Saltstack Official Salt Formula
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.

master 29KB

11 år sedan
11 år sedan
11 år sedan
11 år sedan
11 år sedan
11 år sedan
11 år sedan
11 år sedan
11 år sedan
11 år sedan
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805
  1. # This file managed by Salt, do not edit by hand!!
  2. # Based on salt version 0.17.4 default config
  3. {% set salt = pillar.get('salt', {}) -%}
  4. {% set master = salt.get('master', {}) -%}
  5. {%- macro get_config(configname, default_value) -%}
  6. {%- if configname in master -%}
  7. {{ configname }}: {{ master[configname] }}
  8. {%- elif configname in salt -%}
  9. {{ configname }}: {{ salt[configname] }}
  10. {%- else -%}
  11. #{{ configname }}: {{ default_value }}
  12. {%- endif -%}
  13. {%- endmacro -%}
  14. ##### Primary configuration settings #####
  15. ##########################################
  16. # This configuration file is used to manage the behavior of the Salt Master
  17. # Values that are commented out but have no space after the comment are
  18. # defaults that need not be set in the config. If there is a space after the
  19. # comment that the value is presented as an example and is not the default.
  20. # Per default, the master will automatically include all config files
  21. # from master.d/*.conf (master.d is a directory in the same directory
  22. # as the main master config file)
  23. {{ get_config('default_include', 'master.d/*.conf') }}
  24. # The address of the interface to bind to
  25. {{ get_config('interface', '0.0.0.0') }}
  26. # Whether the master should listen for IPv6 connections. If this is set to True,
  27. # the interface option must be adjusted too (for example: "interface: '::'")
  28. {{ get_config('ipv6', 'False') }}
  29. # The tcp port used by the publisher
  30. {{ get_config('publish_port', '4505') }}
  31. # The user to run the salt-master as. Salt will update all permissions to
  32. # allow the specified user to run the master. If the modified files cause
  33. # conflicts set verify_env to False.
  34. {{ get_config('user', 'root') }}
  35. # Max open files
  36. # Each minion connecting to the master uses AT LEAST one file descriptor, the
  37. # master subscription connection. If enough minions connect you might start
  38. # seeing on the console(and then salt-master crashes):
  39. # Too many open files (tcp_listener.cpp:335)
  40. # Aborted (core dumped)
  41. #
  42. # By default this value will be the one of `ulimit -Hn`, ie, the hard limit for
  43. # max open files.
  44. #
  45. # If you wish to set a different value than the default one, uncomment and
  46. # configure this setting. Remember that this value CANNOT be higher than the
  47. # hard limit. Raising the hard limit depends on your OS and/or distribution,
  48. # a good way to find the limit is to search the internet for(for example):
  49. # raise max open files hard limit debian
  50. #
  51. {{ get_config('max_open_files', '100000') }}
  52. # The number of worker threads to start, these threads are used to manage
  53. # return calls made from minions to the master, if the master seems to be
  54. # running slowly, increase the number of threads
  55. {{ get_config('worker_threads', '5') }}
  56. # The port used by the communication interface. The ret (return) port is the
  57. # interface used for the file server, authentication, job returnes, etc.
  58. {{ get_config('ret_port', '4506') }}
  59. # Specify the location of the daemon process ID file
  60. {{ get_config('pidfile', '/var/run/salt-master.pid') }}
  61. # The root directory prepended to these options: pki_dir, cachedir,
  62. # sock_dir, log_file, autosign_file, autoreject_file, extension_modules,
  63. # key_logfile, pidfile.
  64. {{ get_config('root_dir', '/') }}
  65. # Directory used to store public key data
  66. {{ get_config('pki_dir', '/etc/salt/pki/master') }}
  67. # Directory to store job and cache data
  68. {{ get_config('cachedir', '/var/cache/salt/master') }}
  69. # Verify and set permissions on configuration directories at startup
  70. {{ get_config('verify_env', 'True') }}
  71. # Set the number of hours to keep old job information in the job cache
  72. {{ get_config('keep_jobs', '24') }}
  73. # Set the default timeout for the salt command and api, the default is 5
  74. # seconds
  75. {{ get_config('timeout', '5') }}
  76. # The loop_interval option controls the seconds for the master's maintenance
  77. # process check cycle. This process updates file server backends, cleans the
  78. # job cache and executes the scheduler.
