Initial revision.

.gitignore

@@ -0,0 +1,2 @@
+vendor/
+/base/all_private_ip_addresses.jinja

base/admin/ca.sls

@@ -0,0 +1,140 @@
+{% import 'globals.jinja' as globals %}
+
+include:
+  - constant_state
+  - generic_packages.m2crypto
+
+/data/admin/pki/cacerts:
+  file.directory:
+    - mode: 755
+    - require:
+      - file: /data/admin/pki
+
+# Root CA
+
+/data/admin/pki/root:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data/admin/pki
+
+/data/admin/pki/root/issued_certs:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data/admin/pki/root
+
+{% if grains['id'] == globals.primary_admin_host %}
+
+/data/admin/pki/root/ca.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - backup: True
+    - require:
+      - file: /data/admin/pki/root
+
+/data/admin/pki/root/ca.crt:
+  x509.certificate_managed:
+    - signing_private_key: /data/admin/pki/root/ca.key
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+{%- for attr, value in pillar['global']['certificate_attributes']['root'].items() %}
+    - {{ attr }}: {{ value }}
+{%- endfor %}
+    - CN: Root Certificate Authority
+    - require:
+      - file: /data/admin/pki/cacerts
+      - x509: /data/admin/pki/root/ca.key
+
+/data/admin/pki/cacerts/ca_root.crt:
+  file.managed:
+    - source: /data/admin/pki/root/ca.crt
+    - require:
+      - x509: /data/admin/pki/root/ca.crt
+    - onchanges_in:
+      - module: mine_send_cacerts
+
+{% endif %}
+
+# Deployment CA
+
+/data/admin/pki/deployment:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data/admin/pki
+
+/data/admin/pki/deployment/issued_certs:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data/admin/pki/deployment
+
+{% if grains['id'] == globals.primary_admin_host %}
+
+/data/admin/pki/deployment/ca.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - backup: True
+    - require:
+      - file: /data/admin/pki/deployment
+
+/data/admin/pki/deployment/ca.crt:
+  x509.certificate_managed:
+    - signing_cert: /data/admin/pki/root/ca.crt
+    - signing_private_key: /data/admin/pki/root/ca.key
+    - public_key: /data/admin/pki/deployment/ca.key
+    - basicConstraints: "critical CA:true"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: 3650
+    - days_remaining: 0
+    - backup: True
+{%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
+    - {{ attr }}: {{ value }}
+{%- endfor %}
+    - CN: Deployment Certificate Authority
+    - require:
+      - file: /data/admin/pki/cacerts
+      - x509: /data/admin/pki/root/ca.key
+      - x509: /data/admin/pki/root/ca.crt
+      - x509: /data/admin/pki/deployment/ca.key
+
+/data/admin/pki/cacerts/ca_deployment.crt:
+  file.managed:
+    - source: /data/admin/pki/deployment/ca.crt
+    - require:
+      - x509: /data/admin/pki/deployment/ca.crt
+    - onchanges_in:
+      - module: mine_send_cacerts
+
+/etc/salt/minion.d/signing_policies.conf:
+  file.managed:
+    - source: salt://admin/files/signing_policies.conf
+    - template: jinja
+    - watch_in:
+      - service: salt_minion
+
+{% else %}
+
+/etc/salt/minion.d/signing_policies.conf:
+  file.absent:
+    - watch_in:
+      - service: salt_minion
+
+{% endif %}
+
+mine_send_cacerts:
+  module.run:
+    - name: mine.send
+    - func: x509.get_pem_entries
+    - kwargs:
+        glob_path: /data/admin/pki/cacerts/*.crt
+    - onchanges:
+      - test: constant_state

base/admin/certbot.sls

@@ -0,0 +1,63 @@
+{% import 'globals.jinja' as globals %}
+
+include:
+  - nginx
+  - pip.virtualenvwrapper
+
+{% for subdir in [
+  'certbot-auto',
+  'letsencrypt',
+] %}
+/data/admin/{{ subdir }}:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data/admin
+{% endfor %}
+
+/data/virtualenvs/letsencrypt:
+  file.directory:
+    - require:
+      - file: /data/virtualenvs
+    
+/root/.local/share:
+  file.symlink:
+    - target: /data/virtualenvs
+    - makedirs: True
+    - require:
+      - file: /data/virtualenvs
+
+/etc/letsencrypt:
+  file.symlink:
+    - target: /data/admin/letsencrypt
+    - require:
+      - file: /data/admin/letsencrypt
+
+/data/certbot/.well-known:
+  file.directory:
+    - mode: 755
+    - makedirs: True
+    - require:
+      - file: /data
+
+/etc/nginx/sites-enabled/certbot:
+  file.managed:
+    - source: salt://admin/files/certbot.nginx
+    - template: jinja
+    - watch_in:
+      - service: nginx
+
+{% if grains['id'] == globals.primary_admin_host %}
+
+# If the admin servers are replicated, then certbot must only be run on one
+# of them and the information replicated to all the others.
+/etc/cron.d/certbot:
+  file.managed:
+    - source: salt://admin/files/certbot.cron
+
+{% else %}
+
+/etc/cron.d/certbot:
+  file.absent
+
+{% endif %}

base/admin/files/certbot.cron

@@ -0,0 +1 @@
+42 8,20 * * *   root    /data/admin/certbot-auto/certbot-auto renew --quiet --post-hook="/bin/true" > /dev/null 2>&1

base/admin/files/certbot.nginx

@@ -0,0 +1,10 @@
+{% import 'globals.jinja' as globals %}
+server {
+  listen 80;
+  server_name {{ globals.private_fqdn }};
+  location /.well-known/ {
+      alias /data/certbot/.well-known/;
+      expires 30d;
+      autoindex off;
+  }
+}

base/admin/files/signing_policies.conf

@@ -0,0 +1,31 @@
+{% import 'globals.jinja' as globals -%}
+x509_signing_policies:
+  deployment_client:
+    - signing_private_key: /data/admin/pki/deployment/ca.key
+    - signing_cert: /data/admin/pki/deployment/ca.crt
+    - copypath: /data/admin/pki/deployment/issued_certs
+    - prepend_cn: True
+    - days_valid: 90
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - extendedKeyUsage: "clientAuth"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+{%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
+    - {{ attr }}: {{ value }}
+{%- endfor %}
+  deployment_server:
+    - minions: {{ ','.join(globals.admin_hosts) }}
+    - signing_private_key: /data/admin/pki/deployment/ca.key
+    - signing_cert: /data/admin/pki/deployment/ca.crt
+    - copypath: /data/admin/pki/deployment/issued_certs
+    - prepend_cn: True
+    - days_valid: 90
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical keyEncipherment"
+    - extendedKeyUsage: "serverAuth,clientAuth"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+{%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
+    - {{ attr }}: {{ value }}
+{%- endfor %}

base/admin/init.sls

@@ -0,0 +1,49 @@
+{% import "globals.jinja" as globals %}
+
+include:
+  - admin.ca
+  - admin.certbot
+  - saltstack.master
+
+/data/admin:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data
+
+{% for subdir in [
+  'pillar',
+  'pki',
+  'salt',
+  'salt-modules',
+] %}
+/data/admin/{{ subdir }}:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /data/admin
+{% endfor %}
+
+admin_bashrc:
+  file.append:
+    - name: /root/.bashrc
+    - text:
+      - alias salt='salt -t60'
+
+/root/.ssh:
+  file.directory:
+    - mode: 700
+
+/root/.ssh/id_rsa:
+  file.managed:
+    - mode: 600
+    - contents_pillar: admin:ssh:id_rsa
+    - require:
+      - file: /root/.ssh
+
+/root/.ssh/id_rsa.pub:
+  file.managed:
+    - mode: 644
+    - contents_pillar: admin:ssh:id_rsa_pub
+    - require:
+      - file: /root/.ssh

