From e7764ebd1354d95e18ca94829fa393d94f9e5de3 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 21 Jul 2020 19:23:35 +0200 Subject: [PATCH 01/94] uninstall prometheus doesn't work --- base/packages/prometheus/init.sls | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/base/packages/prometheus/init.sls b/base/packages/prometheus/init.sls index 84f83e9..5854ee0 100644 --- a/base/packages/prometheus/init.sls +++ b/base/packages/prometheus/init.sls @@ -8,13 +8,11 @@ set has_promexporter = salt['pillar.get']( # This has to be here, otherwise: # https://stackoverflow.com/questions/59268721/saltstack-use-include-twice-in-one-sls-file # +{%- if 'prometheus-node_exporter' in has_promexporter %} include: - {%- if 'prometheus-node_exporter' in has_promexporter %} - prometheus - systemd.reload - {%- else %} - #- prometheus.clean #Dat klappt nuesch! - {%- endif %} +{%- endif %} {%- if 'prometheus-node_exporter' in has_promexporter %} systemd-prometheus-node-exporter-service-override: From 42dfed1e1fe794b73e7e2802a7d1cce7b688ff61 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 28 Jul 2020 15:41:34 +0200 Subject: [PATCH 02/94] using syslog --- k8s/files/etc_docker_daemon.json | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/k8s/files/etc_docker_daemon.json b/k8s/files/etc_docker_daemon.json index 2dd9abe..3d3d37d 100644 --- a/k8s/files/etc_docker_daemon.json +++ b/k8s/files/etc_docker_daemon.json @@ -1,9 +1,7 @@ { "exec-opts": ["native.cgroupdriver=systemd"], - "log-driver": "json-file", - "log-opts": { - "max-size": "100m" - }, + "log-driver": "syslog", + "log-level": "warn", "storage-driver": "overlay2", "insecure-registries" : [ "docker-registry.lan" From 286c713b56da50be95d14c9b42d2437976595b4e Mon Sep 17 00:00:00 2001 
From: do Date: Mon, 21 Sep 2020 11:41:26 +0200 Subject: [PATCH 03/94] refatoring of k8s and no more gluster --- base/init.sls | 2 +- hardware/raspberrypi/fan/files/fan_ctrl.py | 4 ++-- k8s/docker.sls | 16 ++++++++++++++++ k8s/init.sls | 10 +--------- top.sls | 1 + 5 files changed, 21 insertions(+), 12 deletions(-) create mode 100644 k8s/docker.sls diff --git a/base/init.sls b/base/init.sls index 1faa0c1..c8c7d50 100644 --- a/base/init.sls +++ b/base/init.sls @@ -5,7 +5,7 @@ include: - .packages - .pki - - .gluster.client + #- .gluster.client - sysctl - rsyslog - sudoers diff --git a/hardware/raspberrypi/fan/files/fan_ctrl.py b/hardware/raspberrypi/fan/files/fan_ctrl.py index 864934a..be2b1e9 100644 --- a/hardware/raspberrypi/fan/files/fan_ctrl.py +++ b/hardware/raspberrypi/fan/files/fan_ctrl.py @@ -10,7 +10,7 @@ import sys # Configuration FAN_PIN = getenv('RPI_FAN_PIN', 21) # BCM pin used to drive transistor's base -WAIT_TIME = getenv('RPI_FAN_WAITTIME', 5) # [s] Time to wait between each refresh +WAIT_TIME = getenv('RPI_FAN_WAITTIME', 10) # [s] Time to wait between each refresh FAN_MIN = getenv('RPI_FAN_MIN', 80) # [%] Fan minimum speed. PWM_FREQ = getenv('RPI_FAN_PWMFREQ', 25000) # [Hz] Change this value if fan has strange behavior # Fan speed will change only of the difference of temperature is higher than hysteresis @@ -21,7 +21,7 @@ prom_collect_dir = getenv('RPI_PROM_COLLECTDIR','/tmp/textfile-collector') prom_collect_file = prom_collect_dir + '/rpi_fan.prom' # Configurable temperature and fan speed steps -tempSteps = [60, 66, 70, 75] # [°C] +tempSteps = [60, 70, 75, 80] # [°C] speedSteps = [0, 80, 90, 100] # [%] # tempSteps = [40, 45] # speedSteps = [0, 100] diff --git a/k8s/docker.sls b/k8s/docker.sls new file mode 100644 index 0000000..513c1c5 --- /dev/null +++ b/k8s/docker.sls 
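Review bot: `WAIT_TIME` becomes a `str` whenever `RPI_FAN_WAITTIME` is set, because `getenv` returns the environment value unconverted and only the fallback `10` is an int; the same holds for `FAN_PIN`, `FAN_MIN` and `PWM_FREQ` on the neighbouring context lines. Where the value is consumed lies outside this hunk, but a sleep or arithmetic on it would presumably raise `TypeError` as soon as the override is used. Converting at the definition keeps both paths the same type: `WAIT_TIME = int(getenv('RPI_FAN_WAITTIME', 10))`.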
@@ -0,0 +1,16 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +docker_pkgs: + pkg.installed: + - pkgs: + - docker.io + + +/etc/docker/daemon.json: + file.managed: + - source: salt://k8s/files/etc_docker_daemon.json + - mode: 644 + - user: root + - group: root diff --git a/k8s/init.sls b/k8s/init.sls index 21b7dfb..43423b7 100644 --- a/k8s/init.sls +++ b/k8s/init.sls @@ -3,6 +3,7 @@ --- include: - .admin + - .docker #- .filesystems @@ -13,18 +14,9 @@ include: - user: root - group: root -/etc/docker/daemon.json: - file.managed: - - source: salt://k8s/files/etc_docker_daemon.json - - mode: 644 - - user: root - - group: root - - k8s_pkgs: pkg.installed: - pkgs: - - docker.io - cgroupfs-mount - debootstrap - kubectl diff --git a/top.sls b/top.sls index 382bc40..1faa4b2 100644 --- a/top.sls +++ b/top.sls @@ -8,6 +8,7 @@ base: - hardware 'tumor*': - base.pki.ca + - k8s.docker 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm From db755165cb4f61d8397cfa5167bf496cdbcb30a2 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 9 Oct 2020 19:36:41 +0200 Subject: [PATCH 04/94] no apt-cache.lan, openhab-prom-exporter fix --- base/packages/openhab2.sls | 2 +- hardware/common/apt.sls | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/base/packages/openhab2.sls b/base/packages/openhab2.sls index 19a4fa8..650f0a9 100644 --- a/base/packages/openhab2.sls +++ b/base/packages/openhab2.sls @@ -30,7 +30,7 @@ openhab-prometheus-exporter: file.managed: - name: /usr/local/bin/openhab2-prometheus-exporter.py - source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py - - source_hash: eea41af67a92266680a427ccde87344753bd8bbbcee20d9eb1d2ed3773e5676f + - source_hash: b6d1114af7418aff2d047c0ffc127f5adf0e4122 - user: openhab - group: openhab - mode: 0755 diff --git a/hardware/common/apt.sls b/hardware/common/apt.sls index f15394a..5a4178b 100644 --- a/hardware/common/apt.sls 
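Review bot: Nothing in this new state file restarts Docker when `/etc/docker/daemon.json` changes, so an edited log driver or registry list stays unapplied until someone restarts the daemon by hand. A `service.running` state that watches the file and requires `docker_pkgs` would close that gap; a sketch follows. A restart interrupts running containers, so decide deliberately whether it should be automatic on the Kubernetes nodes. The service name `docker` is assumed from the `docker.io` package.

```yaml
docker_service:
  service.running:
    - name: docker
    - enable: True
    - require:
      - pkg: docker_pkgs
    - watch:
      - file: /etc/docker/daemon.json
```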
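Review bot: The `tumor*` target already carries `base.pki.ca`, so adding `- k8s.docker` puts a container runtime on what looks like the CA host. It also receives the shared `daemon.json`, which lists `docker-registry.lan` under `insecure-registries`. If this minion holds CA private keys, images pulled without TLS verification and a root-equivalent Docker socket widen its exposure considerably. Consider running the Docker workload on a separate minion, or giving this host a `daemon.json` without the insecure registry entry.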
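Review bot: The new `source_hash` is 40 hex digits, the length of a SHA-1 digest, where the old value had the 64 digits of SHA-256. That weakens the integrity check on a script installed as `0755` under `/usr/local/bin`. The `source` URL also tracks the `master` branch, so the hash has to be edited by hand after every upstream commit, as apparently happened here. Pinning the URL to a commit and keeping a SHA-256 would make the download reproducible: `- source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/<commit-sha>/openhab2-exporter.py` with `- source_hash: <sha256-of-that-file>`.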
+++ b/hardware/common/apt.sls @@ -1,10 +1,10 @@ apt-proxy: - file.managed: + file.absent: - name: /etc/apt/apt.conf.d/proxy - contents: | # SALT managed - Acquire::http::proxy "http://apt-cache.lan:3142"; - Acquire::ftp::proxy "http://apt-cache.lan:3142"; + Acquire::http::proxy "http://apt-cache.lan"; + Acquire::ftp::proxy "http://apt-cache.lan"; From 63006f7913239f90ca2b7793e0795c38498e8d54 Mon Sep 17 00:00:00 2001 From: do Date: Thu, 22 Oct 2020 19:31:45 +0200 Subject: [PATCH 05/94] apt-cacher --- base/packages/init.sls | 1 + base/packages/openhab2.sls | 9 ++++++++- base/packages/repo/debian.sls | 19 +++++++++++++++++-- base/packages/repo/maketank.sls | 8 +++++++- 4 files changed, 33 insertions(+), 4 deletions(-) diff --git a/base/packages/init.sls b/base/packages/init.sls index 03d5ea1..e00e864 100644 --- a/base/packages/init.sls +++ b/base/packages/init.sls @@ -4,5 +4,6 @@ include: - .common + - .repo.debian - .repo.maketank - .prometheus diff --git a/base/packages/openhab2.sls b/base/packages/openhab2.sls index 650f0a9..6677e7f 100644 --- a/base/packages/openhab2.sls +++ b/base/packages/openhab2.sls @@ -1,6 +1,13 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + include: - haproxy - systemd.units @@ -20,7 +27,7 @@ openhab2-pkgs: repo_openhab2: pkgrepo.managed: - - name: deb https://dl.bintray.com/openhab/apt-repo2 stable main + - name: deb https://{{ cache_url }}dl.bintray.com/openhab/apt-repo2 stable main #- dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/openhab2.list - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index 173fe77..629a434 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls 
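Review bot: The `contents` block left under `file.absent`, including the two edited `Acquire::...::proxy` lines, has no effect as far as I can tell, because the state now only removes `/etc/apt/apt.conf.d/proxy`. It reads as if a proxy were still being configured. Dropping `contents` leaves just `file.absent` with `- name: /etc/apt/apt.conf.d/proxy`. If the proxy is meant to come back later, a short comment saying so would be clearer than dead configuration.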
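Review bot: `cache_url` is pasted directly in front of the hostname in `deb https://{{ cache_url }}dl.bintray.com/...`, so the pillar value `services:apt-cache` has to end in `/` and carry no scheme, and nothing in the file says so. A comment above the `set` block would document that contract, for instance `# services:apt-cache: "<cache-host>:<port>/" (trailing slash, no scheme) or unset`. The same pattern is added in `base/packages/repo/debian.sls` and `base/packages/repo/maketank.sls` in this commit. This line also keeps `https://`, which a caching proxy addressed by URL prefix typically cannot serve.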
@@ -2,20 +2,35 @@ # vim: ft=yaml --- +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + repo_debian: pkgrepo.managed: - - name: deb http://deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free + - name: deb http://{{ cache_url }}deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/debian.list - clean_file: True repo_debian-backports: pkgrepo.managed: - - name: deb http://deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free + - name: deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True +repo_debian-security: + pkgrepo.managed: + - name: deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}/updates main contrib non-free + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/debian-security.list + - clean_file: True + + diff --git a/base/packages/repo/maketank.sls b/base/packages/repo/maketank.sls index 3a4d8c5..3ec8843 100644 --- a/base/packages/repo/maketank.sls +++ b/base/packages/repo/maketank.sls @@ -2,9 +2,15 @@ # vim: ft=yaml --- +{%- set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + repo_maketank: pkgrepo.managed: - - name: deb http://apt.maketank.net/debian {{ grains['oscodename'] }} main + - name: deb http://{{ cache_url }}apt.maketank.net/debian {{ grains['oscodename'] }} main - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/maketank.list - key_url: http://apt.maketank.net/debian/debian.gpg From 9531cf694c7d6aba4c7e73dc55fb6cbbf3e23f70 Mon Sep 17 00:00:00 2001 
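Review bot: The repository key on the context line `key_url: http://apt.maketank.net/debian/debian.gpg` is still fetched over plain HTTP, and that key is the only thing authenticating packages now that the `deb` line goes through the cache over HTTP as well. Anyone able to alter that one response could substitute the key apt will trust for this repo. Serving the key from the Salt fileserver removes the network dependency: `- key_url: salt://<path-to>/maketank.gpg`. An `https://` URL works too if the host offers one.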
From: do Date: Thu, 22 Oct 2020 19:53:18 +0200 Subject: [PATCH 06/94] apt-cacher --- base/packages/openhab2.sls | 3 +-- base/packages/repo/debian.sls | 4 +--- hardware/raspberrypi/init.sls | 1 + hardware/raspberrypi/repo/raspbian.sls | 17 +++++++++++++++++ 4 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 hardware/raspberrypi/repo/raspbian.sls diff --git a/base/packages/openhab2.sls b/base/packages/openhab2.sls index 6677e7f..a4305c2 100644 --- a/base/packages/openhab2.sls +++ b/base/packages/openhab2.sls @@ -27,8 +27,7 @@ openhab2-pkgs: repo_openhab2: pkgrepo.managed: - - name: deb https://{{ cache_url }}dl.bintray.com/openhab/apt-repo2 stable main - #- dist: {{ grains['oscodename'] }} + - name: deb http://{{ cache_url }}dl.bintray.com/openhab/apt-repo2 stable main - file: /etc/apt/sources.list.d/openhab2.list - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' - clean_file: True diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index 629a434..d3b94e9 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -1,6 +1,4 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- +#!jinja|yaml|gpg {%- set cache_url = salt['pillar.get']( diff --git a/hardware/raspberrypi/init.sls b/hardware/raspberrypi/init.sls index 83478de..c036d02 100644 --- a/hardware/raspberrypi/init.sls +++ b/hardware/raspberrypi/init.sls @@ -13,6 +13,7 @@ set has_fan = salt['pillar.get']( %} include: + - .repo.raspbian {%- if 'node_exporter' in has_promexporter %} - .prometheus-exporter {%- endif %} diff --git a/hardware/raspberrypi/repo/raspbian.sls b/hardware/raspberrypi/repo/raspbian.sls new file mode 100644 index 0000000..520215a --- /dev/null +++ b/hardware/raspberrypi/repo/raspbian.sls 
@@ -0,0 +1,17 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +{%- set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +repo_maketank: + pkgrepo.managed: + - name: deb http://{{ cache_url }}archive.raspberrypi.org/debian/ {{ grains['oscodename'] }} main + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/raspi.list + - clean_file: True + From bfade616aa45b37d12bb3ad29dc26dcc18b7beb2 Mon Sep 17 00:00:00 2001 From: do Date: Thu, 22 Oct 2020 20:57:17 +0200 Subject: [PATCH 07/94] repos galore! --- base/packages/openhab2.sls | 8 +------- base/packages/repo/debian.sls | 12 +++--------- hardware/espressobin/init.sls | 3 +++ hardware/espressobin/repo.sls | 15 +++++++++++++++ hardware/init.sls | 8 ++++++++ hardware/pine64/init.sls | 3 +++ hardware/pine64/repo.sls | 15 +++++++++++++++ hardware/raspberrypi/init.sls | 2 +- .../raspberrypi/repo/{raspbian.sls => init.sls} | 2 +- 9 files changed, 50 insertions(+), 18 deletions(-) create mode 100644 hardware/espressobin/init.sls create mode 100644 hardware/espressobin/repo.sls create mode 100644 hardware/pine64/init.sls create mode 100644 hardware/pine64/repo.sls rename hardware/raspberrypi/repo/{raspbian.sls => init.sls} (96%) diff --git a/base/packages/openhab2.sls b/base/packages/openhab2.sls index a4305c2..afceebc 100644 --- a/base/packages/openhab2.sls +++ b/base/packages/openhab2.sls @@ -1,12 +1,6 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- -{%- - set cache_url = salt['pillar.get']( - 'services:apt-cache', - default='' - ) -%} include: - haproxy @@ -27,7 +21,7 @@ openhab2-pkgs: repo_openhab2: pkgrepo.managed: - - name: deb http://{{ cache_url }}dl.bintray.com/openhab/apt-repo2 stable main + - name: deb https://dl.bintray.com/openhab/apt-repo2 stable main - file: /etc/apt/sources.list.d/openhab2.list - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' - clean_file: True 
diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index d3b94e9..cc24278 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -9,29 +9,23 @@ repo_debian: pkgrepo.managed: - - name: deb http://{{ cache_url }}deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free' - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/debian.list - clean_file: True repo_debian-backports: pkgrepo.managed: - - name: deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free - - dist: {{ grains['oscodename'] }} + - name: 'deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True repo_debian-security: pkgrepo.managed: - - name: deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}/updates main contrib non-free - - dist: {{ grains['oscodename'] }} + - name: 'deb http://{{ cache_url}}security.debian.org/debian-security {{ grains['oscodename'] }}/updates main contrib non-free' - file: /etc/apt/sources.list.d/debian-security.list - clean_file: True - - - - #apt-update: # cmd.run: # - name: apt update -y diff --git a/hardware/espressobin/init.sls b/hardware/espressobin/init.sls new file mode 100644 index 0000000..32e0205 --- /dev/null +++ b/hardware/espressobin/init.sls @@ -0,0 +1,3 @@ + +include: + - .repo \ No newline at end of file diff --git a/hardware/espressobin/repo.sls b/hardware/espressobin/repo.sls new file mode 100644 index 0000000..c8f3352 --- /dev/null +++ b/hardware/espressobin/repo.sls 
@@ -0,0 +1,15 @@ +#!jinja|yaml|gpg + +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +repo_armbian: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}apt.armbian.com {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils {{ grains['oscodename'] }}-desktop' + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/armbian.list + - clean_file: True \ No newline at end of file diff --git a/hardware/init.sls b/hardware/init.sls index 97b51bc..80b9349 100644 --- a/hardware/init.sls +++ b/hardware/init.sls @@ -3,3 +3,11 @@ include: {% if grains['hardware'] == 'RaspberryPi' %} - .raspberrypi {% endif %} + +{% if grains['hardware'] == 'Pine64' %} + - .pine64 +{% endif %} + +{% if grains['hardware'] == 'Espressobin' %} + - .espressobin +{% endif %} \ No newline at end of file diff --git a/hardware/pine64/init.sls b/hardware/pine64/init.sls new file mode 100644 index 0000000..32e0205 --- /dev/null +++ b/hardware/pine64/init.sls @@ -0,0 +1,3 @@ + +include: + - .repo \ No newline at end of file diff --git a/hardware/pine64/repo.sls b/hardware/pine64/repo.sls new file mode 100644 index 0000000..148bdb0 --- /dev/null +++ b/hardware/pine64/repo.sls @@ -0,0 +1,15 @@ +#!jinja|yaml|gpg + +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +repo_armbian: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}mirrors.dotsrc.org/armbian-apt {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils {{ grains['oscodename'] }}-desktop' + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/armbian.list + - clean_file: True \ No newline at end of file diff --git a/hardware/raspberrypi/init.sls b/hardware/raspberrypi/init.sls index c036d02..0bb387a 100644 --- a/hardware/raspberrypi/init.sls +++ b/hardware/raspberrypi/init.sls 
@@ -13,7 +13,7 @@ set has_fan = salt['pillar.get']( %} include: - - .repo.raspbian + - .repo {%- if 'node_exporter' in has_promexporter %} - .prometheus-exporter {%- endif %} diff --git a/hardware/raspberrypi/repo/raspbian.sls b/hardware/raspberrypi/repo/init.sls similarity index 96% rename from hardware/raspberrypi/repo/raspbian.sls rename to hardware/raspberrypi/repo/init.sls index 520215a..2dbc0b0 100644 --- a/hardware/raspberrypi/repo/raspbian.sls +++ b/hardware/raspberrypi/repo/init.sls @@ -8,7 +8,7 @@ ) %} -repo_maketank: +repo_raspi: pkgrepo.managed: - name: deb http://{{ cache_url }}archive.raspberrypi.org/debian/ {{ grains['oscodename'] }} main - dist: {{ grains['oscodename'] }} From 68cbcda77580b1f857801e4e1f07f7989fa36b9e Mon Sep 17 00:00:00 2001 From: do Date: Thu, 22 Oct 2020 23:18:34 +0200 Subject: [PATCH 08/94] fixing all repos with apt-cacher.lan --- base/packages/common.sls | 4 +++ base/packages/repo/debian.sls | 30 +++++++++++-------- hardware/espressobin/repo.sls | 2 +- .../raspberrypi/{repo/init.sls => repo.sls} | 3 +- 4 files changed, 24 insertions(+), 15 deletions(-) rename hardware/raspberrypi/{repo/init.sls => repo.sls} (68%) diff --git a/base/packages/common.sls b/base/packages/common.sls index c2d4e6e..7f37f9a 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -58,3 +58,7 @@ common-removed: - exim4-base - exim4-config - exim4-daemon-light + - command-not-found + + + diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index cc24278..cdfcc22 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls 
@@ -10,24 +10,28 @@ repo_debian: pkgrepo.managed: - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free' - - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/debian.list - clean_file: True +repo_debian-updates: + pkgrepo.managed: + - name: 'deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-updates main contrib non-free' + - file: /etc/apt/sources.list.d/debian-updates.list + - clean_file: True + +repo_debian-security: + pkgrepo.managed: + - name: 'deb http://{{ cache_url}}deb.debian.org/debian-security {{ grains['oscodename'] }}/updates main contrib non-free' + - file: /etc/apt/sources.list.d/debian-security.list + - clean_file: True + repo_debian-backports: pkgrepo.managed: - name: 'deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True - -repo_debian-security: - pkgrepo.managed: - - name: 'deb http://{{ cache_url}}security.debian.org/debian-security {{ grains['oscodename'] }}/updates main contrib non-free' - - file: /etc/apt/sources.list.d/debian-security.list - - clean_file: True - -#apt-update: -# cmd.run: -# - name: apt update -y -# - listen: -# - pkgrepo: repo_maketank + +repo_default: + file.absent: + - name: /etc/apt/sources.list + \ No newline at end of file diff --git a/hardware/espressobin/repo.sls b/hardware/espressobin/repo.sls index c8f3352..148bdb0 100644 --- a/hardware/espressobin/repo.sls +++ b/hardware/espressobin/repo.sls 
@@ -9,7 +9,7 @@ repo_armbian: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}apt.armbian.com {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils {{ grains['oscodename'] }}-desktop' + - name: 'deb http://{{ cache_url }}mirrors.dotsrc.org/armbian-apt {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils {{ grains['oscodename'] }}-desktop' - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/armbian.list - clean_file: True \ No newline at end of file diff --git a/hardware/raspberrypi/repo/init.sls b/hardware/raspberrypi/repo.sls similarity index 68% rename from hardware/raspberrypi/repo/init.sls rename to hardware/raspberrypi/repo.sls index 2dbc0b0..0db81c1 100644 --- a/hardware/raspberrypi/repo/init.sls +++ b/hardware/raspberrypi/repo.sls @@ -10,8 +10,9 @@ repo_raspi: pkgrepo.managed: - - name: deb http://{{ cache_url }}archive.raspberrypi.org/debian/ {{ grains['oscodename'] }} main + - name: deb http://{{ cache_url }}raspbian.raspberrypi.org/raspbian/ {{ grains['oscodename'] }} main contrib firmware rpi - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/raspi.list - clean_file: True + From 2cfc782a276dbc1725b5b81cccd9c0c8f177a25b Mon Sep 17 00:00:00 2001 From: do Date: Wed, 28 Oct 2020 12:51:41 +0100 Subject: [PATCH 09/94] creating empty sources.list --- base/packages/repo/debian.sls | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index cdfcc22..da6ca64 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -32,6 +32,10 @@ repo_debian-backports: - clean_file: True repo_default: - file.absent: + file.managed: - name: /etc/apt/sources.list + - contents: '#SALT managed, all in sources.list.d' + - user: root + - group: root + - mode: 0600 \ No newline at end of file From fc73f02ad3a8333cbea9749acb0fc6e47dc90b9a Mon Sep 17 00:00:00 2001 
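Review bot: `- mode: 0600` is unquoted, and Salt's file state documentation asks for modes with a leading zero to be quoted because YAML otherwise reads them as an octal integer; write `- mode: '0644'`. `0644` rather than `0600` because `/etc/apt/sources.list` holds nothing secret here and non-root tools such as `apt-cache policy` read it. The unquoted form recurs in a later patch of this series (`0644` and `0740` in `ser2net_client.sls`, `0644` in `ser2net_server.sls`).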
From: do Date: Tue, 10 Nov 2020 13:53:30 +0100 Subject: [PATCH 10/94] auto is ser2net client and server --- base/packages/openhab/files/socat.init | 95 +++++++++++++++++++ .../{openhab2.sls => openhab/init.sls} | 0 base/packages/openhab/ser2net_client.sls | 34 +++++++ base/packages/openhab/ser2net_server.sls | 28 ++++++ top.sls | 4 +- 5 files changed, 160 insertions(+), 1 deletion(-) create mode 100644 base/packages/openhab/files/socat.init rename base/packages/{openhab2.sls => openhab/init.sls} (100%) create mode 100644 base/packages/openhab/ser2net_client.sls create mode 100644 base/packages/openhab/ser2net_server.sls diff --git a/base/packages/openhab/files/socat.init b/base/packages/openhab/files/socat.init new file mode 100644 index 0000000..7c7d6cc --- /dev/null +++ b/base/packages/openhab/files/socat.init 
@@ -0,0 +1,95 @@ +#! /bin/sh +### BEGIN INIT INFO +# Provides: ser2net-client +# Required-Start: $local_fs $time $network $named +# Required-Stop: $local_fs $time $network $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start/stop (socat a multipurpose relay) +# +# Description: The socat init script will start/stop socat as specified in /etc/default/socat +# Then log (FATAL,ERROR,WARN,INFO and Notic) in /var/log/socat.log +### END INIT INFO + +NAME=ser2net-client +DAEMON=/usr/bin/socat +# -d -d -d for more logging +SOCAT_DEFAULTS='-lf /var/log/ser2net-client.log' + +. /lib/lsb/init-functions +. /etc/default/${NAME} + +PATH=/bin:/usr/bin:/sbin:/usr/sbin + +[ -x $DAEMON ] || exit 0 + +start_socat() { + start-stop-daemon --oknodo --quiet --start \ + --pidfile /run/ser2net-client.pid \ + --background --make-pidfile \ + --exec $DAEMON -- $SOCAT_DEFAULTS $OPTIONS < /dev/null +} + +stop_socat() { + start-stop-daemon --oknodo --stop --quiet --pidfile /run/ser2net-client.pid --exec $DAEMON + rm -f /run/ser2net-client.pid +} + +start () { + start_socat + return $? +} + +stop () { + for PIDFILE in `ls /run/ser2net-client.pid 2> /dev/null`; do + NAME=`echo $PIDFILE | cut -c16-` + NAME=${NAME%%.pid} + stop_socat + done +} + +case "$1" in + start) + log_daemon_msg "Starting multipurpose relay" "ser2net-client" + if start ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + stop) + log_daemon_msg "Stopping multipurpose relay" "ser2net-client" + if stop ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + restart) + log_daemon_msg "Restarting multipurpose relay" "ser2net-client" + stop + if start ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + reload|force-reload) + log_daemon_msg "Reloading multipurpose relay" "ser2net-client" + stop + if start ; then + log_end_msg $? + else + log_end_msg $? + fi + ;; + status) + status_of_proc -p /run/ser2net-client.pid /usr/bin/socat socat && exit 0 || exit $? 
+ ;; + *) + echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|force-reload|status}" + exit 3 + ;; +esac + +exit 0 \ No newline at end of file diff --git a/base/packages/openhab2.sls b/base/packages/openhab/init.sls similarity index 100% rename from base/packages/openhab2.sls rename to base/packages/openhab/init.sls diff --git a/base/packages/openhab/ser2net_client.sls b/base/packages/openhab/ser2net_client.sls new file mode 100644 index 0000000..51db98e --- /dev/null +++ b/base/packages/openhab/ser2net_client.sls @@ -0,0 +1,34 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +ser2net_client-pkgs: + pkg.installed: + - pkgs: + - socat + +ser2net_socat-conf: + file.managed: + - name: /etc/default/ser2net-client + - user: root + - mode: 0644 + - contents: | + #SALT managed + OPTIONS="pty,link=/dev/ttySER2NET0,raw,user=openhab,group=dialout,mode=660 tcp:auto:3333" + +ser2net_socat-init: + file.managed: + - name: /etc/init.d/ser2net-client + - user: root + - mode: 0740 + - source: salt://base/packages/openhab/files/socat.init + +ser2net_socat-service: + service.running: + - name: ser2net-client + - enable: True + - reload: True + - require: + - file: /etc/init.d/ser2net-client + - watch: + - file: /etc/default/ser2net-client diff --git a/base/packages/openhab/ser2net_server.sls b/base/packages/openhab/ser2net_server.sls new file mode 100644 index 0000000..77cb021 --- /dev/null +++ b/base/packages/openhab/ser2net_server.sls @@ -0,0 +1,28 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +ser2net_server-pkgs: + pkg.installed: + - pkgs: + - ser2net + +ser2net-conf: + file.managed: + - name: /etc/ser2net.conf + - user: root + - mode: 0644 + - contents: | + #SALT managed + 3333:raw:0:/dev/ttyAMA0:115200 8DATABITS NONE 1STOPBIT + +ser2net-service: + service.running: + - name: ser2net + - enable: True + - reload: True + - require: + - file: /etc/ser2net.conf + - watch: + - file: /etc/ser2net.conf + \ No newline at end of file 
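Review bot: `. /etc/default/${NAME}` is sourced without checking that the file exists, and under `/bin/sh` a failing `.` can abort the script, so the service could not even be stopped or queried if the defaults file is missing. Guard it with `[ -r /etc/default/${NAME} ] && . /etc/default/${NAME}`. The header comment still names `/etc/default/socat` and `/var/log/socat.log`, while the script reads `/etc/default/ser2net-client` and logs to `/var/log/ser2net-client.log`; the `Description:` lines should be updated to match. In `stop()`, the loop reassigns the global `NAME` from the pid-file name, so a separate variable would keep the usage message intact.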
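Review bot: The `3333:raw:0:/dev/ttyAMA0:...` line makes ser2net accept connections on port 3333 on every interface with no authentication, so any host that can reach this minion gets raw read/write access to the serial device. `top.sls` in the same patch assigns both the server and the socat client to `auto*`, so they may run on the same machine. In that case the listener can be bound to loopback, `127.0.0.1,3333:raw:0:/dev/ttyAMA0:115200 8DATABITS NONE 1STOPBIT`, with the client's `OPTIONS` using `tcp:127.0.0.1:3333`. If the client really is remote, restrict port 3333 to that peer with a firewall rule.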
diff --git a/top.sls b/top.sls index 1faa4b2..9578cb1 100644 --- a/top.sls +++ b/top.sls @@ -17,7 +17,9 @@ base: - prometheus - grafana 'auto*': - - base.packages.openhab2 + - base.packages.openhab + - base.packages.openhab.ser2net_server + - base.packages.openhab.ser2net_client 'pine*': - k8s 'kube*': From f0ef1976de0442747ef2e259a180732cfac12ba6 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 11 Nov 2020 20:21:40 +0100 Subject: [PATCH 11/94] docker logs to local --- base/packages/openhab/ser2net_server.sls | 2 ++ k8s/files/etc_docker_daemon.json | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/base/packages/openhab/ser2net_server.sls b/base/packages/openhab/ser2net_server.sls index 77cb021..bb4c3fe 100644 --- a/base/packages/openhab/ser2net_server.sls +++ b/base/packages/openhab/ser2net_server.sls @@ -1,6 +1,8 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- +# manually installed from +#https://github.com/longshine/ser2nets ser2net_server-pkgs: pkg.installed: diff --git a/k8s/files/etc_docker_daemon.json b/k8s/files/etc_docker_daemon.json index 3d3d37d..61f410e 100644 --- a/k8s/files/etc_docker_daemon.json +++ b/k8s/files/etc_docker_daemon.json @@ -1,6 +1,5 @@ { "exec-opts": ["native.cgroupdriver=systemd"], - "log-driver": "syslog", "log-level": "warn", "storage-driver": "overlay2", "insecure-registries" : [ From 24b656ddaa7d935eaa00bc4e9688eef22114546c Mon Sep 17 00:00:00 2001 From: do Date: Fri, 13 Nov 2020 21:27:17 +0100 Subject: [PATCH 12/94] openhab3 now --- base/packages/openhab/init.sls | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/base/packages/openhab/init.sls b/base/packages/openhab/init.sls index afceebc..c9b0ae5 100644 --- a/base/packages/openhab/init.sls +++ b/base/packages/openhab/init.sls @@ -9,8 +9,8 @@ include: openhab2-pkgs: pkg.installed: - pkgs: - - openhab2 - - openhab2-addons + - openhab + - openhab-addons - default-jre-headless - libopenzwave1.5 - gunicorn3 
@@ -21,10 +21,11 @@ openhab2-pkgs: repo_openhab2: pkgrepo.managed: - - name: deb https://dl.bintray.com/openhab/apt-repo2 stable main + #- name: deb https://dl.bintray.com/openhab/apt-repo2 stable main + - name: deb https://openhab.jfrog.io/openhab/openhab-linuxpkg testing main - file: /etc/apt/sources.list.d/openhab2.list - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' - - clean_file: True + - clean_file: False openhab-prometheus-exporter: file.managed: @@ -44,3 +45,4 @@ etc-apt-apt.conf-noproxy: - contents: | #SALT managed Acquire::http::proxy::dl.bintray.com "DIRECT"; + Acquire::http::proxy::openhab.jfrog.io "DIRECT"; From 85646626b930c5aa3dcd71bb7715ed0ac37227ec Mon Sep 17 00:00:00 2001 From: do Date: Wed, 18 Nov 2020 10:45:07 +0100 Subject: [PATCH 13/94] openhab3 with nginx --- base/packages/openhab/init.sls | 3 ++- top.sls | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/base/packages/openhab/init.sls b/base/packages/openhab/init.sls index c9b0ae5..223713f 100644 --- a/base/packages/openhab/init.sls +++ b/base/packages/openhab/init.sls @@ -3,7 +3,8 @@ --- include: - - haproxy + #- haproxy + - nginx - systemd.units openhab2-pkgs: diff --git a/top.sls b/top.sls index 9578cb1..7a73f20 100644 --- a/top.sls +++ b/top.sls @@ -18,8 +18,8 @@ base: - grafana 'auto*': - base.packages.openhab - - base.packages.openhab.ser2net_server - - base.packages.openhab.ser2net_client + #- base.packages.openhab.ser2net_server + #- base.packages.openhab.ser2net_client 'pine*': - k8s 'kube*': From 6d16c493947e785c90ef959a2868bb632d58981f Mon Sep 17 00:00:00 2001 
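Review bot: `repo_openhab2` now installs from `openhab.jfrog.io`, but `key_url` still downloads the signing key from bintray at apply time, so package trust rests on whatever that URL returns on the first run, and the state fails if the download stops being served. Shipping a vetted copy of the key from the Salt fileserver removes that dependency, e.g. `- key_url: salt://<path-to-vetted-openhab-key>` (placeholder path). The `testing` suite is also selected here, which deserves a comment if it is deliberate. The same block is moved unchanged to `pkg.sls` in PATCH 14.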
From: do Date: Thu, 19 Nov 2020 18:41:12 +0100 Subject: [PATCH 14/94] finer grained states and prometheus nginx --- base/packages/openhab/init.sls | 31 +++------------------------- base/packages/openhab/pkg.sls | 23 +++++++++++++++++++++ base/packages/openhab/prometheus.sls | 25 ++++++++++++++++++++++ 3 files changed, 51 insertions(+), 28 deletions(-) create mode 100644 base/packages/openhab/pkg.sls create mode 100644 base/packages/openhab/prometheus.sls diff --git a/base/packages/openhab/init.sls b/base/packages/openhab/init.sls index 223713f..3121eec 100644 --- a/base/packages/openhab/init.sls +++ b/base/packages/openhab/init.sls @@ -6,6 +6,8 @@ include: #- haproxy - nginx - systemd.units + - .pkg + - .prometheus openhab2-pkgs: pkg.installed: @@ -16,34 +18,7 @@ openhab2-pkgs: - libopenzwave1.5 - gunicorn3 - python3 - - prometheus-haproxy-exporter + - prometheus-nginx-exporter - require: - pkgrepo: repo_openhab2 -repo_openhab2: - pkgrepo.managed: - #- name: deb https://dl.bintray.com/openhab/apt-repo2 stable main - - name: deb https://openhab.jfrog.io/openhab/openhab-linuxpkg testing main - - file: /etc/apt/sources.list.d/openhab2.list - - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' - - clean_file: False - -openhab-prometheus-exporter: - file.managed: - - name: /usr/local/bin/openhab2-prometheus-exporter.py - - source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py - - source_hash: b6d1114af7418aff2d047c0ffc127f5adf0e4122 - - user: openhab - - group: openhab - - mode: 0755 - -etc-apt-apt.conf-noproxy: - file.managed: - - name: /etc/apt/apt.conf.d/99-openhab2-noproxy - - user: root - - group: root - - mode: 0755 - - contents: | - #SALT managed - Acquire::http::proxy::dl.bintray.com "DIRECT"; - Acquire::http::proxy::openhab.jfrog.io "DIRECT"; diff --git a/base/packages/openhab/pkg.sls b/base/packages/openhab/pkg.sls new file mode 100644 index 0000000..88842fe --- /dev/null 
+++ b/base/packages/openhab/pkg.sls @@ -0,0 +1,23 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +repo_openhab2: + pkgrepo.managed: + #- name: deb https://dl.bintray.com/openhab/apt-repo2 stable main + - name: deb https://openhab.jfrog.io/openhab/openhab-linuxpkg testing main + - file: /etc/apt/sources.list.d/openhab2.list + - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' + - clean_file: False + +etc-apt-apt.conf-noproxy: + file.managed: + - name: /etc/apt/apt.conf.d/99-openhab2-noproxy + - user: root + - group: root + - mode: 0755 + - contents: | + #SALT managed + Acquire::http::proxy::dl.bintray.com "DIRECT"; + Acquire::http::proxy::openhab.jfrog.io "DIRECT"; + \ No newline at end of file diff --git a/base/packages/openhab/prometheus.sls b/base/packages/openhab/prometheus.sls new file mode 100644 index 0000000..bbc022a --- /dev/null +++ b/base/packages/openhab/prometheus.sls @@ -0,0 +1,25 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +openhab-prometheus-exporter: + file.managed: + - name: /usr/local/bin/openhab2-prometheus-exporter.py + - source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py + - source_hash: b6d1114af7418aff2d047c0ffc127f5adf0e4122 + - user: openhab + - group: openhab + - mode: 0755 + +prometheus-nginx-exporter: + service.running: + - enable: True + - watch: + - file: etc-default-prometheus-nginx-exporter + +etc-default-prometheus-nginx-exporter: + file.managed: + - name: /etc/default/prometheus-nginx-exporter + - contents: | + #SALT managed + ARGS="-nginx.scrape-uri http://127.0.0.1:80/stub_status" \ No newline at end of file From c5e018ba856cb01c5229e2dae6cda3f86659866a Mon Sep 17 00:00:00 2001 From: do Date: Sat, 5 Dec 2020 22:30:01 +0100 Subject: [PATCH 15/94] its cold, baby! --- base/packages/openhab/prometheus.sls | 2 +- hardware/espressobin/init.sls | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) 
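Review bot: `openhab-prometheus-exporter` downloads an executable script from the `master` branch of a third-party repository and checks it against a 40-hex-digit (SHA-1-length) `source_hash`, so the content behind the URL can change at any time; PATCH 15 already has to swap the hash. Pinning the URL to a commit and using a SHA-256 digest makes the download reproducible: `- source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/<commit-sha>/openhab2-exporter.py` and `- source_hash: sha256=<digest>` (placeholders). The file is also owned by `openhab` with mode 0755, which lets that account rewrite the script it executes; `- user: root` and `- group: root` would avoid that.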
diff --git a/base/packages/openhab/prometheus.sls b/base/packages/openhab/prometheus.sls index bbc022a..77beda6 100644 --- a/base/packages/openhab/prometheus.sls +++ b/base/packages/openhab/prometheus.sls @@ -6,7 +6,7 @@ openhab-prometheus-exporter: file.managed: - name: /usr/local/bin/openhab2-prometheus-exporter.py - source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py - - source_hash: b6d1114af7418aff2d047c0ffc127f5adf0e4122 + - source_hash: 399ba098b46abe482ce3be57484bf401d4d5a600 - user: openhab - group: openhab - mode: 0755 diff --git a/hardware/espressobin/init.sls b/hardware/espressobin/init.sls index 32e0205..1e5aae0 100644 --- a/hardware/espressobin/init.sls +++ b/hardware/espressobin/init.sls @@ -1,3 +1,6 @@ +#!jinja|yaml|gpg + include: - - .repo \ No newline at end of file + - .repo + - .pkgs \ No newline at end of file From e9f9c33e0b8e7086aaf961aabc277a33a5abac30 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 9 Dec 2020 15:48:59 +0100 Subject: [PATCH 16/94] smartmontools for ebins --- hardware/espressobin/pkgs.sls | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 hardware/espressobin/pkgs.sls diff --git a/hardware/espressobin/pkgs.sls b/hardware/espressobin/pkgs.sls new file mode 100644 index 0000000..34cd88f --- /dev/null +++ b/hardware/espressobin/pkgs.sls @@ -0,0 +1,6 @@ +#!jinja|yaml|gpg + +espressobin-pkgs: + pkg.installed: + - pkgs: + - smartmontools \ No newline at end of file From ee79ddcb198248de0da3c5f9aa470425378e0bb4 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 8 Jan 2021 16:07:24 +0100 Subject: [PATCH 17/94] no more prometheus for riot01 --- top.sls | 4 ---- 1 file changed, 4 deletions(-) diff --git a/top.sls b/top.sls index 7a73f20..902b2a7 100644 --- a/top.sls +++ b/top.sls 
@@ -12,10 +12,6 @@ base: 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm - 'riot01*': - - haproxy - - prometheus - - grafana 'auto*': - base.packages.openhab #- base.packages.openhab.ser2net_server From ecf823315657f4796140cce0b8546bdb286aeb63 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 12 Jan 2021 16:42:44 +0100 Subject: [PATCH 18/94] managing timezone and kube* specific version install --- base/init.sls | 1 + base/timezone.sls | 5 +++++ k8s/admin.sls | 6 +++++- 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 base/timezone.sls diff --git a/base/init.sls b/base/init.sls index c8c7d50..a51a003 100644 --- a/base/init.sls +++ b/base/init.sls @@ -10,3 +10,4 @@ include: - rsyslog - sudoers - systemd + - .timezone diff --git a/base/timezone.sls b/base/timezone.sls new file mode 100644 index 0000000..3534b67 --- /dev/null +++ b/base/timezone.sls @@ -0,0 +1,5 @@ +etc_timezone: + file.managed: + - name: /etc/timezone + - contents: | + Europe/Berlin diff --git a/k8s/admin.sls b/k8s/admin.sls index 89220f3..446bdc0 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -4,8 +4,12 @@ include: - kubernetes.package.repo +{% set k8s_v = "1.19.2-00" %} k8s_pkgs-kubelet: pkg.installed: + - hold: True - pkgs: - - kubectl + - kubectl: {{ k8s_v }} + - kubeadm: {{ k8s_v }} + - kubectl: {{ k8s_v }} From 0ec0a87e704a46fdd9430d1cfb43ff8fc811cd6e Mon Sep 17 00:00:00 2001 From: do Date: Tue, 12 Jan 2021 16:55:38 +0100 Subject: [PATCH 19/94] typo --- k8s/admin.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index 446bdc0..a89a66b 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -12,4 +12,4 @@ k8s_pkgs-kubelet: - pkgs: - kubectl: {{ k8s_v }} - kubeadm: {{ k8s_v }} - - kubectl: {{ k8s_v }} + - kubelet: {{ k8s_v }} From 982b66a0ff0819362c1e16ac3d910b7a639f54af Mon Sep 17 00:00:00 2001 
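Review bot: `etc_timezone` in `base/timezone.sls` only writes `/etc/timezone`; on Debian-family systems the effective zone comes from `/etc/localtime`, so this state by itself probably does not change the zone hosts use for log timestamps. Salt's `timezone.system` state with `- name: Europe/Berlin` handles the system setting. Consistent timestamps matter once logs from these hosts are correlated centrally.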
From: do Date: Fri, 15 Jan 2021 16:39:58 +0100 Subject: [PATCH 20/94] no desktop sources for pine64s --- hardware/pine64/repo.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hardware/pine64/repo.sls b/hardware/pine64/repo.sls index 148bdb0..0078c78 100644 --- a/hardware/pine64/repo.sls +++ b/hardware/pine64/repo.sls @@ -9,7 +9,7 @@ repo_armbian: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}mirrors.dotsrc.org/armbian-apt {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils {{ grains['oscodename'] }}-desktop' + - name: 'deb http://{{ cache_url }}mirrors.dotsrc.org/armbian-apt {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils #{{ grains['oscodename'] }}-desktop' - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/armbian.list - - clean_file: True \ No newline at end of file + - clean_file: True From 1fea37ba50e7b00104543c191fa9c6808d730a0d Mon Sep 17 00:00:00 2001 From: do Date: Tue, 19 Jan 2021 09:57:50 +0100 Subject: [PATCH 21/94] no more docker --- k8s/files/etc_docker_daemon.json | 1 + k8s/init.sls | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/k8s/files/etc_docker_daemon.json b/k8s/files/etc_docker_daemon.json index 61f410e..d39e5b1 100644 --- a/k8s/files/etc_docker_daemon.json +++ b/k8s/files/etc_docker_daemon.json @@ -2,6 +2,7 @@ "exec-opts": ["native.cgroupdriver=systemd"], "log-level": "warn", "storage-driver": "overlay2", + "registry-mirrors": ["https://docker-registry.lan"], "insecure-registries" : [ "docker-registry.lan" ] diff --git a/k8s/init.sls b/k8s/init.sls index 43423b7..c628023 100644 --- a/k8s/init.sls +++ b/k8s/init.sls @@ -3,7 +3,8 @@ --- include: - .admin - - .docker + - .containerd + #- .docker #- .filesystems From 78447cc42e3da88184e2f1fed5587ceeac6c2aa2 Mon Sep 17 00:00:00 2001 
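Review bot: The added `registry-mirrors` entry in `etc_docker_daemon.json` routes Docker Hub pulls through `docker-registry.lan`, which the unchanged `insecure-registries` list just below exempts from certificate verification and allows to fall back to plain HTTP, so mirrored images are fetched without an authenticated transport. Once the registry presents a certificate from a CA the hosts trust, the host can be dropped from `insecure-registries` and the `https://` in the mirror URL is then actually enforced. The file is strict JSON, so the reasoning belongs in the commit message or in the state that deploys it.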
From: do Date: Fri, 22 Jan 2021 14:49:49 +0100 Subject: [PATCH 22/94] kubeadm is no more, it's adm01 now --- k8s/admin.sls | 2 +- top.sls | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index a89a66b..1590819 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -4,7 +4,7 @@ include: - kubernetes.package.repo -{% set k8s_v = "1.19.2-00" %} +{% set k8s_v = "1.20.2-00" %} k8s_pkgs-kubelet: pkg.installed: diff --git a/top.sls b/top.sls index 902b2a7..283bcd3 100644 --- a/top.sls +++ b/top.sls @@ -18,8 +18,6 @@ base: #- base.packages.openhab.ser2net_client 'pine*': - k8s - 'kube*': - - k8s 'lenny*': - k8s.admin - base.packages.node.lenny From e33986768b6198efe1ce6112074ac59c97507de6 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 22 Jan 2021 15:15:44 +0100 Subject: [PATCH 23/94] from docker to containerd --- base/init.sls | 1 + base/release.sls | 7 +++++++ k8s/containerd.sls | 21 +++++++++++++++++++++ k8s/cri-tools.sls | 15 +++++++++++++++ k8s/files/containerd-config.toml | 16 ++++++++++++++++ k8s/repo/debian-bullseye.sls | 14 ++++++++++++++ 6 files changed, 74 insertions(+) create mode 100644 base/release.sls create mode 100644 k8s/containerd.sls create mode 100644 k8s/cri-tools.sls create mode 100644 k8s/files/containerd-config.toml create mode 100644 k8s/repo/debian-bullseye.sls diff --git a/base/init.sls b/base/init.sls index a51a003..27138f0 100644 --- a/base/init.sls +++ b/base/init.sls @@ -11,3 +11,4 @@ include: - sudoers - systemd - .timezone + - .release diff --git a/base/release.sls b/base/release.sls new file mode 100644 index 0000000..304a522 --- /dev/null +++ b/base/release.sls @@ -0,0 +1,7 @@ + +etc_apt_release: + file.managed: + - name: /etc/apt/apt.conf.d/01release + - user: root + - mode: 644 + - contents: 'APT::Default-Release "stable";' diff --git a/k8s/containerd.sls b/k8s/containerd.sls new file mode 100644 index 0000000..121ba5f --- /dev/null +++ b/k8s/containerd.sls 
@@ -0,0 +1,21 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +include: + - .repo.debian-bullseye + - .cri-tools + +containerd_pkgs: + pkg.installed: + - pkgs: + - containerd + - containernetworking-plugins + - require: + - pkgrepo: repo_debian-bullseye + +/etc/containerd/config.toml: + file.managed: + - source: salt://k8s/files/containerd-config.toml + - mode: 644 + - user: root + - group: root diff --git a/k8s/cri-tools.sls b/k8s/cri-tools.sls new file mode 100644 index 0000000..4eb1fb3 --- /dev/null +++ b/k8s/cri-tools.sls @@ -0,0 +1,15 @@ + +cri-tools_pkgs: + pkg.installed: + - pkgs: + - cri-tools + +/etc/crictl.yaml: + file.managed: + - mode: 644 + - user: root + - group: root + - contents: | + #SALT managed + runtime-endpoint: unix:///var/run/containerd/containerd.sock + image-endpoint: unix:///var/run/containerd/containerd.sock diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml new file mode 100644 index 0000000..e522d8c --- /dev/null +++ b/k8s/files/containerd-config.toml @@ -0,0 +1,16 @@ +version = 2 + +[debug] + level = "warn" + +[plugins] + [plugins."io.containerd.grpc.v1.cri"] + [plugins."io.containerd.grpc.v1.cri".cni] + bin_dir = "/opt/cni/bin" + conf_dir = "/etc/cni/net.d" + [plugins."io.containerd.internal.v1.opt"] + path = "/var/lib/containerd/opt" + [plugins."io.containerd.grpc.v1.cri".registry] + [plugins."io.containerd.grpc.v1.cri".registry.configs."docker-registry.lan".tls] + insecure_skip_verify = true + diff --git a/k8s/repo/debian-bullseye.sls b/k8s/repo/debian-bullseye.sls new file mode 100644 index 0000000..2805285 --- /dev/null +++ b/k8s/repo/debian-bullseye.sls @@ -0,0 +1,14 @@ +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + + +repo_debian-bullseye: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}deb.debian.org/debian bullseye main contrib' + - file: /etc/apt/sources.list.d/debian-bullseye.list + - clean_file: True + 
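Review bot: In `containerd-config.toml` the `registry.configs."docker-registry.lan".tls` table sets `insecure_skip_verify = true`, which turns off certificate verification for every image pulled from that registry. The CRI plugin's TLS table also accepts a `ca_file`, so trusting the internal CA is the narrower setting: `ca_file = "/etc/pki/intca.crt"` in place of the skip flag (that path is where `base/pki/cert.sls` places the CA later in this series; confirm it is present on these nodes). The same relaxation recurs in PATCH 30 (`endpoint = ["http://docker-registry.lan"]`) and PATCH 32 (`insecure = true` in `registries.conf`).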
From 01b2b894b7fa0600809b9184ddf881ee2045c8c3 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 27 Jan 2021 11:10:17 +0100 Subject: [PATCH 24/94] podman and salt-minion version hold --- base/packages/init.sls | 1 + k8s/admin.sls | 1 + k8s/cri-tools.sls | 2 ++ k8s/files/podman-policy.json | 8 ++++++++ k8s/podman.sls | 19 +++++++++++++++++++ top.sls | 4 +++- 6 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 k8s/files/podman-policy.json create mode 100644 k8s/podman.sls diff --git a/base/packages/init.sls b/base/packages/init.sls index e00e864..3413a74 100644 --- a/base/packages/init.sls +++ b/base/packages/init.sls @@ -7,3 +7,4 @@ include: - .repo.debian - .repo.maketank - .prometheus + - .salt.minion diff --git a/k8s/admin.sls b/k8s/admin.sls index 1590819..5f7f803 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -3,6 +3,7 @@ --- include: - kubernetes.package.repo + - .cri-tools {% set k8s_v = "1.20.2-00" %} diff --git a/k8s/cri-tools.sls b/k8s/cri-tools.sls index 4eb1fb3..eba0262 100644 --- a/k8s/cri-tools.sls +++ b/k8s/cri-tools.sls @@ -1,3 +1,5 @@ +include: + - kubernetes.package.repo cri-tools_pkgs: pkg.installed: diff --git a/k8s/files/podman-policy.json b/k8s/files/podman-policy.json new file mode 100644 index 0000000..bdc833a --- /dev/null +++ b/k8s/files/podman-policy.json @@ -0,0 +1,8 @@ +{ + "default": [ + { + "type": "insecureAcceptAnything" + } + ] +} + diff --git a/k8s/podman.sls b/k8s/podman.sls new file mode 100644 index 0000000..994c156 --- /dev/null +++ b/k8s/podman.sls @@ -0,0 +1,19 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +include: + - .repo.debian-bullseye + +podman_pkgs: + pkg.installed: + - pkgs: + - podman + - require: + - pkgrepo: repo_debian-bullseye + +/etc/containers/policy.json: + file.managed: + - source: salt://k8s/files/podman-policy.json + - mode: 644 + - user: root + - group: root diff --git a/top.sls b/top.sls index 283bcd3..7c0d77e 100644 --- a/top.sls +++ b/top.sls 
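Review bot: `podman-policy.json` sets the `default` requirement to `insecureAcceptAnything`, so podman accepts any image from any registry without checking a signature. If `docker-registry.lan` is the only intended source, the default can be `reject` with acceptance scoped to that registry under `transports`, as sketched below. This limits where images may come from but still does not verify signatures, which would need a `signedBy` requirement and a key.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "docker-registry.lan": [
        { "type": "insecureAcceptAnything" }
      ]
    }
  }
}
```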
@@ -12,10 +12,12 @@ base: 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm - 'auto*': + 'auto01*': - base.packages.openhab #- base.packages.openhab.ser2net_server #- base.packages.openhab.ser2net_client + 'auto02*': + - k8s.podman 'pine*': - k8s 'lenny*': From caf410c6543db377cba8d370b2cbc8f60e7c5267 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 27 Jan 2021 11:10:50 +0100 Subject: [PATCH 25/94] salt-minion version hold --- base/packages/salt/minion.sls | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 base/packages/salt/minion.sls diff --git a/base/packages/salt/minion.sls b/base/packages/salt/minion.sls new file mode 100644 index 0000000..428ac70 --- /dev/null +++ b/base/packages/salt/minion.sls @@ -0,0 +1,9 @@ +{% set salt_v = "3000.1+ds-1" %} + +pkgs-salt-minion: + pkg.installed: + - hold: True + - pkgs: + - salt-minion: {{ salt_v }} + - python3-m2crypto + From f208f61fa8df0754160e1cd5be51beeff9dd4a53 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 27 Jan 2021 20:48:15 +0100 Subject: [PATCH 26/94] auto02 stuff --- top.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/top.sls b/top.sls index 7c0d77e..3e42c85 100644 --- a/top.sls +++ b/top.sls @@ -18,6 +18,8 @@ base: #- base.packages.openhab.ser2net_client 'auto02*': - k8s.podman + - haproxy + - systemd 'pine*': - k8s 'lenny*': From 6c3acc6a68881369b524ceb58bfba74a3a4f86e4 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 27 Jan 2021 21:27:36 +0100 Subject: [PATCH 27/94] systemd.units for auto02 --- top.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/top.sls b/top.sls index 3e42c85..47067cb 100644 --- a/top.sls +++ b/top.sls @@ -19,7 +19,7 @@ base: 'auto02*': - k8s.podman - haproxy - - systemd + - systemd.units 'pine*': - k8s 'lenny*': From b35041f2269e60812d87f9aa061e2332fd1be85b Mon Sep 17 00:00:00 2001 
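Review bot: `pkgs-salt-minion` pins `salt-minion` to the hard-coded `salt_v` and sets `hold: True`, which also keeps distribution security updates for the minion from being installed until someone edits this file. A short comment above the `set` line saying why the version is held and what triggers a bump, or reading the value with `salt['pillar.get']('<pillar-key>', '3000.1+ds-1')` (placeholder key), would keep the pin from going stale unnoticed. The same pattern is used for `k8s_v` in `k8s/admin.sls`.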
From: do Date: Wed, 27 Jan 2021 23:55:16 +0100 Subject: [PATCH 28/94] podman needs runc --- k8s/podman.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/k8s/podman.sls b/k8s/podman.sls index 994c156..fafe442 100644 --- a/k8s/podman.sls +++ b/k8s/podman.sls @@ -7,7 +7,8 @@ include: podman_pkgs: pkg.installed: - pkgs: - - podman + - podman + - runc - require: - pkgrepo: repo_debian-bullseye From 39eb8770da6d044589cd1a3a326d28d7daed807f Mon Sep 17 00:00:00 2001 From: do Date: Sun, 31 Jan 2021 16:53:00 +0100 Subject: [PATCH 29/94] auto02 uses haproxy --- top.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/top.sls b/top.sls index 47067cb..8ee882e 100644 --- a/top.sls +++ b/top.sls @@ -8,7 +8,6 @@ base: - hardware 'tumor*': - base.pki.ca - - k8s.docker 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm From af9b2c1457843759a68d5facebaa3dcc455c2612 Mon Sep 17 00:00:00 2001 From: do Date: Mon, 1 Feb 2021 16:42:36 +0100 Subject: [PATCH 30/94] repo docker-reg.lan config --- k8s/files/containerd-config.toml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml index e522d8c..35d0670 100644 --- a/k8s/files/containerd-config.toml +++ b/k8s/files/containerd-config.toml @@ -11,6 +11,10 @@ version = 2 [plugins."io.containerd.internal.v1.opt"] path = "/var/lib/containerd/opt" [plugins."io.containerd.grpc.v1.cri".registry] - [plugins."io.containerd.grpc.v1.cri".registry.configs."docker-registry.lan".tls] - insecure_skip_verify = true + [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker-registry.lan"] + endpoint = ["http://docker-registry.lan"] + [plugins."io.containerd.grpc.v1.cri".registry.configs] + [plugins."io.containerd.grpc.v1.cri".registry.configs."docker-registry.lan".tls] + insecure_skip_verify = true 
From d90320f681572e943cf8b6fa12ae6d21aa454fa7 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 2 Feb 2021 11:50:55 +0100 Subject: [PATCH 31/94] haproxy state --- base/packages/haproxy.sls | 61 +++++++++++++++++++++++++++++++++++++++ top.sls | 4 ++- 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 base/packages/haproxy.sls diff --git a/base/packages/haproxy.sls b/base/packages/haproxy.sls new file mode 100644 index 0000000..efb0c09 --- /dev/null +++ b/base/packages/haproxy.sls 
@@ -0,0 +1,61 @@ +include: + - haproxy + +pkg_prometheus-haproxy-exporter: + pkg.installed: + - pkgs: + - prometheus-haproxy-exporter + + +service_prometheus-haproxy-exporter: + service.running: + - name: prometheus-haproxy-exporter + - enable: True + - watch: + - file: /etc/default/prometheus-haproxy-exporter + +etc_default_prometheus_haproxy-exporter: + file.managed: + - name: /etc/default/prometheus-haproxy-exporter + - require: + - pkg: pkg_prometheus-haproxy-exporter + - contents: | + # + ## SALT managed + # + # Set the command-line arguments to pass to the server. + # Due to shell scaping, to pass backslashes for regexes, you need to double + # them (\\d for \d). If running under systemd, you need to double them again + # (\\\\d to mean \d), and escape newlines too. + ARGS="--haproxy.scrape-uri=http://localhost:9110/haproxy-status;csv --log.level=warn" + + # Prometheus-haproxy-exporter supports the following options: + # + # --web.listen-address=":9101" + # Address to listen on for web interface and telemetry. + # --web.telemetry-path="/metrics" + # Path under which to expose metrics. + # --haproxy.scrape-uri="http://localhost/;csv" + # URI on which to scrape HAProxy. + # --haproxy.ssl-verify + # Flag that enables SSL certificate verification for the scrape URI + # --haproxy.server-metric-fields="2,3,4,5,6,7,8,9,13,14,15,16,17,18,21,24,33,35,38,39,40,41,42,43,44" + # Comma-separated list of exported server metrics. See + # http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.1 + # --haproxy.timeout=5s + # Timeout for trying to get stats from HAProxy. + # --haproxy.pid-file="" + # Path to HAProxy pid file. + # + # If provided, the standard process metrics get exported for the HAProxy + # process, prefixed with 'haproxy_process_...'. The haproxy_process exporter + # needs to have read access to files owned by the HAProxy process. Depends + # on the availability of /proc. + # https://prometheus.io/docs/instrumenting/writing_clientlibs/#process-metrics. 
+ # --log.level="info" + # Only log messages with the given severity or above. + # Valid levels: [debug, info, warn, error, fatal] + # --log.format="logger:stderr" + # Set the log target and format. Example: + # "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true" + \ No newline at end of file diff --git a/top.sls b/top.sls index 8ee882e..1953d22 100644 --- a/top.sls +++ b/top.sls @@ -17,8 +17,10 @@ base: #- base.packages.openhab.ser2net_client 'auto02*': - k8s.podman - - haproxy + - base.packages.haproxy - systemd.units + #'drucki.wks': + #- base.packages.haproxy 'pine*': - k8s 'lenny*': From 83c2b283532b943d04678475293fe516fade8cd3 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 9 Feb 2021 21:08:12 +0100 Subject: [PATCH 32/94] k8s podman --- k8s/files/etc_containers_registries.conf | 71 ++++++++++++++++++++++++ k8s/podman.sls | 7 +++ 2 files changed, 78 insertions(+) create mode 100644 k8s/files/etc_containers_registries.conf diff --git a/k8s/files/etc_containers_registries.conf b/k8s/files/etc_containers_registries.conf new file mode 100644 index 0000000..88c02f7 --- /dev/null +++ b/k8s/files/etc_containers_registries.conf 
@@ -0,0 +1,71 @@ +# For more information on this configuration file, see containers-registries.conf(5). +# +# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. +# +# # An array of host[:port] registries to try when pulling an unqualified image, in order. +# unqualified-search-registries = ["example.com"] +# +[[registry]] +# # The "prefix" field is used to choose the relevant [[registry]] TOML table; +# # (only) the TOML table with the longest match for the input image name +# # (taking into account namespace/repo/tag/digest separators) is used. +# # +# # If the prefix field is missing, it defaults to be the same as the "location" field. + prefix = "docker-registry.lan" +# +# # If true, unencrypted HTTP as well as TLS connections with untrusted +# # certificates are allowed. +insecure = true +# +# # If true, pulling images with matching names is forbidden. 
+# blocked = false +# +# # The physical location of the "prefix"-rooted namespace. +# # +# # By default, this equal to "prefix" (in which case "prefix" can be omitted +# # and the [[registry]] TOML table can only specify "location"). +# # +# # Example: Given +# # prefix = "example.com/foo" +# # location = "internal-registry-for-example.net/bar" +# # requests for the image example.com/foo/myimage:latest will actually work with the +# # internal-registry-for-example.net/bar/myimage:latest image. +location = "docker-registry.lan" + +# +# # (Possibly-partial) mirrors for the "prefix"-rooted namespace. +# # +# # The mirrors are attempted in the specified order; the first one that can be +# # contacted and contains the image will be used (and if none of the mirrors contains the image, +# # the primary location specified by the "registry.location" field, or using the unmodified +# # user-specified reference, is tried last). +# # +# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics +# # as if specified in the [[registry]] TOML table directly: +# # - location +# # - insecure +# [[registry.mirror]] +# location = "example-mirror-0.local/mirror-for-foo" +# [[registry.mirror]] +# location = "example-mirror-1.local/mirrors/foo" +# insecure = true +# # Given the above, a pull of example.com/foo/image:latest will try: +# # 1. example-mirror-0.local/mirror-for-foo/image:latest +# # 2. example-mirror-1.local/mirrors/foo/image:latest +# # 3. internal-registry-for-example.net/bar/image:latest +# # in order, and use the first one that exists. diff --git a/k8s/podman.sls b/k8s/podman.sls index fafe442..48f0f53 100644 --- a/k8s/podman.sls +++ b/k8s/podman.sls @@ -18,3 +18,10 @@ podman_pkgs: - mode: 644 - user: root - group: root + +/etc/containers/registries.conf: + file.managed: + - source: salt://k8s/files/etc_containers_registries.conf + - mode: 644 + - user: root + - group: root 
From 20b4ef9d72c36bd7ca989c119edf8245519cbc23 Mon Sep 17 00:00:00 2001 From: do Date: Thu, 11 Feb 2021 23:12:13 +0100 Subject: [PATCH 33/94] ignore missint states? SHould be pillars.... --- top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/top.sls b/top.sls index 1953d22..23532af 100644 --- a/top.sls +++ b/top.sls @@ -6,6 +6,7 @@ base: '*': - base - hardware + - ignore_missing: True 'tumor*': - base.pki.ca 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': From db72f1aabf06b28555ee2e57afb95446222a639d Mon Sep 17 00:00:00 2001 From: do Date: Thu, 11 Feb 2021 23:12:37 +0100 Subject: [PATCH 34/94] intca in /etc/pki and multiple CNS --- base/pki/cert.sls | 6 +++--- base/pki/host.sls | 17 ++++++++++++++++- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/base/pki/cert.sls b/base/pki/cert.sls index 5e8bb78..6c9677c 100644 --- a/base/pki/cert.sls +++ b/base/pki/cert.sls @@ -2,9 +2,9 @@ # vim: ft=yaml --- -/usr/local/share/ca-certificates: - file.directory +#/usr/local/share/ca-certificates: +# file.directory -/usr/local/share/ca-certificates/intca.crt: +/etc/pki/intca.crt: x509.pem_managed: - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} diff --git a/base/pki/host.sls b/base/pki/host.sls index 9a66fb0..cb664d5 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -15,7 +15,22 @@ - signing_policy: host - public_key: /etc/pki/private.key - CN: {{ grains['fqdn'] }} - - days_remaining: 30 + - days_remaining: 90 - backup: True - require: - x509: /etc/pki/private.key + +{% for cn in salt['pillar.get']('pki:cns',{}) %} + +/etc/pki/{{ cn }}.crt: + x509.certificate_managed: + - ca_server: tumor.chaos + - signing_policy: host + - public_key: /etc/pki/private.key + - CN: {{ cn }} + - days_remaining: 90 + - backup: False + - require: + - x509: /etc/pki/private.key +{% endfor %} + \ No newline at end of file From de8d3117bbb8ac7421e9859ad1c09b23306886c6 Mon Sep 17 00:00:00 2001 
From: do Date: Fri, 12 Feb 2021 12:11:40 +0100 Subject: [PATCH 35/94] chain certificates --- base/pki/host.sls | 10 ++++++++++ base/pki/init.sls | 3 +++ 2 files changed, 13 insertions(+) diff --git a/base/pki/host.sls b/base/pki/host.sls index cb664d5..d88c50d 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -32,5 +32,15 @@ - backup: False - require: - x509: /etc/pki/private.key + +/etc/pki/chain/{{ cn }}.pem: + file: + - append + - sources: + - /etc/pki/{{ cn }}.crt + - /etc/pki/private.key + - require: + - file: /etc/pki/chain + {% endfor %} \ No newline at end of file diff --git a/base/pki/init.sls b/base/pki/init.sls index 3eb548c..51383dd 100644 --- a/base/pki/init.sls +++ b/base/pki/init.sls @@ -8,3 +8,6 @@ include: /etc/pki: file.directory + +/etc/pki/chain: + file.directory From 7a01441744474dca6441fde6c000f207ac777c25 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 12 Feb 2021 16:59:41 +0100 Subject: [PATCH 36/94] using SANs --- base/pki/host.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/base/pki/host.sls b/base/pki/host.sls index d88c50d..1b4ced3 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -14,8 +14,8 @@ - ca_server: tumor.chaos - signing_policy: host - public_key: /etc/pki/private.key - - CN: {{ grains['fqdn'] }} - - days_remaining: 90 + - subjectAltName: 'DNS:{{ grains['fqdn'] }}' + - days_remaining: 5 - backup: True - require: - x509: /etc/pki/private.key @@ -27,9 +27,9 @@ - ca_server: tumor.chaos - signing_policy: host - public_key: /etc/pki/private.key - - CN: {{ cn }} - - days_remaining: 90 + - days_remaining: 5 - backup: False + - subjectAltName: 'DNS:{{ cn }}' - require: - x509: /etc/pki/private.key From 7ec3a3739d2c3ae7cda87eeffdefde39583b62df Mon Sep 17 00:00:00 2001 From: do Date: Fri, 12 Feb 2021 19:19:23 +0100 Subject: [PATCH 37/94] keyUsage and intca for all --- base/pki/host.sls | 1 + base/pki/signing_policies.conf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) 
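Review bot: `/etc/pki/chain/{{ cn }}.pem` concatenates `/etc/pki/private.key` into a new file, and neither this `file.append` state nor the `/etc/pki/chain` `file.directory` added in `init.sls` sets an owner or mode, so the copy of the private key gets default permissions and is likely readable by every local user. Restricting the directory covers all bundles: add `- user: root`, `- group: root` and `- mode: '0700'` to `/etc/pki/chain`. Because `file.append` only adds content, a renewed certificate would presumably be appended after the old one rather than replace it, which is worth checking after the first renewal.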
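Review bot: Both `x509.certificate_managed` states in PATCH 36 now use `days_remaining: 5`, so a certificate is only reissued during its last five days; a minion that misses a few highstate runs, or cannot reach `tumor.chaos` in that window, ends up serving an expired certificate. A wider window such as `- days_remaining: 30` leaves room for retries at no cost.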
diff --git a/base/pki/host.sls b/base/pki/host.sls index 1b4ced3..f464441 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -38,6 +38,7 @@ - append - sources: - /etc/pki/{{ cn }}.crt + - /etc/pki/intca.crt - /etc/pki/private.key - require: - file: /etc/pki/chain diff --git a/base/pki/signing_policies.conf b/base/pki/signing_policies.conf index 85b94fe..63dec1d 100644 --- a/base/pki/signing_policies.conf +++ b/base/pki/signing_policies.conf @@ -11,8 +11,8 @@ x509_signing_policies: - ST: Berlin - L: Berlin - basicConstraints: "critical CA:false" - - keyUsage: "critical keyEncipherment" + - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - - days_valid: 360 + - days_valid: 365 - copypath: /etc/pki/issued_certs/ From f60cbb6117beb50b09231093373ce7a6c694f8c5 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 16 Feb 2021 17:05:41 +0100 Subject: [PATCH 38/94] distribute intca to /etc/ssl/certs also --- base/pki/cert.sls | 11 +++++++++++ base/pki/signing_policies.conf | 3 ++- 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/base/pki/cert.sls b/base/pki/cert.sls index 6c9677c..a4c2beb 100644 --- a/base/pki/cert.sls +++ b/base/pki/cert.sls @@ -8,3 +8,14 @@ /etc/pki/intca.crt: x509.pem_managed: - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + +/etc/ssl/certs/intca.crt: + x509.pem_managed: + - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + + +/usr/sbin/update-ca-certificates: + cmd.run: + - onchanges: + - x509: /etc/ssl/certs/intca.crt + diff --git a/base/pki/signing_policies.conf b/base/pki/signing_policies.conf index 63dec1d..7e21511 100644 --- a/base/pki/signing_policies.conf +++ b/base/pki/signing_policies.conf 
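Review bot: In PATCH 38, `/etc/ssl/certs/intca.crt` is written straight into the directory that `update-ca-certificates` generates; on Debian-family systems that tool collects local CAs from `/usr/local/share/ca-certificates/*.crt`, so the file placed here is probably not added to the `ca-certificates.crt` bundle, and clients that read the bundle will still not trust the internal CA. Managing `/usr/local/share/ca-certificates/intca.crt` with `x509.pem_managed` and pointing the `onchanges` requisite at it keeps the rest of the state unchanged. A working trust store is also what allows the `insecure` and `insecure_skip_verify` registry settings elsewhere in this series to be removed.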
@@ -11,7 +11,8 @@ x509_signing_policies: - ST: Berlin - L: Berlin - basicConstraints: "critical CA:false" - - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment" + - keyUsage: "nonRepudiation, digitalSignature, keyEncipherment, keyAgreement" + - extendedKeyUsage: "serverAuth, clientAuth" - subjectKeyIdentifier: hash - authorityKeyIdentifier: keyid,issuer:always - days_valid: 365 From a10b2ccd917881313408de3da0faedb11666094f Mon Sep 17 00:00:00 2001 From: do Date: Wed, 17 Feb 2021 21:30:34 +0100 Subject: [PATCH 39/94] adm01 i can haz rsyslog and an ssd! --- base/init.sls | 2 - base/packages/common.sls | 9 ++- base/pki/host.sls | 2 + base/rsyslog/client.sls | 4 ++ base/rsyslog/files/logrotate-server.conf | 39 +++++++++++ base/rsyslog/files/server.conf | 82 ++++++++++++++++++++++++ base/rsyslog/server.sls | 22 +++++++ base/rsyslog/service.sls | 5 ++ k8s/podman.sls | 1 + top.sls | 9 ++- 10 files changed, 167 insertions(+), 8 deletions(-) create mode 100644 base/rsyslog/client.sls create mode 100644 base/rsyslog/files/logrotate-server.conf create mode 100644 base/rsyslog/files/server.conf create mode 100644 base/rsyslog/server.sls create mode 100644 base/rsyslog/service.sls diff --git a/base/init.sls b/base/init.sls index 27138f0..eb1ac11 100644 --- a/base/init.sls +++ b/base/init.sls @@ -5,9 +5,7 @@ include: - .packages - .pki - #- .gluster.client - sysctl - - rsyslog - sudoers - systemd - .timezone diff --git a/base/packages/common.sls b/base/packages/common.sls index 7f37f9a..f1d3162 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -26,15 +26,14 @@ common-installed: - bzip2 - gzip - unzip - - libwww-perl - bind9-host - dnsutils - tcpdump - file - - python-pip - - python-dev - - python-pyinotify - - python-m2crypto + - python3-pip + - python3-dev + - python3-pyinotify + - python3-m2crypto - python3-m2crypto - lockfile-progs - virt-what diff --git a/base/pki/host.sls b/base/pki/host.sls index f464441..41ed2c7 100644 
--- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -14,6 +14,7 @@ - ca_server: tumor.chaos - signing_policy: host - public_key: /etc/pki/private.key + - CN: {{ grains['fqdn'] }} - subjectAltName: 'DNS:{{ grains['fqdn'] }}' - days_remaining: 5 - backup: True @@ -29,6 +30,7 @@ - public_key: /etc/pki/private.key - days_remaining: 5 - backup: False + - CN: {{ grains['fqdn'] }} - subjectAltName: 'DNS:{{ cn }}' - require: - x509: /etc/pki/private.key diff --git a/base/rsyslog/client.sls b/base/rsyslog/client.sls new file mode 100644 index 0000000..d350c21 --- /dev/null +++ b/base/rsyslog/client.sls @@ -0,0 +1,4 @@ +include: + - rsyslog + - .service + \ No newline at end of file diff --git a/base/rsyslog/files/logrotate-server.conf b/base/rsyslog/files/logrotate-server.conf new file mode 100644 index 0000000..9f2a938 --- /dev/null +++ b/base/rsyslog/files/logrotate-server.conf @@ -0,0 +1,39 @@ +/data/logs/*/syslog +{ + rotate 10 + daily + minsize 50M + missingok + notifempty + delaycompress + compress + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} + +/data/logs/*/mail.info +/data/logs/*/mail.warn +/data/logs/*/mail.err +/data/logs/*/mail.log +/data/logs/*/daemon.log +/data/logs/*/kern.log +/data/logs/*/auth.log +/data/logs/*/user.log +/data/logs/*/lpr.log +/data/logs/*/cron.log +/data/logs/*/debug +/data/logs/*/messages +{ + rotate 5 + daily + minsize 100M + missingok + notifempty + compress + delaycompress + sharedscripts + postrotate + invoke-rc.d rsyslog rotate > /dev/null + endscript +} diff --git a/base/rsyslog/files/server.conf b/base/rsyslog/files/server.conf new file mode 100644 index 0000000..b1d7f20 --- /dev/null +++ b/base/rsyslog/files/server.conf 
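Review bot: In the second base/pki/host.sls hunk the per-name certificate gets `CN: {{ grains['fqdn'] }}` while its `subjectAltName` is `DNS:{{ cn }}`, so the subject names the host rather than the name the certificate is issued for. Clients that match on the SAN will accept it, but anything that still falls back to the CN, and anyone reading the issued-certificate list, sees the wrong name. If that is not intentional, `- CN: {{ cn }}` keeps both fields aligned. Both states start outside their hunks.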
@@ -0,0 +1,82 @@ +# +# SALT managed. +# + +# Load UDP module +$ModLoad imudp + +# Load TCP module +$ModLoad imtcp + +# Load RELP module +$ModLoad imrelp + + +# +# Use traditional timestamp format. +# +$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat + + +# Switch to remote ruleset +$RuleSet remote + + +# Log files are stored in directories matching the short hostname, excluding numbers +# i.e. web01 web02 and web03 will all log to a the web directory + +# Templates +$Template dynAuditLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/audit.log" +$Template dynAuthLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/auth.log" +$Template dynSyslog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/syslog" +$Template dynCronLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/cron.log" +$Template dynDaemonLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.log" +$Template dynKernLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/kern.log" +$Template dynUserLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/user.log" +$Template dynMailLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/mail.log" +$Template dynDebug,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/debug" +$Template dynMessages,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/messages" +$Template dynLocal0daemon,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.local0.log" + +# Rules +auth,authpriv.* ?dynAuthLog +*.*;auth.none,authpriv.none,mail.none,cron.none,kern.none,user.none,daemon.none -?dynSyslog +cron.* ?dynCronLog +kern.* -?dynKernLog +mail.* -?dynMailLog +user.* -?dynUserLog +#*.=info;*.=notice;*.=warn;\ +# +# auth.none,authpriv.none;\ +# cron.none,daemon.none;\ +# mail.none,news.none -?dynMessages +#hier gibts drachen / here are dragons +#if $syslogfacility-text == 'local0' then /var/log/somelog + +daemon.* -?dynDaemonLog + +# drachen sind put / dragons borked +# +# Special format to keep audit logs as sent. 
+$Template auditFormat,"%msg%\n" + +# Catch messages from audispd and send to audit log. +:programname, isequal, "audispd" -?dynAuditLog;auditFormat +:programname, isequal, "audispd" stop + + + +# Switch back to default ruleset +$RuleSet RSYSLOG_DefaultRuleset + +$InputUDPServerBindRuleset remote +$UDPServerRun 514 +$UDPServerAddress * + +$InputTCPServerBindRuleset remote +$InputTCPServerRun 514 + +$InputRELPServerBindRuleset remote +$InputRELPServerRun 20514 + + diff --git a/base/rsyslog/server.sls b/base/rsyslog/server.sls new file mode 100644 index 0000000..6e878f6 --- /dev/null +++ b/base/rsyslog/server.sls @@ -0,0 +1,22 @@ +include: + - rsyslog + - .service + +rsyslog-server.conf: + file.managed: + - name: /etc/rsyslog.d/01-server.conf + - source: salt://base/rsyslog/files/server.conf + - user: root + - group: root + - onchange: + - service: rsyslog + +lograte-rsyslog-logs: + file.managed: + - name: /etc/logrotate.d/rsyslog-HOSTS-logs + - source: salt://base/rsyslog/files/logrotate-server.conf + - user: root + - group: root + + + \ No newline at end of file diff --git a/base/rsyslog/service.sls b/base/rsyslog/service.sls new file mode 100644 index 0000000..952e70d --- /dev/null +++ b/base/rsyslog/service.sls @@ -0,0 +1,5 @@ + +rsyslog: + service.running: + - enable: True + - reload: False diff --git a/k8s/podman.sls b/k8s/podman.sls index 48f0f53..2202708 100644 --- a/k8s/podman.sls +++ b/k8s/podman.sls @@ -9,6 +9,7 @@ podman_pkgs: - pkgs: - podman - runc + - containers-storage - require: - pkgrepo: repo_debian-bullseye diff --git a/top.sls b/top.sls index 23532af..b365594 100644 --- a/top.sls +++ b/top.sls @@ -6,9 +6,16 @@ base: '*': - base - hardware - - ignore_missing: True 'tumor*': - base.pki.ca + 'adm01.wks': + - base.rsyslog.server + - base.packages.haproxy + - k8s.podman + - systemd.units + 'not G@fqdn:adm01.wks': + - match: compound + - base.rsyslog.client 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm 
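Review bot: The listeners at the end of base/rsyslog/files/server.conf accept syslog on UDP/TCP 514 and RELP 20514 with no sender restriction or TLS, and the templates pick the target directory from `%source%`, which comes from the message and is set by the sender. Any host that can reach the port can therefore write into another host's `auth.log` or `audit.log`, or fill `/data/logs`. The regex limits the name to letters and hyphens, which rules out path separators but does not tie the name to the real peer. I would restrict senders (for example `$AllowedSender` for UDP/TCP, or a firewall rule) and consider keying the directory on `%fromhost-ip%`, or move the TCP/RELP inputs to TLS using the internal CA.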
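Review bot: `onchange` under `rsyslog-server.conf` in base/rsyslog/server.sls is not a Salt requisite (the name is `onchanges`), and in this position it would make the file depend on the service rather than the reverse. As written, rsyslog is probably not restarted when `01-server.conf` changes, so an edited listener or rule set silently stays inactive. Replacing it with `- watch_in:` followed by `- service: rsyslog` gives the restart. Both `file.managed` states would also benefit from an explicit `- mode: '0644'`, and the ID `lograte-rsyslog-logs` looks like a typo for `logrotate`.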
From b32d02eb40b49d203b736d584d6bc3a787afe9c7 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 19 Mar 2021 15:21:39 +0100 Subject: [PATCH 40/94] registries updates --- k8s/files/containerd-config.toml | 6 +++--- k8s/files/etc_containers_registries.conf | 8 +++++--- k8s/files/etc_docker_daemon.json | 4 ++-- 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml index 35d0670..3f137d5 100644 --- a/k8s/files/containerd-config.toml +++ b/k8s/files/containerd-config.toml @@ -12,9 +12,9 @@ version = 2 path = "/var/lib/containerd/opt" [plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry.mirrors] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker-registry.lan"] - endpoint = ["http://docker-registry.lan"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"] + endpoint = ["http://cr.lan"] [plugins."io.containerd.grpc.v1.cri".registry.configs] - [plugins."io.containerd.grpc.v1.cri".registry.configs."docker-registry.lan".tls] + [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] insecure_skip_verify = true diff --git a/k8s/files/etc_containers_registries.conf b/k8s/files/etc_containers_registries.conf index 88c02f7..f190453 100644 --- a/k8s/files/etc_containers_registries.conf +++ b/k8s/files/etc_containers_registries.conf @@ -18,7 +18,7 @@ # of these registries, it should be added at the end of the list. # # # An array of host[:port] registries to try when pulling an unqualified image, in order. -# unqualified-search-registries = ["example.com"] +unqualified-search-registries = ["dr-mirror.lan"] # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; 
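Review bot: The renamed mirror entry in k8s/files/containerd-config.toml still points containerd at `http://cr.lan`, and the unchanged context keeps `insecure_skip_verify = true`, so image pulls from the registry are neither encrypted nor authenticated and image content can be altered in transit. An earlier patch on this page distributes the internal CA to hosts, so the endpoint could be `endpoint = ["https://cr.lan"]` with a `ca_file` entry for that CA in place of the skip-verify flag. The same applies to `insecure-registries` in k8s/files/etc_docker_daemon.json and to `insecure = true` in k8s/files/etc_containers_registries.conf, both touched by this patch.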
@@ -26,7 +26,7 @@ # # (taking into account namespace/repo/tag/digest separators) is used. # # # # If the prefix field is missing, it defaults to be the same as the "location" field. - prefix = "docker-registry.lan" +# prefix = "cr.lan" # # # If true, unencrypted HTTP as well as TLS connections with untrusted # # certificates are allowed. @@ -45,7 +45,7 @@ insecure = true # # location = "internal-registry-for-example.net/bar" # # requests for the image example.com/foo/myimage:latest will actually work with the # # internal-registry-for-example.net/bar/myimage:latest image. -location = "docker-registry.lan" +location = "cr.lan" # # # (Possibly-partial) mirrors for the "prefix"-rooted namespace. @@ -69,3 +69,5 @@ location = "docker-registry.lan" # # 2. example-mirror-1.local/mirrors/foo/image:latest # # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. +[[registry.mirror]] +location = dr-mirror.lan diff --git a/k8s/files/etc_docker_daemon.json b/k8s/files/etc_docker_daemon.json index d39e5b1..d5cb977 100644 --- a/k8s/files/etc_docker_daemon.json +++ b/k8s/files/etc_docker_daemon.json @@ -2,9 +2,9 @@ "exec-opts": ["native.cgroupdriver=systemd"], "log-level": "warn", "storage-driver": "overlay2", - "registry-mirrors": ["https://docker-registry.lan"], + "registry-mirrors": ["https://cr.lan"], "insecure-registries" : [ - "docker-registry.lan" + "cr.lan" ] } From f64545c4ab75557d07046bf5ba2d4bf415b44a31 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 24 Mar 2021 19:23:35 +0100 Subject: [PATCH 41/94] auto01 prepare for podman --- top.sls | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/top.sls b/top.sls index b365594..8a43a44 100644 --- a/top.sls +++ b/top.sls 
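Review bot: `location = dr-mirror.lan` in the last hunk of k8s/files/etc_containers_registries.conf is not valid TOML because the string is unquoted, so the file will likely fail to parse and the container tools reading it would reject their registry configuration. It should read `location = "dr-mirror.lan"`. The `[[registry.mirror]]` table also needs an active `[[registry]]` table above it; in the visible context that header appears only as a comment, which is worth checking in the full file.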
@@ -20,15 +20,12 @@ base: - match: compound - base.packages.arch.arm 'auto01*': - - base.packages.openhab - #- base.packages.openhab.ser2net_server - #- base.packages.openhab.ser2net_client + - k8s.podman + - systemd.units 'auto02*': - k8s.podman - base.packages.haproxy - systemd.units - #'drucki.wks': - #- base.packages.haproxy 'pine*': - k8s 'lenny*': From b08fc4dba2a6e8f152e243d4ff80deec644c4f26 Mon Sep 17 00:00:00 2001 From: do Date: Sat, 10 Apr 2021 21:45:36 +0200 Subject: [PATCH 42/94] new k8s version --- k8s/admin.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index 5f7f803..aab8470 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - kubernetes.package.repo - .cri-tools -{% set k8s_v = "1.20.2-00" %} +{% set k8s_v = "1.20.5-00" %} k8s_pkgs-kubelet: pkg.installed: From d50e92210c69dc335119e1551783672a58fa2d62 Mon Sep 17 00:00:00 2001 From: do Date: Sun, 11 Apr 2021 11:06:21 +0200 Subject: [PATCH 43/94] apparmor for k8s --- k8s/admin.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/k8s/admin.sls b/k8s/admin.sls index aab8470..ec5a80c 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -14,3 +14,8 @@ k8s_pkgs-kubelet: - kubectl: {{ k8s_v }} - kubeadm: {{ k8s_v }} - kubelet: {{ k8s_v }} + +k83-additions_pkgs: + pkg.installed: + - pkgs: + - apparmor From 07cd79ed030f7da0e71da22f4872736325c75e67 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 21 May 2021 12:15:32 +0200 Subject: [PATCH 44/94] adding key-url --- hardware/raspberrypi/repo.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/hardware/raspberrypi/repo.sls b/hardware/raspberrypi/repo.sls index 0db81c1..5cf5ccf 100644 --- a/hardware/raspberrypi/repo.sls +++ b/hardware/raspberrypi/repo.sls @@ -14,5 +14,6 @@ repo_raspi: - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/raspi.list - clean_file: True + - key_url: https://archive.raspbian.org/raspbian.public.key 
From f4c3467d65e2ca767c19fd1035729d4183219473 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 23 Jun 2021 21:36:36 +0200 Subject: [PATCH 45/94] new k8s --- k8s/admin.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index ec5a80c..74756ff 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - kubernetes.package.repo - .cri-tools -{% set k8s_v = "1.20.5-00" %} +{% set k8s_v = "1.21.2-00" %} k8s_pkgs-kubelet: pkg.installed: From a03211dff9134e2b753c5230d11c2a878053559a Mon Sep 17 00:00:00 2001 From: do Date: Fri, 23 Jul 2021 16:35:25 +0200 Subject: [PATCH 46/94] added armbian and os_flavor grain --- _grains/os_flavor.py | 16 ++++++++++++++++ os/armbian.sls | 4 ++++ os/init.sls | 5 +++++ top.sls | 1 + 4 files changed, 26 insertions(+) create mode 100644 _grains/os_flavor.py create mode 100644 os/armbian.sls create mode 100644 os/init.sls diff --git a/_grains/os_flavor.py b/_grains/os_flavor.py new file mode 100644 index 0000000..165504a --- /dev/null +++ b/_grains/os_flavor.py @@ -0,0 +1,16 @@ +#!/usr/bin/env python3 +import re +import os.path + +def _os_flavor(): + + if os.path.isfile('/etc/armbian-release'): + h = "Armbian" + else: + h = "Debian" + return h + +def main(): + grains = {} + grains['os_flavor'] = _hardware() + return grains diff --git a/os/armbian.sls b/os/armbian.sls new file mode 100644 index 0000000..56b46b3 --- /dev/null +++ b/os/armbian.sls @@ -0,0 +1,4 @@ +# remove this pesky thing, +# we knwo what we are doing +/etc/cron.d/armbian-updates: + file.absent: diff --git a/os/init.sls b/os/init.sls new file mode 100644 index 0000000..ef963ff --- /dev/null +++ b/os/init.sls @@ -0,0 +1,5 @@ +include: +{% if grains['os_flavor'] == 'Armbian' %} + - .armbian +{% endif %} + diff --git a/top.sls b/top.sls index 8a43a44..769bcaa 100644 --- a/top.sls +++ b/top.sls @@ -6,6 +6,7 @@ base: '*': - base - hardware + - os 'tumor*': - base.pki.ca 'adm01.wks': 
From 03c97ebaf8925eebc5685bc0c671bb24677b4ab3 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 23 Jul 2021 17:05:03 +0200 Subject: [PATCH 47/94] added armbian and os_flavor grain --- _grains/os_flavor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_grains/os_flavor.py b/_grains/os_flavor.py index 165504a..ceb09a4 100644 --- a/_grains/os_flavor.py +++ b/_grains/os_flavor.py @@ -12,5 +12,5 @@ def _os_flavor(): def main(): grains = {} - grains['os_flavor'] = _hardware() + grains['os_flavor'] = _os_flavor() return grains From fc449c04b2e124aee3f39edf539881b766fefd1f Mon Sep 17 00:00:00 2001 From: do Date: Fri, 23 Jul 2021 17:33:02 +0200 Subject: [PATCH 48/94] colon not required --- os/armbian.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/armbian.sls b/os/armbian.sls index 56b46b3..fcd529d 100644 --- a/os/armbian.sls +++ b/os/armbian.sls @@ -1,4 +1,4 @@ # remove this pesky thing, # we knwo what we are doing /etc/cron.d/armbian-updates: - file.absent: + file.absent From cc571befc83409e5485958642eed7bab04b25b6b Mon Sep 17 00:00:00 2001 From: do Date: Fri, 23 Jul 2021 18:04:12 +0200 Subject: [PATCH 49/94] fix include --- os/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/os/init.sls b/os/init.sls index ef963ff..cee44de 100644 --- a/os/init.sls +++ b/os/init.sls @@ -1,5 +1,5 @@ -include: {% if grains['os_flavor'] == 'Armbian' %} +include: - .armbian {% endif %} From 60b3c0e1074d1bb671af26b75f3dcafcf0a715a8 Mon Sep 17 00:00:00 2001 From: do Date: Thu, 9 Sep 2021 12:26:22 +0200 Subject: [PATCH 50/94] added osmc --- _grains/os_flavor.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_grains/os_flavor.py b/_grains/os_flavor.py index ceb09a4..00e7b4b 100644 --- a/_grains/os_flavor.py +++ b/_grains/os_flavor.py @@ -6,6 +6,8 @@ def _os_flavor(): if os.path.isfile('/etc/armbian-release'): h = "Armbian" + elif os.path.isdir('/etc/osmc'): + h = "OSMC" else: h = "Debian" return h 
From 350c24ccff5239ef619c1fe3c9b08c94dfc4f7c2 Mon Sep 17 00:00:00 2001 From: do Date: Thu, 9 Sep 2021 12:33:10 +0200 Subject: [PATCH 51/94] buster we still want --- base/release.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/release.sls b/base/release.sls index 304a522..c472056 100644 --- a/base/release.sls +++ b/base/release.sls @@ -4,4 +4,4 @@ etc_apt_release: - name: /etc/apt/apt.conf.d/01release - user: root - mode: 644 - - contents: 'APT::Default-Release "stable";' + - contents: 'APT::Default-Release "buster";' From 5e9ea64d41f0a825ef3f6a66ac3399c97ca5c14a Mon Sep 17 00:00:00 2001 From: do Date: Thu, 9 Sep 2021 12:33:16 +0200 Subject: [PATCH 52/94] osmc repos --- hardware/raspberrypi/repo.sls | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/hardware/raspberrypi/repo.sls b/hardware/raspberrypi/repo.sls index 5cf5ccf..fd45b28 100644 --- a/hardware/raspberrypi/repo.sls +++ b/hardware/raspberrypi/repo.sls @@ -16,4 +16,22 @@ repo_raspi: - clean_file: True - key_url: https://archive.raspbian.org/raspbian.public.key +repo_archive_raspi: + pkgrepo.managed: + - name: deb http://{{ cache_url }}archive.raspberrypi.org/debian/ {{ grains['oscodename'] }} main + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/raspi_archive.list + - clean_file: True + - key_url: https://archive.raspbian.org/raspbian.public.key +{% if grains.get('os_flavor') == 'OSMC' %} + +repo_archive_osmc: + pkgrepo.managed: + - name: deb http://{{ cache_url }}apt.osmc.tv {{ grains['oscodename'] }} main + - dist: {{ grains['oscodename'] }} + - file: /etc/apt/sources.list.d/osmc.list + - clean_file: True + - key_url: https://ftp.fau.de/osmc/osmc/apt/osmc_repository.gpg + +{% endif %} From 73a24f50c6fdf7ad550a5c3eb93b041e6c784051 Mon Sep 17 00:00:00 2001 
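Review bot: `repo_archive_raspi` in hardware/raspberrypi/repo.sls adds archive.raspberrypi.org but takes its `key_url` from archive.raspbian.org, which is probably a different signing key. `repo_archive_osmc` fetches its key from a third-party mirror (ftp.fau.de) rather than from the project. Each run trusts whatever those URLs return at that moment, and the package sources themselves are plain `http://`, so the keys are the only integrity control. Shipping reviewed copies from the Salt fileserver, e.g. `- key_url: salt://<path-to-reviewed-key>` (placeholder path), pins what is trusted.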
From: do Date: Thu, 9 Sep 2021 17:10:07 +0200 Subject: [PATCH 53/94] adding powersafe off for wifi in rpis --- _grains/os_flavor.py | 2 ++ hardware/raspberrypi/init.sls | 1 + .../wifi/files/default-wifi-powersave.conf | 3 +++ .../wifi/files/wifi-powermanagement-off | 12 ++++++++++ hardware/raspberrypi/wifi/init.sls | 22 +++++++++++++++++++ 5 files changed, 40 insertions(+) create mode 100644 hardware/raspberrypi/wifi/files/default-wifi-powersave.conf create mode 100644 hardware/raspberrypi/wifi/files/wifi-powermanagement-off create mode 100644 hardware/raspberrypi/wifi/init.sls diff --git a/_grains/os_flavor.py b/_grains/os_flavor.py index 00e7b4b..f45d2a2 100644 --- a/_grains/os_flavor.py +++ b/_grains/os_flavor.py @@ -8,6 +8,8 @@ def _os_flavor(): h = "Armbian" elif os.path.isdir('/etc/osmc'): h = "OSMC" + elif os.path.isfile('/etc/octopi_version'): + h = "OctoPi" else: h = "Debian" return h diff --git a/hardware/raspberrypi/init.sls b/hardware/raspberrypi/init.sls index 0bb387a..158f7bc 100644 --- a/hardware/raspberrypi/init.sls +++ b/hardware/raspberrypi/init.sls @@ -14,6 +14,7 @@ set has_fan = salt['pillar.get']( include: - .repo + - .wifi {%- if 'node_exporter' in has_promexporter %} - .prometheus-exporter {%- endif %} diff --git a/hardware/raspberrypi/wifi/files/default-wifi-powersave.conf b/hardware/raspberrypi/wifi/files/default-wifi-powersave.conf new file mode 100644 index 0000000..9333932 --- /dev/null +++ b/hardware/raspberrypi/wifi/files/default-wifi-powersave.conf @@ -0,0 +1,3 @@ +# disable powersave +[connection] +wifi.powersave = 2 diff --git a/hardware/raspberrypi/wifi/files/wifi-powermanagement-off b/hardware/raspberrypi/wifi/files/wifi-powermanagement-off new file mode 100644 index 0000000..cd6a62c --- /dev/null +++ b/hardware/raspberrypi/wifi/files/wifi-powermanagement-off 
@@ -0,0 +1,12 @@ +#!/bin/sh + +IWCONFIG=/sbin/iwconfig +WLAN_IFACE=wlan0 + +if [ ! -x $IWCONFIG ]; then + exit 1 +fi + +if [ "$IFACE" = $WLAN_IFACE ]; then + $IWCONFIG $IFACE power off +fi \ No newline at end of file diff --git a/hardware/raspberrypi/wifi/init.sls b/hardware/raspberrypi/wifi/init.sls new file mode 100644 index 0000000..268bbca --- /dev/null +++ b/hardware/raspberrypi/wifi/init.sls @@ -0,0 +1,22 @@ +# disable wifi powermanagement + +nm-conf_d: + file.directory: + - name: /etc/NetworkManager/conf.d + +nm-conf_powersave-off: + file.managed: + - name: /etc/NetworkManager/conf.d/default-wifi-powersave.conf + - source: + - salt://hardware/raspberrypi/wifi/files/default-wifi-powersave.conf + - require: + - file: /etc/NetworkManager/conf.d + +if-up_powersave-off: + file.managed: + - name: /etc/network/if-up.d/wifi-powermanagement-off + - mode: 0755 + - source: + - salt://hardware/raspberrypi/wifi/files/wifi-powermanagement-off + + From f6c5fe75fa4e73e80a321e74dd26403c935ac281 Mon Sep 17 00:00:00 2001 From: do Date: Thu, 9 Sep 2021 17:29:25 +0200 Subject: [PATCH 54/94] this works, as long as noone renames the wifi card! :) --- .../wifi/files/default-wifi-powersave.conf | 3 --- .../raspberrypi/wifi/files/interfaces-wlan0 | 6 +++++ .../wifi/files/wifi-powermanagement-off | 12 ---------- hardware/raspberrypi/wifi/init.sls | 22 ++++--------------- 4 files changed, 10 insertions(+), 33 deletions(-) delete mode 100644 hardware/raspberrypi/wifi/files/default-wifi-powersave.conf create mode 100644 hardware/raspberrypi/wifi/files/interfaces-wlan0 delete mode 100644 hardware/raspberrypi/wifi/files/wifi-powermanagement-off diff --git a/hardware/raspberrypi/wifi/files/default-wifi-powersave.conf b/hardware/raspberrypi/wifi/files/default-wifi-powersave.conf deleted file mode 100644 index 9333932..0000000 --- a/hardware/raspberrypi/wifi/files/default-wifi-powersave.conf +++ /dev/null @@ -1,3 +0,0 @@ -# disable powersave -[connection] -wifi.powersave = 2 
diff --git a/hardware/raspberrypi/wifi/files/interfaces-wlan0 b/hardware/raspberrypi/wifi/files/interfaces-wlan0 new file mode 100644 index 0000000..af96d98 --- /dev/null +++ b/hardware/raspberrypi/wifi/files/interfaces-wlan0 @@ -0,0 +1,6 @@ +# SALTSTACK +allow-hotplug wlan0 +iface wlan0 inet dhcp + wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf + wireless-power off + \ No newline at end of file diff --git a/hardware/raspberrypi/wifi/files/wifi-powermanagement-off b/hardware/raspberrypi/wifi/files/wifi-powermanagement-off deleted file mode 100644 index cd6a62c..0000000 --- a/hardware/raspberrypi/wifi/files/wifi-powermanagement-off +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -IWCONFIG=/sbin/iwconfig -WLAN_IFACE=wlan0 - -if [ ! -x $IWCONFIG ]; then - exit 1 -fi - -if [ "$IFACE" = $WLAN_IFACE ]; then - $IWCONFIG $IFACE power off -fi \ No newline at end of file diff --git a/hardware/raspberrypi/wifi/init.sls b/hardware/raspberrypi/wifi/init.sls index 268bbca..dfd5226 100644 --- a/hardware/raspberrypi/wifi/init.sls +++ b/hardware/raspberrypi/wifi/init.sls @@ -1,22 +1,8 @@ # disable wifi powermanagement -nm-conf_d: - file.directory: - - name: /etc/NetworkManager/conf.d - -nm-conf_powersave-off: +ifup-wlan0-powersave-off: file.managed: - - name: /etc/NetworkManager/conf.d/default-wifi-powersave.conf - - source: - - salt://hardware/raspberrypi/wifi/files/default-wifi-powersave.conf - - require: - - file: /etc/NetworkManager/conf.d - -if-up_powersave-off: - file.managed: - - name: /etc/network/if-up.d/wifi-powermanagement-off - - mode: 0755 - - source: - - salt://hardware/raspberrypi/wifi/files/wifi-powermanagement-off - + - name: /etc/network/interfaces.d/wlan0 + - source: + - salt://hardware/raspberrypi/wifi/files/interfaces-wlan0 From ba007d8f9369b458c013ab88499472357fca06c4 Mon Sep 17 00:00:00 2001 From: do Date: Mon, 20 Sep 2021 19:31:24 +0200 Subject: [PATCH 55/94] 1.21.5 - pre 1.22 --- k8s/admin.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/k8s/admin.sls b/k8s/admin.sls index 74756ff..c781056 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - kubernetes.package.repo - .cri-tools -{% set k8s_v = "1.21.2-00" %} +{% set k8s_v = "1.21.5-00" %} k8s_pkgs-kubelet: pkg.installed: From 4e8d62b831ae96e7a44a682678a414a94f328c01 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 21 Sep 2021 12:12:15 +0200 Subject: [PATCH 56/94] amrbian hacks --- os/{armbian.sls => armbian/cron.sls} | 0 os/armbian/init.sls | 4 ++++ os/armbian/packages.sls | 9 +++++++++ 3 files changed, 13 insertions(+) rename os/{armbian.sls => armbian/cron.sls} (100%) create mode 100644 os/armbian/init.sls create mode 100644 os/armbian/packages.sls diff --git a/os/armbian.sls b/os/armbian/cron.sls similarity index 100% rename from os/armbian.sls rename to os/armbian/cron.sls diff --git a/os/armbian/init.sls b/os/armbian/init.sls new file mode 100644 index 0000000..7234a90 --- /dev/null +++ b/os/armbian/init.sls @@ -0,0 +1,4 @@ +include: + - .packages + - .cron + diff --git a/os/armbian/packages.sls b/os/armbian/packages.sls new file mode 100644 index 0000000..0d12f70 --- /dev/null +++ b/os/armbian/packages.sls @@ -0,0 +1,9 @@ +armbian-removed: + pkg.purged: + - pkgs: + - armbian-zsh + +armbian-zsh-etc-purge: + file.absent: + - name: /etc/oh-my-zsh + - recurse: True From aad8b30d255be5b788f2653843be619b1c613b1c Mon Sep 17 00:00:00 2001 From: do Date: Sat, 16 Oct 2021 17:13:13 +0200 Subject: [PATCH 57/94] kubernetes 1.22 --- k8s/admin.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index c781056..92d361b 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - kubernetes.package.repo - .cri-tools -{% set k8s_v = "1.21.5-00" %} +{% set k8s_v = "1.22.2-00" %} k8s_pkgs-kubelet: pkg.installed: From 69fdb3b4ddb8146904372ac3452bd6a6acea0f8c Mon Sep 17 00:00:00 2001 
From: do Date: Wed, 3 Nov 2021 20:18:15 +0100 Subject: [PATCH 58/94] no private key in chain --- base/pki/host.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/base/pki/host.sls b/base/pki/host.sls index 41ed2c7..de6ee1e 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -41,7 +41,6 @@ - sources: - /etc/pki/{{ cn }}.crt - /etc/pki/intca.crt - - /etc/pki/private.key - require: - file: /etc/pki/chain From c122e14e64deb59e6cb4eb451434e2288ce8937b Mon Sep 17 00:00:00 2001 From: do Date: Mon, 15 Nov 2021 18:16:17 +0100 Subject: [PATCH 59/94] repo key url update --- hardware/raspberrypi/repo.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardware/raspberrypi/repo.sls b/hardware/raspberrypi/repo.sls index fd45b28..90496e4 100644 --- a/hardware/raspberrypi/repo.sls +++ b/hardware/raspberrypi/repo.sls @@ -14,7 +14,7 @@ repo_raspi: - dist: {{ grains['oscodename'] }} - file: /etc/apt/sources.list.d/raspi.list - clean_file: True - - key_url: https://archive.raspbian.org/raspbian.public.key + - key_url: http://archive.raspberrypi.org/debian/raspberrypi.gpg.key repo_archive_raspi: pkgrepo.managed: From f189ad5c58261faf489926a0ee3ef914a4c54406 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 4 Jan 2022 20:41:28 +0100 Subject: [PATCH 60/94] common / apt does nothing meanwhile --- hardware/common/init.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hardware/common/init.sls b/hardware/common/init.sls index d864aa9..04aa0e2 100644 --- a/hardware/common/init.sls +++ b/hardware/common/init.sls @@ -5,7 +5,7 @@ set hardwaretype = salt['grains.get']( ) %} -include: -{%- if 'unknown' not in hardwaretype %} - - .apt -{%- endif %} +#include: +#{%- if 'unknown' not in hardwaretype %} +# - .apt +#{%- endif %} From e6381fcb016d7b536c042d2b8966eedf57ed12f2 Mon Sep 17 00:00:00 2001 
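Review bot: The new `key_url` in hardware/raspberrypi/repo.sls downloads the repository signing key over plain `http://`, where the value it replaces used `https://`. The repository is fetched over HTTP as well, so a key swapped in transit would let substituted packages pass signature verification. Use `- key_url: https://archive.raspberrypi.org/debian/raspberrypi.gpg.key` if the host serves it, or ship a reviewed copy via a `salt://` URL. `repo_archive_raspi`, which starts in the context below, was added in PATCH 52 with the raspbian key URL and may need the same update.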
From: do Date: Fri, 28 Jan 2022 22:29:27 +0100 Subject: [PATCH 61/94] must get rid of this m2crypto stuff --- base/packages/common.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index f1d3162..4eccf87 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -33,8 +33,7 @@ common-installed: - python3-pip - python3-dev - python3-pyinotify - - python3-m2crypto - - python3-m2crypto + - python-m2crypto - lockfile-progs - virt-what - ntp From 88aceecceff07cda402512d0f8c160dba2eddb13 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 28 Jan 2022 22:31:17 +0100 Subject: [PATCH 62/94] must get rid of this m2crypto stuff --- base/packages/salt/minion.sls | 2 -- 1 file changed, 2 deletions(-) diff --git a/base/packages/salt/minion.sls b/base/packages/salt/minion.sls index 428ac70..3aa9ed7 100644 --- a/base/packages/salt/minion.sls +++ b/base/packages/salt/minion.sls @@ -5,5 +5,3 @@ pkgs-salt-minion: - hold: True - pkgs: - salt-minion: {{ salt_v }} - - python3-m2crypto - From b2f6d3ea52bbbef4054d7e02bda5b23ce1549416 Mon Sep 17 00:00:00 2001 From: do Date: Mon, 31 Jan 2022 21:17:58 +0100 Subject: [PATCH 63/94] bullseye and non-debian. mpd --- base/packages/common.sls | 5 +- base/packages/prometheus/init.sls | 3 + base/packages/repo/debian.sls | 20 +- base/packages/repo/maketank.sls | 4 +- base/packages/salt/minion.sls | 3 + base/release.sls | 6 +- k8s/files/etc_containers_registries.conf | 4 +- k8s/podman.sls | 4 +- roles/mpd/common.sls | 14 + roles/mpd/files/mpd.conf | 411 +++++++++++++++++++++++ roles/mpd/init.sls | 2 + top.sls | 5 + 12 files changed, 463 insertions(+), 18 deletions(-) create mode 100644 roles/mpd/common.sls create mode 100644 roles/mpd/files/mpd.conf create mode 100644 roles/mpd/init.sls diff --git a/base/packages/common.sls b/base/packages/common.sls index 4eccf87..f871e5f 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls 
@@ -33,7 +33,8 @@ common-installed: - python3-pip - python3-dev - python3-pyinotify - - python-m2crypto + - python3-m2crypto + - python3-apt - lockfile-progs - virt-what - ntp @@ -46,7 +47,7 @@ common-installed: - nfs-common - mosquitto-clients - autofs - - python-apt + - debian-keyring common-removed: pkg.removed: diff --git a/base/packages/prometheus/init.sls b/base/packages/prometheus/init.sls index 5854ee0..3a8dd5d 100644 --- a/base/packages/prometheus/init.sls +++ b/base/packages/prometheus/init.sls @@ -42,9 +42,12 @@ link-orig-prom-path: - require: - file: delete-orig-prom-path +{% if grains['oscodename'] != 'bullseye' %} patch-smartmon.sh: file.managed: - name: /usr/share/prometheus-node-exporter/smartmon.sh - source: salt://base/packages/prometheus/files/smartmon.sh - mode: 0755 +{% endif %} + {%- endif %} diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index da6ca64..c456b55 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -7,6 +7,16 @@ ) %} +repo_default: + file.managed: + - name: /etc/apt/sources.list + - contents: '#SALT managed, all in sources.list.d' + - user: root + - group: root + - mode: 0600 + +{% if grains['os'] == 'Debian' %} + repo_debian: pkgrepo.managed: - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free' @@ -30,12 +40,4 @@ repo_debian-backports: - name: 'deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True - -repo_default: - file.managed: - - name: /etc/apt/sources.list - - contents: '#SALT managed, all in sources.list.d' - - user: root - - group: root - - mode: 0600 - \ No newline at end of file +{% endif %} diff --git a/base/packages/repo/maketank.sls b/base/packages/repo/maketank.sls index 3ec8843..75d1dfe 100644 --- a/base/packages/repo/maketank.sls +++ b/base/packages/repo/maketank.sls 
@@ -10,8 +10,8 @@ repo_maketank: pkgrepo.managed: - - name: deb http://{{ cache_url }}apt.maketank.net/debian {{ grains['oscodename'] }} main - - dist: {{ grains['oscodename'] }} + - name: deb http://{{ cache_url }}apt.maketank.net/debian buster main + - dist: buster - file: /etc/apt/sources.list.d/maketank.list - key_url: http://apt.maketank.net/debian/debian.gpg - clean_file: True diff --git a/base/packages/salt/minion.sls b/base/packages/salt/minion.sls index 3aa9ed7..2b9f6b1 100644 --- a/base/packages/salt/minion.sls +++ b/base/packages/salt/minion.sls @@ -1,4 +1,7 @@ {% set salt_v = "3000.1+ds-1" %} +{% if grains['oscodename'] == 'bullseye' %} +{% set salt_v = "3002.6+dfsg1-4+deb11u1" %} +{% endif %} pkgs-salt-minion: pkg.installed: diff --git a/base/release.sls b/base/release.sls index c472056..ee6fa66 100644 --- a/base/release.sls +++ b/base/release.sls @@ -1,7 +1,11 @@ +{% set def_rel = 'bullseye' %} +{% if grains['oscodename'] != 'bullseye' %} +{% set def_rel = 'buster' %} +{% endif %} etc_apt_release: file.managed: - name: /etc/apt/apt.conf.d/01release - user: root - mode: 644 - - contents: 'APT::Default-Release "buster";' + - contents: 'APT::Default-Release "{{ def_rel }}";' diff --git a/k8s/files/etc_containers_registries.conf b/k8s/files/etc_containers_registries.conf index f190453..dd259e7 100644 --- a/k8s/files/etc_containers_registries.conf +++ b/k8s/files/etc_containers_registries.conf @@ -69,5 +69,5 @@ location = "cr.lan" # # 2. example-mirror-1.local/mirrors/foo/image:latest # # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. -[[registry.mirror]] -location = dr-mirror.lan +#[[registry.mirror]] +#location = dr-mirror.lan diff --git a/k8s/podman.sls b/k8s/podman.sls index 2202708..98f0a12 100644 --- a/k8s/podman.sls +++ b/k8s/podman.sls 
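Review bot: The `key_url: http://apt.maketank.net/debian/debian.gpg` line kept as context in the base/packages/repo/maketank.sls hunk fetches the repository signing key over cleartext HTTP, and the `deb http://…` line above it does the same for the packages. APT's signature check only helps if the key itself arrives over an authenticated channel; here anyone on the network path during the key fetch can substitute both the key and the repository content. Distribute the key from the Salt fileserver instead, e.g. `- key_url: salt://<path-to>/maketank.gpg` (placeholder path), or switch to an `https://` URL if the host offers one. Separately, hard-coding `buster` in `name` and `dist` gives the bullseye minions introduced by this same commit a buster repository, so a comment saying this is intentional would help.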
@@ -1,8 +1,10 @@ # -*- coding: utf-8 -*- # vim: ft=yaml --- +{% if grains['oscodename'] != 'bullseye' %} include: - .repo.debian-bullseye +{% endif %} podman_pkgs: pkg.installed: @@ -10,8 +12,6 @@ podman_pkgs: - podman - runc - containers-storage - - require: - - pkgrepo: repo_debian-bullseye /etc/containers/policy.json: file.managed: diff --git a/roles/mpd/common.sls b/roles/mpd/common.sls new file mode 100644 index 0000000..9fe7237 --- /dev/null +++ b/roles/mpd/common.sls @@ -0,0 +1,14 @@ +mpd_pkgs: + pkg.installed: + - pkgs: + - mpd + - mpc + +etc_mpd_conf: + file: + - managed + - name: /etc/mpd.conf + - source: salt://roles/mpd/files/mpd.conf + - user: mpd + - group: audio + - mode: 0600 \ No newline at end of file diff --git a/roles/mpd/files/mpd.conf b/roles/mpd/files/mpd.conf new file mode 100644 index 0000000..8fc194b --- /dev/null +++ b/roles/mpd/files/mpd.conf 
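Review bot: In the new roles/mpd/common.sls, `etc_mpd_conf` makes /etc/mpd.conf owned by and writable for `mpd`, which is the account the daemon runs as according to `user "mpd"` in the shipped config, so a compromised daemon could rewrite its own configuration. Since the state already sets `group: audio`, using `- user: root` with `- mode: '0640'` keeps the file readable for the daemon without making it writable, assuming `mpd` is a member of `audio` on these hosts (please confirm). Quoting the mode follows the Salt documentation's advice for values with a leading zero, which YAML would otherwise read as an integer.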
@@ -0,0 +1,411 @@ +# An example configuration file for MPD. +# Read the user manual for documentation: http://www.musicpd.org/doc/user/ +# or /usr/share/doc/mpd/html/user.html + + +# Files and directories ####################################################### +# +# This setting controls the top directory which MPD will search to discover the +# available audio files and add them to the daemon's online database. This +# setting defaults to the XDG directory, otherwise the music directory will be +# be disabled and audio files will only be accepted over ipc socket (using +# file:// protocol) or streaming files over an accepted protocol. +# +music_directory "/net/tumor.chaos/srv/pub/Music" +# +# This setting sets the MPD internal playlist directory. The purpose of this +# directory is storage for playlists created by MPD. The server will use +# playlist files not created by the server but only if they are in the MPD +# format. This setting defaults to playlist saving being disabled. +# +playlist_directory "/var/lib/mpd/playlists" +# +# This setting sets the location of the MPD database. This file is used to +# load the database at server start up and store the database while the +# server is not up. This setting defaults to disabled which will allow +# MPD to accept files over ipc socket (using file:// protocol) or streaming +# files over an accepted protocol. +# +db_file "/var/lib/mpd/tag_cache" +# +# These settings are the locations for the daemon log files for the daemon. +# These logs are great for troubleshooting, depending on your log_level +# settings. +# +# The special value "syslog" makes MPD use the local syslog daemon. This +# setting defaults to logging to syslog, or to journal if mpd was started as +# a systemd service. +# +#log_file "/var/log/mpd/mpd.log" +log_file "syslog" +# +# This setting sets the location of the file which stores the process ID +# for use of mpd --kill and some init scripts. 
This setting is disabled by +# default and the pid file will not be stored. +# +pid_file "/run/mpd/pid" +# +# This setting sets the location of the file which contains information about +# most variables to get MPD back into the same general shape it was in before +# it was brought down. This setting is disabled by default and the server +# state will be reset on server start up. +# +state_file "/var/lib/mpd/state" +# +# The location of the sticker database. This is a database which +# manages dynamic information attached to songs. +# +sticker_file "/var/lib/mpd/sticker.sql" +# +############################################################################### + + +# General music daemon options ################################################ +# +# This setting specifies the user that MPD will run as. MPD should never run as +# root and you may use this setting to make MPD change its user ID after +# initialization. This setting is disabled by default and MPD is run as the +# current user. +# +user "mpd" +# +# This setting specifies the group that MPD will run as. If not specified +# primary group of user specified with "user" setting will be used (if set). +# This is useful if MPD needs to be a member of group such as "audio" to +# have permission to use sound card. +# +#group "nogroup" +# +# This setting sets the address for the daemon to listen on. Careful attention +# should be paid if this is assigned to anything other then the default, any. +# This setting can deny access to control of the daemon. Choose any if you want +# to have mpd listen on every address. Not effective if systemd socket +# activation is in use. +# +# For network +bind_to_address "0.0.0.0" +# +# And for Unix Socket +#bind_to_address "/run/mpd/socket" +# +# This setting is the TCP port that is desired for the daemon to get assigned +# to. +# +#port "6600" +# +# This setting controls the type of information which is logged. Available +# setting arguments are "default", "secure" or "verbose". 
The "verbose" setting +# argument is recommended for troubleshooting, though can quickly stretch +# available resources on limited hardware storage. +# +log_level "secure" +# +# Setting "restore_paused" to "yes" puts MPD into pause mode instead +# of starting playback after startup. +# +#restore_paused "no" +# +# This setting enables MPD to create playlists in a format usable by other +# music players. +# +#save_absolute_paths_in_playlists "no" +# +# This setting defines a list of tag types that will be extracted during the +# audio file discovery process. The complete list of possible values can be +# found in the user manual. +#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc" +# +# This example just enables the "comment" tag without disabling all +# the other supported tags: +#metadata_to_use "+comment" +# +# This setting enables automatic update of MPD's database when files in +# music_directory are changed. +# +#auto_update "yes" +# +# Limit the depth of the directories being watched, 0 means only watch +# the music directory itself. There is no limit by default. +# +#auto_update_depth "3" +# +############################################################################### + + +# Symbolic link behavior ###################################################### +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links outside of the configured music_directory. +# +#follow_outside_symlinks "yes" +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links inside of the configured music_directory. +# +#follow_inside_symlinks "yes" +# +############################################################################### + + +# Zeroconf / Avahi Service Discovery ########################################## +# +# If this setting is set to "yes", service information will be published with +# Zeroconf / Avahi. 
+# +zeroconf_enabled "no" +# +# The argument to this setting will be the Zeroconf / Avahi unique name for +# this MPD server on the network. %h will be replaced with the hostname. +# +#zeroconf_name "Music Player @ %h" +# +############################################################################### + + +# Permissions ################################################################# +# +# If this setting is set, MPD will require password authorization. The password +# setting can be specified multiple times for different password profiles. +# +#password "password@read,add,control,admin" +# +# This setting specifies the permissions a user has who has not yet logged in. +# +#default_permissions "read,add,control,admin" +# +############################################################################### +#input_cache { +# size "16m" +#} + +# Database ####################################################################### +# + +#database { +# plugin "proxy" +# host "other.mpd.host" +# port "6600" +#} + +# Input ####################################################################### +# + +input { + plugin "curl" +# proxy "proxy.isp.com:8080" +# proxy_user "user" +# proxy_password "password" +} + +# QOBUZ input plugin +input { + enabled "no" + plugin "qobuz" +# app_id "ID" +# app_secret "SECRET" +# username "USERNAME" +# password "PASSWORD" +# format_id "N" +} + +# TIDAL input plugin +input { + enabled "no" + plugin "tidal" +# token "TOKEN" +# username "USERNAME" +# password "PASSWORD" +# audioquality "Q" +} + +# Decoder ##################################################################### +# + +decoder { + plugin "hybrid_dsd" + enabled "no" +# gapless "no" +} + +# +############################################################################### + +# Audio Output ################################################################ +# +# MPD supports various audio output types, as well as playing through multiple +# audio outputs at the same time, through multiple 
audio_output settings +# blocks. Setting this block is optional, though the server will only attempt +# autodetection for one sound card. +# +# An example of an ALSA output: +# +audio_output { + type "alsa" + name "My ALSA Device" +# device "hw:0,0" # optional +# mixer_type "hardware" # optional +# mixer_device "default" # optional +# mixer_control "PCM" # optional +# mixer_index "0" # optional +} +# +# An example of an OSS output: +# +#audio_output { +# type "oss" +# name "My OSS Device" +# device "/dev/dsp" # optional +# mixer_type "hardware" # optional +# mixer_device "/dev/mixer" # optional +# mixer_control "PCM" # optional +#} +# +# An example of a shout output (for streaming to Icecast): +# +#audio_output { +# type "shout" +# encoder "vorbis" # optional +# name "My Shout Stream" +# host "localhost" +# port "8000" +# mount "/mpd.ogg" +# password "hackme" +# quality "5.0" +# bitrate "128" +# format "44100:16:1" +# protocol "icecast2" # optional +# user "source" # optional +# description "My Stream Description" # optional +# url "http://example.com" # optional +# genre "jazz" # optional +# public "no" # optional +# timeout "2" # optional +# mixer_type "software" # optional +#} +# +# An example of a recorder output: +# +#audio_output { +# type "recorder" +# name "My recorder" +# encoder "vorbis" # optional, vorbis or lame +# path "/var/lib/mpd/recorder/mpd.ogg" +## quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +#} +# +# An example of a httpd output (built-in HTTP streaming server): +# +#audio_output { +# type "httpd" +# name "My HTTP Stream" +# encoder "vorbis" # optional, vorbis or lame +# port "8000" +# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6 +# quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +# max_clients "0" # optional 0=no limit +#} +# +# An example of a pulseaudio output (streaming 
to a remote pulseaudio server) +# Please see README.Debian if you want mpd to play through the pulseaudio +# daemon started as part of your graphical desktop session! +# +#audio_output { +# type "pulse" +# name "My Pulse Output" +# server "remote_server" # optional +# sink "remote_server_sink" # optional +#} +# +# An example of a winmm output (Windows multimedia API). +# +#audio_output { +# type "winmm" +# name "My WinMM output" +# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +# or +# device "0" # optional +# mixer_type "hardware" # optional +#} +# +# An example of an openal output. +# +#audio_output { +# type "openal" +# name "My OpenAL output" +# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +#} +# +## Example "pipe" output: +# +#audio_output { +# type "pipe" +# name "my pipe" +# command "aplay -f cd 2>/dev/null" +## Or if you're want to use AudioCompress +# command "AudioCompress -m | aplay -f cd 2>/dev/null" +## Or to send raw PCM stream through PCM: +# command "nc example.org 8765" +# format "44100:16:2" +#} +# +## An example of a null output (for no audio output): +# +#audio_output { +# type "null" +# name "My Null Output" +# mixer_type "none" # optional +#} +# +############################################################################### + + +# Normalization automatic volume adjustments ################################## +# +# This setting specifies the type of ReplayGain to use. This setting can have +# the argument "off", "album", "track" or "auto". "auto" is a special mode that +# chooses between "track" and "album" depending on the current state of +# random playback. If random playback is enabled then "track" mode is used. +# See for more details about ReplayGain. +# This setting is off by default. +# +#replaygain "album" +# +# This setting sets the pre-amp used for files that have ReplayGain tags. By +# default this setting is disabled. 
+# +#replaygain_preamp "0" +# +# This setting sets the pre-amp used for files that do NOT have ReplayGain tags. +# By default this setting is disabled. +# +#replaygain_missing_preamp "0" +# +# This setting enables or disables ReplayGain limiting. +# MPD calculates actual amplification based on the ReplayGain tags +# and replaygain_preamp / replaygain_missing_preamp setting. +# If replaygain_limit is enabled MPD will never amplify audio signal +# above its original level. If replaygain_limit is disabled such amplification +# might occur. By default this setting is enabled. +# +#replaygain_limit "yes" +# +# This setting enables on-the-fly normalization volume adjustment. This will +# result in the volume of all playing audio to be adjusted so the output has +# equal "loudness". This setting is disabled by default. +# +#volume_normalization "no" +# +############################################################################### + +# Character Encoding ########################################################## +# +# If file or directory names do not display correctly for your locale then you +# may need to modify this setting. +# +filesystem_charset "UTF-8" +# +############################################################################### diff --git a/roles/mpd/init.sls b/roles/mpd/init.sls new file mode 100644 index 0000000..8e8e067 --- /dev/null +++ b/roles/mpd/init.sls @@ -0,0 +1,2 @@ +include: + - .common \ No newline at end of file diff --git a/top.sls b/top.sls index 769bcaa..7b0412e 100644 --- a/top.sls +++ b/top.sls @@ -32,3 +32,8 @@ base: 'lenny*': - k8s.admin - base.packages.node.lenny + 'truhe*': + - roles.mpd + - k8s.podman + - base.packages.haproxy + - systemd.units From 25c15637eb3c5a03fd3473219c5a9fc8bdb4bd33 Mon Sep 17 00:00:00 2001 
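Review bot: roles/mpd/files/mpd.conf sets `bind_to_address "0.0.0.0"` while both `password` and `default_permissions` stay commented out, so every host that can reach the MPD port is treated as an unauthenticated client with the built-in default permissions, which the commented example suggests are `read,add,control,admin`. The `curl` input block is active as well, so such a client can presumably queue URLs that the daemon then fetches itself. If remote control is wanted, limit anonymous clients with `default_permissions "read"` and add a `password "<value-from-pillar>@read,add,control,admin"` line (placeholder value, rendered from pillar rather than committed). Otherwise bind to `127.0.0.1` or to the commented `/run/mpd/socket`.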
From: do Date: Wed, 9 Feb 2022 21:23:30 +0100 Subject: [PATCH 64/94] nut client ups things! --- roles/nut/client.sls | 16 ++ roles/nut/files/client/nut.conf | 34 +++ roles/nut/files/client/upsmon.conf | 385 +++++++++++++++++++++++++++++ top.sls | 8 +- 4 files changed, 439 insertions(+), 4 deletions(-) create mode 100644 roles/nut/client.sls create mode 100644 roles/nut/files/client/nut.conf create mode 100644 roles/nut/files/client/upsmon.conf diff --git a/roles/nut/client.sls b/roles/nut/client.sls new file mode 100644 index 0000000..523496e --- /dev/null +++ b/roles/nut/client.sls @@ -0,0 +1,16 @@ +nut-client_pkgs: + pkg.installed: + - pkgs: + - nut-client + +etc_nut_nut.conf: + file: + - recurse + - name: /etc/nut + - source: salt://roles/nut/files/client + - user: root + - group: nut + - file_mode: 0640 + - dir_mode: 0750 + - require: + - pkg: nut-client_pkgs \ No newline at end of file diff --git a/roles/nut/files/client/nut.conf b/roles/nut/files/client/nut.conf new file mode 100644 index 0000000..758b282 --- /dev/null +++ b/roles/nut/files/client/nut.conf 
@@ -0,0 +1,34 @@ +### SALT + +# Network UPS Tools: example nut.conf +# +############################################################################## +# General section +############################################################################## +# The MODE determines which part of the NUT is to be started, and which +# configuration files must be modified. +# +# This file try to standardize the various files being found in the field, like +# /etc/default/nut on Debian based systems, /etc/sysconfig/ups on RedHat based +# systems, ... Distribution's init script should source this file to see which +# component(s) has to be started. +# +# The values of MODE can be: +# - none: NUT is not configured, or use the Integrated Power Management, or use +# some external system to startup NUT components. So nothing is to be started. +# - standalone: This mode address a local only configuration, with 1 UPS +# protecting the local system. This implies to start the 3 NUT layers (driver, +# upsd and upsmon) and the matching configuration files. This mode can also +# address UPS redundancy. +# - netserver: same as for the standalone configuration, but also need +# some more network access controls (firewall, tcp-wrappers) and possibly a +# specific LISTEN directive in upsd.conf. +# Since this MODE is opened to the network, a special care should be applied +# to security concerns. +# - netclient: this mode only requires upsmon. +# +# IMPORTANT NOTE: +# This file is intended to be sourced by shell scripts. +# You MUST NOT use spaces around the equal sign! + +MODE=netclient diff --git a/roles/nut/files/client/upsmon.conf b/roles/nut/files/client/upsmon.conf new file mode 100644 index 0000000..363110b --- /dev/null +++ b/roles/nut/files/client/upsmon.conf 
@@ -0,0 +1,385 @@ +## SALT + +# Network UPS Tools: example upsmon configuration +# +# This file contains passwords, so keep it secure. + +# -------------------------------------------------------------------------- +# RUN_AS_USER +# +# By default, upsmon splits into two processes. One stays as root and +# waits to run the SHUTDOWNCMD. The other one switches to another userid +# and does everything else. +# +# The default nonprivileged user is set at compile-time with +# 'configure --with-user=...'. +# +# You can override it with '-u ' when starting upsmon, or just +# define it here for convenience. +# +# Note: if you plan to use the reload feature, this file (upsmon.conf) +# must be readable by this user! Since it contains passwords, DO NOT +# make it world-readable. Also, do not make it writable by the upsmon +# user, since it creates an opportunity for an attack by changing the +# SHUTDOWNCMD to something malicious. +# +# For best results, you should create a new normal user like "nutmon", +# and make it a member of a "nut" group or similar. Then specify it +# here and grant read access to the upsmon.conf for that group. +# +# This user should not have write access to upsmon.conf. +# +# RUN_AS_USER nut + +# -------------------------------------------------------------------------- +# MONITOR ("master"|"slave") +# +# List systems you want to monitor. Not all of these may supply power +# to the system running upsmon, but if you want to watch it, it has to +# be in this section. +# +# You must have at least one of these declared. +# +# is a UPS identifier in the form @[:] +# like ups@localhost, su700@mybox, etc. +# +# Examples: +# +# - "su700@mybox" means a UPS called "su700" on a system called "mybox" +# +# - "fenton@bigbox:5678" is a UPS called "fenton" on a system called +# "bigbox" which runs upsd on port "5678". +# +# The UPS names like "su700" and "fenton" are set in your ups.conf +# in [brackets] which identify a section for a particular driver. 
+# +# If the ups.conf on host "doghouse" has a section called "snoopy", the +# identifier for it would be "snoopy@doghouse". +# +# is an integer - the number of power supplies that this UPS +# feeds on this system. Most computers only have one power supply, so this +# is normally set to 1. You need a pretty big or special box to have any +# other value here. +# +# You can also set this to 0 for a system that doesn't supply any power, +# but you still want to monitor. Use this when you want to hear about +# changes for a given UPS without shutting down when it goes critical, +# unless is 0. +# +# and must match an entry in that system's +# upsd.users. If your username is "monmaster" and your password is +# "blah", the upsd.users would look like this: +# +# [monmaster] +# password = blah +# upsmon master (or slave) +# +# "master" means this system will shutdown last, allowing the slaves +# time to shutdown first. +# +# "slave" means this system shuts down immediately when power goes critical. +# +# Examples: +# +# MONITOR myups@bigserver 1 monmaster blah master +# MONITOR su700@server.example.com 1 upsmon secretpass slave +# MONITOR myups@localhost 1 upsmon pass master (or slave) +MONITOR nummer5@ups.wks 1 monuser $secret slave + +# -------------------------------------------------------------------------- +# MINSUPPLIES +# +# Give the number of power supplies that must be receiving power to keep +# this system running. Most systems have one power supply, so you would +# put "1" in this field. +# +# Large/expensive server type systems usually have more, and can run with +# a few missing. The HP NetServer LH4 can run with 2 out of 4, for example, +# so you'd set that to 2. The idea is to keep the box running as long +# as possible, right? +# +# Obviously you have to put the redundant supplies on different UPS circuits +# for this to make sense! See big-servers.txt in the docs subdirectory +# for more information and ideas on how to use this feature. 
+ +MINSUPPLIES 1 + +# -------------------------------------------------------------------------- +# SHUTDOWNCMD "" +# +# upsmon runs this command when the system needs to be brought down. +# +# This should work just about everywhere ... if it doesn't, well, change it. + +SHUTDOWNCMD "/sbin/shutdown -h +0" + +# -------------------------------------------------------------------------- +# NOTIFYCMD +# +# upsmon calls this to send messages when things happen +# +# This command is called with the full text of the message as one argument. +# The environment string NOTIFYTYPE will contain the type string of +# whatever caused this event to happen. +# +# Note that this is only called for NOTIFY events that have EXEC set with +# NOTIFYFLAG. See NOTIFYFLAG below for more details. +# +# Making this some sort of shell script might not be a bad idea. For more +# information and ideas, see docs/scheduling.txt +# +# Example: +# NOTIFYCMD /bin/notifyme + +# -------------------------------------------------------------------------- +# POLLFREQ +# +# Polling frequency for normal activities, measured in seconds. +# +# Adjust this to keep upsmon from flooding your network, but don't make +# it too high or it may miss certain short-lived power events. + +POLLFREQ 30 + +# -------------------------------------------------------------------------- +# POLLFREQALERT +# +# Polling frequency in seconds while UPS on battery. +# +# You can make this number lower than POLLFREQ, which will make updates +# faster when any UPS is running on battery. This is a good way to tune +# network load if you have a lot of these things running. +# +# The default is 5 seconds for both this and POLLFREQ. + +POLLFREQALERT 5 + +# -------------------------------------------------------------------------- +# HOSTSYNC - How long upsmon will wait before giving up on another upsmon +# +# The master upsmon process uses this number when waiting for slaves to +# disconnect once it has set the forced shutdown (FSD) flag. 
If they +# don't disconnect after this many seconds, it goes on without them. +# +# Similarly, upsmon slave processes wait up to this interval for the +# master upsmon to set FSD when a UPS they are monitoring goes critical - +# that is, on battery and low battery. If the master doesn't do its job, +# the slaves will shut down anyway to avoid damage to the file systems. +# +# This "wait for FSD" is done to avoid races where the status changes +# to critical and back between polls by the master. + +HOSTSYNC 15 + +# -------------------------------------------------------------------------- +# DEADTIME - Interval to wait before declaring a stale ups "dead" +# +# upsmon requires a UPS to provide status information every few seconds +# (see POLLFREQ and POLLFREQALERT) to keep things updated. If the status +# fetch fails, the UPS is marked stale. If it stays stale for more than +# DEADTIME seconds, the UPS is marked dead. +# +# A dead UPS that was last known to be on battery is assumed to have gone +# to a low battery condition. This may force a shutdown if it is providing +# a critical amount of power to your system. +# +# Note: DEADTIME should be a multiple of POLLFREQ and POLLFREQALERT. +# Otherwise you'll have "dead" UPSes simply because upsmon isn't polling +# them quickly enough. Rule of thumb: take the larger of the two +# POLLFREQ values, and multiply by 3. + +DEADTIME 15 + +# -------------------------------------------------------------------------- +# POWERDOWNFLAG - Flag file for forcing UPS shutdown on the master system +# +# upsmon will create a file with this name in master mode when it's time +# to shut down the load. You should check for this file's existence in +# your shutdown scripts and run 'upsdrvctl shutdown' if it exists. +# +# See the config-notes.txt file in the docs subdirectory for more information. +# Refer to the section: +# [[UPS_shutdown]] "Configuring automatic shutdowns for low battery events" +# or refer to the online version. 
+ +POWERDOWNFLAG /etc/killpower + +# -------------------------------------------------------------------------- +# NOTIFYMSG - change messages sent by upsmon when certain events occur +# +# You can change the default messages to something else if you like. +# +# NOTIFYMSG "message" +# +# NOTIFYMSG ONLINE "UPS %s on line power" +# NOTIFYMSG ONBATT "UPS %s on battery" +# NOTIFYMSG LOWBATT "UPS %s battery is low" +# NOTIFYMSG FSD "UPS %s: forced shutdown in progress" +# NOTIFYMSG COMMOK "Communications with UPS %s established" +# NOTIFYMSG COMMBAD "Communications with UPS %s lost" +# NOTIFYMSG SHUTDOWN "Auto logout and shutdown proceeding" +# NOTIFYMSG REPLBATT "UPS %s battery needs to be replaced" +# NOTIFYMSG NOCOMM "UPS %s is unavailable" +# NOTIFYMSG NOPARENT "upsmon parent process died - shutdown impossible" +# +# Note that %s is replaced with the identifier of the UPS in question. +# +# Possible values for : +# +# ONLINE : UPS is back online +# ONBATT : UPS is on battery +# LOWBATT : UPS has a low battery (if also on battery, it's "critical") +# FSD : UPS is being shutdown by the master (FSD = "Forced Shutdown") +# COMMOK : Communications established with the UPS +# COMMBAD : Communications lost to the UPS +# SHUTDOWN : The system is being shutdown +# REPLBATT : The UPS battery is bad and needs to be replaced +# NOCOMM : A UPS is unavailable (can't be contacted for monitoring) +# NOPARENT : The process that shuts down the system has died (shutdown impossible) + +# -------------------------------------------------------------------------- +# NOTIFYFLAG - change behavior of upsmon when NOTIFY events occur +# +# By default, upsmon sends walls (global messages to all logged in users) +# and writes to the syslog when things happen. You can change this. +# +# NOTIFYFLAG [+][+] ... 
+# +# NOTIFYFLAG ONLINE SYSLOG+WALL +# NOTIFYFLAG ONBATT SYSLOG+WALL +# NOTIFYFLAG LOWBATT SYSLOG+WALL +# NOTIFYFLAG FSD SYSLOG+WALL +# NOTIFYFLAG COMMOK SYSLOG+WALL +# NOTIFYFLAG COMMBAD SYSLOG+WALL +# NOTIFYFLAG SHUTDOWN SYSLOG+WALL +# NOTIFYFLAG REPLBATT SYSLOG+WALL +# NOTIFYFLAG NOCOMM SYSLOG+WALL +# NOTIFYFLAG NOPARENT SYSLOG+WALL +# +# Possible values for the flags: +# +# SYSLOG - Write the message in the syslog +# WALL - Write the message to all users on the system +# EXEC - Execute NOTIFYCMD (see above) with the message +# IGNORE - Don't do anything +# +# If you use IGNORE, don't use any other flags on the same line. + +# -------------------------------------------------------------------------- +# RBWARNTIME - replace battery warning time in seconds +# +# upsmon will normally warn you about a battery that needs to be replaced +# every 43200 seconds, which is 12 hours. It does this by triggering a +# NOTIFY_REPLBATT which is then handled by the usual notify structure +# you've defined above. +# +# If this number is not to your liking, override it here. + +RBWARNTIME 43200 + +# -------------------------------------------------------------------------- +# NOCOMMWARNTIME - no communications warning time in seconds +# +# upsmon will let you know through the usual notify system if it can't +# talk to any of the UPS entries that are defined in this file. It will +# trigger a NOTIFY_NOCOMM by default every 300 seconds unless you +# change the interval with this directive. + +NOCOMMWARNTIME 300 + +# -------------------------------------------------------------------------- +# FINALDELAY - last sleep interval before shutting down the system +# +# On a master, upsmon will wait this long after sending the NOTIFY_SHUTDOWN +# before executing your SHUTDOWNCMD. If you need to do something in between +# those events, increase this number. Remember, at this point your UPS is +# almost depleted, so don't make this too high. 
+# +# Alternatively, you can set this very low so you don't wait around when +# it's time to shut down. Some UPSes don't give much warning for low +# battery and will require a value of 0 here for a safe shutdown. +# +# Note: If FINALDELAY on the slave is greater than HOSTSYNC on the master, +# the master will give up waiting for the slave to disconnect. + +FINALDELAY 5 + +# -------------------------------------------------------------------------- +# CERTPATH - path to certificates (database directory or directory with CA's) +# +# When compiled with SSL support, you can enter the certificate path here. +# +# With NSS: +# Certificates are stored in a dedicated database (splitted in 3 files). +# Specify the path of the database directory. +# +# CERTPATH /etc/nut/cert/upsmon +# +# With OpenSSL: +# Directory containing CA certificates in PEM format, used to verify +# the server certificate presented by the upsd server. The files each +# contain one CA certificate. The files are looked up by the CA subject +# name hash value, which must hence be available. +# +# CERTPATH /usr/ssl/certs +# +# See 'docs/security.txt' or the Security chapter of NUT user manual +# for more information on the SSL support in NUT. +CERTPATH /etc/pki + +# -------------------------------------------------------------------------- +# CERTIDENT - self certificate name and database password +# CERTIDENT +# +# When compiled with SSL support with NSS, you can specify the certificate +# name to retrieve from database to authenticate itself and the password +# required to access certificate related private key. +# +# CERTIDENT "my nut monitor" "MyPasSw0rD" +# +# See 'docs/security.txt' or the Security chapter of NUT user manual +# for more information on the SSL support in NUT. 
+ +# -------------------------------------------------------------------------- +# CERTHOST - security properties for an host +# CERTHOST +# +# When compiled with SSL support with NSS, you can specify security directive +# for each server you can contact. +# Each entry maps server name with the expected certificate name and flags +# indicating if the server certificate is verified and if the connection +# must be secure. +# +# CERTHOST localhost "My nut server" 1 1 +# +# See 'docs/security.txt' or the Security chapter of NUT user manual +# for more information on the SSL support in NUT. + +# -------------------------------------------------------------------------- +# CERTVERIFY - make upsmon verify all connections with certificates +# CERTVERIFY 1 +# +# When compiled with SSL support, make upsmon verify all connections with +# certificates. +# Without this, there is no guarantee that the upsd is the right host. +# Enabling this greatly reduces the risk of man in the middle attacks. +# This effectively forces the use of SSL, so don't use this unless +# all of your upsd hosts are ready for SSL and have their certificates +# in order. +# When compiled with NSS support of SSL, can be overriden for host +# specified with a CERTHOST directive. +CERTVERIFY 1 + +# -------------------------------------------------------------------------- +# FORCESSL - force upsmon to use SSL +# FORCESSL 1 +# +# When compiled with SSL, specify that a secured connection must be used +# to communicate with upsd. +# If you don't use 'CERTVERIFY 1', then this will at least make sure +# that nobody can sniff your sessions without a large effort. Setting +# this will make upsmon drop connections if the remote upsd doesn't +# support SSL, so don't use it unless all of them have it running. +# When compiled with NSS support of SSL, can be overriden for host +# specified with a CERTHOST directive. + diff --git a/top.sls b/top.sls index 7b0412e..a531f3a 100644 --- a/top.sls +++ b/top.sls 
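Review bot: The active `MONITOR nummer5@ups.wks 1 monuser $secret slave` line in roles/nut/files/client/upsmon.conf carries the password field as the literal text `$secret`. roles/nut/client.sls deploys the directory with `file.recurse` and no `template` option, so nothing substitutes it. Either that string is the real upsd password, now committed to the repository, or the client cannot authenticate and will never see a shutdown request. Add `- template: jinja` to the `file.recurse` state and take the value from pillar, e.g. `MONITOR nummer5@ups.wks 1 monuser {{ pillar['nut']['monuser_password'] }} slave` (the pillar key is a placeholder). The file also enables `CERTVERIFY 1` with `CERTPATH /etc/pki`; going by its own comments the OpenSSL variant expects a directory of CA certificates looked up by subject hash, so it is worth confirming /etc/pki is laid out that way.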
@@ -20,15 +20,15 @@ base: 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm - 'auto01*': - - k8s.podman - - systemd.units - 'auto02*': + 'auto*': - k8s.podman - base.packages.haproxy - systemd.units 'pine*': - k8s + - role.nut.client + 'ebin*': + - role.nut.client 'lenny*': - k8s.admin - base.packages.node.lenny From 629b75f709dc5c15e5c416972794fbc47567ccff Mon Sep 17 00:00:00 2001 From: do Date: Sun, 20 Mar 2022 17:07:03 +0100 Subject: [PATCH 65/94] kubernetes repo and refactoring --- {k8s => base/packages}/repo/debian-bullseye.sls | 0 base/packages/repo/maketank.sls | 2 +- k8s/admin.sls | 4 +++- k8s/containerd.sls | 2 +- k8s/init.sls | 3 +++ k8s/repo/kubernetes.sls | 8 ++++++++ 6 files changed, 16 insertions(+), 3 deletions(-) rename {k8s => base/packages}/repo/debian-bullseye.sls (100%) create mode 100644 k8s/repo/kubernetes.sls diff --git a/k8s/repo/debian-bullseye.sls b/base/packages/repo/debian-bullseye.sls similarity index 100% rename from k8s/repo/debian-bullseye.sls rename to base/packages/repo/debian-bullseye.sls diff --git a/base/packages/repo/maketank.sls b/base/packages/repo/maketank.sls index 75d1dfe..7c9f387 100644 --- a/base/packages/repo/maketank.sls +++ b/base/packages/repo/maketank.sls @@ -9,7 +9,7 @@ %} repo_maketank: - pkgrepo.managed: + pkgrepo.absent: - name: deb http://{{ cache_url }}apt.maketank.net/debian buster main - dist: buster - file: /etc/apt/sources.list.d/maketank.list diff --git a/k8s/admin.sls b/k8s/admin.sls index 92d361b..b9bfc21 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -2,7 +2,7 @@ # vim: ft=yaml --- include: - - kubernetes.package.repo + - .repo.kubernetes - .cri-tools {% set k8s_v = "1.22.2-00" %} @@ -14,6 +14,8 @@ k8s_pkgs-kubelet: - kubectl: {{ k8s_v }} - kubeadm: {{ k8s_v }} - kubelet: {{ k8s_v }} + - require: + - pkgrepo: repo_kubernetes.io k83-additions_pkgs: pkg.installed: diff --git a/k8s/containerd.sls b/k8s/containerd.sls index 121ba5f..d6cf4c6 100644 
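Review bot: The two added `- role.nut.client` entries under `'pine*'` and `'ebin*'` point at a `role` tree, while the nut client state touched later in this series lives at `roles/nut/client.sls`. If no `role/` directory exists, the SLS cannot be resolved on those minions and the UPS client configuration is never applied. `- roles.nut.client` looks like the intended target. Merging `'auto01*'` and `'auto02*'` into `'auto*'` also installs haproxy on every minion whose id starts with `auto`, so confirm the glob matches only the two intended hosts.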
--- a/k8s/containerd.sls +++ b/k8s/containerd.sls @@ -2,7 +2,7 @@ # vim: ft=yaml --- include: - - .repo.debian-bullseye + - base.packages.repo.debian-bullseye - .cri-tools containerd_pkgs: diff --git a/k8s/init.sls b/k8s/init.sls index c628023..72dc312 100644 --- a/k8s/init.sls +++ b/k8s/init.sls @@ -4,6 +4,7 @@ include: - .admin - .containerd + - .repo.kubernetes #- .docker #- .filesystems @@ -24,3 +25,5 @@ k8s_pkgs: - kubelet - kubetail - qemu-utils + - require: + - pkgrepo: repo_kubernetes.io diff --git a/k8s/repo/kubernetes.sls b/k8s/repo/kubernetes.sls new file mode 100644 index 0000000..5f14ad5 --- /dev/null +++ b/k8s/repo/kubernetes.sls @@ -0,0 +1,8 @@ + +repo_kubernetes.io: + pkgrepo.managed: + - name: 'deb https://apt.kubernetes.io kubernetes-xenial main' + - file: /etc/apt/sources.list.d/kubernetes.list + - key_url: https://packages.cloud.google.com/apt/doc/apt-key.gpg + - clean_file: True + From 148527261b230ab57b028b5b3ba6872a5f57265c Mon Sep 17 00:00:00 2001 From: do Date: Mon, 21 Mar 2022 18:28:33 +0100 Subject: [PATCH 66/94] heavy repo refactoring --- base/packages/repo/debian-bullseye.sls | 8 ++++++ base/packages/repo/debian.sls | 27 +++++++++++++++--- base/release.sls | 2 +- hardware/espressobin/init.sls | 1 - hardware/espressobin/repo.sls | 15 ---------- hardware/init.sls | 6 ++-- hardware/pine64/init.sls | 3 -- hardware/pine64/repo.sls | 15 ---------- k8s/cri-tools.sls | 2 +- k8s/podman.sls | 2 +- os/armbian/init.sls | 1 + os/armbian/repo.sls | 39 ++++++++++++++++++++++++++ 12 files changed, 77 insertions(+), 44 deletions(-) delete mode 100644 hardware/espressobin/repo.sls delete mode 100644 hardware/pine64/init.sls delete mode 100644 hardware/pine64/repo.sls create mode 100644 os/armbian/repo.sls diff --git a/base/packages/repo/debian-bullseye.sls b/base/packages/repo/debian-bullseye.sls index 2805285..f54d37e 100644 --- a/base/packages/repo/debian-bullseye.sls +++ b/base/packages/repo/debian-bullseye.sls 
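Review bot: `key_url` in the new `repo_kubernetes.io` state fetches the signing key at apply time with nothing pinning which key is expected. With the Salt 3002.x release pinned in this series it is, as far as I know, added to apt's global trusted keys, so it is then accepted for every configured repository and not only apt.kubernetes.io. Scoping it is safer: manage the keyring as a file with a pinned hash and reference it from the source line with `[signed-by=/usr/share/keyrings/<KEYRING_FILE>]` (placeholder path). The same pattern recurs in the later `brave-browser.sls` and `openfoam.sls` repo states. A short comment on why the `kubernetes-xenial` suite is used on Debian hosts would also help the next reader.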
@@ -5,6 +5,7 @@ ) %} +{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %} repo_debian-bullseye: pkgrepo.managed: @@ -12,3 +13,10 @@ repo_debian-bullseye: - file: /etc/apt/sources.list.d/debian-bullseye.list - clean_file: True +{% else %} + +repo_debian-bullseye-absent: + file.absent: + - name: /etc/apt/sources.list.d/debian-bullseye.list + +{% endif %} \ No newline at end of file diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index c456b55..ab7d194 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -7,6 +7,18 @@ ) %} +{%- + set os_rel = salt['pillar.get']( + 'os:release', + default=False + ) +%} + +{%- if not os_rel %} + set os_rel = grains['oscodename'] +{%- endif %} + + repo_default: file.managed: - name: /etc/apt/sources.list 
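Review bot: The fallback inside the added `{%- if not os_rel %}` block of `base/packages/repo/debian.sls` is not a Jinja statement, because `set os_rel = grains['oscodename']` sits outside `{% %}`. It is emitted as literal text into the rendered YAML and `os_rel` stays `False`, so a minion without the `os:release` pillar either fails to render or gets `False` as the suite in the source lines of the next hunk. The line should read `{%- set os_rel = grains['oscodename'] %}`, which is the form `os/armbian/repo.sls` already uses in this same commit.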
@@ -19,25 +31,32 @@ repo_default: repo_debian: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib non-free' - file: /etc/apt/sources.list.d/debian.list - clean_file: True repo_debian-updates: pkgrepo.managed: - - name: 'deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-updates main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib non-free' - file: /etc/apt/sources.list.d/debian-updates.list - clean_file: True +#deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free +{% if os_rel == 'buster' %} +{% set repo_path = "/updates" %} +{% else %} +{% set repo_path = "-security" %} +{% endif %} + repo_debian-security: pkgrepo.managed: - - name: 'deb http://{{ cache_url}}deb.debian.org/debian-security {{ grains['oscodename'] }}/updates main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian-security {{ os_rel }}{{ repo_path }} main contrib non-free' - file: /etc/apt/sources.list.d/debian-security.list - clean_file: True repo_debian-backports: pkgrepo.managed: - - name: 'deb http://{{ cache_url}}deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True {% endif %} diff --git a/base/release.sls b/base/release.sls index ee6fa66..ee18981 100644 --- a/base/release.sls +++ b/base/release.sls @@ -1,5 +1,5 @@ {% set def_rel = 'bullseye' %} -{% if grains['oscodename'] != 'bullseye' %} +{% if grains['oscodename'] != 'bullseye' and salt['pillar.get']('os:release', default = False) != 'bullseye' %} {% set def_rel = 'buster' %} {% endif %} 
diff --git a/hardware/espressobin/init.sls b/hardware/espressobin/init.sls index 1e5aae0..9a20f0f 100644 --- a/hardware/espressobin/init.sls +++ b/hardware/espressobin/init.sls @@ -2,5 +2,4 @@ include: - - .repo - .pkgs \ No newline at end of file diff --git a/hardware/espressobin/repo.sls b/hardware/espressobin/repo.sls deleted file mode 100644 index 148bdb0..0000000 --- a/hardware/espressobin/repo.sls +++ /dev/null @@ -1,15 +0,0 @@ -#!jinja|yaml|gpg - -{%- - set cache_url = salt['pillar.get']( - 'services:apt-cache', - default='' - ) -%} - -repo_armbian: - pkgrepo.managed: - - name: 'deb http://{{ cache_url }}mirrors.dotsrc.org/armbian-apt {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils {{ grains['oscodename'] }}-desktop' - - dist: {{ grains['oscodename'] }} - - file: /etc/apt/sources.list.d/armbian.list - - clean_file: True \ No newline at end of file diff --git a/hardware/init.sls b/hardware/init.sls index 80b9349..f3aadc4 100644 --- a/hardware/init.sls +++ b/hardware/init.sls @@ -4,9 +4,9 @@ include: - .raspberrypi {% endif %} -{% if grains['hardware'] == 'Pine64' %} - - .pine64 -{% endif %} +#{% if grains['hardware'] == 'Pine64' %} +# - .pine64 +#{% endif %} {% if grains['hardware'] == 'Espressobin' %} - .espressobin diff --git a/hardware/pine64/init.sls b/hardware/pine64/init.sls deleted file mode 100644 index 32e0205..0000000 --- a/hardware/pine64/init.sls +++ /dev/null @@ -1,3 +0,0 @@ - -include: - - .repo \ No newline at end of file diff --git a/hardware/pine64/repo.sls b/hardware/pine64/repo.sls deleted file mode 100644 index 0078c78..0000000 --- a/hardware/pine64/repo.sls +++ /dev/null 
@@ -1,15 +0,0 @@ -#!jinja|yaml|gpg - -{%- - set cache_url = salt['pillar.get']( - 'services:apt-cache', - default='' - ) -%} - -repo_armbian: - pkgrepo.managed: - - name: 'deb http://{{ cache_url }}mirrors.dotsrc.org/armbian-apt {{ grains['oscodename'] }} main {{ grains['oscodename'] }}-utils #{{ grains['oscodename'] }}-desktop' - - dist: {{ grains['oscodename'] }} - - file: /etc/apt/sources.list.d/armbian.list - - clean_file: True diff --git a/k8s/cri-tools.sls b/k8s/cri-tools.sls index eba0262..989504a 100644 --- a/k8s/cri-tools.sls +++ b/k8s/cri-tools.sls @@ -1,5 +1,5 @@ include: - - kubernetes.package.repo + - .repo.kubernetes cri-tools_pkgs: pkg.installed: diff --git a/k8s/podman.sls b/k8s/podman.sls index 98f0a12..f80292a 100644 --- a/k8s/podman.sls +++ b/k8s/podman.sls @@ -3,7 +3,7 @@ --- {% if grains['oscodename'] != 'bullseye' %} include: - - .repo.debian-bullseye + - base.packages.repo.debian-bullseye {% endif %} podman_pkgs: diff --git a/os/armbian/init.sls b/os/armbian/init.sls index 7234a90..b313013 100644 --- a/os/armbian/init.sls +++ b/os/armbian/init.sls @@ -1,4 +1,5 @@ include: + - .repo - .packages - .cron diff --git a/os/armbian/repo.sls b/os/armbian/repo.sls new file mode 100644 index 0000000..ee118d4 --- /dev/null +++ b/os/armbian/repo.sls 
@@ -0,0 +1,39 @@ +#!jinja|yaml|gpg + +{% set base_url = 'mirrors.dotsrc.org' %} + + +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +{%- + set os_rel = salt['pillar.get']( + 'os:release', + default=False + ) +%} + +{% if not os_rel %} +{% set os_rel = grains['oscodename'] %} +{% endif %} + + +repo_armbian: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}{{ base_url }}/armbian-apt {{ os_rel }} main {{ os_rel }}-utils #{{ os_rel }}-desktop' + - dist: {{ os_rel }} + - file: /etc/apt/sources.list.d/armbian.list + - clean_file: True + +pin_repo_armbian: + file.managed: + - name: /etc/apt/apt.conf.d/999_pin_repo_armbian + - contents: | + #SALT Managed + Package: * + Pin: origin {{ cache_url }}{{ base_url }} + Pin-Priority: 1001 \ No newline at end of file From 7a090dad5fc6606005f49439036e01da9d1d6922 Mon Sep 17 00:00:00 2001 From: do Date: Wed, 23 Mar 2022 16:42:42 +0100 Subject: [PATCH 67/94] mapping not allowed in this context, mista --- base/packages/repo/debian.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index ab7d194..d80c9d5 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -15,7 +15,7 @@ %} {%- if not os_rel %} - set os_rel = grains['oscodename'] +{% set os_rel = grains['oscodename'] %} {%- endif %} From 6677b42df813420bd5159eda7d5f57ca4b2bc2ba Mon Sep 17 00:00:00 2001 From: do Date: Mon, 16 May 2022 18:46:10 +0200 Subject: [PATCH 68/94] somewhat borked --- base/init.sls | 2 +- os/armbian/repo.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/base/init.sls b/base/init.sls index eb1ac11..20382e9 100644 --- a/base/init.sls +++ b/base/init.sls @@ -4,7 +4,7 @@ include: - .packages - - .pki + #- .pki - sysctl - sudoers - systemd diff --git a/os/armbian/repo.sls b/os/armbian/repo.sls index ee118d4..c133a97 100644 --- a/os/armbian/repo.sls +++ b/os/armbian/repo.sls 
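Review bot: `pin_repo_armbian` writes apt-preferences syntax (`Package:` / `Pin:` / `Pin-Priority:`) to `/etc/apt/apt.conf.d/999_pin_repo_armbian`, but files in `apt.conf.d` are parsed as apt configuration, so apt will most likely report a syntax error; pins belong under `/etc/apt/preferences.d/`. The pin itself is also very broad: `Package: *` at priority 1001 lets this third-party mirror, fetched over plain HTTP, replace or even downgrade any Debian package. `Pin: origin` expects a bare hostname, which `{{ cache_url }}{{ base_url }}` presumably is not once an apt-cache prefix is set. Pinning only the Armbian packages that are needed, at a priority below 1000, limits what this repository can override. `repo_armbian` also declares no key handling, so a comment saying where the archive key comes from would be useful.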
@@ -30,7 +30,7 @@ repo_armbian: - clean_file: True pin_repo_armbian: - file.managed: + file.absent: - name: /etc/apt/apt.conf.d/999_pin_repo_armbian - contents: | #SALT Managed From e1345214f14232788e61961ec773fad1fd0ed4da Mon Sep 17 00:00:00 2001 From: do Date: Wed, 18 May 2022 17:39:52 +0200 Subject: [PATCH 69/94] salt package install borked --- base/packages/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/packages/init.sls b/base/packages/init.sls index 3413a74..fd9c6c5 100644 --- a/base/packages/init.sls +++ b/base/packages/init.sls @@ -7,4 +7,4 @@ include: - .repo.debian - .repo.maketank - .prometheus - - .salt.minion + #- .salt.minion From bb76f0b5c86ad8e970e1205627b69e6f67f04390 Mon Sep 17 00:00:00 2001 From: do Date: Fri, 20 May 2022 19:14:30 +0200 Subject: [PATCH 70/94] 3002 for all --- base/packages/init.sls | 2 +- base/packages/salt/minion.sls | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/base/packages/init.sls b/base/packages/init.sls index fd9c6c5..3413a74 100644 --- a/base/packages/init.sls +++ b/base/packages/init.sls @@ -7,4 +7,4 @@ include: - .repo.debian - .repo.maketank - .prometheus - #- .salt.minion + - .salt.minion diff --git a/base/packages/salt/minion.sls b/base/packages/salt/minion.sls index 2b9f6b1..e38152b 100644 --- a/base/packages/salt/minion.sls +++ b/base/packages/salt/minion.sls @@ -1,7 +1,4 @@ -{% set salt_v = "3000.1+ds-1" %} -{% if grains['oscodename'] == 'bullseye' %} -{% set salt_v = "3002.6+dfsg1-4+deb11u1" %} -{% endif %} +{% salt_v = "3002.6+dfsg1-4+deb11u1" %} pkgs-salt-minion: pkg.installed: From c9f3d12dc864596f9d668f67d1dc297c051ed1da Mon Sep 17 00:00:00 2001 From: do Date: Wed, 1 Jun 2022 19:02:47 +0200 Subject: [PATCH 71/94] brave browser repo, no pkg --- base/packages/repo/brave-browser.sls | 18 ++++++++++++++++++ top.sls | 2 ++ 2 files changed, 20 insertions(+) create mode 100644 base/packages/repo/brave-browser.sls 
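Review bot: The replacement line in `base/packages/salt/minion.sls`, `{% salt_v = "3002.6+dfsg1-4+deb11u1" %}`, drops the `set` keyword, so Jinja sees an unknown tag and the SLS fails to render on every minion that includes `.salt.minion`, which this same commit re-enables in `base/packages/init.sls`. It should be `{% set salt_v = "3002.6+dfsg1-4+deb11u1" %}`. Pinning a single Debian 11 build for all hosts also removes the `oscodename` branch that handled other releases; a comment stating that only bullseye minions are supported would make that explicit. The `pkgs-salt-minion` state continues outside the hunk.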
diff --git a/base/packages/repo/brave-browser.sls b/base/packages/repo/brave-browser.sls new file mode 100644 index 0000000..c3d9184 --- /dev/null +++ b/base/packages/repo/brave-browser.sls @@ -0,0 +1,18 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- + +repo_brave-browser: + pkgrepo.managed: + - name: deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com/ stable main + - dist: stable + - file: /etc/apt/sources.list.d/brave-browser-beta.list + - key_url: https://brave-browser-apt-beta.s3.brave.com/brave-browser-beta-archive-keyring.gpg + - clean_file: True + + +#apt-update: +# cmd.run: +# - name: apt update -y +# - listen: +# - pkgrepo: repo_maketank diff --git a/top.sls b/top.sls index a531f3a..dadeedf 100644 --- a/top.sls +++ b/top.sls @@ -32,6 +32,8 @@ base: 'lenny*': - k8s.admin - base.packages.node.lenny + 'yori*': + - base.packages.repo.brave-browser 'truhe*': - roles.mpd - k8s.podman From 096161f21d94f3af04284d77db47186ff5bfc4ff Mon Sep 17 00:00:00 2001 From: do Date: Thu, 2 Jun 2022 18:49:13 +0200 Subject: [PATCH 72/94] FreeCAD build dependencies --- base/packages/FreeCAD.sls | 66 +++++++++++++++++++++++++++++++++ base/packages/repo/openfoam.sls | 18 +++++++++ top.sls | 5 ++- 3 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 base/packages/FreeCAD.sls create mode 100644 base/packages/repo/openfoam.sls diff --git a/base/packages/FreeCAD.sls b/base/packages/FreeCAD.sls new file mode 100644 index 0000000..c174228 --- /dev/null +++ b/base/packages/FreeCAD.sls 
@@ -0,0 +1,66 @@ +include: + - .repo.openfoam + +pkg_FreeCAD: + pkg.installed: + - pkgs: + - openfoam + - libocct*-dev + - calculix-cgx + - cmake + - cmake-gui + - libboost-date-time-dev + - libboost-dev + - libboost-filesystem-dev + - libboost-graph-dev + - libboost-iostreams-dev + - libboost-program-options-dev + - libboost-python-dev + - libboost-regex-dev + - libboost-serialization-dev + - libboost-thread-dev + - libcoin-dev + - libeigen3-dev + - libgts-bin + - libgts-dev + - libkdtree++-dev + - libmedc-dev + - libocct-data-exchange-dev + - libocct-ocaf-dev + - libocct-visualization-dev + - libopencv-dev + - libproj-dev + - libpyside2-dev + - libqt5opengl5-dev + - libqt5svg5-dev + - libqt5webkit5-dev + - libqt5x11extras5-dev + - libqt5xmlpatterns5-dev + - libshiboken2-dev + - libspnav-dev + - libvtk7-dev + - libx11-dev + - libxerces-c-dev + - libzipios++-dev + - occt-draw + - pyside2-tools + - python3-dev + - python3-matplotlib + - python3-pivy + - python3-ply + - python3-pyside2.qtcore + - python3-pyside2.qtgui + - python3-pyside2.qtsvg + - python3-pyside2.qtwidgets + - python3-pyside2.qtnetwork + - python3-pyside2.qtwebengine + - python3-pyside2.qtwebenginecore + - python3-pyside2.qtwebenginewidgets + - python3-pyside2.qtwebchannel + - python3-markdown + - python3-git + - qtbase5-dev + - qttools5-dev + - swig + - libmetis-dev + \ No newline at end of file diff --git a/base/packages/repo/openfoam.sls b/base/packages/repo/openfoam.sls new file mode 100644 index 0000000..53f6d98 --- /dev/null +++ b/base/packages/repo/openfoam.sls @@ -0,0 +1,18 @@ +# -*- coding: utf-8 -*- +# vim: ft=yaml +--- +#required/wanted for FreeCAD +repo_openfoam: + pkgrepo.managed: + - name: deb [arch=amd64] https://dl.openfoam.com/repos/deb bullseye main + - dist: groovy + - file: /etc/apt/sources.list.d/openfoam.list + - key_url: https://dl.openfoam.com/pubkey.gpg + - clean_file: True + + +#apt-update: +# cmd.run: +# - name: apt update -y +# - listen: +# - pkgrepo: repo_maketank 
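Review bot: In `repo_openfoam` the source line names the suite `bullseye` while the state passes `- dist: groovy`, so the two disagree. Which one takes effect depends on how pkgrepo reconciles them, and the state may describe a different suite than intended or keep reporting changes. `- dist: bullseye` (or dropping `dist`) keeps them aligned. `[arch=amd64]` is hard-coded, so an ARM minion that includes this file gets a source apt cannot use. The commented-out `apt-update` block still refers to `repo_maketank` and looks copied from another file, so it can be removed.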
diff --git a/top.sls b/top.sls index dadeedf..696d3b9 100644 --- a/top.sls +++ b/top.sls @@ -31,9 +31,12 @@ base: - role.nut.client 'lenny*': - k8s.admin - - base.packages.node.lenny + - base.packages.node.lenny # migrate these with yori/desktops + - base.packages.repo.brave-browser + - base.packages.FreeCAD 'yori*': - base.packages.repo.brave-browser + - base.packages.FreeCAD 'truhe*': - roles.mpd - k8s.podman From 179c8a063df6ae0cdcff40201f8c25202bfb727a Mon Sep 17 00:00:00 2001 From: do Date: Tue, 9 Aug 2022 21:44:48 +0200 Subject: [PATCH 73/94] ignore eclipse filesync folders --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 6cbe93b..c6dc9af 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +**/.ptp-sync-folder .project .pydevproject .settings From 6184d015d17ca0958a41895377168a8e86dca76c Mon Sep 17 00:00:00 2001 From: do Date: Tue, 9 Aug 2022 21:45:30 +0200 Subject: [PATCH 74/94] ignore eclipse filesync folders --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index c6dc9af..9589024 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +**/.ptp-sync **/.ptp-sync-folder .project .pydevproject From 9a6e19383513c1113a85caaaf11d5ff53cb4344a Mon Sep 17 00:00:00 2001 From: do Date: Tue, 9 Aug 2022 21:45:50 +0200 Subject: [PATCH 75/94] Freecad stuff --- base/packages/FreeCAD.sls | 16 +++++++++++++--- base/packages/salt/minion.sls | 2 +- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/base/packages/FreeCAD.sls b/base/packages/FreeCAD.sls index c174228..37d9bf9 100644 --- a/base/packages/FreeCAD.sls +++ b/base/packages/FreeCAD.sls 
@@ -5,10 +5,15 @@ pkg_FreeCAD: pkg.installed: - pkgs: - openfoam - - libocct*-dev + - libocct-draw-dev + - libocct-foundation-dev + - libocct-modeling-algorithms-dev + - libocct-modeling-data-dev + - libocct-ocaf-dev + - libocct-visualization-dev + - libocct-data-exchange-dev - calculix-cgx - cmake - - cmake-gui - libboost-date-time-dev - libboost-dev - libboost-filesystem-dev @@ -63,4 +68,9 @@ pkg_FreeCAD: - qttools5-dev - swig - libmetis-dev - \ No newline at end of file + - python3-pyside2.qtscriptools + - python3-pyside2.qtuitools + - pyside2-tools + - libshiboken2-dev + - libshiboken2-py3-5.15 + diff --git a/base/packages/salt/minion.sls b/base/packages/salt/minion.sls index e38152b..7d1a776 100644 --- a/base/packages/salt/minion.sls +++ b/base/packages/salt/minion.sls @@ -1,4 +1,4 @@ -{% salt_v = "3002.6+dfsg1-4+deb11u1" %} +{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %} pkgs-salt-minion: pkg.installed: From ca1a6eeced580218d2e0bf74d037e9e23854ab38 Mon Sep 17 00:00:00 2001 From: do Date: Sat, 20 Aug 2022 18:40:00 +0200 Subject: [PATCH 76/94] using size instead of minsize --- base/rsyslog/files/logrotate-server.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/base/rsyslog/files/logrotate-server.conf b/base/rsyslog/files/logrotate-server.conf index 9f2a938..2ffd4d1 100644 --- a/base/rsyslog/files/logrotate-server.conf +++ b/base/rsyslog/files/logrotate-server.conf @@ -2,7 +2,7 @@ { rotate 10 daily - minsize 50M + size 50M missingok notifempty delaycompress @@ -27,7 +27,7 @@ { rotate 5 daily - minsize 100M + size 100M missingok notifempty compress From 9e1a05a4e8068565fe0fa6198026ca7cabfca563 Mon Sep 17 00:00:00 2001 From: do Date: Sat, 20 Aug 2022 19:24:28 +0200 Subject: [PATCH 77/94] openntp --- base/packages/common.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index f871e5f..08719d0 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls 
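Review bot: `python3-pyside2.qtscriptools` in the lines added at the end of `pkg_FreeCAD` looks misspelled: the Qt module is QtScriptTools, so the Debian package would be `python3-pyside2.qtscripttools`. One unknown name is enough to make the whole `pkg.installed` state fail. `pyside2-tools` and `libshiboken2-dev` are added a second time although both are already in the list, and `libshiboken2-py3-5.15` ties the state to one Qt minor version; a comment explaining why that exact package is needed would help.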
@@ -37,8 +37,7 @@ common-installed: - python3-apt - lockfile-progs - virt-what - - ntp - - ntpdate + - openntp - apt-transport-https - python3-croniter - flex From 6b8e1049cf9cccdccc59f87d8de87bdec1fcc023 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 18 Oct 2022 16:44:16 +0200 Subject: [PATCH 78/94] pine64 hardware and arm64 arch for kubernetes --- _grains/hardware.py | 2 ++ k8s/repo/kubernetes.sls | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/_grains/hardware.py b/_grains/hardware.py index a5c6256..d4f7a24 100644 --- a/_grains/hardware.py +++ b/_grains/hardware.py @@ -17,6 +17,8 @@ def _hardware(): for line in open("/etc/armbian-release","r").readlines(): if re.match("BOARD=espressobin", line): h = "Espressobin" + if re.match("BOARD=pine64", line): + h = "Pine64" return h def main(): diff --git a/k8s/repo/kubernetes.sls b/k8s/repo/kubernetes.sls index 5f14ad5..c3da4e3 100644 --- a/k8s/repo/kubernetes.sls +++ b/k8s/repo/kubernetes.sls @@ -1,7 +1,7 @@ repo_kubernetes.io: pkgrepo.managed: - - name: 'deb https://apt.kubernetes.io kubernetes-xenial main' + - name: 'deb [arch=arm64] https://apt.kubernetes.io/ kubernetes-xenial main' - file: /etc/apt/sources.list.d/kubernetes.list - key_url: https://packages.cloud.google.com/apt/doc/apt-key.gpg - clean_file: True From 26336baaa29cf13933a91ea519c02d7c64229d15 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 18 Oct 2022 18:53:09 +0200 Subject: [PATCH 79/94] new kubernetes version --- k8s/admin.sls | 2 +- roles/nut/client.sls | 2 +- top.sls | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index b9bfc21..e372e04 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - .repo.kubernetes - .cri-tools -{% set k8s_v = "1.22.2-00" %} +{% set k8s_v = "1.22.15-00" %} k8s_pkgs-kubelet: pkg.installed: diff --git a/roles/nut/client.sls b/roles/nut/client.sls index 523496e..29da22f 100644 --- a/roles/nut/client.sls +++ b/roles/nut/client.sls 
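Review bot: `openntp` in `common-installed` is, as far as I know, not a Debian package name; the OpenNTPD daemon ships as `openntpd`. Because `ntp` and `ntpdate` are removed in the same hunk, a failed install leaves hosts without time synchronisation, which affects certificate validity checks and log correlation. The line should be `- openntpd`.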
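Review bot: Hard-coding `[arch=arm64]` in `repo_kubernetes.io` makes the source unusable on any non-ARM minion that includes `.repo.kubernetes`. `k8s/admin.sls` includes it and `top.sls` assigns `k8s.admin` to `lenny*`, whose architecture is not visible here. Deriving the value from the grain already used in `top.sls` keeps one state for all hosts: `- name: 'deb [arch={{ grains['osarch'] }}] https://apt.kubernetes.io/ kubernetes-xenial main'`.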
@@ -9,7 +9,7 @@ etc_nut_nut.conf: - name: /etc/nut - source: salt://roles/nut/files/client - user: root - - group: nut + - group: root - file_mode: 0640 - dir_mode: 0750 - require: diff --git a/top.sls b/top.sls index 696d3b9..88acc92 100644 --- a/top.sls +++ b/top.sls @@ -26,9 +26,9 @@ base: - systemd.units 'pine*': - k8s - - role.nut.client + - roles.nut.client 'ebin*': - - role.nut.client + - roles.nut.client 'lenny*': - k8s.admin - base.packages.node.lenny # migrate these with yori/desktops From c8511c1abceacba3bdcd857173bea2d004ac07a4 Mon Sep 17 00:00:00 2001 From: do Date: Tue, 18 Oct 2022 19:35:11 +0200 Subject: [PATCH 80/94] some python packages --- base/packages/common.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/base/packages/common.sls b/base/packages/common.sls index 08719d0..dad3c06 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -47,6 +47,8 @@ common-installed: - mosquitto-clients - autofs - debian-keyring + - python3-cherrypy3 + - python3-pygit2 common-removed: pkg.removed: From 21c8a224abe4755d3febdf0cb6f67a8dd08957fb Mon Sep 17 00:00:00 2001 From: do Date: Wed, 19 Oct 2022 20:24:32 +0200 Subject: [PATCH 81/94] missed a d and then it failed --- base/packages/common.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index dad3c06..d7481e1 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -37,7 +37,7 @@ common-installed: - python3-apt - lockfile-progs - virt-what - - openntp + - openntpd - apt-transport-https - python3-croniter - flex From 5a9b09a0bc822f4c887d195fd29068749bd9c410 Mon Sep 17 00:00:00 2001 From: do Date: Mon, 24 Oct 2022 13:45:40 +0200 Subject: [PATCH 82/94] salt master stuff and CA move --- base/packages/salt/master.sls | 14 ++++++++++++++ base/pki/cert.sls | 4 ++-- base/pki/host.sls | 4 ++-- top.sls | 6 +++--- 4 files changed, 21 insertions(+), 7 deletions(-) create mode 100644 base/packages/salt/master.sls 
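Review bot: Switching the group on `/etc/nut` from `nut` to `root` while keeping `file_mode: 0640` and `dir_mode: 0750` makes the directory and its files unreadable for the unprivileged account upsmon normally drops to. NUT's documentation recommends root-owned, group `nut`, mode 0640 for upsmon.conf, because the worker process has to re-read it on reload and the file holds the monitor credentials. If the change was made because the `nut` group does not exist when the state runs, making sure the existing `require` covers the package that creates it is the safer fix. Quoting the modes (`'0640'`, `'0750'`) also stops YAML from reading them as octal integers.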
diff --git a/base/packages/salt/master.sls b/base/packages/salt/master.sls new file mode 100644 index 0000000..971df69 --- /dev/null +++ b/base/packages/salt/master.sls @@ -0,0 +1,14 @@ +{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %} + +pkgs-salt-master: + pkg.installed: + - hold: True + - pkgs: + - salt-master: {{ salt_v }} + - salt-api: {{ salt_v }} + +pkgs-salt-additional: + pkg.installed + - pkgs: + - python3-cherrypy3 + - python3-pygit2 \ No newline at end of file diff --git a/base/pki/cert.sls b/base/pki/cert.sls index a4c2beb..d1e6166 100644 --- a/base/pki/cert.sls +++ b/base/pki/cert.sls @@ -7,11 +7,11 @@ /etc/pki/intca.crt: x509.pem_managed: - - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + - text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} /etc/ssl/certs/intca.crt: x509.pem_managed: - - text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} + - text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }} /usr/sbin/update-ca-certificates: diff --git a/base/pki/host.sls b/base/pki/host.sls index de6ee1e..9d7aedc 100644 --- a/base/pki/host.sls +++ b/base/pki/host.sls @@ -11,7 +11,7 @@ /etc/pki/public.crt: x509.certificate_managed: - - ca_server: tumor.chaos + - ca_server: salt.chaos - signing_policy: host - public_key: /etc/pki/private.key - CN: {{ grains['fqdn'] }} @@ -25,7 +25,7 @@ /etc/pki/{{ cn }}.crt: x509.certificate_managed: - - ca_server: tumor.chaos + - ca_server: salt.chaos - signing_policy: host - public_key: /etc/pki/private.key - days_remaining: 5 diff --git a/top.sls b/top.sls index 88acc92..133ba1f 100644 --- a/top.sls +++ b/top.sls @@ -7,8 +7,6 @@ base: - base - hardware - os - 'tumor*': - - base.pki.ca 'adm01.wks': - base.rsyslog.server - base.packages.haproxy 
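Review bot: `pkgs-salt-additional` in the new `master.sls` declares `pkg.installed` without a trailing colon and then places `- pkgs:` beneath it, which is not valid YAML for a state that takes arguments, so the file will not render. It needs `pkg.installed:` with the `- pkgs:` list indented under it. `python3-cherrypy3` and `python3-pygit2` were already added to `common-installed` earlier in this series, so this second state may be redundant. A comment on how `salt-api` is exposed and authenticated would be valuable, since this file installs it.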
@@ -20,10 +18,12 @@ base: 'G@osarch:arm64 or G@osarch:armhf or G@osarch:armel': - match: compound - base.packages.arch.arm - 'auto*': + 'auto02*': - k8s.podman - base.packages.haproxy - systemd.units + - base.packages.salt.master + - base.pki.ca 'pine*': - k8s - roles.nut.client From d2f9ef539e38f45f0aacf0f84f8f262d5349a42b Mon Sep 17 00:00:00 2001 From: root Date: Tue, 25 Oct 2022 19:18:27 +0200 Subject: [PATCH 83/94] local mirror for docker.io --- k8s/files/containerd-config.toml | 7 ++++++- k8s/files/etc_containers_registries.conf | 13 ++++++++++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml index 3f137d5..2717352 100644 --- a/k8s/files/containerd-config.toml +++ b/k8s/files/containerd-config.toml @@ -17,4 +17,9 @@ version = 2 [plugins."io.containerd.grpc.v1.cri".registry.configs] [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] insecure_skip_verify = true - + [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] + endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] + [plugins."io.containerd.grpc.v1.cri".registry.configs] + [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] + insecure_skip_verify = true \ No newline at end of file diff --git a/k8s/files/etc_containers_registries.conf b/k8s/files/etc_containers_registries.conf index dd259e7..488b6d9 100644 --- a/k8s/files/etc_containers_registries.conf +++ b/k8s/files/etc_containers_registries.conf @@ -18,7 +18,7 @@ # of these registries, it should be added at the end of the list. # # # An array of host[:port] registries to try when pulling an unqualified image, in order. -unqualified-search-registries = ["dr-mirror.lan"] +unqualified-search-registries = ["docker.io"] # [[registry]] # # The "prefix" field is used to choose the relevant [[registry]] TOML table; 
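Review bot: Adding `base.pki.ca` and `base.packages.salt.master` under `'auto02*'` places the internal CA signing key and the Salt master on the same host that runs podman workloads and haproxy. A compromise of any of those services is then one step from the key that `base/pki/host.sls` uses to sign every minion certificate. If a dedicated host is not available, a comment recording that trade-off, together with tight permissions on the CA key, would help. Narrowing `'auto*'` to `'auto02*'` also silently drops `k8s.podman`, haproxy and `systemd.units` from any other `auto` minion, so confirm that is intended.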
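Review bot: The added docker.io entries in `containerd-config.toml` send image pulls through `http://dr-mirror.lan` and set `insecure_skip_verify = true` for docker.io, so pulls by tag have no transport integrity and whatever answers for the mirror name on the LAN decides what the kubelet runs. This tree already distributes an internal CA (`/etc/ssl/certs/intca.crt` in `base/pki/cert.sls`), so the mirror could be served over TLS and listed as `endpoint = ["https://dr-mirror.lan", "https://registry-1.docker.io"]`, with the docker.io `tls` block removed. The hunk also repeats the `registry.mirrors` and `registry.configs` table headers that already exist just above, which TOML parsers reject as duplicate tables. The `[[registry]]` block with `prefix="docker.io"` and `insecure = true` added to `etc_containers_registries.conf` in the same commit carries the same exposure for podman.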
@@ -69,5 +69,12 @@ location = "cr.lan" # # 2. example-mirror-1.local/mirrors/foo/image:latest # # 3. internal-registry-for-example.net/bar/image:latest # # in order, and use the first one that exists. -#[[registry.mirror]] -#location = dr-mirror.lan +#[[registry]] +#prefix="quay.io" +#location="qi-mirror.lan" +#insecure = true + +[[registry]] +prefix="docker.io" +location="dr-mirror.lan" +insecure = true \ No newline at end of file From db1364c223b4920d2de492c423155a55b4cab83b Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Tue, 1 Nov 2022 21:09:21 +0100 Subject: [PATCH 84/94] ntp is back --- base/packages/common.sls | 3 ++- k8s/files/containerd-config.toml | 10 ++++------ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index d7481e1..f51161a 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -37,7 +37,8 @@ common-installed: - python3-apt - lockfile-progs - virt-what - - openntpd + - ntp + - sntp - apt-transport-https - python3-croniter - flex diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml index 2717352..07409ba 100644 --- a/k8s/files/containerd-config.toml +++ b/k8s/files/containerd-config.toml 
@@ -14,12 +14,10 @@ version = 2 [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"] endpoint = ["http://cr.lan"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] + endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] [plugins."io.containerd.grpc.v1.cri".registry.configs] [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] insecure_skip_verify = true - [plugins."io.containerd.grpc.v1.cri".registry.mirrors] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] - endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] - [plugins."io.containerd.grpc.v1.cri".registry.configs] - [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] - insecure_skip_verify = true \ No newline at end of file + [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] + insecure_skip_verify = true From e9b12f69f15b8332dbbd183e89d3e8aaeb360cd5 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Fri, 18 Nov 2022 11:45:40 +0100 Subject: [PATCH 85/94] k8s update --- k8s/admin.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/admin.sls b/k8s/admin.sls index e372e04..829f26c 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - .repo.kubernetes - .cri-tools -{% set k8s_v = "1.22.15-00" %} +{% set k8s_v = "1.23.14-00" %} k8s_pkgs-kubelet: pkg.installed: From 62aad81be02654701ec5cfa779dc1c1dbdd870f9 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Tue, 13 Dec 2022 12:43:47 +0100 Subject: [PATCH 86/94] systemd-timesyncd --- base/packages/common.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index f51161a..ab7af83 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls 
@@ -37,8 +37,6 @@ common-installed: - python3-apt - lockfile-progs - virt-what - - ntp - - sntp - apt-transport-https - python3-croniter - flex @@ -50,6 +48,7 @@ common-installed: - debian-keyring - python3-cherrypy3 - python3-pygit2 + - systemd-timesyncd common-removed: pkg.removed: From 913aebdcec218e2d513b5899c8ad91a013b953d9 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Tue, 13 Dec 2022 18:45:16 +0100 Subject: [PATCH 87/94] bullseye stuff --- base/packages/init.sls | 1 - base/packages/repo/debian.sls | 8 ++++---- base/packages/repo/maketank.sls | 24 ------------------------ base/packages/salt/master.sls | 8 ++++---- k8s/admin.sls | 2 +- top.sls | 5 +---- 6 files changed, 10 insertions(+), 38 deletions(-) delete mode 100644 base/packages/repo/maketank.sls diff --git a/base/packages/init.sls b/base/packages/init.sls index 3413a74..e847cfe 100644 --- a/base/packages/init.sls +++ b/base/packages/init.sls @@ -5,6 +5,5 @@ include: - .common - .repo.debian - - .repo.maketank - .prometheus - .salt.minion diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index d80c9d5..2ad7537 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -31,13 +31,13 @@ repo_default: repo_debian: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib #non-free' - file: /etc/apt/sources.list.d/debian.list - clean_file: True repo_debian-updates: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib #non-free' - file: /etc/apt/sources.list.d/debian-updates.list - clean_file: True 
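Review bot: `#non-free` inside the quoted `name` of `repo_debian` and `repo_debian-updates` is not a YAML or Jinja comment, so the `#` and the word after it become part of the source line that pkgrepo manages. apt ignores the rest of the line after `#`, but the configured string then no longer matches what is parsed back from disk, which may make these states report changes on every run. Removing the component outright (ending the line at `main contrib'`) states the intent without relying on that behaviour. The same applies to `repo_debian-security` and `repo_debian-backports` in the next hunk of this file.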
@@ -50,13 +50,13 @@ repo_debian-updates: repo_debian-security: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian-security {{ os_rel }}{{ repo_path }} main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian-security {{ os_rel }}{{ repo_path }} main contrib #non-free' - file: /etc/apt/sources.list.d/debian-security.list - clean_file: True repo_debian-backports: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib #non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True {% endif %} diff --git a/base/packages/repo/maketank.sls b/base/packages/repo/maketank.sls deleted file mode 100644 index 7c9f387..0000000 --- a/base/packages/repo/maketank.sls +++ /dev/null @@ -1,24 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- - -{%- set cache_url = salt['pillar.get']( - 'services:apt-cache', - default='' - ) -%} - -repo_maketank: - pkgrepo.absent: - - name: deb http://{{ cache_url }}apt.maketank.net/debian buster main - - dist: buster - - file: /etc/apt/sources.list.d/maketank.list - - key_url: http://apt.maketank.net/debian/debian.gpg - - clean_file: True - - -#apt-update: -# cmd.run: -# - name: apt update -y -# - listen: -# - pkgrepo: repo_maketank diff --git a/base/packages/salt/master.sls b/base/packages/salt/master.sls index 971df69..0ae4508 100644 --- a/base/packages/salt/master.sls +++ b/base/packages/salt/master.sls @@ -8,7 +8,7 @@ pkgs-salt-master: - salt-api: {{ salt_v }} pkgs-salt-additional: - pkg.installed - - pkgs: - - python3-cherrypy3 - - python3-pygit2 \ No newline at end of file + pkg.installed: + - pkgs: + - python3-cherrypy3 + - python3-pygit2 \ No newline at end of file diff --git a/k8s/admin.sls b/k8s/admin.sls index 829f26c..2e9d3cb 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls 
@@ -17,7 +17,7 @@ k8s_pkgs-kubelet: - require: - pkgrepo: repo_kubernetes.io -k83-additions_pkgs: +k8s-additions_pkgs: pkg.installed: - pkgs: - apparmor diff --git a/top.sls b/top.sls index 133ba1f..57ef6f9 100644 --- a/top.sls +++ b/top.sls @@ -38,7 +38,4 @@ base: - base.packages.repo.brave-browser - base.packages.FreeCAD 'truhe*': - - roles.mpd - - k8s.podman - - base.packages.haproxy - - systemd.units + - roles.mpd \ No newline at end of file From a238ff1ce540b1111627e867960d9dad8e33fca0 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Wed, 14 Dec 2022 17:17:51 +0100 Subject: [PATCH 88/94] some armbian cleanups --- os/armbian/packages.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/os/armbian/packages.sls b/os/armbian/packages.sls index 0d12f70..821dd2b 100644 --- a/os/armbian/packages.sls +++ b/os/armbian/packages.sls @@ -2,6 +2,11 @@ armbian-removed: pkg.purged: - pkgs: - armbian-zsh + - alsa-utils + - wireless-tools + - wireless-regdb + - man-db + - groff-base armbian-zsh-etc-purge: file.absent: From 47bf2c2b41b8f28ad867f9dac123ae766e0a7bf7 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Wed, 21 Dec 2022 13:40:38 +0100 Subject: [PATCH 89/94] containerd config for bullseye --- k8s/files/containerd-config.toml | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml index 07409ba..7fcb35d 100644 --- a/k8s/files/containerd-config.toml +++ b/k8s/files/containerd-config.toml 
@@ -4,20 +4,27 @@ version = 2 level = "warn" [plugins] + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + systemdCgroup = true + systemd_cgroup = true [plugins."io.containerd.grpc.v1.cri"] + [plugins."io.containerd.grpc.v1.cri".containerd] + [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] + runtime_type = "io.containerd.runc.v2" [plugins."io.containerd.grpc.v1.cri".cni] bin_dir = "/opt/cni/bin" conf_dir = "/etc/cni/net.d" [plugins."io.containerd.internal.v1.opt"] path = "/var/lib/containerd/opt" [plugins."io.containerd.grpc.v1.cri".registry] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"] - endpoint = ["http://cr.lan"] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"] + endpoint = ["http://cr.lan"] + [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] - [plugins."io.containerd.grpc.v1.cri".registry.configs] - [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] - insecure_skip_verify = true - [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] - insecure_skip_verify = true + [plugins."io.containerd.grpc.v1.cri".registry.configs] + [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] + insecure_skip_verify = true + [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] + insecure_skip_verify = true From 0b653934cfdb5e890667ec57931dc3834ec181df Mon Sep 17 00:00:00 2001 
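Review bot: The added `runtimes.runc.options` table sets `systemdCgroup = true` and `systemd_cgroup = true`, but the key documented for the runc v2 shim is `SystemdCgroup`, so it is doubtful that either spelling selects the systemd cgroup driver. If neither is honoured, containerd and the kubelet can end up on different cgroup drivers, which shows up as unstable pods rather than as a configuration error. A single `SystemdCgroup = true` under the runc options table is the form to use, and the next containerd-config.toml patch on this page switches to it. The runc tables are also declared before `[plugins."io.containerd.grpc.v1.cri"]`, which makes the nesting hard to follow.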
From: Udo Waechter Date: Wed, 1 Mar 2023 13:04:34 +0100 Subject: [PATCH 90/94] stuff --- base/packages/common.sls | 2 +- base/packages/repo/debian-sid.sls | 22 ++++++++++++++++++++++ base/release.sls | 9 +++++---- k8s/admin.sls | 2 +- k8s/containerd.sls | 6 ++++-- k8s/files/containerd-config.toml | 21 +++++++++++---------- os/armbian/init.sls | 1 + os/armbian/systemd.sls | 0 8 files changed, 45 insertions(+), 18 deletions(-) create mode 100644 base/packages/repo/debian-sid.sls create mode 100644 os/armbian/systemd.sls diff --git a/base/packages/common.sls b/base/packages/common.sls index ab7af83..44e68ad 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -33,7 +33,7 @@ common-installed: - python3-pip - python3-dev - python3-pyinotify - - python3-m2crypto + - python-m2crypto - python3-apt - lockfile-progs - virt-what diff --git a/base/packages/repo/debian-sid.sls b/base/packages/repo/debian-sid.sls new file mode 100644 index 0000000..c919bb4 --- /dev/null +++ b/base/packages/repo/debian-sid.sls @@ -0,0 +1,22 @@ +{%- + set cache_url = salt['pillar.get']( + 'services:apt-cache', + default='' + ) +%} + +#{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %} + +repo_debian-sid: + pkgrepo.managed: + - name: 'deb http://{{ cache_url }}deb.debian.org/debian sid main contrib' + - file: /etc/apt/sources.list.d/debian-sid.list + - clean_file: True + +#{% else %} + +#repo_debian-sid-absent: +# file.absent: +# - name: /etc/apt/sources.list.d/debian-sid.list + +#{% endif %} \ No newline at end of file diff --git a/base/release.sls b/base/release.sls index ee18981..827b52d 100644 --- a/base/release.sls +++ b/base/release.sls 
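Review bot: The `#` in front of `{% if ... != 'bullseye' %}`, `{% else %}` and `{% endif %}` in the new base/packages/repo/debian-sid.sls does not disable them, because Jinja evaluates the tags before YAML ever sees the comment marker. On a host whose `os:release` pillar is `bullseye`, the `repo_debian-sid` state is therefore not rendered, and the `require: - pkgrepo: repo_debian-sid` added to k8s/containerd.sls in this same patch would point at a missing state. Separately, the source line enables all of sid `main contrib` and no pin is visible in this file. Unless base/release.sls or an apt preferences file restricts it, any installed package may be upgraded from unstable, which does not get the stable security support. A preferences entry limiting sid to the container packages would contain that.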
@@ -1,7 +1,8 @@ -{% set def_rel = 'bullseye' %} -{% if grains['oscodename'] != 'bullseye' and salt['pillar.get']('os:release', default = False) != 'bullseye' %} -{% set def_rel = 'buster' %} -{% endif %} + +{%- set def_rel = 'bullseye' %} +{%- if salt['pillar.get']('os:release', default = False) %} +{%- def_rel = salt['pillar.get']('os:release', default = False) %} +{%- endif %} etc_apt_release: file.managed: diff --git a/k8s/admin.sls b/k8s/admin.sls index 2e9d3cb..0d0d338 100644 --- a/k8s/admin.sls +++ b/k8s/admin.sls @@ -5,7 +5,7 @@ include: - .repo.kubernetes - .cri-tools -{% set k8s_v = "1.23.14-00" %} +{% set k8s_v = "1.26.00-00" %} k8s_pkgs-kubelet: pkg.installed: diff --git a/k8s/containerd.sls b/k8s/containerd.sls index d6cf4c6..9026fb3 100644 --- a/k8s/containerd.sls +++ b/k8s/containerd.sls @@ -2,7 +2,7 @@ # vim: ft=yaml --- include: - - base.packages.repo.debian-bullseye + - base.packages.repo.debian-sid - .cri-tools containerd_pkgs: @@ -10,8 +10,10 @@ containerd_pkgs: - pkgs: - containerd - containernetworking-plugins + - crun + - runc - require: - - pkgrepo: repo_debian-bullseye + - pkgrepo: repo_debian-sid /etc/containerd/config.toml: file.managed: diff --git a/k8s/files/containerd-config.toml b/k8s/files/containerd-config.toml index 7fcb35d..63ce926 100644 --- a/k8s/files/containerd-config.toml +++ b/k8s/files/containerd-config.toml 
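Review bot: `{%- def_rel = salt['pillar.get']('os:release', default = False) %}` in base/release.sls is missing the `set` keyword, so it is not a valid Jinja statement and the file will fail to render once this patch is applied. The line should read `{%- set def_rel = salt['pillar.get']('os:release', default = False) %}`. Until that is fixed, `etc_apt_release` cannot be applied on any minion that includes this state.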
@@ -4,14 +4,15 @@ version = 2 level = "warn" [plugins] - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] - systemdCgroup = true - systemd_cgroup = true + [plugins."io.containerd.grpc.v1.cri"] [plugins."io.containerd.grpc.v1.cri".containerd] - [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] - runtime_type = "io.containerd.runc.v2" + snapshoter = "overlayfs" + default_runtime_name = "runc" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + runtime_type = "io.containerd.runc.v2" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + SystemdCgroup = true [plugins."io.containerd.grpc.v1.cri".cni] bin_dir = "/opt/cni/bin" conf_dir = "/etc/cni/net.d" @@ -21,10 +22,10 @@ version = 2 [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."cr.lan"] endpoint = ["http://cr.lan"] - [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] - endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] + #[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] + # endpoint = [ "http://dr-mirror.lan", "https://registry-1.docker.io"] [plugins."io.containerd.grpc.v1.cri".registry.configs] [plugins."io.containerd.grpc.v1.cri".registry.configs."cr.lan".tls] insecure_skip_verify = true - [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] - insecure_skip_verify = true + # [plugins."io.containerd.grpc.v1.cri".registry.configs."docker.io".tls] + # insecure_skip_verify = true diff --git a/os/armbian/init.sls b/os/armbian/init.sls index b313013..f749cc8 100644 --- a/os/armbian/init.sls +++ b/os/armbian/init.sls @@ -2,4 +2,5 @@ include: - .repo - .packages - .cron + - .systemd diff --git a/os/armbian/systemd.sls b/os/armbian/systemd.sls new file mode 100644 index 0000000..e69de29 From 55f76a93c82650c9ddf2b4eba4e93b63f1d41793 Mon Sep 17 00:00:00 2001 
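Review bot: `snapshoter = "overlayfs"` in the new `[plugins."io.containerd.grpc.v1.cri".containerd]` table is misspelled; the CRI plugin's key is `snapshotter`. An unrecognised key is presumably ignored, so the node falls back to the built-in default instead of the value written here, and a later change to this line would have no effect. Use `snapshotter = "overlayfs"`. The second hunk comments out the docker.io mirror and its TLS table but keeps `insecure_skip_verify = true` for `cr.lan`, which is still worth replacing with a trusted certificate.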
From: Udo Waechter Date: Mon, 6 Mar 2023 18:57:50 +0100 Subject: [PATCH 91/94] release.sls fix and repo urls --- base/packages/common.sls | 2 +- base/packages/repo/openfoam.sls | 2 +- base/release.sls | 8 ++++---- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index 44e68ad..ab7af83 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -33,7 +33,7 @@ common-installed: - python3-pip - python3-dev - python3-pyinotify - - python-m2crypto + - python3-m2crypto - python3-apt - lockfile-progs - virt-what diff --git a/base/packages/repo/openfoam.sls b/base/packages/repo/openfoam.sls index 53f6d98..c66ea43 100644 --- a/base/packages/repo/openfoam.sls +++ b/base/packages/repo/openfoam.sls @@ -4,7 +4,7 @@ #required/wanted for FreeCAD repo_openfoam: pkgrepo.managed: - - name: deb [arch=amd64] https://dl.openfoam.com/repos/deb bullseye main + - name: deb [arch=amd64] https://dl.openfoam.com/repos/deb kinetic main - dist: groovy - file: /etc/apt/sources.list.d/openfoam.list - key_url: https://dl.openfoam.com/pubkey.gpg diff --git a/base/release.sls b/base/release.sls index 827b52d..cb80b75 100644 --- a/base/release.sls +++ b/base/release.sls @@ -1,8 +1,8 @@ -{%- set def_rel = 'bullseye' %} -{%- if salt['pillar.get']('os:release', default = False) %} -{%- def_rel = salt['pillar.get']('os:release', default = False) %} -{%- endif %} +{% set def_rel = 'bullseye' %} +{% if salt['pillar.get']('os:release', default = False) %} +{% set def_rel = salt['pillar.get']('os:release', default = False) %} +{% endif %} etc_apt_release: file.managed: From 67952bf6be427b0ea5c626e7cd7a9a12ea62fd31 Mon Sep 17 00:00:00 2001 
From: Udo Waechter Date: Mon, 6 Mar 2023 19:30:58 +0100 Subject: [PATCH 92/94] removed obsolete openhab stuff --- base/packages/FreeCAD.sls | 3 +- base/packages/openhab/files/socat.init | 95 ---- base/packages/openhab/init.sls | 24 - base/packages/openhab/pkg.sls | 23 - base/packages/openhab/prometheus.sls | 25 - base/packages/openhab/ser2net_client.sls | 34 -- base/packages/openhab/ser2net_server.sls | 30 -- base/packages/repo/debian.sls | 6 +- roles/mpd/files/mpd.conf | 635 +++++++++++++++++++---- 9 files changed, 542 insertions(+), 333 deletions(-) delete mode 100644 base/packages/openhab/files/socat.init delete mode 100644 base/packages/openhab/init.sls delete mode 100644 base/packages/openhab/pkg.sls delete mode 100644 base/packages/openhab/prometheus.sls delete mode 100644 base/packages/openhab/ser2net_client.sls delete mode 100644 base/packages/openhab/ser2net_server.sls diff --git a/base/packages/FreeCAD.sls b/base/packages/FreeCAD.sls index 37d9bf9..7c8d244 100644 --- a/base/packages/FreeCAD.sls +++ b/base/packages/FreeCAD.sls @@ -43,7 +43,6 @@ pkg_FreeCAD: - libqt5xmlpatterns5-dev - libshiboken2-dev - libspnav-dev - - libvtk7-dev - libx11-dev - libxerces-c-dev - libzipios++-dev @@ -68,7 +67,7 @@ pkg_FreeCAD: - qttools5-dev - swig - libmetis-dev - - python3-pyside2.qtscriptools + - python3-pyside2.qtscripttools - python3-pyside2.qtuitools - pyside2-tools - libshiboken2-dev diff --git a/base/packages/openhab/files/socat.init b/base/packages/openhab/files/socat.init deleted file mode 100644 index 7c7d6cc..0000000 --- a/base/packages/openhab/files/socat.init +++ /dev/null 
@@ -1,95 +0,0 @@ -#! /bin/sh -### BEGIN INIT INFO -# Provides: ser2net-client -# Required-Start: $local_fs $time $network $named -# Required-Stop: $local_fs $time $network $named -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: Start/stop (socat a multipurpose relay) -# -# Description: The socat init script will start/stop socat as specified in /etc/default/socat -# Then log (FATAL,ERROR,WARN,INFO and Notic) in /var/log/socat.log -### END INIT INFO - -NAME=ser2net-client -DAEMON=/usr/bin/socat -# -d -d -d for more logging -SOCAT_DEFAULTS='-lf /var/log/ser2net-client.log' - -. /lib/lsb/init-functions -. /etc/default/${NAME} - -PATH=/bin:/usr/bin:/sbin:/usr/sbin - -[ -x $DAEMON ] || exit 0 - -start_socat() { - start-stop-daemon --oknodo --quiet --start \ - --pidfile /run/ser2net-client.pid \ - --background --make-pidfile \ - --exec $DAEMON -- $SOCAT_DEFAULTS $OPTIONS < /dev/null -} - -stop_socat() { - start-stop-daemon --oknodo --stop --quiet --pidfile /run/ser2net-client.pid --exec $DAEMON - rm -f /run/ser2net-client.pid -} - -start () { - start_socat - return $? -} - -stop () { - for PIDFILE in `ls /run/ser2net-client.pid 2> /dev/null`; do - NAME=`echo $PIDFILE | cut -c16-` - NAME=${NAME%%.pid} - stop_socat - done -} - -case "$1" in - start) - log_daemon_msg "Starting multipurpose relay" "ser2net-client" - if start ; then - log_end_msg $? - else - log_end_msg $? - fi - ;; - stop) - log_daemon_msg "Stopping multipurpose relay" "ser2net-client" - if stop ; then - log_end_msg $? - else - log_end_msg $? - fi - ;; - restart) - log_daemon_msg "Restarting multipurpose relay" "ser2net-client" - stop - if start ; then - log_end_msg $? - else - log_end_msg $? - fi - ;; - reload|force-reload) - log_daemon_msg "Reloading multipurpose relay" "ser2net-client" - stop - if start ; then - log_end_msg $? - else - log_end_msg $? - fi - ;; - status) - status_of_proc -p /run/ser2net-client.pid /usr/bin/socat socat && exit 0 || exit $? 
- ;; - *) - echo "Usage: /etc/init.d/$NAME {start|stop|restart|reload|force-reload|status}" - exit 3 - ;; -esac - -exit 0 \ No newline at end of file diff --git a/base/packages/openhab/init.sls b/base/packages/openhab/init.sls deleted file mode 100644 index 3121eec..0000000 --- a/base/packages/openhab/init.sls +++ /dev/null @@ -1,24 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- - -include: - #- haproxy - - nginx - - systemd.units - - .pkg - - .prometheus - -openhab2-pkgs: - pkg.installed: - - pkgs: - - openhab - - openhab-addons - - default-jre-headless - - libopenzwave1.5 - - gunicorn3 - - python3 - - prometheus-nginx-exporter - - require: - - pkgrepo: repo_openhab2 - diff --git a/base/packages/openhab/pkg.sls b/base/packages/openhab/pkg.sls deleted file mode 100644 index 88842fe..0000000 --- a/base/packages/openhab/pkg.sls +++ /dev/null @@ -1,23 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- - -repo_openhab2: - pkgrepo.managed: - #- name: deb https://dl.bintray.com/openhab/apt-repo2 stable main - - name: deb https://openhab.jfrog.io/openhab/openhab-linuxpkg testing main - - file: /etc/apt/sources.list.d/openhab2.list - - key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab' - - clean_file: False - -etc-apt-apt.conf-noproxy: - file.managed: - - name: /etc/apt/apt.conf.d/99-openhab2-noproxy - - user: root - - group: root - - mode: 0755 - - contents: | - #SALT managed - Acquire::http::proxy::dl.bintray.com "DIRECT"; - Acquire::http::proxy::openhab.jfrog.io "DIRECT"; - \ No newline at end of file diff --git a/base/packages/openhab/prometheus.sls b/base/packages/openhab/prometheus.sls deleted file mode 100644 index 77beda6..0000000 --- a/base/packages/openhab/prometheus.sls +++ /dev/null 
@@ -1,25 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- - -openhab-prometheus-exporter: - file.managed: - - name: /usr/local/bin/openhab2-prometheus-exporter.py - - source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py - - source_hash: 399ba098b46abe482ce3be57484bf401d4d5a600 - - user: openhab - - group: openhab - - mode: 0755 - -prometheus-nginx-exporter: - service.running: - - enable: True - - watch: - - file: etc-default-prometheus-nginx-exporter - -etc-default-prometheus-nginx-exporter: - file.managed: - - name: /etc/default/prometheus-nginx-exporter - - contents: | - #SALT managed - ARGS="-nginx.scrape-uri http://127.0.0.1:80/stub_status" \ No newline at end of file diff --git a/base/packages/openhab/ser2net_client.sls b/base/packages/openhab/ser2net_client.sls deleted file mode 100644 index 51db98e..0000000 --- a/base/packages/openhab/ser2net_client.sls +++ /dev/null @@ -1,34 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- - -ser2net_client-pkgs: - pkg.installed: - - pkgs: - - socat - -ser2net_socat-conf: - file.managed: - - name: /etc/default/ser2net-client - - user: root - - mode: 0644 - - contents: | - #SALT managed - OPTIONS="pty,link=/dev/ttySER2NET0,raw,user=openhab,group=dialout,mode=660 tcp:auto:3333" - -ser2net_socat-init: - file.managed: - - name: /etc/init.d/ser2net-client - - user: root - - mode: 0740 - - source: salt://base/packages/openhab/files/socat.init - -ser2net_socat-service: - service.running: - - name: ser2net-client - - enable: True - - reload: True - - require: - - file: /etc/init.d/ser2net-client - - watch: - - file: /etc/default/ser2net-client diff --git a/base/packages/openhab/ser2net_server.sls b/base/packages/openhab/ser2net_server.sls deleted file mode 100644 index bb4c3fe..0000000 --- a/base/packages/openhab/ser2net_server.sls +++ /dev/null 
@@ -1,30 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: ft=yaml ---- -# manually installed from -#https://github.com/longshine/ser2nets - -ser2net_server-pkgs: - pkg.installed: - - pkgs: - - ser2net - -ser2net-conf: - file.managed: - - name: /etc/ser2net.conf - - user: root - - mode: 0644 - - contents: | - #SALT managed - 3333:raw:0:/dev/ttyAMA0:115200 8DATABITS NONE 1STOPBIT - -ser2net-service: - service.running: - - name: ser2net - - enable: True - - reload: True - - require: - - file: /etc/ser2net.conf - - watch: - - file: /etc/ser2net.conf - \ No newline at end of file diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index 2ad7537..462eacd 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls @@ -34,7 +34,8 @@ repo_debian: - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib #non-free' - file: /etc/apt/sources.list.d/debian.list - clean_file: True - + +{% if grains['oscodename] == 'bullseye' %}} repo_debian-updates: pkgrepo.managed: - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib #non-free' @@ -59,4 +60,5 @@ repo_debian-backports: - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib #non-free' - file: /etc/apt/sources.list.d/debian-backports.list - clean_file: True -{% endif %} +{% endif %} +{% endif %} diff --git a/roles/mpd/files/mpd.conf b/roles/mpd/files/mpd.conf index 8fc194b..6c3baba 100644 --- a/roles/mpd/files/mpd.conf +++ b/roles/mpd/files/mpd.conf @@ -1,3 +1,8 @@ +### +### SALT managed +### + + # An example configuration file for MPD. # Read the user manual for documentation: http://www.musicpd.org/doc/user/ # or /usr/share/doc/mpd/html/user.html 
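Review bot: The guard added to base/packages/repo/debian.sls, `{% if grains['oscodename] == 'bullseye' %}}`, has an unterminated string (`'oscodename]`) and a stray `}` after the closing `%}`. Jinja will most likely reject the template, and since this file is included from base/packages/init.sls, every minion applying the base package states would fail to render it. That would leave the apt sources, including the security repository, unmanaged. The line should be `{% if grains['oscodename'] == 'bullseye' %}`, with the extra `{% endif %}` from the second hunk closing it.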
@@ -11,14 +16,14 @@ # be disabled and audio files will only be accepted over ipc socket (using # file:// protocol) or streaming files over an accepted protocol. # -music_directory "/net/tumor.chaos/srv/pub/Music" +music_directory "/net/tumor.chaos/srv/pub/Music" # # This setting sets the MPD internal playlist directory. The purpose of this # directory is storage for playlists created by MPD. The server will use # playlist files not created by the server but only if they are in the MPD # format. This setting defaults to playlist saving being disabled. # -playlist_directory "/var/lib/mpd/playlists" +playlist_directory "/var/lib/mpd/playlists" # # This setting sets the location of the MPD database. This file is used to # load the database at server start up and store the database while the 
@@ -26,31 +31,34 @@ playlist_directory "/var/lib/mpd/playlists" # MPD to accept files over ipc socket (using file:// protocol) or streaming # files over an accepted protocol. # -db_file "/var/lib/mpd/tag_cache" +db_file "/var/lib/mpd/tag_cache" # # These settings are the locations for the daemon log files for the daemon. # These logs are great for troubleshooting, depending on your log_level # settings. # # The special value "syslog" makes MPD use the local syslog daemon. This -# setting defaults to logging to syslog, or to journal if mpd was started as -# a systemd service. +# setting defaults to logging to syslog. # -#log_file "/var/log/mpd/mpd.log" -log_file "syslog" +# If you use systemd, do not configure a log_file. With systemd, MPD +# defaults to the systemd journal, which is fine. # +#log_file "/var/log/mpd/mpd.log" + # This setting sets the location of the file which stores the process ID # for use of mpd --kill and some init scripts. This setting is disabled by # default and the pid file will not be stored. # -pid_file "/run/mpd/pid" +# If you use systemd, do not configure a pid_file. # +#pid_file "/run/mpd/pid" + # This setting sets the location of the file which contains information about # most variables to get MPD back into the same general shape it was in before # it was brought down. This setting is disabled by default and the server # state will be reset on server start up. # -state_file "/var/lib/mpd/state" +state_file "/var/lib/mpd/state" # # The location of the sticker database. This is a database which # manages dynamic information attached to songs. 
@@ -67,38 +75,36 @@ sticker_file "/var/lib/mpd/sticker.sql" # initialization. This setting is disabled by default and MPD is run as the # current user. # -user "mpd" +user "mpd" # # This setting specifies the group that MPD will run as. If not specified # primary group of user specified with "user" setting will be used (if set). # This is useful if MPD needs to be a member of group such as "audio" to # have permission to use sound card. # -#group "nogroup" +#group "nogroup" # # This setting sets the address for the daemon to listen on. Careful attention -# should be paid if this is assigned to anything other then the default, any. -# This setting can deny access to control of the daemon. Choose any if you want -# to have mpd listen on every address. Not effective if systemd socket -# activation is in use. +# should be paid if this is assigned to anything other than the default, any. +# This setting can deny access to control of the daemon. Not effective if +# systemd socket activation is in use. # # For network -bind_to_address "0.0.0.0" +bind_to_address "0.0.0.0" # # And for Unix Socket -#bind_to_address "/run/mpd/socket" +#bind_to_address "/run/mpd/socket" # # This setting is the TCP port that is desired for the daemon to get assigned # to. # -#port "6600" +#port "6600" # -# This setting controls the type of information which is logged. Available -# setting arguments are "default", "secure" or "verbose". The "verbose" setting -# argument is recommended for troubleshooting, though can quickly stretch -# available resources on limited hardware storage. +# Suppress all messages below the given threshold. Use "verbose" for +# troubleshooting. Available setting arguments are "notice", "info", "verbose", +# "warning" and "error". # -log_level "secure" +log_level "warning" # # Setting "restore_paused" to "yes" puts MPD into pause mode instead # of starting playback after startup. 
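Review bot: `bind_to_address "0.0.0.0"` is kept apart from whitespace, so the MPD control port stays reachable on every interface, while `password` and `default_permissions` appear only commented out in the visible hunks of roles/mpd/files/mpd.conf. Without those settings MPD gives unauthenticated clients its full default permission set, which the commented example lists as `read,add,control,admin`. If remote control is needed, bind to the specific LAN address and add `default_permissions "read"` plus a `password` profile for control. Otherwise the commented `bind_to_address "/run/mpd/socket"` is the safer choice. Lowering `log_level` from `"secure"` to `"warning"` in this hunk presumably also drops the client-connection messages that would show who used the port.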
@@ -108,12 +114,12 @@ log_level "secure" # This setting enables MPD to create playlists in a format usable by other # music players. # -#save_absolute_paths_in_playlists "no" +#save_absolute_paths_in_playlists "no" # # This setting defines a list of tag types that will be extracted during the # audio file discovery process. The complete list of possible values can be # found in the user manual. -#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc" +#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc" # # This example just enables the "comment" tag without disabling all # the other supported tags: @@ -137,12 +143,12 @@ log_level "secure" # If this setting is set to "yes", MPD will discover audio files by following # symbolic links outside of the configured music_directory. # -#follow_outside_symlinks "yes" +#follow_outside_symlinks "yes" # # If this setting is set to "yes", MPD will discover audio files by following # symbolic links inside of the configured music_directory. # -#follow_inside_symlinks "yes" +#follow_inside_symlinks "yes" # ############################################################################### 
@@ -152,12 +158,399 @@ log_level "secure" # If this setting is set to "yes", service information will be published with # Zeroconf / Avahi. # -zeroconf_enabled "no" +#zeroconf_enabled "yes" # # The argument to this setting will be the Zeroconf / Avahi unique name for # this MPD server on the network. %h will be replaced with the hostname. # -#zeroconf_name "Music Player @ %h" +#zeroconf_name "Music Player @ %h" +# +############################################################################### + + +# Permissions ################################################################# +# +# If this setting is set, MPD will require password authorization. The password +# setting can be specified multiple times for different password profiles. +# +#password "password@read,add,control,admin" +# +# This setting specifies the permissions a user has who has not yet logged in. +# +#default_permissions "read,add,control,admin" +# +############################################################################### + + +# Database ####################################################################### +# +# An example of a database section instead of the old 'db_file' setting. +# It enables mounting other storages into the music directory. 
+# +#database { +# plugin "simple" +# path "/var/lib/mpd/tag_cache" +# cache_directory "/var/lib/mpd/cache" +#} +# +# An example of database config for a satellite setup +# +#music_directory "nfs://fileserver.local/srv/mp3" +#database { +# plugin "proxy" +# host "other.mpd.host" +# port "6600" +#} + +# Input ####################################################################### +# +input { + plugin "curl" +# proxy "proxy.isp.com:8080" +# proxy_user "user" +# proxy_password "password" +} + +# Decoder ##################################################################### +# + +decoder { + plugin "hybrid_dsd" + enabled "no" +# gapless "no" +} +decoder { + plugin "wildmidi" + enabled "no" + #config_file "/etc/timidity/timidity.cfg" +} + +# +############################################################################### + +# Audio Output ################################################################ +# +# MPD supports various audio output types, as well as playing through multiple +# audio outputs at the same time, through multiple audio_output settings +# blocks. Setting this block is optional, though the server will only attempt +# autodetection for one sound card. +# +# An example of an ALSA output: +# +audio_output { + type "pipewire" + name "Pipewire" +# target "name" #Link to the given target. If not specified, + # let the PipeWire manager select a target. + # To get a list of available targets, type pw-cli dump short Node +# remote "name" + dsd "no" #Enable DSD playback. This requires PipeWire 0.38. 
+ +} + +#audio_output { +# type "alsa" +# name "My ALSA Device" +## device "hw:0,0" # optional +## mixer_type "hardware" # optional +## mixer_device "default" # optional +## mixer_control "PCM" # optional +## mixer_index "0" # optional +#} +# +# An example of an OSS output: +# +#audio_output { +# type "oss" +# name "My OSS Device" +## device "/dev/dsp" # optional +## mixer_type "hardware" # optional +## mixer_device "/dev/mixer" # optional +## mixer_control "PCM" # optional +#} +# +# An example of a shout output (for streaming to Icecast): +# +#audio_output { +# type "shout" +# encoder "vorbis" # optional +# name "My Shout Stream" +# host "localhost" +# port "8000" +# mount "/mpd.ogg" +# password "hackme" +# quality "5.0" +# bitrate "128" +# format "44100:16:1" +## protocol "icecast2" # optional +## user "source" # optional +## description "My Stream Description" # optional +## url "http://example.com" # optional +## genre "jazz" # optional +## public "no" # optional +## timeout "2" # optional +## mixer_type "software" # optional +#} +# +# An example of a recorder output: +# +#audio_output { +# type "recorder" +# name "My recorder" +# encoder "vorbis" # optional, vorbis or lame +# path "/var/lib/mpd/recorder/mpd.ogg" +## quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +#} +# +# An example of a httpd output (built-in HTTP streaming server): +# +#audio_output { +# type "httpd" +# name "My HTTP Stream" +# encoder "vorbis" # optional, vorbis or lame +# port "8000" +# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6 +## quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +# max_clients "0" # optional 0=no limit +#} +# +# An example of a pulseaudio output (streaming to a remote pulseaudio server) +# Please see README.Debian if you want mpd to play through the pulseaudio +# daemon started as part of your 
graphical desktop session! +# +#audio_output { +# type "pulse" +# name "My Pulse Output" +## server "remote_server" # optional +## sink "remote_server_sink" # optional +## media_role "media_role" #optional +#} +# +# An example of a winmm output (Windows multimedia API). +# +#audio_output { +# type "winmm" +# name "My WinMM output" +## device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +# or +## device "0" # optional +## mixer_type "hardware" # optional +#} +# +# An example of an openal output. +# +#audio_output { +# type "openal" +# name "My OpenAL output" +## device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +#} +# +# An example of an sndio output. +# +#audio_output { +# type "sndio" +# name "sndio output" +# mixer_type "hardware" +#} +# +# An example of an OS X output: +# +#audio_output { +# type "osx" +# name "My OS X Device" +## device "Built-in Output" # optional +## channel_map "-1,-1,0,1" # optional +#} +# +## Example "pipe" output: +# +#audio_output { +# type "pipe" +# name "my pipe" +# command "aplay -f cd 2>/dev/null" +## Or if you're want to use AudioCompress +# command "AudioCompress -m | aplay -f cd 2>/dev/null" +## Or to send raw PCM stream through PCM: +# command "nc example.org 8765" +# format "44100:16:2" +#} +# +## An example of a null output (for no audio output): +# +#audio_output { +# type "null" +# name "My Null Output" +# mixer_type "none" # optional +#} +# +############################################################################### + + +# Normalization automatic volume adjustments ################################## +## An example configuration file for MPD. 
+# Read the user manual for documentation: http://www.musicpd.org/doc/user/ +# or /usr/share/doc/mpd/html/user.html + + +# Files and directories ####################################################### +# +# This setting controls the top directory which MPD will search to discover the +# available audio files and add them to the daemon's online database. This +# setting defaults to the XDG directory, otherwise the music directory will be +# be disabled and audio files will only be accepted over ipc socket (using +# file:// protocol) or streaming files over an accepted protocol. +# +music_directory "/net/tumor.chaos/srv/pub/Music" +# +# This setting sets the MPD internal playlist directory. The purpose of this +# directory is storage for playlists created by MPD. The server will use +# playlist files not created by the server but only if they are in the MPD +# format. This setting defaults to playlist saving being disabled. +# +playlist_directory "/var/lib/mpd/playlists" +# +# This setting sets the location of the MPD database. This file is used to +# load the database at server start up and store the database while the +# server is not up. This setting defaults to disabled which will allow +# MPD to accept files over ipc socket (using file:// protocol) or streaming +# files over an accepted protocol. +# +db_file "/var/lib/mpd/tag_cache" +# +# These settings are the locations for the daemon log files for the daemon. +# These logs are great for troubleshooting, depending on your log_level +# settings. +# +# The special value "syslog" makes MPD use the local syslog daemon. This +# setting defaults to logging to syslog, or to journal if mpd was started as +# a systemd service. +# +#log_file "/var/log/mpd/mpd.log" +log_file "syslog" +# +# This setting sets the location of the file which stores the process ID +# for use of mpd --kill and some init scripts. This setting is disabled by +# default and the pid file will not be stored. 
+# +pid_file "/run/mpd/pid" +# +# This setting sets the location of the file which contains information about +# most variables to get MPD back into the same general shape it was in before +# it was brought down. This setting is disabled by default and the server +# state will be reset on server start up. +# +state_file "/var/lib/mpd/state" +# +# The location of the sticker database. This is a database which +# manages dynamic information attached to songs. +# +sticker_file "/var/lib/mpd/sticker.sql" +# +############################################################################### + + +# General music daemon options ################################################ +# +# This setting specifies the user that MPD will run as. MPD should never run as +# root and you may use this setting to make MPD change its user ID after +# initialization. This setting is disabled by default and MPD is run as the +# current user. +# +user "mpd" +# +# This setting specifies the group that MPD will run as. If not specified +# primary group of user specified with "user" setting will be used (if set). +# This is useful if MPD needs to be a member of group such as "audio" to +# have permission to use sound card. +# +#group "nogroup" +# +# This setting sets the address for the daemon to listen on. Careful attention +# should be paid if this is assigned to anything other then the default, any. +# This setting can deny access to control of the daemon. Choose any if you want +# to have mpd listen on every address. Not effective if systemd socket +# activation is in use. +# +# For network +bind_to_address "0.0.0.0" +# +# And for Unix Socket +#bind_to_address "/run/mpd/socket" +# +# This setting is the TCP port that is desired for the daemon to get assigned +# to. +# +#port "6600" +# +# This setting controls the type of information which is logged. Available +# setting arguments are "default", "secure" or "verbose". 
The "verbose" setting +# argument is recommended for troubleshooting, though can quickly stretch +# available resources on limited hardware storage. +# +log_level "secure" +# +# Setting "restore_paused" to "yes" puts MPD into pause mode instead +# of starting playback after startup. +# +#restore_paused "no" +# +# This setting enables MPD to create playlists in a format usable by other +# music players. +# +#save_absolute_paths_in_playlists "no" +# +# This setting defines a list of tag types that will be extracted during the +# audio file discovery process. The complete list of possible values can be +# found in the user manual. +#metadata_to_use "artist,album,title,track,name,genre,date,composer,performer,disc" +# +# This example just enables the "comment" tag without disabling all +# the other supported tags: +#metadata_to_use "+comment" +# +# This setting enables automatic update of MPD's database when files in +# music_directory are changed. +# +#auto_update "yes" +# +# Limit the depth of the directories being watched, 0 means only watch +# the music directory itself. There is no limit by default. +# +#auto_update_depth "3" +# +############################################################################### + + +# Symbolic link behavior ###################################################### +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links outside of the configured music_directory. +# +#follow_outside_symlinks "yes" +# +# If this setting is set to "yes", MPD will discover audio files by following +# symbolic links inside of the configured music_directory. +# +#follow_inside_symlinks "yes" +# +############################################################################### + + +# Zeroconf / Avahi Service Discovery ########################################## +# +# If this setting is set to "yes", service information will be published with +# Zeroconf / Avahi. 
+# +zeroconf_enabled "no" +# +# The argument to this setting will be the Zeroconf / Avahi unique name for +# this MPD server on the network. %h will be replaced with the hostname. +# +#zeroconf_name "Music Player @ %h" # ############################################################################### @@ -175,7 +568,7 @@ zeroconf_enabled "no" # ############################################################################### #input_cache { -# size "16m" +# size "16m" #} # Database ####################################################################### 
@@ -240,47 +633,47 @@ decoder { # An example of an ALSA output: # audio_output { - type "alsa" - name "My ALSA Device" -# device "hw:0,0" # optional -# mixer_type "hardware" # optional -# mixer_device "default" # optional -# mixer_control "PCM" # optional -# mixer_index "0" # optional + type "alsa" + name "My ALSA Device" +# device "hw:0,0" # optional +# mixer_type "hardware" # optional +# mixer_device "default" # optional +# mixer_control "PCM" # optional +# mixer_index "0" # optional } # # An example of an OSS output: # #audio_output { -# type "oss" -# name "My OSS Device" -# device "/dev/dsp" # optional -# mixer_type "hardware" # optional -# mixer_device "/dev/mixer" # optional -# mixer_control "PCM" # optional +# type "oss" +# name "My OSS Device" +# device "/dev/dsp" # optional +# mixer_type "hardware" # optional +# mixer_device "/dev/mixer" # optional +# mixer_control "PCM" # optional #} # # An example of a shout output (for streaming to Icecast): # #audio_output { -# type "shout" -# encoder "vorbis" # optional -# name "My Shout Stream" -# host "localhost" -# port "8000" -# mount "/mpd.ogg" -# password "hackme" -# quality "5.0" -# bitrate "128" -# format "44100:16:1" -# protocol "icecast2" # optional -# user "source" # optional -# description "My Stream Description" # optional -# url "http://example.com" # optional -# genre "jazz" # optional -# public "no" # optional -# timeout "2" # optional -# mixer_type "software" # optional +# type "shout" +# encoder "vorbis" # optional +# name "My Shout Stream" +# host "localhost" +# port "8000" +# mount "/mpd.ogg" +# password "hackme" +# quality "5.0" +# bitrate "128" +# format "44100:16:1" +# protocol "icecast2" # optional +# user "source" # optional +# description "My Stream Description" # optional +# url "http://example.com" # optional +# genre "jazz" # optional +# public "no" # optional +# timeout "2" # optional +# mixer_type "software" # optional #} # # An example of a recorder output: 
@@ -298,15 +691,15 @@ audio_output { # An example of a httpd output (built-in HTTP streaming server): # #audio_output { -# type "httpd" -# name "My HTTP Stream" -# encoder "vorbis" # optional, vorbis or lame -# port "8000" -# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6 -# quality "5.0" # do not define if bitrate is defined -# bitrate "128" # do not define if quality is defined -# format "44100:16:1" -# max_clients "0" # optional 0=no limit +# type "httpd" +# name "My HTTP Stream" +# encoder "vorbis" # optional, vorbis or lame +# port "8000" +# bind_to_address "0.0.0.0" # optional, IPv4 or IPv6 +# quality "5.0" # do not define if bitrate is defined +# bitrate "128" # do not define if quality is defined +# format "44100:16:1" +# max_clients "0" # optional 0=no limit #} # # An example of a pulseaudio output (streaming to a remote pulseaudio server) 
@@ -314,50 +707,50 @@ audio_output { # daemon started as part of your graphical desktop session! # #audio_output { -# type "pulse" -# name "My Pulse Output" -# server "remote_server" # optional -# sink "remote_server_sink" # optional +# type "pulse" +# name "My Pulse Output" +# server "remote_server" # optional +# sink "remote_server_sink" # optional #} # # An example of a winmm output (Windows multimedia API). # #audio_output { -# type "winmm" -# name "My WinMM output" -# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional -# or -# device "0" # optional -# mixer_type "hardware" # optional +# type "winmm" +# name "My WinMM output" +# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +# or +# device "0" # optional +# mixer_type "hardware" # optional #} # # An example of an openal output. # #audio_output { -# type "openal" -# name "My OpenAL output" -# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional +# type "openal" +# name "My OpenAL output" +# device "Digital Audio (S/PDIF) (High Definition Audio Device)" # optional #} # ## Example "pipe" output: # #audio_output { -# type "pipe" -# name "my pipe" -# command "aplay -f cd 2>/dev/null" +# type "pipe" +# name "my pipe" +# command "aplay -f cd 2>/dev/null" ## Or if you're want to use AudioCompress -# command "AudioCompress -m | aplay -f cd 2>/dev/null" +# command "AudioCompress -m | aplay -f cd 2>/dev/null" ## Or to send raw PCM stream through PCM: -# command "nc example.org 8765" -# format "44100:16:2" +# command "nc example.org 8765" +# format "44100:16:2" #} # ## An example of a null output (for no audio output): # #audio_output { -# type "null" -# name "My Null Output" -# mixer_type "none" # optional +# type "null" +# name "My Null Output" +# mixer_type "none" # optional #} # ############################################################################### 
@@ -372,17 +765,17 @@ audio_output { # See for more details about ReplayGain. # This setting is off by default. # -#replaygain "album" +#replaygain "album" # # This setting sets the pre-amp used for files that have ReplayGain tags. By # default this setting is disabled. # -#replaygain_preamp "0" +#replaygain_preamp "0" # # This setting sets the pre-amp used for files that do NOT have ReplayGain tags. # By default this setting is disabled. # -#replaygain_missing_preamp "0" +#replaygain_missing_preamp "0" # # This setting enables or disables ReplayGain limiting. # MPD calculates actual amplification based on the ReplayGain tags @@ -391,13 +784,13 @@ audio_output { # above its original level. If replaygain_limit is disabled such amplification # might occur. By default this setting is enabled. # -#replaygain_limit "yes" +#replaygain_limit "yes" # # This setting enables on-the-fly normalization volume adjustment. This will # result in the volume of all playing audio to be adjusted so the output has # equal "loudness". This setting is disabled by default. # -#volume_normalization "no" +#volume_normalization "no" # ############################################################################### 
@@ -406,6 +799,52 @@ audio_output { # If file or directory names do not display correctly for your locale then you # may need to modify this setting. # -filesystem_charset "UTF-8" +filesystem_charset "UTF-8" # ############################################################################### + +# This setting specifies the type of ReplayGain to use. This setting can have +# the argument "off", "album", "track" or "auto". "auto" is a special mode that +# chooses between "track" and "album" depending on the current state of +# random playback. If random playback is enabled then "track" mode is used. +# See for +# more details about ReplayGain. +# This setting is off by default. +# +#replaygain "album" +# +# This setting sets the pre-amp used for files that have ReplayGain tags. By +# default this setting is disabled. +# +#replaygain_preamp "0" +# +# This setting sets the pre-amp used for files that do NOT have ReplayGain tags. +# By default this setting is disabled. +# +#replaygain_missing_preamp "0" +# +# This setting enables or disables ReplayGain limiting. +# MPD calculates actual amplification based on the ReplayGain tags +# and replaygain_preamp / replaygain_missing_preamp setting. +# If replaygain_limit is enabled MPD will never amplify audio signal +# above its original level. If replaygain_limit is disabled such amplification +# might occur. By default this setting is enabled. +# +#replaygain_limit "yes" +# +# This setting enables on-the-fly normalization volume adjustment. This will +# result in the volume of all playing audio to be adjusted so the output has +# equal "loudness". This setting is disabled by default. +# +#volume_normalization "no" +# +############################################################################### + +# Character Encoding ########################################################## +# +# If file or directory names do not display correctly for your locale then you +# may need to modify this setting. 
+# +filesystem_charset "UTF-8" +# +############################################################################### \ No newline at end of file From 0db04a2090a6e47fd1f8667eb24e1afa506bea38 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Tue, 1 Aug 2023 17:09:31 +0200 Subject: [PATCH 93/94] bookworm updateS --- base/packages/common.sls | 1 + base/packages/repo/brave-browser.sls | 2 +- base/packages/repo/debian.sls | 6 +++--- base/packages/repo/openfoam.sls | 8 +------- 4 files changed, 6 insertions(+), 11 deletions(-) diff --git a/base/packages/common.sls b/base/packages/common.sls index ab7af83..c7efebb 100644 --- a/base/packages/common.sls +++ b/base/packages/common.sls @@ -49,6 +49,7 @@ common-installed: - python3-cherrypy3 - python3-pygit2 - systemd-timesyncd + - zstd common-removed: pkg.removed: diff --git a/base/packages/repo/brave-browser.sls b/base/packages/repo/brave-browser.sls index c3d9184..20c77bb 100644 --- a/base/packages/repo/brave-browser.sls +++ b/base/packages/repo/brave-browser.sls @@ -4,7 +4,7 @@ repo_brave-browser: pkgrepo.managed: - - name: deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com/ stable main + - name: deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com stable main - dist: stable - file: /etc/apt/sources.list.d/brave-browser-beta.list - key_url: https://brave-browser-apt-beta.s3.brave.com/brave-browser-beta-archive-keyring.gpg diff --git a/base/packages/repo/debian.sls b/base/packages/repo/debian.sls index 462eacd..5dbcf2c 100644 --- a/base/packages/repo/debian.sls +++ b/base/packages/repo/debian.sls 
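Review bot: The block appended at the end of this hunk repeats the ReplayGain and Character Encoding sections that sit just above it, so the new side ends with two active `filesystem_charset "UTF-8"` lines. MPD, as far as I know, rejects a non-repeatable setting that is defined twice, so the daemon may refuse to start with this file. Even if it does start, two copies of the same commented defaults leave it unclear which one an operator should edit. I would drop the appended copy, keep the single `filesystem_charset "UTF-8"` line, and end the file with a newline, since the hunk is marked `\ No newline at end of file`.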
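Review bot: The `key_url` in `repo_brave-browser` is fetched at apply time and, with Salt's default apt-key handling, presumably lands in the global apt trust store, where it is trusted for every configured repository and not only this one. On bookworm apt-key is deprecated, so I would keep the key in its own keyring file and reference it in the source entry, e.g. `deb [arch=amd64 signed-by=/etc/apt/keyrings/brave-browser-beta.gpg] https://brave-browser-apt-beta.s3.brave.com stable main` (the keyring path is a placeholder). The same applies to `repo_openfoam` in base/packages/repo/openfoam.sls, which also uses `key_url`. The state may continue below the hunk.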
@@ -31,14 +31,14 @@ repo_default: repo_debian: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib #non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib non-free non-free-firmware' - file: /etc/apt/sources.list.d/debian.list - clean_file: True -{% if grains['oscodename] == 'bullseye' %}} +{% if grains['oscodename'] == 'bullseye' %}} repo_debian-updates: pkgrepo.managed: - - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib #non-free' + - name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib non-free non-free-firmware' - file: /etc/apt/sources.list.d/debian-updates.list - clean_file: True diff --git a/base/packages/repo/openfoam.sls b/base/packages/repo/openfoam.sls index c66ea43..e732028 100644 --- a/base/packages/repo/openfoam.sls +++ b/base/packages/repo/openfoam.sls @@ -5,14 +5,8 @@ repo_openfoam: pkgrepo.managed: - name: deb [arch=amd64] https://dl.openfoam.com/repos/deb kinetic main - - dist: groovy + - dist: kinetic - file: /etc/apt/sources.list.d/openfoam.list - key_url: https://dl.openfoam.com/pubkey.gpg - clean_file: True - -#apt-update: -# cmd.run: -# - name: apt update -y -# - listen: -# - pkgrepo: repo_maketank From e5667a6f552ef35d61c5297e750c07fa9f878a55 Mon Sep 17 00:00:00 2001 From: Udo Waechter Date: Sun, 1 Oct 2023 14:47:00 +0200 Subject: [PATCH 94/94] removed k8s stuff --- top.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/top.sls b/top.sls index 57ef6f9..3a4c9b1 100644 --- a/top.sls +++ b/top.sls 
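Review bot: The corrected condition still ends in `%}}`, so the extra `}` becomes literal text inside the if-body and is emitted ahead of `repo_debian-updates:` on bullseye hosts, where it most likely breaks YAML parsing of the rendered state. It should read `{% if grains['oscodename'] == 'bullseye' %}`. The new line inside that bullseye-only block also adds `non-free-firmware`, which as far as I know only exists from bookworm on, so `main contrib non-free` would be enough there. Enabling `non-free` also widens the package sources on every host compared with the old commented-out `#non-free`, so a short comment naming the packages that need it would help. The matching `{% endif %}` lies outside the hunk.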
@@ -22,15 +22,15 @@ base: - k8s.podman - base.packages.haproxy - systemd.units - - base.packages.salt.master - - base.pki.ca + #- base.packages.salt.master + #- base.pki.ca 'pine*': - - k8s + #- k8s - roles.nut.client 'ebin*': - roles.nut.client 'lenny*': - - k8s.admin + #- k8s.admin - base.packages.node.lenny # migrate these with yori/desktops - base.packages.repo.brave-browser - base.packages.FreeCAD
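Review bot: Commenting `base.packages.salt.master` and `base.pki.ca` out of the top file only stops Salt from applying them; whatever those states installed earlier (presumably CA key material and a running master) stays on the host. If this target is no longer meant to hold the CA, a cleanup state or a note on where the keys now live would be worth adding. I would also delete the lines rather than leave `#- k8s` and `#- k8s.admin` behind, since git keeps the history. The target that the first two entries belong to is above the hunk.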