- {% set system = salt['grains.filter_by']({
- 'Arch': {
- 'pkgs': ['sudo', 'vim', 'wget'],
- 'utc': true,
- 'user': {},
- 'group': {},
- 'job': {},
- 'limit': {},
- 'locale': {},
- 'motd': {},
- 'env': {},
- 'profile': {},
- 'proxy': {},
- 'repo': {},
- 'package': {},
- 'autoupdates': {
- 'pkgs': []
- },
- 'selinux': 'permissive',
- 'ca_certs_dir': '/usr/local/share/ca-certificates',
- 'ca_certs_bin': 'update-ca-certificates',
- 'atop': {
- 'enabled': false,
- 'interval': '20',
- 'autostart': true,
- 'logpath': '/var/log/atop',
- 'outfile': '/var/log/atop/daily.log'
- },
- 'at': {
- 'pkgs': [],
- 'services': []
- },
- 'cron': {
- 'pkgs': [],
- 'services': []
- },
- },
- 'Debian': {
- 'pkgs': ['python-apt', 'apt-transport-https', 'libmnl0'],
- 'utc': true,
- 'user': {},
- 'group': {},
- 'job': {},
- 'limit': {},
- 'locale': {},
- 'motd': {},
- 'env': {},
- 'profile': {},
- 'proxy': {},
- 'repo': {},
- 'package': {},
- 'autoupdates': {
- 'pkgs': ['unattended-upgrades']
- },
- 'selinux': 'permissive',
- 'ca_certs_dir': '/usr/local/share/ca-certificates',
- 'ca_certs_bin': 'update-ca-certificates',
- 'atop': {
- 'enabled': false,
- 'interval': '20',
- 'autostart': true,
- 'logpath': '/var/log/atop',
- 'outfile': '/var/log/atop/daily.log'
- },
- 'at': {
- 'pkgs': ['at'],
- 'services': ['atd'],
- 'user': {}
- },
- 'cron': {
- 'pkgs': ['cron'],
- 'services': ['cron'],
- 'user': {}
- },
- },
- 'RedHat': {
- 'pkgs': ['policycoreutils', 'policycoreutils-python', 'telnet', 'wget'],
- 'utc': true,
- 'user': {},
- 'group': {},
- 'job': {},
- 'limit': {},
- 'locale': {},
- 'motd': {},
- 'env': {},
- 'profile': {},
- 'proxy': {},
- 'repo': {},
- 'package': {},
- 'autoupdates': {
- 'pkgs': []
- },
- 'selinux': 'permissive',
- 'ca_certs_dir': '/etc/pki/ca-trust/source/anchors',
- 'ca_certs_bin': 'update-ca-trust extract',
- 'atop': {
- 'enabled': false,
- 'interval': '20',
- 'autostart': true,
- 'logpath': '/var/log/atop',
- 'outfile': '/var/log/atop/daily.log'
- },
- 'at': {
- 'pkgs': [],
- 'services': []
- },
- 'cron': {
- 'pkgs': [],
- 'services': []
- },
- },
- }, merge=salt['grains.filter_by']({
- 'bullseye': {
- 'pkgs': ['python3-apt', 'apt-transport-https', 'libmnl0'],
- },
- 'sid': {
- 'pkgs': ['python3-apt', 'apt-transport-https', 'libmnl0'],
- },
- }, grain='oscodename', merge=salt['pillar.get']('linux:system'))) %}
-
- {% set banner = salt['grains.filter_by']({
- 'BaseDefaults': {
- 'enabled': false,
- },
- }, grain='os_family', merge=salt['pillar.get']('linux:system:banner'), base='BaseDefaults') %}
-
- {% set auth = salt['grains.filter_by']({
- 'Arch': {
- 'enabled': false,
- 'duo': {
- 'enabled': false,
- 'duo_host': 'localhost',
- 'duo_ikey': '',
- 'duo_skey': ''
- }
- },
- 'RedHat': {
- 'enabled': false,
- 'duo': {
- 'enabled': false,
- 'duo_host': 'localhost',
- 'duo_ikey': '',
- 'duo_skey': ''
- }
- },
- 'Debian': {
- 'enabled': false,
- 'duo': {
- 'enabled': false,
- 'duo_host': 'localhost',
- 'duo_ikey': '',
- 'duo_skey': ''
- }
- },
- }, grain='os_family', merge=salt['pillar.get']('linux:system:auth')) %}
-
- {% set ldap = salt['grains.filter_by']({
- 'RedHat': {
- 'enabled': false,
- 'pkgs': ['openldap-clients', 'nss-pam-ldapd', 'authconfig', 'nscd'],
