salt/base/bootstrap/init.sls

{% import 'globals.jinja' as globals %}

# The if conditions below ensure that the CA already exists before trying to
# create a deployment certificate or install consul on the primary admin server.
# This requires initially running state.highstate twice on the primary admin
# server in order to configure it fully.

include:
  - dnsmasq
  - generic_packages.jq
  - generic_packages.m2crypto
  - generic_packages.sharutils
  - generic_packages.tcpdump
  - mount.data
  - root_user
  - saltstack.minion
  - screen
  - ssh.server
{% if (grains['id'] != globals.primary_admin_host) or salt['file.file_exists']('/data/admin/pki/deployment/ca.crt') %}
  - consul
{%- if grains['id'] in globals.admin_hosts %}
  - consul.server
{%- endif %}

deployment-keys:
  group.present:
    - system: True

/etc/deployment:
  file.directory

/etc/deployment/ssl:
  file.directory:
    - require:
      - file: /etc/deployment

/etc/deployment/ssl/certs:
  file.directory:
    - require:
      - file: /etc/deployment/ssl

/etc/deployment/ssl/private:
  file.directory:
    - mode: 750
    - group: deployment-keys
    - require:
      - group: deployment-keys
      - file: /etc/deployment/ssl

/etc/deployment/ssl/private/deployment.key:
  x509.private_key_managed:
    - bits: 4096
    - backup: True
    - require:
      - file: /etc/deployment/ssl/private

/etc/deployment/ssl/certs/deployment.crt:
  x509.certificate_managed:
    - ca_server: {{ globals.primary_admin_host }}
    - signing_policy: {{ 'deployment_server' if grains['id'] in globals.admin_hosts else 'deployment_client' }}
    - CN: {{ globals.private_fqdn }}
    - days_remaining: 30
    - backup: True
    - public_key: /etc/deployment/ssl/private/deployment.key
    - require:
      - file: /etc/deployment/ssl/certs
      - x509: /etc/deployment/ssl/private/deployment.key

{% set ca_certs = salt['mine.get'](globals.primary_admin_host, 'x509.get_pem_entries')[globals.primary_admin_host] %}
/etc/deployment/ssl/certs/ca-chain-deployment.crt:
  # x509.pem_managed only allows one certificate per file, so we don't use it.
  # It also seems redundant given the built-in abilities of file.managed and the
  # jinja2 indent function.
  file.managed:
    - contents: |
        {{ ca_certs['/data/admin/pki/cacerts/ca_root.crt']|indent(8) }}
        {{ ca_certs['/data/admin/pki/cacerts/ca_deployment.crt']|indent(8) }}
    - require:
      - file: /etc/deployment/ssl/certs

{% if grains['os_family'] == 'Debian' %}

fix_resolv_conf:
  file.managed:
    - name: /etc/network/if-pre-up.d/fix-resolv-conf
    - source: salt://bootstrap/files/debian/fix-resolv-conf
    - template: jinja
    - mode: 755

# Ensure that the script gets run after it gets installed for the first time,
# but only after dnsmasq is installed to redirect DNS lookups to consul.
run_fix_resolv_conf:
  cmd.run:
    - name: /etc/network/if-pre-up.d/fix-resolv-conf
    - require:
      - pkg: dnsmasq
      - service: consul
    - onchanges:
      - file: /etc/network/if-pre-up.d/fix-resolv-conf

{% endif %}

{% endif %}