Updated package cache

pillars/roles/nginx/atheos.sls

@@ -0,0 +1,13 @@
+nginx:
+  ide:
+    auth: none
+    https:
+      port: 8080
+      prot: http
+
+portal:
+  Dev:
+    ide:
+      name: Atheos IDE
+      summary: Atheos IDE server
+      public: false

pillars/servers/env/server/atheos.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/env/server/gitea.sls

@@ -1 +1 @@
-env: dev
+env: prod

pillars/servers/env/server/pkg.sls

@@ -1 +1 @@
-env: prod
+env: dev

pillars/servers/roles/server/atheos.sls

@@ -0,0 +1,8 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - nrpe
+    - saltminion
+    - atheos
+    - nginx-proxy

pillars/servers/roles/server/pkg.sls

@@ -5,5 +5,5 @@ grains:
     - nrpe
     - saltminion
     - pkg-cache
-    - aurblobs
+    - aurutils
     - nginx-proxy

states/repos/aur/aur-local

@@ -0,0 +1,3 @@
+[aur-local]
+SigLevel = Never
+Server = http://pkg.actcur.com/archlinux/$repo/os/$arch

states/repos/aur/aur.conf

@@ -1,3 +0,0 @@
-[aur-local]
-SigLevel = Never
-Server = http://pkg.actcur.com/$repo/os/$arch

states/repos/aur/init.sls

@@ -1,5 +1,17 @@
 {%- if grains['os'] != "Arch ARM" -%}
-/etc/pacman.conf:
+aur_local_repo:
+  file.managed:
+    - name: /etc/pacman.d/aur-local
+    - source: salt://repos/aur/aur-local
+
+include_aur_local_repo:
   file.append:
-    - source: salt://repos/aur/aur.conf
+    - name: /etc/pacman.conf
+    - text: Include = /etc/pacman.d/aur-local
+
+remove_old_aur_local_repo:
+  file.replace:
+    - name: /etc/pacman.conf
+    - pattern: '\[aur-local\]\n.*SigLevel = Never\n.*Server = http:\/\/pkg\.actcur\.com\/\$repo\/os\/\$arch'
+    - repl: ''
 {%- endif -%}

states/repos/epel.sls

@@ -1,2 +1,6 @@
 epel-release:
   pkg.installed
+
+powertools:
+  cmd.run:
+    - name: "dnf config-manager --set-enabled powertools"

states/roles/build/aurutils/init.sls

@@ -0,0 +1,5 @@
+install_old_dependencies:
+  pkg.installed:
+    - sources:
+      - aurutils: salt://roles/build/aurutils/aurutils.pkg.tar.zst
+      - autofs: salt://roles/build/aurutils/autofs.pkg.tar.zst

states/roles/build/freeipa-server/init.sls

@@ -1,6 +1,6 @@
 install_freeipa-server:
-  pkg.installed:
-    - name: freeipa-server
+  cmd.run:
+    - name: "dnf module install -y idm:DL1/{server,client,dns}"
 
 set_dm_password:
   environ.setenv:
@@ -27,3 +27,7 @@ unset_admin_password:
     - name: ADMIN_PASSWORD
     - value: "False"
     - false_unsets: true
+
+update_firewall:
+  cmd.run:
+    - name: "firewall-cmd --permanent --add-service={http,https,ldap,ldaps,kerberos,dns,ntp}"

states/roles/maintain/atheos/init.sls

@@ -0,0 +1,20 @@
+{%- set os=grains['os'] -%}
+
+atheos-php:
+  pkg.installed:
+    - name: php
+atheos-php-fpm:
+  pkg.installed:
+    - name: php-fpm
+  service.running:
+    - name: php-fpm
+    - enable: true
+    - watch:
+      - file: /etc/php/php.ini
+
+/etc/php/php.ini:
+  file.managed:
+    - source: salt://roles/maintain/atheos/php.ini
+    - user: root
+    - group: root
+    - mode: 644

