Updated merge script, moved certs and keys symlinks and references to secure, and added ca and vpnserver states

2017-08-25 10:35:25 -05:00 · 2017-08-25 10:35:25 -05:00 · 408866fd12
commit 408866fd12
parent 2f927b6d62
70 changed files with 2878 additions and 26 deletions
--- a/merge.sh
+++ b/merge.sh
@ -1,9 +1,18 @@
-git checkout dev
+read -p "Commit message? " cm;
-git merge master
+git fetch --all;
 git push
-git checkout master
+#copy dev to history to ensure we don't lose changes if something goes wrong
-git merge --squash dev
+git checkout history;
-git commit
+git reset --hard dev;
-git push
+git push --force;
-git checkout dev
+
 #merge to master
 git checkout -B master origin/master;
 git merge --squash dev;
 git commit -am "$cm";
 git push;
 #clean dev
 git checkout dev;
 git reset --hard master;
 git push --force;
--- a/pillars/roles/backup/init.sls
+++ b/pillars/roles/backup/init.sls
--- a/pillars/roles/backup/radarr.sls
+++ b/pillars/roles/backup/radarr.sls
--- a/pillars/roles/ca/init.sls
+++ b/pillars/roles/ca/init.sls
@ -0,0 +1,21 @@
 {% set states = salt['cp.list_states'](saltenv) %}
 include:
  - roles.ca.none
 {%- if grains['roles'] is defined -%}
  {%- if grains['roles'] is not none -%}
    {%- if 'ca' in grains['roles'] -%}
      {%- for state in states %}
        {%- if state.startswith("pillars.roles.ca.") -%}
          {%- set role = state.split('.')[3] %}
  - roles.ca.{{ role }}
        {%- endif -%}
      {%- endfor -%}
    {%- else -%}
      {%- for role in grains['roles'] %}
        {%- if 'pillars.roles.ca.'+role in states %}
  - roles.ca.{{ role }}
        {%- endif -%}
      {%- endfor -%}
    {%- endif -%}
  {%- endif -%}
 {%- endif -%}
--- a/pillars/roles/ca/none.sls
+++ b/pillars/roles/ca/none.sls
--- a/pillars/roles/ca/vpnserver.sls
+++ b/pillars/roles/ca/vpnserver.sls
@ -0,0 +1,13 @@
 ca:
  vpn.actcur.com:
    type: server
    priv-locations:
      /etc/openvpn/server/vpn.actcur.com.key:
        user: root
        group: root
        mode: 400
    cert-locations:
      /etc/openvpn/server/vpn.actcur.com.crt:
        user: root
        group: root
        mode: 400
--- a/pillars/roles/firewalld/nginx-proxy.sls
+++ b/pillars/roles/firewalld/nginx-proxy.sls
--- a/pillars/roles/init.sls
+++ b/pillars/roles/init.sls
@ -6,3 +6,4 @@ include:
  - roles.mount
  - roles.git
  - roles.backup
  - roles.ca
--- a/pillars/roles/mount/saltmaster.sls
+++ b/pillars/roles/mount/saltmaster.sls
@ -8,3 +8,11 @@ mount:
      host: host.actcur.com
      directory: /mnt/butter/backups/configurations
      user: backups
    /secure/ca/issued:
      host: ca.actcur.com
      directory: /etc/easy-rsa/pki/issued
      user: ca
    /secure/ca/private:
      host: ca.actcur.com
      directory: /etc/easy-rsa/pki/private
      user: ca
--- a/pillars/servers/env/server/archca.sls
+++ b/pillars/servers/env/server/archca.sls
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archgitlab.sls~HEAD
+++ b/pillars/servers/env/server/archgitlab.sls~HEAD
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archgitlab.sls~HEAD_0
+++ b/pillars/servers/env/server/archgitlab.sls~HEAD_0
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archgitlab.sls~history
+++ b/pillars/servers/env/server/archgitlab.sls~history
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archgitlab.sls~history_0
+++ b/pillars/servers/env/server/archgitlab.sls~history_0
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archhost1.sls~HEAD
+++ b/pillars/servers/env/server/archhost1.sls~HEAD
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archhost1.sls~HEAD_0
+++ b/pillars/servers/env/server/archhost1.sls~HEAD_0
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archhost1.sls~history
+++ b/pillars/servers/env/server/archhost1.sls~history
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archhost1.sls~history_0
+++ b/pillars/servers/env/server/archhost1.sls~history_0
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/archvpn.sls
+++ b/pillars/servers/env/server/archvpn.sls
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/debiangitlab.sls~HEAD
+++ b/pillars/servers/env/server/debiangitlab.sls~HEAD
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/debiangitlab.sls~HEAD_0
+++ b/pillars/servers/env/server/debiangitlab.sls~HEAD_0
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/debiangitlab.sls~history
+++ b/pillars/servers/env/server/debiangitlab.sls~history
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/env/server/debiangitlab.sls~history_0
+++ b/pillars/servers/env/server/debiangitlab.sls~history_0
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/maintainer/server/archca.sls
+++ b/pillars/servers/maintainer/server/archca.sls
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archgitlab.sls~HEAD
+++ b/pillars/servers/maintainer/server/archgitlab.sls~HEAD
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archgitlab.sls~HEAD_0
+++ b/pillars/servers/maintainer/server/archgitlab.sls~HEAD_0
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archgitlab.sls~history
+++ b/pillars/servers/maintainer/server/archgitlab.sls~history
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archgitlab.sls~history_0
+++ b/pillars/servers/maintainer/server/archgitlab.sls~history_0
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archhost1.sls~HEAD
+++ b/pillars/servers/maintainer/server/archhost1.sls~HEAD
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archhost1.sls~HEAD_0
+++ b/pillars/servers/maintainer/server/archhost1.sls~HEAD_0
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archhost1.sls~history
+++ b/pillars/servers/maintainer/server/archhost1.sls~history
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archhost1.sls~history_0
+++ b/pillars/servers/maintainer/server/archhost1.sls~history_0
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/archvpn.sls
+++ b/pillars/servers/maintainer/server/archvpn.sls
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/debiangitlab.sls~HEAD
+++ b/pillars/servers/maintainer/server/debiangitlab.sls~HEAD
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/debiangitlab.sls~HEAD_0
+++ b/pillars/servers/maintainer/server/debiangitlab.sls~HEAD_0
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/debiangitlab.sls~history
+++ b/pillars/servers/maintainer/server/debiangitlab.sls~history
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/maintainer/server/debiangitlab.sls~history_0
+++ b/pillars/servers/maintainer/server/debiangitlab.sls~history_0
@ -0,0 +1,3 @@
 maintainer:
  - masaufuku
--- a/pillars/servers/roles/server/archca.sls
+++ b/pillars/servers/roles/server/archca.sls
@ -0,0 +1,6 @@
 grains:
  roles:
    - server
    - ssh
    - saltminion
    - ca
--- a/pillars/servers/roles/server/archvpn.sls
+++ b/pillars/servers/roles/server/archvpn.sls
@ -0,0 +1,7 @@
 grains:
  roles:
    - server
    - ssh
    - saltminion
    - vpnserver
    - ca-cert
--- a/states/roles/build/ca/init.sls
+++ b/states/roles/build/ca/init.sls
@ -0,0 +1,15 @@
 ca-easy-rsa-build:
  pkg.installed:
    - name: easy-rsa
 #temporary - easy-rsa package is broken and uses wrong working direcotry
 easy-rsa-vars-build:
  file.managed:
    - name: "/etc/easy-rsa/vars"
    - source: salt://roles/maintain/ca/vars
 #--vars=./vars is temporary until package is fixed
 gen-ca-key:
  cmd.run:
    - name: "easyrsa --vars=./vars init-pki;easyrsa --batch --vars=./vars build-ca nopass batch"
    - cwd: "/etc/easy-rsa"
--- a/states/roles/maintain/ca-cert/init.sls
+++ b/states/roles/maintain/ca-cert/init.sls
@ -0,0 +1,29 @@
 {##ensure that ca pillar exists##}
 {%- if pillar['ca'] is defined -%}
  {##copy certs and private keys for machine##}
  {%- for name in pillar['ca'] %}
    {%- if pillar['ca'][name]['priv-locations'] is defined -%}
      {%- for plocation in pillar['ca'][name]['priv-locations'] %}
 priv_location_{{plocation}}:
  file.managed:
    - name: {{plocation}}
    - source: salt://secure/ca/private/{{name}}.key
    - user: {{pillar['ca'][name]['priv-locations'][plocation]['user']}}
