blob: 9068aa20d0eda762daf755e38cf60d9a1e691838 [file] [log] [blame]
{% set system = salt['grains.filter_by']({
'Arch': {
'pkgs': ['sudo', 'vim', 'wget'],
'utc': true,
'user': {},
'group': {},
'job': {},
'limit': {},
'locale': {},
'motd': {},
'env': {},
'profile': {},
'proxy': {},
'repo': {},
'package': {},
'autoupdates': {
'pkgs': []
},
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
'ca_certs_bin': 'update-ca-certificates',
'atop': {
'enabled': false,
'interval': '20',
'autostart': true,
'logpath': '/var/log/atop',
'outfile': '/var/log/atop/daily.log'
},
'sosreport': {},
'ssd_scheduler': {
'enabled': false,
'name': 'deadline',
},
},
'Debian': {
'pkgs': ['python-apt', 'apt-transport-https', 'libmnl0'],
'utc': true,
'user': {},
'group': {},
'create_default_group_for_user': true,
'job': {},
'limit': {},
'locale': {},
'motd': {},
'motd_news': {
'enabled': false
},
'env': {},
'profile': {},
'proxy': {},
'repo': {},
'package': {},
'autoupdates': {
'pkgs': ['unattended-upgrades']
},
'selinux': 'permissive',
'ca_certs_dir': '/usr/local/share/ca-certificates',
'ca_certs_bin': 'update-ca-certificates',
'atop': {
'enabled': false,
'interval': '20',
'autostart': true,
'logpath': '/var/log/atop',
'outfile': '/var/log/atop/daily.log'
},
'sosreport': {},
'ssd_scheduler': {
'enabled': false,
'name': 'deadline',
},
},
'RedHat': {
'pkgs': ['policycoreutils', 'policycoreutils-python', 'telnet', 'wget'],
'utc': true,
'user': {},
'group': {},
'job': {},
'limit': {},
'locale': {},
'motd': {},
'env': {},
'profile': {},
'proxy': {},
'repo': {},
'package': {},
'autoupdates': {
'pkgs': []
},
'selinux': 'permissive',
'ca_certs_dir': '/etc/pki/ca-trust/source/anchors',
'ca_certs_bin': 'update-ca-trust extract',
'atop': {
'enabled': false,
'interval': '20',
'autostart': true,
'logpath': '/var/log/atop',
'outfile': '/var/log/atop/daily.log'
},
'sosreport': {},
'ssd_scheduler': {
'enabled': false,
'name': 'deadline',
},
},
}, grain='os_family', merge=salt['pillar.get']('linux:system')) %}
{% set at = salt['grains.filter_by']({
'Debian': {
'enabled': false,
'pkgs': ['at'],
'services': ['atd'],
'user': {}
},
}, grain='os_family', merge=salt['pillar.get']('linux:system:at')) %}
{% set cron = salt['grains.filter_by']({
'Debian': {
'enabled': false,
'pkgs': ['cron'],
'services': ['cron'],
'user': {}
},
}, grain='os_family', merge=salt['pillar.get']('linux:system:cron')) %}
{% set banner = salt['grains.filter_by']({
'BaseDefaults': {
'enabled': false,
},
}, grain='os_family', merge=salt['pillar.get']('linux:system:banner'), base='BaseDefaults') %}
{% set auth = salt['grains.filter_by']({
'Arch': {
'enabled': false,
'duo': {
'enabled': false,
'duo_host': 'localhost',
'duo_ikey': '',
'duo_skey': ''
}
},
'RedHat': {
'enabled': false,
'duo': {
'enabled': false,
'duo_host': 'localhost',
'duo_ikey': '',
'duo_skey': ''
}
},
'Debian': {
'enabled': false,
'duo': {
'enabled': false,
'duo_host': 'localhost',
'duo_ikey': '',
'duo_skey': ''
}
},