states/roles/maintain/atheos/nginx.conf

@@ -0,0 +1,34 @@
+server {
+    listen 8080
+    server_name atheos.actcur.com;
+
+    root /sites/atheos;
+    index index.html index.htm index.php;
+
+    charset utf-8;
+    rewrite_log on;
+
+    location / {
+        try_files $uri $uri/ @laravel;
+    }
+
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/www;
+    }
+
+    location ~ \.php$ {
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
+        fastcgi_index index.php;
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        include fastcgi_params;
+    }
+
+    location ~ /\.(?!well-known).* {
+        deny all;
+    }
+    error_log /var/log/nginx/ra_error.log notice;
+    access_log /var/log/nginx/ra_access.log;
+}

states/roles/maintain/aurutils/aur_builder

@@ -0,0 +1,3 @@
+[aur_builder]
+SigLevel = Optional TrustAll
+Server = file:///repo

states/roles/maintain/aurutils/init.sls

@@ -0,0 +1,49 @@
+sudo:
+  pkg.installed
+
+base-devel:
+  pkg.installed
+
+aur_builder_repo:
+  file.managed:
+    - name: /etc/pacman.d/aur_builder
+    - source: salt://roles/maintain/aurutils/aur_builder
+
+include_aur_builder_repo:
+  file.append:
+    - name: /etc/pacman.conf
+    - text: Include = /etc/pacman.d/aur_builder
+
+user-build:
+  user.present:
+    - name: build
+    - createhome: true
+  file.append:
+    - name: /etc/sudoers
+    - text: "build ALL=(ALL) NOPASSWD: ALL"
+
+/repo:
+  file.symlink:
+    - target: /mnt/pkgs/aur-local/os/x86_64/
+
+/build:
+  file.symlink:
+    - target: /mnt/build/
+
+"/usr/lib/systemd/system/updateaur.service":
+  file.managed:
+    - source: salt://roles/maintain/aurutils/updateaur.service
+    - user: root
+    - group: root
+    - mode: 644
+
+"/usr/lib/systemd/system/updateaur.timer":
+  file.managed:
+    - source: salt://roles/maintain/aurutils/updateaur.timer
+    - user: root
+    - group: root
+    - mode: 644
+
+#"updateaur.timer":
+#  service.running:
+#    - enable: true

states/roles/maintain/aurutils/updateaur.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Update AUR package repository
+
+[Service]
+Type=oneshot
+RemainAfterExit=no
+User=build
+Group=build
+ExecStart=/bin/bash -c "AUR_PAGER=ls aur sync -u --margs --noconfirm" 
+
+[Install]
+WantedBy=multi-user.target

states/roles/maintain/aurutils/updateaur.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=Updates AUR package repository every 24 hours
+
+[Timer]
+# Time to wait after booting before we run first time
+OnBootSec=10min
+# Time between running each consecutive time
+OnUnitActiveSec=1d
+Unit=updateaur.service
+
+[Install]
+WantedBy=multi-user.target
+

states/roles/maintain/freeipa-server/DSTRootCAX3.pem

@@ -1,20 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----

states/roles/maintain/freeipa-server/LetsEncryptAuthorityX3.pem

@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
-SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
-GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
-q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
-SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
-Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
-a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
-/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
-AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
-CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
-bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
-c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
-VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
-ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
-MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
-Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
-AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
-uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
-wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
-X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
-PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
-KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
------END CERTIFICATE-----

states/roles/maintain/freeipa-server/cacerts/isrg-root-x2.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00
+MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT
+ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw
+EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW
++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9
+ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI
+zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW
+tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1
+/q4AaOeMSQ+2b1tbFfLn
+-----END CERTIFICATE-----

states/roles/maintain/freeipa-server/cacerts/isrgrootx1.pem

@@ -0,0 +1,31 @@
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
+WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
+ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
+MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
+h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
+0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
+A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
+T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
+B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
+B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
+KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
+OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
+jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
+qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
+rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
+HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
+hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
+ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
+3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
+NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
+ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
+TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
+jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
+oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
+4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
+mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
+emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
+-----END CERTIFICATE-----

