Salt Phase 2a: codify host state as Salt states #2

Merged

forgejo_admin merged 1 commit from 2a-codify-host-state into main

2026-02-27 09:15:46 +00:00

forgejo_admin commented

2026-02-27 08:54:21 +00:00

Owner

Summary

Add Salt states that describe the archbox host exactly as it currently is
All 27 states pass salt-call state.apply test=True with zero changes
Source of truth: host-inventory-archbox (pal-e-docs, audited 2026-02-27)

Changes

salt/states/top.sls: Updated from empty ('*': []) to assign 7 state modules to archbox
salt/states/packages/init.sls: 54 pacman packages across 7 groups (base, GPU, containers, tailscale, CLI, languages, desktop). 11 AUR packages listed as comments only.
salt/states/kernel/init.sls: 8 kernel modules via kmod.present — nvidia (4), uinput, xpad, overlay, br_netfilter
salt/states/services/init.sls: 7 systemd services. salt-master/salt-minion enable: False by design. containerd enable: False (Docker dependency). k3s and sshd managed by their own dedicated states.
salt/states/users/init.sls: ldraney user (uid 1000, /usr/bin/zsh) with wheel, input, docker groups
salt/states/nvidia/init.sls + nvidia/config.toml: NVIDIA container runtime config via file.managed (mode=auto, runtimes=runc+crun, load-kmods=true)
salt/states/k3s/init.sls: Binary existence check at /usr/local/bin/k3s + service running/enabled
salt/states/ssh/init.sls + ssh/sshd_config: Current sshd_config via file.managed — NOT hardened (PermitRootLogin yes). Hardening deferred to security plan.

Key decisions:

No version pinning (Arch rolling release)
AUR packages as comments only (Salt pkg module uses pacman, not paru)
k3s and sshd in dedicated states to avoid duplicate state IDs with services state
sshd_config captures current reality, not a hardened config

Test Plan

salt-call state.show_top shows all 7 states assigned to archbox
salt-call state.show_sls <state> parses correctly for all 7 states
salt-call state.show_highstate — 27 unique state IDs, no duplicates
salt-call state.apply test=True — 27 succeeded, 0 failed, 0 changes
No regressions in existing Salt bootstrap (Phase 1 files untouched)

Review Checklist

Passed automated review-fix loop
No secrets committed
No unnecessary file changes
Commit messages are descriptive
Only salt/states/ files modified (no pillar, bootstrap, Makefile, terraform)
No firewall states (Phase 3 scope)

issue-salt-phase-2a-codify-host-state — the issue this PR addresses
plan-2026-02-26-salt-host-management — Phase 2a of the Salt host management plan
host-inventory-archbox — the host audit used as source of truth

## Summary - Add Salt states that describe the archbox host exactly as it currently is - All 27 states pass `salt-call state.apply test=True` with zero changes - Source of truth: `host-inventory-archbox` (pal-e-docs, audited 2026-02-27) ## Changes - `salt/states/top.sls`: Updated from empty (`'*': []`) to assign 7 state modules to `archbox` - `salt/states/packages/init.sls`: 54 pacman packages across 7 groups (base, GPU, containers, tailscale, CLI, languages, desktop). 11 AUR packages listed as comments only. - `salt/states/kernel/init.sls`: 8 kernel modules via `kmod.present` — nvidia (4), uinput, xpad, overlay, br_netfilter - `salt/states/services/init.sls`: 7 systemd services. salt-master/salt-minion `enable: False` by design. containerd `enable: False` (Docker dependency). k3s and sshd managed by their own dedicated states. - `salt/states/users/init.sls`: ldraney user (uid 1000, /usr/bin/zsh) with wheel, input, docker groups - `salt/states/nvidia/init.sls` + `nvidia/config.toml`: NVIDIA container runtime config via `file.managed` (mode=auto, runtimes=runc+crun, load-kmods=true) - `salt/states/k3s/init.sls`: Binary existence check at /usr/local/bin/k3s + service running/enabled - `salt/states/ssh/init.sls` + `ssh/sshd_config`: Current sshd_config via `file.managed` — NOT hardened (PermitRootLogin yes). Hardening deferred to security plan. Key decisions: - No version pinning (Arch rolling release) - AUR packages as comments only (Salt pkg module uses pacman, not paru) - k3s and sshd in dedicated states to avoid duplicate state IDs with services state - sshd_config captures current reality, not a hardened config ## Test Plan - [x] `salt-call state.show_top` shows all 7 states assigned to archbox - [x] `salt-call state.show_sls <state>` parses correctly for all 7 states - [x] `salt-call state.show_highstate` — 27 unique state IDs, no duplicates - [x] `salt-call state.apply test=True` — 27 succeeded, 0 failed, 0 changes - [ ] No regressions in existing Salt bootstrap (Phase 1 files untouched) ## Review Checklist - [x] Passed automated review-fix loop - [x] No secrets committed - [x] No unnecessary file changes - [x] Commit messages are descriptive - [x] Only salt/states/ files modified (no pillar, bootstrap, Makefile, terraform) - [x] No firewall states (Phase 3 scope) ## Related Notes - `issue-salt-phase-2a-codify-host-state` — the issue this PR addresses - `plan-2026-02-26-salt-host-management` — Phase 2a of the Salt host management plan - `host-inventory-archbox` — the host audit used as source of truth