base/bootstrap/files/debian/fix-resolv-conf

@@ -0,0 +1,22 @@
+{% import 'globals.jinja' as globals -%}
+#!/bin/sh
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+# Exit if the file contents have already been replaced.
+grep -q SKIP_SUBSTITUTION /etc/resolv.conf && exit 0
+
+cat <<'EOM' > /etc/resolv.conf.tmp && grep '^nameserver ' /etc/resolv.conf >> /etc/resolv.conf.tmp && mv /etc/resolv.conf.tmp /etc/resolv.conf
+# ****************************************************************
+# * DO NOT EDIT THIS FILE OR REMOVE THIS LINE: SKIP_SUBSTITUTION *
+# ****************************************************************
+# This file is generated by /etc/network/if-pre-up.d/fix-resolv-conf
+# using the list of nameservers from the original /etc/resolv.conf provided
+# at boot time by the Linode Network Helper.
+
+domain {{ globals.private_node_domain }}
+search {{ globals.private_node_domain }} {{ globals.private_service_domain }}
+nameserver 127.0.0.1
+
+# Linode nameserver entries will be appended below.
+EOM

base/bootstrap/init.sls

@@ -0,0 +1,103 @@
+{% import 'globals.jinja' as globals %}
+
+# The if conditions below ensure that the CA already exists before trying to
+# create a deployment certificate or install consul on the primary admin server.
+# This requires initially running state.highstate twice on the primary admin
+# server in order to configure it fully.
+
+include:
+  - dnsmasq
+  - generic_packages.jq
+  - generic_packages.m2crypto
+  - generic_packages.sharutils
+  - generic_packages.tcpdump
+  - mount.data
+  - root_user
+  - saltstack.minion
+  - screen
+  - ssh.server
+{% if (grains['id'] != globals.primary_admin_host) or salt['file.file_exists']('/data/admin/pki/deployment/ca.crt') %}
+  - consul
+{%- if grains['id'] in globals.admin_hosts %}
+  - consul.server
+{%- endif %}
+
+deployment-keys:
+  group.present:
+    - system: True
+
+/etc/deployment:
+  file.directory
+
+/etc/deployment/ssl:
+  file.directory:
+    - require:
+      - file: /etc/deployment
+
+/etc/deployment/ssl/certs:
+  file.directory:
+    - require:
+      - file: /etc/deployment/ssl
+
+/etc/deployment/ssl/private:
+  file.directory:
+    - mode: 750
+    - group: deployment-keys
+    - require:
+      - group: deployment-keys
+      - file: /etc/deployment/ssl
+
+/etc/deployment/ssl/private/deployment.key:
+  x509.private_key_managed:
+    - bits: 4096
+    - backup: True
+    - require:
+      - file: /etc/deployment/ssl/private
+
+/etc/deployment/ssl/certs/deployment.crt:
+  x509.certificate_managed:
+    - ca_server: {{ globals.primary_admin_host }}
+    - signing_policy: {{ 'deployment_server' if grains['id'] in globals.admin_hosts else 'deployment_client' }}
+    - CN: {{ globals.private_fqdn }}
+    - days_remaining: 30
+    - backup: True
+    - public_key: /etc/deployment/ssl/private/deployment.key
+    - require:
+      - file: /etc/deployment/ssl/certs
+      - x509: /etc/deployment/ssl/private/deployment.key
+
+{% set ca_certs = salt['mine.get'](globals.primary_admin_host, 'x509.get_pem_entries')[globals.primary_admin_host] %}
+/etc/deployment/ssl/certs/ca-chain-deployment.crt:
+  # x509.pem_managed only allows one certificate per file, so we don't use it.
+  # It also seems redundant given the built-in abilities of file.managed and the
+  # jinja2 indent function.
+  file.managed:
+    - contents: |
+        {{ ca_certs['/data/admin/pki/cacerts/ca_root.crt']|indent(8) }}
+        {{ ca_certs['/data/admin/pki/cacerts/ca_deployment.crt']|indent(8) }}
+    - require:
+      - file: /etc/deployment/ssl/certs
+
+{% if grains['os_family'] == 'Debian' %}
+
+fix_resolv_conf:
+  file.managed:
+    - name: /etc/network/if-pre-up.d/fix-resolv-conf
+    - source: salt://bootstrap/files/debian/fix-resolv-conf
+    - template: jinja
+    - mode: 755
+
+# Ensure that the script gets run after it gets installed for the first time,
+# but only after dnsmasq is installed to redirect DNS lookups to consul.
+run_fix_resolv_conf:
+  cmd.run:
+    - name: /etc/network/if-pre-up.d/fix-resolv-conf
+    - require:
+      - pkg: dnsmasq
+      - service: consul
+    - onchanges:
+      - file: /etc/network/if-pre-up.d/fix-resolv-conf
+
+{% endif %}
+
+{% endif %}

base/circusd/files/circusd.ini

@@ -0,0 +1,16 @@
+[circus]
+check_delay = 5
+endpoint = ipc:///var/lib/circus/endpoint.sock
+pubsub_endpoint = ipc:///var/lib/circus/pubsub.sock
+include_dir = /etc/circus/conf.d
+loggerconfig = /etc/circus/circusd.logger.yaml
+debug = False
+httpd = False
+
+;; Enabling this results in significant CPU usage (5-8% on most hosts)
+statsd = False
+
+[plugin:flapping]
+use = circus.plugins.flapping.Flapping
+retry_in = 3
+max_retry = 2

base/circusd/files/circusd.logger.yaml

@@ -0,0 +1,22 @@
+version: 1
+disable_existing_loggers: false
+formatters:
+  simple:
+    format: '%(asctime)s %(name)s[%(process)d] [%(levelname)s] %(message)s'
+    datefmt: '%Y-%m-%d %H:%M:%S'
+handlers:
+  logfile:
+    class: logging.handlers.RotatingFileHandler
+    filename: /var/log/circus/circusd.log
+    maxBytes: 1048576
+    backupCount: 7
+    level: DEBUG
+    formatter: simple
+loggers:
+  circus:
+    level: INFO
+    handlers: [logfile]
+    propagate: no
+root:
+  level: INFO
+  handlers: [logfile]

base/circusd/files/circusd.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Circus process manager
+After=syslog.target network.target nss-lookup.target
+
+[Service]
+Type=simple
+ExecReload=/data/virtualenvs/circus/bin/circusctl reload
+ExecStart=/data/virtualenvs/circus/bin/circusd /etc/circus/circusd.ini
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=default.target

base/circusd/files/requirements.in

@@ -0,0 +1,2 @@
+circus
+pyyaml

base/circusd/files/requirements.txt

@@ -0,0 +1,10 @@
+backports-abc==0.5
+certifi==2017.4.17
+circus==0.14.0
+iowait==0.2
+psutil==5.2.2
+PyYAML==3.12
+pyzmq==16.0.2
+singledispatch==3.4.0.3
+six==1.10.0
+tornado==4.5.1

base/circusd/init.sls

@@ -0,0 +1,78 @@
+include:
+  - constant_state
+  - pip.virtualenvwrapper
+
+/var/lib/circus:
+  file.directory
+
+/var/log/circus:
+  file.directory
+
+/etc/circus:
+  file.directory
+
+/etc/circus/circusd.ini:
+  file.managed:
+    - source: salt://circusd/files/circusd.ini
+    - require:
+      - file: /etc/circus
+
+/etc/circus/circusd.logger.yaml:
+  file.managed:
+    - source: salt://circusd/files/circusd.logger.yaml
+    - require:
+      - file: /etc/circus
+
+/etc/circus/conf.d:
+  file.directory:
+    - require:
+      - file: /etc/circus
+
+/data/virtualenvs/circus:
+  virtualenv.managed:
+    - requirements: salt://circusd/files/requirements.txt
+    - require:
+      - pkg: pip
+      - file: /data/virtualenvs
+
+/usr/bin/circusctl:
+  file.symlink:
+    - target: /data/virtualenvs/circus/bin/circusctl
+    - require:
+      - virtualenv: /data/virtualenvs/circus
+
+/etc/systemd/system/circusd.service:
+  file.managed:
+    - source: salt://circusd/files/circusd.service
+    - onchanges_in:
+      - module: reload_systemd
+
+circusd:
+  service.running:
+    - require:
+      - module: reload_systemd
+      - file: /var/lib/circus
+      - file: /var/log/circus
+    - watch:
+      - virtualenv: /data/virtualenvs/circus
+      - file: /etc/circus/circusd.ini
+      - file: /etc/circus/circusd.logger.yaml
+      - file: /etc/systemd/system/circusd.service
+
+circusd.reloadconfig:
+  module.run:
+    - endpoint: ipc:///var/lib/circus/endpoint.sock
+    - require:
+      - file: /usr/bin/circusctl
+      - service: circusd
+
+    # Set onchanges to a dummy value in case no other states require this state
+    # using 'onchanges_in'.
+    - onchanges:
+      - test: constant_state
+
+circusd_bashrc:
+  file.append:
+    - name: /root/.bashrc
+    - text:
+      - export CIRCUSCTL_ENDPOINT=ipc:///var/lib/circus/endpoint.sock

