Merge branch 'master' of ssh://git.maketank.net:2222/chaos/salt-master

2025-11-20 18:20:17 +01:00
63 changed files with 2263 additions and 143 deletions


@@ -4,9 +4,9 @@
include:
- .packages
- .pki
- .gluster.client
#- .pki
- sysctl
- rsyslog
- sudoers
- systemd
- .timezone
- .release

75
base/packages/FreeCAD.sls Normal file

@@ -0,0 +1,75 @@
include:
- .repo.openfoam
pkg_FreeCAD:
pkg.installed:
- pkgs:
- openfoam
- libocct-draw-dev
- libocct-foundation-dev
- libocct-modeling-algorithms-dev
- libocct-modeling-data-dev
- libocct-ocaf-dev
- libocct-visualization-dev
- libocct-data-exchange-dev
- calculix-cgx
- cmake
- libboost-date-time-dev
- libboost-dev
- libboost-filesystem-dev
- libboost-graph-dev
- libboost-iostreams-dev
- libboost-program-options-dev
- libboost-python-dev
- libboost-regex-dev
- libboost-serialization-dev
- libboost-thread-dev
- libcoin-dev
- libeigen3-dev
- libgts-bin
- libgts-dev
- libkdtree++-dev
- libmedc-dev
- libocct-data-exchange-dev
- libocct-ocaf-dev
- libocct-visualization-dev
- libopencv-dev
- libproj-dev
- libpyside2-dev
- libqt5opengl5-dev
- libqt5svg5-dev
- libqt5webkit5-dev
- libqt5x11extras5-dev
- libqt5xmlpatterns5-dev
- libshiboken2-dev
- libspnav-dev
- libx11-dev
- libxerces-c-dev
- libzipios++-dev
- occt-draw
- pyside2-tools
- python3-dev
- python3-matplotlib
- python3-pivy
- python3-ply
- python3-pyside2.qtcore
- python3-pyside2.qtgui
- python3-pyside2.qtsvg
- python3-pyside2.qtwidgets
- python3-pyside2.qtnetwork
- python3-pyside2.qtwebengine
- python3-pyside2.qtwebenginecore
- python3-pyside2.qtwebenginewidgets
- python3-pyside2.qtwebchannel
- python3-markdown
- python3-git
- qtbase5-dev
- qttools5-dev
- swig
- libmetis-dev
- python3-pyside2.qtscripttools
- python3-pyside2.qtuitools
- pyside2-tools
- libshiboken2-dev
- libshiboken2-py3-5.15
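Review bot: The `pkgs` list repeats several entries — `libocct-data-exchange-dev`, `libocct-ocaf-dev` and `libocct-visualization-dev` appear near the top and again after `libmedc-dev`, and `pyside2-tools` and `libshiboken2-dev` are listed twice at the end; drop the second copies so the state stays readable and diffable. `libshiboken2-py3-5.15` pins a soname-versioned package, so this state silently breaks on the next shiboken transition; a comment explaining the pin, or relying on the unversioned `-dev` package already listed, would help. The included `.repo.openfoam` (added elsewhere in this commit) points at an Ubuntu `kinetic` suite, so `openfoam` is installed from a foreign-distribution repository onto what the rest of this tree treats as Debian hosts; a comment on `- .repo.openfoam` stating why that is expected to work would save the next reader a surprise.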


@@ -26,20 +26,17 @@ common-installed:
- bzip2
- gzip
- unzip
- libwww-perl
- bind9-host
- dnsutils
- tcpdump
- file
- python-pip
- python-dev
- python-pyinotify
- python-m2crypto
- python3-pip
- python3-dev
- python3-pyinotify
- python3-m2crypto
- python3-apt
- lockfile-progs
- virt-what
- ntp
- ntpdate
- apt-transport-https
- python3-croniter
- flex
@@ -48,7 +45,11 @@ common-installed:
- nfs-common
- mosquitto-clients
- autofs
- python-apt
- debian-keyring
- python3-cherrypy3
- python3-pygit2
- systemd-timesyncd
- zstd
common-removed:
pkg.removed:
@@ -58,3 +59,7 @@ common-removed:
- exim4-base
- exim4-config
- exim4-daemon-light
- command-not-found
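Review bot: `systemd-timesyncd` is added in the second hunk while `ntp` and `ntpdate` still appear in the first; the rendered view does not show which side those two are on, but if they remain installed the Debian `ntp` package conflicts with `systemd-timesyncd` and the highstate fails at the apt level. If they are meant to go, listing them under `common-removed` in the third hunk makes the intent explicit and cleans existing hosts; if they stay, `systemd-timesyncd` should not be in the list. Both `pkg.installed` lists begin outside the hunks shown here.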

61
base/packages/haproxy.sls Normal file

@@ -0,0 +1,61 @@
include:
- haproxy
pkg_prometheus-haproxy-exporter:
pkg.installed:
- pkgs:
- prometheus-haproxy-exporter
service_prometheus-haproxy-exporter:
service.running:
- name: prometheus-haproxy-exporter
- enable: True
- watch:
- file: /etc/default/prometheus-haproxy-exporter
etc_default_prometheus_haproxy-exporter:
file.managed:
- name: /etc/default/prometheus-haproxy-exporter
- require:
- pkg: pkg_prometheus-haproxy-exporter
- contents: |
#
## SALT managed
#
# Set the command-line arguments to pass to the server.
# Due to shell scaping, to pass backslashes for regexes, you need to double
# them (\\d for \d). If running under systemd, you need to double them again
# (\\\\d to mean \d), and escape newlines too.
ARGS="--haproxy.scrape-uri=http://localhost:9110/haproxy-status;csv --log.level=warn"
# Prometheus-haproxy-exporter supports the following options:
#
# --web.listen-address=":9101"
# Address to listen on for web interface and telemetry.
# --web.telemetry-path="/metrics"
# Path under which to expose metrics.
# --haproxy.scrape-uri="http://localhost/;csv"
# URI on which to scrape HAProxy.
# --haproxy.ssl-verify
# Flag that enables SSL certificate verification for the scrape URI
# --haproxy.server-metric-fields="2,3,4,5,6,7,8,9,13,14,15,16,17,18,21,24,33,35,38,39,40,41,42,43,44"
# Comma-separated list of exported server metrics. See
# http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.1
# --haproxy.timeout=5s
# Timeout for trying to get stats from HAProxy.
# --haproxy.pid-file=""
# Path to HAProxy pid file.
#
# If provided, the standard process metrics get exported for the HAProxy
# process, prefixed with 'haproxy_process_...'. The haproxy_process exporter
# needs to have read access to files owned by the HAProxy process. Depends
# on the availability of /proc.
# https://prometheus.io/docs/instrumenting/writing_clientlibs/#process-metrics.
# --log.level="info"
# Only log messages with the given severity or above.
# Valid levels: [debug, info, warn, error, fatal]
# --log.format="logger:stderr"
# Set the log target and format. Example:
# "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true"
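Review bot: `etc_default_prometheus_haproxy-exporter` manages `/etc/default/prometheus-haproxy-exporter` without `user`, `group` or `mode`, so the file keeps whatever permissions it happened to be created with; `- user: root`, `- group: root` and `- mode: '0644'` would match the other `file.managed` states in this tree. The exporter's own comment block shows the default `--web.listen-address=":9101"`, which binds every interface; if only the Prometheus host scrapes it, adding a listen address on the internal interface to `ARGS` (or a firewall rule) keeps HAProxy's per-backend stats from being readable by anything that can reach the box. `- enable: True` works, but lowercase `true` is the form YAML linters expect.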


@@ -4,5 +4,6 @@
include:
- .common
- .repo.maketank
- .repo.debian
- .prometheus
- .salt.minion
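Review bot: `- .repo.maketank` is still included here, but a file defining `repo_maketank` for `/etc/apt/sources.list.d/maketank.list` is deleted in full further down in this commit; unless that file was moved rather than removed (the rendered view cannot tell), rendering this include will fail with a missing SLS. Either drop the include or keep the maketank repo state. The commented `#apt-update` blocks copied into the new repo files also still `listen` on `repo_maketank`.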


@@ -1,46 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
include:
- haproxy
- systemd.units
openhab2-pkgs:
pkg.installed:
- pkgs:
- openhab2
- openhab2-addons
- default-jre-headless
- libopenzwave1.5
- gunicorn3
- python3
- prometheus-haproxy-exporter
- require:
- pkgrepo: repo_openhab2
repo_openhab2:
pkgrepo.managed:
- name: deb https://dl.bintray.com/openhab/apt-repo2 stable main
#- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/openhab2.list
- key_url: 'https://bintray.com/user/downloadSubjectPublicKey?username=openhab'
- clean_file: True
openhab-prometheus-exporter:
file.managed:
- name: /usr/local/bin/openhab2-prometheus-exporter.py
- source: https://raw.githubusercontent.com/zoide/openhab2-prometheus-exporter/master/openhab2-exporter.py
- source_hash: eea41af67a92266680a427ccde87344753bd8bbbcee20d9eb1d2ed3773e5676f
- user: openhab
- group: openhab
- mode: 0755
etc-apt-apt.conf-noproxy:
file.managed:
- name: /etc/apt/apt.conf.d/99-openhab2-noproxy
- user: root
- group: root
- mode: 0755
- contents: |
#SALT managed
Acquire::http::proxy::dl.bintray.com "DIRECT";


@@ -8,13 +8,11 @@ set has_promexporter = salt['pillar.get'](
# This has to be here, otherwise:
# https://stackoverflow.com/questions/59268721/saltstack-use-include-twice-in-one-sls-file
#
{%- if 'prometheus-node_exporter' in has_promexporter %}
include:
{%- if 'prometheus-node_exporter' in has_promexporter %}
- prometheus
- systemd.reload
{%- else %}
#- prometheus.clean #Dat klappt nuesch!
{%- endif %}
{%- endif %}
{%- if 'prometheus-node_exporter' in has_promexporter %}
systemd-prometheus-node-exporter-service-override:
@@ -44,9 +42,12 @@ link-orig-prom-path:
- require:
- file: delete-orig-prom-path
{% if grains['oscodename'] != 'bullseye' %}
patch-smartmon.sh:
file.managed:
- name: /usr/share/prometheus-node-exporter/smartmon.sh
- source: salt://base/packages/prometheus/files/smartmon.sh
- mode: 0755
{% endif %}
{%- endif %}
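Review bot: The second hunk gates `patch-smartmon.sh` on `grains['oscodename'] != 'bullseye'`, while the rest of this commit (`repo.debian`, `release`, `repo.debian-bullseye`) derives the release from pillar `os:release`; a host whose pillar release differs from the installed grain gets the patched script or not based on a different source of truth. Use the same pillar lookup (with the grain as fallback) here, or add a comment such as `# deliberately checks the running release, not pillar os:release` if that is intended. In the first hunk the two `{%- if 'prometheus-node_exporter' in has_promexporter %}` lines make it hard to see which guard survives in the new file; the enclosing Jinja block continues outside both hunks.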


@@ -0,0 +1,18 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
repo_brave-browser:
pkgrepo.managed:
- name: deb [arch=amd64] https://brave-browser-apt-beta.s3.brave.com stable main
- dist: stable
- file: /etc/apt/sources.list.d/brave-browser-beta.list
- key_url: https://brave-browser-apt-beta.s3.brave.com/brave-browser-beta-archive-keyring.gpg
- clean_file: True
#apt-update:
# cmd.run:
# - name: apt update -y
# - listen:
# - pkgrepo: repo_maketank
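Review bot: The commented `#apt-update` block at the end listens on `repo_maketank`, a state that does not exist in this file and whose defining SLS is deleted elsewhere in this commit; it is a copy-paste leftover and should be removed rather than carried into a new file. The repository is the `brave-browser-apt-beta` channel, which deserves a one-line comment above `repo_brave-browser` saying why beta rather than release is wanted. `key_url` imports the vendor key into the system-wide apt keyring, where it can sign any repository on the host; newer Salt releases support `signedby` on `pkgrepo.managed` (or a `[signed-by=...]` option in `name`) to scope it to this list file.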


@@ -0,0 +1,22 @@
{%-
set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %}
repo_debian-bullseye:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian bullseye main contrib'
- file: /etc/apt/sources.list.d/debian-bullseye.list
- clean_file: True
{% else %}
repo_debian-bullseye-absent:
file.absent:
- name: /etc/apt/sources.list.d/debian-bullseye.list
{% endif %}
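Review bot: `cache_url` is spliced directly in front of `deb.debian.org`, so the line is only well-formed when the pillar value is either empty or ends with a `/` (constructed example: `cache.internal:3142/`); nothing documents that contract. A comment above `repo_debian-bullseye` such as `# services:apt-cache must be '' or 'host:port/' — it is prefixed to the mirror host` would save the next reader a broken sources line; the same construct appears in `repo.debian` and `repo.debian-sid` in this commit. Note also that `default = 'buster'` for `os:release` here differs from the `'bullseye'` default used in `release.sls`.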


@@ -0,0 +1,22 @@
{%-
set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
#{% if salt['pillar.get']('os:release', default = 'buster') != 'bullseye' %}
repo_debian-sid:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian sid main contrib'
- file: /etc/apt/sources.list.d/debian-sid.list
- clean_file: True
#{% else %}
#repo_debian-sid-absent:
# file.absent:
# - name: /etc/apt/sources.list.d/debian-sid.list
#{% endif %}
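Review bot: `repo_debian-sid` now adds the unstable suite unconditionally, with the release guard and the `file.absent` counterpart left commented out; even with `release.sls` setting `APT::Default-Release`, any package absent from the default release, or any explicit `/sid` install, resolves through sid and can pull newer libraries onto a stable host. If sid is wanted only on specific hosts, restore the guard and key it on a dedicated pillar flag rather than on `os:release`; if it is wanted everywhere, say so in a comment and consider an apt pin lowering sid's priority. Commented-out Jinja (`#{% else %}` and following) should be deleted or restored, not shipped.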


@@ -1,26 +1,64 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
#!jinja|yaml|gpg
{%-
set cache_url = salt['pillar.get'](
'services:apt-cache',
default=''
)
%}
{%-
set os_rel = salt['pillar.get'](
'os:release',
default=False
)
%}
{%- if not os_rel %}
{% set os_rel = grains['oscodename'] %}
{%- endif %}
repo_default:
file.managed:
- name: /etc/apt/sources.list
- contents: '#SALT managed, all in sources.list.d'
- user: root
- group: root
- mode: 0600
{% if grains['os'] == 'Debian' %}
repo_debian:
pkgrepo.managed:
- name: deb http://deb.debian.org/debian {{ grains['oscodename'] }} main contrib non-free
- dist: {{ grains['oscodename'] }}
- name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }} main contrib non-free non-free-firmware'
- file: /etc/apt/sources.list.d/debian.list
- clean_file: True
{% if grains['oscodename'] == 'bullseye' %}}
repo_debian-updates:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-updates main contrib non-free non-free-firmware'
- file: /etc/apt/sources.list.d/debian-updates.list
- clean_file: True
#deb http://deb.debian.org/debian-security/ bullseye-security main contrib non-free
{% if os_rel == 'buster' %}
{% set repo_path = "/updates" %}
{% else %}
{% set repo_path = "-security" %}
{% endif %}
repo_debian-security:
pkgrepo.managed:
- name: 'deb http://{{ cache_url }}deb.debian.org/debian-security {{ os_rel }}{{ repo_path }} main contrib #non-free'
- file: /etc/apt/sources.list.d/debian-security.list
- clean_file: True
repo_debian-backports:
pkgrepo.managed:
- name: deb http://deb.debian.org/debian {{ grains['oscodename'] }}-backports main contrib non-free
- dist: {{ grains['oscodename'] }}
- name: 'deb http://{{ cache_url }}deb.debian.org/debian {{ os_rel }}-backports main contrib #non-free'
- file: /etc/apt/sources.list.d/debian-backports.list
- clean_file: True
#apt-update:
# cmd.run:
# - name: apt update -y
# - listen:
# - pkgrepo: repo_maketank
{% endif %}
{% endif %}
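Review bot: `{% if grains['oscodename'] == 'bullseye' %}}` carries an extra `}`: Jinja closes the block at `%}` and emits the literal `}` into the rendered YAML, which the loader will reject (the rendered view does not show sides, but the line sits in the new `os_rel`/`cache_url` layout, so it appears to be new code). The same guard uses the grain while every `name:` around it uses `os_rel` from pillar, so a host with `os:release: bullseye` in pillar on another installed release gets no updates, security or backports lists; `{% if os_rel == 'bullseye' %}` is what the surrounding lines imply. The names ending in `#non-free'` put the `#` inside the quoted string — apt treats it as a comment, but the repo name Salt compares against the existing list file now contains ` #non-free`, which is confusing; drop it from the string. `non-free-firmware` is emitted for every `os_rel`, which should be checked against the suites this tree actually targets.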


@@ -1,18 +0,0 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
repo_maketank:
pkgrepo.managed:
- name: deb http://apt.maketank.net/debian {{ grains['oscodename'] }} main
- dist: {{ grains['oscodename'] }}
- file: /etc/apt/sources.list.d/maketank.list
- key_url: http://apt.maketank.net/debian/debian.gpg
- clean_file: True
#apt-update:
# cmd.run:
# - name: apt update -y
# - listen:
# - pkgrepo: repo_maketank


@@ -0,0 +1,12 @@
# -*- coding: utf-8 -*-
# vim: ft=yaml
---
#required/wanted for FreeCAD
repo_openfoam:
pkgrepo.managed:
- name: deb [arch=amd64] https://dl.openfoam.com/repos/deb kinetic main
- dist: kinetic
- file: /etc/apt/sources.list.d/openfoam.list
- key_url: https://dl.openfoam.com/pubkey.gpg
- clean_file: True
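Review bot: `repo_openfoam` pulls `kinetic main` — an Ubuntu codename — from dl.openfoam.com onto hosts the rest of this tree treats as Debian; the `#required/wanted for FreeCAD` comment should also record why that suite was chosen and which Debian release it was verified against, since `FreeCAD.sls` installs `openfoam` from it with a plain `pkg.installed`. `key_url` adds the vendor key to the system-wide apt keyring, so it can sign any repository on the host; scoping it with `signedby` (newer Salt releases) or a `[signed-by=...]` option in `name` limits the reach of that key.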


@@ -0,0 +1,14 @@
{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %}
pkgs-salt-master:
pkg.installed:
- hold: True
- pkgs:
- salt-master: {{ salt_v }}
- salt-api: {{ salt_v }}
pkgs-salt-additional:
pkg.installed:
- pkgs:
- python3-cherrypy3
- python3-pygit2
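Review bot: The pinned `salt_v = "3002.6+dfsg1-4+deb11u1"` is duplicated verbatim in the `salt/minion.sls` hunk below; a bump in one file and not the other leaves master and minions on different versions despite `hold: True`. Move the version into pillar (or a shared Jinja import) and read it in both states. Salt 3002 is end-of-life upstream, so with the hold only Debian's `deb11u` updates can reach these packages; a comment recording that and the reason for the hold would help whoever next touches it.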


@@ -0,0 +1,7 @@
{%- set salt_v = "3002.6+dfsg1-4+deb11u1" %}
pkgs-salt-minion:
pkg.installed:
- hold: True
- pkgs:
- salt-minion: {{ salt_v }}


@@ -2,9 +2,20 @@
# vim: ft=yaml
---
/usr/local/share/ca-certificates:
file.directory
#/usr/local/share/ca-certificates:
# file.directory
/usr/local/share/ca-certificates/intca.crt:
/etc/pki/intca.crt:
x509.pem_managed:
- text: {{ salt['mine.get']('tumor.chaos', 'x509.get_pem_entries')['tumor.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
- text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
/etc/ssl/certs/intca.crt:
x509.pem_managed:
- text: {{ salt['mine.get']('salt.chaos', 'x509.get_pem_entries')['salt.chaos']['/etc/pki/ca.crt']|replace('\n', '') }}
/usr/sbin/update-ca-certificates:
cmd.run:
- onchanges:
- x509: /etc/ssl/certs/intca.crt
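Review bot: The new `/etc/ssl/certs/intca.crt` state drops the CA directly into `/etc/ssl/certs`, but `update-ca-certificates` only processes `.crt` files under `/usr/local/share/ca-certificates` (and `/usr/share/ca-certificates`), so the `onchanges` run at the end rebuilds nothing: the certificate is neither hash-linked nor added to `ca-certificates.crt`, and consumers of the bundle still do not trust it. Keep the `/usr/local/share/ca-certificates/intca.crt` state (this hunk appears to comment out its directory and retarget it, though the rendered view does not show sides) and point `onchanges` at that `x509` state instead. The mine lookup indexes `['salt.chaos']` with no fallback, so a minion whose mine has not been refreshed fails the render of the whole SLS; a `.get()` with a clear error message would make that failure readable.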


@@ -11,11 +11,38 @@
/etc/pki/public.crt:
x509.certificate_managed:
- ca_server: tumor.chaos
- ca_server: salt.chaos
- signing_policy: host
- public_key: /etc/pki/private.key
- CN: {{ grains['fqdn'] }}
- days_remaining: 30
- CN: {{ grains['fqdn'] }}
- subjectAltName: 'DNS:{{ grains['fqdn'] }}'
- days_remaining: 5
- backup: True
- require:
- x509: /etc/pki/private.key
{% for cn in salt['pillar.get']('pki:cns',{}) %}
/etc/pki/{{ cn }}.crt:
x509.certificate_managed:
- ca_server: salt.chaos
- signing_policy: host
- public_key: /etc/pki/private.key
- days_remaining: 5
- backup: False
- CN: {{ grains['fqdn'] }}
- subjectAltName: 'DNS:{{ cn }}'
- require:
- x509: /etc/pki/private.key
/etc/pki/chain/{{ cn }}.pem:
file:
- append
- sources:
- /etc/pki/{{ cn }}.crt
- /etc/pki/intca.crt
- require:
- file: /etc/pki/chain
{% endfor %}
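Review bot: `/etc/pki/chain/{{ cn }}.pem` is built with `file.append`, which only adds content not already present; when `/etc/pki/{{ cn }}.crt` is renewed (now whenever fewer than 5 days remain) the old certificate stays at the top of the chain file and the new one is appended, so anything reading the first PEM block keeps serving the expired certificate. Use `append_certs` on the `x509.certificate_managed` state, or a `file.managed` whose contents are regenerated from both files, so the chain is rewritten on renewal. `days_remaining: 5` is tight: a host that misses highstate for a week lets a certificate lapse; the previous 30, or a value matched to the highstate schedule, is safer. The loop certificates all set `CN: {{ grains['fqdn'] }}` and differ only in `subjectAltName`, which works for TLS but deserves a comment; the `/etc/pki/public.crt` state begins outside the hunk.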


@@ -8,3 +8,6 @@ include:
/etc/pki:
file.directory
/etc/pki/chain:
file.directory


@@ -11,8 +11,9 @@ x509_signing_policies:
- ST: Berlin
- L: Berlin
- basicConstraints: "critical CA:false"
- keyUsage: "critical keyEncipherment"
- keyUsage: "nonRepudiation, digitalSignature, keyEncipherment, keyAgreement"
- extendedKeyUsage: "serverAuth, clientAuth"
- subjectKeyIdentifier: hash
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 360
- days_valid: 365
- copypath: /etc/pki/issued_certs/
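Review bot: The `host` policy now grants `extendedKeyUsage: serverAuth, clientAuth` to every certificate it signs, so any host certificate issued under it doubles as a client credential for anything that does mTLS against this CA; if client authentication is only needed for some services, a separate policy for those keeps the server certificates single-purpose. The rewritten `keyUsage` line also drops the `critical` flag the previous line carried while `basicConstraints` keeps it; harmless for most clients but inconsistent, so either mark both critical or comment why not. `nonRepudiation` is rarely meaningful for a TLS server key and could be dropped. The `x509_signing_policies` mapping starts outside this hunk.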

12
base/release.sls Normal file

@@ -0,0 +1,12 @@
{% set def_rel = 'bullseye' %}
{% if salt['pillar.get']('os:release', default = False) %}
{% set def_rel = salt['pillar.get']('os:release', default = False) %}
{% endif %}
etc_apt_release:
file.managed:
- name: /etc/apt/apt.conf.d/01release
- user: root
- mode: 644
- contents: 'APT::Default-Release "{{ def_rel }}";'
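Review bot: `- mode: 644` is an unquoted integer; Salt normalises it, but the other `file.managed` states in this commit write modes as `0755`/`0600`, and a quoted `'0644'` is the form that survives YAML typing. `def_rel` defaults to `'bullseye'` while `repo.debian-bullseye` and `repo.debian-sid` default `os:release` to `'buster'` and `repo.debian` falls back to `grains['oscodename']`; a host without the pillar key therefore gets an `APT::Default-Release` that may not match the repositories it is handed. Centralising the default in one place (pillar or a shared Jinja macro) removes that drift. The state sets `user: root` but no `group`.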

4
base/rsyslog/client.sls Normal file

@@ -0,0 +1,4 @@
include:
- rsyslog
- .service


@@ -0,0 +1,39 @@
/data/logs/*/syslog
{
rotate 10
daily
size 50M
missingok
notifempty
delaycompress
compress
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
/data/logs/*/mail.info
/data/logs/*/mail.warn
/data/logs/*/mail.err
/data/logs/*/mail.log
/data/logs/*/daemon.log
/data/logs/*/kern.log
/data/logs/*/auth.log
/data/logs/*/user.log
/data/logs/*/lpr.log
/data/logs/*/cron.log
/data/logs/*/debug
/data/logs/*/messages
{
rotate 5
daily
size 100M
missingok
notifempty
compress
delaycompress
sharedscripts
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
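Review bot: Both stanzas combine `daily` with `size`; in logrotate `size` is mutually exclusive with the interval directives and takes precedence, so these files rotate only once they exceed 50M/100M, not daily. If the intent is "daily, and also whenever the file grows past the limit", `maxsize 50M` / `maxsize 100M` is the directive that does that. There is no `create` or `su` line, so if the `/data/logs/*` directories are not root-owned with non-world-writable permissions, Debian's logrotate skips them with an "insecure permissions" error; how rsyslog creates those directories is not visible here.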


@@ -0,0 +1,82 @@
#
# SALT managed.
#
# Load UDP module
$ModLoad imudp
# Load TCP module
$ModLoad imtcp
# Load RELP module
$ModLoad imrelp
#
# Use traditional timestamp format.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Switch to remote ruleset
$RuleSet remote
# Log files are stored in directories matching the short hostname, excluding numbers
# i.e. web01 web02 and web03 will all log to a the web directory
# Templates
$Template dynAuditLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/audit.log"
$Template dynAuthLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/auth.log"
$Template dynSyslog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/syslog"
$Template dynCronLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/cron.log"
$Template dynDaemonLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.log"
$Template dynKernLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/kern.log"
$Template dynUserLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/user.log"
$Template dynMailLog,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/mail.log"
$Template dynDebug,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/debug"
$Template dynMessages,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/messages"
$Template dynLocal0daemon,"/data/logs/%source:R,ERE,1,DFLT:([A-Za-z-]*)--end%/daemon.local0.log"
# Rules
auth,authpriv.* ?dynAuthLog
*.*;auth.none,authpriv.none,mail.none,cron.none,kern.none,user.none,daemon.none -?dynSyslog
cron.* ?dynCronLog
kern.* -?dynKernLog
mail.* -?dynMailLog
user.* -?dynUserLog
#*.=info;*.=notice;*.=warn;\
#
# auth.none,authpriv.none;\
# cron.none,daemon.none;\
# mail.none,news.none -?dynMessages
#hier gibts drachen / here are dragons
#if $syslogfacility-text == 'local0' then /var/log/somelog
daemon.* -?dynDaemonLog
# drachen sind put / dragons borked
#
# Special format to keep audit logs as sent.
$Template auditFormat,"%msg%\n"
# Catch messages from audispd and send to audit log.
:programname, isequal, "audispd" -?dynAuditLog;auditFormat
:programname, isequal, "audispd" stop
# Switch back to default ruleset
$RuleSet RSYSLOG_DefaultRuleset
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$UDPServerAddress *
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputRELPServerBindRuleset remote
$InputRELPServerRun 20514
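Review bot: The `dyn*` templates key the destination directory on `%source%`, which is the HOSTNAME field of the received message as the sender wrote it, not the peer address; since `$UDPServerAddress *` binds every interface and there is no `$AllowedSender` list, any sender that can reach 514/udp can write into another host's directory, and a hostname that starts with a digit matches an empty `([A-Za-z-]*)` group and lands in `/data/logs//syslog`. Switching the templates to `%fromhost%` (or `%fromhost-ip%`) ties the directory to the connection, and `$AllowedSender UDP, <internal-cidr>` plus the TCP equivalent (or a host firewall) limits who can inject. TCP 514 and RELP 20514 are plaintext; if log integrity matters for forensics, the TLS network stream driver is the usual answer. The `#hier gibts drachen` / `# drachen sind put` comments should be in English like the rest of the file.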

22
base/rsyslog/server.sls Normal file

@@ -0,0 +1,22 @@
include:
- rsyslog
- .service
rsyslog-server.conf:
file.managed:
- name: /etc/rsyslog.d/01-server.conf
- source: salt://base/rsyslog/files/server.conf
- user: root
- group: root
- onchange:
- service: rsyslog
lograte-rsyslog-logs:
file.managed:
- name: /etc/logrotate.d/rsyslog-HOSTS-logs
- source: salt://base/rsyslog/files/logrotate-server.conf
- user: root
- group: root
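Review bot: `- onchange:` on `rsyslog-server.conf` is not a Salt requisite (the keyword is `onchanges`), so `file.managed` receives an unknown argument and the state fails; even spelled correctly it would point the wrong way, making the config file depend on a service change instead of restarting the service when the config changes. Replace it with `- watch_in:` / `  - service: rsyslog` (or add `- watch: - file: rsyslog-server.conf` to the service in `service.sls`), which together with `reload: False` there restarts rsyslog on config changes. `lograte-rsyslog-logs` looks like a typo for `logrotate-...`, and both managed files lack a `mode`.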

5
base/rsyslog/service.sls Normal file

@@ -0,0 +1,5 @@
rsyslog:
service.running:
- enable: True
- reload: False

5
base/timezone.sls Normal file

@@ -0,0 +1,5 @@
etc_timezone:
file.managed:
- name: /etc/timezone
- contents: |
Europe/Berlin
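Review bot: Writing `Europe/Berlin` to `/etc/timezone` on its own does not change the system zone — libc reads `/etc/localtime`, which only `dpkg-reconfigure tzdata` or `timedatectl` updates. The `timezone.system` state (`timezone.system:` / `- name: Europe/Berlin`) manages both and is the idiomatic replacement for this `file.managed`. If the file-based approach is kept, add a `cmd.run` with `onchanges` on this state that runs `dpkg-reconfigure -f noninteractive tzdata`.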