fix salt installation and change to new salt repo

init_server.sh

@@ -15,18 +15,14 @@ INIT_DATE_FILE='/etc/freifunk-server-initdate'
 
 check_salt_repo() {
 	# repos needs also a check in salt/freifunk/base/salt-minion/init.sls
-	case "$1" in
-		debian12 )
-			[ ! -d /etc/apt/keyrings ] && mkdir /etc/apt/keyrings
-			curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/debian/12/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
-			echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg arch=amd64] https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main" | tee /etc/apt/sources.list.d/saltstack.list
-			;;
-		ubuntu20 )
-			[ ! -d /usr/share/keyrings ] && mkdir /usr/share/keyrings
-			curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/amd64/latest/salt-archive-keyring.gpg
-			echo 'deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/latest focal main' | tee /etc/apt/sources.list.d/saltstack.list
-			;;
-	esac
+	[ ! -d /etc/apt/keyrings ] && mkdir /etc/apt/keyrings
+	curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
+	curl -fsSL -o /etc/apt/sources.list.d/salt.sources https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.sources
+	tee /etc/apt/preferences.d/salt-pin-1001 <<EOF
+Package: salt-*
+Pin: version 3007.*
+Pin-Priority: 1001
+EOF
 }
 
 install_uci() {
@@ -221,15 +217,15 @@ if [ "$os_id" = 'debian' ]; then
 		11*)	PKGMNGR='apt-get'
 				install_uci debian11
 		;;
-		12*)	PKGMNGR='apt-get' ; check_salt_repo debian12
+		12*)	PKGMNGR='apt-get'
 				install_uci debian12
 		;;
 		*)		print_not_supported_os ;;
 	esac
 	printf '\nOK.\n'
 elif [ "$os_id" = 'ubuntu' ]; then
 	case "$version_id" in
-		20.04*) PKGMNGR='apt-get' ; check_salt_repo ubuntu20
+		20.04*) PKGMNGR='apt-get'
 				install_uci ubuntu20
 		;;
 		22.04*) PKGMNGR='apt-get'
@@ -242,6 +238,8 @@ else
 	print_not_supported_os
 fi
 
+check_salt_repo
+
 
 printf '\n### Update System ..\n'
 "$PKGMNGR" -y update

salt/freifunk/base/apt/init.sls

@@ -10,6 +10,13 @@ apt:
       - apt-transport-https
 {% endif %}
 
+/etc/apt/keyrings:
+  file.directory:
+    - user: root
+    - group: root
+    - dir_mode: 755
+    - file_mode: 644
+
 {# sources.list #}
 {% if grains['os'] == 'Debian' and grains['oscodename'] == 'bullseye' %}
 /etc/apt/sources.list:

salt/freifunk/base/clear_old_env.sls

@@ -12,6 +12,15 @@ remove_old_pkg:
 /etc/apt/sources.list.d/wireguard.list:
   file.absent
 
+/etc/apt/sources.list.d/saltstack.list:
+  file.absent
+
+/etc/apt/keyrings/salt-archive-keyring-2023.gpg:
+  file.absent
+
+/usr/share/keyrings/salt-archive-keyring.gpg:
+  file.absent
+
 
 /etc/apache2/conf-available/vnstat.conf:
   file.absent

salt/freifunk/base/salt-minion/init.sls

@@ -3,38 +3,49 @@
 
 {# Package #}
 {# repos needs also a check in init_server.sh #}
-salt-minion:
-  {% if grains['os'] == 'Debian' and grains['oscodename'] == 'bookworm' %}
-  pkgrepo.managed:
-    - humanname: SaltStack
-    - name: deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg arch=amd64] https://repo.saltproject.io/salt/py3/debian/12/amd64/latest bookworm main
-    - dist: bookworm
-    - file: /etc/apt/sources.list.d/saltstack.list
-    - require_in:
-      - pkg: salt-minion
-    - gpgcheck: 1
-    - key_url: https://repo.saltproject.io/salt/py3/debian/12/amd64/SALT-PROJECT-GPG-PUBKEY-2023.gpg
-
-  {% elif grains['os'] == 'Ubuntu' and grains['oscodename'] == 'focal' %}
-  pkgrepo.managed:
-    - humanname: SaltStack
-    - name: deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/latest focal main
-    - dist: focal
-    - file: /etc/apt/sources.list.d/saltstack.list
-    - require_in:
-      - pkg: salt-minion
-    - gpgcheck: 1
-    - key_url: https://repo.saltproject.io/py3/ubuntu/20.04/amd64/latest/salt-archive-keyring.gpg
+salt_keyring:
+  cmd.run:
+    - name: curl -L https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public -o /etc/apt/keyrings/salt-archive-keyring.pgp
+    - creates: /etc/apt/keyrings/salt-archive-keyring.pgp
+    - require:
+      - file: /etc/apt/keyrings
 
-  {% else %}
-  file.absent:
-    - name: /etc/apt/sources.list.d/saltstack.list
+/etc/apt/preferences.d/salt-pin-1001:
+  file.managed:
+    - contents: |
+        Package: salt-*
+        Pin: version 3007.*
+        Pin-Priority: 1001'
+    - user: root
+    - user: root
+    - mode: 644
 
-  {% endif %}
+/etc/apt/sources.list.d/salt.sources:
+  file.managed:
+    - contents: |
+        X-Repolib-Name: Salt Project
+        Description: Salt has many possible uses, including configuration management.
+          Built on Python, Salt is an event-driven automation tool and framework to deploy,
+          configure, and manage complex IT systems. Use Salt to automate common
+          infrastructure administration tasks and ensure that all the components of your
+          infrastructure are operating in a consistent desired state.
+          - Website: https://saltproject.io
+          - Public key: https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
+        Enabled: yes
+        Types: deb
+        URIs: https://packages.broadcom.com/artifactory/saltproject-deb
+        Signed-By: /etc/apt/keyrings/salt-archive-keyring.pgp
+        Suites: stable
+        Components: main
 
+salt-minion:
   pkg.installed:
     - refresh: True
     - name: salt-minion
+    - require:
+      - salt_keyring
+      - file: /etc/apt/sources.list.d/salt.sources
+      - file: /etc/apt/preferences.d/salt-pin-1001
   service:
     - dead
     - enable: False