    - group: {{pillar['ca'][name]['priv-locations'][plocation]['group']}}
    - mode: {{pillar['ca'][name]['priv-locations'][plocation]['mode']}}
      {%- endfor %}
    {%- endif %}
    {%- if pillar['ca'][name]['cert-locations'] is defined -%}
      {%- for clocation in pillar['ca'][name]['cert-locations'] %}
 cert_location{{clocation}}:
  file.managed:
    - name: {{clocation}}
    - source: salt://secure/ca/issued/{{name}}.crt
    - user: {{pillar['ca'][name]['cert-locations'][clocation]['user']}}
    - group: {{pillar['ca'][name]['cert-locations'][clocation]['group']}}
    - mode: {{pillar['ca'][name]['cert-locations'][clocation]['mode']}}
      {%- endfor %}
    {%- endif %}
  {%- endfor %}
 {%- endif %}
--- a/states/roles/maintain/ca/init.sls
+++ b/states/roles/maintain/ca/init.sls
@ -0,0 +1,56 @@
 ca-easy-rsa-maint:
  pkg.installed:
    - name: easy-rsa
 #temporary - easy-rsa package is broken and uses wrong working direcotry
 easy-rsa-vars-maint:
  file.managed:
    - name: "/etc/easy-rsa/vars"
    - source: salt://roles/maintain/ca/vars
 #initialize ca if necessary
 #--vars=./vars is temporary until package is fixed
 gen-ca-key:
  cmd.run:
    - name: "easyrsa --vars=./vars init-pki;easyrsa --batch --vars=./vars build-ca nopass batch"
    - cwd: "/etc/easy-rsa"
    - onlyif: 'test ! -e /etc/easy-rsa/pki/ca.crt'
 #generate keys if needed
 #--vars=./vars is temporary until package is fixed
 {%- if pillar['ca'] is defined -%}
 {%- for name in pillar['ca'] %}
 gen-{{name}}-cert:
  cmd.run:
    - name: "easyrsa --batch --vars=./vars gen-req {{name}} nopass;easyrsa --batch --vars=./vars  sign-req {{pillar['ca'][name]['type']}} {{name}};"
    - cwd: "/etc/easy-rsa"
    - onlyif: 'test ! -e /etc/easy-rsa/pki/reqs/{{name}}.req'
 #set ownership to root:ca and mod to 640
 {{name}}-cert-perms:
  file.managed:
    - name: /etc/easy-rsa/pki/issued/{{name}}.crt
    - group: ca
    - mode: 640
 {{name}}-key-perms:
  file.managed:
    - name: /etc/easy-rsa/pki/private/{{name}}.key
    - group: ca
    - mode: 640
 {%- endfor %}
 {%- endif %}
 #set directory perms
 pki-perms:
  file.directory:
    - name: /etc/easy-rsa/pki/
    - group: ca
    - mode: 750
 issued-perms:
  file.directory:
    - name: /etc/easy-rsa/pki/issued/
    - group: ca
    - mode: 750
 private-perms:
  file.directory:
    - name: /etc/easy-rsa/pki/private
    - group: ca
    - mode: 750
--- a/states/roles/maintain/ca/vars
+++ b/states/roles/maintain/ca/vars
@ -0,0 +1,198 @@
 # Easy-RSA 3 parameter settings
 # NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
 # this file in place -- instead, you should copy the entire easy-rsa directory
 # to another location so future upgrades don't wipe out your changes.
 # HOW TO USE THIS FILE
 #
 # vars.example contains built-in examples to Easy-RSA settings. You MUST name
 # this file 'vars' if you want it to be used as a configuration file. If you do
 # not, it WILL NOT be automatically read when you call easyrsa commands.
 #
 # It is not necessary to use this config file unless you wish to change
 # operational defaults. These defaults should be fine for many uses without the
 # need to copy and edit the 'vars' file.
 #
 # All of the editable settings are shown commented and start with the command
 # 'set_var' -- this means any set_var command that is uncommented has been
 # modified by the user. If you're happy with a default, there is no need to
 # define the value to its default.
 # NOTES FOR WINDOWS USERS
 #
 # Paths for Windows  *MUST* use forward slashes, or optionally double-esscaped
 # backslashes (single forward slashes are recommended.) This means your path to
 # the openssl binary might look like this:
 # "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
 # A little housekeeping: DON'T EDIT THIS SECTION
 #
 # Easy-RSA 3.x doesn't source into the environment directly.
 # Complain if a user tries to do this:
 if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "'How to use this file' near the top comments for more details." >&2
        return 1
 fi
 # DO YOUR EDITS BELOW THIS POINT
 # This variable should point to the top level of the easy-rsa tree. By default,
 # this is taken to be the directory you are currently in.
 set_var EASYRSA        "$PWD"
 # If your OpenSSL command is not in the system PATH, you will need to define the
 # path to it here. Normally this means a full path to the executable, otherwise
 # you could have left it undefined here and the shown default would be used.
 #
 # Windows users, remember to use paths with forward-slashes (or escaped
 # back-slashes.) Windows users should declare the full path to the openssl
 # binary here if it is not in their system PATH.
 #set_var EASYRSA_OPENSSL        "openssl"
 #
 # This sample is in Windows syntax -- edit it for your path if not using PATH:
 #set_var EASYRSA_OPENSSL        "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
 # Edit this variable to point to your soon-to-be-created key directory.
 #
 # WARNING: init-pki will do a rm -rf on this directory so make sure you define
 # it correctly! (Interactive mode will prompt before acting.)
 #set_var EASYRSA_PKI            "$EASYRSA/pki"
 # Define X509 DN mode.
 # This is used to adjust what elements are included in the Subject field as the DN
 # (this is the "Distinguished Name.")
 # Note that in cn_only mode the Organizational fields further below aren't used.
 #
 # Choices are:
 #   cn_only  - use just a CN value
 #   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format
 #set_var EASYRSA_DN     "cn_only"
 # Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
 # These are the default values for fields which will be placed in the
 # certificate.  Don't leave any of these fields blank, although interactively
 # you may omit any specific field by typing the "." symbol (not valid for
 # email.)
 #set_var EASYRSA_REQ_COUNTRY    "US"
 #set_var EASYRSA_REQ_PROVINCE   "California"
 #set_var EASYRSA_REQ_CITY       "San Francisco"
 #set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
 #set_var EASYRSA_REQ_EMAIL      "me@example.net"
 #set_var EASYRSA_REQ_OU         "My Organizational Unit"
 # Choose a size in bits for your keypairs. The recommended value is 2048.  Using
 # 2048-bit keys is considered more than sufficient for many years into the
 # future. Larger keysizes will slow down TLS negotiation and make key/DH param
 # generation take much longer. Values up to 4096 should be accepted by most
 # software. Only used when the crypto alg is rsa (see below.)
 #set_var EASYRSA_KEY_SIZE       2048
 # The default crypto mode is rsa; ec can enable elliptic curve support.
 # Note that not all software supports ECC, so use care when enabling it.
 # Choices for crypto alg are: (each in lower-case)
 #  * rsa
 #  * ec
 #set_var EASYRSA_ALGO           rsa
 # Define the named curve, used in ec mode only:
 #set_var EASYRSA_CURVE          secp384r1
 # In how many days should the root CA key expire?
 #set_var EASYRSA_CA_EXPIRE      3650
 # In how many days should certificates expire?
 #set_var EASYRSA_CERT_EXPIRE    3650
 # How many days until the next CRL publish date?  Note that the CRL can still be
 # parsed after this timeframe passes. It is only used for an expected next
 # publication date.
 #set_var EASYRSA_CRL_DAYS       180
 # Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
 # is "no" to discourage use of deprecated extensions. If you require this
 # feature to use with --ns-cert-type, set this to "yes" here. This support
 # should be replaced with the more modern --remote-cert-tls feature.  If you do
 # not use --ns-cert-type in your configs, it is safe (and recommended) to leave
 # this defined to "no".  When set to "yes", server-signed certs get the
 # nsCertType=server attribute, and also get any NS_COMMENT defined below in the
 # nsComment field.
 #set_var EASYRSA_NS_SUPPORT     "no"
 # When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
 # Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.
