Add golden pillars and states

custom/testing/golden-pillar-tree/base.sls

@@ -0,0 +1,2 @@
+packer_build: true
+packer_golden_images_build: true

custom/testing/golden-pillar-tree/top.sls

@@ -0,0 +1,3 @@
+base:
+  '*':
+    - base

custom/testing/golden-state-tree/config/dhclient.sls

@@ -0,0 +1,10 @@
+{% set dhclient_conf = '/etc/dhcp/dhclient.conf' %}
+
+{%- if salt['file.file_exists'](dhclient_conf) %}
+dhclient_conf.lease_time:
+  file.line:
+    - name: {{ dhclient_conf }}
+    - content: "supersede dhcp-lease-time 86400;"
+    - mode: insert
+    - location: end
+{%- endif %}

custom/testing/golden-state-tree/config/locale.sls

@@ -0,0 +1,104 @@
+# Arch Linux on some clouds has a default encoding of ASCII
+# This is not typical in production, so set this to UTF-8 instead
+#
+# This will cause integration.shell.matcher.MatchTest.test_salt_documentation_arguments_not_assumed
+# to fail if not set correctly.
+{%- set on_docker = salt['grains.get']('virtual_subtype', '') in ('Docker',) %}
+{%- set on_arch = grains['os_family'] == 'Arch' %}
+{%- set on_suse = grains['os_family'] in ('Suse', 'SUSE') %}
+
+{%- if grains['os'] in ('MacOS',) %}
+mac_locale:
+  file.blockreplace:
+    - name: /etc/profile
+    - marker_start: '#------ start locale zone ------'
+    - marker_end: '#------ endlocale zone ------'
+    - content: |
+        export LANG=en_US.UTF-8
+    - append_if_not_found: true
+
+{%- elif grains['os'] in ('FreeBSD',) %}
+/root/.bash_profile:
+  file.managed:
+    - user: root
+    - group: wheel
+    - mode: '0644'
+
+freebsd_locale:
+  file.blockreplace:
+    - name: /root/.bash_profile
+    - marker_start: '#------ start locale zone ------'
+    - marker_end: '#------ endlocale zone ------'
+    - content: |
+        export LANG=en_US.UTF-8
+    - append_if_not_found: true
+{%- else %}
+
+  {%- if on_suse %}
+suse_local:
+  pkg.installed:
+    - pkgs:
+      - glibc-locale
+      - dbus-1
+
+    {%- if not on_docker %}
+  service.running:
+    - name: dbus.socket
+    - onlyif: systemctl daemon-reload
+    {%- endif %}
+  {%- elif grains.os_family == 'Debian' %}
+deb_locale:
+  file.touch:
+    - name: /etc/default/keyboard  # ubuntu is stupid and this file has to exist for systemd-localed to be able to run
+  pkg.installed:
+    - pkgs:
+      - locales
+      - console-data
+      - dbus
+    {%- if grains.get('init') == 'systemd' %}
+  service.running:
+    - names:
+      - dbus.socket
+      - systemd-localed.service
+    {%- endif %}
+  {%- endif %}
+
+  {%- if on_arch %}
+accept_LANG_sshd:
+  file.append:
+    - name: /etc/ssh/sshd_config
+    - text: AcceptEnv LANG
+    {%- if not pillar.get('packer_golden_images_build', False) %}
+  service.running:
+    - name: sshd
+    - listen:
+      - file: accept_LANG_sshd
+    {%- endif %}
+  {%- endif %}
+
+# Fedora and Centos 8
+  {%- if grains['os_family'] == 'RedHat' and grains['osmajorrelease'] != 7 and grains['os'] != 'VMware Photon OS' %}
+redhat_locale:
+  pkg.installed:
+    - name: glibc-langpack-en
+  {%- endif %}
+
+# Photon OS 3
+  {%- if grains['os'] == 'VMware Photon OS' %}
+photon_locale:
+  pkg.installed:
+    - name: glibc-lang
+  {%- endif %}
+
+us_locale:
+  locale.present:
+    - name: en_US.UTF-8
+
+  {%- if grains['os_family'] not in ('FreeBSD',) %}
+default_locale:
+  locale.system:
+    - name: en_US.UTF-8
+    - require:
+      - locale: us_locale
+  {%- endif %}
+{%- endif %}

