Many changes and additions.

base/admin/certbot.sls

@@ -20,12 +20,12 @@ include:
     - require:
       - file: /data/virtualenvs
     
-/root/.local/share:
+/opt/eff.org/certbot/venv:
   file.symlink:
-    - target: /data/virtualenvs
+    - target: /data/virtualenvs/letsencrypt
     - makedirs: True
     - require:
-      - file: /data/virtualenvs
+      - file: /data/virtualenvs/letsencrypt
 
 /etc/letsencrypt:
   file.symlink:

base/circusd/init.sls

@@ -49,6 +49,7 @@ include:
 
 circusd:
   service.running:
+    - enable: True
     - require:
       - module: reload_systemd
       - file: /var/lib/circus

base/clients/360south/sms_feed/files/settings_local.py

@@ -7,9 +7,11 @@ BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 DEBUG = False
 USE_X_FORWARDED_HOST = False
 
-ALLOWED_HOSTS = ['{{ settings['server_name'] }}']
+ALLOWED_HOSTS = ['{{ settings["server_name"] }}']
 
-SECRET_KEY = '{{ settings['secret_key'] }}'
+FORCE_HTTP_RSS_URLS = True
+
+SECRET_KEY = '{{ settings["secret_key"] }}'
 LANGUAGE_CODE = 'en-za'
 TIME_ZONE = 'Africa/Johannesburg'
 
@@ -30,3 +32,5 @@ DATABASES = {
 
 EMAIL_HOST = '{{ globals.config.mail.host }}'
 EMAIL_PORT = {{ globals.config.mail.port }}
+SERVER_EMAIL = '{{ settings["server_email"] }}'
+DEFAULT_FROM_EMAIL = '{{ settings["default_email_from"] }}'

base/clients/andrew/init.sls

@@ -0,0 +1,7 @@
+include:
+  - clients
+
+/data/clients/andrew:
+  file.directory:
+    - require:
+      - file: /data/clients

base/clients/andrew/xword/files/settings_local.py

@@ -0,0 +1,6 @@
+{% import 'globals.jinja' as globals -%}
+{% set settings = pillar['clients']['andrew']['xword'] -%}
+
+SECRET_KEY = '{{ settings.secret_key }}'
+
+ALLOWED_HOSTS = ['{{ settings.server_name }}']

base/clients/andrew/xword/files/xword.ini

@@ -0,0 +1,19 @@
+[watcher:xword]
+cmd = /data/virtualenvs/xword/bin/chaussette --fd $(circus.sockets.xword) xword.wsgi.application
+working_dir = /data/clients/andrew/xword
+use_sockets = True
+numprocesses = {{ grains['num_cpus'] * 2 + 1 }}
+uid = www-data
+gid = www-data
+stdout_stream.class = FileStream
+stdout_stream.max_bytes = 1048576
+stdout_stream.backup_count = 7
+stdout_stream.filename = /var/log/circus/xword.log
+stderr_stream.class = FileStream
+stderr_stream.max_bytes = 1048576
+stderr_stream.backup_count = 7
+stderr_stream.filename = /var/log/circus/xword_err.log
+
+[socket:xword]
+host = 127.0.0.1
+port = {{ settings.listen_port }}

base/clients/andrew/xword/files/xword.nginx

@@ -0,0 +1,22 @@
+server {
+	listen 80;
+	server_name {{ settings.server_name }};
+
+	include /etc/nginx/include/certbot.conf;
+
+	client_max_body_size 8M;
+
+	location /static/ {
+	    alias /data/clients/andrew/xword/static/;
+	    expires 30d;
+	    autoindex off;
+	}
+
+	location / {
+	    # The trailing '/' is important as it causes nginx to send the
+	    # cleaned URI through to the destination service (double slashes
+	    # removed, etc.).
+	    proxy_pass          http://127.0.0.1:{{ settings.listen_port }}/;
+	    include		/etc/nginx/include/proxy.conf;
+	}
+}

