Initial exmaple repository

README.md

@@ -1,4 +0,0 @@
-salt-multi-environment-gitfs
-============================
-
-Salt Multi-environment gitfs example.

master

@@ -0,0 +1,9 @@
+fileserver_backend:
+  - git
+gitfs_remotes:
+  - git+ssh://[email protected]/bretep/salt-multi-environment-gitfs.git
+gitfs_root: states
+ext_pillar:
+  - git: dev git+ssh://[email protected]/bretep/salt-multi-environment-gitfs.git
+  - git: stg git+ssh://[email protected]/bretep/salt-multi-environment-gitfs.git
+  - git: prd git+ssh://[email protected]/bretep/salt-multi-environment-gitfs.git

minion

@@ -0,0 +1,2 @@
+master: salt.example.com
+environment: dev

pillars/dev/init.sls

@@ -0,0 +1,4 @@
+{{ saltenv if saltenv != None else env}}:
+  '*':
+    - pillars.users
+    - pillars.{{ saltenv if saltenv != None else env}}.pkgs

pillars/dev/pkgs.sls

@@ -0,0 +1,4 @@
+pkgs:
+  pip:
+    awscli: 1.3.0
+    newrelic: 2.14.0.11

pillars/prd/init.sls

@@ -0,0 +1,4 @@
+{{ saltenv if saltenv != None else env}}:
+  '*':
+    - pillars.users
+    - pillars.{{ saltenv if saltenv != None else env}}.pkgs

pillars/prd/pkgs.sls

@@ -0,0 +1,4 @@
+pkgs:
+  pip:
+    awscli: 1.3.0
+    newrelic: 2.14.0.11

pillars/stg/init.sls

@@ -0,0 +1,4 @@
+{{ saltenv if saltenv != None else env}}:
+  '*':
+    - pillars.users
+    - pillars.{{ saltenv if saltenv != None else env}}.pkgs

pillars/stg/pkgs.sls

@@ -0,0 +1,4 @@
+pkgs:
+  pip:
+    awscli: 1.3.0
+    newrelic: 2.14.0.11

pillars/users/init.sls

@@ -0,0 +1,17 @@
+users:
+  jdoe:
+    fullname: John Doe
+    shell: /bin/bash
+    groups:
+      - _default
+      - dev
+      - prd
+      - stg
+    ssh_keys:
+      - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpkoPTGHOdmSVgIlzBY7Z+K3sGWqb2nqVUIwi+8dhK5Wnlg081Swpb9ZXhCAHqogQoZ0e1CHa9z4TppXHB2+8bLkVEXAMPLEm+SJx3f4LraSRNlKiaaR1uMlk0E7A+uglOvQ/6Abu/F3Wid2M9EhMqsNyAbe1fdtZWLQTC3olbO+HxkFjXzVFxlSmzobu5dgFBXo2p9UaPg5e+SBcyyjDgwy3oeuCBBhireDnc547SDWiEc0JaSyt/wl0iE/UziOwtBd5DYErqgjs18t+sk3qjhR8XJvZoNpmwoklYlW08WkPHdHjmSyrw6aZf30Hyc3Xm1DL16BrtWuY7ndyFYJoOx+h jdoe_examplee
+
+  dummy:
+    fullname: Dummy Person
+    shell: /bin/bash
+    groups:
+      - user

