Initial import

This commit is contained in:
Regna 2016-04-17 02:52:58 +03:00
commit bf63987f34
65 changed files with 2119 additions and 0 deletions

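--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,2 @@
+**~
+***#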

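--- a/sls/augeas/init.sls
+++ b/sls/augeas/init.sls
@@ -0,0 +1,6 @@
+augeas:
+pkg.installed:
+- refresh: false
+- pkgs:
+- app-admin/augeas: "~>=1.3.0"
+- dev-python/python-augeas: "~>=0.5.0"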

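--- a/sls/augeas/lenses.sls
+++ b/sls/augeas/lenses.sls
@@ -0,0 +1,12 @@
+include:
+- augeas
+{% set default_lenses = ['makeconf', 'confd'] %}
+{% set extra_lenses = salt['pillar.get']('augeas_extra_lenses', []) %}
+{% for lensname in default_lenses + extra_lenses %}
+augeas-{{ lensname }}:
+file.managed:
+- name: /usr/share/augeas/lenses/{{ lensname }}.aug
+- source: salt://augeas/lenses/{{ lensname }}.aug
+{% endfor %}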
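Review bot: The lens files written to /usr/share/augeas/lenses/ carry no `user`/`group`/`mode`, so file.managed leaves whatever ownership and permissions the minion happens to produce, unlike every other managed file in this import (lm_sensors/init.sls, bird/init.sls all pin root:root). A lens is parsed by augeas running as root from every augeas.change state in this repo, so pin it: add `- user: root`, `- group: root` and `- mode: 644` under file.managed. The `include: - augeas` only pulls the package state into the run and does not order it; add `- require: - pkg: augeas` so the lens directory exists before the copy (file.managed does not create missing parent directories unless `makedirs` is set).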


@ -0,0 +1,8 @@
module Confd =
autoload xfm
let lns = Shellvars.lns
let filter = (incl "/etc/conf.d/*") . (excl "net") . (excl "net.*") . (excl "*~") . (excl ".*") . (excl "#*#") . (excl "*.bak")
let xfm = transform lns filter


@ -0,0 +1,8 @@
module Makeconf =
autoload xfm
let lns = Shellvars.lns
let filter = (incl "/etc/make.conf") . (incl "/etc/portage/make.conf")
let xfm = transform lns filter

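--- a/sls/bird/bird.conf
+++ b/sls/bird/bird.conf
@@ -0,0 +1,21 @@
+log syslog { info, remote, warning, error, auth, fatal, bug };
+router id 0.0.0.1;
+# This pseudo-protocol performs synchronization between BIRD's routing
+# tables and the kernel. If your kernel supports multiple routing tables
+# (as Linux 2.2.x does), you can run multiple instances of the kernel
+# protocol and synchronize different kernel tables with different BIRD tables.
+protocol kernel {
+learn; # Learn all alien routes from the kernel
+persist; # Don't remove routes on bird shutdown
+scan time 20; # Scan kernel routing table every 20 seconds
+import all; # Default is import all
+export none; # Default is export none
+# kernel table 5; # Kernel table to synchronize with (default: main)
+}
+protocol bfd {
+}
+# This pseudo-protocol watches all interface up/down events.
+protocol device {
+scan time 10; # Scan interfaces every 10 seconds
+}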
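Review bot: `router id 0.0.0.1;` is a fixed placeholder that every minion receives, and because init.sls installs this file with `replace: False` it is also the value the daemons keep running with after the first highstate. Duplicate router IDs across hosts are a classic cause of broken OSPF/BGP adjacencies, so render it from a grain or pillar value (the file is a natural candidate for `template: jinja`), or at least put a header comment saying it must be edited by hand before any routing protocol is enabled. The same file is also installed as /etc/bird6.conf, so a comment noting that both daemons share this template would save the next reader a trip to init.sls.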

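--- a/sls/bird/bird.initd
+++ b/sls/bird/bird.initd
@@ -0,0 +1,41 @@
+#!/sbin/runscript
+# -*- mode: shell-script -*-
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+extra_started_commands="reload"
+EXE="${SVCNAME}"
+SOCK="/var/run/${EXE}.ctl"
+depend() {
+need net
+use logger
+}
+checkconfig() {
+if [ ! -f "/etc/${EXE}.conf" ]; then
+eerror "Please create /etc/${EXE}.conf"
+return 1
+fi
+return 0
+}
+start() {
+checkconfig || return $?
+ebegin "Starting ${SVCNAME}"
+start-stop-daemon --start --exec /usr/sbin/${EXE} -- -c "/etc/${EXE}.conf" -s "${SOCK}"
+eend $? "Failed to start BIRD"
+}
+stop() {
+ebegin "Stopping ${SVCNAME}"
+start-stop-daemon --stop --exec /usr/sbin/${EXE}
+eend $? "Failed to stop BIRD"
+}
+reload() {
+ebegin "Reloading ${SVCNAME}"
+start-stop-daemon --stop --signal HUP --oknodo --exec /usr/sbin/${EXE}
+eend $? "Failed to reload BIRD"
+}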
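Review bot: stop() and reload() signal by `--exec /usr/sbin/${EXE}` alone, with no `--pidfile`, so every process running that binary receives the SIGTERM/SIGHUP, not just the instance this script started; have bird write a pid file at start (its `-P` option, if the packaged version has it) and pass `--pidfile "/run/${EXE}.pid"` to both stop calls. checkconfig() only tests that the file exists, so a syntax error is discovered by the failed start rather than before it; `/usr/sbin/${EXE} -p -c "/etc/${EXE}.conf"` would reject it up front. The daemon also runs as root with no `-u`/`-g`; if the installed BIRD supports those flags, dropping to an unprivileged user here is cheap hardening for a network-facing process.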

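--- a/sls/bird/init.sls
+++ b/sls/bird/init.sls
@@ -0,0 +1,61 @@
+# -*- mode: yaml -*-
+pkg_bird:
+pkg.installed:
+- pkgs:
+- net-misc/bird: "~>=1.5.0[ipv6]"
+/etc/init.d/bird:
+file.managed:
+- source: salt://bird/bird.initd
+- mode: 750
+- user: root
+- group: root
+/etc/init.d/bird6:
+file.symlink:
+- target: /etc/init.d/bird
+- force: True
+/etc/bird.conf:
+file.managed:
+- source: salt://bird/bird.conf
+- replace: False
+- mode: 640
+- user: root
+- group: root
+/etc/bird6.conf:
+file.managed:
+- source: salt://bird/bird.conf
+- replace: False
+- mode: 640
+- user: root
+- group: root
+bird:
+service.running:
+- enable: True
+- watch:
+- file: /etc/init.d/bird
+- pkg: pkg_bird
+bird6:
+service.running:
+- enable: True
+- watch:
+- file: /etc/init.d/bird6
+- pkg: pkg_bird
+bird-reload:
+service.running:
+- name: bird
+- reload: True
+- require:
+- file: /etc/bird.conf
+bird6-reload:
+service.running:
+- name: bird6
+- reload: True
+- require:
+- file: /etc/bird6.conf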
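Review bot: `bird-reload` and `bird6-reload` only `require` their config files and never `watch` them, and both files are managed with `replace: False`, so a later change to sls/bird/bird.conf in this repo is neither delivered to a minion that already has the file nor reloaded into the daemon — only package and init-script changes trigger anything. Either drop `replace: False` and add `- watch: - file: /etc/bird.conf` (and the bird6 twin) to the reload states, or add a comment stating that the files are seeded once and maintained by hand afterwards. The init script is installed with `mode: 750` while lm_sensors/init.sls uses `755` for the same kind of file; pick one convention.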

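--- a/sls/cron/cronie.sls
+++ b/sls/cron/cronie.sls
@@ -0,0 +1,16 @@
+# -*- mode: yaml -*-
+cronie:
+pkg.latest:
+- name: sys-process/cronie
+- use: inotify
+service.running:
+- sig: cron
+- enable: True
+- watch:
+- pkg: cronie
+vixie-cron:
+pkg.purged:
+- name: sys-process/vixie-cron
+service:
+- disabled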
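Review bot: `- use: inotify` under pkg.latest does not appear to be an argument of that state; everywhere else in this import USE flags go through `portage_config.flags` (gentoo/portage.sls, nginx/init.sls), so this flag is most likely ignored silently and cronie is built without inotify. The vixie-cron block purges the package first and only then declares `service: - disabled`, and never stops it, so a vixie-cron that is already running keeps running next to cronie until reboot, and the disable may fail once the init script has been removed. Move the USE flag into a `portage_config.flags` state that cronie's pkg.latest watches, and give vixie-cron a `service.dead` plus `service.disabled` with `- require_in: - pkg: vixie-cron` so the daemon is stopped before the package goes away.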

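--- a/sls/cron/init.sls
+++ b/sls/cron/init.sls
@@ -0,0 +1,3 @@
+# -*- mode: yaml -*-
+include:
+- cron.cronie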

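--- a/sls/editors/emacs.sls
+++ b/sls/editors/emacs.sls
@@ -0,0 +1,4 @@
+# -*- mode: yaml -*-
+emacs:
+pkg.installed:
+- name: app-editors/emacs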

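--- a/sls/fonts/consolefont.sls
+++ b/sls/fonts/consolefont.sls
@@ -0,0 +1,20 @@
+include:
+- augeas.lenses
+- fonts.terminus
+manage-consolefont:
+augeas.change:
+- context: /files/etc/conf.d/consolefont
+- lens: Shellvars.lns
+- require:
+- file: augeas-confd
+- pkg: terminus
+- changes:
+- set consolefont '"ter-v14n"'
+consolefont_service:
+service.running:
+- name: consolefont
+- enable: True
+- watch:
+- augeas: manage-consolefont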

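--- a/sls/fonts/terminus.sls
+++ b/sls/fonts/terminus.sls
@@ -0,0 +1,7 @@
+{% set terminus_use_flags = salt['pillar.get']('terminus_use_flags',
+'-pcf,psf,center-tilde,-ru-g,-a-like-o,distinct-l,ru-dv,ru-i') %}
+terminus:
+pkg.installed:
+- pkgs:
+- media-fonts/terminus-font: '[{{ terminus_use_flags }}]'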

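--- a/sls/gentoo/init.sls
+++ b/sls/gentoo/init.sls
@@ -0,0 +1,7 @@
+# -*- mode: yaml -*-
+include:
+- gentoo.portage
+- gentoo.profile
+- gentoo.openrc
+- gentoo.makeconf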

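--- a/sls/gentoo/makeconf.sls
+++ b/sls/gentoo/makeconf.sls
@@ -0,0 +1,53 @@
+# -*- mode: yaml -*-
+include:
+- augeas.lenses
+{% set mirror_host = salt['pillar.get']('gentoo_mirror_host', 'gentoo.bakka.su') %}
+{% set arch_conf = salt['pillar.get']('arch_conf', False) %}
+{% set num_jobs = grains['num_cpus'] %}
+{% set max_la = "%.2f" % (grains['num_cpus'] / 1.5) %}
+{% if num_jobs > 8 %}
+{% set num_jobs = 8 %}
+{% endif %}
+manage-make-conf:
+augeas.change:
+- context: /files/etc/portage/make.conf
+# - lens: Makeconf.lns
+- changes:
+- set PORTDIR '"/usr/portage"'
+- set DISTDIR '"/var/tmp/distfiles"'
+- set PKGDIR '"/var/tmp/packages"'
+- set PORTAGE_SSH_OPTS '""'
+- set MAKEOPTS '"-j{{ num_jobs }} --load-average {{ max_la }}"'
+- set PYTHON_TARGETS '"python2_7 python3_4"'
+- set USE_PYTHON '"2.7 3.4"'
+- set USE_SALT '"smp multitarget efi icu sqlite emacs sctp xattr syslog logrotate ssl openssl vhosts symlink device-mapper bash-completion zsh-completion -gnutls -tcpd"'
+- set VIDEO_CARDS '""'
+- set GENTOO_MIRRORS '"https://{{ mirror_host }}/gentoo-distfiles"'
+{% if arch_conf %}
+- set CHOST '"{{ arch_conf["CHOST"] }}"'
+- set CFLAGS '"{{ arch_conf["CFLAGS"] }}"'
+{% if arch_conf.get('CXXFLAGS', False) %}
+{% set l_cxxflags = arch_conf['CXXFLAGS'] %}
+{% else %}
+{% set l_cxxflags = '${CFLAGS}' %}
+{% endif %}
+- set CXXFLAGS '"{{ l_cxxflags }}"'
+# Should I also check for osarch here?
+{% if (grains['cpuarch'] == 'x86_64' or grains['cpuarch'] == 'amd64'
+or grains['cpuarch'] == 'i686' or grains['cpuarch'] == 'x86') %}
+{% if arch_conf.get('CPU_FLAGS', False) %}
+- set CPU_FLAGS_X86 '"{{ arch_conf["CPU_FLAGS"] }}"'
+{% else %}
+- set CPU_FLAGS_X86 '"{% for flag in ("mmx", "mmxext", "sse", "sse2", "sse3", "ssse3", "sse4_1", "sse4_2",
+"aes", "popcnt", "avx", "avx2", "fma", "fma3", "fma4", "xop", "3dnow", "3dnowext", "sse4a")
+%}{% if flag in grains["cpu_flags"] %}{{ flag }}{% if not loop.last %} {% endif %}{% endif %}{% endfor %}"'
+{% endif %}
+{% endif %}
+{% if arch_conf.get('mirror_arch', False) %}
+- set PORTAGE_BINHOST '"https://{{ mirror_host }}/gentoo-packages/{{ arch_conf["mirror_arch"] }}/packages"'
+{% endif %}
+{% endif %}
+- require:
+- file: /usr/share/augeas/lenses/makeconf.aug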
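Review bot: DISTDIR and PKGDIR are set to /var/tmp/distfiles and /var/tmp/packages, directories under a world-writable tree, and nothing in this import creates them with root ownership before the first emerge. Distfiles are checked against Manifest digests, but binary packages under PKGDIR — and anything pulled from the PORTAGE_BINHOST set below — are installed by emerge as root with, as far as I know, no signature check in this generation of Portage, so a local user who creates /var/tmp/packages first can plant a .tbz2 that is later installed. Move both under /var/cache (e.g. `/var/cache/distfiles`, `/var/cache/binpkgs`) or add `file.directory` states with `user: root` and `mode: 755` that this state `require`s. The CHOST/CFLAGS/CPU_FLAGS pillar values are also inlined unescaped into double-quoted shell strings; that is fine for pillar you control, but a comment saying so belongs next to `{% if arch_conf %}`.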

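--- a/sls/gentoo/openrc.sls
+++ b/sls/gentoo/openrc.sls
@@ -0,0 +1,11 @@
+# -*- mode: yaml -*-
+openrc:
+pkg.latest:
+- name: sys-apps/openrc
+cmd.run:
+- name: rc
+cron.present:
+- identifier: rc
+- name: "/sbin/rc"
+- minute: '*/5'
+- user: root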
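Review bot: The root cron entry runs `/sbin/rc` every five minutes, which re-enters the current runlevel and restarts every enabled service that is not running — including one an operator stopped on purpose during an incident, and one that is crash-looping, which this quietly hides from monitoring. If the intent is to make sure the runlevel is complete after a package upgrade, the `cmd.run` already does that; give it `- onchanges: - pkg: openrc` and drop the timer, or at least add a `- comment:` to the cron entry explaining why a periodic `rc` is wanted. Note too that `rc` is the legacy name of what newer OpenRC ships as `openrc`, so the command may disappear on a future `pkg.latest`.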

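--- a/sls/gentoo/portage.sls
+++ b/sls/gentoo/portage.sls
@@ -0,0 +1,75 @@
+# -*- mode: yaml -*-
+include:
+- core.git
+sys-apps/portage:
+pkg.latest:
+- watch:
+- portage_config: sys-apps/portage
+portage_config.flags:
+- accept_keywords:
+- ~ARCH
+- use:
+- python3
+- xattr
+- git
+- watch_in:
+- cmd: emerge-changed-use
+app-portage:
+pkg.latest:
+- pkgs:
+- app-portage/portage-utils
+- app-portage/gentoolkit
+- app-portage/eix
+- app-admin/webapp-config
+app-portage-purged:
+pkg.purged:
+- pkgs:
+- app-portage/epkg
+/etc/portage/postsync.d/q-reinitialize:
+file.managed:
+- mode: 755
+- replace: False
+# rewrite this with consideration of read-only portage (on nfs)
+/usr/portage:
+git.latest:
+- name: "git://git.bakka.su/gentoo-mirror"
+- target: /usr/portage
+- rev: master
+- force_clone: True
+- force_checkout: True
+/etc/portage/repos.conf/:
+file.directory:
+- mode: 755
+- user: root
+- group: root
+git.latest:
+- name: "git://git.bakka.su/server-repos.conf"
+- target: /etc/portage/repos.conf
+- rev: master
+- force_clone: True
+- force_checkout: True
+emerge-changed-use:
+cmd.wait:
+- name: '/usr/bin/emerge --quiet --changed-use @world'
+# emerge-preserved-rebuild:
+# cmd.run:
+# - name: '/usr/bin/emerge --quiet @preserved-rebuild'
+# glsa-check-fix:
+# cmd.run:
+# - name: '/usr/bin/glsa-check --fix affected'
+/etc/portage/profile/:
+file.directory:
+- create: True
+- mode: 755
+- user: root
+- group: root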
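Review bot: The Portage tree and /etc/portage/repos.conf are both cloned with `git.latest` from `git://git.bakka.su/...`, an unauthenticated, unencrypted transport, and with `force_clone`/`force_checkout` the minion adopts whatever the network delivers; ebuilds are then executed by emerge as root, so anyone able to sit between a minion and the mirror gets root on every host. Use an `ssh://` or `https://` URL for both `name:` values and, since git.latest does no signature verification, either pin `rev:` to a commit hash or add a `cmd.run` that runs `git -C /usr/portage verify-commit HEAD` and is wired with `require`/`onfail` so a bad tree is not used. The repos.conf clone deserves the same treatment because it decides where every later `emerge --sync` comes from. Separately, `/etc/portage/postsync.d/q-reinitialize` is `file.managed` with `mode: 755` but no `source` or `contents`, so on a fresh minion it is created as an empty executable hook; give it a `source:` or remove the state until one exists.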

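--- a/sls/gentoo/profile.sls
+++ b/sls/gentoo/profile.sls
@@ -0,0 +1,14 @@
+# -*- mode: yaml -*-
+{% set arch_conf = salt['pillar.get']('arch_conf', False) %}
+eselect-profile:
+eselect.set:
+- name: profile
+{% if arch_conf and arch_conf.get('profile', False) %}
+- target: '{{ arch_conf["profile"] }}'
+{% elif grains['osarch'] == 'x86' %}
+- target: hardened/linux/x86
+{% elif grains['osarch'] == 'x86_64' %}
+- target: hardened/linux/amd64/no-multilib
+{% elif grains['osarch'] == 'armv6l' %}
+- target: hardened/linux/arm/armv6j
+{% endif %}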


@ -0,0 +1,5 @@
[baka-bakka]
location = /var/lib/layman/baka-bakka
sync-type = git
sync-uri = git://git.bakka.su/baka-bakka


@ -0,0 +1,7 @@
[DEFAULT]
main-repo = gentoo
[gentoo]
location = /usr/portage
sync-type = git
sync-uri = git://git.bakka.su/gentoo-mirror
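Review bot: `sync-uri = git://git.bakka.su/gentoo-mirror` makes every `emerge --sync` on the minion fetch the main repository over the plain git protocol, which authenticates nothing, so the same man-in-the-middle exposure that applies to the Salt-driven clone in gentoo/portage.sls applies to every later sync as well. Switch to an `https://` or `ssh://` URI, and if the mirror carries signed commits enable `sync-git-verify-commit-signature = yes` where the installed Portage supports it. The file name for this section is not shown on the page; from the content it is the repos.conf entry for the main repo.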


@ -0,0 +1,5 @@
[tengine-overlay]
location = /var/lib/layman/tengine-overlay
sync-type = git
sync-uri = https://github.com/damex/tengine-overlay.git


@ -0,0 +1,9 @@
irqbalance:
pkg.purged:
- pkgs:
- sys-apps/irqbalance: '[numa]'
- sys-process/numactl
- require:
- service: irqbalance
service.disabled:
- name: irqbalance

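--- a/sls/irqbalance/init.sls
+++ b/sls/irqbalance/init.sls
@@ -0,0 +1,8 @@
+irqbalance:
+pkg.installed:
+- pkgs:
+- sys-apps/irqbalance: '[numa]'
+- sys-process/numactl
+service.running:
+- name: irqbalance
+- enable: True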

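--- a/sls/keepalived/init.sls
+++ b/sls/keepalived/init.sls
@@ -0,0 +1,11 @@
+include:
+- keepalived.pkg
+# /etc/keepalived/keepalived.conf:
+# - file.managed:
+keepalived:
+service.running:
+- enable: True
+- watch:
+- pkg: pkg_keepalived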
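Review bot: keepalived is enabled and started while the management of /etc/keepalived/keepalived.conf is still commented out, so whatever config already sits on the minion — the package's sample file, if the ebuild installs one, or a hand-edited leftover — goes live, and keepalived will announce VRRP and run its notify scripts as root with it. Either manage the file before `service.running` and `watch` it, or gate the service on a real config being present, e.g. `- onlyif: test -s /etc/keepalived/keepalived.conf`. Until the file state exists, a comment stating that the config is expected to be provisioned by hand would stop this state from being applied to a host with no config at all.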

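--- a/sls/keepalived/pkg.sls
+++ b/sls/keepalived/pkg.sls
@@ -0,0 +1,4 @@
+pkg_keepalived:
+pkg.installed:
+- pkgs:
+- sys-cluster/keepalived: '[ipv6,snmp]'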

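--- a/sls/lm_sensors/init.sls
+++ b/sls/lm_sensors/init.sls
@@ -0,0 +1,26 @@
+# -*- mode: yaml -*-
+lm_sensors:
+pkg.installed:
+- pkgs:
+- sys-apps/lm_sensors: '[sensord]'
+service.running:
+- enable: True
+- watch:
+- pkg: lm_sensors
+- file: /etc/init.d/lm_sensors
+- file: /etc/conf.d/lm_sensors
+/etc/init.d/lm_sensors:
+file.managed:
+- source: salt://lm_sensors/lm_sensors.initd
+- mode: 755
+- user: root
+- group: root
+/etc/conf.d/lm_sensors:
+file.managed:
+- source: salt://lm_sensors/lm_sensors.confd
+- mode: 644
+- user: root
+- group: root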


@ -0,0 +1,2 @@
# Initialize sensors at startup
INITSENSORS=yes


@ -0,0 +1,21 @@
#!/sbin/runscript
# Copyright 1999-2016 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Id$
depend() {
use modules
}
start() {
if [ "${INITSENSORS}" = "yes" ]; then
if ! [ -f /etc/sensors3.conf ]; then
eerror "/etc/sensors3.conf does not exist!"
return 1
fi
ebegin "Initializing sensors"
/usr/bin/sensors -s >/dev/null 2>&1
eend ${?}
fi
}

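--- a/sls/mdadm/init.sls
+++ b/sls/mdadm/init.sls
@@ -0,0 +1,20 @@
+mdadm:
+pkg.installed:
+- pkgs:
+- sys-fs/mdadm:
+/etc/mdadm.conf:
+file.managed:
+- source: salt://mdadm/mdadm.conf.tpl
+- template: jinja
+- mode: 644
+- user: root
+- group: root
+mdadm_monitor:
+service.running:
+- name: mdadm
+- enable: True
+- watch:
+- pkg: mdadm
+- file: /etc/mdadm.conf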
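Review bot: `- sys-fs/mdadm:` with a trailing colon is parsed by YAML as a one-key mapping with a null version rather than the plain package name used by every other `pkgs:` list in this import (compare `- sys-process/numactl` in irqbalance/init.sls), so it relies on the pkg state tolerating a `None` version; drop the colon unless a version pin was intended, in which case write it out. The service is restarted on every change to /etc/mdadm.conf, which is right, but the template can render without any MAILADDR or PROGRAM line, and the monitor then has nothing to do; a comment on `mdadm_monitor` pointing at the pillar key it depends on (`contacts:default:email`) would make that dependency visible here.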

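--- a/sls/mdadm/mdadm.conf.tpl
+++ b/sls/mdadm/mdadm.conf.tpl
@@ -0,0 +1,6 @@
+# mdadm configuration file
+# Managed by Salt
+{% set default_email = salt['pillar.get']('contacts:default:email', False) %}
+#
+#PROGRAM /usr/sbin/handle-mdadm-events
+{% if default_email %}MAILADDR {{ default_email }}{% endif %}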
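Review bot: When `contacts:default:email` is missing from pillar the rendered file has neither MAILADDR nor PROGRAM, and as far as I recall `mdadm --monitor` refuses to run in that state (it logs "No mail address or alert command - not monitoring" and exits), so the mdadm_monitor service in init.sls starts and is then found dead on the next highstate. Either make the key mandatory — `salt['pillar.get']('contacts:default:email')` with no default and a `{% if not default_email %}{{ raise(...) }}` guard — or uncomment PROGRAM with a real handler as the fallback. A one-line comment here saying that at least one of MAILADDR/PROGRAM must be present would save the next reader the trip to the man page.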


@ -0,0 +1 @@
location ^~ /.git/ { internal; }
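Review bot: `location ^~ /.git/` is a prefix match, so it only hides a repository checked out directly at the document root; a `.git` directory anywhere below it (e.g. `/app/.git/config` under a vhost whose root is a parent checkout) is still served. Use a regex that matches the path component anywhere: `location ~ /\.git(/|$) { internal; }` (or `return 404;`). Since files in includes/ do nothing on their own, a one-line comment saying this snippet has to be included inside every `server {}` block that serves a checkout would also help.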


@ -0,0 +1,4 @@
error_page 403 404 =404 /errors/404.html;
#error_page 403 /img/V899.jpg;
error_page 500 502 503 504 =500 /errors/500.html;
location ^~/errors/ { internal; }

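--- a/sls/nginx/init.sls
+++ b/sls/nginx/init.sls
@@ -0,0 +1,330 @@
+# -*- mode: yaml -*-
+{% set tengine = salt['pillar.get']('tengine', False) %}
+include:
+- ssl.openssl
+- augeas.lenses
+- logrotate
+{% if tengine %}
+- gentoo.portage
+{% endif %}
+{% set worker_processes = salt['grains.get']('num_cpus', 2) -%}
+{% if worker_processes < 1 -%}
+{% set worker_processes = 2 -%}
+{% elif worker_processes < 4 -%}
+{% set worker_processes = 4 -%}
+{% endif %}
+{% set worker_connections = 4096 -%}
+{% set worker_rlimit_nofile = worker_processes*worker_connections*2 -%}
+{% set makeconf_nginx_modules_http = '''access auth_basic autoindex browser charset empty_gif fastcgi geo geoip gzip gzip_static limit_req limit_zone lua map memcached proxy realip referer rewrite scgi spdy split_clients ssi ssl reqstat upstream_keepalive upstream_least_conn upstream_rbtree limit_conn upstream_session_sticky stub_status upstream_check upstream_consistent_hash upstream_ip_hash userid uwsgi''' -%}
+{% set makeconf_nginx_modules_mail = 'smtp imap pop3' -%}
+{% set ssl_ciphers = ':'.join([
+'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256',
+'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-GCM-SHA256',
+'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES128-SHA',
+'ECDH-ECDSA-AES128-SHA', 'ECDH-RSA-AES128-SHA',
+'DHE-RSA-AES128-SHA', 'AES128-SHA256', 'AES128-SHA',
+'!3DES', '!MD5', '!aNULL', '!EDH']) -%}
+{% if tengine %}
+manage-tengine-modules:
+augeas.change:
+- context: /files/etc/portage/make.conf
+- changes:
+- set TENGINE_STATIC_MODULES_HTTP '"{{ makeconf_nginx_modules_http }}"'
+- set TENGINE_SHARED_MODULES_HTTP '""'
+- set TENGINE_EXTERNAL_MODULES_HTTP '""'
+- set TENGINE_MODULES_MAIL '"{{ makeconf_nginx_modules_mail }}"'
+- require:
+- file: augeas-makeconf
+{% else %}
+manage-nginx-modules:
+augeas.change:
+- context: /files/etc/portage/make.conf
+- changes:
+- set NGINX_MODULES_HTTP '"{{ makeconf_nginx_modules_http }}"'
+- set NGINX_MODULES_MAIL '"{{ makeconf_nginx_modules_mail }}"'
+- require:
+- file: augeas-makeconf
+{% endif %}
+libpcre:
+portage_config.flags:
+- name: dev-libs/libpcre
+- use:
+- jit
+{% if tengine %}
+tengine:
+service.running:
+- enable: True
+- watch:
+- pkg: tengine
+- pkg: openssl
+- file: /etc/tengine/tengine.conf
+pkg.latest:
+- name: www-servers/tengine
+- require:
+- portage_config: libpcre
+- watch:
+- portage_config: tengine
+- augeas: manage-tengine-modules
+portage_config.flags:
+- name: www-servers/tengine
+- accept_keywords:
+- ~*
+- use:
+- aio
+- http
+- http-cache
+- ipv6
+- pcre
+- "-libatomic"
+- jemalloc
+- luajit
+- pcre-jit
+nginx-reload:
+# This is for watch_in reloads
+service.running:
+- name: tengine
+- reload: True
+- require:
+- pkg: tengine
+- file: /etc/tengine/tengine.conf
+/etc/tengine/tengine.conf:
+file.managed:
+- source: salt://nginx/tengine.conf.tpl
+- template: jinja
+- defaults:
+worker_processes: {{ worker_processes }}
+worker_connections: {{ worker_connections }}
+worker_rlimit_nofile: {{ worker_rlimit_nofile }}
+ssl_protocols: 'TLSv1.1 TLSv1.2'
+ssl_ciphers: {{ ssl_ciphers }}
+ssl_ecdh_curve: prime256v1
+ssl_session_cache: 'shared:SSL:20m'
+ssl_session_timeout: 120m
+- mode: 755
+- user: root
+- group: root
+- require:
+- file: /etc/tengine/listen
+- file: /etc/tengine/listen_ssl
+- file: /etc/tengine/cf_real_ip.conf
+- file: /etc/tengine/includes/
+- file: /etc/tengine/vhosts.d/
+/etc/tengine/listen:
+file.managed:
+- source: salt://nginx/listen.conf
+- mode: 755
+- user: root
+- group: root
+/etc/tengine/listen_ssl:
+file.managed:
+- source: salt://nginx/listen_ssl.conf
+- mode: 755
+- user: root
+- group: root
+/etc/tengine/cf_real_ip.conf:
+file.managed:
+- source: salt://nginx/real_ip.conf.tpl
+- template: jinja
+- defaults:
+ips:
+- 204.93.240.0/24
+- 204.93.177.0/24
+- 199.27.128.0/21
+- 173.245.48.0/20
+- 103.21.244.0/22
+- 103.22.200.0/22
+- 103.31.4.0/22
+- 141.101.64.0/18
+- 108.162.192.0/18
+- 190.93.240.0/20
+- 188.114.96.0/20
+- 197.234.240.0/22
+- 198.41.128.0/17
+- 162.158.0.0/15
+- 2400:cb00::/32
+- 2606:4700::/32
+- 2803:f800::/32
+- 2405:b500::/32
+- 2405:8100::/32
+header: CF-Connecting-IP
+- mode: 755
+- user: root
+- group: root
+/etc/tengine/includes/:
+file.recurse:
+- source: salt://nginx/includes
+- dir_mode: 755
+- file_mode: 644
+- user: root
+- group: root
+/etc/tengine/vhosts.d/:
+file.directory:
+- create: True
+- mode: 755
+- user: root
+- group: root
+/var/cache/tengine/:
+file.directory:
+- create: True
+- mode: 755
+- user: tengine
+- group: tengine
+/etc/logrotate.d/tengine:
+file.managed:
+- source: salt://nginx/tengine.logrotate
+- mode: 644
+- user: root
+- group: root
+- require:
+- file: /etc/logrotate.d/
+{% else %}
+nginx:
+service.running:
+- enable: True
+- watch:
+- pkg: nginx
+- pkg: openssl
+- file: /etc/nginx/nginx.conf
+pkg.latest:
+- name: www-servers/nginx
+- watch:
+- portage_config: nginx
+- augeas: manage-nginx-modules
+portage_config.flags:
+- name: www-servers/nginx
+- accept_keywords:
+- ~*
+- use:
+- aio
+- http
+- http2
+- http-cache
+- ipv6
+- pcre
+- libatomic
+- ssl
+- threads
+nginx-reload:
+# This is for watch_in reloads
+service.running:
+- name: nginx
+- reload: True
+- require:
+- pkg: nginx
+- file: /etc/nginx/nginx.conf
+/etc/nginx/nginx.conf:
+file.managed:
+- source: salt://nginx/nginx.conf.tpl
+- template: jinja
+- defaults:
+worker_processes: {{ worker_processes }}
+worker_connections: {{ worker_connections }}
+worker_rlimit_nofile: {{ worker_rlimit_nofile }}
+ssl_protocols: 'TLSv1.1 TLSv1.2'
+ssl_ciphers: {{ ssl_ciphers }}
+ssl_ecdh_curve: prime256v1
+ssl_session_cache: 'shared:SSL:20m'
+ssl_session_timeout: 120m
+- mode: 755
+- user: root
+- group: root
+- require:
+- file: /etc/nginx/listen
+- file: /etc/nginx/listen_ssl
+- file: /etc/nginx/cf_real_ip.conf
+- file: /etc/nginx/includes/
+- file: /etc/nginx/vhosts.d/
+/etc/nginx/listen:
+file.managed:
+- source: salt://nginx/listen.conf
+- mode: 755
+- user: root
+- group: root
+/etc/nginx/listen_ssl:
+file.managed:
+- source: salt://nginx/listen_ssl.conf
+- mode: 755
+- user: root
+- group: root
+/etc/nginx/cf_real_ip.conf:
+file.managed:
+- source: salt://nginx/real_ip.conf.tpl
+- template: jinja
+- defaults:
+ips:
+- 204.93.240.0/24
+- 204.93.177.0/24
+- 199.27.128.0/21
+- 173.245.48.0/20
+- 103.21.244.0/22
+- 103.22.200.0/22
+- 103.31.4.0/22
+- 141.101.64.0/18
+- 108.162.192.0/18
+- 190.93.240.0/20
+- 188.114.96.0/20
+- 197.234.240.0/22
+- 198.41.128.0/17
+- 162.158.0.0/15
+- 2400:cb00::/32
+- 2606:4700::/32
+- 2803:f800::/32
+- 2405:b500::/32
+- 2405:8100::/32
+header: CF-Connecting-IP
+- mode: 755
+- user: root
+- group: root
+/etc/nginx/includes/:
+file.recurse:
+- source: salt://nginx/includes
+- dir_mode: 755
+- file_mode: 644
+- user: root
+- group: root
+/etc/nginx/vhosts.d/:
+file.directory:
+- create: True
+- mode: 755
+- user: root
+- group: root
+/var/cache/nginx/:
+file.directory:
+- create: True
+- mode: 755
+- user: nginx
+- group: nginx
+/etc/logrotate.d/nginx:
+file.managed:
+- source: salt://nginx/nginx.logrotate
+- mode: 644
+- user: root
+- group: root
+- require:
+- file: /etc/logrotate.d/
+{% endif %}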
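Review bot: nginx.conf, listen, listen_ssl and cf_real_ip.conf, and their four tengine twins, are installed with `mode: 755`; these are configuration files read by the root master process, nothing executes them, and the repo's own includes/ directory already uses `file_mode: 644`, so change all eight to `- mode: 644`. In the `ssl_ciphers` list the trailing `!EDH` permanently removes every DHE suite, including the `DHE-RSA-AES128-SHA` listed a few entries earlier, and the static `ECDH-*` and plain `AES128-*` entries offer no forward secrecy; if they are meant as a compatibility tail, a comment naming the client that needs them would justify keeping them, otherwise drop them. The Cloudflare ranges under `ips:` are a point-in-time snapshot that will drift; record the date and source they were copied from in a comment beside the list so the next reviewer knows how stale it is.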

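--- a/sls/nginx/listen.conf
+++ b/sls/nginx/listen.conf
@@ -0,0 +1,2 @@
+listen 80;
+listen [::]:80;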


@ -0,0 +1,2 @@
listen 443 ssl http2;
listen [::]:443 ssl http2;
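Review bot: `listen 443 ssl http2;` is shared by both build variants, but the tengine branch of nginx/init.sls puts `spdy` in its module list and enables `http2` nowhere, so if that tengine build lacks the HTTP/2 module the master will reject this file with an invalid-parameter error on the first reload. Either ship a separate listen_ssl for tengine (e.g. `listen 443 ssl spdy;`) or add `http2` to TENGINE_STATIC_MODULES_HTTP, and add a comment stating which build each line assumes. The file name for this section is not shown on the page; from init.sls it appears to be sls/nginx/listen_ssl.conf.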

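--- a/sls/nginx/nginx.conf.tpl
+++ b/sls/nginx/nginx.conf.tpl
@@ -0,0 +1,61 @@
+user nginx nginx;
+worker_processes {{ worker_processes }};
+worker_rlimit_nofile {{ worker_rlimit_nofile }};
+events {
+worker_connections {{ worker_connections }};
+use epoll;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+log_format common '[$time_local] $http_host $remote_addr $remote_user'
+' "$request" [$status] $upstream_cache_status $bytes_sent $request_time'
+' "$http_referer" "$http_user_agent" "$http_cookie"';
+access_log /var/log/nginx/access_log common;
+error_log /var/log/nginx/error_log info;
+client_header_timeout 10m;
+client_body_timeout 10m;
+send_timeout 10m;
+connection_pool_size 256;
+client_header_buffer_size 1k;
+large_client_header_buffers 4 2k;
+request_pool_size 4k;
+gzip on;
+gzip_min_length 1100;
+gzip_buffers 4 8k;
+gzip_types text/plain;
+output_buffers 1 32k;
+postpone_output 1460;
+sendfile on;
+tcp_nopush on;
+tcp_nodelay on;
+keepalive_timeout 75 20;
+ignore_invalid_headers on;
+server_tokens off;
+ssl_protocols {{ ssl_protocols }};
+ssl_prefer_server_ciphers on;
+ssl_ciphers {{ ssl_ciphers }};
+ssl_ecdh_curve {{ ssl_ecdh_curve }};
+ssl_session_cache {{ ssl_session_cache }};
+ssl_session_timeout {{ ssl_session_timeout }};
+ssl_session_tickets on;
+#ssl_session_ticket_key
+#ssl_stapling on;
+index index.html;
+include cf_real_ip.conf;
+include /etc/nginx/vhosts.d/*.conf;
+}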
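Review bot: The `common` log format writes `$http_cookie` verbatim into /var/log/nginx/access_log, so every session cookie and login token passing through any vhost lands in plaintext logs that logrotate keeps for its retention window and that anyone with log access can replay; drop the field (or log only that a cookie was present) and say why in a comment. The ten-minute `client_header_timeout`, `client_body_timeout` and `send_timeout` let one slow client hold a worker connection for ten minutes, which against `worker_connections 4096` is an easy exhaustion target for a slowloris-style client — nginx's defaults are 60s and there is no comment explaining the increase. `ssl_session_tickets on;` with no managed `ssl_session_ticket_key` is acceptable because nginx regenerates the key at each start, but a comment saying that is deliberate would stop someone "fixing" it with a long-lived static key.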

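--- a/sls/nginx/nginx.logrotate
+++ b/sls/nginx/nginx.logrotate
@@ -0,0 +1,12 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Managed by Salt
+/var/log/nginx/*_log {
+missingok
+delaycompress
+sharedscripts
+postrotate
+test -r /run/nginx.pid && kill -USR1 `cat /run/nginx.pid`
+endscript
+}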


@ -0,0 +1,4 @@
{% for ip in ips %}
set_real_ip_from {{ ip }};
{% endfor %}
real_ip_header {{ header }};


@ -0,0 +1,61 @@
user tengine tengine;
worker_processes {{ worker_processes }};
worker_rlimit_nofile {{ worker_rlimit_nofile }};
events {
worker_connections {{ worker_connections }};
use epoll;
}
http {
include /etc/tengine/mime.types;
default_type application/octet-stream;
log_format common '[$time_local] $http_host $remote_addr $remote_user'
' "$request" [$status] $upstream_cache_status $bytes_sent $request_time'
' "$http_referer" "$http_user_agent" "$http_cookie"';
access_log /var/log/tengine/access_log common;
error_log /var/log/tengine/error_log info;
client_header_timeout 10m;
client_body_timeout 10m;
send_timeout 10m;
connection_pool_size 256;
client_header_buffer_size 1k;
large_client_header_buffers 4 2k;
request_pool_size 4k;
gzip on;
gzip_min_length 1100;
gzip_buffers 4 8k;
gzip_types text/plain;
output_buffers 1 32k;
postpone_output 1460;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 75 20;
ignore_invalid_headers on;
server_tokens off;
ssl_protocols {{ ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers {{ ssl_ciphers }};
ssl_ecdh_curve {{ ssl_ecdh_curve }};
ssl_session_cache {{ ssl_session_cache }};
ssl_session_timeout {{ ssl_session_timeout }};
ssl_session_tickets on;
#ssl_session_ticket_key
#ssl_stapling on;
index index.html;
include cf_real_ip.conf;
include /etc/tengine/vhosts.d/*.conf;
}
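Review bot: The workers here run as `tengine tengine`, but the php-fpm pool in php/fpm.d/default.conf creates its socket with `listen.owner = nginx`, `listen.group = nginx` and `listen.mode = 0660`, so on a tengine host the web server cannot connect to /run/php-fpm/www.sock at all. Template the pool's `listen.group` (or the socket's group) from the same `tengine` pillar flag that nginx/init.sls uses to choose the daemon, or put both daemons in one shared group and use that. This file's name is not shown on the page; from init.sls it appears to be sls/nginx/tengine.conf.tpl, and it repeats the `$http_cookie` logging and ten-minute timeouts of nginx.conf.tpl, so any fix there should be mirrored here.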


@ -0,0 +1,12 @@
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# Managed by Salt
/var/log/tengine/*_log {
missingok
delaycompress
sharedscripts
postrotate
test -r /run/tengine.pid && kill -USR1 `cat /run/tengine.pid`
endscript
}

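--- a/sls/php/fpm.d/default.conf
+++ b/sls/php/fpm.d/default.conf
@@ -0,0 +1,232 @@
+; Start a new pool named 'www'.
+; the variable $pool can we used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+; Per pool prefix
+; It only applies on the following directives:
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr/lib/php5.3) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+; prefix = /path/to/pools/$pool
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
+; a specific port;
+; 'port' - to listen on a TCP socket to all addresses on a
+; specific port;
+; '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php-fpm/$pool.sock
+; Set listen(2) backlog. A value of '-1' means unlimited.
+; Default Value: 128 (-1 on FreeBSD and OpenBSD)
+listen.backlog = -1
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions.
+; Default Values: user and group are set as the running user
+; mode is set to 0666
+listen.owner = nginx
+listen.group = nginx
+listen.mode = 0660
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+; will be used.
+user = nginx
+group = nginx
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+; static - a fixed number (pm.max_children) of child processes;
+; dynamic - the number of child processes are set dynamically based on the
+; following directives:
+; pm.max_children - the maximum number of children that can
+; be alive at the same time.
+; pm.start_servers - the number of children created on startup.
+; pm.min_spare_servers - the minimum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is less than this
+; number then some children will be created.
+; pm.max_spare_servers - the maximum number of children in 'idle'
+; state (waiting to process). If the number
+; of 'idle' processes is greater than this
+; number then some children will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes to be created when pm is set to 'dynamic'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI.
+; Note: Used when pm is set to either 'static' or 'dynamic'
+; Note: This value is mandatory.
+pm.max_children = 4
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 1
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 2
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+pm.max_requests = 0
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. By default, the status page shows the following
+; information:
+; accepted conn - the number of request accepted by the pool;
+; pool - the name of the pool;
+; process manager - static or dynamic;
+; idle processes - the number of idle processes;
+; active processes - the number of active processes;
+; total processes - the number of idle + active processes.
+; max children reached - number of times, the process limit has been reached,
+; when pm tries to start more children (works only for
+; pm 'dynamic')
+; The values of 'idle processes', 'active processes' and 'total processes' are
+; updated each second. The value of 'accepted conn' is updated in real time.
+; Example output:
+; accepted conn: 12073
+; pool: www
+; process manager: static
+; idle processes: 35
+; active processes: 65
+; total processes: 100
+; max children reached: 1
+; By default the status page output is formatted as text/plain. Passing either
+; 'html' or 'json' as a query string will return the corresponding output
+; syntax. Example:
+; http://www.foo.bar/status
+; http://www.foo.bar/status?json
+; http://www.foo.bar/status?html
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+; anything, but it may not be a good idea to use the .php extension or it
+; may conflict with a real PHP file.
+; Default Value: not set
+ping.path = /ping
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+ping.response = pong
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = /var/log/php-fpm-$pool.log.slow
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+; possible. However, all PHP paths will be relative to the chroot
+; (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+; php_value/php_flag - you can set classic ini defines which can
+; be overwritten from PHP call 'ini_set'.
+; php_admin_value/php_admin_flag - these directives won't be overwritten by
+; PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr/lib/php5.3)
+; Default Value: nothing is defined by default except the values in php.ini and
+; specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M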
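Review bot: The pool runs as `user = nginx` / `group = nginx`, the same account as the web server, so a compromised PHP script can modify anything nginx can write (its cache directory from init.sls, any webroot it owns) and the `listen.owner`/`listen.group` lines become meaningless because owner and client are the same identity. Run the pool as a dedicated account and share only the socket: `user = php-fpm`, `group = php-fpm`, `listen.owner = php-fpm`, `listen.group = nginx`, `listen.mode = 0660`. `ping.path = /ping` is enabled while `pm.status_path` stays commented; if the ping endpoint is only for local health checks, say so in a comment, because any vhost that forwards `/ping` to this socket exposes it to the internet. `listen.backlog = -1` also removes the only queue bound on the socket; a comment explaining why the default 128 was too small would help.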

29
sls/php/init.sls Normal file
View File

@ -0,0 +1,29 @@
# -*- mode: yaml -*-
{% from "php/map.jinja" import php_config with context %}
{% set php_version = php_config['version'] %}
include:
- ssl.openssl
{% if grains['os_family'] == 'Gentoo' %}
- augeas.lenses
manage-php-ini-version:
augeas.change:
- context: /files/etc/portage/make.conf
- changes:
- set PHP_INI_VERSION '"{{ php_config['ini'] }}"'
- require:
- file: augeas-makeconf
{% endif %}
php:
pkg.installed:
- pkgs:
{% if grains['os_family'] == 'Gentoo' %}
- dev-lang/php: ">=5.6.17:{{ php_version }}[fpm,curl,bcmath,embed,gd,inifile,mysql,mysqli,pcntl,pdo,snmp,sysvipc,xmlrpc,xmlreader,xmlwriter,xslt]"
- app-eselect/eselect-php: ">=0.7.1-r4[fpm]"
- virtual/httpd-php: ">=5.6:{{ php_version }}"
- app-emacs/php-mode
- watch:
- augeas: manage-php-ini-version
{% endif %}
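Review bot: On a non-Gentoo minion the `php` state renders as `pkg.installed` with an empty `pkgs:` list, because every package entry and the `watch` requisite sit inside the `{% if grains['os_family'] == 'Gentoo' %}` block while the state ID itself does not. Either guard the whole `php` state with the same conditional or give the other branch its own package list; at minimum a comment above `php:` such as `# Package list is Gentoo-only; other os_family values render an empty pkgs list` documents the limitation. The `php/map.jinja` lookup that feeds `php_version` has the same Gentoo-only shape, so the failure would surface there first.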

5
sls/php/map.jinja Normal file

@ -0,0 +1,5 @@
{% set php_config = salt['grains.filter_by']({
'Gentoo': { 'version': '5.6',
'ini': 'production'},
})
%}
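Review bot: `grains.filter_by` is called with a lookup that has only a `'Gentoo'` key and no `default`, so on any other `os_family` it returns `None` and the `php_config['version']` / `php_config['ini']` lookups in `php/init.sls` and `php-fpm.sls` fail at render time with an opaque Jinja error. Passing `default='Gentoo'` (or adding a `'default'` key whose values the other platforms actually ship) makes the result deterministic; if the repository is Gentoo-only by design, a comment `{# Gentoo-only: other os_family values are not supported #}` says so where the reader looks first.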

42
sls/php/php-fpm.conf Normal file

@ -0,0 +1,42 @@
include=/etc/php/fpm-php5.6/fpm.d/*.conf
[global]
; Pid file
; Default Value: none
; Warning: pid file is overriden by the Gentoo init script.
pid = /run/php-fpm.pid
; Error log file
; Note: the default prefix is /var/lib
; Default Value: log/php-fpm.log
error_log = /var/log/php-fpm.log
; Log level
; Possible Values: alert, error, warning, notice, debug
; Default Value: notice
log_level = notice
; If this number of child processes exit with SIGSEGV or SIGBUS within the time
; interval set by emergency_restart_interval then FPM will restart. A value
; of '0' means 'Off'.
; Default Value: 0
emergency_restart_threshold = 0
; Interval of time used by emergency_restart_interval to determine when
; a graceful restart will be initiated. This can be useful to work around
; accidental corruptions in an accelerator's shared memory.
; Available Units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
emergency_restart_interval = 0
; Time limit for child processes to wait for a reaction on signals from master.
; Available units: s(econds), m(inutes), h(ours), or d(ays)
; Default Unit: seconds
; Default Value: 0
process_control_timeout = 0
; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
; Default Value: yes
daemonize = yes
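Review bot: `include=/etc/php/fpm-php5.6/fpm.d/*.conf` hard-codes the 5.6 slot while `php-fpm.sls` installs this file under `/etc/php/fpm-php{{ php_version }}/` with the version taken from `php/map.jinja`, so bumping the version in the map silently leaves the pool directory unread; because the file is deployed without `template: jinja`, the two cannot be kept in step without a manual edit. `emergency_restart_threshold = 0` and `emergency_restart_interval = 0` also keep the crash-loop protection off, so a pool whose workers keep dying with SIGSEGV or SIGBUS is never restarted by the master; a non-zero pair (for example `emergency_restart_threshold = 10` with `emergency_restart_interval = 1m`) is the usual setting, and if it is intentionally disabled a comment saying why would help the next reader.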

45
sls/php/php-fpm.sls Normal file

@ -0,0 +1,45 @@
# -*- mode: yaml -*-
{% from "php/map.jinja" import php_config with context %}
{% set php_version = php_config['version'] %}
include:
- php
/etc/php/fpm-php{{ php_version }}/php-fpm.conf:
file.managed:
- source: salt://php/php-fpm.conf
- mode: 644
- user: root
- group: root
/etc/php/fpm-php{{ php_version }}/fpm.d/:
file.directory:
- create: True
- mode: 755
- user: root
- group: root
/etc/php/fpm-php{{ php_version }}/fpm.d/default.conf:
file.managed:
- source: salt://php/fpm.d/default.conf
- mode: 644
- user: root
- group: root
- require:
- file: /etc/php/fpm-php{{ php_version }}/fpm.d/
eselect-php-fpm:
eselect.set:
- name: php
- action_parameter: 'fpm'
- target: 'php{{ php_version }}'
php-fpm:
service.running:
- enable: True
- watch:
- pkg: openssl
- pkg: php
- eselect: eselect-php-fpm
- file: /etc/php/fpm-php{{ php_version }}/php-fpm.conf
- file: /etc/php/fpm-php{{ php_version }}/fpm.d/
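Review bot: Edits to the pool file `fpm.d/default.conf` do not restart `php-fpm`: the service's `watch` list names the `fpm.d/` `file.directory` state, which only reports a change when the directory itself is created or re-permissioned, not the `default.conf` `file.managed` state that actually carries the pool settings. Add `- file: /etc/php/fpm-php{{ php_version }}/fpm.d/default.conf` to the service's `watch`. The `php-fpm.conf` state deploys the file without `template: jinja`, so the version-specific `include=` path inside it cannot follow `php_version`; adding `- template: jinja` here and templating that line would close the gap.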


@ -0,0 +1,4 @@
smartmontools:
pkg.installed:
- name: sys-apps/smartmontools


@ -0,0 +1,40 @@
# Managed by Salt
{% set default_email = salt['pillar.get']('contacts:default:email', False) %}
# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
#
# -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
# -T TYPE set the tolerance to one of: normal, permissive
# -o VAL Enable/disable automatic offline tests (on/off)
# -S VAL Enable/disable attribute autosave (on/off)
# -n MODE No check. MODE is one of: never, sleep, standby, idle
# -H Monitor SMART Health Status, report if failed
# -l TYPE Monitor SMART log. Type is one of: error, selftest
# -f Monitor for failure of any 'Usage' Attributes
# -m ADD Send warning email to ADD for -H, -l error, -l selftest, and -f
# -M TYPE Modify email warning behavior (see man page)
# -s REGE Start self-test when type/date matches regular expression (see man page)
# -p Report changes in 'Prefailure' Normalized Attributes
# -u Report changes in 'Usage' Normalized Attributes
# -t Equivalent to -p and -u Directives
# -r ID Also report Raw values of Attribute ID with -p, -u or -t
# -R ID Track changes in Attribute ID Raw value with -p, -u or -t
# -i ID Ignore Attribute ID for -f Directive
# -I ID Ignore Attribute ID for -p, -u or -t Directive
# -C ID Report if Current Pending Sector count non-zero
# -U ID Report if Offline Uncorrectable count non-zero
# -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
# -v N,ST Modifies labeling of Attribute N (see man page)
# -a Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
# -F TYPE Use firmware bug workaround. Type is one of: none, samsung
# -P TYPE Drive-specific presets: use, ignore, show, showall
# # Comment: text after a hash sign is ignored
# \ Line continuation character
# Attribute ID is a decimal integer 1 <= ID <= 255
# except for -C and -U, where ID = 0 turns them off.
# All but -d, -m and -M Directives are only implemented for ATA devices
#
# If the test string DEVICESCAN is the first uncommented text
# then smartd will scan for devices.
# DEVICESCAN may be followed by any desired Directives.
DEVICESCAN -s S/../../1/10 {% if default_email %}-m {{ default_email }}{% endif %}
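Review bot: The `DEVICESCAN` line carries only `-s` and `-m`, so the `-a` set that smartd applies to a device listed with no directives (health status, error and self-test logs, pending and uncorrectable sector counts, per the comment block above) is no longer implied; unless the smartd build in use still adds it when other directives are present (verify against smartd.conf(5)), disks get scheduled self-tests but their results and SMART health are never monitored or reported. Writing the intent explicitly, `DEVICESCAN -a -s S/../../1/10 {% if default_email %}-m {{ default_email }}{% endif %}`, is harmless either way. The pillar value is interpolated unquoted into a directive line, so a value containing whitespace or `#` would be parsed as further directives or a comment; a comment noting that `contacts:default:email` must be a single bare address documents that assumption.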


@ -0,0 +1,18 @@
include:
- smartmontools.pkg
smartd_service:
service.running:
- name: smartd
- enable: True
- watch:
- pkg: smartmontools
- file: /etc/smartd.conf
/etc/smartd.conf:
file.managed:
- source: salt://smartmontools/smartd.conf.tpl
- template: jinja
- user: root
- group: root
- mode: 640


@ -0,0 +1,48 @@
# -*- mode: yaml -*-
include:
- ssl.openssl
ca-certificates:
pkg.latest:
- name: app-misc/ca-certificates
- require:
- pkg: openssl
/etc/ca-certificates.conf:
file.managed:
- replace: false
- mode: 0644
- user: root
- group: root
- require:
- pkg: ca-certificates
ca-certificates-dirs:
file.directory:
- names:
- /etc/ssl/certs
- /etc/ca-certificates
- /etc/ca-certificates/update.d
- mode: 0755
- user: root
- group: root
- require:
- pkg: ca-certificates
/usr/local/share/ca-certificates:
file.recurse:
- source: salt://ssl/ca-certificates
- dir_mode: 755
- file_mode: 644
- user: root
- group: root
/usr/sbin/update-ca-certificates:
cmd.wait:
- watch:
- pkg: ca-certificates
- file: /etc/ca-certificates.conf
- file: ca-certificates-dirs
- file: /usr/local/share/ca-certificates
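Review bot: The `file.recurse` on `/usr/local/share/ca-certificates` has no `clean: True`, so a CA certificate deleted from `salt://ssl/ca-certificates` on the master stays among the minion's trust anchors, and `update-ca-certificates` keeps it in the bundle, until someone removes it by hand; for a directory whose only job is trust anchors, the retire path matters as much as the install path. Add `- clean: True` under that state so a removed or rotated root is actually untrusted. The `cmd.wait` on `/usr/sbin/update-ca-certificates` already watches the same state, so the bundle is rebuilt on removal without further changes.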


@ -0,0 +1,61 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 16322057414284631021 (0xe28398bd85f75bed)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=SU, ST=Soviet Union, O=C3R, OU=Security division, CN=Root CA v3 (SHA256)/emailAddress=admin@bakka.su
Validity
Not Before: Dec 17 16:06:11 2014 GMT
Not After : Dec 14 16:06:11 2024 GMT
Subject: C=SU, ST=Soviet Union, O=C3R, OU=Security division, CN=Root CA v3 (SHA256)/emailAddress=admin@bakka.su
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (521 bit)
pub:
04:00:41:37:f1:d2:f1:82:59:92:fd:b9:de:bc:31:
40:1a:66:9f:7e:0d:0d:98:67:8b:b6:ec:aa:78:60:
f1:5d:6a:60:38:b4:6b:33:62:e1:b2:8c:d4:9b:3e:
ae:8f:0a:ce:01:4e:fc:ed:8c:e9:62:8c:d3:dc:fd:
dc:c4:0c:46:91:f4:c5:00:75:bb:ac:d2:88:f6:1e:
b8:e3:c7:3c:75:2a:eb:b0:32:ef:51:62:9b:09:c5:
5f:8a:ac:b5:36:3d:af:65:bd:68:d0:12:d2:42:07:
3f:35:60:3d:7d:ed:fd:29:39:bc:9a:67:bb:43:83:
df:22:98:a3:8f:b6:d6:24:de:55:43:52:4c
ASN1 OID: secp521r1
X509v3 extensions:
X509v3 Subject Key Identifier:
89:45:A4:3E:3A:0F:99:59:C4:A9:38:91:25:1E:E2:1E:41:6E:55:D8
X509v3 Authority Key Identifier:
keyid:89:45:A4:3E:3A:0F:99:59:C4:A9:38:91:25:1E:E2:1E:41:6E:55:D8
X509v3 Basic Constraints:
CA:TRUE
X509v3 Key Usage:
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
30:81:88:02:42:00:83:02:58:67:70:78:3e:a6:dc:6a:0d:0e:
b1:04:b1:02:84:5c:e8:f1:dc:33:83:87:c0:86:45:73:09:ef:
7f:65:25:b8:47:8b:83:6e:8c:7b:b5:14:18:00:15:18:19:b1:
84:21:ea:a0:e8:59:26:ff:ee:44:a4:e8:a8:2b:fb:6c:03:02:
42:01:04:2b:73:36:98:13:43:95:50:2b:87:49:70:00:87:da:
51:0a:0d:49:ea:64:42:81:56:e6:5a:df:45:a0:47:dd:7c:d2:
fc:50:f8:d6:c3:9d:85:ce:1e:a6:cd:e3:44:48:c3:5c:d0:f7:
16:87:ba:4c:8d:d9:d5:8b:05:6b:7d:ab:60
-----BEGIN CERTIFICATE-----
MIIC9DCCAlWgAwIBAgIJAOKDmL2F91vtMAoGCCqGSM49BAMCMIGLMQswCQYDVQQG
EwJTVTEVMBMGA1UECAwMU292aWV0IFVuaW9uMQwwCgYDVQQKDANDM1IxGjAYBgNV
BAsMEVNlY3VyaXR5IGRpdmlzaW9uMRwwGgYDVQQDDBNSb290IENBIHYzIChTSEEy
NTYpMR0wGwYJKoZIhvcNAQkBFg5hZG1pbkBiYWtrYS5zdTAeFw0xNDEyMTcxNjA2
MTFaFw0yNDEyMTQxNjA2MTFaMIGLMQswCQYDVQQGEwJTVTEVMBMGA1UECAwMU292
aWV0IFVuaW9uMQwwCgYDVQQKDANDM1IxGjAYBgNVBAsMEVNlY3VyaXR5IGRpdmlz
aW9uMRwwGgYDVQQDDBNSb290IENBIHYzIChTSEEyNTYpMR0wGwYJKoZIhvcNAQkB
Fg5hZG1pbkBiYWtrYS5zdTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAEE38dLx
glmS/bnevDFAGmaffg0NmGeLtuyqeGDxXWpgOLRrM2LhsozUmz6ujwrOAU787Yzp
YozT3P3cxAxGkfTFAHW7rNKI9h6448c8dSrrsDLvUWKbCcVfiqy1Nj2vZb1o0BLS
Qgc/NWA9fe39KTm8mme7Q4PfIpijj7bWJN5VQ1JMo10wWzAdBgNVHQ4EFgQUiUWk
PjoPmVnEqTiRJR7iHkFuVdgwHwYDVR0jBBgwFoAUiUWkPjoPmVnEqTiRJR7iHkFu
VdgwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDgYwAMIGI
AkIAgwJYZ3B4Pqbcag0OsQSxAoRc6PHcM4OHwIZFcwnvf2UluEeLg26Me7UUGAAV
GBmxhCHqoOhZJv/uRKToqCv7bAMCQgEEK3M2mBNDlVArh0lwAIfaUQoNSepkQoFW
5lrfRaBH3XzS/FD41sOdhc4eps3jREjDXND3Foe6TI3Z1YsFa32rYA==
-----END CERTIFICATE-----
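Review bot: This root (Basic Constraints `CA:TRUE`, Key Usage `Certificate Sign, CRL Sign`, valid until `Dec 14 16:06:11 2024 GMT`) is placed in the system-wide trust store by `ssl/ca-certificates.sls`, so every TLS client on these minions that uses the OS bundle will accept any certificate this CA, or any subordinate it signs, issues for any name. It carries no Name Constraints extension and no path length limit; for a private CA trusted fleet-wide, a `nameConstraints` extension restricted to the operator's own domains, or issuing only through an intermediate with `pathlen:0`, bounds the damage if the signing key is ever exposed. The expiry date is worth recording in the state or a README beside this file, since nothing here warns before it lapses.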

4
sls/ssl/init.sls Normal file

@ -0,0 +1,4 @@
# -*- mode: yaml -*-
include:
- ssl.openssl
- ssl.ca-certificates

22
sls/ssl/openssl.sls Normal file

@ -0,0 +1,22 @@
# -*- mode: yaml -*-
openssl:
pkg.installed:
- refresh: False
- name: dev-libs/openssl
- version: "~>=1.0.2d[-bindist,static-libs,tls-heartbeat,zlib]"
- require:
- portage_config: sys-libs/zlib
- portage_config: app-misc/c_rehash
sys-libs/zlib:
portage_config.flags:
- use:
- static-libs
- minizip
app-misc/c_rehash:
portage_config.flags:
- accept_keywords:
- ~*
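Review bot: The `openssl` version string enables the `tls-heartbeat` USE flag, which compiles the TLS Heartbeat extension into the library that php-fpm and every other TLS consumer on the host links against; the extension has no practical use outside DTLS and is the code path Heartbleed lived in, so even on a patched `>=1.0.2d` build it is attack surface that nothing visible in this commit relies on. Unless something here needs it, `-tls-heartbeat` is the safer default. `accept_keywords: ~*` on `app-misc/c_rehash` also unmasks the package on every architecture at once; `~amd64` (or whichever keyword the fleet uses) is the conventional form, though that is a style point.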

11
sls/sysctl/disable_ra.sls Normal file

@ -0,0 +1,11 @@
# -*- mode: yaml -*-
net.ipv6.conf.all.accept_ra:
sysctl.present:
- config: /etc/sysctl.d/ipv6_ra.conf
- value: 0
net.ipv6.conf.default.accept_ra:
sysctl.present:
- config: /etc/sysctl.d/ipv6_ra.conf
- value: 0
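Review bot: `disable_ra.sls` and `enable_ra.sls` declare the same two state IDs (`net.ipv6.conf.all.accept_ra`, `net.ipv6.conf.default.accept_ra`) and write the same `/etc/sysctl.d/ipv6_ra.conf`, so a top file or include that pulls both in fails with a conflicting-ID render error, and a host that switches from one to the other gets whichever ran last with no trace of why. A comment at the top of each file, such as `# Mutually exclusive with sysctl.enable_ra -- include exactly one of the two`, makes the constraint visible; distinct IDs with `- name:` would remove the render error but not the underlying conflict.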

11
sls/sysctl/enable_ra.sls Normal file

@ -0,0 +1,11 @@
# -*- mode: yaml -*-
net.ipv6.conf.all.accept_ra:
sysctl.present:
- config: /etc/sysctl.d/ipv6_ra.conf
- value: 1
net.ipv6.conf.default.accept_ra:
sysctl.present:
- config: /etc/sysctl.d/ipv6_ra.conf
- value: 1
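Review bot: `accept_ra: 1` only honours router advertisements while IPv6 forwarding is off on the interface; on a host that also forwards, the kernel ignores RAs at value 1 and needs `2` (accept even when forwarding is enabled). If this state is meant for hosts that route or bridge, the value should be `2`; otherwise a comment `# value 1 is ignored when net.ipv6.conf.*.forwarding=1; use 2 on forwarding hosts` documents the limitation next to the setting.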


@ -0,0 +1,10 @@
# -*- mode: yaml -*-
net.ipv4.ip_nonlocal_bind:
sysctl.present:
- config: /etc/sysctl.d/nonlocal_bind.conf
- value: 1
net.ipv6.ip_nonlocal_bind:
sysctl.present:
- config: /etc/sysctl.d/nonlocal_bind.conf
- value: 1

46
sls/watchdog/init.sls Normal file

@ -0,0 +1,46 @@
# -*- mode: yaml -*-
{% set machine_type = salt['grains.get']('machine_type', 'nil') %}
include:
- core.modules
/etc/watchdog.conf:
file.managed:
- source: salt://watchdog/watchdog.conf.tpl
- template: jinja
- user: root
- group: root
- mode: 644
/etc/conf.d/watchdog:
file.managed:
- source: salt://watchdog/watchdog.confd
- user: root
- group: root
- mode: 644
{% if machine_type == "raspberry pi" %}
/etc/modprobe.d/watchdog.conf:
file.managed:
- source: salt://watchdog/modprobe.d/bcm2708_wdog.conf
- user: root
- group: root
- mode: 755
/etc/modules.d/watchdog.conf:
file.managed:
- source: salt://watchdog/modules.d/bcm2708_wdog.conf
- user: root
- group: root
- mode: 755
{% endif %}
watchdog:
pkg.latest:
- name: sys-apps/watchdog
service.running:
- enable: True
- watch:
- pkg: watchdog
- file: /etc/watchdog.conf
- file: /etc/conf.d/watchdog
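Review bot: The two Raspberry Pi drop-ins `/etc/modprobe.d/watchdog.conf` and `/etc/modules.d/watchdog.conf` are deployed with `mode: 755`, but they are plain configuration files read by modprobe and the modules init script, not executables, and the other config files in this state use `644`; change both to `- mode: 644`. The `machine_type` grain is compared against the literal `"raspberry pi"` (with a space), which is worth documenting next to the `grains.get` call, since a custom grain spelled `raspberrypi` would silently skip the whole block.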


@ -0,0 +1 @@
options bcm2708_wdog nowayout=1


@ -0,0 +1 @@
modules="${modules} bcm2708_wdog"


@ -0,0 +1,25 @@
# Defaults compiled into the binary
watchdog-device = /dev/{{ salt['grains.get']('watchdog_device', 'watchdog') }}
admin = root
interval = 1
logtick = 1
log-dir = /var/log/watchdog
# This greatly decreases the chance that watchdog won't be scheduled before
# your machine is really loaded
realtime = yes
priority = 1
# Check if sshd is still running
# pidfile = /run/sshd.pid
# Uncomment to enable test. Setting one of these values to '0' disables it.
# These values will hopefully never reboot your machine during normal use
# (if your machine is really hung, the loadavg will go much higher than 25)
#max-load-1 = 24
#max-load-5 = 18
max-load-15 = 120 # use auto-generated values from cpu count here?
# Note that this is the number of pages!
# To get the real size, check how large the pagesize is on your machine.
# min-memory = 4
# allocatable-memory = 4
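Review bot: `max-load-15 = 120 # use auto-generated values from cpu count here?` places a comment on the same line as a value; nothing here establishes that the watchdog.conf parser stops at a mid-line `#`, and if it does not, the string `120 # …` is what gets parsed (verify against watchdog.conf(5)). Moving the note onto its own line above the setting is safe regardless, and the question it asks can be answered with the `num_cpus` grain already available to this Jinja template, e.g. `max-load-15 = {{ salt['grains.get']('num_cpus', 1) * 24 }}` (constructed multiplier; pick whatever threshold the fleet tolerates).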


@ -0,0 +1,10 @@
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
# -*- mode: shell-script -*-
# for more info, see watchdog(8)
WATCHDOG_OPTS=""
# # Since it watches for the sshd pid.
# rc_watchdog_need="sshd"

114
sls/xen/init.sls Normal file

@ -0,0 +1,114 @@
# -*- mode: yaml -*-
{% set xen_provided = salt['grains.get']('xen_provided', False) %}
{% set efi = salt['grains.get']('efi', False) %}
xen:
pkg.installed:
- pkgs:
{% if not xen_provided %}
- app-emulation/xen: "~>=4.6.0-r8[{{ 'efi' if efi else '-efi' }}]"
{% endif %}
- app-emulation/xen-tools: "~>=4.6.0-r7[api,hvm,screen,system-qemu,system-seabios]"
- app-emulation/qemu: "[xen,numa,nfs,xfs]"
- dev-libs/libnl
- require:
- file: unmask-hvm
{% if xen_provided %}
- file: xen-provided
{% endif %}
{% if xen_provided %}
xen-provided:
file.append:
- name: /etc/portage/profile/package.provided
- text: "app-emulation/xen-4.6.0-r7"
{% endif %}
unmask-hvm:
file.append:
- name: /etc/portage/profile/use.mask
- text: "-hvm"
xencommons:
service.running:
- enable: True
xenstored:
service.running:
- enable: True
xenconsoled:
service.running:
- enable: True
/etc/init.d/net.xenbr0:
file.symlink:
- target: /etc/init.d/net.lo
net.xenbr0:
service.running:
- enable: True
- require:
- file: /etc/init.d/net.xenbr0
/etc/xen/xl.conf:
file.managed:
- source: salt://xen/xl.conf
- mode: 644
- user: root
- group: root
/etc/init.d/xendomains:
file.managed:
- source: salt://xen/xendomains.initd
- mode: 755
- user: root
- group: root
/etc/conf.d/xendomains:
file.managed:
- source: salt://xen/xendomains.confd
- mode: 644
- user: root
- group: root
/etc/xen/domains/:
file.directory:
- create: True
- mode: 755
- user: root
- group: root
/etc/xen/auto/:
file.directory:
- create: True
- mode: 755
- user: root
- group: root
/etc/xen/scripts/:
file.directory:
- create: True
- mode: 755
- user: root
- group: root
/etc/xen/scripts/block-rbd:
file.managed:
- source: salt://xen/scripts/block-rbd
- mode: 755
- user: root
- group: root
xendomains:
service.running:
- enable: True
- watch:
- file: /etc/init.d/xendomains
- file: /etc/conf.d/xendomains
bringup-xendomains:
cron.present:
- identifier: bringup-xendomains
- name: "/etc/init.d/xendomains --ifstarted bringup"
- minute: '*/10'
- user: root
- require:
- service: xendomains
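Review bot: The `bringup-xendomains` cron runs `/etc/init.d/xendomains --ifstarted bringup` every ten minutes, and `bringup` in the shipped init script starts every `*.cfg` in `AUTODIR` that is not running, so a domain an operator has deliberately shut down with `xl shutdown` is recreated within ten minutes unless its symlink is first removed from `/etc/xen/auto`. That is a defensible keep-alive policy but it is not visible from the state; a comment above `bringup-xendomains:` such as `# Re-creates any /etc/xen/auto domain found stopped; drop the symlink before an intentional shutdown` would prevent surprises. The `xencommons`, `xenstored` and `xenconsoled` services carry no `require` on the `xen` package state, so their ordering relies on Salt running states in declaration order.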

130
sls/xen/scripts/block-rbd Normal file

@ -0,0 +1,130 @@
#!/bin/bash -eu
#
# RBD Xen block device hotplug script
#
# Author Florian Heigl <florian.heigl AT gmail>
# Author Thomas Zelch <thomaszelch AT gmail>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU Lesser General Public License as published
# by the Free Software Foundation; version 2.1 only. with the special
# exception on linking described in file LICENSE.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Lesser General Public License for more details.
#
# Phnglui mglwnafh Cthulhu Rlyeh wgahnagl fhtagn.
# ___
# .-' `'.
# / \
# | ;
# | | ___.--,
# _.._ |0) ~ (0) | _.---'`__.-( (_.
# __.--'`_.. '.__.\ '--. \_.-' ,.--'` `""`
# ( ,.--'` ',__ /./; ;, '.__.'` __
# _`) ) .---.__.' / | |\ \__..--"" """--.,_
# `---' .'.''-._.-'`_./ /\ '. \ _.-~~~````~~~-._`-.__.'
# | | .' _.-' | | \ \ '. `~---`
# \ \/ .' \ \ '. '-._)
# \/ / \ \ `=.__`~-.
# jgs / /\ `) ) / / `"".`\
# , _.-'.'\ \ / / ( ( / /
# `--~` ) ) .-'.' '.'. | (
# (/` ( (` ) ) '-;
# ` '-; (-'
#
# Usage:
#
# Target should be specified using the following syntax:
#
# script=block-rbd,vdev=xvda,pool=rbd,image=image
#
# CephX authentication has to be set up in /etc/ceph/ceph.conf
#
# Mapping without RBD utility:
# http://cephnotes.ksperis.com/blog/2014/01/09/map-rbd-kernel-without-install-ceph-common
# hotplug has unhandled variables
# allow them while sourcing the other scripts
dir=$(dirname "$0")
set +u
. "$dir/block-common.sh"
set -u
check_tools()
{
if ! [ -r /etc/ceph/ceph.conf ]; then
fatal "Unable to find ceph configuration"
fi
if ! type rbd 2>&1 >/dev/null ; then
fatal "Unable to find RBD binary"
fi
if ! lsmod | grep rbd >/dev/null ; then
fatal "Unable to access RBD kernel module"
fi
}
parse_target()
{
pool=`echo $target | cut -f1 -d\:`
image=`echo $target | cut -f2 -d\:`
export pool image
}
add()
{
if rbd --pool $pool list | grep $image >/dev/null ; then
do_or_die rbd --pool $pool --image $image map > /dev/null
else
fatal "Uname to attach RBD pool: $pool image: $image"
fi
if ! [ -b /dev/rbd/$pool/$image ]; then
fatal "Missing RBD device file /dev/rbd/$pool/$image"
fi
}
# need to ensure this is the *last* VM accessing the rbd image?
remove()
{
if [ -b /dev/rbd/$pool/$image ]; then
do_or_die rbd unmap /dev/rbd/$pool/$image > /dev/null
else
fatal "Uname to detach RBD pool: $pool image: $image wasn't found"
fi
}
command=$1
target=$(xenstore-read $XENBUS_PATH/params || true)
if [ -z "$target" ]; then
fatal "No information about the target"
fi
parse_target
check_tools || exit 1
case $command in
add)
add
write_dev /dev/rbd/$pool/$image
;;
remove)
remove
;;
*)
exit 1
;;
esac
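Review bot: In `add()` the existence check `rbd --pool $pool list | grep $image` is an unanchored substring match, so an image named `vm1` is treated as present when only `vm10` exists and the subsequent `map` then fails with a less useful error; use `grep -qx -- "$image"`. In `check_tools()` the redirection `2>&1 >/dev/null` sends stderr to the terminal and only stdout to `/dev/null` (the intent is `>/dev/null 2>&1`), and `lsmod | grep rbd` also matches any module whose name merely contains `rbd` (`grep -q '^rbd '` pins the module column). `$pool` and `$image` come from the xenstore `params` key, which the toolstack fills from the domain config, and are expanded unquoted in every `rbd`, `[ -b ]` and `write_dev` call; quoting them changes nothing for well-formed names and keeps word splitting out of those commands. The two `fatal` messages read `Uname to …` and should be `Unable to …`, and the usage header documents `pool=rbd,image=image` while `parse_target` actually splits `$target` on `:`.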

27
sls/xen/xendomains.confd Normal file

@ -0,0 +1,27 @@
# /etc/conf.d/xendomains
# Directory of domains to boot. AUTODIR should contain one or more symlinks
# to domain config files in /etc/xen
AUTODIR=/etc/xen/auto
# Send shutdown commands to all domains in parallel instead of waiting for
# each to shutdown individually
PARALLEL_SHUTDOWN=yes
# When SCREEN="yes", domains in AUTODIR have their consoles connected to a
# screen session named SCREEN_NAME, with output logged to individual files
# named after each domain and written to /var/log/xen-consoles/ . These files
# are rotated (using app-admin/logrotate) every time xendomains is started.
SCREEN="yes"
SCREEN_NAME="xen"
# Number of seconds between writes to screen's logfiles.
#
# Lower values mean more disk activity and hence a possible performance
# impact, but higher values mean a greater chance of loosing some output
# in the event of a crash.
SCREEN_LOG_INTERVAL="1"
rc_xendomains_need="lvm"

162
sls/xen/xendomains.initd Executable file

@ -0,0 +1,162 @@
#!/sbin/runscript
# -*- mode: shell-script -*-
# Copyright 1999-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
extra_commands="status bringup"
depend() {
need xenstored
after dhcp xend xenconsoled
}
get_domname() {
local name_from_file=$(sed -rn 's/^name\W*=\W*\"?([[:alnum:]_\.-]+)\"?\W*;?/\1/p' "${1}" | tail -n 1)
if [ -z ${name_from_file} ] ; then
basename "${1}"
else
echo ${name_from_file}
fi
}
is_running() {
/usr/sbin/xl list "${1}" >/dev/null 2>&1
}
using_screen() {
yesno SCREEN
use_screen=$?
return $use_screen
}
set_screen_cmd() {
screen_cmd="screen -c ${SCREENRC:-/dev/null} -q -r ${SCREEN_NAME:=xen} -X"
}
set_autodir() {
AUTODIR="${AUTODIR:=/etc/xen/auto}"
}
domain_start() {
local conf="${1}"
local name="${2}"
ebegin "Starting domain ${name}"
if [ $use_screen -eq 0 ]; then
${screen_cmd} screen -t "${name}" xl create "${conf}" -c
else
xl create --quiet "${conf}"
fi
eend $?
}
domain_stop() {
local name="${1}"
xl shutdown -w ${name} >/dev/null
}
bringup() {
set_autodir
if using_screen; then
set_screen_cmd
fi
# Create all domains with config files in AUTODIR.
for conf in $(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort); do
name=$(get_domname "${conf}")
if ! is_running ${name}; then
eerror "Domain ${name} is not running"
domain_start "${conf}" ${name}
fi
done
}
start() {
set_autodir
einfo "Starting Xen domains from ${AUTODIR}"
if using_screen; then
set_screen_cmd
if ! ${screen_cmd} sleep 0 >/dev/null 2>&1 ; then
ebegin "Creating screen session to hold domain consoles"
( screen -c ${SCREENRC:-/dev/null} -d -m -S ${SCREEN_NAME} -t dom0 \
&& sleep 5 \
&& ${screen_cmd} zombie dr \
&& logrotate -f /etc/xen/xen-consoles.logrotate \
&& ${screen_cmd} logfile /var/log/xen-consoles/%t.log \
&& ${screen_cmd} logfile flush ${SCREEN_LOG_INTERVAL:-1} \
&& ${screen_cmd} log on \
&& ${screen_cmd} deflog on ) >/dev/null
fi
if [ $? -ne 0 ] ; then
eend 1
return 1
else
eend
fi
fi
for conf in $(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort); do
name=$(get_domname "${conf}")
if is_running "${name}"; then
einfo "Not starting domain ${name} - already running"
else
domain_start "${conf}" ${name}
fi
done
}
stop() {
set_autodir
if using_screen; then
set_screen_cmd
fi
einfo "Shutting down Xen domains from ${AUTODIR:=/etc/xen/auto}"
# Stop all domains with config files in AUTODIR.
DOMAINS="$(ls "${AUTODIR:=/etc/xen/auto}/"* 2>/dev/null | sort -r)"
if yesno PARALLEL_SHUTDOWN; then
for conf in $DOMAINS; do
name=$(get_domname "${conf}")
if is_running ${name} ; then
einfo "Asking domain ${name} to shutdown"
xl shutdown -w ${name} >/dev/null &
else
einfo "Domain ${name} is not running"
fi
done
ebegin "Waiting for shutdown of domains"
wait
eend $?
else
for conf in $DOMAINS; do
name=$(get_domname "${conf}")
if is_running ${name} ; then
ebegin "Waiting for domain ${name} to shutdown"
xl shutdown -w ${name} >/dev/null
eend $?
else
einfo "Domain ${name} is not running"
fi
done
fi
if [ $use_screen -eq 0 ]; then
if ${screen_cmd} sleep 0 >/dev/null 2>&1 ; then
ebegin "Closing screen session ${SCREEN_NAME}"
${screen_cmd} quit
eend $?
fi
fi
}
status() {
ret=0
for conf in $(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort); do
name=$(get_domname "${conf}")
if is_running ${name}; then
einfo "Domain ${name} is running"
else
eerror "Domain ${name} is not running"
ret=1
fi
done
return $ret
}
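Review bot: `stop()` collects domains with `ls "${AUTODIR:=/etc/xen/auto}/"*` while `start()`, `bringup()` and `status()` only consider `*.cfg`, so any non-`.cfg` file left in `AUTODIR` (a stray backup, a README) is passed to `get_domname` and an `xl shutdown` is attempted on whatever name `basename` yields; use the same glob, `DOMAINS="$(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort -r)"`. `status()` is also the only entry point that does not call `set_autodir`, so it silently depends on `AUTODIR` having been set by the conf.d file. In `get_domname()` the test `[ -z ${name_from_file} ]` is unquoted; it happens to work for the empty case but should be `[ -z "${name_from_file}" ]` for consistency with the quoting elsewhere in the script.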

39
sls/xen/xl.conf Normal file

@ -0,0 +1,39 @@
## Global XL config file ##
# Control whether dom0 is ballooned down when xen doesn't have enough
# free memory to create a domain. "auto" means only balloon if dom0
# starts with all the host's memory.
autoballoon="auto"
# full path of the lockfile used by xl during domain creation
lockfile="/var/lock/xl"
# default output format used by "xl list -l"
#output_format="json"
# first block device to be used for temporary VM disk mounts
blkdev_start="xvda"
# default option to run hotplug scripts from xl
# if disabled the old behaviour will be used, and hotplug scripts will be
# launched by udev.
#run_hotplug_scripts=1
# default backend domain to connect guest vifs to. This can be any
# valid domain identifier.
vif.default.backend="0"
# default gateway device to use with vif-route hotplug script
vif.default.gatewaydev="vlan100"
# default vif script to use if none is specified in the guest config
vif.default.script="vif-bridge"
# default bridge device to use with vif-bridge hotplug scripts
vif.default.bridge="xenbr0"
# Reserve a claim of memory when launching a guest. This guarantees immediate
# feedback whether the guest can be launched due to memory exhaustion
# (which can take a long time to find out if launching huge guests).
# see xl.conf(5) for details.
claim_mode=1