Commit Graph

294 Commits

Author SHA1 Message Date
45b53f8392
salt.master: add firewalld rules
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:50:11 +01:00
e395f7f0a3
Manage common firewalld rules
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:49:48 +01:00
e62080ae5b
Manage firewalld
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:30:37 +01:00
1660fb099e
Merge lists on test minions
Reflect production setting, allow pillar to merge from different roles.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:29:30 +01:00
4ece021122
Enable firewalld-formula
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
... and sort list entries alphabetically.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 15:12:52 +01:00
880f6796c5
salt.master: enable API IPv6 listener
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
No individual listeners can be configured, hence global dual stack
listener it is.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 14:59:35 +01:00
7b808efdb5
Enable SSH banner
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 14:15:40 +01:00
002fad5f27
salt.minion: allow minions without roles
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
If-clause to check for Syndic roles caused regression on minions without
any assigned roles.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-29 14:09:49 +01:00
bd7fe25eb0
Listeners macro: skip on empty mine
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Don't fail if mine does not contain information about the queried
minion.
In the future it would be nice to add another conditional to allow such
minions to fall-back to the locally executed network module for
masterless setups.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 02:14:37 +01:00
bd166cbb42
salt.master: set rootgroup
Needed for formula to not nuke Syndic key permissions. Little bit ugly.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 02:14:36 +01:00
08f23700c9
Listeners macro: use mined addresses
Some checks failed
ci/lysergic/push/pipeline Pipeline failed
The network module runs on the Salt master, but the macro should fetch
minion addresses.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 01:32:23 +01:00
0ea6f8c62d
Mine IPv6 addresses
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 01:13:21 +01:00
975fa89abc
Mine IP addresses
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Add Salt mine configuration to collect minion IP addresses.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 01:06:44 +01:00
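The three commits above (mine IPv4/IPv6 addresses, use mined addresses in the listeners macro, skip on empty mine) describe one mechanism: minions publish their addresses to the Salt mine, and a Jinja macro rendered on the master reads them back. The following SLS fragment is an added example of that pattern, not the repository's own macro. It assumes the minions export the mine functions named in the leading comment; the macro name, its arguments, the "host:port" output format and the file path in the usage state are illustrative choices.

```jinja
{#- Added example, not the lysergic repository's listeners macro.
    Assumes pillar or minion config exports the addresses via the mine
    (function names as documented by Salt):
      mine_functions:
        network.ip_addrs: []
        network.ip_addrs6: []
    The macro/argument names and output format are illustrative. #}
{%- macro listeners(minion_id, port) -%}
{#-   mine.get returns a dict keyed by minion id. A minion that has not yet
      pushed its mine data is simply absent from that dict, so test for the
      key instead of indexing it; an unconditional v4[minion_id] is exactly
      what makes the render fail on an empty mine. #}
{%-   set v4 = salt['mine.get'](minion_id, 'network.ip_addrs') %}
{%-   set v6 = salt['mine.get'](minion_id, 'network.ip_addrs6') %}
{%-   set out = [] %}
{%-   if minion_id in v4 %}
{%-     for addr in v4[minion_id] | sort %}{% do out.append(addr ~ ':' ~ port) %}{% endfor %}
{%-   endif %}
{%-   if minion_id in v6 %}
{%-     for addr in v6[minion_id] | sort %}{% do out.append('[' ~ addr ~ ']:' ~ port) %}{% endfor %}
{%-   endif %}
{{ out | join(',') }}
{%- endmacro %}

{#- Usage: the rendered addresses are the ones the *minion* reported to the
    mine, not those of the master rendering this file (the network module
    executes wherever it is called). If the mine has no entry for this
    minion, the directive is rendered with an empty value instead of
    aborting the whole highstate. #}
/etc/example/listeners.conf:
  file.managed:
    - contents: 'listen = {{ listeners(grains.id, 4505) }}'
```

The `do` statement relies on the `jinja2.ext.do` extension, which Salt enables in its renderer. Mine data is only as fresh as the minions' last `mine.update`, so an address change shows up on the master only after the next mine interval or an explicit refresh.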
e8b905cd0b
salt.master: increase LDAP scope
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Likely needed as it does not support searching a more fine grained base
DN.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 00:19:42 +01:00
a831a25701
salt.master: switch to CherryPy
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Tornado does not support all the features.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-28 00:17:39 +01:00
f4b253a1cf
salt.master: add ldap + completion packages
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
- python-ldap is needed for authenticating with the API
- shell completions are useful :-)

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 20:59:00 +01:00
570522176a
salt.master: add LDAP configuration
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 20:01:01 +01:00
85bfe2cac4
salt.master: add Salt API configuration
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 19:25:21 +01:00
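The four commits above (Salt API configuration, LDAP configuration, CherryPy instead of Tornado, wider LDAP scope) assemble one master configuration. The fragment below is an added example of what that looks like in `/etc/salt/master` or a `master.d/*.conf` drop-in; it is not the repository's configuration. Hostnames, DNs, group names, paths and the port are placeholders; the option names are the ones Salt documents.

```yaml
# Added example for the Salt master, not the lysergic repository's own config.
# Hostnames, DNs, group names and paths are placeholders.

# Salt API via rest_cherrypy (replacing rest_tornado). Keep TLS on:
# disable_ssl: True would send tokens and LDAP credentials in clear.
rest_cherrypy:
  port: 8000
  ssl_crt: /etc/salt/pki/api/salt-api.crt
  ssl_key: /etc/salt/pki/api/salt-api.key

# External auth against LDAP. A trailing % marks an LDAP group, not a user.
# Scope the allowed functions per group instead of granting .* to anyone
# who can bind; '@runner' and '@wheel' are master-side, not minion-side.
external_auth:
  ldap:
    'salt-admins%':
      - .*
      - '@runner'
      - '@wheel'
    'salt-operators%':
      - test.ping
      - state.apply

# LDAP backend (needs python-ldap on the master, see the packages commit).
# auth.ldap.scope is the search scope: 0 = base, 1 = one level, 2 = subtree.
# Scope 2 lets one basedn cover users spread over several OUs when the
# backend cannot be pointed at a more specific base DN.
auth.ldap.uri: ldaps://ldap.example.org
auth.ldap.basedn: dc=example,dc=org
auth.ldap.scope: 2
auth.ldap.binddn: cn=salt,ou=services,dc=example,dc=org
auth.ldap.bindpw: replace-me            # keep this file root:root 0600
auth.ldap.filter: 'uid={{ username }}'
auth.ldap.groupou: groups
auth.ldap.groupclass: posixGroup
auth.ldap.accountattributename: memberUid
```

The `{{ username }}` placeholder in `auth.ldap.filter` is substituted by Salt at authentication time; quoting it keeps YAML from reading the braces as a flow mapping. Verify the result without the API first: `salt -a ldap '*' test.ping` must prompt for a directory password and succeed for a member of `salt-admins`, and fail for an account outside both groups.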
950b308546
Relay via static zz0.email host
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Split horizon for the complete .email zone is not feasible for all
sites, and TLS certificate currently does not cover any of the internal
hostnames.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-27 12:45:01 +01:00
b7ec9e683f Merge pull request 'Manage common SSH server' (#6) from ssh into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #6
2023-01-27 11:48:51 +01:00
698234c040
Manage common SSH server
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-26 23:05:21 +01:00
f949c0aba0
mta.postfix->global.mta pillar; remove mta profile
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
This is more an MTA configuration for system email on all hosts instead of
a dedicated email server role.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-26 20:54:09 +01:00
56a1e11ef6
Move common to global pillar
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-26 20:54:09 +01:00
d627582075
Read formulas from central file
- add formulas.yaml file containing list of all enabled formulas
- read formulas from said file in role.salt.master and prepare_minion.py
- add symlink for easier tracking of the file

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-26 20:54:09 +01:00
68939f8054
Postfix: configure alias_database
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Not needed, but the formula writes a hash:/ entry by default, which might
cause confusion in the future, since our alias_maps is using lmdb:/.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-25 21:39:35 +01:00
286bd5d20b
Repository: remove comment, add priority
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
LibertaCasa RPM repository:
- comment was not added by Salt, it attempted to re-add it every time
- set lower priority

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-25 21:31:40 +01:00
9fd56e7640
Allow local system mail in Postfix
- correct mydestination to allow lysergic.dev to be sent through the
  relay
- correct relayhost to use SMTPS port

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-25 21:29:16 +01:00
7305d70822 Merge pull request 'Revert OS pillar split' (#4) from revert-ospillarsplit into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #4
2023-01-24 23:29:11 +01:00
4bf9ac9413
Include Postfix pillar via role
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-24 23:16:56 +01:00
7b9f184c6b
Revert "Split to OS specific common pillar"
This reverts commit 4863396938.
2023-01-24 23:03:20 +01:00
342affc1b8 Merge pull request 'Include role.salt.common in master' (#3) from master-include-common into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #3
2023-01-24 21:59:04 +01:00
4c6b221dad
Include role.salt.common in master
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Needed to allow individual apply's of salt.master without breaking
common configuration options.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-24 21:46:18 +01:00
d83eb08f48 Merge pull request 'Manage global Postfix'es + make common pillar OS based' (#2) from postfix into production
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Reviewed-on: #2
2023-01-24 21:26:04 +01:00
70036d224f
Manage aliases
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-24 21:18:08 +01:00
5f9a74c612
Enable postfix-formula
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-24 21:18:08 +01:00
6c7aaa08e1
Manage common Postfix
Add configuration for global client MTAs.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

Enable Postfix management

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-24 21:17:55 +01:00
4863396938
Split to OS specific common pillar
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-24 18:03:15 +01:00
2698d18625
Include users in pipeline
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 22:59:29 +01:00
dc3c0dd6a9
Include users in common.suse
Some checks failed
ci/lysergic/push/pipeline Pipeline failed
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 22:56:39 +01:00
0457625204
Enforce ID and roles in top
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Adapt to current private pillar top:
- match ID grain for inclusion of ID files
- move roles under conditional

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 22:39:14 +01:00
48c9e05de1
Enable users-formula
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 21:37:45 +01:00
a3583e25a5
Wrap zypper pillar in OS check
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Zypper pillar data is not needed on non-SUSE systems.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 21:33:27 +01:00
0c2ea3ef95
Add common_packages to common.suse
Add ID and initialize with fish and system-group wheel packages.
More packages to be added later on.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 21:32:45 +01:00
e8f19191eb
Disable refreshdb_force
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Speed up state.apply's.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 21:02:44 +01:00
3226b4113c
Remove release from RPM key check
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Release tag can be different from machine to machine. Checking for the
version tag should be good enough.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 20:55:56 +01:00
5bda75100a
Manage LC repository + ca-certificates
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
manage
- home:crameleon:LibertaCasa repository
- ca-certificates-syscid
in common SUSE state.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 20:44:39 +01:00
2e08c3cf36
Connect syndic minions to syndic master
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Syndics are generally the masters assigned to their region.
We want the minions on syndics to connect to their upstream master
("master of masters") instead of to themselves.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 19:28:28 +01:00
a5754ea0cb
Add admins to redis group on masters
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Avoid permissions errors if Salt attempts to write to Redis during
non-root state.apply calls.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 18:38:36 +01:00
cce6cce594
Use central machine-roles endpoint
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 16:55:55 +01:00
0efd688151
Use http.query instead of nbroles module
All checks were successful
ci/lysergic/push/pipeline Pipeline was successful
This is an attempt to remove the need for the custom nbroles module. If
it works out, the localhost reference should be replaced with a global
roles API endpoint.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 16:32:57 +01:00