base/clients/andrew/xword/init.sls

@@ -0,0 +1,80 @@
+{% import 'globals.jinja' as globals %}
+{% import 'circusd/lib.jinja' as circusd %}
+{% set settings = pillar['clients']['andrew']['xword'] %}
+
+include:
+  - clients.andrew
+  - generic_packages.python3_6
+  - generic_packages.libsm6
+  - generic_packages.libxrender1
+
+/etc/nginx/sites-enabled/xword:
+  file.managed:
+    - source: salt://clients/andrew/xword/files/xword.nginx
+    - template: jinja
+    - context:
+        settings: {{ settings }}
+    - require:
+      - file: nginx_conf
+    - watch_in:
+      - service: nginx
+
+/data/clients/andrew/xword:
+  file.directory:
+    - require:
+      - file: /data/clients/andrew
+
+/data/clients/andrew/xword/static:
+  file.directory:
+    - require:
+      - file: /data/clients/andrew/xword
+      - git: xword
+
+xword:
+  git.latest:
+    - name: git@git.codefans.co.za:andrew/xword.git
+    - target: /data/clients/andrew/xword
+    - rev: {{ settings.rev }}
+    - identity: {{ globals.config.git.identity_file }}
+    - require:
+      - file: /data/clients/andrew/xword
+  {{ circusd.circusd_watcher_running() }}
+
+{{ circusd.circusd_watcher_configuration(
+     'xword',
+     'salt://clients/andrew/xword/files/xword.ini',
+     {'settings': settings},
+     [],
+     [
+        'git: xword',
+        'file: xword_config',
+        'virtualenv: /data/virtualenvs/xword',
+     ]
+) }}
+
+/data/virtualenvs/xword:
+  virtualenv.managed:
+    - python: /usr/bin/python3.6
+    - requirements: /data/clients/andrew/xword/requirements.txt
+    - require:
+      - pkg: python3_6
+      - file: /data/virtualenvs
+      - git: xword
+
+xword_config:
+  file.managed:
+    - name: /data/clients/andrew/xword/xword/settings_local.py
+    - source: salt://clients/andrew/xword/files/settings_local.py
+    - template: jinja
+    - require:
+      - git: xword
+
+xword_collectstatic:
+  cmd.run:
+    - name: /data/virtualenvs/xword/bin/python3 /data/clients/andrew/xword/manage.py collectstatic --noinput --verbosity 0 --clear --link
+    - require:
+      - file: /data/clients/andrew/xword/static
+    - onchanges:
+      - virtualenv: /data/virtualenvs/xword
+      - git: xword
+      - file: xword_config

base/clients/billquote/billquote/files/billquote.nginx

@@ -0,0 +1,38 @@
+server {
+	listen 80;
+	server_name {{ settings.server_name }};
+
+	include /etc/nginx/include/certbot.conf;
+
+	root /home/billquote/billquote/htdocs;
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location /bill_pages/ {
+	    alias /home/billquote/billquote/bill_pages/;
+	    expires 30d;
+	    autoindex off;
+	}
+
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php5.6-fpm.sock;
+	}
+
+	location ~ /\.ht {
+		deny all;
+	}
+}
+
+#server {
+#	listen 443 ssl;
+#	server_name {{ settings.server_name }};
+#
+#	include /etc/nginx/include/ssl.conf;
+#
+#	ssl_certificate /etc/nginx/ssl.d/{{ settings.server_name }}/fullchain.pem;
+#	ssl_certificate_key /etc/nginx/ssl.d/{{ settings.server_name }}/privkey.pem;
+#}