 #set_var EASYRSA_NS_COMMENT     "Easy-RSA Generated Certificate"
 # A temp file used to stage cert extensions during signing. The default should
 # be fine for most users; however, some users might want an alternative under a
 # RAM-based FS, such as /dev/shm or /tmp on some systems.
 #set_var EASYRSA_TEMP_FILE      "$EASYRSA_PKI/extensions.temp"
 # !!
 # NOTE: ADVANCED OPTIONS BELOW THIS POINT
 # PLAY WITH THEM AT YOUR OWN RISK
 # !!
 # Broken shell command aliases: If you have a largely broken shell that is
 # missing any of these POSIX-required commands used by Easy-RSA, you will need
 # to define an alias to the proper path for the command.  The symptom will be
 # some form of a 'command not found' error from your shell. This means your
 # shell is BROKEN, but you can hack around it here if you really need. These
 # shown values are not defaults: it is up to you to know what you're doing if
 # you touch these.
 #
 #alias awk="/alt/bin/awk"
 #alias cat="/alt/bin/cat"
 # X509 extensions directory:
 # If you want to customize the X509 extensions used, set the directory to look
 # for extensions here. Each cert type you sign must have a matching filename,
 # and an optional file named 'COMMON' is included first when present. Note that
 # when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
 # fallback to $EASYRSA for the 'x509-types' dir.  You may override this
 # detection with an explicit dir here.
 #
 #set_var EASYRSA_EXT_DIR        "$EASYRSA/x509-types"
 # OpenSSL config file:
 # If you need to use a specific openssl config file, you can reference it here.
 # Normally this file is auto-detected from a file named openssl-1.0.cnf from the
 # EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
 # specific and you cannot just use a standard config file, so this is an
 # advanced feature.
 #set_var EASYRSA_SSL_CONF       "$EASYRSA/openssl-1.0.cnf"
 # Default CN:
 # This is best left alone. Interactively you will set this manually, and BATCH
 # callers are expected to set this themselves.
 #set_var EASYRSA_REQ_CN         "ChangeMe"
 # Cryptographic digest to use.
 # Do not change this default unless you understand the security implications.
 # Valid choices include: md5, sha1, sha256, sha224, sha384, sha512
 #set_var EASYRSA_DIGEST         "sha256"
 # Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
 # in batch mode without any user input, confirmation on dangerous operations,
 # or most output. Setting this to any non-blank string enables batch mode.
 #set_var EASYRSA_BATCH          ""
--- a/states/roles/maintain/gitlab/conf_files/database.yml
+++ b/states/roles/maintain/gitlab/conf_files/database.yml
@ -9,7 +9,7 @@ production:
  database: gitlab
  pool: 10
  username: gitlab
-  password: "{%- include 'secure/gitlab_db_password.txt' -%}"
+  password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
  host: sql.actcur.com
  # socket: /tmp/mysql.sock
--- a/states/roles/maintain/gitlab/conf_files/smtp_settings.rb
+++ b/states/roles/maintain/gitlab/conf_files/smtp_settings.rb
@ -16,7 +16,7 @@ if Rails.env.production?
    address: "smtp.zoho.com",
    port: 587,
    user_name: "notifications@actcur.com",
-    password: "{%- include 'secure/gitlab_smtp_password.txt' -%}",
+    password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
    domain: "smtp.zoho.com",
    enable_starttls_auto: true,
  }
--- a/states/roles/maintain/gitlab/init.sls
+++ b/states/roles/maintain/gitlab/init.sls
--- a/states/roles/maintain/gitlabarch/conf_files/config.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/config.yml
@ -0,0 +1,73 @@
 #
 # If you change this file in a Merge Request, please also create
 # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 #
 # GitLab user. git by default
 user: gitlab
 # URL to GitLab instance, used for API calls. Default: http://localhost:8080.
 # For relative URL support read http://doc.gitlab.com/ce/install/relative_url.html
 # You only have to change the default if you have configured Unicorn
 # to listen on a custom port, or if you have configured Unicorn to
 # only listen on a Unix domain socket. For Unix domain sockets use
 # "http+unix://<urlquoted-path-to-socket>", e.g.
 # "http+unix://%2Fpath%2Fto%2Fsocket"
 gitlab_url: "http://localhost:8080"
 # See installation.md#using-https for additional HTTPS configuration details.
 http_settings:
 #  read_timeout: 300
 #  user: someone
 #  password: somepass
 #  ca_file: /etc/ssl/cert.pem
 #  ca_path: /etc/pki/tls/certs
  self_signed_cert: false
 # File used as authorized_keys for gitlab user
 auth_file: "/var/lib/gitlab/.ssh/authorized_keys"
 # File that contains the secret key for verifying access to GitLab.
 # Default is .gitlab_shell_secret in the gitlab-shell directory.
 # secret_file: "/var/lib/gitlab/gitlab-shell/.gitlab_shell_secret"
 # Parent directory for global custom hook directories (pre-receive.d, update.d, post-receive.d)
 # Default is hooks in the gitlab-shell directory.
 # custom_hooks_dir: "/var/lib/gitlab/gitlab-shell/hooks"
 # Redis settings used for pushing commit notices to gitlab
 redis:
  bin: /usr/bin/redis-cli
  host: 127.0.0.1
  port: 6379
  # pass: redispass # Allows you to specify the password for Redis
  database: 5
  socket: /run/redis/redis.sock # Comment out this line if you want to use TCP or Sentinel
  namespace: resque:gitlab
  # sentinels:
  #   -
  #     host: 127.0.0.1
  #     port: 26380
  #   -
  #     host: 127.0.0.1
  #     port: 26381
 # Log file.
 # Default is gitlab-shell.log in the root directory.
 log_file: "/var/log/gitlab/gitlab-shell.log"
 # Log level. INFO by default
 log_level: INFO
 # Audit usernames.
 # Set to true to see real usernames in the logs instead of key ids, which is easier to follow, but
 # incurs an extra API call on every gitlab-shell command.
 audit_usernames: false
 # Git trace log file.
 # If set, git commands receive GIT_TRACE* environment variables
 # See https://git-scm.com/book/es/v2/Git-Internals-Environment-Variables#Debugging for documentation
 # An absolute path starting with / – the trace output will be appended to that file.
 # It needs to exist so we can check permissions and avoid to throwing warnings to the users.
 git_trace_log_file:
--- a/states/roles/maintain/gitlabarch/conf_files/database.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/database.yml
@ -0,0 +1,44 @@
 #
 # PRODUCTION
 #
 production:
  adapter: mysql2
  encoding: utf8
  collation: utf8_general_ci
  reconnect: false
  database: gitlab
  pool: 10
  username: gitlab
  password: "{%- include 'secure/passwords/gitlab_db_password.txt' -%}"
  host: sql.actcur.com
  # socket: /tmp/mysql.sock
 #
 # Development specific
 #
 development:
  adapter: mysql2
  encoding: utf8
  collation: utf8_general_ci
  reconnect: false
  database: gitlabhq_development
  pool: 5
  username: root
  password: "secure password"