  79. {{ get_config('loop_interval', '60') }}
  80. # Set the default outputter used by the salt command. The default is "nested"
  81. {{ get_config('output', 'nested') }}
  82. # By default output is colored, to disable colored output set the color value
  83. # to False
  84. {{ get_config('color', 'True') }}
  85. # Set the directory used to hold unix sockets
  86. {{ get_config('sock_dir', '/var/run/salt/master') }}
  87. # The master can take a while to start up when lspci and/or dmidecode is used
  88. # to populate the grains for the master. Enable if you want to see GPU hardware
  89. # data for your master.
  90. #
  91. {{ get_config('enable_gpu_grains', 'False') }}
  92. # The master maintains a job cache, while this is a great addition it can be
  93. # a burden on the master for larger deployments (over 5000 minions).
  94. # Disabling the job cache will make previously executed jobs unavailable to
  95. # the jobs system and is not generally recommended.
  96. #
  97. {{ get_config('job_cache', 'True') }}
  98. # Cache minion grains and pillar data in the cachedir.
  99. {{ get_config('minion_data_cache', 'True') }}
  100. # The master can include configuration from other files. To enable this,
  101. # pass a list of paths to this option. The paths can be either relative or
  102. # absolute; if relative, they are considered to be relative to the directory
  103. # the main master configuration file lives in (this file). Paths can make use
  104. # of shell-style globbing. If no files are matched by a path passed to this
  105. # option then the master will log a warning message.
  106. #
  107. #
  108. # Include a config file from some other path:
  109. #include: /etc/salt/extra_config
  110. #
  111. # Include config from several files and directories:
  112. #include:
  113. # - /etc/salt/extra_config
  114. {{ get_config('include', '[]') }}
  115. ##### Security settings #####
  116. ##########################################
  117. # Enable "open mode", this mode still maintains encryption, but turns off
  118. # authentication, this is only intended for highly secure environments or for
  119. # the situation where your keys end up in a bad state. If you run in open mode
  120. # you do so at your own risk!
  121. {{ get_config('open_mode', 'False') }}
  122. # Enable auto_accept, this setting will automatically accept all incoming
  123. # public keys from the minions. Note that this is insecure.
  124. {{ get_config('auto_accept', 'False') }}
  125. # If the autosign_file is specified, incoming keys specified in the
  126. # autosign_file will be automatically accepted. This is insecure. Regular
  127. # expressions as well as globing lines are supported.
  128. {{ get_config('autosign_file', '/etc/salt/autosign.conf') }}
  129. # Works like autosign_file, but instead allows you to specify minion IDs for
  130. # which keys will automatically be rejected. Will override both membership in
  131. # the autosign_file and the auto_accept setting.
  132. {{ get_config('autoreject_file', '/etc/salt/autosign.conf') }}
  133. # Enable permissive access to the salt keys. This allows you to run the
  134. # master or minion as root, but have a non-root group be given access to
  135. # your pki_dir. To make the access explicit, root must belong to the group
  136. # you've given access to. This is potentially quite insecure.
  137. # If an autosign_file is specified, enabling permissive_pki_access will allow group access
  138. # to that specific file.
  139. {{ get_config('permissive_pki_access', 'False') }}
  140. # Allow users on the master access to execute specific commands on minions.
  141. # This setting should be treated with care since it opens up execution
  142. # capabilities to non root users. By default this capability is completely
  143. # disabled.
  144. #
  145. #client_acl:
  146. # larry:
  147. # - test.ping
  148. # - network.*
  149. #
  150. {{ get_config('client_acl', '{}') }}
  151. # Blacklist any of the following users or modules
  152. #
  153. # This example would blacklist all non sudo users, including root from
  154. # running any commands. It would also blacklist any use of the "cmd"
  155. # module.
  156. # This is completely disabled by default.