}, grain='os_family', merge=salt['pillar.get']('linux:system:auth')) %}
{% set ldap = salt['grains.filter_by']({
'RedHat': {
'enabled': false,
'pkgs': ['openldap-clients', 'nss-pam-ldapd', 'authconfig', 'nscd'],
'version': '3',
'scope': 'sub',
'uid': 'nslcd',
'gid': 'nslcd',
},
'Debian': {
'enabled': false,
'pkgs': ['libnss-ldapd', 'libpam-ldapd', 'nscd'],
'version': '3',
'scope': 'sub',
'uid': 'nslcd',
'gid': 'nslcd',
},
}, grain='os_family', merge=salt['pillar.get']('linux:system:auth:ldap')) %}
{%- load_yaml as login_defs_defaults %}
Debian:
CHFN_RESTRICT:
value: 'rwh'
DEFAULT_HOME:
value: 'yes'
ENCRYPT_METHOD:
value: 'SHA512'
ENV_PATH:
value: 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games'
ENV_SUPATH:
value: 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
ERASECHAR:
value: '0177'
FAILLOG_ENAB:
value: 'yes'
FTMP_FILE:
value: '/var/log/btmp'
GID_MAX:
value: '60000'
GID_MIN:
value: '1000'
HUSHLOGIN_FILE:
value: '.hushlogin'
KILLCHAR:
value: '025'
LOGIN_RETRIES:
value: '5'
LOGIN_TIMEOUT:
value: '60'
LOG_OK_LOGINS:
value: 'no'
LOG_UNKFAIL_ENAB:
value: 'no'
MAIL_DIR:
value: '/var/mail'
PASS_MAX_DAYS:
value: '99999'
PASS_MIN_DAYS:
value: '0'
PASS_WARN_AGE:
value: '7'
SU_NAME:
value: 'su'
SYSLOG_SG_ENAB:
value: 'yes'
SYSLOG_SU_ENAB:
value: 'yes'
TTYGROUP:
value: 'tty'
TTYPERM:
value: '0600'
UID_MAX:
value: '60000'
UID_MIN:
value: '1000'
UMASK:
value: '022'
USERGROUPS_ENAB:
value: 'yes'
{%- endload %}
{%- set login_defs = salt['grains.filter_by'](login_defs_defaults,
grain='os_family', merge=salt['pillar.get']('linux:system:login_defs')) %}
{# 'network_name', #}
{% set interface_params = [
'gateway',
'mtu',
'network',
'broadcast',
'master',
'miimon',
'ovs_ports',
'ovs_bridge',
'mode',
'port_type',
'peer',
'lacp-rate',
'dns-search',
'up_cmds',
'pre_up_cmds',
'post_up_cmds',
'down_cmds',
'pre_down_cmds',
'post_down_cmds',
'maxwait',
'stp',
'gro',
'rx',
'tx',
'sg',
'tso',
'ufo',
'gso',
'lro',
'lacp_rate',
'ad_select',
'downdelay',
'updelay',
'hashing-algorithm',
'hardware-dma-ring-rx',
'hwaddr',
'noifupdown',
'arp_ip_target',
'primary',
] %}
{% set debian_headers = "linux-headers-" + grains.get('kernelrelease')|string %}
{% set network = salt['grains.filter_by']({
'Arch': {
'pkgs': ['wpa_supplicant', 'dhclient', 'wireless_tools', 'ifenslave'],
'bridge_pkgs': ['bridge-utils', 'vlan'],
'ovs_pkgs': ['openvswitch-switch', 'vlan'],
'hostname_file': '/etc/hostname',
'network_manager': False,
'systemd': {},
'interface': {},
'interface_params': interface_params,
'bridge': 'none',
'proxy': {
'host': 'none',
},
'host': {},
'mine_dns_records': False,
'dhclient_config': '/etc/dhcp/dhclient.conf',
'ovs_nowait': False,
},
'Debian': {
'pkgs': ['ifenslave'],
'hostname_file': '/etc/hostname',
'bridge_pkgs': ['bridge-utils', 'vlan'],
'ovs_pkgs': ['openvswitch-switch', 'bridge-utils', 'vlan'],
'dpdk_pkgs': ['dpdk', 'dpdk-dev', 'dpdk-igb-uio-dkms', 'dpdk-rte-kni-dkms', debian_headers.encode('utf8') ],
