etc/salt-master/master.d/saltshaker.conf

# Common settings
interface: 0.0.0.0
log_level: debug
#log_file: /dev/stderr

pidfile: /run/salt-master.pid

# Extension modules
extension_modules: /srv/salt-modules

# File server
file_roots:
    base:
        - /srv/salt

# Pillars
pillar_roots:
    base:
        - /srv/pillar


dynamicsecrets.consul_url: http://169.254.1.1:8500/
dynamicsecrets.consul_token_secret: consul-acl-master-token

# load the dynamic secrets pillar
ext_pillar:
    - dynamicsecrets:
        config:
            approle-auth-token:
                type: uuid
            authserver-role-id:
                type: uuid
            concourse-encryption:
                length: 32
            concourse-hostkey:
                length: 2048
                type: rsa
            concourse-oauth2-read:
                type: uuid
            concourse-role-id:
                type: uuid
            concourse-signingkey:
                length: 2048
                type: rsa
            consul-acl-master-token:
                type: uuid
            consul-acl-token:
                type: consul-acl-token
                unique-per-host: True
            consul-agent-master-token:
                type: uuid
            consul-encryptionkey:
                encode: base64
                length: 16
            dkimsigner-role-id:
                type: uuid
            gpg-auth-token:
                type: uuid
            gpg-read-token:
                type: uuid
            mailforwarder-role-id:
                type: uuid
        grainmapping:
            roles:
                authserver:
                    - approle-auth-token
                    - authserver
                    - authserver-role-id
                    - concourse-oauth2-read
                    - dkimsigner-role-id
                    - dovecot-authserver
                    - mailforwarder-role-id
                    - opensmtpd-authserver
                buildserver:
                    - approle-auth-token
                    - concourse-db
                    - concourse-encryption
                    - concourse-hostkey
                    - concourse-oauth2-read
                    - concourse-role-id
                    - concourse-signingkey
                    - concourse-sysop
                buildworker:
                    - approle-auth-token
                    - concourse-hostkey
                    - concourse-role-id
                    - concourse-role-id
                consulserver:
                    - consul-acl-token
                    - consul-acl-master-token
                    - consul-agent-master-token
                database:
                    - authserver
                    - checkuser
                    - concourse-db
                    - dkimsigner
                    - dovecot-authserver
                    - mailforwarder
                    - opensmtpd-authserver
                    - postgres
                    - secure-vault
                    - vault-db-credential-admin
                mail:
                    - approle-auth-token
                    - dkimsigner-role-id
                    - dovecot-authserver
                    - mailforwarder-role-id
                    - opensmtpd-authserver
                vault:
                    - approle-auth-token
                    - authserver-role-id
                    - concourse-oauth2-read
                    - concourse-role-id
                    - dkimsigner-role-id
                    - mailforwarder-role-id
                    - secure-vault
        hostmapping:
            '*':
                - consul-acl-token
                - consul-encryptionkey
                - gpg-auth-token
                - gpg-read-token


# make sure that all minions run the roledir grain before their initial highstate
# http://docs.saltstack.com/en/latest/topics/reactor/#syncing-custom-types-on-minion-start
reactor:
    - 'salt/minion/*/start':
        - /srv/reactor/sync-all.sls
        - /srv/reactor/consul-acl.sls
    - 'maurusnet/consul/installed':
        - /srv/reactor/consul-acl.sls
    - 'maurusnet/highstate/complete':
        - /srv/reactor/sync-all.sls


hash_type: sha256

# Peer publishing
peer:
    .*:
        - grains.ls
        - grains.get