Saltstack Official Salt Formula

f_defaults.conf 54KB

Fixed pillar_roots generation for salt-master. With a simple pillar like this:: $ sudo salt-call --config-dir /srv/etc/bootstrap --pillar-root /srv/pillar pillar.get salt:pillar_roots local: ---------- base: - /srv/pillar This was generated in /etc/salt/master.d/f_defaults.conf:: # highstate format, and is generally just key/value pairs. pillar_roots:base:- /srv/pillar # Resulting in parse errors by salt:: $ sudo salt '*' state.highstate [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ [ERROR ] Error parsing configuration file: /etc/salt/master.d/f_defaults.conf - while scanning a simple key in "<string>", line 531, column 1: pillar_roots:base:- /srv/pillar ^ could not found expected ':' in "<string>", line 532, column 1: # ^ This patch will fix it as such:: ID: salt-master Function: file.recurse Name: /etc/salt/master.d Result: True Comment: Recursively updated /etc/salt/master.d Started: 11:37:12.946823 Duration: 6255.296 ms Changes: ---------- /etc/salt/master.d/f_defaults.conf: ---------- diff: --- +++ @@ -528,7 +528,9 @@ # Pillar is laid out in the same fashion as the file server, with environments, # a top file and sls files. However, pillar data does not need to be in the # highstate format, and is generally just key/value pairs. -pillar_roots:base:- /srv/pillar +pillar_roots: + base: + - /srv/pillar # Resulting in:: # highstate format, and is generally just key/value pairs. pillar_roots: base: - /srv/pillar #
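Review bot: the hunk at -528,7 +528,9 is taken from the rendered /etc/salt/master.d/f_defaults.conf, so the template change that produces it is not visible for review; include the Jinja hunk alongside it. The evidence also covers only one environment with one path (base: - /srv/pillar); rendering a pillar with several environments and paths and parsing the result as YAML before the file is written would catch a regression to the one-line form "pillar_roots:base:- /srv/pillar".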
9 years ago
  1. # This file managed by Salt, do not edit by hand!!
  2. # Based on salt version 2015.8.7 default config
  3. {% set reserved_keys = ['master', 'minion', 'cloud', 'salt_cloud_certs', 'engines'] -%}
  4. {% set cfg_salt = pillar.get('salt', {}) -%}
  5. {% set cfg_master = cfg_salt.get('master', {}) -%}
  6. {%- macro get_config(configname, default_value) -%}
  7. {%- if configname in cfg_master -%}
  8. {{ configname }}: {{ cfg_master[configname]|json }}
  9. {%- elif configname in cfg_salt and configname not in reserved_keys -%}
  10. {{ configname }}: {{ cfg_salt[configname]|json }}
  11. {%- else -%}
  12. #{{ configname }}: {{ default_value|json }}
  13. {%- endif -%}
  14. {%- endmacro -%}
  15. {%- from 'salt/formulas.jinja' import file_roots, formulas with context -%}
  16. ##### Primary configuration settings #####
  17. ##########################################
  18. # This configuration file is used to manage the behavior of the Salt Master.
  19. # Values that are commented out but have an empty line after the comment are
  20. # defaults that do not need to be set in the config. If there is no blank line
  21. # after the comment then the value is presented as an example and is not the
  22. # default.
  23. # The id to be passed in the publish job to minions.
  24. # This is used for MultiSyndics to return the job to the requesting master.
  25. # This must be the same string as the syndic is configured with.
  26. # master_id: None
  27. {{ get_config('master_id', 'None') }}
  28. # Per default, the master will automatically include all config files
  29. # from master.d/*.conf (master.d is a directory in the same directory
  30. # as the main master config file).
  31. {{ get_config('default_include', 'master.d/*.conf') }}
  32. # The address of the interface to bind to:
  33. {{ get_config('interface', '0.0.0.0') }}
  34. # Whether the master should listen for IPv6 connections. If this is set to True,
  35. # the interface option must be adjusted, too. (For example: "interface: '::'")
  36. {{ get_config('ipv6', 'False') }}
  37. # The tcp port used by the publisher:
  38. {{ get_config('publish_port', '4505') }}
  39. # The user under which the salt master will run. Salt will update all
  40. # permissions to allow the specified user to run the master. The exception is
  41. # the job cache, which must be deleted if this user is changed. If the
  42. # modified files cause conflicts, set verify_env to False.
  43. {{ get_config('user', 'root') }}
  44. # The port used by the communication interface. The ret (return) port is the
  45. # interface used for the file server, authentication, job returns, etc.
  46. {{ get_config('ret_port', '4506') }}
  47. # Specify the location of the daemon process ID file:
  48. {{ get_config('pidfile', '/var/run/salt-master.pid') }}
  49. # The root directory prepended to these options: pki_dir, cachedir,
  50. # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
  51. # key_logfile, pidfile:
  52. {{ get_config('root_dir', '/') }}
  53. # Directory used to store public key data:
  54. {{ get_config('pki_dir', '/etc/salt/pki/master') }}
  55. # Directory to store job and cache data:
  56. # This directory may contain sensitive data and should be protected accordingly.
  57. #
  58. {{ get_config('cachedir', '/var/cache/salt/master') }}
  59. # Directory for custom modules. This directory can contain subdirectories for
  60. # each of Salt's module types such as "runners", "output", "wheel", "modules",
  61. # "states", "returners", etc.
  62. {{ get_config('extension_modules', '<no default>') }}
  63. # Directory for custom modules. This directory can contain subdirectories for
  64. # each of Salt's module types such as "runners", "output", "wheel", "modules",
  65. # "states", "returners", etc.
  66. # Like 'extension_modules' but can take an array of paths
  67. {% if 'module_dirs' in cfg_master -%}
  68. module_dirs:
  69. {%- for dir in cfg_master['module_dirs'] %}
  70. - {{ dir}}
  71. {%- endfor -%}
  72. {% elif 'module_dirs' in cfg_salt -%}
  73. module_dirs:
  74. {%- for dir in cfg_salt['module_dirs'] %}
  75. - {{ dir}}
  76. {%- endfor -%}
  77. {% else -%}
  78. #module_dirs: <no default>
  79. # - /var/cache/salt/minion/extmods
  80. {% endif %}
  81. # Verify and set permissions on configuration directories at startup:
  82. {{ get_config('verify_env', 'True') }}
  83. # Set the number of hours to keep old job information in the job cache:
  84. {{ get_config('keep_jobs', '24') }}
  85. # Set the default timeout for the salt command and api. The default is 5
  86. # seconds.
  87. {{ get_config('timeout', '5') }}
  88. # The loop_interval option controls the seconds for the master's maintenance
  89. # process check cycle. This process updates file server backends, cleans the
  90. # job cache and executes the scheduler.
  91. {{ get_config('loop_interval', '60') }}
  92. # Set the default outputter used by the salt command. The default is "nested".
  93. {{ get_config('output', 'nested') }}
  94. # Return minions that timeout when running commands like test.ping
  95. {{ get_config('show_timeout', 'True') }}
  96. # By default, output is colored. To disable colored output, set the color value
  97. # to False.
  98. {{ get_config('color', 'True') }}
  99. # Do not strip off the colored output from nested results and state outputs
  100. # (true by default).
  101. {{ get_config('strip_colors', 'False') }}
  102. # Set the directory used to hold unix sockets:
  103. {{ get_config('sock_dir', '/var/run/salt/master') }}
  104. # The master can take a while to start up when lspci and/or dmidecode is used
  105. # to populate the grains for the master. Enable if you want to see GPU hardware
  106. # data for your master.
  107. {{ get_config('enable_gpu_grains', 'False') }}
  108. # The master maintains a job cache. While this is a great addition, it can be
  109. # a burden on the master for larger deployments (over 5000 minions).
  110. # Disabling the job cache will make previously executed jobs unavailable to
  111. # the jobs system and is not generally recommended.
  112. {{ get_config('job_cache', 'True') }}
  113. # Cache minion grains and pillar data in the cachedir.
  114. {{ get_config('minion_data_cache', 'True') }}
  115. # Store all returns in the given returner.
  116. # Setting this option requires that any returner-specific configuration also
  117. # be set. See various returners in salt/returners for details on required
  118. # configuration values. (See also, event_return_queue below.)
  119. {{ get_config('event_return', 'mysql') }}
  120. # On busy systems, enabling event_returns can cause a considerable load on
  121. # the storage system for returners. Events can be queued on the master and
  122. # stored in a batched fashion using a single transaction for multiple events.
  123. # By default, events are not queued.
  124. {{ get_config('event_return_queue', '0') }}
  125. # Only events returns matching tags in a whitelist
  126. {% if 'event_return_whitelist' in cfg_master -%}
  127. event_return_whitelist:
  128. {%- for event_return in cfg_master['event_return_whitelist'] %}
  129. - {{ event_return }}
  130. {%- endfor -%}
  131. {% elif 'event_return_whitelist' in cfg_salt -%}
  132. event_return_whitelist:
  133. {%- for event_return in cfg_salt['event_return_whitelist'] %}
  134. - {{ event_return }}
  135. {%- endfor -%}
  136. {% else -%}
  137. # event_return_whitelist:
  138. # - salt/master/a_tag
  139. # - salt/master/another_tag
  140. {% endif %}
  141. # Store all event returns _except_ the tags in a blacklist
  142. {% if 'event_return_blacklist' in cfg_master -%}
  143. event_return_blacklist:
  144. {%- for event_return in cfg_master['event_return_blacklist'] %}
  145. - {{ event_return }}
  146. {%- endfor -%}
  147. {% elif 'event_return_blacklist' in cfg_salt -%}
  148. event_return_blacklist:
  149. {%- for event_return in cfg_salt['event_return_blacklist'] %}
  150. - {{ event_return }}
  151. {%- endfor -%}
  152. {% else -%}
  153. # event_return_blacklist:
  154. # - salt/master/not_this_tag
  155. # - salt/master/or_this_one
  156. {% endif %}
  157. # Passing very large events can cause the minion to consume large amounts of
  158. # memory. This value tunes the maximum size of a message allowed onto the
  159. # master event bus. The value is expressed in bytes.
  160. {{ get_config('max_event_size', '1048576') }}
  161. # By default, the master AES key rotates every 24 hours. The next command
  162. # following a key rotation will trigger a key refresh from the minion which may
  163. # result in minions which do not respond to the first command after a key refresh.
  164. #
  165. # To tell the master to ping all minions immediately after an AES key refresh, set
  166. # ping_on_rotate to True. This should mitigate the issue where a minion does not
  167. # appear to initially respond after a key is rotated.
  168. #
  169. # Note that ping_on_rotate may cause high load on the master immediately after
  170. # the key rotation event as minions reconnect. Consider this carefully if this
  171. # salt master is managing a large number of minions.
  172. #
  173. # If disabled, it is recommended to handle this event by listening for the
  174. # 'aes_key_rotate' event with the 'key' tag and acting appropriately.
  175. {{ get_config('ping_on_rotate', 'False') }}
  176. # By default, the master deletes its cache of minion data when the key for that
  177. # minion is removed. To preserve the cache after key deletion, set
  178. # 'preserve_minion_cache' to True.
  179. #
  180. # WARNING: This may have security implications if compromised minions auth with
  181. # a previous deleted minion ID.
  182. {{ get_config('preserve_minion_cache', 'False') }}
  183. # If max_minions is used in large installations, the master might experience
  184. # high-load situations because of having to check the number of connected
  185. # minions for every authentication. This cache provides the minion-ids of
  186. # all connected minions to all MWorker-processes and greatly improves the
  187. # performance of max_minions.
  188. {{ get_config('con_cache', 'False') }}
  189. # The master can include configuration from other files. To enable this,
  190. # pass a list of paths to this option. The paths can be either relative or
  191. # absolute; if relative, they are considered to be relative to the directory
  192. # the main master configuration file lives in (this file). Paths can make use
  193. # of shell-style globbing. If no files are matched by a path passed to this
  194. # option, then the master will log a warning message.
  195. #
  196. # Include a config file from some other path:
  197. # include: /etc/salt/extra_config
  198. #
  199. # Include config from several files and directories:
  200. # include:
  201. # - /etc/salt/extra_config
  202. {{ get_config('include', '[]') }}
  203. ##### Large-scale tuning settings #####
  204. ##########################################
  205. # Max open files
  206. #
  207. # Each minion connecting to the master uses AT LEAST one file descriptor, the
  208. # master subscription connection. If enough minions connect you might start
  209. # seeing on the console (and then salt-master crashes):
  210. # Too many open files (tcp_listener.cpp:335)
  211. # Aborted (core dumped)
  212. #
  213. # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
  214. # max open files.
  215. #
  216. # If you wish to set a different value than the default one, uncomment and
  217. # configure this setting. Remember that this value CANNOT be higher than the
  218. # hard limit. Raising the hard limit depends on your OS and/or distribution,
  219. # a good way to find the limit is to search the internet. For example:
  220. # raise max open files hard limit debian
  221. #
  222. {{ get_config('max_open_files', '100000') }}
  223. # The number of worker threads to start. These threads are used to manage
  224. # return calls made from minions to the master. If the master seems to be
  225. # running slowly, increase the number of threads. This setting can not be
  226. # set lower than 3.
  227. {{ get_config('worker_threads', '5') }}
  228. # Set the ZeroMQ high water marks
  229. # http://api.zeromq.org/3-2:zmq-setsockopt
  230. # The publisher interface ZeroMQPubServerChannel
  231. {{ get_config('pub_hwm', '1000') }}
  232. # These two ZMQ HWM settings, salt_event_pub_hwm and event_publisher_pub_hwm
  233. # are significant for masters with thousands of minions. When these are
  234. # insufficiently high it will manifest in random responses missing in the CLI
  235. # and even missing from the job cache. Masters that have fast CPUs and many
  236. # cores with appropriate worker_threads will not need these set as high.
  237. # On deployment with 8,000 minions, 2.4GHz CPUs, 24 cores, 32GiB memory has
  238. # these settings:
  239. #
  240. # salt_event_pub_hwm: 128000
  241. # event_publisher_pub_hwm: 64000
  242. # ZMQ high-water-mark for SaltEvent pub socket
  243. {{ get_config('salt_event_pub_hwm', '20000') }}
  244. # ZMQ high-water-mark for EventPublisher pub socket
  245. {{ get_config('event_publisher_pub_hwm', '10000') }}
  246. ##### Security settings #####
  247. ##########################################
  248. # Enable "open mode", this mode still maintains encryption, but turns off
  249. # authentication, this is only intended for highly secure environments or for
  250. # the situation where your keys end up in a bad state. If you run in open mode
  251. # you do so at your own risk!
  252. {{ get_config('open_mode', 'False') }}
  253. # Enable auto_accept, this setting will automatically accept all incoming
  254. # public keys from the minions. Note that this is insecure.
  255. {{ get_config('auto_accept', 'False') }}
  256. # Time in minutes that a incoming public key with a matching name found in
  257. # pki_dir/minion_autosign/keyid is automatically accepted. Expired autosign keys
  258. # are removed when the master checks the minion_autosign directory.
  259. # 0 equals no timeout
  260. {{ get_config('autosign_timeout', '120') }}
  261. # If the autosign_file is specified, incoming keys specified in the
  262. # autosign_file will be automatically accepted. This is insecure. Regular
  263. # expressions as well as globing lines are supported.
  264. {{ get_config('autosign_file', '/etc/salt/autosign.conf') }}
  265. # Works like autosign_file, but instead allows you to specify minion IDs for
  266. # which keys will automatically be rejected. Will override both membership in
  267. # the autosign_file and the auto_accept setting.
  268. {{ get_config('autoreject_file', '/etc/salt/autoreject.conf') }}
  269. # Enable permissive access to the salt keys. This allows you to run the
  270. # master or minion as root, but have a non-root group be given access to
  271. # your pki_dir. To make the access explicit, root must belong to the group
  272. # you've given access to. This is potentially quite insecure. If an autosign_file
  273. # is specified, enabling permissive_pki_access will allow group access to that
  274. # specific file.
  275. {{ get_config('permissive_pki_access', 'False') }}
  276. # Allow users on the master access to execute specific commands on minions.
  277. # This setting should be treated with care since it opens up execution
  278. # capabilities to non root users. By default this capability is completely
  279. # disabled.
  280. {% if 'client_acl' in cfg_master -%}
  281. client_acl:
  282. {%- for name, user in cfg_master['client_acl']|dictsort %}
  283. {{ name}}:
  284. {%- for command in user %}
  285. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  286. {%- endfor -%}
  287. {%- endfor -%}
  288. {% elif 'client_acl' in cfg_salt -%}
  289. client_acl:
  290. {%- for name, user in cfg_salt['client_acl']|dictsort %}
  291. {{ name }}:
  292. {%- for command in user %}
  293. - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
  294. {%- endfor -%}
  295. {%- endfor -%}
  296. {% else -%}
  297. #client_acl:
  298. # larry:
  299. # - test.ping
  300. # - network.*
  301. {%- endif %}
  302. # Blacklist any of the following users or modules
  303. #
  304. # This example would blacklist all non sudo users, including root from
  305. # running any commands. It would also blacklist any use of the "cmd"
  306. # module. This is completely disabled by default.
  307. {% if 'client_acl_blacklist' in cfg_master %}
  308. client_acl_blacklist:
  309. users:
  310. {% for user in cfg_master['client_acl_blacklist'].get('users', []) %}
  311. - {{ user }}
  312. {% endfor %}
  313. modules:
  314. {% for mod in cfg_master['client_acl_blacklist'].get('modules', []) %}
  315. - {{ mod }}
  316. {% endfor %}
  317. {% elif 'client_acl_blacklist' in cfg_salt %}
  318. client_acl_blacklist:
  319. users:
  320. {% for user in cfg_salt['client_acl_blacklist'].get('users', []) %}
  321. - {{ user }}
  322. {% endfor %}
  323. modules:
  324. {% for mod in cfg_salt['client_acl_blacklist'].get('modules', []) %}
  325. - {{ mod }}
  326. {% endfor %}
  327. {% else %}
  328. #client_acl_blacklist:
  329. # users:
  330. # - root
  331. # - '^(?!sudo_).*$' # all non sudo users
  332. # modules:
  333. # - cmd
  334. {% endif %}
  335. # Enforce client_acl & client_acl_blacklist when users have sudo
  336. # access to the salt command.
  337. {{ get_config('sudo_acl', 'False') }}
  338. # The external auth system uses the Salt auth modules to authenticate and
  339. # validate users to access areas of the Salt system.
  340. #external_auth:
  341. # pam:
  342. # fred:
  343. # - test.*
  344. {{ get_config('external_auth', '{}') }}
  345. # Time (in seconds) for a newly generated token to live. Default: 12 hours
  346. {{ get_config('token_expire', '43200') }}
  347. # Allow minions to push files to the master. This is disabled by default, for
  348. # security purposes.
  349. {{ get_config('file_recv', 'False') }}
  350. # Set a hard-limit on the size of the files that can be pushed to the master.
  351. # It will be interpreted as megabytes. Default: 100
  352. {{ get_config('file_recv_max_size', '100') }}
  353. # Signature verification on messages published from the master.
  354. # This causes the master to cryptographically sign all messages published to its event
  355. # bus, and minions then verify that signature before acting on the message.
  356. #
  357. # This is False by default.
  358. #
  359. # Note that to facilitate interoperability with masters and minions that are different
  360. # versions, if sign_pub_messages is True but a message is received by a minion with
  361. # no signature, it will still be accepted, and a warning message will be logged.
  362. # Conversely, if sign_pub_messages is False, but a minion receives a signed
  363. # message it will be accepted, the signature will not be checked, and a warning message
  364. # will be logged. This behavior went away in Salt 2014.1.0 and these two situations
  365. # will cause minion to throw an exception and drop the message.
  366. {{ get_config('sign_pub_message', 'False') }}
  367. # Sign the master auth-replies with a cryptographic signature of the masters public key.
  368. # Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial
  369. {{ get_config('master_sign_pubkey', 'False') }}
  370. # The customizable name of the signing-key-pair without suffix.
  371. # master_sign_key_name: <filename_without_suffix>
  372. {{ get_config('master_sign', '{}') }}
  373. # The name of the file in the masters pki-directory that holds the pre-calculated
  374. # signature of the masters public-key.
  375. # master_pubkey_signature: <filename>
  376. {{ get_config('master_pubkey_signature', '{}') }}
  377. # Instead of computing the signature for each auth-reply, use a pre-calculated signature.
# The master_pubkey_signature must also be set for this.
{{ get_config('master_use_pubkey_signature', 'False') }}
# Rotate the salt-master's AES key when a minion's public key is deleted with salt-key.
# This is a very important security setting. Disabling it will enable deleted minions to still
# listen in on the messages published by the salt-master.
# Do not disable this unless it is absolutely clear what this does.
{{ get_config('rotate_aes_key', 'True') }}
# Unique ID attribute name for the user. For Active Directory should be set
# to 'sAMAccountName'. Default value is 'memberUid'.
{{ get_config('auth.ldap.accountattributename', 'memberUid') }}
# Set this to True if LDAP is Active Directory. Default is False
{{ get_config('auth.ldap.activedirectory', False) }}
# Bind to LDAP anonymously to determine group membership
# Active Directory does not allow anonymous binds without special configuration
{{ get_config('auth.ldap.anonymous', False) }}
# The base DN under which users can be found in LDAP
{{ get_config('auth.ldap.basedn', '') }}
# The user Salt authenticates as to search for a user's Distinguished Name and
# group membership.
{{ get_config('auth.ldap.binddn', '') }}
# The bind password to go along with the bind dn (binddn).
{{ get_config('auth.ldap.bindpw', '') }}
# The filter used to find the DN associated with a user. For most LDAPs use
# the value {% raw %}'uid={{ username }}'{% endraw %}. For Active Directory use the value
# {% raw %}'sAMAccountName={{username}}'{% endraw %}.
{{ get_config('auth.ldap.filter', '') }}
# The attribute used for user group membership. Defaults to 'memberOf'
{{ get_config('auth.ldap.groupattribute', 'memberOf') }}
# LDAP group class. Use 'group' for Active Directory. Defaults to 'posixGroup'
{{ get_config('auth.ldap.groupclass', 'posixGroup') }}
# To specify an OU that contains group data. Not used for Active Directory
# Default value: 'Groups'
{{ get_config('auth.ldap.groupou', 'Groups') }}
# Allows the administrator to strip off a certain set of domain names
# so the hostnames looked up in the directory service can match the minion IDs.
{{ get_config('auth.ldap.minion_stripdomains', []) }}
# Set to True to skip verification of the server's TLS certificate.
# Default value: False (the certificate is verified).
{{ get_config('auth.ldap.no_verify', False) }}
# Only for Active Directory. Default value: 'person'
{{ get_config('auth.ldap.persontype', 'person') }}
# Port to connect via. Default value: '389'
{{ get_config('auth.ldap.port', '389') }}
# LDAP scope level, almost always 2. Default value: 2
{{ get_config('auth.ldap.scope', 2) }}
# Server to auth against. Default value: 'localhost'
{{ get_config('auth.ldap.server', 'localhost') }}
# Use TLS when connecting. Default value: False
{{ get_config('auth.ldap.tls', False) }}
# Server specified in URI format. Overrides .ldap.server, .ldap.port,
# .ldap.tls. Default value: ''
{{ get_config('auth.ldap.uri', '') }}
##### Salt-SSH Configuration #####
##########################################
# Pass in an alternative location for the salt-ssh roster file
{{ get_config('roster_file', '/etc/salt/roster') }}
# Pass in minion option overrides that will be inserted into the SHIM for
# salt-ssh calls. The local minion config is not used for salt-ssh. Can be
# overridden on a per-minion basis in the roster (`minion_opts`)
#ssh_minion_opts:
#  gpg_keydir: /root/gpg
{{ get_config('ssh_minion_opts', '{}') }}
##### Master Module Management #####
##########################################
# Manage how master side modules are loaded.
# Add any additional locations to look for master runners:
{{ get_config('runner_dirs', '[]') }}
# Enable Cython for master side modules:
{{ get_config('cython_enable', 'False') }}
##### State System settings #####
##########################################
# The state system uses a "top" file to tell the minions what environment to
# use and what modules to use. The state_top file is defined relative to the
# root of the base environment as defined in "File Server settings" below.
{{ get_config('state_top', 'top.sls') }}
# The master_tops option replaces the external_nodes option by creating
# a pluggable system for the generation of external top data. The external_nodes
# option is deprecated by the master_tops option.
#
# To gain the capabilities of the classic external_nodes system, use the
# following configuration:
# master_tops:
#   ext_nodes: <Shell command which returns yaml>
#
#master_tops: {}
{% if 'master_tops' in cfg_master %}
master_tops:
{%- for master in cfg_master['master_tops'] -%}
{%- if cfg_master['master_tops'][master] is string %}
  {{ master }}: {{ cfg_master['master_tops'][master] }}
{%- else %}
  {{ master}}:
{%- for parameter in cfg_master['master_tops'][master] %}
    {{ parameter }}: {{ cfg_master['master_tops'][master][parameter] }}
{%- endfor -%}
{%- endif -%}
{%- endfor %}
{% endif %}
# The external_nodes option allows Salt to gather data that would normally be
# placed in a top file. The external_nodes option is the executable that will
# return the ENC data. Remember that Salt will look for external nodes AND top
# files and combine the results if both are enabled!
{{ get_config('external_nodes', 'None') }}
# The renderer to use on the minions to render the state data
{{ get_config('renderer', 'yaml_jinja') }}
# The Jinja renderer can strip extra carriage returns and whitespace
# See http://jinja.pocoo.org/docs/api/#high-level-api
#
# If this is set to True the first newline after a Jinja block is removed
# (block, not variable tag!). Defaults to False, corresponds to the Jinja
# environment init variable "trim_blocks".
{{ get_config('jinja_trim_blocks', 'False') }}
# If this is set to True leading spaces and tabs are stripped from the start
# of a line to a block. Defaults to False, corresponds to the Jinja
# environment init variable "lstrip_blocks".
{{ get_config('jinja_lstrip_blocks', 'False') }}
# The failhard option tells the minions to stop immediately after the first
# failure detected in the state execution, defaults to False
{{ get_config('failhard', 'False') }}
# The state_verbose and state_output settings can be used to change the way
# state system data is printed to the display. By default all data is printed.
# The state_verbose setting can be set to True or False, when set to False
# all data that has a result of True and no changes will be suppressed.
{{ get_config('state_verbose', 'True') }}
# The state_output setting changes if the output is the full multi line
# output for each changed state if set to 'full', but if set to 'terse'
# the output will be shortened to a single line. If set to 'mixed', the output
# will be terse unless a state failed, in which case that output will be full.
# If set to 'changes', the output will be full unless the state didn't change.
{{ get_config('state_output', 'full') }}
# Automatically aggregate all states that have support for mod_aggregate by
# setting to 'True'. Or pass a list of state module names to automatically
# aggregate just those types.
#
# state_aggregate:
#   - pkg
#
#state_aggregate: False
{{ get_config('state_aggregate', '{}') }}
# Send progress events as each function in a state run completes execution
# by setting to 'True'. Progress events are in the format
# 'salt/job/<JID>/prog/<MID>/<RUN NUM>'.
{{ get_config('state_events', 'False') }}
# Enable extra routines for the YAML renderer, used for states containing UTF characters.
{{ get_config('yaml_utf8', 'False') }}
##### File Server settings #####
##########################################
# Salt runs a lightweight file server written in zeromq to deliver files to
# minions. This file server is built into the master daemon and does not
# require a dedicated port.
# The file server works on environments passed to the master. Each environment
# can have multiple root directories. The subdirectories in the multiple file
# roots must not match; otherwise the downloaded files cannot be
# reliably ensured. A base environment is required to house the top file.
# Example:
# file_roots:
#   base:
#     - /srv/salt/
#   dev:
#     - /srv/salt/dev/services
#     - /srv/salt/dev/states
#   prod:
#     - /srv/salt/prod/services
#     - /srv/salt/prod/states
#
{% if 'file_roots' in cfg_master -%}
{{ file_roots(cfg_master['file_roots']) }}
{%- elif 'file_roots' in cfg_salt -%}
{{ file_roots(cfg_salt['file_roots']) }}
{%- elif formulas|length -%}
{{ file_roots({'base': ['/srv/salt']}) }}
{%- else -%}
#file_roots:
#  base:
#    - /srv/salt
{%- endif %}
# When using multiple environments, each with their own top file, the
# default behaviour is an unordered merge. To prevent top files from
# being merged together and instead to only use the top file from the
# requested environment, set this value to 'same'.
{{ get_config('top_file_merging_strategy', 'merge') }}
# To specify the order in which environments are merged, set the ordering
# in the env_order option. Given a conflict, the last matching value will
# win.
{{ get_config('env_order', '["base", "dev", "prod"]') }}
# If top_file_merging_strategy is set to 'same' and an environment does not
# contain a top file, the top file in the environment specified by default_top
# will be used instead.
{{ get_config('default_top', 'base') }}
# The hash_type is the hash to use when discovering the hash of a file on
# the master server. The default is md5, but sha1, sha224, sha256, sha384
# and sha512 are also supported.
#
# Prior to changing this value, the master should be stopped and all Salt
# caches should be cleared.
{{ get_config('hash_type', 'md5') }}
# The buffer size in the file server can be adjusted here:
{{ get_config('file_buffer_size', '1048576') }}
# A regular expression (or a list of expressions) that will be matched
# against the file path before syncing the modules and states to the minions.
# This includes files affected by the file.recurse state.
# For example, if you manage your custom modules and states in subversion
# and don't want all the '.svn' folders and content synced to your minions,
# you could set this to '/\.svn($|/)'. By default nothing is ignored.
{% if 'file_ignore_regex' in cfg_master %}
file_ignore_regex:
{% for regex in cfg_master['file_ignore_regex'] %}
  - {{ regex }}
{% endfor %}
{% elif 'file_ignore_regex' in cfg_salt %}
file_ignore_regex:
{% for regex in cfg_salt['file_ignore_regex'] %}
  - {{ regex }}
{% endfor %}
{% else %}
#file_ignore_regex:
#  - '/\.svn($|/)'
#  - '/\.git($|/)'
{% endif %}
# A file glob (or list of file globs) that will be matched against the file
# path before syncing the modules and states to the minions. This is similar
# to file_ignore_regex above, but works on globs instead of regex. By default
# nothing is ignored.
{% if 'file_ignore_glob' in cfg_master %}
file_ignore_glob:
{% for glob in cfg_master['file_ignore_glob'] %}
  - {{ glob }}
{% endfor %}
{% elif 'file_ignore_glob' in cfg_salt %}
file_ignore_glob:
{% for glob in cfg_salt['file_ignore_glob'] %}
  - {{ glob }}
{% endfor %}
{% else %}
# file_ignore_glob:
#   - '*.pyc'
#   - '*/somefolder/*.bak'
#   - '*.swp'
{% endif %}
# File Server Backend
#
# Salt supports a modular fileserver backend system. This system allows
# the salt master to link directly to third party systems to gather and
# manage the files available to minions. Multiple backends can be
# configured and will be searched for the requested file in the order in which
# they are defined here. The default setting only enables the standard backend
# "roots" which uses the "file_roots" option.
#fileserver_backend:
#  - roots
#
# To use multiple backends list them in the order they are searched:
#fileserver_backend:
#  - git
#  - roots
{% if 'fileserver_backend' in cfg_master -%}
fileserver_backend:
{%- for backend in cfg_master['fileserver_backend'] %}
  - {{ backend }}
{%- endfor -%}
{%- endif %}
# Uncomment the line below if you do not want the file_server to follow
# symlinks when walking the filesystem tree. This is set to True
# by default. Currently this only applies to the default roots
# fileserver_backend.
{{ get_config('fileserver_followsymlinks', 'False') }}
# Uncomment the line below if you do not want symlinks to be
# treated as the files they are pointing to. By default this is set to
# False. By uncommenting the line below, any detected symlink while listing
# files on the Master will not be returned to the Minion.
{{ get_config('fileserver_ignoresymlinks', 'True') }}
# By default, the Salt fileserver recurses fully into all defined environments
# to attempt to find files. To limit this behavior so that the fileserver only
# traverses directories with SLS files and special Salt directories like _modules,
# enable the option below. This might be useful for installations where a file root
# has a very large number of files and performance is impacted. Default is False.
{{ get_config('fileserver_limit_traversal', 'False') }}
# The fileserver can fire events off every time the fileserver is updated.
# These are disabled by default, but can be easily turned on by setting this
# flag to True
{{ get_config('fileserver_events', 'False') }}
# Git File Server Backend Configuration
#
# Optional parameter used to specify the provider to be used for gitfs. Must
# be one of the following: pygit2, gitpython, or dulwich. If unset, then each
# will be tried in that same order, and the first one with a compatible
# version installed will be the provider that is used.
{{ get_config('gitfs_provider', 'pygit2') }}
# Along with gitfs_password, is used to authenticate to HTTPS remotes.
{{ get_config('gitfs_user', 'git') }}
# Along with gitfs_user, is used to authenticate to HTTPS remotes.
# This parameter is not required if the repository does not use authentication.
{{ get_config('gitfs_password', '') }}
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
# This parameter enables authentication over HTTP. Enable this at your own risk.
{{ get_config('gitfs_insecure_auth', 'False') }}
# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to
# authenticate to SSH remotes. This parameter (or its per-remote counterpart)
# is required for SSH remotes.
{{ get_config('gitfs_pubkey', '') }}
# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to
# authenticate to SSH remotes. This parameter (or its per-remote counterpart)
# is required for SSH remotes.
{{ get_config('gitfs_privkey', '') }}
# This parameter is optional, required only when the SSH key being used to
# authenticate is protected by a passphrase.
{{ get_config('gitfs_passphrase', '') }}
# When using the git fileserver backend at least one git remote needs to be
# defined. The user running the salt master will need read access to the repo.
#
# The repos will be searched in order to find the file requested by a client
# and the first repo to have the file will return it.
# When using the git backend branches and tags are translated into salt
# environments.
# Note: file:// repos will be treated as a remote, so refs you want used must
# exist in that repo as *local* refs.
{% if 'gitfs_remotes' in cfg_master -%}
gitfs_remotes:
{%- for remote in cfg_master['gitfs_remotes'] %}
{%- if remote is iterable and remote is not string %}
{%- for repo, children in remote.items() %}
  - {{ repo }}:
{%- for child in children %}
{%- for key, value in child.items() %}
    - {{ key }}: {{ value }}
{%- endfor -%}
{%- endfor -%}
{%- endfor -%}
{%- else %}
  - {{ remote }}
{%- endif -%}
{%- endfor -%}
{%- endif %}
#gitfs_remotes:
#  - git://github.com/saltstack/salt-states.git
#  - file:///var/git/saltmaster
#
# The gitfs_ssl_verify option specifies whether to ignore ssl certificate
# errors when contacting the gitfs backend. You might want to set this to
# false if you're using a git backend that uses a self-signed certificate, but
# keep in mind that setting this flag to anything other than the default of True
# is a security concern; you may want to try using the ssh transport instead.
{{ get_config('gitfs_ssl_verify', 'True') }}
# The gitfs_root option gives the ability to serve files from a subdirectory
# within the repository. The path is defined relative to the root of the
# repository and defaults to the repository root.
{{ get_config('gitfs_root', 'somefolder/otherfolder') }}
# The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater
# control over which branches/tags are exposed as fileserver environments.
{% if 'gitfs_env_whitelist' in cfg_master -%}
gitfs_env_whitelist:
{%- for git_env in cfg_master['gitfs_env_whitelist'] %}
  - {{ git_env }}
{%- endfor -%}
{% else -%}
# gitfs_env_whitelist:
#   - base
#   - v1.*
{% endif %}
{% if 'gitfs_env_blacklist' in cfg_master -%}
gitfs_env_blacklist:
{%- for git_env in cfg_master['gitfs_env_blacklist'] %}
  - {{ git_env }}
{%- endfor -%}
{% else -%}
# gitfs_env_blacklist:
#   - bug/*
#   - feature/*
{% endif %}
# S3 File Server Backend Configuration
#
# S3 credentials must be set in the master config file.
# Alternatively, if on EC2 these credentials can be automatically
# loaded from instance metadata.
{% if 's3.keyid' in cfg_master -%}
{{ get_config('s3.keyid', '<no default>') }}
{{ get_config('s3.key', '<no default>') }}
{% else -%}
# s3.keyid: GKTADJGHEIQSXMKKRBJ08H
# s3.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
{% endif %}
# This fileserver supports two modes of operation for the buckets:
# - A single bucket per environment
# - Multiple environments per bucket
#
# Note that bucket names must be all lowercase both in the AWS console
# and in Salt, otherwise you may encounter SignatureDoesNotMatch
# errors.
#
# A multiple-environment bucket must adhere to the following root
# directory structure:
#
#   s3://<bucket name>/<environment>/<files>
#
# This fileserver back-end requires the use of the MD5 hashing
# algorithm. MD5 may not be compliant with all security policies.
{% if 's3.buckets' in cfg_master -%}
{{ get_config('s3.buckets', '<no default>') }}
{% else -%}
# s3.buckets: #single bucket per environment
#   production:
#     - bucket1
#     - bucket2
#   staging:
#     - bucket3
#     - bucket4
#
# s3.buckets: #multiple environments per bucket
#   - bucket1
#   - bucket2
#   - bucket3
#   - bucket4
{% endif %}
##### Pillar settings #####
##########################################
# Salt Pillars allow for the building of global data that can be made selectively
# available to different minions based on minion grain filtering. The Salt
# Pillar is laid out in the same fashion as the file server, with environments,
# a top file and sls files. However, pillar data does not need to be in the
# highstate format, and is generally just key/value pairs.
{% if 'pillar_roots' in cfg_master -%}
pillar_roots:
{%- for name, roots in cfg_master['pillar_roots']|dictsort %}
  {{ name }}:
{%- for dir in roots %}
    - {{ dir }}
{%- endfor -%}
{%- endfor -%}
{% elif 'pillar_roots' in cfg_salt -%}
pillar_roots:
{%- for name, roots in cfg_salt['pillar_roots']|dictsort %}
  {{ name }}:
{%- for dir in roots %}
    - {{ dir }}
{%- endfor -%}
{%- endfor -%}
{%- else -%}
#pillar_roots:
#  base:
#    - /srv/pillar
{%- endif %}
{% if 'ext_pillar' in cfg_master %}
ext_pillar:
{%- for pillar in cfg_master['ext_pillar'] -%}
{%- for key in pillar -%}
{%- if pillar[key] is string %}
  - {{ key }}: {{ pillar[key] }}
{%- elif pillar[key] is iterable and pillar[key] is not mapping %}
  - {{ key }}:
{%- for parameter in pillar[key] %}
    - {{ parameter }}
{%- endfor -%}
{%- elif pillar[key] is mapping and pillar[key] is not string %}
  - {{ key }}:
{%- for parameter in pillar[key] %}
      {{ parameter }}: {{pillar[key][parameter]}}
{%- endfor %}
{%- else %}
# Error in rendering {{ key }}, please read https://docs.saltstack.com/en/latest/topics/development/external_pillars.html#configuration
{% endif %}
{%- endfor -%}
{%- endfor %}
{% elif 'ext_pillar' in cfg_salt %}
ext_pillar:
{% for pillar in cfg_salt['ext_pillar'] %}
  - {{ (pillar.items()|list)[0][0] }}: {{ (pillar.items()|list)[0][1] }}
{% endfor %}
{% else %}
#ext_pillar:
#  - hiera: /etc/hiera.yaml
#  - cmd_yaml: cat /etc/salt/yaml
{% endif %}
# The ext_pillar_first option allows for external pillar sources to populate
# before file system pillar. This allows for targeting file system pillar from
# ext_pillar.
{{ get_config('ext_pillar_first', 'False') }}
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
# errors when contacting the pillar gitfs backend. You might want to set this to
# false if you're using a git backend that uses a self-signed certificate, but
# keep in mind that setting this flag to anything other than the default of True
# is a security concern; you may want to try using the ssh transport instead.
{{ get_config('pillar_gitfs_ssl_verify', 'True') }}
# The pillar_opts option adds the master configuration file data to a dict in
# the pillar called "master". This is used to set simple configurations in the
# master config file that can then be used on minions.
{{ get_config('pillar_opts', 'False') }}
# The pillar_safe_render_error option prevents the master from passing pillar
# render errors to the minion. This is set on by default because the error could
# contain templating data which would give that minion information it shouldn't
# have, like a password! When set true the error message will only show:
#   Rendering SLS 'my.sls' failed. Please see master log for details.
{{ get_config('pillar_safe_render_error', 'True') }}
# The pillar_source_merging_strategy option allows you to configure the merging
# strategy between different sources. It accepts four values: recurse, aggregate,
# overwrite, or smart. Recurse will recursively merge mappings of data. Aggregate
# instructs aggregation of elements between sources that use the #!yamlex renderer.
# Overwrite will overwrite elements according to the order in which they are
# processed. This is the behavior of the 2014.1 branch and earlier. Smart guesses
# the best strategy based on the "renderer" setting and is the default value.
{{ get_config('pillar_source_merging_strategy', 'smart') }}
# Recursively merge lists by aggregating them instead of replacing them.
{{ get_config('pillar_merge_lists', False) }}
# Git External Pillar (git_pillar) Configuration Options
#
# Specify the provider to be used for git_pillar. Must be either pygit2 or
# gitpython. If unset, then both will be tried in that same order, and the
# first one with a compatible version installed will be the provider that
# is used.
{{ get_config('git_pillar_provider', 'pygit2') }}
# If the desired branch matches this value, and the environment is omitted
# from the git_pillar configuration, then the environment for that git_pillar
# remote will be base.
{{ get_config('git_pillar_base', 'master') }}
# If the branch is omitted from a git_pillar remote, then this branch will
# be used instead.
{{ get_config('git_pillar_branch', 'master') }}
# Environment to use for git_pillar remotes. This is normally derived from
# the branch/tag (or from a per-remote env parameter), but if set this will
# override the process of deriving the env from the branch/tag name.
{{ get_config('git_pillar_env', '') }}
# Path relative to the root of the repository where the git_pillar top file
# and SLS files are located.
{{ get_config('git_pillar_root', 'pillar') }}
# Specifies whether or not to ignore SSL certificate errors when contacting
# the remote repository.
{{ get_config('git_pillar_ssl_verify', True) }}
# When set to False, if there is an update/checkout lock for a git_pillar
# remote and the pid written to it is not running on the master, the lock
# file will be automatically cleared and a new lock will be obtained.
{{ get_config('git_pillar_global_lock', False) }}
# Git External Pillar Authentication Options
#
# Along with git_pillar_password, is used to authenticate to HTTPS remotes.
{{ get_config('git_pillar_user', '') }}
# Along with git_pillar_user, is used to authenticate to HTTPS remotes.
# This parameter is not required if the repository does not use authentication.
{{ get_config('git_pillar_password', '') }}
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote.
# This parameter enables authentication over HTTP.
{{ get_config('git_pillar_insecure_auth', False) }}
# Along with git_pillar_privkey (and optionally git_pillar_passphrase),
# is used to authenticate to SSH remotes.
{{ get_config('git_pillar_pubkey', '') }}
# Along with git_pillar_pubkey (and optionally git_pillar_passphrase),
# is used to authenticate to SSH remotes.
{{ get_config('git_pillar_privkey', '') }}
# This parameter is optional, required only when the SSH key being used
# to authenticate is protected by a passphrase.
{{ get_config('git_pillar_passphrase', '') }}
##### Syndic settings #####
##########################################
# The Salt syndic is used to pass commands through a master from a higher
# master. Using the syndic is simple. If this is a master that will have
# syndic server(s) below it, then set the "order_masters" setting to True.
#
# If this is a master that will be running a syndic daemon for passthrough, then
# the "syndic_master" setting needs to be set to the location of the master server
# to receive commands from.
# Set the order_masters setting to True if this master will command lower
# masters' syndic interfaces.
{{ get_config('order_masters', 'False') }}
# If this master will be running a salt syndic daemon, syndic_master tells
# this master where to receive commands from.
{{ get_config('syndic_master', 'masterofmaster') }}
# This is the 'ret_port' of the MasterOfMaster:
{{ get_config('syndic_master_port', '4506') }}
# PID file of the syndic daemon:
{{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
# LOG file of the syndic daemon:
{{ get_config('syndic_log_file', 'syndic.log') }}
##### Peer Publish settings #####
##########################################
# Salt minions can send commands to other minions, but only if the minion is
# allowed to. By default "Peer Publication" is disabled, and when enabled it
# is enabled for specific minions and specific commands. This allows secure
# compartmentalization of commands based on individual minions.
# The configuration uses regular expressions to match minions and then a list
# of regular expressions to match functions. The following will allow the
# minion authenticated as foo.example.com to execute functions from the test
# and pkg modules.
#peer:
#  foo.example.com:
#    - test.*
#    - pkg.*
#
# This will allow all minions to execute all commands:
#peer:
#  .*:
#    - .*
#
# This is not recommended, since it would allow anyone who gets root on any
# single minion to instantly have root on all of the minions!
{% if 'peer' in cfg_master %}
peer:
{% for name, roots in cfg_master['peer'].items() %}
  {{ name }}:
{% for mod in roots %}
    - {{ mod }}
{% endfor %}
{% endfor %}
{% elif 'peer' in cfg_salt %}
peer:
{% for name, roots in cfg_salt['peer'].items() %}
  {{ name }}:
{% for mod in roots %}
    - {{ mod }}
{% endfor %}
{% endfor %}
{% endif %}
# Minions can also be allowed to execute runners from the salt master.
# Since executing a runner from the minion could be considered a security risk,
# it needs to be enabled. This setting functions just like the peer setting
# except that it opens up runners instead of module functions.
#
# All peer runner support is turned off by default and must be enabled before
# using. This will enable all peer runners for all minions:
#peer_run:
#  .*:
#    - .*
#
# To enable just the manage.up runner for the minion foo.example.com:
#peer_run:
#  foo.example.com:
#    - manage.up
{% if 'peer_run' in cfg_master %}
peer_run:
{% for name, roots in cfg_master['peer_run'].items() %}
  {{ name }}:
{% for mod in roots %}
    - {{ mod }}
{% endfor %}
{% endfor %}
{% elif 'peer_run' in cfg_salt %}
peer_run:
{% for name, roots in cfg_salt['peer_run'].items() %}
  {{ name }}:
{% for mod in roots %}
    - {{ mod }}
{% endfor %}
{% endfor %}
{% endif %}
##### Mine settings #####
#####################################
# Restrict mine.get access from minions. By default any minion has full access
# to get all mine data from the master cache. In the ACL definition below, only
# pcre matches are allowed.
# mine_get:
#   .*:
#     - .*
#
# The example below enables minion foo.example.com to get 'network.interfaces' mine
# data only, minions web* to get all network.* and disk.* mine data and all other
# minions won't get any mine data.
{% if 'mine_get' in cfg_master -%}
mine_get:
{%- for minion, data in cfg_master['mine_get']|dictsort %}
  {{ minion }}:
{%- for command in data %}
    - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
{%- endfor -%}
{%- endfor -%}
{% elif 'mine_get' in cfg_salt -%}
mine_get:
{%- for minion, data in cfg_salt['mine_get']|dictsort %}
  {{ minion }}:
{%- for command in data %}
    - {% raw %}'{% endraw %}{{ command }}{% raw %}'{% endraw %}
{%- endfor -%}
{%- endfor -%}
{% else -%}
# mine_get:
#   foo.example.com:
#     - network.interfaces
#   web.*:
#     - network.*
#     - disk.*
{%- endif %}
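How the peer, peer_run and mine_get rules above select minions and functions, as an added example that is not part of the formula. It assumes the master applies each pattern with Python's `re.match` (anchored at the start of the string only); the ACLs, minion IDs and probe values are constructed.

```python
import re

# Constructed ACLs in the shape shared by peer, peer_run and mine_get:
# {minion-ID regex: [function regex, ...]}.
SAMPLE_MINE_GET = {
    "foo.example.com": ["network.interfaces"],
    "web.*": ["network.*", "disk.*"],
}
SAMPLE_PEER_OPEN = {".*": [".*"]}

# Constructed minion IDs, standing in for the accepted keys on a master.
SAMPLE_IDS = [
    "foo.example.com",
    "fooXexample.com",
    "foo.example.com.lab.test",
    "web01",
    "webcam-lab-7",
    "db01",
]

# Probe values that no deliberately written rule should match.
PROBE_ID = "zz-unlisted-probe.invalid"
PROBE_FUN = "zzprobe.unlisted"


def granted_patterns(acl, minion_id):
    """Function patterns from every rule whose key matches minion_id.

    Assumption: re.match semantics, so a pattern only has to match a
    prefix of the ID and an unescaped '.' matches any character.
    """
    perms = []
    for id_pattern, fun_patterns in acl.items():
        if re.match(id_pattern, minion_id) and isinstance(fun_patterns, list):
            perms.extend(fun_patterns)
    return perms


def is_allowed(acl, minion_id, fun):
    """True if any pattern granted to minion_id matches the function name."""
    return any(re.match(p, fun) for p in granted_patterns(acl, minion_id))


def matches_by_rule(acl, minion_ids):
    """Map each minion pattern to the IDs it really selects, for review."""
    return {p: [m for m in minion_ids if re.match(p, m)] for p in acl}


def catch_all_findings(option, acl):
    """Flag rules that also match the unlisted probe ID or probe function."""
    findings = []
    for id_pattern, fun_patterns in acl.items():
        if re.match(id_pattern, PROBE_ID):
            findings.append(f"{option}: {id_pattern!r} matches an unlisted minion ID")
        for fun_pattern in fun_patterns:
            if re.match(fun_pattern, PROBE_FUN):
                findings.append(
                    f"{option}[{id_pattern!r}]: {fun_pattern!r} matches an unlisted function"
                )
    return findings


def strict_id(minion_id):
    """Pattern that matches exactly one minion ID: escaped and end-anchored."""
    return re.escape(minion_id) + r"\Z"


if __name__ == "__main__":
    for pattern, ids in matches_by_rule(SAMPLE_MINE_GET, SAMPLE_IDS).items():
        print(f"{pattern!r} selects {ids}")
    print(f"{strict_id('foo.example.com')!r} selects",
          matches_by_rule({strict_id("foo.example.com"): []}, SAMPLE_IDS))
    for finding in catch_all_findings("peer", SAMPLE_PEER_OPEN):
        print(finding)
```

Run against the real list of accepted minion IDs, `matches_by_rule` shows which hosts a rule written for one name also covers.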
##### Logging settings #####
##########################################
# The location of the master log file
# The master log can be sent to a regular file, local path name, or network
# location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
# ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
# format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
#log_file: /var/log/salt/master
#log_file: file:///dev/log
#log_file: udp://loghost:10514
{{ get_config('log_file', '/var/log/salt/master') }}
{{ get_config('key_logfile', '/var/log/salt/key') }}
# The level of messages to send to the console.
# One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
#
# The following log levels are considered INSECURE and may log sensitive data:
# ['garbage', 'trace', 'debug']
#
{{ get_config('log_level', 'warning') }}
# The level of messages to send to the log file.
# One of 'garbage', 'trace', 'debug', 'info', 'warning', 'error', 'critical'.
# If using 'log_granular_levels' this must be set to the highest desired level.
{{ get_config('log_level_logfile', 'warning') }}
# The date and time format used in log messages. Allowed date/time formatting
# can be seen here: http://docs.python.org/library/time.html#time.strftime
{{ get_config('log_datefmt', "'%H:%M:%S'") }}
{{ get_config('log_datefmt_logfile', "'%Y-%m-%d %H:%M:%S'") }}
# The format of the console logging messages. Allowed formatting options can
# be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
#
# Console log colors are specified by these additional formatters:
#
#   %(colorlevel)s
#   %(colorname)s
#   %(colorprocess)s
#   %(colormsg)s
#
# Since it is desirable to include the surrounding brackets, '[' and ']', in
# the coloring of the messages, these color formatters also include padding as
# well. Color LogRecord attributes are only available for console logging.
#
{{ get_config('log_fmt_console', "'%(colorlevel)s %(colormsg)s'") }}
{{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
{{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
# This can be used to control logging levels more specifically. This
# example sets the main salt library at the 'warning' level, but sets
# 'salt.modules' to log at the 'debug' level:
# log_granular_levels:
#   'salt': 'warning'
#   'salt.modules': 'debug'
#
{% if 'log_granular_levels' in cfg_master %}
log_granular_levels:
  {% for name, lvl in cfg_master['log_granular_levels'].items() %}
  {{ name }}: {{ lvl }}
  {% endfor %}
{% elif 'log_granular_levels' in cfg_salt %}
log_granular_levels:
  {% for name, lvl in cfg_salt['log_granular_levels'].items() %}
  {{ name }}: {{ lvl }}
  {% endfor %}
{% else %}
#log_granular_levels: {}
{% endif %}
##### Node Groups ######
##########################################
# Node groups allow for logical groupings of minion nodes. A group consists of a group
# name and a compound target.
#nodegroups:
#  group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
#  group2: 'G@os:Debian and foo.domain.com'
{%- if 'nodegroups' in cfg_master %}
nodegroups:
  {%- for name, lvl in cfg_master['nodegroups'].items() %}
  {{ name }}: {{ lvl }}
  {%- endfor %}
{%- elif 'nodegroups' in cfg_salt %}
nodegroups:
  {%- for name, lvl in cfg_salt['nodegroups'].items() %}
  {{ name }}: {{ lvl }}
  {%- endfor %}
{%- endif %}
##### Range Cluster settings #####
##########################################
# The range server (and optional port) that serves your cluster information
# https://github.com/ytoolshed/range/wiki/%22yamlfile%22-module-file-spec
#
{{ get_config('range_server', 'range:80') }}
##### Windows Software Repo settings #####
###########################################
# Specify the provider to be used for winrepo. Must be either pygit2 or
# gitpython. If unset, then both will be tried in that same order, and the
# first one with a compatible version installed will be the provider that
# is used.
{{ get_config('winrepo_provider', 'pygit2') }}
# Repo settings for 2015.8+ master used with 2015.8+ Windows minions
#
# Location of the repo on the master:
{{ get_config('winrepo_dir_ng', '/srv/salt/win/repo-ng') }}
# List of git repositories to include with the local repo:
{% if 'winrepo_remotes_ng' in cfg_master %}
winrepo_remotes_ng:
  {% for repo in cfg_master['winrepo_remotes_ng'] %}
  - {{ repo }}
  {% endfor %}
{% elif 'winrepo_remotes_ng' in cfg_salt %}
winrepo_remotes_ng:
  {% for repo in cfg_salt['winrepo_remotes_ng'] %}
  - {{ repo }}
  {% endfor %}
{% else %}
#winrepo_remotes_ng:
#  - 'https://github.com/saltstack/salt-winrepo-ng.git'
{% endif %}
# Repo settings for 2015.8+ master used with pre-2015.8 Windows minions
#
# Location of the repo on the master:
{{ get_config('winrepo_dir', '/srv/salt/win/repo') }}
# Location of the master's repo cache file:
{{ get_config('winrepo_cachefile', 'winrepo.p') }}
# List of git repositories to include with the local repo:
{% if 'winrepo_remotes' in cfg_master %}
winrepo_remotes:
  {% for repo in cfg_master['winrepo_remotes'] %}
  - {{ repo }}
  {% endfor %}
{% elif 'winrepo_remotes' in cfg_salt %}
winrepo_remotes:
  {% for repo in cfg_salt['winrepo_remotes'] %}
  - {{ repo }}
  {% endfor %}
{% else %}
#winrepo_remotes:
#  - 'https://github.com/saltstack/salt-winrepo.git'
{% endif %}
##### Windows Software Repo settings - Pre 2015.8 #####
########################################################
# Legacy repo settings for pre-2015.8 Windows minions.
#
# Location of the repo on the master:
{{ get_config('win_repo', '/srv/salt/win/repo') }}
# Location of the master's repo cache file:
{{ get_config('win_repo_mastercachefile', '/srv/salt/win/repo/winrepo.p') }}
# List of git repositories to include with the local repo:
{% if 'win_gitrepos' in cfg_master %}
win_gitrepos:
  {% for repo in cfg_master['win_gitrepos'] %}
  - {{ repo }}
  {% endfor %}
{% elif 'win_gitrepos' in cfg_salt %}
win_gitrepos:
  {% for repo in cfg_salt['win_gitrepos'] %}
  - {{ repo }}
  {% endfor %}
{% else %}
#win_gitrepos:
#  - 'https://github.com/saltstack/salt-winrepo.git'
{% endif %}
##### Returner settings ######
############################################
# Which returner(s) will be used for minion's result:
#return: mysql
{{ get_config('return', '') }}
###### Miscellaneous settings ######
############################################
# Default match type for filtering events tags: startswith, endswith, find, regex, fnmatch
{{ get_config('event_match_type', 'startswith') }}
{%- if 'halite' in cfg_master %}
##### Halite #####
##########################################
halite:
  {%- for name, value in cfg_master['halite'].items() %}
  {{ name }}: {{ value }}
  {%- endfor %}
{%- endif %}
{%- if 'rest_cherrypy' in cfg_master %}
##### rest_cherrypy #####
##########################################
rest_cherrypy:
  {%- for name, value in cfg_master['rest_cherrypy'].items() %}
  {{ name }}: {{ value }}
  {%- endfor %}
{%- endif %}
{%- if 'rest_tornado' in cfg_master %}
##### rest_tornado #####
###########################################
rest_tornado:
  {%- for name, value in cfg_master['rest_tornado'].items() %}
  {{ name }}: {{ value }}
  {%- endfor %}
{%- endif %}
{%- if 'presence_events' in cfg_master %}
##### presence events #####
##########################################
{{ get_config('presence_events', 'False') }}
{%- endif %}
{%- if 'consul_config' in cfg_master %}
##### consul_config #####
##########################################
consul_config:
  {%- for name, value in cfg_master['consul_config'].items() %}
  {{ name }}: {{ value }}
  {%- endfor %}
{%- endif %}
{% if 'mongo' in cfg_master -%}
##### mongodb connection settings #####
##########################################
{%- for name, value in cfg_master['mongo'].items() %}
mongo.{{ name }}: {{ value }}
{%- endfor %}
{% if 'alternative.mongo' in cfg_master -%}
{%- for name, value in cfg_master['alternative.mongo'].items() %}
alternative.mongo.{{ name }}: {{ value }}
{%- endfor %}
{% endif %}
{%- endif %}
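
The `mine_get` ACL from the Mine settings section, modelled in Python as an added example; it is not part of the formula or of Salt's code. It assumes each pattern is applied with start-anchored regular-expression matching (Python's `re.match`); `mine_get_allowed`, `decisions`, `STRICT_ACL` and the probe minion IDs are hypothetical names and constructed values.

```python
import re

# ACL from the commented example in the template.
PAGE_ACL = {
    "foo.example.com": ["network.interfaces"],
    "web.*": ["network.*", "disk.*"],
}

# Same intent, with literal dots escaped and an end anchor where an exact
# match is meant (constructed for this example).
STRICT_ACL = {
    r"foo\.example\.com$": [r"network\.interfaces$"],
    r"web.*": [r"network\..*", r"disk\..*"],
}

# Constructed probes: (minion id, mine function requested).
PROBES = [
    ("foo.example.com", "network.interfaces"),
    ("foo.example.com", "disk.usage"),
    ("web01", "disk.usage"),
    ("db01", "network.interfaces"),
    ("foo.example.com.lab.test", "network.interfaces"),
    ("fooXexampleXcom", "network.interfaces"),
]


def mine_get_allowed(acl, minion_id, fun):
    """Decide one mine.get request under an ACL (assumed re.match semantics)."""
    if acl is None:                 # option not set: no restriction
        return True
    if not isinstance(acl, dict):   # malformed ACL: deny
        return False
    perms = set()
    for id_pattern, funcs in acl.items():
        if isinstance(funcs, list) and re.match(id_pattern, minion_id):
            perms.update(funcs)
    return any(re.match(pattern, fun) for pattern in perms)


def decisions(acl):
    """Evaluate every probe against acl, in PROBES order."""
    return [mine_get_allowed(acl, m, f) for m, f in PROBES]


if __name__ == "__main__":
    rows = zip(PROBES, decisions(PAGE_ACL), decisions(STRICT_ACL))
    for (minion, fun), loose, strict in rows:
        print(f"{minion:26} {fun:20} page={loose!s:5} strict={strict}")
```

Under that assumption, the unescaped, unanchored patterns of the commented example also admit minion IDs that merely start with or resemble `foo.example.com`; the escaped, `$`-anchored form does not.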