use pillar.get('roles', [])

ferm/init.sls

@@ -38,12 +38,10 @@ ferm:
       - file: /etc/ferm/ferm.conf
       - file: /etc/ferm/conf.d/*
 
+{%- set roles = salt['pillar.get']('roles', []) -%}
+
 include:
-{%- if 'vmhost' in pillar.roles %}
-  - ferm.stateless
-{%- elif 'edge' in pillar.roles %}
-  - ferm.stateless
-{%- elif 'noconntrack' in pillar.roles %}
+{%- if 'vmhost' in roles or 'edge' in roles or 'noconntrack' in roles -%}
   - ferm.stateless
 {%- else %}
   - ferm.stateful

network/files/ferm-domain-batman.conf.j2

@@ -34,7 +34,7 @@ domain ip {
             interface dom{{ domain_id }}-br outerface {{ salt['pillar.get']('ferm:public_interface', 'ens13') }} proto tcp tcp-flags (SYN RST) SYN TCPMSS set-mss {{ mtu - 32 - 20 - 20 }};
         }
    }
-   {%- if 'gateway' in pillar.roles %}
+   {%- if 'gateway' in pillar.get('roles', []) %}
    table filter {
         chain FORWARD {
             mod state state (ESTABLISHED RELATED) ACCEPT;

network/files/interfaces-domain.j2

@@ -90,7 +90,7 @@ iface dom{{ domain_id }}-tp inet manual
 	{% endif %}
 {% endif %}
 
-{%- if 'gateway' in pillar.roles and with_fastd %}
+{%- if 'gateway' in pillar.get('roles', []) and with_fastd %}
 {%- for instance in salt['pillar.get']('domains:%s:fastd:instances'|format(domain)) %}
 
 # l2 tunnel (fastd)

network/init.sls

@@ -20,7 +20,7 @@ network-pkg:
       - vnstat
       - knot-host
       - ipv6calc
-{%- if 'gateway' in pillar.roles %}
+{%- if 'gateway' in pillar.get('roles', []) %}
       - ebtables
 {%- endif %}
 

ntp/files/chrony_config.j2

-{%- if 'ntp' in pillar.get('roles', []) -%}
+{%- set roles = salt['pillar.get']('roles', []) -%}
+
+{%- if 'ntp' in roles -%}
 pool 2.de.pool.ntp.org iburst maxsources 20
 server ntp.se iburst
 server time.cloudflare.com iburst
@@ -6,7 +8,7 @@ server ptbtime1.ptb.de iburst
 server ptbtime2.ptb.de iburst
 server ptbtime3.ptb.de iburst
 server ntps1-0.eecsit.tu-berlin.de iburst
-{%- elif 'vmhost' in pillar.roles or 'edge' in pillar.roles or 'noconntrack' in pillar.roles -%}
+{%- elif 'vmhost' in roles or 'edge' in roles or 'noconntrack' in roles -%}
 pool ntp.services.ffffm.net iburst
 {%- else -%}
 pool ntp.services.ffffm.net iburst
@@ -20,7 +22,7 @@ bindcmdaddress ::1
 
 allow ::1
 
-{%- if 'ntp' in pillar.get('roles', []) %}
+{%- if 'ntp' in roles %}
 {%- for net in salt['pillar.get']('subnet', {}).values() %}
 allow {{ net.prefix }}
 {%- endfor %}

ssh/init.sls

@@ -47,7 +47,7 @@ undesirable-hostkeys:
       - /etc/ssh/ssh_host_dsa_key.pub
       - /etc/ssh/ssh_host_ecdsa_key
       - /etc/ssh/ssh_host_ecdsa_key.pub
-{%- if 'vmhost' not in pillar.roles %}
+{%- if 'vmhost' in pillar.get('roles', []) %}
       - /etc/ssh/ssh_host_rsa_key
       - /etc/ssh/ssh_host_rsa_key.pub
 {%- endif %}