states/roles/maintain/freeipa-server/cacerts/lets-encrypt-e1.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL
+MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo
+IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN
+MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j
+cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c
+S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj
++240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB
+BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V
+yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB
+BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E
+IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG
+Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+
+Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q
+YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/
+-----END CERTIFICATE-----

states/roles/maintain/freeipa-server/cacerts/lets-encrypt-e2.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICxjCCAkygAwIBAgIQTtI99q9+x/mwxHJv+VEqdzAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw0y
+NTA5MTUxNjAwMDBaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy
+eXB0MQswCQYDVQQDEwJFMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABCOaLO3lixmN
+YVWex+ZVYOiTLgi0SgNWtU4hufk50VU4Zp/LbBVDxCsnsI7vuf4xp4Cu+ETNggGE
+yBqJ3j8iUwe5Yt/qfSrRf1/D5R58duaJ+IvLRXeASRqEL+VkDXrW3qOCAQgwggEE
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUbZkq9U0C6+MRwWC6km+NPS7x
+6kQwHwYDVR0jBBgwFoAUfEKWrt5LSDv6kviejM9ti6lyN5UwMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzAChhZodHRwOi8veDIuaS5sZW5jci5vcmcvMCcGA1UdHwQg
+MB4wHKAaoBiGFmh0dHA6Ly94Mi5jLmxlbmNyLm9yZy8wIgYDVR0gBBswGTAIBgZn
+gQwBAgEwDQYLKwYBBAGC3xMBAQEwCgYIKoZIzj0EAwMDaAAwZQIxAPJCN9qpyDmZ
+tX8K3m8UYQvK51BrXclM6WfrdeZlUBKyhTXUmFAtJw4X6A0x9mQFPAIwJa/No+KQ
+UAM1u34E36neL/Zba7ombkIOchSgx1iVxzqtFWGddgoG+tppRPWhuhhn
+-----END CERTIFICATE-----

states/roles/maintain/freeipa-server/cacerts/lets-encrypt-r3.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----

states/roles/maintain/freeipa-server/cacerts/lets-encrypt-r4.pem

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAIp5IlCr5SxSbO7Pf8lC3WIwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCzKNx3KdPnkb7ztwoAx/vyVQslImNTNq/pCCDfDa8oPs3Gq1e2naQlGaXS
+Mm1Jpgi5xy+hm5PFIEBrhDEgoo4wYCVg79kaiT8faXGy2uo/c0HEkG9m/X2eWNh3
+z81ZdUTJoQp7nz8bDjpmb7Z1z4vLr53AcMX/0oIKr13N4uichZSk5gA16H5OOYHH
+IYlgd+odlvKLg3tHxG0ywFJ+Ix5FtXHuo+8XwgOpk4nd9Z/buvHa4H6Xh3GBHhqC
+VuQ+fBiiCOUWX6j6qOBIUU0YFKAMo+W2yrO1VRJrcsdafzuM+efZ0Y4STTMzAyrx
+E+FCPMIuWWAubeAHRzNl39Jnyk2FAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFDadPuCxQPYnLHy/jZ0xivZUpkYmMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCJbu5CalWO+H+Az0lmIG14DXmlYHQE
+k26umjuCyioWs2icOlZznPTcZvbfq02YPHGTCu3ctggVDULJ+fwOxKekzIqeyLNk
+p8dyFwSAr23DYBIVeXDpxHhShvv0MLJzqqDFBTHYe1X5X2Y7oogy+UDJxV2N24/g
+Z8lxG4Vr2/VEfUOrw4Tosl5Z+1uzOdvTyBcxD/E5rGgTLczmulctHy3IMTmdTFr0
+FnU0/HMQoquWQuODhFqzMqNcsdbjANUBwOEQrKI8Sy6+b84kHP7PtO+S4Ik8R2k7
+ZeMlE1JmxBi/PZU860YlwT8/qOYToCHVyDjhv8qutbf2QnUl3SV86th2I1QQE14s
+0y7CdAHcHkw3sAEeYGkwCA74MO+VFtnYbf9B2JBOhyyWb5087rGzitu5MTAW41X9
+DwTeXEg+a24tAeht+Y1MionHUwa4j7FB/trN3Fnb/r90+4P66ZETVIEcjseUSMHO
+w6yqv10/H/dw/8r2EDUincBBX3o9DL3SadqragkKy96HtMiLcqMMGAPm0gti1b6f
+bnvOdr0mrIVIKX5nzOeGZORaYLoSD4C8qvFT7U+Um6DMo36cVDNsPmkF575/s3C2
+CxGiCPQqVxPgfNSh+2CPd2Xv04lNeuw6gG89DlOhHuoFKRlmPnom+gwqhz3ZXMfz
+TfmvjrBokzCICA==
+-----END CERTIFICATE-----

