a932a8cc84
Don't add key_url as it is deprecated and not needed when pkgrepo_keyring is set. This has been supported since stretch so make it the default. Also use py3 repo by default for Debian family as it is now the only option. Additionally, Raspbian has been updated to use signed-by by default.
477 lines
14 KiB
YAML
477 lines
14 KiB
YAML
# -*- coding: utf-8 -*-
|
|
# vim: ft=yaml
|
|
---
|
|
salt:
|
|
# Set this to true to clean any non-salt-formula managed files out of
|
|
# /etc/salt/{master,minion}.d ... You really don't want to do this on 2015.2
|
|
# and up as it'll wipe out important files that Salt relies on.
|
|
clean_config_d_dir: false
|
|
|
|
# This state will remove "/etc/salt/minion" when you set this to true.
|
|
minion_remove_config: true
|
|
|
|
# This state will remove "/etc/salt/master" when you set this to true.
|
|
master_remove_config: true
|
|
|
|
# Set this to 'py3' to install the Python 3 packages.
|
|
# The default varies between OS versions.
|
|
py_ver: 'py3'
|
|
|
|
# Set this to false to not have the formula install packages (in the case you
|
|
# install Salt via git/pip/etc.)
|
|
install_packages: true
|
|
|
|
# Optional: set salt version (if install_packages is set to true)
|
|
version: 2017.7.2-1.el7
|
|
|
|
# Pin version provided under 'version' key by using apt-pinning
|
|
# available only on Debian family OS-es
|
|
pin_version: false
|
|
|
|
# to overwrite map.jinja salt packages
|
|
lookup:
|
|
salt_master: 'salt-master'
|
|
salt_minion: 'salt-minion'
|
|
salt_syndic: 'salt-syndic'
|
|
salt_cloud: 'salt-cloud'
|
|
salt_ssh: 'salt-ssh'
|
|
pyinotify: 'python-pyinotify' # the package to be installed for pyinotify
|
|
|
|
# Set which salt repository to use, default to https://repo.saltproject.io
|
|
# For older releases use https://archive.repo.saltproject.io
|
|
repo: 'https://archive.repo.saltproject.io'
|
|
|
|
# Set which release of SaltStack to use, default to 'latest'
|
|
# To get the available releases:
|
|
# * http://repo.saltproject.io/yum/redhat/7/x86_64/
|
|
# * http://repo.saltproject.io/apt/debian/8/amd64/
|
|
release: '2018.3'
|
|
|
|
# MacOS has no package management.
|
|
# Instead, we use file.managed to download an appropriate .pkg file and
|
|
# macpackage.installed to install it 'version', if set (see above), will be
|
|
# used to check the .pkg version to determine if it should be installed
|
|
#
|
|
# NOTE: if 'version' is not set version comparison will not occur and the
|
|
# .pkg WILL NOT be installed if a salt .pkg is already installed
|
|
# NOTE: salt_minion_pkg_hash, if set, will be passed into file.managed's
|
|
# source_hash, use URL or hash string
|
|
# yamllint disable rule:line-length
|
|
salt_minion_pkg_source: 'https://repo.saltproject.io/osx/salt-2017.7.4-py3-x86_64.pkg'
|
|
salt_minion_pkg_hash: 'https://repo.saltproject.io/osx/salt-2017.7.4-py3-x86_64.pkg.md5'
