Gogs and Pass state, altered grains management, added grain to enable backups, fixed firewalld issue, added required pkgs for aur_repo

pillars/roles/aurpkgs/calendar.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  baikal: []
+aur:
+  pkgs:
+    baikal: []

pillars/roles/aurpkgs/git.sls

@@ -1,3 +1,4 @@
-aurpkgs:
-  glide-git: []
-  gogs: []
+aur:
+  pkgs:
+    glide-git: []
+    gogs: []

pillars/roles/aurpkgs/headphones.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  headphones: []
+aur:
+  pkgs:
+    headphones: []

pillars/roles/aurpkgs/icinga.sls

@@ -1,4 +1,5 @@
-aurpkgs:
-  icinga2: []
-  icingaweb2: []
-  icingaweb2-module-director: []
+aur:
+  pkgs:
+    icinga2: []
+    icingaweb2: []
+    icingaweb2-module-director: []

pillars/roles/aurpkgs/jackett.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  jackett: []
+aur:
+  pkgs:
+    jackett: []

pillars/roles/aurpkgs/lam.sls

@@ -1,5 +1,6 @@
-aurpkgs:
-  ldap-account-manager: []
+aur:
+  pkgs:
+    ldap-account-manager: []
 #  building php56 doesn't seem to work
 #  php56: []
 #  php56-fpm: []

pillars/roles/aurpkgs/ombi.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  ombi: []
+aur:
+  pkgs:
+    ombi: []

pillars/roles/aurpkgs/pass.sls

@@ -0,0 +1,5 @@
+#note: teampass package is currently broken due to mysql being a required dependency
+#will readd if/when the teampass AUR package is fixed
+#aur:
+#  pkgs:
+#    teampass: []

pillars/roles/aurpkgs/plexmediaserver.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  plex-media-server-plexpass: []
+aur:
+  pkgs:
+    plex-media-server-plexpass: []

pillars/roles/aurpkgs/portal.sls

@@ -1,2 +0,0 @@
-aurpkgs:
-  byobu: []

pillars/roles/aurpkgs/radarr.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  radarr: []
+aur:
+  pkgs:
+    radarr: []

pillars/roles/aurpkgs/sonarr.sls

@@ -1,2 +1,3 @@
-aurpkgs:
-  sonarr: []
+aur:
+  pkgs:
+    sonarr: []

pillars/roles/backup/gogs.sls

@@ -0,0 +1,10 @@
+backup:
+  gogs:
+    location: /var/lib/gogs/
+    rsync_user: backups
+    key: backups_key
+    host: host.actcur.com
+    user: root
+    group: root
+    fmode: 600
+    dmode: 700

pillars/roles/backup/pass.sls

@@ -0,0 +1,10 @@
+backup:
+  pass:
+    location: /teampass
+    rsync_user: backups
+    key: backups_key
+    host: host.actcur.com
+    user: http
+    group: http
+    fmode: 644
+    dmode: 700

pillars/roles/database/pass.sls

@@ -0,0 +1,9 @@
+database:
+  users:
+    teampass:
+      host: pass.actcur.com
+  databases:
+    teampass:
+      teampass:
+        host: pass.actcur.com
+        grant: all privileges

pillars/roles/firewalld/certbot.sls

@@ -1,5 +1,5 @@
 firewalld:
   70_internal:
     service:
-      - http
-      - https
+      http: []
+      https: []

pillars/roles/firewalld/deluge.sls

@@ -1,12 +1,11 @@
 firewalld:
   70_internal:
     service:
-      - http
+      http: []
     port:
-      - 58846/tcp
-      - 8112/tcp
+      58846/tcp: []
+      8112/tcp: []
   99_public:
     port:
-      - 63150/tcp
-      - 63150/udp
-
+      63150/tcp: []
+      63150/udp: []

pillars/roles/firewalld/git.sls

@@ -1,7 +1,7 @@
 firewalld:
   70_internal:
     port:
-      - 3000/tcp
+      3000/tcp: []
   99_public:
     port:
-      - 5022/tcp
+      5022/tcp: []

pillars/roles/firewalld/gitlab.sls

@@ -1,7 +1,7 @@
 firewalld:
   70_internal:
     port:
-      - 8000/tcp
+      8000/tcp: []
   99_public:
     port:
-      - 5022/tcp
+      5022/tcp: []

pillars/roles/firewalld/mysql.sls

@@ -1,4 +1,4 @@
 firewalld:
   70_internal:
     port:
-      - 3306/tcp
+      3306/tcp: []

