remove reload - unknown function

This reverts commit 084ba2e892.

.gitignore

@@ -0,0 +1,2 @@
+serverspecific.sls
+system/files/systemupdate.sh

README.md

@@ -1,9 +0,0 @@
-# Noveria Salt-State
-
-![SaltStack® Logo](https://upload.wikimedia.org/wikipedia/commons/6/64/SaltStack_logo_blk_2k.png)
-
-This repository is for the master-less salt-statetree for the noveria host, running Fedora Server (insert latest version here).
-
-It managed the complete system using the saltproject.
-
-For further instructions, head to the official salt docs: https://docs.saltproject.io/en/latest/contents.html

apps/generate-motd/init.sls

@@ -0,0 +1,25 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories
+
+apps_generate-motd_git:
+  git.latest:
+    - name: https://git.noveria.org/Tools/generate_motd.git
+    - target: {{ noveria.app_dir }}/generate_motd
+    - user: root
+    - force_reset: True
+    - require:
+      - directories_apps_dir
+
+apps_generate-motd_link:
+  file.symlink:
+    - name: {{ noveria.bin_dir }}/generate_motd
+    - target: {{ noveria.app_dir }}/generate_motd/generate_motd
+    - user: root
+    - group: root
+    - mode: '0755'
+    - require:
+      - apps_generate-motd_git
+      - directories_bin_dir
+      - directories_apps_dir

apps/init.sls

@@ -0,0 +1,3 @@
+include:
+  - .noveriablcgen
+  - .generate-motd

apps/noveriablcgen/files/noveriablcgen_config.json.jinja

@@ -0,0 +1,7 @@
+{
+  "be_env_dir": "{{ BTRFS_ROOT }}",
+  "grub_conf_dir": "{{ GRUB_CONFD }}",
+  "filename": "{{ GRUB_CONFIG_FILENAME }}",
+  "root_uuid": "{{ ROOT_UUID }}",
+  "grub_cfg": "{{ GRUB_CONFIG }}"
+}

apps/noveriablcgen/init.sls

@@ -0,0 +1,44 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories
+
+apps_noveriablcgen_git:
+  git.latest:
+    - name: https://git.noveria.org/Tools/noveriablcgen.git
+    - target: {{ noveria.app_dir }}/noveriablcgen
+    - user: root
+    - force_reset: True
+    - require:
+      - directories_apps_dir
+
+apps_noveriablcgen_link:
+  file.symlink:
+    - name: {{ noveria.bin_dir }}/noveriablcgen
+    - target: {{ noveria.app_dir }}/noveriablcgen/noveriablcgen
+    - user: root
+    - group: root
+    - mode: '0755'
+    - require:
+      - apps_noveriablcgen_git
+      - directories_bin_dir
+      - directories_apps_dir
+
+apps_noveriablcgen_config:
+  file.managed:
+    - name: {{ noveria.etc_dir }}/noveriablcgen/noveriablcgen.json
+    - source: salt://{{ tpldir }}/files/noveriablcgen_config.json.jinja
+    - template: jinja
+    - context:
+        BTRFS_ROOT: "/btrfs"
+        GRUB_CONFD: "/etc/grub.d"
+        GRUB_CONFIG_FILENAME: "10_noveria"
+        ROOT_UUID: {{ salt['cmd.shell']('lsblk -o LABEL,UUID | grep ROOT | awk \'{print $2}\'') }}
+        GRUB_CONFIG: "/boot/grub/grub.cfg"
+    - mode: '0644'
+    - makedirs: True
+    - user: root
+    - group: root
+    - require:
+      - apps_noveriablcgen_git
+      - directories_etc_dir

directories.sls

@@ -0,0 +1,39 @@
+{% from "map.jinja" import noveria with context %}
+
+directories_dir:
+  file.directory:
+    - name: {{ noveria.dir }}
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+
+directories_bin_dir:
+  file.directory:
+    - name: {{ noveria.bin_dir }}
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - require:
+      - directories_dir
+
+directories_etc_dir:
+  file.directory:
+    - name: {{ noveria.etc_dir }}
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - require:
+      - directories_dir
+
+directories_apps_dir:
+  file.directory:
+    - name: {{ noveria.app_dir }}
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - require:
+      - directories_dir

haproxy/files/haproxy_config.jinja

@@ -0,0 +1,40 @@
+global
+    log         127.0.0.1 local2
+
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    stats socket /var/lib/haproxy/stats
+
+defaults
+    mode                    http
+    log                     global
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          5m
+    timeout server          5m
+    maxconn                 3000
+
+frontend ssh
+   mode tcp
+
+   bind {{ ipv4 }}:22
+
+   default_backend host-ssh
+
+frontend http
+   mode tcp
+   bind {{ ipv4 }}:80
+
+   default_backend host-http
+
+backend host-ssh
+    mode tcp
+
+    server localhost 127.0.0.1
+
+backend host-http
+    mode tcp
+    server localhost 127.0.0.1