  157. #
  158. {% if 'client_acl_blacklist' in master -%}
  159. client_acl_blacklist:
  160. users:
  161. {% for user in master['client_acl_blacklist'].get('users', []) -%}
  162. - {{ user }}
  163. {% endfor -%}
  164. modules:
  165. {% for mod in master['client_acl_blacklist'].get('modules', []) -%}
  166. - {{ mod }}
  167. {% endfor -%}
  168. {% elif 'client_acl_blacklist' in salt -%}
  169. client_acl_blacklist:
  170. users:
  171. {% for user in salt['client_acl_blacklist'].get('users', []) -%}
  172. - {{ user }}
  173. {% endfor -%}
  174. modules:
  175. {% for mod in salt['client_acl_blacklist'].get('modules', []) -%}
  176. - {{ mod }}
  177. {% endfor -%}
  178. {% else -%}
  179. #client_acl_blacklist:
  180. # users:
  181. # - root
  182. # - '^(?!sudo_).*$' # all non sudo users
  183. # modules:
  184. # - cmd
  185. {%- endif %}
  186. # The external auth system uses the Salt auth modules to authenticate and
  187. # validate users to access areas of the Salt system.
  188. #
  189. #external_auth:
  190. # pam:
  191. # fred:
  192. # - test.*
  193. #
  194. {{ get_config('external_auth', '{}') }}
  195. # Time (in seconds) for a newly generated token to live. Default: 12 hours
  196. {{ get_config('token_expire', '43200') }}
  197. # Allow minions to push files to the master. This is disabled by default, for
  198. # security purposes.
  199. {{ get_config('file_recv', 'False') }}
  200. # Set a hard-limit on the size of the files that can be pushed to the master.
  201. # It will be interpreted as megabytes.
  202. # Default: 100
  203. {{ get_config('file_recv_max_size', '100') }}
  204. # Signature verification on messages published from the master.
  205. # This causes the master to cryptographically sign all messages published to its event
  206. # bus, and minions then verify that signature before acting on the message.
  207. #
  208. # This is False by default.
  209. #
  210. # Note that to facilitate interoperability with masters and minions that are different
  211. # versions, if sign_pub_messages is True but a message is received by a minion with
  212. # no signature, it will still be accepted, and a warning message will be logged.
  213. # Conversely, if sign_pub_messages is False, but a minion receives a signed
  214. # message it will be accepted, the signature will not be checked, and a warning message
  215. # will be logged. This behavior will go away in Salt 0.17.6 (or Hydrogen RC1, whichever
  216. # comes first) and these two situations will cause minion to throw an exception and
  217. # drop the message.
  218. #
  219. {{ get_config('sign_pub_message', 'False') }}
  220. ##### Master Module Management #####
  221. ##########################################
  222. # Manage how master side modules are loaded
  223. # Add any additional locations to look for master runners
  224. {{ get_config('runner_dirs', '[]') }}
  225. # Enable Cython for master side modules
  226. {{ get_config('cython_enable', 'False') }}
  227. ##### State System settings #####
  228. ##########################################
  229. # The state system uses a "top" file to tell the minions what environment to
  230. # use and what modules to use. The state_top file is defined relative to the
  231. # root of the base environment as defined in "File Server settings" below.
  232. {{ get_config('state_top', 'top.sls') }}
  233. # The master_tops option replaces the external_nodes option by creating
  234. # a plugable system for the generation of external top data. The external_nodes
  235. # option is deprecated by the master_tops option.
  236. # To gain the capabilities of the classic external_nodes system, use the
  237. # following configuration:
  238. # master_tops:
  239. # ext_nodes: <Shell command which returns yaml>
  240. #
  241. {{ get_config('master_tops', '{}') }}
  242. # The external_nodes option allows Salt to gather data that would normally be
  243. # placed in a top file. The external_nodes option is the executable that will
  244. # return the ENC data. Remember that Salt will look for external nodes AND top
  245. # files and combine the results if both are enabled!
  246. {{ get_config('external_nodes', 'None') }}
  247. # The renderer to use on the minions to render the state data
  248. {{ get_config('renderer', 'yaml_jinja') }}
  249. # The Jinja renderer can strip extra carriage returns and whitespace
  250. # See http://jinja.pocoo.org/docs/api/#high-level-api
  251. #
  252. # If this is set to True the first newline after a Jinja block is removed
  253. # (block, not variable tag!). Defaults to False, corresponds to the Jinja
  254. # environment init variable "trim_blocks".
