
diff --git a/roles/core/init.sls b/roles/core/init.sls
index 6b3f8fa..c6d72e9 100644
--- a/roles/core/init.sls
+++ b/roles/core/init.sls
@@ -1,27 +1,28 @@
# -------------------------------------------------------------
# Salt — Core units
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .rc
- .certificates
- .hostname
- .login
- .network
- .memory
- .monitoring
- .motd
- .ntp
- .src
- .ports
- .rsyslog
- .salt
- .sshd
- .sudo
+ - .storage
- .sysctl
- .timezone
- .userland-software
- .users
diff --git a/roles/core/storage/files/zfs.cron b/roles/core/storage/files/zfs.cron
new file mode 100644
index 0000000..105b391
--- /dev/null
+++ b/roles/core/storage/files/zfs.cron
@@ -0,0 +1,24 @@
+# -------------------------------------------------------------
+# ZFS snapshots
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: roles/core/storage/files/zfs.cron
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+SHELL=/bin/sh
+PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin
+
+# See crontab(5) for field format.
+*/5 * * * * root /usr/local/sbin/zfs-auto-snapshot frequent 24
+0 * * * * root /usr/local/sbin/zfs-auto-snapshot hourly 48
+7 0 * * * root /usr/local/sbin/zfs-auto-snapshot daily 31
+14 0 * * 7 root /usr/local/sbin/zfs-auto-snapshot weekly 7
+28 0 1 * * root /usr/local/sbin/zfs-auto-snapshot monthly 12
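Review bot: The five schedule lines carry only `# See crontab(5)`, which explains the time fields but not the two arguments each job passes, so a reader cannot tell what `24`, `48`, `31`, `7` and `12` control without opening zfs-auto-snapshot. A one-line comment above the first entry would fix that: `# zfs-auto-snapshot <interval> <keep>: keep is how many snapshots of that interval are retained before older ones are pruned`. It is also worth stating in the header which datasets these root jobs act on; the same change opts home datasets in via the `com.sun:auto-snapshot` property in roles/core/users/init.sls, so `# Only datasets with com.sun:auto-snapshot=true are snapshotted (see roles/core/users)` would tie the two files together — confirm that this is indeed the selection rule of the installed zfs-auto-snapshot. Day-of-week `7` on the weekly line is accepted as Sunday by FreeBSD cron, but a short `# Sunday` after it avoids the reader checking.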
diff --git a/roles/core/init.sls b/roles/core/storage/init.sls
similarity index 53%
copy from roles/core/init.sls
copy to roles/core/storage/init.sls
index 6b3f8fa..e3f2350 100644
--- a/roles/core/init.sls
+++ b/roles/core/storage/init.sls
@@ -1,27 +1,9 @@
# -------------------------------------------------------------
-# Salt — Core units
+# Salt — Storage
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- - .rc
- - .certificates
- - .hostname
- - .login
- - .network
- - .memory
- - .monitoring
- - .motd
- - .ntp
- - .src
- - .ports
- - .rsyslog
- - .salt
- - .sshd
- - .sudo
- - .sysctl
- - .timezone
- - .userland-software
- - .users
+ - .snapshots
diff --git a/roles/core/init.sls b/roles/core/storage/snapshots.sls
similarity index 51%
copy from roles/core/init.sls
copy to roles/core/storage/snapshots.sls
index 6b3f8fa..2c8945b 100644
--- a/roles/core/init.sls
+++ b/roles/core/storage/snapshots.sls
@@ -1,27 +1,17 @@
# -------------------------------------------------------------
-# Salt — Core units
+# Salt — Storage
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-include:
- - .rc
- - .certificates
- - .hostname
- - .login
- - .network
- - .memory
- - .monitoring
- - .motd
- - .ntp
- - .src
- - .ports
- - .rsyslog
- - .salt
- - .sshd
- - .sudo
- - .sysctl
- - .timezone
- - .userland-software
- - .users
+{% set zfs_tank = salt['node.get']("zfs:pool") %}
+
+{% if zfs_tank %}
+zfstools:
+ pkg.installed
+
+/etc/cron.d/zfs:
+ file.managed:
+ - source: salt://roles/core/storage/files/zfs.cron
+{% endif %}
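Review bot: The `/etc/cron.d/zfs` state writes a root-executed crontab without pinning `user`/`mode` and without a `require` on `pkg: zfstools`, so ownership and permissions fall back to Salt's defaults and the file can exist before `/usr/local/sbin/zfs-auto-snapshot` is installed if state ordering is ever changed. A cron.d file that schedules root jobs should be explicitly root-owned and not group/world-writable; cron implementations differ in whether they refuse or silently run a writable crontab. Group ownership differs per OS (`wheel` on FreeBSD, `root` on Linux) and the users role already branches on `grains["os"]`, so pin it the same way or leave it to the default and say so in a comment. The header title `# Salt — Storage` is identical to the one in storage/init.sls; `# Salt — Storage: ZFS snapshots` would distinguish them.
```yaml
/etc/cron.d/zfs:
  file.managed:
    - source: salt://roles/core/storage/files/zfs.cron
    - user: root
    - mode: 644
    - require:
      - pkg: zfstools
```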
diff --git a/roles/core/users/init.sls b/roles/core/users/init.sls
index 206ed4f..492e866 100644
--- a/roles/core/users/init.sls
+++ b/roles/core/users/init.sls
@@ -1,144 +1,146 @@
# -------------------------------------------------------------
# Salt — Provision users accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Created: 2017-11-09
# Description: Adds and revokes user accounts, in the relevant
# groups and with their stable SSH keys.
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
# -------------------------------------------------------------
# Table of contents
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# :: Disabled accounts
# :: ZFS (before user account creation)
# :: Active accounts
# :: ZFS (after user account creation)
# :: Groups
# :: SSH keys
#
# -------------------------------------------------------------
{% from "map.jinja" import dirs, shells with context %}
{% set users = salt['forest.get_users']() %}
{% set zfs_tank = salt['node.get']("zfs:pool") %}
{% set forest = salt['node.get']['forest'] %}
# -------------------------------------------------------------
# Disabled accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username in pillar.get('revokedusers') %}
{{ username }}:
user.absent
{% endfor %}
# -------------------------------------------------------------
# ZFS datasets
#
# Where ZFS is available, home directories are created as separate
# datasets. That has several benefits, like allowing users to create
# snapshots or manage backups.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if zfs_tank %}
zfs_home_permissions_sets:
cmd.run:
- name: |
zfs allow -s @local allow,clone,create,diff,hold,mount,promote,receive,release,rollback,snapshot,send {{ zfs_tank }}{{ dirs.home }}
zfs allow -s @descendent allow,clone,create,diff,destroy,hold,mount,promote,receive,release,rename,rollback,snapshot,send {{ zfs_tank }}{{ dirs.home }}
touch {{ dirs.home }}/.zfs-permissions-set
- creates: {{ dirs.home }}/.zfs-permissions-set
{% for username in users %}
{% set home_directory = zfs_tank + dirs['home'] + '/' + username %}
{{ home_directory }}:
- zfs.filesystem_present
+ zfs.filesystem_present:
+ - properties:
+ "com.sun:auto-snapshot": "true"
zfs_permissions_home_local_{{ username }}:
cmd.run:
- name: zfs allow -lu {{ username }} @local {{ home_directory }}
- require:
- user: {{ username }}
- onchanges:
- zfs: {{ home_directory }}
zfs_permissions_home_descendant_{{ username }}:
cmd.run:
- name: zfs allow -du {{ username }} @descendent {{ home_directory }}
- require:
- user: {{ username }}
- onchanges:
- zfs: {{ home_directory }}
/home/{{ username }}:
file.directory:
- user: {{ username }}
- group: {{ username }}
- dir_mode: 700
- require:
- user: {{ username }}
{% endfor %}
{% endif %}
# -------------------------------------------------------------
# Active accounts
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username, user in users.items() %}
{{ username }}:
user.present:
- fullname: {{ user['fullname'] }}
- shell: {{ shells[user['shell']|default('bash')] }}
- uid: {{ user['uid'] }}
- loginclass: {{ user['class']|default('english') }}
{% endfor %}
# -------------------------------------------------------------
# Groups
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for groupname, group in salt['forest.get_groups']().items() %}
group_{{ groupname }}:
group.present:
- name: {{ groupname }}
- gid: {{ group['gid'] }}
- members: {{ group['members'] }}
{% endfor %}
{% if grains["os"] == "FreeBSD" %}
group_wheel:
group.present:
- name: wheel
- gid: 0
- members: {{ salt["forest.get_wheel_users"]() }}
{% endif %}
# -------------------------------------------------------------
# SSH keys
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% for username, user in users.items() %}
/home/{{ username }}/.ssh:
file.directory:
- user: {{ username }}
- group: {{ username }}
- dir_mode: 700
/home/{{ username }}/.ssh/authorized_keys:
file.managed:
- source: salt://roles/core/users/files/authorized_keys
- user: {{ username }}
- group: {{ username }}
- mode: 600
- template: jinja
- context:
keys: {{ user['ssh_keys'] }}
{% endfor %}
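Review bot: The new `properties` block on the home dataset sets `"com.sun:auto-snapshot": "true"` with no comment explaining what consumes the property or why the value is a quoted string rather than a YAML boolean; a maintainer "tidying" it to `true` would presumably have Salt coerce the boolean into a form the snapshot tool does not recognise. Suggested comment above `- properties:`: `# Opt the home dataset into zfstools' zfs-auto-snapshot (roles/core/storage); ZFS user properties are strings, keep "true" quoted.` Worth a second line that child datasets users create under their home inherit the property, so they are snapshotted too, while `userprop` is absent from the `@local`/`@descendent` sets above, so users cannot switch it off themselves — confirm both against the installed ZFS. Unrelated to this change but in the same hunk, `{% set forest = salt['node.get']['forest'] %}` subscripts the execution function instead of calling it and `forest` is not used in the visible lines; it looks like a leftover worth removing or turning into `salt['node.get']('forest')`.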