haproxy/files/haproxy_rcscript.initd.jinja

@@ -0,0 +1,56 @@
+#!/sbin/openrc-run
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-proxy/haproxy/files/haproxy.initd-r1,v 1.2 2011/12/04 10:32:32 swegener Exp $
+
+# This is file is managed by salt (state: {{ sls }})
+
+extra_commands="checkconfig"
+extra_started_commands="reload"
+command=/usr/sbin/haproxy
+
+CONF=${HAPROXY_CONF:-/etc/haproxy/${SVCNAME}.cfg}
+CONF_DIR=${HAPROXY_CONF_DIR:-{{ conf_dir }}}
+PIDFILE=/var/run/${SVCNAME}.pid
+
+depend() {
+	need net
+	after firewall
+	use dns logger
+}
+
+checkconfig() {
+	if [ ! -f "${CONF}" ] && [ ! -d "${CONF}" ]; then
+		eerror "${CONF} does not exist!"
+		return 1
+	fi
+
+	ebegin "Checking ${CONF}"
+	$command -q -c -f "${CONF}"
+	eend $?
+}
+
+start() {
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --pidfile "${PIDFILE}" --exec $command \
+		--start -- -D -p "${PIDFILE}" -f "${CONF}" -f "${CONF_DIR}"
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping ${SVCNAME}"
+
+	if [ "${RC_CMD}" = "restart" ]; then
+		checkconfig || return 1
+	fi
+
+	start-stop-daemon --stop --pidfile "${PIDFILE}"
+	eend $?
+}
+
+reload() {
+	ebegin "Reloading ${SVCNAME}"
+	checkconfig || { eerror "Reloading failed, please fix your ${CONF} first"; return 1; }
+	$command -D -p "${PIDFILE}" -f "${CONF}" -f "${CONF_DIR}" -sf $(cat "${PIDFILE}")
+	eend $?
+}

haproxy/init.sls

@@ -0,0 +1,3 @@
+include:
+  - .pkg
+  - .service

haproxy/map.jinja

@@ -0,0 +1,5 @@
+{% set dir = '/etc/haproxy' %}
+
+{% set haproxy = {
+  'conf_dir': '%s/conf.d' % dir,
+}%}

haproxy/pkg.sls

@@ -0,0 +1,45 @@
+{% from tpldir+"/map.jinja" import haproxy with context %}
+{% set ipv4 = grains['ip4_interfaces']['eth0'][0] %}
+
+haproxy_pkg_pkgs:
+  pkg.installed:
+    - pkgs:
+      - haproxy
+
+haproxy_pkg_conf_dir:
+  file.directory:
+    - name: /etc/haproxy/conf.d
+    - user: root
+    - group: root
+    - file_mode: '0644'
+    - dir_mode: '0755'
+    - require:
+      - haproxy_pkg_pkgs
+
+haproxy_pkg_config:
+  file.managed:
+    - name: /etc/haproxy/haproxy.cfg
+    - source: salt://{{ tpldir }}/files/haproxy_config.jinja
+    - template: jinja
+    - context:
+        ipv4: {{ ipv4 }}
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - haproxy_pkg_pkgs
+
+haproxy_pkg_rc_script:
+  file.managed:
+    - name: /etc/init.d/haproxy
+    - source: salt://{{ tpldir }}/files/haproxy_rcscript.initd.jinja
+    - template: jinja
+    - context:  
+        sls: {{ sls }}
+        conf_dir: {{ haproxy.conf_dir }}
+    - user: root
+    - group: root
+    - mode: '0755'
+    - require:
+      - haproxy_pkg_conf_dir
+      - haproxy_pkg_config

haproxy/service.sls

@@ -0,0 +1,9 @@
+include:
+  - .pkg
+
+haproxy_service_running:
+  service.running:
+    - name: haproxy
+    - enable: True
+    - require:
+      - haproxy_pkg_rc_script

map.jinja

@@ -0,0 +1,8 @@
+{% set dir = '/usr/local/noveria' %}
+
+{% set noveria = {
+  'dir': '%s' % dir,
+  'bin_dir': '%s/bin' % dir,
+  'etc_dir': '%s/etc' % dir,
+  'app_dir': '%s/apps' % dir
+} %}

mysql/directory.sls

@@ -0,0 +1,15 @@
+include:
+  - .pkg
+
+mysql_directory:
+  file.directory:
+    - name: /var/lib/mysql
+    - create: False
+    - replace: False
+    - user: mysql
+    - group: mysql
+    - recurse:
+      - user
+      - group
+    - require:
+      - mysql_pkg

mysql/init.sls

@@ -0,0 +1,4 @@
+include:
+  - .pkg
+  - .directory
+  - .service

mysql/pkg.sls

@@ -0,0 +1,6 @@
+mysql_pkg:
+  pkg.installed:
+    - pkgs:
+      - mariadb
+      - mariadb-client
+      - mariadb-openrc

mysql/service.sls

@@ -0,0 +1,18 @@
+include:
+  - .directory
+
+{% if not salt['file.directory_exists']('/var/lib/mysql/mysql') %}
+mysql_service_setup:
+  cmd.run:
+    - name: /etc/init.d/mariadb setup
+    - runas: root
+    - shell: /bin/ash
+    - require:
+      - mysql_directory
+
+mysql_service_enable:
+  service.enabled:
+    - name: mariadb
+    - require:
+      - mysql_service_setup
+{% endif %}

network/files/firewall_rules.nft.jinja

@@ -0,0 +1,11 @@
+## This file is managed by Saltstack. (state: {{ sls }})
+#!/usr/sbin/nft
+
+table inet filter {
+  chain input {
+    tcp dport 22 accept
+    {%- for port in ALLOWED_PORTS %}
+    tcp dport {{ port }} accept
+    {%- endfor %}
+  }
+}

network/files/network_interfaces

@@ -0,0 +1,8 @@
+auto eth0
+iface eth0 inet dhcp
+
+auto lo
+iface lo inet loopback
+iface lo inet static
+    address 127.0.0.2/8
+    broadcast 0.0.0.0

network/firewall.sls

@@ -0,0 +1,29 @@
+network_firewall_pkgs:
+  pkg.installed:
+    - pkgs:
+      - nftables
+
+network_firewall_rules:
+  file.managed:
+    - name: /etc/nftables.d/noveria.nft
+    - source: salt://{{ tpldir }}/files/firewall_rules.nft.jinja
+    - template: jinja
+    - context:
+        sls: {{ sls }}
+        ALLOWED_PORTS: [80, 443, 25565, 51871]
+    - user: root
+    - group: root
+    - mode: '0600'
+    - makedirs: True
+    - require:
+      - network_firewall_pkgs
+
+network_firewall_service_reload:
+  service.running:
+    - name: nftables
+    - enable: True
+    - watch:
+      - network_firewall_rules
+    - require:
+      - network_firewall_pkgs
+  

