Implement proper provisioning for gvaldap

- merge improvements from the internal saltstack repository
- define dummy secrets in the pillars
- use systemd to setup the gvaldap celery worker

pillar/gnuviechadmin/gvaldap.sls

@@ -2,10 +2,17 @@ include:
   - gnuviechadmin
   - gnuviechadmin.queues.common
   - gnuviechadmin.queues.gvaldap
+  - ldapserver
 
 gnuviechadmin:
   component:
     name: gvaldap
     amqp_user: ldap
   ldap_admin_user: ldapadmin
+  ldap_admin_password: NnVnGoWBVw6BKb9DhTwHAz0ICrdiDy+HL1A6F2Rz
   allowed_hosts: 127.0.0.1,gvaldap.local,localhost
+  gvaldap:
+    git_url: https://git.dittberner.info/gnuviech/gvaldap.git
+    git_branch: master
+    celery_module: ldaptasks
+    django_secret_key: IyOiTDt2DMo4gBVTwZ+E2p+mI1S/rNzZVIFlSr6TpgtxtsJODOVWHaxgVW3FqGZVaFU=

pillar/gnuviechadmin/gvamysql.sls

@@ -8,3 +8,4 @@ gnuviechadmin:
     name: gvamysql
     amqp_user: mysql
   mysql_admin_user: gvamysql
+  mysql_admin_password: jSXstgT/AbWofdI2tJWYpQvFX1mtxt4tFMlrYxSA

pillar/gnuviechadmin/gvapgsql.sls

@@ -7,4 +7,5 @@ gnuviechadmin:
   component:
     name: gvapgsql
     amqp_user: pgsql
-  postgresql_admin_user: gvapgsql
+  pgsql_admin_user: gvapgsql
+  pgsql_admin_password: AAv6d1t9p/vtX/kVorim2MJROQfQPWJoZP3mzyMW

pillar/gnuviechadmin/init.sls

@@ -1,4 +1,6 @@
 gnuviechadmin:
+  ssh_known_hosts: |
+      nextgit.gnuviech-server.de ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBESb6Q0nyvx82wJ0S6Jx7ZvY6wJzuwqh2zWOlXzLDcor8Pu5iLqUn5GywS0ooyl3Hkyn983R6Zdr49zgTroRwQA=
   deploymenttype: local
   mailfrom: admin@gnuviech-server.de
   adminemail: admin@gnuviech-server.de
@@ -18,6 +20,7 @@ gnuviechadmin:
   ldap_users_ou: users
   redis_password: j2gfWeACPrj0R2xkgv4KAznCM9nCuUb4
   redis_host: gva.local
+  django_secret_key: yBnbG4azhNaTxIW0/Rv2dEij9PcVU1KVR//1bR6LujmLBnZJw8OOrEi2dIqz3pyOdG8=
   machines:
     gva.local:
       ip: 172.16.3.2

pillar/ldapserver.sls

@@ -0,0 +1,2 @@
+slapd:
+  admin_password: W3HelITKNF1jR5YoCCsbQzkktf61ylXb8xEEAFqU

states/gnuviechadmin/celery-worker.service

@@ -0,0 +1,12 @@
+[Unit]
+Description={{ description }}
+
+[Service]
+EnvironmentFile=-/etc/default/{{ appname }}
+ExecStart={{ virtualenv }}/bin/celery worker -A {{ celery_module }} -Q {{ amqpname }} --loglevel=INFO
+Restart=on-failure
+User={{ app_user }}
+WorkingDirectory={{ checkout }}/{{ appname }}
+
+[Install]
+WantedBy=multi-user.target