states/roles/maintain/freeipa-server/init.sls

@@ -5,19 +5,19 @@
     - group: root
     - dir_mode: 500
 
-/etc/httpd/certs/DSTRootCAX3.pem:
-  file.managed:
-    - source: salt://roles/maintain/freeipa-server/DSTRootCAX3.pem
+/etc/httpd/certs/cacerts/:
+  file.directory:
     - user: root
     - group: root
-    - mode: 400
+    - dir_mode: 500
 
-/etc/httpd/certs/LetsEncryptAuthorityX3.pem:
-  file.managed:
-    - source: salt://roles/maintain/freeipa-server/LetsEncryptAuthorityX3.pem
+/etc/httpd/certs/cacerts:
+  file.recurse:
+    - source: salt://roles/maintain/freeipa-server/cacerts
+    - clean: true
     - user: root
     - group: root
-    - mode: 400
+    - file_mode: 400
 
 "/etc/httpd/certs/ipa.actcur.com/":
   file.recurse:
@@ -30,10 +30,9 @@
 
 install_cacerts:
   cmd.run:
-    - name: 'ipa-cacert-manage install "/etc/httpd/certs/DSTRootCAX3.pem" -n DSTRootCAX3 -t C,,;ipa-cacert-manage install "/etc/httpd/certs/LetsEncryptAuthorityX3.pem" -n letsencryptx3 -t C,,;ipa-certupdate -v'
+    - name: 'cd /etc/httpd/certs/cacerts/;for cert in `ls ./`; do ipa-cacert-manage install $cert;done;ipa-certupdate -v'
     - onchanges:
-      - file: /etc/httpd/certs/DSTRootCAX3.pem
-      - file: /etc/httpd/certs/LetsEncryptAuthorityX3.pem
+      - file: /etc/httpd/certs/cacerts/*
 
 set_dm_password:
   environ.setenv:
@@ -44,7 +43,7 @@ set_dm_password:
 
 install_cert:
   cmd.run:
-    - name: 'ipa-server-certinstall -p $DM_PASSWORD --pin="" -w -d /etc/httpd/certs/ipa.actcur.com/privkey.pem /etc/httpd/certs/ipa.actcur.com/fullchain.pem'
+    - name: 'ipa-server-certinstall -p $DM_PASSWORD --pin="" -w -d /etc/httpd/certs/ipa.actcur.com/privkey.pem /etc/httpd/certs/ipa.actcur.com/cert.pem'
     - onchanges:
       - file: /etc/httpd/certs/ipa.actcur.com/*
 

states/roles/maintain/pkg-cache.tmp/init.sls

@@ -0,0 +1,22 @@
+nginx-pkg-cache:
+  pkg.installed:
+    - pkgs:
+      - nginx
+  service.running:
+    - name: nginx
+    - enable: true
+    - watch:
+      - file: /etc/nginx/conf.d/*
+
+/srv/http/pacman-cache:
+  file.symlink:
+    - target: /mnt/pkgs
+
+/etc/nginx/conf.d/pkg-cache.conf:
+  file.managed:
+    - makedirs: true
+    - source: salt://roles/maintain/pkg-cache/pkg-cache.conf
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja

states/roles/maintain/pkg-cache.tmp/pkg-cache.conf

@@ -12,10 +12,6 @@ server
 	location ~ aur-local\.(db|sig){
 		try_files $uri @pkg_mirror;
 	}
-	#TEMPORARY. Requests for teampass.db and sig files should stay here
-	location ~ teampass-temp\.(db|sig){
-		try_files $uri @pkg_mirror;
-	}
 