network/init.sls

@@ -0,0 +1,20 @@
+include:
+  - system.base
+  - .firewall
+
+network_interfaces:
+  file.managed:
+    - name: /etc/network/interfaces
+    - source: salt://{{ tpldir }}/files/network_interfaces
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - system_base_pkgs
+
+network_service_reload:
+  service.running:
+    - name: networking
+    - enable: True
+    - watch:
+      - network_interfaces

openssh/config.sls

@@ -0,0 +1,17 @@
+include:
+  - .pkg
+
+openssh_config_configuration:
+  file.managed:
+    - name: /etc/ssh/sshd_config
+    - source: salt://{{ tpldir }}/files/openssh_sshd_config
+
+openssh_config_keys:
+  file.managed:
+    - name: /root/.ssh/authorized_keys
+    - source: salt://{{ tpldir }}/files/openssh_authorized_keys
+    - makedirs: True
+    - user: root
+    - group: root
+    - require:
+      - openssh_pkg

openssh/files/openssh_sshd_config

@@ -18,9 +18,9 @@ Include /etc/ssh/sshd_config.d/*.conf
 # SELinux about this change.
 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 #
-#Port 22
+Port 22
 #AddressFamily any
-#ListenAddress 0.0.0.0
+ListenAddress 127.0.0.1
 #ListenAddress ::
 
 #HostKey /etc/ssh/ssh_host_rsa_key

openssh/init.sls

@@ -0,0 +1,4 @@
+include:
+  - .pkg
+  - .config
+  - .service

openssh/pkg.sls

@@ -0,0 +1,4 @@
+openssh_pkg:
+  pkg.installed:
+    - pkgs:
+      - openssh-server

openssh/service.sls

@@ -0,0 +1,13 @@
+include:
+  - .config
+
+openssh_service_enable:
+  service.running:
+    - name: sshd
+    - enable: True
+    - watch:
+      - openssh_config_configuration
+      - openssh_config_keys
+    - require:
+      - openssh_config_configuration
+      - openssh_config_keys

podman/apps/certpod/init.sls

@@ -0,0 +1,4 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories

podman/apps/init.sls

@@ -0,0 +1,3 @@
+include:
+  - .poddoc
+  - .pms-cli

podman/apps/pms-cli/files/pms-cli_config.json.jinja

@@ -0,0 +1,11 @@
+{
+  "PODMAN_DIRECTORY": "{{ PODMAN_DIR }}",
+  "SERVERRUNNERS": {
+      "paper": "https://api.papermc.io/v2/projects/paper",
+      "folia": "https://api.papermc.io/v2/projects/folia"
+    },
+  "PROXYRUNNERS": {
+      "waterfall": "https://api.papermc.io/v2/projects/waterfall",
+      "velocity": "https://api.papermc.io/v2/projects/velocity"
+    }
+}

podman/apps/pms-cli/init.sls

@@ -0,0 +1,40 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories
+
+podman_apps_pms-cli_git:
+  git.latest:
+    - name: https://git.noveria.org/Tools/pms-cli.git
+    - target: {{ noveria.app_dir }}/pms-cli
+    - user: root
+    - force_reset: True
+    - require:
+      - directories_apps_dir
+
+podman_apps_pms-cli_link:
+  file.symlink:
+    - name: {{ noveria.bin_dir }}/pms-cli
+    - target: {{ noveria.app_dir }}/pms-cli/pms-cli
+    - user: root
+    - group: root
+    - mode: '0755'
+    - require:
+      - podman_apps_pms-cli_git
+      - directories_bin_dir
+      - directories_apps_dir
+
+podman_apps_pms-cli_config:
+  file.managed:
+    - name: {{ noveria.etc_dir }}/pms-cli/pms-cli.json
+    - source: salt://{{ tpldir }}/files/pms-cli_config.json.jinja
+    - template: jinja
+    - context:
+        PODMAN_DIR: "/opt/podman"
+    - mode: '0644'
+    - makedirs: True
+    - user: root
+    - group: root
+    - require:
+      - podman_apps_pms-cli_git
+      - directories_etc_dir

podman/apps/poddoc/files/poddoc_config.json.jinja

@@ -0,0 +1,4 @@
+{
+  "GIT_REPOSITORY": "{{ GIT_REPO }}",
+  "PODMAN_DIRECTORY": "{{ PODMAN_DIR }}"
+}

podman/apps/poddoc/init.sls

@@ -0,0 +1,41 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories
+
+podman_apps_poddoc_git:
+  git.latest:
+    - name: https://git.noveria.org/Tools/poddoc.git
+    - target: {{ noveria.app_dir }}/poddoc
+    - user: root
+    - force_reset: True
+    - require:
+      - directories_apps_dir
+
+podman_apps_poddoc_link:
+  file.symlink:
+    - name: {{ noveria.bin_dir }}/poddoc
+    - target: {{ noveria.app_dir }}/poddoc/poddoc
+    - user: root
+    - group: root
+    - mode: '0755'
+    - require:
+      - podman_apps_poddoc_git
+      - directories_bin_dir
+      - directories_apps_dir
+
+podman_apps_poddoc_config:
+  file.managed:
+    - name: {{ noveria.etc_dir }}/poddoc/poddoc.json
+    - source: salt://{{ tpldir }}/files/poddoc_config.json.jinja
+    - template: jinja
+    - context:
+        GIT_REPO: "https://git.noveria.org/Podman"
+        PODMAN_DIR: "/opt/podman"
+    - mode: '0644'
+    - makedirs: True
+    - user: root
+    - group: root
+    - require:
+      - podman_apps_poddoc_git
+      - directories_etc_dir