  255. {{ get_config('jinja_trim_blocks', 'False') }}
  256. #
  257. # If this is set to True leading spaces and tabs are stripped from the start
  258. # of a line to a block. Defaults to False, corresponds to the Jinja
  259. # environment init variable "lstrip_blocks".
  260. {{ get_config('jinja_lstrip_blocks', 'False') }}
  261. # The failhard option tells the minions to stop immediately after the first
  262. # failure detected in the state execution, defaults to False
  263. {{ get_config('failhard', 'False') }}
  264. # The state_verbose and state_output settings can be used to change the way
  265. # state system data is printed to the display. By default all data is printed.
  266. # The state_verbose setting can be set to True or False, when set to False
  267. # all data that has a result of True and no changes will be suppressed.
  268. {{ get_config('state_verbose', 'True') }}
  269. # The state_output setting changes if the output is the full multi line
  270. # output for each changed state if set to 'full', but if set to 'terse'
  271. # the output will be shortened to a single line. If set to 'mixed', the output
  272. # will be terse unless a state failed, in which case that output will be full.
  273. {{ get_config('state_output', 'full') }}
  274. ##### File Server settings #####
  275. ##########################################
  276. # Salt runs a lightweight file server written in zeromq to deliver files to
  277. # minions. This file server is built into the master daemon and does not
  278. # require a dedicated port.
  279. # The file server works on environments passed to the master, each environment
  280. # can have multiple root directories, the subdirectories in the multiple file
  281. # roots cannot match, otherwise the downloaded files will not be able to be
  282. # reliably ensured. A base environment is required to house the top file.
  283. # Example:
  284. # file_roots:
  285. # base:
  286. # - /srv/salt/
  287. # dev:
  288. # - /srv/salt/dev/services
  289. # - /srv/salt/dev/states
  290. # prod:
  291. # - /srv/salt/prod/services
  292. # - /srv/salt/prod/states
  293. {% if 'file_roots' in master -%}
  294. file_roots:
  295. {%- for name, roots in master['file_roots']|dictsort %}
  296. {{ name }}:
  297. {%- for dir in roots %}
  298. - {{ dir }}
  299. {%- endfor -%}
  300. {%- endfor -%}
  301. {% elif 'file_roots' in salt -%}
  302. file_roots:
  303. {%- for name, roots in salt['file_roots']|dictsort %}
  304. {{ name }}:
  305. {%- for dir in roots %}
  306. - {{ dir }}
  307. {%- endfor -%}
  308. {%- endfor -%}
  309. {% else -%}
  310. #file_roots:
  311. # base:
  312. # - /srv/salt
  313. {%- endif %}
  314. # The hash_type is the hash to use when discovering the hash of a file on
  315. # the master server. The default is md5, but sha1, sha224, sha256, sha384
  316. # and sha512 are also supported.
  317. {{ get_config('hash_type', 'md5') }}
  318. # The buffer size in the file server can be adjusted here:
  319. {{ get_config('file_buffer_size', '1048576') }}
  320. # A regular expression (or a list of expressions) that will be matched
  321. # against the file path before syncing the modules and states to the minions.
  322. # This includes files affected by the file.recurse state.
  323. # For example, if you manage your custom modules and states in subversion
  324. # and don't want all the '.svn' folders and content synced to your minions,
  325. # you could set this to '/\.svn($|/)'. By default nothing is ignored.
  326. {% if 'file_ignore_regex' in master -%}
  327. file_ignore_regex:
  328. {% for regex in master['file_ignore_regex'] -%}
  329. - {{ regex }}
  330. {% endfor -%}
  331. {% elif 'file_ignore_regex' in salt -%}
  332. file_ignore_regex:
  333. {% for regex in salt['file_ignore_regex'] -%}
  334. - {{ regex }}
  335. {% endfor -%}
  336. {% else -%}
  337. #file_ignore_regex:
  338. # - '/\.svn($|/)'
  339. # - '/\.git($|/)'
  340. {%- endif %}
  341. # A file glob (or list of file globs) that will be matched against the file
  342. # path before syncing the modules and states to the minions. This is similar
  343. # to file_ignore_regex above, but works on globs instead of regex. By default
  344. # nothing is ignored.