|
|
# yamllint enable rule:line-length
|
|
|
|
# tofs:
|
|
# The files_switch key serves as a selector for alternative
|
|
# directories under the formula files directory. See TOFS pattern
|
|
# doc for more info.
|
|
# Note: Any value not evaluated by `config.get` will be used literally.
|
|
# This can be used to set custom paths, as many levels deep as required.
|
|
# files_switch:
|
|
# - any/path/can/be/used/here
|
|
# - id
|
|
# - osfinger
|
|
# - os
|
|
# - os_family
|
|
# All aspects of path/file resolution are customisable using the options below.
|
|
# This is unnecessary in most cases; there are sensible defaults.
|
|
# path_prefix: template_alt
|
|
# dirs:
|
|
# files: files_alt
|
|
# default: default_alt
|
|
# source_files:
|
|
# salt-master:
|
|
# - 'alt_master.d'
|
|
# salt-minion:
|
|
# - 'alt_minion.d'
|
|
|
|
# salt master config
|
|
master_config_use_TOFS: true
|
|
master:
|
|
standalone: false
|
|
fileserver_backend:
|
|
- git
|
|
- s3fs
|
|
- roots
|
|
gitfs_remotes:
|
|
- git://github.com/saltstack-formulas/salt-formula.git:
|
|
- base: develop
|
|
s3.keyid: GKTADJGHEIQSXMKKRBJ08H
|
|
s3.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
|
|
s3.buckets:
|
|
- bucket1
|
|
- bucket2
|
|
- bucket3
|
|
- bucket4
|
|
file_roots:
|
|
base:
|
|
- /srv/salt
|
|
pillar_roots:
|
|
base:
|
|
- /srv/pillar
|
|
# for salt-api with tornado rest interface
|
|
rest_tornado:
|
|
port: 8000
|
|
ssl_crt: /etc/pki/api/certs/server.crt
|
|
ssl_key: /etc/pki/api/certs/server.key
|
|
debug: false
|
|
disable_ssl: false
|
|
# yamllint disable-line rule:line-length
|
|
# for profile configuration as https://docs.saltstack.com/en/latest/topics/tutorials/lxc.html#tutorial-lxc-profiles
|
|
lxc.container_profile:
|
|
debian:
|
|
template: download
|
|
options:
|
|
dist: debian
|
|
release: jessie
|
|
arch: amd64
|
|
backing: lvm
|
|
vgname: kimsufi
|
|
size: 10G
|
|
lxc.network_profile:
|
|
basic:
|
|
eth0:
|
|
link: lxcbr0
|
|
type: veth
|
|
flags: up
|
|
## for external auth - LDAP
|
|
## filter to use for Active Directory LDAP
|
|
# auth.ldap.filter: {% raw %}'sAMAccountName={{username}}'{% endraw %}
|
|
## filter to use for Most other LDAP servers
|
|
# auth.ldap.filter: {% raw %}'uid={{ username }}'{% endraw %}
|
|
|
|
# Define winrepo provider, by default support order is pygit2, gitpython
|
|
# Set to gitpython for Debian & Ubuntu to get around saltstack/salt#35993
|
|
# where pygit2 is not compiled with pygit2.GIT_FEATURE_HTTPS support
|
|
winrepo_provider: gitpython
|
|
|
|
# optional engine configuration
|
|
engines:
|
|
- slack:
|
|
token: xoxp-XXXXX-XXXXXXX # use Slack's legacy API token
|
|
control: true
|
|
valid_users:
|
|
- someuser
|
|
- otheruser
|
|
valid_commands:
|
|
- test.ping
|
|
- list_jobs
|
|
aliases:
|
|
list_jobs:
|
|
type: runner
|
|
cmd: jobs.list_jobs
|
|
|
|
# optional: these reactors will be configured on the master
|
|
# They override reactors configured in
|
|
# 'salt:reactors' or the old 'salt:reactor' parameters
|
|
reactors:
|
|
- 'master/deploy':
|
|
- /srv/salt/reactors/deploy.sls
|
|
|
|
# salt minion config:
|
|
minion_config_use_TOFS: true
|
|
minion:
|
|
|
|
# standalone setup
|
|
master_type: str # see init.sls & standalone.sls
|
|
|
|
# single master setup
|
|
master: salt
|
|
|
|
# multi master setup
|
|
# master:
|
|
# - salt_master_1
|
|
# - salt_master_2
|
|
|
|
fileserver_backend:
|
|
- git
|
|
- roots
|
|
gitfs_remotes:
|
|
- git://github.com/saltstack-formulas/salt-formula.git:
|
|
- base: develop
|
|
file_roots:
|
|
base:
|
|
- /srv/salt
|
|
pillar_roots:
|
|
base:
|
|
- /srv/pillar
|
|
module_config:
|
|
test: true
|
|
test.foo: foo
|
|
test.bar:
|
|
- baz
|
|
- quo
|
|
test.baz:
|
|
spam: sausage
|
|
cheese: bread
|
|
|
|
# salt mine setup
|
|
mine_interval: 60
|
|
# mine_functions can be set at the top level of the pillar, and
|
|
# that is preferable because it doesn't affect the conf file and
|
|
# doesn't require a minion restart. However, you can configure it
|
|
# here instead if you really want to.
|
|
mine_functions:
|
|
network.interface_ip: [eth0]
|
|
|
|
# Define a minion scheduler
|
|
schedule:
|
|
- highstate:
|
|
- function: state.apply
|
|
- minutes: 60
|
|
- returner: redis
|
|
|
|
# other 'non-default' config
|
|
auth_keytab: /root/auth.keytab
|
|
auth_principal: kadmin/admin
|
|
|
|
# optional engine configuration
|
|
engines:
|
|
- slack:
|
|
token: xoxp-XXXXX-XXXXXXX # use Slack's legacy API token
|
|
control: true
|
|
valid_users:
|
|
- someuser
|
|
- otheruser
|
|
valid_commands:
|
|
- test.ping
|
|
- list_jobs
|
|
aliases:
|
|
list_jobs:
|
|
type: runner
|
|
cmd: jobs.list_jobs
|
|
|
|
# optional beacons configuration
|
|
beacons:
|
|
load:
|
|
1m:
|
|
- 0.0
|
|
- 2.0
|
|
5m:
|
|
- 0.0
|
|
- 1.5
|
|
15m:
|
|
- 0.1
|
|
- 1.0
|
|
interval: 10
|
|
|
|
# Optional reactors: these reactors will be configured on the minion
|
|
# They override reactors configured in
|
|
# 'salt:reactors' or the old 'salt:reactor' parameters
|
|
reactors:
|
|
- 'minion/deploy':
|
|
- /srv/salt/reactors/deploy.sls
|
|
|
|
# Optional: Configure an elasticsearch returner
|
|
return: elasticsearch
|
|
elasticsearch:
|
|
hosts:
|
|
- example.elasticsearch.host:9200
|
|
- example.elasticsearch.host2:9200
|
|
index_date: true
|
|
index: salt
|
|
number_of_shards: 5
|
|
number_of_replicas: 2
|
|
debug_returner_payload: true
|
|
states_count: true
|
|
states_order_output: true
|
|
states_single_index: true
|
|
functions_blacklist:
|
|
- test.ping
|
|
- saltutil.find_job
|
|
|
|
# init.sls skips salt.api and salt.syndic states
|
|
# unless those dicts are populated with something
|
|
api:
|
|
somekey: somevalue
|
|
syndic:
|
|
somekey: somevalue
|
|
|
|
# salt cloud config
|
|
cloud:
|
|
master: salt
|
|
|
|
# For non-templated custom cloud provider/profile/map files
|
|
providers:
|
|
provider-filename1.conf:
|
|
vmware-prod:
|
|
driver: vmware
|
|
user: myusernameprod
|
|
password: mypassword
|
|
vmware-nonprod:
|
|
driver: vmware
|
|
user: myusernamenonprod
|
|
password: mypassword
|
|
profiles:
|
|
profile-filename1.conf:
|
|
server-non-prod:
|
|
clonefrom: rhel6xtemplatenp
|
|
grains:
|
|
platform:
|
|
name: salt
|
|
realm: lab
|
|
subscription_level: standard
|
|
memory: 8GB
|
|
num_cpus: 4
|
|
password: sUpErsecretey
|
|
provider: vmware-nonprod
|
|
maps:
|
|
map-filename1.map:
|
|
server-non-prod:
|
|
- host.mycompany.com:
|
|
grains:
|
|
environment: dev1
|
|
|
|
# You can take profile and map templates from an alternate location
|
|
# if you want to write your own.
|
|
template_sources:
|
|
providers: salt://salt/files/cloud.providers.d
|
|
profiles: salt://salt/files/cloud.profiles.d
|
|
maps: salt://salt/files/cloud.maps.d
|
|
|
|
# These settings are used by the default provider templates and
|
|
# only need to be set for the ones you're using.
|
|
aws_key: AWSKEYIJSHJAIJS6JSH
|
|
aws_secret: AWSSECRETYkkDY1iQf9zRtl9+pW+Nm+aZY95
|
|
gce_project: test
|
|
# yamllint disable-line rule:line-length
|
|
gce_service_account_email_address: 867543072364-orl4h2tpp8jcn1tr9ipj@developer.gserviceaccount.com
|
|
rsos_user: afeawofghob
|
|
rsos_tenant: tenant_id_number
|
|
rsos_apikey: WFJIOJEOIGHSOFHESO
|
|
rsos_regions:
|
|
- ORD
|
|
- DFW
|
|
- IAD
|
|
- SYD
|
|
- HKG
|
|
|
|
ssh_roster:
|
|
prod1:
|
|
host: host.example.com
|
|
user: ubuntu
|
|
sudo: true
|
|
priv: /etc/salt/ssh_keys/sshkey.pem
|
|
gitfs:
|
|
keys:
|
|
global:
|
|
# key and pub end up being the extension used on the key file
|
|
# values other than key and pub are possible
|
|
key: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
...........