pillars/roles/firewalld/nginx-proxy.sls

@@ -1,5 +1,5 @@
 firewalld:
   70_internal:
     service:
-      - http
-      - https
+      http: []
+      https: []

pillars/roles/firewalld/plexmediaserver.sls

@@ -1,4 +1,4 @@
 firewalld:
   99_public:
     port:
-      - 32400/tcp
+      32400/tcp: []

pillars/roles/firewalld/portal.sls

@@ -1,5 +1,5 @@
 firewalld:
   99_public:
     service:
-      - http
-      - https
+      http: []
+      https: []

pillars/roles/firewalld/saltmaster.sls

@@ -1,8 +1,8 @@
 firewalld:
   70_internal:
     port:
-      - 4505/tcp
-      - 4506/tcp
+      4505/tcp: []
+      4506/tcp: []
 #    rule:
 #      salt port 1:
 #        source: 192.168.41.29

pillars/roles/firewalld/server.sls

@@ -2,14 +2,14 @@ firewalld:
   10_enduser:
     description: End User zone. Only connections form end users are accepted.
     include:
-      - 99_public
-      - 70_internal
+      99_public: []
+      70_internal: []
     source:
-      - 172.16.40.0/24
+      172.16.40.0/24: []
   50_server:
     description: Server zone. Only connections from servers are accepted.
     include:
-      - 99_public
-      - 70_internal
+      99_public: []
+      70_internal: []
     source:
-      - 172.16.41.0/24
+      172.16.41.0/24: []

pillars/roles/firewalld/ssh.sls

@@ -1,4 +1,4 @@
 firewalld:
   70_internal:
     service:
-      - ssh
+      ssh: []

pillars/roles/firewalld/sshserver.sls

@@ -1,4 +1,4 @@
 firewalld:
   99_public:
     service:
-      - ssh
+      ssh: []

pillars/roles/firewalld/vpnserver.sls

@@ -1,7 +1,7 @@
 firewalld:
   99_public:
     service:
-      - openvpn
+      openvpn: []
     port:
-      - 1194/udp
+      1194/udp: []
     masquerade: true

pillars/roles/mount/aurrepo.sls

@@ -0,0 +1,4 @@
+mount:
+  ext4:
+    /mnt/build:
+      device: UUID=090ea2e6-82af-45e7-91e7-84e5967817a4

pillars/roles/nginx/pass.sls

@@ -0,0 +1,6 @@
+nginx:
+  pass:
+    auth: none
+    https:
+      port: 8080
+      prot: http

pillars/servers/env/server/archpass.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/maintainer/server/archpass.sls

@@ -0,0 +1,3 @@
+maintainer:
+  - masaufuku
+

pillars/servers/roles/server/archpass.sls

@@ -0,0 +1,7 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - saltminion
+    - nginx-proxy
+    - pass

states/grains/init.sls

@@ -0,0 +1,14 @@
+{# ensure that grains pillar exists -#}
+{%- if pillar['grains'] is defined -%}
+  {%- if pillar['grains']['roles'] is defined %}
+set-roles:
+  grains.present:
+    - name: roles
+    - force: true
+    - value: [{% for role in pillar['grains']['roles'] %}{{role}},{% endfor %}]
+  {% else %}
+set-roles:
+  grains.absent:
+    - name: roles
+  {%- endif -%}
+{%- endif -%}

states/roles/grains

@@ -1,19 +0,0 @@
-{#- ensure that grains pillar exists -#}
-{%- if pillar['grains'] is defined -%}
-  {#- loop through grains -#}
-  {%- for key, value in pillar['grains'].items() recursive -%}
-    {%- set depth=loop.depth %}
-{% for i in range(1,depth) -%}{{ "  " }}{%- endfor -%}
-{{ key }}:
-    {%- if value is mapping -%}
-      {{ loop(value.items()) }}
-    {%- else %}
-      {%- if value is not none -%}
-        {%- for item in value %}
-{% for i in range(0,depth) -%}{{ "  " }}{%- endfor -%}
-- {{ item }}
-        {%- endfor -%}
-      {%- endif -%}
-    {%- endif -%}
-  {%- endfor -%}
-{%- endif -%}