base/clients/billquote/billquote/init.sls

@@ -0,0 +1,54 @@
+{% set settings = pillar['clients']['billquote']['billquote'] %}
+{% from 'lib.jinja' import user_present %}
+
+include:
+  - clients.billquote
+  - mariadb.server
+  - php5
+
+{{ user_present('billquote', pillar['users']['accounts']['billquote']) }}
+
+/etc/nginx/sites-enabled/billquote:
+  file.managed:
+    - source: salt://clients/billquote/billquote/files/billquote.nginx
+    - template: jinja
+    - context:
+        settings: {{ settings }}
+    - require:
+      - file: nginx_conf
+    - watch_in:
+      - service: nginx
+
+/home/billquote/billquote:
+  file.directory:
+    - user: billquote
+    - group: billquote
+    - require:
+      - user: billquote
+
+{% for dir in ['bill_pages', 'htdocs', 'mysql_data', 'protected'] %}
+/home/billquote/billquote/{{ dir }}:
+  file.directory:
+    - user: billquote
+    - group: billquote
+    - require:
+      - file: /home/billquote/billquote
+{% endfor %}
+
+/home/billquote/billquote/htdocs/assets:
+  file.directory:
+    - user: billquote
+    - group: www-data
+    - mode: 775
+    - require:
+      - file: /home/billquote/billquote/htdocs
+      - user: billquote
+
+/home/billquote/billquote/protected/runtime:
+  file.directory:
+    - user: billquote
+    - group: www-data
+    - mode: 775
+    - require:
+      - file: /home/billquote/billquote/protected
+      - user: billquote

base/clients/billquote/init.sls

@@ -0,0 +1,7 @@
+include:
+  - clients
+
+/data/clients/billquote:
+  file.directory:
+    - require:
+      - file: /data/clients

base/clients/labourpro/init.sls

@@ -0,0 +1,7 @@
+include:
+  - clients
+
+/data/clients/labourpro:
+  file.directory:
+    - require:
+      - file: /data/clients

base/clients/labourpro/lplicencemanager/files/shortdate.reg

@@ -0,0 +1,4 @@
+REGEDIT4
+
+[HKEY_CURRENT_USER\Control Panel\International]
+"sShortDate"="yyyy/MM/dd"

base/clients/labourpro/lplicencemanager/files/startwine.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+
+export DISPLAY=:0
+wname="LPLicenceManager"
+
+su -c "chown winer -R /home/winer" root
+
+if [ -f ~/configured1 ]
+then
+    echo "[$wname]: Using previous configuration."
+else
+    echo "[$wname]: First run configuration."
+    mkdir ~/.vnc
+    echo "{{ settings.vnc_password }}" | vncpasswd -f > ~/.vnc/passwd
+    winetricks -q settings windowmanagerdecorated=n windowmanagermanaged=n
+    touch ~/configured1
+fi
+while :
+do
+    echo "[$wname]: Starting."
+    Xvfb -screen 0 800x600x16 &
+    sleep 2
+    x0vncserver -display $DISPLAY -passwordfile ~/.vnc/passwd -rfbport 5900 &
+    if [ -f ~/configured2 ]
+    then
+        echo "[$wname]: Not changing registry."
+    else
+        echo "[$wname]: Updating registry."
+    	wine regedit.exe /s 'c:\shortdate.reg'
+    	touch ~/configured2
+    fi
+    wine 'c:\Data\LPLicenceManager\LPLicenceManager.exe'
+    killall x0vncserver
+    killall xvfb
+done
+echo "[$wname]: Exiting."