  # host: localhost
  # socket: /tmp/mysql.sock
 # Warning: The database defined as "test" will be erased and
 # re-generated from your development database when you run "rake".
 # Do not set this db to the same as development or production.
 test: &test
  adapter: mysql2
  encoding: utf8mb4
  collation: utf8mb4_general_ci
  reconnect: false
  database: gitlabhq_test
  pool: 5
  username: root
  password:
  # host: localhost
  # socket: /tmp/mysql.sock
--- a/states/roles/maintain/gitlabarch/conf_files/gitlab.conf
+++ b/states/roles/maintain/gitlabarch/conf_files/gitlab.conf
@ -0,0 +1,69 @@
 ## GitLab
 ##
 ## Lines starting with two hashes (##) are comments with information.
 ## Lines starting with one hash (#) are configuration parameters that can be uncommented.
 ##
 ##################################
 ##        CONTRIBUTING          ##
 ##################################
 ##
 ## If you change this file in a Merge Request, please also create
 ## a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 ##
 ###################################
 ##         configuration         ##
 ###################################
 ##
 ## See installation.md#using-https for additional HTTPS configuration details.
 upstream gitlab-workhorse {
  server unix:/run/gitlab/gitlab-workhorse.socket fail_timeout=0;
 }
 ## Normal HTTP host
 server {
  ## Either remove "default_server" from the listen line below,
  ## or delete the /etc/nginx/sites-enabled/default file. This will cause gitlab
  ## to be served if you visit any address that your server responds to, eg.
  ## the ip address of the server (http://x.x.x.x/)n 0.0.0.0:80 default_server;
  listen 0.0.0.0:8000;
  listen [::]:8000;
  server_name git2.actcur.com; ## Replace this with something like gitlab.example.com
  server_tokens off; ## Don't show the nginx version number, a security best practice
  ## See app/controllers/application_controller.rb for headers set
  ## Individual nginx logs for this GitLab vhost
  access_log  /var/log/nginx/gitlab_access.log;
  error_log   /var/log/nginx/gitlab_error.log;
  location / {
    client_max_body_size 0;
    gzip off;
    ## https://github.com/gitlabhq/gitlabhq/issues/694
    ## Some requests take more than 30 seconds.
    proxy_read_timeout      300;
    proxy_connect_timeout   300;
    proxy_redirect          off;
    proxy_http_version 1.1;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;
    proxy_pass http://gitlab-workhorse;
  }
  error_page 404 /404.html;
  error_page 422 /422.html;
  error_page 500 /500.html;
  error_page 502 /502.html;
  location ~ ^/(404|422|500|502)\.html$ {
    root /usr/share/webapps/gitlab/public;
    internal;
  }
 }
--- a/states/roles/maintain/gitlabarch/conf_files/gitlab.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/gitlab.yml
@ -0,0 +1,627 @@
 # # # # # # # # # # # # # # # # # #
 # GitLab application config file  #
 # # # # # # # # # # # # # # # # # #
 #
 ###########################  NOTE  #####################################
 # This file should not receive new settings. All configuration options #
 # * are being moved to ApplicationSetting model!                       #
 # If a setting requires an application restart say so in that screen.  #
 # If you change this file in a Merge Request, please also create       #
 # a MR on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests  #
 ########################################################################
 #
 #
 # How to use:
 # 1. Copy file as gitlab.yml
 # 2. Update gitlab -> host with your fully qualified domain name
 # 3. Update gitlab -> email_from
 # 4. If you installed Git from source, change git -> bin_path to /usr/local/bin/git
 #    IMPORTANT: If Git was installed in a different location use that instead.
 #    You can check with `which git`. If a wrong path of Git is specified, it will
 #     result in various issues such as failures of GitLab CI builds.
 # 5. Review this configuration file for other settings you may want to adjust
 production: &base
  #
  # 1. GitLab app settings
  # ==========================
  ## GitLab settings
  gitlab:
    ## Web server settings (note: host is the FQDN, do not include http://)
    host: git.actcur.com
    port: 443 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: true # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    # Uncommment this line below if your ssh host is different from HTTP/HTTPS one
    # (you'd obviously need to replace ssh.host_example.com with your own host).
    # Otherwise, ssh host will be set to the `host:` value above
    # ssh_host: ssh.host_example.com
    # Relative URL support
    # WARNING: We recommend using an FQDN to host GitLab in a root path instead
    # of using a relative URL.
    # Documentation: http://doc.gitlab.com/ce/install/relative_url.html
    # Uncomment and customize the following line to run in a non-root path
    #
    # relative_url_root: /gitlab
    # Trusted Proxies
    # Customize if you have GitLab behind a reverse proxy which is running on a different machine.
    # Add the IP address for your reverse proxy to the list, otherwise users will appear signed in from that address.
    trusted_proxies:
      # Examples:
      #- 192.168.1.0/24
      #- 192.168.2.1
      #- 2001:0db8::/32
    # Uncomment and customize if you can't use the default user to run GitLab (default: 'git')
    user: gitlab
    ## Date & Time settings
    # Uncomment and customize if you want to change the default time zone of GitLab application.
    # To see all available zones, run `bundle exec rake time:zones:all RAILS_ENV=production`
    # time_zone: 'UTC'
    ## Email settings
    # Uncomment and set to false if you need to disable email sending from GitLab (default: true)
    # email_enabled: true
    # Email address used in the "From" field in mails sent by GitLab
    email_from: notifications@actcur.com
    email_display_name: Actcur Git
    email_reply_to: noreply@actcur.com
    email_subject_suffix: ''
    # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
    # default_can_create_group: false  # default: true
    # username_changing_enabled: false # default: true - User can change her username/namespace
    ## Automatic issue closing
    # If a commit message matches this regular expression, all issues referenced from the matched text will be closed.
    # This happens when the commit is pushed or merged into the default branch of a project.
    # When not specified the default issue_closing_pattern as specified below will be used.
    # Tip: you can test your closing pattern at http://rubular.com.
    # issue_closing_pattern: '((?:[Cc]los(?:e[sd]?|ing)|[Ff]ix(?:e[sd]|ing)?|[Rr]esolv(?:e[sd]?|ing))(:?) +(?:(?:issues? +)?%{issue_ref}(?:(?:, *| +and +)?)|([A-Z][A-Z0-9_]+-\d+))+)'
    ## Default project features settings
    default_projects_features:
      issues: true
      merge_requests: true
      wiki: true
      snippets: true
      builds: true
      container_registry: true
    ## Webhook settings
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    # webhook_timeout: 10
    ## Repository downloads directory
    # When a user clicks e.g. 'Download zip' on a project, a temporary zip file is created in the following directory.
    # The default is 'shared/cache/archive/' relative to the root of the Rails app.
    # repository_downloads_path: shared/cache/archive/
  ## Reply by email
  # Allow users to comment on issues and merge requests by replying to notification emails.
  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
  incoming_email:
    enabled: false
    # The email address including the `%{key}` placeholder that will be replaced to reference the item being replied to.
    # The placeholder can be omitted but if present, it must appear in the "user" part of the address (before the `@`).
    address: "gitlab-incoming+%{key}@gmail.com"
    # Email account username
    # With third party providers, this is usually the full email address.
    # With self-hosted email servers, this is usually the user part of the email address.
    user: "gitlab-incoming@gmail.com"
    # Email account password
    password: "[REDACTED]"
    # IMAP server host
    host: "imap.gmail.com"
    # IMAP server port
    port: 993
    # Whether the IMAP server uses SSL
    ssl: true
    # Whether the IMAP server uses StartTLS
    start_tls: false
    # The mailbox where incoming mail will end up. Usually "inbox".
    mailbox: "inbox"
    # The IDLE command timeout.
    idle_timeout: 60
  ## Build Artifacts
  artifacts:
    enabled: true
    # The location where build artifacts are stored (default: shared/artifacts).
    # path: shared/artifacts
  ## Git LFS
  lfs:
    enabled: true
    # The location where LFS objects are stored (default: shared/lfs-objects).
    # storage_path: shared/lfs-objects
  ## GitLab Pages
  pages:
    enabled: false
    # The location where pages are stored (default: shared/pages).
    # path: shared/pages
    # The domain under which the pages are served:
    # http://group.example.com/project
    # or project path can be a group page: group.example.com
    host: example.com
    port: 80 # Set to 443 if you serve the pages with HTTPS
    https: false # Set to true if you serve the pages with HTTPS
    # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages
    # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages
  ## Mattermost
  ## For enabling Add to Mattermost button
  mattermost:
    enabled: false
    host: 'https://mattermost.example.com'
  ## Gravatar
  ## For Libravatar see: http://doc.gitlab.com/ce/customization/libravatar.html
  gravatar:
    # gravatar urls: possible placeholders: %{hash} %{size} %{email} %{username}
    # plain_url: "http://..."     # default: http://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
    # ssl_url:   "https://..."    # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon
  ## Auxiliary jobs
  # Periodically executed jobs, to self-heal Gitlab, do external synchronizations, etc.
  # Please read here for more information: https://github.com/ondrejbartas/sidekiq-cron#adding-cron-job
  cron_jobs:
    # Flag stuck CI jobs as failed
    stuck_ci_jobs_worker:
      cron: "0 * * * *"
    # Execute scheduled triggers
    pipeline_schedule_worker:
      cron: "19 * * * *"
    # Remove expired build artifacts
    expire_build_artifacts_worker:
      cron: "50 * * * *"
    # Periodically run 'git fsck' on all repositories. If started more than
    # once per hour you will have concurrent 'git fsck' jobs.
    repository_check_worker:
      cron: "20 * * * *"
    # Send admin emails once a week
    admin_email_worker:
      cron: "0 0 * * 0"
    # Remove outdated repository archives
    repository_archive_cache_worker:
      cron: "0 * * * *"
  registry:
    # enabled: true
    # host: registry.example.com
    # port: 5005
    # api_url: http://localhost:5000/ # internal address to the registry, will be used by GitLab to directly communicate with API
    # key: config/registry.key
    # path: shared/registry
    # issuer: gitlab-issuer
  #
  # 2. GitLab CI settings
  # ==========================
  gitlab_ci:
    # Default project notifications settings:
    #
    # Send emails only on broken builds (default: true)
    # all_broken_builds: true
    #
    # Add pusher to recipients list (default: false)
    # add_pusher: true
    # The location where build traces are stored (default: builds/). Relative paths are relative to Rails.root
    # builds_path: builds/
  #
  # 3. Auth settings
  # ==========================
  ## LDAP settings
  # You can inspect a sample of the LDAP users with login access by running:
  #   bundle exec rake gitlab:ldap:check RAILS_ENV=production
  ldap:
    enabled: false
    servers:
      ##########################################################################
      #
      # Since GitLab 7.4, LDAP servers get ID's (below the ID is 'main'). GitLab
      # Enterprise Edition now supports connecting to multiple LDAP servers.
      #
      # If you are updating from the old (pre-7.4) syntax, you MUST give your
      # old server the ID 'main'.
      #
      ##########################################################################
      main: # 'main' is the GitLab 'provider ID' of this LDAP server
        ## label
        #
        # A human-friendly name for your LDAP server. It is OK to change the label later,
        # for instance if you find out it is too large to fit on the web page.
        #
        # Example: 'Paris' or 'Acme, Ltd.'
        label: 'LDAP'
        host: '_your_ldap_server'
        port: 389
        uid: 'sAMAccountName'
        method: 'plain' # "tls" or "ssl" or "plain"
        bind_dn: '_the_full_dn_of_the_user_you_will_bind_with'
        password: '_the_password_of_the_bind_user'
        # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
        # a request if the LDAP server becomes unresponsive.
        # A value of 0 means there is no timeout.
        timeout: 10
        # This setting specifies if LDAP server is Active Directory LDAP server.
        # For non AD servers it skips the AD specific queries.
        # If your LDAP server is not AD, set this to false.
        active_directory: true
        # If allow_username_or_email_login is enabled, GitLab will ignore everything
        # after the first '@' in the LDAP username submitted by the user on login.
        #
        # Example:
        # - the user enters 'jane.doe@example.com' and 'p@ssw0rd' as LDAP credentials;
        # - GitLab queries the LDAP server with 'jane.doe' and 'p@ssw0rd'.
        #
        # If you are using "uid: 'userPrincipalName'" on ActiveDirectory you need to
        # disable this setting, because the userPrincipalName contains an '@'.
        allow_username_or_email_login: false
        # To maintain tight control over the number of active users on your GitLab installation,
        # enable this setting to keep new users blocked until they have been cleared by the admin
        # (default: false).
        block_auto_created_users: false
        # Base where we can search for users
        #
        #   Ex. ou=People,dc=gitlab,dc=example
        #
        base: ''
        # Filter LDAP users
        #
        #   Format: RFC 4515 http://tools.ietf.org/search/rfc4515
        #   Ex. (employeeType=developer)
        #
        #   Note: GitLab does not support omniauth-ldap's custom filter syntax.
        #
        user_filter: ''
        # LDAP attributes that GitLab will use to create an account for the LDAP user.
        # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
        # or an array of attribute names to try in order (e.g. ['mail', 'email']).
        # Note that the user's LDAP login will always be the attribute specified as `uid` above.
        attributes:
          # The username will be used in paths for the user's own projects
          # (like `gitlab.example.com/username/project`) and when mentioning
          # them in issues, merge request and comments (like `@username`).
          # If the attribute specified for `username` contains an email address,
          # the GitLab username will be the part of the email address before the '@'.
          username: ['uid', 'userid', 'sAMAccountName']
          email:    ['mail', 'email', 'userPrincipalName']
          # If no full name could be found at the attribute specified for `name`,
          # the full name is determined using the attributes specified for
          # `first_name` and `last_name`.
          name:       'cn'
          first_name: 'givenName'
          last_name:  'sn'
      # GitLab EE only: add more LDAP servers
      # Choose an ID made of a-z and 0-9 . This ID will be stored in the database
      # so that GitLab can remember which LDAP server a user belongs to.
      # uswest2:
      #   label:
      #   host:
      #   ....
  ## OmniAuth settings
  omniauth:
    # Allow login via Twitter, Google, etc. using OmniAuth providers
    enabled: false
    # Uncomment this to automatically sign in with a specific omniauth provider's without
    # showing GitLab's sign-in page (default: show the GitLab sign-in page)
    # auto_sign_in_with_provider: saml
    # Sync user's email address from the specified Omniauth provider every time the user logs
    # in (default: nil). And consequently make this field read-only.
    # sync_email_from_provider: cas3
    # CAUTION!
    # This allows users to login without having a user account first. Define the allowed providers
    # using an array, e.g. ["saml", "twitter"], or as true/false to allow all providers or none.
    # User accounts will be created automatically when authentication was successful.
    allow_single_sign_on: ["saml"]