states/gnuviechadmin/gva/settings.sh

@@ -10,7 +10,7 @@ export GVA_PGSQL_HOSTNAME="{{ salt['pillar.get']('gnuviechadmin:database:host')
 export GVA_PGSQL_PORT={{ salt['pillar.get']('gnuviechadmin:database:port') }}
 export GVA_DOMAIN_NAME="{{ salt['pillar.get']('gnuviechadmin:domainname') }}"
 export GVA_SITE_NAME="{{ salt['pillar.get']('gnuviechadmin:sitename') }}"
-export GVA_SITE_SECRET="{{ salt['grains.get_or_set_hash']('gnuviechadmin:SECRET_KEY', 50) }}"
+export GVA_SITE_SECRET="{{ salt['pillar.get']('gnuviechadmin:django_secret_key') }}"
 export GVA_SITE_ADMINMAIL="{{ salt['pillar.get']('gnuviechadmin:adminemail') }}"
 export GVA_MIN_OS_UID={{ salt['pillar.get']('gnuviechadmin:minosuid') }}
 export GVA_MIN_OS_GID={{ salt['pillar.get']('gnuviechadmin:minosgid') }}

states/gnuviechadmin/gvaapp_macros.sls

@@ -0,0 +1,225 @@
+{% macro gvaapp_base(gvaappname, servicename) -%}
+include:
+- python.pipenv
+- python.virtualenv
+
+{% set app_home = salt['grains.get']('gnuviechadmin:home', '/home/{}'.format(gvaappname)) %}
+{% set app_user = salt['grains.get']('gnuviechadmin:user', gvaappname) %}
+{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
+{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
+
+{% set appfullname = 'GNUViech Admin {} User'.format(grains['gnuviechadmin']['fullname']) -%}
+{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
+{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
+{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
+{% set deployment_key = '{}/.ssh/id_deployment'.format(app_home) -%}
+
+{{ gvaappname }}-group:
+  group.present:
+    - name: {{ app_group }}
+
+{{ gvaappname }}-user:
+  user.present:
+    - name: {{ app_user }}
+    - home: {{ app_home }}
+    - shell: /bin/bash
+    - fullname: {{ appfullname }}
+    - groups:
+      - {{ app_group }}
+  alias.present:
+    - target: root
+
+gvabase-dependencies:
+  pkg.installed:
+    - name: build-essential
+
+{% if update_git %}
+{{ app_home }}/.ssh:
+  file.directory:
+    - user: {{ app_user }}
+    - group: {{ app_group }}
+    - mode: 0700
+    - require:
+      - user: {{ gvaappname }}-user
+
+SSH Deployment Key:
+  cmd.run:
+    - name: ssh-keygen -t ed25519 -C "Deployment key for {{ gvaappname }}" -N "" -f {{ deployment_key }}
+    - creates: {{ deployment_key }}
+    - runas: {{ app_user }}
+    - requires:
+      - file: {{ app_home }}/.ssh
+    - require_in:
+        git: {{ gitrepo }}
+
+SSH known hosts configuration:
+  file.managed:
+    - name: {{ app_home }}/.ssh/known_hosts
+    - user: {{ app_user }}
+    - group: {{ app_group }}
+    - mode: 0600
+    - contents_pillar: gnuviechadmin:ssh_known_hosts
+    - require:
+      - file: {{ app_home }}/.ssh
+    - require_in:
+        git: {{ gitrepo }}
+
+SSH configuration:
+  file.managed:
+    - name: {{ app_home }}/.ssh/config
+    - user: {{ app_user }}
+    - group: {{ app_group }}
+    - mode: 0600
+    - source: salt://gnuviechadmin/ssh_deploy_config
+    - template: jinja
+    - context:
+        key: {{ deployment_key }}
+    - require:
+      - file: {{ app_home }}/.ssh
+    - require_in:
+        git: {{ gitrepo }}
+{% endif %}
+
+{{ checkout }}:
+  file.directory:
+    - user: {{ app_user }}
+    - group: {{ app_group }}
+    - mode: 0755
+    - require:
+      - user: {{ gvaappname }}-user
+
+{% if update_git %}
+{{ gitrepo }}:
+  git.latest:
+    - user: {{ app_user }}
+    - target: {{ checkout }}
+    - rev: {{ salt['pillar.get']('gnuviechadmin:{}:git_branch'.format(gvaappname), 'production') }}
+    - require:
+      - file: {{ checkout }}
+    - watch_in:
+      - cmd: {{ gvaappname }}-requirements
+      - service: {{ servicename }}
+{% endif %}
+
+rm -rf {{ venv }}:
+  cmd.run:
+    - runas: {{ app_user }}
+    - unless: test -f {{ venv }}/bin/python3
+    - require:
+      - user: {{ gvaappname }}-user
+