podman/directory.sls

@@ -0,0 +1,12 @@
+include:
+  - .user
+
+podman_directory_permissions:
+  file.directory:
+    - name: /opt/podman
+    - user: puser
+    - group: puser
+    - dir_mode: '0755'
+    - file_mode: '0644'
+    - require:
+      - podman_user_puser

podman/files/files_unprivileged_ports

@@ -0,0 +1 @@
+net.ipv4.ip_unprivileged_port_start=0

podman/init.sls

@@ -0,0 +1,6 @@
+include:
+  - .pkg
+  - .rootless
+  - .user
+  - .directory
+  - .service

podman/pkg.sls

@@ -0,0 +1,6 @@
+podman_pkg:
+  pkg.installed:
+    - pkgs:
+      - podman
+      - podman-openrc
+      - podman-compose

podman/rootless.sls

@@ -0,0 +1,45 @@
+include:
+  - .pkg
+  - .user
+
+podman_rootless_cgroup_mode:
+  file.keyvalue:
+    - name: /etc/rc.conf
+    - key_values:
+        rc_cgroup_mode: '"unified"'
+    - separator: '='
+    - uncomment: '#'
+    - key_ignore_case: false
+    - value_ignore_case: false
+    - append_if_not_found: True
+    - require:
+      - podman_pkg
+
+podman_rootless_cgroups:
+  service.running:
+    - name: cgroups
+    - enable: True
+    - watch:
+      - podman_rootless_cgroup_mode
+
+podman_rootless_modules:
+  file.append:
+    - name: /etc/modules
+    - text:
+      - tun
+      - fuse
+      - ip_tables
+
+podman_rootless_subgid:
+  file.append:
+    - name: /etc/subgid
+    - text: puser:100000:65536
+    - require:
+      - podman_user_puser
+
+podman_rootless_subuid:
+  file.append:
+    - name: /etc/subuid
+    - text: puser:100000:65536
+    - require:
+      - podman_user_puser

podman/service.sls

@@ -0,0 +1,15 @@
+include:
+  - .rootless
+
+podman_service:
+  service.running:
+    - name: podman
+    - enable: True
+
+podman_service_unprivileged_ports:
+  file.managed:
+    - name: /etc/sysctl.d/podman.conf
+    - source: salt://{{ tpldir }}/files/files_unprivileged_ports
+    - user: root
+    - group: root
+    - mode: '0644'

podman/user.sls

@@ -0,0 +1,25 @@
+include:
+  - .pkg
+
+podman_user_puser:
+  user.present:
+    - name: puser
+    - uid: 2000
+    - shell: /bin/zsh
+    - home: /home/puser
+    - password: '*'
+    - hash_password: True
+    - usergroup: True
+    - createhome: True
+    - require:
+      - podman_pkg
+
+podman_user_openssh_keys:
+  file.managed:
+    - name: /home/puser/.ssh/authorized_keys
+    - source: salt:///openssh/files/openssh_authorized_keys
+    - makedirs: True
+    - user: puser
+    - group: puser
+    - require:
+      - podman_user_puser

services/files/salt_noveria.conf

@@ -1,4 +0,0 @@
-file_client: local
-file_roots:
-  base:
-    - /srv/salt/salt-statetree

services/init.sls

@@ -1,5 +0,0 @@
-include:
-    - .mysql
-    - .podman
-    - .ssh
-    - .salt

services/mysql.sls

@@ -1,19 +0,0 @@
-include:
-    - system.packages
-
-system_service_mysql_enable:
-    service.enabled:
-        - name: mariadb
-        - require:
-            - system_packages_install
-    file.directory:
-        - name: /var/lib/mysql
-        - create: False
-        - replace: False
-        - user: mysql
-        - group: mysql
-        - recurse:
-            - user
-            - group
-        - require:
-            - system_packages_install

services/podman.sls

@@ -1,8 +0,0 @@
-include:
-    - system.packages
-
-system_service_podman_enable:
-    service.enabled:
-        - name: podman
-        - require:
-            - system_packages_install

services/salt.sls

@@ -1,12 +0,0 @@
-include:
-    - system.packages
-
-services_salt_file_client_local:
-    file.managed:
-        - name: /etc/salt/minion.d/noveria.conf
-        - source: salt://{{ tpldir }}/files/salt_noveria.conf
-        - user: root
-        - group: root
-        - mode: 640
-        - require:
-            - system_packages_install

services/ssh.sls

@@ -1,28 +0,0 @@
-include:
-    - system.packages
-
-system_ssh_add_keys:
-    file.managed:
-        - name: /root/.ssh/authorized_keys
-        - source: salt://{{ tpldir }}/files/ssh_authorized_keys
-        - makedirs: True
-        - user: root
-        - group: root
-        - require:
-            - system_packages_install
-
-system_ssh_configuration:
-    file.managed:
-        - name: /etc/ssh/sshd_config
-        - source: salt://{{ tpldir }}/files/ssh_sshd_config
-
-system_ssh_enable:
-    service.running:
-        - name: sshd
-        - enable: True
-        - watch:
-            - system_ssh_configuration
-            - system_ssh_add_keys
-        - require:
-            - system_ssh_configuration
-            - system_ssh_add_keys

