up2date

common/files/vimrc

@@ -1,7 +1,6 @@
 if v:lang =~ "utf8$" || v:lang =~ "UTF-8$"
    set fileencodings=ucs-bom,utf-8,latin1
 endif
-
 set nocompatible        " Use Vim defaults (much better!)
 set bs=indent,eol,start " allow backspacing over everything in insert mode
 set ai                  " always set autoindenting on
@@ -69,3 +68,5 @@ set smarttab
 " always uses spaces instead of tab characters
 set expandtab
 
+" disable visual on click
+set mouse=

common/map.jinja

@@ -4,13 +4,11 @@
     'packages': [
       'vim'
     ],
-    'vimrc': '/etc/vim/vimrc'
   },
   'RedHat': {
     'packages': [
       'vim-enhanced'
     ],
-    'vimrc': '/etc/vimrc'
   },
 }) %}
 

common/vimrc.sls

@@ -1,10 +1,18 @@
 {% from "common/map.jinja" import common with context %}
 
-{{ common['vimrc'] }}:
+/root/.vimrc:
   file.managed:
-    - source: 'salt://common/files/vimrc.jinja'
+    - source: 'salt://common/files/vimrc'
-    - template: jinja
     - user: root
     - group: root
     - mode: 644
 
+{% for user in salt.pillar.get('users', []) %}
+/home/{{user}}/.vimrc:
+  file.managed:
+    - source: 'salt://common/files/vimrc'
+    - user: {{user}}
+    - group: {{user}}
+    - mode: 644
+
+{% endfor %}

gitea/install.sls

@@ -4,6 +4,7 @@
 %}
 {% set basepath = salt.pillar.get('gitea:path')  %}
 
+# FIXME: this could be file.managed with source_hash set
 'download gitea':
   cmd.run:
     - name: 'wget {{ url }} -O {{ basepath }}/bin/gitea && chmod +x {{ basepath }}/bin/gitea && echo {{ ver }} > {{ basepath }}/VERSION'

icinga2/files/icingaweb2.jinja

@@ -6,7 +6,7 @@ rewrite ^/$ http://icinga.keiran.us/icingaweb2 permanent;
 
   location ~ ^/icingaweb2/index\.php(.*)$ {
     # fastcgi_pass 127.0.0.1:9000;
-    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
+    fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
@@ -23,11 +23,32 @@ rewrite ^/$ http://icinga.keiran.us/icingaweb2 permanent;
   location ~ ^/ccfc/$ {
     auth_basic "Login";
     auth_basic_user_file /var/www/htpasswd_ccfc;
-    fastcgi_pass unix://var/run/php/php7.0-fpm.sock;
+    fastcgi_pass unix://var/run/php/php7.3-fpm.sock;
     fastcgi_index index.php;
     include fastcgi_params;
     fastcgi_param SCRIPT_FILENAME /var/www/ccfc/index.php;
     fastcgi_param REMOTE_USER $remote_user;
   }
 
+
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/icinga.keiran.us/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/icinga.keiran.us/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
 }
+server {
+    if ($host = icinga.keiran.us) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+
+server_name icinga.keiran.us;
+    listen 80;
+    return 404; # managed by Certbot
+
+
+}

icinga2/init.sls

@@ -4,6 +4,9 @@ icinga_packages:
     - pkgs:
       - icinga2
       - icingaweb2
+      - icinga2-ido-mysql
+      - certbot
+      - python-certbot-nginx
 
 apache2:
   service.dead:
@@ -15,7 +18,7 @@ apache2:
 
 icingaweb2_vhost:
   file.managed:
-    - name: /etc/nginx/sites-enabled/icingaweb2
+    - name: /etc/nginx/sites-available/icingaweb2
     - source: 'salt://icinga2/files/icingaweb2.jinja'
     - template: jinja
     - user: root

nginx/init.sls

@@ -7,13 +7,15 @@ nginx:
     - reload: True
 
 {% if salt.pillar.get('use_php', True) %}
+{% from "nginx/map.jinja" import php_ver with context %}
 