states/roles/init.sls

@@ -1,13 +0,0 @@
-roles-minion:
-  service.running:
-    - name: salt-minion
-    - watch:
-      - file: /etc/salt/grains
-
-/etc/salt/grains:
-  file.managed:
-    - source: salt://roles/grains
-    - user: root
-    - group: root
-    - mode: 644
-    - template: jinja

states/roles/maintain/aurrepo/init.sls

@@ -4,6 +4,16 @@ base-devel:
 sudo:
   pkg.installed
 
+{% if pillar['aur'] is defined -%}
+{% if pillar['aur']['require'] is defined -%}
+{% for pkg in pillar['aur']['require'] %}
+aur_require_{{pkg}}:
+  pkg.installed:
+    - name: "{{pkg}}"
+{%- endfor -%}
+{%- endif -%}
+{%- endif %}
+
 user-build:
   user.present:
     - name: build
@@ -16,6 +26,10 @@ user-build:
   file.symlink:
     - target: /mnt/pkgs/aur-local/os/x86_64/
 
+/build:
+  file.symlink:
+    - target: /mnt/build/
+
 git-aur_repo:
   git.latest:
     - name: https://git.actcur.com/actcur/aur_repo

states/roles/maintain/aurrepo/pkglist

@@ -1,5 +1,7 @@
-{% if pillar['aurpkgs'] is defined -%}
-{% for pkg in pillar['aurpkgs'] %}
+{% if pillar['aur'] is defined -%}
+{% if pillar['aur']['pkgs'] is defined -%}
+{% for pkg in pillar['aur']['pkgs'] %}
 {{pkg}}
 {%- endfor -%}
 {%- endif -%}
+{%- endif -%}