system/base.sls

@@ -0,0 +1,74 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories
+
+system_base_pkgs:
+  pkg.installed:
+    - pkgs:
+      - linux-lts
+      - linux-firmware-none
+      - openjdk17-jre-headless
+      - jq
+      - vim
+      - git
+      - findmnt
+      - util-linux
+      - sudo
+      - curl
+      - rsync
+      - screen
+
+system_base_systemupdate:
+  file.managed:
+    - name: {{ noveria.app_dir }}/systemupdate
+    - source: salt://{{ tpldir }}/files/base_systemupdate
+    - mode: '0755'
+    - user: root
+    - group: root
+    - require:
+      - directories_apps_dir
+
+system_base_systemupdate_link:
+  file.symlink:
+    - name: {{ noveria.bin_dir }}/systemupdate
+    - target: {{ noveria.app_dir }}/systemupdate
+    - user: root
+    - group: root
+    - mode: '0755'
+    - require:
+      - system_base_systemupdate
+      - directories_bin_dir
+
+system_base_modules_service:
+  service.running:
+    - name: modules
+    - enable: True
+
+# TUN permission fix service workaround
+system_base_tun-perm_service:
+  file.managed:
+    - name: /etc/init.d/tun-perm
+    - source: salt://{{ tpldir }}/files/base_tun-perm.initd
+    - user: root
+    - group: root
+    - mode: '0755'
+  service.enabled:
+    - name: tun-perm
+    - require:
+      - system_base_modules_service
+
+system_base_sysctl_service:
+  service.running:
+    - name: sysctl
+    - enable: True
+
+system_base_syslog_service:
+  service.running:
+    - name: syslog
+    - enable: True
+
+system_base_sysfs_service:
+  service.running:
+    - name: sysfs
+    - enable: True

system/bootloader.sls

@@ -0,0 +1,79 @@
+include:
+  - .base
+
+system_bootloader_pkgs:
+  pkg.installed:
+    - pkgs:
+      - grub
+      - grub-efi
+      - mkinitfs
+      - mkinitfs-doc
+      - efibootmgr
+
+{% set CURRENT_SUBVOLUME_TIMESTAMP = salt['cmd.shell']('CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep Name: | tr -d \'[:space:]\'); TIMESTAMP_FORMAT=\'[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2}_[[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2}\'; echo "$CURRENT_SUBVOLUME" | grep -Eo "$TIMESTAMP_FORMAT"') %}
+{% set CURRENT_SUBVOLUME_TIMESTAMP_HUMAN = salt['cmd.shell']('CURRENT_SUBVOLUME_TIMESTAMP=\'' + CURRENT_SUBVOLUME_TIMESTAMP + '\'; echo "${CURRENT_SUBVOLUME_TIMESTAMP:0:10} ${CURRENT_SUBVOLUME_TIMESTAMP:11:2}:${CURRENT_SUBVOLUME_TIMESTAMP:14:2}"') %}
+{% set KERNEL_VERSION = salt['cmd.shell']('uname -r') %}
+
+system_bootloader_mkinitfs_conf:
+  file.keyvalue:
+    - name: /etc/mkinitfs/mkinitfs.conf
+    - key_values:
+        features: '"ata base btrfs keymap kms mmc nvme scsi usb virtio"'
+    - separator: '='
+    - uncomment: '# '
+    - key_ignore_case: false
+    - value_ignore_case: false
+    - append_if_not_found: True
+    - require:
+      - system_base_pkgs
+      - system_bootloader_pkgs
+
+system_bootloader_os-release:
+  file.managed:
+    - name: /etc/os-release
+    - source: salt://{{ tpldir }}/files/bootloader_os-release.jinja
+    - template: jinja
+    - context:
+        OS_VERSION: {{ salt['cmd.shell']('date "+%Y%m"') }}
+        OS_RELEASE_INFO: '"Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN }} | Kernel: {{ KERNEL_VERSION }}"'
+    - user: root
+    - group: root
+    - mode: '0644'
+
+system_bootloader_motd_dir:
+  file.directory:
+    - name: /etc/motd.d
+    - user: root
+    - group: root
+    - dir_mode: '0755'
+    - file_mode: '0644'
+    - require:
+      - system_bootloader_os-release
+
+system_bootloader_motd:
+  file.managed:
+    - name: /etc/motd.d/00_noveria.motd
+    - source: salt://{{ tpldir }}/files/bootloader_00_noveria.motd.jinja
+    - template: jinja
+    - context:
+        OS_NAME: {{ salt['cmd.shell']('echo NoveriaOS $(date "+%Y%m")') }}
+        OS_RELEASE_INFO: 'Timestamp: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN }} | Kernel: {{ KERNEL_VERSION }}'
+        OS_ISSUE_URL: 'https://git.noveria.org/NoveriaOS/ISO/issues'
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - system_bootloader_os-release
+      - system_bootloader_motd_dir
+
+system_bootloader_issue:
+  file.managed:
+    - name: /etc/issue
+    - source: salt://{{ tpldir }}/files/bootloader_issue.jinja
+    - template: jinja
+    - context:
+        OS_NAME: {{ salt['cmd.shell']('echo NoveriaOS $(date "+%Y%m")') }}
+        OS_RELEASE_INFO: {{ CURRENT_SUBVOLUME_TIMESTAMP_HUMAN }}
+    - user: root
+    - group: root
+    - mode: '0644'

system/btrfs.sls

@@ -1,20 +0,0 @@
-system_btrfs_create_podman_data_dir:
-    cmd.run:
-        - creates: /opt/podman
-        - name: btrfs subvolume create /opt/podman
-    file.managed:
-        - name: /opt/podman
-        - create: False
-        - replace: False
-        - user: root
-        - group: root
-
-system_btrfs_create_noveria_home:
-    cmd.run:
-        - creates: /home/noveria
-        - name: btrfs subvolume create /home/noveria
-
-system_btrfs_create_mysql_data_dir:
-    cmd.run:
-        - creates: /var/lib/mysql
-        - name: btrfs subvolume create /var/lib/mysql

