsmon, but if you want to watch it, it has to
+# be in this section.
+#
+# You must have at least one of these declared.
+#
+# is a UPS identifier in the form @[:]
+# like ups@localhost, su700@mybox, etc.
+#
+# Examples:
+#
+# - "su700@mybox" means a UPS called "su700" on a system called "mybox"
+#
+# - "fenton@bigbox:5678" is a UPS called "fenton" on a system called
+# "bigbox" which runs upsd on port "5678".
+#
+# The UPS names like "su700" and "fenton" are set in your ups.conf
+# in [brackets] which identify a section for a particular driver.
+#
+# If the ups.conf on host "doghouse" has a section called "snoopy", the
+# identifier for it would be "snoopy@doghouse".
+#
+# is an integer - the number of power supplies that this UPS
+# feeds on this system. Most computers only have one power supply, so this
+# is normally set to 1. You need a pretty big or special box to have any
+# other value here.
+#
+# You can also set this to 0 for a system that doesn't supply any power,
+# but you still want to monitor. Use this when you want to hear about
+# changes for a given UPS without shutting down when it goes critical,
+# unless is 0.
+#
+# and must match an entry in that system's
+# upsd.users. If your username is "monmaster" and your password is
+# "blah", the upsd.users would look like this:
+#
+# [monmaster]
+# password = blah
+# upsmon master (or slave)
+#
+# "master" means this system will shutdown last, allowing the slaves
+# time to shutdown first.
+#
+# "slave" means this system shuts down immediately when power goes critical.
+#
+# Examples:
+#
+# MONITOR myups@bigserver 1 monmaster blah master
+# MONITOR su700@server.example.com 1 upsmon secretpass slave
+# MONITOR myups@localhost 1 upsmon pass master (or slave)
+MONITOR nummer5@ups.wks 1 monuser $secret slave
+
+# --------------------------------------------------------------------------
+# MINSUPPLIES
+#
+# Give the number of power supplies that must be receiving power to keep
+# this system running. Most systems have one power supply, so you would
+# put "1" in this field.
+#
+# Large/expensive server type systems usually have more, and can run with
+# a few missing. The HP NetServer LH4 can run with 2 out of 4, for example,
+# so you'd set that to 2. The idea is to keep the box running as long
+# as possible, right?
+#
+# Obviously you have to put the redundant supplies on different UPS circuits
+# for this to make sense! See big-servers.txt in the docs subdirectory
+# for more information and ideas on how to use this feature.
+
+MINSUPPLIES 1
+
+# --------------------------------------------------------------------------
+# SHUTDOWNCMD ""
+#
+# upsmon runs this command when the system needs to be brought down.
+#
+# This should work just about everywhere ... if it doesn't, well, change it.
+
+SHUTDOWNCMD "/sbin/shutdown -h +0"
+
+# --------------------------------------------------------------------------
+# NOTIFYCMD
+#
+# upsmon calls this to send messages when things happen
+#
+# This command is called with the full text of the message as one argument.
+# The environment string NOTIFYTYPE will contain the type string of
+# whatever caused this event to happen.
+#
+# Note that this is only called for NOTIFY events that have EXEC set with
+# NOTIFYFLAG. See NOTIFYFLAG below for more details.
+#
+# Making this some sort of shell script might not be a bad idea. For more
+# information and ideas, see docs/scheduling.txt
+#
+# Example:
+# NOTIFYCMD /bin/notifyme
+
+# --------------------------------------------------------------------------
+# POLLFREQ
+#
+# Polling frequency for normal activities, measured in seconds.
+#
+# Adjust this to keep upsmon from flooding your network, but don't make
+# it too high or it may miss certain short-lived power events.
+
+POLLFREQ 30
+
+# --------------------------------------------------------------------------
+# POLLFREQALERT
+#
+# Polling frequency in seconds while UPS on battery.
+#
+# You can make this number lower than POLLFREQ, which will make updates
+# faster when any UPS is running on battery. This is a good way to tune
+# network load if you have a lot of these things running.
+#
+# The default is 5 seconds for both this and POLLFREQ.
+
+POLLFREQALERT 5
+
+# --------------------------------------------------------------------------
+# HOSTSYNC - How long upsmon will wait before giving up on another upsmon
+#
+# The master upsmon process uses this number when waiting for slaves to
+# disconnect once it has set the forced shutdown (FSD) flag. If they
+# don't disconnect after this many seconds, it goes on without them.
+#
+# Similarly, upsmon slave processes wait up to this interval for the
+# master upsmon to set FSD when a UPS they are monitoring goes critical -
+# that is, on battery and low battery. If the master doesn't do its job,
+# the slaves will shut down anyway to avoid damage to the file systems.
+#
+# This "wait for FSD" is done to avoid races where the status changes
+# to critical and back between polls by the master.
+
+HOSTSYNC 15
+
+# --------------------------------------------------------------------------
+# DEADTIME - Interval to wait before declaring a stale ups "dead"
+#
+# upsmon requires a UPS to provide status information every few seconds
+# (see POLLFREQ and POLLFREQALERT) to keep things updated. If the status
+# fetch fails, the UPS is marked stale. If it stays stale for more than
+# DEADTIME seconds, the UPS is marked dead.
+#
+# A dead UPS that was last known to be on battery is assumed to have gone
+# to a low battery condition. This may force a shutdown if it is providing
+# a critical amount of power to your system.
+#
+# Note: DEADTIME should be a multiple of POLLFREQ and POLLFREQALERT.
+# Otherwise you'll have "dead" UPSes simply because upsmon isn't polling
+# them quickly enough. Rule of thumb: take the larger of the two
+# POLLFREQ values, and multiply by 3.
+
+DEADTIME 15
+
+# --------------------------------------------------------------------------
+# POWERDOWNFLAG - Flag file for forcing UPS shutdown on the master system
+#
+# upsmon will create a file with this name in master mode when it's time
+# to shut down the load. You should check for this file's existence in
+# your shutdown scripts and run 'upsdrvctl shutdown' if it exists.
+#
+# See the config-notes.txt file in the docs subdirectory for more information.
+# Refer to the section:
+# [[UPS_shutdown]] "Configuring automatic shutdowns for low battery events"
+# or refer to the online version.
+
+POWERDOWNFLAG /etc/killpower
+
+# --------------------------------------------------------------------------
+# NOTIFYMSG - change messages sent by upsmon when certain events occur
+#
+# You can change the default messages to something else if you like.
+#
+# NOTIFYMSG "message"
+#
+# NOTIFYMSG ONLINE "UPS %s on line power"
+# NOTIFYMSG ONBATT "UPS %s on battery"
+# NOTIFYMSG LOWBATT "UPS %s battery is low"
+# NOTIFYMSG FSD "UPS %s: forced shutdown in progress"
+# NOTIFYMSG COMMOK "Communications with UPS %s established"
+# NOTIFYMSG COMMBAD "Communications with UPS %s lost"
+# NOTIFYMSG SHUTDOWN "Auto logout and shutdown proceeding"
+# NOTIFYMSG REPLBATT "UPS %s battery needs to be replaced"
+# NOTIFYMSG NOCOMM "UPS %s is unavailable"
+# NOTIFYMSG NOPARENT "upsmon parent process died - shutdown impossible"
+#
+# Note that %s is replaced with the identifier of the UPS in question.
+#
+# Possible values for :
+#
+# ONLINE : UPS is back online
+# ONBATT : UPS is on battery
+# LOWBATT : UPS has a low battery (if also on battery, it's "critical")
+# FSD : UPS is being shutdown by the master (FSD = "Forced Shutdown")
+# COMMOK : Communications established with the UPS
+# COMMBAD : Communications lost to the UPS
+# SHUTDOWN : The system is being shutdown
+# REPLBATT : The UPS battery is bad and needs to be replaced
+# NOCOMM : A UPS is unavailable (can't be contacted for monitoring)
+# NOPARENT : The process that shuts down the system has died (shutdown impossible)
+
+# --------------------------------------------------------------------------
+# NOTIFYFLAG - change behavior of upsmon when NOTIFY events occur
+#
+# By default, upsmon sends walls (global messages to all logged in users)
+# and writes to the syslog when things happen. You can change this.
+#
+# NOTIFYFLAG [+][+] ...
+#
+# NOTIFYFLAG ONLINE SYSLOG+WALL
+# NOTIFYFLAG ONBATT SYSLOG+WALL
+# NOTIFYFLAG LOWBATT SYSLOG+WALL
+# NOTIFYFLAG FSD SYSLOG+WALL
+# NOTIFYFLAG COMMOK SYSLOG+WALL
+# NOTIFYFLAG COMMBAD SYSLOG+WALL
+# NOTIFYFLAG SHUTDOWN SYSLOG+WALL
+# NOTIFYFLAG REPLBATT SYSLOG+WALL
+# NOTIFYFLAG NOCOMM SYSLOG+WALL
+# NOTIFYFLAG NOPARENT SYSLOG+WALL
+#
+# Possible values for the flags:
+#
+# SYSLOG - Write the message in the syslog
+# WALL - Write the message to all users on the system
+# EXEC - Execute NOTIFYCMD (see above) with the message
+# IGNORE - Don't do anything
+#
+# If you use IGNORE, don't use any other flags on the same line.
+
+# --------------------------------------------------------------------------
+# RBWARNTIME - replace battery warning time in seconds
+#
+# upsmon will normally warn you about a battery that needs to be replaced
+# every 43200 seconds, which is 12 hours. It does this by triggering a
+# NOTIFY_REPLBATT which is then handled by the usual notify structure
+# you've defined above.
+#
+# If this number is not to your liking, override it here.
+
+RBWARNTIME 43200
+
+# --------------------------------------------------------------------------
+# NOCOMMWARNTIME - no communications warning time in seconds
+#
+# upsmon will let you know through the usual notify system if it can't
+# talk to any of the UPS entries that are defined in this file. It will
+# trigger a NOTIFY_NOCOMM by default every 300 seconds unless you
+# change the interval with this directive.
+
+NOCOMMWARNTIME 300
+
+# --------------------------------------------------------------------------
+# FINALDELAY - last sleep interval before shutting down the system
+#
+# On a master, upsmon will wait this long after sending the NOTIFY_SHUTDOWN
+# before executing your SHUTDOWNCMD. If you need to do something in between
+# those events, increase this number. Remember, at this point your UPS is
+# almost depleted, so don't make this too high.
+#
+# Alternatively, you can set this very low so you don't wait around when
+# it's time to shut down. Some UPSes don't give much warning for low
+# battery and will require a value of 0 here for a safe shutdown.
+#
+# Note: If FINALDELAY on the slave is greater than HOSTSYNC on the master,
+# the master will give up waiting for the slave to disconnect.
+
+FINALDELAY 5
+
+# --------------------------------------------------------------------------
+# CERTPATH - path to certificates (database directory or directory with CA's)
+#
+# When compiled with SSL support, you can enter the certificate path here.
+#
+# With NSS:
+# Certificates are stored in a dedicated database (splitted in 3 files).
+# Specify the path of the database directory.
+#
+# CERTPATH /etc/nut/cert/upsmon
+#
+# With OpenSSL:
+# Directory containing CA certificates in PEM format, used to verify
+# the server certificate presented by the upsd server. The files each
+# contain one CA certificate. The files are looked up by the CA subject
+# name hash value, which must hence be available.
+#
+# CERTPATH /usr/ssl/certs
+#
+# See 'docs/security.txt' or the Security chapter of NUT user manual
+# for more information on the SSL support in NUT.
+CERTPATH /etc/pki
+
+# --------------------------------------------------------------------------
+# CERTIDENT - self certificate name and database password
+# CERTIDENT
+#
+# When compiled with SSL support with NSS, you can specify the certificate
+# name to retrieve from database to authenticate itself and the password
+# required to access certificate related private key.
+#
+# CERTIDENT "my nut monitor" "MyPasSw0rD"
+#
+# See 'docs/security.txt' or the Security chapter of NUT user manual
+# for more information on the SSL support in NUT.
+
+# --------------------------------------------------------------------------
+# CERTHOST - security properties for an host
+# CERTHOST
+#
+# When compiled with SSL support with NSS, you can specify security directive
+# for each server you can contact.
+# Each entry maps server name with the expected certificate name and flags
+# indicating if the server certificate is verified and if the connection
+# must be secure.
+#
+# CERTHOST localhost "My nut server" 1 1
+#
+# See 'docs/security.txt' or the Security chapter of NUT user manual
+# for more information on the SSL support in NUT.
+
+# --------------------------------------------------------------------------
+# CERTVERIFY - make upsmon verify all connections with certificates
+# CERTVERIFY 1
+#
+# When compiled with SSL support, make upsmon verify all connections with
+# certificates.
+# Without this, there is no guarantee that the upsd is the right host.
+# Enabling this greatly reduces the risk of man in the middle attacks.
+# This effectively forces the use of SSL, so don't use this unless
+# all of your upsd hosts are ready for SSL and have their certificates
+# in order.
+# When compiled with NSS support of SSL, can be overriden for host
+# specified with a CERTHOST directive.
+CERTVERIFY 1
+
+# --------------------------------------------------------------------------
+# FORCESSL - force upsmon to use SSL
+# FORCESSL 1
+#
+# When compiled with SSL, specify that a secured connection must be used
+# to communicate with upsd.
+# If you don't use 'CERTVERIFY 1', then this will at least make sure
+# that nobody can sniff your sessions without a large effort. Setting
+# this will make upsmon drop connections if the remote upsd doesn't
+# support SSL, so don't use it unless all of them have it running.
+# When compiled with NSS support of SSL, can be overriden for host
+# specified with a CERTHOST directive.
+
diff --git a/top.sls b/top.sls
index 382bc40..3a4c9b1 100644
--- a/top.sls
+++ b/top.sls
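Review bot: `MONITOR nummer5@ups.wks 1 monuser $secret slave` appears to ship `$secret` as the literal upsd password: the state that deploys this directory (`roles/nut/client.sls` in this diff) copies it with `file.recurse` and no `template` option, so nothing substitutes the value and upsmon would authenticate with the string `$secret`. If it is meant to be filled in, render the file with `template: jinja` and take the credential from pillar, otherwise add a comment above the line naming the step that replaces it. `CERTVERIFY 1` with `CERTPATH /etc/pki` is the right fail-closed choice, but upsmon will then refuse every connection to `ups.wks` until that directory holds the CA certificate (hashed by subject name, per the comment above it) that signed the upsd server cert, and nothing in this diff provisions it (`base.pki.ca` is only present commented out in top.sls); confirm another state does, or the clients will only ever report COMMBAD/NOCOMM and never receive FSD. A note such as `# CA for ups.wks is installed by <state name> — with CERTVERIFY 1 an empty /etc/pki means no monitoring` above CERTPATH would make that dependency visible.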
@@ -6,21 +6,36 @@ base: '*': - base - hardware - 'tumor*': - - base.pki.ca + - os + 'adm01.wks': + - base.rsyslog.server + - base.packages.haproxy + - k8s.podman + - systemd.units + 'not G@fqdn:adm01.wks': + - match: compound + - base.rsyslog.client 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm - 'riot01*': - - haproxy - - prometheus - - grafana - 'auto*': - - base.packages.openhab2 + 'auto02*': + - k8s.podman + - base.packages.haproxy + - systemd.units + #- base.packages.salt.master + #- base.pki.ca 'pine*': - - k8s - 'kube*': - - k8s + #- k8s + - roles.nut.client + 'ebin*': + - roles.nut.client 'lenny*': - - k8s.admin - - base.packages.node.lenny + #- k8s.admin + - base.packages.node.lenny # migrate these with yori/desktops + - base.packages.repo.brave-browser + - base.packages.FreeCAD + 'yori*': + - base.packages.repo.brave-browser + - base.packages.FreeCAD + 'truhe*': + - roles.mpd \ No newline at end of file
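Review bot: The newly added commented-out entries (`#- base.packages.salt.master`, `#- base.pki.ca`, `#- k8s`, `#- k8s.admin`) leave dead configuration in the top file, while the same hunk deletes the unused `'tumor*'`, `'riot01*'` and `'kube*'` targets outright and git history already preserves all of them. Either drop these lines too or, if they are deliberately parked, keep one comment stating why and until when, e.g. `#- base.pki.ca  # parked: <reason>`. The `'not G@fqdn:adm01.wks'` compound target now assigns `base.rsyslog.client` to every other minion, which is presumably intended but worth a one-line comment since the server and client states are mutually exclusive here. The file also still ends without a trailing newline.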