diff --git a/roles/saltmaster/account/init.sls b/roles/saltmaster/account/init.sls
index a5f74d6..422336f 100644
--- a/roles/saltmaster/account/init.sls
+++ b/roles/saltmaster/account/init.sls
@@ -1,67 +1,85 @@ # ------------------------------------------------------------- # Salt — Salt master configuration # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2017-04-28 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- {% from "map.jinja" import dirs with context %} # ------------------------------------------------------------- # Accounts # ------------------------------------------------------------- # Salt account salt_account: group.present: - name: salt - gid: 9001 user.present: - name: salt - fullname: SaltStack master account - uid: 9001 - gid: 9001 - home: /var/run/salt salt_account_ownership: cmd.run: - name: chown -R salt {{ dirs.etc }}/salt /var/cache/salt /var/log/salt /var/run/salt - onchanges: - user: salt_account # Deployment account deploy_account: user.present: - name: deploy - fullname: Deployment and management of the Salt staging area - uid: 9002 - gid: 3003 - home: /var/run/deploy # Allow to repair ownership if the account is created after the staging deploy_account_ownership: cmd.run: - name: chown -R salt /opt/salt/staging /opt/salt/private/staging - onchanges: - user: deploy_account +# ------------------------------------------------------------- +# SSH key for deployment account +# +# This key should be added to: +# +# - zemke-rhyne account on devcentral +# https://devcentral.nasqueron.org/settings/user/zemke-rhyne/page/ssh/ +# +# - alken-orin account on GitHub +# Credentials are stored in DevCentral passphrase application +# ------------------------------------------------------------- + +/opt/salt/security: + file.directory: + - user: deploy + - group: ops + - chmod: 770 + deploy_account_ssh_key: cmd.run: - - name: ssh-keygen -t ed25519 -N "" -f /var/run/deploy/.ssh/id_ed25519 + - name: ssh-keygen -t ed25519 -N "" -f /opt/salt/security/id_ed25519 - runas: deploy - - creates: /var/run/deploy/.ssh/id_ed25519 + - creates: 
/opt/salt/security/id_ed25519 # ------------------------------------------------------------- # Sudo capabilities # # Ops should be able to sudo -u salt … # Deployers should be able to sudo -u deploy # ------------------------------------------------------------- {% for sudofile in ['salt', 'deploy'] %} saltmaster_sudo_capabilities_{{ sudofile }}: file.managed: - name: {{ dirs.etc }}/sudoers.d/{{ sudofile }} - source: salt://roles/saltmaster/account/files/{{ sudofile }} {% endfor %} diff --git a/roles/saltmaster/staging/init.sls b/roles/saltmaster/staging/init.sls index ad3dc97..d3ad525 100644 --- a/roles/saltmaster/staging/init.sls +++ b/roles/saltmaster/staging/init.sls @@ -1,38 +1,38 @@ # ------------------------------------------------------------- # Salt — Provision a salt master # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron # Created: 2017-10-21 # License: Trivial work, not eligible to copyright # ------------------------------------------------------------- # ------------------------------------------------------------- # Git repositories for the staging area # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - staging_public_repository: file.directory: - name: /opt/salt/staging - user: deploy - group: deploy - dir_mode: 775 git.latest: - name: https://devcentral.nasqueron.org/source/staging.git - target: /opt/salt/staging - user: deploy - update_head: False - submodules: True staging_private_repository: file.directory: - name: /opt/salt/private/staging - user: deploy - group: deploy - dir_mode: 770 git.latest: - name: ssh://vcs@devcentral.nasqueron.org:5022/source/private-staging.git - target: /opt/salt/private/staging - user: deploy - - identity: /var/run/deploy/.ssh/id_ed25519 + - identity: /opt/salt/security/id_ed25519 - update_head: False - submodules: True
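Review bot: `chmod` is not a documented argument of file.directory, so the `- chmod: 770` on the new `/opt/salt/security` state in this hunk is, as far as I can tell, silently swallowed by the state's extra kwargs and the directory ends up with the default mode rather than 770; the staging/init.sls hunk in this same commit already uses the real argument, so this line should read `- dir_mode: 770`. The same state names `user: deploy` and `group: ops` without a `require`, so it only works because it is defined after `deploy_account`; adding `- require: - user: deploy_account` makes that dependency explicit (the ops group is not created anywhere in this diff). If ops only needs to read the public key, a group-writable key directory is more than required, since any member of ops can then unlink and replace id_ed25519 even though ssh-keygen creates it 0600; `dir_mode: 750` would still give read and traverse access.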