- 'version': '3',
- 'scope': 'sub',
- 'uid': 'nslcd',
- 'gid': 'nslcd',
- },
- 'Debian': {
- 'enabled': false,
- 'pkgs': ['libnss-ldapd', 'libpam-ldapd', 'nscd'],
- 'version': '3',
- 'scope': 'sub',
- 'uid': 'nslcd',
- 'gid': 'nslcd',
- },
- }, grain='os_family', merge=salt['pillar.get']('linux:system:auth:ldap')) %}
-
- {%- load_yaml as login_defs_defaults %}
- Debian:
- CHFN_RESTRICT:
- value: 'rwh'
- DEFAULT_HOME:
- value: 'yes'
- ENCRYPT_METHOD:
- value: 'SHA512'
- ENV_PATH:
- value: 'PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games'
- ENV_SUPATH:
- value: 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
- ERASECHAR:
- value: '0177'
- FAILLOG_ENAB:
- value: 'yes'
- FTMP_FILE:
- value: '/var/log/btmp'
- GID_MAX:
- value: '60000'
- GID_MIN:
- value: '1000'
- HUSHLOGIN_FILE:
- value: '.hushlogin'
- KILLCHAR:
- value: '025'
- LOGIN_RETRIES:
- value: '5'
- LOGIN_TIMEOUT:
- value: '60'
- LOG_OK_LOGINS:
- value: 'no'
- LOG_UNKFAIL_ENAB:
- value: 'no'
- MAIL_DIR:
- value: '/var/mail'
- PASS_MAX_DAYS:
- value: '99999'
- PASS_MIN_DAYS:
- value: '0'
- PASS_WARN_AGE:
- value: '7'
- SU_NAME:
- value: 'su'
- SYSLOG_SG_ENAB:
- value: 'yes'
- SYSLOG_SU_ENAB:
- value: 'yes'
- TTYGROUP:
- value: 'tty'
- TTYPERM:
- value: '0600'
- UID_MAX:
- value: '60000'
- UID_MIN:
- value: '1000'
- UMASK:
- value: '022'
- USERGROUPS_ENAB:
- value: 'yes'
- {%- endload %}
- {%- set login_defs = salt['grains.filter_by'](login_defs_defaults,
- grain='os_family', merge=salt['pillar.get']('linux:system:login_defs')) %}
-
- {# 'network_name', #}
-
- {% set interface_params = [
- 'gateway',
- 'mtu',
- 'network',
- 'broadcast',
- 'master',
- 'miimon',
- 'ovs_ports',
- 'ovs_bridge',
- 'mode',
- 'port_type',
- 'peer',
- 'lacp-rate',
- 'dns-search',
- 'up_cmds',
- 'pre_up_cmds',
- 'post_up_cmds',
- 'down_cmds',
- 'pre_down_cmds',
- 'post_down_cmds',
- 'maxwait',
- 'stp',
- 'gro',
- 'rx',
- 'tx',
- 'sg',
- 'tso',
- 'ufo',
- 'gso',
- 'lro',
- 'lacp_rate',
- 'ad_select',
- 'downdelay',
- 'updelay',
- 'hashing-algorithm',
- 'hardware-dma-ring-rx',
- 'hwaddr',
- 'noifupdown',
- 'arp_ip_target',
- 'primary',
- ] %}
- {% set debian_headers = "linux-headers-" + grains.get('kernelrelease')|string %}
- {% set network = salt['grains.filter_by']({
- 'Arch': {
- 'pkgs': ['wpa_supplicant', 'dhclient', 'wireless_tools', 'ifenslave'],
- 'bridge_pkgs': ['bridge-utils', 'vlan'],
- 'ovs_pkgs': ['openvswitch-switch', 'vlan'],
- 'hostname_file': '/etc/hostname',
- 'network_manager': False,
- 'systemd': {},
- 'interface': {},
- 'interface_params': interface_params,
- 'bridge': 'none',
- 'proxy': {
- 'host': 'none',
- },
- 'host': {},
- 'mine_dns_records': False,
- 'dhclient_config': '/etc/dhcp/dhclient.conf',
- 'ovs_nowait': False,
- },
- 'Debian': {
- 'pkgs': ['ifenslave'],
- 'hostname_file': '/etc/hostname',
- 'bridge_pkgs': ['bridge-utils', 'vlan'],
- 'ovs_pkgs': ['openvswitch-switch', 'bridge-utils', 'vlan'],
- 'dpdk_pkgs': ['dpdk', 'dpdk-dev', 'dpdk-igb-uio-dkms', 'dpdk-rte-kni-dkms', debian_headers.encode('utf8') ],
- 'network_manager': False,
- 'systemd': {},
- 'interface': {},
- 'interface_params': interface_params,
- 'bridge': 'none',
- 'proxy': {
- 'host': 'none'
- },
- 'host': {},