base/clients/labourpro/lplicencemanager/init.sls

@@ -0,0 +1,58 @@
+{% set settings = pillar['clients']['labourpro']['lplicencemanager'] %}
+
+include:
+  - docker
+  - clients.labourpro
+
+/data/clients/labourpro/lplicencemanager:
+  file.directory:
+    - require:
+      - file: /data/clients/labourpro
+
+/data/clients/labourpro/lplicencemanager/startwine.sh:
+  file.managed:
+    - source: salt://clients/labourpro/lplicencemanager/files/startwine.sh
+    - template: jinja
+    - mode: 755
+    - context:
+        settings: {{ settings }}
+    - require:
+      - file: /data/clients/labourpro/lplicencemanager
+
+/data/clients/labourpro/lplicencemanager/winer/.wine/drive_c/shortdate.reg:
+  file.managed:
+    - source: salt://clients/labourpro/lplicencemanager/files/shortdate.reg
+    - makedirs: True
+    - require:
+      - file: /data/clients/labourpro/lplicencemanager
+
+/data/clients/labourpro/lplicencemanager/winer/.wine/drive_c/Data/LPLicenceManager:
+  file.directory:
+    - makedirs: True
+    - require:
+      - file: /data/clients/labourpro/lplicencemanager
+
+/data/clients/labourpro/lplicencemanager/LPLicenceManager:
+  file.symlink:
+    - target: /data/clients/labourpro/lplicencemanager/winer/.wine/drive_c/Data/LPLicenceManager
+    - require:
+      - file: /data/clients/labourpro/lplicencemanager/winer/.wine/drive_c/Data/LPLicenceManager
+
+lplicencemanager:
+  docker_image.present:
+    - name: boggart/docker-wine-vnc
+    - require:
+      - pkg: docker
+  docker_container.running:
+    - image: boggart/docker-wine-vnc
+    - detach: True
+    - port_bindings:
+      - 4430:4430
+      - 5900:5900
+    - binds:
+      - /data/clients/labourpro/lplicencemanager/startwine.sh:/usr/local/bin/startwine.sh:ro
+      - /data/clients/labourpro/lplicencemanager/winer:/home/winer
+    - require:
+      - file: /data/clients/labourpro/lplicencemanager/startwine.sh
+      - file: /data/clients/labourpro/lplicencemanager/winer/.wine/drive_c/Data/LPLicenceManager
+      - docker_image: lplicencemanager

base/clients/rgroup/bulk_api/files/appsettings.json

@@ -0,0 +1,32 @@
+{
+  "Database": {
+    "ConnectionString": "{{ settings.database.connection_string }}"
+  },
+  "Logging": {
+    "IncludeScopes": false,
+    "LogLevel": {
+      "Default": "Information"
+    }
+  },
+  "TokenAuthentication": {
+    "Audience": "{{ settings.token_authentication.audience }}",
+    "Issuer": "{{ settings.token_authentication.issuer }}",
+    "Key": "{{ settings.token_authentication.key }}",
+    "TokenLifetime": {{ settings.token_authentication.lifetime }}
+  },
+  "MAX": {
+    "Host": "{{ settings.max.host }}",
+    "Port": {{ settings.max.port }},
+    "ConnectTimeout": {{ settings.max.connect_timeout }},
+    "ReceiveTimeout": {{ settings.max.receive_timeout }},
+    "SendTimeout":  {{ settings.max.send_timeout }}
+  },
+  "DataEncryption": {
+    "DefaultKey": "{{ settings.data_encryption.default_key }}"
+  },
+  "SFTP": {
+    "Host": "{{ settings.sftp.host }}",
+    "Username": "{{ settings.sftp.username }}",
+    "Password": "{{ settings.sftp.password }}"
+  }
+}

base/clients/rgroup/bulk_api/files/bulk_api.ini

@@ -0,0 +1,13 @@
+[watcher:bulk_api]
+cmd = /usr/bin/dotnet BulkPrintingAPI.dll
+working_dir = /data/clients/rgroup/bulk_api
+uid = www-data
+gid = www-data
+stdout_stream.class = FileStream
+stdout_stream.max_bytes = 1048576
+stdout_stream.backup_count = 7
+stdout_stream.filename = /var/log/circus/bulk_api.log
+stderr_stream.class = FileStream
+stderr_stream.max_bytes = 1048576
+stderr_stream.backup_count = 7
+stderr_stream.filename = /var/log/circus/bulk_api_err.log