base/circusd/lib.jinja

@@ -0,0 +1,56 @@
+# circusd_watcher_running() always runs last due to its dependency on
+# circusd.reloadconfig. If the service is not running it will be started. If
+# the service is already running, but changes were detected via the
+# xxx_watcher_requirements state, then the service will be restarted.
+#
+# circusd_watcher_configuration() keeps the appropriate circusd configuration
+# file up to date, and triggers a circusd.reloadconfig if any changes are
+# detected. It also generates the xxx_watcher_requiremnts state, which serves
+# as a dependency of both circusd.reloadconfig and circusd.watcher_running and
+# ensures that all requirements of the service are met before either of those
+# commands are executed (circusd.reloadconfig starts new services automatically,
+# so all requirements need to be met). The difference is that
+# circusd.reloadconfig only needs to be run if the actual circusd configuration
+# file changed (hence the require_in), while circusd.watcher_running always
+# need to be run (hence the watch_in).
+#
+# The test.succeed_with_changes state is a convenient way of putting all the
+# shared requirements for other states in one place. Because of the use of
+# 'onchanges', it will report changes if and only if any of its dependencies
+# change.
+
+{% macro circusd_watcher_running() %}
+  circusd.watcher_running:
+    - endpoint: ipc:///var/lib/circus/endpoint.sock
+    - require:
+      - module: circusd.reloadconfig
+{% endmacro %}
+
+{% macro circusd_watcher_configuration(name, source, context, extra_requires, extra_onchanges) %}
+/etc/circus/conf.d/{{ name }}.ini:
+  file.managed:
+    - source: {{ source }}
+{% if context %}
+    - template: jinja
+    - context: {{ context }}
+{% endif %}
+    - require:
+      - pkg: circusd
+    - onchanges_in:
+      - module: circusd.reloadconfig
+
+{{ name }}_watcher_requirements:
+  test.succeed_with_changes:
+    - require:
+      - service: circusd
+{% for item in extra_requires %}
+      - {{ item }}{% endfor %}
+    - onchanges:
+      - file: /etc/circus/conf.d/{{ name }}.ini
+{% for item in extra_onchanges %}
+      - {{ item }}{% endfor %}
+    - require_in:
+      - module: circusd.reloadconfig
+    - watch_in:
+      - circusd: {{ name }}
+{% endmacro %}

base/constant_state.sls

@@ -0,0 +1,5 @@
+# constant_state is referenced in the 'onchanges' of another state to guarantee
+# that there is at least one 'onchanges' entry for that state so that it will
+# never execute on its own. We can then trigger the state via 'onchanges_in' in # other states that need it.
+constant_state:
+  test.succeed_without_changes

base/consul/files/conf.d/datacenter.json

@@ -0,0 +1,3 @@
+{
+  "datacenter": "{{ consul_datacenter }}"
+}

base/consul/files/conf.d/dns.json

@@ -0,0 +1,6 @@
+{
+	"dns_config": {
+		"allow_stale": true,
+		"max_stale": "87600h"
+	}
+}

base/consul/files/conf.d/join.json

@@ -0,0 +1,3 @@
+{
+  "start_join": ["{{ server_ip_addresses|join('", "') }}"]
+}

base/consul/files/conf.d/security.json

@@ -0,0 +1,4 @@
+{
+  "encrypt": "{{ consul_secret }}",
+  "disable_remote_exec": true
+}

base/consul/files/conf.d/tls.json

@@ -0,0 +1,7 @@
+{
+  "ca_file": "/etc/deployment/ssl/certs/ca-chain-deployment.crt",
+  "cert_file": "/etc/deployment/ssl/certs/deployment.crt",
+  "key_file": "/etc/deployment/ssl/private/deployment.key",
+  "verify_incoming": true,
+  "verify_outgoing": true
+}

base/consul/files/consul.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=consul agent
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+Environment=GOMAXPROCS=2
+Restart=on-failure
+ExecStart=/usr/bin/consul agent -config-dir=/etc/consul -data-dir=/data/consul
+#ExecReload=/bin/kill -HUP $MAINPID
+KillSignal=SIGTERM
+
+[Install]
+WantedBy=multi-user.target

base/consul/init.sls

@@ -0,0 +1,66 @@
+{% import 'globals.jinja' as globals %}
+
+include:
+  - systemd.helpers
+
+consul:
+  file.managed:
+    - name: /usr/bin/consul
+    - source: salt://consul/files/vendor/0.8.3.linux-amd64/consul
+    - mode: 555
+  group.present:
+    - system: True
+  user.present:
+    - system: True
+    - gid: consul
+    - home: /data/consul
+    - createhome: False
+    - groups:
+      - deployment-keys
+    - require:
+      - group: consul
+      - group: deployment-keys
+  service.running:
+    - require:
+      - user: consul
+      - group: consul
+      - file: /data/consul
+      - module: reload_systemd
+    - watch:
+      - file: consul
+      - file: /etc/consul
+      - x509: /etc/deployment/ssl/private/deployment.key
+      - x509: /etc/deployment/ssl/certs/deployment.crt
+      - file: /etc/deployment/ssl/certs/ca-chain-deployment.crt
+      - file: /etc/systemd/system/consul.service
+
+# We create this directory manually rather than using 'user.present' with
+# 'createhome: True' to ensure that .bashrc, etc., are not copied into it.
+/data/consul:
+  file.directory:
+    - user: consul
+    - group: consul
+    - require:
+      - user: consul
+      - group: consul
+
+/etc/consul:
+  file.recurse:
+    - source: salt://consul/files/conf.d
+    - user: root
+    - group: consul
+    - dir_mode: 750
+    - file_mode: 640
+    - template: jinja
+    - context:
+        consul_datacenter: {{ pillar['global']['consul_datacenter'] }}
+        consul_secret: {{ pillar['global']['consul_secret'] }}
+        server_ip_addresses: {{ globals.admin_ip_addresses }}
+    - require:
+      - group: consul
+
+/etc/systemd/system/consul.service:
+  file.managed:
+    - source: salt://consul/files/consul.service
+    - onchanges_in:
+      - module: reload_systemd

base/consul/server/files/server.json

@@ -0,0 +1,5 @@
+{% import 'globals.jinja' as globals %}
+{
+  "server": true,
+  "bootstrap_expect": {{ globals.admin_ip_addresses|count }}
+}

base/consul/server/init.sls

@@ -0,0 +1,15 @@
+include:
+  - consul
+
+/etc/consul/server.json:
+  file.managed:
+    - source: salt://consul/server/files/server.json
+    - template: jinja
+    - mode: 640
+    - user: root
+    - group: consul
+    - require:
+      - file: /etc/consul
+      - group: consul
+    - watch_in:
+      - service: consul

base/disabled_users.sls

@@ -0,0 +1,8 @@
+# We purposely use the same state name for disabled and enabled users to force
+# an error if an attempt is made to both enable and disable a user.
+{% for username in pillar['users']['disabled'] %}
+user_{{ username }}:
+  user.absent:
+    - name: {{ username }}
+    - purge: False
+{% endfor %}

