commit e36af35f0697378ac86b440a3074e9f712b0de28
Author: Beth Parker
Date: Mon Aug 7 13:25:01 2017 -0500
initial commit
diff --git a/merge.sh b/merge.sh
new file mode 100644
index 0000000..f7bba37
--- /dev/null
+++ b/merge.sh
@@ -0,0 +1,4 @@
+git checkout master
+git merge dev
+git push
+git checkout dev
diff --git a/pillars/roles/aurpkgs/calendar.sls b/pillars/roles/aurpkgs/calendar.sls
new file mode 100755
index 0000000..c02ebb1
--- /dev/null
+++ b/pillars/roles/aurpkgs/calendar.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ baikal: []
diff --git a/pillars/roles/aurpkgs/git.sls b/pillars/roles/aurpkgs/git.sls
new file mode 100755
index 0000000..51e3a4a
--- /dev/null
+++ b/pillars/roles/aurpkgs/git.sls
@@ -0,0 +1,3 @@
+aurpkgs:
+ glide-git: []
+ gogs: []
diff --git a/pillars/roles/aurpkgs/headphones.sls b/pillars/roles/aurpkgs/headphones.sls
new file mode 100755
index 0000000..37737bd
--- /dev/null
+++ b/pillars/roles/aurpkgs/headphones.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ headphones: []
diff --git a/pillars/roles/aurpkgs/init.sls b/pillars/roles/aurpkgs/init.sls
new file mode 100755
index 0000000..0d188fa
--- /dev/null
+++ b/pillars/roles/aurpkgs/init.sls
@@ -0,0 +1,21 @@
+{% set states = salt['cp.list_states'](saltenv) %}
+include:
+ - roles.aurpkgs.none
+{%- if grains['roles'] is defined -%}
+ {%- if grains['roles'] is not none -%}
+ {%- if 'aurrepo' in grains['roles'] -%}
+ {%- for state in states %}
+ {%- if state.startswith("pillars.roles.aurpkgs.") -%}
+ {%- set role = state.split('.')[3] %}
+ - roles.aurpkgs.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- else -%}
+ {%- for role in grains['roles'] %}
+ {%- if 'pillars.roles.aurpkgs.'+role in states %}
+ - roles.aurpkgs.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- endif -%}
+ {%- endif -%}
+{%- endif -%}
diff --git a/pillars/roles/aurpkgs/jackett.sls b/pillars/roles/aurpkgs/jackett.sls
new file mode 100755
index 0000000..831c9ca
--- /dev/null
+++ b/pillars/roles/aurpkgs/jackett.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ jackett: []
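Review bot: merge.sh pushes unconditionally: when `git checkout master` or `git merge dev` fails (dirty tree, merge conflict), the script carries on, `git push` publishes whatever master currently holds, and `git checkout dev` switches away with the conflict still in the tree. Add `#!/bin/bash` and `set -euo pipefail` as the first two lines so the script stops at the first failing command. This matters here because pillars/roles/git/saltmaster.sls in the same commit checks `master` out into `/srv/salt/prod` with `force: true`, so anything that reaches master becomes the production state tree.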
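Review bot: The `include` list in pillars/roles/aurpkgs/init.sls is chosen from `grains['roles']`, and grains are reported by the minion itself, so a minion can set its own `roles` grain to `aurrepo` and receive every aurpkgs pillar, or name any other role and receive that role's pillar data; the same pattern is used in pillars/roles/firewalld/init.sls, pillars/roles/git/init.sls, pillars/roles/mount/init.sls and pillars/roles/nginx/init.sls. Salt's documentation advises against selecting pillar data by grains for this reason; the package and port lists here are low value, but the git pillar names the deploy key `git_actcur` and its clone paths. If grain-based selection is kept, a comment at the top of each init.sls recording the decision would help, e.g. `{# roles come from minion grains, which the minion controls: keep only non-sensitive data under roles.* #}`. The lookup also assumes `cp.list_states` sees the pillar tree under the file-server root as `pillars.*` and that `saltenv` is set during pillar rendering; both depend on master configuration that is not in this commit.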
diff --git a/pillars/roles/aurpkgs/lam.sls b/pillars/roles/aurpkgs/lam.sls
new file mode 100755
index 0000000..dad9ff4
--- /dev/null
+++ b/pillars/roles/aurpkgs/lam.sls
@@ -0,0 +1,6 @@
+aurpkgs:
+ ldap-account-manager: []
+# building php56 doesn't seem to work
+# php56: []
+# php56-fpm: []
+# php56-ldap: []
diff --git a/pillars/roles/aurpkgs/none.sls b/pillars/roles/aurpkgs/none.sls
new file mode 100755
index 0000000..dd93027
--- /dev/null
+++ b/pillars/roles/aurpkgs/none.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ wtf:[]
diff --git a/pillars/roles/aurpkgs/ombi.sls b/pillars/roles/aurpkgs/ombi.sls
new file mode 100755
index 0000000..50bf469
--- /dev/null
+++ b/pillars/roles/aurpkgs/ombi.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ ombi: []
diff --git a/pillars/roles/aurpkgs/plexmediaserver.sls b/pillars/roles/aurpkgs/plexmediaserver.sls
new file mode 100755
index 0000000..36d699f
--- /dev/null
+++ b/pillars/roles/aurpkgs/plexmediaserver.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ plex-media-server-plexpass: []
diff --git a/pillars/roles/aurpkgs/portal.sls b/pillars/roles/aurpkgs/portal.sls
new file mode 100755
index 0000000..8f43531
--- /dev/null
+++ b/pillars/roles/aurpkgs/portal.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ byobu: []
diff --git a/pillars/roles/aurpkgs/radarr.sls b/pillars/roles/aurpkgs/radarr.sls
new file mode 100755
index 0000000..996d392
--- /dev/null
+++ b/pillars/roles/aurpkgs/radarr.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ radarr: []
diff --git a/pillars/roles/aurpkgs/sonarr.sls b/pillars/roles/aurpkgs/sonarr.sls
new file mode 100755
index 0000000..dd4cfd5
--- /dev/null
+++ b/pillars/roles/aurpkgs/sonarr.sls
@@ -0,0 +1,2 @@
+aurpkgs:
+ sonarr: []
diff --git a/pillars/roles/firewalld/certbot.sls b/pillars/roles/firewalld/certbot.sls
new file mode 100755
index 0000000..687ca3e
--- /dev/null
+++ b/pillars/roles/firewalld/certbot.sls
@@ -0,0 +1,5 @@
+firewalld:
+ 70_internal:
+ service:
+ - http
+ - https
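Review bot: `wtf:[]` in pillars/roles/aurpkgs/none.sls has no space after the colon, so YAML reads it as the plain scalar `wtf:[]` rather than a key with an empty list, and `aurpkgs` becomes a string that then has to be merged with the mapping every other aurpkgs pillar provides. Since this file is the always-included default, `aurpkgs: {}` on one line says what is meant; otherwise the second line should be `  wtf: []`.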
diff --git a/pillars/roles/firewalld/core.sls b/pillars/roles/firewalld/core.sls
new file mode 100755
index 0000000..4e496e3
--- /dev/null
+++ b/pillars/roles/firewalld/core.sls
@@ -0,0 +1,17 @@
+firewalld:
+ 60_guest:
+ description: Guest zone. Only connections from the guest network are accepted.
+ include:
+ - 99_public
+ source:
+ - 192.168.42.0/24
+ 70_internal:
+ description: Internal zone. Only connections from internal network are accepted.
+ include:
+ - 99_public
+ source:
+ - 172.16.0.0/16
+ 99_public:
+ description: Public zone. Only selected connections are accepted from anywhere.
+ source:
+ - 0.0.0.0/0
diff --git a/pillars/roles/firewalld/deluge.sls b/pillars/roles/firewalld/deluge.sls
new file mode 100755
index 0000000..807ab30
--- /dev/null
+++ b/pillars/roles/firewalld/deluge.sls
@@ -0,0 +1,12 @@
+firewalld:
+ 70_internal:
+ service:
+ - http
+ port:
+ - 58846/tcp
+ - 8112/tcp
+ 99_public:
+ port:
+ - 63150/tcp
+ - 63150/udp
+
diff --git a/pillars/roles/firewalld/git.sls b/pillars/roles/firewalld/git.sls
new file mode 100755
index 0000000..ec1e02f
--- /dev/null
+++ b/pillars/roles/firewalld/git.sls
@@ -0,0 +1,7 @@
+firewalld:
+ 70_internal:
+ port:
+ - 3000/tcp
+ 99_public:
+ port:
+ - 5022/tcp
diff --git a/pillars/roles/firewalld/gitlab.sls b/pillars/roles/firewalld/gitlab.sls
new file mode 100644
index 0000000..ec1e02f
--- /dev/null
+++ b/pillars/roles/firewalld/gitlab.sls
@@ -0,0 +1,7 @@
+firewalld:
+ 70_internal:
+ port:
+ - 3000/tcp
+ 99_public:
+ port:
+ - 5022/tcp
diff --git a/pillars/roles/firewalld/init.sls b/pillars/roles/firewalld/init.sls
new file mode 100755
index 0000000..5372ee6
--- /dev/null
+++ b/pillars/roles/firewalld/init.sls
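Review bot: pillars/roles/firewalld/gitlab.sls is byte-identical to git.sls (both are blob ec1e02f), and pillars/roles/nginx/gitlab.sls likewise duplicates nginx/git.sls (blob 4029e0f), so the two roles will drift the first time one copy is edited. If gitlab is meant to inherit git's firewall and proxy settings, a pillar that does `include:` / `  - roles.firewalld.git`, or at least a comment naming which file is authoritative, is safer than a copy. The mode also differs (100644 here, 100755 for git.sls); pillar files need no execute bit either way, so the 100644 form is the one to keep.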
@@ -0,0 +1,13 @@
+{% set states = salt['cp.list_states'](saltenv) %}
+include:
+ - roles.firewalld.core
+
+{%- if grains['roles'] is defined -%}
+ {%- if grains['roles'] is not none -%}
+ {%- for role in grains['roles'] %}
+ {%- if 'pillars.roles.firewalld.'+role in states %}
+ - roles.firewalld.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- endif -%}
+{%- endif -%}
diff --git a/pillars/roles/firewalld/nginx-proxy.sls b/pillars/roles/firewalld/nginx-proxy.sls
new file mode 100755
index 0000000..3ff8c54
--- /dev/null
+++ b/pillars/roles/firewalld/nginx-proxy.sls
@@ -0,0 +1,8 @@
+firewalld:
+ 70_internal:
+ service:
+ - http
+ - https
+ 50_server:
+ port:
+ - 8080/tcp
diff --git a/pillars/roles/firewalld/pepper.sls b/pillars/roles/firewalld/pepper.sls
new file mode 100755
index 0000000..aada81c
--- /dev/null
+++ b/pillars/roles/firewalld/pepper.sls
@@ -0,0 +1,4 @@
+firewalld:
+ 70_internal:
+ port:
+ - 80/tcp
diff --git a/pillars/roles/firewalld/plexmediaserver.sls b/pillars/roles/firewalld/plexmediaserver.sls
new file mode 100755
index 0000000..cce7f9a
--- /dev/null
+++ b/pillars/roles/firewalld/plexmediaserver.sls
@@ -0,0 +1,4 @@
+firewalld:
+ 99_public:
+ port:
+ - 32400/tcp
diff --git a/pillars/roles/firewalld/portal.sls b/pillars/roles/firewalld/portal.sls
new file mode 100755
index 0000000..7ee3131
--- /dev/null
+++ b/pillars/roles/firewalld/portal.sls
@@ -0,0 +1,5 @@
+firewalld:
+ 99_public:
+ service:
+ - http
+ - https
diff --git a/pillars/roles/firewalld/saltmaster.sls b/pillars/roles/firewalld/saltmaster.sls
new file mode 100755
index 0000000..f9b57ad
--- /dev/null
+++ b/pillars/roles/firewalld/saltmaster.sls
@@ -0,0 +1,14 @@
+firewalld:
+ 70_internal:
+ port:
+ - 4505/tcp
+ - 4506/tcp
+# rule:
+# salt port 1:
+# source: 192.168.41.29
+# port: 4505/tcp
+# action: accept
+# salt port 2:
+# source: 192.168.41.29
+# port: 4506/tcp
+# action: accept
diff --git a/pillars/roles/firewalld/saltminion.sls b/pillars/roles/firewalld/saltminion.sls
new file mode 100755
index 0000000..2df4b7c
--- /dev/null
+++ b/pillars/roles/firewalld/saltminion.sls
@@ -0,0 +1,11 @@
+firewalld:
+ 70_internal:
+ rule:
+ salt port 1:
+ source: 192.168.41.29
+ port: 4505/tcp
+ action: accept
+ salt port 2:
+ source: 192.168.41.29
+ port: 4506/tcp
+ action: accept
diff --git a/pillars/roles/firewalld/server.sls b/pillars/roles/firewalld/server.sls
new file mode 100755
index 0000000..2226daa
--- /dev/null
+++ b/pillars/roles/firewalld/server.sls
@@ -0,0 +1,15 @@
+firewalld:
+ 10_enduser:
+ description: End User zone. Only connections form end users are accepted.
+ include:
+ - 99_public
+ - 70_internal
+ source:
+ - 172.16.40.0/24
+ 50_server:
+ description: Server zone. Only connections from servers are accepted.
+ include:
+ - 99_public
+ - 70_internal
+ source:
+ - 172.16.41.0/24
diff --git a/pillars/roles/firewalld/ssh.sls b/pillars/roles/firewalld/ssh.sls
new file mode 100755
index 0000000..25bd61e
--- /dev/null
+++ b/pillars/roles/firewalld/ssh.sls
@@ -0,0 +1,4 @@
+firewalld:
+ 70_internal:
+ service:
+ - ssh
diff --git a/pillars/roles/git/init.sls b/pillars/roles/git/init.sls
new file mode 100755
index 0000000..608c7de
--- /dev/null
+++ b/pillars/roles/git/init.sls
@@ -0,0 +1,13 @@
+{% set states = salt['cp.list_states'](saltenv) %}
+include:
+ - roles.git.none
+
+{%- if grains['roles'] is defined -%}
+ {%- if grains['roles'] is not none -%}
+ {%- for role in grains['roles'] %}
+ {%- if 'pillars.roles.git.'+role in states %}
+ - roles.git.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- endif -%}
+{%- endif -%}
diff --git a/pillars/roles/git/none.sls b/pillars/roles/git/none.sls
new file mode 100755
index 0000000..e69de29
diff --git a/pillars/roles/git/portal.sls b/pillars/roles/git/portal.sls
new file mode 100644
index 0000000..4333628
--- /dev/null
+++ b/pillars/roles/git/portal.sls
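Review bot: The rich rules in pillars/roles/firewalld/saltminion.sls accept inbound 4505/tcp and 4506/tcp from 192.168.41.29 on a minion, but those are the master's publish and return ports; a minion only connects outbound to them and does not listen on anything salt-related, so on the minion side the rules open ports no service uses. The same block sits commented out in pillars/roles/firewalld/saltmaster.sls, which instead opens 4505/4506 to the whole `70_internal` zone (172.16.0.0/16 per core.sls). If 192.168.41.29 is the one host that should reach the master, moving the rules into saltmaster.sls and dropping the zone-wide `port:` entries there narrows the exposure; if the minions really do need these ports, a comment saying why would help, since the pillar alone cannot show how the formula interprets `rule:`.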
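Review bot: `description: End User zone. Only connections form end users are accepted.` in pillars/roles/firewalld/server.sls has a typo; it should read `from end users`. Both `10_enduser` and `50_server` list `70_internal` under `include:`, which, going by the zone descriptions in core.sls, means every service opened to the internal zone in other role pillars (ssh, 4505/4506, http) is also reachable from the 172.16.40.0/24 end-user range; if that inheritance is intended, a one-line comment on the `include:` entries would record it.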
@@ -0,0 +1,9 @@
+git:
+ tmux:
+ repo: "ssh://gogs@git.actcur.com:5022/actcur/tmux.git"
+ path: "/root/tmux"
+ branch: "master"
+ key: "git_actcur"
+ force: true
+ email: "actcur@actcur.com"
+ name: "Actaeus Curabitur"
diff --git a/pillars/roles/git/saltmaster.sls b/pillars/roles/git/saltmaster.sls
new file mode 100755
index 0000000..5641da5
--- /dev/null
+++ b/pillars/roles/git/saltmaster.sls
@@ -0,0 +1,17 @@
+git:
+ salt:
+ repo: "ssh://gogs@git.actcur.com:5022/actcur/salt.git"
+ path: "/srv/salt/prod"
+ branch: "master"
+ key: "git_actcur"
+ force: true
+ email: "actcur@actcur.com"
+ name: "Actaeus Curabitur"
+ salt_dev:
+ repo: "ssh://gogs@git.actcur.com:5022/actcur/salt.git"
+ path: "/srv/salt/dev"
+ branch: "dev"
+ key: "git_actcur"
+ force: true
+ email: "actcur@actcur.com"
+ name: "Actaeus Curabitur"
diff --git a/pillars/roles/init.sls b/pillars/roles/init.sls
new file mode 100755
index 0000000..aabab46
--- /dev/null
+++ b/pillars/roles/init.sls
@@ -0,0 +1,7 @@
+include:
+ - roles.maintainer
+ - roles.firewalld
+ - roles.nginx
+ - roles.aurpkgs
+ - roles.mount
+ - roles.git
diff --git a/pillars/roles/maintainer/deluge.sls b/pillars/roles/maintainer/deluge.sls
new file mode 100755
index 0000000..393d424
--- /dev/null
+++ b/pillars/roles/maintainer/deluge.sls
@@ -0,0 +1,4 @@
+roles:
+ pepper:
+ maintainer:
+ - masaufuku
diff --git a/pillars/roles/maintainer/init.sls b/pillars/roles/maintainer/init.sls
new file mode 100755
index 0000000..eda2530
--- /dev/null
+++ b/pillars/roles/maintainer/init.sls
@@ -0,0 +1,7 @@
+include:
+ - roles.maintainer.saltmaster
+ - roles.maintainer.ssh
+ - roles.maintainer.server
+ - roles.maintainer.saltminion
+ - roles.maintainer.pepper
+ - roles.maintainer.deluge
diff --git a/pillars/roles/maintainer/pepper.sls b/pillars/roles/maintainer/pepper.sls
new file mode 100755
index 0000000..393d424
--- /dev/null
+++ b/pillars/roles/maintainer/pepper.sls
@@ -0,0 +1,4 @@
+roles:
+ pepper:
+ maintainer:
+ - masaufuku
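Review bot: pillars/roles/git/saltmaster.sls tracks `branch: "master"` with `force: true` into `/srv/salt/prod`, so any commit that reaches master on git.actcur.com becomes the production state tree on the next run and local edits under /srv/salt/prod are discarded; that is a defensible design, but it deserves a comment, since merge.sh in this same commit pushes master without any checks. The `key`, `email` and `name` values are repeated verbatim in both entries and again in pillars/roles/git/portal.sls; a YAML anchor or a Jinja variable would keep the deploy-key name in one place. How the `git_actcur` key is provisioned and whether the clone verifies the server's SSH host key is not visible in this pillar; a comment pointing at where that is configured would save the next reader a search.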
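Review bot: pillars/roles/maintainer/deluge.sls sets `roles: pepper: maintainer:` — it is the same blob (393d424) as pepper.sls — so the deluge role never gets a maintainer and the file merely restates pepper's entry. The second line should be `  deluge:`. The copy-and-rename mistake is easy to repeat because pillars/roles/maintainer/init.sls lists every role file by hand instead of discovering them with `cp.list_states` the way the other init.sls files in this commit do.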
diff --git a/pillars/roles/maintainer/saltmaster.sls b/pillars/roles/maintainer/saltmaster.sls
new file mode 100755
index 0000000..f81d323
--- /dev/null
+++ b/pillars/roles/maintainer/saltmaster.sls
@@ -0,0 +1,4 @@
+roles:
+ saltmaster:
+ maintainer:
+ - masaufuku
diff --git a/pillars/roles/maintainer/saltminion.sls b/pillars/roles/maintainer/saltminion.sls
new file mode 100755
index 0000000..81c8a7a
--- /dev/null
+++ b/pillars/roles/maintainer/saltminion.sls
@@ -0,0 +1,4 @@
+roles:
+ saltminion:
+ maintainer:
+ - masaufuku
diff --git a/pillars/roles/maintainer/server.sls b/pillars/roles/maintainer/server.sls
new file mode 100755
index 0000000..1c411f3
--- /dev/null
+++ b/pillars/roles/maintainer/server.sls
@@ -0,0 +1,5 @@
+roles:
+ server:
+ maintainer:
+ - masaufuku
+
diff --git a/pillars/roles/maintainer/ssh.sls b/pillars/roles/maintainer/ssh.sls
new file mode 100755
index 0000000..c741748
--- /dev/null
+++ b/pillars/roles/maintainer/ssh.sls
@@ -0,0 +1,5 @@
+roles:
+ ssh:
+ maintainer:
+ - masaufuku
+
diff --git a/pillars/roles/mount/gitlab.sls b/pillars/roles/mount/gitlab.sls
new file mode 100644
index 0000000..613147e
--- /dev/null
+++ b/pillars/roles/mount/gitlab.sls
@@ -0,0 +1,6 @@
+mount:
+ sshfs:
+ /var/lib/gitlab:
+ host: host.actcur.com
+ directory: /mnt/butter/git
+ user: git
diff --git a/pillars/roles/mount/init.sls b/pillars/roles/mount/init.sls
new file mode 100755
index 0000000..086dafc
--- /dev/null
+++ b/pillars/roles/mount/init.sls
@@ -0,0 +1,13 @@
+{% set states = salt['cp.list_states'](saltenv) %}
+include:
+ - roles.mount.none
+
+{%- if grains['roles'] is defined -%}
+ {%- if grains['roles'] is not none -%}
+ {%- for role in grains['roles'] %}
+ {%- if 'pillars.roles.mount.'+role in states %}
+ - roles.mount.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- endif -%}
+{%- endif -%}
diff --git a/pillars/roles/mount/none.sls b/pillars/roles/mount/none.sls
new file mode 100755
index 0000000..e69de29
diff --git a/pillars/roles/mount/pkg-cache.sls b/pillars/roles/mount/pkg-cache.sls
new file mode 100755
index 0000000..568ac3c
--- /dev/null
+++ b/pillars/roles/mount/pkg-cache.sls
@@ -0,0 +1,6 @@
+mount:
+ sshfs:
+ /mnt/pkgs:
+ host: host.actcur.com
+ directory: /mnt/butter/pkgs
+ user: pkgs
diff --git a/pillars/roles/mount/plexmediaserver.sls b/pillars/roles/mount/plexmediaserver.sls
new file mode 100755
index 0000000..3b412fb
--- /dev/null
+++ b/pillars/roles/mount/plexmediaserver.sls
@@ -0,0 +1,14 @@
+mount:
+ sshfs:
+ /mnt/video:
+ host: host.actcur.com
+ directory: /mnt/butter/video
+ user: mount
+ /mnt/music:
+ host: host.actcur.com
+ directory: /mnt/butter/music
+ user: mount
+ ext4:
+ /var/lib/plexmediaserver/Library:
+ device: UUID=0ab3f7fc-6525-40ba-905c-ff5fff2de1a3
+
diff --git a/pillars/roles/mount/saltmaster.sls b/pillars/roles/mount/saltmaster.sls
new file mode 100755
index 0000000..72c26c9
--- /dev/null
+++ b/pillars/roles/mount/saltmaster.sls
@@ -0,0 +1,6 @@
+mount:
+ sshfs:
+ /mnt:
+ host: host.actcur.com
+ directory: /mnt/butter/salt
+ user: mount
diff --git a/pillars/roles/nginx/authtypes.txt b/pillars/roles/nginx/authtypes.txt
new file mode 100755
index 0000000..4fd27bf
--- /dev/null
+++ b/pillars/roles/nginx/authtypes.txt
@@ -0,0 +1,4 @@
+blocked: can't access
+none: public access
+simple: file-based auth
+ldap: directory based auth - not implemented
diff --git a/pillars/roles/nginx/baikal.sls b/pillars/roles/nginx/baikal.sls
new file mode 100755
index 0000000..792381b
--- /dev/null
+++ b/pillars/roles/nginx/baikal.sls
@@ -0,0 +1,12 @@
+nginx:
+ cal:
+ auth: none
+ https:
+ port: 8080
+ prot: http
+ default: no
+ baikal:
+ auth: none
+ https:
+ port: 8080
+ prot: http
diff --git a/pillars/roles/nginx/calandar.sls b/pillars/roles/nginx/calandar.sls
new file mode 100755
index 0000000..ce7455a
--- /dev/null
+++ b/pillars/roles/nginx/calandar.sls
@@ -0,0 +1,11 @@
+nginx:
+ cal:
+ auth: none
+ https:
+ port: 8081
+ prot: http
+ baikal:
+ auth: none
+ https:
+ port: 8081
+ prot: http
diff --git a/pillars/roles/nginx/git.sls b/pillars/roles/nginx/git.sls
new file mode 100755
index 0000000..4029e0f
--- /dev/null
+++ b/pillars/roles/nginx/git.sls
@@ -0,0 +1,6 @@
+nginx:
+ git:
+ auth: none
+ https:
+ port: 3000
+ prot: http
diff --git a/pillars/roles/nginx/gitlab.sls b/pillars/roles/nginx/gitlab.sls
new file mode 100644
index 0000000..4029e0f
--- /dev/null
+++ b/pillars/roles/nginx/gitlab.sls
@@ -0,0 +1,6 @@
+nginx:
+ git:
+ auth: none
+ https:
+ port: 3000
+ prot: http
diff --git a/pillars/roles/nginx/headphones.sls b/pillars/roles/nginx/headphones.sls
new file mode 100755
index 0000000..e9fc132
--- /dev/null
+++ b/pillars/roles/nginx/headphones.sls
@@ -0,0 +1,6 @@
+nginx:
+ headphones:
+ auth: blocked
+ https:
+ port: 8181
+ prot: http
diff --git a/pillars/roles/nginx/init.sls b/pillars/roles/nginx/init.sls
new file mode 100755
index 0000000..4debb29
--- /dev/null
+++ b/pillars/roles/nginx/init.sls
@@ -0,0 +1,21 @@
+{% set states = salt['cp.list_states'](saltenv) %}
+include:
+ - roles.nginx.none
+{%- if grains['roles'] is defined -%}
+ {%- if grains['roles'] is not none -%}
+ {%- if 'portal' in grains['roles'] -%}
+ {%- for state in states %}
+ {%- if state.startswith("pillars.roles.nginx.") -%}
+ {%- set role = state.split('.')[3] %}
+ - roles.nginx.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- else -%}
+ {%- for role in grains['roles'] %}
+ {%- if 'pillars.roles.nginx.'+role in states %}
+ - roles.nginx.{{ role }}
+ {%- endif -%}
+ {%- endfor -%}
+ {%- endif -%}
+ {%- endif -%}
+{%- endif -%}
diff --git a/pillars/roles/nginx/jackett.sls b/pillars/roles/nginx/jackett.sls
new file mode 100755
index 0000000..1b9eae4
--- /dev/null
+++ b/pillars/roles/nginx/jackett.sls
@@ -0,0 +1,6 @@
+nginx:
+ jackett:
+ auth: blocked
+ https:
+ port: 9117
+ prot: http
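Review bot: pillars/roles/nginx/calandar.sls redefines the `cal` and `baikal` entries that baikal.sls already declares, with `port: 8081` instead of 8080, and pillars/roles/nginx/init.sls includes every `pillars.roles.nginx.*` file on the portal host, so which backend port wins depends on pillar merge order. The filename is also misspelled relative to the `calendar` role that pillars/roles/aurpkgs/calendar.sls serves, so on a non-portal host the `'pillars.roles.nginx.'+role` test never matches it. Either delete this file, or rename it to calendar.sls and remove the duplicate `cal`/`baikal` keys from baikal.sls so each vhost is defined exactly once.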
diff --git a/pillars/roles/nginx/lam.sls b/pillars/roles/nginx/lam.sls
new file mode 100755
index 0000000..56a7fc4
--- /dev/null
+++ b/pillars/roles/nginx/lam.sls
@@ -0,0 +1,6 @@
+nginx:
+ lam:
+ auth: none
+ https:
+ port: 8000
+ prot: http
diff --git a/pillars/roles/nginx/lamp.sls b/pillars/roles/nginx/lamp.sls
new file mode 100755
index 0000000..857f4a2
--- /dev/null
+++ b/pillars/roles/nginx/lamp.sls
@@ -0,0 +1,6 @@
+nginx:
+ lamp:
+ auth: none
+ https:
+ port: 8000
+ prot: http
diff --git a/pillars/roles/nginx/ldapui.sls b/pillars/roles/nginx/ldapui.sls
new file mode 100755
index 0000000..4687ede
--- /dev/null
+++ b/pillars/roles/nginx/ldapui.sls
@@ -0,0 +1,6 @@
+nginx:
+ ldapui:
+ auth: simple
+ https:
+ port: 8000
+ prot: http
diff --git a/pillars/roles/nginx/none.sls b/pillars/roles/nginx/none.sls
new file mode 100755
index 0000000..e69de29
diff --git a/pillars/roles/nginx/ombi.sls b/pillars/roles/nginx/ombi.sls
new file mode 100755
index 0000000..665416a
--- /dev/null
+++ b/pillars/roles/nginx/ombi.sls
@@ -0,0 +1,6 @@
+nginx:
+ ombi:
+ auth: none
+ https:
+ port: 3579
+ prot: http
diff --git a/pillars/roles/nginx/pkg-cache.sls b/pillars/roles/nginx/pkg-cache.sls
new file mode 100755
index 0000000..4d5c7e3
--- /dev/null
+++ b/pillars/roles/nginx/pkg-cache.sls
@@ -0,0 +1,9 @@
+nginx:
+ pkg:
+ auth: blocked
+ https:
+ port: 8000
+ prot: http
+ http:
+ port: 8000
+ prot: http
diff --git a/pillars/roles/nginx/plexmediaserver.sls b/pillars/roles/nginx/plexmediaserver.sls
new file mode 100755
index 0000000..3cf49de
--- /dev/null
+++ b/pillars/roles/nginx/plexmediaserver.sls
@@ -0,0 +1,6 @@
+nginx:
+ plex:
+ auth: none
+ https:
+ port: 32400
+ prot: http
diff --git a/pillars/roles/nginx/radarr.sls b/pillars/roles/nginx/radarr.sls
new file mode 100755
index 0000000..1145f0b
--- /dev/null
+++ b/pillars/roles/nginx/radarr.sls
@@ -0,0 +1,6 @@
+nginx:
+ radarr:
+ auth: blocked
+ https:
+ port: 7878
+ prot: http
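Review bot: pillars/roles/nginx/lam.sls publishes LDAP Account Manager (the `ldap-account-manager` package from pillars/roles/aurpkgs/lam.sls) through the portal with `auth: none`, so there is no proxy-level authentication in front of the directory's administration UI and the application's own login is the only gate; compare ldapui.sls, which uses `auth: simple` for a similar tool. If this is deliberate, a comment such as `# auth: none — LAM enforces its own login; revisit once the ldap auth type exists` would record the decision, since authtypes.txt in this commit notes that the `ldap` auth type is not implemented yet.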
diff --git a/pillars/roles/nginx/sonarr.sls b/pillars/roles/nginx/sonarr.sls
new file mode 100755
index 0000000..facf534
--- /dev/null
+++ b/pillars/roles/nginx/sonarr.sls
@@ -0,0 +1,6 @@
+nginx:
+ sonarr:
+ auth: blocked
+ https:
+ port: 8989
+ prot: http
diff --git a/pillars/roles/nginx/sync.sls b/pillars/roles/nginx/sync.sls
new file mode 100755
index 0000000..071fd8a
--- /dev/null
+++ b/pillars/roles/nginx/sync.sls
@@ -0,0 +1,6 @@
+nginx:
+ sync:
+ auth: blocked
+ https:
+ port: 8080
+ prot: http
diff --git a/pillars/roles/nginx/ttrss.sls b/pillars/roles/nginx/ttrss.sls
new file mode 100755
index 0000000..00b1494
--- /dev/null
+++ b/pillars/roles/nginx/ttrss.sls
@@ -0,0 +1,6 @@
+nginx:
+ tt:
+ auth: none
+ https:
+ port: 8080
+ prot: http
diff --git a/pillars/servers/env/init.sls b/pillars/servers/env/init.sls
new file mode 100755
index 0000000..276f0a6
--- /dev/null
+++ b/pillars/servers/env/init.sls
@@ -0,0 +1,2 @@
+include:
+ - servers.env.server.{{ grains['host'] }}
diff --git a/pillars/servers/env/server/.sls b/pillars/servers/env/server/.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archbaikal.sls b/pillars/servers/env/server/archbaikal.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archbaikal.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archcal.sls b/pillars/servers/env/server/archcal.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archcal.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archcouch.sls b/pillars/servers/env/server/archcouch.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archcouch.sls
@@ -0,0 +1 @@
+env: prod
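Review bot: `include:` / `  - servers.env.server.{{ grains['host'] }}` in pillars/servers/env/init.sls has no fallback: a minion whose hostname has no file under server/ will get a pillar error for the missing include, and the `base` template added in this commit cannot act as a default because it lacks the `.sls` suffix. The role init.sls files in the same commit already guard their includes with `cp.list_states`; the same `{%- if 'pillars.servers.env.server.'+grains['host'] in states %}` test here would make an unknown host a no-op instead of an error. As with the role pillars, `grains['host']` is reported by the minion, so a minion can ask for another host's `env` file; pillars/servers/maintainer/init.sls and pillars/servers/roles/init.sls have the same shape and the same two caveats.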
diff --git a/pillars/servers/env/server/archdeluge.sls b/pillars/servers/env/server/archdeluge.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archdeluge.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archgit.sls b/pillars/servers/env/server/archgit.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archgit.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archheadphones.sls b/pillars/servers/env/server/archheadphones.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archheadphones.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archjackett.sls b/pillars/servers/env/server/archjackett.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archjackett.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archlam.sls b/pillars/servers/env/server/archlam.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archlam.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archldap.sls b/pillars/servers/env/server/archldap.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archldap.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archldaptest.sls b/pillars/servers/env/server/archldaptest.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archldaptest.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archldapui.sls b/pillars/servers/env/server/archldapui.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archldapui.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archmail.sls b/pillars/servers/env/server/archmail.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archmail.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archombi.sls b/pillars/servers/env/server/archombi.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archombi.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archpkg.sls b/pillars/servers/env/server/archpkg.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archpkg.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archplex.sls b/pillars/servers/env/server/archplex.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archplex.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archportal.sls b/pillars/servers/env/server/archportal.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archportal.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archradarr.sls b/pillars/servers/env/server/archradarr.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archradarr.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archrequest.sls b/pillars/servers/env/server/archrequest.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archrequest.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archsalt.sls b/pillars/servers/env/server/archsalt.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archsalt.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archsonarr.sls b/pillars/servers/env/server/archsonarr.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archsonarr.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archssh.sls b/pillars/servers/env/server/archssh.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archssh.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archsync.sls b/pillars/servers/env/server/archsync.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archsync.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/archtt.sls b/pillars/servers/env/server/archtt.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/archtt.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/base b/pillars/servers/env/server/base
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/base
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/centlamp.sls b/pillars/servers/env/server/centlamp.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/centlamp.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/env/server/pisalt.sls b/pillars/servers/env/server/pisalt.sls
new file mode 100755
index 0000000..2fdef9a
--- /dev/null
+++ b/pillars/servers/env/server/pisalt.sls
@@ -0,0 +1 @@
+env: prod
diff --git a/pillars/servers/init.sls b/pillars/servers/init.sls
new file mode 100755
index 0000000..c450382
--- /dev/null
+++ b/pillars/servers/init.sls
@@ -0,0 +1,4 @@
+include:
+ - servers.maintainer
+ - servers.env
+ - servers.roles
diff --git a/pillars/servers/maintainer/init.sls b/pillars/servers/maintainer/init.sls
new file mode 100755
index 0000000..bd8633a
--- /dev/null
+++ b/pillars/servers/maintainer/init.sls
@@ -0,0 +1,2 @@
+include:
+ - servers.maintainer.server.{{ grains['host'] }}
diff --git a/pillars/servers/maintainer/server/.sls b/pillars/servers/maintainer/server/.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archbaikal.sls b/pillars/servers/maintainer/server/archbaikal.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archbaikal.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archcal.sls b/pillars/servers/maintainer/server/archcal.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archcal.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archcouch.sls b/pillars/servers/maintainer/server/archcouch.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archcouch.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archdeluge.sls b/pillars/servers/maintainer/server/archdeluge.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archdeluge.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archgit.sls b/pillars/servers/maintainer/server/archgit.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archgit.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archheadphones.sls b/pillars/servers/maintainer/server/archheadphones.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archheadphones.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archjackett.sls b/pillars/servers/maintainer/server/archjackett.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archjackett.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archlam.sls b/pillars/servers/maintainer/server/archlam.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archlam.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archldap.sls b/pillars/servers/maintainer/server/archldap.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archldap.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archldaptest.sls b/pillars/servers/maintainer/server/archldaptest.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archldaptest.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archldapui.sls b/pillars/servers/maintainer/server/archldapui.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archldapui.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archmail.sls b/pillars/servers/maintainer/server/archmail.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archmail.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archombi.sls b/pillars/servers/maintainer/server/archombi.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archombi.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archpkg.sls b/pillars/servers/maintainer/server/archpkg.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archpkg.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archplex.sls b/pillars/servers/maintainer/server/archplex.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archplex.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archportal.sls b/pillars/servers/maintainer/server/archportal.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archportal.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archradarr.sls b/pillars/servers/maintainer/server/archradarr.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archradarr.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archrequest.sls b/pillars/servers/maintainer/server/archrequest.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archrequest.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archsalt.sls b/pillars/servers/maintainer/server/archsalt.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archsalt.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archsonarr.sls b/pillars/servers/maintainer/server/archsonarr.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archsonarr.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archssh.sls b/pillars/servers/maintainer/server/archssh.sls
new file mode 100755
index 0000000..c0b416d
--- /dev/null
+++ b/pillars/servers/maintainer/server/archssh.sls
@@ -0,0 +1,3 @@
+maintainer:
+ - masaufuku
+
diff --git a/pillars/servers/maintainer/server/archsync.sls b/pillars/servers/maintainer/server/archsync.sls new file mode 100755 index 0000000..c0b416d --- /dev/null +++ b/pillars/servers/maintainer/server/archsync.sls @@ -0,0 +1,3 @@ +maintainer: + - masaufuku + diff --git a/pillars/servers/maintainer/server/archtt.sls b/pillars/servers/maintainer/server/archtt.sls new file mode 100755 index 0000000..c0b416d --- /dev/null +++ b/pillars/servers/maintainer/server/archtt.sls @@ -0,0 +1,3 @@ +maintainer: + - masaufuku + diff --git a/pillars/servers/maintainer/server/base b/pillars/servers/maintainer/server/base new file mode 100755 index 0000000..c0b416d --- /dev/null +++ b/pillars/servers/maintainer/server/base @@ -0,0 +1,3 @@ +maintainer: + - masaufuku + diff --git a/pillars/servers/maintainer/server/centlamp.sls b/pillars/servers/maintainer/server/centlamp.sls new file mode 100755 index 0000000..c0b416d --- /dev/null +++ b/pillars/servers/maintainer/server/centlamp.sls @@ -0,0 +1,3 @@ +maintainer: + - masaufuku + diff --git a/pillars/servers/maintainer/server/pisalt.sls b/pillars/servers/maintainer/server/pisalt.sls new file mode 100755 index 0000000..c0b416d --- /dev/null +++ b/pillars/servers/maintainer/server/pisalt.sls @@ -0,0 +1,3 @@ +maintainer: + - masaufuku + diff --git a/pillars/servers/mkserver.sh b/pillars/servers/mkserver.sh new file mode 100755 index 0000000..66d107b --- /dev/null +++ b/pillars/servers/mkserver.sh @@ -0,0 +1,5 @@ +#!/bin/bash +cp maintainer/server/base maintainer/server/$1.sls +cp env/server/base env/server/$1.sls +cp roles/server/base roles/server/$1.sls + diff --git a/pillars/servers/roles/init.sls b/pillars/servers/roles/init.sls new file mode 100755 index 0000000..65ff040 --- /dev/null +++ b/pillars/servers/roles/init.sls @@ -0,0 +1,2 @@ +include: + - servers.roles.server.{{ grains['host'] }} diff --git a/pillars/servers/roles/server/.sls b/pillars/servers/roles/server/.sls new file mode 100755 index 0000000..07c13df --- /dev/null 
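Review bot: `$1` is used unquoted and unchecked in all three `cp` lines of mkserver.sh, so running the script with no argument writes `maintainer/server/.sls`, `env/server/.sls` and `roles/server/.sls` — which is apparently how the `pillars/servers/roles/server/.sls` file added further down in this commit came to exist. Add a guard and quote the expansion: `set -eu`, `[ $# -eq 1 ] || { echo "usage: $0 <server>" >&2; exit 1; }`, then `cp maintainer/server/base "maintainer/server/$1.sls"` (and likewise for the other two lines). `env/server/base` is not part of this diff, so I cannot confirm that source exists.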
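Review bot: The include in pillars/servers/roles/init.sls is chosen by `grains['host']`, a value the minion itself reports, so any minion can render another host's `servers.roles.server.*` pillar simply by presenting that hostname. With only role lists in these files the exposure is small today, but the same pattern leaks secrets the moment a per-server pillar gains any. Prefer selecting per-host pillar by minion id (`grains['id']`, which the master ties to the minion's accepted key) or by an id match in top.sls, and keep grain-driven selection for non-sensitive data only.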
+++ b/pillars/servers/roles/server/.sls @@ -0,0 +1,5 @@ +grains: + roles: + - server + - ssh + - saltminion diff --git a/pillars/servers/roles/server/archbaikal.sls b/pillars/servers/roles/server/archbaikal.sls new file mode 100755 index 0000000..6d93df7 --- /dev/null +++ b/pillars/servers/roles/server/archbaikal.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - baikal diff --git a/pillars/servers/roles/server/archcal.sls b/pillars/servers/roles/server/archcal.sls new file mode 100755 index 0000000..7432a1e --- /dev/null +++ b/pillars/servers/roles/server/archcal.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - calandar diff --git a/pillars/servers/roles/server/archcouch.sls b/pillars/servers/roles/server/archcouch.sls new file mode 100755 index 0000000..d26e731 --- /dev/null +++ b/pillars/servers/roles/server/archcouch.sls @@ -0,0 +1,8 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - couch + - nfs diff --git a/pillars/servers/roles/server/archdeluge.sls b/pillars/servers/roles/server/archdeluge.sls new file mode 100755 index 0000000..962c8ec --- /dev/null +++ b/pillars/servers/roles/server/archdeluge.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - deluge +# - nfs diff --git a/pillars/servers/roles/server/archgit.sls b/pillars/servers/roles/server/archgit.sls new file mode 100755 index 0000000..639313a --- /dev/null +++ b/pillars/servers/roles/server/archgit.sls @@ -0,0 +1,8 @@ +grains: + roles: + - server + - ssh + - saltminion + - git + - nginx-proxy + - nfs diff --git a/pillars/servers/roles/server/archheadphones.sls b/pillars/servers/roles/server/archheadphones.sls new file mode 100755 index 0000000..474b62b --- /dev/null +++ b/pillars/servers/roles/server/archheadphones.sls @@ -0,0 +1,8 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - headphones + - nfs 
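Review bot: The role `calandar` in archcal.sls looks like a misspelling of `calendar`; if, as the file naming in this commit suggests, role names are matched against state and pillar file names, the typo means this host silently receives no calendar configuration rather than an error. Change the line to `- calendar`, unless a state or pillar literally named `calandar` exists elsewhere. A short comment at the top of these role files saying that each entry must match an existing `roles.*` state name would help future edits.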
diff --git a/pillars/servers/roles/server/archjackett.sls b/pillars/servers/roles/server/archjackett.sls new file mode 100755 index 0000000..d129ec2 --- /dev/null +++ b/pillars/servers/roles/server/archjackett.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - jackett diff --git a/pillars/servers/roles/server/archlam.sls b/pillars/servers/roles/server/archlam.sls new file mode 100755 index 0000000..8529094 --- /dev/null +++ b/pillars/servers/roles/server/archlam.sls @@ -0,0 +1,8 @@ +grains: + roles: + - server + - ssh + - saltminion + - lam + - nginx-proxy + diff --git a/pillars/servers/roles/server/archldap.sls b/pillars/servers/roles/server/archldap.sls new file mode 100755 index 0000000..bc13938 --- /dev/null +++ b/pillars/servers/roles/server/archldap.sls @@ -0,0 +1,6 @@ +grains: + roles: + - server + - ssh + - saltminion + - ldap diff --git a/pillars/servers/roles/server/archldaptest.sls b/pillars/servers/roles/server/archldaptest.sls new file mode 100755 index 0000000..07c13df --- /dev/null +++ b/pillars/servers/roles/server/archldaptest.sls @@ -0,0 +1,5 @@ +grains: + roles: + - server + - ssh + - saltminion diff --git a/pillars/servers/roles/server/archldapui.sls b/pillars/servers/roles/server/archldapui.sls new file mode 100755 index 0000000..c8f6570 --- /dev/null +++ b/pillars/servers/roles/server/archldapui.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - ldapui + - nginx-proxy diff --git a/pillars/servers/roles/server/archmail.sls b/pillars/servers/roles/server/archmail.sls new file mode 100755 index 0000000..a6ca203 --- /dev/null +++ b/pillars/servers/roles/server/archmail.sls @@ -0,0 +1,6 @@ +grains: + roles: + - server + - ssh + - saltminion + - sendmail diff --git a/pillars/servers/roles/server/archombi.sls b/pillars/servers/roles/server/archombi.sls new file mode 100755 index 0000000..6669635 --- /dev/null +++ b/pillars/servers/roles/server/archombi.sls 
@@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - ombi diff --git a/pillars/servers/roles/server/archpkg.sls b/pillars/servers/roles/server/archpkg.sls new file mode 100755 index 0000000..90032c3 --- /dev/null +++ b/pillars/servers/roles/server/archpkg.sls @@ -0,0 +1,8 @@ +grains: + roles: + - server + - ssh + - saltminion + - pkg-cache + - aurrepo + - nginx-proxy diff --git a/pillars/servers/roles/server/archplex.sls b/pillars/servers/roles/server/archplex.sls new file mode 100755 index 0000000..89e86b0 --- /dev/null +++ b/pillars/servers/roles/server/archplex.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - plexmediaserver diff --git a/pillars/servers/roles/server/archportal.sls b/pillars/servers/roles/server/archportal.sls new file mode 100755 index 0000000..6c96879 --- /dev/null +++ b/pillars/servers/roles/server/archportal.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - portal + - nginx-proxy diff --git a/pillars/servers/roles/server/archradarr.sls b/pillars/servers/roles/server/archradarr.sls new file mode 100755 index 0000000..1623dc7 --- /dev/null +++ b/pillars/servers/roles/server/archradarr.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - radarr diff --git a/pillars/servers/roles/server/archrequest.sls b/pillars/servers/roles/server/archrequest.sls new file mode 100755 index 0000000..ee25b86 --- /dev/null +++ b/pillars/servers/roles/server/archrequest.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - plexrequests + - nginx-proxy diff --git a/pillars/servers/roles/server/archsalt.sls b/pillars/servers/roles/server/archsalt.sls new file mode 100755 index 0000000..eda4276 --- /dev/null +++ b/pillars/servers/roles/server/archsalt.sls @@ -0,0 +1,8 @@ +grains: + roles: + - server + - ssh + - saltminion + - saltmaster + - mirrorlist + - certbot 
diff --git a/pillars/servers/roles/server/archsonarr.sls b/pillars/servers/roles/server/archsonarr.sls new file mode 100755 index 0000000..aeb4863 --- /dev/null +++ b/pillars/servers/roles/server/archsonarr.sls @@ -0,0 +1,9 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - sonarr + - nfs + - ytdownloader diff --git a/pillars/servers/roles/server/archssh.sls b/pillars/servers/roles/server/archssh.sls new file mode 100755 index 0000000..b4b9cf7 --- /dev/null +++ b/pillars/servers/roles/server/archssh.sls @@ -0,0 +1,6 @@ +grains: + roles: + - server + - ssh + - saltminion + - sshin diff --git a/pillars/servers/roles/server/archsync.sls b/pillars/servers/roles/server/archsync.sls new file mode 100755 index 0000000..bd5750a --- /dev/null +++ b/pillars/servers/roles/server/archsync.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - sync + - nginx-proxy diff --git a/pillars/servers/roles/server/archtt.sls b/pillars/servers/roles/server/archtt.sls new file mode 100755 index 0000000..4a6a411 --- /dev/null +++ b/pillars/servers/roles/server/archtt.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - ttrss + - nginx-proxy diff --git a/pillars/servers/roles/server/base b/pillars/servers/roles/server/base new file mode 100755 index 0000000..07c13df --- /dev/null +++ b/pillars/servers/roles/server/base @@ -0,0 +1,5 @@ +grains: + roles: + - server + - ssh + - saltminion diff --git a/pillars/servers/roles/server/centlamp.sls b/pillars/servers/roles/server/centlamp.sls new file mode 100755 index 0000000..9c57b3d --- /dev/null +++ b/pillars/servers/roles/server/centlamp.sls @@ -0,0 +1,7 @@ +grains: + roles: + - server + - ssh + - saltminion + - nginx-proxy + - lamp diff --git a/pillars/servers/roles/server/pisalt.sls b/pillars/servers/roles/server/pisalt.sls new file mode 100755 index 0000000..e69d932 --- /dev/null +++ b/pillars/servers/roles/server/pisalt.sls 
@@ -0,0 +1,6 @@ +grains: + roles: + - server + - ssh + - saltminion + - saltmaster diff --git a/pillars/top.sls b/pillars/top.sls new file mode 100755 index 0000000..a6637e3 --- /dev/null +++ b/pillars/top.sls @@ -0,0 +1,8 @@ +prod: + '*': + - roles + - servers +dev: + '*': + - roles + - servers diff --git a/states/basepkgs/init.sls b/states/basepkgs/init.sls new file mode 100755 index 0000000..8a76069 --- /dev/null +++ b/states/basepkgs/init.sls @@ -0,0 +1,26 @@ +nano: + pkg.installed +wget: + pkg.installed +openssh: + pkg.installed +htop: + pkg.installed +git: + pkg.installed + + +#note: bug in current version of saltstack breaks multi-package installs w/ yum. It'll be fixed in next version +#https://github.com/saltstack/salt/issues/28356 +#basepkgs: +# pkg.installed: +# - pkgs: +# - nano +# - wget +# - openssh +# - htop +# - git + +sshd: + service.running: + - enable: True diff --git a/states/mirrors.jinja b/states/mirrors.jinja new file mode 100644 index 0000000..36d40c7 --- /dev/null +++ b/states/mirrors.jinja @@ -0,0 +1 @@ +/root/scripts/mirrors.jinja \ No newline at end of file diff --git a/states/mirrors.list b/states/mirrors.list new file mode 100644 index 0000000..acd640b --- /dev/null +++ b/states/mirrors.list @@ -0,0 +1 @@ +/root/scripts/mirrors.list \ No newline at end of file diff --git a/states/pillars b/states/pillars new file mode 100644 index 0000000..27c0754 --- /dev/null +++ b/states/pillars @@ -0,0 +1 @@ +../pillars/ \ No newline at end of file diff --git a/states/repos/aur/aur.conf b/states/repos/aur/aur.conf new file mode 100755 index 0000000..13fd976 --- /dev/null +++ b/states/repos/aur/aur.conf @@ -0,0 +1,3 @@ +[aur-local] +SigLevel = Never +Server = http://pkg.actcur.com/$repo/os/$arch diff --git a/states/repos/aur/init.sls b/states/repos/aur/init.sls new file mode 100755 index 0000000..42375d6 --- /dev/null +++ b/states/repos/aur/init.sls 
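Review bot: `SigLevel = Never` together with a plain `http://` `Server` in aur.conf disables every integrity check pacman offers for `[aur-local]`, so a compromised mirror or anyone on the network path can substitute packages that each consuming host then installs as root. The same `SigLevel = Never` appears for `[archlinuxfr]` in states/repos/temp/pacman.conf and states/repos/yaourt/yaourt.conf. Since `[aur-local]` is built in-house (states/roles/maintain/aurrepo), sign the database and packages with a repository key distributed via `pacman-key`, then use `SigLevel = Required DatabaseOptional` as the rest of pacman.conf already does; at minimum serve the repository over HTTPS. A comment on the `SigLevel` line explaining why verification is off would at least make the trade-off visible to the next reader.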
@@ -0,0 +1,5 @@ +{%- if grains['os'] != "Arch ARM" -%} +/etc/pacman.conf: + file.append: + - source: salt://repos/aur/aur.conf +{%- endif -%} diff --git a/states/repos/epel.sls b/states/repos/epel.sls new file mode 100755 index 0000000..b5850a8 --- /dev/null +++ b/states/repos/epel.sls @@ -0,0 +1,2 @@ +epel-release: + pkg.installed diff --git a/states/repos/nginx/init.sls b/states/repos/nginx/init.sls new file mode 100755 index 0000000..dd351c1 --- /dev/null +++ b/states/repos/nginx/init.sls @@ -0,0 +1,6 @@ +/etc/yum.repos.d/nginx.repo: + file.managed: + - source: salt://repos/nginx/nginx.repo + - user: root + - group: root + - mode: 644 diff --git a/states/repos/nginx/nginx.repo b/states/repos/nginx/nginx.repo new file mode 100755 index 0000000..09cab68 --- /dev/null +++ b/states/repos/nginx/nginx.repo @@ -0,0 +1,5 @@ +[nginx] +name=nginx repo +baseurl=http://nginx.org/packages/rhel/7/$basearch/ +gpgcheck=0 +enabled=1 diff --git a/states/repos/temp/init.sls b/states/repos/temp/init.sls new file mode 100755 index 0000000..653d129 --- /dev/null +++ b/states/repos/temp/init.sls @@ -0,0 +1,7 @@ +/etc/pacman.conf: + file.managed: + - source: salt://repos/temp/pacman.conf + - user: root + - group: root + - mode: 644 + diff --git a/states/repos/temp/pacman.conf b/states/repos/temp/pacman.conf new file mode 100755 index 0000000..73ad2f8 --- /dev/null +++ b/states/repos/temp/pacman.conf 
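Review bot: `gpgcheck=0` with an `http://` baseurl in nginx.repo means yum installs whatever the transport delivers, with no signature check, for a package that will listen on the network. Set `gpgcheck=1` and `gpgkey=` pointing at the vendor signing key pinned out of band, and use `https://nginx.org/packages/rhel/7/$basearch/`. The webtatic release RPM in states/repos/webtatic/init.sls is fetched the same way (a bare URL under `sources:` with nothing verifying the download beyond rpm's own checks) and has the same gap.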
@@ -0,0 +1,102 @@ +# +# /etc/pacman.conf +# +# See the pacman.conf(5) manpage for option and repository directives + +# +# GENERAL OPTIONS +# +[options] +# The following paths are commented out with their default values listed. +# If you wish to use different paths, uncomment and update the paths. +#RootDir = / +#DBPath = /var/lib/pacman/ +#CacheDir = /var/cache/pacman/pkg/ +#LogFile = /var/log/pacman.log +#GPGDir = /etc/pacman.d/gnupg/ +HoldPkg = pacman glibc +#XferCommand = /usr/bin/curl -C - -f %u > %o +#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u +#CleanMethod = KeepInstalled +#UseDelta = 0.7 +Architecture = auto + +# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup +#IgnorePkg = +#IgnoreGroup = + +#NoUpgrade = +#NoExtract = + +# Misc options +#UseSyslog +#Color +#TotalDownload +CheckSpace +#VerbosePkgLists + +# By default, pacman accepts packages signed by keys that its local keyring +# trusts (see pacman-key and its man page), as well as unsigned packages. +SigLevel = Required DatabaseOptional +LocalFileSigLevel = Optional +#RemoteFileSigLevel = Required + +# NOTE: You must run `pacman-key --init` before first using pacman; the local +# keyring can then be populated with the keys of all official Arch Linux +# packagers with `pacman-key --populate archlinux`. + +# +# REPOSITORIES +# - can be defined here or included from another file +# - pacman will search repositories in the order defined here +# - local/custom mirrors can be added here or in separate files +# - repositories listed first will take precedence when packages +# have identical names, regardless of version number +# - URLs will have $repo replaced by the name of the current repo +# - URLs will have $arch replaced by the name of the architecture +# +# Repository entries are of the format: +# [repo-name] +# Server = ServerName +# Include = IncludePath +# +# The header [repo-name] is crucial - it must be present and +# uncommented to enable the repo. 
+# + +# The testing repositories are disabled by default. To enable, uncomment the +# repo name header and Include lines. You can add preferred servers immediately +# after the header, and they will be used before the default mirrors. + +#[testing] +#Include = /etc/pacman.d/mirrorlist + +[core] +Include = /etc/pacman.d/mirrorlist + +[extra] +Include = /etc/pacman.d/mirrorlist + +#[community-testing] +#Include = /etc/pacman.d/mirrorlist + +[community] +Include = /etc/pacman.d/mirrorlist + +# If you want to run 32 bit applications on your x86_64 system, +# enable the multilib repositories as required here. + +#[multilib-testing] +#Include = /etc/pacman.d/mirrorlist + +#[multilib] +#Include = /etc/pacman.d/mirrorlist + +# An example of a custom package repository. See the pacman manpage for +# tips on creating your own repositories. +#[custom] +#SigLevel = Optional TrustAll +#Server = file:///home/custompkgs +[archlinuxfr] +SigLevel = Never +Server = http://repo.archlinux.fr/$arch diff --git a/states/repos/webtatic/init.sls b/states/repos/webtatic/init.sls new file mode 100755 index 0000000..a1fc34d --- /dev/null +++ b/states/repos/webtatic/init.sls @@ -0,0 +1,7 @@ +webtatic: + pkg.installed: + - sources: + - webtatic-release: https://mirror.webtatic.com/yum/el7/webtatic-release.rpm + +#"rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm": +# cmd.run diff --git a/states/repos/yaourt/init.sls b/states/repos/yaourt/init.sls new file mode 100755 index 0000000..242964c --- /dev/null +++ b/states/repos/yaourt/init.sls @@ -0,0 +1,10 @@ +{%- if grains['os'] != "Arch ARM" -%} +/etc/pacman.conf: + file.append: + - source: salt://repos/yaourt/yaourt.conf + +yaourt: + pkg.installed: + - pkgs: + - yaourt +{%- endif -%} diff --git a/states/repos/yaourt/yaourt.conf b/states/repos/yaourt/yaourt.conf new file mode 100755 index 0000000..d43278e --- /dev/null +++ b/states/repos/yaourt/yaourt.conf 
@@ -0,0 +1,3 @@ +[archlinuxfr] +SigLevel = Never +Server = http://repo.archlinux.fr/$arch diff --git a/states/roles/build/pepper/build_pepper.sh b/states/roles/build/pepper/build_pepper.sh new file mode 100755 index 0000000..17be9c0 --- /dev/null +++ b/states/roles/build/pepper/build_pepper.sh @@ -0,0 +1,10 @@ +cd /root/ +curl -sS https://getcomposer.org/installer | php +mv composer.phar /usr/local/bin/composer +composer global require "laravel/installer" +ln -s /root/.config/composer/vendor/bin/laravel /usr/local/bin/laravel +cd /opt/ +laravel new pepper +cd /opt/pepper +#require packages we need +composer require symfony/yaml diff --git a/states/roles/build/pepper/init.sls b/states/roles/build/pepper/init.sls new file mode 100755 index 0000000..b460120 --- /dev/null +++ b/states/roles/build/pepper/init.sls @@ -0,0 +1,48 @@ +include: +{%- set os=grains['os'] -%} +{%- if os=="CentOS" or os=="RedHat" %} + - repos.nginx + - repos.webtatic +{% endif %} + +php.packages: + pkg.installed: + - pkgs: + - php56w + - php56w-mbstring + - php56w-mysql + - php56w-mcrypt + - php56w-fpm + - php56w-xml + +install_mariadb: + pkg.installed: + - pkgs: + - mariadb-server + +selinux-policy-targeted: + pkg.installed + +policycoreutils-python: + pkg.installed + +httpd_can_network_connect: + selinux.boolean: + - value: True + - persist: True + +/root/salt/scripts/build_pepper.sh: + file.managed: + - makedirs: true + - source: salt://roles/build/pepper/build_pepper.sh + - user: root + - group: root + - mode: 744 + +build_pepper: + cmd.run: + - name: "sh /root/salt/scripts/build_pepper.sh" + +install_nginx: + pkg.installed: + - name: nginx diff --git a/states/roles/build/saltpad/build_saltpad.sh b/states/roles/build/saltpad/build_saltpad.sh new file mode 100755 index 0000000..8d662f1 --- /dev/null +++ b/states/roles/build/saltpad/build_saltpad.sh 
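Review bot: `curl -sS https://getcomposer.org/installer | php` on the second line of build_pepper.sh executes a downloaded script with no integrity check, and it runs as root (the script writes into `/usr/local/bin`), so a compromised download or intercepted TLS session yields root code execution on the build host. Save the installer to a file, compare its SHA-384 against the value published on getcomposer.org (store the expected digest in pillar rather than fetching it in the same step), and only then run `php composer-setup.php`. Pinning `laravel/installer` and `symfony/yaml` to explicit versions would also make the build reproducible.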
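Review bot: `build_pepper` runs `cmd.run` with no `creates`/`unless` guard, so every highstate re-executes build_pepper.sh, which re-downloads Composer and re-runs `laravel new pepper` into `/opt` — at best slow, at worst failing or clobbering an already deployed application. Add `- creates: /opt/pepper` under `cmd.run` so the build runs once. `build_saltpad` in states/roles/build/saltpad/init.sls has the same shape and would take `- creates: /opt/saltpad`.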
@@ -0,0 +1,9 @@ +cd /opt/ +git clone https://github.com/tinyclues/saltpad.git -b saltpad_v1 +#git clone https://github.com/Lothiraldan/saltpad.git +cd saltpad +virtualenv venv +source venv/bin/activate +pip install -r requirements.txt +pip install chaussette +pip install pyyaml diff --git a/states/roles/build/saltpad/init.sls b/states/roles/build/saltpad/init.sls new file mode 100755 index 0000000..5358724 --- /dev/null +++ b/states/roles/build/saltpad/init.sls @@ -0,0 +1,49 @@ +include: +{%- set os=grains['os'] -%} +{%- if os=="CentOS" or os=="RedHat" %} + - repos.nginx +{% endif %} + +selinux-policy-targeted: + pkg.installed + +policycoreutils-python: + pkg.installed + +httpd_can_network_connect: + selinux.boolean: + - value: True + - persist: True + +python-virtualenv: + pkg.installed + +/root/salt/scripts/build_saltpad.sh: + file.managed: + - makedirs: true + - source: salt://roles/build/saltpad/build_saltpad.sh + - user: root + - group: root + - mode: 744 + +build_saltpad: + cmd.run: + - name: "sh /root/salt/scripts/build_saltpad.sh" + +/root/salt/scripts/start_saltpad.sh: + file.managed: + - source: salt://roles/build/saltpad/start_saltpad.sh + - user: root + - group: root + - mode: 744 + +/usr/lib/systemd/system/saltpad.service: + file.managed: + - source: salt://roles/build/saltpad/saltpad.service + - user: root + - group: root + - mode: 644 + +install_nginx: + pkg.installed: + - name: nginx diff --git a/states/roles/build/saltpad/saltpad.service b/states/roles/build/saltpad/saltpad.service new file mode 100755 index 0000000..876955c --- /dev/null +++ b/states/roles/build/saltpad/saltpad.service @@ -0,0 +1,11 @@ +[Unit] +Description=The Saltpad +After=syslog.target network.target + +[Service] +Type=forking +LimitNOFILE=8192 +ExecStart=/bin/bash /root/salt/scripts/start_saltpad.sh start + +[Install] +WantedBy=multi-user.target 
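Review bot: build_saltpad.sh clones `saltpad_v1` by branch name and installs `chaussette` and `pyyaml` unpinned, so what ends up running as the Salt API front end is whatever the upstream branch and PyPI serve on the day the state runs, with no way to reproduce or audit it later. Pin the clone to a reviewed commit (`git checkout <pinned-commit-sha>` right after the clone) and pin the two packages with `==` versions, or put them in a hash-checked requirements file alongside the upstream one. A comment recording why the `saltpad_v1` branch was chosen over the alternative clone line that is commented out would help the next maintainer.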
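Review bot: saltpad.service has no `User=`/`Group=` line, so Saltpad and the chaussette server it launches run as root, and `Type=forking` without `PIDFile=` leaves systemd guessing which backgrounded process is the main one. Run it under a dedicated unprivileged account (`User=saltpad`, with `/opt/saltpad` owned accordingly) behind the nginx proxy the same state installs. Since start_saltpad.sh only backgrounds chaussette with `&`, `Type=simple` with `ExecStart=` running chaussette in the foreground would be simpler and more reliable than the wrapper script.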
diff --git a/states/roles/build/saltpad/start_saltpad.sh b/states/roles/build/saltpad/start_saltpad.sh new file mode 100755 index 0000000..a6dcd32 --- /dev/null +++ b/states/roles/build/saltpad/start_saltpad.sh @@ -0,0 +1,67 @@ +#/bin/bash + +c=`ps aux | grep chaussette | wc -l` + +function stop { + if [ c -gt 1 ]; + then + echo "Stopping server.." + pkill chaussette + echo ".. Done." + else + echo "Server not running" + fi +} + +function start { + if [c -gt 1 ] + then + echo "Server is already running" + else + echo "Starting Server.." + cd /opt/saltpad + source venv/bin/activate + chaussette saltpad.merged:app & + echo ".. Done." + fi +} + +function restart { + echo "Restarting server.." + if [ c -gt 1 ] + then + stop + sleep 5 + start + else + start + fi + echo ".. Done." +} + +function status { + if [ c -gt 1 ] + then + echo "Server is not running" + exit 1 + else + echo "Server is running" + fi +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + status) + status + ;; + *) + echo "Usage: $0 {start|stop|restart|status}" +esac diff --git a/states/roles/grains b/states/roles/grains new file mode 100755 index 0000000..edcadfb --- /dev/null +++ b/states/roles/grains @@ -0,0 +1,19 @@ +{#- ensure that grains pillar exists -#} +{%- if pillar['grains'] is defined -%} + {#- loop through grains -#} + {%- for key, value in pillar['grains'].items() recursive -%} + {%- set depth=loop.depth %} +{% for i in range(1,depth) -%}{{ " " }}{%- endfor -%} +{{ key }}: + {%- if value is mapping -%} + {{ loop(value.items()) }} + {%- else %} + {%- if value is not none -%} + {%- for item in value %} +{% for i in range(0,depth) -%}{{ " " }}{%- endfor -%} +- {{ item }} + {%- endfor -%} + {%- endif -%} + {%- endif -%} + {%- endfor -%} +{%- endif -%} diff --git a/states/roles/init.sls b/states/roles/init.sls new file mode 100755 index 0000000..e200622 --- /dev/null +++ b/states/roles/init.sls 
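Review bot: start_saltpad.sh cannot work as written: the first line is `#/bin/bash` (no `!`), so it is not a shebang; every test uses the literal `c` instead of `$c` (`[ c -gt 1 ]`), which `test` rejects as a non-integer; the `start` test `[c -gt 1 ]` lacks the space after `[`; and `status` prints "Server is not running" on the branch where processes were found. `ps aux | grep chaussette | wc -l` also counts the grep itself, which is why the threshold is 1. The rewrite below switches to `pgrep -c`, which does not match itself, fixes the four conditions and the inverted status, and leaves the case dispatch unchanged. The service unit invokes this through `/bin/bash`, which masks the broken shebang there, but manual runs fail.

```bash
#!/bin/bash

# number of running chaussette processes (pgrep does not count itself)
c=$(pgrep -c chaussette)

function stop {
  if [ "$c" -gt 0 ]
  then
    # … unchanged: stop messages and pkill …
  fi
}

function start {
  if [ "$c" -gt 0 ]
  then
    # … unchanged: already-running message / start sequence …
  fi
}

function restart {
  echo "Restarting server.."
  if [ "$c" -gt 0 ]
  then
    # … unchanged: stop / sleep / start …
  fi
  echo ".. Done."
}

function status {
  if [ "$c" -gt 0 ]
  then
    echo "Server is running"
  else
    echo "Server is not running"
    exit 1
  fi
}

# … unchanged: case dispatch …
```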
@@ -0,0 +1,13 @@ +roles-minion: + service.running: + - name: salt-minion + - watch: + - file: /etc/salt/grains + +/etc/salt/grains: + file.managed: + - source: salt://roles/grains + - user: root + - group: root + - mode: 644 + - template: jinja diff --git a/states/roles/maintain/aurrepo/init.sls b/states/roles/maintain/aurrepo/init.sls new file mode 100755 index 0000000..3facd0a --- /dev/null +++ b/states/roles/maintain/aurrepo/init.sls @@ -0,0 +1,59 @@ +base-devel: + pkg.group_installed + +sudo: + pkg.installed + +user-build: + user.present: + - name: build + - createhome: true + file.append: + - name: /etc/sudoers + - text: "build ALL=(ALL) NOPASSWD: ALL" + +/repo: + file.symlink: + - target: /mnt/pkgs/aur-local/os/x86_64/ + +git-aur_repo: + git.latest: + - name: https://git.actcur.com/actcur/aur_repo + - target: /home/build/aur_repo + - user: build + +build-aur_repo: + cmd.run: + - name: "makepkg -si --noconfirm;git reset --hard" + - runas: build + - cwd: /home/build/aur_repo + - onchanges: + - git: git-aur_repo + +/etc/aur_repo/pkglist: + file.managed: + - source: salt://roles/maintain/aurrepo/pkglist + - user: root + - group: root + - mode: 644 + - makedirs: true + - template: jinja + +"/usr/lib/systemd/system/updateaur.service": + file.managed: + - source: salt://roles/maintain/aurrepo/updateaur.service + - user: root + - group: root + - mode: 644 + +"/usr/lib/systemd/system/updateaur.timer": + file.managed: + - source: salt://roles/maintain/aurrepo/updateaur.timer + - user: root + - group: root + - mode: 644 + +"updateaur.timer": + service.running: + - enable: true + diff --git a/states/roles/maintain/aurrepo/pkglist b/states/roles/maintain/aurrepo/pkglist new file mode 100755 index 0000000..95ba7ea --- /dev/null +++ b/states/roles/maintain/aurrepo/pkglist @@ -0,0 +1,5 @@ +{% if pillar['aurpkgs'] is defined -%} +{% for pkg in pillar['aurpkgs'] %} +{{pkg}} +{%- endfor -%} +{%- endif -%} 
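Review bot: `user-build` appends `build ALL=(ALL) NOPASSWD: ALL` to `/etc/sudoers`, handing unrestricted passwordless root to the account that runs `makepkg -si` on PKGBUILDs pulled from a git remote — a malicious or compromised PKGBUILD, or anyone who reaches the build user on this host, is root with no further step. `makepkg -si` only needs sudo for `pacman`, so scope the rule to that binary, and write it as a managed drop-in under `/etc/sudoers.d/` validated with `visudo -cf` instead of `file.append` on the main file, where one typo leaves the host with no working sudo; a rewrite of `user-build` is below and the rest of the file is unchanged. Separately, `git-aur_repo` tracks the remote's default branch with no `- rev:`, so whoever controls that remote controls what this host builds and serves to every pacman client — pin it to a reviewed commit.

```yaml
user-build:
  user.present:
    - name: build
    - createhome: true

# sudo rule scoped to what makepkg -si actually needs; syntax-checked before install
/etc/sudoers.d/build:
  file.managed:
    - contents: "build ALL=(root) NOPASSWD: /usr/bin/pacman"
    - user: root
    - group: root
    - mode: 440
    - check_cmd: visudo -cf
    - require:
      - user: user-build

# … unchanged: /repo symlink, git-aur_repo, build-aur_repo, pkglist, unit files, timer …
```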
diff --git a/states/roles/maintain/aurrepo/updateaur.service b/states/roles/maintain/aurrepo/updateaur.service new file mode 100755 index 0000000..a573c87 --- /dev/null +++ b/states/roles/maintain/aurrepo/updateaur.service @@ -0,0 +1,12 @@ +[Unit] +Description=Update AUR packages + +[Service] +Type=oneshot +RemainAfterExit=no +User=build +Group=build +ExecStart=/bin/aur_repo + +[Install] +WantedBy=multi-user.target diff --git a/states/roles/maintain/aurrepo/updateaur.timer b/states/roles/maintain/aurrepo/updateaur.timer new file mode 100755 index 0000000..e9cea9f --- /dev/null +++ b/states/roles/maintain/aurrepo/updateaur.timer @@ -0,0 +1,13 @@ +[Unit] +Description=Updates package repository every 24 hours + +[Timer] +# Time to wait after booting before we run first time +OnBootSec=10min +# Time between running each consecutive time +OnUnitActiveSec=1d +Unit=updateaur.service + +[Install] +WantedBy=multi-user.target + diff --git a/states/roles/maintain/certbot/certbot.service b/states/roles/maintain/certbot/certbot.service new file mode 100755 index 0000000..940a701 --- /dev/null +++ b/states/roles/maintain/certbot/certbot.service @@ -0,0 +1,10 @@ +[Unit] +Description=Runs certbot renew + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/bin/bash /root/scripts/certbot.sh + +[Install] +WantedBy=multi-user.target diff --git a/states/roles/maintain/certbot/certbot.sh b/states/roles/maintain/certbot/certbot.sh new file mode 100755 index 0000000..3de2f3b --- /dev/null +++ b/states/roles/maintain/certbot/certbot.sh @@ -0,0 +1,3 @@ +echo "Running certbot renew" > /root/scripts/certbot.log +/bin/certbot renew >> /root/scripts/certbot.log +echo "Finished certbot renew" >> /root/scripts/certbot.log diff --git a/states/roles/maintain/certbot/certbot.timer b/states/roles/maintain/certbot/certbot.timer new file mode 100755 index 0000000..bff9668 --- /dev/null +++ b/states/roles/maintain/certbot/certbot.timer 
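Review bot: The `[Install]` section of updateaur.timer uses `WantedBy=multi-user.target`; the conventional target for timer units is `timers.target`, which is what `systemctl enable` on a timer normally expects, so the line should read `WantedBy=timers.target` (certbot.timer in this commit has the same line). Also nothing in this commit installs `/bin/aur_repo`, the `ExecStart` of updateaur.service; presumably the aur_repo package built by `makepkg -si` provides it, and a one-line comment in the unit saying so would save the next reader a search.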
@@ -0,0 +1,13 @@ +[Unit] +Description=Runs certbot renew ever week + +[Timer] +# Time to wait after booting before we run first time +OnBootSec=10min +# Time between running each consecutive time +OnUnitActiveSec=1w +Unit=certbot.service + +[Install] +WantedBy=multi-user.target + diff --git a/states/roles/maintain/certbot/init.sls b/states/roles/maintain/certbot/init.sls new file mode 100755 index 0000000..c052e86 --- /dev/null +++ b/states/roles/maintain/certbot/init.sls @@ -0,0 +1,34 @@ +certbot: + pkg.installed + +/root/scripts/certbot.sh: + file.managed: + - makedirs: true + - source: salt://roles/maintain/certbot/certbot.sh + - user: root + - group: root + - mode: 644 + +"/usr/lib/systemd/system/certbot.service": + file.managed: + - source: salt://roles/maintain/certbot/certbot.service + - user: root + - group: root + - mode: 644 + +"/usr/lib/systemd/system/certbot.timer": + file.managed: + - source: salt://roles/maintain/certbot/certbot.timer + - user: root + - group: root + - mode: 644 + +"certbot.timer": + service.running: + - enable: true + +"certbot-reload": + module.run: + - name: service.systemctl_reload + - onchanges: + - file: /usr/lib/systemd/system/* diff --git a/states/roles/maintain/deluge/cert.pem b/states/roles/maintain/deluge/cert.pem new file mode 100755 index 0000000..6210447 --- /dev/null +++ b/states/roles/maintain/deluge/cert.pem 
@@ -0,0 +1,112 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=WI, L=Stevens Point, O=Masau++, OU=Masau++ CA, CN=ca.s.mpp/emailAddress=masau.fuku@gmail.com + Validity + Not Before: May 26 16:52:50 2015 GMT + Not After : May 25 16:52:50 2016 GMT + Subject: C=US, ST=WI, L=Stevens Point, O=Masau++, OU=Masau++ Downloads, CN=deluge.s.mpp/emailAddress=masau.fuku@gmail.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bd:9d:14:c4:97:0e:8c:cb:85:e6:63:98:26:96: + 9c:f8:18:c3:dc:d1:f6:fe:94:a2:2a:18:db:27:c3: + d9:1e:82:0f:48:a4:9e:95:cb:c3:3f:9e:5e:9c:0d: + 3f:0f:54:f6:0d:9d:39:4f:a9:49:34:ff:38:55:2c: + ee:39:44:b7:c6:12:26:f6:a3:65:24:81:b0:ae:86: + c4:b2:fd:98:74:5f:4b:85:35:50:6c:38:0d:59:2a: + 46:a7:cc:ea:94:45:de:ad:fd:07:89:57:1d:a2:9c: + 71:16:cb:fd:ca:ef:13:c9:57:67:46:0c:48:de:59: + 3d:88:f5:40:2a:f0:76:ab:90:f5:9b:cc:7f:14:6e: + 81:04:fb:d3:58:57:ac:0e:20:34:7e:16:66:46:e2: + c2:ec:75:95:08:c0:94:a5:d6:69:1f:54:65:0d:d0: + 6d:64:1a:53:ab:79:a3:de:3d:04:b7:0c:32:c4:f9: + 62:5a:0d:9d:36:65:b5:c3:70:f9:3b:bf:df:c8:31: + 8a:c1:55:49:67:ec:5c:77:cf:16:33:50:f7:73:b8: + 76:33:7c:c7:82:7e:d4:d8:0d:09:5f:0f:22:9f:58: + 2d:f9:3d:7f:e8:c5:24:a9:d3:00:3f:cf:c6:79:cc: + ec:c5:ac:5e:97:45:10:e5:91:77:6d:1d:63:d3:72: + 85:95 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + AF:FE:08:07:B5:EF:A7:91:47:64:A8:A8:A5:94:B6:83:38:5E:1E:4A + X509v3 Authority Key Identifier: + keyid:4E:3B:BB:11:1A:0C:46:6E:1C:E4:64:39:49:91:09:B0:2E:F2:C8:5A + + Signature Algorithm: sha256WithRSAEncryption + 67:e9:e0:3f:28:e4:dc:76:b8:4c:e7:63:d1:3f:c5:3b:e0:a0: + e4:14:28:41:14:f0:c9:ba:8d:4d:96:d6:e7:bb:49:1b:fa:a2: + ab:54:66:88:40:42:ec:71:5c:5e:9e:ab:bc:cb:3a:c2:03:4e: + c5:5e:d5:0f:89:ae:55:db:9f:1e:d6:37:01:fc:4a:a7:fa:94: + 
a2:52:cf:04:18:fa:90:99:54:10:20:d6:b7:44:86:00:bb:85: + 01:1f:e4:27:6a:89:94:d6:67:94:ff:2e:50:58:53:0a:34:96: + 6c:35:bd:04:71:25:f1:91:55:60:e5:1a:89:7a:a1:79:c2:2c: + a2:2a:fb:33:48:bd:7a:a0:b5:97:07:3c:85:3a:f5:aa:81:e6: + ad:c2:09:9f:f7:f9:bb:00:d9:67:6d:ca:e9:4b:1c:3b:41:b1: + 77:4a:a2:88:5e:b5:9a:c2:ed:04:38:91:c4:08:f4:ae:8b:a1: + f3:5c:8a:5b:e2:93:a1:84:5c:d7:f3:55:ab:f1:26:4c:8a:96: + e3:3b:7a:75:5e:4a:98:4e:ae:1d:e1:db:6f:5f:8a:85:94:2c: + c9:84:36:7a:27:e4:52:e7:f3:93:0b:99:c2:22:96:60:9d:c6: + 29:2e:cc:0e:81:45:f1:17:69:bb:89:4d:be:f0:09:67:4c:15: + 1b:12:6d:9f +-----BEGIN CERTIFICATE----- +MIIEJTCCAw2gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMx +CzAJBgNVBAgMAldJMRYwFAYDVQQHDA1TdGV2ZW5zIFBvaW50MRAwDgYDVQQKDAdN +YXNhdSsrMRMwEQYDVQQLDApNYXNhdSsrIENBMREwDwYDVQQDDAhjYS5zLm1wcDEj +MCEGCSqGSIb3DQEJARYUbWFzYXUuZnVrdUBnbWFpbC5jb20wHhcNMTUwNTI2MTY1 +MjUwWhcNMTYwNTI1MTY1MjUwWjCBnDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldJ +MRYwFAYDVQQHDA1TdGV2ZW5zIFBvaW50MRAwDgYDVQQKDAdNYXNhdSsrMRowGAYD +VQQLDBFNYXNhdSsrIERvd25sb2FkczEVMBMGA1UEAwwMZGVsdWdlLnMubXBwMSMw +IQYJKoZIhvcNAQkBFhRtYXNhdS5mdWt1QGdtYWlsLmNvbTCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAL2dFMSXDozLheZjmCaWnPgYw9zR9v6UoioY2yfD +2R6CD0iknpXLwz+eXpwNPw9U9g2dOU+pSTT/OFUs7jlEt8YSJvajZSSBsK6GxLL9 +mHRfS4U1UGw4DVkqRqfM6pRF3q39B4lXHaKccRbL/crvE8lXZ0YMSN5ZPYj1QCrw +dquQ9ZvMfxRugQT701hXrA4gNH4WZkbiwux1lQjAlKXWaR9UZQ3QbWQaU6t5o949 +BLcMMsT5YloNnTZltcNw+Tu/38gxisFVSWfsXHfPFjNQ93O4djN8x4J+1NgNCV8P +Ip9YLfk9f+jFJKnTAD/PxnnM7MWsXpdFEOWRd20dY9NyhZUCAwEAAaN7MHkwCQYD +VR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlm +aWNhdGUwHQYDVR0OBBYEFK/+CAe176eRR2SoqKWUtoM4Xh5KMB8GA1UdIwQYMBaA +FE47uxEaDEZuHORkOUmRCbAu8shaMA0GCSqGSIb3DQEBCwUAA4IBAQBn6eA/KOTc +drhM52PRP8U74KDkFChBFPDJuo1Nltbnu0kb+qKrVGaIQELscVxenqu8yzrCA07F +XtUPia5V258e1jcB/Eqn+pSiUs8EGPqQmVQQINa3RIYAu4UBH+QnaomU1meU/y5Q +WFMKNJZsNb0EcSXxkVVg5RqJeqF5wiyiKvszSL16oLWXBzyFOvWqgeatwgmf9/m7 +ANlnbcrpSxw7QbF3SqKIXrWawu0EOJHECPSui6HzXIpb4pOhhFzX81Wr8SZMipbj 
+O3p1XkqYTq4d4dtvX4qFlCzJhDZ6J+RS5/OTC5nCIpZgncYpLswOgUXxF2m7iU2+ +8AlnTBUbEm2f +-----END CERTIFICATE----- +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC9nRTElw6My4Xm +Y5gmlpz4GMPc0fb+lKIqGNsnw9kegg9IpJ6Vy8M/nl6cDT8PVPYNnTlPqUk0/zhV +LO45RLfGEib2o2UkgbCuhsSy/Zh0X0uFNVBsOA1ZKkanzOqURd6t/QeJVx2inHEW +y/3K7xPJV2dGDEjeWT2I9UAq8HarkPWbzH8UboEE+9NYV6wOIDR+FmZG4sLsdZUI +wJSl1mkfVGUN0G1kGlOreaPePQS3DDLE+WJaDZ02ZbXDcPk7v9/IMYrBVUln7Fx3 +zxYzUPdzuHYzfMeCftTYDQlfDyKfWC35PX/oxSSp0wA/z8Z5zOzFrF6XRRDlkXdt +HWPTcoWVAgMBAAECggEAMNT5ej+k4aGwlErl7lovhr1qA76XK60/rjPEjRMlIXRB +V2X96XoWiJXSq8HFkb9BtvPcxKVGUz2/VkBCAcGuynX2TuJ5s9Mqm2fd1HL3BlFc +c6vtUFGHLoVyuNhPOWxdEtXtUPN8kFpVzZcvf0nfAKVf1Wxof8rfzBvNMMHI7hnv +UsxuuKkvRp4EPMFM5bTJqRCnnUjw+Al4cnuVgejw3z4+aW3qL71SryXV9p5K0AM2 +C5zpx++Lho03TEV2fKpz4V9XzP1GEJNjrBTgGsCHfwkegfXyf8aXUdDn6QeUBq7F +KTo2CPgIA180WOk2WJ3ZBTFJw9iuEQJym/cDUUjaqQKBgQDqir2XvfhjqEDpcihB +rPvVE7L04Dp5wUZExdwCVl42hoHoDWoPMcJW++5tdV+Q4viJeEJ6daNLSpcsYlzK +zux0r16obaHH80OK0Q51qn8NiSuW7BKXfajBJPDmyZ/SG5X0XkHr5Z/UQL777Iqp +15hTay+Dh3hjZbIhwW0Ah7//lwKBgQDO9hA+5jjWl8YA4bPdbRlXGx4ORBjTe6hn +potDsFqUF4vfcdlgBaMHwEAtJoSMVbMK2Hw3U+CqlwIb6B7JhxzCzJKOK/ISTyxZ +aPs7brEOiZ6YTuaV+u4tS+fXUp0inQQV3tJ0Yoym2EyoQXhEvVKD4/5AdKCh0znk +Nc/D+E2JswKBgEy8a99ztgrVB7fZM7aZJCPIuCpKGpevVpA1tA/Htjdctq/3g5XJ +D+5pqs6BMm0y9WH0yLtMNcrycpeA7x8jqFVc8zlj9SR4QMbwMyzoRX1mPa65OjP6 +VvYqYe8AVJvnjp5PIH5PuIU3UcUW1R9QfHP+g6Mi9Y5/vVIx+LnNsFGtAoGABL8R +6k9fWFSMvvJuLJLW9O9zRgJ7y0XXu+DO6tN9kE3l8E7tHE2kyoW3MxHiElHY1FPY +rXAoA+GIs9kj8508pJ8KcWZCm/bi3n4Q3PER8HJph7avhRsHIVTPUVncrrGJKXM9 +wluMPDtTrrwppPHulYXCC/pgwLVWa4xsYmMsbA8CgYBkm2/+sS+TPS8FgM2UxM1w +WkIMqp57bZgLZeoG5fvkQOQRpd6R/g4F44+8b3386rtEDie1IRKDkX8l03WzcfMO +X5Rl1UV6crS3qy/jdURII3uo6cX1/L7ndXeD4rS/Giyz/NsbvAESlmvnA2uVgaFF +yc1fobuHTYZkM8EBZFqK1w== +-----END PRIVATE KEY----- 
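Review bot: cert.pem commits a PEM `PRIVATE KEY` block together with the certificate into the state tree, from where the Salt fileserver also serves it to minions as `salt://roles/maintain/deluge/cert.pem`; the key is therefore exposed in git history and must be treated as compromised — rewriting history does not recover it. The certificate itself expired in May 2016, so rotate: generate the new key on the target host or deliver it through GPG-encrypted pillar (`contents_pillar` on the `file.managed` state), and keep only the public certificate in the repository. A pre-commit secret scanner that flags `BEGIN PRIVATE KEY` would catch this class of mistake before it lands.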
diff --git a/states/roles/maintain/deluge/conf.d/deluge-web.conf b/states/roles/maintain/deluge/conf.d/deluge-web.conf new file mode 100755 index 0000000..0ad0ae6 --- /dev/null +++ b/states/roles/maintain/deluge/conf.d/deluge-web.conf @@ -0,0 +1,25 @@ +server { +# listen 443; + listen 80; + server_name deluge.s.mpp; + +# ssl_certificate /etc/nginx/cert.pem; +# ssl_certificate_key /etc/nginx/cert.pem; + +# ssl on; +# ssl_session_cache builtin:1000 shared:SSL:10m; +# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; +# ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; +# ssl_prefer_server_ciphers on; + + location / { + proxy_pass http://127.0.0.1:8112/; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_pass_header Set-Cookie; + proxy_pass_header P3P; + + } +} diff --git a/states/roles/maintain/deluge/init.sls b/states/roles/maintain/deluge/init.sls new file mode 100755 index 0000000..6b89907 --- /dev/null +++ b/states/roles/maintain/deluge/init.sls 
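Review bot: deluge-web.conf exposes the Deluge web UI on `listen 80` with the whole TLS block commented out, so the web UI password and session cookie cross the network in clear text between browser and proxy. Once the certificate handling is sorted out, re-enable the `listen 443`/`ssl_*` block, and when doing so drop `TLSv1 TLSv1.1` from `ssl_protocols` and the `3DES` suites from `ssl_ciphers`, which the commented template still carries; use `listen 443 ssl;` rather than the deprecated `ssl on;`. The port-80 server should then only `return 301 https://$host$request_uri;`.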
@@ -0,0 +1,101 @@ +{%- set os=grains['os'] -%} +include: + - systems.extra.nfs_client + +deluge: + pkg.installed + +python2-mako: + pkg.installed + +mount: + group.present: + - gid: 503 + - addusers: + - deluge + +fuse: + pkg.installed + +sshfs: + pkg.installed + +{% if not salt['file.directory_exists']('/srv/deluge/.config/deluge') %} +/srv/deluge/.config/deluge: +# file.directory: +# - user: deluge +# - group: deluge +# - mode: 755 +# - makedirs: true +# - recurse: +# - user +# - group +# - mode + file.recurse: + - source: salt://roles/maintain/deluge/deluge + - user: deluge + - group: deluge + - dir_mode: 0755 + - file_mode: 0644 +{% endif %} + +/mnt/video: + mount.mounted: + - device: mount@host.s.mpp:/mnt/butter/video + - fstype: fuse.sshfs + - mkmnt: True + - opts: delay_connect,x-systemd.automount,_netdev,user,idmap=user,IdentityFile=/root/.ssh/mount_rsa,allow_other,reconnect + - dump: 0 + - pass_num: 2 + - persist: True + +#mount@host.s.mpp:/mnt/butter/video /mnt/video fuse.sshfs noauto,x-systemd.automount,_netdev,users,idmap=user,IdentityFile=/root/.ssh/mount_rsa,allow_other,reconnect 0 0 + +#/mnt/video: +# mount.mounted: +# - device: host.s.mpp:/video +# - fstype: nfs +# - mkmnt: True +# - opts: defaults,x-systemd.timeout=10,x-systemd.automount +# - dump: 0 +# - pass_num: 2 + +deluged: + service.running: + - enable: true + +deluge-web: + service.running: + - enable: true + +nginx: + pkg.installed: [] + service.running: + - enable: true + - watch: + - file: /etc/nginx/conf.d/* + - file: /etc/nginx/nginx.conf + - file: /etc/nginx/cert.pem + +/etc/nginx/cert.pem: + file.managed: + - source: salt://roles/maintain/deluge/nginx.conf + - user: http + - group: http + - mode: 400 + +/etc/nginx/nginx.conf: + file.managed: + - source: salt://roles/maintain/deluge/nginx.conf + - user: root + - group: root + - mode: 644 + +/etc/nginx/conf.d/: + file.recurse: + - source: salt://roles/maintain/deluge/conf.d/ + - user: root + - group: root + - dir_mode: 755 + - 
file_mode: 644 + - clean: true diff --git a/states/roles/maintain/deluge/nginx.conf b/states/roles/maintain/deluge/nginx.conf new file mode 100755 index 0000000..74f7622 --- /dev/null +++ b/states/roles/maintain/deluge/nginx.conf @@ -0,0 +1,71 @@ + +#user html; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + include conf.d/*; + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} +} diff --git a/states/roles/maintain/gitlab/init.sls b/states/roles/maintain/gitlab/init.sls new file mode 100644 index 0000000..9cf9483 --- /dev/null +++ b/states/roles/maintain/gitlab/init.sls 
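Review bot: `/etc/nginx/cert.pem` is managed with `- source: salt://roles/maintain/deluge/nginx.conf`, the same source used for `/etc/nginx/nginx.conf`, so the file nginx `watch`es as its certificate would be a copy of nginx.conf; presumably a PEM bundle was meant. Whatever that bundle is, a private key should not be a plain file in the state tree (this diff already carries a `BEGIN PRIVATE KEY` block near the top of this chunk) — deliver it from an encrypted pillar via `contents_pillar`, keeping the `mode: 400` shown here. The `/mnt/video` mount embeds `IdentityFile=/root/.ssh/mount_rsa` together with `allow_other`, so every local user can read what that key unlocks; a comment recording that the key is restricted on the server side (forced command, read-only export) would document the trust this state relies on.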
@@ -0,0 +1,30 @@
+gitlab:
+ - pkg: installed
+mysql:
+ - pkg: installed
+gitlab_nginx:
+ - pkg: installed
+#manage /etc/webapps/gitlab/gitlab.yml
+#manage /etc/webapps/gitlab-shell/config.yml
+#manage /etc/webapps/gitlab/resque.yml
+#manage /etc/redis.conf
+#manage /etc/tempfiles.d/redis.conf
+#manage /etc/webapps/gitlab/database.yml
+#manage /etc/nginx/conf.d/gitlab.conf
+#add users git and gitlab to redis group
+
+#initialize redis database w/:
+#su - gitlab -s /bin/sh -c "cd '/usr/share/webapps/gitlab'; bundle-2.3 exec rake gitlab:setup RAILS_ENV=production"
+
+#configure gitlab user for git
+#git config --global user.name "Actaeus Curabitur"
+#git config --global user.email "actcur@actcur.com"
+#git config --global core.autocrlf "input"
+
+#verify perms for repos are right
+#chmod -R ug+rwX,o-rwx /var/lib/gitlab/repositories/
+#chmod -R ug-s /var/lib/gitlab/repositories
+#find /var/lib/gitlab/repositories/ -type d -print0 | xargs -0 chmod g+s
+
+#start and enable redis
+#start and enable gitlab.target, gitlab-sidekiq, gitlab-unicorn, and gitlab-workhorse
diff --git a/states/roles/maintain/glances/auth.conf b/states/roles/maintain/glances/auth.conf
new file mode 100755
index 0000000..82da9c6
--- /dev/null
+++ b/states/roles/maintain/glances/auth.conf
@@ -0,0 +1,13 @@
+#Authentication {{auth}}
+
+{%- if auth == "none" %}
+
+#No authentication
+{%- elif auth == "simple" %}
+
+auth_basic "Restricted Content";
+auth_basic_user_file /etc/nginx/.htpasswd;
+{%- elif auth == "ldap" %}
+
+#Not Implemented
+{%- endif -%}
diff --git a/states/roles/maintain/glances/certs b/states/roles/maintain/glances/certs
new file mode 100644
index 0000000..1f4d9d6
--- /dev/null
+++ b/states/roles/maintain/glances/certs
@@ -0,0 +1 @@
+/etc/letsencrypt/live/
\ No newline at end of file
diff --git a/states/roles/maintain/glances/glances.conf b/states/roles/maintain/glances/glances.conf
new file mode 100755
index 0000000..e69de29
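Review bot: `gitlab:`, `mysql:` and `gitlab_nginx:` are written as `- pkg: installed`, a list directly under the state ID, while every sibling state in this commit (`deluge:` / `pkg.installed`) uses the function form; Salt expects a mapping under the ID, so I would expect these three to fail to render — change each to `pkg.installed`. The remainder is a manual checklist in comments, including a `rake gitlab:setup` line that, if I read GitLab's tooling correctly, re-initialises the database; a header comment such as `# INCOMPLETE: manual steps below are not automated; do not run gitlab:setup against an existing instance` would save the next operator from applying it blindly.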
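Review bot: The `ldap` branch emits only `#Not Implemented`, so a server whose pillar sets `auth: ldap` is rendered with no `auth_basic` directive and is served wide open, exactly like `none`; an unimplemented mode should fail closed. The cheapest fix is to emit `deny all;` in that branch, e.g. `{%- elif auth == "ldap" %}` / `deny all;  # ldap auth not implemented - fail closed`, so a misconfigured name is blocked rather than exposed. Nothing in this chunk manages `/etc/nginx/.htpasswd`, so the `simple` branch presumably depends on a hand-created file; a comment naming where it comes from would help.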
diff --git a/states/roles/maintain/glances/glances.html b/states/roles/maintain/glances/glances.html new file mode 100755 index 0000000..c08579c --- /dev/null +++ b/states/roles/maintain/glances/glances.html @@ -0,0 +1,82 @@ + + + + + + + +
+ +
+ + + + + diff --git a/states/roles/maintain/glances/init.sls b/states/roles/maintain/glances/init.sls new file mode 100755 index 0000000..233123c --- /dev/null +++ b/states/roles/maintain/glances/init.sls 
@@ -0,0 +1,85 @@ +{%- set os=grains['os'] -%} + +{##check if server is portal##} +{%- if 'portal' in pillar['grains']['roles'] -%} + {%- set portal = "portal" -%} +{%- endif -%} +nginx: + pkg.installed: [] + service.running: + - enable: true + - watch: + - file: /etc/nginx/conf.d/* + - file: /etc/nginx/nginx.conf +{%- if pillar['nginx'] is defined -%} +{%- for name in pillar['nginx'] %} + - file: /etc/nginx/certs/{{name}}.actcur.com/* +{%- endfor %} +{%- endif %} + +/etc/nginx/nginx.conf: + file.managed: + - source: salt://roles/maintain/nginx-proxy/nginx.conf + - user: root + - group: root + - mode: 644 + +{##ensure that nginx pillar exists##} +{%- if pillar['nginx'] is defined -%} + +{##set up conf files for this server##} +{%- for name in pillar['nginx'] %} +"/etc/nginx/certs/{{name}}.actcur.com/": + file.recurse: + - source: salt://roles/maintain/nginx-proxy/certs/{{name}}.actcur.com/ +{%- if os=="CentOS" or os=="RedHat" %} + - user: nginx + - user: nginx +{%- elif os=="Arch" or os=="Manjaro" %} + - user: http + - group: http +{%- endif %} + - dir_mode: 755 + - file:mode: 400 + - clean: true + +/etc/nginx/conf.d/{{ name }}.conf: + file.managed: + - makedirs: true + {%- if portal is defined %} + - source: salt://roles/maintain/nginx-proxy/remote.conf + {%- else %} + - source: salt://roles/maintain/nginx-proxy/local.conf + {%- endif %} + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + server: {{ name }} + resolver: {{ salt['dnsutil.A']('r.actcur.com')[0] }} +{%- endfor %} +{%- endif %} + + +{%- if portal is defined %} +/etc/nginx/conf.d/portal.actcur.com.conf: + file.managed: + - makedirs: true + - source: salt://roles/maintain/nginx-proxy/portal.conf + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + resolver: {{ salt['dnsutil.A']('r.actcur.com')[0] }} + +"/etc/nginx/certs/portal.actcur.com/": + file.recurse: + - source: salt://roles/maintain/nginx-proxy/certs/portal.actcur.com/ + - user: http + - group: 
http + - dir_mode: 755 + - file:mode: 400 + - clean: true +{%- endif -%} diff --git a/states/roles/maintain/glances/local.conf b/states/roles/maintain/glances/local.conf new file mode 100755 index 0000000..d477370 --- /dev/null +++ b/states/roles/maintain/glances/local.conf 
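Review bot: In the per-name `file.recurse` for `/etc/nginx/certs/{{name}}.actcur.com/` the CentOS/RedHat branch sets `- user: nginx` twice and never sets `group`, and both recurse states pass `- file:mode: 400`, which is not an accepted argument (the key is `file_mode`), so the state either errors or leaves the key files under `certs/` at whatever mode the source has; change to `- group: nginx` and `- file_mode: 400` in both places. Every `source:` path, the `{% include %}` in remote.conf and the conf templates point at `roles/maintain/nginx-proxy/` although this state lives in `roles/maintain/glances/`, which looks like an unedited copy of the nginx-proxy role — if the reuse is intentional, a top-of-file comment saying so would stop someone "fixing" it. `pillar['grains']['roles']` is also indexed without an `is defined` guard, unlike the `pillar['nginx']` checks further down.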
@@ -0,0 +1,64 @@
+{%- if pillar['nginx'][server]['https'] is defined -%}
+ {%- if pillar['nginx'][server]['https']['port'] is defined-%}
+ {%- set port = pillar['nginx'][server]['https']['port'] -%}
+ {%- endif -%}
+ {%- if pillar['nginx'][server]['https']['port'] is defined-%}
+ {%- set prot = pillar['nginx'][server]['https']['prot'] -%}
+ {%- else -%}
+ [%- set prot = "https" -%}
+ {%- endif -%}
+server {
+ listen 443;
+ server_name {{server}}.actcur.com;
+
+ resolver {{ resolver }};
+ set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}";
+
+ ssl on;
+ ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+
+ location / {
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+
+ # re-write redirects to http as to https, example: /home
+ proxy_redirect http:// https://;
+ }
+}
+{%- endif -%}
+
+
+{%- if pillar['nginx'][server]['http'] is defined-%}
+ {%- if pillar['nginx'][server]['http']['port'] is defined-%}
+ {%- set port = pillar['nginx'][server]['http']['port'] -%}
+ {%- endif -%}
+ {%- if pillar['nginx'][server]['http']['port'] is defined-%}
+ {%- set prot = pillar['nginx'][server]['http']['prot'] -%}
+ {%- else -%}
+ [%- set prot = "http" -%}
+ {%- endif -%}
+server {
+ listen 80;
+ server_name {{server}}.actcur.com;
+
+ resolver {{resolver}};
+ set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}";
+
+ location / {
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+
+ # re-write redirects to https as to http, example: /home
+ proxy_redirect https:// http://;
+
+ }
+}
+{% else %}
+server {
+ listen 80 default_server;
+ server_name _;
+ rewrite ^ https://$host$request_uri? permanent;
+}
+{%- endif -%}
diff --git a/states/roles/maintain/glances/nginx.conf b/states/roles/maintain/glances/nginx.conf
new file mode 100755
index 0000000..bf5fd27
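Review bot: Both `prot` blocks test `['port'] is defined` and then read `['prot']`, so a pillar entry with a port but no `prot` fails at render time, and the fallback is written `[%- set prot = "https" -%}` with a square bracket, so the `else` branch is copied literally into the nginx config and `prot` is never set; the tests should be `['https']['prot'] is defined` / `['http']['prot'] is defined` and the bracket `{%-`, in both the https and http blocks. Separately, a server with no `http` key emits `listen 80 default_server` — since this file is rendered once per entry in `pillar['nginx']`, two such entries would produce duplicate default servers on port 80 and nginx would reject the config, so that redirect block belongs in one shared file. The 443 block uses `ssl on` with no `ssl_protocols`, leaving the negotiated versions to the build's defaults; add `ssl_protocols TLSv1.2;` beside `ssl_certificate`.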
--- /dev/null +++ b/states/roles/maintain/glances/nginx.conf @@ -0,0 +1,71 @@ + +#user html; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + include conf.d/*.conf; + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} +} diff --git a/states/roles/maintain/glances/portal.conf b/states/roles/maintain/glances/portal.conf new file mode 100755 index 0000000..18c5e04 --- /dev/null +++ b/states/roles/maintain/glances/portal.conf 
@@ -0,0 +1,41 @@
+server {
+
+ listen 443 default_server;
+ server_name portal.actcur.com;
+
+ resolver {{resolver}};
+ set $certbot "https://salt.actcur.com";
+
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/portal.actcur.com/cert.pem;
+ ssl_certificate_key /etc/letsencrypt/live/portal.actcur.com/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ root /srv/http;
+ }
+}
+
+server {
+ listen 80 default_server;
+ server_name portal.actcur.com;
+
+ resolver {{resolver}};
+ set $certbot "http://salt.actcur.com";
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+}
+
+
diff --git a/states/roles/maintain/glances/remote.conf b/states/roles/maintain/glances/remote.conf
new file mode 100755
index 0000000..cab7274
--- /dev/null
+++ b/states/roles/maintain/glances/remote.conf
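Review bot: The port-80 `default_server` redirects with `rewrite ^ https://$host$request_uri? permanent;`, and because this block catches every Host header, the redirect target comes from whatever Host the client sent rather than from the site; `return 301 https://portal.actcur.com$request_uri;` pins it to this name and avoids the regex. The 443 block uses the legacy `ssl on` and sets no `ssl_protocols`/`ssl_ciphers`, so the build's defaults decide what is negotiated — `listen 443 ssl default_server;` with `ssl_protocols TLSv1.2;` keeps that under the config's control. The ACME location forwards `/.well-known/acme-challenge/` to `salt.actcur.com`; a one-line comment that the salt host runs certbot for every name would explain why this host does not answer its own challenges.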
@@ -0,0 +1,67 @@
+{%- set auth = "blocked" -%}
+{%- if pillar['nginx'][server]['https'] is defined -%}
+ {%- if pillar['nginx'][server]['auth'] is defined-%}
+ {%- set auth = pillar['nginx'][server]['auth'] -%}
+ {%- endif -%}
+{%- endif -%}
+
+server {
+ listen 443;
+ server_name {{server}}.actcur.com;
+
+ resolver {{resolver}};
+ set $backend "https://{{server}}.actcur.com";
+ set $certbot "https://salt.actcur.com";
+
+ ssl on;
+ ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/cert.pem;
+ ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem;
+ ssl_session_cache shared:SSL:10m;
+
+ {% include 'roles/maintain/nginx-proxy/auth.conf' %}
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+{%- if auth != "blocked" %}
+
+ location / {
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+
+ # re-write redirects to http as to https, example: /home
+ proxy_redirect http:// https://;
+ }
+{%- endif %}
+}
+
+{%- if pillar['nginx'][server]['http'] is defined-%}
+ {%- if pillar['nginx'][server]['https']['auth'] is defined-%}
+ {%- set auth = pillar['nginx'][server]['https']['auth'] -%}
+ {%- else -%}
+ {%- set auth = "blocked" -%}
+ {%- endif -%}
+server {
+ listen 80;
+ server_name {{server}}.actcur.com;
+
+ resolver {{resolver}};
+ set $backend "http://{{server}}.actcur.com";
+ set $certbot "http://salt.actcur.com";
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+ location / {
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+
+ # re-write redirects to https as to http, example: /home
+ proxy_redirect https:// http://;
+ }
+}
+{%- endif -%}
diff --git a/states/roles/maintain/lam/config.cfg b/states/roles/maintain/lam/config.cfg
new file mode 100755
index 0000000..53f5736
--- /dev/null
+++ b/states/roles/maintain/lam/config.cfg
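Review bot: The `auth` gate only protects the 443 server: the port-80 `server` proxies `location /` to `$backend` unconditionally, so any name that defines `http` in pillar is served in cleartext with no `auth_basic` and with `auth: blocked` ignored. The second `set auth` block reads `pillar['nginx'][server]['https']['auth']` under an `['http'] is defined` test and the value is never used afterwards, which suggests the gate was meant to apply here too. The rewrite below keeps the ACME location on port 80 and sends everything else to the authenticated 443 server; if cleartext proxying really is wanted for some names, `location /` at least needs the same `{%- if auth != "blocked" %}` guard and the auth include. The include path `roles/maintain/nginx-proxy/auth.conf` also points outside this role's directory — check whether `roles/maintain/glances/auth.conf` was intended.
```nginx
# … unchanged: auth lookup and the 443 server block …
{%- if pillar['nginx'][server]['http'] is defined-%}
server {
    listen 80;
    server_name {{server}}.actcur.com;

    resolver {{resolver}};
    set $certbot "http://salt.actcur.com";

    location /.well-known/acme-challenge/ {
        proxy_pass $certbot;
        proxy_set_header Host $host;
    }

    # never proxy the backend in cleartext; the 443 server carries the auth gate
    location / {
        return 301 https://{{server}}.actcur.com$request_uri;
    }
}
{%- endif -%}
```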
@@ -0,0 +1,58 @@
+
+# password to add/delete/rename configuration profiles (default: lam)
+password: {SSHA}P9Ne8ZSKD4QHuHkFe8ayVIKSnvE= XjHBmA==
+
+# default profile, without ".conf"
+default: ldap-root
+
+# log level
+logLevel: 4
+
+# log destination
+logDestination: SYSLOG
+
+
+# session timeout in minutes
+sessionTimeout: 30
+
+# list of hosts which may access LAM
+allowedHosts:
+
+# list of hosts which may access LAM Pro self service
+allowedHostsSelfService:
+
+# encrypt session data
+encryptSession: true
+
+# Password: minimum password length
+passwordMinLength: 0
+
+# Password: minimum uppercase characters
+passwordMinUpper: 0
+
+# Password: minimum lowercase characters
+passwordMinLower: 0
+
+# Password: minimum numeric characters
+passwordMinNumeric: 0
+
+# Password: minimum symbolic characters
+passwordMinSymbol: 0
+
+# Password: minimum character classes (0-4)
+passwordMinClasses: 0
+
+# Password: checked rules
+checkedRulesCount: -1
+
+# Password: must not contain part of user name
+passwordMustNotContain3Chars: false
+
+# Password: must not contain user name
+passwordMustNotContainUser: false
+
+# Email format (default/unix)
+mailEOL: default
+
+# PHP error reporting (default/system)
+errorReporting: default
diff --git a/states/roles/maintain/lam/init.sls b/states/roles/maintain/lam/init.sls
new file mode 100755
index 0000000..99b0de2
--- /dev/null
+++ b/states/roles/maintain/lam/init.sls
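Review bot: `password: {SSHA}P9Ne8ZSKD4QHuHkFe8ayVIKSnvE= XjHBmA==` commits the hash of the LAM master configuration password to the repository, and the accompanying init.sls installs this file with `mode: 644`; the value should come from pillar with the file rendered as a Jinja template (`- template: jinja` in the state and `password: {{ pillar['lam']['master_password_hash'] }}` here — pillar key is a placeholder), and if this is the live hash the password should be treated as exposed and rotated. `allowedHosts:` and `allowedHostsSelfService:` are left empty, which presumably means no host restriction; with lam-server.conf listening on plain port 8000, listing the admin/proxy hosts here is a cheap second layer. Every `passwordMin*` value is 0 and `checkedRulesCount: -1`, which appears to disable all password rules — fine for a lab, but worth a comment stating that it is intentional.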
@@ -0,0 +1,59 @@
+php:
+ pkg.installed:
+ - pkgs:
+ - php56
+ - php56-fpm
+ - php56-ldap
+ service.running:
+ - name: php56-fpm
+ - enable: true
+ - watch:
+ - file: /etc/php56/php.ini
+
+ldap-account-manager:
+ pkg.installed
+
+/etc/php56/php.ini:
+ file.managed:
+ - source: salt://roles/maintain/lam/php.ini
+ - user: root
+ - group: root
+ - mode: 644
+
+/etc/nginx/conf.d/lam-server.conf:
+ file.managed:
+ - source: salt://roles/maintain/lam/lam-server.conf
+ - user: root
+ - group: root
+ - mode: 644
+
+/usr/share/webapps:
+ file.directory:
+ - user: http
+ - group: http
+ - recurse:
+ - user
+ - group
+
+/var/lib/ldap-account-manager:
+ file.directory:
+ - user: http
+ - group: http
+# - mode: 777
+ - recurse:
+ - user
+ - group
+# - mode
+
+/etc/webapps/ldap-account-manager/config.cfg:
+ file.managed:
+ - source: salt://roles/maintain/lam/config.cfg
+ - user: http
+ - group: http
+ - mode: 644
+
+/etc/webapps/ldap-account-manager:
+ file.directory:
+ - user: http
+ - group: http
+ - mode: 775
diff --git a/states/roles/maintain/lam/lam-server.conf b/states/roles/maintain/lam/lam-server.conf
new file mode 100755
index 0000000..08c157f
--- /dev/null
+++ b/states/roles/maintain/lam/lam-server.conf
@@ -0,0 +1,21 @@
+server {
+ listen 8000;
+
+ index index.html;
+ root /usr/share/webapps/ldap-account-manager;
+ autoindex off;
+
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/run/php56-fpm/php-fpm.sock;
+ fastcgi_index index.php;
+ include fastcgi.conf;
+ }
+
+ location ~ /lam/(tmp/internal|sess|config|lib|help|locale) {
+ deny all;
+ return 403;
+ }
+
+}
+
diff --git a/states/roles/maintain/lam/php.ini b/states/roles/maintain/lam/php.ini
new file mode 100755
index 0000000..6d72085
--- /dev/null
+++ b/states/roles/maintain/lam/php.ini
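Review bot: `/usr/share/webapps` is recursively chowned to `http:http`, which gives the PHP worker write access to its own application code (and to every other webapp under that directory), so any bug in LAM can turn into a persistent code change; keep the code `root:root` and let `http` own only `/var/lib/ldap-account-manager` and the config directory, as the later states already do. `/etc/webapps/ldap-account-manager/config.cfg` at `mode: 644` with its parent at `775` exposes the master password hash in config.cfg to every local account — `mode: 640` on the file and `750` on the directory, both `http:http`, is enough for the web server and LAM's own config editor. The commented-out `- mode: 777` lines on `/var/lib/ldap-account-manager` should simply be deleted so they are not revived later.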
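Review bot: The `deny all` location matches `~ /lam/(tmp/internal|sess|config|lib|help|locale)`, but `root` is the LAM directory itself, so those trees are served at `/config/`, `/sess/`, `/lib/`, … and the regex never matches them; in addition nginx takes the first matching regex location in file order, so even a corrected pattern must be placed before `location ~ \.php$` or `/config/*.php` is still handed to php-fpm. That PHP location also passes every `*.php` URI to php-fpm without `try_files $uri =404`, which with `cgi.fix_pathinfo` at its default is the usual path-info execution hazard. Port `8000` is plain HTTP with no `allow`/`deny`; if this is meant to sit behind the proxy role, a comment saying so (and an `allow` for that proxy only) would document the trust boundary.
```nginx
server {
    # … unchanged: listen / index / root / autoindex …

    # must precede the \.php$ regex: nginx uses the first regex location that matches
    location ~ ^/(tmp/internal|sess|config|lib|help|locale)(/|$) {
        deny all;
        return 403;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # … unchanged: fastcgi_pass / fastcgi_index / include …
    }
}
```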
@@ -0,0 +1,1995 @@ +[PHP] + +;;;;;;;;;;;;;;;;;;; +; About php.ini ; +;;;;;;;;;;;;;;;;;;; +; PHP's initialization file, generally called php.ini, is responsible for +; configuring many of the aspects of PHP's behavior. + +; PHP attempts to find and load this configuration from a number of locations. +; The following is a summary of its search order: +; 1. SAPI module specific location. +; 2. The PHPRC environment variable. (As of PHP 5.2.0) +; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0) +; 4. Current working directory (except CLI) +; 5. The web server's directory (for SAPI modules), or directory of PHP +; (otherwise in Windows) +; 6. The directory from the --with-config-file-path compile time option, or the +; Windows directory (C:\windows or C:\winnt) +; See the PHP docs for more specific information. +; http://php.net/configuration.file + +; The syntax of the file is extremely simple. Whitespace and lines +; beginning with a semicolon are silently ignored (as you probably guessed). +; Section headers (e.g. [Foo]) are also silently ignored, even though +; they might mean something in the future. + +; Directives following the section heading [PATH=/www/mysite] only +; apply to PHP files in the /www/mysite directory. Directives +; following the section heading [HOST=www.example.com] only apply to +; PHP files served from www.example.com. Directives set in these +; special sections cannot be overridden by user-defined INI files or +; at runtime. Currently, [PATH=] and [HOST=] sections only work under +; CGI/FastCGI. +; http://php.net/ini.sections + +; Directives are specified using the following syntax: +; directive = value +; Directive names are *case sensitive* - foo=bar is different from FOO=bar. +; Directives are variables used to configure PHP or PHP extensions. +; There is no name validation. If PHP can't find an expected +; directive because it is not set or is mistyped, a default value will be used. 
+ +; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one +; of the INI constants (On, Off, True, False, Yes, No and None) or an expression +; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a +; previously set variable or directive (e.g. ${foo}) + +; Expressions in the INI file are limited to bitwise operators and parentheses: +; | bitwise OR +; ^ bitwise XOR +; & bitwise AND +; ~ bitwise NOT +; ! boolean NOT + +; Boolean flags can be turned on using the values 1, On, True or Yes. +; They can be turned off using the values 0, Off, False or No. + +; An empty string can be denoted by simply not writing anything after the equal +; sign, or by using the None keyword: + +; foo = ; sets foo to an empty string +; foo = None ; sets foo to an empty string +; foo = "None" ; sets foo to the string 'None' + +; If you use constants in your value, and these constants belong to a +; dynamically loaded extension (either a PHP extension or a Zend extension), +; you may only use these constants *after* the line that loads the extension. + +;;;;;;;;;;;;;;;;;;; +; About this file ; +;;;;;;;;;;;;;;;;;;; +; PHP comes packaged with two INI files. One that is recommended to be used +; in production environments and one that is recommended to be used in +; development environments. + +; php.ini-production contains settings which hold security, performance and +; best practices at its core. But please be aware, these settings may break +; compatibility with older or less security conscience applications. We +; recommending using the production ini in production and testing environments. + +; php.ini-development is very similar to its production variant, except it is +; much more verbose when it comes to errors. We recommend using the +; development version only in development environments, as errors shown to +; application users can inadvertently leak otherwise secure information. + +; This is php.ini-production INI file. 
+ +;;;;;;;;;;;;;;;;;;; +; Quick Reference ; +;;;;;;;;;;;;;;;;;;; +; The following are all the settings which are different in either the production +; or development versions of the INIs with respect to PHP's default behavior. +; Please see the actual settings later in the document for more details as to why +; we recommend these changes in PHP's behavior. + +; display_errors +; Default Value: On +; Development Value: On +; Production Value: Off + +; display_startup_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; error_reporting +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT + +; html_errors +; Default Value: On +; Development Value: On +; Production value: On + +; log_errors +; Default Value: Off +; Development Value: On +; Production Value: On + +; max_input_time +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) + +; output_buffering +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 + +; register_argc_argv +; Default Value: On +; Development Value: Off +; Production Value: Off + +; request_order +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" + +; session.gc_divisor +; Default Value: 100 +; Development Value: 1000 +; Production Value: 1000 + +; session.hash_bits_per_character +; Default Value: 4 +; Development Value: 5 +; Production Value: 5 + +; short_open_tag +; Default Value: On +; Development Value: Off +; Production Value: Off + +; track_errors +; Default Value: Off +; Development Value: On +; Production Value: Off + +; url_rewriter.tags +; Default Value: "a=href,area=href,frame=src,form=,fieldset=" +; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry" +; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry" + +; variables_order +; Default Value: "EGPCS" +; Development Value: 
"GPCS" +; Production Value: "GPCS" + +;;;;;;;;;;;;;;;;;;;; +; php.ini Options ; +;;;;;;;;;;;;;;;;;;;; +; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini" +;user_ini.filename = ".user.ini" + +; To disable this feature set this option to empty value +;user_ini.filename = + +; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes) +;user_ini.cache_ttl = 300 + +;;;;;;;;;;;;;;;;;;;; +; Language Options ; +;;;;;;;;;;;;;;;;;;;; + +; Enable the PHP scripting language engine under Apache. +; http://php.net/engine +engine = On + +; This directive determines whether or not PHP will recognize code between +; tags as PHP source which should be processed as such. It is +; generally recommended that should be used and that this feature +; should be disabled, as enabling it may result in issues when generating XML +; documents, however this remains supported for backward compatibility reasons. +; Note that this directive does not control the tags. +; http://php.net/asp-tags +asp_tags = Off + +; The number of significant digits displayed in floating point numbers. +; http://php.net/precision +precision = 14 + +; Output buffering is a mechanism for controlling how much output data +; (excluding headers and cookies) PHP should keep internally before pushing that +; data to the client. If your application's output exceeds this setting, PHP +; will send that data in chunks of roughly the size you specify. +; Turning on this setting and managing its maximum buffer size can yield some +; interesting side-effects depending on your application and web server. +; You may be able to send headers and cookies after you've already sent output +; through print or echo. You also may see performance benefits if your server is +; emitting less packets due to buffered output versus PHP streaming the output +; as it gets it. On production servers, 4096 bytes is a good setting for performance +; reasons. 
+; Note: Output buffering can also be controlled via Output Buffering Control +; functions. +; Possible Values: +; On = Enabled and buffer is unlimited. (Use with caution) +; Off = Disabled +; Integer = Enables the buffer and sets its maximum size in bytes. +; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: Off +; Development Value: 4096 +; Production Value: 4096 +; http://php.net/output-buffering +output_buffering = 4096 + +; You can redirect all of the output of your scripts to a function. For +; example, if you set output_handler to "mb_output_handler", character +; encoding will be transparently converted to the specified encoding. +; Setting any output handler automatically turns on output buffering. +; Note: People who wrote portable scripts should not depend on this ini +; directive. Instead, explicitly set the output handler using ob_start(). +; Using this ini directive may cause problems unless you know what script +; is doing. +; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler" +; and you cannot use both "ob_gzhandler" and "zlib.output_compression". +; Note: output_handler must be empty if this is set 'On' !!!! +; Instead you must use zlib.output_handler. +; http://php.net/output-handler +;output_handler = + +; Transparent output compression using the zlib library +; Valid values for this option are 'off', 'on', or a specific buffer size +; to be used for compression (default is 4KB) +; Note: Resulting chunk size may vary due to nature of compression. PHP +; outputs chunks that are few hundreds bytes each as a result of +; compression. If you prefer a larger chunk size for better +; performance, enable output_buffering in addition. +; Note: You need to use zlib.output_handler instead of the standard +; output_handler, or otherwise the output will be corrupted. 
+; http://php.net/zlib.output-compression +zlib.output_compression = Off + +; http://php.net/zlib.output-compression-level +;zlib.output_compression_level = -1 + +; You cannot specify additional output handlers if zlib.output_compression +; is activated here. This setting does the same as output_handler but in +; a different order. +; http://php.net/zlib.output-handler +;zlib.output_handler = + +; Implicit flush tells PHP to tell the output layer to flush itself +; automatically after every output block. This is equivalent to calling the +; PHP function flush() after each and every call to print() or echo() and each +; and every HTML block. Turning this option on has serious performance +; implications and is generally recommended for debugging purposes only. +; http://php.net/implicit-flush +; Note: This directive is hardcoded to On for the CLI SAPI +implicit_flush = Off + +; The unserialize callback function will be called (with the undefined class' +; name as parameter), if the unserializer finds an undefined class +; which should be instantiated. A warning appears if the specified function is +; not defined, or if the function doesn't include/implement the missing class. +; So only set this entry, if you really want to implement such a +; callback-function. +unserialize_callback_func = + +; When floats & doubles are serialized store serialize_precision significant +; digits after the floating point. The default value ensures that when floats +; are decoded with unserialize, the data will remain the same. +serialize_precision = 17 + +; open_basedir, if set, limits all file operations to the defined directory +; and below. This directive makes most sense if used in a per-directory +; or per-virtualhost web server configuration file. +; http://php.net/open-basedir +open_basedir = /srv/http/:/home/:/tmp/:/usr/share/pear/:/usr/share/webapps/:/etc/webapps:/var/lib/ldap-account-manager/ + +; This directive allows you to disable certain functions for security reasons. 
+; It receives a comma-delimited list of function names. +; http://php.net/disable-functions +disable_functions = + +; This directive allows you to disable certain classes for security reasons. +; It receives a comma-delimited list of class names. +; http://php.net/disable-classes +disable_classes = + +; Colors for Syntax Highlighting mode. Anything that's acceptable in +; would work. +; http://php.net/syntax-highlighting +;highlight.string = #DD0000 +;highlight.comment = #FF9900 +;highlight.keyword = #007700 +;highlight.default = #0000BB +;highlight.html = #000000 + +; If enabled, the request will be allowed to complete even if the user aborts +; the request. Consider enabling it if executing long requests, which may end up +; being interrupted by the user or a browser timing out. PHP's default behavior +; is to disable this feature. +; http://php.net/ignore-user-abort +;ignore_user_abort = On + +; Determines the size of the realpath cache to be used by PHP. This value should +; be increased on systems where PHP opens many files to reflect the quantity of +; the file operations performed. +; http://php.net/realpath-cache-size +;realpath_cache_size = 16k + +; Duration of time, in seconds for which to cache realpath information for a given +; file or directory. For systems with rarely changing files, consider increasing this +; value. +; http://php.net/realpath-cache-ttl +;realpath_cache_ttl = 120 + +; Enables or disables the circular reference collector. +; http://php.net/zend.enable-gc +zend.enable_gc = On + +; If enabled, scripts may be written in encodings that are incompatible with +; the scanner. CP936, Big5, CP949 and Shift_JIS are the examples of such +; encodings. To use this feature, mbstring extension must be enabled. +; Default: Off +;zend.multibyte = Off + +; Allows to set the default encoding for the scripts. This value will be used +; unless "declare(encoding=...)" directive appears at the top of the script. +; Only affects if zend.multibyte is set. 
+; Default: "" +;zend.script_encoding = + +;;;;;;;;;;;;;;;;; +; Miscellaneous ; +;;;;;;;;;;;;;;;;; + +; Decides whether PHP may expose the fact that it is installed on the server +; (e.g. by adding its signature to the Web server header). It is no security +; threat in any way, but it makes it possible to determine whether you use PHP +; on your server or not. +; http://php.net/expose-php +expose_php = On + +;;;;;;;;;;;;;;;;;;; +; Resource Limits ; +;;;;;;;;;;;;;;;;;;; + +; Maximum execution time of each script, in seconds +; http://php.net/max-execution-time +; Note: This directive is hardcoded to 0 for the CLI SAPI +max_execution_time = 30 + +; Maximum amount of time each script may spend parsing request data. It's a good +; idea to limit this time on productions servers in order to eliminate unexpectedly +; long running scripts. +; Note: This directive is hardcoded to -1 for the CLI SAPI +; Default Value: -1 (Unlimited) +; Development Value: 60 (60 seconds) +; Production Value: 60 (60 seconds) +; http://php.net/max-input-time +max_input_time = 60 + +; Maximum input variable nesting level +; http://php.net/max-input-nesting-level +;max_input_nesting_level = 64 + +; How many GET/POST/COOKIE input variables may be accepted +; max_input_vars = 1000 + +; Maximum amount of memory a script may consume (128MB) +; http://php.net/memory-limit +memory_limit = 128M + +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +; Error handling and logging ; +;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +; This directive informs PHP of which errors, warnings and notices you would like +; it to take action for. The recommended way of setting values for this +; directive is through the use of the error level constants and bitwise +; operators. The error level constants are below here for convenience as well as +; some common settings and their meanings. 
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT +; those related to E_NOTICE and E_STRICT, which together cover best practices and +; recommended coding standards in PHP. For performance reasons, this is the +; recommend error reporting setting. Your production server shouldn't be wasting +; resources complaining about best practices and coding standards. That's what +; development servers and development settings are for. +; Note: The php.ini-development file has this setting as E_ALL. This +; means it pretty much reports everything which is exactly what you want during +; development and early testing. +; +; Error Level Constants: +; E_ALL - All errors and warnings (includes E_STRICT as of PHP 5.4.0) +; E_ERROR - fatal run-time errors +; E_RECOVERABLE_ERROR - almost fatal run-time errors +; E_WARNING - run-time warnings (non-fatal errors) +; E_PARSE - compile-time parse errors +; E_NOTICE - run-time notices (these are warnings which often result +; from a bug in your code, but it's possible that it was +; intentional (e.g., using an uninitialized variable and +; relying on the fact it is automatically initialized to an +; empty string) +; E_STRICT - run-time notices, enable to have PHP suggest changes +; to your code which will ensure the best interoperability +; and forward compatibility of your code +; E_CORE_ERROR - fatal errors that occur during PHP's initial startup +; E_CORE_WARNING - warnings (non-fatal errors) that occur during PHP's +; initial startup +; E_COMPILE_ERROR - fatal compile-time errors +; E_COMPILE_WARNING - compile-time warnings (non-fatal errors) +; E_USER_ERROR - user-generated error message +; E_USER_WARNING - user-generated warning message +; E_USER_NOTICE - user-generated notice message +; E_DEPRECATED - warn about code that will not work in future versions +; of PHP +; E_USER_DEPRECATED - user-generated deprecation warnings +; +; Common Values: +; E_ALL (Show all errors, warnings and notices 
including coding standards.) +; E_ALL & ~E_NOTICE (Show all errors, except for notices) +; E_ALL & ~E_NOTICE & ~E_STRICT (Show all errors, except for notices and coding standards warnings.) +; E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR (Show only errors) +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED +; Development Value: E_ALL +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT +; http://php.net/error-reporting +error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT + +; This directive controls whether or not and where PHP will output errors, +; notices and warnings too. Error output is very useful during development, but +; it could be very dangerous in production environments. Depending on the code +; which is triggering the error, sensitive information could potentially leak +; out of your application such as database usernames and passwords or worse. +; For production environments, we recommend logging errors rather than +; sending them to STDOUT. +; Possible Values: +; Off = Do not display any errors +; stderr = Display errors to STDERR (affects only CGI/CLI binaries!) +; On or stdout = Display errors to STDOUT +; Default Value: On +; Development Value: On +; Production Value: Off +; http://php.net/display-errors +display_errors = Off + +; The display of errors which occur during PHP's startup sequence are handled +; separately from display_errors. PHP's default behavior is to suppress those +; errors from clients. Turning the display of startup errors on can be useful in +; debugging configuration problems. We strongly recommend you +; set this to 'off' for production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/display-startup-errors +display_startup_errors = Off + +; Besides displaying errors, PHP can also log errors to locations such as a +; server-specific log, STDERR, or a location specified by the error_log +; directive found below. 
While errors should not be displayed on productions +; servers they should still be monitored and logging is a great way to do that. +; Default Value: Off +; Development Value: On +; Production Value: On +; http://php.net/log-errors +log_errors = On + +; Set maximum length of log_errors. In error_log information about the source is +; added. The default is 1024 and 0 allows to not apply any maximum length at all. +; http://php.net/log-errors-max-len +log_errors_max_len = 1024 + +; Do not log repeated messages. Repeated errors must occur in same file on same +; line unless ignore_repeated_source is set true. +; http://php.net/ignore-repeated-errors +ignore_repeated_errors = Off + +; Ignore source of message when ignoring repeated messages. When this setting +; is On you will not log errors with repeated messages from different files or +; source lines. +; http://php.net/ignore-repeated-source +ignore_repeated_source = Off + +; If this parameter is set to Off, then memory leaks will not be shown (on +; stdout or in the log). This has only effect in a debug compile, and if +; error reporting includes E_WARNING in the allowed list +; http://php.net/report-memleaks +report_memleaks = On + +; This setting is on by default. +;report_zend_debug = 0 + +; Store the last error/warning message in $php_errormsg (boolean). Setting this value +; to On can assist in debugging and is appropriate for development servers. It should +; however be disabled on production servers. +; Default Value: Off +; Development Value: On +; Production Value: Off +; http://php.net/track-errors +track_errors = Off + +; Turn off normal error reporting and emit XML-RPC error XML +; http://php.net/xmlrpc-errors +;xmlrpc_errors = 0 + +; An XML-RPC faultCode +;xmlrpc_error_number = 0 + +; When PHP displays or logs an error, it has the capability of formatting the +; error message as HTML for easier reading. This directive controls whether +; the error message is formatted as HTML or not. 
+; Note: This directive is hardcoded to Off for the CLI SAPI +; Default Value: On +; Development Value: On +; Production value: On +; http://php.net/html-errors +html_errors = On + +; If html_errors is set to On *and* docref_root is not empty, then PHP +; produces clickable error messages that direct to a page describing the error +; or function causing the error in detail. +; You can download a copy of the PHP manual from http://php.net/docs +; and change docref_root to the base URL of your local copy including the +; leading '/'. You must also specify the file extension being used including +; the dot. PHP's default behavior is to leave these settings empty, in which +; case no links to documentation are generated. +; Note: Never use this feature for production boxes. +; http://php.net/docref-root +; Examples +;docref_root = "/phpmanual/" + +; http://php.net/docref-ext +;docref_ext = .html + +; String to output before an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-prepend-string +; Example: +;error_prepend_string = "" + +; String to output after an error message. PHP's default behavior is to leave +; this setting blank. +; http://php.net/error-append-string +; Example: +;error_append_string = "" + +; Log errors to specified file. PHP's default behavior is to leave this value +; empty. +; http://php.net/error-log +; Example: +;error_log = php_errors.log +; Log errors to syslog (Event Log on Windows). +;error_log = syslog + +;windows.show_crt_warning +; Default value: 0 +; Development value: 0 +; Production value: 0 + +;;;;;;;;;;;;;;;;; +; Data Handling ; +;;;;;;;;;;;;;;;;; + +; The separator used in PHP generated URLs to separate arguments. +; PHP's default setting is "&". +; http://php.net/arg-separator.output +; Example: +;arg_separator.output = "&" + +; List of separator(s) used by PHP to parse input URLs into variables. +; PHP's default setting is "&". 
+; NOTE: Every character in this directive is considered as separator! +; http://php.net/arg-separator.input +; Example: +;arg_separator.input = ";&" + +; This directive determines which super global arrays are registered when PHP +; starts up. G,P,C,E & S are abbreviations for the following respective super +; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty +; paid for the registration of these arrays and because ENV is not as commonly +; used as the others, ENV is not recommended on productions servers. You +; can still get access to the environment variables through getenv() should you +; need to. +; Default Value: "EGPCS" +; Development Value: "GPCS" +; Production Value: "GPCS"; +; http://php.net/variables-order +variables_order = "GPCS" + +; This directive determines which super global data (G,P & C) should be +; registered into the super global array REQUEST. If so, it also determines +; the order in which that data is registered. The values for this directive +; are specified in the same manner as the variables_order directive, +; EXCEPT one. Leaving this value empty will cause PHP to use the value set +; in the variables_order directive. It does not mean it will leave the super +; globals array REQUEST empty. +; Default Value: None +; Development Value: "GP" +; Production Value: "GP" +; http://php.net/request-order +request_order = "GP" + +; This directive determines whether PHP registers $argv & $argc each time it +; runs. $argv contains an array of all the arguments passed to PHP when a script +; is invoked. $argc contains an integer representing the number of arguments +; that were passed when the script was invoked. These arrays are extremely +; useful when running scripts from the command line. When this directive is +; enabled, registering these variables consumes CPU cycles and memory each time +; a script is executed. For performance reasons, this feature should be disabled +; on production servers. 
+; Note: This directive is hardcoded to On for the CLI SAPI +; Default Value: On +; Development Value: Off +; Production Value: Off +; http://php.net/register-argc-argv +register_argc_argv = Off + +; When enabled, the ENV, REQUEST and SERVER variables are created when they're +; first used (Just In Time) instead of when the script starts. If these +; variables are not used within a script, having this directive on will result +; in a performance gain. The PHP directive register_argc_argv must be disabled +; for this directive to have any affect. +; http://php.net/auto-globals-jit +auto_globals_jit = On + +; Whether PHP will read the POST data. +; This option is enabled by default. +; Most likely, you won't want to disable this option globally. It causes $_POST +; and $_FILES to always be empty; the only way you will be able to read the +; POST data will be through the php://input stream wrapper. This can be useful +; to proxy requests or to process the POST data in a memory efficient fashion. +; http://php.net/enable-post-data-reading +;enable_post_data_reading = Off + +; Maximum size of POST data that PHP will accept. +; Its value may be 0 to disable the limit. It is ignored if POST data reading +; is disabled through enable_post_data_reading. +; http://php.net/post-max-size +post_max_size = 8M + +; Automatically add files before PHP document. +; http://php.net/auto-prepend-file +auto_prepend_file = + +; Automatically add files after PHP document. +; http://php.net/auto-append-file +auto_append_file = + +; By default, PHP will output a character encoding using +; the Content-type: header. To disable sending of the charset, simply +; set it to be empty. +; +; PHP's built-in default is text/html +; http://php.net/default-mimetype +default_mimetype = "text/html" + +; PHP's default character set is set to UTF-8. +; http://php.net/default-charset +default_charset = "UTF-8" + +; PHP internal character encoding is set to empty. +; If empty, default_charset is used. 
+; http://php.net/internal-encoding +;internal_encoding = + +; PHP input character encoding is set to empty. +; If empty, default_charset is used. +; http://php.net/input-encoding +;input_encoding = + +; PHP output character encoding is set to empty. +; If empty, default_charset is used. +; mbstring or iconv output handler is used. +; See also output_buffer. +; http://php.net/output-encoding +;output_encoding = + +; Always populate the $HTTP_RAW_POST_DATA variable. PHP's default behavior is +; to disable this feature and it will be removed in a future version. +; If post reading is disabled through enable_post_data_reading, +; $HTTP_RAW_POST_DATA is *NOT* populated. +; http://php.net/always-populate-raw-post-data +;always_populate_raw_post_data = -1 + +;;;;;;;;;;;;;;;;;;;;;;;;; +; Paths and Directories ; +;;;;;;;;;;;;;;;;;;;;;;;;; + +; UNIX: "/path1:/path2" +include_path = ".:/usr/share/pear" +; +; Windows: "\path1;\path2" +;include_path = ".;c:\php\includes" +; +; PHP's default setting for include_path is ".;/path/to/php/pear" +; http://php.net/include-path + +; The root of the PHP pages, used only if nonempty. +; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root +; if you are running php as a CGI under any web server (other than IIS) +; see documentation for security issues. The alternate is to use the +; cgi.force_redirect configuration below +; http://php.net/doc-root +doc_root = + +; The directory under which PHP opens the script using /~username used only +; if nonempty. +; http://php.net/user-dir +user_dir = + +; Directory in which the loadable extensions (modules) reside. +; http://php.net/extension-dir +extension_dir = "/usr/lib/php56/modules/" +; On windows: +; extension_dir = "ext" + +; Directory where the temporary files should be placed. +; Defaults to the system default (see sys_get_temp_dir) +; sys_temp_dir = "/tmp" + +; Whether or not to enable the dl() function. 
The dl() function does NOT work +; properly in multithreaded servers, such as IIS or Zeus, and is automatically +; disabled on them. +; http://php.net/enable-dl +enable_dl = Off + +; cgi.force_redirect is necessary to provide security running PHP as a CGI under +; most web servers. Left undefined, PHP turns this on by default. You can +; turn it off here AT YOUR OWN RISK +; **You CAN safely turn this off for IIS, in fact, you MUST.** +; http://php.net/cgi.force-redirect +;cgi.force_redirect = 1 + +; if cgi.nph is enabled it will force cgi to always sent Status: 200 with +; every request. PHP's default behavior is to disable this feature. +;cgi.nph = 1 + +; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape +; (iPlanet) web servers, you MAY need to set an environment variable name that PHP +; will look for to know it is OK to continue execution. Setting this variable MAY +; cause security issues, KNOW WHAT YOU ARE DOING FIRST. +; http://php.net/cgi.redirect-status-env +;cgi.redirect_status_env = + +; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's +; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok +; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting +; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting +; of zero causes PHP to behave as before. Default is 1. You should fix your scripts +; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. +; http://php.net/cgi.fix-pathinfo +;cgi.fix_pathinfo=1 + +; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate +; security tokens of the calling client. This allows IIS to define the +; security context that the request runs under. mod_fastcgi under Apache +; does not currently support this feature (03/17/2002) +; Set to 1 if running under IIS. Default is zero. 
+; http://php.net/fastcgi.impersonate +;fastcgi.impersonate = 1 + +; Disable logging through FastCGI connection. PHP's default behavior is to enable +; this feature. +;fastcgi.logging = 0 + +; cgi.rfc2616_headers configuration option tells PHP what type of headers to +; use when sending HTTP response code. If set to 0, PHP sends Status: header that +; is supported by Apache. When this option is set to 1, PHP will send +; RFC2616 compliant header. +; Default is zero. +; http://php.net/cgi.rfc2616-headers +;cgi.rfc2616_headers = 0 + +;;;;;;;;;;;;;;;; +; File Uploads ; +;;;;;;;;;;;;;;;; + +; Whether to allow HTTP file uploads. +; http://php.net/file-uploads +file_uploads = On + +; Temporary directory for HTTP uploaded files (will use system default if not +; specified). +; http://php.net/upload-tmp-dir +;upload_tmp_dir = + +; Maximum allowed size for uploaded files. +; http://php.net/upload-max-filesize +upload_max_filesize = 2M + +; Maximum number of files that can be uploaded via a single request +max_file_uploads = 20 + +;;;;;;;;;;;;;;;;;; +; Fopen wrappers ; +;;;;;;;;;;;;;;;;;; + +; Whether to allow the treatment of URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-fopen +allow_url_fopen = On + +; Whether to allow include/require to open URLs (like http:// or ftp://) as files. +; http://php.net/allow-url-include +allow_url_include = Off + +; Define the anonymous ftp password (your email address). PHP's default setting +; for this is empty. +; http://php.net/from +;from="john@doe.com" + +; Define the User-Agent string. PHP's default setting for this is empty. 
+; http://php.net/user-agent +;user_agent="PHP" + +; Default timeout for socket based streams (seconds) +; http://php.net/default-socket-timeout +default_socket_timeout = 60 + +; If your scripts have to deal with files from Macintosh systems, +; or you are running on a Mac and need to deal with files from +; unix or win32 systems, setting this flag will cause PHP to +; automatically detect the EOL character in those files so that +; fgets() and file() will work regardless of the source of the file. +; http://php.net/auto-detect-line-endings +;auto_detect_line_endings = Off + +;;;;;;;;;;;;;;;;;;;;;; +; Dynamic Extensions ; +;;;;;;;;;;;;;;;;;;;;;; + +; If you wish to have an extension loaded automatically, use the following +; syntax: +; +; extension=modulename.extension +; +; For example, on Windows: +; +; extension=msql.dll +; +; ... or under UNIX: +; +; extension=msql.so +; +; ... or with a path: +; +; extension=/path/to/extension/msql.so +; +; If you only provide the name of the extension, PHP will look for it in its +; default extension directory. 
+; +;extension=bcmath.so +;extension=bz2.so +;extension=calendar.so +extension=curl.so +;extension=dba.so +;extension=enchant.so +;extension=exif.so +;extension=ftp.so +;extension=gd.so +extension=gettext.so +;extension=gmp.so +;extension=iconv.so +;extension=imap.so +;extension=intl.so +extension=ldap.so +;extension=mcrypt.so +;extension=mssql.so +;extension=mysql.so +;extension=mysqli.so +;extension=odbc.so +;zend_extension=opcache.so +extension=openssl.so +;extension=pdo_mysql.so +;extension=pdo_odbc.so +;extension=pdo_pgsql.so +;extension=pdo_sqlite.so +;extension=pgsql.so +;extension=phar.so +;extension=posix.so +;extension=pspell.so +;extension=shmop.so +;extension=snmp.so +;extension=soap.so +;extension=sockets.so +;extension=sqlite3.so +;extension=sysvmsg.so +;extension=sysvsem.so +;extension=sysvshm.so +;extension=tidy.so +;extension=xmlrpc.so +;extension=xsl.so +extension=zip.so + +;;;;;;;;;;;;;;;;;;; +; Module Settings ; +;;;;;;;;;;;;;;;;;;; + +[CLI Server] +; Whether the CLI web server uses ANSI color coding in its terminal output. +cli_server.color = On + +[Date] +; Defines the default timezone used by the date functions +; http://php.net/date.timezone +;date.timezone = + +; http://php.net/date.default-latitude +;date.default_latitude = 31.7667 + +; http://php.net/date.default-longitude +;date.default_longitude = 35.2333 + +; http://php.net/date.sunrise-zenith +;date.sunrise_zenith = 90.583333 + +; http://php.net/date.sunset-zenith +;date.sunset_zenith = 90.583333 + +[filter] +; http://php.net/filter.default +;filter.default = unsafe_raw + +; http://php.net/filter.default-flags +;filter.default_flags = + +[iconv] +; Use of this INI entry is deprecated, use global input_encoding instead. +; If empty, default_charset or input_encoding or iconv.input_encoding is used. +; The precedence is: default_charset < intput_encoding < iconv.input_encoding +;iconv.input_encoding = + +; Use of this INI entry is deprecated, use global internal_encoding instead. 
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used. +; The precedence is: default_charset < internal_encoding < iconv.internal_encoding +;iconv.internal_encoding = + +; Use of this INI entry is deprecated, use global output_encoding instead. +; If empty, default_charset or output_encoding or iconv.output_encoding is used. +; The precedence is: default_charset < output_encoding < iconv.output_encoding +; To use an output encoding conversion, iconv's output handler must be set +; otherwise output encoding conversion cannot be performed. +;iconv.output_encoding = + +[intl] +;intl.default_locale = +; This directive allows you to produce PHP errors when some error +; happens within intl functions. The value is the level of the error produced. +; Default is 0, which does not produce any errors. +;intl.error_level = E_WARNING + +[sqlite] +; http://php.net/sqlite.assoc-case +;sqlite.assoc_case = 0 + +[sqlite3] +;sqlite3.extension_dir = + +[Pcre] +;PCRE library backtracking limit. +; http://php.net/pcre.backtrack-limit +;pcre.backtrack_limit=100000 + +;PCRE library recursion limit. +;Please note that if you set this value to a high number you may consume all +;the available process stack and eventually crash PHP (due to reaching the +;stack size limit imposed by the Operating System). +; http://php.net/pcre.recursion-limit +;pcre.recursion_limit=100000 + +[Pdo] +; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off" +; http://php.net/pdo-odbc.connection-pooling +;pdo_odbc.connection_pooling=strict + +;pdo_odbc.db2_instance_name + +[Pdo_mysql] +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/pdo_mysql.cache_size +pdo_mysql.cache_size = 2000 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. 
+; http://php.net/pdo_mysql.default-socket +pdo_mysql.default_socket= + +[Phar] +; http://php.net/phar.readonly +;phar.readonly = On + +; http://php.net/phar.require-hash +;phar.require_hash = On + +;phar.cache_list = + +[mail function] +; For Win32 only. +; http://php.net/smtp +SMTP = localhost +; http://php.net/smtp-port +smtp_port = 25 + +; For Win32 only. +; http://php.net/sendmail-from +;sendmail_from = me@example.com + +; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). +; http://php.net/sendmail-path +;sendmail_path = + +; Force the addition of the specified parameters to be passed as extra parameters +; to the sendmail binary. These parameters will always replace the value of +; the 5th parameter to mail(). +;mail.force_extra_parameters = + +; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename +mail.add_x_header = On + +; The path to a log file that will log all mail() calls. Log entries include +; the full path of the script, line number, To address and headers. +;mail.log = +; Log mail to syslog (Event Log on Windows). +;mail.log = syslog + +[SQL] +; http://php.net/sql.safe-mode +sql.safe_mode = Off + +[ODBC] +; http://php.net/odbc.default-db +;odbc.default_db = Not yet implemented + +; http://php.net/odbc.default-user +;odbc.default_user = Not yet implemented + +; http://php.net/odbc.default-pw +;odbc.default_pw = Not yet implemented + +; Controls the ODBC cursor model. +; Default: SQL_CURSOR_STATIC (default). +;odbc.default_cursortype + +; Allow or prevent persistent links. +; http://php.net/odbc.allow-persistent +odbc.allow_persistent = On + +; Check that a connection is still valid before reuse. +; http://php.net/odbc.check-persistent +odbc.check_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/odbc.max-persistent +odbc.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. 
+; http://php.net/odbc.max-links +odbc.max_links = -1 + +; Handling of LONG fields. Returns number of bytes to variables. 0 means +; passthru. +; http://php.net/odbc.defaultlrl +odbc.defaultlrl = 4096 + +; Handling of binary data. 0 means passthru, 1 return as is, 2 convert to char. +; See the documentation on odbc_binmode and odbc_longreadlen for an explanation +; of odbc.defaultlrl and odbc.defaultbinmode +; http://php.net/odbc.defaultbinmode +odbc.defaultbinmode = 1 + +;birdstep.max_links = -1 + +[Interbase] +; Allow or prevent persistent links. +ibase.allow_persistent = 1 + +; Maximum number of persistent links. -1 means no limit. +ibase.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +ibase.max_links = -1 + +; Default database name for ibase_connect(). +;ibase.default_db = + +; Default username for ibase_connect(). +;ibase.default_user = + +; Default password for ibase_connect(). +;ibase.default_password = + +; Default charset for ibase_connect(). +;ibase.default_charset = + +; Default timestamp format. +ibase.timestampformat = "%Y-%m-%d %H:%M:%S" + +; Default date format. +ibase.dateformat = "%Y-%m-%d" + +; Default time format. +ibase.timeformat = "%H:%M:%S" + +[MySQL] +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysql.allow_local_infile +mysql.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysql.allow-persistent +mysql.allow_persistent = On + +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/mysql.cache_size +mysql.cache_size = 2000 + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysql.max-persistent +mysql.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/mysql.max-links +mysql.max_links = -1 + +; Default port number for mysql_connect(). 
If unset, mysql_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; http://php.net/mysql.default-port +mysql.default_port = + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/mysql.default-socket +mysql.default_socket = + +; Default host for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysql.default-host +mysql.default_host = + +; Default user for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysql.default-user +mysql.default_user = + +; Default password for mysql_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysql.default_password") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; http://php.net/mysql.default-password +mysql.default_password = + +; Maximum time (in seconds) for connect timeout. -1 means no limit +; http://php.net/mysql.connect-timeout +mysql.connect_timeout = 60 + +; Trace mode. When trace_mode is active (=On), warnings for table/index scans and +; SQL-Errors will be displayed. +; http://php.net/mysql.trace-mode +mysql.trace_mode = Off + +[MySQLi] + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/mysqli.max-persistent +mysqli.max_persistent = -1 + +; Allow accessing, from PHP's perspective, local files with LOAD DATA statements +; http://php.net/mysqli.allow_local_infile +;mysqli.allow_local_infile = On + +; Allow or prevent persistent links. +; http://php.net/mysqli.allow-persistent +mysqli.allow_persistent = On + +; Maximum number of links. -1 means no limit. 
+; http://php.net/mysqli.max-links +mysqli.max_links = -1 + +; If mysqlnd is used: Number of cache slots for the internal result set cache +; http://php.net/mysqli.cache_size +mysqli.cache_size = 2000 + +; Default port number for mysqli_connect(). If unset, mysqli_connect() will use +; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the +; compile-time value defined MYSQL_PORT (in that order). Win32 will only look +; at MYSQL_PORT. +; http://php.net/mysqli.default-port +mysqli.default_port = 3306 + +; Default socket name for local MySQL connects. If empty, uses the built-in +; MySQL defaults. +; http://php.net/mysqli.default-socket +mysqli.default_socket = + +; Default host for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-host +mysqli.default_host = + +; Default user for mysql_connect() (doesn't apply in safe mode). +; http://php.net/mysqli.default-user +mysqli.default_user = + +; Default password for mysqli_connect() (doesn't apply in safe mode). +; Note that this is generally a *bad* idea to store passwords in this file. +; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw") +; and reveal this password! And of course, any users with read access to this +; file will be able to reveal the password as well. +; http://php.net/mysqli.default-pw +mysqli.default_pw = + +; Allow or prevent reconnect +mysqli.reconnect = Off + +[mysqlnd] +; Enable / Disable collection of general statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +; http://php.net/mysqlnd.collect_statistics +mysqlnd.collect_statistics = On + +; Enable / Disable collection of memory usage statistics by mysqlnd which can be +; used to tune and monitor MySQL operations. +; http://php.net/mysqlnd.collect_memory_statistics +mysqlnd.collect_memory_statistics = Off + +; Size of a pre-allocated buffer used when sending commands to MySQL in bytes. 
+; http://php.net/mysqlnd.net_cmd_buffer_size +;mysqlnd.net_cmd_buffer_size = 2048 + +; Size of a pre-allocated buffer used for reading data sent by the server in +; bytes. +; http://php.net/mysqlnd.net_read_buffer_size +;mysqlnd.net_read_buffer_size = 32768 + +[OCI8] + +; Connection: Enables privileged connections using external +; credentials (OCI_SYSOPER, OCI_SYSDBA) +; http://php.net/oci8.privileged-connect +;oci8.privileged_connect = Off + +; Connection: The maximum number of persistent OCI8 connections per +; process. Using -1 means no limit. +; http://php.net/oci8.max-persistent +;oci8.max_persistent = -1 + +; Connection: The maximum number of seconds a process is allowed to +; maintain an idle persistent connection. Using -1 means idle +; persistent connections will be maintained forever. +; http://php.net/oci8.persistent-timeout +;oci8.persistent_timeout = -1 + +; Connection: The number of seconds that must pass before issuing a +; ping during oci_pconnect() to check the connection validity. When +; set to 0, each oci_pconnect() will cause a ping. Using -1 disables +; pings completely. +; http://php.net/oci8.ping-interval +;oci8.ping_interval = 60 + +; Connection: Set this to a user chosen connection class to be used +; for all pooled server requests with Oracle 11g Database Resident +; Connection Pooling (DRCP). To use DRCP, this value should be set to +; the same string for all web servers running the same application, +; the database pool must be configured, and the connection string must +; specify to use a pooled server. +;oci8.connection_class = + +; High Availability: Using On lets PHP receive Fast Application +; Notification (FAN) events generated when a database node fails. The +; database must also be configured to post FAN events. +;oci8.events = Off + +; Tuning: This option enables statement caching, and specifies how +; many statements to cache. Using 0 disables statement caching. 
+; http://php.net/oci8.statement-cache-size +;oci8.statement_cache_size = 20 + +; Tuning: Enables statement prefetching and sets the default number of +; rows that will be fetched automatically after statement execution. +; http://php.net/oci8.default-prefetch +;oci8.default_prefetch = 100 + +; Compatibility. Using On means oci_close() will not close +; oci_connect() and oci_new_connect() connections. +; http://php.net/oci8.old-oci-close-semantics +;oci8.old_oci_close_semantics = Off + +[PostgreSQL] +; Allow or prevent persistent links. +; http://php.net/pgsql.allow-persistent +pgsql.allow_persistent = On + +; Detect broken persistent links always with pg_pconnect(). +; Auto reset feature requires a little overheads. +; http://php.net/pgsql.auto-reset-persistent +pgsql.auto_reset_persistent = Off + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/pgsql.max-persistent +pgsql.max_persistent = -1 + +; Maximum number of links (persistent+non persistent). -1 means no limit. +; http://php.net/pgsql.max-links +pgsql.max_links = -1 + +; Ignore PostgreSQL backends Notice message or not. +; Notice message logging require a little overheads. +; http://php.net/pgsql.ignore-notice +pgsql.ignore_notice = 0 + +; Log PostgreSQL backends Notice message or not. +; Unless pgsql.ignore_notice=0, module cannot log notice message. +; http://php.net/pgsql.log-notice +pgsql.log_notice = 0 + +[Sybase-CT] +; Allow or prevent persistent links. +; http://php.net/sybct.allow-persistent +sybct.allow_persistent = On + +; Maximum number of persistent links. -1 means no limit. +; http://php.net/sybct.max-persistent +sybct.max_persistent = -1 + +; Maximum number of links (persistent + non-persistent). -1 means no limit. +; http://php.net/sybct.max-links +sybct.max_links = -1 + +; Minimum server message severity to display. +; http://php.net/sybct.min-server-severity +sybct.min_server_severity = 10 + +; Minimum client message severity to display. 
+; http://php.net/sybct.min-client-severity
+sybct.min_client_severity = 10
+
+; Set per-context timeout
+; http://php.net/sybct.timeout
+;sybct.timeout=
+
+;sybct.packet_size
+
+; The maximum time in seconds to wait for a connection attempt to succeed before returning failure.
+; Default: one minute
+;sybct.login_timeout=
+
+; The name of the host you claim to be connecting from, for display by sp_who.
+; Default: none
+;sybct.hostname=
+
+; Allows you to define how often deadlocks are to be retried. -1 means "forever".
+; Default: 0
+;sybct.deadlock_retry_count=
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler. In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+; session.save_path = "N;/path"
+;
+; where N is an integer. Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories. This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+; You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+; use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+; session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/tmp"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept uninitialized session ID and regenerate
+; session ID if browser sends uninitialized session ID. Strict mode protects
+; applications from session fixation via session adoption vulnerability. It is
+; disabled by default for maximum compatibility, but enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started
+; on every session initialization. The probability is calculated by using
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator
+; and gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any give request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 1
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using the following equation:
+; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
+; session.gc_divisor is the denominator in the equation. Setting this value to 1
+; when the session.gc_divisor value is 100 will give you approximately a 1% chance
+; the gc will run on any give request. Increasing this value to 1000 will give you
+; a 0.1% chance the gc will run on any give request. For high volume production servers,
+; this is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = 1440
+
+; NOTE: If you are using the subdirectory option for storing session files
+; (see session.save_path above), then garbage collection does *not*
+; happen automatically. You will need to do your own garbage
+; collection through a shell script, cron entry, or some other method.
+; For example, the following script would is the equivalent of
+; setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+; find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; How many bytes to read from the file.
+; http://php.net/session.entropy-length
+;session.entropy_length = 32
+
+; Specified here to create the session id.
+; http://php.net/session.entropy-file
+; Defaults to /dev/urandom
+; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom
+; If neither are found at compile time, the default is no entropy file.
+; On windows, setting the entropy_length setting will activate the
+; Windows random source (using the CryptoAPI)
+;session.entropy_file = /dev/urandom
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+; to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+; in publicly accessible computer.
+; - User may access your site with the same session ID
+; always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Select a hash function for use in generating session ids.
+; Possible Values
+; 0 (MD5 128 bits)
+; 1 (SHA-1 160 bits)
+; This option may also be set to the name of any hash function supported by
+; the hash extension. A list of available hashes is returned by the hash_algos()
+; function.
+; http://php.net/session.hash-function
+session.hash_function = 0
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+; 4 (4 bits: 0-9, a-f)
+; 5 (5 bits: 0-9, a-v)
+; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.hash_bits_per_character = 5
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; form/fieldset are special; if you include them here, the rewriter will
+; add a hidden field with the info which is otherwise appended
+; to URLs. If you want XHTML conformity, remove the form entry.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form=,fieldset="
+; Development Value: "a=href,area=href,frame=src,input=src,form=fakeentry"
+; Production Value: "a=href,area=href,frame=src,input=src,form=fakeentry"
+; http://php.net/url-rewriter.tags
+url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq = "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+[MSSQL]
+; Allow or prevent persistent links.
+mssql.allow_persistent = On
+
+; Maximum number of persistent links. -1 means no limit.
+mssql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent). -1 means no limit.
+mssql.max_links = -1
+
+; Minimum error severity to display.
+mssql.min_error_severity = 10
+
+; Minimum message severity to display.
+mssql.min_message_severity = 10
+
+; Compatibility mode with old versions of PHP 3.0.
+mssql.compatibility_mode = Off
+
+; Connect timeout
+;mssql.connect_timeout = 5
+
+; Query timeout
+;mssql.timeout = 60
+
+; Valid range 0 - 2147483647. Default = 4096.
+;mssql.textlimit = 4096
+
+; Valid range 0 - 2147483647. Default = 4096.
+;mssql.textsize = 4096
+
+; Limits the number of records in each batch. 0 = all records in one batch.
+;mssql.batchsize = 0
+
+; Specify how datetime and datetim4 columns are returned
+; On => Returns data converted to SQL server settings
+; Off => Returns values as YYYY-MM-DD hh:mm:ss
+;mssql.datetimeconvert = On
+
+; Use NT authentication when connecting to the server
+mssql.secure_connection = Off
+
+; Specify max number of processes. -1 = library default
+; msdlib defaults to 25
+; FreeTDS defaults to 4096
+;mssql.max_procs = -1
+
+; Specify client character set.
+; If empty or not set the client charset from freetds.conf is used
+; This is only used when compiled with FreeTDS
+;mssql.charset = "ISO-8859-1"
+
+[Assertion]
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Issue a PHP warning for each failed assertion.
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting(). Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a components typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstrig.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_traslation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < intput_encoding < mbsting.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+; portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 0
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[mcrypt]
+; For more information about mcrypt settings see http://php.net/mcrypt-module-open
+
+; Directory where to load mcrypt algorithms
+; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt)
+;mcrypt.algorithms_dir=
+
+; Directory where to load mcrypt modes
+; Default: Compiled in into libmcrypt (usually /usr/local/lib/libmcrypt)
+;mcrypt.modes_dir=
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=0
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=64
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=4
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 100000 are allowed.
+;opcache.max_accelerated_files=2000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; If disabled, PHPDoc comments are not loaded from SHM, so "Doc Comments"
+; may be always stored (save_comments=1), but not loaded by applications
+; that don't need them anyway.
+;opcache.load_comments=1
+
+; If enabled, a fast shutdown sequence is used for the accelerated code
+;opcache.fast_shutdown=0
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0xffffffff
+
+;opcache.inherited_hack=1
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+; Local Variables:
+; tab-width: 4
+; End:
diff --git a/states/roles/maintain/lamp/httpd.conf b/states/roles/maintain/lamp/httpd.conf
new file mode 100755
index 0000000..e45dc15
--- /dev/null
+++ b/states/roles/maintain/lamp/httpd.conf
@@ -0,0 +1,541 @@ +# +# This is the main Apache HTTP server configuration file. It contains the +# configuration directives that give the server its instructions. +# See for detailed information. +# In particular, see +# +# for a discussion of each configuration directive. +# +# Do NOT simply read the instructions in here without understanding +# what they do. They're here only as hints or reminders. If you are unsure +# consult the online docs. You have been warned. +# +# Configuration and logfile names: If the filenames you specify for many +# of the server's control files begin with "/" (or "drive:/" for Win32), the +# server will use that explicit path. If the filenames do *not* begin +# with "/", the value of ServerRoot is prepended -- so "logs/access_log" +# with ServerRoot set to "/usr/local/apache2" will be interpreted by the +# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" +# will be interpreted as '/logs/access_log'. + +# +# ServerRoot: The top of the directory tree under which the server's +# configuration, error, and log files are kept. +# +# Do not add a slash at the end of the directory path. If you point +# ServerRoot at a non-local disk, be sure to specify a local disk on the +# Mutex directive, if file-based mutexes are used. If you wish to share the +# same ServerRoot for multiple httpd daemons, you will need to change at +# least PidFile. +# +ServerRoot "/etc/httpd" + +# +# Mutex: Allows you to set the mutex mechanism and mutex file directory +# for individual mutexes, or change the global defaults +# +# Uncomment and change the directory if mutexes are file-based and the default +# mutex file directory is not on a local disk or is not appropriate for some +# other reason. +# +# Mutex default:/run/httpd + +# +# Listen: Allows you to bind Apache to specific IP addresses and/or +# ports, instead of the default. See also the +# directive. 
+# +# Change this to Listen on specific IP addresses as shown below to +# prevent Apache from glomming onto all bound IP addresses. +# +#Listen 12.34.56.78:80 +Listen 8000 + +# +# Dynamic Shared Object (DSO) Support +# +# To be able to use the functionality of a module which was built as a DSO you +# have to place corresponding `LoadModule' lines at this location so the +# directives contained in it are actually available _before_ they are used. +# Statically compiled modules (those listed by `httpd -l') do not need +# to be loaded here. +# +# Example: +# LoadModule foo_module modules/mod_foo.so +# +LoadModule authn_file_module modules/mod_authn_file.so +#LoadModule authn_dbm_module modules/mod_authn_dbm.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authn_dbd_module modules/mod_authn_dbd.so +#LoadModule authn_socache_module modules/mod_authn_socache.so +LoadModule authn_core_module modules/mod_authn_core.so +LoadModule authz_host_module modules/mod_authz_host.so +LoadModule authz_groupfile_module modules/mod_authz_groupfile.so +LoadModule authz_user_module modules/mod_authz_user.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_dbd_module modules/mod_authz_dbd.so +LoadModule authz_core_module modules/mod_authz_core.so +#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so +#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so +LoadModule access_compat_module modules/mod_access_compat.so +LoadModule auth_basic_module modules/mod_auth_basic.so +#LoadModule auth_form_module modules/mod_auth_form.so +#LoadModule auth_digest_module modules/mod_auth_digest.so +#LoadModule allowmethods_module modules/mod_allowmethods.so +#LoadModule file_cache_module modules/mod_file_cache.so +#LoadModule cache_module modules/mod_cache.so +#LoadModule cache_disk_module modules/mod_cache_disk.so +#LoadModule cache_socache_module modules/mod_cache_socache.so +#LoadModule 
socache_shmcb_module modules/mod_socache_shmcb.so +#LoadModule socache_dbm_module modules/mod_socache_dbm.so +#LoadModule socache_memcache_module modules/mod_socache_memcache.so +#LoadModule watchdog_module modules/mod_watchdog.so +#LoadModule macro_module modules/mod_macro.so +#LoadModule dbd_module modules/mod_dbd.so +#LoadModule dumpio_module modules/mod_dumpio.so +#LoadModule echo_module modules/mod_echo.so +#LoadModule buffer_module modules/mod_buffer.so +#LoadModule data_module modules/mod_data.so +#LoadModule ratelimit_module modules/mod_ratelimit.so +LoadModule reqtimeout_module modules/mod_reqtimeout.so +#LoadModule ext_filter_module modules/mod_ext_filter.so +#LoadModule request_module modules/mod_request.so +LoadModule include_module modules/mod_include.so +LoadModule filter_module modules/mod_filter.so +#LoadModule reflector_module modules/mod_reflector.so +#LoadModule substitute_module modules/mod_substitute.so +#LoadModule sed_module modules/mod_sed.so +#LoadModule charset_lite_module modules/mod_charset_lite.so +#LoadModule deflate_module modules/mod_deflate.so +#LoadModule xml2enc_module modules/mod_xml2enc.so +#LoadModule proxy_html_module modules/mod_proxy_html.so +LoadModule mime_module modules/mod_mime.so +#LoadModule ldap_module modules/mod_ldap.so +LoadModule log_config_module modules/mod_log_config.so +#LoadModule log_debug_module modules/mod_log_debug.so +#LoadModule log_forensic_module modules/mod_log_forensic.so +#LoadModule logio_module modules/mod_logio.so +#LoadModule lua_module modules/mod_lua.so +LoadModule env_module modules/mod_env.so +#LoadModule mime_magic_module modules/mod_mime_magic.so +#LoadModule cern_meta_module modules/mod_cern_meta.so +#LoadModule expires_module modules/mod_expires.so +LoadModule headers_module modules/mod_headers.so +#LoadModule ident_module modules/mod_ident.so +#LoadModule usertrack_module modules/mod_usertrack.so +#LoadModule unique_id_module modules/mod_unique_id.so +LoadModule setenvif_module 
modules/mod_setenvif.so +LoadModule version_module modules/mod_version.so +#LoadModule remoteip_module modules/mod_remoteip.so +LoadModule proxy_module modules/mod_proxy.so +LoadModule proxy_connect_module modules/mod_proxy_connect.so +LoadModule proxy_ftp_module modules/mod_proxy_ftp.so +LoadModule proxy_http_module modules/mod_proxy_http.so +LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so +LoadModule proxy_scgi_module modules/mod_proxy_scgi.so +#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so +LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so +LoadModule proxy_ajp_module modules/mod_proxy_ajp.so +LoadModule proxy_balancer_module modules/mod_proxy_balancer.so +LoadModule proxy_express_module modules/mod_proxy_express.so +#LoadModule session_module modules/mod_session.so +#LoadModule session_cookie_module modules/mod_session_cookie.so +#LoadModule session_crypto_module modules/mod_session_crypto.so +#LoadModule session_dbd_module modules/mod_session_dbd.so +LoadModule slotmem_shm_module modules/mod_slotmem_shm.so +#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so +#LoadModule ssl_module modules/mod_ssl.so +#LoadModule dialup_module modules/mod_dialup.so +LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so +LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so +LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so +LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so +LoadModule mpm_prefork_module modules/mod_mpm_prefork.so +LoadModule unixd_module modules/mod_unixd.so +#LoadModule heartbeat_module modules/mod_heartbeat.so +#LoadModule heartmonitor_module modules/mod_heartmonitor.so +#LoadModule dav_module modules/mod_dav.so +LoadModule status_module modules/mod_status.so +LoadModule autoindex_module modules/mod_autoindex.so +#LoadModule asis_module modules/mod_asis.so +#LoadModule info_module modules/mod_info.so +#LoadModule suexec_module 
modules/mod_suexec.so +#LoadModule cgid_module modules/mod_cgid.so +#LoadModule cgi_module modules/mod_cgi.so +#LoadModule dav_fs_module modules/mod_dav_fs.so +#LoadModule dav_lock_module modules/mod_dav_lock.so +#LoadModule vhost_alias_module modules/mod_vhost_alias.so +LoadModule negotiation_module modules/mod_negotiation.so +LoadModule dir_module modules/mod_dir.so +#LoadModule imagemap_module modules/mod_imagemap.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule speling_module modules/mod_speling.so +LoadModule userdir_module modules/mod_userdir.so +LoadModule alias_module modules/mod_alias.so +LoadModule rewrite_module modules/mod_rewrite.so +LoadModule php7_module modules/libphp7.so + +#RewriteEngine On +#RewriteCond %{HTTPS} off +#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} + + +# +# If you wish httpd to run as a different user or group, you must run +# httpd as root initially and it will switch. +# +# User/Group: The name (or #number) of the user/group to run httpd as. +# It is usually good practice to create a dedicated user and group for +# running httpd, as with most system services. +# +User http +Group http + + + +# 'Main' server configuration +# +# The directives in this section set up the values used by the 'main' +# server, which responds to any requests that aren't handled by a +# definition. These values also provide defaults for +# any containers you may define later in the file. +# +# All of these directives may appear inside containers, +# in which case these default settings will be overridden for the +# virtual host being defined. +# + +# +# ServerAdmin: Your address, where problems with the server should be +# e-mailed. This address appears on some server-generated pages, such +# as error documents. e.g. admin@your-domain.com +# +ServerAdmin you@example.com + +# +# ServerName gives the name and port that the server uses to identify itself. 
+# This can often be determined automatically, but we recommend you specify +# it explicitly to prevent problems during startup. +# +# If your host doesn't have a registered DNS name, enter its IP address here. +# +#ServerName www.example.com:80 + +# +# Deny access to the entirety of your server's filesystem. You must +# explicitly permit access to web content directories in other +# blocks below. +# + + AllowOverride none + Require all denied + + +# +# Note that from this point forward you must specifically allow +# particular features to be enabled - so if something's not working as +# you might expect, make sure that you have specifically enabled it +# below. +# + +# +# DocumentRoot: The directory out of which you will serve your +# documents. By default, all requests are taken from this directory, but +# symbolic links and aliases may be used to point to other locations. +# +DocumentRoot "/srv/http" + + # + # Possible values for the Options directive are "None", "All", + # or any combination of: + # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews + # + # Note that "MultiViews" must be named *explicitly* --- "Options All" + # doesn't give it to you. + # + # The Options directive is both complicated and important. Please see + # http://httpd.apache.org/docs/2.4/mod/core.html#options + # for more information. + # + Options Indexes FollowSymLinks + + # + # AllowOverride controls what directives may be placed in .htaccess files. + # It can be "All", "None", or any combination of the keywords: + # AllowOverride FileInfo AuthConfig Limit + # + AllowOverride None + + # + # Controls who can get stuff from this server. + # + Require all granted + + +# +# DirectoryIndex: sets the file that Apache will serve if a directory +# is requested. +# + + DirectoryIndex index.html + + +# +# The following lines prevent .htaccess and .htpasswd files from being +# viewed by Web clients. 
+# + + Require all denied + + +# +# ErrorLog: The location of the error log file. +# If you do not specify an ErrorLog directive within a +# container, error messages relating to that virtual host will be +# logged here. If you *do* define an error logfile for a +# container, that host's errors will be logged there and not here. +# +ErrorLog "/var/log/httpd/error_log" + +# +# LogLevel: Control the number of messages logged to the error_log. +# Possible values include: debug, info, notice, warn, error, crit, +# alert, emerg. +# +LogLevel warn + + + # + # The following directives define some format nicknames for use with + # a CustomLog directive (see below). + # + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + # You need to enable mod_logio.c to use %I and %O + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + # + # The location and format of the access logfile (Common Logfile Format). + # If you do not define any access logfiles within a + # container, they will be logged here. Contrariwise, if you *do* + # define per- access logfiles, transactions will be + # logged therein and *not* in this file. + # + CustomLog "/var/log/httpd/access_log" common + + # + # If you prefer a logfile with access, agent, and referer information + # (Combined Logfile Format) you can use the following directive. + # + #CustomLog "/var/log/httpd/access_log" combined + + + + # + # Redirect: Allows you to tell clients about documents that used to + # exist in your server's namespace, but do not anymore. The client + # will make a new request for the document at its new location. + # Example: + # Redirect permanent /foo http://www.example.com/bar + + # + # Alias: Maps web paths into filesystem paths and is used to + # access content that does not live under the DocumentRoot. 
+ # Example: + # Alias /webpath /full/filesystem/path + # + # If you include a trailing / on /webpath then the server will + # require it to be present in the URL. You will also likely + # need to provide a section to allow access to + # the filesystem path. + + # + # ScriptAlias: This controls which directories contain server scripts. + # ScriptAliases are essentially the same as Aliases, except that + # documents in the target directory are treated as applications and + # run by the server when requested rather than as documents sent to the + # client. The same rules about trailing "/" apply to ScriptAlias + # directives as to Alias. + # + ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/" + + + + + # + # ScriptSock: On threaded servers, designate the path to the UNIX + # socket used to communicate with the CGI daemon of mod_cgid. + # + #Scriptsock cgisock + + +# +# "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased +# CGI directory exists, if you have that configured. +# + + AllowOverride None + Options None + Require all granted + + + + # + # TypesConfig points to the file containing the list of mappings from + # filename extension to MIME-type. + # + TypesConfig conf/mime.types + + # + # AddType allows you to add to or override the MIME configuration + # file specified in TypesConfig for specific file types. + # + #AddType application/x-gzip .tgz + # + # AddEncoding allows you to have certain browsers uncompress + # information on the fly. Note: Not all browsers support this. + # + #AddEncoding x-compress .Z + #AddEncoding x-gzip .gz .tgz + # + # If the AddEncoding directives above are commented-out, then you + # probably should define those extensions to indicate media types: + # + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers": + # actions unrelated to filetype. 
These can be either built into the server + # or added with the Action directive (see below) + # + # To use CGI scripts outside of ScriptAliased directories: + # (You will also need to add "ExecCGI" to the "Options" directive.) + # + #AddHandler cgi-script .cgi + + # For type maps (negotiated resources): + #AddHandler type-map var + + # + # Filters allow you to process content before it is sent to the client. + # + # To parse .shtml files for server-side includes (SSI): + # (You will also need to add "Includes" to the "Options" directive.) + # + #AddType text/html .shtml + #AddOutputFilter INCLUDES .shtml + + +# +# The mod_mime_magic module allows the server to use various hints from the +# contents of the file itself to determine its type. The MIMEMagicFile +# directive tells the module where the hint definitions are located. +# +#MIMEMagicFile conf/magic + +# +# Customizable error responses come in three flavors: +# 1) plain text 2) local redirects 3) external redirects +# +# Some examples: +#ErrorDocument 500 "The server made a boo boo." +#ErrorDocument 404 /missing.html +#ErrorDocument 404 "/cgi-bin/missing_handler.pl" +#ErrorDocument 402 http://www.example.com/subscription_info.html +# + +# +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# +# EnableMMAP and EnableSendfile: On systems that support it, +# memory-mapping or the sendfile syscall may be used to deliver +# files. This usually improves server performance, but must +# be turned off when serving from networked-mounted +# filesystems or if support for these functions is otherwise +# broken on your system. 
+# Defaults: EnableMMAP On, EnableSendfile Off +# +#EnableMMAP off +#EnableSendfile on + +# Supplemental configuration +# +# The configuration files in the conf/extra/ directory can be +# included to add extra features or to modify the default configuration of +# the server, or you may simply copy their contents here and change as +# necessary. + +# Server-pool management (MPM specific) +Include conf/extra/httpd-mpm.conf + +# Multi-language error messages +Include conf/extra/httpd-multilang-errordoc.conf + +# Fancy directory listings +Include conf/extra/httpd-autoindex.conf + +# Language settings +Include conf/extra/httpd-languages.conf + +# User home directories +Include conf/extra/httpd-userdir.conf + +# Real-time info on requests and configuration +#Include conf/extra/httpd-info.conf + +# Virtual hosts +#Include conf/extra/httpd-vhosts.conf + +# Local access to the Apache HTTP Server Manual +#Include conf/extra/httpd-manual.conf + +# Distributed authoring and versioning (WebDAV) +#Include conf/extra/httpd-dav.conf + +# Various default settings +Include conf/extra/httpd-default.conf + +#php +Include conf/extra/php7_module.conf + +# ldap account manager configuration +Include conf/servers/*.conf + +# Configure mod_proxy_html to understand HTML4/XHTML1 + +Include conf/extra/proxy-html.conf + + +# Secure (SSL/TLS) connections +#Include conf/extra/httpd-ssl.conf +# +# Note: The following must must be present to support +# starting without SSL on platforms with no /dev/random equivalent +# but a statically compiled-in mod_ssl. +# + +SSLRandomSeed startup builtin +SSLRandomSeed connect builtin + +# +# uncomment out the below to deal with user agents that deliberately +# violate open standards by misusing DNT (DNT *must* be a specific +# end-user choice) +# +# +#BrowserMatch "MSIE 10.0;" bad_DNT +# +# +#RequestHeader unset DNT env=bad_DNT +# + 
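Review bot: `Options Indexes FollowSymLinks` on the DocumentRoot directory section, paired with `Require all granted`, turns on automatic directory listings for every path under /srv/http that has no index file; unless listings are intended, change it to `Options FollowSymLinks`. The module list also loads the whole mod_proxy family (proxy_connect, proxy_ftp, proxy_ajp, proxy_balancer and the lbmethod_* modules) while no Proxy* directive appears anywhere in this file, so each of them is unused attack surface that should stay commented out until a vhost actually needs it. mod_ssl is commented out and the only listener is `Listen 8000` over plain HTTP, which is presumably fine because TLS is terminated by the nginx-proxy role in the same commit, but that assumption deserves a one-line comment next to the Listen directive, e.g. `# plain HTTP only: TLS is terminated by the nginx-proxy role`. The angle-bracket container tags (Directory, IfModule, Files) did not survive extraction, so their exact scoping could not be checked from this view.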
diff --git a/states/roles/maintain/lamp/init.sls b/states/roles/maintain/lamp/init.sls
new file mode 100755
index 0000000..010c3b1
--- /dev/null
+++ b/states/roles/maintain/lamp/init.sls
@@ -0,0 +1,21 @@
+apache:
+ pkg.installed
+
+/etc/httpd/conf/servers:
+ file.directory:
+ - user: root
+ - group: root
+ - mode: 755
+
+/etc/httpd/conf/httpd.conf:
+ file.managed:
+ - source: salt://roles/maintain/lamp/httpd.conf
+ - user: root
+ - group: root
+ - mode: 644
+
+php:
+ pkg.installed:
+ - pkgs:
+ - php
+ - php_apache
diff --git a/states/roles/maintain/ldap/DB_CONFIG b/states/roles/maintain/ldap/DB_CONFIG
new file mode 100755
index 0000000..d0f2c68
--- /dev/null
+++ b/states/roles/maintain/ldap/DB_CONFIG
@@ -0,0 +1,28 @@
+# $OpenLDAP$
+# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
+#
+# See the Oracle Berkeley DB documentation
+#
+# for detail description of DB_CONFIG syntax and semantics.
+#
+# Hints can also be found in the OpenLDAP Software FAQ
+#
+# in particular:
+#
+
+# Note: most DB_CONFIG settings will take effect only upon rebuilding
+# the DB environment.
+
+# one 0.25 GB cache
+set_cachesize 0 268435456 1
+
+# Data Directory
+#set_data_dir db
+
+# Transaction Log settings
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+#set_lg_dir logs
+
+# Note: special DB_CONFIG flags are no longer needed for "quick"
+# slapadd(8) or slapindex(8) access (see their -q option).
diff --git a/states/roles/maintain/ldap/certs b/states/roles/maintain/ldap/certs
new file mode 100644
index 0000000..1f4d9d6
--- /dev/null
+++ b/states/roles/maintain/ldap/certs
@@ -0,0 +1 @@
+/etc/letsencrypt/live/
\ No newline at end of file
diff --git a/states/roles/maintain/ldap/init.sls b/states/roles/maintain/ldap/init.sls
new file mode 100755
index 0000000..a6cd60a
--- /dev/null
+++ b/states/roles/maintain/ldap/init.sls
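Review bot: The state installs apache and manages /etc/httpd/conf/httpd.conf but declares no service state, so httpd is neither enabled at boot nor restarted when the managed config changes, and an edited httpd.conf only takes effect after a manual restart. Add a `service.running` state that watches the managed file so config changes are applied by the highstate. The `php_apache` package name also looks off for an Arch host (the distribution package is spelled with a hyphen), which would make the php state fail; worth confirming against the target.

```yaml
httpd:
  service.running:
    - enable: true
    - watch:
      - file: /etc/httpd/conf/httpd.conf
```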
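Review bot: This entry is committed as a regular file (mode 100644, not a 120000 symlink) whose only content is the literal text `/etc/letsencrypt/live/`, so on the master `states/roles/maintain/ldap/certs` is a one-line text file and the `salt://roles/maintain/nginx-proxy/certs/ldap.actcur.com/` source used by ldap/init.sls cannot resolve to a directory beneath it. The identical blob (index 1f4d9d6) is added as states/roles/maintain/nginx-proxy/certs further down, so the same applies there. It appears a working-copy symlink was replaced by its target path before committing; either restore it as a real symlink or drop the file and document that the certs tree is provisioned outside the repo. If it is restored as a symlink into /etc/letsencrypt/live, keep in mind that the Salt fileserver serves any salt:// path to every authenticated minion, so the Let's Encrypt private keys become fetchable by hosts that do not need them; a per-host pillar or a restricted fileserver backend is the safer delivery path.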
@@ -0,0 +1,95 @@
+openldap:
+ pkg.installed
+
+/var/lib/openldap/openldap-data:
+ file.directory:
+ - mode: 755
+ - user: ldap
+ - group: ldap
+
+/etc/openldap/certs/:
+ file.recurse:
+ - source: salt://roles/maintain/nginx-proxy/certs/ldap.actcur.com/
+ - user: ldap
+ - group: ldap
+ - dir_mode: 755
+ - file:mode: 400
+ - clean: true
+
+/usr/lib/systemd/system/slapd.service:
+ file.managed:
+ - source: salt://roles/maintain/ldap/slapd.service
+ - user: root
+ - group: root
+ - mode: 644
+
+slapd:
+ service.running:
+ - enable: true
+ - watch:
+ - file: own_slapd.d
+ - file: /usr/lib/systemd/system/slapd.service
+
+/etc/openldap/slapd.conf:
+ file.managed:
+ - source: salt://roles/maintain/ldap/slapd.conf
+ - user: root
+ - group: ldap
+ - mode: 640
+
+/root/update_slapd.sh:
+ file.managed:
+ - source: salt://roles/maintain/ldap/update_slapd.sh
+ - user: root
+ - group: root
+ - mode: 700
+
+update_slapd:
+ cmd.run:
+ - name: "/bin/bash /root/update_slapd.sh"
+ - stateful: true
+ - require:
+ - file: /etc/openldap/slapd.conf
+
+own_slapd.d:
+ file.directory:
+ - name: /etc/openldap/slapd.d/
+ - user: ldap
+ - group: ldap
+ - dir_mode: 755
+ - file_mode: 644
+ - recurse:
+ - user
+ - group
+ - mode
+ - require:
+ - cmd: update_slapd
+
+own_data:
+ file.directory:
+ - name: /var/lib/openldap/openldap-data
+ - user: ldap
+ - group: ldap
+ - dir_mode: 755
+ - file_mode: 644
+ - recurse:
+ - user
+ - group
+ - mode
+ - require:
+ - cmd: update_slapd
+
+/etc/openldap/rdn.ldiff:
+ file.managed:
+ - source: salt://roles/maintain/ldap/rdn.ldiff
+ - user: root
+ - group: root
+ - mode: 750
+
+/var/lib/openldap/openldap-data/DB_CONFIG:
+ file.managed:
+ - source: salt://roles/maintain/ldap/DB_CONFIG
+ - user: ldap
+ - group: ldap
+ - mode: 644
+
diff --git a/states/roles/maintain/ldap/rdn.ldiff b/states/roles/maintain/ldap/rdn.ldiff
new file mode 100755
index 0000000..79a3703
--- /dev/null
+++ b/states/roles/maintain/ldap/rdn.ldiff
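Review bot: `- file:mode: 400` in the /etc/openldap/certs/ file.recurse state is a typo for `- file_mode: 400`; Salt will reject the unknown argument or ignore it, and the recursed privkey.pem then lands with the default file mode rather than 400. The `own_slapd.d` and `own_data` states afterwards chmod every file under /etc/openldap/slapd.d and /var/lib/openldap/openldap-data to 644, which makes the converted cn=config (including the root password hash) and the mdb data files (every stored userPassword hash) readable by any local account, contradicting the "Mode 700 recommended" note in the slapd.conf shipped in the same commit; `file_mode: 600` with `dir_mode: 700` on both is the safer pairing. `/etc/openldap/rdn.ldiff` is given `mode: 750` although it is a data file, not a script, so 640 is sufficient. Finally, DB_CONFIG is a Berkeley DB (bdb/hdb) tuning file while the accompanying slapd.conf declares `database mdb`, so the last state deploys a file slapd will never read and can be dropped.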
@@ -0,0 +1,11 @@
+dn: dc=actcur,dc=com
+objectClass: dcObject
+objectClass: organization
+dc: actcur
+o: ActcurOrg
+description: ActCur domain
+
+dn: cn=root,dc=actcur,dc=com
+objectClass: organizationalRole
+cn: root
+description: Directory Root User
diff --git a/states/roles/maintain/ldap/slapd.conf b/states/roles/maintain/ldap/slapd.conf
new file mode 100755
index 0000000..2c7a2a5
--- /dev/null
+++ b/states/roles/maintain/ldap/slapd.conf
@@ -0,0 +1,101 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+
+# Define global ACLs to disable default read access.
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile /run/openldap/slapd.pid
+argsfile /run/openldap/slapd.args
+
+# Load dynamic backend modules:
+# modulepath /usr/lib/openldap
+# moduleload back_mdb.la
+# moduleload back_ldap.la
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+# Allow self write access
+# Allow authenticated users read access
+# Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn. (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# MDB database definitions
+#######################################################################
+
+database mdb
+maxsize 1073741824
+suffix "dc=actcur,dc=com"
+rootdn "cn=root,dc=actcur,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoid.
See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw {SSHA}26ofqGZtb6fO+/5D3cUCiZQXBZSUc/CE
+#{SSHA}3KgcfNXboKlvnSo+a9SuS1roQOD13IV5
+# The database directory MUST exist prior to running slapd AND
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/openldap/openldap-data
+# Indices to maintain
+index objectClass eq
+index uid pres,eq
+index mail pres,sub,eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index dc eq
+#rootpw {SSHA}3KgcfNXboKlvnSo+a9SuS1roQOD13IV5
+rootpw {SSHA}26ofqGZtb6fO+/5D3cUCiZQXBZSUc/CE
+
+#######################################################################
+# Certificate/SSL Definition
+#######################################################################
+
+TLSCipherSuite DEFAULT
+TLSCertificateFile /etc/openldap/certs/cert.pem
+TLSCertificateKeyFile /etc/openldap/certs/privkey.pem
+TLSCACertificateFile /etc/openldap/certs/chain.pem
+TLSCACertificatePath /usr/share/ca-certificates/trust-source
+
+#database config
+#rootdn "cn=root,cn=config"
+#rootpw {SSHA}3KgcfNXboKlvnSo+a9SuS1roQOD13IV5
+
+access to attrs=userPassword
+ by self write
+ by anonymous auth
+ by group.exact="cn=ldapadm,ou=group,dc=actcur,dc=com" write
+ by * none
+
+access to *
+ by self read
+ by group.exact="cn=ldapadm,ou=group,dc=actcur,dc=com" write
+ by * read
diff --git a/states/roles/maintain/ldap/slapd.service b/states/roles/maintain/ldap/slapd.service
new file mode 100755
index 0000000..a664fa3
--- /dev/null
+++ b/states/roles/maintain/ldap/slapd.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenLDAP server daemon
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/slapd -u ldap -g ldap
+
+[Install]
+WantedBy=multi-user.target
diff --git a/states/roles/maintain/ldap/update_slapd.sh b/states/roles/maintain/ldap/update_slapd.sh
new file mode 100755
index 0000000..23ecaf0
--- /dev/null
+++ b/states/roles/maintain/ldap/update_slapd.sh
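Review bot: The rootdn password hash is committed to version control, set twice (`rootpw` appears after the rootdn line and again after the index block; the last one wins) and a second hash is left behind in three commented lines, so anyone with read access to this repo holds material they can attack offline — SSHA is a single-pass salted SHA-1, not a slow password hash. Treat it as a leaked credential: rotate it, keep only one `rootpw` line, and feed the value from a pillar (`rootpw {{ pillar['ldap']['rootpw'] }}` with `template: jinja` on the file.managed state in init.sls) rather than from the repo. The sample `security` directive stays commented out, so simple binds over cleartext ldap:// are accepted and client passwords cross the wire unprotected; `security simple_bind=128` (or `ssf=128` for everything) forces TLS before credentials are sent. The final ACL `access to * ... by * read` lets anonymous clients enumerate the entire directory; `by users read` together with the sample `access to dn.base="" by * read` rules limits that to authenticated clients. `TLSCipherSuite DEFAULT` is acceptable for a current OpenSSL but worth pinning to a modern profile given the Let's Encrypt certificates configured below it.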
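Review bot: `ExecStart=/usr/bin/slapd -u ldap -g ldap` passes no `-h` URL list, so slapd listens only on the default `ldap:///` (port 389) and the TLS material configured in slapd.conf is reachable solely through StartTLS; if LDAPS is intended for the consumers in this commit, use `ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap:/// ldaps:///"`. `Type=forking` without a `PIDFile=` leaves systemd to guess the main process; `PIDFile=/run/openldap/slapd.pid` matches the `pidfile` directive in slapd.conf. The unit has no `After=network.target`, so start ordering at boot is unspecified.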
@@ -0,0 +1,10 @@
+if [ `find /etc/openldap/slapd.conf -mmin +1 | wc -l` == 0 ]
+then
+ rm -Rf /etc/openldap/slapd.d/*
+ slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
+ systemctl stop slapd
+ slapindex
+ echo "changed=yes comment='cleaned /etc/openldap/slapd.d and ran slaptest'"
+else
+ echo "changed=no"
+fi
diff --git a/states/roles/maintain/mirrorlist/getmirrors.service b/states/roles/maintain/mirrorlist/getmirrors.service
new file mode 100755
index 0000000..7edf8e7
--- /dev/null
+++ b/states/roles/maintain/mirrorlist/getmirrors.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Retrieves top 10 mirrors
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/bin/bash /root/scripts/getmirrors.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/states/roles/maintain/mirrorlist/getmirrors.sh b/states/roles/maintain/mirrorlist/getmirrors.sh
new file mode 100755
index 0000000..744de1b
--- /dev/null
+++ b/states/roles/maintain/mirrorlist/getmirrors.sh
@@ -0,0 +1,23 @@
+cd /root/scripts
+curl 'https://www.archlinux.org/mirrorlist/?country=CA&country=US&protocol=http&protocol=https&ip_version=4&use_mirror_status=on)' > tempMirrors.list
+sleep 10
+sed -i 's/^#Server/Server/' tempMirrors.list
+cat tempMirrors.list | grep -e "Server = .*\/[$]repo\/os\/[$]arch" > tempMirrors2.list
+mirrors=$(rankmirrors -n 10 tempMirrors2.list | grep "Server = ")
+echo "$mirrors" > mirrors.list
+mirrors=$(cat mirrors.list)
+echo "$mirrors" > mirrors.jinja
+sed -i 's/^Server = //' mirrors.jinja
+sed -i 's/[$]repo\/os\/[$]arch//' mirrors.jinja
+mirrors=$(cat mirrors.jinja)
+jinja="{%- set mirrors=["
+for url in $mirrors; do
+ jinja=$jinja"'"$url"',"
+done
+jinja=${jinja%?}
+jinja=${jinja}"] -%}"
+echo $jinja > mirrors.jinja
+
+rm tempMirrors.list
+rm tempMirrors2.list
+
diff --git a/states/roles/maintain/mirrorlist/getmirrors.timer b/states/roles/maintain/mirrorlist/getmirrors.timer
new file mode 100755
index 0000000..f54a65a
--- /dev/null
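Review bot: The script wipes /etc/openldap/slapd.d/* before running slaptest and never checks slaptest's exit status, so a syntax error in a freshly pushed slapd.conf leaves an empty slapd.d, stops slapd on the next line and still reports `changed=yes` to Salt — the directory service stays down until someone repairs it by hand. Convert into a staging directory first and only replace the live one when slaptest succeeds, as sketched below. The `-mmin +1` test is also fragile: a highstate that runs more than a minute after slapd.conf was written skips the regeneration entirely, and `[ ... == 0 ]` is a string comparison; driving this cmd.run with `onchanges: - file: /etc/openldap/slapd.conf` in init.sls and dropping the mtime heuristic is more reliable. A shebang and `set -euo pipefail` would catch the remaining failure modes.

```bash
#!/bin/bash
set -euo pipefail
# … unchanged: mtime test wrapping this block (or replace it with an onchanges requisite in init.sls) …
staging=$(mktemp -d /etc/openldap/slapd.d.XXXXXX)
trap 'rm -rf "$staging"' EXIT
if slaptest -f /etc/openldap/slapd.conf -F "$staging"; then
    rm -Rf /etc/openldap/slapd.d/*
    cp -a "$staging"/. /etc/openldap/slapd.d/
    systemctl stop slapd
    slapindex
    echo "changed=yes comment='cleaned /etc/openldap/slapd.d and ran slaptest'"
else
    echo "changed=no comment='slaptest failed; slapd.d left untouched'"
    exit 1
fi
```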
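Review bot: The curl URL carries a stray `)` inside the quotes (`...use_mirror_status=on)`) and curl runs without `--fail`, so an error page from the mirror service is written to tempMirrors.list and silently produces an empty list; use `curl -fsS '...&use_mirror_status=on' > tempMirrors.list || exit 1` so a transient outage never overwrites the previous good output. More importantly, the fetched URLs are spliced verbatim into a Jinja expression (`jinja=$jinja"'"$url"',"`) that init.sls exposes as /srv/salt/prod/states/mirrors.jinja, so any unexpected character in a mirror entry — a quote, `{{`, whitespace — breaks or alters every state that imports it; filter to a strict allow-list before building the template, e.g. `grep -E '^https?://[A-Za-z0-9.:/_-]+$'`. `echo $jinja` is unquoted and `sleep 10` has no evident purpose. A shebang and `set -euo pipefail` are missing as well.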
+++ b/states/roles/maintain/mirrorlist/getmirrors.timer
@@ -0,0 +1,13 @@
+[Unit]
+Description=Runs getmirrors.service every 8 hours
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=1h
+Unit=getmirrors.service
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/states/roles/maintain/mirrorlist/init.sls b/states/roles/maintain/mirrorlist/init.sls
new file mode 100755
index 0000000..82d87d2
--- /dev/null
+++ b/states/roles/maintain/mirrorlist/init.sls
@@ -0,0 +1,41 @@
+{%- set os=grains['os'] -%}
+
+/root/scripts/getmirrors.sh:
+ file.managed:
+ - makedirs: true
+ - source: salt://roles/maintain/mirrorlist/getmirrors.sh
+ - user: root
+ - group: root
+ - mode: 644
+
+"/usr/lib/systemd/system/getmirrors.service":
+ file.managed:
+ - source: salt://roles/maintain/mirrorlist/getmirrors.service
+ - user: root
+ - group: root
+ - mode: 644
+
+"/usr/lib/systemd/system/getmirrors.timer":
+ file.managed:
+ - source: salt://roles/maintain/mirrorlist/getmirrors.timer
+ - user: root
+ - group: root
+ - mode: 644
+
+"getmirrors.timer":
+ service.running:
+ - enable: true
+
+/srv/salt/prod/states/mirrors.list:
+ file.symlink:
+ - target: /root/scripts/mirrors.list
+
+/srv/salt/prod/states/mirrors.jinja:
+ file.symlink:
+ - target: /root/scripts/mirrors.jinja
+
+"mirrors-reload":
+ module.run:
+ - name: service.systemctl_reload
+ - onchanges:
+ - file: /usr/lib/systemd/system/*
diff --git a/states/roles/maintain/nfs/init.sls b/states/roles/maintain/nfs/init.sls
new file mode 100755
index 0000000..7be0943
--- /dev/null
+++ b/states/roles/maintain/nfs/init.sls
@@ -0,0 +1,14 @@
+nfs-utils:
+ pkg.installed
+
+rpcbind:
+ service.running:
+ - enable: true
+
+nfs-client.target:
+ service.running:
+ - enable: true
+
+remote-fs.target:
+ service.running:
+ - enable: true
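Review bot: `Description=Runs getmirrors.service every 8 hours` disagrees with `OnUnitActiveSec=1h`; pick one interval and make the other line match, since the description is what operators see in `systemctl status`. Timer units are conventionally pulled in by `timers.target`, so `WantedBy=timers.target` in [Install] is the expected form.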
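Review bot: The `mirrors-reload` daemon-reload is declared after the `getmirrors.timer` service.running state, so on a fresh host the timer is enabled before systemd has read the unit files this state just installed; moving `mirrors-reload` above the service state, or adding `- require: - module: mirrors-reload` to it, fixes the ordering (some Salt versions reload on their own when a unit file changes, so the symptom may be version-dependent). `{%- set os=grains['os'] -%}` is never used in this file. The two symlinks publish a root-owned, script-generated file straight into the live state tree; anything that can write /root/scripts/mirrors.jinja can then inject Jinja into every state that imports it, which is worth a comment on those states and a reason to keep the generating script's input validation strict.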
diff --git a/states/roles/maintain/nginx-proxy/auth.conf b/states/roles/maintain/nginx-proxy/auth.conf
new file mode 100755
index 0000000..82da9c6
--- /dev/null
+++ b/states/roles/maintain/nginx-proxy/auth.conf
@@ -0,0 +1,13 @@
+#Authentication {{auth}}
+
+{%- if auth == "none" %}
+
+#No authentication
+{%- elif auth == "simple" %}
+
+auth_basic "Restricted Content";
+auth_basic_user_file /etc/nginx/.htpasswd;
+{%- elif auth == "ldap" %}
+
+#Not Implemented
+{%- endif -%}
diff --git a/states/roles/maintain/nginx-proxy/certs b/states/roles/maintain/nginx-proxy/certs
new file mode 100644
index 0000000..1f4d9d6
--- /dev/null
+++ b/states/roles/maintain/nginx-proxy/certs
@@ -0,0 +1 @@
+/etc/letsencrypt/live/
\ No newline at end of file
diff --git a/states/roles/maintain/nginx-proxy/init.sls b/states/roles/maintain/nginx-proxy/init.sls
new file mode 100755
index 0000000..233123c
--- /dev/null
+++ b/states/roles/maintain/nginx-proxy/init.sls
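Review bot: The `ldap` branch renders only `#Not Implemented`, so a site whose pillar asks for LDAP authentication is published with no authentication at all, and any unrecognised `auth` value does the same because there is no else branch. Fail closed instead: replace the comment with `deny all;` and add `{%- else %}` followed by `deny all;` before the endif, so a misspelt or not-yet-supported value cannot silently expose the backend. The basic-auth branch hard-codes `/etc/nginx/.htpasswd`, so every `simple` site shares one credential file; passing the path in through the same context as `auth` would let sites be scoped separately.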
@@ -0,0 +1,85 @@ +{%- set os=grains['os'] -%} + +{##check if server is portal##} +{%- if 'portal' in pillar['grains']['roles'] -%} + {%- set portal = "portal" -%} +{%- endif -%} +nginx: + pkg.installed: [] + service.running: + - enable: true + - watch: + - file: /etc/nginx/conf.d/* + - file: /etc/nginx/nginx.conf +{%- if pillar['nginx'] is defined -%} +{%- for name in pillar['nginx'] %} + - file: /etc/nginx/certs/{{name}}.actcur.com/* +{%- endfor %} +{%- endif %} + +/etc/nginx/nginx.conf: + file.managed: + - source: salt://roles/maintain/nginx-proxy/nginx.conf + - user: root + - group: root + - mode: 644 + +{##ensure that nginx pillar exists##} +{%- if pillar['nginx'] is defined -%} + +{##set up conf files for this server##} +{%- for name in pillar['nginx'] %} +"/etc/nginx/certs/{{name}}.actcur.com/": + file.recurse: + - source: salt://roles/maintain/nginx-proxy/certs/{{name}}.actcur.com/ +{%- if os=="CentOS" or os=="RedHat" %} + - user: nginx + - user: nginx +{%- elif os=="Arch" or os=="Manjaro" %} + - user: http + - group: http +{%- endif %} + - dir_mode: 755 + - file:mode: 400 + - clean: true + +/etc/nginx/conf.d/{{ name }}.conf: + file.managed: + - makedirs: true + {%- if portal is defined %} + - source: salt://roles/maintain/nginx-proxy/remote.conf + {%- else %} + - source: salt://roles/maintain/nginx-proxy/local.conf + {%- endif %} + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + server: {{ name }} + resolver: {{ salt['dnsutil.A']('r.actcur.com')[0] }} +{%- endfor %} +{%- endif %} + + +{%- if portal is defined %} +/etc/nginx/conf.d/portal.actcur.com.conf: + file.managed: + - makedirs: true + - source: salt://roles/maintain/nginx-proxy/portal.conf + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + resolver: {{ salt['dnsutil.A']('r.actcur.com')[0] }} + +"/etc/nginx/certs/portal.actcur.com/": + file.recurse: + - source: salt://roles/maintain/nginx-proxy/certs/portal.actcur.com/ + - user: http + - group: 
http + - dir_mode: 755 + - file:mode: 400 + - clean: true +{%- endif -%} diff --git a/states/roles/maintain/nginx-proxy/local.conf b/states/roles/maintain/nginx-proxy/local.conf new file mode 100755 index 0000000..06ea3c4 --- /dev/null +++ b/states/roles/maintain/nginx-proxy/local.conf 
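Review bot: In the CentOS/RedHat branch of the `/etc/nginx/certs/{{name}}.actcur.com/` state, `- user: nginx` appears twice and `- group:` not at all, so the group is never set; the second line should read `- group: nginx`. All three file.recurse states also use `- file:mode: 400`, which is not a file.recurse argument (the option is `file_mode`); depending on the Salt version this either fails the state or is silently ignored, and in the latter case `privkey.pem` lands with the default mode instead of 0400, so change each to `- file_mode: 400`. Separately, the portal check reads `pillar['grains']['roles']` while the rest of the tree keys off `grains['roles']`; if the `grains` pillar key is absent the whole template aborts, so `{%- if 'portal' in (grains.get('roles') or []) %}` would be both consistent and tolerant.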
@@ -0,0 +1,69 @@ +{%- if pillar['nginx'][server]['default'] is defined -%} + {%- set default = pillar['nginx'][server]['default'] -%} +{%- else -%} + {%- set default = "yes" -%} +{%- endif -%} +{%- if pillar['nginx'][server]['https'] is defined -%} + {%- if pillar['nginx'][server]['https']['port'] is defined-%} + {%- set port = pillar['nginx'][server]['https']['port'] -%} + {%- endif -%} + {%- if pillar['nginx'][server]['https']['port'] is defined-%} + {%- set prot = pillar['nginx'][server]['https']['prot'] -%} + {%- else -%} + {%- set prot = "https" -%} + {%- endif -%} +server { + listen 443; + server_name {{server}}.actcur.com; + + resolver {{ resolver }}; + set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}"; + + ssl on; + ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem; + ssl_session_cache shared:SSL:10m; + client_max_body_size 1024m; + location / { + proxy_pass $backend; + proxy_set_header Host $host; + + # re-write redirects to http as to https, example: /home + proxy_redirect http:// https://; + } +} +{%- endif -%} + + +{%- if pillar['nginx'][server]['http'] is defined-%} + {%- if pillar['nginx'][server]['http']['port'] is defined-%} + {%- set port = pillar['nginx'][server]['http']['port'] -%} + {%- endif -%} + {%- if pillar['nginx'][server]['http']['port'] is defined-%} + {%- set prot = pillar['nginx'][server]['http']['prot'] -%} + {%- else -%} + [%- set prot = "http" -%} + {%- endif -%} +server { + listen 80; + server_name {{server}}.actcur.com; + + resolver {{resolver}}; + set $backend "{{prot}}://{{server}}.actcur.com{%- if port is defined -%}:{{port}}{%- endif -%}"; + + location / { + proxy_pass $backend; + proxy_set_header Host $host; + + # re-write redirects to https as to http, example: /home + proxy_redirect https:// http://; + + } +} +{% elif default == "yes" %} +server { + listen 80 default_server; + 
server_name _; + rewrite ^ https://$host$request_uri? permanent; +} +{%- endif -%} diff --git a/states/roles/maintain/nginx-proxy/nginx.conf b/states/roles/maintain/nginx-proxy/nginx.conf new file mode 100755 index 0000000..bf5fd27 --- /dev/null +++ b/states/roles/maintain/nginx-proxy/nginx.conf @@ -0,0 +1,71 @@ + +#user html; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + include conf.d/*.conf; + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} +} diff --git a/states/roles/maintain/nginx-proxy/portal.conf b/states/roles/maintain/nginx-proxy/portal.conf new file mode 100755 index 0000000..07ab7b6 --- /dev/null +++ b/states/roles/maintain/nginx-proxy/portal.conf 
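Review bot: Both `prot` lookups test the wrong key — `pillar['nginx'][server]['https']['port'] is defined` guards reading `['https']['prot']`, and the http block repeats the mistake — so a server with a `port` but no `prot` renders `$backend` with an empty scheme, and the http fallback is spelled `[%- set prot = "http" -%}`, which is not a Jinja tag and lands verbatim in the nginx config so `nginx -t` fails. Fix the two conditions to `{%- if pillar['nginx'][server]['https']['prot'] is defined -%}` and `{%- if pillar['nginx'][server]['http']['prot'] is defined -%}`, and the stray tag to `{%- set prot = "http" -%}`. The 443 block uses the deprecated `ssl on;` with no `ssl_protocols`/`ssl_ciphers`, so the nginx build's defaults decide which TLS versions this public listener accepts; prefer `listen 443 ssl;` plus an explicit `ssl_protocols TLSv1.2;`. When `prot` is https the proxy also talks to the backend without `proxy_ssl_verify on;` (nginx defaults it off), and no `X-Forwarded-For`/`X-Forwarded-Proto` headers are set, so backend logs will lack the real client address during incident review.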
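Review bot: This is the stock nginx.conf with no `http`-level TLS or hardening defaults, and since the per-server templates in this role set neither `ssl_protocols` nor `ssl_ciphers`, the versions and suites offered on the public 443 listeners are whatever this nginx build happens to default to. Add a hardened baseline here so every `conf.d` server inherits it: `ssl_protocols TLSv1.2;`, `ssl_prefer_server_ciphers on;`, `server_tokens off;`. The commented-out `access_log` leaves logging at the compiled-in default; for a proxy fronting every service, set `access_log` and `error_log` explicitly so there is a known place to look during incident response.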
@@ -0,0 +1,41 @@ +server { + + listen 443 default_server; + server_name portal.actcur.com; + + resolver {{resolver}}; + set $certbot "https://salt.actcur.com"; + + ssl on; + ssl_certificate /etc/nginx/certs/portal.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/portal.actcur.com/privkey.pem; + ssl_session_cache shared:SSL:10m; + + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + + location / { + root /srv/http; + } +} + +server { + listen 80 default_server; + server_name portal.actcur.com; + + resolver {{resolver}}; + set $certbot "http://salt.actcur.com"; + + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + + location / { + rewrite ^ https://$host$request_uri? permanent; + } +} + + diff --git a/states/roles/maintain/nginx-proxy/remote.conf b/states/roles/maintain/nginx-proxy/remote.conf new file mode 100755 index 0000000..08979ca --- /dev/null +++ b/states/roles/maintain/nginx-proxy/remote.conf 
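Review bot: The port-80 block is `default_server`, so it answers for any Host header, and `rewrite ^ https://$host$request_uri? permanent;` echoes that client-supplied value back as the redirect target; use `return 301 https://$server_name$request_uri;` so the catch-all only ever redirects to portal.actcur.com. The 443 block uses `ssl on;` (deprecated in favour of `listen 443 ssl default_server;`) and, like the sibling templates, sets no `ssl_protocols`, so the TLS policy for the default vhost is implicit. Proxying `/.well-known/acme-challenge/` on 443 as well as 80 is harmless but only needed if the port-80 handler redirected challenges to https, which it does not; a comment saying `# HTTP-01 is validated via the port-80 proxy; the 443 copy is a fallback only` would spare the next reader from wondering whether salt.actcur.com must expose HTTPS.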
@@ -0,0 +1,67 @@ +{%- set auth = "blocked" -%} +{%- if pillar['nginx'][server]['https'] is defined -%} + {%- if pillar['nginx'][server]['auth'] is defined-%} + {%- set auth = pillar['nginx'][server]['auth'] -%} + {%- endif -%} +{%- endif -%} + +server { + listen 443; + server_name {{server}}.actcur.com; + + resolver {{resolver}}; + set $backend "https://{{server}}.actcur.com"; + set $certbot "https://salt.actcur.com"; + + ssl on; + ssl_certificate /etc/nginx/certs/{{server}}.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{server}}.actcur.com/privkey.pem; + ssl_session_cache shared:SSL:10m; + client_max_body_size 1024m; + {% include 'roles/maintain/nginx-proxy/auth.conf' %} + + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + +{%- if auth != "blocked" %} + + location / { + proxy_pass $backend; + proxy_set_header Host $host; + + # re-write redirects to http as to https, example: /home + proxy_redirect http:// https://; + } +{%- endif %} +} + +{%- if pillar['nginx'][server]['http'] is defined-%} + {%- if pillar['nginx'][server]['https']['auth'] is defined-%} + {%- set auth = pillar['nginx'][server]['https']['auth'] -%} + {%- else -%} + {%- set auth = "blocked" -%} + {%- endif -%} +server { + listen 80; + server_name {{server}}.actcur.com; + + resolver {{resolver}}; + set $backend "http://{{server}}.actcur.com"; + set $certbot "http://salt.actcur.com"; + client_max_body_size 1024m; + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + + location / { + proxy_pass $backend; + proxy_set_header Host $host; + + # re-write redirects to https as to http, example: /home + proxy_redirect https:// http://; + } +} +{%- endif -%} diff --git a/states/roles/maintain/pepper/conf.d/pepper.conf b/states/roles/maintain/pepper/conf.d/pepper.conf new file mode 100755 index 0000000..ad9e053 --- /dev/null +++ b/states/roles/maintain/pepper/conf.d/pepper.conf 
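Review bot: The port-80 server block proxies `location /` to the backend unconditionally — the `auth` it computes from `pillar['nginx'][server]['https']['auth']` is never used and the auth.conf include only exists in the 443 block — so declaring `http:` for a server in pillar exposes that backend on the public portal in cleartext with no authentication, regardless of the `blocked`/`simple` setting protecting the https side. The same fail-open exists on 443, where any `auth` other than `blocked` opens `location /` even though auth.conf emits nothing for `ldap` or an unknown value; make that gate an allow-list, `{%- if auth in ["none", "simple"] %}`. Since basic-auth credentials must not travel over plain HTTP anyway, the port-80 block should serve only the ACME challenge and redirect everything else to https, as below. Inside the 443 block the auth.conf include applies server-wide, so any client fetching the challenge over https gets a 401; put `auth_basic off;` in that location. The `['https']['auth']` lookup in the http block also aborts rendering whenever `http` is defined without `https`.

```nginx
{%- if pillar['nginx'][server]['http'] is defined -%}
server {
    listen 80;
    server_name {{server}}.actcur.com;

    resolver {{resolver}};
    set $certbot "http://salt.actcur.com";

    location /.well-known/acme-challenge/ {
        proxy_pass $certbot;
        proxy_set_header Host $host;
    }

    # Never proxy the backend over cleartext; auth is only enforced on 443.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
{%- endif -%}
```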
@@ -0,0 +1,45 @@ +server { + listen 80; + server_name salt.uwsp.edu; + + charset utf-8; + + #root /usr/share/nginx/html/abc.com/public; + root /opt/pepper/public; + index index.php index.html; + + location / { + try_files $uri $uri/ /index.php?$query_string; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + location ~ \.php$ { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock; + fastcgi_index index.php; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_intercept_errors off; + fastcgi_buffer_size 16k; + fastcgi_buffers 4 16k; + } + + location ~* \.(jpg|jpeg|gif|png|css|js|ico|xml)$ { + access_log off; + log_not_found off; + expires 30d; + } + + location ~ /\. { + deny all; access_log off; log_not_found off; + } + + location = /favicon.ico { access_log off; log_not_found off; } + location = /robots.txt { access_log off; log_not_found off; } + + client_max_body_size 100m; +} diff --git a/states/roles/maintain/pepper/init.sls b/states/roles/maintain/pepper/init.sls new file mode 100755 index 0000000..0b17c00 --- /dev/null +++ b/states/roles/maintain/pepper/init.sls 
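Review bot: The `~ \.php$` location hands `$document_root$fastcgi_script_name` to php-fpm without first confirming the script exists, so with `cgi.fix_pathinfo=1` (PHP's default) a request such as `/some/upload.jpg/x.php` can get the upload executed as PHP; add `try_files $uri =404;` as the first line of that location. `server_name salt.uwsp.edu;` does not match the actcur.com naming used by every other vhost in this change and looks like a leftover from wherever the file was copied; fix it or parameterise it the way the nginx-proxy templates do. This appears to be a Salt management UI (the salt.* hostname and the saltpad remnants in the sibling init.sls suggest so) served on port 80 only, with no TLS and no auth at the nginx layer; if it is only reachable behind the nginx-proxy role, say so in a comment at the top, otherwise its login traffic is in cleartext.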
@@ -0,0 +1,52 @@ + +nginx: + service.running: + - enable: true + - watch: + - file: /etc/nginx/conf.d/* + +php-fpm: + service.running: + - enable: true + - watch: + - file: /etc/php-fpm.d/www.conf + +/etc/nginx/conf.d/: + file.recurse: + - source: salt://roles/maintain/pepper/conf.d/ + - user: root + - group: root + - dir_mode: 755 + - file_mode: 644 + - clean: true + +/etc/php-fpm.d/www.conf: + file.managed: + - source: salt://roles/maintain/pepper/www.conf + - user: root + - group: root + - mode: 644 + +/opt/pepper: + file.directory: + - user: nginx + - group: nginx + - recurse: + - user + - group + +/opt/pepper/storage: + file.directory: + - mode: 775 + - recurse: + - mode + +#/opt/saltpad/saltpad/modules/: +# file.recurse: +# - source: salt://roles/maintain/saltpad/modules/ +# - user: root +# - group: root +# - dir_mode: 755 +# - file_mode: 644 +# - clean: true + diff --git a/states/roles/maintain/pepper/www.conf b/states/roles/maintain/pepper/www.conf new file mode 100755 index 0000000..e9a2137 --- /dev/null +++ b/states/roles/maintain/pepper/www.conf 
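Review bot: `/opt/pepper` is chowned recursively to nginx:nginx while the www.conf shipped by this same state runs the php-fpm pool as `user = nginx`, so the PHP code tree is writable by the process that executes it; any file-write or upload flaw in the app becomes persistent code execution, since index.php itself can be edited. Keep the application code root-owned and give only the writable tree to the service account: drop the `recurse: user/group` on `/opt/pepper` (or set `- user: root`) and put `- user: nginx`, `- group: nginx` on `/opt/pepper/storage` instead. The storage state applies `mode: 775` with `recurse: - mode` to files as well as directories, making every file under storage group-writable and executable; use `- dir_mode: 775` and `- file_mode: 664`, which file.directory accepts. Neither `nginx` nor `php-fpm` has a `pkg.installed` in this state, so `service.running` fails on a fresh host unless another role installs them.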
@@ -0,0 +1,227 @@ +; Start a new pool named 'www'. +[www] + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses on a +; specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /var/run/php-fpm/php-fpm.sock + +; Set listen(2) backlog. A value of '-1' means unlimited. +; Default Value: -1 +;listen.backlog = -1 + +; List of ipv4 addresses of FastCGI clients which are allowed to connect. +; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original +; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address +; must be separated by a comma. If this value is left blank, connections will be +; accepted from any ip address. +; Default Value: any +listen.allowed_clients = 127.0.0.1 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0666 +listen.owner = nginx +listen.group = nginx +;listen.mode = 0666 + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +; RPM: apache Choosed to be able to access some dir as httpd +user = nginx +; RPM: Keep a group allowed to write in log dir. +group = nginx + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives: +; pm.max_children - the maximum number of children that can +; be alive at the same time. 
+; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes to be created when pm is set to 'dynamic'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. +; Note: Used when pm is set to either 'static' or 'dynamic' +; Note: This value is mandatory. +pm.max_children = 50 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 5 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 5 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 35 + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +;pm.max_requests = 500 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
By default, the status page shows the following +; information: +; accepted conn - the number of request accepted by the pool; +; pool - the name of the pool; +; process manager - static or dynamic; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes. +; The values of 'idle processes', 'active processes' and 'total processes' are +; updated each second. The value of 'accepted conn' is updated in real time. +; Example output: +; accepted conn: 12073 +; pool: www +; process manager: static +; idle processes: 35 +; active processes: 65 +; total processes: 100 +; By default the status page output is formatted as text/plain. Passing either +; 'html' or 'json' as a query string will return the corresponding output +; syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. 
+; Default Value: pong +;ping.response = pong + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +slowlog = /var/log/php-fpm/www-slow.log + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. This value must be an absolute path. +; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Default Value: no +;catch_workers_output = yes + +; Limits the extensions of the main script FPM will allow to parse. This can +; prevent configuration mistakes on the web server side. 
You should only limit +; FPM to .php extensions to prevent malicious users to use other extensions to +; exectute php code. +; Note: set an empty value to allow all extensions. +; Default Value: .php +;security.limit_extensions = .php .php3 .php4 .php5 + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +;env[HOSTNAME] = $HOSTNAME +;env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +php_admin_value[error_log] = /var/log/php-fpm/www-error.log +php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 128M + +; Set session path to a directory owned by process user +php_value[session.save_handler] = files +php_value[session.save_path] = /var/lib/php/session +php_value[soap.wsdl_cache_dir] = /var/lib/php/wsdlcache + diff --git a/states/roles/maintain/pkg-cache/init.sls b/states/roles/maintain/pkg-cache/init.sls new file mode 100755 index 0000000..0de1ebc --- /dev/null 
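Review bot: `listen.mode` is left commented while the file's own comment above it states the default mode is 0666, so any local user can connect to /var/run/php-fpm/php-fpm.sock and submit FastCGI requests, with a `SCRIPT_FILENAME` of their choosing, to a pool running as nginx; set `listen.mode = 0660` explicitly next to `listen.owner`/`listen.group`. `listen.allowed_clients = 127.0.0.1` is inert for a unix socket (the comment says it only applies to TCP listeners) and gives a false sense of restriction; delete it or annotate it as unused. Consider also `php_admin_value[open_basedir]` covering only the application and storage paths, and a `chdir`, since the pool otherwise has no filesystem confinement.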
+++ b/states/roles/maintain/pkg-cache/init.sls @@ -0,0 +1,22 @@ +nginx-pkg-cache: + pkg.installed: + - pkgs: + - nginx + service.running: + - name: nginx + - enable: true + - watch: + - file: /etc/nginx/conf.d/* + +/srv/http/pacman-cache: + file.symlink: + - target: /mnt/pkgs + +/etc/nginx/conf.d/pkg-cache.conf: + file.managed: + - makedirs: true + - source: salt://roles/maintain/pkg-cache/pkg-cache.conf + - user: root + - group: root + - mode: 644 + - template: jinja diff --git a/states/roles/maintain/pkg-cache/nginx.conf b/states/roles/maintain/pkg-cache/nginx.conf new file mode 100755 index 0000000..bf5fd27 --- /dev/null +++ b/states/roles/maintain/pkg-cache/nginx.conf @@ -0,0 +1,71 @@ + +#user html; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + include conf.d/*.conf; + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} +} 
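Review bot: The `pkg-cache.conf` deployed by this state uses `proxy_store` into `/srv/http/pacman-cache`, which this hunk makes a symlink to `/mnt/pkgs`, yet nothing here ensures `/mnt/pkgs` exists or is writable by the nginx worker user, so on a fresh host caching will most likely degrade to a plain proxy with errors in the nginx log; add a `file.directory` for `/mnt/pkgs` with the worker user/group and a `require` on it from the symlink. The `nginx.conf` added alongside this state (`index 0000000..bf5fd27`, byte-identical to the nginx-proxy copy) is never referenced by any `file.managed` here, so it is dead weight that will drift; either deploy it and add it to the `watch` list or remove it.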
diff --git a/states/roles/maintain/pkg-cache/pkg-cache.conf b/states/roles/maintain/pkg-cache/pkg-cache.conf new file mode 100755 index 0000000..4e55d75 --- /dev/null +++ b/states/roles/maintain/pkg-cache/pkg-cache.conf 
@@ -0,0 +1,75 @@ +resolver 8.8.8.8 8.8.4.4; + +# Pacman Cache +server +{ + listen 8000; + server_name pkg.actcur.com; + root /srv/http/pacman-cache; + autoindex on; + + # Requests for aur.db and sig files should stay here + location ~ aur-local\.(db|sig){ + try_files $uri @pkg_mirror; + } + + # Requests for package db and signature files should redirect upstream without caching + location ~ \.(db|sig)$ { + proxy_pass http://mirrors$request_uri; + } + + # Requests for actual packages should be served directly from cache if available. + # If not available, retrieve and save the package from an upstream mirror. + location ~ \.tar\.xz$ { + try_files $uri @pkg_mirror; + } + + # Retrieve package from upstream mirrors and cache for future requests + location @pkg_mirror { + proxy_store on; + proxy_redirect off; + proxy_store_access user:rw group:rw all:r; + proxy_next_upstream error timeout http_404; + proxy_pass http://mirrors$request_uri; + } +} + +# Upstream Arch Linux Mirrors +# - Configure as many backend mirrors as you want in the blocks below +# - Servers are used in a round-robin fashion by nginx +# - Add "backup" if you want to only use the mirror upon failure of the other mirrors +# - Separate "server" configurations are required for each upstream mirror so we can set the "Host" header appropriately +upstream mirrors { + server localhost:8001; + server localhost:8002 backup; + server localhost:8003 backup; + server localhost:8004 backup; + server localhost:8005 backup; + server localhost:8006 backup; + server localhost:8007 backup; + server localhost:8008 backup; + server localhost:8009 backup; + server localhost:8010 backup; +} + +{% from 'mirrors.jinja' import mirrors %} + +{%- set port=8000 -%} +{%- if mirrors is defined -%} + {%- for mirror in mirrors -%} + {%- set port=port+1 %} + {%- set lst=mirror.split('/') %} + +# Arch Mirror {{ lst[2] }} Proxy Configuration +server +{ + listen {{ port + loop.index }}; + server_name localhost; + + location / { + 
proxy_pass {{ mirror }}$request_uri; + proxy_set_header Host {{ lst[2] }}; + } +} + {% endfor -%} +{%- endif -%} diff --git a/states/roles/maintain/plexmediaserver/init.sls b/states/roles/maintain/plexmediaserver/init.sls new file mode 100755 index 0000000..a7d3c25 --- /dev/null +++ b/states/roles/maintain/plexmediaserver/init.sls @@ -0,0 +1,22 @@ +{%- set os=grains['os'] -%} + + +plex-media-server-plexpass: + pkg.installed + +plexmediaserver: + service.running: + - enable: true + +/etc/conf.d/plexmediaserver: + file.managed: + - source: salt://roles/maintain/plexmediaserver/plexmediaserver + - user: root + - group: root + - mode: 644 + +mount: + group.present: + - gid: 503 + - addusers: + - plex diff --git a/states/roles/maintain/plexmediaserver/plexmediaserver b/states/roles/maintain/plexmediaserver/plexmediaserver new file mode 100755 index 0000000..4fb43de --- /dev/null +++ b/states/roles/maintain/plexmediaserver/plexmediaserver @@ -0,0 +1,7 @@ +LD_LIBRARY_PATH=/opt/plexmediaserver +PLEX_MEDIA_SERVER_HOME=/opt/plexmediaserver +#PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR=/var/lib/plex +PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR=/var/lib/plexmediaserver/Library/Application\ Support +PLEX_MEDIA_SERVER_MAX_PLUGIN_PROCS=6 +PLEX_MEDIA_SERVER_TMPDIR=/tmp +TMPDIR=/tmp diff --git a/states/roles/maintain/plexrequests/init.sls b/states/roles/maintain/plexrequests/init.sls new file mode 100755 index 0000000..91cbc29 --- /dev/null +++ b/states/roles/maintain/plexrequests/init.sls @@ -0,0 +1,17 @@ +/opt/plexrequests.sh: + file.managed: + - source: salt://roles/maintain/plexrequests/plexrequests.sh + - user: root + - group: root + - mode: 644 + +"/usr/lib/systemd/system/plexrequests.service": + file.managed: + - source: salt://roles/maintain/plexrequests/plexrequests.service + - user: root + - group: root + - mode: 644 + +plexrequests: + service.running: + - enable: true 
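Review bot: The per-mirror `listen` ports do not line up with the `upstream mirrors` list: `{%- set port=port+1 %}` inside the `for` is loop-scoped in Jinja2, so `port` is 8001 on every pass and `{{ port + loop.index }}` yields 8002, 8003, …, leaving nothing on 8001 (the only non-backup upstream) and every request paying a failed connect before `proxy_next_upstream` moves on. Drop the `set port` lines and write `listen 127.0.0.1:{{ 8000 + loop.index }};` — binding to loopback also matters because these blocks are unrestricted forward proxies to each mirror and are only ever reached through `localhost:800x` in the upstream. `resolver 8.8.8.8 8.8.4.4;` hard-codes Google's public DNS for resolving mirror hostnames while the other roles take `{{ resolver }}` from the state context; use the same source here. The upstream list is fixed at ten entries, so an eleventh mirror in `mirrors.jinja` gets a listener nobody uses; generate the `server localhost:…` lines from the same loop. Finally, `{{ mirror }}` and `lst[2]` are interpolated unescaped into `proxy_pass` and `proxy_set_header`, so whatever produces `mirrors.jinja` must validate each entry as a plain http(s) URL.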
diff --git a/states/roles/maintain/plexrequests/plexrequests.service b/states/roles/maintain/plexrequests/plexrequests.service new file mode 100755 index 0000000..250919a --- /dev/null +++ b/states/roles/maintain/plexrequests/plexrequests.service @@ -0,0 +1,13 @@ +[Unit] +Description=Systemd script to run PlexRequests as a service +After=network-online.target + +[Service] +User=root +Group=root +Type=simple +ExecStart=/bin/bash /opt/plexrequests.sh +TimeoutStopSec=20 + +[Install] +WantedBy=multi-user.target diff --git a/states/roles/maintain/plexrequests/plexrequests.sh b/states/roles/maintain/plexrequests/plexrequests.sh new file mode 100755 index 0000000..3d2dfbd --- /dev/null +++ b/states/roles/maintain/plexrequests/plexrequests.sh @@ -0,0 +1,2 @@ +cd /opt/plexrequests +meteor diff --git a/states/roles/maintain/saltmaster/init.sls b/states/roles/maintain/saltmaster/init.sls new file mode 100755 index 0000000..a569f50 --- /dev/null +++ b/states/roles/maintain/saltmaster/init.sls @@ -0,0 +1,25 @@ +{%- set os=grains['os'] -%} + +salt-master: +{%- if os=="CentOS" or os=="RedHat" %} + pkg.installed: [] +{%- elif os=="Arch" or os=="Manjaro" %} + pkg.installed: + - pkgs: + - salt +{%- endif %} + service.running: + - enable: true + - watch: + - file: /etc/salt/master + +/etc/salt/master: + file.managed: + - source: salt://roles/maintain/saltmaster/master + - user: root + - group: root + - mode: 644 + +/srv/salt/prod/states/pillars: + file.symlink: + - target: ../pillars/ diff --git a/states/roles/maintain/saltmaster/master b/states/roles/maintain/saltmaster/master new file mode 100755 index 0000000..059ba89 --- /dev/null +++ b/states/roles/maintain/saltmaster/master 
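Review bot: The unit runs `meteor` as `User=root`/`Group=root` for what is a network-facing web application, so a flaw in the app or in the Meteor dev server executes with full privileges. Create a dedicated account (`user.present` in init.sls) and set `User=plexrequests`, `Group=plexrequests`, with `/opt/plexrequests` owned by it; `ProtectSystem=full` and `PrivateTmp=yes` are cheap additional hardening for a unit like this. `After=network-online.target` without a matching `Wants=network-online.target` does not actually wait for the network; add the `Wants=` line.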
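Review bot: `cd /opt/plexrequests` is unchecked, so if the directory is missing `meteor` is launched from the unit's default working directory (`/`, since the unit sets no `WorkingDirectory=`) and will try to run a Meteor project there; use `cd /opt/plexrequests || exit 1` and add `set -eu` at the top. `meteor` is also resolved through the unit's PATH; spelling out its full path, or setting `WorkingDirectory=` and `ExecStart=` in the unit, would remove the wrapper script entirely.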
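Review bot: The `/srv/salt/prod/states/pillars -> ../pillars/` symlink places the whole pillar tree inside file_roots, and the Salt fileserver has no per-minion access control, so every minion can `cp.get_file salt://pillars/...` any pillar file, including data that pillar targeting was supposed to keep from it (credentials, other hosts' configuration). It appears intended so that pillar top files can enumerate role files as if they were states; if that is the goal, keep only non-secret role index files under file_roots or do the enumeration on the master side (a runner or `ext_pillar`), and add a comment here stating what the symlink is for and what it exposes. The state also manages `/etc/salt/master` as a full 794-line file; documenting which non-default settings it changes, or shipping only a `master.d/` drop-in, would make review of the master's security configuration tractable.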
@@ -0,0 +1,794 @@
+##### Primary configuration settings #####
+##########################################
+# This configuration file is used to manage the behavior of the Salt Master.
+# Values that are commented out but have an empty line after the comment are
+# defaults that do not need to be set in the config. If there is no blank line
+# after the comment then the value is presented as an example and is not the
+# default.
+
+# Per default, the master will automatically include all config files
+# from master.d/*.conf (master.d is a directory in the same directory
+# as the main master config file).
+#default_include: master.d/*.conf
+
+# The address of the interface to bind to:
+#interface: 0.0.0.0
+
+# Whether the master should listen for IPv6 connections. If this is set to True,
+# the interface option must be adjusted, too. (For example: "interface: '::'")
+#ipv6: False
+
+# The tcp port used by the publisher:
+#publish_port: 4505
+
+# The user under which the salt master will run. Salt will update all
+# permissions to allow the specified user to run the master. The exception is
+# the job cache, which must be deleted if this user is changed. If the
+# modified files cause conflicts, set verify_env to False.
+#user: root
+
+# Max open files
+#
+# Each minion connecting to the master uses AT LEAST one file descriptor, the
+# master subscription connection. If enough minions connect you might start
+# seeing on the console (and then salt-master crashes):
+# Too many open files (tcp_listener.cpp:335)
+# Aborted (core dumped)
+#
+# By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
+# max open files.
+#
+# If you wish to set a different value than the default one, uncomment and
+# configure this setting. Remember that this value CANNOT be higher than the
+# hard limit. Raising the hard limit depends on your OS and/or distribution,
+# a good way to find the limit is to search the internet.
For example:
+# raise max open files hard limit debian
+#
+#max_open_files: 100000
+
+# The number of worker threads to start. These threads are used to manage
+# return calls made from minions to the master. If the master seems to be
+# running slowly, increase the number of threads. This setting can not be
+# set lower than 3.
+#worker_threads: 5
+
+# The port used by the communication interface. The ret (return) port is the
+# interface used for the file server, authentication, job returns, etc.
+#ret_port: 4506
+
+# Specify the location of the daemon process ID file:
+#pidfile: /var/run/salt-master.pid
+
+# The root directory prepended to these options: pki_dir, cachedir,
+# sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
+# key_logfile, pidfile:
+#root_dir: /
+
+# Directory used to store public key data:
+#pki_dir: /etc/salt/pki/master
+
+# Directory to store job and cache data:
+# This directory may contain sensitive data and should be protected accordingly.
+#
+#cachedir: /var/cache/salt/master
+
+# Directory for custom modules. This directory can contain subdirectories for
+# each of Salt's module types such as "runners", "output", "wheel", "modules",
+# "states", "returners", etc.
+#extension_modules:
+
+# Directory for custom modules. This directory can contain subdirectories for
+# each of Salt's module types such as "runners", "output", "wheel", "modules",
+# "states", "returners", etc.
+# Like 'extension_modules' but can take an array of paths
+#module_dirs:
+# - /var/cache/salt/minion/extmods
+
+# Verify and set permissions on configuration directories at startup:
+#verify_env: True
+
+# Set the number of hours to keep old job information in the job cache:
+#keep_jobs: 24
+
+# Set the default timeout for the salt command and api. The default is 5
+# seconds.
+#timeout: 5
+
+# The loop_interval option controls the seconds for the master's maintenance
+# process check cycle.
This process updates file server backends, cleans the
+# job cache and executes the scheduler.
+#loop_interval: 60
+
+# Set the default outputter used by the salt command. The default is "nested".
+#output: nested
+
+# Return minions that timeout when running commands like test.ping
+#show_timeout: True
+
+# By default, output is colored. To disable colored output, set the color value
+# to False.
+#color: True
+
+# Do not strip off the colored output from nested results and state outputs
+# (true by default).
+# strip_colors: False
+
+# Set the directory used to hold unix sockets:
+#sock_dir: /var/run/salt/master
+
+# The master can take a while to start up when lspci and/or dmidecode is used
+# to populate the grains for the master. Enable if you want to see GPU hardware
+# data for your master.
+# enable_gpu_grains: False
+
+# The master maintains a job cache. While this is a great addition, it can be
+# a burden on the master for larger deployments (over 5000 minions).
+# Disabling the job cache will make previously executed jobs unavailable to
+# the jobs system and is not generally recommended.
+#job_cache: True
+
+# Cache minion grains and pillar data in the cachedir.
+#minion_data_cache: True
+
+# Store all returns in the given returner.
+# Setting this option requires that any returner-specific configuration also
+# be set. See various returners in salt/returners for details on required
+# configuration values. (See also, event_return_queue below.)
+#
+#event_return: mysql
+
+# On busy systems, enabling event_returns can cause a considerable load on
+# the storage system for returners. Events can be queued on the master and
+# stored in a batched fashion using a single transaction for multiple events.
+# By default, events are not queued.
+#event_return_queue: 0
+
+# Only events returns matching tags in a whitelist
+# event_return_whitelist:
+# - salt/master/a_tag
+# - salt/master/another_tag
+
+# Store all event returns _except_ the tags in a blacklist
+# event_return_blacklist:
+# - salt/master/not_this_tag
+# - salt/master/or_this_one
+
+# Passing very large events can cause the minion to consume large amounts of
+# memory. This value tunes the maximum size of a message allowed onto the
+# master event bus. The value is expressed in bytes.
+#max_event_size: 1048576
+
+# By default, the master AES key rotates every 24 hours. The next command
+# following a key rotation will trigger a key refresh from the minion which may
+# result in minions which do not respond to the first command after a key refresh.
+#
+# To tell the master to ping all minions immediately after an AES key refresh, set
+# ping_on_rotate to True. This should mitigate the issue where a minion does not
+# appear to initially respond after a key is rotated.
+#
+# Note that ping_on_rotate may cause high load on the master immediately after
+# the key rotation event as minions reconnect. Consider this carefully if this
+# salt master is managing a large number of minions.
+#
+# If disabled, it is recommended to handle this event by listening for the
+# 'aes_key_rotate' event with the 'key' tag and acting appropriately.
+# ping_on_rotate: False
+
+# By default, the master deletes its cache of minion data when the key for that
+# minion is removed. To preserve the cache after key deletion, set
+# 'preserve_minion_cache' to True.
+#
+# WARNING: This may have security implications if compromised minions auth with
+# a previous deleted minion ID.
+#preserve_minion_cache: False
+
+# If max_minions is used in large installations, the master might experience
+# high-load situations because of having to check the number of connected
+# minions for every authentication.
This cache provides the minion-ids of
+# all connected minions to all MWorker-processes and greatly improves the
+# performance of max_minions.
+# con_cache: False
+
+# The master can include configuration from other files. To enable this,
+# pass a list of paths to this option. The paths can be either relative or
+# absolute; if relative, they are considered to be relative to the directory
+# the main master configuration file lives in (this file). Paths can make use
+# of shell-style globbing. If no files are matched by a path passed to this
+# option, then the master will log a warning message.
+#
+# Include a config file from some other path:
+# include: /etc/salt/extra_config
+#
+# Include config from several files and directories:
+# include:
+# - /etc/salt/extra_config
+
+
+##### Security settings #####
+##########################################
+# Enable "open mode", this mode still maintains encryption, but turns off
+# authentication, this is only intended for highly secure environments or for
+# the situation where your keys end up in a bad state. If you run in open mode
+# you do so at your own risk!
+#open_mode: False
+
+# Enable auto_accept, this setting will automatically accept all incoming
+# public keys from the minions. Note that this is insecure.
+#auto_accept: False
+
+# Time in minutes that a incoming public key with a matching name found in
+# pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
+# are removed when the master checks the minion_autosign directory.
+# 0 equals no timeout
+# autosign_timeout: 120
+
+# If the autosign_file is specified, incoming keys specified in the
+# autosign_file will be automatically accepted. This is insecure. Regular
+# expressions as well as globing lines are supported.
+#autosign_file: /etc/salt/autosign.conf
+
+# Works like autosign_file, but instead allows you to specify minion IDs for
+# which keys will automatically be rejected.
Will override both membership in
+# the autosign_file and the auto_accept setting.
+#autoreject_file: /etc/salt/autoreject.conf
+
+# Enable permissive access to the salt keys. This allows you to run the
+# master or minion as root, but have a non-root group be given access to
+# your pki_dir. To make the access explicit, root must belong to the group
+# you've given access to. This is potentially quite insecure. If an autosign_file
+# is specified, enabling permissive_pki_access will allow group access to that
+# specific file.
+#permissive_pki_access: False
+
+# Allow users on the master access to execute specific commands on minions.
+# This setting should be treated with care since it opens up execution
+# capabilities to non root users. By default this capability is completely
+# disabled.
+#client_acl:
+# larry:
+# - test.ping
+# - network.*
+#
+# Blacklist any of the following users or modules
+#
+# This example would blacklist all non sudo users, including root from
+# running any commands. It would also blacklist any use of the "cmd"
+# module. This is completely disabled by default.
+#
+#client_acl_blacklist:
+# users:
+# - root
+# - '^(?!sudo_).*$' # all non sudo users
+# modules:
+# - cmd
+
+# Enforce client_acl & client_acl_blacklist when users have sudo
+# access to the salt command.
+#
+#sudo_acl: False
+
+# The external auth system uses the Salt auth modules to authenticate and
+# validate users to access areas of the Salt system.
+external_auth:
+ pam:
+ linuxadm%:
+ - '.*'
+ - '@runner'
+ - '@wheel'
+ root:
+ - '.*'
+ - '@runner'
+ - '@wheel'
+#
+# Time (in seconds) for a newly generated token to live. Default: 12 hours
+#token_expire: 43200
+
+# Allow minions to push files to the master. This is disabled by default, for
+# security purposes.
+#file_recv: False
+
+# Set a hard-limit on the size of the files that can be pushed to the master.
+# It will be interpreted as megabytes.
Default: 100
+#file_recv_max_size: 100
+
+# Signature verification on messages published from the master.
+# This causes the master to cryptographically sign all messages published to its event
+# bus, and minions then verify that signature before acting on the message.
+#
+# This is False by default.
+#
+# Note that to facilitate interoperability with masters and minions that are different
+# versions, if sign_pub_messages is True but a message is received by a minion with
+# no signature, it will still be accepted, and a warning message will be logged.
+# Conversely, if sign_pub_messages is False, but a minion receives a signed
+# message it will be accepted, the signature will not be checked, and a warning message
+# will be logged. This behavior went away in Salt 2014.1.0 and these two situations
+# will cause minion to throw an exception and drop the message.
+# sign_pub_messages: False
+
+##### Salt-SSH Configuration #####
+##########################################
+
+# Pass in an alternative location for the salt-ssh roster file
+#roster_file: /etc/salt/roster
+
+# Pass in minion option overrides that will be inserted into the SHIM for
+# salt-ssh calls. The local minion config is not used for salt-ssh. Can be
+# overridden on a per-minion basis in the roster (`minion_opts`)
+#ssh_minion_opts:
+# gpg_keydir: /root/gpg
+
+##### Master Module Management #####
+##########################################
+# Manage how master side modules are loaded.
+
+# Add any additional locations to look for master runners:
+#runner_dirs: []
+
+# Enable Cython for master side modules:
+#cython_enable: False
+
+
+##### State System settings #####
+##########################################
+# The state system uses a "top" file to tell the minions what environment to
+# use and what modules to use. The state_top file is defined relative to the
+# root of the base environment as defined in "File Server settings" below.
+#state_top: top.sls
+
+# The master_tops option replaces the external_nodes option by creating
+# a plugable system for the generation of external top data. The external_nodes
+# option is deprecated by the master_tops option.
+#
+# To gain the capabilities of the classic external_nodes system, use the
+# following configuration:
+# master_tops:
+# ext_nodes:
+#
+#master_tops: {}
+
+# The external_nodes option allows Salt to gather data that would normally be
+# placed in a top file. The external_nodes option is the executable that will
+# return the ENC data. Remember that Salt will look for external nodes AND top
+# files and combine the results if both are enabled!
+#external_nodes: None
+
+# The renderer to use on the minions to render the state data
+#renderer: yaml_jinja
+
+# The Jinja renderer can strip extra carriage returns and whitespace
+# See http://jinja.pocoo.org/docs/api/#high-level-api
+#
+# If this is set to True the first newline after a Jinja block is removed
+# (block, not variable tag!). Defaults to False, corresponds to the Jinja
+# environment init variable "trim_blocks".
+#jinja_trim_blocks: False
+#
+# If this is set to True leading spaces and tabs are stripped from the start
+# of a line to a block. Defaults to False, corresponds to the Jinja
+# environment init variable "lstrip_blocks".
+#jinja_lstrip_blocks: False
+
+# The failhard option tells the minions to stop immediately after the first
+# failure detected in the state execution, defaults to False
+#failhard: False
+
+# The state_verbose and state_output settings can be used to change the way
+# state system data is printed to the display. By default all data is printed.
+# The state_verbose setting can be set to True or False, when set to False
+# all data that has a result of True and no changes will be suppressed.
+#state_verbose: True
+
+# The state_output setting changes if the output is the full multi line
+# output for each changed state if set to 'full', but if set to 'terse'
+# the output will be shortened to a single line. If set to 'mixed', the output
+# will be terse unless a state failed, in which case that output will be full.
+# If set to 'changes', the output will be full unless the state didn't change.
+state_output: terse
+
+# Automatically aggregate all states that have support for mod_aggregate by
+# setting to 'True'. Or pass a list of state module names to automatically
+# aggregate just those types.
+#
+# state_aggregate:
+# - pkg
+#
+#state_aggregate: False
+
+# Send progress events as each function in a state run completes execution
+# by setting to 'True'. Progress events are in the format
+# 'salt/job//prog//'.
+#state_events: False
+
+##### File Server settings #####
+##########################################
+# Salt runs a lightweight file server written in zeromq to deliver files to
+# minions. This file server is built into the master daemon and does not
+# require a dedicated port.
+
+# The file server works on environments passed to the master, each environment
+# can have multiple root directories, the subdirectories in the multiple file
+# roots cannot match, otherwise the downloaded files will not be able to be
+# reliably ensured. A base environment is required to house the top file.
+# Example:
+# file_roots:
+# base:
+# - /srv/salt/
+# dev:
+# - /srv/salt/dev/services
+# - /srv/salt/dev/states
+# prod:
+# - /srv/salt/prod/services
+# - /srv/salt/prod/states
+#
+file_roots:
+ base:
+ - /srv/salt/prod/states
+ prod:
+ - /srv/salt/prod/states
+ dev:
+ - /srv/salt/dev/states
+#
+
+# When using multiple environments, each with their own top file, the
+# default behaviour is an unordered merge. To prevent top files from
+# being merged together and instead to only use the top file from the
+# requested environment, set this value to 'same'.
+#top_file_merging_strategy: merge
+
+# To specify the order in which environments are merged, set the ordering
+# in the env_order option. Given a conflict, the last matching value will
+# win.
+env_order: ['base', 'dev', 'prod']
+
+# If top_file_merging_strategy is set to 'same' and an environment does not
+# contain a top file, the top file in the environment specified by default_top
+# will be used instead.
+default_top: prod
+
+# The hash_type is the hash to use when discovering the hash of a file on
+# the master server. The default is md5, but sha1, sha224, sha256, sha384
+# and sha512 are also supported.
+#
+# Prior to changing this value, the master should be stopped and all Salt
+# caches should be cleared.
+hash_type: sha256
+
+# The buffer size in the file server can be adjusted here:
+#file_buffer_size: 1048576
+
+# A regular expression (or a list of expressions) that will be matched
+# against the file path before syncing the modules and states to the minions.
+# This includes files affected by the file.recurse state.
+# For example, if you manage your custom modules and states in subversion
+# and don't want all the '.svn' folders and content synced to your minions,
+# you could set this to '/\.svn($|/)'. By default nothing is ignored.
+#file_ignore_regex:
+# - '/\.svn($|/)'
+# - '/\.git($|/)'
+
+# A file glob (or list of file globs) that will be matched against the file
+# path before syncing the modules and states to the minions. This is similar
+# to file_ignore_regex above, but works on globs instead of regex. By default
+# nothing is ignored.
+# file_ignore_glob:
+# - '*.pyc'
+# - '*/somefolder/*.bak'
+# - '*.swp'
+
+# File Server Backend
+#
+# Salt supports a modular fileserver backend system, this system allows
+# the salt master to link directly to third party systems to gather and
+# manage the files available to minions.
Multiple backends can be
+# configured and will be searched for the requested file in the order in which
+# they are defined here. The default setting only enables the standard backend
+# "roots" which uses the "file_roots" option.
+#fileserver_backend:
+# - roots
+#
+# To use multiple backends list them in the order they are searched:
+#fileserver_backend:
+# - git
+# - roots
+#
+# Uncomment the line below if you do not want the file_server to follow
+# symlinks when walking the filesystem tree. This is set to True
+# by default. Currently this only applies to the default roots
+# fileserver_backend.
+#fileserver_followsymlinks: False
+#
+# Uncomment the line below if you do not want symlinks to be
+# treated as the files they are pointing to. By default this is set to
+# False. By uncommenting the line below, any detected symlink while listing
+# files on the Master will not be returned to the Minion.
+#fileserver_ignoresymlinks: True
+#
+# By default, the Salt fileserver recurses fully into all defined environments
+# to attempt to find files. To limit this behavior so that the fileserver only
+# traverses directories with SLS files and special Salt directories like _modules,
+# enable the option below. This might be useful for installations where a file root
+# has a very large number of files and performance is impacted. Default is False.
+# fileserver_limit_traversal: False
+#
+# The fileserver can fire events off every time the fileserver is updated,
+# these are disabled by default, but can be easily turned on by setting this
+# flag to True
+#fileserver_events: False
+
+# Git File Server Backend Configuration
+#
+# Gitfs can be provided by one of two python modules: GitPython or pygit2. If
+# using pygit2, both libgit2 and git must also be installed.
+#gitfs_provider: gitpython
+#
+# When using the git fileserver backend at least one git remote needs to be
+# defined. The user running the salt master will need read access to the repo.
+#
+# The repos will be searched in order to find the file requested by a client
+# and the first repo to have the file will return it.
+# When using the git backend branches and tags are translated into salt
+# environments.
+# Note: file:// repos will be treated as a remote, so refs you want used must
+# exist in that repo as *local* refs.
+#gitfs_remotes:
+# - git://github.com/saltstack/salt-states.git
+# - file:///var/git/saltmaster
+#
+# The gitfs_ssl_verify option specifies whether to ignore ssl certificate
+# errors when contacting the gitfs backend. You might want to set this to
+# false if you're using a git backend that uses a self-signed certificate but
+# keep in mind that setting this flag to anything other than the default of True
+# is a security concern, you may want to try using the ssh transport.
+#gitfs_ssl_verify: True
+#
+# The gitfs_root option gives the ability to serve files from a subdirectory
+# within the repository. The path is defined relative to the root of the
+# repository and defaults to the repository root.
+#gitfs_root: somefolder/otherfolder
+#
+#
+##### Pillar settings #####
+##########################################
+# Salt Pillars allow for the building of global data that can be made selectively
+# available to different minions based on minion grain filtering. The Salt
+# Pillar is laid out in the same fashion as the file server, with environments,
+# a top file and sls files. However, pillar data does not need to be in the
+# highstate format, and is generally just key/value pairs.
+#pillar_roots:
+# base:
+# - /srv/pillar
+#
+pillar_roots:
+ base:
+ - /srv/salt/prod/pillars
+ prod:
+ - /srv/salt/prod/pillars
+ dev:
+ - /srv/salt/dev/pillars
+#
+#ext_pillar:
+# - hiera: /etc/hiera.yaml
+# - cmd_yaml: cat /etc/salt/yaml
+
+# The ext_pillar_first option allows for external pillar sources to populate
+# before file system pillar. This allows for targeting file system pillar from
+# ext_pillar.
+#ext_pillar_first: False
+
+# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
+# errors when contacting the pillar gitfs backend. You might want to set this to
+# false if you're using a git backend that uses a self-signed certificate but
+# keep in mind that setting this flag to anything other than the default of True
+# is a security concern, you may want to try using the ssh transport.
+#pillar_gitfs_ssl_verify: True
+
+# The pillar_opts option adds the master configuration file data to a dict in
+# the pillar called "master". This is used to set simple configurations in the
+# master config file that can then be used on minions.
+#pillar_opts: False
+
+# The pillar_safe_render_error option prevents the master from passing pillar
+# render errors to the minion. This is set on by default because the error could
+# contain templating data which would give that minion information it shouldn't
+# have, like a password! When set true the error message will only show:
+# Rendering SLS 'my.sls' failed. Please see master log for details.
+#pillar_safe_render_error: True
+
+# The pillar_source_merging_strategy option allows you to configure merging strategy
+# between different sources. It accepts four values: recurse, aggregate, overwrite,
+# or smart. Recurse will merge recursively mapping of data. Aggregate instructs
+# aggregation of elements between sources that use the #!yamlex renderer. Overwrite
+# will verwrite elements according the order in which they are processed. This is
+# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based
+# on the "renderer" setting and is the default value.
+#pillar_source_merging_strategy: smart
+
+
+##### Syndic settings #####
+##########################################
+# The Salt syndic is used to pass commands through a master from a higher
+# master. Using the syndic is simple.
If this is a master that will have
+# syndic servers(s) below it, then set the "order_masters" setting to True.
+#
+# If this is a master that will be running a syndic daemon for passthrough, then
+# the "syndic_master" setting needs to be set to the location of the master server
+# to receive commands from.
+
+# Set the order_masters setting to True if this master will command lower
+# masters' syndic interfaces.
+#order_masters: False
+
+# If this master will be running a salt syndic daemon, syndic_master tells
+# this master where to receive commands from.
+#syndic_master: masterofmaster
+
+# This is the 'ret_port' of the MasterOfMaster:
+#syndic_master_port: 4506
+
+# PID file of the syndic daemon:
+#syndic_pidfile: /var/run/salt-syndic.pid
+
+# LOG file of the syndic daemon:
+#syndic_log_file: syndic.log
+
+
+##### Peer Publish settings #####
+##########################################
+# Salt minions can send commands to other minions, but only if the minion is
+# allowed to. By default "Peer Publication" is disabled, and when enabled it
+# is enabled for specific minions and specific commands. This allows secure
+# compartmentalization of commands based on individual minions.
+
+# The configuration uses regular expressions to match minions and then a list
+# of regular expressions to match functions. The following will allow the
+# minion authenticated as foo.example.com to execute functions from the test
+# and pkg modules.
+#peer:
+# foo.example.com:
+# - test.*
+# - pkg.*
+#
+# This will allow all minions to execute all commands:
+#peer:
+# .*:
+# - .*
+#
+# This is not recommended, since it would allow anyone who gets root on any
+# single minion to instantly have root on all of the minions!
+
+# Minions can also be allowed to execute runners from the salt master.
+# Since executing a runner from the minion could be considered a security risk,
+# it needs to be enabled.
This setting functions just like the peer setting
+# except that it opens up runners instead of module functions.
+#
+# All peer runner support is turned off by default and must be enabled before
+# using. This will enable all peer runners for all minions:
+#peer_run:
+# .*:
+# - .*
+#
+# To enable just the manage.up runner for the minion foo.example.com:
+#peer_run:
+# foo.example.com:
+# - manage.up
+#
+#
+##### Mine settings #####
+##########################################
+# Restrict mine.get access from minions. By default any minion has a full access
+# to get all mine data from master cache. In acl definion below, only pcre matches
+# are allowed.
+# mine_get:
+# .*:
+# - .*
+#
+# The example below enables minion foo.example.com to get 'network.interfaces' mine
+# data only, minions web* to get all network.* and disk.* mine data and all other
+# minions won't get any mine data.
+# mine_get:
+# foo.example.com:
+# - network.interfaces
+# web.*:
+# - network.*
+# - disk.*
+
+
+##### Logging settings #####
+##########################################
+# The location of the master log file
+# The master log can be sent to a regular file, local path name, or network
+# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
+# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
+# format is: ://:/
+#log_file: /var/log/salt/master
+#log_file: file:///dev/log
+#log_file: udp://loghost:10514
+
+#log_file: /var/log/salt/master
+#key_logfile: /var/log/salt/key
+
+# The level of messages to send to the console.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+#
+# The following log levels are considered INSECURE and may log sensitive data:
+# ['garbage', 'trace', 'debug']
+#
+#log_level: warning
+
+# The level of messages to send to the log file.
+# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
+# If using 'log_granular_levels' this must be set to the highest desired level.
+#log_level_logfile: warning
+
+# The date and time format used in log messages. Allowed date/time formating
+# can be seen here: http://docs.python.org/library/time.html#time.strftime
+#log_datefmt: '%H:%M:%S'
+#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S'
+
+# The format of the console logging messages. Allowed formatting options can
+# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
+#
+# Console log colors are specified by these additional formatters:
+#
+# %(colorlevel)s
+# %(colorname)s
+# %(colorprocess)s
+# %(colormsg)s
+#
+# Since it is desirable to include the surrounding brackets, '[' and ']', in
+# the coloring of the messages, these color formatters also include padding as
+# well. Color LogRecord attributes are only available for console logging.
+#
+#log_fmt_console: '%(colorlevel)s %(colormsg)s'
+#log_fmt_console: '[%(levelname)-8s] %(message)s'
+#
+#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'
+
+# This can be used to control logging levels more specificically. This
+# example sets the main salt library at the 'warning' level, but sets
+# 'salt.modules' to log at the 'debug' level:
+# log_granular_levels:
+# 'salt': 'warning'
+# 'salt.modules': 'debug'
+#
+#log_granular_levels: {}
+
+
+##### Node Groups #####
+##########################################
+# Node groups allow for logical groupings of minion nodes. A group consists of a group
+# name and a compound target.
+#nodegroups:
+# group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
+# group2: 'G@os:Debian and foo.domain.com'
+
+
+##### Range Cluster settings #####
+##########################################
+# The range server (and optional port) that serves your cluster information
+# https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec
+#
+#range_server: range:80
+
+
+##### Windows Software Repo settings #####
+##############################################
+# Location of the repo on the master:
+#win_repo: '/srv/salt/win/repo'
+#
+# Location of the master's repo cache file:
+#win_repo_mastercachefile: '/srv/salt/win/repo/winrepo.p'
+#
+# List of git repositories to include with the local repo:
+#win_gitrepos:
+# - 'https://github.com/saltstack/salt-winrepo.git'
+
+##### Returner settings ######
+############################################
+# Which returner(s) will be used for minion's result:
+#return: mysql
+rest_cherrypy:
+ port: 8000
+ host: 127.0.0.1
+ disable_ssl: true
diff --git a/states/roles/maintain/saltminion/highstate.service b/states/roles/maintain/saltminion/highstate.service
new file mode 100755
index 0000000..e2e9c7b
--- /dev/null
+++ b/states/roles/maintain/saltminion/highstate.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Runs state.highstate
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+ExecStart=/bin/bash /root/scripts/highstate.sh
+
+[Install]
+WantedBy=multi-user.target
diff --git a/states/roles/maintain/saltminion/highstate.sh b/states/roles/maintain/saltminion/highstate.sh
new file mode 100755
index 0000000..0168baf
--- /dev/null
+++ b/states/roles/maintain/saltminion/highstate.sh
@@ -0,0 +1,3 @@
+echo "Running highstate `date`" > /root/scripts/highstate.log
+/usr/bin/salt-call state.highstate >> /root/scripts/highstate.log
+echo "Finished highstate" >> /root/scripts/highstate.log
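Review bot: The `rest_cherrypy` block at the end of the master config sets `disable_ssl: true`, and because authentication goes through `external_auth: pam`, PAM usernames and passwords cross port 8000 in cleartext; the `host: 127.0.0.1` binding confines that to the local host, which is only adequate if a TLS-terminating proxy on the same machine is the sole client and no other local account can read loopback traffic (whether the nginx `proxy_pass` fragment earlier in this commit is that proxy is not visible here). Separately, `external_auth` grants `'.*'`, `'@runner'` and `'@wheel'` to every member of the `linuxadm` group and to `root`: `@wheel` includes key management and `'.*'` is arbitrary execution on every minion, so membership in that group is equivalent to full control of the master, and scoping the list to the runner and wheel functions actually needed would narrow that. `default_top: prod` only takes effect when `top_file_merging_strategy` is `same`, as the comment above it says, so with the default `merge` left in place it appears to be inert and the `dev` top file is still merged into every run.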
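Review bot: In highstate.sh the exit status of `salt-call` is discarded and its stderr is not captured, so a failed highstate still leaves `highstate.service` reporting success and the failure text is lost; `/usr/bin/salt-call --retcode-passthrough state.highstate >> /root/scripts/highstate.log 2>&1` propagates the state result to systemd and keeps the error output. The first `echo` truncates the log with `>`, so only the most recent run survives; appending with `>>`, or dropping the redirections so systemd captures the output in the journal, preserves history for later investigation.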
diff --git a/states/roles/maintain/saltminion/highstate.timer b/states/roles/maintain/saltminion/highstate.timer
new file mode 100755
index 0000000..2abbcdd
--- /dev/null
+++ b/states/roles/maintain/saltminion/highstate.timer
@@ -0,0 +1,13 @@
+[Unit]
+Description=Runs state.highstate every hour
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=1h
+Unit=highstate.service
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/states/roles/maintain/saltminion/init.sls b/states/roles/maintain/saltminion/init.sls
new file mode 100755
index 0000000..271b252
--- /dev/null
+++ b/states/roles/maintain/saltminion/init.sls
@@ -0,0 +1,54 @@
+{%- set os=grains['os'] -%}
+
+salt-minion:
+{%- if os=="CentOS" or os=="RedHat" %}
+ pkg.installed: []
+{%- elif os=="Arch" or os=="Manjaro" %}
+ pkg.installed:
+ - pkgs:
+ - salt
+{%- endif %}
+ service.running:
+ - enable: true
+ - watch:
+ - file: /etc/salt/minion
+
+/etc/salt/minion:
+ file.managed:
+ - source: salt://roles/maintain/saltminion/minion
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+
+"/root/scripts/highstate.sh":
+ file.managed:
+ - source: salt://roles/maintain/saltminion/highstate.sh
+ - user: root
+ - group: root
+ - mode: 644
+ - makedirs: true
+
+"/usr/lib/systemd/system/highstate.service":
+ file.managed:
+ - source: salt://roles/maintain/saltminion/highstate.service
+ - user: root
+ - group: root
+ - mode: 644
+
+"/usr/lib/systemd/system/highstate.timer":
+ file.managed:
+ - source: salt://roles/maintain/saltminion/highstate.timer
+ - user: root
+ - group: root
+ - mode: 644
+
+"highstate.timer":
+ service.running:
+ - enable: true
+
+"highstate-reload":
+ module.run:
+ - name: service.systemctl_reload
+ - onchanges:
+ - file: /usr/lib/systemd/system/*
diff --git a/states/roles/maintain/saltminion/minion b/states/roles/maintain/saltminion/minion
new file mode 100755
index 0000000..6fedb22
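Review bot: highstate.timer installs itself with `WantedBy=multi-user.target`, which works but departs from the convention of hooking timers into `timers.target` (`WantedBy=timers.target`), which is how systemd's own timers are wired. With `OnUnitActiveSec=1h` every minion provisioned at the same time fires its highstate against the master in the same minute; a `RandomizedDelaySec=` entry in `[Timer]` spreads that load. `Unit=highstate.service` is redundant because a timer defaults to the service of the same name, so it can be dropped or kept as documentation.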
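Review bot: In saltminion/init.sls the `highstate-reload` state (`service.systemctl_reload` gated by `onchanges` on the unit files) is declared after `"highstate.timer": service.running`, and Salt applies states in definition order unless requisites say otherwise, so on a fresh host the timer is started before systemd has been told about the newly written unit files; move the reload ahead of the service or give the service `- require:` / `- module: highstate-reload`. The timer service also does not `watch` the `.timer` or `.service` files, so a changed unit is not re-read by the already-running timer. The `salt-minion` service watching `/etc/salt/minion` means a config change restarts the minion from inside its own highstate run, which on some Salt versions aborts the run in progress — worth confirming against the version deployed here.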
--- /dev/null
+++ b/states/roles/maintain/saltminion/minion
@@ -0,0 +1,629 @@ +##### Primary configuration settings ##### +########################################## +# This configuration file is used to manage the behavior of the Salt Minion. +# With the exception of the location of the Salt Master Server, values that are +# commented out but have an empty line after the comment are defaults that need +# not be set in the config. If there is no blank line after the comment, the +# value is presented as an example and is not the default. + +# Per default the minion will automatically include all config files +# from minion.d/*.conf (minion.d is a directory in the same directory +# as the main minion config file). +#default_include: minion.d/*.conf + +# Set the location of the salt master server. If the master server cannot be +# resolved, then the minion will fail to start. +master: salt.actcur.com + +# If multiple masters are specified in the 'master' setting, the default behavior +# is to always try to connect to them in the order they are listed. If random_master is +# set to True, the order will be randomized instead. This can be helpful in distributing +# the load of many minions executing salt-call requests, for example, from a cron job. +# If only one master is listed, this setting is ignored and a warning will be logged. +#random_master: False + +# Set whether the minion should connect to the master via IPv6: +#ipv6: False + +# Set the number of seconds to wait before attempting to resolve +# the master hostname if name resolution fails. Defaults to 30 seconds. +# Set to zero if the minion should shutdown and not retry. +# retry_dns: 30 + +# Set the port used by the master reply and authentication server. +#master_port: 4506 + +# The user to run salt. +#user: root + +# Specify the location of the daemon process ID file. +#pidfile: /var/run/salt-minion.pid + +# The root directory prepended to these options: pki_dir, cachedir, log_file, +# sock_dir, pidfile. 
+#root_dir: / + +# The directory to store the pki information in +#pki_dir: /etc/salt/pki/minion + +# Explicitly declare the id for this minion to use, if left commented the id +# will be the hostname as returned by the python call: socket.getfqdn() +# Since salt uses detached ids it is possible to run multiple minions on the +# same machine but with different ids, this can be useful for salt compute +# clusters. +#id: + +# Append a domain to a hostname in the event that it does not exist. This is +# useful for systems where socket.getfqdn() does not actually result in a +# FQDN (for instance, Solaris). +#append_domain: + +# Custom static grains for this minion can be specified here and used in SLS +# files just like all other grains. This example sets 4 custom grains, with +# the 'roles' grain having two values that can be matched against. +#grains: +# roles: +# - webserver +# - memcache +# deployment: datacenter4 +# cabinet: 13 +# cab_u: 14-15 +# +# Where cache data goes. +#cachedir: /var/cache/salt/minion + +# Verify and set permissions on configuration directories at startup. +#verify_env: True + +# The minion can locally cache the return data from jobs sent to it, this +# can be a good way to keep track of jobs the minion has executed +# (on the minion side). By default this feature is disabled, to enable, set +# cache_jobs to True. +#cache_jobs: False + +# Set the directory used to hold unix sockets. +#sock_dir: /var/run/salt/minion + +# Set the default outputter used by the salt-call command. The default is +# "nested". +#output: nested +# +# By default output is colored. To disable colored output, set the color value +# to False. +#color: True + +# Do not strip off the colored output from nested results and state outputs +# (true by default). +# strip_colors: False + +# Backup files that are replaced by file.managed and file.recurse under +# 'cachedir'/file_backups relative to their original location and appended +# with a timestamp. 
The only valid setting is "minion". Disabled by default. +# +# Alternatively this can be specified for each file in state files: +# /etc/ssh/sshd_config: +# file.managed: +# - source: salt://ssh/sshd_config +# - backup: minion +# +#backup_mode: minion + +# When waiting for a master to accept the minion's public key, salt will +# continuously attempt to reconnect until successful. This is the time, in +# seconds, between those reconnection attempts. +#acceptance_wait_time: 10 + +# If this is nonzero, the time between reconnection attempts will increase by +# acceptance_wait_time seconds per iteration, up to this maximum. If this is +# set to zero, the time between reconnection attempts will stay constant. +#acceptance_wait_time_max: 0 + +# If the master rejects the minion's public key, retry instead of exiting. +# Rejected keys will be handled the same as waiting on acceptance. +#rejected_retry: False + +# When the master key changes, the minion will try to re-auth itself to receive +# the new master key. In larger environments this can cause a SYN flood on the +# master because all minions try to re-auth immediately. To prevent this and +# have a minion wait for a random amount of time, use this optional parameter. +# The wait-time will be a random number of seconds between 0 and the defined value. +#random_reauth_delay: 60 + +# When waiting for a master to accept the minion's public key, salt will +# continuously attempt to reconnect until successful. This is the timeout value, +# in seconds, for each individual attempt. After this timeout expires, the minion +# will wait for acceptance_wait_time seconds before trying again. Unless your master +# is under unusually heavy load, this should be left at the default. +#auth_timeout: 60 + +# Number of consecutive SaltReqTimeoutError that are acceptable when trying to +# authenticate. +#auth_tries: 7 + +# If authentication fails due to SaltReqTimeoutError during a ping_interval, +# cause sub minion process to restart. 
+#auth_safemode: False + +# Ping Master to ensure connection is alive (minutes). +#ping_interval: 0 + +# To auto recover minions if master changes IP address (DDNS) +# auth_tries: 10 +# auth_safemode: False +# ping_interval: 90 +# +# Minions won't know master is missing until a ping fails. After the ping fail, +# the minion will attempt authentication and likely fails out and cause a restart. +# When the minion restarts it will resolve the masters IP and attempt to reconnect. + +# If you don't have any problems with syn-floods, don't bother with the +# three recon_* settings described below, just leave the defaults! +# +# The ZeroMQ pull-socket that binds to the masters publishing interface tries +# to reconnect immediately, if the socket is disconnected (for example if +# the master processes are restarted). In large setups this will have all +# minions reconnect immediately which might flood the master (the ZeroMQ-default +# is usually a 100ms delay). To prevent this, these three recon_* settings +# can be used. +# recon_default: the interval in milliseconds that the socket should wait before +# trying to reconnect to the master (1000ms = 1 second) +# +# recon_max: the maximum time a socket should wait. each interval the time to wait +# is calculated by doubling the previous time. if recon_max is reached, +# it starts again at recon_default. Short example: +# +# reconnect 1: the socket will wait 'recon_default' milliseconds +# reconnect 2: 'recon_default' * 2 +# reconnect 3: ('recon_default' * 2) * 2 +# reconnect 4: value from previous interval * 2 +# reconnect 5: value from previous interval * 2 +# reconnect x: if value >= recon_max, it starts again with recon_default +# +# recon_randomize: generate a random wait time on minion start. The wait time will +# be a random value between recon_default and recon_default + +# recon_max. 
Having all minions reconnect with the same recon_default +# and recon_max value kind of defeats the purpose of being able to +# change these settings. If all minions have the same values and your +# setup is quite large (several thousand minions), they will still +# flood the master. The desired behavior is to have timeframe within +# all minions try to reconnect. +# +# Example on how to use these settings. The goal: have all minions reconnect within a +# 60 second timeframe on a disconnect. +# recon_default: 1000 +# recon_max: 59000 +# recon_randomize: True +# +# Each minion will have a randomized reconnect value between 'recon_default' +# and 'recon_default + recon_max', which in this example means between 1000ms +# 60000ms (or between 1 and 60 seconds). The generated random-value will be +# doubled after each attempt to reconnect. Lets say the generated random +# value is 11 seconds (or 11000ms). +# reconnect 1: wait 11 seconds +# reconnect 2: wait 22 seconds +# reconnect 3: wait 33 seconds +# reconnect 4: wait 44 seconds +# reconnect 5: wait 55 seconds +# reconnect 6: wait time is bigger than 60 seconds (recon_default + recon_max) +# reconnect 7: wait 11 seconds +# reconnect 8: wait 22 seconds +# reconnect 9: wait 33 seconds +# reconnect x: etc. +# +# In a setup with ~6000 thousand hosts these settings would average the reconnects +# to about 100 per second and all hosts would be reconnected within 60 seconds. +# recon_default: 100 +# recon_max: 5000 +# recon_randomize: False +# +# +# The loop_interval sets how long in seconds the minion will wait between +# evaluating the scheduler and running cleanup tasks. This defaults to a +# sane 60 seconds, but if the minion scheduler needs to be evaluated more +# often lower this value +#loop_interval: 60 + +# The grains_refresh_every setting allows for a minion to periodically check +# its grains to see if they have changed and, if so, to inform the master +# of the new grains. 
This operation is moderately expensive, therefore +# care should be taken not to set this value too low. +# +# Note: This value is expressed in __minutes__! +# +# A value of 10 minutes is a reasonable default. +# +# If the value is set to zero, this check is disabled. +#grains_refresh_every: 1 + +# Cache grains on the minion. Default is False. +#grains_cache: False + +# Grains cache expiration, in seconds. If the cache file is older than this +# number of seconds then the grains cache will be dumped and fully re-populated +# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' +# is not enabled. +# grains_cache_expiration: 300 + +# Windows platforms lack posix IPC and must rely on slower TCP based inter- +# process communications. Set ipc_mode to 'tcp' on such systems +#ipc_mode: ipc + +# Overwrite the default tcp ports used by the minion when in tcp mode +#tcp_pub_port: 4510 +#tcp_pull_port: 4511 + +# Passing very large events can cause the minion to consume large amounts of +# memory. This value tunes the maximum size of a message allowed onto the +# minion event bus. The value is expressed in bytes. +#max_event_size: 1048576 + +# To detect failed master(s) and fire events on connect/disconnect, set +# master_alive_interval to the number of seconds to poll the masters for +# connection events. +# +#master_alive_interval: 30 + +# The minion can include configuration from other files. To enable this, +# pass a list of paths to this option. The paths can be either relative or +# absolute; if relative, they are considered to be relative to the directory +# the main minion configuration file lives in (this file). Paths can make use +# of shell-style globbing. If no files are matched by a path passed to this +# option then the minion will log a warning message. 
+# +# Include a config file from some other path: +# include: /etc/salt/extra_config +# +# Include config from several files and directories: +#include: +# - /etc/salt/extra_config +# - /etc/roles/webserver +# +# +# +##### Minion module management ##### +########################################## +# Disable specific modules. This allows the admin to limit the level of +# access the master has to the minion. +#disable_modules: [cmd,test] +#disable_returners: [] +# +# Modules can be loaded from arbitrary paths. This enables the easy deployment +# of third party modules. Modules for returners and minions can be loaded. +# Specify a list of extra directories to search for minion modules and +# returners. These paths must be fully qualified! +#module_dirs: [] +#returner_dirs: [] +#states_dirs: [] +#render_dirs: [] +#utils_dirs: [] +# +# A module provider can be statically overwritten or extended for the minion +# via the providers option, in this case the default module will be +# overwritten by the specified module. In this example the pkg module will +# be provided by the yumpkg5 module instead of the system default. +#providers: +# pkg: yumpkg5 +# +# Enable Cython modules searching and loading. (Default: False) +#cython_enable: False +# +# Specify a max size (in bytes) for modules on import. This feature is currently +# only supported on *nix operating systems and requires psutil. +# modules_max_memory: -1 + + +##### State Management Settings ##### +########################################### +# The state management system executes all of the state templates on the minion +# to enable more granular control of system state management. The type of +# template and serialization used for state management needs to be configured +# on the minion, the default renderer is yaml_jinja. 
This is a yaml file +# rendered from a jinja template, the available options are: +# yaml_jinja +# yaml_mako +# yaml_wempy +# json_jinja +# json_mako +# json_wempy +# +#renderer: yaml_jinja +# +# The failhard option tells the minions to stop immediately after the first +# failure detected in the state execution. Defaults to False. +#failhard: False +# +# autoload_dynamic_modules turns on automatic loading of modules found in the +# environments on the master. This is turned on by default. To turn of +# autoloading modules when states run, set this value to False. +#autoload_dynamic_modules: True +# +# clean_dynamic_modules keeps the dynamic modules on the minion in sync with +# the dynamic modules on the master, this means that if a dynamic module is +# not on the master it will be deleted from the minion. By default, this is +# enabled and can be disabled by changing this value to False. +#clean_dynamic_modules: True +# +# Normally, the minion is not isolated to any single environment on the master +# when running states, but the environment can be isolated on the minion side +# by statically setting it. Remember that the recommended way to manage +# environments is to isolate via the top file. +{%- set env="dev" -%} +{%- if pillar['env'] is defined -%} + {%- set env=pillar['env'] -%} +{%- endif %} +environment: {{ env }} +# +# If using the local file directory, then the state top file name needs to be +# defined, by default this is top.sls. +#state_top: top.sls +# +# Run states when the minion daemon starts. 
To enable, set startup_states to: +# 'highstate' -- Execute state.highstate +# 'sls' -- Read in the sls_list option and execute the named sls files +# 'top' -- Read top_file option and execute based on that file on the Master +#startup_states: '' +# +# List of states to run when the minion starts up if startup_states is 'sls': +#sls_list: +# - edit.vim +# - hyper +# +# Top file to execute if startup_states is 'top': +#top_file: '' + +# Automatically aggregate all states that have support for mod_aggregate by +# setting to True. Or pass a list of state module names to automatically +# aggregate just those types. +# +# state_aggregate: +# - pkg +# +#state_aggregate: False + +##### File Directory Settings ##### +########################################## +# The Salt Minion can redirect all file server operations to a local directory, +# this allows for the same state tree that is on the master to be used if +# copied completely onto the minion. This is a literal copy of the settings on +# the master but used to reference a local directory on the minion. + +# Set the file client. The client defaults to looking on the master server for +# files, but can be directed to look at the local file directory setting +# defined below by setting it to local. +#file_client: remote + +# The file directory works on environments passed to the minion, each environment +# can have multiple root directories, the subdirectories in the multiple file +# roots cannot match, otherwise the downloaded files will not be able to be +# reliably ensured. A base environment is required to house the top file. 
+# Example: +# file_roots: +# base: +# - /srv/salt/ +# dev: +# - /srv/salt/dev/services +# - /srv/salt/dev/states +# prod: +# - /srv/salt/prod/services +# - /srv/salt/prod/states +# +#file_roots: +# base: +# - /srv/salt +file_roots: + base: + - /srv/salt/prod/states + prod: + - /srv/salt/prod/states + dev: + - /srv/salt/dev/states + +# By default, the Salt fileserver recurses fully into all defined environments +# to attempt to find files. To limit this behavior so that the fileserver only +# traverses directories with SLS files and special Salt directories like _modules, +# enable the option below. This might be useful for installations where a file root +# has a very large number of files and performance is negatively impacted. Default +# is False. +#fileserver_limit_traversal: False + +# The hash_type is the hash to use when discovering the hash of a file in +# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 +# and sha512 are also supported. +# +# Warning: Prior to changing this value, the minion should be stopped and all +# Salt caches should be cleared. +#hash_type: md5 + +# The Salt pillar is searched for locally if file_client is set to local. If +# this is the case, and pillar data is defined, then the pillar_roots need to +# also be configured on the minion: +#pillar_roots: +# base: +# - /srv/pillar +# +pillar_roots: + base: + - /srv/salt/prod/pillar + prod: + - /srv/salt/prod/pillar + dev: + - /srv/salt/dev/pillar +# +###### Security settings ##### +########################################### +# Enable "open mode", this mode still maintains encryption, but turns off +# authentication, this is only intended for highly secure environments or for +# the situation where your keys end up in a bad state. If you run in open mode +# you do so at your own risk! +#open_mode: False + +# Enable permissive access to the salt keys. 
This allows you to run the +# master or minion as root, but have a non-root group be given access to +# your pki_dir. To make the access explicit, root must belong to the group +# you've given access to. This is potentially quite insecure. +#permissive_pki_access: False + +# The state_verbose and state_output settings can be used to change the way +# state system data is printed to the display. By default all data is printed. +# The state_verbose setting can be set to True or False, when set to False +# all data that has a result of True and no changes will be suppressed. +#state_verbose: True + +# The state_output setting changes if the output is the full multi line +# output for each changed state if set to 'full', but if set to 'terse' +# the output will be shortened to a single line. +state_output: mixed + +# The state_output_diff setting changes whether or not the output from +# successful states is returned. Useful when even the terse output of these +# states is cluttering the logs. Set it to True to ignore them. +#state_output_diff: False + +# Fingerprint of the master public key to double verify the master is valid, +# the master fingerprint can be found by running "salt-key -F master" on the +# salt master. +#master_finger: '' + + +###### Thread settings ##### +########################################### +# Disable multiprocessing support, by default when a minion receives a +# publication a new process is spawned and the command is executed therein. +#multiprocessing: True + + +##### Logging settings ##### +########################################## +# The location of the minion log file +# The minion log can be sent to a regular file, local path name, or network +# location. Remote logging works best when configured to use rsyslogd(8) (e.g.: +# ``file:///dev/log``), with rsyslogd(8) configured for network logging. 
The URI +# format is: ://:/ +#log_file: /var/log/salt/minion +#log_file: file:///dev/log +#log_file: udp://loghost:10514 +# +#log_file: /var/log/salt/minion +#key_logfile: /var/log/salt/key + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# Default: 'warning' +#log_level: warning + +# The level of messages to send to the log file. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# If using 'log_granular_levels' this must be set to the highest desired level. +# Default: 'warning' +#log_level_logfile: + +# The date and time format used in log messages. Allowed date/time formating +# can be seen here: http://docs.python.org/library/time.html#time.strftime +#log_datefmt: '%H:%M:%S' +#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' + +# The format of the console logging messages. Allowed formatting options can +# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +#log_fmt_console: '[%(levelname)-8s] %(message)s' +#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' + +# This can be used to control logging levels more specificically. This +# example sets the main salt library at the 'warning' level, but sets +# 'salt.modules' to log at the 'debug' level: +# log_granular_levels: +# 'salt': 'warning' +# 'salt.modules': 'debug' +# +#log_granular_levels: {} + +# To diagnose issues with minions disconnecting or missing returns, ZeroMQ +# supports the use of monitor sockets # to log connection events. This +# feature requires ZeroMQ 4.0 or higher. +# +# To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a +# debug level or higher. +# +# A sample log event is as follows: +# +# [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512, +# 'value': 27, 'description': 'EVENT_DISCONNECTED'} +# +# All events logged will include the string 'ZeroMQ event'. 
A connection event +# should be logged on the as the minion starts up and initially connects to the +# master. If not, check for debug log level and that the necessary version of +# ZeroMQ is installed. +# +#zmq_monitor: False + +###### Module configuration ##### +########################################### +# Salt allows for modules to be passed arbitrary configuration data, any data +# passed here in valid yaml format will be passed on to the salt minion modules +# for use. It is STRONGLY recommended that a naming convention be used in which +# the module name is followed by a . and then the value. Also, all top level +# data must be applied via the yaml dict construct, some examples: +# +# You can specify that all modules should run in test mode: +#test: True +# +# A simple value for the test module: +#test.foo: foo +# +# A list for the test module: +#test.bar: [baz,quo] +# +# A dict for the test module: +#test.baz: {spam: sausage, cheese: bread} +# +# +###### Update settings ###### +########################################### +# Using the features in Esky, a salt minion can both run as a frozen app and +# be updated on the fly. These options control how the update process +# (saltutil.update()) behaves. +# +# The url for finding and downloading updates. Disabled by default. +#update_url: False +# +# The list of services to restart after a successful update. Empty by default. +#update_restart_services: [] + + +###### Keepalive settings ###### +############################################ +# ZeroMQ now includes support for configuring SO_KEEPALIVE if supported by +# the OS. If connections between the minion and the master pass through +# a state tracking device such as a firewall or VPN gateway, there is +# the risk that it could tear down the connection the master and minion +# without informing either party that their connection has been taken away. +# Enabling TCP Keepalives prevents this from happening. 
+
+# Overall state of TCP Keepalives, enable (1 or True), disable (0 or False)
+# or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled.
+#tcp_keepalive: True
+
+# How long before the first keepalive should be sent in seconds. Default 300
+# to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds
+# on Linux see /proc/sys/net/ipv4/tcp_keepalive_time.
+#tcp_keepalive_idle: 300
+
+# How many lost probes are needed to consider the connection lost. Default -1
+# to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes.
+#tcp_keepalive_cnt: -1
+
+# How often, in seconds, to send keepalives after the first one. Default -1 to
+# use OS defaults, typically 75 seconds on Linux, see
+# /proc/sys/net/ipv4/tcp_keepalive_intvl.
+#tcp_keepalive_intvl: -1
+
+
+###### Windows Software settings ######
+############################################
+# Location of the repository cache file on the master:
+#win_repo_cachefile: 'salt://win/repo/winrepo.p'
+
+
+###### Returner settings ######
+############################################
+# Which returner(s) will be used for minion's result:
+#return: mysql
diff --git a/states/roles/maintain/saltpad/conf.d/saltpad.conf b/states/roles/maintain/saltpad/conf.d/saltpad.conf
new file mode 100755
index 0000000..0739efe
--- /dev/null
+++ b/states/roles/maintain/saltpad/conf.d/saltpad.conf
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ server_name csalt.s.mpp;
+# ssl_certificate /opt/server.crt;
+# ssl_certificate_key /opt/server.key;
+# server_name YOURDNS.EXTENSION;
+# ssl_certificate /etc/pki/tls/certs/wildcard.saltpad.net.crt;
+# ssl_certificate_key /etc/pki/tls/certs/wildcard.saltpad.net.pem;
+
+ location / {
+ proxy_pass http://localhost:8080/;
+# proxy_pass http://localhost:5000/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+}
+
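Review bot: `master: salt.actcur.com` is set while `#master_finger: ''` stays commented out, so the minion trusts whichever master key it is handed on first connection and has no way to tell that it reached the intended master; pinning the fingerprint with `master_finger: '<fingerprint from salt-key -F master>'`, as the file's own comment describes, lets the minion reject a non-matching master. `#hash_type: md5` is also left at its default; `hash_type: sha256` is the safer choice for verifying files fetched from the fileserver, and the comment above it already notes that the minion should be stopped and caches cleared before switching. The templated `environment: {{ env }}` and the `file_roots` / `pillar_roots` blocks are the only other live settings in this 629-line hunk.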
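Review bot: `listen 80;` with every `ssl_certificate*` directive commented out means the saltpad login and session cookies (the proxied app's routes are `@login_required`) cross the network in clear text; change it to `listen 443 ssl;` and re-enable `ssl_certificate` / `ssl_certificate_key` pointing at the real certificate, keeping a separate port-80 server block that only redirects. Since nginx terminates the connection, also add `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing `X-Forwarded-For` header so the app can mark its cookies Secure. The commented `server_name YOURDNS.EXTENSION;` and wildcard.saltpad.net lines look like leftovers from the upstream sample config and can go once the real paths are in place.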
diff --git a/states/roles/maintain/saltpad/init.sls b/states/roles/maintain/saltpad/init.sls
new file mode 100755
index 0000000..9369782
--- /dev/null
+++ b/states/roles/maintain/saltpad/init.sls
@@ -0,0 +1,57 @@
+salt-api:
+ pkg.installed: []
+ service.running:
+ - enable: true
+
+saltpad:
+ service.running:
+ - enable: true
+ - watch:
+ - cmd: "sh /root/salt/scripts/merge.sh"
+
+nginx:
+ service.running:
+ - enable: true
+ - watch:
+ - file: /etc/nginx/conf.d/*
+
+/etc/nginx/conf.d/:
+ file.recurse:
+ - source: salt://roles/maintain/saltpad/conf.d/
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - file_mode: 644
+ - clean: true
+
+/root/salt/scripts/merge.sh:
+ file.managed:
+ - makedirs: true
+ - source: salt://roles/maintain/saltpad/merge.sh
+ - user: root
+ - group: root
+ - mode: 744
+
+/opt/saltpad/saltpad/modules/:
+ file.recurse:
+ - source: salt://roles/maintain/saltpad/modules/
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - file_mode: 644
+ - clean: true
+
+"sh /root/salt/scripts/merge.sh":
+ cmd.wait:
+ - watch:
+ - file: /opt/saltpad/saltpad/modules/*
+ - require:
+ - file: /root/salt/scripts/merge.sh
+
+/opt/saltpad/saltpad/templates/:
+ file.recurse:
+ - source: salt://roles/maintain/saltpad/templates/
+ - user: root
+ - group: root
+ - dir_mode: 755
+ - file_mode: 644
diff --git a/states/roles/maintain/saltpad/merge.sh b/states/roles/maintain/saltpad/merge.sh
new file mode 100755
index 0000000..58cc301
--- /dev/null
+++ b/states/roles/maintain/saltpad/merge.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+cd /opt/saltpad/saltpad/
+cp app.py merged.py
+
+for mod in modules/*.py
+do
+ #insert above root node
+ sed -i "/@app.route(\"\/\")/ {r $mod
+ N}" merged.py
+done
diff --git a/states/roles/maintain/saltpad/modules/firewalld.py b/states/roles/maintain/saltpad/modules/firewalld.py
new file mode 100755
index 0000000..b3f8405
--- /dev/null
+++ b/states/roles/maintain/saltpad/modules/firewalld.py
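Review bot: `/opt/saltpad/saltpad/templates/` is deployed last and nothing watches it, while `saltpad` only restarts when the merge.sh `cmd.wait` fires on `/opt/saltpad/saltpad/modules/*`; unless the app reloads templates at runtime (not determinable here), template updates take effect only at the next unrelated restart, so add `- file: /opt/saltpad/saltpad/templates/*` to the `saltpad` service's `watch` list. `clean: true` on `/etc/nginx/conf.d/` removes every config the salt source does not contain (for example anything the nginx package shipped there); that is a fine way to own the directory, but a one-line comment such as `# conf.d is fully managed here; unmanaged configs are removed` would save the next maintainer a surprise. The `templates` recurse omits `clean: true` unlike the sibling `modules` recurse; if the asymmetry is intentional, say why in a comment.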
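Review bot: `cd /opt/saltpad/saltpad/` is unchecked, so if the directory is missing the script carries on and runs `cp app.py merged.py` and the `sed -i` loop in whatever directory the Salt `cmd.wait` started in; use `cd /opt/saltpad/saltpad/ || exit 1` and add `set -eu` after the shebang so a failed copy or sed also fails the state. The `sed ... {r $mod` expression splices each module in after every line matching `@app.route("/")`, so if that route string ever appears more than once in app.py the modules are inserted twice; a comment like `# assumes exactly one @app.route("/") in app.py` would record the assumption.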
@@ -0,0 +1,48 @@
+import yaml;
+
+@app.route("/firewalld/")
+@login_required
+def firewalld(role):
+ env = "prod"
+ fname = "/srv/salt/" + env + "/pillars/roles/firewalld/" + role + ".sls"
+ if (os.path.exists(fname)):
+ firewalld = import_yaml(fname)
+ print(firewalld)
+ else:
+ firewalld = "{'firewalld':{}}"
+ return render_template('firewalld_edit.html', firewalld=firewalld,role=role, is_mnt=is_role_maintainer(role))
+
+@app.route("/firewalld_save/",methods=['POST'])
+@login_required
+def firewalld_save(role):
+ if is_role_maintainer(role):
+ env = "prod"
+ data=request.get_json()
+ print(data)
+ y = yaml.safe_dump(data,default_flow_style=False, indent=2)
+ # fix weird quirk - when not using default_flow_style, "-" lines aren't indented properly
+ y = y.replace("-"," -")
+ print(y)
+ fname = "/srv/salt/" + env + "/pillars/roles/firewalld/" + role + ".sls"
+ f = open(fname,"w")
+ f.write(y)
+ return redirect("/firewalld/" + role,302)
+
+#remove everything prior to the last "/" and then everything after the first "." in the name to ensure name isn't malicious
+def cleanse_name(name):
+ name = re.sub('^.*/','',name)#remove everything up to and including final /
+ name = re.sub('^\.*','',name)#remove any .s at start of name that remain
+ print(name)
+ name = re.sub('\.*$','',name)#remove everything after and including first .
+ print(name)
+ return name
+
+def import_yaml(fname):
+ y = {}
+ if os.path.exists(fname):
+ f = open(fname,"r")
+ lines = f.read()
+ f.close()
+ y = yaml.load(lines)
+ return y
+
diff --git a/states/roles/maintain/saltpad/modules/roles.py b/states/roles/maintain/saltpad/modules/roles.py
new file mode 100755
index 0000000..a784474
--- /dev/null
+++ b/states/roles/maintain/saltpad/modules/roles.py
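Review bot: `cleanse_name` is defined but never called; both `firewalld` and `firewalld_save` splice `role` from the URL straight into `fname = "/srv/salt/" + env + "/pillars/roles/firewalld/" + role + ".sls"`, so the file that is read (and, for a maintainer, written) is chosen by the request path without the sanitising the comment above `cleanse_name` promises — call `role = cleanse_name(role)` first in each handler, and ideally also check the result against the known role names. `import_yaml` uses `yaml.load(lines)` with no Loader, which in PyYAML can instantiate arbitrary Python objects from the file; `y = yaml.safe_load(lines)` is the counterpart of the `yaml.safe_dump` already used in `firewalld_save`. `firewalld_save` returns nothing when `is_role_maintainer(role)` is false, which Flask reports as a 500 rather than a 403, and `f = open(fname,"w")` is never closed; an `else:` branch calling Flask's `abort(403)` and `with open(fname, "w") as f:` fix both. The route strings `"/firewalld/"` and `"/firewalld_save/"` take a `role` argument but show no `<role>` converter, which may be a rendering loss rather than a defect in the file.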
@@ -0,0 +1,187 @@ +import os + +@app.route("/roles") +@login_required +def roles(): + env = "prod" + host = os.uname()[1] + roles = client.run("pillar.items",client="local", tgt=host)[host]["roles"] + print(roles) + #add servers that have each role + dname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + for role in roles: + roles[role]["servers"]=[] + for fname in os.listdir(dname): + f = open(dname+fname,"r") + lines = f.readlines() + f.close() + sname = os.path.splitext(fname)[0] + print(sname) + for line in lines: + role = line.replace("-","").replace("\n","").strip() + if role != "roles:" and role != "grains:": + roles[role]["servers"].append(sname) + print(roles) + + usr = session.get('username') + from subprocess import check_output + grpstr = check_output(["groups", usr]) + groups = grpstr.split(" : ")[1].split() + maintainers = [usr] + for grp in groups: + maintainers.append("%"+grp+"%") + print(maintainers) + return render_template('roles.html', roles=roles, mnts=maintainers) + +@app.route("/role_add/") +@login_required +def role_add(role): + env = "prod" + #we need to create a file at pillars/maintainer/roles/[role].sls for this page. it should have the current user as initial maintainer + #Only do if file doesn't already exist + fname = "/srv/salt/" + env + "/pillars/roles/maintainer/" + role + ".sls" + if not (os.path.exists(fname)): + f = open(fname,"w") + f.write("roles:\n") + f.write(" "+role+":\n") + f.write(" maintainer:\n") + user = session.get('username') + f.write(" - "+user+"\n") + f.close() + #We need to add role to pillars/maintainer/roles/init.sls + fname = "/srv/salt/" + env + "/pillars/roles/maintainer/init.sls" + if (os.path.exists(fname)): + f = open(fname,"a") + f.write(" - roles.maintainer." 
+ role + "\n") + f.close() + return redirect("/roles",302) + +@app.route("/role_del/") +@login_required +def role_del(role): + if is_role_maintainer(role): + env = "prod" + #We need to remove role from pillars/maintainer/roles/init.sls + fname = "/srv/salt/" + env + "/pillars/roles/maintainer/init.sls" + if (os.path.exists(fname)): + f = open(fname,"r") + lines = f.readlines() + f.close() + f = open(fname,"w") + for line in lines: + if line != " - roles.maintainer." + role + "\n": + f.write(line) + f.close() + #we need to remove maintainer file for the role if it exists + fname = "/srv/salt/" + env + "/pillars/roles/maintainer/" + role + ".sls" + if (os.path.exists(fname)): + os.remove(fname) + #We need to remove references to the role next + dname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + for fname in os.listdir(dname): + f = open(dname+fname,"r") + lines = f.readlines() + f.close() + f = open(dname+fname,"w") + for line in lines: + if line != " - " + role + "\n": + f.write(line) + f.close() + return redirect("/roles",302) + +@app.route("/role/") +@login_required +def role_display(role): + #build json object + env = "prod" + rjson = {} + dname = "/srv/salt/" + env + "/pillars/roles/" + for folder in os.listdir(dname): + print(folder) + if os.path.isdir(dname + folder): + #grab matching file + fname = dname + folder + "/" + role + ".sls" + rjson[folder]=[] + if os.path.exists(fname): + f = open(fname,"r") + lines = f.readlines() + f.close() + for line in lines: + #add maintainers + if folder == "maintainer": + item = line.replace("-","").replace("\n","").strip() + if item != "roles:" and item != role+":" and item != "maintainer:": + rjson[folder].append(item) + else: + #add everything else + line=line.rstrip() + rjson[folder].append(line) + dname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + rjson["servers"]=[] + for fname in os.listdir(dname): + f = open(dname+fname,"r") + lines = f.readlines() + f.close() + sname = 
os.path.splitext(fname)[0] + print(sname) + for line in lines: + thisrole = line.replace("-","").replace("\n","").strip() + if role == thisrole: + rjson["servers"].append(sname) + rjson["name"] = role + print(rjson) + return render_template('role_display.html', rjson=rjson, is_mnt=is_role_maintainer(rjson["name"])) + +@app.route("/role_add_server//") +@login_required +def role_add_server(role, server): + if is_server_maintainer(server): + env = "prod" + #We need to add role to pillars/servers/roles/server/.sls + fname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + server + ".sls" + print(fname) + print(server) + print(role) + if (os.path.exists(fname)): + f = open(fname,"a") + f.write(" - " + role + "\n") + f.close() + return redirect("/role/" + role,302) + +@app.route("/role_rem_server//") +@login_required +def role_rem_server(role, server): + if is_server_maintainer(server): + env = "prod" + #We need to remove role from pillars/servers/roles/server/.sls + fname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + server + ".sls" + print(fname) + print(server) + print(role) + if (os.path.exists(fname)): + f = open(fname,"r") + lines = f.readlines() + f.close() + f = open(fname,"w") + for line in lines: + if line != " - " + role + "\n": + f.write(line) + f.close() + return redirect("/role/" + role,302) + +def is_role_maintainer(role): + host = os.uname()[1] + maintainers = client.run("pillar.items",client="local", tgt=host)[host]["roles"][role]["maintainer"] + usr = session.get('username') + from subprocess import check_output + grpstr = check_output(["groups", usr]) + groups = grpstr.split(" : ")[1].split() + is_maintainer = False + if usr in maintainers: + is_maintainer = True + else: + for grp in groups: + if "%"+grp+"%" in maintainers: + is_maintainer = True + break + return is_maintainer diff --git a/states/roles/maintain/saltpad/modules/servers.py b/states/roles/maintain/saltpad/modules/servers.py new file mode 100755 index 0000000..65b5a9e 
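Review bot: `role_add()` appends `- roles.maintainer.<role>` to init.sls unconditionally whenever init.sls exists, so repeated requests for a role whose per-role file already exists (and is therefore skipped) produce duplicate include lines; move the append inside the `if not (os.path.exists(fname))` block or check that the line is not already present. In `roles()` the inner `for line in lines` loop rebinds the outer `role` name and then does `roles[role]["servers"].append(sname)`, which raises KeyError for any role listed in a server file but absent from the pillar; guard it with `if role in roles:`. `is_role_maintainer()` passes `session.get('username')` straight to `check_output(["groups", usr])`, so a missing session key becomes a TypeError from subprocess rather than a clean "not a maintainer" result; return False early when `usr` is None.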
--- /dev/null +++ b/states/roles/maintain/saltpad/modules/servers.py 
@@ -0,0 +1,121 @@ +@app.route("/servers") +@login_required +def servers(): + env = "prod" + host = os.uname()[1] + accepted = client.run('key.list_all', client='wheel')['data']['return']['minions'] + print(accepted) + #add maintainers for each server + dname = "/srv/salt/" + env + "/pillars/servers/maintainer/server/" + servers={} + for server in accepted: + servers[server]={} + servers[server]["maintainer"]=[] + servers[server]["roles"]=[] + print(servers) + for fname in os.listdir(dname): + f = open(dname+fname,"r") + lines = f.readlines() + f.close() + sname = os.path.splitext(fname)[0] + print(sname) + for line in lines: + maintainer = line.replace("-","").replace("\n","").strip() + if maintainer != "maintainer:": + servers[sname]["maintainer"].append(maintainer) + #add roles for each server + dname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + for fname in os.listdir(dname): + f = open(dname+fname,"r") + lines = f.readlines() + f.close() + sname = os.path.splitext(fname)[0] + print(sname) + for line in lines: + role = line.replace("-","").replace("\n","").strip() + if role != "roles:" and role != "grains:": + servers[sname]["roles"].append(role) + print(servers) + return render_template('servers.html', servers=servers) + +@app.route("/servers/") +@login_required +def server_display(server): + env = "prod" + host = os.uname()[1] + aroles = client.run("pillar.items",client="local", tgt=host)[host]["roles"] + sroles=[] + dname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + fname = server + ".sls" + f = open(dname+fname,"r") + lines = f.readlines() + f.close() + for line in lines: + role = line.replace("-","").replace("\n","").strip() + if role != "roles:" and role != "grains:": + sroles.append(role) + del aroles[role] + return render_template('server_display.html', server=server, aroles=aroles, sroles=sroles,is_mnt=is_server_maintainer(server)) + +@app.route("/server_add_role//") +@login_required +def server_add_role(server, role): + if 
is_server_maintainer(server): + env = "prod" + #We need to add role to pillars/servers/roles/server/.sls + fname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + server + ".sls" + print(fname) + print(server) + print(role) + if (os.path.exists(fname)): + f = open(fname,"a") + f.write(" - " + role + "\n") + f.close() + return redirect("/servers/" + server,302) + +@app.route("/server_rem_role//") +@login_required +def server_rem_role(server, role): + if is_server_maintainer(server): + env = "prod" + #We need to remove role from pillars/servers/roles/server/.sls + fname = "/srv/salt/" + env + "/pillars/servers/roles/server/" + server + ".sls" + print(fname) + print(server) + print(role) + if (os.path.exists(fname)): + f = open(fname,"r") + lines = f.readlines() + f.close() + f = open(fname,"w") + for line in lines: + if line != " - " + role + "\n": + f.write(line) + f.close() + return redirect("/servers/" + server,302) + +def is_server_maintainer(server): + env = "prod" + fname = "/srv/salt/" + env + "/pillars/servers/maintainer/server/"+server+".sls" + f = open(fname,"r") + lines = f.readlines() + f.close() + maintainers = [] + for line in lines: + maintainer = line.replace("-","").replace("\n","").strip() + if maintainer != "maintainer:": + maintainers.append(maintainer) + usr = session.get('username') + from subprocess import check_output + grpstr = check_output(["groups", usr]) + groups = grpstr.split(" : ")[1].split() + is_maintainer = False + if usr in maintainers: + is_maintainer = True + else: + for grp in groups: + if "%"+grp+"%" in maintainers: + is_maintainer = True + break + return is_maintainer + diff --git a/states/roles/maintain/saltpad/templates/base.html b/states/roles/maintain/saltpad/templates/base.html new file mode 100755 index 0000000..28d2fe7 --- /dev/null +++ b/states/roles/maintain/saltpad/templates/base.html 
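Review bot: `server_display()` and `is_server_maintainer()` open `<server>.sls` with no `os.path.exists` guard, unlike the write paths in this file, so a request for an unknown server ends in an unhandled IOError instead of a 404. In `server_display()` `del aroles[role]` raises KeyError when a server file lists a role that is not in the pillar; `aroles.pop(role, None)` tolerates that. `servers()` indexes `servers[sname]` for every file under the maintainer and roles directories, which fails for any file whose stem is not an accepted minion key; skip such files with `if sname not in servers: continue`.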
@@ -0,0 +1,49 @@ + + + + + + + + + Dashboard - SaltPad + + + + + + + + + + + + + {% block head %} + {% endblock %} + + + + + {% block body %} + {% endblock %} + + + + + + + + + + + + + + {% block scripts %} + {% endblock %} + + + diff --git a/states/roles/maintain/saltpad/templates/base_logged.html b/states/roles/maintain/saltpad/templates/base_logged.html new file mode 100755 index 0000000..d863218 --- /dev/null +++ b/states/roles/maintain/saltpad/templates/base_logged.html @@ -0,0 +1,137 @@ +{% extends "base.html" %} +{% from "macros.jinja" import print_flash_messages %} +{% block body %} + +
+ + + + +
+ + {{ print_flash_messages()|safe }} + + {% block page %} + {% endblock %} + +
+ +
+ +{% endblock %} diff --git a/states/roles/maintain/saltpad/templates/firewalld_edit.html b/states/roles/maintain/saltpad/templates/firewalld_edit.html new file mode 100755 index 0000000..f494195 --- /dev/null +++ b/states/roles/maintain/saltpad/templates/firewalld_edit.html @@ -0,0 +1,359 @@ +{% extends "base_logged.html" %} +{% block head %} + +{% endblock %} +{% block page %} +
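Review bot: `{{ print_flash_messages()|safe }}` disables autoescaping for whatever the macro returns, and the macro (macros.jinja) is not part of this commit, so it is not visible whether it escapes message text itself. If flash messages ever include request-derived strings such as role or server names, this is where they would reach the page unescaped; either have the macro escape the text (`{{ message|e }}`) or drop `|safe` here. The hunk's markup has been stripped by the page rendering, so only the template directives are reviewable.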
+ +
+
+

Module Firewalld

+ +
+
+ +{{firewalld["firewalld"].update(base_zone={})}} +
+
+ +
+ + + + {% for zone in firewalld["firewalld"] %} +
+ +
+
+ + + + + + + + + {% if firewalld["firewalld"][zone] is defined %} + {% for source in firewalld["firewalld"][zone]["source"] %} + + + + + {% endfor %} + {% endif %} + +
SourceRemove
{{ source }}
+
+
+ + +
+
+ + +
+
+ + + + + + + + + {% if firewalld["firewalld"][zone] is defined %} + {% for service in firewalld["firewalld"][zone]["service"] %} + + + + + {% endfor %} + {% endif %} + +
ServiceRemove
{{ service }}
+
+
+ + +
+
+ + +
+
+ + + + + + + + + {% if firewalld["firewalld"][zone] is defined %} + {% for source in firewalld["firewalld"][zone]["port"] %} + + + + + {% endfor %} + {% endif %} + +
PortRemove
{{ port }}
+
+
+ + +
+
+ +
+

Custom Rules


+
+ + + + + + + + + + + + {% if firewalld["firewalld"][zone] is defined %} + {% for rule in firewalld["firewalld"][zone]["rule"] %} + + + + + + + + {% endfor %} + {% endif %} + +
NameSourcePortActionRemove
{{ rule }}{{ firewalld["firewalld"][zone]["rule"][rule]["source"] }}{{ firewalld["firewalld"][zone]["rule"][rule]["port"] }}{{ firewalld["firewalld"][zone]["rule"][rule]["action"] }}
+
+
+ Name: + Source: + Port: + Action: + +
+
+ + +
+

Include

+

include data from other zones to avoid rewriting it

+
+ + + + + + + + + {% if firewalld["firewalld"][zone] is defined %} + {% for include in firewalld["firewalld"][zone]["include"] %} + + + + + {% endfor %} + {% endif %} + +
ZoneRemove
{{ include }}
+
+
+ + +
+
+
+{% endfor %} + +
+{% endblock %} + +{% block scripts %} + +{% endblock %} \ No newline at end of file diff --git a/states/roles/maintain/saltpad/templates/mods.html b/states/roles/maintain/saltpad/templates/mods.html new file mode 100755 index 0000000..b254e5b --- /dev/null +++ b/states/roles/maintain/saltpad/templates/mods.html @@ -0,0 +1,2 @@ +
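Review bot: The port table iterates `{% for source in firewalld["firewalld"][zone]["port"] %}` but renders `{{ port }}`, which is undefined inside that loop and prints as an empty string, so the Port column is always blank; rename the loop variable to `port`. `{{firewalld["firewalld"].update(base_zone={})}}` mutates the view data from inside the template and renders the literal `None` into the page; build the `base_zone` entry in the `firewalld()` handler instead. The rest of the hunk's markup has been stripped by the page rendering, so only the template directives could be checked.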
  • Roles
  • +
  • Servers
  • \ No newline at end of file diff --git a/states/roles/maintain/saltpad/templates/role_display.html b/states/roles/maintain/saltpad/templates/role_display.html new file mode 100755 index 0000000..fad6ad2 --- /dev/null +++ b/states/roles/maintain/saltpad/templates/role_display.html @@ -0,0 +1,136 @@ +{% extends "base_logged.html" %} +{% block page %} +
    + +
    +
    +

    Module Roles

    + +
    +
    + +
    +
    +

    Maintainers

    +
    + + + + + {% if is_mnt %} + + {% endif %} + + + + {% for maintainer in rjson["maintainer"] %} + + + + + {% endfor %} + +
    MaintainerRemove
    {{ maintainer }} + {% if is_mnt %} + + {% endif %} +
    +
    +
    + {% if is_mnt%} + + + {% endif %} +
    +
    +
    +

    Servers

    +
    + + + + + {% if is_mnt %} + + {% endif %} + + + + {% for server in rjson["servers"] %} + + + + + {% endfor %} + +
    ServerRemove
    {{ server }} + {% if is_mnt %} + + {% endif %} +
    +
    +
    + {% if is_mnt %} + + + {% endif %} +
    +
    + +{% for category in rjson %} + {% if category != "maintainer" and category != "servers" and category != "name" %} +
    +

    {{ category }}

    +
    + + + + + + + + + +
    {{ category }}
    +
    {% for line in rjson[category] %}
    +{{ line }}{% endfor %}
    +
    +
    + +
    + {% endif %} +{% endfor %} + + +
    +
    +{% endblock %} + +{% block scripts %} + +{% endblock %} diff --git a/states/roles/maintain/saltpad/templates/roles.html b/states/roles/maintain/saltpad/templates/roles.html new file mode 100755 index 0000000..6ef7341 --- /dev/null +++ b/states/roles/maintain/saltpad/templates/roles.html @@ -0,0 +1,92 @@ +{% extends "base_logged.html" %} +{% block page %} +
    + +
    +
    +

    Modules Roles

    + +
    +
    + +
    +
    +

    Roles

    +
    + + + + + + + + + + + {% for role in roles %} + + + + + + + {% endfor %} + +
    RoleMaintainersServersDelete
    {{ role }} + {% for maintainer in roles[role]["maintainer"] %} + {{ maintainer }}
    + {% endfor %} +
    + {% for server in roles[role]["servers"] %} + {{ server }}
    + {% endfor %} +
    + {% for maintainer in roles[role]["maintainer"] %} + {% if maintainer in mnts %} + + {% endif %} + {% endfor %} +
    +
    +
    + + +
    +
    +
    +
    +{% endblock %} + +{% block scripts %} + +{% endblock %} \ No newline at end of file diff --git a/states/roles/maintain/saltpad/templates/server_display.html b/states/roles/maintain/saltpad/templates/server_display.html new file mode 100755 index 0000000..ae8718b --- /dev/null +++ b/states/roles/maintain/saltpad/templates/server_display.html @@ -0,0 +1,74 @@ +{% extends "base_logged.html" %} +{% block page %} +
    + +
    +
    +

    Modules Servers

    + +
    +
    + +
    +
    + {% if not is_mnt %} +

    Note: Server is maintained by someone else

    + {% endif %} +

    Server Roles

    +
    + + + + + {% if is_mnt %} + + {% endif %} + + + + {% for role in sroles %} + + + + + {% endfor %} + +
    RolesRemove
    {{ role }} + {% if is_mnt %} + + {% endif %} +
    +
    + {% if is_mnt %} +
    + + +
    + {% endif %} +
    +
    +
    +{% endblock %} + +{% block scripts %} + +{% endblock %} \ No newline at end of file diff --git a/states/roles/maintain/saltpad/templates/servers.html b/states/roles/maintain/saltpad/templates/servers.html new file mode 100755 index 0000000..d37bf92 --- /dev/null +++ b/states/roles/maintain/saltpad/templates/servers.html @@ -0,0 +1,49 @@ +{% extends "base_logged.html" %} +{% block page %} +
    + +
    +
    +

    Modules Servers

    + +
    +
    + +
    +
    +

    Servers

    +
    + + + + + + + + + + {% for server in servers %} + + + + + + {% endfor %} + +
    ServerMaintainersRoles
    {{ server }} + {% for maintainer in servers[server]["maintainer"] %} + {{ maintainer }}
    + {% endfor %} +
    + {% for role in servers[server]["roles"] %} + {{ role }}
    + {% endfor %} +
    +
    +
    +
    +
    +{% endblock %} \ No newline at end of file diff --git a/states/roles/maintain/saltpad/templates/yaml.js b/states/roles/maintain/saltpad/templates/yaml.js new file mode 100755 index 0000000..981455c --- /dev/null +++ b/states/roles/maintain/saltpad/templates/yaml.js 
@@ -0,0 +1,1866 @@ +(function e(t,n,r){function s(o,u){if(!n[o]){if(!t[o]){var a=typeof require=="function"&&require;if(!u&&a)return a(o,!0);if(i)return i(o,!0);var f=new Error("Cannot find module '"+o+"'");throw f.code="MODULE_NOT_FOUND",f}var l=n[o]={exports:{}};t[o][0].call(l.exports,function(e){var n=t[o][1][e];return s(n?n:e)},l,l.exports,e,t,n,r)}return n[o].exports}var i=typeof require=="function"&&require;for(var o=0;o ref; i = 0 <= ref ? ++j : --j) { + mapping[Escaper.LIST_ESCAPEES[i]] = Escaper.LIST_ESCAPED[i]; + } + return mapping; + })(); + + Escaper.PATTERN_CHARACTERS_TO_ESCAPE = new Pattern('[\\x00-\\x1f]|\xc2\x85|\xc2\xa0|\xe2\x80\xa8|\xe2\x80\xa9'); + + Escaper.PATTERN_MAPPING_ESCAPEES = new Pattern(Escaper.LIST_ESCAPEES.join('|')); + + Escaper.PATTERN_SINGLE_QUOTING = new Pattern('[\\s\'":{}[\\],&*#?]|^[-?|<>=!%@`]'); + + Escaper.requiresDoubleQuoting = function(value) { + return this.PATTERN_CHARACTERS_TO_ESCAPE.test(value); + }; + + Escaper.escapeWithDoubleQuotes = function(value) { + var result; + result = this.PATTERN_MAPPING_ESCAPEES.replace(value, (function(_this) { + return function(str) { + return _this.MAPPING_ESCAPEES_TO_ESCAPED[str]; + }; + })(this)); + return '"' + result + '"'; + }; + + Escaper.requiresSingleQuoting = function(value) { + return this.PATTERN_SINGLE_QUOTING.test(value); + }; + + Escaper.escapeWithSingleQuotes = function(value) { + return "'" + value.replace(/'/g, "''") + "'"; + }; + + return Escaper; + +})(); + +module.exports = Escaper; + + + +},{"./Pattern":7}],3:[function(require,module,exports){ +var DumpException, + extend = function(child, parent) { for (var key in parent) { if (hasProp.call(parent, key)) child[key] = parent[key]; } function ctor() { this.constructor = child; } ctor.prototype = parent.prototype; child.prototype = new ctor(); child.__super__ = parent.prototype; return child; }, + hasProp = {}.hasOwnProperty; + +DumpException = (function(superClass) { + extend(DumpException, superClass); + + function 
DumpException(message, parsedLine, snippet) { + this.message = message; + this.parsedLine = parsedLine; + this.snippet = snippet; + } + + DumpException.prototype.toString = function() { + if ((this.parsedLine != null) && (this.snippet != null)) { + return ' ' + this.message + ' (line ' + this.parsedLine + ': \'' + this.snippet + '\')'; + } else { + return ' ' + this.message; + } + }; + + return DumpException; + +})(Error); + +module.exports = DumpException; + + + +},{}],4:[function(require,module,exports){ +var ParseException, + extend = function(child, parent) { for (var key in parent) { if (hasProp.call(parent, key)) child[key] = parent[key]; } function ctor() { this.constructor = child; } ctor.prototype = parent.prototype; child.prototype = new ctor(); child.__super__ = parent.prototype; return child; }, + hasProp = {}.hasOwnProperty; + +ParseException = (function(superClass) { + extend(ParseException, superClass); + + function ParseException(message, parsedLine, snippet) { + this.message = message; + this.parsedLine = parsedLine; + this.snippet = snippet; + } + + ParseException.prototype.toString = function() { + if ((this.parsedLine != null) && (this.snippet != null)) { + return ' ' + this.message + ' (line ' + this.parsedLine + ': \'' + this.snippet + '\')'; + } else { + return ' ' + this.message; + } + }; + + return ParseException; + +})(Error); + +module.exports = ParseException; + + + +},{}],5:[function(require,module,exports){ +var DumpException, Escaper, Inline, ParseException, Pattern, Unescaper, Utils, + indexOf = [].indexOf || function(item) { for (var i = 0, l = this.length; i < l; i++) { if (i in this && this[i] === item) return i; } return -1; }; + +Pattern = require('./Pattern'); + +Unescaper = require('./Unescaper'); + +Escaper = require('./Escaper'); + +Utils = require('./Utils'); + +ParseException = require('./Exception/ParseException'); + +DumpException = require('./Exception/DumpException'); + +Inline = (function() { + function Inline() {} + 
+ Inline.REGEX_QUOTED_STRING = '(?:"(?:[^"\\\\]*(?:\\\\.[^"\\\\]*)*)"|\'(?:[^\']*(?:\'\'[^\']*)*)\')'; + + Inline.PATTERN_TRAILING_COMMENTS = new Pattern('^\\s*#.*$'); + + Inline.PATTERN_QUOTED_SCALAR = new Pattern('^' + Inline.REGEX_QUOTED_STRING); + + Inline.PATTERN_THOUSAND_NUMERIC_SCALAR = new Pattern('^(-|\\+)?[0-9,]+(\\.[0-9]+)?$'); + + Inline.PATTERN_SCALAR_BY_DELIMITERS = {}; + + Inline.settings = {}; + + Inline.configure = function(exceptionOnInvalidType, objectDecoder) { + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = null; + } + if (objectDecoder == null) { + objectDecoder = null; + } + this.settings.exceptionOnInvalidType = exceptionOnInvalidType; + this.settings.objectDecoder = objectDecoder; + }; + + Inline.parse = function(value, exceptionOnInvalidType, objectDecoder) { + var context, result; + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = false; + } + if (objectDecoder == null) { + objectDecoder = null; + } + this.settings.exceptionOnInvalidType = exceptionOnInvalidType; + this.settings.objectDecoder = objectDecoder; + if (value == null) { + return ''; + } + value = Utils.trim(value); + if (0 === value.length) { + return ''; + } + context = { + exceptionOnInvalidType: exceptionOnInvalidType, + objectDecoder: objectDecoder, + i: 0 + }; + switch (value.charAt(0)) { + case '[': + result = this.parseSequence(value, context); + ++context.i; + break; + case '{': + result = this.parseMapping(value, context); + ++context.i; + break; + default: + result = this.parseScalar(value, null, ['"', "'"], context); + } + if (this.PATTERN_TRAILING_COMMENTS.replace(value.slice(context.i), '') !== '') { + throw new ParseException('Unexpected characters near "' + value.slice(context.i) + '".'); + } + return result; + }; + + Inline.dump = function(value, exceptionOnInvalidType, objectEncoder) { + var ref, result, type; + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = false; + } + if (objectEncoder == null) { + 
objectEncoder = null; + } + if (value == null) { + return 'null'; + } + type = typeof value; + if (type === 'object') { + if (value instanceof Date) { + return value.toISOString(); + } else if (objectEncoder != null) { + result = objectEncoder(value); + if (typeof result === 'string' || (result != null)) { + return result; + } + } + return this.dumpObject(value); + } + if (type === 'boolean') { + return (value ? 'true' : 'false'); + } + if (Utils.isDigits(value)) { + return (type === 'string' ? "'" + value + "'" : String(parseInt(value))); + } + if (Utils.isNumeric(value)) { + return (type === 'string' ? "'" + value + "'" : String(parseFloat(value))); + } + if (type === 'number') { + return (value === Infinity ? '.Inf' : (value === -Infinity ? '-.Inf' : (isNaN(value) ? '.NaN' : value))); + } + if (Escaper.requiresDoubleQuoting(value)) { + return Escaper.escapeWithDoubleQuotes(value); + } + if (Escaper.requiresSingleQuoting(value)) { + return Escaper.escapeWithSingleQuotes(value); + } + if ('' === value) { + return '""'; + } + if (Utils.PATTERN_DATE.test(value)) { + return "'" + value + "'"; + } + if ((ref = value.toLowerCase()) === 'null' || ref === '~' || ref === 'true' || ref === 'false') { + return "'" + value + "'"; + } + return value; + }; + + Inline.dumpObject = function(value, exceptionOnInvalidType, objectSupport) { + var j, key, len1, output, val; + if (objectSupport == null) { + objectSupport = null; + } + if (value instanceof Array) { + output = []; + for (j = 0, len1 = value.length; j < len1; j++) { + val = value[j]; + output.push(this.dump(val)); + } + return '[' + output.join(', ') + ']'; + } else { + output = []; + for (key in value) { + val = value[key]; + output.push(this.dump(key) + ': ' + this.dump(val)); + } + return '{' + output.join(', ') + '}'; + } + }; + + Inline.parseScalar = function(scalar, delimiters, stringDelimiters, context, evaluate) { + var i, joinedDelimiters, match, output, pattern, ref, ref1, strpos, tmp; + if (delimiters == 
null) { + delimiters = null; + } + if (stringDelimiters == null) { + stringDelimiters = ['"', "'"]; + } + if (context == null) { + context = null; + } + if (evaluate == null) { + evaluate = true; + } + if (context == null) { + context = { + exceptionOnInvalidType: this.settings.exceptionOnInvalidType, + objectDecoder: this.settings.objectDecoder, + i: 0 + }; + } + i = context.i; + if (ref = scalar.charAt(i), indexOf.call(stringDelimiters, ref) >= 0) { + output = this.parseQuotedScalar(scalar, context); + i = context.i; + if (delimiters != null) { + tmp = Utils.ltrim(scalar.slice(i), ' '); + if (!(ref1 = tmp.charAt(0), indexOf.call(delimiters, ref1) >= 0)) { + throw new ParseException('Unexpected characters (' + scalar.slice(i) + ').'); + } + } + } else { + if (!delimiters) { + output = scalar.slice(i); + i += output.length; + strpos = output.indexOf(' #'); + if (strpos !== -1) { + output = Utils.rtrim(output.slice(0, strpos)); + } + } else { + joinedDelimiters = delimiters.join('|'); + pattern = this.PATTERN_SCALAR_BY_DELIMITERS[joinedDelimiters]; + if (pattern == null) { + pattern = new Pattern('^(.+?)(' + joinedDelimiters + ')'); + this.PATTERN_SCALAR_BY_DELIMITERS[joinedDelimiters] = pattern; + } + if (match = pattern.exec(scalar.slice(i))) { + output = match[1]; + i += output.length; + } else { + throw new ParseException('Malformed inline YAML string (' + scalar + ').'); + } + } + if (evaluate) { + output = this.evaluateScalar(output, context); + } + } + context.i = i; + return output; + }; + + Inline.parseQuotedScalar = function(scalar, context) { + var i, match, output; + i = context.i; + if (!(match = this.PATTERN_QUOTED_SCALAR.exec(scalar.slice(i)))) { + throw new ParseException('Malformed inline YAML string (' + scalar.slice(i) + ').'); + } + output = match[0].substr(1, match[0].length - 2); + if ('"' === scalar.charAt(i)) { + output = Unescaper.unescapeDoubleQuotedString(output); + } else { + output = Unescaper.unescapeSingleQuotedString(output); + } + i 
+= match[0].length; + context.i = i; + return output; + }; + + Inline.parseSequence = function(sequence, context) { + var e, i, isQuoted, len, output, ref, value; + output = []; + len = sequence.length; + i = context.i; + i += 1; + while (i < len) { + context.i = i; + switch (sequence.charAt(i)) { + case '[': + output.push(this.parseSequence(sequence, context)); + i = context.i; + break; + case '{': + output.push(this.parseMapping(sequence, context)); + i = context.i; + break; + case ']': + return output; + case ',': + case ' ': + case "\n": + break; + default: + isQuoted = ((ref = sequence.charAt(i)) === '"' || ref === "'"); + value = this.parseScalar(sequence, [',', ']'], ['"', "'"], context); + i = context.i; + if (!isQuoted && typeof value === 'string' && (value.indexOf(': ') !== -1 || value.indexOf(":\n") !== -1)) { + try { + value = this.parseMapping('{' + value + '}'); + } catch (_error) { + e = _error; + } + } + output.push(value); + --i; + } + ++i; + } + throw new ParseException('Malformed inline YAML string ' + sequence); + }; + + Inline.parseMapping = function(mapping, context) { + var done, i, key, len, output, shouldContinueWhileLoop, value; + output = {}; + len = mapping.length; + i = context.i; + i += 1; + shouldContinueWhileLoop = false; + while (i < len) { + context.i = i; + switch (mapping.charAt(i)) { + case ' ': + case ',': + case "\n": + ++i; + context.i = i; + shouldContinueWhileLoop = true; + break; + case '}': + return output; + } + if (shouldContinueWhileLoop) { + shouldContinueWhileLoop = false; + continue; + } + key = this.parseScalar(mapping, [':', ' ', "\n"], ['"', "'"], context, false); + i = context.i; + done = false; + while (i < len) { + context.i = i; + switch (mapping.charAt(i)) { + case '[': + value = this.parseSequence(mapping, context); + i = context.i; + if (output[key] === void 0) { + output[key] = value; + } + done = true; + break; + case '{': + value = this.parseMapping(mapping, context); + i = context.i; + if (output[key] 
=== void 0) { + output[key] = value; + } + done = true; + break; + case ':': + case ' ': + case "\n": + break; + default: + value = this.parseScalar(mapping, [',', '}'], ['"', "'"], context); + i = context.i; + if (output[key] === void 0) { + output[key] = value; + } + done = true; + --i; + } + ++i; + if (done) { + break; + } + } + } + throw new ParseException('Malformed inline YAML string ' + mapping); + }; + + Inline.evaluateScalar = function(scalar, context) { + var cast, date, exceptionOnInvalidType, firstChar, firstSpace, firstWord, objectDecoder, raw, scalarLower, subValue, trimmedScalar; + scalar = Utils.trim(scalar); + scalarLower = scalar.toLowerCase(); + switch (scalarLower) { + case 'null': + case '': + case '~': + return null; + case 'true': + return true; + case 'false': + return false; + case '.inf': + return Infinity; + case '.nan': + return NaN; + case '-.inf': + return Infinity; + default: + firstChar = scalarLower.charAt(0); + switch (firstChar) { + case '!': + firstSpace = scalar.indexOf(' '); + if (firstSpace === -1) { + firstWord = scalarLower; + } else { + firstWord = scalarLower.slice(0, firstSpace); + } + switch (firstWord) { + case '!': + if (firstSpace !== -1) { + return parseInt(this.parseScalar(scalar.slice(2))); + } + return null; + case '!str': + return Utils.ltrim(scalar.slice(4)); + case '!!str': + return Utils.ltrim(scalar.slice(5)); + case '!!int': + return parseInt(this.parseScalar(scalar.slice(5))); + case '!!bool': + return Utils.parseBoolean(this.parseScalar(scalar.slice(6)), false); + case '!!float': + return parseFloat(this.parseScalar(scalar.slice(7))); + case '!!timestamp': + return Utils.stringToDate(Utils.ltrim(scalar.slice(11))); + default: + if (context == null) { + context = { + exceptionOnInvalidType: this.settings.exceptionOnInvalidType, + objectDecoder: this.settings.objectDecoder, + i: 0 + }; + } + objectDecoder = context.objectDecoder, exceptionOnInvalidType = context.exceptionOnInvalidType; + if (objectDecoder) { 
+ trimmedScalar = Utils.rtrim(scalar); + firstSpace = trimmedScalar.indexOf(' '); + if (firstSpace === -1) { + return objectDecoder(trimmedScalar, null); + } else { + subValue = Utils.ltrim(trimmedScalar.slice(firstSpace + 1)); + if (!(subValue.length > 0)) { + subValue = null; + } + return objectDecoder(trimmedScalar.slice(0, firstSpace), subValue); + } + } + if (exceptionOnInvalidType) { + throw new ParseException('Custom object support when parsing a YAML file has been disabled.'); + } + return null; + } + break; + case '0': + if ('0x' === scalar.slice(0, 2)) { + return Utils.hexDec(scalar); + } else if (Utils.isDigits(scalar)) { + return Utils.octDec(scalar); + } else if (Utils.isNumeric(scalar)) { + return parseFloat(scalar); + } else { + return scalar; + } + break; + case '+': + if (Utils.isDigits(scalar)) { + raw = scalar; + cast = parseInt(raw); + if (raw === String(cast)) { + return cast; + } else { + return raw; + } + } else if (Utils.isNumeric(scalar)) { + return parseFloat(scalar); + } else if (this.PATTERN_THOUSAND_NUMERIC_SCALAR.test(scalar)) { + return parseFloat(scalar.replace(',', '')); + } + return scalar; + case '-': + if (Utils.isDigits(scalar.slice(1))) { + if ('0' === scalar.charAt(1)) { + return -Utils.octDec(scalar.slice(1)); + } else { + raw = scalar.slice(1); + cast = parseInt(raw); + if (raw === String(cast)) { + return -cast; + } else { + return -raw; + } + } + } else if (Utils.isNumeric(scalar)) { + return parseFloat(scalar); + } else if (this.PATTERN_THOUSAND_NUMERIC_SCALAR.test(scalar)) { + return parseFloat(scalar.replace(',', '')); + } + return scalar; + default: + if (date = Utils.stringToDate(scalar)) { + return date; + } else if (Utils.isNumeric(scalar)) { + return parseFloat(scalar); + } else if (this.PATTERN_THOUSAND_NUMERIC_SCALAR.test(scalar)) { + return parseFloat(scalar.replace(',', '')); + } + return scalar; + } + } + }; + + return Inline; + +})(); + +module.exports = Inline; + + + 
+},{"./Escaper":2,"./Exception/DumpException":3,"./Exception/ParseException":4,"./Pattern":7,"./Unescaper":8,"./Utils":9}],6:[function(require,module,exports){ +var Inline, ParseException, Parser, Pattern, Utils; + +Inline = require('./Inline'); + +Pattern = require('./Pattern'); + +Utils = require('./Utils'); + +ParseException = require('./Exception/ParseException'); + +Parser = (function() { + Parser.prototype.PATTERN_FOLDED_SCALAR_ALL = new Pattern('^(?:(?![^\\|>]*)\\s+)?(?\\||>)(?\\+|\\-|\\d+|\\+\\d+|\\-\\d+|\\d+\\+|\\d+\\-)?(? +#.*)?$'); + + Parser.prototype.PATTERN_FOLDED_SCALAR_END = new Pattern('(?\\||>)(?\\+|\\-|\\d+|\\+\\d+|\\-\\d+|\\d+\\+|\\d+\\-)?(? +#.*)?$'); + + Parser.prototype.PATTERN_SEQUENCE_ITEM = new Pattern('^\\-((?\\s+)(?.+?))?\\s*$'); + + Parser.prototype.PATTERN_ANCHOR_VALUE = new Pattern('^&(?[^ ]+) *(?.*)'); + + Parser.prototype.PATTERN_COMPACT_NOTATION = new Pattern('^(?' + Inline.REGEX_QUOTED_STRING + '|[^ \'"\\{\\[].*?) *\\:(\\s+(?.+?))?\\s*$'); + + Parser.prototype.PATTERN_MAPPING_ITEM = new Pattern('^(?' + Inline.REGEX_QUOTED_STRING + '|[^ \'"\\[\\{].*?) *\\:(\\s+(?.+?))?\\s*$'); + + Parser.prototype.PATTERN_DECIMAL = new Pattern('\\d+'); + + Parser.prototype.PATTERN_INDENT_SPACES = new Pattern('^ +'); + + Parser.prototype.PATTERN_TRAILING_LINES = new Pattern('(\n*)$'); + + Parser.prototype.PATTERN_YAML_HEADER = new Pattern('^\\%YAML[: ][\\d\\.]+.*\n'); + + Parser.prototype.PATTERN_LEADING_COMMENTS = new Pattern('^(\\#.*?\n)+'); + + Parser.prototype.PATTERN_DOCUMENT_MARKER_START = new Pattern('^\\-\\-\\-.*?\n'); + + Parser.prototype.PATTERN_DOCUMENT_MARKER_END = new Pattern('^\\.\\.\\.\\s*$'); + + Parser.prototype.PATTERN_FOLDED_SCALAR_BY_INDENTATION = {}; + + Parser.prototype.CONTEXT_NONE = 0; + + Parser.prototype.CONTEXT_SEQUENCE = 1; + + Parser.prototype.CONTEXT_MAPPING = 2; + + function Parser(offset) { + this.offset = offset != null ? 
offset : 0; + this.lines = []; + this.currentLineNb = -1; + this.currentLine = ''; + this.refs = {}; + } + + Parser.prototype.parse = function(value, exceptionOnInvalidType, objectDecoder) { + var alias, allowOverwrite, block, c, context, data, e, first, i, indent, isRef, j, k, key, l, lastKey, len, len1, len2, len3, lineCount, m, matches, mergeNode, n, name, parsed, parsedItem, parser, ref, ref1, ref2, refName, refValue, val, values; + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = false; + } + if (objectDecoder == null) { + objectDecoder = null; + } + this.currentLineNb = -1; + this.currentLine = ''; + this.lines = this.cleanup(value).split("\n"); + data = null; + context = this.CONTEXT_NONE; + allowOverwrite = false; + while (this.moveToNextLine()) { + if (this.isCurrentLineEmpty()) { + continue; + } + if ("\t" === this.currentLine[0]) { + throw new ParseException('A YAML file cannot contain tabs as indentation.', this.getRealCurrentLineNb() + 1, this.currentLine); + } + isRef = mergeNode = false; + if (values = this.PATTERN_SEQUENCE_ITEM.exec(this.currentLine)) { + if (this.CONTEXT_MAPPING === context) { + throw new ParseException('You cannot define a sequence item when in a mapping'); + } + context = this.CONTEXT_SEQUENCE; + if (data == null) { + data = []; + } + if ((values.value != null) && (matches = this.PATTERN_ANCHOR_VALUE.exec(values.value))) { + isRef = matches.ref; + values.value = matches.value; + } + if (!(values.value != null) || '' === Utils.trim(values.value, ' ') || Utils.ltrim(values.value, ' ').indexOf('#') === 0) { + if (this.currentLineNb < this.lines.length - 1 && !this.isNextLineUnIndentedCollection()) { + c = this.getRealCurrentLineNb() + 1; + parser = new Parser(c); + parser.refs = this.refs; + data.push(parser.parse(this.getNextEmbedBlock(null, true), exceptionOnInvalidType, objectDecoder)); + } else { + data.push(null); + } + } else { + if (((ref = values.leadspaces) != null ? 
ref.length : void 0) && (matches = this.PATTERN_COMPACT_NOTATION.exec(values.value))) { + c = this.getRealCurrentLineNb(); + parser = new Parser(c); + parser.refs = this.refs; + block = values.value; + indent = this.getCurrentLineIndentation(); + if (this.isNextLineIndented(false)) { + block += "\n" + this.getNextEmbedBlock(indent + values.leadspaces.length + 1, true); + } + data.push(parser.parse(block, exceptionOnInvalidType, objectDecoder)); + } else { + data.push(this.parseValue(values.value, exceptionOnInvalidType, objectDecoder)); + } + } + } else if ((values = this.PATTERN_MAPPING_ITEM.exec(this.currentLine)) && values.key.indexOf(' #') === -1) { + if (this.CONTEXT_SEQUENCE === context) { + throw new ParseException('You cannot define a mapping item when in a sequence'); + } + context = this.CONTEXT_MAPPING; + if (data == null) { + data = {}; + } + Inline.configure(exceptionOnInvalidType, objectDecoder); + try { + key = Inline.parseScalar(values.key); + } catch (_error) { + e = _error; + e.parsedLine = this.getRealCurrentLineNb() + 1; + e.snippet = this.currentLine; + throw e; + } + if ('<<' === key) { + mergeNode = true; + allowOverwrite = true; + if (((ref1 = values.value) != null ? 
ref1.indexOf('*') : void 0) === 0) { + refName = values.value.slice(1); + if (this.refs[refName] == null) { + throw new ParseException('Reference "' + refName + '" does not exist.', this.getRealCurrentLineNb() + 1, this.currentLine); + } + refValue = this.refs[refName]; + if (typeof refValue !== 'object') { + throw new ParseException('YAML merge keys used with a scalar value instead of an object.', this.getRealCurrentLineNb() + 1, this.currentLine); + } + if (refValue instanceof Array) { + for (i = j = 0, len = refValue.length; j < len; i = ++j) { + value = refValue[i]; + if (data[name = String(i)] == null) { + data[name] = value; + } + } + } else { + for (key in refValue) { + value = refValue[key]; + if (data[key] == null) { + data[key] = value; + } + } + } + } else { + if ((values.value != null) && values.value !== '') { + value = values.value; + } else { + value = this.getNextEmbedBlock(); + } + c = this.getRealCurrentLineNb() + 1; + parser = new Parser(c); + parser.refs = this.refs; + parsed = parser.parse(value, exceptionOnInvalidType); + if (typeof parsed !== 'object') { + throw new ParseException('YAML merge keys used with a scalar value instead of an object.', this.getRealCurrentLineNb() + 1, this.currentLine); + } + if (parsed instanceof Array) { + for (l = 0, len1 = parsed.length; l < len1; l++) { + parsedItem = parsed[l]; + if (typeof parsedItem !== 'object') { + throw new ParseException('Merge items must be objects.', this.getRealCurrentLineNb() + 1, parsedItem); + } + if (parsedItem instanceof Array) { + for (i = m = 0, len2 = parsedItem.length; m < len2; i = ++m) { + value = parsedItem[i]; + k = String(i); + if (!data.hasOwnProperty(k)) { + data[k] = value; + } + } + } else { + for (key in parsedItem) { + value = parsedItem[key]; + if (!data.hasOwnProperty(key)) { + data[key] = value; + } + } + } + } + } else { + for (key in parsed) { + value = parsed[key]; + if (!data.hasOwnProperty(key)) { + data[key] = value; + } + } + } + } + } else if 
((values.value != null) && (matches = this.PATTERN_ANCHOR_VALUE.exec(values.value))) { + isRef = matches.ref; + values.value = matches.value; + } + if (mergeNode) { + + } else if (!(values.value != null) || '' === Utils.trim(values.value, ' ') || Utils.ltrim(values.value, ' ').indexOf('#') === 0) { + if (!(this.isNextLineIndented()) && !(this.isNextLineUnIndentedCollection())) { + if (allowOverwrite || data[key] === void 0) { + data[key] = null; + } + } else { + c = this.getRealCurrentLineNb() + 1; + parser = new Parser(c); + parser.refs = this.refs; + val = parser.parse(this.getNextEmbedBlock(), exceptionOnInvalidType, objectDecoder); + if (allowOverwrite || data[key] === void 0) { + data[key] = val; + } + } + } else { + val = this.parseValue(values.value, exceptionOnInvalidType, objectDecoder); + if (allowOverwrite || data[key] === void 0) { + data[key] = val; + } + } + } else { + lineCount = this.lines.length; + if (1 === lineCount || (2 === lineCount && Utils.isEmpty(this.lines[1]))) { + try { + value = Inline.parse(this.lines[0], exceptionOnInvalidType, objectDecoder); + } catch (_error) { + e = _error; + e.parsedLine = this.getRealCurrentLineNb() + 1; + e.snippet = this.currentLine; + throw e; + } + if (typeof value === 'object') { + if (value instanceof Array) { + first = value[0]; + } else { + for (key in value) { + first = value[key]; + break; + } + } + if (typeof first === 'string' && first.indexOf('*') === 0) { + data = []; + for (n = 0, len3 = value.length; n < len3; n++) { + alias = value[n]; + data.push(this.refs[alias.slice(1)]); + } + value = data; + } + } + return value; + } else if ((ref2 = Utils.ltrim(value).charAt(0)) === '[' || ref2 === '{') { + try { + return Inline.parse(value, exceptionOnInvalidType, objectDecoder); + } catch (_error) { + e = _error; + e.parsedLine = this.getRealCurrentLineNb() + 1; + e.snippet = this.currentLine; + throw e; + } + } + throw new ParseException('Unable to parse.', this.getRealCurrentLineNb() + 1, 
this.currentLine); + } + if (isRef) { + if (data instanceof Array) { + this.refs[isRef] = data[data.length - 1]; + } else { + lastKey = null; + for (key in data) { + lastKey = key; + } + this.refs[isRef] = data[lastKey]; + } + } + } + if (Utils.isEmpty(data)) { + return null; + } else { + return data; + } + }; + + Parser.prototype.getRealCurrentLineNb = function() { + return this.currentLineNb + this.offset; + }; + + Parser.prototype.getCurrentLineIndentation = function() { + return this.currentLine.length - Utils.ltrim(this.currentLine, ' ').length; + }; + + Parser.prototype.getNextEmbedBlock = function(indentation, includeUnindentedCollection) { + var data, indent, isItUnindentedCollection, newIndent, removeComments, removeCommentsPattern, unindentedEmbedBlock; + if (indentation == null) { + indentation = null; + } + if (includeUnindentedCollection == null) { + includeUnindentedCollection = false; + } + this.moveToNextLine(); + if (indentation == null) { + newIndent = this.getCurrentLineIndentation(); + unindentedEmbedBlock = this.isStringUnIndentedCollectionItem(this.currentLine); + if (!(this.isCurrentLineEmpty()) && 0 === newIndent && !unindentedEmbedBlock) { + throw new ParseException('Indentation problem.', this.getRealCurrentLineNb() + 1, this.currentLine); + } + } else { + newIndent = indentation; + } + data = [this.currentLine.slice(newIndent)]; + if (!includeUnindentedCollection) { + isItUnindentedCollection = this.isStringUnIndentedCollectionItem(this.currentLine); + } + removeCommentsPattern = this.PATTERN_FOLDED_SCALAR_END; + removeComments = !removeCommentsPattern.test(this.currentLine); + while (this.moveToNextLine()) { + indent = this.getCurrentLineIndentation(); + if (indent === newIndent) { + removeComments = !removeCommentsPattern.test(this.currentLine); + } + if (isItUnindentedCollection && !this.isStringUnIndentedCollectionItem(this.currentLine) && indent === newIndent) { + this.moveToPreviousLine(); + break; + } + if 
(this.isCurrentLineBlank()) { + data.push(this.currentLine.slice(newIndent)); + continue; + } + if (removeComments && this.isCurrentLineComment()) { + if (indent === newIndent) { + continue; + } + } + if (indent >= newIndent) { + data.push(this.currentLine.slice(newIndent)); + } else if (Utils.ltrim(this.currentLine).charAt(0) === '#') { + + } else if (0 === indent) { + this.moveToPreviousLine(); + break; + } else { + throw new ParseException('Indentation problem.', this.getRealCurrentLineNb() + 1, this.currentLine); + } + } + return data.join("\n"); + }; + + Parser.prototype.moveToNextLine = function() { + if (this.currentLineNb >= this.lines.length - 1) { + return false; + } + this.currentLine = this.lines[++this.currentLineNb]; + return true; + }; + + Parser.prototype.moveToPreviousLine = function() { + this.currentLine = this.lines[--this.currentLineNb]; + }; + + Parser.prototype.parseValue = function(value, exceptionOnInvalidType, objectDecoder) { + var e, foldedIndent, matches, modifiers, pos, ref, ref1, val; + if (0 === value.indexOf('*')) { + pos = value.indexOf('#'); + if (pos !== -1) { + value = value.substr(1, pos - 2); + } else { + value = value.slice(1); + } + if (this.refs[value] === void 0) { + throw new ParseException('Reference "' + value + '" does not exist.', this.currentLine); + } + return this.refs[value]; + } + if (matches = this.PATTERN_FOLDED_SCALAR_ALL.exec(value)) { + modifiers = (ref = matches.modifiers) != null ? 
ref : ''; + foldedIndent = Math.abs(parseInt(modifiers)); + if (isNaN(foldedIndent)) { + foldedIndent = 0; + } + val = this.parseFoldedScalar(matches.separator, this.PATTERN_DECIMAL.replace(modifiers, ''), foldedIndent); + if (matches.type != null) { + Inline.configure(exceptionOnInvalidType, objectDecoder); + return Inline.parseScalar(matches.type + ' ' + val); + } else { + return val; + } + } + try { + return Inline.parse(value, exceptionOnInvalidType, objectDecoder); + } catch (_error) { + e = _error; + if (((ref1 = value.charAt(0)) === '[' || ref1 === '{') && e instanceof ParseException && this.isNextLineIndented()) { + value += "\n" + this.getNextEmbedBlock(); + try { + return Inline.parse(value, exceptionOnInvalidType, objectDecoder); + } catch (_error) { + e = _error; + e.parsedLine = this.getRealCurrentLineNb() + 1; + e.snippet = this.currentLine; + throw e; + } + } else { + e.parsedLine = this.getRealCurrentLineNb() + 1; + e.snippet = this.currentLine; + throw e; + } + } + }; + + Parser.prototype.parseFoldedScalar = function(separator, indicator, indentation) { + var isCurrentLineBlank, j, len, line, matches, newText, notEOF, pattern, ref, text; + if (indicator == null) { + indicator = ''; + } + if (indentation == null) { + indentation = 0; + } + notEOF = this.moveToNextLine(); + if (!notEOF) { + return ''; + } + isCurrentLineBlank = this.isCurrentLineBlank(); + text = ''; + while (notEOF && isCurrentLineBlank) { + if (notEOF = this.moveToNextLine()) { + text += "\n"; + isCurrentLineBlank = this.isCurrentLineBlank(); + } + } + if (0 === indentation) { + if (matches = this.PATTERN_INDENT_SPACES.exec(this.currentLine)) { + indentation = matches[0].length; + } + } + if (indentation > 0) { + pattern = this.PATTERN_FOLDED_SCALAR_BY_INDENTATION[indentation]; + if (pattern == null) { + pattern = new Pattern('^ {' + indentation + '}(.*)$'); + Parser.prototype.PATTERN_FOLDED_SCALAR_BY_INDENTATION[indentation] = pattern; + } + while (notEOF && (isCurrentLineBlank || 
(matches = pattern.exec(this.currentLine)))) { + if (isCurrentLineBlank) { + text += this.currentLine.slice(indentation); + } else { + text += matches[1]; + } + if (notEOF = this.moveToNextLine()) { + text += "\n"; + isCurrentLineBlank = this.isCurrentLineBlank(); + } + } + } else if (notEOF) { + text += "\n"; + } + if (notEOF) { + this.moveToPreviousLine(); + } + if ('>' === separator) { + newText = ''; + ref = text.split("\n"); + for (j = 0, len = ref.length; j < len; j++) { + line = ref[j]; + if (line.length === 0 || line.charAt(0) === ' ') { + newText = Utils.rtrim(newText, ' ') + line + "\n"; + } else { + newText += line + ' '; + } + } + text = newText; + } + if ('+' !== indicator) { + text = Utils.rtrim(text); + } + if ('' === indicator) { + text = this.PATTERN_TRAILING_LINES.replace(text, "\n"); + } else if ('-' === indicator) { + text = this.PATTERN_TRAILING_LINES.replace(text, ''); + } + return text; + }; + + Parser.prototype.isNextLineIndented = function(ignoreComments) { + var EOF, currentIndentation, ret; + if (ignoreComments == null) { + ignoreComments = true; + } + currentIndentation = this.getCurrentLineIndentation(); + EOF = !this.moveToNextLine(); + if (ignoreComments) { + while (!EOF && this.isCurrentLineEmpty()) { + EOF = !this.moveToNextLine(); + } + } else { + while (!EOF && this.isCurrentLineBlank()) { + EOF = !this.moveToNextLine(); + } + } + if (EOF) { + return false; + } + ret = false; + if (this.getCurrentLineIndentation() > currentIndentation) { + ret = true; + } + this.moveToPreviousLine(); + return ret; + }; + + Parser.prototype.isCurrentLineEmpty = function() { + var trimmedLine; + trimmedLine = Utils.trim(this.currentLine, ' '); + return trimmedLine.length === 0 || trimmedLine.charAt(0) === '#'; + }; + + Parser.prototype.isCurrentLineBlank = function() { + return '' === Utils.trim(this.currentLine, ' '); + }; + + Parser.prototype.isCurrentLineComment = function() { + var ltrimmedLine; + ltrimmedLine = Utils.ltrim(this.currentLine, ' 
'); + return ltrimmedLine.charAt(0) === '#'; + }; + + Parser.prototype.cleanup = function(value) { + var count, i, indent, j, l, len, len1, line, lines, ref, ref1, ref2, smallestIndent, trimmedValue; + if (value.indexOf("\r") !== -1) { + value = value.split("\r\n").join("\n").split("\r").join("\n"); + } + count = 0; + ref = this.PATTERN_YAML_HEADER.replaceAll(value, ''), value = ref[0], count = ref[1]; + this.offset += count; + ref1 = this.PATTERN_LEADING_COMMENTS.replaceAll(value, '', 1), trimmedValue = ref1[0], count = ref1[1]; + if (count === 1) { + this.offset += Utils.subStrCount(value, "\n") - Utils.subStrCount(trimmedValue, "\n"); + value = trimmedValue; + } + ref2 = this.PATTERN_DOCUMENT_MARKER_START.replaceAll(value, '', 1), trimmedValue = ref2[0], count = ref2[1]; + if (count === 1) { + this.offset += Utils.subStrCount(value, "\n") - Utils.subStrCount(trimmedValue, "\n"); + value = trimmedValue; + value = this.PATTERN_DOCUMENT_MARKER_END.replace(value, ''); + } + lines = value.split("\n"); + smallestIndent = -1; + for (j = 0, len = lines.length; j < len; j++) { + line = lines[j]; + indent = line.length - Utils.ltrim(line).length; + if (smallestIndent === -1 || indent < smallestIndent) { + smallestIndent = indent; + } + } + if (smallestIndent > 0) { + for (i = l = 0, len1 = lines.length; l < len1; i = ++l) { + line = lines[i]; + lines[i] = line.slice(smallestIndent); + } + value = lines.join("\n"); + } + return value; + }; + + Parser.prototype.isNextLineUnIndentedCollection = function(currentIndentation) { + var notEOF, ret; + if (currentIndentation == null) { + currentIndentation = null; + } + if (currentIndentation == null) { + currentIndentation = this.getCurrentLineIndentation(); + } + notEOF = this.moveToNextLine(); + while (notEOF && this.isCurrentLineEmpty()) { + notEOF = this.moveToNextLine(); + } + if (false === notEOF) { + return false; + } + ret = false; + if (this.getCurrentLineIndentation() === currentIndentation && 
this.isStringUnIndentedCollectionItem(this.currentLine)) { + ret = true; + } + this.moveToPreviousLine(); + return ret; + }; + + Parser.prototype.isStringUnIndentedCollectionItem = function() { + return this.currentLine === '-' || this.currentLine.slice(0, 2) === '- '; + }; + + return Parser; + +})(); + +module.exports = Parser; + + + +},{"./Exception/ParseException":4,"./Inline":5,"./Pattern":7,"./Utils":9}],7:[function(require,module,exports){ +var Pattern; + +Pattern = (function() { + Pattern.prototype.regex = null; + + Pattern.prototype.rawRegex = null; + + Pattern.prototype.cleanedRegex = null; + + Pattern.prototype.mapping = null; + + function Pattern(rawRegex, modifiers) { + var _char, capturingBracketNumber, cleanedRegex, i, len, mapping, name, part, subChar; + if (modifiers == null) { + modifiers = ''; + } + cleanedRegex = ''; + len = rawRegex.length; + mapping = null; + capturingBracketNumber = 0; + i = 0; + while (i < len) { + _char = rawRegex.charAt(i); + if (_char === '\\') { + cleanedRegex += rawRegex.slice(i, +(i + 1) + 1 || 9e9); + i++; + } else if (_char === '(') { + if (i < len - 2) { + part = rawRegex.slice(i, +(i + 2) + 1 || 9e9); + if (part === '(?:') { + i += 2; + cleanedRegex += part; + } else if (part === '(?<') { + capturingBracketNumber++; + i += 2; + name = ''; + while (i + 1 < len) { + subChar = rawRegex.charAt(i + 1); + if (subChar === '>') { + cleanedRegex += '('; + i++; + if (name.length > 0) { + if (mapping == null) { + mapping = {}; + } + mapping[name] = capturingBracketNumber; + } + break; + } else { + name += subChar; + } + i++; + } + } else { + cleanedRegex += _char; + capturingBracketNumber++; + } + } else { + cleanedRegex += _char; + } + } else { + cleanedRegex += _char; + } + i++; + } + this.rawRegex = rawRegex; + this.cleanedRegex = cleanedRegex; + this.regex = new RegExp(this.cleanedRegex, 'g' + modifiers.replace('g', '')); + this.mapping = mapping; + } + + Pattern.prototype.exec = function(str) { + var index, matches, name, 
ref; + this.regex.lastIndex = 0; + matches = this.regex.exec(str); + if (matches == null) { + return null; + } + if (this.mapping != null) { + ref = this.mapping; + for (name in ref) { + index = ref[name]; + matches[name] = matches[index]; + } + } + return matches; + }; + + Pattern.prototype.test = function(str) { + this.regex.lastIndex = 0; + return this.regex.test(str); + }; + + Pattern.prototype.replace = function(str, replacement) { + this.regex.lastIndex = 0; + return str.replace(this.regex, replacement); + }; + + Pattern.prototype.replaceAll = function(str, replacement, limit) { + var count; + if (limit == null) { + limit = 0; + } + this.regex.lastIndex = 0; + count = 0; + while (this.regex.test(str) && (limit === 0 || count < limit)) { + this.regex.lastIndex = 0; + str = str.replace(this.regex, ''); + count++; + } + return [str, count]; + }; + + return Pattern; + +})(); + +module.exports = Pattern; + + + +},{}],8:[function(require,module,exports){ +var Pattern, Unescaper, Utils; + +Utils = require('./Utils'); + +Pattern = require('./Pattern'); + +Unescaper = (function() { + function Unescaper() {} + + Unescaper.PATTERN_ESCAPED_CHARACTER = new Pattern('\\\\([0abt\tnvfre "\\/\\\\N_LP]|x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|U[0-9a-fA-F]{8})'); + + Unescaper.unescapeSingleQuotedString = function(value) { + return value.replace(/\'\'/g, '\''); + }; + + Unescaper.unescapeDoubleQuotedString = function(value) { + if (this._unescapeCallback == null) { + this._unescapeCallback = (function(_this) { + return function(str) { + return _this.unescapeCharacter(str); + }; + })(this); + } + return this.PATTERN_ESCAPED_CHARACTER.replace(value, this._unescapeCallback); + }; + + Unescaper.unescapeCharacter = function(value) { + var ch; + ch = String.fromCharCode; + switch (value.charAt(1)) { + case '0': + return ch(0); + case 'a': + return ch(7); + case 'b': + return ch(8); + case 't': + return "\t"; + case "\t": + return "\t"; + case 'n': + return "\n"; + case 'v': + return ch(11); + 
case 'f': + return ch(12); + case 'r': + return ch(13); + case 'e': + return ch(27); + case ' ': + return ' '; + case '"': + return '"'; + case '/': + return '/'; + case '\\': + return '\\'; + case 'N': + return ch(0x0085); + case '_': + return ch(0x00A0); + case 'L': + return ch(0x2028); + case 'P': + return ch(0x2029); + case 'x': + return Utils.utf8chr(Utils.hexDec(value.substr(2, 2))); + case 'u': + return Utils.utf8chr(Utils.hexDec(value.substr(2, 4))); + case 'U': + return Utils.utf8chr(Utils.hexDec(value.substr(2, 8))); + default: + return ''; + } + }; + + return Unescaper; + +})(); + +module.exports = Unescaper; + + + +},{"./Pattern":7,"./Utils":9}],9:[function(require,module,exports){ +var Pattern, Utils; + +Pattern = require('./Pattern'); + +Utils = (function() { + function Utils() {} + + Utils.REGEX_LEFT_TRIM_BY_CHAR = {}; + + Utils.REGEX_RIGHT_TRIM_BY_CHAR = {}; + + Utils.REGEX_SPACES = /\s+/g; + + Utils.REGEX_DIGITS = /^\d+$/; + + Utils.REGEX_OCTAL = /[^0-7]/gi; + + Utils.REGEX_HEXADECIMAL = /[^a-f0-9]/gi; + + Utils.PATTERN_DATE = new Pattern('^' + '(?[0-9][0-9][0-9][0-9])' + '-(?[0-9][0-9]?)' + '-(?[0-9][0-9]?)' + '(?:(?:[Tt]|[ \t]+)' + '(?[0-9][0-9]?)' + ':(?[0-9][0-9])' + ':(?[0-9][0-9])' + '(?:\.(?[0-9]*))?' + '(?:[ \t]*(?Z|(?[-+])(?[0-9][0-9]?)' + '(?::(?[0-9][0-9]))?))?)?' 
+ '$', 'i'); + + Utils.LOCAL_TIMEZONE_OFFSET = new Date().getTimezoneOffset() * 60 * 1000; + + Utils.trim = function(str, _char) { + var regexLeft, regexRight; + if (_char == null) { + _char = '\\s'; + } + return str.trim(); + regexLeft = this.REGEX_LEFT_TRIM_BY_CHAR[_char]; + if (regexLeft == null) { + this.REGEX_LEFT_TRIM_BY_CHAR[_char] = regexLeft = new RegExp('^' + _char + '' + _char + '*'); + } + regexLeft.lastIndex = 0; + regexRight = this.REGEX_RIGHT_TRIM_BY_CHAR[_char]; + if (regexRight == null) { + this.REGEX_RIGHT_TRIM_BY_CHAR[_char] = regexRight = new RegExp(_char + '' + _char + '*$'); + } + regexRight.lastIndex = 0; + return str.replace(regexLeft, '').replace(regexRight, ''); + }; + + Utils.ltrim = function(str, _char) { + var regexLeft; + if (_char == null) { + _char = '\\s'; + } + regexLeft = this.REGEX_LEFT_TRIM_BY_CHAR[_char]; + if (regexLeft == null) { + this.REGEX_LEFT_TRIM_BY_CHAR[_char] = regexLeft = new RegExp('^' + _char + '' + _char + '*'); + } + regexLeft.lastIndex = 0; + return str.replace(regexLeft, ''); + }; + + Utils.rtrim = function(str, _char) { + var regexRight; + if (_char == null) { + _char = '\\s'; + } + regexRight = this.REGEX_RIGHT_TRIM_BY_CHAR[_char]; + if (regexRight == null) { + this.REGEX_RIGHT_TRIM_BY_CHAR[_char] = regexRight = new RegExp(_char + '' + _char + '*$'); + } + regexRight.lastIndex = 0; + return str.replace(regexRight, ''); + }; + + Utils.isEmpty = function(value) { + return !value || value === '' || value === '0' || (value instanceof Array && value.length === 0); + }; + + Utils.subStrCount = function(string, subString, start, length) { + var c, i, j, len, ref, sublen; + c = 0; + string = '' + string; + subString = '' + subString; + if (start != null) { + string = string.slice(start); + } + if (length != null) { + string = string.slice(0, length); + } + len = string.length; + sublen = subString.length; + for (i = j = 0, ref = len; 0 <= ref ? j < ref : j > ref; i = 0 <= ref ? 
++j : --j) { + if (subString === string.slice(i, sublen)) { + c++; + i += sublen - 1; + } + } + return c; + }; + + Utils.isDigits = function(input) { + this.REGEX_DIGITS.lastIndex = 0; + return this.REGEX_DIGITS.test(input); + }; + + Utils.octDec = function(input) { + this.REGEX_OCTAL.lastIndex = 0; + return parseInt((input + '').replace(this.REGEX_OCTAL, ''), 8); + }; + + Utils.hexDec = function(input) { + this.REGEX_HEXADECIMAL.lastIndex = 0; + input = this.trim(input); + if ((input + '').slice(0, 2) === '0x') { + input = (input + '').slice(2); + } + return parseInt((input + '').replace(this.REGEX_HEXADECIMAL, ''), 16); + }; + + Utils.utf8chr = function(c) { + var ch; + ch = String.fromCharCode; + if (0x80 > (c %= 0x200000)) { + return ch(c); + } + if (0x800 > c) { + return ch(0xC0 | c >> 6) + ch(0x80 | c & 0x3F); + } + if (0x10000 > c) { + return ch(0xE0 | c >> 12) + ch(0x80 | c >> 6 & 0x3F) + ch(0x80 | c & 0x3F); + } + return ch(0xF0 | c >> 18) + ch(0x80 | c >> 12 & 0x3F) + ch(0x80 | c >> 6 & 0x3F) + ch(0x80 | c & 0x3F); + }; + + Utils.parseBoolean = function(input, strict) { + var lowerInput; + if (strict == null) { + strict = true; + } + if (typeof input === 'string') { + lowerInput = input.toLowerCase(); + if (!strict) { + if (lowerInput === 'no') { + return false; + } + } + if (lowerInput === '0') { + return false; + } + if (lowerInput === 'false') { + return false; + } + if (lowerInput === '') { + return false; + } + return true; + } + return !!input; + }; + + Utils.isNumeric = function(input) { + this.REGEX_SPACES.lastIndex = 0; + return typeof input === 'number' || typeof input === 'string' && !isNaN(input) && input.replace(this.REGEX_SPACES, '') !== ''; + }; + + Utils.stringToDate = function(str) { + var date, day, fraction, hour, info, minute, month, second, tz_hour, tz_minute, tz_offset, year; + if (!(str != null ? 
str.length : void 0)) { + return null; + } + info = this.PATTERN_DATE.exec(str); + if (!info) { + return null; + } + year = parseInt(info.year, 10); + month = parseInt(info.month, 10) - 1; + day = parseInt(info.day, 10); + if (info.hour == null) { + date = new Date(Date.UTC(year, month, day)); + return date; + } + hour = parseInt(info.hour, 10); + minute = parseInt(info.minute, 10); + second = parseInt(info.second, 10); + if (info.fraction != null) { + fraction = info.fraction.slice(0, 3); + while (fraction.length < 3) { + fraction += '0'; + } + fraction = parseInt(fraction, 10); + } else { + fraction = 0; + } + if (info.tz != null) { + tz_hour = parseInt(info.tz_hour, 10); + if (info.tz_minute != null) { + tz_minute = parseInt(info.tz_minute, 10); + } else { + tz_minute = 0; + } + tz_offset = (tz_hour * 60 + tz_minute) * 60000; + if ('-' === info.tz_sign) { + tz_offset *= -1; + } + } + date = new Date(Date.UTC(year, month, day, hour, minute, second, fraction)); + if (tz_offset) { + date.setTime(date.getTime() + tz_offset); + } + return date; + }; + + Utils.strRepeat = function(str, number) { + var i, res; + res = ''; + i = 0; + while (i < number) { + res += str; + i++; + } + return res; + }; + + Utils.getStringFromFile = function(path, callback) { + var data, fs, j, len1, name, ref, req, xhr; + if (callback == null) { + callback = null; + } + xhr = null; + if (typeof window !== "undefined" && window !== null) { + if (window.XMLHttpRequest) { + xhr = new XMLHttpRequest(); + } else if (window.ActiveXObject) { + ref = ["Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0", "Msxml2.XMLHTTP", "Microsoft.XMLHTTP"]; + for (j = 0, len1 = ref.length; j < len1; j++) { + name = ref[j]; + try { + xhr = new ActiveXObject(name); + } catch (_error) {} + } + } + } + if (xhr != null) { + if (callback != null) { + xhr.onreadystatechange = function() { + if (xhr.readyState === 4) { + if (xhr.status === 200 || xhr.status === 0) { + return callback(xhr.responseText); + } else { + return 
callback(null); + } + } + }; + xhr.open('GET', path, true); + return xhr.send(null); + } else { + xhr.open('GET', path, false); + xhr.send(null); + if (xhr.status === 200 || xhr.status === 0) { + return xhr.responseText; + } + return null; + } + } else { + req = require; + fs = req('fs'); + if (callback != null) { + return fs.readFile(path, function(err, data) { + if (err) { + return callback(null); + } else { + return callback(String(data)); + } + }); + } else { + data = fs.readFileSync(path); + if (data != null) { + return String(data); + } + return null; + } + } + }; + + return Utils; + +})(); + +module.exports = Utils; + + + +},{"./Pattern":7}],10:[function(require,module,exports){ +var Dumper, Parser, Utils, Yaml; + +Parser = require('./Parser'); + +Dumper = require('./Dumper'); + +Utils = require('./Utils'); + +Yaml = (function() { + function Yaml() {} + + Yaml.parse = function(input, exceptionOnInvalidType, objectDecoder) { + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = false; + } + if (objectDecoder == null) { + objectDecoder = null; + } + return new Parser().parse(input, exceptionOnInvalidType, objectDecoder); + }; + + Yaml.parseFile = function(path, callback, exceptionOnInvalidType, objectDecoder) { + var input; + if (callback == null) { + callback = null; + } + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = false; + } + if (objectDecoder == null) { + objectDecoder = null; + } + if (callback != null) { + return Utils.getStringFromFile(path, (function(_this) { + return function(input) { + var result; + result = null; + if (input != null) { + result = _this.parse(input, exceptionOnInvalidType, objectDecoder); + } + callback(result); + }; + })(this)); + } else { + input = Utils.getStringFromFile(path); + if (input != null) { + return this.parse(input, exceptionOnInvalidType, objectDecoder); + } + return null; + } + }; + + Yaml.dump = function(input, inline, indent, exceptionOnInvalidType, objectEncoder) { + var yaml; + 
if (inline == null) { + inline = 2; + } + if (indent == null) { + indent = 4; + } + if (exceptionOnInvalidType == null) { + exceptionOnInvalidType = false; + } + if (objectEncoder == null) { + objectEncoder = null; + } + yaml = new Dumper(); + yaml.indentation = indent; + return yaml.dump(input, inline, 0, exceptionOnInvalidType, objectEncoder); + }; + + Yaml.register = function() { + var require_handler; + require_handler = function(module, filename) { + return module.exports = YAML.parseFile(filename); + }; + if ((typeof require !== "undefined" && require !== null ? require.extensions : void 0) != null) { + require.extensions['.yml'] = require_handler; + return require.extensions['.yaml'] = require_handler; + } + }; + + Yaml.stringify = function(input, inline, indent, exceptionOnInvalidType, objectEncoder) { + return this.dump(input, inline, indent, exceptionOnInvalidType, objectEncoder); + }; + + Yaml.load = function(path, callback, exceptionOnInvalidType, objectDecoder) { + return this.parseFile(path, callback, exceptionOnInvalidType, objectDecoder); + }; + + return Yaml; + +})(); + +if (typeof window !== "undefined" && window !== null) { + window.YAML = Yaml; +} + +if (typeof window === "undefined" || window === null) { + this.YAML = Yaml; +} + +module.exports = Yaml; + + + +},{"./Dumper":1,"./Parser":6,"./Utils":9}]},{},[10]); diff --git a/states/roles/maintain/sendmail/highstate.service b/states/roles/maintain/sendmail/highstate.service new file mode 100755 index 0000000..e2e9c7b --- /dev/null +++ b/states/roles/maintain/sendmail/highstate.service @@ -0,0 +1,10 @@ +[Unit] +Description=Runs state.highstate + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/bin/bash /root/scripts/highstate.sh + +[Install] +WantedBy=multi-user.target diff --git a/states/roles/maintain/sendmail/highstate.sh b/states/roles/maintain/sendmail/highstate.sh new file mode 100755 index 0000000..0168baf --- /dev/null +++ b/states/roles/maintain/sendmail/highstate.sh 
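Review bot: The `[Install] WantedBy=multi-user.target` section on this timer-driven oneshot means `systemctl enable highstate.service` would run a highstate at every boot on its own, independently of the timer's `OnBootSec=10min`, so a host with both units enabled gets two runs shortly after boot. Drop the `[Install]` section from the service and enable only the timer; `RemainAfterExit=no` is already the default and can go as well. Separately, `salt-call state.highstate` has no upper bound here, and a systemd timer does not re-trigger a unit that is still activating, so a hung run silently stops enforcement until someone notices; a `TimeoutStartSec=` on the service would turn that into a visible failure.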
@@ -0,0 +1,3 @@ +echo "Running highstate `date`" > /root/scripts/highstate.log +/usr/bin/salt-call state.highstate >> /root/scripts/highstate.log +echo "Finished highstate" >> /root/scripts/highstate.log diff --git a/states/roles/maintain/sendmail/highstate.timer b/states/roles/maintain/sendmail/highstate.timer new file mode 100755 index 0000000..2abbcdd --- /dev/null +++ b/states/roles/maintain/sendmail/highstate.timer @@ -0,0 +1,13 @@ +[Unit] +Description=Runs state.highstate every hour + +[Timer] +# Time to wait after booting before we run first time +OnBootSec=10min +# Time between running each consecutive time +OnUnitActiveSec=1h +Unit=highstate.service + +[Install] +WantedBy=multi-user.target + diff --git a/states/roles/maintain/sendmail/init.sls b/states/roles/maintain/sendmail/init.sls new file mode 100755 index 0000000..b81d0b0 --- /dev/null +++ b/states/roles/maintain/sendmail/init.sls @@ -0,0 +1,16 @@ +{%- set os=grains['os'] -%} + +postfix: + pkg.installed: + - pkgs: + - postfix +# service.running: +# - enable: true + +#/etc/salt/minion: +# file.managed: +# - source: salt://roles/maintain/saltminion/minion +# - user: root +# - group: root +# - mode: 644 +# - template: jinja diff --git a/states/roles/maintain/sendmail/minion b/states/roles/maintain/sendmail/minion new file mode 100755 index 0000000..6fedb22 --- /dev/null +++ b/states/roles/maintain/sendmail/minion 
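Review bot: The script always exits 0 because its last command is the `echo`, so the oneshot `highstate.service` reports success even when `/usr/bin/salt-call state.highstate` fails, and the hourly timer never surfaces a broken highstate. Capture and propagate the status: `/usr/bin/salt-call state.highstate >> /root/scripts/highstate.log; rc=$?`, `echo "Finished highstate (exit $rc)" >> /root/scripts/highstate.log`, `exit "$rc"`. The `>` on the first line also truncates the previous run's log every hour, so a failed run is overwritten by the next one; appending with `>>` (and rotating) or simply letting journald capture stdout would keep the history. A `#!/bin/bash` shebang would make the interpreter explicit even though the unit currently passes the file to bash.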
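Review bot: The `/etc/salt/minion` file.managed state is commented out and its source points at `salt://roles/maintain/saltminion/minion`, yet this same commit ships a 629-line `minion` template under `states/roles/maintain/sendmail/`, so that template (and the `master: salt.actcur.com` it sets) is dead content; either drop it or enable the state with `- source: salt://roles/maintain/sendmail/minion`. The `{%- set os=grains['os'] -%}` variable is never referenced in this state and can go. `postfix` is installed but its `service.running` is also commented out, so the role as committed does not actually bring up mail delivery; if that is deliberate, a one-line comment saying why would save the next reader from "fixing" it.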
@@ -0,0 +1,629 @@ +##### Primary configuration settings ##### +########################################## +# This configuration file is used to manage the behavior of the Salt Minion. +# With the exception of the location of the Salt Master Server, values that are +# commented out but have an empty line after the comment are defaults that need +# not be set in the config. If there is no blank line after the comment, the +# value is presented as an example and is not the default. + +# Per default the minion will automatically include all config files +# from minion.d/*.conf (minion.d is a directory in the same directory +# as the main minion config file). +#default_include: minion.d/*.conf + +# Set the location of the salt master server. If the master server cannot be +# resolved, then the minion will fail to start. +master: salt.actcur.com + +# If multiple masters are specified in the 'master' setting, the default behavior +# is to always try to connect to them in the order they are listed. If random_master is +# set to True, the order will be randomized instead. This can be helpful in distributing +# the load of many minions executing salt-call requests, for example, from a cron job. +# If only one master is listed, this setting is ignored and a warning will be logged. +#random_master: False + +# Set whether the minion should connect to the master via IPv6: +#ipv6: False + +# Set the number of seconds to wait before attempting to resolve +# the master hostname if name resolution fails. Defaults to 30 seconds. +# Set to zero if the minion should shutdown and not retry. +# retry_dns: 30 + +# Set the port used by the master reply and authentication server. +#master_port: 4506 + +# The user to run salt. +#user: root + +# Specify the location of the daemon process ID file. +#pidfile: /var/run/salt-minion.pid + +# The root directory prepended to these options: pki_dir, cachedir, log_file, +# sock_dir, pidfile. 
+#root_dir: / + +# The directory to store the pki information in +#pki_dir: /etc/salt/pki/minion + +# Explicitly declare the id for this minion to use, if left commented the id +# will be the hostname as returned by the python call: socket.getfqdn() +# Since salt uses detached ids it is possible to run multiple minions on the +# same machine but with different ids, this can be useful for salt compute +# clusters. +#id: + +# Append a domain to a hostname in the event that it does not exist. This is +# useful for systems where socket.getfqdn() does not actually result in a +# FQDN (for instance, Solaris). +#append_domain: + +# Custom static grains for this minion can be specified here and used in SLS +# files just like all other grains. This example sets 4 custom grains, with +# the 'roles' grain having two values that can be matched against. +#grains: +# roles: +# - webserver +# - memcache +# deployment: datacenter4 +# cabinet: 13 +# cab_u: 14-15 +# +# Where cache data goes. +#cachedir: /var/cache/salt/minion + +# Verify and set permissions on configuration directories at startup. +#verify_env: True + +# The minion can locally cache the return data from jobs sent to it, this +# can be a good way to keep track of jobs the minion has executed +# (on the minion side). By default this feature is disabled, to enable, set +# cache_jobs to True. +#cache_jobs: False + +# Set the directory used to hold unix sockets. +#sock_dir: /var/run/salt/minion + +# Set the default outputter used by the salt-call command. The default is +# "nested". +#output: nested +# +# By default output is colored. To disable colored output, set the color value +# to False. +#color: True + +# Do not strip off the colored output from nested results and state outputs +# (true by default). +# strip_colors: False + +# Backup files that are replaced by file.managed and file.recurse under +# 'cachedir'/file_backups relative to their original location and appended +# with a timestamp. 
The only valid setting is "minion". Disabled by default. +# +# Alternatively this can be specified for each file in state files: +# /etc/ssh/sshd_config: +# file.managed: +# - source: salt://ssh/sshd_config +# - backup: minion +# +#backup_mode: minion + +# When waiting for a master to accept the minion's public key, salt will +# continuously attempt to reconnect until successful. This is the time, in +# seconds, between those reconnection attempts. +#acceptance_wait_time: 10 + +# If this is nonzero, the time between reconnection attempts will increase by +# acceptance_wait_time seconds per iteration, up to this maximum. If this is +# set to zero, the time between reconnection attempts will stay constant. +#acceptance_wait_time_max: 0 + +# If the master rejects the minion's public key, retry instead of exiting. +# Rejected keys will be handled the same as waiting on acceptance. +#rejected_retry: False + +# When the master key changes, the minion will try to re-auth itself to receive +# the new master key. In larger environments this can cause a SYN flood on the +# master because all minions try to re-auth immediately. To prevent this and +# have a minion wait for a random amount of time, use this optional parameter. +# The wait-time will be a random number of seconds between 0 and the defined value. +#random_reauth_delay: 60 + +# When waiting for a master to accept the minion's public key, salt will +# continuously attempt to reconnect until successful. This is the timeout value, +# in seconds, for each individual attempt. After this timeout expires, the minion +# will wait for acceptance_wait_time seconds before trying again. Unless your master +# is under unusually heavy load, this should be left at the default. +#auth_timeout: 60 + +# Number of consecutive SaltReqTimeoutError that are acceptable when trying to +# authenticate. +#auth_tries: 7 + +# If authentication fails due to SaltReqTimeoutError during a ping_interval, +# cause sub minion process to restart. 
+#auth_safemode: False + +# Ping Master to ensure connection is alive (minutes). +#ping_interval: 0 + +# To auto recover minions if master changes IP address (DDNS) +# auth_tries: 10 +# auth_safemode: False +# ping_interval: 90 +# +# Minions won't know master is missing until a ping fails. After the ping fail, +# the minion will attempt authentication and likely fails out and cause a restart. +# When the minion restarts it will resolve the masters IP and attempt to reconnect. + +# If you don't have any problems with syn-floods, don't bother with the +# three recon_* settings described below, just leave the defaults! +# +# The ZeroMQ pull-socket that binds to the masters publishing interface tries +# to reconnect immediately, if the socket is disconnected (for example if +# the master processes are restarted). In large setups this will have all +# minions reconnect immediately which might flood the master (the ZeroMQ-default +# is usually a 100ms delay). To prevent this, these three recon_* settings +# can be used. +# recon_default: the interval in milliseconds that the socket should wait before +# trying to reconnect to the master (1000ms = 1 second) +# +# recon_max: the maximum time a socket should wait. each interval the time to wait +# is calculated by doubling the previous time. if recon_max is reached, +# it starts again at recon_default. Short example: +# +# reconnect 1: the socket will wait 'recon_default' milliseconds +# reconnect 2: 'recon_default' * 2 +# reconnect 3: ('recon_default' * 2) * 2 +# reconnect 4: value from previous interval * 2 +# reconnect 5: value from previous interval * 2 +# reconnect x: if value >= recon_max, it starts again with recon_default +# +# recon_randomize: generate a random wait time on minion start. The wait time will +# be a random value between recon_default and recon_default + +# recon_max. 
Having all minions reconnect with the same recon_default +# and recon_max value kind of defeats the purpose of being able to +# change these settings. If all minions have the same values and your +# setup is quite large (several thousand minions), they will still +# flood the master. The desired behavior is to have timeframe within +# all minions try to reconnect. +# +# Example on how to use these settings. The goal: have all minions reconnect within a +# 60 second timeframe on a disconnect. +# recon_default: 1000 +# recon_max: 59000 +# recon_randomize: True +# +# Each minion will have a randomized reconnect value between 'recon_default' +# and 'recon_default + recon_max', which in this example means between 1000ms +# 60000ms (or between 1 and 60 seconds). The generated random-value will be +# doubled after each attempt to reconnect. Lets say the generated random +# value is 11 seconds (or 11000ms). +# reconnect 1: wait 11 seconds +# reconnect 2: wait 22 seconds +# reconnect 3: wait 33 seconds +# reconnect 4: wait 44 seconds +# reconnect 5: wait 55 seconds +# reconnect 6: wait time is bigger than 60 seconds (recon_default + recon_max) +# reconnect 7: wait 11 seconds +# reconnect 8: wait 22 seconds +# reconnect 9: wait 33 seconds +# reconnect x: etc. +# +# In a setup with ~6000 thousand hosts these settings would average the reconnects +# to about 100 per second and all hosts would be reconnected within 60 seconds. +# recon_default: 100 +# recon_max: 5000 +# recon_randomize: False +# +# +# The loop_interval sets how long in seconds the minion will wait between +# evaluating the scheduler and running cleanup tasks. This defaults to a +# sane 60 seconds, but if the minion scheduler needs to be evaluated more +# often lower this value +#loop_interval: 60 + +# The grains_refresh_every setting allows for a minion to periodically check +# its grains to see if they have changed and, if so, to inform the master +# of the new grains. 
This operation is moderately expensive, therefore +# care should be taken not to set this value too low. +# +# Note: This value is expressed in __minutes__! +# +# A value of 10 minutes is a reasonable default. +# +# If the value is set to zero, this check is disabled. +#grains_refresh_every: 1 + +# Cache grains on the minion. Default is False. +#grains_cache: False + +# Grains cache expiration, in seconds. If the cache file is older than this +# number of seconds then the grains cache will be dumped and fully re-populated +# with fresh data. Defaults to 5 minutes. Will have no effect if 'grains_cache' +# is not enabled. +# grains_cache_expiration: 300 + +# Windows platforms lack posix IPC and must rely on slower TCP based inter- +# process communications. Set ipc_mode to 'tcp' on such systems +#ipc_mode: ipc + +# Overwrite the default tcp ports used by the minion when in tcp mode +#tcp_pub_port: 4510 +#tcp_pull_port: 4511 + +# Passing very large events can cause the minion to consume large amounts of +# memory. This value tunes the maximum size of a message allowed onto the +# minion event bus. The value is expressed in bytes. +#max_event_size: 1048576 + +# To detect failed master(s) and fire events on connect/disconnect, set +# master_alive_interval to the number of seconds to poll the masters for +# connection events. +# +#master_alive_interval: 30 + +# The minion can include configuration from other files. To enable this, +# pass a list of paths to this option. The paths can be either relative or +# absolute; if relative, they are considered to be relative to the directory +# the main minion configuration file lives in (this file). Paths can make use +# of shell-style globbing. If no files are matched by a path passed to this +# option then the minion will log a warning message. 
+# +# Include a config file from some other path: +# include: /etc/salt/extra_config +# +# Include config from several files and directories: +#include: +# - /etc/salt/extra_config +# - /etc/roles/webserver +# +# +# +##### Minion module management ##### +########################################## +# Disable specific modules. This allows the admin to limit the level of +# access the master has to the minion. +#disable_modules: [cmd,test] +#disable_returners: [] +# +# Modules can be loaded from arbitrary paths. This enables the easy deployment +# of third party modules. Modules for returners and minions can be loaded. +# Specify a list of extra directories to search for minion modules and +# returners. These paths must be fully qualified! +#module_dirs: [] +#returner_dirs: [] +#states_dirs: [] +#render_dirs: [] +#utils_dirs: [] +# +# A module provider can be statically overwritten or extended for the minion +# via the providers option, in this case the default module will be +# overwritten by the specified module. In this example the pkg module will +# be provided by the yumpkg5 module instead of the system default. +#providers: +# pkg: yumpkg5 +# +# Enable Cython modules searching and loading. (Default: False) +#cython_enable: False +# +# Specify a max size (in bytes) for modules on import. This feature is currently +# only supported on *nix operating systems and requires psutil. +# modules_max_memory: -1 + + +##### State Management Settings ##### +########################################### +# The state management system executes all of the state templates on the minion +# to enable more granular control of system state management. The type of +# template and serialization used for state management needs to be configured +# on the minion, the default renderer is yaml_jinja. 
This is a yaml file +# rendered from a jinja template, the available options are: +# yaml_jinja +# yaml_mako +# yaml_wempy +# json_jinja +# json_mako +# json_wempy +# +#renderer: yaml_jinja +# +# The failhard option tells the minions to stop immediately after the first +# failure detected in the state execution. Defaults to False. +#failhard: False +# +# autoload_dynamic_modules turns on automatic loading of modules found in the +# environments on the master. This is turned on by default. To turn of +# autoloading modules when states run, set this value to False. +#autoload_dynamic_modules: True +# +# clean_dynamic_modules keeps the dynamic modules on the minion in sync with +# the dynamic modules on the master, this means that if a dynamic module is +# not on the master it will be deleted from the minion. By default, this is +# enabled and can be disabled by changing this value to False. +#clean_dynamic_modules: True +# +# Normally, the minion is not isolated to any single environment on the master +# when running states, but the environment can be isolated on the minion side +# by statically setting it. Remember that the recommended way to manage +# environments is to isolate via the top file. +{%- set env="dev" -%} +{%- if pillar['env'] is defined -%} + {%- set env=pillar['env'] -%} +{%- endif %} +environment: {{ env }} +# +# If using the local file directory, then the state top file name needs to be +# defined, by default this is top.sls. +#state_top: top.sls +# +# Run states when the minion daemon starts. 
To enable, set startup_states to: +# 'highstate' -- Execute state.highstate +# 'sls' -- Read in the sls_list option and execute the named sls files +# 'top' -- Read top_file option and execute based on that file on the Master +#startup_states: '' +# +# List of states to run when the minion starts up if startup_states is 'sls': +#sls_list: +# - edit.vim +# - hyper +# +# Top file to execute if startup_states is 'top': +#top_file: '' + +# Automatically aggregate all states that have support for mod_aggregate by +# setting to True. Or pass a list of state module names to automatically +# aggregate just those types. +# +# state_aggregate: +# - pkg +# +#state_aggregate: False + +##### File Directory Settings ##### +########################################## +# The Salt Minion can redirect all file server operations to a local directory, +# this allows for the same state tree that is on the master to be used if +# copied completely onto the minion. This is a literal copy of the settings on +# the master but used to reference a local directory on the minion. + +# Set the file client. The client defaults to looking on the master server for +# files, but can be directed to look at the local file directory setting +# defined below by setting it to local. +#file_client: remote + +# The file directory works on environments passed to the minion, each environment +# can have multiple root directories, the subdirectories in the multiple file +# roots cannot match, otherwise the downloaded files will not be able to be +# reliably ensured. A base environment is required to house the top file. 
+# Example: +# file_roots: +# base: +# - /srv/salt/ +# dev: +# - /srv/salt/dev/services +# - /srv/salt/dev/states +# prod: +# - /srv/salt/prod/services +# - /srv/salt/prod/states +# +#file_roots: +# base: +# - /srv/salt +file_roots: + base: + - /srv/salt/prod/states + prod: + - /srv/salt/prod/states + dev: + - /srv/salt/dev/states + +# By default, the Salt fileserver recurses fully into all defined environments +# to attempt to find files. To limit this behavior so that the fileserver only +# traverses directories with SLS files and special Salt directories like _modules, +# enable the option below. This might be useful for installations where a file root +# has a very large number of files and performance is negatively impacted. Default +# is False. +#fileserver_limit_traversal: False + +# The hash_type is the hash to use when discovering the hash of a file in +# the local fileserver. The default is md5, but sha1, sha224, sha256, sha384 +# and sha512 are also supported. +# +# Warning: Prior to changing this value, the minion should be stopped and all +# Salt caches should be cleared. +#hash_type: md5 + +# The Salt pillar is searched for locally if file_client is set to local. If +# this is the case, and pillar data is defined, then the pillar_roots need to +# also be configured on the minion: +#pillar_roots: +# base: +# - /srv/pillar +# +pillar_roots: + base: + - /srv/salt/prod/pillar + prod: + - /srv/salt/prod/pillar + dev: + - /srv/salt/dev/pillar +# +###### Security settings ##### +########################################### +# Enable "open mode", this mode still maintains encryption, but turns off +# authentication, this is only intended for highly secure environments or for +# the situation where your keys end up in a bad state. If you run in open mode +# you do so at your own risk! +#open_mode: False + +# Enable permissive access to the salt keys. 
This allows you to run the +# master or minion as root, but have a non-root group be given access to +# your pki_dir. To make the access explicit, root must belong to the group +# you've given access to. This is potentially quite insecure. +#permissive_pki_access: False + +# The state_verbose and state_output settings can be used to change the way +# state system data is printed to the display. By default all data is printed. +# The state_verbose setting can be set to True or False, when set to False +# all data that has a result of True and no changes will be suppressed. +#state_verbose: True + +# The state_output setting changes if the output is the full multi line +# output for each changed state if set to 'full', but if set to 'terse' +# the output will be shortened to a single line. +state_output: mixed + +# The state_output_diff setting changes whether or not the output from +# successful states is returned. Useful when even the terse output of these +# states is cluttering the logs. Set it to True to ignore them. +#state_output_diff: False + +# Fingerprint of the master public key to double verify the master is valid, +# the master fingerprint can be found by running "salt-key -F master" on the +# salt master. +#master_finger: '' + + +###### Thread settings ##### +########################################### +# Disable multiprocessing support, by default when a minion receives a +# publication a new process is spawned and the command is executed therein. +#multiprocessing: True + + +##### Logging settings ##### +########################################## +# The location of the minion log file +# The minion log can be sent to a regular file, local path name, or network +# location. Remote logging works best when configured to use rsyslogd(8) (e.g.: +# ``file:///dev/log``), with rsyslogd(8) configured for network logging. 
The URI +# format is: ://:/ +#log_file: /var/log/salt/minion +#log_file: file:///dev/log +#log_file: udp://loghost:10514 +# +#log_file: /var/log/salt/minion +#key_logfile: /var/log/salt/key + +# The level of messages to send to the console. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# Default: 'warning' +#log_level: warning + +# The level of messages to send to the log file. +# One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'. +# If using 'log_granular_levels' this must be set to the highest desired level. +# Default: 'warning' +#log_level_logfile: + +# The date and time format used in log messages. Allowed date/time formating +# can be seen here: http://docs.python.org/library/time.html#time.strftime +#log_datefmt: '%H:%M:%S' +#log_datefmt_logfile: '%Y-%m-%d %H:%M:%S' + +# The format of the console logging messages. Allowed formatting options can +# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes +#log_fmt_console: '[%(levelname)-8s] %(message)s' +#log_fmt_logfile: '%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s' + +# This can be used to control logging levels more specificically. This +# example sets the main salt library at the 'warning' level, but sets +# 'salt.modules' to log at the 'debug' level: +# log_granular_levels: +# 'salt': 'warning' +# 'salt.modules': 'debug' +# +#log_granular_levels: {} + +# To diagnose issues with minions disconnecting or missing returns, ZeroMQ +# supports the use of monitor sockets # to log connection events. This +# feature requires ZeroMQ 4.0 or higher. +# +# To enable ZeroMQ monitor sockets, set 'zmq_monitor' to 'True' and log at a +# debug level or higher. +# +# A sample log event is as follows: +# +# [DEBUG ] ZeroMQ event: {'endpoint': 'tcp://127.0.0.1:4505', 'event': 512, +# 'value': 27, 'description': 'EVENT_DISCONNECTED'} +# +# All events logged will include the string 'ZeroMQ event'. 
A connection event +# should be logged on the as the minion starts up and initially connects to the +# master. If not, check for debug log level and that the necessary version of +# ZeroMQ is installed. +# +#zmq_monitor: False + +###### Module configuration ##### +########################################### +# Salt allows for modules to be passed arbitrary configuration data, any data +# passed here in valid yaml format will be passed on to the salt minion modules +# for use. It is STRONGLY recommended that a naming convention be used in which +# the module name is followed by a . and then the value. Also, all top level +# data must be applied via the yaml dict construct, some examples: +# +# You can specify that all modules should run in test mode: +#test: True +# +# A simple value for the test module: +#test.foo: foo +# +# A list for the test module: +#test.bar: [baz,quo] +# +# A dict for the test module: +#test.baz: {spam: sausage, cheese: bread} +# +# +###### Update settings ###### +########################################### +# Using the features in Esky, a salt minion can both run as a frozen app and +# be updated on the fly. These options control how the update process +# (saltutil.update()) behaves. +# +# The url for finding and downloading updates. Disabled by default. +#update_url: False +# +# The list of services to restart after a successful update. Empty by default. +#update_restart_services: [] + + +###### Keepalive settings ###### +############################################ +# ZeroMQ now includes support for configuring SO_KEEPALIVE if supported by +# the OS. If connections between the minion and the master pass through +# a state tracking device such as a firewall or VPN gateway, there is +# the risk that it could tear down the connection the master and minion +# without informing either party that their connection has been taken away. +# Enabling TCP Keepalives prevents this from happening. 
+ +# Overall state of TCP Keepalives, enable (1 or True), disable (0 or False) +# or leave to the OS defaults (-1), on Linux, typically disabled. Default True, enabled. +#tcp_keepalive: True + +# How long before the first keepalive should be sent in seconds. Default 300 +# to send the first keepalive after 5 minutes, OS default (-1) is typically 7200 seconds +# on Linux see /proc/sys/net/ipv4/tcp_keepalive_time. +#tcp_keepalive_idle: 300 + +# How many lost probes are needed to consider the connection lost. Default -1 +# to use OS defaults, typically 9 on Linux, see /proc/sys/net/ipv4/tcp_keepalive_probes. +#tcp_keepalive_cnt: -1 + +# How often, in seconds, to send keepalives after the first one. Default -1 to +# use OS defaults, typically 75 seconds on Linux, see +# /proc/sys/net/ipv4/tcp_keepalive_intvl. +#tcp_keepalive_intvl: -1 + + +###### Windows Software settings ###### +############################################ +# Location of the repository cache file on the master: +#win_repo_cachefile: 'salt://win/repo/winrepo.p' + + +###### Returner settings ###### +############################################ +# Which returner(s) will be used for minion's result: +#return: mysql diff --git a/states/roles/maintain/ytdownloader/feedsbase.csv b/states/roles/maintain/ytdownloader/feedsbase.csv new file mode 100755 index 0000000..ca17661 --- /dev/null +++ b/states/roles/maintain/ytdownloader/feedsbase.csv @@ -0,0 +1,4 @@ +RoosterTeeth http://podsync.net/sv8x /mnt/video/torrents/Process/ RWBY RWBY.S[Volume ]E[Chapter ] +RWBY http://podsync.net/8dzz /mnt/video/torrents/Process/ RWBY RWBY.S[Volume ]E[Chapter ] +RvB http://podsync.net/sv8x /mnt/video/torrents/Process/ Red vs. Blue Red.vs.Blue.S[Season ]E[Episode ] +RvB1-14 http://podsync.net/8jvQ /mnt/video/torrents/Process/ Season 1 Red.vs.Blue.S[Season ]E[Episode ] diff --git a/states/roles/maintain/ytdownloader/init.sls b/states/roles/maintain/ytdownloader/init.sls new file mode 100755 index 0000000..7c88d58 --- /dev/null 
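Review bot: `master: salt.actcur.com` is set but `master_finger` is left at its empty default, so a freshly keyed (or re-keyed) minion trusts whichever host answers for that name on first contact; anyone who can spoof DNS or the network path for the master name then gets a master that runs arbitrary commands as root on this minion. Pin the master key with `master_finger: '<output of salt-key -F master on the master>'`, and since the commented `#hash_type: md5` shows the version default is md5, set `hash_type: sha256` explicitly at the same time (the fingerprint comparison presumably uses the minion's `hash_type`, so generate the fingerprint with the same algorithm). The `environment: {{ env }}` block falls back to `dev` whenever `pillar['env']` is undefined, so a host with missing or mis-targeted pillar silently pulls dev states; raising an error from the template, or defaulting to the same `prod` tree that `file_roots` `base` already points at, would fail in a less surprising direction. This is a templated copy of the stock config, so a comment at the top noting which keys are intentionally changed from the defaults (`master`, `environment`, `file_roots`, `pillar_roots`, `state_output`) would make future diffs easier to review.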
+++ b/states/roles/maintain/ytdownloader/init.sls @@ -0,0 +1,47 @@ +{%- set os=grains['os'] -%} + +yt-python: + pkg.installed: + - pkgs: + - python + - python-requests + +"/root/scripts/ytdownloader/feedsbase.csv": + file.managed: + - source: salt://roles/maintain/ytdownloader/feedsbase.csv + - user: root + - group: root + - mode: 644 + - makedirs: true + +"/root/scripts/ytdownloader/ytdownloader.py": + file.managed: + - source: salt://roles/maintain/ytdownloader/ytdownloader.py + - user: root + - group: root + - mode: 644 + - makedirs: true + +"/usr/lib/systemd/system/ytdownloader.service": + file.managed: + - source: salt://roles/maintain/ytdownloader/ytdownloader.service + - user: root + - group: root + - mode: 644 + +"/usr/lib/systemd/system/ytdownloader.timer": + file.managed: + - source: salt://roles/maintain/ytdownloader/ytdownloader.timer + - user: root + - group: root + - mode: 644 + +"ytdownloader.timer": + service.running: + - enable: true + +"ytdownloader-reload": + module.run: + - name: service.systemctl_reload + - onchanges: + - file: /usr/lib/systemd/system/* diff --git a/states/roles/maintain/ytdownloader/ytdownloader.py b/states/roles/maintain/ytdownloader/ytdownloader.py new file mode 100755 index 0000000..959549c --- /dev/null +++ b/states/roles/maintain/ytdownloader/ytdownloader.py 
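Review bot: `"ytdownloader.timer": service.running` is declared before `ytdownloader-reload`, and with no requisite between them Salt presumably runs them in definition order, so on first deploy (or after either unit file changes) systemd is asked to enable and start a timer it has not yet reloaded. Add `- require: - module: ytdownloader-reload` to the timer state, or move the reload state above it with an explicit `watch` on the two unit-file states. The `onchanges: - file: /usr/lib/systemd/system/*` glob matches state IDs, which here are the quoted unit paths, so it works, but listing the two file states by name would be clearer and would not silently miss a unit added later under a different ID. `{%- set os=grains['os'] -%}` is unused. Installing the script 0644 is fine since the unit invokes it through `/bin/python` rather than executing it directly.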
@@ -0,0 +1,100 @@ +#download files from youtube using rss feeds +import urllib.request +import xml.etree.ElementTree as ET +import requests +import csv +import os.path +import re +import shutil +from datetime import datetime + +def getname(name,scheme): + #find matching [*] + locs=re.findall('(?<=\[)[^\[\]]+(?=\])',scheme) + digits=[] + for loc in locs: + mstr='(?<='+loc+')[0-9]+' + dig=re.findall(mstr,name) + if(len(dig)>0): + digits.append(dig[0]) + schema=re.split('(\[[^\[\]]+\])',scheme) + nname='' + count=0 + for bit in schema: + if(re.match('\[.*\]',bit)): + if(len(digits)>count): + nname+=digits[count].zfill(2) + count+=1 + else: + nname+=bit + if(count == len(locs)): + return nname + else: + return name + +def downloadfile(name,dest,url): + name=name+".mp4" + print('Saving to: '+name) + urllib.request.urlretrieve(url,name) + print('Moving to: '+dest+name) + shutil.move(name,dest+name) + print('Done') + +def downloadfromfeed(feed): + url=feed[1] + dest=feed[2] + filt=feed[3] + scheme=feed[4] + lastdl=datetime.strptime(feed[5], '%Y-%m-%d %H:%M:%S') + response = urllib.request.urlopen(url) + data = response.read() + text = data.decode('utf-8') + root = ET.fromstring(text) + for child in root.findall('.//item'): + title=child.find('.//title') + date=datetime.strptime(child.find('.//pubDate').text, '%a, %d %b %Y %H:%M:%S %Z') + if(date>lastdl): + if(filt in title.text): + if(date>datetime.strptime(feed[5], '%Y-%m-%d %H:%M:%S')): + feed[5]=date.strftime('%Y-%m-%d %H:%M:%S') + enc=child.find('.//enclosure') + name=title.text + target=enc.attrib.get('url') + print('Downloading: '+name) + fname=getname(name,scheme) + downloadfile(fname,dest,target) + +def downloadfeeds(feeds): + for feed in feeds: + downloadfromfeed(feed) + +def readcsv(f,base): + data=[] + if(os.path.exists(f)): + with open(f) as csvfile: + reader=csv.reader(csvfile, delimiter='\t') + for row in reader: + data.append(row) + dnames=[row[0] for row in data] + with open(base) as basefile: + 
reader=csv.reader(basefile, delimiter='\t') + for row in reader: + if(row[0] not in dnames): + row.append('2000-01-01 01:01:01') + data.append(row) + dnames.append(row[0]) + return data + +def savecsv(data,f): + with open(f, 'w') as csvfile: + writer=csv.writer(csvfile, delimiter='\t') + writer.writerows(data) + +os.chdir('/root/scripts/ytdownloader') +csvfile='feeds.csv' +csvbase='feedsbase.csv' +data=readcsv(csvfile,csvbase) +downloadfeeds(data) +print(data) +savecsv(data,csvfile) + diff --git a/states/roles/maintain/ytdownloader/ytdownloader.service b/states/roles/maintain/ytdownloader/ytdownloader.service new file mode 100755 index 0000000..3313b13 --- /dev/null +++ b/states/roles/maintain/ytdownloader/ytdownloader.service @@ -0,0 +1,10 @@ +[Unit] +Description=Runs ytdownloader.py + +[Service] +Type=oneshot +RemainAfterExit=no +ExecStart=/bin/python /root/scripts/ytdownloader/ytdownloader.py + +[Install] +WantedBy=multi-user.target diff --git a/states/roles/maintain/ytdownloader/ytdownloader.timer b/states/roles/maintain/ytdownloader/ytdownloader.timer new file mode 100755 index 0000000..740ba7c --- /dev/null +++ b/states/roles/maintain/ytdownloader/ytdownloader.timer @@ -0,0 +1,13 @@ +[Unit] +Description=Runs ytdownloader every hour + +[Timer] +# Time to wait after booting before we run first time +OnBootSec=10min +# Time between running each consecutive time +OnUnitActiveSec=1h +Unit=ytdownloader.service + +[Install] +WantedBy=multi-user.target + diff --git a/states/systems/arch/mirrors/init.sls b/states/systems/arch/mirrors/init.sls new file mode 100755 index 0000000..e31e440 --- /dev/null +++ b/states/systems/arch/mirrors/init.sls @@ -0,0 +1,8 @@ +/etc/pacman.d/mirrorlist: + file.managed: + - makedirs: true + - source: salt://systems/arch/mirrors/mirrorlist + - user: root + - group: root + - mode: 644 + - template: jinja diff --git a/states/systems/arch/mirrors/mirrorlist b/states/systems/arch/mirrors/mirrorlist new file mode 100755 index 0000000..e0ee537 
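Review bot: `downloadfile()` builds the destination as `dest+name`, where `name` comes straight from the remote feed's `<title>` via `getname()`, and the systemd unit runs this script as root; a feed item titled `../../../../etc/cron.d/x` (or anything containing `/`) makes `shutil.move` write outside `/mnt/video/torrents/Process/`, and because the feeds in `feedsbase.csv` are fetched over plain `http://` the feed body can be rewritten in transit. Strip path components from the title and join with `os.path.join` instead of string concatenation, as below. `ET.fromstring` on untrusted XML and `urllib.request.urlretrieve` following an arbitrary `enclosure` URL (including `file://`, which urlretrieve accepts) are the same trust problem; moving the feed URLs to https and bounding the download size would help, though that is a larger change. The trailing `print(data)` dumps the whole feed table to the journal every run and looks like leftover debugging.

```python
def downloadfile(name,dest,url):
    # the title comes from the remote feed and this runs as root:
    # drop any directory components so it cannot escape dest
    name=os.path.basename(name)+".mp4"
    if name==".mp4":
        raise ValueError('feed entry has no usable title')
    print('Saving to: '+name)
    urllib.request.urlretrieve(url,name)
    target=os.path.join(dest,name)
    print('Moving to: '+target)
    shutil.move(name,target)
    print('Done')
```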
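Review bot: The unit runs `/root/scripts/ytdownloader/ytdownloader.py` as root with no sandboxing, while that script fetches and parses untrusted RSS and media over plain HTTP; a dedicated `User=` plus `ProtectSystem=strict` and `ReadWritePaths=` limited to the state directory and `/mnt/video/torrents/Process` would confine what a malicious feed can do. That needs the script's working directory moved out of `/root` (it does `os.chdir('/root/scripts/ytdownloader')` and rewrites `feeds.csv` there), so it is a follow-up rather than a one-line edit. `ExecStart=/bin/python` presumably resolves to Python 3 on the Arch hosts this repo targets, but it is absent or Python 2 elsewhere; `/usr/bin/python3` would make the interpreter the script actually needs (`urllib.request`) explicit.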
--- /dev/null +++ b/states/systems/arch/mirrors/mirrorlist @@ -0,0 +1,2 @@ +Server = http://pkg.actcur.com/$repo/os/$arch +{% include 'mirrors.list' %} diff --git a/states/systems/core/firewalld/init.sls b/states/systems/core/firewalld/init.sls new file mode 100755 index 0000000..9c4308e --- /dev/null +++ b/states/systems/core/firewalld/init.sls @@ -0,0 +1,35 @@ +iptables: + pkg.installed: + - name: iptables + +firewalld: + pkg.installed: + - name: firewalld + service.running: + - enable: true + - watch: + - file: /etc/firewalld/zones/* + +#salt minion should be restarted when firewall changes to ensure it's up properly +fwd-minion: + service.running: + - name: salt-minion + - watch: + - file: /etc/firewalld/zones/* + +{##ensure that firewalld pillar exists##} +{%- if pillar['firewalld'] is defined -%} + +{##set up zone files for this server##} +{%- for zone in pillar['firewalld'] %} +/etc/firewalld/zones/{{ zone }}.xml: + file.managed: + - source: salt://systems/core/firewalld/zone.xml + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + zone: {{ zone }} +{%- endfor %} +{%- endif %} diff --git a/states/systems/core/firewalld/zone.xml b/states/systems/core/firewalld/zone.xml new file mode 100755 index 0000000..27239f3 --- /dev/null +++ b/states/systems/core/firewalld/zone.xml 
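Review bot: The private mirror is configured as `http://pkg.actcur.com/$repo/os/$arch`, which lets an on-path attacker substitute or roll back the repository database and packages; how much that matters depends on the `SigLevel` set for this repo in pacman.conf, which is not part of this change. Serving it over TLS, `Server = https://pkg.actcur.com/$repo/os/$arch`, closes the transport gap regardless of the signing policy. The `{% include 'mirrors.list' %}` resolves relative to the Salt file roots rather than this template's directory, so it presumably expects a `mirrors.list` at the root of each environment; a comment stating where that file lives would help the next person who adds an environment.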
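Review bot: The loop only creates `/etc/firewalld/zones/{{ zone }}.xml` for zones present in `pillar['firewalld']`; a zone removed from pillar, or a host whose pillar loses the `firewalld` key entirely (which skips the whole block), keeps its old XML file and therefore its open ports and sources. Enforce removal as well, e.g. a `file.directory` on `/etc/firewalld/zones` with `- clean: true` and `- require` on the managed zone files, or `file.absent` for zones no longer in pillar. The `fwd-minion` state suggests the full `firewalld` restart triggered by `watch` disrupts the minion's own connection; `- reload: true` on the `firewalld` service state uses firewalld's reload instead of a restart and may remove the need to bounce salt-minion at all.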
@@ -0,0 +1,112 @@ + + +{#- ensure that zone exists in firewalld pillar -#} +{%- if pillar['firewalld'] is defined -%} + {%- if pillar['firewalld'][zone] is defined %} + {{ zone }} + + {#- check if there's a description of this zone and add it if applicable- #} + {%- if pillar['firewalld'][zone]['description'] is defined %} + {{ pillar['firewalld'][zone]['description'] }} + {% endif %} + + {#- grab sources if applicable -#} + {%- if pillar['firewalld'][zone]['source'] is defined %} + + {%- for source in pillar['firewalld'][zone]['source'] %} + + {%- endfor -%} + {%- endif -%} + + {#- grab services for this zone of server -#} + {%- if pillar['firewalld'][zone]['service'] is defined %} + + {%- for service in pillar['firewalld'][zone]['service'] %} + + {%- endfor -%} + {%- endif -%} + + {#- grab ports for the this zone on server -#} + {%- if pillar['firewalld'][zone]['port'] is defined %} + + {%- for port in pillar['firewalld'][zone]['port'] -%} + {%- set lst=port.split('/') %} + + {%- endfor -%} + {%- endif -%} + + {#- grab specific rules for the this zone on server -#} + {%- if pillar['firewalld'][zone]['rule'] is defined %} + + {%- for rule in pillar['firewalld'][zone]['rule'] %} + + {%- if pillar['firewalld'][zone]['rule'][rule]['source'] is defined -%} +{#- #} + + {%- endif -%} + {%- if pillar['firewalld'][zone]['rule'][rule]['service'] is defined -%} +{#- #} + + {%- elif pillar['firewalld'][zone]['rule'][rule]['port'] is defined -%} + {%- set lst=pillar['firewalld'][zone]['rule'][rule]['port'].split('/') %} + + {%- endif %} + <{{ pillar['firewalld'][zone]['rule'][rule]['action'] }}/> + + {%- endfor -%} + {%- endif -%} + + {#- loop through included zones -#} + {%- if pillar['firewalld'][zone]['include'] is defined -%} + {%- for include in pillar['firewalld'][zone]['include'] -%} + {#- ensure include exists in firewalld pillar -#} + {%- if pillar['firewalld'][include] is defined %} +{# #} +{# #} + + + {#- grab services for this included zone of server -#} + {%- if 
pillar['firewalld'][include]['service'] is defined %} + + {%- for service in pillar['firewalld'][include]['service'] %} + + {%- endfor -%} + {%- endif -%} + + {#- grab ports for the this included zone on server -#} + {%- if pillar['firewalld'][include]['port'] is defined %} + + {%- for port in pillar['firewalld'][include]['port'] -%} + {%- set lst=port.split('/') %} + + {%- endfor -%} + {%- endif -%} + + {#- grab specific rules for the this included zone on server -#} + {%- if pillar['firewalld'][include]['rule'] is defined %} + + {%- for rule in pillar['firewalld'][include]['rule'] %} + + {%- if pillar['firewalld'][include]['rule'][rule]['source'] is defined -%} +{#- #} + + {%- endif -%} + {%- if pillar['firewalld'][include]['rule'][rule]['service'] is defined -%} +{#- #} + + {%- elif pillar['firewalld'][include]['rule'][rule]['port'] is defined -%} + {%- set lst=pillar['firewalld'][include]['rule'][rule]['port'].split('/') %} + + {%- endif %} + <{{ pillar['firewalld'][include]['rule'][rule]['action'] }}/> + + {%- endfor -%} + {%- endif -%} + + {%- endif -%} + {%- endfor -%} + {%- endif -%} + + {%- endif -%} +{%- endif %} + diff --git a/states/systems/core/firewalld/zone.xml.old b/states/systems/core/firewalld/zone.xml.old new file mode 100755 index 0000000..072c97c --- /dev/null +++ b/states/systems/core/firewalld/zone.xml.old 
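Review bot: In the per-rule block, `{%- if ...['service'] is defined -%} … {%- elif ...['port'] is defined -%}` means a rule whose pillar entry defines both `service` and `port` silently emits only the service and drops the port; either emit both or fail the render when both are set, since a rule that is narrower than intended is hard to notice from the host. `action` is read unconditionally (`<{{ pillar['firewalld'][zone]['rule'][rule]['action'] }}/>`), which is the right fail-closed choice, but it deserves a template comment such as `{#- action is mandatory: a rule without one must fail the render rather than default -#}`. The services/ports/rules section is duplicated verbatim for included zones in the second half of the hunk; a single `{% macro zone_body(name) %}` called once for `zone` and once per `include` would halve the template and keep the two copies from drifting. The XML element tags are not visible in this view of the hunk, so these points are based on the Jinja control flow only.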
@@ -0,0 +1,61 @@ + + +{#- ensure that zone exists in firewalld pillar -#} +{%- if pillar['firewalld'] is defined -%} +{%- if pillar['firewalld'][zone] is defined %} + {{ zone }} + +{#- check if there's a description of this zone and add it if applicable- #} +{%- if pillar['firewalld'][zone]['description'] is defined %} + {{ pillar['firewalld'][zone]['description'] }} +{% endif %} + +{#- grab sources if applicable -#} +{%- if pillar['firewalld'][zone]['source'] is defined %} + +{%- for source in pillar['firewalld'][zone]['source'] %} + +{%- endfor -%} +{%- endif -%} + +{#- grab services for this zone of server -#} +{%- if pillar['firewalld'][zone]['service'] is defined %} + +{%- for service in pillar['firewalld'][zone]['service'] %} + +{%- endfor -%} +{%- endif -%} + +{#- grab ports for the this zone on server -#} +{%- if pillar['firewalld'][zone]['port'] is defined %} + +{%- for port in pillar['firewalld'][zone]['port'] -%} +{%- set lst=port.split('/') %} + +{%- endfor -%} +{%- endif -%} + +{#- grab specific rules for the this zone on server -#} +{%- if pillar['firewalld'][zone]['rule'] is defined %} + +{%- for rule in pillar['firewalld'][zone]['rule'] %} + +{%- if pillar['firewalld'][zone]['rule'][rule]['source'] is defined -%} +{#- #} + +{%- endif -%} +{%- if pillar['firewalld'][zone]['rule'][rule]['service'] is defined -%} +{#- #} + +{%- elif pillar['firewalld'][zone]['rule'][rule]['port'] is defined -%} +{%- set lst=pillar['firewalld'][zone]['rule'][rule]['port'].split('/') %} + +{%- endif %} + <{{ pillar['firewalld'][zone]['rule'][rule]['action'] }}/> + +{%- endfor -%} +{%- endif -%} + +{%- endif -%} +{%- endif %} + diff --git a/states/systems/core/git/init.sls b/states/systems/core/git/init.sls new file mode 100644 index 0000000..0c16539 --- /dev/null +++ b/states/systems/core/git/init.sls 
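Review bot: `zone.xml.old` is dead: `init.sls` sources only `salt://systems/core/firewalld/zone.xml`, and git history already preserves the previous version. Anything under the state file root is fetchable by every minion via `salt://`, so stale copies are best not committed; drop the file or keep it outside the file root.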
@@ -0,0 +1,54 @@ +git_pkg: + pkg.installed: + - name: git + +{##ensure that git pillar exists##} +{%- if pillar['git'] is defined -%} + + {##set up git repos for this server##} + {%- for repo in pillar['git'] %} + + {%- if pillar['git'][repo]['key'] is defined %} +{{ repo }}_key: +file.managed: + - name: /root/.ssh/{{ pillar['git'][repo]['key'] }} + - source: salt://systems/core/git/keys/{{ pillar['git'][repo]['key'] }} + - user: root + - group: root + - mode: 600 + - makedirs: true + {%- endif -%} +{{ repo }}: + git.latest: + - name: {{ pillar['git'][repo]['repo'] }} + - target: {{ pillar['git'][repo]['path'] }} + {%- if pillar['git'][repo]['branch'] is defined %} + - branch: {{ pillar['git'][repo]['branch'] }} + {%- endif -%} + {%- if pillar['git'][repo]['key'] is defined %} + - identity: /root/.ssh/{{ pillar['git'][repo]['key'] }} + {%- endif -%} + {%- if pillar['git'][repo]['force'] is defined %} + - force_checkout: {{ pillar['git'][repo]['force'] }} + - force_reset: {{ pillar['git'][repo]['force'] }} + {%- endif -%} + + {##ensure that name is defined pillar exists##} + {%- if pillar['git'][repo]['name'] is defined %} +{{ repo }}_name: + git.config_set: + - name: user.name + - value: {{ pillar['git'][repo]['name'] }} + - repo: {{ pillar['git'][repo]['path'] }} + {%- endif -%} + + {##ensure that email is defined pillar exists##} + {%- if pillar['git'][repo]['email'] is defined %} +{{ repo }}_email: + git.config_set: + - name: user.email + - value: {{ pillar['git'][repo]['email'] }} + - repo: {{ pillar['git'][repo]['path'] }} + {%- endif -%} + {%- endfor %} +{%- endif %} diff --git a/states/systems/core/git/keys b/states/systems/core/git/keys new file mode 100644 index 0000000..2feebc4 --- /dev/null +++ b/states/systems/core/git/keys @@ -0,0 +1 @@ +/keys/git/ \ No newline at end of file diff --git a/states/systems/core/ldap.sss/init.sls b/states/systems/core/ldap.sss/init.sls new file mode 100755 index 0000000..63e862c --- /dev/null 
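Review bot: The repo deploy keys are distributed from the state file root (`- source: salt://systems/core/git/keys/{{ pillar['git'][repo]['key'] }}`), and anything under `file_roots` can be fetched by any minion regardless of which host a key is meant for, so every managed machine can read every private key. Serve them from pillar instead, which is targeted per minion: replace `- source:` with `- contents_pillar: git:{{ repo }}:key_contents` (or a similar key) and keep the key material out of the file root, ideally GPG-rendered. Under `{{ repo }}_key:` the `file.managed:` line also appears to sit at column 0 rather than indented under the ID, which would leave the ID as an empty mapping and fail the render; please check the indentation. The companion `keys` entry in this commit is a regular file (mode 100644) whose content is the path `/keys/git/`, not a symlink, so `salt://systems/core/git/keys/<name>` cannot resolve as written.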
+++ b/states/systems/core/ldap.sss/init.sls @@ -0,0 +1,48 @@ +openldap_client: + pkg.installed: + - pkgs: + - openldap + +/etc/openldap/ldap.conf: + file.managed: + - source: salt://systems/core/ldap/ldap.conf + - user: root + - group: root + - mode: 644 + +sssd: + pkg.installed: [] + service.running: + - enable: true + - watch: + - file: /etc/sssd/sssd.conf + +/etc/sssd/sssd.conf: + file.managed: + - source: salt://systems/core/ldap/sssd.conf + - user: root + - group: root + - mode: 600 + +/etc/nscd.conf: + file.managed: + - source: salt://systems/core/ldap/nscd.conf + - user: root + - group: root + - mode: 644 + +/etc/nsswitch.conf: + file.managed: + - source: salt://systems/core/ldap/nsswitch.conf + - user: root + - group: root + - mode: 644 + + +/etc/pam.d: + file.recurse: + - source: salt://systems/core/ldap/pam.d + - user: root + - group: root + - dir_mode: 755 + - file_mode: 644 diff --git a/states/systems/core/ldap.sss/ldap.conf b/states/systems/core/ldap.sss/ldap.conf new file mode 100755 index 0000000..2fe899c --- /dev/null +++ b/states/systems/core/ldap.sss/ldap.conf @@ -0,0 +1,21 @@ +# +# LDAP Defaults +# + +# See ldap.conf(5) for details +# This file should be world readable but not world writable. + +#BASE dc=example,dc=com +#URI ldap://ldap.example.com ldap://ldap-master.example.com:666 + +#SIZELIMIT 12 +#TIMELIMIT 15 +#DEREF never +BASE dc=actcur,dc=com + +TLS_REQCERT demand + +URI ldaps://ldap.actcur.com:636 +TLS_CACERT /etc/openldap/certs/chain.pem +TLS_CACERTDIR /etc/openldap/certs/ + diff --git a/states/systems/core/ldap.sss/nscd.conf b/states/systems/core/ldap.sss/nscd.conf new file mode 100755 index 0000000..d60b39f --- /dev/null +++ b/states/systems/core/ldap.sss/nscd.conf 
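Review bot: Every `source:` in this state points at `salt://systems/core/ldap/...`, but the files added in this commit live under `states/systems/core/ldap.sss/`; unless a separate `ldap` directory exists in the file root, `ldap.conf`, `sssd.conf`, `nscd.conf`, `nsswitch.conf` and `pam.d` will all fail to fetch, and because `/etc/pam.d` is replaced wholesale via `file.recurse`, a wrong or partial source there can lock out authentication on the host. `ldap.conf` sets `TLS_REQCERT demand` with `TLS_CACERT /etc/openldap/certs/chain.pem`, which is the right choice, but nothing in this state installs that chain file, so LDAPS lookups will be refused until another state provides it; a `require` on whichever state manages `/etc/openldap/certs` would make the dependency explicit. sssd's documentation recommends disabling nscd caching for `passwd`, `group`, `netgroup` and `services` when sssd is in use; the rest of `nscd.conf` is outside this hunk, so please confirm it does that.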
@@ -0,0 +1,88 @@ +# +# /etc/nscd.conf +# +# An example Name Service Cache config file. This file is needed by nscd. +# +# Legal entries are: +# +# logfile +# debug-level +# threads +# max-threads +# server-user +# server-user is ignored if nscd is started with -S parameters +# stat-user +# reload-count unlimited| +# paranoia +# restart-interval