infrastructure.salt: introduce salt-stage/pistis

New states for manging the repository validation and staging service
using Pistis.

Signed-off-by: Georg Pfuetzenreuter <[email protected]>

infrastructure-formula/infrastructure/salt/files/etc/systemd/system/salt-stage.path

@@ -0,0 +1,27 @@
+# Path unit to watch for Salt Git repository changes.
+# Copyright (C) 2024 Georg Pfuetzenreuter <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+{{ pillar.get('managed_by_salt_formula', '# Managed by the infrastructure formula') }}
+
+[Unit]
+Description=Salt repository monitor
+
+[Path]
+PathChanged={{ directory }}/.git/refs/heads/{{ branch }}
+TriggerLimitBurst=50
+
+[Install]
+WantedBy=paths.target

infrastructure-formula/infrastructure/salt/files/etc/systemd/system/salt-stage.service

@@ -0,0 +1,27 @@
+# Service unit to validate and copy a Salt Git repository.
+# Copyright (C) 2024 Georg Pfuetzenreuter <[email protected]>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+{{ pillar.get('managed_by_salt_formula', '# Managed by the infrastructure formula') }}
+{%- set pistis = salt['pillar.get']('infrastructure:salt:pistis', {}) %}
+
+[Unit]
+Description=Salt repository validation
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/pistis
+ExecStart=pistis{{ ' -gitlab ' ~ pistis.gitlab if 'gitlab' in pistis }} -repository {{ directory }}{{ ' -ignore-merge' if pistis.get('ignore-merge') is True }}{{ ' -loglevel ' ~ pistis.loglevel if 'loglevel' in pistis }}
+ExecStartPost=rsync -a {{ directory }}/ {{ directory }}-validated

infrastructure-formula/infrastructure/salt/pistis.sls

@@ -0,0 +1,31 @@
+{%- from 'infrastructure/salt/map.jinja' import git -%}
+
+salt_pistis_package:
+  pkg.installed:
+    - name: pistis
+
+salt_pistis_files:
+  file.managed:
+    - names:
+        - /etc/systemd/system/salt-stage.path:
+            - source: salt://infrastructure/salt/files/etc/systemd/system/salt-stage.path
+            - mode: '0644'
+        - /etc/systemd/system/salt-stage.service:
+            - source: salt://infrastructure/salt/files/etc/systemd/system/salt-stage.service
+            - mode: '0644'
+        - /etc/pistis:
+            - contents:
+                - {{ pillar.get('managed_by_salt_formula', '# Managed by the infrastructure formula') | yaml_encode }}
+                - 'GITLAB_TOKEN={{ salt['pillar.get']('infrastructure:salt:pistis:gitlab_token', '') }}'
+            - mode: '0600'
+    - context:
+        branch: {{ git.branch }}
+        directory: {{ git.directory }}
+    - template: jinja
+
+salt_pistis_service:
+  service.running:
+    - name: salt-stage.path
+    - reload: False
+    - watch:
+        - file: salt_pistis_files