diff --git a/bin/test_show_highstate.sh b/bin/test_show_highstate.sh
index f7e645d..6433202 100755
--- a/bin/test_show_highstate.sh
+++ b/bin/test_show_highstate.sh
@@ -33,6 +33,10 @@ show_highstate() {
if [[ $_STATUS -eq 0 ]] || [[ $_STATUS -eq 2 ]]; then
echo_PASSED
else
+ echo
+ # errors like conflicting IDs get displayed on stdout, not stderr, see https://github.com/saltstack/salt/issues/52653
+ echo "== running test again without /dev/null'ing stdout =="
+ $RUN_TEST
echo_FAILED
STATUS=1
fi
diff --git a/pillar/id/pinot_infra_opensuse_org.sls b/pillar/id/pinot_infra_opensuse_org.sls
new file mode 100644
index 0000000..2a8f7b4
--- /dev/null
+++ b/pillar/id/pinot_infra_opensuse_org.sls
@@ -0,0 +1,10 @@
+grains:
+ city: nuremberg
+ country: de
+ hostusage:
+ - countdown.o.o
+ roles:
+ - countdown
+ reboot_safe: yes
+ salt_cluster: opensuse
+ virt_cluster: atreju
diff --git a/pillar/role/countdown.sls b/pillar/role/countdown.sls
new file mode 100644
index 0000000..1526fdb
--- /dev/null
+++ b/pillar/role/countdown.sls
@@ -0,0 +1,40 @@
+apparmor:
+ profiles:
+ httpd2-prefork:
+ source: salt://profile/countdown/files/httpd2-prefork.apparmor
+ template: jinja
+
+profile:
+ countdown:
+ languages:
+ - af
+ - bg
+ - cs
+ - da
+ - de
+ - el
+ - en
+ - es
+ - fi
+ - fr
+ - gl
+ - hr
+ - hu
+ - id
+ - it
+ - ja
+ - lt
+ - nb
+ - nl
+ - pl
+ - pt
+ - pt_BR
+ - ro
+ - ru
+ - sk
+ - sv
+ - tr
+ - tw
+ - wa
+ - zh
+ redirect_target: 'Portal:15.1'
diff --git a/salt/profile/countdown/apache.sls b/salt/profile/countdown/apache.sls
new file mode 100644
index 0000000..062acc6
--- /dev/null
+++ b/salt/profile/countdown/apache.sls
@@ -0,0 +1,28 @@
+apache2:
+ pkg.installed:
+ - pkgs:
+ - apache2-mod_apparmor
+ - apache2-prefork
+ service.running:
+ - enable: True
+
+/etc/apache2/vhosts.d/countdown.opensuse.org.conf:
+ file.managed:
+ - listen_in:
+ - service: apache2
+ - source: salt://profile/countdown/files/apache-vhost.conf
+ - template: jinja
+
+sysconfig_apache2_countdown:
+ file.replace:
+ - name: /etc/sysconfig/apache2
+ - pattern: ^APACHE_MODULES=.*$
+ # original line: "actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout authn_core php7 rewrite"
+ - repl: APACHE_MODULES=" alias apparmor auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex dir env expires include log_config mime negotiation setenvif socache_shmcb reqtimeout authn_core rewrite remoteip status"
+ - listen_in:
+ - service: apache2
+
+/etc/logrotate.d/apache2-vhosts:
+ file.managed:
+ # same file as used for the wikis, no need to duplicate it
+ - source: salt://profile/wiki/files/apache2-wiki.logrotate
diff --git a/salt/profile/countdown/countdown.sls b/salt/profile/countdown/countdown.sls
new file mode 100644
index 0000000..aa59f01
--- /dev/null
+++ b/salt/profile/countdown/countdown.sls
@@ -0,0 +1,49 @@
+countdown_packages:
+ pkg.installed:
+ - pkgs:
+ - adobe-sourcesanspro-fonts
+ - git
+ - google-opensans-fonts
+ - inkscape
+ - optipng
+ - rsync
+
+countdown:
+ user.present:
+ - fullname: countdown.o.o
+ - home: /srv/www/countdown.opensuse.org