base/dnsmasq/files/common.conf

@@ -0,0 +1,3 @@
+bind-interfaces
+listen-address=127.0.0.1
+domain-needed

base/dnsmasq/files/consul.conf

@@ -0,0 +1,2 @@
+server=/consul/127.0.0.1#8600
+server=/168.192.in-addr.arpa/127.0.0.1#8600

base/dnsmasq/init.sls

@@ -0,0 +1,18 @@
+{% from 'dnsmasq/map.jinja' import dnsmasq %}
+
+dnsmasq:
+  pkg.installed:
+    - name: {{ dnsmasq.package }}
+  service.running:
+    - name: {{ dnsmasq.service }}
+    - watch:
+      - pkg: dnsmasq
+      - file: dnsmasq_files
+
+dnsmasq_files:
+  file.recurse:
+    - name: {{ dnsmasq.config_dir }}
+    - source: salt://dnsmasq/files
+    - file_mode: 644
+    - require:
+      - pkg: dnsmasq

base/dnsmasq/map.jinja

@@ -0,0 +1,7 @@
+{% set dnsmasq = salt['grains.filter_by']({
+	'Debian': {
+		'package': 'dnsmasq',
+		'service': 'dnsmasq',
+		'config_dir': '/etc/dnsmasq.d'
+	}
+}, merge=salt['pillar.get']('dnsmasq:lookup')) %}

base/firewall/backend_private_ip_entries.sls

@@ -0,0 +1,12 @@
+{% import 'globals.jinja' as globals %}
+ipset_backend_private_ip_entries:
+  ipset.present:
+    - require:
+      - ipset: ipset_backend_private_ips
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_name: ipset_backend_private_ips
+    - entry:
+{% for ip in globals.all_private_ip_addresses %}
+      - {{ ip }}
+{% endfor %}

base/firewall/files/ipset-save.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+ipset save > /etc/iptables/ipset.tmp && mv /etc/iptables/ipset.tmp /etc/iptables/ipset

base/firewall/files/restore-iptables

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+
+if [ -f /etc/iptables/rules.v4 -a -f /etc/iptables/ipset ]; then
+	# Flush the iptables so that we can cleanly flush the ipsets.
+	iptables -t raw -F
+	iptables -t filter -F
+fi
+
+if [ -f /etc/iptables/ipset ]; then
+	# We flush first in case some sets are still in use and the destroy
+	# doesn't work.
+	ipset flush
+	ipset destroy
+	ipset restore < /etc/iptables/ipset 2> /dev/null
+fi
+
+if [ -f /etc/iptables/rules.v4 ]; then
+	iptables-restore < /etc/iptables/rules.v4 2> /dev/null
+fi

base/firewall/init.sls

@@ -0,0 +1,292 @@
+{% import 'globals.jinja' as globals %}
+
+# Required packages and helpers
+# -----------------------------
+ipset_package:
+  pkg.installed:
+    - name: ipset
+
+/etc/iptables/ipset-save.sh:
+  file.managed:
+    - source: salt://firewall/files/ipset-save.sh
+    - mode: 555
+    - makedirs: True
+
+/etc/network/if-pre-up.d/restore-iptables:
+  file.managed:
+    - source: salt://firewall/files/restore-iptables
+    - mode: 555
+
+do_ipset_save:
+  cmd.run:
+    - name: /etc/iptables/ipset-save.sh
+    - onchanges:
+      - pkg: ipset_package
+      - file: /etc/iptables/ipset-save.sh
+
+# IP Sets
+# -------
+
+# Backend server private IP addresses.
+ipset_backend_private_ips:
+  ipset.set_present:
+    - require:
+      - pkg: ipset_package
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_type: bitmap:ip
+    - range: 192.168.128.0/17
+
+# Ensure we always include the admin server IP(s).
+ipset_backend_admin_ip_entries:
+  ipset.present:
+    - require:
+      - ipset: ipset_backend_private_ips
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_name: ipset_backend_private_ips
+    - entry:
+{% for ip in globals.admin_ip_addresses %}
+      - {{ ip }}
+{% endfor %}
+
+include:
+  - firewall.backend_private_ip_entries
+
+# Publically accessible TCP ports.
+ipset_public_tcp_ports:
+  ipset.set_present:
+    - require:
+      - pkg: ipset_package
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_type: bitmap:port
+    - range: 0-65535
+
+# Always include SSH access.
+ipset_public_tcp_port_entries:
+  ipset.present:
+    - require:
+      - ipset: ipset_public_tcp_ports
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_name: ipset_public_tcp_ports
+    - entry:
+      - '22'
+
+# Publically accessible UDP ports.
+ipset_public_udp_ports:
+  ipset.set_present:
+    - require:
+      - pkg: ipset_package
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_type: bitmap:port
+    - range: 0-65535
+
+# Default Policies
+# ----------------
+
+iptables_policy_input:
+  iptables.set_policy:
+    - save: True
+    - chain: INPUT
+    - policy: DROP
+
+# Prerouting rules
+# ----------------
+# These are used to bypass connection tracking on input as it is unnecessary.
+
+iptables_prerouting_localhost:
+  iptables.append:
+    - save: True
+    - table: raw
+    - chain: PREROUTING
+    - jump: NOTRACK
+    - in-interface: lo
+
+iptables_prerouting_backend_private_ips:
+  iptables.append:
+    - require:
+      - iptables: iptables_prerouting_localhost
+      - ipset: ipset_backend_private_ips
+    - save: True
+    - table: raw
+    - chain: PREROUTING
+    - jump: NOTRACK
+    - in-interface: eth0
+    - match-set: ipset_backend_private_ips src,dst
+
+iptables_prerouting_public_tcp_ports:
+  iptables.append:
+    - require:
+      - iptables: iptables_prerouting_backend_private_ips
+      - ipset: ipset_public_tcp_ports
+    - save: True
+    - table: raw
+    - chain: PREROUTING
+    - jump: NOTRACK
+    - in-interface: eth0
+    - proto: tcp
+    - match-set: ipset_public_tcp_ports dst
+
+iptables_prerouting_public_udp_ports:
+  iptables.append:
+    - require:
+      - iptables: iptables_prerouting_public_tcp_ports
+      - ipset: ipset_public_udp_ports
+    - save: True
+    - table: raw
+    - chain: PREROUTING
+    - jump: NOTRACK
+    - in-interface: eth0
+    - proto: udp
+    - match-set: ipset_public_udp_ports dst
+
+iptables_prerouting_icmp:
+  iptables.append:
+    - require:
+      - iptables: iptables_prerouting_public_udp_ports
+    - save: True
+    - table: raw
+    - chain: PREROUTING
+    - jump: NOTRACK
+    - in-interface: eth0
+    - proto: icmp
+
+# Input rules
+# -----------
+
+iptables_input_localhost:
+  iptables.append:
+    - save: True
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - in-interface: lo
+
+iptables_input_backend_private_ips:
+  iptables.append:
+    - require:
+      - iptables: iptables_input_localhost
+      - ipset: ipset_backend_private_ips
+    - save: True
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - in-interface: eth0
+    - match-set: ipset_backend_private_ips src,dst
+
+iptables_input_public_tcp_ports:
+  iptables.append:
+    - require:
+      - iptables: iptables_input_backend_private_ips
+      - ipset: ipset_public_tcp_ports
+    - save: True
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - in-interface: eth0
+    - proto: tcp
+    - match-set: ipset_public_tcp_ports dst
+
+iptables_input_public_udp_ports:
+  iptables.append:
+    - require:
+      - iptables: iptables_input_public_tcp_ports
+      - ipset: ipset_public_udp_ports
+    - save: True
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - in-interface: eth0
+    - proto: udp
+    - match-set: ipset_public_udp_ports dst
+
+iptables_input_icmp:
+  iptables.append:
+    - require:
+      - iptables: iptables_input_public_udp_ports
+    - save: True
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - in-interface: eth0
+    - proto: icmp
+    - match: limit
+    - limit: 3/second
+    - limit-burst: 3
+
+iptables_input_established:
+  iptables.append:
+    - require:
+      - iptables: iptables_input_icmp
+    - save: True
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - in-interface: eth0
+    - match: conntrack
+    - ctstate: ESTABLISHED,RELATED
+
+# Output Rules
+# ------------
+# These are used to bypass connection tracking on output where it is
+# unnecessary.
+
+iptables_output_localhost:
+  iptables.append:
+    - save: True
+    - table: raw
+    - chain: OUTPUT
+    - jump: NOTRACK
+    - out-interface: lo
+
+iptables_output_backend_private_ips:
+  iptables.append:
+    - require:
+      - iptables: iptables_output_localhost
+      - ipset: ipset_backend_private_ips
+    - save: True
+    - table: raw
+    - chain: OUTPUT
+    - jump: NOTRACK
+    - out-interface: eth0
+    - match-set: ipset_backend_private_ips src,dst
+
+iptables_output_public_tcp_ports:
+  iptables.append:
+    - require:
+      - iptables: iptables_output_backend_private_ips
+      - ipset: ipset_public_tcp_ports
+    - save: True
+    - table: raw
+    - chain: OUTPUT
+    - jump: NOTRACK
+    - out-interface: eth0
+    - proto: tcp
+    - match-set: ipset_public_tcp_ports src
+
+iptables_output_public_udp_ports:
+  iptables.append:
+    - require:
+      - iptables: iptables_output_public_tcp_ports
+      - ipset: ipset_public_udp_ports
+    - save: True
+    - table: raw
+    - chain: OUTPUT
+    - jump: NOTRACK
+    - out-interface: eth0
+    - proto: udp 
+    - match-set: ipset_public_udp_ports src
+
+iptables_output_icmp:
+  iptables.append:
+    - require:
+      - iptables: iptables_output_public_udp_ports
+    - save: True
+    - table: raw
+    - chain: OUTPUT
+    - jump: NOTRACK
+    - out-interface: eth0
+    - proto: icmp