base/clients/rgroup/bulk_api/files/bulk_api.nginx

@@ -0,0 +1,32 @@
+server {
+	listen 80;
+	server_name {{ settings.server_name }};
+
+	include /etc/nginx/include/certbot.conf;
+
+	location / {
+	    # The trailing '/' is important as it causes nginx to send the
+	    # cleaned URI through to the destination service (double slashes
+	    # removed, etc.).
+	    proxy_pass          http://127.0.0.1:{{ settings.listen_port }}/;
+	    include		/etc/nginx/include/proxy.conf;
+	}
+}
+
+server {
+	listen 443 ssl;
+	server_name {{ settings.server_name }};
+
+	include /etc/nginx/include/ssl.conf;
+
+	ssl_certificate /etc/nginx/ssl.d/{{ settings.server_name }}/fullchain.pem;
+	ssl_certificate_key /etc/nginx/ssl.d/{{ settings.server_name }}/privkey.pem;
+
+	location / {
+	    # The trailing '/' is important as it causes nginx to send the
+	    # cleaned URI through to the destination service (double slashes
+	    # removed, etc.).
+	    proxy_pass          http://127.0.0.1:{{ settings.listen_port }}/;
+	    include		/etc/nginx/include/proxy.conf;
+	}
+}

base/clients/rgroup/bulk_api/init.sls

@@ -0,0 +1,49 @@
+{% import 'globals.jinja' as globals %}
+{% import 'circusd/lib.jinja' as circusd %}
+{% from 'nginx/lib.jinja' import nginx_ssl_cert_present %}
+{% set settings = pillar['clients']['rgroup']['bulk_api'] %}
+
+include:
+  - clients.rgroup
+  - dotnetcore
+
+/data/clients/rgroup/bulk_api:
+  file.directory:
+    - require:
+      - file: /data/clients/rgroup
+
+bulk_api:
+  {{ circusd.circusd_watcher_running() }}
+
+{{ circusd.circusd_watcher_configuration(
+     'bulk_api',
+     'salt://clients/rgroup/bulk_api/files/bulk_api.ini',
+     {'settings': settings},
+     [],
+     [
+        'file: bulk_api_config',
+     ]
+) }}
+
+bulk_api_config:
+  file.managed:
+    - name: /data/clients/rgroup/bulk_api/appsettings.json
+    - source: salt://clients/rgroup/bulk_api/files/appsettings.json
+    - template: jinja
+    - context:
+        settings: {{ settings }}
+    - require:
+      - file: /data/clients/rgroup/bulk_api
+
+/etc/nginx/sites-enabled/bulk_api:
+  file.managed:
+    - source: salt://clients/rgroup/bulk_api/files/bulk_api.nginx
+    - template: jinja
+    - context:
+        settings: {{ settings }}
+    - require:
+      - file: nginx_conf
+    - watch_in:
+      - service: nginx
+
+{{ nginx_ssl_cert_present(settings.server_name) }}

base/clients/rgroup/init.sls

@@ -0,0 +1,7 @@
+include:
+  - clients
+
+/data/clients/rgroup:
+  file.directory:
+    - require:
+      - file: /data/clients

base/clients/rgroup/suitecrm/files/suitecrm.nginx

@@ -0,0 +1,32 @@
+server {
+	listen 80;
+	server_name {{ settings.server_name }};
+
+	include /etc/nginx/include/certbot.conf;
+}
+
+server {
+	listen 443 ssl;
+	server_name {{ settings.server_name }};
+
+	include /etc/nginx/include/ssl.conf;
+
+	ssl_certificate /etc/nginx/ssl.d/{{ settings.server_name }}/fullchain.pem;
+	ssl_certificate_key /etc/nginx/ssl.d/{{ settings.server_name }}/privkey.pem;
+
+	root /data/clients/rgroup/SuiteCRM-7.9.7;
+	index index.php;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location ~ \.php$ {
+		include snippets/fastcgi-php.conf;
+		fastcgi_pass unix:/run/php/php5.6-fpm.sock;
+	}
+
+	location ~ /\.ht {
+		deny all;
+	}
+}

