| {% set system = salt['grains.filter_by']({ |
| 'Arch': { |
| 'pkgs': ['sudo', 'vim', 'wget'], |
| 'utc': true, |
| 'user': {}, |
| 'group': {}, |
| 'job': {}, |
| 'limit': {}, |
| 'locale': {}, |
| 'motd': {}, |
| 'env': {}, |
| 'profile': {}, |
| 'proxy': {}, |
| 'repo': {}, |
| 'package': {}, |
| 'autoupdates': { |
| 'pkgs': [] |
| }, |
| 'selinux': 'permissive', |
| 'ca_certs_dir': '/usr/local/share/ca-certificates', |
| 'ca_certs_bin': 'update-ca-certificates', |
| 'atop': { |
| 'enabled': false, |
| 'interval': '20', |
| 'autostart': true, |
| 'logpath': '/var/log/atop', |
| 'outfile': '/var/log/atop/daily.log' |
| }, |
| 'sosreport': {}, |
| 'ssd_scheduler': { |
| 'enabled': false, |
| 'name': 'deadline', |
| }, |
| }, |
| 'Debian': { |
| 'pkgs': ['python-apt', 'apt-transport-https', 'libmnl0'], |
| 'utc': true, |
| 'user': {}, |
| 'group': {}, |
| 'create_default_group_for_user': true, |
| 'job': {}, |
| 'limit': {}, |
| 'locale': {}, |
| 'motd': {}, |
| 'motd_news': { |
| 'enabled': false |
| }, |
| 'env': {}, |
| 'profile': {}, |
| 'proxy': {}, |
| 'repo': {}, |
| 'package': {}, |
| 'autoupdates': { |
| 'pkgs': ['unattended-upgrades'] |
| }, |
| 'selinux': 'permissive', |
| 'ca_certs_dir': '/usr/local/share/ca-certificates', |
| 'ca_certs_bin': 'update-ca-certificates', |
| 'atop': { |
| 'enabled': false, |
| 'interval': '20', |
| 'autostart': true, |
| 'logpath': '/var/log/atop', |
| 'outfile': '/var/log/atop/daily.log' |
| }, |
| 'sosreport': {}, |
| 'ssd_scheduler': { |
| 'enabled': false, |
| 'name': 'deadline', |
| }, |
| }, |
| 'RedHat': { |
| 'pkgs': ['policycoreutils', 'policycoreutils-python', 'telnet', 'wget'], |
| 'utc': true, |
| 'user': {}, |
| 'group': {}, |
| 'job': {}, |
| 'limit': {}, |
| 'locale': {}, |
| 'motd': {}, |
| 'env': {}, |
| 'profile': {}, |
| 'proxy': {}, |
| 'repo': {}, |
| 'package': {}, |
| 'autoupdates': { |
| 'pkgs': [] |
| }, |
| 'selinux': 'permissive', |
| 'ca_certs_dir': '/etc/pki/ca-trust/source/anchors', |
| 'ca_certs_bin': 'update-ca-trust extract', |
| 'atop': { |
| 'enabled': false, |
| 'interval': '20', |
| 'autostart': true, |
| 'logpath': '/var/log/atop', |
| 'outfile': '/var/log/atop/daily.log' |
| }, |
| 'sosreport': {}, |
| 'ssd_scheduler': { |
| 'enabled': false, |
| 'name': 'deadline', |
| }, |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:system')) %} |
| |
| {% set at = salt['grains.filter_by']({ |
| 'Debian': { |
| 'enabled': false, |
| 'pkgs': ['at'], |
| 'services': ['atd'], |
| 'user': {} |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:system:at')) %} |
| |
| {% set cron = salt['grains.filter_by']({ |
| 'Debian': { |
| 'enabled': false, |
| 'pkgs': ['cron'], |
| 'services': ['cron'], |
| 'user': {} |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:system:cron')) %} |
| |
| {% set banner = salt['grains.filter_by']({ |
| 'BaseDefaults': { |
| 'enabled': false, |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:system:banner'), base='BaseDefaults') %} |
| |
| {% set auth = salt['grains.filter_by']({ |
| 'Arch': { |
| 'enabled': false, |
| 'duo': { |
| 'enabled': false, |
| 'duo_host': 'localhost', |
| 'duo_ikey': '', |
| 'duo_skey': '' |
| } |
| }, |
| 'RedHat': { |
| 'enabled': false, |
| 'duo': { |
| 'enabled': false, |
| 'duo_host': 'localhost', |
| 'duo_ikey': '', |
| 'duo_skey': '' |
| } |
| }, |
| 'Debian': { |
| 'enabled': false, |
| 'duo': { |
| 'enabled': false, |
| 'duo_host': 'localhost', |
| 'duo_ikey': '', |
| 'duo_skey': '' |
| } |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:system:auth')) %} |