base/firewall/public/dns.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(53) }}

base/firewall/public/http.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(80) }}

base/firewall/public/https.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(443) }}

base/firewall/public/imap.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(143) }}

base/firewall/public/imaps.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(993) }}

base/firewall/public/lib.jinja

@@ -0,0 +1,11 @@
+{% macro public_tcp_port_present(port) %}
+ipset_public_tcp_port_{{ port }}:
+  ipset.present:
+    - require:
+      - ipset: ipset_public_tcp_ports
+    - onchanges_in:
+      - cmd: do_ipset_save
+    - set_name: ipset_public_tcp_ports
+    - entry:
+      - '{{ port }}'
+{% endmacro %}

base/firewall/public/pop3.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(110) }}

base/firewall/public/pop3s.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(995) }}

base/firewall/public/smtp.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(25) }}

base/firewall/public/submission.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(587) }}

base/generic_packages/git.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('git') }}

base/generic_packages/jq.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('jq') }}

base/generic_packages/lib.jinja

@@ -0,0 +1,7 @@
+{% from 'generic_packages/map.jinja' import package_names %}
+
+{% macro generic_package_installed(package) %}
+{{ package }}:
+  pkg.installed:
+    - name: {{ package_names[package] }}
+{% endmacro %}

base/generic_packages/m2crypto.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('m2crypto') }}

base/generic_packages/map.jinja

@@ -0,0 +1,24 @@
+{% set package_names = salt['grains.filter_by']({
+        'Debian': {
+                'sharutils': 'sharutils',
+                'lsyncd': 'lsyncd',
+                'tcpdump': 'tcpdump',
+                'debhelper': 'debhelper',
+                'devscripts': 'devscripts',
+                'jq': 'jq',
+                'git': 'git',
+		'm2crypto': 'm2crypto',
+		'unzip': 'unzip',
+		'zip': 'zip',
+        },
+	'Ubuntu': {
+		'sharutils': 'sharutils',
+		'tcpdump': 'tcpdump',
+		'jq': 'jq',
+		'git': 'git',
+		'm2crypto': 'm2crypto',
+		'net_tools': 'net-tools',
+		'unzip': 'unzip',
+		'zip': 'zip',
+	}
+}, grain='os', merge=salt['pillar.get']('package_names:lookup')) %}

base/generic_packages/net_tools.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('net_tools') }}

base/generic_packages/sharutils.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('sharutils') }}

base/generic_packages/tcpdump.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('tcpdump') }}

base/generic_packages/unzip.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('unzip') }}

base/generic_packages/zip.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('zip') }}

base/gitea/files/app.ini

@@ -0,0 +1,57 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_USER = git
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = mysql
+HOST     = {{ db_host }}:{{ db_port }}
+NAME     = {{ db_name }}
+USER     = {{ db_user }}
+PASSWD   = {{ db_password }}
+SSL_MODE = disable
+PATH     = data/gitea.db
+
+[repository]
+ROOT = /data/repo
+
+[server]
+SSH_DOMAIN       = {{ server_name }}
+HTTP_PORT        = 3000
+ROOT_URL         = https://{{ server_name }}/
+DISABLE_SSH      = false
+SSH_PORT         = 22
+LFS_START_SERVER = false
+OFFLINE_MODE     = false
+
+[mailer]
+ENABLED = true
+HOST    = {{ mail_host }}
+FROM    = {{ mail_from }}
+USER    = 
+PASSWD  = 
+SKIP_VERIFY = true
+
+[service]
+REGISTER_EMAIL_CONFIRM     = false
+ENABLE_NOTIFY_MAIL         = false
+DISABLE_REGISTRATION       = true
+ENABLE_CAPTCHA             = false
+REQUIRE_SIGNIN_VIEW        = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+NO_REPLY_ADDRESS           = {{ no_reply_address }}
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE      = file
+LEVEL     = Info
+ROOT_PATH = /var/log/gitea
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY   = {{ secret_key }}

base/gitea/files/gitea.nginx

@@ -0,0 +1,28 @@
+server {
+  listen 80;
+  server_name {{ server_name }};
+
+  include /etc/nginx/include/certbot.conf;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name {{ server_name }};
+
+  include /etc/nginx/include/ssl.conf;
+
+  ssl_certificate /etc/nginx/ssl.d/{{ server_name }}/fullchain.pem;
+  ssl_certificate_key /etc/nginx/ssl.d/{{ server_name }}/privkey.pem;
+
+  location / {
+    # The trailing '/' is important as it causes nginx to send the
+    # cleaned URI through to the destination service (double slashes
+    # removed, etc.).
+    proxy_pass          http://127.0.0.1:3000/;
+    include		/etc/nginx/include/proxy.conf;
+  }
+}

base/gitea/files/gitea.service

@@ -0,0 +1,26 @@
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=syslog.target
+After=network.target
+After=mysqld.service
+#After=postgresql.service
+#After=memcached.service
+#After=redis.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+Type=simple
+User=git
+Group=git
+WorkingDirectory=/home/git/gitea
+ExecStart=/usr/bin/gitea web
+Restart=always
+Environment=USER=git HOME=/home/git GITEA_CUSTOM=/etc/gitea GITEA_WORK_DIR=/home/git/gitea
+
+[Install]
+WantedBy=multi-user.target