system/disks.sls

@@ -0,0 +1,37 @@
+system_disks_pkgs:
+  pkg.installed:
+    - pkgs:
+      - btrfs-progs
+
+system_disks_btrfs_module:
+  file.append:
+    - name: /etc/modules
+    - text: "btrfs"
+    - require:
+      - system_base_pkgs
+
+system_disks_btrfs_mount_permission:
+  file.directory:
+    - name: /btrfs
+    - user: root
+    - group: root
+    - dir_mode: '0755'
+
+{% set ROOT_UUID = salt['cmd.shell']('lsblk -o LABEL,UUID | grep ROOT | awk \'{print $2}\'') %}
+{% set ESP_UUID = salt['cmd.shell']('lsblk -o LABEL,UUID | grep EFI | awk \'{print $2}\'') %}
+
+system_disks_fstab:
+  file.managed:
+    - name: /etc/fstab
+    - source: salt://{{ tpldir }}/files/disks_fstab.jinja
+    - template: jinja
+    - context:
+        TIMESTAMP: {{ salt.pillar.get('system.disks.timestamp') }}
+        TMPFS_SIZE: {{ salt.pillar.get('system.disks.tmpfs.size') }}
+        ROOT_UUID: {{ ROOT_UUID }}
+        ESP_UUID: {{ ESP_UUID }}
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - system_disks_btrfs_mount_permission

system/files/base_systemupdate

@@ -0,0 +1,205 @@
+#!/usr/bin/env bash
+
+#######################################################################################################################
+##
+## Script to full update the system
+##
+##   0. Pre checks
+##   1. Generate new boot environment (BE)
+##   2. Update and Salt highstate
+##   3. Clean up
+##
+#######################################################################################################################
+
+
+#######################################################################################################################
+## Definitions
+#######################################################################################################################
+
+readonly TEMPDIR=$(mktemp -d /tmp/systemupdate.XXXXXX)
+readonly LOCK_FILE="${TEMPDIR}/systemupdate.lock"
+
+readonly TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S")
+
+readonly BTRFS_ROOT="/btrfs"
+readonly CURRENT_SUBVOLUME=$(LC_ALL=C btrfs sub show / | LC_ALL=C grep 'Name' | cut -d: -f2 | awk '{$1=$1};1')
+readonly NEW_SUBVOLUME="@root_${TIMESTAMP}"
+readonly MOUNTPOINT='/mnt'
+
+readonly EFI_DISK=$(findmnt -T /efi -o SOURCE | tail -n 1)
+readonly ROOT_DISK=$(findmnt / -o SOURCE | cut -d"[" -f1 | tail -n 1)
+
+readonly BE_HISTORY_COUNT=5
+
+
+#######################################################################################################################
+## Errorhandling
+#######################################################################################################################
+
+#----------------------------------------------------------------------------------------------------------------------
+#   systemupdate failed
+#----------------------------------------------------------------------------------------------------------------------
+systemupdateFailed() {
+  echo ""
+  echo "┌──────────────────────────────────────────┐"
+  echo "│  FAILED => clean up                      │"
+  echo "└──────────────────────────────────────────┘"
+
+  subtaskTitle "Unmount BE if mounted"
+  unmountMountpoint
+
+  subtaskTitle "Remove BE"
+  removeBEFromTimestamp ${TIMESTAMP}
+
+  rm -f ${LOCK_FILE}
+
+  subtaskTitle "Finished with exit code 1"
+  exit 1
+}
+
+# catch ^C and other signals and clean up
+trap "echo -e '\n=> Interrupted with CTRL+C' >&2; systemupdateFailed" SIGINT SIGHUP SIGTERM SIGABRT
+
+
+#######################################################################################################################
+## Helper Functions
+#######################################################################################################################
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Subtask title output
+#----------------------------------------------------------------------------------------------------------------------
+subtaskTitle() {
+  echo -e "\n=> $1"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Unmount ${MOUNTPOINT}
+#----------------------------------------------------------------------------------------------------------------------
+unmountMountpoint() {
+  # if mountpoint exists -> umount
+  [[ $(findmnt -M "${MOUNTPOINT}") ]] && umount -R "${MOUNTPOINT}"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Recursive subvolume delete
+#----------------------------------------------------------------------------------------------------------------------
+btrfsSubDelRecursive() {
+  btrfs sub list -o "${BTRFS_ROOT}/${1}" | cut -d " " -f 9 | while read i; do
+    btrfsSubDelRecursive "$i"
+  done
+  btrfs sub del "${BTRFS_ROOT}/${1}"
+}
+
+#----------------------------------------------------------------------------------------------------------------------
+#   Remove BE from timestamp
+#----------------------------------------------------------------------------------------------------------------------
+removeBEFromTimestamp() {
+  # remove all subvolume with this timestamp
+  for f in $(btrfs sub list -o /btrfs | cut -d " " -f 9 | grep "@root"); do
+    if [[ "$f" =~ "$1" ]]; then
+      btrfsSubDelRecursive "$f"
+    fi
+  done
+}
+
+
+#######################################################################################################################
+## Main
+#######################################################################################################################
+
+echo "┌──────────────────────────────────────────┐"
+echo "│  0. Pre checks                           │"
+echo "└──────────────────────────────────────────┘"
+subtaskTitle "Check if another systemupgrade is in progress"
+if [ -f ${LOCK_FILE} ]; then
+  echo "[ERROR] Another systemupgrade is in progress (lockfile: ${LOCK_FILE}) => exit" >&2
+  exit 1
+fi
+
+subtaskTitle "Check if ${MOUNTPOINT} exists"
+if [ ! -d ${MOUNTPOINT} ]; then
+  mkdir -p "${MOUNTPOINT}"
+fi
+
+subtaskTitle "Check if ${MOUNTPOINT} is already a mountpoint"
+if [[ $(findmnt -M "${MOUNTPOINT}") ]]; then
+  echo "[ERROR] ${MOUNTPOINT} is already a mountpoint => exit" >&2
+  exit 1
+fi
+
+subtaskTitle "Checks finished and update can start"
+
+# Create lock file
+touch ${LOCK_FILE} || systemupdateFailed
+
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│  1. Generate new boot environment (BE)   │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Create snapshot of current running system"
+btrfs subvolume snapshot / ${BTRFS_ROOT}/${NEW_SUBVOLUME} || systemupdateFailed
+
+subtaskTitle "Mount new BE to ${MOUNTPOINT}"
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol="${NEW_SUBVOLUME}" "${ROOT_DISK}" "${MOUNTPOINT}" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@home "${ROOT_DISK}" "${MOUNTPOINT}/home" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@podman "${ROOT_DISK}" "${MOUNTPOINT}/opt/podman" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=@mysql "${ROOT_DISK}" "${MOUNTPOINT}/var/lib/mysql" || systemupdateFailed
+mount -o noatime,nodiratime,discard=async,space_cache=v2,subvol=/ "${ROOT_DISK}" "${MOUNTPOINT}/btrfs" || systemupdateFailed
+
+mount -o nodev,nosuid,noexec "${EFI_DISK}" "${MOUNTPOINT}/efi" || systemupdateFailed
+mount -t proc /proc "${MOUNTPOINT}/proc/" || systemupdateFailed
+mount -t sysfs /sys "${MOUNTPOINT}/sys/" || systemupdateFailed
+mount -o bind /sys/firmware/efi/efivars "${MOUNTPOINT}/sys/firmware/efi/efivars/" || systemupdateFailed
+mount -o bind /dev "${MOUNTPOINT}/dev/" || systemupdateFailed
+mount -o bind /run "${MOUNTPOINT}/run/" || systemupdateFailed
+
+subtaskTitle "New BE mounted"
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│  2. Update and Salt highstate            │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Update Saltstack"
+
+chroot "${MOUNTPOINT}" /bin/bash -c "git -C /srv/salt pull" || systemupdateFailed
+
+subtaskTitle "Update bootloader configs"
+chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.sls system.bootloader" >/dev/null || systemupdateFailed
+
+subtaskTitle "Alpine repositories & keyring update"
+chroot "${MOUNTPOINT}" /bin/bash -c "apk update" || systemupdateFailed
+
+subtaskTitle "Alpine packages update"
+chroot "${MOUNTPOINT}" /bin/bash -c "apk upgrade" || systemupdateFailed
+
+subtaskTitle "Salt highstate"
+chroot "${MOUNTPOINT}" /bin/bash -c "salt-call state.highstate" >/dev/null || systemupdateFailed
+
+subtaskTitle "Generate new initial ramdisk"
+latest_kernel="$(chroot "${MOUNTPOINT}" /bin/bash -c 'echo $(apk search linux-lts | head -n1 | cut -d- -f3- | sed "s|r||")-lts')"
+chroot "${MOUNTPOINT}" /bin/bash -c "mkinitfs $latest_kernel" || systemupdateFailed
+
+subtaskTitle "Update motd"
+chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/generate_motd" || systemupdateFailed
+
+subtaskTitle "Update GRUB"
+chroot "${MOUNTPOINT}" /bin/bash -c "grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=alpine" || systemupdateFailed
+chroot "${MOUNTPOINT}" /bin/bash -c "/usr/local/noveria/bin/noveriablcgen --noconfirm" || systemupdateFailed
+
+subtaskTitle "Update finished"
+
+subtaskTitle "Unmount BE"
+unmountMountpoint
+
+echo ""
+echo "┌──────────────────────────────────────────┐"
+echo "│  3. Clean Up                             │"
+echo "└──────────────────────────────────────────┘"
+
+subtaskTitle "Clean up finished"
+
+# Remove lock file
+rm -f ${LOCK_FILE}