  345. {% if 'file_ignore_glob' in master -%}
  346. file_ignore_glob:
  347. {% for glob in master['file_ignore_glob'] -%}
  348. - {{ glob }}
  349. {% endfor -%}
  350. {% elif 'file_ignore_glob' in salt -%}
  351. file_ignore_glob:
  352. {% for glob in salt['file_ignore_glob'] -%}
  353. - {{ glob }}
  354. {% endfor -%}
  355. {% else -%}
  356. # file_ignore_glob:
  357. # - '*.pyc'
  358. # - '*/somefolder/*.bak'
  359. # - '*.swp'
  360. {%- endif %}
  361. # File Server Backend
  362. # Salt supports a modular fileserver backend system, this system allows
  363. # the salt master to link directly to third party systems to gather and
  364. # manage the files available to minions. Multiple backends can be
  365. # configured and will be searched for the requested file in the order in which
  366. # they are defined here. The default setting only enables the standard backend
  367. # "roots" which uses the "file_roots" option.
  368. #
  369. #fileserver_backend:
  370. # - roots
  371. #
  372. # To use multiple backends list them in the order they are searched:
  373. #
  374. #fileserver_backend:
  375. # - git
  376. # - roots
  377. {% if 'fileserver_backend' in master -%}
  378. fileserver_backend:
  379. {%- for backend in master['fileserver_backend'] %}
  380. - {{ backend }}
  381. {% endfor -%}
  382. {% endif %}
  383. #
  384. # Uncomment the line below if you do not want the file_server to follow
  385. # symlinks when walking the filesystem tree. This is set to True
  386. # by default. Currently this only applies to the default roots
  387. # fileserver_backend.
  388. #
  389. {{ get_config('fileserver_followsymlinks', 'False') }}
  390. #
  391. # Uncomment the line below if you do not want symlinks to be
  392. # treated as the files they are pointing to. By default this is set to
  393. # False. By uncommenting the line below, any detected symlink while listing
  394. # files on the Master will not be returned to the Minion.
  395. #
  396. {{ get_config('fileserver_ignoresymlinks', 'True') }}
  397. #
  398. # By default, the Salt fileserver recurses fully into all defined environments
  399. # to attempt to find files. To limit this behavior so that the fileserver only
  400. # traverses directories with SLS files and special Salt directories like _modules,
  401. # enable the option below. This might be useful for installations where a file root
  402. # has a very large number of files and performance is impacted. Default is False.
  403. #
  404. {{ get_config('fileserver_limit_traversal', 'False') }}
  405. #
  406. # The fileserver can fire events off every time the fileserver is updated,
  407. # these are disabled by default, but can be easily turned on by setting this
  408. # flag to True
  409. {{ get_config('fileserver_events', 'False') }}
  410. #
  411. # Git fileserver backend configuration
  412. #
  413. # Gitfs can be provided by one of two python modules: GitPython or pygit2. If
  414. # using pygit2, both libgit2 and git must also be installed.
  415. {{ get_config('gitfs_provider', 'gitpython') }}
  416. #
  417. # When using the git fileserver backend at least one git remote needs to be
  418. # defined. The user running the salt master will need read access to the repo.
  419. #
  420. # The repos will be searched in order to find the file requested by a client
  421. # and the first repo to have the file will return it.
  422. # When using the git backend branches and tags are translated into salt
  423. # environments.
  424. # Note: file:// repos will be treated as a remote, so refs you want used must
  425. # exist in that repo as *local* refs.
  426. {% if 'gitfs_remotes' in master -%}
  427. gitfs_remotes:
  428. {%- for remote in master['gitfs_remotes'] %}
  429. - {{ remote }}{% endfor -%}
  430. {%- endif %}
  431. #
  432. #gitfs_remotes:
  433. # - git://github.com/saltstack/salt-states.git
  434. # - file:///var/git/saltmaster
  435. #
  436. # The gitfs_ssl_verify option specifies whether to ignore ssl certificate
  437. # errors when contacting the gitfs backend. You might want to set this to
  438. # false if you're using a git backend that uses a self-signed certificate but
  439. # keep in mind that setting this flag to anything other than the default of True
  440. # is a security concern, you may want to try using the ssh transport.