+create-{{ gvaappname }}-venv:
+  cmd.run:
+    - name: python3 -m virtualenv --python=python3 {{ venv }}
+    - runas: {{ app_user }}
+    - unless: test -f {{ venv }}/bin/pip3
+    - require:
+      - user: {{ gvaappname }}-user
+      - python3-virtualenv-packages
+    - watch_in:
+      - cmd: update-{{ gvaappname }}-pip
+
+update-{{ gvaappname }}-pip:
+  cmd.wait:
+    - name: {{ venv }}/bin/python3 -m pip install -U pip
+    - runas: {{ app_user }}
+    - require:
+      - user: {{ gvaappname }}-user
+
+{{ venv }}:
+  file.directory:
+    - user: {{ app_user }}
+    - group: {{ app_group }}
+    - require:
+      - cmd: create-{{ gvaappname }}-venv
+    - watch_in:
+      - cmd: {{ gvaappname }}-requirements
+
+{{ gvaappname }}-requirements:
+  cmd.wait:
+    - name: /usr/local/bin/pipenv install --deploy
+    - runas: {{ app_user }}
+    - cwd: {{ checkout }}
+    - env:
+      - VIRTUAL_ENV: "{{ venv }}"
+      - PIPENV_HIDE_EMOJIS: 1
+      - PIPENV_NOSPIN: 1
+      - PIPENV_COLORBLIND: 1
+      - LC_ALL: C.UTF-8
+      - LANG: C.UTF-8
+    - require:
+      - cmd: install_pipenv
+      - file: {{ venv }}
+      {%- if update_git %}
+      - git: {{ gitrepo }}
+      {%- else %}
+      - file: {{ checkout }}
+      {%- endif %}
+      - pkg: gvabase-dependencies
+    - unless: test $(find {{ venv }} -type f -cnewer Pipfile.lock \! -name '*.pyc'|wc -l) -gt 0
+    - watch_in:
+      - service: {{ servicename }}
+{% endmacro %}
+
+{% macro create_celery_worker(gvaappname, purpose) %}
+{% set app_home = salt['grains.get']('gnuviechadmin:home', '/home/{}'.format(gvaappname)) %}
+{% set app_user = salt['grains.get']('gnuviechadmin:user', gvaappname) %}
+{% set app_group = salt['grains.get']('gnuviechadmin:group', gvaappname) %}
+
+{% set venv = "{}/{}-venv".format(app_home, gvaappname) -%}
+{% set checkout = salt['grains.get']('gnuviechadmin:checkout', '/srv/{}'.format(gvaappname)) -%}
+{% set gitrepo = salt['pillar.get']('gnuviechadmin:{}:git_url'.format(gvaappname), 'git:gnuviech/{}.git'.format(gvaappname)) -%}
+{% set update_git = salt['grains.get']('gnuviechadmin:update_git', True) %}
+
+{% set servicename = gvaappname + "-celery-worker" %}
+{% set amqp_user = grains['gnuviechadmin']['amqpuser'] -%}
+{{ gvaapp_base(gvaappname, servicename ) }}
+/etc/default/{{ gvaappname }}:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0640
+    - source: salt://gnuviechadmin/{{ gvaappname }}/celery-worker.env
+    - template: jinja
+    - context:
+        virtualenv: {{ venv }}
+        checkout: {{ checkout }}
+        broker_url: amqp://{{ amqp_user }}:{{ salt['pillar.get']('gnuviechadmin-queues:users:' + amqp_user + ':password') }}@mq/{{ salt['pillar.get']('gnuviechadmin-queues:vhost') }}
+    - watch_in:
+      - service: {{ servicename }}
+
+/etc/systemd/system/{{ servicename }}.service:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0640
+    - source: salt://gnuviechadmin/celery-worker.service
+    - template: jinja
+    - context:
+        virtualenv: {{ venv }}
+        checkout: {{ checkout }}
+        app_user: {{ app_user }}
+        appname: {{ gvaappname }}
+        celery_module: {{ salt['pillar.get']('gnuviechadmin:{}:celery_module'.format(gvaappname), gvaappname) }}
+        amqpname: {{ amqp_user }}
+        description: Gnuviechadmin celery worker {{ purpose|default(gvaappname) }}
+    - watch_in:
+      - service: {{ servicename }}
+
+{{ servicename }}:
+  service.running:
+    - enable: True
+    - require:
+      - file: {{ venv }}
+      {%- if update_git %}
+      - git: {{ gitrepo }}
+      {%- else %}
+      - file: {{ checkout }}
+      {%- endif %}
+      - file: /etc/systemd/system/{{ servicename }}.service
+    - watch:
+      - cmd: {{ gvaappname }}-requirements
+      {%- if update_git %}
+      - git: {{ gitrepo }}
+      {%- endif %}
+{% endmacro %}