system/files/base_tun-perm.initd

@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+supervisor=supervise-daemon
+
+name="tun module permission setter"
+description="setting the permission of /dev/net/tun to 666"
+
+command=$(which chmod)
+command_args="0666 /dev/net/tun"
+command_user="root"
+
+depend() {
+  need modules
+}

system/files/bootloader_00_noveria.motd.jinja

@@ -0,0 +1,17 @@
+╔═══════════════════════════════════════════════╗
+║                 Velkommen til                 ║
+║       _   _                     _             ║
+║      | \ | |                   (_)            ║
+║      |  \| | _____   _____ _ __ _  __ _       ║
+║      | . ` |/ _ \ \ / / _ \ '__| |/ _` |      ║
+║      | |\  | (_) \ V /  __/ |  | | (_| |      ║
+║      |_| \_|\___/ \_/ \___|_|  |_|\__,_|      ║
+║                                               ║
+╚═══════════════════════════════════════════════╝
+
+OS: {{ OS_NAME }}
+Version: {{ OS_RELEASE_INFO }}
+
+Report issues on: {{ OS_ISSUE_URL }}
+
+═════════════════════════════════════════════════

system/files/bootloader_issue.jinja

@@ -0,0 +1,2 @@
+Velkommen til {{ OS_NAME }}
+Timestamp: {{ OS_RELEASE_INFO }} | Kernel: \r

system/files/bootloader_os-release.jinja

@@ -0,0 +1,8 @@
+NAME="NoveriaOS"
+ID=noveriaos
+ID_LIKE=alpine
+VERSION_ID="{{ OS_VERSION }}"
+PRETTY_NAME="NoveriaOS {{ OS_VERSION }}"
+RELEASE_INFO={{ OS_RELEASE_INFO }}
+HOME_URL="https://noveria.org"
+BUG_REPORT_URL="https://git.noveria.org/NoveriaOS/ISO/issues"