 {% set timezone = salt.timezone.get_zone() %}
 
 php-fpm:
   pkg.installed: []
+{% if php_ver is not none %}
   service.running:
-    - name: php7.0-fpm
+    - name: php{{php_ver}}-fpm
     - enable: True
     - watch:
       - file: php_cgi.fixpathinfo=1
@@ -21,19 +23,23 @@ php-fpm:
 
 php_cgi.fixpathinfo=1:
   file.uncomment:
-    - name: /etc/php/7.0/fpm/php.ini
+    - name: /etc/php/{{php_ver}}/fpm/php.ini
     - char: ;
     - regex: cgi\.fix\_pathinfo\=1
 
 php_date.timezone={{ timezone }}:
   file.replace:
-    - name: /etc/php/7.0/fpm/php.ini
+    - name: /etc/php/{{php_ver}}/fpm/php.ini
     - append_if_not_found: True
     - pattern: \;date\.timezone.*
     - repl: date.timezone = {{ timezone }}
+{% else %}
+{%     do salt.log.error('Could not determine php_ver; might need to re-run state') %}
+{% endif %}
 
 {% endif %}
 
+
 /var/www/html/index.html:
   file.managed:
     - user: root

nginx/map.jinja

@@ -0,0 +1,6 @@
+{% set php_fpm_raw = salt['pkg.version']('php-fpm') %}
+{% if php_fpm_raw|length > 0 %}
+{%     set php_ver = php_fpm_raw.split('+')[0].split(':')[1] %}
+{% else %}
+{%     set php_ver = None %}
+{% endif %}

restic/server.sls

@@ -0,0 +1,7 @@
+
+restic-vps:
+  user.present:
+    - home: /mnt/bak1/restic-vps
+    - uid: 1002
+    - gid: 1002
+

salt/files/master.jinja

@@ -3,4 +3,4 @@ minion_data_cache: True
 state_output: changes
 top_file_merging_strategy: same
 pillar_merge_lists: True
-log_level: warning
+log_level: error

salt/files/minion.jinja

@@ -1,5 +1,6 @@
 master: kpi.keiran.us
 pillar_raise_on_missing: True
 state_output: changes
-log_level: warning
+log_level: error
+grains_cache: True
 mysql.default_file: '/root/.my.cnf'

samba/files/smb.conf.jinja

@@ -0,0 +1,34 @@
+#
+# Managed by Salt
+#
+# run testparm -s after making changes to validate them
+
+[global]
+  workgroup = WORKGROUP
+  log file = /var/log/samba/log.%m
+  max log size = 1000
+  logging = file
+  panic action = /usr/share/samba/panic-action %d
+  server role = standalone server
+  obey pam restrictions = yes
+  unix password sync = no
+  map to guest = bad user
+  usershare max shares = 0
+
+{% if salt.pillar.get('samba:enable_homes', false) %}
+[homes]
+  comment = Home Directories
+  browseable = no
+  read only = yes
+  create mask = 0700
+  directory mask = 0700
+  valid users = %S
+{% endif %}
+
+{% for name, path in salt.pillar.get('samba:shares', {}).items() %}
+[{{ name }}]
+  path = {{ path }}
+  valid users = @sambashare
+  read only = yes
+{% endfor %}
+

samba/files/wsdd.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Web Services Dynamic Discovery host daemon
+; Start after the network has been configured
+After=network-online.target
+Wants=network-online.target
+; It makes sense to have Samba running when wsdd starts, but is not required
+;Wants=smb.service
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/wsdd --shortlog
+; Replace those with an unprivledged user/group that matches your environment,
+; like nobody/nogroup or daemon:daemon or a dedicated user for wsdd
+User=nobody
+; The following lines can be used for a chroot execution of wsdd.
+; Also append '--chroot /run/wsdd/chroot' to ExecStart to enable chrooting
+;AmbientCapabilities=CAP_SYS_CHROOT
+;ExecStartPre=/usr/bin/install -d -o nobody -g nobody -m 0700 /run/wsdd/chroot
+;ExecStopPost=rmdir /run/wsdd/chroot
+
+[Install]
+WantedBy=multi-user.target