forgejo_admin added 1 commit

2026-02-27 08:54:21 +00:00

Salt Phase 2a: codify host state as Salt states 3784b4cdc2

Add Salt states that describe the archbox host exactly as it is.
All 27 states pass `state.apply test=True` with zero changes.

State modules:
- packages: 54 pacman packages (AUR listed as comments)
- kernel: nvidia, uinput, xpad, overlay, br_netfilter modules
- services: tailscaled, ollama, docker, containerd, NetworkManager, salt-*
- users: ldraney user with wheel, input, docker groups
- nvidia: container runtime config.toml (file.managed)
- k3s: binary existence + service running
- ssh: sshd_config (file.managed) — current state, NOT hardened

Source of truth: host-inventory-archbox (pal-e-docs)
Plan: plan-2026-02-26-salt-host-management

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

forgejo_admin commented

2026-02-27 08:55:01 +00:00

Author

Owner

Review Pass: CLEAN

Reviewed all 10 changed files (527 additions, 11 deletions). Zero issues found.

File-by-file review

File	Status	Notes
`salt/states/top.sls`	OK	Correctly targets `archbox` minion ID, not wildcard
`salt/states/packages/init.sls`	OK	54 native packages, 11 AUR as comments. No version pins.
`salt/states/kernel/init.sls`	OK	8 modules via `kmod.present`, logically grouped
`salt/states/services/init.sls`	OK	k3s/sshd excluded (dedicated states). salt-* `enable: False` correct.
`salt/states/users/init.sls`	OK	uid/gid/shell/groups match `id ldraney` output. Group dependencies declared.
`salt/states/nvidia/init.sls`	OK	`file.managed` with dir prereq. Mode 0644/0755 verified against host.
`salt/states/nvidia/config.toml`	OK	Byte-for-byte match with `/etc/nvidia-container-runtime/config.toml`
`salt/states/k3s/init.sls`	OK	Binary existence + service check with dependency
`salt/states/ssh/init.sls`	OK	`watch` triggers sshd restart on config change. Security warnings documented.
`salt/states/ssh/sshd_config`	OK	Matches live host. `PermitRootLogin yes` documented as current reality.

Verification confirmed

state.show_top: 7 states assigned to archbox
state.show_highstate: 27 unique state IDs, no duplicates
state.apply test=True: 27 succeeded, 0 failed, 0 changes
File permissions verified: sshd_config=644, nvidia dir=755, nvidia config=644

No issues found

No secrets in any file
No out-of-scope changes (pillar, bootstrap, Makefile, terraform untouched)
No firewall states (Phase 3)
Boundaries respected

Ready for merge.

## Review Pass: CLEAN Reviewed all 10 changed files (527 additions, 11 deletions). Zero issues found. ### File-by-file review | File | Status | Notes | |------|--------|-------| | `salt/states/top.sls` | OK | Correctly targets `archbox` minion ID, not wildcard | | `salt/states/packages/init.sls` | OK | 54 native packages, 11 AUR as comments. No version pins. | | `salt/states/kernel/init.sls` | OK | 8 modules via `kmod.present`, logically grouped | | `salt/states/services/init.sls` | OK | k3s/sshd excluded (dedicated states). salt-* `enable: False` correct. | | `salt/states/users/init.sls` | OK | uid/gid/shell/groups match `id ldraney` output. Group dependencies declared. | | `salt/states/nvidia/init.sls` | OK | `file.managed` with dir prereq. Mode 0644/0755 verified against host. | | `salt/states/nvidia/config.toml` | OK | Byte-for-byte match with `/etc/nvidia-container-runtime/config.toml` | | `salt/states/k3s/init.sls` | OK | Binary existence + service check with dependency | | `salt/states/ssh/init.sls` | OK | `watch` triggers sshd restart on config change. Security warnings documented. | | `salt/states/ssh/sshd_config` | OK | Matches live host. `PermitRootLogin yes` documented as current reality. | ### Verification confirmed - `state.show_top`: 7 states assigned to archbox - `state.show_highstate`: 27 unique state IDs, no duplicates - `state.apply test=True`: 27 succeeded, 0 failed, **0 changes** - File permissions verified: sshd_config=644, nvidia dir=755, nvidia config=644 ### No issues found - No secrets in any file - No out-of-scope changes (pillar, bootstrap, Makefile, terraform untouched) - No firewall states (Phase 3) - Boundaries respected Ready for merge.