system/files/disks_fstab.jinja

@@ -0,0 +1,11 @@
+# Static information about the filesystems.
+# See fstab(5) for details.
+
+# <file system>     <dir>       <type>  <options> <dump> <pass>
+UUID={{ ROOT_UUID }}    /           btrfs   noatime,nodiratime,compress=zstd,ssd,shared,discard=async,space_cache=v2,subvol=/@root_{{ TIMESTAMP }}  0 0
+UUID={{ ESP_UUID }}     /efi        vfat    rw,nosuid,nodev,noexec,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro   0 2
+UUID={{ ROOT_UUID }}    /home       btrfs   noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=/@home    0 0
+UUID={{ ROOT_UUID }}    /var/lib/mysql  btrfs   noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=/@mysql    0 0
+UUID={{ ROOT_UUID }}    /opt/podman btrfs   noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,subvol=/@podman    0 0
+UUID={{ ROOT_UUID }}    /btrfs      btrfs   noatime,nodiratime,compress=zstd,ssd,discard=async,space_cache=v2,space_cache=v2,subvol=/     0 0
+tmpfs                   /tmp      tmpfs   nodev,nosuid,size={{ TMPFS_SIZE }}    0 0

system/files/salt_minion

@@ -0,0 +1,10 @@
+---
+state_verbose: False
+file_client: local
+file_roots:
+  base:
+    - /srv/salt
+pillar_roots:
+  base:
+    - /srv/pillar
+...

system/files/shell_profile.jinja

@@ -0,0 +1,34 @@
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:{{ CUSTOM_BIN }}"
+
+export PAGER=less
+export EDITOR=vim
+umask 022
+
+# use nicer PS1 for bash and busybox ash
+if [ -n "$BASH_VERSION" -o "$BB_ASH_VERSION" ]; then
+        PS1='[%n@%m %~]%# '
+# use nicer PS1 for zsh
+elif [ -n "$ZSH_VERSION" ]; then
+        PS1='[%n@%m %~]%# '
+# set up fallback default PS1
+else
+        : "${HOSTNAME:=$(hostname)}"
+        PS1='${HOSTNAME%%.*}:$PWD'
+        [ "$(id -u)" -eq 0 ] && PS1="${PS1}# " || PS1="${PS1}\$ "
+fi
+
+if [ -n "$BASH_VERSION" ] && [ "$BASH" != "/bin/sh" ]; then
+        # if we're bash (and not /bin/sh bash), also source the bashrc
+        # by default, bash sources the bashrc for non-login,
+        # and only /etc/profile on login (-l). so, make it do both on login.
+        # this ensures that login-shell bash (e.g. -bash or bash -l) still sources the
+        # system bashrc, which e.g. loads bash-completion
+        . /etc/bash/bashrc
+fi
+
+for script in /etc/profile.d/*.sh ; do
+        if [ -r "$script" ] ; then
+                . "$script"
+        fi
+done
+unset script

system/init.sls

@@ -1,4 +1,7 @@
 include:
-    - .btrfs
+  - .base
+  - .bootloader
+  - .disks
   - .user
-    - .packages
+  - .shell
+  - .salt

system/packages.sls

@@ -1,16 +0,0 @@
-include:
-    - .btrfs
-
-system_packages_install:
-    pkg.installed:
-        - pkgs:
-            - podman
-            - cockpit-podman
-            - podman-docker
-            - podman-compose
-            - mariadb-server
-            - java-latest-openjdk-headless
-            - jq
-        - require:
-            - system_btrfs_create_podman_data_dir
-            - system_btrfs_create_mysql_data_dir

system/salt.sls

@@ -0,0 +1,39 @@
+include:
+  - system.base
+
+system_salt_pkg:
+  pkg.installed:
+    - pkgs:
+      - salt-minion
+    - require:
+      - system_base_pkgs
+
+system_salt_minion_config:
+  file.managed:
+    - name: /etc/salt/minion
+    - source: salt://{{ tpldir }}/files/salt_minion
+    - user: root
+    - group: root
+    - mode: '0644'
+
+system_salt_minon_service:
+  service.disabled:
+    - name: salt-minion
+    - require:
+      - system_salt_pkg
+
+system_salt_minion_cachedir_permission:
+  file.directory:
+    - name: /var/cache/salt/minion
+    - mode: '0700'
+    - require:
+      - system_salt_pkg
+
+system_salt_minion_logdir_permission:
+  file.directory:
+    - name: /var/log/salt
+    - user: root
+    - group: root
+    - mode: '0700'
+    - require:
+      - system_salt_pkg

system/shell.sls

@@ -0,0 +1,27 @@
+{% from "map.jinja" import noveria with context %}
+
+include:
+  - directories
+  - system.base
+
+system_shell_pkgs:
+  pkg.installed:
+    - pkgs:
+      - zsh
+      - alpine-zsh-config
+      - bash
+    - require:
+      - system_base_pkgs
+
+system_shell_profile:
+  file.managed:
+    - name: /etc/profile
+    - source: salt://{{ tpldir }}/files/shell_profile.jinja
+    - template: jinja
+    - context:
+        CUSTOM_BIN: {{ noveria.bin_dir }}
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - system_shell_pkgs

system/user.sls

@@ -1,22 +1,12 @@
-include:
-    - .btrfs
-
-system_user_create:
+system_user_noveria_create:
   user.present:
     - name: noveria
     - shell: /bin/false
     - home: /home/noveria
     - usergroup: True
-        - createhome: False
+    - createhome: True
 
-system_user_create_home_noveria:
-    file.directory:
-        - name: /home/noveria
-        - user: noveria
-        - group: noveria
-        - mode: 700
-        - recurse:
-            - user
-            - group
-        - require:
-            - system_btrfs_create_noveria_home
+system_user_root_edit:
+  user.present:
+    - name: root
+    - shell: /bin/zsh

top.sls

@@ -1,4 +1,9 @@
 base:
   '*':
+    - directories
     - system
-        - services
+    - network
+    - apps
+    - openssh
+    - haproxy
+    - serverspecific