vaultbot.sls
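{#- Renders /etc/default/vaultbot: one KEY="value" line per entry of the
    `options` mapping handed in through the state's `context`.
    `items()` exists on both Python 2 and Python 3 dicts; `iteritems()` was
    removed in Python 3, so a py3 minion failed to render this file. -#}
{% for key, value in options.items() %}
{{ key|upper }}="{{ value }}"
{% endfor %}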
# vaultbot.service: one-shot run of /usr/bin/vaultbot, fired by vaultbot.timer.
# There is no [Install] section; the timer is the unit that gets enabled.
[Unit]
Description=Systemd Timer Service for VaultBot
[Service]
# The leading "-" makes systemd tolerate a missing environment file.
EnvironmentFile=-/etc/default/vaultbot
# Runs to completion and exits; the timer starts it again on schedule.
Type=oneshot
ExecStart=/usr/bin/vaultbot
# Executes as root (it is configured, via /etc/default/vaultbot, to manage
# files under /etc and to run a systemctl hook).
User=root
Group=root
# vaultbot.timer: schedules the service of the same base name
# (vaultbot.service). Rendered by Salt as a Jinja template.
[Unit]
Description=Systemd Timer for VaultBot
[Timer]
# Substituted from the `context` of the timer state in vaultbot.sls
# ("daily" there).
OnCalendar={{ OnCalendar }}
# A run missed while the host was down is caught up at the next boot.
Persistent=true
# No jitter: every host fires at the same wall-clock time.
RandomizedDelaySec=0
[Install]
WantedBy=timers.target
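{#- Installs VaultBot on a MongoDB host: fetches the pinned binary, drops the
    systemd service/timer units and the /etc/default environment file, then
    reloads systemd and starts the timer.
    params: `url` (xz-compressed binary) and `sha1` (hex digest of the
    *decompressed* binary, i.e. of what ends up in /usr/bin/vaultbot).
    grains: `ec2_tags` (uses `cluster` and `env`) and `nodename`.
    Raises at render time when the minion has no EC2 tags. -#}
{% macro vaultbot(params, grains) %}
{% set url = params['url'] %}
{% set sha1 = params['sha1'] %}
{% set ec2_tags = grains['ec2_tags'] %}
{% if not ec2_tags %}
{{ raise('Cannot find EC2 Tags') }}
{% endif %}

# Download to a scratch file beside the target, verify the pinned digest, and
# only then rename it into place. Writing straight to /usr/bin/vaultbot with
# `curl | xz > file` truncates the live binary first, so a failed or tampered
# download would leave a broken or unverified executable for the timer to run.
# `--fail` stops curl from feeding an HTTP error body into xz; the digest
# check is the real gate either way.
vaultbot-download:
  cmd.run:
    - name: |
        set -e
        tmp="$(mktemp /usr/bin/.vaultbot.XXXXXX)"
        trap 'rm -f "$tmp"' EXIT
        curl --fail --silent --show-error '{{ url }}' | xz -dc > "$tmp"
        echo '{{ sha1 }}  '"$tmp" | sha1sum -c --status -
        chmod 0755 "$tmp"
        mv -f "$tmp" /usr/bin/vaultbot
    - runas: root
    # Two spaces between digest and path: the checksum-line format sha1sum -c
    # expects. Piped via echo rather than a here-string so it runs under /bin/sh.
    - unless: echo '{{ sha1 }}  /usr/bin/vaultbot' | sha1sum -c --status -

# The install step above already sets the mode; this remains for binaries that
# predate it, and its id is referenced by the onchanges lists below.
vaultbot-set-rights:
  cmd.run:
    - name: chmod +x /usr/bin/vaultbot
    - runas: root
    - unless: test -x /usr/bin/vaultbot

# Modes are quoted so the YAML loader never reads 0644 as an octal integer;
# Salt accepts the string form.
/etc/systemd/system/vaultbot.timer:
  file.managed:
    - source: salt://mongodb/files/vaultbot/systemd.vaultbot.timer
    - user: root
    - group: root
    - mode: "0644"
    - template: jinja
    - context:
        OnCalendar: daily

/etc/systemd/system/vaultbot.service:
  file.managed:
    - source: salt://mongodb/files/vaultbot/systemd.vaultbot.service
    - user: root
    - group: root
    - mode: "0644"

# Environment for the service: the `default` template emits one KEY="value"
# line per entry of `options`. Nothing in this mapping is a credential (auth
# is aws-ec2, the rest are paths, TTLs and names), hence world-readable.
# Templated values are quoted so a tag containing YAML specials cannot change
# the parse of the rendered text.
/etc/default/vaultbot:
  file.managed:
    - source: salt://mongodb/files/vaultbot/default
    - user: root
    - group: root
    - mode: "0644"
    - template: jinja
    - context:
        options:
          RENEW_HOOK: /bin/systemctl restart mongos
          VAULT_ADDR: https://c1-vault.aws.callstats.io
          VAULT_AUTH_METHOD: aws-ec2
          VAULT_AWS_AUTH_ROLE: "{{ ec2_tags.cluster }}-mongos"
          VAULT_AWS_AUTH_MOUNT: "{{ ec2_tags.env }}/aws"
          VAULT_AWS_AUTH_NONCE_PATH: /root/.vaultbot-aws-nonce
          PKI_COMMON_NAME: "{{ grains['nodename'] }}"
          PKI_TTL: 168h
          PKI_RENEW_TIME: 24h
          PKI_ROLE_NAME: "{{ ec2_tags.cluster }}-mongos-server"
          PKI_MOUNT: "{{ ec2_tags.env }}/pki/v2"
          PKI_CERT_PATH: /etc/mongo-cert.pem
          PKI_CACHAIN_PATH: /etc/mongo-cachain.pem
          PKI_PRIVKEY_PATH: /etc/mongo-key.pem
          PKI_PEMBUNDLE_PATH: /etc/mongo-bundle.pem

# systemd must re-read unit files before the timer is (re)started; this runs
# earlier in file order than the service state below.
systemctl daemon-reload:
  cmd.run:
    - onchanges:
      - file: /etc/systemd/system/vaultbot.timer
      - file: /etc/systemd/system/vaultbot.service

vaultbot.timer:
  service.running:
    - enable: true
    - onchanges:
      - file: /etc/systemd/system/vaultbot.timer
      - file: /etc/systemd/system/vaultbot.service
      - file: /etc/default/vaultbot
      - cmd: vaultbot-download
      - cmd: vaultbot-set-rights

# Fire the one-shot service right away on change instead of waiting for the
# next OnCalendar tick.
systemctl start vaultbot.service:
  cmd.run:
    - onchanges:
      - file: /etc/systemd/system/vaultbot.timer
      - file: /etc/systemd/system/vaultbot.service
      - file: /etc/default/vaultbot
      - cmd: vaultbot-download
      - cmd: vaultbot-set-rights
{% endmacro %}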