Home Explore Help
Sign In
deployment
/
salt
Watch 2
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Commits 5 Releases 0 Wiki

No Description

Branch: master
Branches Tags
salt
/
base
/
bootstrap
/
init.sls

init.sls 3.0KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104 
  1. {% import 'globals.jinja' as globals %}
    2. 

  2. 

  3. # The if conditions below ensure that the CA already exists before trying to
    4. 

  4. # create a deployment certificate or install consul on the primary admin server.
    5. 

  5. # This requires initially running state.highstate twice on the primary admin
    6. 

  6. # server in order to configure it fully.
    7. 

  7. 

  8. include:
    9. 

  9.   - dnsmasq
    10. 

  10.   - generic_packages.jq
    11. 

  11.   - generic_packages.m2crypto
    12. 

  12.   - generic_packages.sharutils
    13. 

  13.   - generic_packages.tcpdump
    14. 

  14.   - mount.data
    15. 

  15.   - root_user
    16. 

  16.   - saltstack.minion
    17. 

  17.   - screen
    18. 

  18.   - ssh.server
    19. 

  19. {% if (grains['id'] != globals.primary_admin_host) or salt['file.file_exists']('/data/admin/pki/deployment/ca.crt') %}
    20. 

  20.   - consul
    21. 

  21. {%- if grains['id'] in globals.admin_hosts %}
    22. 

  22.   - consul.server
    23. 

  23. {%- endif %}
    24. 

  24. 

  25. deployment-keys:
    26. 

  26.   group.present:
    27. 

  27.     - system: True
    28. 

  28. 

  29. /etc/deployment:
    30. 

  30.   file.directory
    31. 

  31. 

  32. /etc/deployment/ssl:
    33. 

  33.   file.directory:
    34. 

  34.     - require:
    35. 

  35.       - file: /etc/deployment
    36. 

  36. 

  37. /etc/deployment/ssl/certs:
    38. 

  38.   file.directory:
    39. 

  39.     - require:
    40. 

  40.       - file: /etc/deployment/ssl
    41. 

  41. 

  42. /etc/deployment/ssl/private:
    43. 

  43.   file.directory:
    44. 

  44.     - mode: 750
    45. 

  45.     - group: deployment-keys
    46. 

  46.     - require:
    47. 

  47.       - group: deployment-keys
    48. 

  48.       - file: /etc/deployment/ssl
    49. 

  49. 

  50. /etc/deployment/ssl/private/deployment.key:
    51. 

  51.   x509.private_key_managed:
    52. 

  52.     - bits: 4096
    53. 

  53.     - backup: True
    54. 

  54.     - require:
    55. 

  55.       - file: /etc/deployment/ssl/private
    56. 

  56. 

  57. /etc/deployment/ssl/certs/deployment.crt:
    58. 

  58.   x509.certificate_managed:
    59. 

  59.     - ca_server: {{ globals.primary_admin_host }}
    60. 

  60.     - signing_policy: {{ 'deployment_server' if grains['id'] in globals.admin_hosts else 'deployment_client' }}
    61. 

  61.     - CN: {{ globals.private_fqdn }}
    62. 

  62.     - days_remaining: 30
    63. 

  63.     - backup: True
    64. 

  64.     - public_key: /etc/deployment/ssl/private/deployment.key
    65. 

  65.     - require:
    66. 

  66.       - file: /etc/deployment/ssl/certs
    67. 

  67.       - x509: /etc/deployment/ssl/private/deployment.key
    68. 

  68. 

  69. {% set ca_certs = salt['mine.get'](globals.primary_admin_host, 'x509.get_pem_entries')[globals.primary_admin_host] %}
    70. 

  70. /etc/deployment/ssl/certs/ca-chain-deployment.crt:
    71. 

  71.   # x509.pem_managed only allows one certificate per file, so we don't use it.
    72. 

  72.   # It also seems redundant given the built-in abilities of file.managed and the
    73. 

  73.   # jinja2 indent function.
    74. 

  74.   file.managed:
    75. 

  75.     - contents: |
    76. 

  76.         {{ ca_certs['/data/admin/pki/cacerts/ca_root.crt']|indent(8) }}
    77. 

  77.         {{ ca_certs['/data/admin/pki/cacerts/ca_deployment.crt']|indent(8) }}
    78. 

  78.     - require:
    79. 

  79.       - file: /etc/deployment/ssl/certs
    80. 

  80. 

  81. {% if grains['os_family'] == 'Debian' %}
    82. 

  82. 

  83. fix_resolv_conf:
    84. 

  84.   file.managed:
    85. 

  85.     - name: /etc/network/if-pre-up.d/fix-resolv-conf
    86. 

  86.     - source: salt://bootstrap/files/debian/fix-resolv-conf
    87. 

  87.     - template: jinja
    88. 

  88.     - mode: 755
    89. 

  89. 

  90. # Ensure that the script gets run after it gets installed for the first time,
    91. 

  91. # but only after dnsmasq is installed to redirect DNS lookups to consul.
    92. 

  92. run_fix_resolv_conf:
    93. 

  93.   cmd.run:
    94. 

  94.     - name: /etc/network/if-pre-up.d/fix-resolv-conf
    95. 

  95.     - require:
    96. 

  96.       - pkg: dnsmasq
    97. 

  97.       - service: consul
    98. 

  98.     - onchanges:
    99. 

  99.       - file: /etc/network/if-pre-up.d/fix-resolv-conf
    100. 

  100. 

  101. {% endif %}
    102. 

  102. 

  103. {% endif %}
    104. 

  104.