base/gitea/init.sls

@@ -0,0 +1,99 @@
+{% from 'nginx/lib.jinja' import nginx_ssl_cert_present %}
+
+gitea:
+  group.present:
+    - name: git
+  user.present:
+    - name: git
+    - gid: git
+    - home: /home/git
+    - createhome: False
+    - require:
+      - group: git
+  file.managed:
+    - name: /usr/bin/gitea
+    - source: salt://gitea/files/vendor/1.1.2.linux-amd64/gitea
+    - mode: 555
+  service.running:
+    - watch:
+      - file: gitea
+      - file: /etc/systemd/system/gitea.service
+
+/etc/systemd/system/gitea.service:
+  file.managed:
+    - source: salt://gitea/files/gitea.service
+    - onchanges_in:
+      - module: reload_systemd
+
+/etc/gitea:
+  file.directory:
+    - require:
+      - file: /data
+
+/etc/gitea/conf:
+  file.directory:
+    - mode: 750
+    - group: git
+    - require:
+      - file: /etc/gitea
+      - group: git
+
+/etc/gitea/conf/app.ini:
+  file.managed:
+    - source: salt://gitea/files/app.ini
+    - mode: 640
+    - group: git
+    - template: jinja
+    - context: {{ pillar['gitea'] }}
+    - require:
+      - file: /etc/gitea/conf
+      - group: git
+    - watch_in:
+      - service: gitea
+
+/var/log/gitea:
+  file.directory:
+    - user: git
+    - group: git
+    - require:
+      - user: git
+      - group: git
+
+/data/repo:
+  file.directory:
+    - user: git
+    - group: git
+    - require:
+      - file: /data
+      - user: git
+      - group: git
+
+/home/git:
+  file.directory:
+    - user: git
+    - group: git
+    - require:
+      - user: git
+      - group: git
+
+/home/git/gitea:
+  file.directory:
+    - user: git
+    - group: git
+    - require:
+      - file: /home/git
+      - user: git
+      - group: git
+
+/etc/nginx/sites-enabled/gitea:
+  file.managed:
+    - source: salt://gitea/files/gitea.nginx
+    - template: jinja
+    - context:
+        server_name: {{ pillar['gitea']['server_name'] }}
+    - require:
+      - file: nginx_conf
+    - watch_in:
+      - service: nginx
+
+{{ nginx_ssl_cert_present(pillar['gitea']['server_name']) }}

base/globals.jinja

@@ -0,0 +1,40 @@
+{% import 'all_private_ip_addresses.jinja' as all_private_ip_addresses %}
+
+{% set interface_eth0 = salt['network.interface']('eth0')|sort(attribute="label")|list %}
+{% set public_interface = interface_eth0[0] %}
+{% set public_ip_address = public_interface.address %}
+{% if interface_eth0|length > 0 %}
+  {% set private_interface = interface_eth0[-1] %}
+  {% set private_ip_address = private_interface.address %}
+{% else %}
+  {% set private_interface = none %}
+  {% set private_ip_address = none %}
+{% endif %}
+
+{% set private_node_domain = pillar['global']['private_node_domain'] %}
+{% set private_service_domain = pillar['global']['private_service_domain'] %}
+
+{% set private_fqdn = grains['id'] + '.' + private_node_domain %}
+
+{% set public_domain = pillar['global']['public_domain'] %}
+{% set public_fqdn = grains['id'] + '.' + public_domain %}
+
+{% set admin_servers = pillar['global']['admin_servers'] %}
+
+# WARNING: DO NOT CHANGE THIS VALUE without reading the comment in the
+# global.sls pillar.
+{% set primary_admin_host = pillar['global']['primary_admin_host'] %}
+
+{% set primary_admin_fqdn = primary_admin_host + '.' + private_node_domain %}
+{% set primary_admin_ip_address = admin_servers[primary_admin_host] %}
+{% set admin_hosts = admin_servers.keys() %}
+{% set admin_ip_addresses = admin_servers.values() %}
+
+{% set all_private_ip_addresses = all_private_ip_addresses.addresses %}
+
+{% set certbot_proxy_ip_address = primary_admin_ip_address %}
+{% set certbot_proxy_host = primary_admin_fqdn %}
+
+{% set deploy_env = pillar['env']['name'] %}
+{% set config = pillar['env'][deploy_env] %}
+{% set common = pillar['env']['common'] %}

base/lib.jinja

@@ -0,0 +1,42 @@
+{% macro user_present(username, details, extra_groups=None) %}
+
+user_{{ username }}:
+  group.present:
+    - name: {{ username }}
+
+  user.present:
+    - name: {{ username }}
+    - fullname: {{ details.full_name }}
+    - password: {{ details.password }}
+    - shell: {{ details.shell }}
+    {% if extra_groups %}
+    - groups:
+      {% for group in extra_groups %}
+      - {{ group }}
+      {% endfor %}
+    {% endif %}
+    - gid_from_name: True
+    - createhome: True
+    - require:
+      - group: {{ username }}
+
+ssh_key_{{ username }}:
+  ssh_auth.present:
+    - user: {{ username }}
+    - names:
+      {% for ssh_key in details['ssh_keys'] %}
+      - {{ ssh_key }}
+      {% endfor %}
+
+gitenv_{{ username }}:
+  file.managed:
+    - name: ~{{ username }}/.gitenv
+    - contents: |
+        {
+          "GIT_AUTHOR_NAME": "{{ details.full_name }}",
+          "GIT_AUTHOR_EMAIL": "{{ details.email_address }}",
+          "GIT_COMMITTER_NAME": "{{ details.full_name }}",
+          "GIT_COMMITTER_EMAIL": "{{ details.email_address }}"
+        }
+
+{% endmacro %}

base/mariadb/files/utf8mb4.cnf

@@ -0,0 +1,11 @@
+[mysqld]
+character-set-client-handshake = FALSE
+character_set_server = utf8mb4
+collation_server = utf8mb4_general_ci
+#sql_mode=TRADITIONAL
+
+[mysql]
+default-character-set = utf8mb4
+
+[client]
+default-character-set = utf8mb4

base/mariadb/init.sls

@@ -0,0 +1,22 @@
+{% from 'mariadb/map.jinja' import mariadb %}
+
+mariadb_repo:
+  pkgrepo.managed:
+    - name: {{ mariadb.repo_name }}
+    - file: {{ mariadb.repo_file }}
+    - keyserver: {{ mariadb.keyserver }}
+    - keyid: {{ mariadb.keyid }}
+    - clean_file: True
+    - require_in:
+      - pkg: mariadb_client
+
+mariadb_client:
+  pkg.installed:
+    - name: {{ mariadb.client_package }}
+
+mariadb_conf:
+  file.managed:
+    - name: /etc/mysql/conf.d/utf8mb4.cnf
+    - source: salt://mariadb/files/utf8mb4.cnf
+    - require:
+      - pkg: mariadb_client

base/mariadb/map.jinja

@@ -0,0 +1,20 @@
+{% set mariadb = salt['grains.filter_by']({
+	'Debian': {
+		'client_package': 'mariadb-client',
+		'server_package': 'mariadb-server',
+		'server_service': 'mysql',
+		'repo_name': 'deb http://mirrors.coreix.net/mariadb/repo/10.2/debian %s main' % salt['grains.get']('oscodename'),
+		'repo_file': '/etc/apt/sources.list.d/mariadb.list',
+		'keyserver': 'keyserver.ubuntu.com',
+		'keyid': 'cbcb082a1bb943db'
+	},
+	'Ubuntu': {
+		'client_package': 'mariadb-client',
+		'server_package': 'mariadb-server',
+		'server_service': 'mysql',
+		'repo_name': 'deb [arch=amd64] http://lon1.mirrors.digitalocean.com/mariadb/repo/10.2/ubuntu %s main' % salt['grains.get']('oscodename'),
+		'repo_file': '/etc/apt/sources.list.d/mariadb.list',
+		'keyserver': 'keyserver.ubuntu.com',
+		'keyid': 'F1656F24C74CD1D8'
+	}
+}, grain='os', merge=salt['pillar.get']('mariadb:lookup')) %}

base/mariadb/server/files/backup.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+innobackupex --user="{{ xtrabackup_user }}" --password="{{ xtrabackup_password }}" --compress --galera-info /data/backup/once_off

base/mariadb/server/files/bind.cnf

@@ -0,0 +1,3 @@
+{% import 'globals.jinja' as globals %}
+[mysqld]
+bind-address = {{ globals.private_ip_address }}