base/clients/rgroup/suitecrm/init.sls

@@ -0,0 +1,46 @@
+{% from 'nginx/lib.jinja' import nginx_ssl_cert_present %}
+{% set settings = pillar['clients']['rgroup']['suitecrm'] %}
+
+include:
+  - clients.rgroup
+  - mariadb
+  - php5
+
+suitecrm_installed:
+  archive.extracted:
+    - name: /data/clients/rgroup
+    - source: salt://clients/rgroup/suitecrm/files/vendor/SuiteCRM-7.9.7.zip
+    - require:
+      - file: /data/clients/rgroup
+  cmd.run:
+    - name: chmod -R g-w,o-w /data/clients/rgroup/SuiteCRM-7.9.7
+    - onchanges:
+      - archive: suitecrm_installed
+
+{% for subdir in ['cache', 'custom', 'modules', 'themes', 'data', 'upload'] %}
+/data/clients/rgroup/SuiteCRM-7.9.7/{{ subdir }}:
+  file.directory:
+    - user: www-data
+    - recurse:
+      - user
+    - require:
+      - cmd: suitecrm_installed
+{% endfor %}
+
+/data/clients/rgroup/SuiteCRM-7.9.7/config_override.php:
+  file.managed:
+    - replace: False
+    - user: www-data
+
+/etc/nginx/sites-enabled/suitecrm:
+  file.managed:
+    - source: salt://clients/rgroup/suitecrm/files/suitecrm.nginx
+    - template: jinja
+    - context:
+        settings: {{ settings }}
+    - require:
+      - file: nginx_conf
+    - watch_in:
+      - service: nginx
+
+{{ nginx_ssl_cert_present(settings.server_name) }}

base/consul/files/consul.service

@@ -1,3 +1,4 @@
+{% import 'globals.jinja' as globals -%}
 [Unit]
 Description=consul agent
 Requires=network-online.target
@@ -6,7 +7,7 @@ After=network-online.target
 [Service]
 Environment=GOMAXPROCS=2
 Restart=on-failure
-ExecStart=/usr/bin/consul agent -config-dir=/etc/consul -data-dir=/data/consul
+ExecStart=/usr/bin/consul agent -config-dir=/etc/consul -data-dir=/data/consul -advertise={{ globals.private_ip_address }}
 #ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGTERM
 

base/consul/init.sls

@@ -21,6 +21,7 @@ consul:
       - group: consul
       - group: deployment-keys
   service.running:
+    - enable: True
     - require:
       - user: consul
       - group: consul
@@ -62,5 +63,6 @@ consul:
 /etc/systemd/system/consul.service:
   file.managed:
     - source: salt://consul/files/consul.service
+    - template: jinja
     - onchanges_in:
       - module: reload_systemd

base/docker-wine/init.sls

@@ -0,0 +1,34 @@
+include:
+  - docker
+  - firewall.public.vnc
+
+docker-wine:
+  docker_image.present:
+    - name: suchja/wine:latest
+    - require:
+      - pkg: docker
+  docker_container.running:
+    - name: wine
+    - image: suchja/wine:latest
+    - detach: True
+    - entrypoint: /bin/bash
+    - links:
+      - display:xserver
+    - volumes_from:
+      - display
+    - require:
+      - docker_container: docker-x11server
+
+docker-x11server:
+  docker_image.present:
+    - name: suchja/x11server
+    - require:
+      - pkg: docker
+  docker_container.running:
+    - name: display
+    - image: suchja/x11server
+    - detach: True
+    - environment:
+      - VNC_PASSWORD: ahCeiquae0aesee1cee4
+    - port_bindings:
+      - 5900:5900

base/docker/init.sls

@@ -0,0 +1,8 @@
+include:
+  - generic_packages.python_docker
+
+docker:
+  pkg.installed:
+    - name: docker.io
+    - require:
+      - pkg: python_docker