states/gnuviechadmin/gvaldap.sls

@@ -1,15 +1,15 @@
-include:
+{% set gvaappname = salt['grains.get']('gnuviechadmin:appname') %}
-  - gnuviechadmin.base
+{% set purpose = "for LDAP data management" %}
-  - gnuviechadmin.django
+{% from 'gnuviechadmin/gvaapp_macros.sls' import create_celery_worker with context %}
-  - gnuviechadmin.celery
+{{ create_celery_worker(gvaappname, purpose) }}
 
-gvaldap-packages:
+{{ gvaappname }}-dependencies:
   pkg.installed:
     - pkgs:
       - libldap2-dev
       - libsasl2-dev
     - require_in:
-      - pkg: gnuviechadmin-packages
+      - cmd: {{ gvaappname }}-requirements
 
 base-ldap-objects:
   cmd.script:

states/gnuviechadmin/gvaldap/celery-worker.env

@@ -0,0 +1,13 @@
+DJANGO_SETTINGS_MODULE="gvaldap.settings"
+GVALDAP_ADMIN_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_email') }}"
+GVALDAP_ADMIN_NAME="{{ salt['pillar.get']('gnuviechadmin-gvaldap:admin_name') }}"
+GVALDAP_ALLOWED_HOSTS="{{ salt['pillar.get']('gnuviechadmin-gvaldap:allowed_hosts') }}"
+GVALDAP_BASEDN_GROUP="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_group') }}"
+GVALDAP_BASEDN_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:basedn_user') }}"
+GVALDAP_BROKER_URL="{{ broker_url }}"
+GVALDAP_RESULTS_REDIS_URL="{{ 'redis://:{}@{}/0'.format(salt['pillar.get']('gnviechadmin:redis_password'), salt['pillar.get']('gnuviechadmin:redis_host')) }}"
+GVALDAP_LDAP_PASSWORD="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_password' ) }}"
+GVALDAP_LDAP_URL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_url') }}"
+GVALDAP_LDAP_USER="{{ salt['pillar.get']('gnuviechadmin-gvaldap:ldap_user') }}"
+GVALDAP_SECRETKEY="{{ salt['pillar.get']('gnuviechadmin-gvaldap:django_secret_key') }}"
+GVALDAP_SERVER_EMAIL="{{ salt['pillar.get']('gnuviechadmin-gvaldap:server_email') }}"

states/gnuviechadmin/gvaldap/create_base_ldap_objects.sh

@@ -6,6 +6,7 @@ set -e
 {% set ldap_admin_user = salt['pillar.get']('gnuviechadmin:ldap_admin_user') %}
 {% set ldap_groups_ou = salt['pillar.get']('gnuviechadmin:ldap_groups_ou') %}
 {% set ldap_users_ou = salt['pillar.get']('gnuviechadmin:ldap_users_ou') %}
+{% set ldap_admin_password = salt['pillar.get']('gnuviechadmin:ldap_admin_password') %}
 
 # setup password hashing for cleartext input
 ldapadd -v -H ldapi:// -Y EXTERNAL -f /etc/ldap/schema/ppolicy.ldif
@@ -48,7 +49,7 @@ olcAccess: {4}to *
 EOD
 