states/roles/maintain/gogs/app.ini

@@ -0,0 +1,496 @@
+# !!! NEVER EVER MODIFY THIS FILE !!!
+# !!! PLEASE MAKE CHANGES ON CORRESPONDING CUSTOM CONFIG FILE !!!
+# !!! IF YOU ARE PACKAGING PROVIDER, PLEASE MAKE OWN COPY OF IT !!!
+; App name that shows on every page title
+APP_NAME = Gogs
+; The name of the system user that runs Gogs
+RUN_USER = gogs
+; Either "dev", "prod" or "test"
+RUN_MODE = prod
+
+[server]
+PROTOCOL               = http
+DOMAIN                 = git.actcur.com
+ROOT_URL               = http://git.actcur.com/
+HTTP_ADDR              = 0.0.0.0
+HTTP_PORT              = 3000
+; Permission for unix socket
+UNIX_SOCKET_PERMISSION = 666
+; Local (DMZ) URL for Gogs workers (such as SSH update) accessing web service.
+; In most cases you do not need to change the default value.
+; Alter it only if your SSH server node is not the same as HTTP node.
+LOCAL_ROOT_URL         = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
+; Disable SSH feature when not available
+DISABLE_SSH            = false
+; Whether use builtin SSH server or not.
+START_SSH_SERVER       = true
+; Domain name to be exposed in SSH clone URL
+SSH_DOMAIN             = %(DOMAIN)s
+; Port number to be exposed in SSH clone URL
+SSH_PORT               = 5022
+; Network interface builtin SSH server listens on
+SSH_LISTEN_HOST        = 0.0.0.0
+; Port number builtin SSH server listens on
+SSH_LISTEN_PORT        = %(SSH_PORT)s
+; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
+SSH_ROOT_PATH          =
+; Choose the ciphers to support for SSH connections
+SSH_SERVER_CIPHERS     = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
+; Directory to create temporary files when test publick key using ssh-keygen,
+; default is system temporary directory.
+SSH_KEY_TEST_PATH      =
+; Path to ssh-keygen, default is 'ssh-keygen' and let shell find out which one to call.
+SSH_KEYGEN_PATH        = ssh-keygen
+; Indicate whether to check minimum key size with corresponding type
+MINIMUM_KEY_SIZE_CHECK = false
+; Disable CDN even in "prod" mode
+OFFLINE_MODE           = false
+DISABLE_ROUTER_LOG     = false
+; Generate steps:
+; $ ./gogs cert -ca=true -duration=8760h0m0s -host=myhost.example.com
+;
+; Or from a .pfx file exported from the Windows certificate store (do
+; not forget to export the private key):
+; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
+; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
+CERT_FILE              = /var/lib/gogs/cert/cert.pem
+KEY_FILE               = /var/lib/gogs/cert/key.pem
+; Allowed TLS version values: SSL30, TLS10, TLS11, TLS12
+TLS_MIN_VERSION        = TLS10
+; Upper level of template and static file path
+; default is the path where Gogs is executed
+STATIC_ROOT_PATH       = /usr/share/gogs
+; Default path for App data
+APP_DATA_PATH          = /var/lib/gogs/data
+; Application level GZIP support
+ENABLE_GZIP            = false
+; Landing page for non-logged users, can be "home" or "explore"
+LANDING_PAGE           = home
+
+[repository]
+; Root path for storing repositories's data, default is "~/<username>/gogs-repositories"
+ROOT                        = /var/lib/gogs/repos
+; The script type server supports, sometimes could be "sh"
+SCRIPT_TYPE                 = bash
+; Default ANSI charset for an unrecognized charset
+ANSI_CHARSET                =
+; Force every new repository to be private
+FORCE_PRIVATE               = false
+; Global maximum creation limit of repository per user, -1 means no limit
+MAX_CREATION_LIMIT          = -1
+; Mirror sync queue length, increase if mirror syncing starts hanging
+MIRROR_QUEUE_LENGTH         = 1000
+; Patch test queue length, increase if pull request patch testing starts hanging
+PULL_REQUEST_QUEUE_LENGTH   = 1000
+; Preferred Licenses to place at the top of the list
+; Name must match file name in conf/license or custom/conf/license
+PREFERRED_LICENSES          = Apache License 2.0,MIT License
+; Disable ability to interact with repositories by HTTP protocol
+DISABLE_HTTP_GIT            = false
+; Enable ability to migrate repository by local path
+ENABLE_LOCAL_PATH_MIGRATION = false
+; Concurrency is used to retrieve commits information. This variable define
+; the maximum number of tasks that can be run at the same time. Usually, the