    # Locks down those users until they have been cleared by the admin (default: true).
    block_auto_created_users: true
    # Look up new users in LDAP servers. If a match is found (same uid), automatically
    # link the omniauth identity with the LDAP account. (default: false)
    auto_link_ldap_user: false
    # Allow users with existing accounts to login and auto link their account via SAML
    # login, without having to do a manual login first and manually add SAML
    # (default: false)
    auto_link_saml_user: false
    # Set different Omniauth providers as external so that all users creating accounts
    # via these providers will not be able to have access to internal projects. You
    # will need to use the full name of the provider, like `google_oauth2` for Google.
    # Refer to the examples below for the full names of the supported providers.
    # (default: [])
    external_providers: []
    ## Auth providers
    # Uncomment the following lines and fill in the data of the auth provider you want to use
    # If your favorite auth provider is not listed you can use others:
    # see https://github.com/gitlabhq/gitlab-public-wiki/wiki/Custom-omniauth-provider-configurations
    # The 'app_id' and 'app_secret' parameters are always passed as the first two
    # arguments, followed by optional 'args' which can be either a hash or an array.
    # Documentation for this is available at http://doc.gitlab.com/ce/integration/omniauth.html
    providers:
      # See omniauth-cas3 for more configuration details
      # - { name: 'cas3',
      #     label: 'cas3',
      #     args: {
      #             url: 'https://sso.example.com',
      #             disable_ssl_verification: false,
      #             login_url: '/cas/login',
      #             service_validate_url: '/cas/p3/serviceValidate',
      #             logout_url: '/cas/logout'} }
      # - { name: 'authentiq',
      #     # for client credentials (client ID and secret), go to https://www.authentiq.com/
      #     app_id: 'YOUR_CLIENT_ID',
      #     app_secret: 'YOUR_CLIENT_SECRET',
      #     args: {
      #             scope: 'aq:name email~rs address aq:push'
      #             # redirect_uri parameter is optional except when 'gitlab.host' in this file is set to 'localhost'
      #             # redirect_uri: 'YOUR_REDIRECT_URI'
      #           }
      #   }
      # - { name: 'github',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     url: "https://github.com/",
      #     verify_ssl: true,
      #     args: { scope: 'user:email' } }
      # - { name: 'bitbucket',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'gitlab',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { scope: 'api' } }
      # - { name: 'google_oauth2',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET',
      #     args: { access_type: 'offline', approval_prompt: '' } }
      # - { name: 'facebook',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      # - { name: 'twitter',
      #     app_id: 'YOUR_APP_ID',
      #     app_secret: 'YOUR_APP_SECRET' }
      #
      # - { name: 'saml',
      #     label: 'Our SAML Provider',
      #     groups_attribute: 'Groups',
      #     external_groups: ['Contractors', 'Freelancers'],
      #     args: {
      #             assertion_consumer_service_url: 'https://gitlab.example.com/users/auth/saml/callback',
      #             idp_cert_fingerprint: '43:51:43:a1:b5:fc:8b:b7:0a:3a:a9:b1:0f:66:73:a8',
      #             idp_sso_target_url: 'https://login.example.com/idp',
      #             issuer: 'https://gitlab.example.com',
      #             name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
      #           } }
      #
      # - { name: 'crowd',
      #     args: {
      #       crowd_server_url: 'CROWD SERVER URL',
      #       application_name: 'YOUR_APP_NAME',
      #       application_password: 'YOUR_APP_PASSWORD' } }
      #
      # - { name: 'auth0',
      #     args: {
      #       client_id: 'YOUR_AUTH0_CLIENT_ID',
      #       client_secret: 'YOUR_AUTH0_CLIENT_SECRET',
      #       namespace: 'YOUR_AUTH0_DOMAIN' } }
    # SSO maximum session duration in seconds. Defaults to CAS default of 8 hours.
    # cas3:
    #   session_duration: 28800
  # Shared file storage settings
  shared:
    path: /var/lib/gitlab/shared # Default: shared
  # Gitaly settings
  gitaly:
    # This setting controls whether GitLab uses Gitaly (new component
    # introduced in 9.0). Eventually Gitaly use will become mandatory and
    # this option will disappear.
    enabled: true
  #
  # 4. Advanced settings
  # ==========================
  ## Repositories settings
  repositories:
    # Paths where repositories can be stored. Give the canonicalized absolute pathname.
    # IMPORTANT: None of the path components may be symlink, because
    # gitlab-shell invokes Dir.pwd inside the repository path and that results
    # real path not the symlink.
    storages: # You must have at least a `default` storage path.
      default:
        path: /var/lib/gitlab/repositories/
        gitaly_address: unix:/var/lib/gitlab/sockets/gitlab-gitaly.socket # TCP connections are supported too (e.g. tcp://host:port)
  ## Backup settings
  backup:
    path: "/var/lib/gitlab/backups"   # Relative paths are relative to Rails.root (default: tmp/backups/)
    # archive_permissions: 0640 # Permissions for the resulting backup.tar file (default: 0600)
    # keep_time: 604800   # default: 0 (forever) (in seconds)
    # pg_schema: public     # default: nil, it means that all schemas will be backed up
    # upload:
    #   # Fog storage connection settings, see http://fog.io/storage/ .
    #   connection:
    #     provider: AWS
    #     region: eu-west-1
    #     aws_access_key_id: AKIAKIAKI
    #     aws_secret_access_key: 'secret123'
    #   # The remote 'directory' to store your backups. For S3, this would be the bucket name.
    #   remote_directory: 'my.s3.bucket'
    #   # Use multipart uploads when file size reaches 100MB, see
    #   #  http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html
    #   multipart_chunk_size: 104857600
    #   # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
    #   # encryption: 'AES256'
    #   # Specifies Amazon S3 storage class to use for backups, this is optional
    #   # storage_class: 'STANDARD'
  ## GitLab Shell settings
  gitlab_shell:
    path: /usr/share/webapps/gitlab-shell/
    hooks_path: /usr/share/webapps/gitlab-shell/hooks/
    # File that contains the secret key for verifying access for gitlab-shell.
    # Default is '.gitlab_shell_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_shell_secret
    # Git over HTTP
    upload_pack: true
    receive_pack: true
    # Git import/fetch timeout
    # git_timeout: 800
    # If you use non-standard ssh port you need to specify it
    # ssh_port: 22
  workhorse:
    # File that contains the secret key for verifying access for gitlab-workhorse.
    # Default is '.gitlab_workhorse_secret' relative to Rails.root (i.e. root of the GitLab app).
    # secret_file: /home/git/gitlab/.gitlab_workhorse_secret
  ## Git settings
  # CAUTION!
  # Use the default values unless you really know what you are doing
  git:
    bin_path: /usr/bin/git
    # The next value is the maximum memory size grit can use
    # Given in number of bytes per git object (e.g. a commit)
    # This value can be increased if you have very large commits
    max_size: 20971520 # 20.megabytes
    # Git timeout to read a commit, in seconds
    timeout: 10
  ## Webpack settings
  # If enabled, this will tell rails to serve frontend assets from the webpack-dev-server running
  # on a given port instead of serving directly from /assets/webpack. This is only indended for use
  # in development.
  webpack:
    # dev_server:
    #   enabled: true
    #   host: localhost
    #   port: 3808
  #
  # 5. Extra customization
  # ==========================
  extra:
    ## Google analytics. Uncomment if you want it
    # google_analytics_id: '_your_tracking_id'
    ## Piwik analytics.
    # piwik_url: '_your_piwik_url'
    # piwik_site_id: '_your_piwik_site_id'
  rack_attack:
    git_basic_auth:
      # Rack Attack IP banning enabled
      # enabled: true
      #
      # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
      # ip_whitelist: ["127.0.0.1"]
      #
      # Limit the number of Git HTTP authentication attempts per IP
      # maxretry: 10
      #
      # Reset the auth attempt counter per IP after 60 seconds
      # findtime: 60
      #
      # Ban an IP for one hour (3600s) after too many auth attempts
      # bantime: 3600
 development:
  <<: *base
 test:
  <<: *base
  gravatar:
    enabled: true
  lfs:
    enabled: false
  gitlab:
    host: localhost
    port: 80
    # When you run tests we clone and setup gitlab-shell
    # In order to setup it correctly you need to specify
    # your system username you use to run GitLab
    # user: YOUR_USERNAME
  pages:
    path: tmp/tests/pages
  repositories:
    storages:
      default:
        path: tmp/tests/repositories/
        gitaly_address: unix:tmp/tests/gitaly/gitaly.socket
  gitaly:
    enabled: true
  backup:
    path: tmp/tests/backups
  gitlab_shell:
    path: tmp/tests/gitlab-shell/
    hooks_path: tmp/tests/gitlab-shell/hooks/
  issues_tracker:
    redmine:
      title: "Redmine"
      project_url: "http://redmine/projects/:issues_tracker_id"
      issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
      new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
    jira:
      title: "JIRA"
      url: https://sample_company.atlassian.net
      project_key: PROJECT
  ldap:
    enabled: false
    servers:
      main:
        label: ldap
        host: 127.0.0.1
        port: 3890
        uid: 'uid'
        method: 'plain' # "tls" or "ssl" or "plain"
        base: 'dc=example,dc=com'
        user_filter: ''
        group_base: 'ou=groups,dc=example,dc=com'
        admin_group: ''
 staging:
  <<: *base
--- a/states/roles/maintain/gitlabarch/conf_files/production.rb
+++ b/states/roles/maintain/gitlabarch/conf_files/production.rb
@ -0,0 +1,83 @@
 Rails.application.configure do
  # Settings specified here will take precedence over those in config/application.rb
  # Code is not reloaded between requests
  config.cache_classes = true
  # Full error reports are disabled and caching is turned on
  config.consider_all_requests_local       = false
  config.action_controller.perform_caching = true
  # Disable Rails's static asset server (Apache or nginx will already do this)
  config.serve_static_files = false
  # Compress JavaScripts and CSS.
  config.assets.js_compressor = :uglifier
  # config.assets.css_compressor = :sass
  # Don't fallback to assets pipeline if a precompiled asset is missed
  config.assets.compile = false
  # Generate digests for assets URLs
  config.assets.digest = true
  # Enable compression of compiled assets using gzip.
  config.assets.compress = true
  # Defaults to nil and saved in location specified by config.assets.prefix
  # config.assets.manifest = YOUR_PATH
  # Specifies the header that your server uses for sending files
  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
  # config.force_ssl = true
  # See everything in the log (default is :info)
  config.log_level = :info
  # Suppress 'Rendered template ...' messages in the log
  # source: http://stackoverflow.com/a/16369363
  %w{render_template render_partial render_collection}.each do |event|
    ActiveSupport::Notifications.unsubscribe "#{event}.action_view"
  end
  # Prepend all log lines with the following tags
  # config.log_tags = [ :subdomain, :uuid ]
  # Use a different logger for distributed setups
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
  # Enable serving of images, stylesheets, and JavaScripts from an asset server
  config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
  # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
  # config.assets.precompile += %w( search.js )
  # Disable delivery errors, bad email addresses will be ignored
  # config.action_mailer.raise_delivery_errors = false
  # Enable threaded mode
  # config.threadsafe! unless $rails_rake_task
  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
  # the I18n.default_locale when a translation can not be found)
  config.i18n.fallbacks = true
  # Send deprecation notices to registered listeners
  config.active_support.deprecation = :notify
  config.action_mailer.delivery_method = :smtp
  # Defaults to:
  # # config.action_mailer.sendmail_settings = {
  # #   location: '/usr/sbin/sendmail',
  # #   arguments: '-i -t'
  # # }
  config.action_mailer.perform_deliveries = true
  config.action_mailer.raise_delivery_errors = true
  config.eager_load = true
  config.allow_concurrency = false
 end
--- a/states/roles/maintain/gitlabarch/conf_files/redis.conf
+++ b/states/roles/maintain/gitlabarch/conf_files/redis.conf
--- a/states/roles/maintain/gitlabarch/conf_files/resque.yml
+++ b/states/roles/maintain/gitlabarch/conf_files/resque.yml
@ -0,0 +1,34 @@
 # If you change this file in a Merge Request, please also create
 # a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 #
 development:
  url: unix:/run/redis/redis.sock
  # sentinels:
  #   -
  #     host: localhost
  #     port: 26380 # point to sentinel, not to redis port
  #   -
  #     host: slave2
  #     port: 26381 # point to sentinel, not to redis port
 test:
  url: unix:/run/redis/redis.sock
 production:
  # Redis (single instance)
  url: unix:/run/redis/redis.sock
  ##
  # Redis + Sentinel (for HA)
  #
  # Please read instructions carefully before using it as you may lose data:
  # http://redis.io/topics/sentinel
  #
  # You must specify a list of a few sentinels that will handle client connection
  # please read here for more information: https://docs.gitlab.com/ce/administration/high_availability/redis.html
  ##
  # url: redis://master:6379
  # sentinels:
  #   -
  #     host: slave1
  #     port: 26379 # point to sentinel, not to redis port
  #   -
  #     host: slave2
  #     port: 26379 # point to sentinel, not to redis port
--- a/states/roles/maintain/gitlabarch/conf_files/smtp_settings.rb
+++ b/states/roles/maintain/gitlabarch/conf_files/smtp_settings.rb
@ -0,0 +1,23 @@
 # To enable smtp email delivery for your GitLab instance do the following:
 # 1. Rename this file to smtp_settings.rb
 # 2. Edit settings inside this file
 # 3. Restart GitLab instance
 #
 # For full list of options and their values see http://api.rubyonrails.org/classes/ActionMailer/Base.html
 #
 # If you change this file in a Merge Request, please also create a Merge Request on https://gitlab.com/gitlab-org/omnibus-gitlab/merge_requests
 if Rails.env.production?