 # add OUs, groups and ldapadmin user
-ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["grains.get_or_set_hash"]("slapd:password", 16) }}' <<EOD
+ldapmodify -v -H {{ salt['pillar.get']('gnuviechadmin:ldap_url') }} -x -D "cn=admin,{{ base_dn }}" -w '{{ salt["pillar.get"]("slapd:admin_password") }}' <<EOD
 dn: ou={{ ldap_users_ou }},{{ base_dn }}
 changetype: add
 objectClass: top
@@ -87,5 +88,5 @@ objectClass: simpleSecurityObject
 objectClass: organizationalRole
 cn: {{ ldap_admin_user }}
 description: LDAP manager for celery worker
-userPassword:: {{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16).encode("base64") }}
+userPassword:: {{ salt['hashutil.base64_b64encode'](ldap_admin_password) }}
 EOD

states/gnuviechadmin/gvaldap/run_celery.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-
-set -ex
-
-. {{ home }}/gvasettings.sh
-
-unset LANG LANGUAGE LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY \
-    LC_MESSAGES LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT \
-    LC_IDENTIFICATION LC_ALL
-
-cd {{ appdir }}
-{{ virtualenv }}/bin/celery worker -A gvaldap -Q ldap --loglevel=INFO

states/gnuviechadmin/gvaldap/settings.sh

@@ -1,15 +0,0 @@
-#!/bin/sh
-
-export DJANGO_SETTINGS_MODULE='gvaldap.settings.{{ salt['pillar.get']('gnuviechadmin:deploymenttype', 'production') }}'
-export GVALDAP_ADMIN_NAME='Jan Dittberner'
-export GVALDAP_ADMIN_EMAIL='{{ salt['pillar.get']('gnuviechadmin:adminemail') }}'
-export GVALDAP_LDAP_URL='{{ salt['pillar.get']('gnuviechadmin:ldap_url') }}'
-export GVALDAP_LDAP_USER='{{ 'cn=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_admin_user'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
-export GVALDAP_LDAP_PASSWORD='{{ salt['grains.get_or_set_hash']('gnuviechadmin.ldap_admin_password', 16) }}'
-export GVALDAP_BASEDN_GROUP='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_groups_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
-export GVALDAP_BASEDN_USER='{{ 'ou=%s,%s' % (salt['pillar.get']('gnuviechadmin:ldap_users_ou'), salt['pillar.get']('gnuviechadmin:ldap_base_dn')) }}'
-export GVALDAP_SECRETKEY='{{ salt['grains.get_or_set_hash']('gnuviechadmin.secret_key', 50) }}'
-export GVALDAP_BROKER_URL='{{ broker_url }}'
-export GVALDAP_ALLOWED_HOSTS='{{ salt['pillar.get']('gnuviechadmin:allowed_hosts') }}'
-export GVALDAP_SERVER_EMAIL='{{ salt['pillar.get']('gnuviechadmin:mailfrom') }}'
-export GVALDAP_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin:redis_password') }}@{{ salt['pillar.get']('gnuviechadmin:redis_host') }}/0"

states/gnuviechadmin/gvamysql.sls

@@ -6,7 +6,7 @@ gvamysql-mysql-user:
   mysql_user.present:
     - name: {{ salt['pillar.get']('gnuviechadmin:mysql_admin_user', 'gvamysql') }}
     - host: '%'
-    - password: {{ salt['grains.get_or_set_hash']('gnuviechadmin.db_admin_password', 16) }}
+    - password: {{ salt['pillar.get']('gnuviechadmin:mysql_admin_password') }}
 
 gvamysql-grants-all-dbs:
   mysql_grants.present:
@@ -14,7 +14,7 @@ gvamysql-grants-all-dbs:
     - database: '*.*'
     - grant_option: True
     - user: {{ salt['pillar.get']('gnuviechadmin:mysql_admin_user', 'gvamysql') }}
-    - password: {{ salt['grains.get_or_set_hash']('gnuviechadmin.db_admin_password', 16) }}
+    - password: {{ salt['pillar.get']('gnuviechadmin:mysql_admin_password') }}
     - host: '%'
     - require:
       - mysql_user: gvamysql-mysql-user