states/_grains/ec2_info.py

@@ -0,0 +1,88 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+"""
+Get some grains information that is only available in Amazon AWS
+
+Author: Erik Günther
+
+"""
+import logging
+import httplib
+import socket
+import json
+
+# Set up logging
+LOG = logging.getLogger(__name__)
+
+
+def _call_aws(url):
+    """
+    Call AWS via httplib. Require correct path.
+    Host: 169.254.169.254
+
+    """
+    conn = httplib.HTTPConnection("169.254.169.254", 80, timeout=1)
+    conn.request('GET', url)
+    response = conn.getresponse()
+    if response.status == 200:
+        return response.read()
+
+
+def _get_ec2_hostinfo(path="", data={}):
+    """
+    Recursive function that walks the EC2 metadata available to each minion.
+    :param path: URI fragment to append to /latest/meta-data/
+    :param data: Dictionary containing the results from walking the AWS meta-data
+
+    All EC2 variables are prefixed with "ec2_" so they are grouped as grains and to
+    avoid collisions with other grain names.
+    """
+    for line in _call_aws("/latest/meta-data/%s" % path).split("\n"):
+        if line[-1] != "/":
+            call_response = _call_aws("/latest/meta-data/%s" % (path + line))
+            if call_response is not None:
+                data["ec2_" + path.replace("/", "_") + line] = call_response
+            else:
+                data["ec2_" + path.replace("/", "_")[:-1]] = line
+        else:
+            _get_ec2_hostinfo(path + line, data=data)
+
+
+def _get_ec2_region():
+    """
+    Recursive call in _get_ec2_hostinfo() does not retrieve a node's region
+    """
+    data = _call_aws("/latest/dynamic/instance-identity/document")
+    return json.loads(data)['region']
+
+
+def ec2_info():
+    """
+    Collect some extra host information
+    """
+    try:
+        # First check that the AWS magic URL works. If it does
+        # we are running in AWS and will try to get more data.
+        _call_aws('/')
+    except (socket.timeout, socket.error, IOError):
+        return {}
+
+    try:
+        grains = {}
+        _get_ec2_hostinfo(data=grains)
+        grains['ec2_region'] = _get_ec2_region()
+        return grains
+    except socket.timeout, serr:
+        LOG.info("Could not read EC2 data (timeout): %s" % (serr))
+        return {}
+
+    except socket.error, serr:
+        LOG.info("Could not read EC2 data (error): %s" % (serr))
+        return {}
+
+    except IOError, serr:
+        LOG.info("Could not read EC2 data (IOError): %s" % (serr))
+        return {}
+
+if __name__ == "__main__":
+    print ec2_info()

states/dev.sls

@@ -0,0 +1,5 @@
+{{ pillar['master']['environment'] }}:
+  '*':
+    - users
+    - sudo
+    - awscli

states/prd.sls

@@ -0,0 +1,4 @@
+{{ pillar['master']['environment'] }}:
+  '*':
+    - users
+    - sudo

states/stg.sls

@@ -0,0 +1,4 @@
+{{ pillar['master']['environment'] }}:
+  '*':
+    - users
+    - sudo

states/sudo/init.sls

@@ -0,0 +1,13 @@
+sudo:
+  pkg.installed
+
+sudouser:
+  group.present:
+    - system: True
+
+/etc/sudoers.d/sudouser:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 440
+    - source: salt://sudo/sudouser

states/sudo/sudouser

@@ -0,0 +1 @@
+%sudouser  ALL=(ALL) NOPASSWD:ALL

states/top.sls

@@ -0,0 +1,2 @@
+include:
+  - {{ pillar['master']['environment'] }}

states/users/_default/.bash_logout

@@ -0,0 +1,7 @@
+# ~/.bash_logout: executed by bash(1) when login shell exits.
+
+# when leaving the console clear the screen to increase privacy
+
+if [ "$SHLVL" = 1 ]; then
+    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
+fi