|
|
-----END RSA PRIVATE KEY-----
|
|
pub: |
|
|
...........
|
|
|
|
# These reactors will be configured both in the minion and the master
|
|
reactors:
|
|
- 'deploy':
|
|
- /srv/salt/reactors/deploy.sls
|
|
|
|
# https://docs.saltstack.com/en/latest/ref/states/requisites.html#retrying-states
|
|
retry_options:
|
|
attempts: 2
|
|
until: true
|
|
interval: 10
|
|
splay: 10
|
|
|
|
salt_cloud_certs:
|
|
aws:
|
|
pem: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
...........
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
gce:
|
|
pem: |
|
|
-----BEGIN RSA PRIVATE KEY-----
|
|
...........
|
|
-----END RSA PRIVATE KEY-----
|
|
|
|
salt_formulas:
|
|
git_opts:
|
|
# The Git options can be customized differently for each
|
|
# environment, if an option is missing in a given environment, the
|
|
# value from "default" is used instead.
|
|
default:
|
|
# URL where the formulas git repositories are downloaded from
|
|
# it will be suffixed with <formula-name>.git
|
|
baseurl: https://github.com/saltstack-formulas
|
|
# Directory where Git repositories are downloaded
|
|
basedir: /srv/formulas
|
|
# Update the git repository to the latest version (false by default)
|
|
update: false
|
|
# Options passed directly to the git.latest state
|
|
options:
|
|
rev: master
|
|
user: username
|
|
identity: /path/to/.ssh/id_rsa_github_username
|
|
dev:
|
|
basedir: /srv/formulas/dev
|
|
update: true
|
|
options:
|
|
rev: develop
|
|
# Alternatively, a single directory with multiple branches can be used
|
|
# E.g. It is strongly recommended to fork saltstack-formula repositories
|
|
# to avoid unexpected changes to your infrastructure
|
|
# Then upstream changes can be merged in manually with due consideration
|
|
# Specific values for `rev`, `user` & `identity` will override the defaults
|
|
production:
|
|
baseurl: git@github.com:username
|
|
options:
|
|
branch: master
|
|
remote: origin
|
|
staging:
|
|
baseurl: git@github.com:username
|
|
options:
|
|
branch: staging
|
|
remote: origin
|
|
rev: staging
|
|
upstream:
|
|
baseurl: git@github.com:saltstack-formulas
|
|
update: true
|
|
options:
|
|
branch: upstream
|
|
remote: upstream
|
|
# Options of the file.directory state that creates the directory where
|
|
# the git repositories of the formulas are stored
|
|
basedir_opts:
|
|
makedirs: true
|
|
user: root
|
|
group: root
|
|
mode: 755
|
|
# Explicitly checkout the original branch for repos after the
|
|
# git.latest states have been processed (false by default)
|
|
# Enable if using the alternative method (single directory, multiple branches)
|
|
checkout_orig_branch: true
|
|
# List of formulas to enable in each environment
|
|
list:
|
|
base:
|
|
- salt-formula
|
|
- postfix-formula
|
|
- nginx-formula: # We can also override some options per formula
|
|
rev: 'v1.1.0' # Pin a version
|
|
- openssh-formula:
|
|
rev: '3e01ad8' # or pin a commit id
|
|
dev:
|
|
- salt-formula
|
|
- postfix-formula
|
|
- openssh-formula
|
|
- nginx-formula:
|
|
# You can also pull from another location
|
|
name: 'https://github.com/another-fork-location/salt-formula.git'
|
|
rev: 'feat/feature'
|
|
# Likewise for the alternative method (single directory, multiple branches)
|
|
production:
|
|
- salt-formula
|
|
- openssh-formula
|
|
staging:
|
|
- salt-formula
|
|
- postfix-formula
|
|
- openssh-formula
|
|
upstream:
|
|
- salt-formula
|
|
- postfix-formula
|
|
- openssh-formula
|