| |
| {% set ldap = salt['grains.filter_by']({ |
| 'RedHat': { |
| 'enabled': false, |
| 'pkgs': ['openldap-clients', 'nss-pam-ldapd', 'authconfig', 'nscd'], |
| 'version': '3', |
| 'scope': 'sub', |
| 'uid': 'nslcd', |
| 'gid': 'nslcd', |
| }, |
| 'Debian': { |
| 'enabled': false, |
| 'pkgs': ['libnss-ldapd', 'libpam-ldapd', 'nscd'], |
| 'version': '3', |
| 'scope': 'sub', |
| 'uid': 'nslcd', |
| 'gid': 'nslcd', |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:system:auth:ldap')) %} |
| |
| {%- load_yaml as login_defs_defaults %} |
| Debian: |
| CHFN_RESTRICT: |
| value: 'rwh' |
| DEFAULT_HOME: |
| value: 'yes' |
| ENCRYPT_METHOD: |
| value: 'SHA512' |
| ENV_PATH: |
| value: 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games' |
| ENV_SUPATH: |
| value: 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' |
| ERASECHAR: |
| value: '0177' |
| FAILLOG_ENAB: |
| value: 'yes' |
| FTMP_FILE: |
| value: '/var/log/btmp' |
| GID_MAX: |
| value: '60000' |
| GID_MIN: |
| value: '1000' |
| HUSHLOGIN_FILE: |
| value: '.hushlogin' |
| KILLCHAR: |
| value: '025' |
| LOGIN_RETRIES: |
| value: '5' |
| LOGIN_TIMEOUT: |
| value: '60' |
| LOG_OK_LOGINS: |
| value: 'no' |
| LOG_UNKFAIL_ENAB: |
| value: 'no' |
| MAIL_DIR: |
| value: '/var/mail' |
| PASS_MAX_DAYS: |
| value: '99999' |
| PASS_MIN_DAYS: |
| value: '0' |
| PASS_WARN_AGE: |
| value: '7' |
| SU_NAME: |
| value: 'su' |
| SYSLOG_SG_ENAB: |
| value: 'yes' |
| SYSLOG_SU_ENAB: |
| value: 'yes' |
| TTYGROUP: |
| value: 'tty' |
| TTYPERM: |
| value: '0600' |
| UID_MAX: |
| value: '60000' |
| UID_MIN: |
| value: '1000' |
| UMASK: |
| value: '022' |
| USERGROUPS_ENAB: |
| value: 'yes' |
| {%- endload %} |
| {%- set login_defs = salt['grains.filter_by'](login_defs_defaults, |
| grain='os_family', merge=salt['pillar.get']('linux:system:login_defs')) %} |
| |
| {# 'network_name', #} |
| |
| {% set interface_params = [ |
| 'gateway', |
| 'mtu', |
| 'network', |
| 'broadcast', |
| 'master', |
| 'miimon', |
| 'ovs_ports', |
| 'ovs_bridge', |
| 'mode', |
| 'port_type', |
| 'peer', |
| 'lacp-rate', |
| 'dns-search', |
| 'up_cmds', |
| 'pre_up_cmds', |
| 'post_up_cmds', |
| 'down_cmds', |
| 'pre_down_cmds', |
| 'post_down_cmds', |
| 'maxwait', |
| 'stp', |
| 'gro', |
| 'rx', |
| 'tx', |
| 'sg', |
| 'tso', |
| 'ufo', |
| 'gso', |
| 'lro', |
| 'lacp_rate', |
| 'ad_select', |
| 'downdelay', |
| 'updelay', |
| 'hashing-algorithm', |
| 'hardware-dma-ring-rx', |
| 'hwaddr', |
| 'noifupdown', |
| 'arp_ip_target', |
| 'primary', |
| ] %} |
| {% set debian_headers = "linux-headers-" + grains.get('kernelrelease')|string %} |
| {% set network = salt['grains.filter_by']({ |
| 'Arch': { |
| 'pkgs': ['wpa_supplicant', 'dhclient', 'wireless_tools', 'ifenslave'], |
| 'bridge_pkgs': ['bridge-utils', 'vlan'], |
| 'ovs_pkgs': ['openvswitch-switch', 'vlan'], |
| 'hostname_file': '/etc/hostname', |
| 'network_manager': False, |
| 'systemd': {}, |
| 'interface': {}, |
| 'interface_params': interface_params, |
| 'bridge': 'none', |
| 'proxy': { |
| 'host': 'none', |
| }, |
| 'host': {}, |
| 'mine_dns_records': False, |
| 'dhclient_config': '/etc/dhcp/dhclient.conf', |
| 'ovs_nowait': False, |
| }, |
| 'Debian': { |
| 'pkgs': ['ifenslave'], |
| 'hostname_file': '/etc/hostname', |
| 'bridge_pkgs': ['bridge-utils', 'vlan'], |
| 'ovs_pkgs': ['openvswitch-switch', 'bridge-utils', 'vlan'], |
| 'dpdk_pkgs': ['dpdk', 'dpdk-dev', 'dpdk-igb-uio-dkms', 'dpdk-rte-kni-dkms', debian_headers.encode('utf8') ], |
| 'network_manager': False, |
| 'systemd': {}, |
| 'interface': {}, |