  441. {{ get_config('gitfs_ssl_verify', 'True') }}
  442. #
  443. #
  444. # The gitfs_root option gives the ability to serve files from a subdirectory
  445. # within the repository. The path is defined relative to the root of the
  446. # repository and defaults to the repository root.
  447. {{ get_config('gitfs_root', 'somefolder/otherfolder') }}
  448. ##### Pillar settings #####
  449. ##########################################
  450. # Salt Pillars allow for the building of global data that can be made selectively
  451. # available to different minions based on minion grain filtering. The Salt
  452. # Pillar is laid out in the same fashion as the file server, with environments,
  453. # a top file and sls files. However, pillar data does not need to be in the
  454. # highstate format, and is generally just key/value pairs.
  455. {% if 'pillar_roots' in master -%}
  456. pillar_roots:
  457. {%- for name, roots in master['pillar_roots']|dictsort %}
  458. {{ name }}:
  459. {%- for dir in roots %}
  460. - {{ dir }}
  461. {%- endfor -%}
  462. {%- endfor -%}
  463. {% elif 'pillar_roots' in salt -%}
  464. pillar_roots:
  465. {%- for name, roots in salt['pillar_roots'].items() -%}
  466. {{ name }}:
  467. {%- for dir in roots -%}
  468. - {{ dir }}
  469. {%- endfor -%}
  470. {%- endfor -%}
  471. {% else %}
  472. #pillar_roots:
  473. # base:
  474. # - /srv/pillar
  475. {%- endif %}
  476. {% if 'ext_pillar' in master -%}
  477. ext_pillar:
  478. {% for pillar in master['ext_pillar'] %}
  479. - {{ pillar.items()[0][0] }}: {{ pillar.items()[0][1] }}
  480. {% endfor -%}
  481. {% elif 'ext_pillar' in salt -%}
  482. ext_pillar:
  483. {% for pillar in salt['ext_pillar'] %}
  484. - {{ pillar.items()[0][0] }}: {{ pillar.items()[0][1] }}
  485. {% endfor -%}
  486. {% else %}
  487. #ext_pillar:
  488. # - hiera: /etc/hiera.yaml
  489. # - cmd_yaml: cat /etc/salt/yaml
  490. {%- endif %}
  491. # The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate
  492. # errors when contacting the pillar gitfs backend. You might want to set this to
  493. # false if you're using a git backend that uses a self-signed certificate but
  494. # keep in mind that setting this flag to anything other than the default of True
  495. # is a security concern, you may want to try using the ssh transport.
  496. {{ get_config('pillar_gitfs_ssl_verify', 'True') }}
  497. # The pillar_opts option adds the master configuration file data to a dict in
  498. # the pillar called "master". This is used to set simple configurations in the
  499. # master config file that can then be used on minions.
  500. {{ get_config('pillar_opts', 'True') }}
  501. ##### Syndic settings #####
  502. ##########################################
  503. # The Salt syndic is used to pass commands through a master from a higher
  504. # master. Using the syndic is simple, if this is a master that will have
  505. # syndic servers(s) below it set the "order_masters" setting to True, if this
  506. # is a master that will be running a syndic daemon for passthrough the
  507. # "syndic_master" setting needs to be set to the location of the master server
  508. # to receive commands from.
  509. # Set the order_masters setting to True if this master will command lower
  510. # masters' syndic interfaces.
  511. {{ get_config('order_masters', 'False') }}
  512. # If this master will be running a salt syndic daemon, syndic_master tells
  513. # this master where to receive commands from.
  514. {{ get_config('syndic_master', 'masterofmaster') }}
  515. # This is the 'ret_port' of the MasterOfMaster
  516. {{ get_config('syndic_master_port', '4506') }}
  517. # PID file of the syndic daemon
  518. {{ get_config('syndic_pidfile', '/var/run/salt-syndic.pid') }}
  519. # LOG file of the syndic daemon
  520. {{ get_config('syndic_log_file', 'syndic.log') }}
  521. ##### Peer Publish settings #####
  522. ##########################################
  523. # Salt minions can send commands to other minions, but only if the minion is
  524. # allowed to. By default "Peer Publication" is disabled, and when enabled it
  525. # is enabled for specific minions and specific commands. This allows secure
  526. # compartmentalization of commands based on individual minions.