states/gnuviechadmin/gvamysql/settings.sh

@@ -5,4 +5,4 @@ export GVAMYSQL_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin
 export GVAMYSQL_DBADMIN_HOST="{{ salt['pillar.get']('gnuviechadmin:mysql_admin_host', 'localhost') }}"
 export GVAMYSQL_DBADMIN_PORT="{{ salt['pillar.get']('gnuviechadmin:mysql_admin_port', 3306) }}"
 export GVAMYSQL_DBADMIN_USER="{{ salt['pillar.get']('gnuviechadmin:mysql_admin_user', 'gvamysql') }}"
-export GVAMYSQL_DBADMIN_PASSWORD="{{ salt['grains.get_or_set_hash']('gnuviechadmin.db_admin_password', 16) }}"
+export GVAMYSQL_DBADMIN_PASSWORD="{{ salt['pillar.get']('gnuviechadmin:mysql_admin_password') }}"

states/gnuviechadmin/gvapgsql.sls

@@ -5,7 +5,7 @@ include:
 gvapgsql-pgsql-user:
   postgres_user.present:
     - name: {{ salt['pillar.get']('gnuviechadmin:pgsql_admin_user', 'gvapgsql') }}
-    - password: {{ salt['grains.get_or_set_hash']('gnuviechadmin.db_admin_password', 16) }}
+    - password: {{ salt['pillar.get']('gnuviechadmin:pgsql_admin_password') }}
     - user: postgres
     - superuser: True
     - login: True

states/gnuviechadmin/gvapgsql/settings.sh

@@ -5,4 +5,4 @@ export GVAPGSQL_RESULTS_REDIS_URL="redis://:{{ salt['pillar.get']('gnuviechadmin
 export GVAPGSQL_DBADMIN_HOST="{{ salt['pillar.get']('gnuviechadmin:pgsql_admin_host', 'localhost') }}"
 export GVAPGSQL_DBADMIN_PORT="{{ salt['pillar.get']('gnuviechadmin:pgsql_admin_port', 5432) }}"
 export GVAPGSQL_DBADMIN_USER="{{ salt['pillar.get']('gnuviechadmin:pgsql_admin_user', 'gvapgsql') }}"
-export GVAPGSQL_DBADMIN_PASSWORD="{{ salt['grains.get_or_set_hash']('gnuviechadmin.db_admin_password', 16) }}"
+export GVAPGSQL_DBADMIN_PASSWORD="{{ salt['pillar.get']('gnuviechadmin:pgsql_admin_password') }}"

states/gnuviechadmin/ssh_deploy_config

@@ -0,0 +1,5 @@
+Host git
+Hostname file
+User gituser
+IdentityFile {{ key }}
+IdentitiesOnly yes

states/ldapserver/init.sls

@@ -3,8 +3,8 @@ ldapserver-packages:
     - name: slapd
     - data:
         'slapd/domain': {'type': 'string', 'value': '{{ salt["pillar.get"]("gnuviechadmin:ldap_domain") }}'}
-        'slapd/password1': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd:password", 16) }}'}
+        'slapd/password1': {'type': 'string', 'value': '{{ salt["pillar.get"]("slapd:admin_password") }}'}
-        'slapd/password2': {'type': 'string', 'value': '{{ salt["grains.get_or_set_hash"]("slapd:password", 16) }}'}
+        'slapd/password2': {'type': 'string', 'value': '{{ salt["pillar.get"]("slapd:admin_password") }}'}
   pkg.installed:
     - pkgs:
       - ldap-utils

states/python/pipenv.sls

@@ -0,0 +1,14 @@
+pipenv-preconditions:
+  pkg.installed:
+    - pkgs:
+      - python3-wheel
+      - python3-pip
+      - python3-setuptools
+
+install_pipenv:
+  cmd.run:
+    - name: python3 -m pip install -U --prefix /usr/local pipenv
+    - creates: /usr/local/bin/pipenv
+    - require:
+      - pipenv-preconditions
+

states/python/virtualenv.sls

@@ -0,0 +1,5 @@
+python3-virtualenv-packages:
+  pkg.installed:
+    - pkgs:
+      - python3-dev
+      - python3-virtualenv