| 'interface_params': interface_params, |
| 'bridge': 'none', |
| 'proxy': { |
| 'host': 'none' |
| }, |
| 'host': {}, |
| 'mine_dns_records': False, |
| 'dhclient_config': '/etc/dhcp/dhclient.conf', |
| 'ovs_nowait': False, |
| }, |
| 'RedHat': { |
| 'pkgs': ['iputils'], |
| 'bridge_pkgs': ['bridge-utils', 'vlan'], |
| 'ovs_pkgs': ['openvswitch-switch', 'bridge-utils', 'vlan'], |
| 'hostname_file': '/etc/sysconfig/network', |
| 'network_manager': False, |
| 'systemd': {}, |
| 'interface': {}, |
| 'interface_params': interface_params, |
| 'bridge': 'none', |
| 'proxy': { |
| 'host': 'none' |
| }, |
| 'host': {}, |
| 'mine_dns_records': False, |
| 'dhclient_config': '/etc/dhcp/dhclient.conf', |
| 'ovs_nowait': False, |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:network')) %} |
| |
| {% set storage = salt['grains.filter_by']({ |
| 'Arch': { |
| 'mount': {}, |
| 'swap': {}, |
| 'disk': {}, |
| 'lvm': {}, |
| 'lvm_filters': {}, |
| 'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'], |
| 'loopback': {}, |
| 'nfs': { |
| 'pkgs': ['nfs-utils'] |
| }, |
| 'multipath': { |
| 'enabled': False, |
| 'pkgs': ['multipath-tools', 'multipath-tools-boot'], |
| 'service': '' |
| }, |
| }, |
| 'Debian': { |
| 'mount': {}, |
| 'swap': {}, |
| 'lvm': {}, |
| 'lvm_filters': {}, |
| 'disk': {}, |
| 'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'], |
| 'loopback': {}, |
| 'nfs': { |
| 'pkgs': ['nfs-common'] |
| }, |
| 'multipath': { |
| 'enabled': False, |
| 'pkgs': ['multipath-tools', 'multipath-tools-boot'], |
| 'service': 'multipath-tools' |
| }, |
| 'lvm_pkgs': ['lvm2'], |
| }, |
| 'RedHat': { |
| 'mount': {}, |
| 'swap': {}, |
| 'lvm': {}, |
| 'lvm_filters': {}, |
| 'disk': {}, |
| 'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'], |
| 'loopback': {}, |
| 'nfs': { |
| 'pkgs': ['nfs-utils'] |
| }, |
| 'multipath': { |
| 'enabled': False, |
| 'pkgs': [], |
| 'service': 'multipath' |
| }, |
| }, |
| }, merge=salt['grains.filter_by']({ |
| 'trusty': { |
| 'lvm_services': ['udev'], |
| }, |
| }, grain='oscodename', merge=salt['pillar.get']('linux:storage'))) %} |
| |
| {% set monitoring = salt['grains.filter_by']({ |
| 'default': { |
| 'bond_status': { |
| 'interfaces': False |
| }, |
| 'zombie': { |
| 'warn': 3, |
| 'crit': 7, |
| }, |
| 'procs': { |
| 'warn': 5000, |
| 'crit': 10000, |
| }, |
| 'load': { |
| 'warn': '6,4,2', |
| 'crit': '12,8,4', |
| }, |
| 'swap': { |
| 'warn': '50%', |
| 'crit': '20%', |
| }, |
| 'disk': { |
| 'warn': '15%', |
| 'crit': '5%', |
| }, |
| 'netlink': { |
| 'interfaces': [], |
| 'interface_regex': '^[a-z0-9]+$', |
| 'ignore_selected': False, |
| }, |
| 'cpu_usage_percentage': { |
| 'warn': 90.0, |
| }, |
| 'cpu_steal_percentage': { |
| 'warn': 5.0, |
| 'crit': 10.0, |
| }, |
| 'memory_usage_percentage': { |
| 'warn': 90.0, |
| 'major': 95.0, |
| }, |
| 'disk_usage_percentage': { |
| 'warn': 85.0, |
| 'major': 95.0, |
| }, |
| 'inodes_usage_percentage': { |
| 'warn': 85.0, |
| 'major': 95.0, |
| }, |
| 'system_load_threshold': { |
| 'warn': 1, |
| 'crit': 2, |
| }, |
| 'rx_packets_dropped_threshold': { |
| 'warn': 60, |
| }, |
| 'tx_packets_dropped_threshold': { |
| 'warn': 100, |
| }, |
| 'swap_in_rate': { |
| 'warn': 1024 * 1024, |
| }, |
| 'swap_out_rate': { |
| 'warn': 1024 * 1024, |
| }, |
| 'failed_auths_threshold': { |
| 'warn': 5, |
| }, |
| 'netdev_budget_squeeze_rate': 0.1 |
| }, |
| }, grain='os_family', merge=salt['pillar.get']('linux:monitoring')) %} |
| |
| {%- set sysctl_min_kernel = { |
| 'net.core.netdev_budget_usecs': '4.12', |
| } %} |