+; value depend of how many CPUs (cores) you have. If the value is set to zero
+; or under, GOGS will automatically detect the number of CPUs your system have
+COMMITS_FETCH_CONCURRENCY   = 0
+; Enable render mode for raw file
+ENABLE_RAW_FILE_RENDER_MODE = false
+
+[repository.editor]
+; List of file extensions that should have line wraps in the CodeMirror editor.
+; Separate extensions with a comma. To line wrap files without extension, just put a comma
+LINE_WRAP_EXTENSIONS   = .txt,.md,.markdown,.mdown,.mkd,
+; Valid file modes that have a preview API associated with them, such as api/v1/markdown.
+; Separate values by commas. Preview tab in edit mode won't show if the file extension doesn't match
+PREVIEWABLE_FILE_MODES = markdown
+
+[repository.upload]
+; Enable repository file uploads.
+ENABLED       = true
+; Path to temporarily store uploads (default path gets cleaned by Gogs in every start)
+TEMP_PATH     = /var/cache/gogs
+; File types that are allowed to be uploaded, e.g. image/jpeg|image/png. Leave empty means allow any file type
+ALLOWED_TYPES =
+; Maximum size of each file in MB
+FILE_MAX_SIZE = 3
+; Maximum number of files per upload
+MAX_FILES     = 5
+
+; Attachment settings for releases
+[release.attachment]
+; Whether attachments are enabled. Defaults to `true`
+ENABLED       = true
+; Path for attachments. Defaults to `data/attachments`
+PATH          = data/attachments
+; One or more allowed types, e.g. image/jpeg|image/png
+ALLOWED_TYPES = */*
+; Max size of each file. Defaults to 32MB
+MAX_SIZE      = 32
+; Max number of files per upload. Defaults to 10
+MAX_FILES     = 10
+
+[markdown]
+; Enable hard line break extension
+ENABLE_HARD_LINE_BREAK = false
+; List of custom URL-Schemes that are allowed as links when rendering Markdown
+; for example git,magnet
+CUSTOM_URL_SCHEMES     =
+; List of file extensions that should be rendered/edited as Markdown
+; Separate extensions with a comma. To render files w/o extension as markdown, just put a comma
+FILE_EXTENSIONS        = .md,.markdown,.mdown,.mkd
+
+[smartypants]
+ENABLED       = false
+FRACTIONS     = true
+DASHES        = true
+LATEX_DASHES  = true
+ANGLED_QUOTES = true
+
+[http]
+; Value for Access-Control-Allow-Origin header, default is not to present
+ACCESS_CONTROL_ALLOW_ORIGIN =
+
+; Define allowed algorithms and their minimum key length (use -1 to disable a type)
+[ssh.minimum_key_sizes]
+ED25519 = 256
+ECDSA   = 256
+RSA     = 2048
+DSA     = 1024
+
+[database]
+; Either "mysql", "postgres" or "sqlite3", you can connect to TiDB with MySQL protocol
+DB_TYPE  = mysql
+;HOST	=localhost:3306
+;USER	=root
+;PASSWD	=Eichkatze12
+HOST     = sql.actcur.com:3306
+NAME     = gogs
+USER     = gogs
+PASSWD   = eyxaG5WvIEnanWbsnYUM
+; For "postgres" only, either "disable", "require" or "verify-full"
+SSL_MODE = disable
+; For "sqlite3" and "tidb", use absolute path when you start as service
+PATH     = /var/lib/gogs/gogs.db
+
+[admin]
+; Disable regular (non-admin) users to create organizations
+DISABLE_REGULAR_ORG_CREATION = false
+
+[security]
+INSTALL_LOCK                      = true
+; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
+#@FDEWREWR&*(
+SECRET_KEY                        = 1BAesyiWwNseJMM
+; Auto-login remember days
+LOGIN_REMEMBER_DAYS               = 7
+COOKIE_USERNAME                   = gogs_awesome
+COOKIE_REMEMBER_NAME              = gogs_incredible
+COOKIE_SECURE                     = false
+; Reverse proxy authentication header name of user name
+REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
+; Enable to set cookie to indicate user login status
+ENABLE_LOGIN_STATUS_COOKIE        = false
+LOGIN_STATUS_COOKIE_NAME          = login_status
+
+[service]
+ACTIVE_CODE_LIVE_MINUTES               = 180
+RESET_PASSWD_CODE_LIVE_MINUTES         = 180
+; User need to confirm e-mail for registration
+REGISTER_EMAIL_CONFIRM                 = false
+; Does not allow register and admin create account only
+DISABLE_REGISTRATION                   = false
+; User must sign in to view anything.
+REQUIRE_SIGNIN_VIEW                    = false
+; Mail notification
+ENABLE_NOTIFY_MAIL                     = true
+; More detail: https://github.com/gogits/gogs/issues/165
+ENABLE_REVERSE_PROXY_AUTHENTICATION    = false
+ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+; Enable captcha validation for registration
+ENABLE_CAPTCHA                         = true
+
+[webhook]
+; Types are enabled for users to use, can be "gogs", "slack", "discord"
+TYPES           = gogs, slack, discord
+; Hook task queue length, increase if webhook shooting starts hanging
+QUEUE_LENGTH    = 1000
+; Deliver timeout in seconds
+DELIVER_TIMEOUT = 15
+; Allow insecure certification
+SKIP_TLS_VERIFY = false
+; Number of history information in each page
+PAGING_NUM      = 10
+
+[mailer]
+ENABLED         = true
+; Buffer length of channel, keep it as it is if you don't know what it is.
+SEND_BUFFER_LEN = 100
+; Name displayed in mail title
+SUBJECT         = %(APP_NAME)s
+; Mail server
+; Gmail: smtp.gmail.com:587
+; QQ: smtp.qq.com:465
+; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
+HOST            = smtp.zoho.com:587
+; Disable HELO operation when hostname are different.
+DISABLE_HELO    = true
+; Custom hostname for HELO operation, default is from system.
+HELO_HOSTNAME   =
+; Do not verify the certificate of the server. Only use this for self-signed certificates
+SKIP_VERIFY     = false
+; Use client certificate
+USE_CERTIFICATE = false
+CERT_FILE       = custom/mailer/cert.pem
+KEY_FILE        = custom/mailer/key.pem
+; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
+FROM            = gogs@actcur.com
+; Mailer user name and password
+USER            = gogs@actcur.com
+PASSWD          = kKbG2t7IZmWaVbNQYRcd
+; Use text/plain as format of content
+USE_PLAIN_TEXT  = false
+
+[cache]
+; Either "memory", "redis", or "memcache", default is "memory"
+ADAPTER  = memory
+; For "memory" only, GC interval in seconds, default is 60
+INTERVAL = 60
+; For "redis" and "memcache", connection host address
+; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+; memcache: `127.0.0.1:11211`
+HOST     =
+
+[session]
+; Either "memory", "file", or "redis", default is "memory"
+PROVIDER          = file
+; Provider config options
+; memory: not have any config yet
+; file: session file path, e.g. `data/sessions`
+; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
+PROVIDER_CONFIG   = data/sessions
+; Session cookie name
+COOKIE_NAME       = i_like_gogits
+; If you use session in https only, default is false
+COOKIE_SECURE     = false
+; Enable set cookie, default is true
+ENABLE_SET_COOKIE = true
+; Session GC time interval, default is 3600
+GC_INTERVAL_TIME  = 3600
+; Session life time, default is 86400
+SESSION_LIFE_TIME = 86400
+; Cookie name for CSRF
+CSRF_COOKIE_NAME  = _csrf
+
+[picture]
+; Path to store user uploaded avatars
+AVATAR_UPLOAD_PATH      = data/avatars
+; Chinese users can choose "duoshuo"
+; or a custom avatar source, like: http://cn.gravatar.com/avatar/
+GRAVATAR_SOURCE         = gravatar
+; This value will be forced to be true in offline mode.
+DISABLE_GRAVATAR        = false
+; Federated avatar lookup uses DNS to discover avatar associated
+; with emails, see https://www.libravatar.org
+; This value will be forced to be false in offline mode or Gravatar is disbaled.
+ENABLE_FEDERATED_AVATAR = true
+
+; Attachment settings for issues
+[attachment]
+; Whether attachments are enabled. Defaults to `true`
+ENABLED       = true
+; Path for attachments. Defaults to `data/attachments`
+PATH          = data/attachments
+; One or more allowed types, e.g. image/jpeg|image/png
+ALLOWED_TYPES = image/jpeg|image/png
+; Max size of each file. Defaults to 4MB
+MAX_SIZE      = 4
+; Max number of files per upload. Defaults to 5
+MAX_FILES     = 5
+
+[time]
+; Specifies the format for fully outputed dates. Defaults to RFC1123
+; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
+; For more information about the format see http://golang.org/pkg/time/#pkg-constants
+FORMAT =
+
+; General settings of loggers
+[log]
+ROOT_PATH  = /var/log/gogs
+; Can be "console" and "file", default is "console"
+; Use comma to separate multiple modes, e.g. "console, file"
+MODE       = file
+; Buffer length of channel, keep it as it is if you don't know what it is.
+BUFFER_LEN = 100
+; Either "Trace", "Info", "Warn", "Error", "Fatal", default is "Trace"
+LEVEL      = Info
+
+; For "console" mode only
+[log.console]
+; leave empty to inherit
+LEVEL =
+
+; For "file" mode only
+[log.file]