base/dotnetcore/init.sls

@@ -0,0 +1,13 @@
+{% from 'dotnetcore/map.jinja' import dotnetcore %}
+
+dotnetcore:
+  pkgrepo.managed:
+    - name: {{ dotnetcore.repo_name }}
+    - file: {{ dotnetcore.repo_file }}
+    - keyserver: {{ dotnetcore.keyserver }}
+    - keyid: {{ dotnetcore.keyid }}
+    - clean_file: True
+    - require_in:
+      - pkg: dotnetcore
+  pkg.installed:
+    - name: {{ dotnetcore.package }}

base/dotnetcore/map.jinja

@@ -0,0 +1,9 @@
+{% set dotnetcore = salt['grains.filter_by']({
+	'Ubuntu': {
+		'package': 'dotnet-sharedframework-microsoft.netcore.app-1.1.2',
+		'repo_name': 'deb [arch=amd64] https://apt-mo.trafficmanager.net/repos/dotnet-release/ yakkety main',
+		'repo_file': '/etc/apt/sources.list.d/dotnetdev.list',
+		'keyserver': 'keyserver.ubuntu.com',
+		'keyid': '417A0893',
+	},
+}, grain='os', merge=salt['pillar.get']('dotnetcore:lookup')) %}

base/firewall/global/smtp.sls

@@ -0,0 +1,11 @@
+iptables_input_smtp:
+  iptables.insert:
+    - require:
+      - iptables: iptables_input_localhost
+    - save: True
+    - position: 2
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - proto: tcp
+    - dport: 25

base/firewall/public/vnc.sls

@@ -0,0 +1,2 @@
+{% from 'firewall/public/lib.jinja' import public_tcp_port_present %}
+{{ public_tcp_port_present(5900) }}

base/generic_packages/djvulibre_bin.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('djvulibre_bin') }}

base/generic_packages/libmysqlclient_dev.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('libmysqlclient_dev') }}

base/generic_packages/libsm6.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('libsm6') }}

base/generic_packages/libxrender1.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('libxrender1') }}

base/generic_packages/map.jinja

@@ -12,12 +12,20 @@
 		'zip': 'zip',
         },
 	'Ubuntu': {
-		'sharutils': 'sharutils',
-		'tcpdump': 'tcpdump',
+		'djvulibre_bin': 'djvulibre-bin',
 		'jq': 'jq',
 		'git': 'git',
-		'm2crypto': 'm2crypto',
+		'libmysqlclient_dev': 'libmysqlclient-dev',
+		'libsm6': 'libsm6',
+		'libxrender1': 'libxrender1',
+		'm2crypto': 'python-m2crypto',
 		'net_tools': 'net-tools',
+		'python_docker': 'python-docker',
+		'python3_dev': 'python3-dev',
+		'python3_6': 'python3.6',
+		'python3_6_dev': 'python3.6-dev',
+		'sharutils': 'sharutils',
+		'tcpdump': 'tcpdump',
 		'unzip': 'unzip',
 		'zip': 'zip',
 	}

base/generic_packages/python3_6.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('python3_6') }}

base/generic_packages/python3_6_dev.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('python3_6_dev') }}

base/generic_packages/python3_dev.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('python3_dev') }}

base/generic_packages/python_docker.sls

@@ -0,0 +1,2 @@
+{% from 'generic_packages/lib.jinja' import generic_package_installed %}
+{{ generic_package_installed('python_docker') }}

base/gitea/init.sls

@@ -15,6 +15,7 @@ gitea:
     - source: salt://gitea/files/vendor/1.1.2.linux-amd64/gitea
     - mode: 555
   service.running:
+    - enable: True
     - watch:
       - file: gitea
       - file: /etc/systemd/system/gitea.service

base/php5/files/www.conf

@@ -0,0 +1,411 @@
+; Start a new pool named 'www'.
+; the variable $pool can we used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+;       will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all IPv4 addresses on a
+;                            specific port;
+;   '[::]:port'            - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php5.6-fpm.sock
+
+; Set listen(2) backlog.
+; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 65535
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. 
+; Default Values: user and group are set as the running user
+;                 mode is set to 0660
+listen.owner = nginx
+listen.group = nginx
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+ 
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 5
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+ 
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example: 
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/5.6/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set 
+;pm.status_path = /status
+ 
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{miliseconds}d
+;      - %{mili}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some exemples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string 
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+ 
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+ 
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+ 
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+ 
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+ 
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+ 
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever 
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot = 
+ 
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+ 
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; exectute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5
+ 
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'. 
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M