  527. # The configuration uses regular expressions to match minions and then a list
  528. # of regular expressions to match functions. The following will allow the
  529. # minion authenticated as foo.example.com to execute functions from the test
  530. # and pkg modules.
  531. #
  532. #peer:
  533. # foo.example.com:
  534. # - test.*
  535. # - pkg.*
  536. #
  537. # This will allow all minions to execute all commands:
  538. #
  539. #peer:
  540. # .*:
  541. # - .*
  542. #
  543. # This is not recommended, since it would allow anyone who gets root on any
  544. # single minion to instantly have root on all of the minions!
  545. {% if 'peer' in master -%}
  546. peer:
  547. {% for name, roots in master['peer'].items() -%}
  548. {{ name }}:
  549. {% for mod in roots -%}
  550. - {{ mod }}
  551. {% endfor -%}
  552. {% endfor -%}
  553. {% elif 'peer' in salt -%}
  554. peer:
  555. {% for name, roots in salt['peer'].items() -%}
  556. {{ name }}:
  557. {% for mod in roots -%}
  558. - {{ mod }}
  559. {% endfor -%}
  560. {% endfor -%}
  561. {% endif -%}
  562. # Minions can also be allowed to execute runners from the salt master.
  563. # Since executing a runner from the minion could be considered a security risk,
  564. # it needs to be enabled. This setting functions just like the peer setting
  565. # except that it opens up runners instead of module functions.
  566. #
  567. # All peer runner support is turned off by default and must be enabled before
  568. # using. This will enable all peer runners for all minions:
  569. #
  570. #peer_run:
  571. # .*:
  572. # - .*
  573. #
  574. # To enable just the manage.up runner for the minion foo.example.com:
  575. #
  576. #peer_run:
  577. # foo.example.com:
  578. # - manage.up
  579. {% if 'peer_run' in master -%}
  580. peer_run:
  581. {% for name, roots in master['peer_run'].items() -%}
  582. {{ name }}:
  583. {% for mod in roots -%}
  584. - {{ mod }}
  585. {% endfor -%}
  586. {% endfor -%}
  587. {% elif 'peer_run' in salt -%}
  588. peer_run:
  589. {% for name, roots in salt['peer_run'].items() -%}
  590. {{ name }}:
  591. {% for mod in roots -%}
  592. - {{ mod }}
  593. {% endfor -%}
  594. {% endfor -%}
  595. {% endif -%}
  596. ##### Mine settings #####
  597. ##########################################
  598. # Restrict mine.get access from minions. By default any minion has a full access
  599. # to get all mine data from master cache. In acl definion below, only pcre matches
  600. # are allowed.
  601. #
  602. # mine_get:
  603. # .*:
  604. # - .*
  605. #
  606. # Example below enables minion foo.example.com to get 'network.interfaces' mine data only
  607. # , minions web* to get all network.* and disk.* mine data and all other minions won't get
  608. # any mine data.
  609. #
  610. # mine_get:
  611. # foo.example.com:
  612. # - network.inetrfaces
  613. # web.*:
  614. # - network.*
  615. # - disk.*
  616. ##### Logging settings #####
  617. ##########################################
  618. # The location of the master log file
  619. # The master log can be sent to a regular file, local path name, or network
  620. # location. Remote logging works best when configured to use rsyslogd(8) (e.g.:
  621. # ``file:///dev/log``), with rsyslogd(8) configured for network logging. The URI
  622. # format is: <file|udp|tcp>://<host|socketpath>:<port-if-required>/<log-facility>
  623. #log_file: /var/log/salt/master
  624. #log_file: file:///dev/log
  625. #log_file: udp://loghost:10514
  626. {{ get_config('log_file', '/var/log/salt/master') }}
  627. {{ get_config('key_logfile', '/var/log/salt/key') }}
  628. # The level of messages to send to the console.
  629. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
  630. {{ get_config('log_level', 'warning') }}
  631. # The level of messages to send to the log file.