+
+{% set countdown_dirs = ['/srv/www/countdown.opensuse.org', '/srv/www/countdown.opensuse.org/output', '/srv/www/countdown.opensuse.org/public'] %}
+
+{% for dir in countdown_dirs %}
+{{ dir }}:
+ file.directory:
+ - user: countdown
+{% endfor %}
+
+/etc/cron.d/countdown.opensuse.org:
+ file.managed:
+ - contents:
+ - '0 * * * * countdown /srv/www/countdown.opensuse.org/svg/cron.sh -G -E && rsync -a --delete-after /srv/www/countdown.opensuse.org/output/ /srv/www/countdown.opensuse.org/public/'
+
+cron:
+ service.running:
+ - enable: True
+
+countdown_git:
+ git.latest:
+ - name: https://github.com/openSUSE/countdown.o.o.git
+ - target: /srv/www/countdown.opensuse.org/git
+ - user: countdown
+ - force_reset: True
+ - require:
+ - pkg: countdown_packages
+
+# TODO (after Leap 15 release?): change path in countdown.o.o cron.sh and get rid of these symlinks
+/home/counter.opensuse.org:
+ file.symlink:
+ - target: /srv/www/countdown.opensuse.org
+
+/srv/www/countdown.opensuse.org/svg:
+ file.symlink:
+ - target: /srv/www/countdown.opensuse.org/git
diff --git a/salt/profile/countdown/files/apache-vhost.conf b/salt/profile/countdown/files/apache-vhost.conf
new file mode 100644
index 0000000..d49b87f
--- /dev/null
+++ b/salt/profile/countdown/files/apache-vhost.conf
@@ -0,0 +1,47 @@
+
+ ServerName countdown.opensuse.org
+ ServerAlias counter.opensuse.org
+ UseCanonicalName Off
+
+ AADefaultHatName vhost_countdown
+
+ DocumentRoot /srv/www/countdown.opensuse.org/public
+
+
+ Require all granted
+
+ Options +FollowSymlinks
+
+
+
+ Options Multiviews FollowSymLinks IncludesNoExec
+ DirectoryIndex medium
+
+
+ # Use language detection only if "whatever.png" gets requested, but not if "whatever.xy.png" gets requested.
+ # This ensures that "whatever.xy.png" always gets delivered, even if it doesn't match the browser's Accept-Language header.
+
+ LanguagePriority en
+
+ {% for lang in pillar['profile']['countdown']['languages']|sort %}
+ AddLanguage {{lang}} .{{lang}}.png
+ {%- endfor %}
+
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_FILENAME} !-f
+ RewriteRule ^(.+)\.png/?$ $1
+ RewriteRule ^/?((small|medium|large|wide)-nolabel)/?$ /$1 [PT]
+ RewriteRule ^/?((small|medium|large|wide)-label)/?$ /$1 [PT]
+ RewriteRule ^/?(|small|medium|large|wide)/?$ /$1 [PT]
+
+ RedirectTemp /goto/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+ RedirectTemp /link/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+ RedirectTemp /redirect/ https://en.opensuse.org/{{ pillar['profile']['countdown']['redirect_target'] }}?pk_campaign=counter
+
+ LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" combinedproxy
+ CustomLog "/var/log/apache2/countdown-access_log" combinedproxy
+
+
+
+# vim:ft=apache
diff --git a/salt/profile/countdown/files/httpd2-prefork.apparmor b/salt/profile/countdown/files/httpd2-prefork.apparmor
new file mode 100644
index 0000000..38045ac
--- /dev/null
+++ b/salt/profile/countdown/files/httpd2-prefork.apparmor
@@ -0,0 +1,127 @@
+# managed by salt - do not edit!