samba/init.sls

@@ -0,0 +1,29 @@
+samba_packages:
+  pkg.installed:
+    - pkgs:
+      - samba
+      - samba-common-bin
+
+smbd:
+  service.running:
+    - enable: True
+    - watch:
+      - file: /etc/samba/smb.conf
+      - pkg: samba_packages
+
+/etc/samba/smb.conf:
+  file.managed:
+    - source: 'salt://samba/files/smb.conf.jinja'
+    - template: jinja
+
+{# generate these with print(hashlib.new('md4', "password".encode('utf-16le')).hexdigest()) #}
+{% for user, passw in salt.pillar.get('samba:users', {}).items() %}
+samba_{{user}}:
+  pdbedit.managed:
+    - name: {{user}}
+    - password: {{passw}}
+    - password_hashed: True
+{% endfor %}
+
+include:
+  - samba.wsdd

samba/wsdd.sls

@@ -0,0 +1,23 @@
+
+wsdd:
+  file.managed:
+    - name: /lib/systemd/system/wsdd.service
+    - source: salt://samba/files/wsdd.service
+  service.running:
+    - enable: True
+    - watch:
+      - file: wsdd
+      - file: wsdd.py
+
+service.systemctl_reload:
+  module.run:
+    - onchanges:
+      - file: /lib/systemd/system/wsdd.service
+
+wsdd.py:
+  file.managed:
+    - name: /usr/bin/wsdd
+    - mode: 755
+    - source: https://raw.githubusercontent.com/christgau/wsdd/d1c0d3e31768646326a15d9eaef28ec9a3180023/src/wsdd.py
+    - source_hash: 2b7bd278e38d85c1742aba5d95bd9d81
+

ssh/files/authorized_keys.jinja

@@ -1,6 +1,6 @@
 # Managed by Salt
-{% set comments = pillar['authorized_keys'].keys()|sort -%}
+{% set comments = pillar['global_authorized_keys'].keys()|sort -%}
 {% for comment in comments -%}
-{%   set keydata = pillar['authorized_keys'][comment] -%}
+{%   set keydata = pillar['global_authorized_keys'][comment] -%}
 {{keydata}} {{comment}}
 {% endfor -%}

ssh/files/bashrc.jinja

@@ -73,5 +73,7 @@ if [ $(id -u) -gt 0 ]; then
     alias fab='sudo fab'
 fi
 
+alias random='< /dev/urandom tr -dc A-Za-z0-9 | head -c${1:-32};echo'
+
 # https://git.keiran.us/config-mgmt/puppet/raw/commit/09158fc579f5ee2c00f395971d8c986e3ec08788/modules/keir/files/bash/bashrc
 

ssh/init.sls

@@ -33,7 +33,7 @@
     - require:
       - file: /root/.ssh
 
-{% for user in salt.pillar.get('authkey_users', []) | union(salt.pillar.get('ssh_config_users', [])) %}
+{% for user in salt.pillar.get('users', []) | union(salt.pillar.get('ssh_config_users', [])) %}
 
 /home/{{user}}/.ssh:
   file.directory:
@@ -57,7 +57,7 @@
 
 {% endfor %}
 
-{% for user in salt.pillar.get('authkey_users', []) %}
+{% for user in salt.pillar.get('users', []) %}
 
 /home/{{user}}/.ssh/authorized_keys:
   file.managed:

top.sls

@@ -9,3 +9,5 @@
     - salt.master
     - icinga2
     - nginx
+    - restic.server
+    - samba