states/users/_default/.bashrc

@@ -0,0 +1,107 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
+# for examples
+
+# If not running interactively, don't do anything
+[ -z "$PS1" ] && return
+
+# don't put duplicate lines or lines starting with space in the history.
+# See bash(1) for more options
+HISTCONTROL=ignoreboth
+
+# append to the history file, don't overwrite it
+shopt -s histappend
+
+# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
+HISTSIZE=1000
+HISTFILESIZE=2000
+
+# check the window size after each command and, if necessary,
+# update the values of LINES and COLUMNS.
+shopt -s checkwinsize
+
+# If set, the pattern "**" used in a pathname expansion context will
+# match all files and zero or more directories and subdirectories.
+#shopt -s globstar
+
+# make less more friendly for non-text input files, see lesspipe(1)
+[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"
+
+# set variable identifying the chroot you work in (used in the prompt below)
+if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
+    debian_chroot=$(cat /etc/debian_chroot)
+fi
+
+# set a fancy prompt (non-color, unless we know we "want" color)
+case "$TERM" in
+    xterm-color) color_prompt=yes;;
+esac
+
+# uncomment for a colored prompt, if the terminal has the capability; turned
+# off by default to not distract the user: the focus in a terminal window
+# should be on the output of commands, not on the prompt
+#force_color_prompt=yes
+
+if [ -n "$force_color_prompt" ]; then
+    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
+	# We have color support; assume it's compliant with Ecma-48
+	# (ISO/IEC-6429). (Lack of such support is extremely rare, and such
+	# a case would tend to support setf rather than setaf.)
+	color_prompt=yes
+    else
+	color_prompt=
+    fi
+fi
+
+if [ "$color_prompt" = yes ]; then
+    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
+else
+    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
+fi
+unset color_prompt force_color_prompt
+
+# If this is an xterm set the title to user@host:dir
+case "$TERM" in
+xterm*|rxvt*)
+    PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
+    ;;
+*)
+    ;;
+esac
+
+# enable color support of ls and also add handy aliases
+if [ -x /usr/bin/dircolors ]; then
+    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
+    alias ls='ls --color=auto'
+    #alias dir='dir --color=auto'
+    #alias vdir='vdir --color=auto'
+
+    alias grep='grep --color=auto'
+    alias fgrep='fgrep --color=auto'
+    alias egrep='egrep --color=auto'
+fi
+
+# some more ls aliases
+alias ll='ls -alF'
+alias la='ls -A'
+alias l='ls -CF'
+
+# Add an "alert" alias for long running commands.  Use like so:
+#   sleep 10; alert
+alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'
+
+# Alias definitions.
+# You may want to put all your additions into a separate file like
+# ~/.bash_aliases, instead of adding them here directly.
+# See /usr/share/doc/bash-doc/examples in the bash-doc package.
+
+if [ -f ~/.bash_aliases ]; then
+    . ~/.bash_aliases
+fi
+
+# enable programmable completion features (you don't need to enable
+# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
+# sources /etc/bash.bashrc).
+if [ -f /etc/bash_completion ] && ! shopt -oq posix; then
+    . /etc/bash_completion
+fi

states/users/_default/.profile

@@ -0,0 +1,22 @@
+# ~/.profile: executed by the command interpreter for login shells.
+# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
+# exists.
+# see /usr/share/doc/bash/examples/startup-files for examples.
+# the files are located in the bash-doc package.
+
+# the default umask is set in /etc/profile; for setting the umask
+# for ssh logins, install and configure the libpam-umask package.
+#umask 022
+
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+    # include .bashrc if it exists
+    if [ -f "$HOME/.bashrc" ]; then
+	. "$HOME/.bashrc"
+    fi
+fi
+
+# set PATH so it includes user's private bin if it exists
+if [ -d "$HOME/bin" ] ; then
+    PATH="$HOME/bin:$PATH"
+fi

states/users/init.sls

@@ -0,0 +1,46 @@
+{% set salt_env = pillar['master']['environment'] %}
+# Add each user
+{% for user, user_data in pillar['users'].iteritems() %}
+user_{{ user }}:
+  user.present:
+    - name: {{ user }}
+    - fullname: {{ salt['pillar.get']('users:' + user + ':fullname', 'No Name') }}
+    - shell: {{ salt['pillar.get']('users:' + user + ':shell', '/bin/bash') }}
+{% if 'groups' in pillar['users'][user] %}
+    - optional_groups:
+{% for group in salt['pillar.get']('users:' + user + ':groups', []) %}
+      - {{ group }}
+{% if group == salt_env %}
+      - wheel
+{% endif %}{% endfor %}
+    - require:
+      - group: sudouser
+{% endif %}
+
+# Enforce home directory
+cp_user_home_{{ user }}:
+  file.recurse:
+    - name: /home/{{ user }}
+    - user: {{ user }}
+    - group: {{ user }}
+{% if 'users/' + user in salt['cp.list_master_dirs'](salt_env) %}
+    - source: salt://users/{{ user }}
+{% else %}
+    - source: salt://users/_default
+{% endif %}
+    - include_empty: True
+    - require:
+      - user: user_{{ user }}
+
+# Check SSH key and add
+{% if 'ssh_keys' in pillar['users'][user] %}
+ssh_keys_{{ user }}:
+  ssh_auth.present:
+    - user: {{ user }}
+    - names:
+{% for ssh_key in salt['pillar.get']('users:' + user + ':ssh_keys', []) %}
+      - {{ ssh_key }}{% endfor %}
+    - require:
+      - user: user_{{ user }}
+      - file: cp_user_home_{{ user }}
+{% endif %}{% endfor %}