  Rails.application.config.action_mailer.delivery_method = :smtp
  ActionMailer::Base.delivery_method = :smtp
  ActionMailer::Base.smtp_settings = {
    authentication: :plain,
    address: "smtp.zoho.com",
    port: 587,
    user_name: "notifications@actcur.com",
    password: "{%- include 'secure/passwords/gitlab_smtp_password.txt' -%}",
    domain: "smtp.zoho.com",
    enable_starttls_auto: true,
  }
 end
--- a/states/roles/maintain/gitlabarch/conf_files/tmp_redis.conf
+++ b/states/roles/maintain/gitlabarch/conf_files/tmp_redis.conf
@ -0,0 +1 @@
 d /run/redis 0755 redis redis -
--- a/states/roles/maintain/gitlabarch/init.sls
+++ b/states/roles/maintain/gitlabarch/init.sls
@ -0,0 +1,175 @@
 gitlab:
  pkg.installed
 mariadb:
  pkg.installed
 gitlab_nginx:
  pkg.installed:
    - name: nginx
 #managed files
 /etc/webapps/gitlab/gitlab.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/gitlab.yml
    - user: root
    - group: root
    - mode: 644
 /etc/webapps/gitlab/database.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/database.yml
    - user: gitlab
    - group: gitlab
    - mode: 600
    - template: jinja
 /etc/webapps/gitlab/resque.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/resque.yml
    - user: root
    - group: root
    - mode: 644
 /etc/webapps/gitlab-shell/config.yml:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/config.yml
    - user: gitlab
    - group: gitlab
    - mode: 600
 /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/smtp_settings.rb
    - user: root
    - group: root
    - mode: 644
    - template: jinja
 /usr/share/webapps/gitlab/config/environments/production.rb:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/production.rb
    - user: root
    - group: root
    - mode: 644
 /etc/redis.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/redis.conf
    - user: root
    - group: root
    - mode: 644
 /etc/tempfiles.d/redis.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/tmp_redis.conf
    - user: root
    - group: root
    - mode: 644
    - makedirs: true
 /etc/nginx/conf.d/gitlab.conf:
  file.managed:
    - source: salt://roles/maintain/gitlab/conf_files/gitlab.conf
    - user: root
    - group: root
    - makedirs: true
    - dir_mode: 755
    - mode: 644
 #add users git and gitlab to redis group
 git_user:
  user.present:
    - name: git
    - groups:
      - redis
 gitlab_user:
  user.present:
    - name: gitlab
    - groups:
      - redis
 #migrate redis database as gitlab user if necessary
 redis-running:
  service.running:
    - name: redis
    - enable: true
    - watch:
      - file: /etc/redis.conf
      - file: /etc/tempfiles.d/redis.conf
 gitlab_rake_db:
  cmd.run:
    - name: "bundle-2.3 exec rake db:migrate RAILS_ENV=production"
    - cwd: "/usr/share/webapps/gitlab"
    - runas: gitlab
    - watch:
      - pkg: gitlab
 #global git configuration
 gitlab_git_name:
  git.config_set:
    - name: user.name
    - value: "Actaeus Curabitur"
    - user: gitlab
    - global: true
 gitlab_git_email:
  git.config_set:
    - name: user.email
    - value: "actcur@actcur.com"
    - user: gitlab
    - global: true
 gitlab_git_crlf:
  git.config_set:
    - name: core.autocrlf
    - value: "input"
    - user: gitlab
    - global: true
 #create symlink
 symlink_repos:
  file.symlink:
    - name: /var/lib/gitlab/repositories
    - target: /mnt/repos
    - force: true
 #verify perms for repos are right
 /var/lib/gitlab/repositories/:
  file.directory:
    - user: gitlab
    - group: gitlab
    - dir_mode: 4770
 #start services
 gitlab.target:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-workhorse:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-unicorn:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
 gitlab-sidekiq:
  service.running:
    - enable: true
    - watch:
      - file: /etc/webapps/gitlab/gitlab.yml
      - file: /etc/webapps/gitlab/database.yml
      - file: /etc/webapps/gitlab/resque.yml
      - file: /etc/webapps/gitlab-shell/config.yml
      - file: /etc/nginx/conf.d/gitlab.conf
      - file: /usr/share/webapps/gitlab/config/initializers/smtp_settings.rb
      - file: /usr/share/webapps/gitlab/config/environments/production.rb
--- a/states/roles/maintain/glances/certs
+++ b/states/roles/maintain/glances/certs
@ -1 +0,0 @@
 /etc/letsencrypt/live/
--- a/states/roles/maintain/glances/init.sls
+++ b/states/roles/maintain/glances/init.sls
@ -31,7 +31,7 @@ nginx:
 {%- for name in pillar['nginx'] %}
 "/etc/nginx/certs/{{name}}.actcur.com/":
  file.recurse:
-    - source: salt://roles/maintain/nginx-proxy/certs/{{name}}.actcur.com/
+    - source: salt://secure/certs/{{name}}.actcur.com/
 {%- if os=="CentOS" or os=="RedHat" %}
    - user: nginx
    - user: nginx
@ -76,7 +76,7 @@ nginx:
 "/etc/nginx/certs/portal.actcur.com/":
  file.recurse:
-    - source: salt://roles/maintain/nginx-proxy/certs/portal.actcur.com/
+    - source: salt://secure/certs/portal.actcur.com/
    - user: http
    - group: http
    - dir_mode: 755
--- a/states/roles/maintain/ldap/certs
+++ b/states/roles/maintain/ldap/certs
@ -1 +0,0 @@
 /etc/letsencrypt/live/
--- a/states/roles/maintain/ldap/init.sls
+++ b/states/roles/maintain/ldap/init.sls
@ -9,7 +9,7 @@ openldap:
 /etc/openldap/certs/:
  file.recurse:
-    - source: salt://roles/maintain/nginx-proxy/certs/ldap.actcur.com/
+    - source: salt://secure/certs/ldap.actcur.com/
    - user: ldap
    - group: ldap
    - dir_mode: 755
@ -92,4 +92,3 @@ own_data:
    - user: ldap
    - group: ldap
    - mode: 644
--- a/states/roles/maintain/nginx-proxy/certs
+++ b/states/roles/maintain/nginx-proxy/certs
@ -1 +0,0 @@
 /etc/letsencrypt/live/
--- a/states/roles/maintain/nginx-proxy/init.sls
+++ b/states/roles/maintain/nginx-proxy/init.sls
@ -35,7 +35,7 @@ nginx:
 {%- for name in pillar['nginx'] %}
 "/etc/nginx/certs/{{name}}.actcur.com/":
  file.recurse:
-    - source: salt://roles/maintain/nginx-proxy/certs/{{name}}.actcur.com/
+    - source: salt://secure/certs/{{name}}.actcur.com/
 {%- if os=="CentOS" or os=="RedHat" %}
    - user: nginx
    - user: nginx
@ -44,7 +44,7 @@ nginx:
    - group: http
 {%- endif %}
    - dir_mode: 755
-    - file:mode: 400
+    - file_mode: 400
    - clean: true
 /etc/nginx/conf.d/{{ name }}.conf:
@ -80,10 +80,10 @@ nginx:
 "/etc/nginx/certs/portal.actcur.com/":
  file.recurse:
-    - source: salt://roles/maintain/nginx-proxy/certs/portal.actcur.com/
+    - source: salt://secure/certs/portal.actcur.com/
    - user: http
    - group: http
    - dir_mode: 755
-    - file:mode: 400
+    - file_mode: 400
    - clean: true
 {%- endif -%}
--- a/states/roles/maintain/vpnserver/init.sls
+++ b/states/roles/maintain/vpnserver/init.sls
@ -0,0 +1,17 @@
 vpn-server:
  pkg.installed:
    - name: openvpn
 #generate diff-hellman param files
 #build only
 gen-dh-param:
  cmd.run:
    - name: "openssl dhparam -out /etc/openvpn/server/dh.pem 2048"
    - onlyif: 'test ! -e /etc/openvpn/server/dh.pem'
 #generate hmac key
 #build only
 gen-hmac-key:
  cmd.run:
    - name: "openvpn --genkey --secret /etc/openvpn/server/ta.key"
    - onlyif: 'test ! -e /etc/openvpn/server/ta.key'
--- a/states/systems/core/backup/init.sls
+++ b/states/systems/core/backup/init.sls
@ -11,7 +11,7 @@
 {{ name }}_key:
  file.managed:
    - name: /root/.ssh/{{ pillar['backup'][name]['key'] }}
-    - source: salt://systems/core/backup/keys/{{ pillar['backup'][name]['key'] }}
+    - source: salt://secure/keys/backup/{{ pillar['backup'][name]['key'] }}
    - user: root
    - group: root
    - mode: 600
--- a/states/systems/core/git/init.sls
+++ b/states/systems/core/git/init.sls
@ -12,7 +12,7 @@ git_pkg:
 {{ repo }}_key:
  file.managed:
    - name: /root/.ssh/{{ pillar['git'][repo]['key'] }}
-    - source: salt://systems/core/git/keys/{{ pillar['git'][repo]['key'] }}
+    - source: salt://secure/keys/git/{{ pillar['git'][repo]['key'] }}
    - user: root
    - group: root
    - mode: 600
--- a/states/systems/core/git/keys
+++ b/states/systems/core/git/keys
@ -1 +0,0 @@
 /keys/git/
--- a/states/systems/core/mount/init.sls
+++ b/states/systems/core/mount/init.sls
@ -45,7 +45,7 @@ mount_host.actcur.com:
 {{ mount }}_key:
  file.managed:
    - name: /root/.ssh/{{user}}_key
-    - source: salt://systems/core/mount/keys/{{user}}_key
+    - source: salt://secure/keys/mount/{{user}}_key
    - user: root
    - group: root
    - mode: 600
--- a/states/systems/core/mount/keys
+++ b/states/systems/core/mount/keys
@ -1 +0,0 @@
 /keys/mount/
--- a/states/top.sls
+++ b/states/top.sls
--- a/0
+++ b/0