custom/testing/golden-state-tree/config/path.sls

@@ -0,0 +1,10 @@
+append-usr-local-bin-to-path:
+  file.append:
+    - name: /root/.bash_profile
+    - text: 'export PATH=/usr/local/bin:$PATH'
+    - unless: 'echo $PATH | grep -q /usr/local/bin'
+  environ.setenv:
+    - name: PATH
+    - value: '/usr/local/bin:{{ salt.cmd.run_stdout('echo $PATH', python_shell=True).strip() }}'
+    - unless: 'echo $PATH | grep -q /usr/local/bin'
+    - update_minion: True

custom/testing/golden-state-tree/config/sshd_config.sls

@@ -0,0 +1,77 @@
+{% set ssh_config = '/etc/ssh/sshd_config' %}
+
+ClientAliveInterval:
+  file.line:
+    - name: {{ ssh_config }}
+    - content: "ClientAliveInterval 60"
+  {%- if salt['file.search'](ssh_config, 'ClientAliveInterval') %}
+    - match: "(#)?.*ClientAliveInterval.*"
+    - mode: "replace"
+  {%- else %}
+    - mode: insert
+    - location: end
+  {%- endif %}
+
+ClientAliveCount:
+  file.line:
+    - name: {{ ssh_config }}
+    - content: "ClientAliveCountMax 20"
+  {%- if salt['file.search'](ssh_config, 'ClientAliveCountMax') %}
+    - match: "(#)?.*ClientAliveCountMax.*"
+    - mode: "replace"
+  {%- else %}
+    - mode: insert
+    - location: end
+  {%- endif %}
+
+TCPKeepAlive:
+  file.line:
+    - name: {{ ssh_config }}
+    - content: "TCPKeepAlive yes"
+  {%- if salt['file.search'](ssh_config, 'TCPKeepAlive') %}
+    - match: "(#)?.*TCPKeepAlive.*"
+    - mode: "replace"
+  {%- else %}
+    - mode: insert
+    - location: end
+  {%- endif %}
+
+
+{%- if grains['os'] == 'VMware Photon OS' %}
+{%- for algo in ("ssh-ed25519", "ecdsa-sha2-nistp256") %}
+
+HostKeyAlgorithms-{{ algo }}:
+  file.line:
+    - name: {{ ssh_config }}
+    - content: "HostKeyAlgorithms {{ algo }}"
+    - mode: insert
+    - location: end
+
+{%- endfor %}
+{%- endif %}
+
+stop-sshd:
+  service.dead:
+    {%- if grains['os'] == 'Ubuntu' and grains['osmajorrelease'] >= 23 %}
+    - name: ssh
+    {%- else %}
+    - name: sshd
+    {%- endif %}
+    - enable: True
+    - require:
+      - ClientAliveInterval
+      - ClientAliveCount
+      - TCPKeepAlive
+
+
+start-sshd:
+  service.enabled:
+    {%- if grains['os'] == 'Ubuntu' and grains['osmajorrelease'] >= 23 %}
+    - name: ssh
+    {%- else %}
+    - name: sshd
+    {%- endif %}
+    - enable: True
+    - reload: True
+    - require:
+      - stop-sshd

custom/testing/golden-state-tree/config/sssd.sls

@@ -0,0 +1,3 @@
+sssd:
+  service.dead:
+    - onlyif: systemctl is-active sssd

custom/testing/golden-state-tree/config/timezone.sls

@@ -0,0 +1,4 @@
+set-time-zone:
+  timezone.system:
+    - name: Etc/UTC
+    - utc: True

custom/testing/golden-state-tree/config/ulimits.sls

@@ -0,0 +1,15 @@
+{%- if grains['kernel'] == 'Linux' %}
+ulimits-nofile:
+  file.managed:
+    - name: /etc/security/limits.d/83-nofile.conf
+    - mode: 644
+    - makedirs: True
+    - contents: 'root - nofile 1048576'
+{%- elif grains['kernel'] == 'Darwin' %}
+set limits for launchctl:
+  cmd.run:
+    - name: launchctl limit maxfiles 10240 unlimited
+  file.append:
+    - name: /etc/launchd.conf
+    - text: limit maxfiles 10240 unlimited
+{%- endif %}