  632. # One of 'garbage', 'trace', 'debug', info', 'warning', 'error', 'critical'.
  633. {{ get_config('log_level_logfile', 'warning') }}
  634. # The date and time format used in log messages. Allowed date/time formating
  635. # can be seen here: http://docs.python.org/library/time.html#time.strftime
  636. {{ get_config('log_datefmt', "'%H:%M:%S'") }}
  637. {{ get_config('log_datefmt_logfile', "'%Y-%m-%d %H:%M:%S'") }}
  638. # The format of the console logging messages. Allowed formatting options can
  639. # be seen here: http://docs.python.org/library/logging.html#logrecord-attributes
  640. {{ get_config('log_fmt_console', "'[%(levelname)-8s] %(message)s'") }}
  641. {{ get_config('log_fmt_logfile', "'%(asctime)s,%(msecs)03.0f [%(name)-17s][%(levelname)-8s] %(message)s'") }}
  642. # This can be used to control logging levels more specificically. This
  643. # example sets the main salt library at the 'warning' level, but sets
  644. # 'salt.modules' to log at the 'debug' level:
  645. # log_granular_levels:
  646. # 'salt': 'warning',
  647. # 'salt.modules': 'debug'
  648. #
  649. {% if 'log_granular_levels' in master %}
  650. log_granular_levels:
  651. {% for name, lvl in master['log_granular_levels'] %}
  652. {{ name }}: {{ lvl }}
  653. {% endfor -%}
  654. {% elif 'log_granular_levels' in salt %}
  655. log_granular_levels:
  656. {% for name, lvl in salt['log_granular_levels'] %}
  657. {{ name }}: {{ lvl }}
  658. {% endfor -%}
  659. {% else %}
  660. #log_granular_levels: {}
  661. {% endif %}
  662. ##### Node Groups #####
  663. ##########################################
  664. # Node groups allow for logical groupings of minion nodes.
  665. # A group consists of a group name and a compound target.
  666. #
  667. #nodegroups:
  668. # group1: 'L@foo.domain.com,bar.domain.com,baz.domain.com and bl*.domain.com'
  669. # group2: 'G@os:Debian and foo.domain.com'
  670. {% if 'nodegroups' in master %}
  671. nodegroups:
  672. {% for name, lvl in master['nodegroups'] %}
  673. {{ name }}: {{ lvl }}
  674. {% endfor -%}
  675. {% elif 'nodegroups' in salt %}
  676. nodegroups:
  677. {% for name, lvl in salt['nodegroups'] %}
  678. {{ name }}: {{ lvl }}
  679. {% endfor -%}
  680. {% endif %}
  681. ##### Range Cluster settings #####
  682. ##########################################
  683. # The range server (and optional port) that serves your cluster information
  684. # https://github.com/grierj/range/wiki/Introduction-to-Range-with-YAML-files
  685. #
  686. {{ get_config('range_server', 'range:80') }}
  687. ##### Windows Software Repo settings #####
  688. ##############################################
  689. # Location of the repo on the master
  690. {{ get_config('win_repo', '/srv/salt/win/repo') }}
  691. # Location of the master's repo cache file
  692. {{ get_config('win_repo_mastercachefile', '/srv/salt/win/repo/winrepo.p') }}
  693. # List of git repositories to include with the local repo
  694. {% if 'win_gitrepos' in master %}
  695. win_gitrepos:
  696. {% for repo in master['win_gitrepos'] %}
  697. - {{ repo }}
  698. {% endfor -%}
  699. {% elif 'win_gitrepos' in salt %}
  700. win_gitrepos:
  701. {% for repo in salt['win_gitrepos'] %}
  702. - {{ repo }}
  703. {% endfor -%}
  704. {% else %}
  705. #win_gitrepos:
  706. # - 'https://github.com/saltstack/salt-winrepo.git'
  707. {% endif %}
  708. {% if 'halite' in master -%}
  709. ##### Halite #####
  710. ##########################################
  711. halite:
  712. {%- for name, value in master['halite'].iteritems() %}
  713. {{ name }}: {{ value }}
  714. {%- endfor %}
  715. {%- endif %}