diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..ddf82b0f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+**~
+***#
diff --git a/sls/augeas/init.sls b/sls/augeas/init.sls
new file mode 100644
index 00000000..de583b7f
--- /dev/null
+++ b/sls/augeas/init.sls
@@ -0,0 +1,6 @@
+augeas:
+ pkg.installed:
+ - refresh: false
+ - pkgs:
+ - app-admin/augeas: "~>=1.3.0"
+ - dev-python/python-augeas: "~>=0.5.0"
diff --git a/sls/augeas/lenses.sls b/sls/augeas/lenses.sls
new file mode 100644
index 00000000..7647c13e
--- /dev/null
+++ b/sls/augeas/lenses.sls
@@ -0,0 +1,12 @@
+include:
+ - augeas
+
+{% set default_lenses = ['makeconf', 'confd'] %}
+{% set extra_lenses = salt['pillar.get']('augeas_extra_lenses', []) %}
+
+{% for lensname in default_lenses + extra_lenses %}
+augeas-{{ lensname }}:
+ file.managed:
+ - name: /usr/share/augeas/lenses/{{ lensname }}.aug
+ - source: salt://augeas/lenses/{{ lensname }}.aug
+{% endfor %}
diff --git a/sls/augeas/lenses/confd.aug b/sls/augeas/lenses/confd.aug
new file mode 100644
index 00000000..70a25258
--- /dev/null
+++ b/sls/augeas/lenses/confd.aug
@@ -0,0 +1,8 @@
+module Confd =
+ autoload xfm
+
+ let lns = Shellvars.lns
+
+ let filter = (incl "/etc/conf.d/*") . (excl "net") . (excl "net.*") . (excl "*~") . (excl ".*") . (excl "#*#") . (excl "*.bak")
+
+ let xfm = transform lns filter
diff --git a/sls/augeas/lenses/makeconf.aug b/sls/augeas/lenses/makeconf.aug
new file mode 100644
index 00000000..8683b0e9
--- /dev/null
+++ b/sls/augeas/lenses/makeconf.aug
@@ -0,0 +1,8 @@
+module Makeconf =
+ autoload xfm
+
+ let lns = Shellvars.lns
+
+ let filter = (incl "/etc/make.conf") . (incl "/etc/portage/make.conf")
+
+ let xfm = transform lns filter
diff --git a/sls/bird/bird.conf b/sls/bird/bird.conf
new file mode 100644
index 00000000..603b4d4a
--- /dev/null
+++ b/sls/bird/bird.conf
@@ -0,0 +1,21 @@
+log syslog { info, remote, warning, error, auth, fatal, bug };
+router id 0.0.0.1;
+# This pseudo-protocol performs synchronization between BIRD's routing
+# tables and the kernel. If your kernel supports multiple routing tables
+# (as Linux 2.2.x does), you can run multiple instances of the kernel
+# protocol and synchronize different kernel tables with different BIRD tables.
+protocol kernel {
+ learn; # Learn all alien routes from the kernel
+ persist; # Don't remove routes on bird shutdown
+ scan time 20; # Scan kernel routing table every 20 seconds
+ import all; # Default is import all
+ export none; # Default is export none
+ # kernel table 5; # Kernel table to synchronize with (default: main)
+}
+
+protocol bfd {
+}
+# This pseudo-protocol watches all interface up/down events.
+protocol device {
+ scan time 10; # Scan interfaces every 10 seconds
+}
diff --git a/sls/bird/bird.initd b/sls/bird/bird.initd
new file mode 100755
index 00000000..cc5179f3
--- /dev/null
+++ b/sls/bird/bird.initd
@@ -0,0 +1,41 @@
+#!/sbin/runscript
+# -*- mode: shell-script -*-
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+extra_started_commands="reload"
+
+EXE="${SVCNAME}"
+SOCK="/var/run/${EXE}.ctl"
+
+depend() {
+ need net
+ use logger
+}
+
+checkconfig() {
+ if [ ! -f "/etc/${EXE}.conf" ]; then
+ eerror "Please create /etc/${EXE}.conf"
+ return 1
+ fi
+ return 0
+}
+
+start() {
+ checkconfig || return $?
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --exec /usr/sbin/${EXE} -- -c "/etc/${EXE}.conf" -s "${SOCK}"
+ eend $? "Failed to start BIRD"
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop --exec /usr/sbin/${EXE}
+ eend $? "Failed to stop BIRD"
+}
+
+reload() {
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --stop --signal HUP --oknodo --exec /usr/sbin/${EXE}
+ eend $? "Failed to reload BIRD"
+}
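Review bot: `router id 0.0.0.1;` is a fixed literal that lands on every host, and sls/bird/init.sls installs this same file as both /etc/bird.conf and /etc/bird6.conf, so every BIRD instance on every minion presumably announces the same router ID to its peers. Since the file is shipped with `replace: False`, a wrong initial value also sticks; either template the ID from a pillar or grain, or drop the line and let BIRD derive it from an interface address, and say in a comment which of the two is intended.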
diff --git a/sls/bird/init.sls b/sls/bird/init.sls
new file mode 100644
index 00000000..7c3b2e24
--- /dev/null
+++ b/sls/bird/init.sls
@@ -0,0 +1,61 @@
+# -*- mode: yaml -*-
+pkg_bird:
+ pkg.installed:
+ - pkgs:
+ - net-misc/bird: "~>=1.5.0[ipv6]"
+
+/etc/init.d/bird:
+ file.managed:
+ - source: salt://bird/bird.initd
+ - mode: 750
+ - user: root
+ - group: root
+
+/etc/init.d/bird6:
+ file.symlink:
+ - target: /etc/init.d/bird
+ - force: True
+
+/etc/bird.conf:
+ file.managed:
+ - source: salt://bird/bird.conf
+ - replace: False
+ - mode: 640
+ - user: root
+ - group: root
+
+/etc/bird6.conf:
+ file.managed:
+ - source: salt://bird/bird.conf
+ - replace: False
+ - mode: 640
+ - user: root
+ - group: root
+
+bird:
+ service.running:
+ - enable: True
+ - watch:
+ - file: /etc/init.d/bird
+ - pkg: pkg_bird
+
+bird6:
+ service.running:
+ - enable: True
+ - watch:
+ - file: /etc/init.d/bird6
+ - pkg: pkg_bird
+
+bird-reload:
+ service.running:
+ - name: bird
+ - reload: True
+ - require:
+ - file: /etc/bird.conf
+
+bird6-reload:
+ service.running:
+ - name: bird6
+ - reload: True
+ - require:
+ - file: /etc/bird6.conf
diff --git a/sls/cron/cronie.sls b/sls/cron/cronie.sls
new file mode 100644
index 00000000..e52435dc
--- /dev/null
+++ b/sls/cron/cronie.sls
@@ -0,0 +1,16 @@
+# -*- mode: yaml -*-
+cronie:
+ pkg.latest:
+ - name: sys-process/cronie
+ - use: inotify
+ service.running:
+ - sig: cron
+ - enable: True
+ - watch:
+ - pkg: cronie
+
+vixie-cron:
+ pkg.purged:
+ - name: sys-process/vixie-cron
+ service:
+ - disabled
diff --git a/sls/cron/init.sls b/sls/cron/init.sls
new file mode 100644
index 00000000..451e80cf
--- /dev/null
+++ b/sls/cron/init.sls
@@ -0,0 +1,3 @@
+# -*- mode: yaml -*-
+include:
+ - cron.cronie
diff --git a/sls/editors/emacs.sls b/sls/editors/emacs.sls
new file mode 100644
index 00000000..9ed043b9
--- /dev/null
+++ b/sls/editors/emacs.sls
@@ -0,0 +1,4 @@
+# -*- mode: yaml -*-
+emacs:
+ pkg.installed:
+ - name: app-editors/emacs
diff --git a/sls/fonts/consolefont.sls b/sls/fonts/consolefont.sls new file mode 100644 index 00000000..4dfa7fe1 --- /dev/null +++ b/sls/fonts/consolefont.sls @@ -0,0 +1,20 @@ +include: + - augeas.lenses + - fonts.terminus + +manage-consolefont: + augeas.change: + - context: /files/etc/conf.d/consolefont + - lens: Shellvars.lns + - require: + - file: augeas-confd + - pkg: terminus + - changes: + - set consolefont '"ter-v14n"' + +consolefont_service: + service.running: + - name: consolefont + - enable: True + - watch: + - augeas: manage-consolefont diff --git a/sls/fonts/terminus.sls b/sls/fonts/terminus.sls new file mode 100644 index 00000000..04f5a9a6 --- /dev/null +++ b/sls/fonts/terminus.sls @@ -0,0 +1,7 @@ +{% set terminus_use_flags = salt['pillar.get']('terminus_use_flags', + '-pcf,psf,center-tilde,-ru-g,-a-like-o,distinct-l,ru-dv,ru-i') %} + +terminus: + pkg.installed: + - pkgs: + - media-fonts/terminus-font: '[{{ terminus_use_flags }}]' diff --git a/sls/gentoo/init.sls b/sls/gentoo/init.sls new file mode 100644 index 00000000..37e7bd56 --- /dev/null +++ b/sls/gentoo/init.sls @@ -0,0 +1,7 @@ +# -*- mode: yaml -*- +include: + - gentoo.portage + - gentoo.profile + - gentoo.openrc + - gentoo.makeconf + diff --git a/sls/gentoo/makeconf.sls b/sls/gentoo/makeconf.sls new file mode 100644 index 00000000..498e6e28 --- /dev/null +++ b/sls/gentoo/makeconf.sls 
@@ -0,0 +1,53 @@ +# -*- mode: yaml -*- +include: + - augeas.lenses +{% set mirror_host = salt['pillar.get']('gentoo_mirror_host', 'gentoo.bakka.su') %} +{% set arch_conf = salt['pillar.get']('arch_conf', False) %} + +{% set num_jobs = grains['num_cpus'] %} +{% set max_la = "%.2f" % (grains['num_cpus'] / 1.5) %} +{% if num_jobs > 8 %} + {% set num_jobs = 8 %} +{% endif %} + +manage-make-conf: + augeas.change: + - context: /files/etc/portage/make.conf + # - lens: Makeconf.lns + - changes: + - set PORTDIR '"/usr/portage"' + - set DISTDIR '"/var/tmp/distfiles"' + - set PKGDIR '"/var/tmp/packages"' + - set PORTAGE_SSH_OPTS '""' + - set MAKEOPTS '"-j{{ num_jobs }} --load-average {{ max_la }}"' + - set PYTHON_TARGETS '"python2_7 python3_4"' + - set USE_PYTHON '"2.7 3.4"' + - set USE_SALT '"smp multitarget efi icu sqlite emacs sctp xattr syslog logrotate ssl openssl vhosts symlink device-mapper bash-completion zsh-completion -gnutls -tcpd"' + - set VIDEO_CARDS '""' + - set GENTOO_MIRRORS '"https://{{ mirror_host }}/gentoo-distfiles"' + {% if arch_conf %} + - set CHOST '"{{ arch_conf["CHOST"] }}"' + - set CFLAGS '"{{ arch_conf["CFLAGS"] }}"' + {% if arch_conf.get('CXXFLAGS', False) %} + {% set l_cxxflags = arch_conf['CXXFLAGS'] %} + {% else %} + {% set l_cxxflags = '${CFLAGS}' %} + {% endif %} + - set CXXFLAGS '"{{ l_cxxflags }}"' + # Should I also check for osarch here? 
+ {% if (grains['cpuarch'] == 'x86_64' or grains['cpuarch'] == 'amd64' + or grains['cpuarch'] == 'i686' or grains['cpuarch'] == 'x86') %} + {% if arch_conf.get('CPU_FLAGS', False) %} + - set CPU_FLAGS_X86 '"{{ arch_conf["CPU_FLAGS"] }}"' + {% else %} + - set CPU_FLAGS_X86 '"{% for flag in ("mmx", "mmxext", "sse", "sse2", "sse3", "ssse3", "sse4_1", "sse4_2", + "aes", "popcnt", "avx", "avx2", "fma", "fma3", "fma4", "xop", "3dnow", "3dnowext", "sse4a") + %}{% if flag in grains["cpu_flags"] %}{{ flag }}{% if not loop.last %} {% endif %}{% endif %}{% endfor %}"' + {% endif %} + {% endif %} + {% if arch_conf.get('mirror_arch', False) %} + - set PORTAGE_BINHOST '"https://{{ mirror_host }}/gentoo-packages/{{ arch_conf["mirror_arch"] }}/packages"' + {% endif %} + {% endif %} + - require: + - file: /usr/share/augeas/lenses/makeconf.aug diff --git a/sls/gentoo/openrc.sls b/sls/gentoo/openrc.sls new file mode 100644 index 00000000..2c74e62d --- /dev/null +++ b/sls/gentoo/openrc.sls @@ -0,0 +1,11 @@ +# -*- mode: yaml -*- +openrc: + pkg.latest: + - name: sys-apps/openrc + cmd.run: + - name: rc + cron.present: + - identifier: rc + - name: "/sbin/rc" + - minute: '*/5' + - user: root diff --git a/sls/gentoo/portage.sls b/sls/gentoo/portage.sls new file mode 100644 index 00000000..b49504aa --- /dev/null +++ b/sls/gentoo/portage.sls 
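Review bot: `cmd.run: - name: rc` under the `openrc` ID in sls/gentoo/openrc.sls executes unconditionally on every highstate and is always reported as a change, and the `cron.present` entry additionally runs `/sbin/rc` every five minutes whether or not anything changed. If the intent is to reconcile runlevels after an OpenRC upgrade, gate the command on the package: `cmd.run: - name: rc - onchanges: - pkg: openrc`. The cron job deserves a comment stating why a periodic `rc` is wanted, since that is not obvious from the state itself.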
@@ -0,0 +1,75 @@ +# -*- mode: yaml -*- +include: + - core.git + +sys-apps/portage: + pkg.latest: + - watch: + - portage_config: sys-apps/portage + portage_config.flags: + - accept_keywords: + - ~ARCH + - use: + - python3 + - xattr + - git + - watch_in: + - cmd: emerge-changed-use + +app-portage: + pkg.latest: + - pkgs: + - app-portage/portage-utils + - app-portage/gentoolkit + - app-portage/eix + - app-admin/webapp-config + +app-portage-purged: + pkg.purged: + - pkgs: + - app-portage/epkg + +/etc/portage/postsync.d/q-reinitialize: + file.managed: + - mode: 755 + - replace: False + +# rewrite this with consideration of read-only portage (on nfs) +/usr/portage: + git.latest: + - name: "git://git.bakka.su/gentoo-mirror" + - target: /usr/portage + - rev: master + - force_clone: True + - force_checkout: True + +/etc/portage/repos.conf/: + file.directory: + - mode: 755 + - user: root + - group: root + git.latest: + - name: "git://git.bakka.su/server-repos.conf" + - target: /etc/portage/repos.conf + - rev: master + - force_clone: True + - force_checkout: True + +emerge-changed-use: + cmd.wait: + - name: '/usr/bin/emerge --quiet --changed-use @world' + +# emerge-preserved-rebuild: +# cmd.run: +# - name: '/usr/bin/emerge --quiet @preserved-rebuild' + +# glsa-check-fix: +# cmd.run: +# - name: '/usr/bin/glsa-check --fix affected' + +/etc/portage/profile/: + file.directory: + - create: True + - mode: 755 + - user: root + - group: root diff --git a/sls/gentoo/profile.sls b/sls/gentoo/profile.sls new file mode 100644 index 00000000..f6f1c97b --- /dev/null +++ b/sls/gentoo/profile.sls 
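Review bot: Both `git.latest` states pull the whole portage tree and /etc/portage/repos.conf over `git://git.bakka.su/...`, a transport with neither authentication nor integrity protection, and `force_clone`/`force_checkout` followed by `emerge --quiet --changed-use @world` then builds whatever arrived, as root. sls/gentoo/repos.conf/gentoo.conf and baka-bakka.conf carry the same `git://` sync-uri, while tengine-overlay.conf already uses https. Switch these to `https://` or an ssh URL with a pinned host key, and consider enabling signed-commit verification for the repository sync in repos.conf if the installed portage supports it. Separately, the `/etc/portage/postsync.d/q-reinitialize` state has no `source` or `contents`, so on a fresh host it presumably creates an empty file with mode 755; add a `contents` value, or a comment saying the hook is expected to pre-exist.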
@@ -0,0 +1,14 @@ +# -*- mode: yaml -*- +{% set arch_conf = salt['pillar.get']('arch_conf', False) %} +eselect-profile: + eselect.set: + - name: profile + {% if arch_conf and arch_conf.get('profile', False) %} + - target: '{{ arch_conf["profile"] }}' + {% elif grains['osarch'] == 'x86' %} + - target: hardened/linux/x86 + {% elif grains['osarch'] == 'x86_64' %} + - target: hardened/linux/amd64/no-multilib + {% elif grains['osarch'] == 'armv6l' %} + - target: hardened/linux/arm/armv6j + {% endif %} diff --git a/sls/gentoo/repos.conf/baka-bakka.conf b/sls/gentoo/repos.conf/baka-bakka.conf new file mode 100644 index 00000000..1c94205d --- /dev/null +++ b/sls/gentoo/repos.conf/baka-bakka.conf @@ -0,0 +1,5 @@ +[baka-bakka] + +location = /var/lib/layman/baka-bakka +sync-type = git +sync-uri = git://git.bakka.su/baka-bakka diff --git a/sls/gentoo/repos.conf/gentoo.conf b/sls/gentoo/repos.conf/gentoo.conf new file mode 100644 index 00000000..ee7f509e --- /dev/null +++ b/sls/gentoo/repos.conf/gentoo.conf @@ -0,0 +1,7 @@ +[DEFAULT] +main-repo = gentoo + +[gentoo] +location = /usr/portage +sync-type = git +sync-uri = git://git.bakka.su/gentoo-mirror diff --git a/sls/gentoo/repos.conf/tengine-overlay.conf b/sls/gentoo/repos.conf/tengine-overlay.conf new file mode 100644 index 00000000..9cb156bc --- /dev/null +++ b/sls/gentoo/repos.conf/tengine-overlay.conf @@ -0,0 +1,5 @@ +[tengine-overlay] + +location = /var/lib/layman/tengine-overlay +sync-type = git +sync-uri = https://github.com/damex/tengine-overlay.git diff --git a/sls/irqbalance/absent.sls b/sls/irqbalance/absent.sls new file mode 100644 index 00000000..61a61603 --- /dev/null +++ b/sls/irqbalance/absent.sls @@ -0,0 +1,9 @@ +irqbalance: + pkg.purged: + - pkgs: + - sys-apps/irqbalance: '[numa]' + - sys-process/numactl + - require: + - service: irqbalance + service.disabled: + - name: irqbalance diff --git a/sls/irqbalance/init.sls b/sls/irqbalance/init.sls new file mode 100644 index 00000000..7574f260 --- /dev/null 
+++ b/sls/irqbalance/init.sls @@ -0,0 +1,8 @@ +irqbalance: + pkg.installed: + - pkgs: + - sys-apps/irqbalance: '[numa]' + - sys-process/numactl + service.running: + - name: irqbalance + - enable: True diff --git a/sls/keepalived/init.sls b/sls/keepalived/init.sls new file mode 100644 index 00000000..a6284344 --- /dev/null +++ b/sls/keepalived/init.sls @@ -0,0 +1,11 @@ +include: + - keepalived.pkg + +# /etc/keepalived/keepalived.conf: +# - file.managed: + +keepalived: + service.running: + - enable: True + - watch: + - pkg: pkg_keepalived diff --git a/sls/keepalived/pkg.sls b/sls/keepalived/pkg.sls new file mode 100644 index 00000000..dbafb98f --- /dev/null +++ b/sls/keepalived/pkg.sls @@ -0,0 +1,4 @@ +pkg_keepalived: + pkg.installed: + - pkgs: + - sys-cluster/keepalived: '[ipv6,snmp]' diff --git a/sls/lm_sensors/init.sls b/sls/lm_sensors/init.sls new file mode 100644 index 00000000..a7567adc --- /dev/null +++ b/sls/lm_sensors/init.sls @@ -0,0 +1,26 @@ +# -*- mode: yaml -*- + +lm_sensors: + pkg.installed: + - pkgs: + - sys-apps/lm_sensors: '[sensord]' + service.running: + - enable: True + - watch: + - pkg: lm_sensors + - file: /etc/init.d/lm_sensors + - file: /etc/conf.d/lm_sensors + +/etc/init.d/lm_sensors: + file.managed: + - source: salt://lm_sensors/lm_sensors.initd + - mode: 755 + - user: root + - group: root + +/etc/conf.d/lm_sensors: + file.managed: + - source: salt://lm_sensors/lm_sensors.confd + - mode: 644 + - user: root + - group: root diff --git a/sls/lm_sensors/lm_sensors.confd b/sls/lm_sensors/lm_sensors.confd new file mode 100644 index 00000000..f45c7bba --- /dev/null +++ b/sls/lm_sensors/lm_sensors.confd @@ -0,0 +1,2 @@ +# Initialize sensors at startup +INITSENSORS=yes diff --git a/sls/lm_sensors/lm_sensors.initd b/sls/lm_sensors/lm_sensors.initd new file mode 100644 index 00000000..77bb174f --- /dev/null +++ b/sls/lm_sensors/lm_sensors.initd 
@@ -0,0 +1,21 @@
+#!/sbin/runscript
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+depend() {
+ use modules
+}
+
+start() {
+ if [ "${INITSENSORS}" = "yes" ]; then
+ if ! [ -f /etc/sensors3.conf ]; then
+ eerror "/etc/sensors3.conf does not exist!"
+ return 1
+ fi
+
+ ebegin "Initializing sensors"
+ /usr/bin/sensors -s >/dev/null 2>&1
+ eend ${?}
+ fi
+}
diff --git a/sls/mdadm/init.sls b/sls/mdadm/init.sls
new file mode 100644
index 00000000..7e9647ba
--- /dev/null
+++ b/sls/mdadm/init.sls
@@ -0,0 +1,20 @@
+mdadm:
+ pkg.installed:
+ - pkgs:
+ - sys-fs/mdadm:
+
+/etc/mdadm.conf:
+ file.managed:
+ - source: salt://mdadm/mdadm.conf.tpl
+ - template: jinja
+ - mode: 644
+ - user: root
+ - group: root
+
+mdadm_monitor:
+ service.running:
+ - name: mdadm
+ - enable: True
+ - watch:
+ - pkg: mdadm
+ - file: /etc/mdadm.conf
diff --git a/sls/mdadm/mdadm.conf.tpl b/sls/mdadm/mdadm.conf.tpl
new file mode 100644
index 00000000..8a19d2d9
--- /dev/null
+++ b/sls/mdadm/mdadm.conf.tpl
@@ -0,0 +1,6 @@
+# mdadm configuration file
+# Managed by Salt
+{% set default_email = salt['pillar.get']('contacts:default:email', False) %}
+#
+#PROGRAM /usr/sbin/handle-mdadm-events
+{% if default_email %}MAILADDR {{ default_email }}{% endif %}
diff --git a/sls/nginx/includes/blockgit.conf b/sls/nginx/includes/blockgit.conf
new file mode 100644
index 00000000..bedf5a42
--- /dev/null
+++ b/sls/nginx/includes/blockgit.conf
@@ -0,0 +1 @@
+location ^~ /.git/ { internal; }
diff --git a/sls/nginx/includes/errors.conf b/sls/nginx/includes/errors.conf
new file mode 100644
index 00000000..f517fd9a
--- /dev/null
+++ b/sls/nginx/includes/errors.conf
@@ -0,0 +1,4 @@
+error_page 403 404 =404 /errors/404.html;
+#error_page 403 /img/V899.jpg;
+error_page 500 502 503 504 =500 /errors/500.html;
+location ^~/errors/ { internal; }
diff --git a/sls/nginx/init.sls b/sls/nginx/init.sls
new file mode 100644
index 00000000..cccdcdcc
--- /dev/null
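Review bot: `location ^~/errors/ { internal; }` in sls/nginx/includes/errors.conf has no space between the `^~` modifier and the URI, so nginx will most likely read `^~/errors/` as a literal prefix string rather than as modifier plus `/errors/`; the `internal` restriction then never applies to the real /errors/ path and the error pages remain directly fetchable. Write it as `location ^~ /errors/ { internal; }`, the form blockgit.conf in the same directory already uses.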
+++ b/sls/nginx/init.sls 
@@ -0,0 +1,330 @@ +# -*- mode: yaml -*- +{% set tengine = salt['pillar.get']('tengine', False) %} +include: + - ssl.openssl + - augeas.lenses + - logrotate + {% if tengine %} + - gentoo.portage + {% endif %} + +{% set worker_processes = salt['grains.get']('num_cpus', 2) -%} +{% if worker_processes < 1 -%} +{% set worker_processes = 2 -%} +{% elif worker_processes < 4 -%} +{% set worker_processes = 4 -%} +{% endif %} +{% set worker_connections = 4096 -%} +{% set worker_rlimit_nofile = worker_processes*worker_connections*2 -%} + +{% set makeconf_nginx_modules_http = '''access auth_basic autoindex browser charset empty_gif fastcgi geo geoip gzip gzip_static limit_req limit_zone lua map memcached proxy realip referer rewrite scgi spdy split_clients ssi ssl reqstat upstream_keepalive upstream_least_conn upstream_rbtree limit_conn upstream_session_sticky stub_status upstream_check upstream_consistent_hash upstream_ip_hash userid uwsgi''' -%} +{% set makeconf_nginx_modules_mail = 'smtp imap pop3' -%} +{% set ssl_ciphers = ':'.join([ +'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-AES128-GCM-SHA256', +'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-GCM-SHA256', +'ECDHE-ECDSA-AES128-SHA', 'ECDHE-RSA-AES128-SHA', +'ECDH-ECDSA-AES128-SHA', 'ECDH-RSA-AES128-SHA', +'DHE-RSA-AES128-SHA', 'AES128-SHA256', 'AES128-SHA', +'!3DES', '!MD5', '!aNULL', '!EDH']) -%} + +{% if tengine %} +manage-tengine-modules: + augeas.change: + - context: /files/etc/portage/make.conf + - changes: + - set TENGINE_STATIC_MODULES_HTTP '"{{ makeconf_nginx_modules_http }}"' + - set TENGINE_SHARED_MODULES_HTTP '""' + - set TENGINE_EXTERNAL_MODULES_HTTP '""' + - set TENGINE_MODULES_MAIL '"{{ makeconf_nginx_modules_mail }}"' + - require: + - file: augeas-makeconf +{% else %} +manage-nginx-modules: + augeas.change: + - context: /files/etc/portage/make.conf + - changes: + - set NGINX_MODULES_HTTP '"{{ makeconf_nginx_modules_http }}"' + - set NGINX_MODULES_MAIL '"{{ makeconf_nginx_modules_mail }}"' + - require: + 
- file: augeas-makeconf +{% endif %} + +libpcre: + portage_config.flags: + - name: dev-libs/libpcre + - use: + - jit + +{% if tengine %} +tengine: + service.running: + - enable: True + - watch: + - pkg: tengine + - pkg: openssl + - file: /etc/tengine/tengine.conf + pkg.latest: + - name: www-servers/tengine + - require: + - portage_config: libpcre + - watch: + - portage_config: tengine + - augeas: manage-tengine-modules + portage_config.flags: + - name: www-servers/tengine + - accept_keywords: + - ~* + - use: + - aio + - http + - http-cache + - ipv6 + - pcre + - "-libatomic" + - jemalloc + - luajit + - pcre-jit + +nginx-reload: + # This is for watch_in reloads + service.running: + - name: tengine + - reload: True + - require: + - pkg: tengine + - file: /etc/tengine/tengine.conf + + +/etc/tengine/tengine.conf: + file.managed: + - source: salt://nginx/tengine.conf.tpl + - template: jinja + - defaults: + worker_processes: {{ worker_processes }} + worker_connections: {{ worker_connections }} + worker_rlimit_nofile: {{ worker_rlimit_nofile }} + ssl_protocols: 'TLSv1.1 TLSv1.2' + ssl_ciphers: {{ ssl_ciphers }} + ssl_ecdh_curve: prime256v1 + ssl_session_cache: 'shared:SSL:20m' + ssl_session_timeout: 120m + - mode: 755 + - user: root + - group: root + - require: + - file: /etc/tengine/listen + - file: /etc/tengine/listen_ssl + - file: /etc/tengine/cf_real_ip.conf + - file: /etc/tengine/includes/ + - file: /etc/tengine/vhosts.d/ + +/etc/tengine/listen: + file.managed: + - source: salt://nginx/listen.conf + - mode: 755 + - user: root + - group: root + +/etc/tengine/listen_ssl: + file.managed: + - source: salt://nginx/listen_ssl.conf + - mode: 755 + - user: root + - group: root + +/etc/tengine/cf_real_ip.conf: + file.managed: + - source: salt://nginx/real_ip.conf.tpl + - template: jinja + - defaults: + ips: + - 204.93.240.0/24 + - 204.93.177.0/24 + - 199.27.128.0/21 + - 173.245.48.0/20 + - 103.21.244.0/22 + - 103.22.200.0/22 + - 103.31.4.0/22 + - 141.101.64.0/18 + - 
108.162.192.0/18 + - 190.93.240.0/20 + - 188.114.96.0/20 + - 197.234.240.0/22 + - 198.41.128.0/17 + - 162.158.0.0/15 + - 2400:cb00::/32 + - 2606:4700::/32 + - 2803:f800::/32 + - 2405:b500::/32 + - 2405:8100::/32 + header: CF-Connecting-IP + - mode: 755 + - user: root + - group: root + +/etc/tengine/includes/: + file.recurse: + - source: salt://nginx/includes + - dir_mode: 755 + - file_mode: 644 + - user: root + - group: root + +/etc/tengine/vhosts.d/: + file.directory: + - create: True + - mode: 755 + - user: root + - group: root + +/var/cache/tengine/: + file.directory: + - create: True + - mode: 755 + - user: tengine + - group: tengine + +/etc/logrotate.d/tengine: + file.managed: + - source: salt://nginx/tengine.logrotate + - mode: 644 + - user: root + - group: root + - require: + - file: /etc/logrotate.d/ + +{% else %} +nginx: + service.running: + - enable: True + - watch: + - pkg: nginx + - pkg: openssl + - file: /etc/nginx/nginx.conf + pkg.latest: + - name: www-servers/nginx + - watch: + - portage_config: nginx + - augeas: manage-nginx-modules + portage_config.flags: + - name: www-servers/nginx + - accept_keywords: + - ~* + - use: + - aio + - http + - http2 + - http-cache + - ipv6 + - pcre + - libatomic + - ssl + - threads + +nginx-reload: + # This is for watch_in reloads + service.running: + - name: nginx + - reload: True + - require: + - pkg: nginx + - file: /etc/nginx/nginx.conf + +/etc/nginx/nginx.conf: + file.managed: + - source: salt://nginx/nginx.conf.tpl + - template: jinja + - defaults: + worker_processes: {{ worker_processes }} + worker_connections: {{ worker_connections }} + worker_rlimit_nofile: {{ worker_rlimit_nofile }} + ssl_protocols: 'TLSv1.1 TLSv1.2' + ssl_ciphers: {{ ssl_ciphers }} + ssl_ecdh_curve: prime256v1 + ssl_session_cache: 'shared:SSL:20m' + ssl_session_timeout: 120m + - mode: 755 + - user: root + - group: root + - require: + - file: /etc/nginx/listen + - file: /etc/nginx/listen_ssl + - file: /etc/nginx/cf_real_ip.conf + - file: 
/etc/nginx/includes/ + - file: /etc/nginx/vhosts.d/ + +/etc/nginx/listen: + file.managed: + - source: salt://nginx/listen.conf + - mode: 755 + - user: root + - group: root + +/etc/nginx/listen_ssl: + file.managed: + - source: salt://nginx/listen_ssl.conf + - mode: 755 + - user: root + - group: root + +/etc/nginx/cf_real_ip.conf: + file.managed: + - source: salt://nginx/real_ip.conf.tpl + - template: jinja + - defaults: + ips: + - 204.93.240.0/24 + - 204.93.177.0/24 + - 199.27.128.0/21 + - 173.245.48.0/20 + - 103.21.244.0/22 + - 103.22.200.0/22 + - 103.31.4.0/22 + - 141.101.64.0/18 + - 108.162.192.0/18 + - 190.93.240.0/20 + - 188.114.96.0/20 + - 197.234.240.0/22 + - 198.41.128.0/17 + - 162.158.0.0/15 + - 2400:cb00::/32 + - 2606:4700::/32 + - 2803:f800::/32 + - 2405:b500::/32 + - 2405:8100::/32 + header: CF-Connecting-IP + - mode: 755 + - user: root + - group: root + +/etc/nginx/includes/: + file.recurse: + - source: salt://nginx/includes + - dir_mode: 755 + - file_mode: 644 + - user: root + - group: root + +/etc/nginx/vhosts.d/: + file.directory: + - create: True + - mode: 755 + - user: root + - group: root + +/var/cache/nginx/: + file.directory: + - create: True + - mode: 755 + - user: nginx + - group: nginx + +/etc/logrotate.d/nginx: + file.managed: + - source: salt://nginx/nginx.logrotate + - mode: 644 + - user: root + - group: root + - require: + - file: /etc/logrotate.d/ +{% endif %} diff --git a/sls/nginx/listen.conf b/sls/nginx/listen.conf new file mode 100644 index 00000000..76cb18d2 --- /dev/null +++ b/sls/nginx/listen.conf @@ -0,0 +1,2 @@ +listen 80; +listen [::]:80; diff --git a/sls/nginx/listen_ssl.conf b/sls/nginx/listen_ssl.conf new file mode 100644 index 00000000..f6091bbd --- /dev/null +++ b/sls/nginx/listen_ssl.conf @@ -0,0 +1,2 @@ +listen 443 ssl http2; +listen [::]:443 ssl http2; diff --git a/sls/nginx/nginx.conf.tpl b/sls/nginx/nginx.conf.tpl new file mode 100644 index 00000000..0aa4145e --- /dev/null +++ b/sls/nginx/nginx.conf.tpl 
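Review bot: The `ssl_ciphers` list handed to both templates explicitly names `DHE-RSA-AES128-SHA` and then appends `!EDH`, which removes every DHE suite again, so that entry is dead; the static `ECDH-*` and plain `AES128-*` suites that remain provide no forward secrecy, and `'TLSv1.1 TLSv1.2'` still enables a protocol version that is widely deprecated. Trim the list to the ECDHE suites and set `ssl_protocols: 'TLSv1.2'` unless a known client needs the rest, and leave a comment naming that client if so. The `file.managed` states for nginx.conf, listen, listen_ssl and cf_real_ip.conf (and their tengine twins) use `mode: 755`; these are configuration files, not executables, and should be `- mode: 644`. The Cloudflare range list is also copied verbatim into both branches, so a single Jinja variable set above `{% if tengine %}` would keep the two copies from drifting apart.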
@@ -0,0 +1,61 @@
+user nginx nginx;
+worker_processes {{ worker_processes }};
+worker_rlimit_nofile {{ worker_rlimit_nofile }};
+events {
+ worker_connections {{ worker_connections }};
+ use epoll;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format common '[$time_local] $http_host $remote_addr $remote_user'
+ ' "$request" [$status] $upstream_cache_status $bytes_sent $request_time'
+ ' "$http_referer" "$http_user_agent" "$http_cookie"';
+
+ access_log /var/log/nginx/access_log common;
+ error_log /var/log/nginx/error_log info;
+
+ client_header_timeout 10m;
+ client_body_timeout 10m;
+ send_timeout 10m;
+
+ connection_pool_size 256;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 2k;
+ request_pool_size 4k;
+
+ gzip on;
+ gzip_min_length 1100;
+ gzip_buffers 4 8k;
+ gzip_types text/plain;
+
+ output_buffers 1 32k;
+ postpone_output 1460;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ keepalive_timeout 75 20;
+
+ ignore_invalid_headers on;
+ server_tokens off;
+
+ ssl_protocols {{ ssl_protocols }};
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers {{ ssl_ciphers }};
+ ssl_ecdh_curve {{ ssl_ecdh_curve }};
+ ssl_session_cache {{ ssl_session_cache }};
+ ssl_session_timeout {{ ssl_session_timeout }};
+ ssl_session_tickets on;
+ #ssl_session_ticket_key
+ #ssl_stapling on;
+
+ index index.html;
+
+ include cf_real_ip.conf;
+ include /etc/nginx/vhosts.d/*.conf;
+}
+
diff --git a/sls/nginx/nginx.logrotate b/sls/nginx/nginx.logrotate
new file mode 100644
index 00000000..9a50fa3a
--- /dev/null
+++ b/sls/nginx/nginx.logrotate
@@ -0,0 +1,12 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Managed by Salt
+
+/var/log/nginx/*_log {
+ missingok
+ delaycompress
+ sharedscripts
+ postrotate
+ test -r /run/nginx.pid && kill -USR1 `cat /run/nginx.pid`
+ endscript
+}
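Review bot: The `log_format common` definition ends with `"$http_cookie"`, so every request's full Cookie header, session identifiers included, is written to /var/log/nginx/access_log, a file logrotate then keeps and compresses; that turns the access log into a store of live credentials. Replace the third fragment with `' "$http_referer" "$http_user_agent"';`, or log a derived non-secret marker instead, and apply the same change to sls/nginx/tengine.conf.tpl, which carries the identical line. `ssl_session_tickets on;` with `#ssl_session_ticket_key` left commented also warrants a note: nginx then uses a ticket key generated at startup and rotated only by a restart, which weakens forward secrecy for long-running workers, so either manage a rotated key file or turn tickets off.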
diff --git a/sls/nginx/real_ip.conf.tpl b/sls/nginx/real_ip.conf.tpl
new file mode 100644
index 00000000..b3146fa7
--- /dev/null
+++ b/sls/nginx/real_ip.conf.tpl
@@ -0,0 +1,4 @@
+{% for ip in ips %}
+set_real_ip_from {{ ip }};
+{% endfor %}
+real_ip_header {{ header }};
diff --git a/sls/nginx/tengine.conf.tpl b/sls/nginx/tengine.conf.tpl
new file mode 100644
index 00000000..560e3db5
--- /dev/null
+++ b/sls/nginx/tengine.conf.tpl
@@ -0,0 +1,61 @@
+user tengine tengine;
+worker_processes {{ worker_processes }};
+worker_rlimit_nofile {{ worker_rlimit_nofile }};
+events {
+ worker_connections {{ worker_connections }};
+ use epoll;
+}
+
+http {
+ include /etc/tengine/mime.types;
+ default_type application/octet-stream;
+
+ log_format common '[$time_local] $http_host $remote_addr $remote_user'
+ ' "$request" [$status] $upstream_cache_status $bytes_sent $request_time'
+ ' "$http_referer" "$http_user_agent" "$http_cookie"';
+
+ access_log /var/log/tengine/access_log common;
+ error_log /var/log/tengine/error_log info;
+
+ client_header_timeout 10m;
+ client_body_timeout 10m;
+ send_timeout 10m;
+
+ connection_pool_size 256;
+ client_header_buffer_size 1k;
+ large_client_header_buffers 4 2k;
+ request_pool_size 4k;
+
+ gzip on;
+ gzip_min_length 1100;
+ gzip_buffers 4 8k;
+ gzip_types text/plain;
+
+ output_buffers 1 32k;
+ postpone_output 1460;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ keepalive_timeout 75 20;
+
+ ignore_invalid_headers on;
+ server_tokens off;
+
+ ssl_protocols {{ ssl_protocols }};
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers {{ ssl_ciphers }};
+ ssl_ecdh_curve {{ ssl_ecdh_curve }};
+ ssl_session_cache {{ ssl_session_cache }};
+ ssl_session_timeout {{ ssl_session_timeout }};
+ ssl_session_tickets on;
+ #ssl_session_ticket_key
+ #ssl_stapling on;
+
+ index index.html;
+
+ include cf_real_ip.conf;
+ include /etc/tengine/vhosts.d/*.conf;
+}
+
diff --git a/sls/nginx/tengine.logrotate b/sls/nginx/tengine.logrotate
new file mode 100644
index 00000000..1439e3b0
--- /dev/null
+++ b/sls/nginx/tengine.logrotate
@@ -0,0 +1,12 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# Managed by Salt
+
+/var/log/tengine/*_log {
+ missingok
+ delaycompress
+ sharedscripts
+ postrotate
+ test -r /run/tengine.pid && kill -USR1 `cat /run/tengine.pid`
+ endscript
+}
diff --git a/sls/php/fpm.d/default.conf b/sls/php/fpm.d/default.conf
new file mode 100644
index 00000000..b00f5f5c
--- /dev/null
+++ b/sls/php/fpm.d/default.conf
@@ -0,0 +1,232 @@ +; Start a new pool named 'www'. +; the variable $pool can we used in any directive and will be replaced by the +; pool name ('www' here) +[www] + +; Per pool prefix +; It only applies on the following directives: +; - 'slowlog' +; - 'listen' (unixsocket) +; - 'chroot' +; - 'chdir' +; - 'php_values' +; - 'php_admin_values' +; When not set, the global prefix (or /usr/lib/php5.3) applies instead. +; Note: This directive can also be relative to the global prefix. +; Default Value: none +; prefix = /path/to/pools/$pool + +; The address on which to accept FastCGI requests. +; Valid syntaxes are: +; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on +; a specific port; +; 'port' - to listen on a TCP socket to all addresses on a +; specific port; +; '/path/to/unix/socket' - to listen on a unix socket. +; Note: This value is mandatory. +listen = /run/php-fpm/$pool.sock + +; Set listen(2) backlog. A value of '-1' means unlimited. +; Default Value: 128 (-1 on FreeBSD and OpenBSD) +listen.backlog = -1 + +; Set permissions for unix socket, if one is used. In Linux, read/write +; permissions must be set in order to allow connections from a web server. Many +; BSD-derived systems allow connections regardless of permissions. +; Default Values: user and group are set as the running user +; mode is set to 0666 +listen.owner = nginx +listen.group = nginx +listen.mode = 0660 + +; Unix user/group of processes +; Note: The user is mandatory. If the group is not set, the default user's group +; will be used. +user = nginx +group = nginx + +; Choose how the process manager will control the number of child processes. +; Possible Values: +; static - a fixed number (pm.max_children) of child processes; +; dynamic - the number of child processes are set dynamically based on the +; following directives: +; pm.max_children - the maximum number of children that can +; be alive at the same time. 
+; pm.start_servers - the number of children created on startup. +; pm.min_spare_servers - the minimum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is less than this +; number then some children will be created. +; pm.max_spare_servers - the maximum number of children in 'idle' +; state (waiting to process). If the number +; of 'idle' processes is greater than this +; number then some children will be killed. +; Note: This value is mandatory. +pm = dynamic + +; The number of child processes to be created when pm is set to 'static' and the +; maximum number of child processes to be created when pm is set to 'dynamic'. +; This value sets the limit on the number of simultaneous requests that will be +; served. Equivalent to the ApacheMaxClients directive with mpm_prefork. +; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP +; CGI. +; Note: Used when pm is set to either 'static' or 'dynamic' +; Note: This value is mandatory. +pm.max_children = 4 + +; The number of child processes created on startup. +; Note: Used only when pm is set to 'dynamic' +; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 +pm.start_servers = 1 + +; The desired minimum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.min_spare_servers = 1 + +; The desired maximum number of idle server processes. +; Note: Used only when pm is set to 'dynamic' +; Note: Mandatory when pm is set to 'dynamic' +pm.max_spare_servers = 2 + +; The number of requests each child process should execute before respawning. +; This can be useful to work around memory leaks in 3rd party libraries. For +; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS. +; Default Value: 0 +pm.max_requests = 0 + +; The URI to view the FPM status page. If this value is not set, no URI will be +; recognized as a status page. 
By default, the status page shows the following +; information: +; accepted conn - the number of request accepted by the pool; +; pool - the name of the pool; +; process manager - static or dynamic; +; idle processes - the number of idle processes; +; active processes - the number of active processes; +; total processes - the number of idle + active processes. +; max children reached - number of times, the process limit has been reached, +; when pm tries to start more children (works only for +; pm 'dynamic') +; The values of 'idle processes', 'active processes' and 'total processes' are +; updated each second. The value of 'accepted conn' is updated in real time. +; Example output: +; accepted conn: 12073 +; pool: www +; process manager: static +; idle processes: 35 +; active processes: 65 +; total processes: 100 +; max children reached: 1 +; By default the status page output is formatted as text/plain. Passing either +; 'html' or 'json' as a query string will return the corresponding output +; syntax. Example: +; http://www.foo.bar/status +; http://www.foo.bar/status?json +; http://www.foo.bar/status?html +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. +; Default Value: not set +;pm.status_path = /status + +; The ping URI to call the monitoring page of FPM. If this value is not set, no +; URI will be recognized as a ping page. This could be used to test from outside +; that FPM is alive and responding, or to +; - create a graph of FPM availability (rrd or such); +; - remove a server from a group if it is not responding (load balancing); +; - trigger alerts for the operating team (24/7). +; Note: The value must start with a leading slash (/). The value can be +; anything, but it may not be a good idea to use the .php extension or it +; may conflict with a real PHP file. 
+; Default Value: not set +ping.path = /ping + +; This directive may be used to customize the response of a ping request. The +; response is formatted as text/plain with a 200 response code. +; Default Value: pong +ping.response = pong + +; The timeout for serving a single request after which the worker process will +; be killed. This option should be used when the 'max_execution_time' ini option +; does not stop script execution for some reason. A value of '0' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_terminate_timeout = 0 + +; The timeout for serving a single request after which a PHP backtrace will be +; dumped to the 'slowlog' file. A value of '0s' means 'off'. +; Available units: s(econds)(default), m(inutes), h(ours), or d(ays) +; Default Value: 0 +;request_slowlog_timeout = 0 + +; The log file for slow requests +; Default Value: not set +; Note: slowlog is mandatory if request_slowlog_timeout is set +;slowlog = /var/log/php-fpm-$pool.log.slow + +; Set open file descriptor rlimit. +; Default Value: system defined value +;rlimit_files = 1024 + +; Set max core size rlimit. +; Possible Values: 'unlimited' or an integer greater or equal to 0 +; Default Value: system defined value +;rlimit_core = 0 + +; Chroot to this directory at the start. This value must be defined as an +; absolute path. When this value is not set, chroot is not used. +; Note: you can prefix with '$prefix' to chroot to the pool prefix or one +; of its subdirectories. If the pool prefix is not set, the global prefix +; will be used instead. +; Note: chrooting is a great security feature and should be used whenever +; possible. However, all PHP paths will be relative to the chroot +; (error_log, sessions.save_path, ...). +; Default Value: not set +;chroot = + +; Chdir to this directory at the start. +; Note: relative path can be used. 
+; Default Value: current directory or / when chroot +;chdir = /var/www + +; Redirect worker stdout and stderr into main error log. If not set, stdout and +; stderr will be redirected to /dev/null according to FastCGI specs. +; Note: on highloaded environement, this can cause some delay in the page +; process time (several ms). +; Default Value: no +;catch_workers_output = yes + +; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from +; the current environment. +; Default Value: clean env +env[HOSTNAME] = $HOSTNAME +env[PATH] = /usr/local/bin:/usr/bin:/bin +;env[TMP] = /tmp +;env[TMPDIR] = /tmp +;env[TEMP] = /tmp + +; Additional php.ini defines, specific to this pool of workers. These settings +; overwrite the values previously defined in the php.ini. The directives are the +; same as the PHP SAPI: +; php_value/php_flag - you can set classic ini defines which can +; be overwritten from PHP call 'ini_set'. +; php_admin_value/php_admin_flag - these directives won't be overwritten by +; PHP call 'ini_set' +; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no. + +; Defining 'extension' will load the corresponding shared extension from +; extension_dir. Defining 'disable_functions' or 'disable_classes' will not +; overwrite previously defined php.ini values, but will append the new value +; instead. + +; Note: path INI options can be relative and will be expanded with the prefix +; (pool, global or /usr/lib/php5.3) + +; Default Value: nothing is defined by default except the values in php.ini and +; specified at startup with the -d argument +;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com +;php_flag[display_errors] = off +;php_admin_value[error_log] = /var/log/fpm-php.www.log +;php_admin_flag[log_errors] = on +;php_admin_value[memory_limit] = 32M + diff --git a/sls/php/init.sls b/sls/php/init.sls new file mode 100644 index 00000000..c9bf4e6f --- /dev/null +++ b/sls/php/init.sls 
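Review bot: The pool socket is created with `listen.owner = nginx`, `listen.group = nginx`, `listen.mode = 0660`, but tengine.conf.tpl in this same commit runs the web server as `user tengine tengine;`, so unless the `tengine` user is a member of group `nginx` the server cannot open `/run/php-fpm/$pool.sock` at all — and the tempting workaround of `listen.mode = 0666` would let any local account submit FastCGI requests that run as the pool user. Set `listen.owner`/`listen.group` to the identity of the web-server workers (`tengine` here) and keep `0660`; the worker identity `user = nginx` / `group = nginx` can stay different from the server's, which is good separation. `ping.path = /ping` is enabled unconditionally while `pm.status_path` stays off; that is harmless by itself, but the vhost that forwards `/ping` should restrict it to monitoring sources rather than exposing it on every site.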
@@ -0,0 +1,29 @@
+# -*- mode: yaml -*-
+{% from "php/map.jinja" import php_config with context %}
+{% set php_version = php_config['version'] %}
+
+include:
+ - ssl.openssl
+{% if grains['os_family'] == 'Gentoo' %}
+ - augeas.lenses
+
+manage-php-ini-version:
+ augeas.change:
+ - context: /files/etc/portage/make.conf
+ - changes:
+ - set PHP_INI_VERSION '"{{ php_config['ini'] }}"'
+ - require:
+ - file: augeas-makeconf
+{% endif %}
+
+php:
+ pkg.installed:
+ - pkgs:
+{% if grains['os_family'] == 'Gentoo' %}
+ - dev-lang/php: ">=5.6.17:{{ php_version }}[fpm,curl,bcmath,embed,gd,inifile,mysql,mysqli,pcntl,pdo,snmp,sysvipc,xmlrpc,xmlreader,xmlwriter,xslt]"
+ - app-eselect/eselect-php: ">=0.7.1-r4[fpm]"
+ - virtual/httpd-php: ">=5.6:{{ php_version }}"
+ - app-emacs/php-mode
+ - watch:
+ - augeas: manage-php-ini-version
+{% endif %}
diff --git a/sls/php/map.jinja b/sls/php/map.jinja
new file mode 100644
index 00000000..1cded0c0
--- /dev/null
+++ b/sls/php/map.jinja
@@ -0,0 +1,5 @@
+{% set php_config = salt['grains.filter_by']({
+ 'Gentoo': { 'version': '5.6',
+ 'ini': 'production'},
+ })
+%}
diff --git a/sls/php/php-fpm.conf b/sls/php/php-fpm.conf
new file mode 100644
index 00000000..bd625644
--- /dev/null
+++ b/sls/php/php-fpm.conf
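Review bot: `php` declares `watch: - augeas: manage-php-ini-version`, presumably so that changing `PHP_INI_VERSION` in make.conf re-emerges PHP with the other php.ini template, but the `mod_watch` of the pkg state just re-runs `installed`, which is a no-op once the package is present; if a rebuild is intended it needs a `cmd.wait` running `emerge --oneshot dev-lang/php:{{ php_version }}` that watches the augeas state. The minimum `>=5.6.17` is hard-coded here while `php/map.jinja` owns the major version; keeping the floor in the map means a security bump is a one-line change. A short comment on why `ssl.openssl` is included (`# php links against the openssl pinned in ssl.openssl` if that is the reason) would save the next reader a guess.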
@@ -0,0 +1,42 @@
+
+include=/etc/php/fpm-php5.6/fpm.d/*.conf
+
+[global]
+; Pid file
+; Default Value: none
+; Warning: pid file is overriden by the Gentoo init script.
+pid = /run/php-fpm.pid
+
+; Error log file
+; Note: the default prefix is /var/lib
+; Default Value: log/php-fpm.log
+error_log = /var/log/php-fpm.log
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+log_level = notice
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+emergency_restart_threshold = 0
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated. This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+emergency_restart_interval = 0
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+process_control_timeout = 0
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+daemonize = yes
diff --git a/sls/php/php-fpm.sls b/sls/php/php-fpm.sls
new file mode 100644
index 00000000..71fa0f2a
--- /dev/null
+++ b/sls/php/php-fpm.sls
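Review bot: `process_control_timeout = 0` removes the grace period on reload and shutdown — as far as I recall FPM's signal escalation, with this at 0 the master sends SIGTERM straight away instead of SIGQUIT followed by a wait, so every config push from php-fpm.sls (which restarts the service on change) can abort requests mid-flight; `process_control_timeout = 10s` makes those restarts graceful. `emergency_restart_threshold = 0` with `emergency_restart_interval = 0` also switches off FPM's automatic restart on repeated SIGSEGV/SIGBUS, which is the usual containment for a crash-looping extension; `10` within `1m` is a common starting point. The `include=` line hard-codes `fpm-php5.6` although the map in this commit makes the version configurable, so a version bump in the map silently stops loading the pools.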
@@ -0,0 +1,45 @@
+# -*- mode: yaml -*-
+{% from "php/map.jinja" import php_config with context %}
+{% set php_version = php_config['version'] %}
+
+include:
+ - php
+
+/etc/php/fpm-php{{ php_version }}/php-fpm.conf:
+ file.managed:
+ - source: salt://php/php-fpm.conf
+ - mode: 644
+ - user: root
+ - group: root
+
+/etc/php/fpm-php{{ php_version }}/fpm.d/:
+ file.directory:
+ - create: True
+ - mode: 755
+ - user: root
+ - group: root
+
+/etc/php/fpm-php{{ php_version }}/fpm.d/default.conf:
+ file.managed:
+ - source: salt://php/fpm.d/default.conf
+ - mode: 644
+ - user: root
+ - group: root
+ - require:
+ - file: /etc/php/fpm-php{{ php_version }}/fpm.d/
+
+eselect-php-fpm:
+ eselect.set:
+ - name: php
+ - action_parameter: 'fpm'
+ - target: 'php{{ php_version }}'
+
+php-fpm:
+ service.running:
+ - enable: True
+ - watch:
+ - pkg: openssl
+ - pkg: php
+ - eselect: eselect-php-fpm
+ - file: /etc/php/fpm-php{{ php_version }}/php-fpm.conf
+ - file: /etc/php/fpm-php{{ php_version }}/fpm.d/
diff --git a/sls/smartmontools/pkg.sls b/sls/smartmontools/pkg.sls
new file mode 100644
index 00000000..885c5fb0
--- /dev/null
+++ b/sls/smartmontools/pkg.sls
@@ -0,0 +1,4 @@
+smartmontools:
+ pkg.installed:
+ - name: sys-apps/smartmontools
+
diff --git a/sls/smartmontools/smartd.conf.tpl b/sls/smartmontools/smartd.conf.tpl
new file mode 100644
index 00000000..32952aa9
--- /dev/null
+++ b/sls/smartmontools/smartd.conf.tpl
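Review bot: The `php-fpm` service watches `file: /etc/php/fpm-php{{ php_version }}/fpm.d/` (the directory state) and `php-fpm.conf`, but not `fpm.d/default.conf`, so a change to the pool file — socket owner or mode, `user`/`group`, or a `php_admin_value` hardening setting — is written to disk without a restart, and the running daemon keeps the old settings until something else bounces it; add `- file: /etc/php/fpm-php{{ php_version }}/fpm.d/default.conf` to the `watch` list. A `file.directory` state only reports a change when the directory's own mode or ownership changes, so it is not a substitute for watching the files inside it.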
@@ -0,0 +1,40 @@
+# Managed by Salt
+{% set default_email = salt['pillar.get']('contacts:default:email', False) %}
+# HERE IS A LIST OF DIRECTIVES FOR THIS CONFIGURATION FILE.
+# PLEASE SEE THE smartd.conf MAN PAGE FOR DETAILS
+#
+# -d TYPE Set the device type: ata, scsi, marvell, removable, 3ware,N, hpt,L/M/N
+# -T TYPE set the tolerance to one of: normal, permissive
+# -o VAL Enable/disable automatic offline tests (on/off)
+# -S VAL Enable/disable attribute autosave (on/off)
+# -n MODE No check. MODE is one of: never, sleep, standby, idle
+# -H Monitor SMART Health Status, report if failed
+# -l TYPE Monitor SMART log. Type is one of: error, selftest
+# -f Monitor for failure of any 'Usage' Attributes
+# -m ADD Send warning email to ADD for -H, -l error, -l selftest, and -f
+# -M TYPE Modify email warning behavior (see man page)
+# -s REGE Start self-test when type/date matches regular expression (see man page)
+# -p Report changes in 'Prefailure' Normalized Attributes
+# -u Report changes in 'Usage' Normalized Attributes
+# -t Equivalent to -p and -u Directives
+# -r ID Also report Raw values of Attribute ID with -p, -u or -t
+# -R ID Track changes in Attribute ID Raw value with -p, -u or -t
+# -i ID Ignore Attribute ID for -f Directive
+# -I ID Ignore Attribute ID for -p, -u or -t Directive
+# -C ID Report if Current Pending Sector count non-zero
+# -U ID Report if Offline Uncorrectable count non-zero
+# -W D,I,C Monitor Temperature D)ifference, I)nformal limit, C)ritical limit
+# -v N,ST Modifies labeling of Attribute N (see man page)
+# -a Default: equivalent to -H -f -t -l error -l selftest -C 197 -U 198
+# -F TYPE Use firmware bug workaround. Type is one of: none, samsung
+# -P TYPE Drive-specific presets: use, ignore, show, showall
+# # Comment: text after a hash sign is ignored
+# \ Line continuation character
+# Attribute ID is a decimal integer 1 <= ID <= 255
+# except for -C and -U, where ID = 0 turns them off.
+# All but -d, -m and -M Directives are only implemented for ATA devices
+#
+# If the test string DEVICESCAN is the first uncommented text
+# then smartd will scan for devices.
+# DEVICESCAN may be followed by any desired Directives.
+DEVICESCAN -s S/../../1/10 {% if default_email %}-m {{ default_email }}{% endif %}
diff --git a/sls/smartmontools/smartd.sls b/sls/smartmontools/smartd.sls
new file mode 100644
index 00000000..d5b001a3
--- /dev/null
+++ b/sls/smartmontools/smartd.sls
@@ -0,0 +1,18 @@
+include:
+ - smartmontools.pkg
+
+smartd_service:
+ service.running:
+ - name: smartd
+ - enable: True
+ - watch:
+ - pkg: smartmontools
+ - file: /etc/smartd.conf
+
+/etc/smartd.conf:
+ file.managed:
+ - source: salt://smartmontools/smartd.conf.tpl
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 640
diff --git a/sls/ssl/ca-certificates.sls b/sls/ssl/ca-certificates.sls
new file mode 100644
index 00000000..6e173967
--- /dev/null
+++ b/sls/ssl/ca-certificates.sls
@@ -0,0 +1,48 @@
+# -*- mode: yaml -*-
+include:
+ - ssl.openssl
+
+ca-certificates:
+ pkg.latest:
+ - name: app-misc/ca-certificates
+ - require:
+ - pkg: openssl
+
+/etc/ca-certificates.conf:
+ file.managed:
+ - replace: false
+ - mode: 0644
+ - user: root
+ - group: root
+ - require:
+ - pkg: ca-certificates
+
+ca-certificates-dirs:
+ file.directory:
+ - names:
+ - /etc/ssl/certs
+ - /etc/ca-certificates
+ - /etc/ca-certificates/update.d
+ - mode: 0755
+ - user: root
+ - group: root
+ - require:
+ - pkg: ca-certificates
+
+/usr/local/share/ca-certificates:
+ file.recurse:
+ - source: salt://ssl/ca-certificates
+ - dir_mode: 755
+ - file_mode: 644
+ - user: root
+ - group: root
+
+/usr/sbin/update-ca-certificates:
+ cmd.wait:
+ - watch:
+ - pkg: ca-certificates
+ - file: /etc/ca-certificates.conf
+ - file: ca-certificates-dirs
+ - file: /usr/local/share/ca-certificates
+
+
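Review bot: `DEVICESCAN -s S/../../1/10 -m ...` switches off the implicit `-a` — per the directive list above, `-a` (`-H -f -t -l error -l selftest -C 197 -U 198`) is only the default when a device line carries no directives at all — so as written smartd schedules a weekly short self-test but never monitors health status, usage-attribute failures or the error/self-test logs, and the `-m` address has almost nothing to report; make the monitoring explicit: `DEVICESCAN -a -s S/../../1/10 {% if default_email %}-m {{ default_email }}{% endif %}`. The pillar value is also rendered unquoted into the directive line and smartd hands it to its warning script as `SMARTD_ADDRESS`, so a value containing whitespace or shell metacharacters reaches that script verbatim; either sanitise it (a jinja `regex_replace` filter, if the Salt version has it) or add a comment that `contacts:default:email` is a trusted, single address.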
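Review bot: `/usr/local/share/ca-certificates` is synced with `file.recurse` but without `clean: True`, so a private root that is later removed from `salt://ssl/ca-certificates` — after a key compromise or a CA rotation — stays on every minion and stays in the generated bundle, because `update-ca-certificates` only drops certificates whose file has disappeared; add `- clean: True` to that state so trust removal propagates the same way trust addition does. `pkg.latest` on `app-misc/ca-certificates` means any highstate can pull an unreviewed change to the distro trust store; that is usually the right call for the public bundle, but it deserves a one-line comment so nobody "fixes" it to `installed` without knowing why. The `cmd.wait` on `/usr/sbin/update-ca-certificates` is correctly driven by the watched states and needs no extra `require`.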
diff --git a/sls/ssl/ca-certificates/baka_bakka.crt b/sls/ssl/ca-certificates/baka_bakka.crt
new file mode 100644
index 00000000..aa6e40a6
--- /dev/null
+++ b/sls/ssl/ca-certificates/baka_bakka.crt
@@ -0,0 +1,61 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 16322057414284631021 (0xe28398bd85f75bed) + Signature Algorithm: ecdsa-with-SHA256 + Issuer: C=SU, ST=Soviet Union, O=C3R, OU=Security division, CN=Root CA v3 (SHA256)/emailAddress=admin@bakka.su + Validity + Not Before: Dec 17 16:06:11 2014 GMT + Not After : Dec 14 16:06:11 2024 GMT + Subject: C=SU, ST=Soviet Union, O=C3R, OU=Security division, CN=Root CA v3 (SHA256)/emailAddress=admin@bakka.su + Subject Public Key Info: + Public Key Algorithm: id-ecPublicKey + Public-Key: (521 bit) + pub: + 04:00:41:37:f1:d2:f1:82:59:92:fd:b9:de:bc:31: + 40:1a:66:9f:7e:0d:0d:98:67:8b:b6:ec:aa:78:60: + f1:5d:6a:60:38:b4:6b:33:62:e1:b2:8c:d4:9b:3e: + ae:8f:0a:ce:01:4e:fc:ed:8c:e9:62:8c:d3:dc:fd: + dc:c4:0c:46:91:f4:c5:00:75:bb:ac:d2:88:f6:1e: + b8:e3:c7:3c:75:2a:eb:b0:32:ef:51:62:9b:09:c5: + 5f:8a:ac:b5:36:3d:af:65:bd:68:d0:12:d2:42:07: + 3f:35:60:3d:7d:ed:fd:29:39:bc:9a:67:bb:43:83: + df:22:98:a3:8f:b6:d6:24:de:55:43:52:4c + ASN1 OID: secp521r1 + X509v3 extensions: + X509v3 Subject Key Identifier: + 89:45:A4:3E:3A:0F:99:59:C4:A9:38:91:25:1E:E2:1E:41:6E:55:D8 + X509v3 Authority Key Identifier: + keyid:89:45:A4:3E:3A:0F:99:59:C4:A9:38:91:25:1E:E2:1E:41:6E:55:D8 + + X509v3 Basic Constraints: + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + Signature Algorithm: ecdsa-with-SHA256 + 30:81:88:02:42:00:83:02:58:67:70:78:3e:a6:dc:6a:0d:0e: + b1:04:b1:02:84:5c:e8:f1:dc:33:83:87:c0:86:45:73:09:ef: + 7f:65:25:b8:47:8b:83:6e:8c:7b:b5:14:18:00:15:18:19:b1: + 84:21:ea:a0:e8:59:26:ff:ee:44:a4:e8:a8:2b:fb:6c:03:02: + 42:01:04:2b:73:36:98:13:43:95:50:2b:87:49:70:00:87:da: + 51:0a:0d:49:ea:64:42:81:56:e6:5a:df:45:a0:47:dd:7c:d2: + fc:50:f8:d6:c3:9d:85:ce:1e:a6:cd:e3:44:48:c3:5c:d0:f7: + 16:87:ba:4c:8d:d9:d5:8b:05:6b:7d:ab:60 +-----BEGIN CERTIFICATE----- +MIIC9DCCAlWgAwIBAgIJAOKDmL2F91vtMAoGCCqGSM49BAMCMIGLMQswCQYDVQQG +EwJTVTEVMBMGA1UECAwMU292aWV0IFVuaW9uMQwwCgYDVQQKDANDM1IxGjAYBgNV 
+BAsMEVNlY3VyaXR5IGRpdmlzaW9uMRwwGgYDVQQDDBNSb290IENBIHYzIChTSEEy
+NTYpMR0wGwYJKoZIhvcNAQkBFg5hZG1pbkBiYWtrYS5zdTAeFw0xNDEyMTcxNjA2
+MTFaFw0yNDEyMTQxNjA2MTFaMIGLMQswCQYDVQQGEwJTVTEVMBMGA1UECAwMU292
+aWV0IFVuaW9uMQwwCgYDVQQKDANDM1IxGjAYBgNVBAsMEVNlY3VyaXR5IGRpdmlz
+aW9uMRwwGgYDVQQDDBNSb290IENBIHYzIChTSEEyNTYpMR0wGwYJKoZIhvcNAQkB
+Fg5hZG1pbkBiYWtrYS5zdTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAEE38dLx
+glmS/bnevDFAGmaffg0NmGeLtuyqeGDxXWpgOLRrM2LhsozUmz6ujwrOAU787Yzp
+YozT3P3cxAxGkfTFAHW7rNKI9h6448c8dSrrsDLvUWKbCcVfiqy1Nj2vZb1o0BLS
+Qgc/NWA9fe39KTm8mme7Q4PfIpijj7bWJN5VQ1JMo10wWzAdBgNVHQ4EFgQUiUWk
+PjoPmVnEqTiRJR7iHkFuVdgwHwYDVR0jBBgwFoAUiUWkPjoPmVnEqTiRJR7iHkFu
+VdgwDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAQYwCgYIKoZIzj0EAwIDgYwAMIGI
+AkIAgwJYZ3B4Pqbcag0OsQSxAoRc6PHcM4OHwIZFcwnvf2UluEeLg26Me7UUGAAV
+GBmxhCHqoOhZJv/uRKToqCv7bAMCQgEEK3M2mBNDlVArh0lwAIfaUQoNSepkQoFW
+5lrfRaBH3XzS/FD41sOdhc4eps3jREjDXND3Foe6TI3Z1YsFa32rYA==
+-----END CERTIFICATE-----
diff --git a/sls/ssl/init.sls b/sls/ssl/init.sls
new file mode 100644
index 00000000..799c6477
--- /dev/null
+++ b/sls/ssl/init.sls
@@ -0,0 +1,4 @@
+# -*- mode: yaml -*-
+include:
+ - ssl.openssl
+ - ssl.ca-certificates
diff --git a/sls/ssl/openssl.sls b/sls/ssl/openssl.sls
new file mode 100644
index 00000000..6cb78256
--- /dev/null
+++ b/sls/ssl/openssl.sls
@@ -0,0 +1,22 @@
+# -*- mode: yaml -*-
+
+openssl:
+ pkg.installed:
+ - refresh: False
+ - name: dev-libs/openssl
+ - version: "~>=1.0.2d[-bindist,static-libs,tls-heartbeat,zlib]"
+ - require:
+ - portage_config: sys-libs/zlib
+ - portage_config: app-misc/c_rehash
+
+sys-libs/zlib:
+ portage_config.flags:
+ - use:
+ - static-libs
+ - minizip
+
+app-misc/c_rehash:
+ portage_config.flags:
+ - accept_keywords:
+ - ~*
+
diff --git a/sls/sysctl/disable_ra.sls b/sls/sysctl/disable_ra.sls
new file mode 100644
index 00000000..536f9f8a
--- /dev/null
+++ b/sls/sysctl/disable_ra.sls
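Review bot: This root is `CA:TRUE` with no path length constraint and no Name Constraints extension, and ca-certificates.sls installs it into the system trust store of every minion for ten years (`Not After : Dec 14 16:06:11 2024 GMT`), so any leaf or sub-CA its key ever signs is trusted for any hostname by every TLS client on these hosts — a compromise of that one key is a silent MITM of all outbound TLS, including connections to third parties. If the CA only has to vouch for internal names, re-issue it (or better, an intermediate used for day-to-day signing, keeping this root offline) with a critical `nameConstraints` permitting the internal domains and `pathlen:0` where possible. The textual dump preceding the PEM is harmless but doubles the file size and drifts if the PEM is ever replaced; `openssl x509 -text` can regenerate it on demand.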
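Review bot: The USE string `[-bindist,static-libs,tls-heartbeat,zlib]` explicitly keeps the TLS heartbeat extension compiled in; heartbeats are only useful for DTLS, nothing visible in this commit speaks DTLS, and that extension is the code path Heartbleed (CVE-2014-0160) lived in, so `-tls-heartbeat` removes a surface no service here needs. `zlib` likewise builds in TLS compression support, which on 1.0.2 remains available to any client that does not set `SSL_OP_NO_COMPRESSION` (CRIME); not a defect in itself, but a footgun worth a comment or dropping if nothing needs it. `refresh: False` together with the `~>=1.0.2d` floor means a security bump in the tree is not picked up by this state; if that is deliberate, a one-line comment saying so stops someone from "fixing" it.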
@@ -0,0 +1,11 @@
+# -*- mode: yaml -*-
+net.ipv6.conf.all.accept_ra:
+ sysctl.present:
+ - config: /etc/sysctl.d/ipv6_ra.conf
+ - value: 0
+
+net.ipv6.conf.default.accept_ra:
+ sysctl.present:
+ - config: /etc/sysctl.d/ipv6_ra.conf
+ - value: 0
+
diff --git a/sls/sysctl/enable_ra.sls b/sls/sysctl/enable_ra.sls
new file mode 100644
index 00000000..e0835b13
--- /dev/null
+++ b/sls/sysctl/enable_ra.sls
@@ -0,0 +1,11 @@
+# -*- mode: yaml -*-
+net.ipv6.conf.all.accept_ra:
+ sysctl.present:
+ - config: /etc/sysctl.d/ipv6_ra.conf
+ - value: 1
+
+net.ipv6.conf.default.accept_ra:
+ sysctl.present:
+ - config: /etc/sysctl.d/ipv6_ra.conf
+ - value: 1
+
diff --git a/sls/sysctl/nonlocal_bind.sls b/sls/sysctl/nonlocal_bind.sls
new file mode 100644
index 00000000..c8f4b7a7
--- /dev/null
+++ b/sls/sysctl/nonlocal_bind.sls
@@ -0,0 +1,10 @@
+# -*- mode: yaml -*-
+net.ipv4.ip_nonlocal_bind:
+ sysctl.present:
+ - config: /etc/sysctl.d/nonlocal_bind.conf
+ - value: 1
+
+net.ipv6.ip_nonlocal_bind:
+ sysctl.present:
+ - config: /etc/sysctl.d/nonlocal_bind.conf
+ - value: 1
diff --git a/sls/watchdog/init.sls b/sls/watchdog/init.sls
new file mode 100644
index 00000000..5876374b
--- /dev/null
+++ b/sls/watchdog/init.sls
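Review bot: `net.ipv6.conf.*.accept_ra = 1` is ignored on any interface that has IPv6 forwarding enabled, and the xen and bird states in this commit suggest these hosts are routers or hypervisors; if RAs are meant to be accepted on a forwarding host the value must be `2`, otherwise this state is a silent no-op there. Setting it on `all` also means any device on any attached segment — including a guest on `xenbr0` — can push a default route or prefix onto the host (rogue RA), so prefer enabling it only on the uplink interface and leaving `all`/`default` at 0. Both this file and disable_ra.sls write `/etc/sysctl.d/ipv6_ra.conf`; a minion that ends up with both states will flap between the two values on every run, so they should be made mutually exclusive at the top-file level or merged into one state driven by pillar.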
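Review bot: `net.ipv6.ip_nonlocal_bind` only exists from Linux 4.3 on, as far as I recall, so on an older kernel this `sysctl.present` fails and the run reports an error even though the IPv4 knob was applied; either guard the IPv6 state with a `kernelrelease` grain check or record the minimum kernel in a comment. Enabling nonlocal bind host-wide lets any process bind to an address the host does not own, which a floating-VIP setup needs but which is otherwise pure attack surface; a comment naming the service that relies on it (keepalived, haproxy, bird's BFD, ...) lets the next reader decide whether it still applies.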
@@ -0,0 +1,46 @@
+# -*- mode: yaml -*-
+{% set machine_type = salt['grains.get']('machine_type', 'nil') %}
+include:
+ - core.modules
+
+/etc/watchdog.conf:
+ file.managed:
+ - source: salt://watchdog/watchdog.conf.tpl
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+
+/etc/conf.d/watchdog:
+ file.managed:
+ - source: salt://watchdog/watchdog.confd
+ - user: root
+ - group: root
+ - mode: 644
+
+{% if machine_type == "raspberry pi" %}
+/etc/modprobe.d/watchdog.conf:
+ file.managed:
+ - source: salt://watchdog/modprobe.d/bcm2708_wdog.conf
+ - user: root
+ - group: root
+ - mode: 755
+
+/etc/modules.d/watchdog.conf:
+ file.managed:
+ - source: salt://watchdog/modules.d/bcm2708_wdog.conf
+ - user: root
+ - group: root
+ - mode: 755
+{% endif %}
+
+watchdog:
+ pkg.latest:
+ - name: sys-apps/watchdog
+ service.running:
+ - enable: True
+ - watch:
+ - pkg: watchdog
+ - file: /etc/watchdog.conf
+ - file: /etc/conf.d/watchdog
+
diff --git a/sls/watchdog/modprobe.d/bcm2708_wdog.conf b/sls/watchdog/modprobe.d/bcm2708_wdog.conf
new file mode 100644
index 00000000..1205cfe1
--- /dev/null
+++ b/sls/watchdog/modprobe.d/bcm2708_wdog.conf
@@ -0,0 +1 @@
+options bcm2708_wdog nowayout=1
diff --git a/sls/watchdog/modules.d/bcm2708_wdog.conf b/sls/watchdog/modules.d/bcm2708_wdog.conf
new file mode 100644
index 00000000..1e203f10
--- /dev/null
+++ b/sls/watchdog/modules.d/bcm2708_wdog.conf
@@ -0,0 +1 @@
+modules="${modules} bcm2708_wdog"
diff --git a/sls/watchdog/watchdog.conf.tpl b/sls/watchdog/watchdog.conf.tpl
new file mode 100644
index 00000000..b6cb5f05
--- /dev/null
+++ b/sls/watchdog/watchdog.conf.tpl
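Review bot: `/etc/modprobe.d/watchdog.conf` and `/etc/modules.d/watchdog.conf` are written with `mode: 755`; they are configuration files read by modprobe and the modules init script, not executables, and the execute bit only invites them to be mistaken for scripts — use `mode: 644` like the two other managed files in this state. The module options file also only takes effect when `bcm2708_wdog` is (re)loaded, and the service `watch`es only watchdog.conf and conf.d, so a change to `nowayout` is not applied until reboot; a comment saying so, or a `watch` on a `kmod` state if the tree has one, would avoid a false sense of having applied it. Note that with `nowayout=1` the hardware timer cannot be disarmed once opened, so a `pkg.latest` upgrade that restarts the daemon and fails to reopen the device can reboot the host mid-highstate.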
@@ -0,0 +1,25 @@
+# Defaults compiled into the binary
+watchdog-device = /dev/{{ salt['grains.get']('watchdog_device', 'watchdog') }}
+admin = root
+interval = 1
+logtick = 1
+log-dir = /var/log/watchdog
+
+# This greatly decreases the chance that watchdog won't be scheduled before
+# your machine is really loaded
+realtime = yes
+priority = 1
+# Check if sshd is still running
+# pidfile = /run/sshd.pid
+
+# Uncomment to enable test. Setting one of these values to '0' disables it.
+# These values will hopefully never reboot your machine during normal use
+# (if your machine is really hung, the loadavg will go much higher than 25)
+#max-load-1 = 24
+#max-load-5 = 18
+max-load-15 = 120 # use auto-generated values from cpu count here?
+
+# Note that this is the number of pages!
+# To get the real size, check how large the pagesize is on your machine.
+# min-memory = 4
+# allocatable-memory = 4
diff --git a/sls/watchdog/watchdog.confd b/sls/watchdog/watchdog.confd
new file mode 100644
index 00000000..8df102aa
--- /dev/null
+++ b/sls/watchdog/watchdog.confd
@@ -0,0 +1,10 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+# -*- mode: shell-script -*-
+
+# for more info, see watchdog(8)
+WATCHDOG_OPTS=""
+
+# # Since it watches for the sshd pid.
+# rc_watchdog_need="sshd"
diff --git a/sls/xen/init.sls b/sls/xen/init.sls
new file mode 100644
index 00000000..616d7201
--- /dev/null
+++ b/sls/xen/init.sls
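Review bot: `max-load-15 = 120 # use auto-generated values from cpu count here?` puts a trailing comment on a value line; as far as I recall watchdog's config parser only treats `#` as a comment at the start of a line, so the value string becomes `120 # use ...` and only parses as 120 because `atoi` stops at the first non-digit — move the comment onto its own line above the setting instead of relying on that. The device path is built from a minion grain, `/dev/{{ salt['grains.get']('watchdog_device', 'watchdog') }}`, so the minion (not the master) decides which `/dev` node the daemon opens and keeps alive; low impact, but a pillar key would keep that decision master-side and a `# grain set per host, see ...` comment would document where it comes from.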
@@ -0,0 +1,114 @@
+# -*- mode: yaml -*-
+{% set xen_provided = salt['grains.get']('xen_provided', False) %}
+{% set efi = salt['grains.get']('efi', False) %}
+xen:
+ pkg.installed:
+ - pkgs:
+ {% if not xen_provided %}
+ - app-emulation/xen: "~>=4.6.0-r8[{{ 'efi' if efi else '-efi' }}]"
+ {% endif %}
+ - app-emulation/xen-tools: "~>=4.6.0-r7[api,hvm,screen,system-qemu,system-seabios]"
+ - app-emulation/qemu: "[xen,numa,nfs,xfs]"
+ - dev-libs/libnl
+ - require:
+ - file: unmask-hvm
+ {% if xen_provided %}
+ - file: xen-provided
+ {% endif %}
+{% if xen_provided %}
+xen-provided:
+ file.append:
+ - name: /etc/portage/profile/package.provided
+ - text: "app-emulation/xen-4.6.0-r7"
+{% endif %}
+unmask-hvm:
+ file.append:
+ - name: /etc/portage/profile/use.mask
+ - text: "-hvm"
+
+xencommons:
+ service.running:
+ - enable: True
+
+xenstored:
+ service.running:
+ - enable: True
+
+xenconsoled:
+ service.running:
+ - enable: True
+
+/etc/init.d/net.xenbr0:
+ file.symlink:
+ - target: /etc/init.d/net.lo
+
+net.xenbr0:
+ service.running:
+ - enable: True
+ - require:
+ - file: /etc/init.d/net.xenbr0
+
+/etc/xen/xl.conf:
+ file.managed:
+ - source: salt://xen/xl.conf
+ - mode: 644
+ - user: root
+ - group: root
+
+/etc/init.d/xendomains:
+ file.managed:
+ - source: salt://xen/xendomains.initd
+ - mode: 755
+ - user: root
+ - group: root
+
+/etc/conf.d/xendomains:
+ file.managed:
+ - source: salt://xen/xendomains.confd
+ - mode: 644
+ - user: root
+ - group: root
+
+/etc/xen/domains/:
+ file.directory:
+ - create: True
+ - mode: 755
+ - user: root
+ - group: root
+
+/etc/xen/auto/:
+ file.directory:
+ - create: True
+ - mode: 755
+ - user: root
+ - group: root
+
+/etc/xen/scripts/:
+ file.directory:
+ - create: True
+ - mode: 755
+ - user: root
+ - group: root
+
+/etc/xen/scripts/block-rbd:
+ file.managed:
+ - source: salt://xen/scripts/block-rbd
+ - mode: 755
+ - user: root
+ - group: root
+
+xendomains:
+ service.running:
+ - enable: True
+ - watch:
+ - file: /etc/init.d/xendomains
+ - file: /etc/conf.d/xendomains
+
+bringup-xendomains:
+ cron.present:
+ - identifier: bringup-xendomains
+ - name: "/etc/init.d/xendomains --ifstarted bringup"
+ - minute: '*/10'
+ - user: root
+ - require:
+ - service: xendomains
diff --git a/sls/xen/scripts/block-rbd b/sls/xen/scripts/block-rbd
new file mode 100644
index 00000000..70b30fc0
--- /dev/null
+++ b/sls/xen/scripts/block-rbd
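Review bot: The `bringup-xendomains` cron runs `/etc/init.d/xendomains --ifstarted bringup` every ten minutes, and `bringup` in the xendomains.initd added by this commit re-creates every domain in `/etc/xen/auto` that `xl list` does not report, so a guest an operator has shut down for maintenance — or deliberately stopped after an incident — is back within ten minutes with no way to opt out short of editing `/etc/xen/auto`; add a per-domain hold marker the script checks (e.g. skip `${conf}` when `${conf}.hold` exists) or a host-wide maintenance flag the cron line tests before calling bringup. `package.provided` pins `app-emulation/xen-4.6.0-r7` in the provided branch while the non-provided branch requires `~>=4.6.0-r8`; if that mismatch is intentional a comment would stop the next reader from "fixing" it.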
@@ -0,0 +1,130 @@ +#!/bin/bash -eu +# +# RBD Xen block device hotplug script +# +# Author Florian Heigl +# Author Thomas Zelch +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published +# by the Free Software Foundation; version 2.1 only. with the special +# exception on linking described in file LICENSE. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn. +# ___ +# .-' `'. +# / \ +# | ; +# | | ___.--, +# _.._ |0) ~ (0) | _.---'`__.-( (_. +# __.--'`_.. '.__.\ '--. \_.-' ,.--'` `""` +# ( ,.--'` ',__ /./; ;, '.__.'` __ +# _`) ) .---.__.' / | |\ \__..--"" """--.,_ +# `---' .'.''-._.-'`_./ /\ '. \ _.-~~~````~~~-._`-.__.' +# | | .' _.-' | | \ \ '. `~---` +# \ \/ .' \ \ '. '-._) +# \/ / \ \ `=.__`~-. +# jgs / /\ `) ) / / `"".`\ +# , _.-'.'\ \ / / ( ( / / +# `--~` ) ) .-'.' '.'. | ( +# (/` ( (` ) ) '-; +# ` '-; (-' +# +# Usage: +# +# Target should be specified using the following syntax: +# +# script=block-rbd,vdev=xvda,pool=rbd,image=image +# +# CephX authentication has to be set up in /etc/ceph/ceph.conf +# + +# Mapping without RBD utility: +# http://cephnotes.ksperis.com/blog/2014/01/09/map-rbd-kernel-without-install-ceph-common + + +# hotplug has unhandled variables +# allow them while sourcing the other scripts +dir=$(dirname "$0") +set +u +. "$dir/block-common.sh" +set -u + + +check_tools() +{ + if ! [ -r /etc/ceph/ceph.conf ]; then + fatal "Unable to find ceph configuration" + fi + if ! type rbd 2>&1 >/dev/null ; then + fatal "Unable to find RBD binary" + fi + if ! 
lsmod | grep rbd >/dev/null ; then
+ fatal "Unable to access RBD kernel module"
+ fi
+}
+
+
+parse_target()
+{
+ pool=`echo $target | cut -f1 -d\:`
+ image=`echo $target | cut -f2 -d\:`
+
+ export pool image
+}
+
+
+add()
+{
+ if rbd --pool $pool list | grep $image >/dev/null ; then
+ do_or_die rbd --pool $pool --image $image map > /dev/null
+
+ else
+ fatal "Uname to attach RBD pool: $pool image: $image"
+ fi
+
+ if ! [ -b /dev/rbd/$pool/$image ]; then
+ fatal "Missing RBD device file /dev/rbd/$pool/$image"
+ fi
+}
+
+
+# need to ensure this is the *last* VM accessing the rbd image?
+remove()
+{
+ if [ -b /dev/rbd/$pool/$image ]; then
+ do_or_die rbd unmap /dev/rbd/$pool/$image > /dev/null
+ else
+ fatal "Uname to detach RBD pool: $pool image: $image wasn't found"
+ fi
+}
+
+
+command=$1
+target=$(xenstore-read $XENBUS_PATH/params || true)
+if [ -z "$target" ]; then
+ fatal "No information about the target"
+fi
+
+
+parse_target
+check_tools || exit 1
+
+
+case $command in
+add)
+ add
+ write_dev /dev/rbd/$pool/$image
+ ;;
+remove)
+ remove
+ ;;
+*)
+ exit 1
+ ;;
+esac
diff --git a/sls/xen/xendomains.confd b/sls/xen/xendomains.confd
new file mode 100644
index 00000000..3c62779a
--- /dev/null
+++ b/sls/xen/xendomains.confd
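Review bot: In `add()`, `rbd --pool $pool list | grep $image` is an unanchored substring match, so an image named `db` passes the existence check when only `db-old` exists and the script only fails later inside `rbd map`; use `grep -qx -- "$image"`. `parse_target` splits `$target` with `cut -f1`/`-f2 -d:`, but `cut` prints the whole input for both fields when the delimiter is absent, so a bare `image` silently becomes pool=image=`image`, and `$pool`/`$image` are then expanded unquoted into `rbd`, `[ -b ... ]` and `write_dev`; the value comes from the domain config via xenstore and is therefore dom0-controlled, but validating the character set and quoting the expansions costs nothing and turns a typo into a clear error. The two `fatal "Uname to ..."` messages also read `Uname` for `Unable`. The rewritten `parse_target` and the first half of `add` are below (multi-colon targets are now rejected instead of being truncated to the second field; widen the character class if your image names need it); the rest of the script is unchanged.

```bash
parse_target()
{
    # Require an explicit pool:image pair and a conservative character set:
    # cut(1) would otherwise return the whole string for both fields when the
    # colon is missing, and both values are expanded into commands below.
    case "$target" in
        *:*) ;;
        *) fatal "Target must be pool:image, got '$target'" ;;
    esac
    pool=${target%%:*}
    image=${target#*:}
    for part in "$pool" "$image"; do
        case "$part" in
            ''|*[!A-Za-z0-9._-]*) fatal "Invalid RBD target '$target'" ;;
        esac
    done

    export pool image
}


add()
{
    # Exact whole-line match: a plain grep would accept any image whose name
    # merely contains "$image".
    if rbd --pool "$pool" list | grep -qx -- "$image" ; then
        do_or_die rbd --pool "$pool" --image "$image" map > /dev/null
    else
        fatal "Unable to attach RBD pool: $pool image: $image"
    fi
    # … unchanged: /dev/rbd/$pool/$image existence check …
}
```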
@@ -0,0 +1,27 @@
+# /etc/conf.d/xendomains
+
+# Directory of domains to boot. AUTODIR should contain one or more symlinks
+# to domain config files in /etc/xen
+AUTODIR=/etc/xen/auto
+
+# Send shutdown commands to all domains in parallel instead of waiting for
+# each to shutdown individually
+PARALLEL_SHUTDOWN=yes
+
+# When SCREEN="yes", domains in AUTODIR have their consoles connected to a
+# screen session named SCREEN_NAME, with output logged to individual files
+# named after each domain and written to /var/log/xen-consoles/ . These files
+# are rotated (using app-admin/logrotate) every time xendomains is started.
+
+SCREEN="yes"
+SCREEN_NAME="xen"
+
+# Number of seconds between writes to screen's logfiles.
+#
+# Lower values mean more disk activity and hence a possible performance
+# impact, but higher values mean a greater chance of loosing some output
+# in the event of a crash.
+
+SCREEN_LOG_INTERVAL="1"
+
+rc_xendomains_need="lvm"
\ No newline at end of file
diff --git a/sls/xen/xendomains.initd b/sls/xen/xendomains.initd
new file mode 100755
index 00000000..9161f262
--- /dev/null
+++ b/sls/xen/xendomains.initd
@@ -0,0 +1,162 @@
+#!/sbin/runscript
+# -*- mode: shell-script -*-
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+
+extra_commands="status bringup"
+
+depend() {
+ need xenstored
+ after dhcp xend xenconsoled
+}
+
+get_domname() {
+ local name_from_file=$(sed -rn 's/^name\W*=\W*\"?([[:alnum:]_\.-]+)\"?\W*;?/\1/p' "${1}" | tail -n 1)
+
+ if [ -z ${name_from_file} ] ; then
+ basename "${1}"
+ else
+ echo ${name_from_file}
+ fi
+}
+
+is_running() {
+ /usr/sbin/xl list "${1}" >/dev/null 2>&1
+}
+
+using_screen() {
+ yesno SCREEN
+ use_screen=$?
+ return $use_screen
+}
+
+set_screen_cmd() {
+ screen_cmd="screen -c ${SCREENRC:-/dev/null} -q -r ${SCREEN_NAME:=xen} -X"
+}
+
+set_autodir() {
+ AUTODIR="${AUTODIR:=/etc/xen/auto}"
+}
+
+domain_start() {
+ local conf="${1}"
+ local name="${2}"
+ ebegin "Starting domain ${name}"
+ if [ $use_screen -eq 0 ]; then
+ ${screen_cmd} screen -t "${name}" xl create "${conf}" -c
+ else
+ xl create --quiet "${conf}"
+ fi
+ eend $?
+}
+
+domain_stop() {
+ local name="${1}"
+ xl shutdown -w ${name} >/dev/null
+}
+
+bringup() {
+ set_autodir
+ if using_screen; then
+ set_screen_cmd
+ fi
+ # Create all domains with config files in AUTODIR.
+ for conf in $(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort); do
+ name=$(get_domname "${conf}")
+ if ! is_running ${name}; then
+ eerror "Domain ${name} is not running"
+ domain_start "${conf}" ${name}
+ fi
+ done
+}
+
+start() {
+ set_autodir
+ einfo "Starting Xen domains from ${AUTODIR}"
+ if using_screen; then
+ set_screen_cmd
+ if ! ${screen_cmd} sleep 0 >/dev/null 2>&1 ; then
+ ebegin "Creating screen session to hold domain consoles"
+ ( screen -c ${SCREENRC:-/dev/null} -d -m -S ${SCREEN_NAME} -t dom0 \
+ && sleep 5 \
+ && ${screen_cmd} zombie dr \
+ && logrotate -f /etc/xen/xen-consoles.logrotate \
+ && ${screen_cmd} logfile /var/log/xen-consoles/%t.log \
+ && ${screen_cmd} logfile flush ${SCREEN_LOG_INTERVAL:-1} \
+ && ${screen_cmd} log on \
+ && ${screen_cmd} deflog on ) >/dev/null
+ fi
+ if [ $? -ne 0 ] ; then
+ eend 1
+ return 1
+ else
+ eend
+ fi
+ fi
+ for conf in $(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort); do
+ name=$(get_domname "${conf}")
+ if is_running "${name}"; then
+ einfo "Not starting domain ${name} - already running"
+ else
+ domain_start "${conf}" ${name}
+ fi
+ done
+}
+
+stop() {
+ set_autodir
+ if using_screen; then
+ set_screen_cmd
+ fi
+ einfo "Shutting down Xen domains from ${AUTODIR:=/etc/xen/auto}"
+ # Stop all domains with config files in AUTODIR.
+ DOMAINS="$(ls "${AUTODIR:=/etc/xen/auto}/"* 2>/dev/null | sort -r)"
+
+ if yesno PARALLEL_SHUTDOWN; then
+ for conf in $DOMAINS; do
+ name=$(get_domname "${conf}")
+ if is_running ${name} ; then
+ einfo "Asking domain ${name} to shutdown"
+ xl shutdown -w ${name} >/dev/null &
+ else
+ einfo "Domain ${name} is not running"
+ fi
+ done
+ ebegin "Waiting for shutdown of domains"
+ wait
+ eend $?
+ else
+ for conf in $DOMAINS; do
+ name=$(get_domname "${conf}")
+ if is_running ${name} ; then
+ ebegin "Waiting for domain ${name} to shutdown"
+ xl shutdown -w ${name} >/dev/null
+ eend $?
+ else
+ einfo "Domain ${name} is not running"
+ fi
+ done
+ fi
+ if [ $use_screen -eq 0 ]; then
+ if ${screen_cmd} sleep 0 >/dev/null 2>&1 ; then
+ ebegin "Closing screen session ${SCREEN_NAME}"
+ ${screen_cmd} quit
+ eend $?
+ fi
+ fi
+}
+
+status() {
+ ret=0
+ for conf in $(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort); do
+ name=$(get_domname "${conf}")
+ if is_running ${name}; then
+ einfo "Domain ${name} is running"
+ else
+ eerror "Domain ${name} is not running"
+ ret=1
+ fi
+ done
+ return $ret
+}
diff --git a/sls/xen/xl.conf b/sls/xen/xl.conf
new file mode 100644
index 00000000..0f19e268
--- /dev/null
+++ b/sls/xen/xl.conf
@@ -0,0 +1,39 @@
+## Global XL config file ##
+
+# Control whether dom0 is ballooned down when xen doesn't have enough
+# free memory to create a domain. "auto" means only balloon if dom0
+# starts with all the host's memory.
+autoballoon="auto"
+
+# full path of the lockfile used by xl during domain creation
+lockfile="/var/lock/xl"
+
+# default output format used by "xl list -l"
+#output_format="json"
+
+# first block device to be used for temporary VM disk mounts
+blkdev_start="xvda"
+
+# default option to run hotplug scripts from xl
+# if disabled the old behaviour will be used, and hotplug scripts will be
+# launched by udev.
+#run_hotplug_scripts=1
+
+# default backend domain to connect guest vifs to. This can be any
+# valid domain identifier.
+vif.default.backend="0"
+
+# default gateway device to use with vif-route hotplug script
+vif.default.gatewaydev="vlan100"
+
+# default vif script to use if none is specified in the guest config
+vif.default.script="vif-bridge"
+
+# default bridge device to use with vif-bridge hotplug scripts
+vif.default.bridge="xenbr0"
+
+# Reserve a claim of memory when launching a guest. This guarantees immediate
+# feedback whether the guest can be launched due to memory exhaustion
+# (which can take a long time to find out if launching huge guests).
+# see xl.conf(5) for details.
+claim_mode=1
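Review bot: stop() builds DOMAINS from `"${AUTODIR:=/etc/xen/auto}/"*` while start(), bringup() and status() glob only `"${AUTODIR}"/*.cfg`, so any other file in AUTODIR (an editor backup, a README) is pushed through get_domname and `xl shutdown -w` on stop yet is never started; the same pattern should be used, `DOMAINS="$(ls "${AUTODIR}"/*.cfg 2>/dev/null | sort -r)"`. status() is the only entry point that never calls set_autodir, so with AUTODIR unset in conf.d it silently reports nothing. domain_stop() is defined but both shutdown loops inline `xl shutdown -w ${name}` instead of calling it, and `[ -z ${name_from_file} ]` in get_domname only works because the sed pattern excludes whitespace — quoting it as `[ -z "${name_from_file}" ]` removes the dependency. Since the start() path turns on screen logging of every guest console to `/var/log/xen-consoles/%t.log`, it is worth a comment stating where that directory is created and who may read it, as nothing in this diff restricts it and guest console output is routinely sensitive.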
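Review bot: `vif.default.gatewaydev="vlan100"` is set although the default script is `vif.default.script="vif-bridge"`; the file's own comment says gatewaydev is only used by the vif-route hotplug script, so the value is dead unless a guest config overrides the script, and a comment such as `# only consulted by guests whose config sets script=vif-route` would save the next reader a trip to xl.conf(5). `#run_hotplug_scripts=1` is left commented out, which per the comment above it means hotplug scripts (presumably including the RBD block script earlier in this diff) keep being launched by udev rather than xl; if that is deliberate, stating it in the comment would help.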