
#!/bin/ash
# Provision an Alpine Linux host as a Salt master: write the apk repository
# list, install packages, build and install root's crontab, load an iptables
# ruleset, create the salt account/directories/GPG keys/master.d config,
# enable runlevel services and finally reboot. Writes under /etc, so it must
# run as root.
# -e aborts on the first failing command; -x echoes every command with its
# expanded arguments to stderr (keep that in mind when capturing logs).
set -ex
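# Usage: repos <branch>   e.g. repos edge  or  repos v3.18
# Rewrites /etc/apk/repositories to the main and community repositories of
# the given Alpine branch (testing stays commented out), then refreshes the
# package index and upgrades all installed packages.
# Returns: 1 without touching anything when no branch is given (an empty
#          branch would otherwise produce URLs like .../alpine//main).
# NOTE: plain http mirrors; apk verifies index/package signatures, so this is
# an integrity-safe but not confidential transport.
repos() {
  local branch=$1
  if [ -z "$branch" ]; then
    printf 'repos: missing Alpine branch argument\n' >&2
    return 1
  fi
  cat > /etc/apk/repositories <<EOF
http://dl-cdn.alpinelinux.org/alpine/$branch/main
http://dl-cdn.alpinelinux.org/alpine/$branch/community
##http://dl-cdn.alpinelinux.org/alpine/$branch/testing
EOF
  apk -U upgrade
}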
# Usage: pkgs 'htop tmux emacs' [update]
# Installs the space-separated package list in $1 with apk. When $2 is the
# word "update" the package index is refreshed first. An empty $1 installs
# nothing and succeeds.
pkgs() {
  local packages=$1
  local mode=$2
  case "$mode" in
    update) apk update ;;
  esac
  if [ -n "$packages" ]; then
    # $packages is intentionally unquoted: apk gets one argument per name.
    apk add $packages
  fi
}
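# Usage: crontab_base [blank]
# Starts a new crontab draft in /tmp/new.cron. With the single argument
# "blank" the draft is emptied; otherwise it is seeded with the run-parts
# entries for /etc/periodic. crontab_append adds lines to the draft and
# apply_crontab installs it.
# NOTE: /tmp/new.cron is a fixed, predictable path shared by the three
# crontab_* helpers; the draft is created with the caller's umask.
crontab_base() {
  local mode=$1
  if [ "$mode" = "blank" ]; then
    # Truncate to an empty draft.
    : > /tmp/new.cron
  else
    cat > /tmp/new.cron <<'EOF'
# do daily/weekly/monthly maintenance
# min hour day month weekday command
*/15 * * * * run-parts /etc/periodic/15min
0 * * * * run-parts /etc/periodic/hourly
0 2 * * * run-parts /etc/periodic/daily
0 3 * * 6 run-parts /etc/periodic/weekly
0 5 1 * * run-parts /etc/periodic/monthly
EOF
  fi
}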
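# Usage: crontab_append '*/15 * * * * /usr/local/bin/atentu -m > /etc/motd'
# Appends one line to the crontab draft in /tmp/new.cron and echoes it to
# stdout (via tee). The line is passed as a printf *argument*, not as the
# format string, so '%' (e.g. in `date +%Y`) and backslashes in the entry are
# written literally instead of being interpreted by printf.
crontab_append() {
  printf '%s\n' "$1" | tee -a /tmp/new.cron
}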
# Usage: apply_crontab
# Installs the draft built by crontab_base/crontab_append as the crontab of
# the invoking user.
apply_crontab() {
  local draft=/tmp/new.cron
  crontab "$draft"
}
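# Usage: iptables_conf
# Writes a fixed iptables ruleset to /etc/iptables/salt.rules, loads it with
# iptables-restore and persists it through the iptables init script.
# Policy: INPUT and FORWARD default to DROP. Inbound traffic is accepted only
# for loopback, RELATED/ESTABLISHED flows, ICMP on eth0 and new TCP
# connections to the Salt ports 4505/4506 on eth0. There is no rule for sshd
# (port 22) although the script later enables sshd at boot, so remote SSH
# access depends on a rule added elsewhere.
# NOTE: the accept rules are bound to eth0; a host whose primary interface has
# another name gets no ICMP or Salt access.
iptables_conf() {
  local rules=/etc/iptables/salt.rules
  mkdir -p /etc/iptables
  # Always start from a fresh file (same end state as touch/rm + truncate).
  rm -f -- "$rules"
  cat > "$rules" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
# Allow ICMP
-A INPUT -i eth0 -p icmp -j ACCEPT
# Allow Salt
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 4505 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 4506 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
  # Feed the file on stdin: works with every iptables-restore version, not
  # only those that accept a file argument.
  iptables-restore < "$rules"
  /etc/init.d/iptables save
}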
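# Usage: salt_config [high|low]
# Creates the salt system account, the Salt directory tree, a GPG key pair
# under /etc/salt/gpgkeys and the master.d drop-in configuration, then — for
# the "high" profile only — starts salt-master and creates the master's
# public-key signature.
# Arguments: $1 - security profile, "high" or "low" (default: low). Only
#            "high" writes security.conf and starts the master here.
# Existing master.d files written by this function are moved to *.bak first.
salt_config() {
  local security=$1
  if [ -z "$security" ]; then
    security=low
  fi
  _salt_ensure_account
  _salt_ensure_dirs
  _salt_gpg_keys
  _salt_master_conf "$security"
  # Hand the whole tree to the salt user (primary.conf sets user: salt).
  # /srv/pillar is intentionally not in this list, matching the original.
  local dir
  for dir in /etc/salt /var/cache/salt /var/log/salt /var/run/salt /srv/salt; do
    chown -R salt:salt "$dir"
  done
  if [ "$security" = "high" ]; then
    _salt_sign_master_key
  fi
}

# Creates the salt user (no password, no home, ash shell so salt-run can be
# used) and the salt group when they are missing. The checks are anchored on
# the account name so that e.g. a "salty" user does not suppress creation.
# busybox adduser normally creates a matching group itself; groupadd (from
# the shadow package) is the fallback.
_salt_ensure_account() {
  if ! grep -q '^salt:' /etc/passwd; then
    adduser -D -H -s /bin/ash salt
  fi
  if ! grep -q '^salt:' /etc/group; then
    groupadd salt
  fi
}

# Creates the Salt state/pillar/cache/log/run directories owned by salt:salt
# and the master.d drop-in directory. Mode 0774 leaves the directories
# readable by other users.
_salt_ensure_dirs() {
  local dir
  for dir in /etc/salt /var/cache/salt /var/log/salt /var/run/salt /srv/salt /srv/pillar; do
    if [ ! -d "$dir" ]; then
      mkdir -p "$dir"
      chmod 0774 "$dir"
      chown salt:salt "$dir"
    fi
  done
  mkdir -p /etc/salt/master.d
}

# First run only (keyed on the absence of /etc/salt/gpgkeys): generates an
# unattended 4096-bit RSA key pair with no passphrase into a 0700 keyring
# directory, exports the public key to salt_pub.gpg and imports it into the
# invoking user's default keyring. Presumably for Salt's gpg renderer, whose
# default keydir is /etc/salt/gpgkeys. The private key is unprotected on
# disk, so the directory permissions (and the later chown to salt) are its
# only access control.
_salt_gpg_keys() {
  local keydir=/etc/salt/gpgkeys
  if [ -d "$keydir" ]; then
    return 0
  fi
  mkdir -p "$keydir"
  chmod 0700 "$keydir"
  cat > "$keydir/genscript" <<'EOF'
Key-Type: RSA
Key-Length: 4096
Name-Real: Salt
Name-Email: no-reply@invalid.address
Expire-Date: 0
%no-ask-passphrase
%no-protection
EOF
  gpg --gen-key --homedir "$keydir" --batch "$keydir/genscript"
  gpg --homedir "$keydir" --armor --export > "$keydir/salt_pub.gpg"
  gpg --import "$keydir/salt_pub.gpg"
}

# Writes the master.d drop-in files, backing up any existing copy to *.bak.
# Arguments: $1 - security profile; security.conf is written only for "high".
_salt_master_conf() {
  local security=$1
  local conf
  for conf in file.conf pillar.conf primary.conf security.conf state.conf reactor.conf; do
    if [ -f "/etc/salt/master.d/$conf" ]; then
      mv "/etc/salt/master.d/$conf" "/etc/salt/master.d/$conf.bak"
    fi
  done
  cat > /etc/salt/master.d/file.conf <<'EOF'
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod
top_file_merging_strategy: same
default_top: dev
hash_type: sha512
EOF
  cat > /etc/salt/master.d/pillar.conf <<'EOF'
pillar_roots:
  base:
    - /srv/pillar/base
  dev:
    - /srv/pillar/dev
  prod:
    - /srv/pillar/prod
pillar_safe_render_error: True
pillar_source_merging_strategy: none
pillarenv_from_saltenv: True
pillar_raise_on_missing: True
EOF
  cat > /etc/salt/master.d/primary.conf <<'EOF'
user: salt
verify_env: True
enable_gpu_grains: True
ping_on_rotate: True
allow_minion_key_revoke: False
timeout: 30
EOF
  if [ "$security" = "high" ]; then
    # NOTE(review): per the Salt master docs, require_minion_sign_messages
    # True with drop_messages_signature_fail False means minions must sign
    # but a failing signature is only logged, not rejected; set
    # drop_messages_signature_fail to True to enforce it. The ssl key/cert
    # files referenced below are not created by this script.
    cat > /etc/salt/master.d/security.conf <<'EOF'
keysize: 4096
autosign_timeout: 0
master_sign_pubkey: True
master_use_pubkey_signature: True
sign_pub_messages: True
require_minion_sign_messages: True
drop_messages_signature_fail: False
ssl:
  keyfile: /etc/salt/pki/certs/salt.key
  certfile: /etc/salt/pki/certs/salt.crt
  ssl_version: PROTOCOL_TLSv1_2
EOF
  fi
  cat > /etc/salt/master.d/state.conf <<'EOF'
failhard: True
EOF
  cat > /etc/salt/master.d/reactor.conf <<'EOF'
reactor:
#- 'salt/minion/*/start':
#  - /srv/salt/reactor/start.sls
#- 'salt/beacon/*/beacon_name':
#  - /srv/salt/reactor/beacon.sls
reactor_refresh_interval: 60
reactor_worker_threads: 10
reactor_worker_hwm: 10000
EOF
}

# "high" profile only: starts salt-master, waits for it and creates the
# signature of the master's public key (and the signing key pair if missing)
# that master_sign_pubkey / master_use_pubkey_signature rely on.
# The fixed 30 s sleep is a guess at startup time, not a readiness check.
# NOTE(review): files created here by salt-key are owned by the invoking
# user, after the chown to salt has already run — verify their ownership.
_salt_sign_master_key() {
  rc-service salt-master start
  sleep 30
  salt-key --gen-signature --auto-create
}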
# Usage: enable_services default 'lighttpd rsyslog samba iptables'
# Adds every service named in $2 (space-separated) to the runlevel $1 with
# rc-update.
enable_services() {
  local runlevel=$1
  local names=$2
  local svc
  # $names is intentionally unquoted so it splits into one service per turn.
  for svc in $names; do
    rc-update add "$svc" "$runlevel"
  done
}
#Usage: reboot_system
# Reboots the host immediately. Called as the script's final step so the
# newly enabled runlevel services start on the next boot.
reboot_system() {
reboot
}
# Provisioning sequence. Order matters: the firewall is loaded before
# salt_config starts salt-master, and the reboot comes last.
# NOTE: "edge" is Alpine's rolling branch, and sshd is enabled at boot
# although iptables_conf opens no SSH port.
main() {
  repos edge
  pkgs "procps htop iftop net-tools tmux iptables mg syslog-ng haveged iproute2 coreutils logrotate shadow openssh salt salt-master salt-minion salt-api salt-syndic gpg gnupg-utils gpg-agent py3-tornado"
  crontab_base
  crontab_append "0 2 * * 5 /sbin/apk -U -a upgrade"
  apply_crontab
  iptables_conf
  salt_config high
  enable_services boot "syslog-ng"
  enable_services default "crond iptables salt-master sshd"
  reboot_system
}
main "$@"