+; leave empty to inherit
+LEVEL          =
+; This enables automated log rotate (switch of following options)
+LOG_ROTATE     = true
+; Segment log daily
+DAILY_ROTATE   = true
+; Max size shift of single file, default is 28 means 1 << 28, 256MB
+MAX_SIZE_SHIFT = 28
+; Max line number of single file
+MAX_LINES      = 1000000
+; Expired days of log file (delete after max days)
+MAX_DAYS       = 7
+
+; For "slack" mode only
+[log.slack]
+; leave empty to inherit
+LEVEL =
+; Webhook URL
+URL   =
+
+[log.xorm]
+; Enable file rotation
+ROTATE       = true
+; Rotate every day
+ROTATE_DAILY = true
+; Rotate once file size excesses x MB
+MAX_SIZE     = 100
+; Maximum days to keep logger files
+MAX_DAYS     = 3
+
+[cron]
+; Enable running cron tasks periodically.
+ENABLED      = true
+; Run cron tasks when Gogs starts.
+RUN_AT_START = false
+
+; Update mirrors
+[cron.update_mirrors]
+SCHEDULE = @every 10m
+
+; Repository health check
+[cron.repo_health_check]
+SCHEDULE = @every 24h
+TIMEOUT  = 60s
+; Arguments for command 'git fsck', e.g. "--unreachable --tags"
+; see more on http://git-scm.com/docs/git-fsck/1.7.5
+ARGS     =
+
+; Check repository statistics
+[cron.check_repo_stats]
+RUN_AT_START = true
+SCHEDULE     = @every 24h
+
+; Cleanup repository archives
+[cron.repo_archive_cleanup]
+RUN_AT_START = false
+SCHEDULE     = @every 24h
+; Time duration to check if archive should be cleaned
+OLDER_THAN   = 24h
+
+[git]
+; Disables highlight of added and removed changes
+DISABLE_DIFF_HIGHLIGHT       = false
+; Max number of lines allowed of a single file in diff view
+MAX_GIT_DIFF_LINES           = 1000
+; Max number of characters of a line allowed in diff view
+MAX_GIT_DIFF_LINE_CHARACTERS = 500
+; Max number of files shown in diff view
+MAX_GIT_DIFF_FILES           = 100
+; Arguments for command 'git gc', e.g. "--aggressive --auto"
+; see more on http://git-scm.com/docs/git-gc/1.7.5
+GC_ARGS                      =
+
+; Operation timeout in seconds
+[git.timeout]
+MIGRATE = 600
+MIRROR  = 300
+CLONE   = 300
+PULL    = 300
+GC      = 60
+
+[mirror]
+; Default interval in hours between each check
+DEFAULT_INTERVAL = 8
+
+[api]
+; Max number of items will response in a page
+MAX_RESPONSE_ITEMS = 50
+
+[ui]
+; Number of repositories that are showed in one explore page
+EXPLORE_PAGING_NUM    = 20
+; Number of issues that are showed in one page
+ISSUE_PAGING_NUM      = 10
+; Number of maximum commits showed in one activity feed
+FEED_MAX_COMMIT_NUM   = 5
+; Value of "theme-color" meta tag, used by Android >= 5.0
+; An invalid color like "none" or "disable" will have the default style
+; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
+THEME_COLOR_META_TAG  = `#ff5343`
+; Max size in bytes of files to be displayed (default is 8MB)
+MAX_DISPLAY_FILE_SIZE = 8388608
+
+[ui.admin]
+; Number of users that are showed in one page
+USER_PAGING_NUM   = 50
+; Number of repos that are showed in one page
+REPO_PAGING_NUM   = 50
+; Number of notices that are showed in one page
+NOTICE_PAGING_NUM = 25
+; Number of organization that are showed in one page
+ORG_PAGING_NUM    = 50
+
+[ui.user]
+; Number of repos that are showed in one page
+REPO_PAGING_NUM      = 15
+; Number of news feeds that are showed in one page
+NEWS_FEED_PAGING_NUM = 20
+; Number of commits that are showed in one page
+COMMITS_PAGING_NUM   = 30
+
+[i18n]
+LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR,gl-ES,uk-UA,en-GB,hu-HU
+NAMES = English,简体中文,繁體中文（香港）,繁體中文（台湾）,Deutsch,français,Nederlands,latviešu,русский,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어,galego,українська,English (United Kingdom),Magyar
+
+; Used for datetimepicker
+[i18n.datelang]
+en-US = en
+zh-CN = zh
+zh-HK = zh-TW
+zh-TW = zh-TW
+de-DE = de
+fr-FR = fr
+nl-NL = nl
+lv-LV = lv
+ru-RU = ru
+ja-JP = ja
+es-ES = es
+pt-BR = pt-BR
+pl-PL = pl
+bg-BG = bg
+it-IT = it
+fi-FI = fi
+tr-TR = tr
+cs-CZ = cs-CZ
+sr-SP = sr
+sv-SE = sv
+ko-KR = ko
+gl-ES = gl
+uk-UA = uk
+
+; Extension mapping to highlight class
+; e.g. .toml=ini
+[highlight.mapping]
+
+[other]
+SHOW_FOOTER_BRANDING           = false
+; Show version information about Gogs and Go in the footer
+SHOW_FOOTER_VERSION            = true
+; Show time of template execution in the footer
+SHOW_FOOTER_TEMPLATE_LOAD_TIME = true

