
No commits in common. "master" and "oldstable/fedora" have entirely different histories.

65 changed files with 150 additions and 1231 deletions

.gitignore vendored

@ -1,2 +0,0 @@
serverspecific.sls
system/files/systemupdate.sh

README.md Normal file

@ -0,0 +1,9 @@
# Noveria Salt-State
![SaltStack® Logo](https://upload.wikimedia.org/wikipedia/commons/6/64/SaltStack_logo_blk_2k.png)
This repository is for the master-less salt-statetree for the noveria host, running Fedora Server (insert latest version here).
It managed the complete system using the saltproject.
For further instructions, head to the official salt docs: https://docs.saltproject.io/en/latest/contents.html


@ -1,25 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories
apps_generate-motd_git:
git.latest:
- name: https://git.noveria.org/Tools/generate_motd.git
- target: {{ noveria.app_dir }}/generate_motd
- user: root
- force_reset: True
- require:
- directories_apps_dir
apps_generate-motd_link:
file.symlink:
- name: {{ noveria.bin_dir }}/generate_motd
- target: {{ noveria.app_dir }}/generate_motd/generate_motd
- user: root
- group: root
- mode: '0755'
- require:
- apps_generate-motd_git
- directories_bin_dir
- directories_apps_dir


@ -1,3 +0,0 @@
include:
- .noveriablcgen
- .generate-motd


@ -1,7 +0,0 @@
{
"be_env_dir": "{{ BTRFS_ROOT }}",
"grub_conf_dir": "{{ GRUB_CONFD }}",
"filename": "{{ GRUB_CONFIG_FILENAME }}",
"root_uuid": "{{ ROOT_UUID }}",
"grub_cfg": "{{ GRUB_CONFIG }}"
}


@ -1,44 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories
apps_noveriablcgen_git:
git.latest:
- name: https://git.noveria.org/Tools/noveriablcgen.git
- target: {{ noveria.app_dir }}/noveriablcgen
- user: root
- force_reset: True
- require:
- directories_apps_dir
apps_noveriablcgen_link:
file.symlink:
- name: {{ noveria.bin_dir }}/noveriablcgen
- target: {{ noveria.app_dir }}/noveriablcgen/noveriablcgen
- user: root
- group: root
- mode: '0755'
- require:
- apps_noveriablcgen_git
- directories_bin_dir
- directories_apps_dir
apps_noveriablcgen_config:
file.managed:
- name: {{ noveria.etc_dir }}/noveriablcgen/noveriablcgen.json
- source: salt://{{ tpldir }}/files/noveriablcgen_config.json.jinja
- template: jinja
- context:
BTRFS_ROOT: "/btrfs"
GRUB_CONFD: "/etc/grub.d"
GRUB_CONFIG_FILENAME: "10_noveria"
ROOT_UUID: {{ salt['cmd.shell']('lsblk -o LABEL,UUID | grep ROOT | awk \'{print $2}\'') }}
GRUB_CONFIG: "/boot/grub/grub.cfg"
- mode: '0644'
- makedirs: True
- user: root
- group: root
- require:
- apps_noveriablcgen_git
- directories_etc_dir


@ -1,39 +0,0 @@
{% from "map.jinja" import noveria with context %}
directories_dir:
file.directory:
- name: {{ noveria.dir }}
- user: root
- group: root
- file_mode: '0644'
- dir_mode: '0755'
directories_bin_dir:
file.directory:
- name: {{ noveria.bin_dir }}
- user: root
- group: root
- file_mode: '0644'
- dir_mode: '0755'
- require:
- directories_dir
directories_etc_dir:
file.directory:
- name: {{ noveria.etc_dir }}
- user: root
- group: root
- file_mode: '0644'
- dir_mode: '0755'
- require:
- directories_dir
directories_apps_dir:
file.directory:
- name: {{ noveria.app_dir }}
- user: root
- group: root
- file_mode: '0644'
- dir_mode: '0755'
- require:
- directories_dir


@ -1,40 +0,0 @@
global
log 127.0.0.1 local2
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode http
log global
timeout queue 1m
timeout connect 10s
timeout client 5m
timeout server 5m
maxconn 3000
frontend ssh
mode tcp
bind {{ ipv4 }}:22
default_backend host-ssh
frontend http
mode tcp
bind {{ ipv4 }}:80
default_backend host-http
backend host-ssh
mode tcp
server localhost 127.0.0.1
backend host-http
mode tcp
server localhost 127.0.0.1


@ -1,56 +0,0 @@
#!/sbin/openrc-run
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-proxy/haproxy/files/haproxy.initd-r1,v 1.2 2011/12/04 10:32:32 swegener Exp $
# This is file is managed by salt (state: {{ sls }})
extra_commands="checkconfig"
extra_started_commands="reload"
command=/usr/sbin/haproxy
CONF=${HAPROXY_CONF:-/etc/haproxy/${SVCNAME}.cfg}
CONF_DIR=${HAPROXY_CONF_DIR:-{{ conf_dir }}}
PIDFILE=/var/run/${SVCNAME}.pid
depend() {
need net
after firewall
use dns logger
}
checkconfig() {
if [ ! -f "${CONF}" ] && [ ! -d "${CONF}" ]; then
eerror "${CONF} does not exist!"
return 1
fi
ebegin "Checking ${CONF}"
$command -q -c -f "${CONF}"
eend $?
}
start() {
ebegin "Starting ${SVCNAME}"
start-stop-daemon --pidfile "${PIDFILE}" --exec $command \
--start -- -D -p "${PIDFILE}" -f "${CONF}" -f "${CONF_DIR}"
eend $?
}
stop() {
ebegin "Stopping ${SVCNAME}"
if [ "${RC_CMD}" = "restart" ]; then
checkconfig || return 1
fi
start-stop-daemon --stop --pidfile "${PIDFILE}"
eend $?
}
reload() {
ebegin "Reloading ${SVCNAME}"
checkconfig || { eerror "Reloading failed, please fix your ${CONF} first"; return 1; }
$command -D -p "${PIDFILE}" -f "${CONF}" -f "${CONF_DIR}" -sf $(cat "${PIDFILE}")
eend $?
}


@ -1,3 +0,0 @@
include:
- .pkg
- .service


@ -1,5 +0,0 @@
{% set dir = '/etc/haproxy' %}
{% set haproxy = {
'conf_dir': '%s/conf.d' % dir,
}%}


@ -1,45 +0,0 @@
{% from tpldir+"/map.jinja" import haproxy with context %}
{% set ipv4 = grains['ip4_interfaces']['eth0'][0] %}
haproxy_pkg_pkgs:
pkg.installed:
- pkgs:
- haproxy
haproxy_pkg_conf_dir:
file.directory:
- name: /etc/haproxy/conf.d
- user: root
- group: root
- file_mode: '0644'
- dir_mode: '0755'
- require:
- haproxy_pkg_pkgs
haproxy_pkg_config:
file.managed:
- name: /etc/haproxy/haproxy.cfg
- source: salt://{{ tpldir }}/files/haproxy_config.jinja
- template: jinja
- context:
ipv4: {{ ipv4 }}
- user: root
- group: root
- mode: '0644'
- require:
- haproxy_pkg_pkgs
haproxy_pkg_rc_script:
file.managed:
- name: /etc/init.d/haproxy
- source: salt://{{ tpldir }}/files/haproxy_rcscript.initd.jinja
- template: jinja
- context:
sls: {{ sls }}
conf_dir: {{ haproxy.conf_dir }}
- user: root
- group: root
- mode: '0755'
- require:
- haproxy_pkg_conf_dir
- haproxy_pkg_config


@ -1,9 +0,0 @@
include:
- .pkg
haproxy_service_running:
service.running:
- name: haproxy
- enable: True
- require:
- haproxy_pkg_rc_script


@ -1,8 +0,0 @@
{% set dir = '/usr/local/noveria' %}
{% set noveria = {
'dir': '%s' % dir,
'bin_dir': '%s/bin' % dir,
'etc_dir': '%s/etc' % dir,
'app_dir': '%s/apps' % dir
} %}


@ -1,15 +0,0 @@
include:
- .pkg
mysql_directory:
file.directory:
- name: /var/lib/mysql
- create: False
- replace: False
- user: mysql
- group: mysql
- recurse:
- user
- group
- require:
- mysql_pkg


@ -1,4 +0,0 @@
include:
- .pkg
- .directory
- .service


@ -1,6 +0,0 @@
mysql_pkg:
pkg.installed:
- pkgs:
- mariadb
- mariadb-client
- mariadb-openrc


@ -1,18 +0,0 @@
include:
- .directory
{% if not salt['file.directory_exists']('/var/lib/mysql/mysql') %}
mysql_service_setup:
cmd.run:
- name: /etc/init.d/mariadb setup
- runas: root
- shell: /bin/ash
- require:
- mysql_directory
mysql_service_enable:
service.enabled:
- name: mariadb
- require:
- mysql_service_setup
{% endif %}


@ -1,11 +0,0 @@
## This file is managed by Saltstack. (state: {{ sls }})
#!/usr/sbin/nft
table inet filter {
chain input {
tcp dport 22 accept
{%- for port in ALLOWED_PORTS %}
tcp dport {{ port }} accept
{%- endfor %}
}
}


@ -1,8 +0,0 @@
auto eth0
iface eth0 inet dhcp
auto lo
iface lo inet loopback
iface lo inet static
address 127.0.0.2/8
broadcast 0.0.0.0


@ -1,29 +0,0 @@
network_firewall_pkgs:
pkg.installed:
- pkgs:
- nftables
network_firewall_rules:
file.managed:
- name: /etc/nftables.d/noveria.nft
- source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
- template: jinja
- context:
sls: {{ sls }}
ALLOWED_PORTS: [80, 443, 25565, 51871]
- user: root
- group: root
- mode: '0600'
- makedirs: True
- require:
- network_firewall_pkgs
network_firewall_service_reload:
service.running:
- name: nftables
- enable: True
- watch:
- network_firewall_rules
- require:
- network_firewall_pkgs


@ -1,20 +0,0 @@
include:
- system.base
- .firewall
network_interfaces:
file.managed:
- name: /etc/network/interfaces
- source: salt://{{ tpldir }}/files/network_interfaces
- user: root
- group: root
- mode: '0644'
- require:
- system_base_pkgs
network_service_reload:
service.running:
- name: networking
- enable: True
- watch:
- network_interfaces


@ -1,17 +0,0 @@
include:
- .pkg
openssh_config_configuration:
file.managed:
- name: /etc/ssh/sshd_config
- source: salt://{{ tpldir }}/files/openssh_sshd_config
openssh_config_keys:
file.managed:
- name: /root/.ssh/authorized_keys
- source: salt://{{ tpldir }}/files/openssh_authorized_keys
- makedirs: True
- user: root
- group: root
- require:
- openssh_pkg


@ -1,4 +0,0 @@
include:
- .pkg
- .config
- .service


@ -1,4 +0,0 @@
openssh_pkg:
pkg.installed:
- pkgs:
- openssh-server


@ -1,13 +0,0 @@
include:
- .config
openssh_service_enable:
service.running:
- name: sshd
- enable: True
- watch:
- openssh_config_configuration
- openssh_config_keys
- require:
- openssh_config_configuration
- openssh_config_keys


@ -1,4 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories


@ -1,3 +0,0 @@
include:
- .poddoc
- .pms-cli


@ -1,11 +0,0 @@
{
"PODMAN_DIRECTORY": "{{ PODMAN_DIR }}",
"SERVERRUNNERS": {
"paper": "https://api.papermc.io/v2/projects/paper",
"folia": "https://api.papermc.io/v2/projects/folia"
},
"PROXYRUNNERS": {
"waterfall": "https://api.papermc.io/v2/projects/waterfall",
"velocity": "https://api.papermc.io/v2/projects/velocity"
}
}


@ -1,40 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories
podman_apps_pms-cli_git:
git.latest:
- name: https://git.noveria.org/Tools/pms-cli.git
- target: {{ noveria.app_dir }}/pms-cli
- user: root
- force_reset: True
- require:
- directories_apps_dir
podman_apps_pms-cli_link:
file.symlink:
- name: {{ noveria.bin_dir }}/pms-cli
- target: {{ noveria.app_dir }}/pms-cli/pms-cli
- user: root
- group: root
- mode: '0755'
- require:
- podman_apps_pms-cli_git
- directories_bin_dir
- directories_apps_dir
podman_apps_pms-cli_config:
file.managed:
- name: {{ noveria.etc_dir }}/pms-cli/pms-cli.json
- source: salt://{{ tpldir }}/files/pms-cli_config.json.jinja
- template: jinja
- context:
PODMAN_DIR: "/opt/podman"
- mode: '0644'
- makedirs: True
- user: root
- group: root
- require:
- podman_apps_pms-cli_git
- directories_etc_dir


@ -1,4 +0,0 @@
{
"GIT_REPOSITORY": "{{ GIT_REPO }}",
"PODMAN_DIRECTORY": "{{ PODMAN_DIR }}"
}


@ -1,41 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories
podman_apps_poddoc_git:
git.latest:
- name: https://git.noveria.org/Tools/poddoc.git
- target: {{ noveria.app_dir }}/poddoc
- user: root
- force_reset: True
- require:
- directories_apps_dir
podman_apps_poddoc_link:
file.symlink:
- name: {{ noveria.bin_dir }}/poddoc
- target: {{ noveria.app_dir }}/poddoc/poddoc
- user: root
- group: root
- mode: '0755'
- require:
- podman_apps_poddoc_git
- directories_bin_dir
- directories_apps_dir
podman_apps_poddoc_config:
file.managed:
- name: {{ noveria.etc_dir }}/poddoc/poddoc.json
- source: salt://{{ tpldir }}/files/poddoc_config.json.jinja
- template: jinja
- context:
GIT_REPO: "https://git.noveria.org/Podman"
PODMAN_DIR: "/opt/podman"
- mode: '0644'
- makedirs: True
- user: root
- group: root
- require:
- podman_apps_poddoc_git
- directories_etc_dir


@ -1,12 +0,0 @@
include:
- .user
podman_directory_permissions:
file.directory:
- name: /opt/podman
- user: puser
- group: puser
- dir_mode: '0755'
- file_mode: '0644'
- require:
- podman_user_puser


@ -1 +0,0 @@
net.ipv4.ip_unprivileged_port_start=0


@ -1,6 +0,0 @@
include:
- .pkg
- .rootless
- .user
- .directory
- .service


@ -1,6 +0,0 @@
podman_pkg:
pkg.installed:
- pkgs:
- podman
- podman-openrc
- podman-compose


@ -1,45 +0,0 @@
include:
- .pkg
- .user
podman_rootless_cgroup_mode:
file.keyvalue:
- name: /etc/rc.conf
- key_values:
rc_cgroup_mode: '"unified"'
- separator: '='
- uncomment: '#'
- key_ignore_case: false
- value_ignore_case: false
- append_if_not_found: True
- require:
- podman_pkg
podman_rootless_cgroups:
service.running:
- name: cgroups
- enable: True
- watch:
- podman_rootless_cgroup_mode
podman_rootless_modules:
file.append:
- name: /etc/modules
- text:
- tun
- fuse
- ip_tables
podman_rootless_subgid:
file.append:
- name: /etc/subgid
- text: puser:100000:65536
- require:
- podman_user_puser
podman_rootless_subuid:
file.append:
- name: /etc/subuid
- text: puser:100000:65536
- require:
- podman_user_puser


@ -1,15 +0,0 @@
include:
- .rootless
podman_service:
service.running:
- name: podman
- enable: True
podman_service_unprivileged_ports:
file.managed:
- name: /etc/sysctl.d/podman.conf
- source: salt://{{ tpldir }}/files/files_unprivileged_ports
- user: root
- group: root
- mode: '0644'


@ -1,25 +0,0 @@
include:
- .pkg
podman_user_puser:
user.present:
- name: puser
- uid: 2000
- shell: /bin/zsh
- home: /home/puser
- password: '*'
- hash_password: True
- usergroup: True
- createhome: True
- require:
- podman_pkg
podman_user_openssh_keys:
file.managed:
- name: /home/puser/.ssh/authorized_keys
- source: salt:///openssh/files/openssh_authorized_keys
- makedirs: True
- user: puser
- group: puser
- require:
- podman_user_puser


@ -0,0 +1,4 @@
file_client: local
file_roots:
base:
- /srv/salt/salt-statetree


@ -18,9 +18,9 @@ Include /etc/ssh/sshd_config.d/*.conf
# SELinux about this change. # SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
# #
Port 22 #Port 22
#AddressFamily any #AddressFamily any
ListenAddress 127.0.0.1 #ListenAddress 0.0.0.0
#ListenAddress :: #ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_rsa_key
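Review bot: On the new side of this hunk `ListenAddress 127.0.0.1` becomes the commented-out default `#ListenAddress 0.0.0.0` (sides inferred from the old-then-new print order the other sections of this compare follow), so sshd no longer binds to loopback only and accepts connections on every address; the rest of sshd_config is outside the hunk. In the old tree that loopback binding sat behind the haproxy `frontend ssh` that this compare removes, and the nftables `network_firewall_rules` state is removed too, so nothing visible in the new tree restricts where port 22 is reachable from. If exposing sshd on all interfaces is intended, keep an explicit `ListenAddress <address of the intended interface>` or at least a comment beside the line recording why the loopback binding was dropped, and confirm that a host firewall that is no longer managed here is still in place.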

services/init.sls Normal file

@ -0,0 +1,5 @@
include:
- .mysql
- .podman
- .ssh
- .salt

services/mysql.sls Normal file

@ -0,0 +1,19 @@
include:
- system.packages
system_service_mysql_enable:
service.enabled:
- name: mariadb
- require:
- system_packages_install
file.directory:
- name: /var/lib/mysql
- create: False
- replace: False
- user: mysql
- group: mysql
- recurse:
- user
- group
- require:
- system_packages_install
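Review bot: The `file.directory` state for `/var/lib/mysql` sits under the ID `system_service_mysql_enable`, so a failure reported for that ID reads as a service-enable failure when it is really an ownership fix, and the ID prefixes in the new `services/` tree mix `system_service_*` (here and in services/podman.sls), `system_ssh_*` (services/ssh.sls) and `services_salt_*` (services/salt.sls). Give the directory its own ID such as `services_mysql_data_dir:` and settle on the `services_` prefix across the four new files. The recursive `user`/`group` pass over `/var/lib/mysql` also runs on every highstate; if the data directory grows large it may be worth checking whether `recurse` is still needed after the first run.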

services/podman.sls Normal file

@ -0,0 +1,8 @@
include:
- system.packages
system_service_podman_enable:
service.enabled:
- name: podman
- require:
- system_packages_install

services/salt.sls Normal file

@ -0,0 +1,12 @@
include:
- system.packages
services_salt_file_client_local:
file.managed:
- name: /etc/salt/minion.d/noveria.conf
- source: salt://{{ tpldir }}/files/salt_noveria.conf
- user: root
- group: root
- mode: 640
- require:
- system_packages_install
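Review bot: `- mode: 640` is an unquoted integer, so YAML hands Salt the number 640 rather than an octal mode string; Salt happens to normalise that to `0640`, but the same form with a leading zero (`0640`) would be parsed as octal 416 and applied as mode 0416, which is why the removed Alpine states quoted their modes as `'0644'`. Write `- mode: '0640'` here and `- mode: '0700'` in system/user.sls (`system_user_create_home_noveria`), which has the same unquoted form.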

services/ssh.sls Normal file

@ -0,0 +1,28 @@
include:
- system.packages
system_ssh_add_keys:
file.managed:
- name: /root/.ssh/authorized_keys
- source: salt://{{ tpldir }}/files/ssh_authorized_keys
- makedirs: True
- user: root
- group: root
- require:
- system_packages_install
system_ssh_configuration:
file.managed:
- name: /etc/ssh/sshd_config
- source: salt://{{ tpldir }}/files/ssh_sshd_config
system_ssh_enable:
service.running:
- name: sshd
- enable: True
- watch:
- system_ssh_configuration
- system_ssh_add_keys
- require:
- system_ssh_configuration
- system_ssh_add_keys
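Review bot: `system_ssh_configuration` writes `/etc/ssh/sshd_config` with no owner, mode, `require` or validation, and `system_ssh_enable` watches it, so a syntax error in `files/ssh_sshd_config` is applied and then restarts sshd into a failed state on a host that is managed over that same connection. Pass the candidate file through `sshd -t -f` with `check_cmd` so a bad template is rejected before it replaces the live config, and give the state the ownership and `require` that the sibling `system_ssh_add_keys` already has. `check_cmd` appends the path of a temporary file holding the new contents to the command, which is what `sshd -t -f` expects.
```yaml
system_ssh_configuration:
  file.managed:
    - name: /etc/ssh/sshd_config
    - source: salt://{{ tpldir }}/files/ssh_sshd_config
    - user: root
    - group: root
    - mode: '0600'
    - check_cmd: sshd -t -f
    - require:
      - system_packages_install
# … unchanged: system_ssh_add_keys and system_ssh_enable …
```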


@ -1,74 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories
system_base_pkgs:
pkg.installed:
- pkgs:
- linux-lts
- linux-firmware-none
- openjdk17-jre-headless
- jq
- vim
- git
- findmnt
- util-linux
- sudo
- curl
- rsync
- screen
system_base_systemupdate:
file.managed:
- name: {{ noveria.app_dir }}/systemupdate
- source: salt://{{ tpldir }}/files/base_systemupdate
- mode: '0755'
- user: root
- group: root
- require:
- directories_apps_dir
system_base_systemupdate_link:
file.symlink:
- name: {{ noveria.bin_dir }}/systemupdate
- target: {{ noveria.app_dir }}/systemupdate
- user: root
- group: root
- mode: '0755'
- require:
- system_base_systemupdate
- directories_bin_dir
system_base_modules_service:
service.running:
- name: modules
- enable: True
# TUN permission fix service workaround
system_base_tun-perm_service:
file.managed:
- name: /etc/init.d/tun-perm
- source: salt://{{ tpldir }}/files/base_tun-perm.initd
- user: root
- group: root
- mode: '0755'
service.enabled:
- name: tun-perm
- require:
- system_base_modules_service
system_base_sysctl_service:
service.running:
- name: sysctl
- enable: True
system_base_syslog_service:
service.running:
- name: syslog
- enable: True
system_base_sysfs_service:
service.running:
- name: sysfs
- enable: True


@ -1,79 +0,0 @@
include:
- .base
system_bootloader_pkgs:
pkg.installed:
- pkgs:
- grub
- grub-efi
- mkinitfs
- mkinitfs-doc
- efibootmgr
{% set CURRENT_SUBVOLUME_TIMESTAMP = salt['cmd.shell']('CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep Name: | tr -d \'[:space:]\'); TIMESTAMP_FORMAT=\'[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}_[[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2}\'; echo "$CURRENT_SUBVOLUME" | grep -Eo "$TIMESTAMP_FORMAT"') %}
{% set CURRENT_SUBVOLUME_TIMESTAMP_HUMAN = salt['cmd.shell']('CURRENT_SUBVOLUME_TIMESTAMP=\'' + CURRENT_SUBVOLUME_TIMESTAMP + '\'; echo "${CURRENT_SUBVOLUME_TIMESTAMP:0:10} ${CURRENT_SUBVOLUME_TIMESTAMP:11:2}:${CURRENT_SUBVOLUME_TIMESTAMP:14:2}"') %}
{% set KERNEL_VERSION = salt['cmd.shell']('uname -r') %}
system_bootloader_mkinitfs_conf:
file.keyvalue:
- name: /etc/mkinitfs/mkinitfs.conf
- key_values:
features: '"ata base btrfs keymap kms mmc nvme scsi usb virtio"'
- separator: '='
- uncomment: '# '
- key_ignore_case: false
- value_ignore_case: false
- append_if_not_found: True
- require:
- system_base_pkgs
- system_bootloader_pkgs
system_bootloader_os-release:
file.managed:
- name: /etc/os-release
- source: salt://{{ tpldir }}/files/bootloader_os-release.jinja
- template: jinja
- context:
OS_VERSION: {{ salt['cmd.shell']('date "+%Y%m"') }}
OS_RELEASE_INFO: '"Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN }} | Kernel: {{ KERNEL_VERSION }}"'
- user: root
- group: root
- mode: '0644'
system_bootloader_motd_dir:
file.directory:
- name: /etc/motd.d
- user: root
- group: root
- dir_mode: '0755'
- file_mode: '0644'
- require:
- system_bootloader_os-release
system_bootloader_motd:
file.managed:
- name: /etc/motd.d/00_noveria.motd
- source: salt://{{ tpldir }}/files/bootloader_00_noveria.motd.jinja
- template: jinja
- context:
OS_NAME: {{ salt['cmd.shell']('echo NoveriaOS $(date "+%Y%m")') }}
OS_RELEASE_INFO: 'Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN }} | Kernel: {{ KERNEL_VERSION }}'
OS_ISSUE_URL: 'https://git.noveria.org/NoveriaOS/ISO/issues'
- user: root
- group: root
- mode: '0644'
- require:
- system_bootloader_os-release
- system_bootloader_motd_dir
system_bootloader_issue:
file.managed:
- name: /etc/issue
- source: salt://{{ tpldir }}/files/bootloader_issue.jinja
- template: jinja
- context:
OS_NAME: {{ salt['cmd.shell']('echo NoveriaOS $(date "+%Y%m")') }}
OS_RELEASE_INFO: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN }}
- user: root
- group: root
- mode: '0644'

system/btrfs.sls Normal file

@ -0,0 +1,20 @@
system_btrfs_create_podman_data_dir:
cmd.run:
- creates: /opt/podman
- name: btrfs subvolume create /opt/podman
file.managed:
- name: /opt/podman
- create: False
- replace: False
- user: root
- group: root
system_btrfs_create_noveria_home:
cmd.run:
- creates: /home/noveria
- name: btrfs subvolume create /home/noveria
system_btrfs_create_mysql_data_dir:
cmd.run:
- creates: /var/lib/mysql
- name: btrfs subvolume create /var/lib/mysql
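Review bot: `system_btrfs_create_podman_data_dir` follows its `cmd.run` with `file.managed` on `/opt/podman`, but that path is the directory the subvolume create just made and `file.managed` manages regular files — Salt rejects a directory target ("Specified target … is a directory"), so the ownership part of this ID fails on every run. Use `file.directory` as services/mysql.sls does for `/var/lib/mysql`: `file.directory:` with `- name: /opt/podman`, `- user: root`, `- group: root`. `create` and `replace` are `file.managed` options; confirm they are accepted by `file.directory` before carrying them over.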


@ -1,37 +0,0 @@
system_disks_pkgs:
pkg.installed:
- pkgs:
- btrfs-progs
system_disks_btrfs_module:
file.append:
- name: /etc/modules
- text: "btrfs"
- require:
- system_base_pkgs
system_disks_btrfs_mount_permission:
file.directory:
- name: /btrfs
- user: root
- group: root
- dir_mode: '0755'
{% set ROOT_UUID = salt['cmd.shell']('lsblk -o LABEL,UUID | grep ROOT | awk \'{print $2}\'') %}
{% set ESP_UUID = salt['cmd.shell']('lsblk -o LABEL,UUID | grep EFI | awk \'{print $2}\'') %}
system_disks_fstab:
file.managed:
- name: /etc/fstab
- source: salt://{{ tpldir }}/files/disks_fstab.jinja
- template: jinja
- context:
TIMESTAMP: {{ salt.pillar.get('system.disks.timestamp') }}
TMPFS_SIZE: {{ salt.pillar.get('system.disks.tmpfs.size') }}
ROOT_UUID: {{ ROOT_UUID }}
ESP_UUID: {{ ESP_UUID }}
- user: root
- group: root
- mode: '0644'
- require:
- system_disks_btrfs_mount_permission


@ -1,205 +0,0 @@
#!/usr/bin/env bash
#######################################################################################################################
##
## Script to full update the system
##
## 0. Pre checks
## 1. Generate new boot environment (BE)
## 2. Update and Salt highstate
## 3. Clean up
##
#######################################################################################################################
#######################################################################################################################
## Definitions
#######################################################################################################################
readonly TEMPDIR=$(mktemp -d /tmp/systemupdate.XXXXXX)
readonly LOCK_FILE="${TEMPDIR}/systemupdate.lock"
readonly TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
readonly BTRFS_ROOT="/btrfs"
readonly CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep 'Name' | cut -d: -f2 | awk '{$1=$1};1')
readonly NEW_SUBVOLUME="@root_${TIMESTAMP}"
readonly MOUNTPOINT='/mnt'
readonly EFI_DISK=$(findmnt -T /efi -o SOURCE | tail -n 1)
readonly ROOT_DISK=$(findmnt / -o SOURCE | cut -d"[" -f1 | tail -n 1)
readonly BE_HISTORY_COUNT=5
#######################################################################################################################
## Errorhandling
#######################################################################################################################
#----------------------------------------------------------------------------------------------------------------------
# systemupdate failed
#----------------------------------------------------------------------------------------------------------------------
systemupdateFailed() {
echo ""
echo "┌──────────────────────────────────────────┐"
echo "│ FAILED => clean up │"
echo "└──────────────────────────────────────────┘"
subtaskTitle "Unmount BE if mounted"
unmountMountpoint
subtaskTitle "Remove BE"
removeBEFromTimestamp ${TIMESTAMP}
rm -f ${LOCK_FILE}
subtaskTitle "Finished with exit code 1"
exit 1
}
# catch ^C and other signals and clean up
trap "echo -e '\n=> Interrupted with CTRL+C' >&2; systemupdateFailed" SIGINT SIGHUP SIGTERM SIGABRT
#######################################################################################################################
## Helper Functions
#######################################################################################################################
#----------------------------------------------------------------------------------------------------------------------
# Subtask title output
#----------------------------------------------------------------------------------------------------------------------
subtaskTitle() {
echo -e "\n=> $1"
}
#----------------------------------------------------------------------------------------------------------------------
# Unmount ${MOUNTPOINT}
#----------------------------------------------------------------------------------------------------------------------
unmountMountpoint() {
# if mountpoint exists -> umount
[[ $(findmnt -M "${MOUNTPOINT}") ]] && umount -R "${MOUNTPOINT}"
}
#----------------------------------------------------------------------------------------------------------------------
# Recursive subvolume delete
#----------------------------------------------------------------------------------------------------------------------
btrfsSubDelRecursive() {
btrfs sub list -o "${BTRFS_ROOT}/${1}" | cut -d " " -f 9 | while read i; do
btrfsSubDelRecursive "$i"
done
btrfs sub del "${BTRFS_ROOT}/${1}"
}
#----------------------------------------------------------------------------------------------------------------------
# Remove BE from timestamp
#----------------------------------------------------------------------------------------------------------------------
removeBEFromTimestamp() {
# remove all subvolume with this timestamp
for f in $(btrfs sub list -o /btrfs | cut -d " " -f 9 | grep "@root"); do
if [[ "$f" =~ "$1" ]]; then
btrfsSubDelRecursive "$f"
fi
done
}
#######################################################################################################################
## Main
#######################################################################################################################
echo "┌──────────────────────────────────────────┐"
echo "│ 0. Pre checks │"
echo "└──────────────────────────────────────────┘"
subtaskTitle "Check if another systemupgrade is in progress"
if [ -f ${LOCK_FILE} ]; then
echo "[ERROR] Another systemupgrade is in progress (lockfile: ${LOCK_FILE}) => exit" >&2
exit 1
fi
subtaskTitle "Check if ${MOUNTPOINT} exists"
if [ ! -d ${MOUNTPOINT} ]; then
mkdir -p "${MOUNTPOINT}"
fi
subtaskTitle "Check if ${MOUNTPOINT} is already a mountpoint"
if [[ $(findmnt -M "${MOUNTPOINT}") ]]; then
echo "[ERROR] ${MOUNTPOINT} is already a mountpoint => exit" >&2
exit 1
fi
subtaskTitle "Checks finished and update can start"
# Create lock file
touch ${LOCK_FILE} || systemupdateFailed
echo ""
echo "┌──────────────────────────────────────────┐"
echo "│ 1. Generate new boot environment (BE) │"
echo "└──────────────────────────────────────────┘"
subtaskTitle "Create snapshot of current running system"
btrfs subvolume snapshot / ${BTRFS_ROOT}/${NEW_SUBVOLUME} || systemupdateFailed
subtaskTitle "Mount new BE to ${MOUNTPOINT}"
mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol="${NEW_SUBVOLUME}" "${ROOT_DISK}" "${MOUNTPOINT}" || systemupdateFailed
mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@home "${ROOT_DISK}" "${MOUNTPOINT}/home" || systemupdateFailed
mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@podman "${ROOT_DISK}" "${MOUNTPOINT}/opt/podman" || systemupdateFailed
mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@mysql "${ROOT_DISK}" "${MOUNTPOINT}/var/lib/mysql" || systemupdateFailed
mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=/ "${ROOT_DISK}" "${MOUNTPOINT}/btrfs" || systemupdateFailed
mount -o nodev,nosuid,noexec "${EFI_DISK}" "${MOUNTPOINT}/efi" || systemupdateFailed
mount -t proc /proc "${MOUNTPOINT}/proc/" || systemupdateFailed
mount -t sysfs /sys "${MOUNTPOINT}/sys/" || systemupdateFailed
mount -o bind /sys/firmware/efi/efivars "${MOUNTPOINT}/sys/firmware/efi/efivars/" || systemupdateFailed
mount -o bind /dev "${MOUNTPOINT}/dev/" || systemupdateFailed
mount -o bind /run "${MOUNTPOINT}/run/" || systemupdateFailed
subtaskTitle "New BE mounted"
echo ""
echo "┌──────────────────────────────────────────┐"
echo "│ 2. Update and Salt highstate │"
echo "└──────────────────────────────────────────┘"
subtaskTitle "Update Saltstack"
chroot "${MOUNTPOINT}" /bin/bash -c "git -C /srv/salt pull" || systemupdateFailed
subtaskTitle "Update bootloader configs"
chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.sls system.bootloader" >/dev/null || systemupdateFailed
subtaskTitle "Alpine repositories & keyring update"
chroot "${MOUNTPOINT}" /bin/bash -c "apk update" || systemupdateFailed
subtaskTitle "Alpine packages update"
chroot "${MOUNTPOINT}" /bin/bash -c "apk upgrade" || systemupdateFailed
subtaskTitle "Salt highstate"
chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.highstate" >/dev/null || systemupdateFailed
subtaskTitle "Generate new initial ramdisk"
latest_kernel="$(chroot "${MOUNTPOINT}" /bin/bash -c 'echo $(apk search linux-lts | head -n1 | cut -d- -f3- | sed "s|r||")-lts')"
chroot "${MOUNTPOINT}" /bin/bash -c "mkinitfs $latest_kernel" || systemupdateFailed
subtaskTitle "Update motd"
chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/generate_motd" || systemupdateFailed
subtaskTitle "Update GRUB"
chroot "${MOUNTPOINT}" /bin/bash -c "grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=alpine" || systemupdateFailed
chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/noveriablcgen --noconfirm" || systemupdateFailed
subtaskTitle "Update finished"
subtaskTitle "Unmount BE"
unmountMountpoint
echo ""
echo "┌──────────────────────────────────────────┐"
echo "│ 3. Clean Up │"
echo "└──────────────────────────────────────────┘"
subtaskTitle "Clean up finished"
# Remove lock file
rm -f ${LOCK_FILE}


@ -1,13 +0,0 @@
#!/sbin/openrc-run
supervisor=supervise-daemon
name="tun module permission setter"
description="setting the permission of /dev/net/tun to 666"
command=$(which chmod)
command_args="0666 /dev/net/tun"
command_user="root"
depend() {
need modules
}


@ -1,17 +0,0 @@
╔═══════════════════════════════════════════════╗
║ Velkommen til ║
║ _ _ _ ║
║ | \ | | (_) ║
║ | \| | _____ _____ _ __ _ __ _ ║
║ | . ` |/ _ \ \ / / _ \ '__| |/ _` | ║
║ | |\ | (_) \ V / __/ | | | (_| | ║
║ |_| \_|\___/ \_/ \___|_| |_|\__,_| ║
║ ║
╚═══════════════════════════════════════════════╝
OS: {{ OS_NAME }}
Version: {{ OS_RELEASE_INFO }}
Report issues on: {{ OS_ISSUE_URL }}
═════════════════════════════════════════════════


@ -1,2 +0,0 @@
Velkommen til {{ OS_NAME }}
Timestamp: {{ OS_RELEASE_INFO }} | Kernel: \r


@ -1,8 +0,0 @@
NAME="NoveriaOS"
ID=noveriaos
ID_LIKE=alpine
VERSION_ID="{{ OS_VERSION }}"
PRETTY_NAME="NoveriaOS {{ OS_VERSION }}"
RELEASE_INFO={{ OS_RELEASE_INFO }}
HOME_URL="https://noveria.org"
BUG_REPORT_URL="https://git.noveria.org/NoveriaOS/ISO/issues"


@ -1,11 +0,0 @@
# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
UUID={{ ROOT_UUID }} / btrfs noatime,nodiratime,compress=zstd,ssd,shared,discard=async,space_cache=v2,subvol=/@root_{{ TIMESTAMP }} 0 0
UUID={{ ESP_UUID }} /efi vfat rw,nosuid,nodev,noexec,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
UUID={{ ROOT_UUID }} /home btrfs noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=/@home 0 0
UUID={{ ROOT_UUID }} /var/lib/mysql btrfs noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=/@mysql 0 0
UUID={{ ROOT_UUID }} /opt/podman btrfs noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=/@podman 0 0
UUID={{ ROOT_UUID }} /btrfs btrfs noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,space_cache=v2,subvol=/ 0 0
tmpfs /tmp tmpfs nodev,nosuid,size={{ TMPFS_SIZE }} 0 0


@ -1,10 +0,0 @@
---
state_verbose: False
file_client: local
file_roots:
base:
- /srv/salt
pillar_roots:
base:
- /srv/pillar
...


@ -1,34 +0,0 @@
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:{{ CUSTOM_BIN }}"
export PAGER=less
export EDITOR=vim
umask 022
# use nicer PS1 for bash and busybox ash
if [ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]; then
PS1='[%n@%m %~]%# '
# use nicer PS1 for zsh
elif [ -n "$ZSH_VERSION" ]; then
PS1='[%n@%m %~]%# '
# set up fallback default PS1
else
: "${HOSTNAME:=$(hostname)}"
PS1='${HOSTNAME%%.*}:$PWD'
[ "$(id -u)" -eq 0 ] && PS1="${PS1}# " || PS1="${PS1}\$ "
fi
if [ -n "$BASH_VERSION" ] && [ "$BASH" != "/bin/sh" ]; then
# if we're bash (and not /bin/sh bash), also source the bashrc
# by default, bash sources the bashrc for non-login,
# and only /etc/profile on login (-l). so, make it do both on login.
# this ensures that login-shell bash (e.g. -bash or bash -l) still sources the
# system bashrc, which e.g. loads bash-completion
. /etc/bash/bashrc
fi
for script in /etc/profile.d/*.sh ; do
if [ -r "$script" ] ; then
. "$script"
fi
done
unset script


@ -1,7 +1,4 @@
include: include:
- .base - .btrfs
- .bootloader - .user
- .disks - .packages
- .user
- .shell
- .salt

system/packages.sls Normal file

@ -0,0 +1,16 @@
include:
- .btrfs
system_packages_install:
pkg.installed:
- pkgs:
- podman
- cockpit-podman
- podman-docker
- podman-compose
- mariadb-server
- java-latest-openjdk-headless
- jq
- require:
- system_btrfs_create_podman_data_dir
- system_btrfs_create_mysql_data_dir


@ -1,39 +0,0 @@
include:
- system.base
system_salt_pkg:
pkg.installed:
- pkgs:
- salt-minion
- require:
- system_base_pkgs
system_salt_minion_config:
file.managed:
- name: /etc/salt/minion
- source: salt://{{ tpldir }}/files/salt_minion
- user: root
- group: root
- mode: '0644'
system_salt_minon_service:
service.disabled:
- name: salt-minion
- require:
- system_salt_pkg
system_salt_minion_cachedir_permission:
file.directory:
- name: /var/cache/salt/minion
- mode: '0700'
- require:
- system_salt_pkg
system_salt_minion_logdir_permission:
file.directory:
- name: /var/log/salt
- user: root
- group: root
- mode: '0700'
- require:
- system_salt_pkg


@ -1,27 +0,0 @@
{% from "map.jinja" import noveria with context %}
include:
- directories
- system.base
system_shell_pkgs:
pkg.installed:
- pkgs:
- zsh
- alpine-zsh-config
- bash
- require:
- system_base_pkgs
system_shell_profile:
file.managed:
- name: /etc/profile
- source: salt://{{ tpldir }}/files/shell_profile.jinja
- template: jinja
- context:
CUSTOM_BIN: {{ noveria.bin_dir }}
- user: root
- group: root
- mode: '0644'
- require:
- system_shell_pkgs


@ -1,12 +1,22 @@
system_user_noveria_create: include:
user.present: - .btrfs
- name: noveria
- shell: /bin/false
- home: /home/noveria
- usergroup: True
- createhome: True
system_user_root_edit: system_user_create:
user.present: user.present:
- name: root - name: noveria
- shell: /bin/zsh - shell: /bin/false
- home: /home/noveria
- usergroup: True
- createhome: False
system_user_create_home_noveria:
file.directory:
- name: /home/noveria
- user: noveria
- group: noveria
- mode: 700
- recurse:
- user
- group
- require:
- system_btrfs_create_noveria_home

top.sls

@ -1,9 +1,4 @@
base: base:
'*': '*':
- directories - system
- system - services
- network
- apps
- openssh
- haproxy
- serverspecific