base/mariadb/server/files/mysql-my.cnf

@@ -0,0 +1,2 @@
+[mysqld]
+wsrep_sst_auth={{ xtrabackup_user }}:{{ xtrabackup_password }}

base/mariadb/server/init.sls

@@ -0,0 +1,92 @@
+{% from 'mariadb/map.jinja' import mariadb %}
+{% import 'globals.jinja' as globals %}
+
+include:
+  - mariadb
+  - systemd.helpers
+
+/data/mysql:
+  file.directory:
+    - require:
+      - file: /data
+
+/data/backup:
+  file.directory:
+    - require:
+      - file: /data
+
+/data/backup/once_off:
+  file.directory:
+    - require:
+      - file: /data/backup
+
+/data/backup/daily:
+  file.directory:
+    - require:
+      - file: /data/backup
+
+/var/lib/mysql:
+  file.symlink:
+    - target: /data/mysql
+    - require:
+      - file: /data/mysql
+
+/root/backup.sh:
+  file.managed:
+    - mode: 700
+    - source: salt://mariadb/server/files/backup.sh
+    - template: jinja
+    - context:
+        xtrabackup_user: {{ globals.config.mariadb.xtrabackup_user }}
+        xtrabackup_password: {{ globals.config.mariadb.xtrabackup_password }}
+
+mariadb_server:
+  pkg.installed:
+    - name: {{ mariadb.server_package }}
+    - require:
+      - pkgrepo: mariadb_repo
+      - file: /var/lib/mysql
+      - pkg: mariadb_client
+  service.running:
+    - name: {{ mariadb.server_service }}
+    - require:
+      - file: mysql_data_final
+      - module: reload_systemd
+    - watch:
+      - file: mariadb_conf
+      - file: mariadb_server_bind_conf
+      - file: mariadb_server_protected_conf
+
+# The mysql user probably won't exist when /data/mysql gets created,
+# so we have to change the permissions after installing the package.
+mysql_data_final:
+  file.directory:
+    # We need to use a different name to avoid clashing.
+    - name: /data/mysql/.
+    - user: mysql
+    - group: mysql
+    - require:
+      - pkg: mariadb_server
+      - file: /data/mysql
+
+mariadb_server_bind_conf:
+  file.managed:
+    - name: /etc/mysql/conf.d/bind.cnf
+    - source: salt://mariadb/server/files/bind.cnf
+    - template: jinja
+    - require:
+      - pkg: mariadb_client
+
+mariadb_server_protected_conf:
+  file.managed:
+    - name: /var/lib/mysql/.my.cnf
+    - source: salt://mariadb/server/files/mysql-my.cnf
+    - user: mysql
+    - group: mysql
+    - mode: 600
+    - template: jinja
+    - context:
+        xtrabackup_user: {{ globals.config.mariadb.xtrabackup_user }}
+        xtrabackup_password: {{ globals.config.mariadb.xtrabackup_password }}
+    - require:
+      - pkg: mariadb_server

base/mount/data.sls

@@ -0,0 +1,15 @@
+/data:
+  mount.mounted:
+    - device: /dev/sdc
+    - fstype: ext4
+    - mkmnt: True
+    - pass_num: 2
+    - opts:
+      - defaults
+
+data_permissions:
+  file.directory:
+    - name: /data
+    - mode: 755
+    - require:
+      - mount: /data

base/nginx/files/conf.d/drop-invalid-hosts.conf

@@ -0,0 +1,5 @@
+server {
+	listen		80 default_server;
+	server_name	"";
+	return		444;
+}

base/nginx/files/fastcgi.conf

@@ -0,0 +1,25 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

base/nginx/files/include/certbot.conf

@@ -0,0 +1,8 @@
+{% import 'globals.jinja' as globals %}
+location /.well-known/ {
+    # The trailing '/.well-known/' is important as it causes nginx to send the
+    # cleaned URI through to the destination service (double slashes
+    # removed, etc.).
+    proxy_pass http://{{ globals.certbot_proxy_ip_address }}/.well-known/;
+    proxy_set_header Host {{ globals.certbot_proxy_host }};
+}

base/nginx/files/include/proxy.conf

@@ -0,0 +1,5 @@
+proxy_set_header  Host               $host;
+proxy_set_header  X-Real-IP          $remote_addr;
+proxy_set_header  X-Forwarded-For    $remote_addr;
+proxy_set_header  X-Forwarded-Proto  $scheme;
+proxy_redirect    off;

base/nginx/files/include/websockets.conf

@@ -0,0 +1,3 @@
+proxy_http_version  1.1;
+proxy_set_header    Upgrade $http_upgrade;
+proxy_set_header    Connection "upgrade";

base/nginx/files/nginx.conf

@@ -0,0 +1,85 @@
+user nginx;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+# 
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+# 
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+# 
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}

base/nginx/files/snippets/fastcgi-php.conf

@@ -0,0 +1,13 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;

base/nginx/files/snippets/snakeoil.conf

@@ -0,0 +1,5 @@
+# Self signed certificates generated by the ssl-cert package
+# Don't use them in a production server!
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

base/nginx/init.sls

@@ -0,0 +1,32 @@
+{% from 'nginx/map.jinja' import nginx %}
+
+nginx:
+  pkgrepo.managed:
+    - name: {{ nginx.repo_name }}
+    - file: {{ nginx.repo_file }}
+    - key_url: {{ nginx.key_url }}
+    - clean_file: True
+    - require_in:
+      - pkg: nginx
+  pkg.installed:
+    - name: {{ nginx.package }}
+  service.running:
+    - name: {{ nginx.service }}
+    - watch:
+      - pkg: nginx
+      - file: nginx_conf
+
+/etc/nginx/conf.d/default.conf:
+  file.absent
+
+/etc/nginx/conf.d/example_ssl.conf:
+  file.absent
+
+nginx_conf:
+  file.recurse:
+    - name: /etc/nginx
+    - source: salt://nginx/files
+    - include_empty: True
+    - template: jinja
+    - require:
+      - pkg: nginx

base/nginx/lib.jinja

@@ -0,0 +1,25 @@
+{% macro nginx_ssl_cert_present(server_domain) %}
+/etc/nginx/ssl.d/{{ server_domain }}:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: /etc/nginx/ssl.d
+
+/etc/nginx/ssl.d/{{ server_domain }}/fullchain.pem:
+  file.managed:
+    - mode: 400
+    - contents_pillar: env:certs:host:{{ server_domain }}:fullchain.pem
+    - require:
+      - file: /etc/nginx/ssl.d/{{ server_domain }}
+    - watch_in:
+      - service: nginx
+
+/etc/nginx/ssl.d/{{ server_domain }}/privkey.pem:
+  file.managed:
+    - mode: 400
+    - contents_pillar: env:certs:host:{{ server_domain }}:privkey.pem
+    - require:
+      - file: /etc/nginx/ssl.d/{{ server_domain }}
+    - watch_in:
+      - service: nginx
+{% endmacro %}

base/nginx/map.jinja

@@ -0,0 +1,16 @@
+{% set nginx = salt['grains.filter_by']({
+	'Debian': {
+		'package': 'nginx',
+		'service': 'nginx',
+		'repo_name': 'deb http://nginx.org/packages/debian/ %s nginx' % salt['grains.get']('oscodename'),
+		'repo_file': '/etc/apt/sources.list.d/nginx.list',
+		'key_url': 'https://nginx.org/keys/nginx_signing.key'
+	},
+	'Ubuntu': {
+		'package': 'nginx',
+		'service': 'nginx',
+		'repo_name': 'deb http://nginx.org/packages/ubuntu/ %s nginx' % 'xenial',
+		'repo_file': '/etc/apt/sources.list.d/nginx.list',
+		'key_url': 'https://nginx.org/keys/nginx_signing.key'
+	},
+}, grain='os', merge=salt['pillar.get']('nginx:lookup')) %}