states/roles/maintain/gogs/init.sls

@@ -0,0 +1,11 @@
+
+gogs_package:
+  pkg.installed:
+    - name: gogs
+
+/etc/gogs/api.ini:
+  file.managed:
+    - source: salt://roles/maintain/gogs/api.ini
+    - user: root
+    - group: root
+    - mode: 644

states/roles/maintain/pass/init.sls

@@ -0,0 +1,63 @@
+#install teampass - needs to be changed to being built in the aurrepo as soon as Marcin updates the dependencies to not include mysql
+teampass_/etc/pacman.conf:
+  file.append:
+    - name: /etc/pacman.conf
+    - source: salt://roles/maintain/pass/temp-repo.conf
+
+install_teampass:
+  pkg.installed:
+    - name: teampass
+
+teampass_php-gd:
+  pkg.installed:
+    - name: php-gd
+
+teampass_php-fpm:
+  pkg.installed:
+    - name: php-fpm
+  service.running:
+    - name: php-fpm
+    - enable: true
+    - watch:
+      - file: /etc/php/php.ini
+
+/etc/php/php.ini:
+  file.managed:
+    - source: salt://roles/maintain/pass/php.ini
+
+/etc/nginx/conf.d/teampass.conf:
+  file.managed:
+    - source: salt://roles/maintain/pass/nginx.conf
+
+#change ownership on directories
+"/usr/share/webapps/teampass/includes/config/":
+  file.directory:
+    - user: http
+    - group: http
+"/usr/share/webapps/teampass/includes/avatars/":
+  file.directory:
+    - user: http
+    - group: http
+"/usr/share/webapps/teampass/includes/libraries/csrfp/libs/":
+  file.directory:
+    - user: http
+    - group: http
+"/usr/share/webapps/teampass/includes/libraries/csrfp/js/":
+  file.directory:
+    - user: http
+    - group: http
+"/usr/share/webapps/teampass/includes/libraries/csrfp/log/":
+  file.directory:
+    - user: http
+    - group: http
+
+"/teampass":
+  file.directory:
+    - user: http
+    - group: http
+    - dir_mode: 700
+    - file_mode: 600
+    - recurse:
+      - user
+      - group
+      - mode

states/roles/maintain/pass/nginx.conf

@@ -0,0 +1,21 @@
+server {
+  server_name domain.tld www.domain.tld;
+  root /usr/share/webapps/teampass;
+  listen 8080;
+
+  location / {
+    # try to serve file directly, fallback to front controller
+    try_files $uri /index.php$is_args$args;
+  }
+
+  location ~ \.php$ {
+    try_files $uri $document_root$fastcgi_script_name =404;
+    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    include fastcgi.conf;
+  }
+
+  error_log /var/log/nginx/teampass_error.log;
+  access_log /var/log/nginx/teampass_access.log;
+}

states/roles/maintain/pass/temp-repo.conf

@@ -0,0 +1,3 @@
+[teampass-temp]
+SigLevel = Never
+Server = http://pkg.actcur.com/$repo/os/$arch

states/roles/maintain/pkg-cache/pkg-cache.conf

@@ -12,6 +12,10 @@ server
 	location ~ aur-local\.(db|sig){
 		try_files $uri @pkg_mirror;
 	}
+	#TEMPORARY. Requests for teampass.db and sig files should stay here
+	location ~ teampass-temp\.(db|sig){
+		try_files $uri @pkg_mirror;
+	}
 
 	# Requests for package db and signature files should redirect upstream without caching
 	location ~ \.(db|sig)$ {

states/systems/core/backup/disable.sls

@@ -0,0 +1,5 @@
+disable_backups:
+  grains.present:
+    - name: backups_enabled
+    - value: false
+    - force: true

states/systems/core/backup/enable.sls

@@ -0,0 +1,5 @@
+enable_backups:
+  grains.present:
+    - name: backups_enabled
+    - value: true
+    - force: true

states/systems/core/backup/init.sls

@@ -1,4 +1,5 @@
 
+
 {%- if 'backup' in pillar['grains']['roles'] -%}
 {%- else -%}
   {##ensure that backup pillar exists##}
@@ -52,6 +53,9 @@ backup_host.actcur.com:
 rsync_{{ name }}:
   pkg.installed:
     - name: rsync
+        {##only run if backups are enabled##}
+        {%- if grains['backups_enabled'] is defined -%}
+          {%- if grains['backups_enabled'] == true %}
 backup_dir_{{ name }}:
   cmd.run:
     - name: "ssh {{ name }} 'mkdir -p /mnt/butter/backups/configurations/{{ name }}/latest'"
@@ -61,6 +65,8 @@ backup_{{ name }}:
     - source: {{ pillar['backup'][name]['location'] }}/
     - delete: true
     - force: true
+          {%- endif -%}
+        {%- endif -%}
       {%- endif -%}
     {%- endfor %}
   {%- endif %}

states/top.sls

@@ -13,7 +13,7 @@
   '*':
     - update
     - basepkgs
-    - roles
+    - grains
     - systems.core.firewalld
     - systems.core.mount
     - systems.core.git

states/update/init.sls

@@ -1,3 +1,9 @@
 update:
   pkg.uptodate:
     - refresh: True
+
+{% if grains['os_family'] == 'Arch' %}
+clear_pkg_cache:
+  cmd.run:
+    - name: "pacman -Sc --noconfirm"
+{% endif %}