'network_manager': False,
'systemd': {},
'interface': {},
'interface_params': interface_params,
'bridge': 'none',
'proxy': {
'host': 'none'
},
'host': {},
'mine_dns_records': False,
'dhclient_config': '/etc/dhcp/dhclient.conf',
'ovs_nowait': False,
},
'RedHat': {
'pkgs': ['iputils'],
'bridge_pkgs': ['bridge-utils', 'vlan'],
'ovs_pkgs': ['openvswitch-switch', 'bridge-utils', 'vlan'],
'hostname_file': '/etc/sysconfig/network',
'network_manager': False,
'systemd': {},
'interface': {},
'interface_params': interface_params,
'bridge': 'none',
'proxy': {
'host': 'none'
},
'host': {},
'mine_dns_records': False,
'dhclient_config': '/etc/dhcp/dhclient.conf',
'ovs_nowait': False,
},
}, grain='os_family', merge=salt['pillar.get']('linux:network')) %}
{% set storage = salt['grains.filter_by']({
'Arch': {
'mount': {},
'swap': {},
'disk': {},
'lvm': {},
'lvm_filters': {},
'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'],
'loopback': {},
'nfs': {
'pkgs': ['nfs-utils']
},
'multipath': {
'enabled': False,
'pkgs': ['multipath-tools', 'multipath-tools-boot'],
'service': ''
},
},
'Debian': {
'mount': {},
'swap': {},
'lvm': {},
'lvm_filters': {},
'disk': {},
'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'],
'loopback': {},
'nfs': {
'pkgs': ['nfs-common']
},
'multipath': {
'enabled': False,
'pkgs': ['multipath-tools', 'multipath-tools-boot'],
'service': 'multipath-tools'
},
'lvm_pkgs': ['lvm2'],
},
'RedHat': {
'mount': {},
'swap': {},
'lvm': {},
'lvm_filters': {},
'disk': {},
'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'],
'loopback': {},
'nfs': {
'pkgs': ['nfs-utils']
},
'multipath': {
'enabled': False,
'pkgs': [],
'service': 'multipath'
},
},
}, merge=salt['grains.filter_by']({
'trusty': {
'lvm_services': ['udev'],
},
}, grain='oscodename', merge=salt['pillar.get']('linux:storage'))) %}
{% set monitoring = salt['grains.filter_by']({
'default': {
'bond_status': {
'interfaces': False
},
'zombie': {
'warn': 3,
'crit': 7,
},
'procs': {
'warn': 5000,
'crit': 10000,
},
'load': {
'warn': '6,4,2',
'crit': '12,8,4',
},
'swap': {
'warn': '50%',
'crit': '20%',
},
'disk': {
'warn': '15%',
'crit': '5%',
},
'netlink': {
'interfaces': [],
'interface_regex': '^[a-z0-9]+$',
'ignore_selected': False,
},
'cpu_usage_percentage': {
'warn': 90.0,
},
'cpu_steal_percentage': {
'warn': 5.0,
'crit': 10.0,
},
'memory_usage_percentage': {
'warn': 90.0,
'major': 95.0,
},
'disk_usage_percentage': {
'warn': 85.0,
'major': 95.0,
},
'inodes_usage_percentage': {
'warn': 85.0,
'major': 95.0,
},
'system_load_threshold': {
'warn': 1,
'crit': 2,
},
'rx_packets_dropped_threshold': {
'warn': 60,
},
'tx_packets_dropped_threshold': {
'warn': 100,
},
'swap_in_rate': {
'warn': 1024 * 1024,
},
'swap_out_rate': {
'warn': 1024 * 1024,
},
'failed_auths_threshold': {
'warn': 5,
},
'netdev_budget_squeeze_rate': 0.1
},
}, grain='os_family', merge=salt['pillar.get']('linux:monitoring')) %}
{%- set sysctl_min_kernel = {
'net.core.netdev_budget_usecs': '4.12',
} %}