- 'mine_dns_records': False,
- 'dhclient_config': '/etc/dhcp/dhclient.conf',
- 'ovs_nowait': False,
- },
- 'RedHat': {
- 'pkgs': ['iputils'],
- 'bridge_pkgs': ['bridge-utils', 'vlan'],
- 'ovs_pkgs': ['openvswitch-switch', 'bridge-utils', 'vlan'],
- 'hostname_file': '/etc/sysconfig/network',
- 'network_manager': False,
- 'systemd': {},
- 'interface': {},
- 'interface_params': interface_params,
- 'bridge': 'none',
- 'proxy': {
- 'host': 'none'
- },
- 'host': {},
- 'mine_dns_records': False,
- 'dhclient_config': '/etc/dhcp/dhclient.conf',
- 'ovs_nowait': False,
- },
- }, grain='os_family', merge=salt['pillar.get']('linux:network')) %}
-
- {% set storage = salt['grains.filter_by']({
- 'Arch': {
- 'mount': {},
- 'swap': {},
- 'disk': {},
- 'lvm': {},
- 'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'],
- 'loopback': {},
- 'nfs': {
- 'pkgs': ['nfs-utils']
- },
- 'multipath': {
- 'enabled': False,
- 'pkgs': ['multipath-tools', 'multipath-tools-boot'],
- 'service': ''
- },
- },
- 'Debian': {
- 'mount': {},
- 'swap': {},
- 'lvm': {},
- 'disk': {},
- 'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'],
- 'loopback': {},
- 'nfs': {
- 'pkgs': ['nfs-common']
- },
- 'multipath': {
- 'enabled': False,
- 'pkgs': ['multipath-tools', 'multipath-tools-boot'],
- 'service': 'multipath-tools'
- },
- 'lvm_pkgs': ['lvm2'],
- },
- 'RedHat': {
- 'mount': {},
- 'swap': {},
- 'lvm': {},
- 'disk': {},
- 'lvm_services': ['lvm2-lvmetad', 'lvm2-lvmpolld', 'lvm2-monitor'],
- 'loopback': {},
- 'nfs': {
- 'pkgs': ['nfs-utils']
- },
- 'multipath': {
- 'enabled': False,
- 'pkgs': [],
- 'service': 'multipath'
- },
- },
- }, merge=salt['grains.filter_by']({
- 'focal': {
- 'lvm_services': ['lvm2-monitor'],
- },
- 'buster': {
- 'lvm_services': ['lvm2-monitor'],
- },
- 'trusty': {
- 'lvm_services': ['udev'],
- },
- }, grain='oscodename', merge=salt['pillar.get']('linux:storage'))) %}
-
- {% set monitoring = salt['grains.filter_by']({
- 'default': {
- 'bond_status': {
- 'interfaces': False
- },
- 'zombie': {
- 'warn': 3,
- 'crit': 7,
- },
- 'procs': {
- 'warn': 5000,
- 'crit': 10000,
- },
- 'load': {
- 'warn': '6,4,2',
- 'crit': '12,8,4',
- },
- 'swap': {
- 'warn': '50%',
- 'crit': '20%',
- },
- 'disk': {
- 'warn': '15%',
- 'crit': '5%',
- },
- 'netlink': {
- 'interfaces': [],
- 'interface_regex': '^[a-z0-9]+$',
- 'ignore_selected': False,
- },
- 'cpu_usage_percentage': {
- 'warn': 90.0,
- },
- 'memory_usage_percentage': {
- 'warn': 90.0,
- 'major': 95.0,
- },
- 'disk_usage_percentage': {
- 'warn': 85.0,
- 'major': 95.0,
- },
- 'swap_usage_percentage': {
- 'warn': 50.0,
- 'minor': 90.0,
- },
- 'inodes_usage_percentage': {
- 'warn': 85.0,
- 'major': 95.0,
- },
- 'system_load_threshold': {
- 'warn': 1,
- 'crit': 2,
- },
- 'rx_packets_dropped_threshold': {
- 'warn': 100,
- },
- 'tx_packets_dropped_threshold': {
- 'warn': 100,
- },
- 'swap_in_rate': {
- 'warn': 1024 * 1024,
- },
- 'swap_out_rate': {
- 'warn': 1024 * 1024,
- },
- 'failed_auths_threshold': {
- 'warn': 5,
- },
- 'net_rx_action_per_cpu_threshold': {
- 'warning': '500',
- 'minor': '5000'
- },
- 'packets_dropped_per_cpu_threshold': {
- 'minor': '0',
- 'major': '100'
- }
- },
- }, grain='os_family', merge=salt['pillar.get']('linux:monitoring')) %}