base/nginx/ssl-files/conf.d/ssl-drop-invalid-hosts.conf

@@ -0,0 +1,16 @@
+server {
+	listen		443 default_server;
+	server_name	"";
+
+	include		include/ssl.conf;
+
+	# This config won't work without a valid certificate.
+	# We use a dummy certificate instead of a wildcard one as
+	# Let's Encrypt currently does not offer wildcard certificates.
+	# Anyone who hits this virtual server is doing something wrong
+	# anway, so an invalid certificate won't add to their problems.
+	ssl_certificate /etc/nginx/ssl.d/dummy-cert.pem;
+	ssl_certificate_key /etc/nginx/ssl.d/dummy-key.pem;
+
+	return		444;
+}

base/nginx/ssl-files/include/ssl.conf

@@ -0,0 +1,3 @@
+keepalive_timeout	70;
+ssl_session_cache	shared:SSL:10m;
+ssl_session_timeout	10m;

base/nginx/ssl.sls

@@ -0,0 +1,43 @@
+include:
+  - nginx
+
+/etc/nginx/ssl.d:
+  file.directory:
+    - mode: 700
+    - require:
+      - file: nginx_conf
+
+/etc/nginx/ssl.d/dummy-cert.pem:
+  file.managed:
+    - mode: 400
+    - contents_pillar: env:certs:dummy-cert.pem
+    - require:
+      - file: /etc/nginx/ssl.d
+
+/etc/nginx/ssl.d/dummy-key.pem:
+  file.managed:
+    - mode: 400
+    - contents_pillar: env:certs:dummy-key.pem
+    - require:
+      - file: /etc/nginx/ssl.d
+
+# NOTE: naming the subdirectory 'files-ssl' instead of ssl-files causes it to be
+# picked up by the file.recurse in the nginx_conf state, which is only supposed
+# to copy the 'files' subdirectory. This causes the empty directories
+# /etc/nginx/../files-ssl/conf.d/, /etc/nginx/../files-ssl/include/, etc., to
+# be created on the minion (not sure why the contents aren't copied as well).
+# This is not a problem of multiple file.recurse states pointing at the same
+# destination directory. It also happens if we multiple 'file.managed' states
+# here for each individual file.
+nginx_conf_ssl:
+  file.recurse:
+    - name: /etc/nginx
+    - source: salt://nginx/ssl-files
+    - include_empty: True
+    - require:
+      - file: /etc/nginx/ssl.d
+    - watch:
+      - file: /etc/nginx/ssl.d/dummy-cert.pem
+      - file: /etc/nginx/ssl.d/dummy-key.pem
+    - watch_in:
+      - service: nginx

base/pip/init.sls

@@ -0,0 +1,8 @@
+pip:
+  pkg.installed:
+    - pkgs:
+      - libcurl4-openssl-dev
+      - python2.7-dev
+      - libssl-dev
+      - python-pip
+      - virtualenv

base/pip/virtualenvwrapper.sls

@@ -0,0 +1,19 @@
+include:
+  - pip
+
+/data/virtualenvs:
+  file.directory:
+    - require:
+      - file: /data
+
+virtualenvwrapper:
+  pip.installed:
+    - require:
+      - pkg: pip
+
+virtualenvwrapper_bashrc:
+  file.append:
+    - name: /root/.bashrc
+    - text:
+      - export WORKON_HOME=/data/virtualenvs
+      - source /usr/local/bin/virtualenvwrapper.sh

base/root_user/files/restart_minion.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+service salt-minion stop
+sleep 5
+killall salt-minion
+sleep 5
+killall -9 salt-minion
+sleep 5
+service salt-minion start

base/root_user/init.sls

@@ -0,0 +1,22 @@
+ssh_auth_root:
+  ssh_auth.present:
+    - user: root
+    - names:
+      - from="192.168.0.0/16" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDICROKx+47R4SXP9tCzCWaOpHFuHHykvEBeSdklJ6jIeHYBH607XwJ/2eQeiO/KufExO6hwc3OTR5pCAERbSzEIPbWdeiqyQci2qxAFYc1gHsvPnStzR8B4yyXyMNDBsdruwyjIeX4J1hRcfLdUjeUEAUfsCcy49ooxUbR+7RN7DhAy9adTweFdl0E6xnRiP2unp9itY1cjzPBC/H5xdQa4BJl6AFpp0Ox37IDr5GZQzjqOMSU4MeSoPyiDfD7JqeKFMXa6eJfrxe6wSuDOWE2uwUIZDTMY+9kl498/E6d4b1pdKW/IG8EJEsTrSD4YF9LK18glt6i69yfWR5jSDOP root@admin1
+
+/root/restart_minion.sh:
+  file.managed:
+    - source: salt://root_user/files/restart_minion.sh
+    - mode: 555
+
+/root/.bashrc:
+  file.append:
+    - text: |
+        if [ "$SUDO_USER" != "" ]; then
+          SUDO_USER_HOME=$(getent passwd "$SUDO_USER" | cut -d: -f6)
+          if [ -f "$SUDO_USER_HOME/.gitenv" ]; then
+            for var in GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL; do
+              export $var="$(jq -r .$var "$SUDO_USER_HOME/.gitenv")"
+            done
+          fi
+        fi

base/saltstack/map.jinja

@@ -0,0 +1,12 @@
+{% set saltstack = salt['grains.filter_by']({
+	'Debian': {
+		'repo_name': 'deb http://repo.saltstack.com/apt/debian/%s/amd64/latest %s main' % (salt['grains.get']('osmajorrelease'), salt['grains.get']('oscodename')),
+		'repo_file': '/etc/apt/sources.list.d/saltstack.list',
+		'repo_key_url': 'https://repo.saltstack.com/apt/debian/%s/amd64/latest/SALTSTACK-GPG-KEY.pub' % salt['grains.get']('osmajorrelease')
+	},
+	'Ubuntu': {
+		'repo_name': 'deb http://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest xenial main',
+		'repo_file': '/etc/apt/sources.list.d/saltstack.list',
+		'repo_key_url': 'https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub',
+	}
+}, grain='os', merge=salt['pillar.get']('saltstack:lookup')) %}

base/saltstack/master/files/file_roots.conf

@@ -0,0 +1,3 @@
+file_roots:
+  base:
+    - /data/admin/salt/base

base/saltstack/master/files/hash_type.conf

@@ -0,0 +1 @@
+hash_type: sha256

base/saltstack/master/files/interface.conf

@@ -0,0 +1 @@
+interface: {{ listen_address }}

base/saltstack/master/files/output.conf

@@ -0,0 +1,2 @@
+state_verbose: False
+state_output: changes

base/saltstack/master/files/peer.conf

@@ -0,0 +1,3 @@
+peer:
+  .*:
+    - x509.sign_remote_certificate

base/saltstack/master/files/pillar_roots.conf

@@ -0,0 +1,3 @@
+pillar_roots:
+  base:
+    - /data/admin/pillar/base

base/saltstack/master/files/runners.conf

@@ -0,0 +1,2 @@
+runner_dirs:
+  - /data/admin/salt-modules/runners

base/saltstack/master/files/worker_threads.conf

@@ -0,0 +1 @@
+worker_threads: 15

base/saltstack/master/init.sls

@@ -0,0 +1,26 @@
+{% import 'globals.jinja' as globals %}
+
+include:
+  - saltstack.minion
+
+salt_master:
+  pkg.installed:
+    - pkgs:
+      - salt-master
+    - require:
+      - pkg: salt_minion
+  service.running:
+    - name: salt-master
+    - watch:
+      - pkg: salt_master
+      - file: /etc/salt/master.d
+
+/etc/salt/master.d:
+  file.recurse:
+    - source: salt://saltstack/master/files
+    - file_mode: 644
+    - template: jinja
+    - context:
+        listen_address: {{ globals.private_ip_address }}
+    - require:
+      - pkg: salt_master

base/saltstack/minion/files/hash_type.conf

@@ -0,0 +1 @@
+hash_type: sha256

base/saltstack/minion/files/master.conf

@@ -0,0 +1,2 @@
+master:{% for ip in master_ip_addresses %}
+  - {{ ip }}{% endfor %}