diff --git a/GIDs b/GIDs
--- a/GIDs
+++ b/GIDs
@@ -1,3 +1,5 @@
 827 chaton-dev
 828 deployment
 829 nasqueron-irc
+9001 salt
+9002 deploy
diff --git a/UIDs b/UIDs
--- a/UIDs
+++ b/UIDs
@@ -1,3 +1,5 @@
 830 odderon
 831 builder
 832 chaton
+9001 salt
+9002 deploy
diff --git a/roles/saltmaster/sudo/files/deploy b/roles/saltmaster/account/files/deploy
rename from roles/saltmaster/sudo/files/deploy
rename to roles/saltmaster/account/files/deploy
--- a/roles/saltmaster/sudo/files/deploy
+++ b/roles/saltmaster/account/files/deploy
@@ -4,7 +4,7 @@
 # Project: Nasqueron
 # Created: 2017-09-28
 # License: Trivial work, not eligible to copyright
-# Source file: roles/saltmaster/sudo/files/deploy
+# Source file: roles/saltmaster/account/files/deploy
 # -------------------------------------------------------------
 #
 #
diff --git a/roles/saltmaster/sudo/files/salt b/roles/saltmaster/account/files/salt
rename from roles/saltmaster/sudo/files/salt
rename to roles/saltmaster/account/files/salt
--- a/roles/saltmaster/sudo/files/salt
+++ b/roles/saltmaster/account/files/salt
@@ -4,7 +4,7 @@
 # Project: Nasqueron
 # Created: 2016-04-10
 # License: Trivial work, not eligible to copyright
-# Source file: roles/saltmaster/sudo/files/salt
+# Source file: roles/saltmaster/account/files/salt
 # -------------------------------------------------------------
 #
 #
diff --git a/roles/saltmaster/account/init.sls b/roles/saltmaster/account/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/saltmaster/account/init.sls
@@ -0,0 +1,65 @@
+# -------------------------------------------------------------
+# Salt — Salt master configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-04-28
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs with context %}
+
+# -------------------------------------------------------------
+# Accounts
+# -------------------------------------------------------------
+
+# Salt account
+salt_account:
+ group.present:
+ - name: salt
+ - gid: 9001
+ - system: True
+ user.present:
+ - name: salt
+ - fullname: SaltStack master account
+ - uid: 9001
+ - gid: 9001
+ - home: /var/run/salt
+
+salt_account_ownership:
+ cmd.run:
+ - name: chown -R salt {{ dirs.etc }}/salt /var/cache/salt /var/log/salt /var/run/salt
+ - onchanges:
+ - user: salt_account
+
+# Deployment account
+deploy_account:
+ group.present:
+ - name: deploy
+ - gid: 9002
+ - system: True
+ user.present:
+ - name: deploy
+ - fullname: Deployment and management of the Salt staging area
+ - uid: 9002
+ - gid: 9002
+ - home: /opt/salt/staging
+
+deploy_account_ownership:
+ cmd.run:
+ - name: chown -R salt /opt/salt/staging /opt/salt/private/staging
+ - onchanges:
+ - user: deploy_account
+
+# -------------------------------------------------------------
+# Sudo capabilities
+#
+# Ops should be able to sudo -u salt …
+# Deployers should be able to sudo -u deploy
+# -------------------------------------------------------------
+
+{% for sudofile in ['salt', 'deploy'] %}
+saltmaster_sudo_capabilities_{{ sudofile }}:
+ file.managed:
+ - name: {{ dirs.etc }}/sudoers.d/{{ sudofile }}
+ - source: salt://roles/saltmaster/account/files/{{ sudofile }}
+{% endfor %}
diff --git a/roles/saltmaster/init.sls b/roles/saltmaster/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/saltmaster/init.sls
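Review bot: The sudoers drop-ins written by `saltmaster_sudo_capabilities_{{ sudofile }}` use `file.managed` with only `name` and `source`, so the files get whatever default owner and mode the minion applies and a syntax error in either source file would be installed unvalidated, which on most sudo versions disables sudo for every user until it is fixed by hand. I would add `- user: root`, `- mode: 440` and `- check_cmd: visudo -cf` to that state; Salt appends the temporary file path to `check_cmd`, so the new content is validated before it replaces the live file. Separately, `deploy_account_ownership` runs `chown -R salt /opt/salt/staging /opt/salt/private/staging` whenever `deploy_account` changes, which leaves the `deploy` user's own home owned by `salt`; if deployers are meant to write to the staging area via `sudo -u deploy` this looks like it should be `chown -R deploy …`, and if `salt` ownership is intended the state deserves a comment saying so. Note also that both `onchanges: - user:` triggers fire on any change to the user state (fullname, home, …), not only a uid change, so the recursive chown is not limited to the renumbering case the UIDs/GIDs registry suggests.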
@@ -0,0 +1,12 @@
+# -------------------------------------------------------------
+# Salt — Provision a salt master
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Created: 2017-10-21
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+include:
+ - .account
+ - .cloud
+ - .salt-wrapper
diff --git a/roles/saltmaster/salt-wrapper/files/salt-wrapper.conf b/roles/saltmaster/salt-wrapper/files/salt-wrapper.conf
--- a/roles/saltmaster/salt-wrapper/files/salt-wrapper.conf
+++ b/roles/saltmaster/salt-wrapper/files/salt-wrapper.conf
@@ -11,11 +11,11 @@
 "roots": [
 {
 "config": "/usr/local/etc/salt-woodscloud",
- "states": "/opt/woodscloud-operations"
+ "states": "/opt/salt/woodscloud-operations"
 },
 {
 "config": "/usr/local/etc/salt",
- "states": "/opt/nasqueron-operations"
+ "states": "/opt/salt/nasqueron-operations"
 }
 ]
 }
diff --git a/roles/saltmaster/sudo/init.sls b/roles/saltmaster/sudo/init.sls
deleted file mode 100644
--- a/roles/saltmaster/sudo/init.sls
+++ /dev/null
@@ -1,23 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Salt master configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-28
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import dirs with context %}
-
-# -------------------------------------------------------------
-# Sudo capabilities
-#
-# Ops should be able to sudo -u salt …
-# Deployers should be able to sudo -u deploy
-# -------------------------------------------------------------
-
-{% for sudofile in ['salt', 'deploy'] %}
-saltmaster_sudo_capabilities_{{ sudofile }}:
- file.managed:
- - name: {{ dirs.etc }}/sudoers.d/{{ sudofile }}
- - source: salt://roles/saltmaster/sudo/files/{{ sudofile }}
-{% endfor %}
diff --git a/top.sls b/top.sls
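Review bot: The `include:` list pulls in `.cloud`, but no `roles/saltmaster/cloud` state is part of this commit and the previous `top.sls` mapping for `'local'` listed only `roles/saltmaster/sudo` and `roles/saltmaster/salt-wrapper`. Unless `roles/saltmaster/cloud/init.sls` already exists in the tree, the highstate for the master will fail to render with a missing-SLS error; and if it does exist, this change silently starts applying it to `'local'`, which the commit does not mention. I would either drop the line until that role lands or add a one-line comment above `- .cloud` naming what it provisions, so the widened scope of the `'local'` target is visibly deliberate.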
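Review bot: The `states` roots now point at `/opt/salt/woodscloud-operations` and `/opt/salt/nasqueron-operations`, but nothing in this commit creates those directories or sets their ownership; `deploy_account_ownership` in `roles/saltmaster/account/init.sls` only covers `/opt/salt/staging` and `/opt/salt/private/staging`. If the checkouts are expected to be moved by hand, a comment next to each root (or a `file.directory` state for the `/opt/salt` tree in the account role) would make the expected layout and owner explicit; as written, the wrapper will resolve to missing paths until that manual step is done, and the file gives the reader no hint of it.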
--- a/top.sls
+++ b/top.sls
@@ -16,8 +16,7 @@
 - roles/core/salt
 - roles/core/sshd
 'local':
- - roles/saltmaster/sudo
- - roles/saltmaster/salt-wrapper
+ - roles/saltmaster
 'ysul.nasqueron.org':
 - roles/webserver-legacy
 - roles/webserver-varnish