+
+# $Id: usr.sbin.httpd2-prefork 12 2006-04-12 21:35:41Z steve-beattie $
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include
+
+profile httpd2-prefork /usr/sbin/httpd{,2}-prefork flags=(complain,attach_disconnected) {
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+ #include
+
+ capability dac_override,
+ capability kill,
+ capability net_admin,
+ capability net_bind_service,
+ capability setgid,
+ capability setuid,
+ capability sys_ptrace,
+ capability sys_tty_config,
+
+ / rw,
+ /bin/bash rix,
+ /dev/random r,
+ /etc/apache2/*.conf r,
+ owner /etc/apache2/conf.d/ r,
+ /etc/apache2/magic r,
+ /etc/apache2/mod_perl-startup.pl r,
+ /etc/apache2/sysconfig.d/ r,
+ /etc/apache2/vhosts.d/ r,
+ /etc/apache2/vhosts.d/hostings/ r,
+ /etc/apache2/{conf,sysconfig,vhosts}.d/* r,
+ /etc/fstab r,
+ /etc/mime.types r,
+ /etc/mtab r,
+ /etc/odbcinst.ini r,
+ /proc/*/attr/current rw,
+ /proc/meminfo r,
+ /proc/sys/kernel/ngroups_max r,
+ /run/httpd.pid rw,
+ /tmp/magic* rw,
+ /usr/apache2/error/* r,
+ /usr/lib/apache2-leader/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-metuxmpm/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-prefork/{lib,mod_}*.so* mr,
+ /usr/lib/apache2-worker/{lib,mod_}*.so* mr,
+ /usr/lib/apache2/modules/{lib,mod_}*.so* mr,
+ /usr/lib/apache2/{lib,mod_}*.so mr,
+ /usr/lib64/apache2-leader/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-metuxmpm/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-prefork/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2-worker/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2/modules/{lib,mod_}*.so* mr,
+ /usr/lib64/apache2/{lib,mod_}*.so* mr,
+ /usr/sbin/httpd{,2}-prefork mr,
+ /usr/sbin/suexec2 mrix,
+ /usr/share/apache2/error/** r,
+ /usr/share/apache2/icons/** r,
+ /usr/share/misc/magic.mime r,
+ /usr/share/snmp/mibs r,
+ /usr/share/snmp/mibs/*.{txt,mib} r,
+ /usr/share/snmp/mibs/.index rw,
+ /var/lib/apache2/ssl_mutex w,
+ /var/log/apache2/* rwl,
+
+ ^DEFAULT_URI flags=(complain,attach_disconnected) {
+ #include
+
+ /proc/meminfo r,
+ /usr/share/zoneinfo/ r,
+ /usr/share/zoneinfo/** r,
+ /var/log/apache2/access_log w,
+ /var/log/apache2/error_log w,
+
+ }
+
+ ^HANDLING_UNTRUSTED_INPUT flags=(complain,attach_disconnected) {
+ #include
+
+ /**/.htaccess r,
+ /dev/urandom r,
+ /proc/*/attr/current w,
+ /var/lib/apache2/ssl_mutex wk,
+ /var/log/apache2/access_log w,
+ /var/log/apache2/error_log w,
+ /var/log/apache2/error_log-20[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/ssl_request_log w,
+
+ # strange, but happens in practise
+ /var/log/apache2/countdown-access_log w,
+
+ }
+
+ ^vhost_countdown flags=(complain,attach_disconnected) {
+ #include
+ #include
+
+ / r,
+# /bin/bash rix,
+# /dev/tty rw,
+# /proc/meminfo r,
+# /usr/bin/timeout rix,
+ /var/log/apache2/countdown-access_log w,
+ /var/log/apache2/countdown-access_log-21[12][0-9][01][0-9][0-3][0-9] w,
+ /var/log/apache2/error_log w,
+
+ /srv/www/countdown.opensuse.org/ r,
+ /srv/www/countdown.opensuse.org/** r,
+ }
+
+}
+
+# vim: ft=apparmor expandtab
+
diff --git a/salt/profile/countdown/init.sls b/salt/profile/countdown/init.sls
new file mode 100644
index 0000000..9ef6597
--- /dev/null
+++ b/salt/profile/countdown/init.sls
@@ -0,0 +1,3 @@
+include:
+ - profile.countdown.apache
+ - profile.countdown.countdown
diff --git a/salt/role/countdown.sls b/salt/role/countdown.sls
new file mode 100644
index 0000000..b5bbf8e
--- /dev/null
+++ b/salt/role/countdown.sls
@@ -0,0 +1,2 @@
+include:
+ - profile.countdown