custom/testing/golden-state-tree/download/busybox.sls

@@ -0,0 +1,17 @@
+/usr/bin/busybox:
+  file.managed:
+  {%- if grains['osarch'] == 'aarch64' %}
+    - source: https://github.com/saltstack/salt-jenkins/files/12686271/busybox.arch64.zip
+    - source_hash: f6c93120cec5f4a6414ae7e7725ef20dd51f07b93f5f69961c1ce2c3ab13b446
+  {%- else %}
+    - source: https://github.com/saltstack/salt-jenkins/files/8031454/busybox.zip
+    - source_hash: sha256=d270442b2fff1c8ebbd076afaf2f6739abc5790526acfafd8fcdba3eab80ed73
+  {%- endif %}
+    - mode: 0755
+
+
+run-busybox:
+  cmd.run:
+    - name: /usr/bin/busybox pwd && exit 0 || exit 1
+    - require:
+      - /usr/bin/busybox

custom/testing/golden-state-tree/download/vault.sls

@@ -0,0 +1,13 @@
+install-vault-binary:
+
+  pkg.latest:
+    - name: unzip
+
+  archive.extracted:
+    - name: /usr/local/bin/
+    - source: https://releases.hashicorp.com/vault/0.9.6/vault_0.9.6_linux_amd64.zip
+    - source_hash: https://releases.hashicorp.com/vault/0.9.6/vault_0.9.6_SHA256SUMS
+    - archive_format: zip
+    - if_missing: /usr/local/bin/vault
+    - source_hash_update: True
+    - enforce_toplevel: False

custom/testing/golden-state-tree/github-actions-runner/account.sls

@@ -0,0 +1,42 @@
+
+create-actions-runner-account:
+  user.present:
+    - name: actions-runner
+    - shell: /bin/bash
+    - home: /home/actions-runner
+    - empty_password: true
+    - createhome: true
+    - usergroup: true
+    - optional_groups:
+      {#-
+          These groups get added to the user if the groups exist.
+          The groups were collected from the golden images cloud-init configuration
+          file /etc/cloud/cloud.cfg
+      #}
+      - adm
+      - audio
+      - cdrom
+      - dialout
+      - dip
+      - docker
+      - floppy
+      - lxd
+      - netdev
+      - plugdev
+      - sudo
+      - systemd-journal
+      - users
+      - video
+      - wheel
+      {%- if grains['os'] == 'VMware Photon OS' %}
+      {#- Let's also include the root's group in the account since Photon OS's
+          images are commonly built to use root and not other system accounts #}
+      - root
+      {%- endif %}
+
+actions-runner-sudoers-file:
+  file.managed:
+    - name: /etc/sudoers.d/actions-runner
+    - mode: "0644"
+    - contents:
+      - actions-runner ALL=(ALL) NOPASSWD:ALL

custom/testing/golden-state-tree/github-actions-runner/files/add-start-at-boot-task.ps1

@@ -0,0 +1,5 @@
+$taskName = "Start GitHub Actions Runner"
+$principal = New-ScheduledTaskPrincipal -UserID "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
+$action = New-ScheduledTaskAction -WorkingDirectory "C:\actions-runner" -Execute 'Powershell.exe' -Argument "-NoProfile -File ""C:\start-runner.ps1"""
+$trigger = New-ScheduledTaskTrigger -AtStartup
+Register-ScheduledTask -Action $action -Trigger $trigger -Principal $principal -TaskName $taskName -Description $taskName

custom/testing/golden-state-tree/github-actions-runner/files/github-actions-runner.systemd.unit

@@ -0,0 +1,16 @@
+# set ft=systemd
+
+[Unit]
+Description=GitHub Actions Runner
+After=network.target
+
+[Service]
+ExecStart=/opt/actions-runner/start-runner-service.sh
+User={{ actions_runner_account }}
+WorkingDirectory=/opt/actions-runner/
+KillMode=process
+KillSignal=SIGTERM
+TimeoutStopSec=5min
+
+[Install]
+WantedBy=multi-user.target