 	# Requests for package db and signature files should redirect upstream without caching
 	location ~ \.(db|sig)$ {

states/roles/maintain/pkg-cache/cache.conf

@@ -0,0 +1,47 @@
+log_format pkg-cache '$remote_addr - $upstream_cache_status [$time_local] $request_method $host$request_uri $server_protocol $status $body_bytes_sent $request_time $upstream_response_time';
+
+proxy_cache_path /cache
+                     levels=1:2  keys_zone=pkg-cache:60m
+                     inactive=365d use_temp_path=off max_size=10g;
+server {
+        listen 8000;
+        server_name pkg.actcur.com;
+
+        access_log /var/log/nginx/pkg-cache.access.log pkg-cache;
+        error_log /var/log/nginx/pkg-cache.error.log;
+
+        # Force proxy to use TLS for upstream server requests
+        proxy_ssl_protocols     TLSv1 TLSv1.1 TLSv1.2;
+        # Use previously negotiated connection parameters
+        proxy_ssl_session_reuse on;
+        # Enables revalidation of expired cache items using conditional requests with the "If-Modified-Since" and "If-None-Match" header fields.
+        proxy_cache_revalidate  on;
+        # Only one request at a time will be allowed to populate a new cache element
+        proxy_cache_lock        on;
+        # Cache any responses for 1 minute by default, can be overridden by more specific response codes
+        proxy_cache_valid       any 1m;
+
+        # Keep connections to upstream server open
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_read_timeout     300;
+        proxy_connect_timeout  300;
+
+        location /archlinux/aur-local {
+                root /mnt/pkgs;
+        }
+
+        location / {
+                proxy_pass             http://repo.miserver.it.umich.edu/;
+                proxy_cache            pkg-cache; # This directive should match the keys_zone option
+                proxy_cache_revalidate on;
+                proxy_cache_min_uses   0;
+                proxy_cache_valid      200 5m;
+                proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
+                proxy_cache_lock       on;
+
+                # Add some cache status headers for debugging purposes, you can remove these lines if you want
+                add_header X-Upstream-Status $upstream_status;
+                add_header X-Cache-Status $upstream_cache_status;
+        }
+}

states/roles/maintain/pkg-cache/init.sls

@@ -8,15 +8,14 @@ nginx-pkg-cache:
     - watch:
       - file: /etc/nginx/conf.d/*
 
-/srv/http/pacman-cache:
+/cache:
   file.symlink:
-    - target: /mnt/pkgs
+    - target: /mnt/pkgs/cache
 
-/etc/nginx/conf.d/pkg-cache.conf:
+/etc/nginx/conf.d/cache.conf:
   file.managed:
     - makedirs: true
-    - source: salt://roles/maintain/pkg-cache/pkg-cache.conf
+    - source: salt://roles/maintain/pkg-cache/cache.conf
     - user: root
     - group: root
     - mode: 644
-    - template: jinja

states/systems/arch/mirrors/mirrorlist

@@ -1,2 +1,2 @@
-Server = http://pkg.actcur.com/$repo/os/$arch
+Server = http://pkg.actcur.com/archlinux/$repo/os/$arch
 {% include 'mirrors.list' %}

states/top.sls

@@ -38,4 +38,4 @@
   {%- endif -%}
 {%- endif -%}
 {%- endfor %}
-    - systems.core.fstrim
+    - systems.core.fstrim