# For macvlan network isolation
# docker compose -f docker-compose.yaml -f docker-compose-net.yml config
# YAML anchors - settings shared by the Linux test minions (HIGH-002).
# Each minion service pulls these in with `<<: *minion-base`; the merge is
# shallow, so a key set on the service itself replaces the one from here.
x-minion-base: &minion-base
  # Test minions are disposable: never restart them automatically.
  restart: "no"
  # SECURITY: privileged mode removes most container isolation (all
  # capabilities, access to host devices). NOTE(review): presumably required by
  # what highstate does inside the minion - confirm, and prefer a narrow
  # `cap_add` list if that is sufficient. Keep these services test-only.
  privileged: true
  dns:
    - 1.1.1.1
    - 1.0.0.1
  networks:
    - salt-net
  # Start a minion only after the master's healthcheck reports healthy.
  depends_on:
    salt:
      condition: service_healthy
# Shared minion healthcheck, referenced as `healthcheck: *minion-healthcheck`.
# Healthy means: the minion log file exists and its last line is non-empty.
# That shows the minion process has written a log entry; it does not prove the
# minion is authenticated to the master.
x-minion-healthcheck: &minion-healthcheck
  test:
    - CMD-SHELL
    - 'test -f /var/log/salt/minion && tail -1 /var/log/salt/minion | grep -q . || exit 1'
  interval: 30s
  timeout: 10s
  retries: 3
  # Failures during the first 90s are not counted against `retries`.
  start_period: 90s
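services:
  # Salt master. It has no `profiles` entry, so it starts on every
  # `docker compose up`; the minions below are opt-in through their profiles.
  salt:
    build:
      context: .
      dockerfile: Dockerfile
      target: salt-master
    container_name: salt
    hostname: salt
    dns:
      - 1.1.1.1
      - 1.0.0.1
    dns_search:
      - local
      - localdomain
    networks:
      - salt-net
    restart: unless-stopped
    # `expose` makes these ports known to other containers on salt-net only;
    # nothing is published on the host.
    expose:
      - "4505"  # Master pub (ZeroMQ)
      - "4506"  # Minion ret (ZeroMQ)
      - "5353"  # Avahi (MDNS)
    volumes:
      # Local service discovery.
      # SECURITY: this shares the host's D-Bus directory read-write with the
      # container, so processes in the master can talk to host services on that
      # bus. NOTE(review): confirm Avahi really needs the host bus here.
      - /var/run/dbus:/var/run/dbus
      # Salt file roots - use bind mount with subpath
      # SECURITY NOTE(review): ./srv/salt/keys/master/ (the master key pair
      # mounted further down) lives inside this tree. If /srv/salt is served as
      # a file root, master.pem is readable by minions through the Salt
      # fileserver. Confirm file_roots and consider keeping key material
      # outside ./srv/salt.
      - ./srv/salt:/srv/salt:ro
      - ./srv/pillar:/srv/pillar:ro
      # Provisioning files - separate mount point
      - ./provisioning:/provisioning:ro
      # Persistent data
      - salt-cache:/var/cache/salt
      - salt-logs:/var/log/salt
      - salt-pki:/etc/salt/pki/master
      # Master keys bind mount (survives rebuilds - volume has minions/*, these overlay master.*)
      # Read-only so the container cannot replace the master identity.
      # NOTE(review): make sure master.pem is not committed to version control.
      - ./srv/salt/keys/master/master.pem:/etc/salt/pki/master/master.pem:ro
      - ./srv/salt/keys/master/master.pub:/etc/salt/pki/master/master.pub:ro
      # Master config (file_roots.conf, auto_accept.conf generated by entrypoint)
      # Writable because the entrypoint generates files here.
      # NOTE(review): auto_accept.conf suggests minion keys are accepted without
      # review; that is only acceptable on an isolated test network - confirm.
      - ./srv/master.d:/etc/salt/master.d
      # Persistent job return data (sqlite3 returner)
      - ./srv/data:/srv/data
    environment:
      - SALT_API_ENABLED=True
      # SECURITY: no built-in fallback password. Compose refuses to start and
      # prints this message when SALT_API_USER_PASS is unset or empty, so the
      # API never comes up with a credential that is published in the repo.
      - "SALT_API_USER_PASS=${SALT_API_USER_PASS:?Set SALT_API_USER_PASS in the environment or in .env}"
    # Healthy once something accepts TCP connections on the publish port.
    healthcheck:
      test: ["CMD", "nc", "-z", "127.0.0.1", "4505"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

  # Ubuntu test minion - auto-applies highstate on startup
  salt-minion-ubuntu:
    <<: *minion-base
    build:
      context: .
      dockerfile: Dockerfile
      target: salt-minion-deb
    container_name: salt-minion-ubuntu-test
    environment:
      - SALT_MASTER=salt
      - MINION_ID=ubuntu-test
    # Keys are baked into image at build time - no bind mounts needed
    # NOTE(review): the image therefore carries minion key material in its
    # layers; treat it as a local test artifact and do not push it to a shared
    # registry.
    healthcheck: *minion-healthcheck
    profiles:
      - test-ubuntu

  # RHEL test minion - auto-applies highstate on startup
  salt-minion-rhel:
    <<: *minion-base
    build:
      context: .
      dockerfile: Dockerfile
      target: salt-minion-rpm
    container_name: salt-minion-rhel-test
    environment:
      - SALT_MASTER=salt
      - MINION_ID=rhel-test
    # Keys are baked into image at build time - no bind mounts needed
    # NOTE(review): the image therefore carries minion key material in its
    # layers; treat it as a local test artifact and do not push it to a shared
    # registry.
    healthcheck: *minion-healthcheck
    profiles:
      - test-rhel

  # Windows Desktop test minion via Dockur (requires KVM on Linux host)
  # This runs actual Windows 11 Desktop in a VM-like container using QEMU+KVM
  # Auto-enrolls in Salt via Autounattend.xml + FirstLogonCommands
  # Access via web interface at http://localhost:8006 (login: admin/admin123!)
  salt-minion-windows:
    # NOTE(review): no tag or digest is given, so every pull takes whatever the
    # registry currently serves as `latest`. Pin a tag or digest you have
    # verified.
    image: dockurr/windows
    container_name: salt-minion-windows-test
    restart: "no"
    environment:
      VERSION: "11"      # Windows 11 Pro
      RAM_SIZE: "4G"     # 4GB RAM
      CPU_CORES: "2"     # 2 vCPUs
      DISK_SIZE: "64G"   # 64GB virtual disk
      MANUAL: "N"        # Unattended install with Autounattend.xml
    devices:
      - /dev/kvm      # Requires KVM support (Linux only)
      - /dev/net/tun  # Required for networking
    cap_add:
      - NET_ADMIN  # Required for network management
    # SECURITY: published on the loopback interface only. The login documented
    # above is a fixed, well-known value, so these ports must not listen on
    # every host interface. The documented URL (http://localhost:8006) keeps
    # working; from another machine, go through an SSH tunnel.
    ports:
      - "127.0.0.1:8006:8006"  # Web VNC interface
      - "127.0.0.1:3389:3389"  # RDP (optional, for direct access)
    volumes:
      - ./scripts:/mnt/scripts:ro  # Mount scripts for Salt enrollment
      - ./provisioning/windows/Autounattend.xml:/Autounattend.xml:ro  # Unattended install config
    networks:
      - salt-net
    depends_on:
      salt:
        condition: service_healthy
    profiles:
      - test-windows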
# Named volumes for the master's persistent state, all with default settings.
# salt-pki holds the master's PKI directory, including accepted minion keys;
# removing it (e.g. `docker compose down -v`) resets minion trust.
volumes:
  salt-cache: {}
  salt-logs: {}
  salt-pki: {}
# Network shared by the master and all test minions, declared here with
# default settings.
networks:
  salt-net: {}