base/php5/files/www.conf.orig

@@ -0,0 +1,411 @@
+; Start a new pool named 'www'.
+; the variable $pool can we used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+;       will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all IPv4 addresses on a
+;                            specific port;
+;   '[::]:port'            - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php5.6-fpm.sock
+
+; Set listen(2) backlog.
+; Default Value: 65535 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 65535
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. 
+; Default Values: user and group are set as the running user
+;                 mode is set to 0660
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+ 
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 5
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+ 
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example: 
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/5.6/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set 
+;pm.status_path = /status
+ 
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{miliseconds}d
+;      - %{mili}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some exemples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string 
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+ 
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+ 
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+ 
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+ 
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+ 
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+ 
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever 
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot = 
+ 
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+ 
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; exectute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5
+ 
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'. 
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M

base/php5/init.sls

@@ -0,0 +1,29 @@
+php5:
+  pkgrepo.managed:
+    - ppa: ondrej/php
+    - require_in:
+      - pkg: php5
+  pkg.installed:
+    - pkgs:
+      - php5.6-curl
+      - php5.6-fpm
+      - php5.6-gd
+      - php5.6-imap
+      - php5.6-mbstring
+      - php5.6-mysql
+      - php5.6-xml
+      - php5.6-zip
+  service.running:
+    - name: php5.6-fpm
+
+/etc/php/5.6/fpm/php.ini:
+  file.managed:
+    - source: salt://php5/files/php.ini
+    - watch_in:
+      - service: php5
+
+/etc/php/5.6/fpm/pool.d/www.conf:
+  file.managed:
+    - source: salt://php5/files/www.conf
+    - watch_in:
+      - service: php5

base/screen/files/Ubuntu-17.04/screenrc

@@ -86,7 +86,7 @@ termcapinfo xterm 'is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;4;6l'
 # following termcapinfo line which tells xterm to use the normal screen buffer
 # (which has scrollback), not the alternate screen buffer.
 #
-#termcapinfo xterm|xterms|xs|rxvt ti@:te@
+termcapinfo xterm|xterms|xs|rxvt ti@:te@
 
 # Enable non-blocking mode to better cope with flaky ssh connections.
 defnonblock 5

base/top.sls

@@ -19,8 +19,15 @@ base:
   hosting1:
     - circusd
     - clients.360south.sms_feed
+    - clients.andrew.xword
+    - clients.billquote.billquote
+    - clients.labourpro.lplicencemanager
+    - clients.rgroup.bulk_api
+    - clients.rgroup.suitecrm
     - firewall.public.http
     - firewall.public.https
+    - firewall.global.smtp
+    - generic_packages.djvulibre_bin
     - gitea
     - gitea.deploy
     - mariadb.server

base/vmail/files/Ubuntu-17.04/postfix/main.cf

@@ -40,11 +40,11 @@ alias_database = hash:/etc/aliases
 myorigin = /etc/mailname
 mydestination = $myhostname, {{ grains['id'] }}, localhost.localdomain, localhost
 relayhost = 
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ globals.all_private_ip_addresses|join(" ") }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 {{ globals.all_private_ip_addresses|join(" ") }}{% if 'postfix' in globals.config and 'extra_relay_networks' in globals.config.postfix %} {{ globals.config.postfix.extra_relay_networks }}{% endif %}
 mailbox_size_limit = 0
 recipient_delimiter = +
 inet_interfaces = all
-inet_protocols = all
+inet_protocols = ipv4
 
 ## Tells Postfix to use Dovecot's LMTP instead of its own LDA to save emails to the local mailboxes.
 virtual_transport = lmtp:unix:private/dovecot-lmtp