|
|
|
|
|
|
|
|
{{ file_roots(cfg_salt['file_roots']) }} |
|
|
{{ file_roots(cfg_salt['file_roots']) }} |
|
|
{%- elif formulas|length -%} |
|
|
{%- elif formulas|length -%} |
|
|
{{ file_roots({'base': ['/srv/salt']}) }} |
|
|
{{ file_roots({'base': ['/srv/salt']}) }} |
|
|
|
|
|
{%- else -%} |
|
|
|
|
|
#file_roots: |
|
|
|
|
|
# base: |
|
|
|
|
|
# - /srv/salt |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# File Server Backend |
|
|
|
|
|
# |
|
|
|
|
|
# Salt supports a modular fileserver backend system, this system allows |
|
|
|
|
|
# the salt minion to link directly to third party systems to gather and |
|
|
|
|
|
# manage the files available to minions. Multiple backends can be |
|
|
|
|
|
# configured and will be searched for the requested file in the order in which |
|
|
|
|
|
# they are defined here. The default setting only enables the standard backend |
|
|
|
|
|
# "roots" which uses the "file_roots" option. |
|
|
|
|
|
#fileserver_backend: |
|
|
|
|
|
# - roots |
|
|
|
|
|
# |
|
|
|
|
|
# To use multiple backends list them in the order they are searched: |
|
|
|
|
|
#fileserver_backend: |
|
|
|
|
|
# - git |
|
|
|
|
|
# - roots |
|
|
|
|
|
{% if 'fileserver_backend' in cfg_minion -%} |
|
|
|
|
|
fileserver_backend: |
|
|
|
|
|
{%- for backend in cfg_minion['fileserver_backend'] %} |
|
|
|
|
|
- {{ backend }} |
|
|
|
|
|
{%- endfor -%} |
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
# By default, the Salt fileserver recurses fully into all defined environments |
|
|
# By default, the Salt fileserver recurses fully into all defined environments |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# gitfs provider |
|
|
# gitfs provider |
|
|
{{ get_config('gitfs_provider', 'pygit2') }} |
|
|
{{ get_config('gitfs_provider', 'pygit2') }} |
|
|
# gitfs remotes |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Along with gitfs_password, is used to authenticate to HTTPS remotes. |
|
|
|
|
|
{{ get_config('gitfs_user', 'git') }} |
|
|
|
|
|
|
|
|
|
|
|
# Along with gitfs_user, is used to authenticate to HTTPS remotes. |
|
|
|
|
|
# This parameter is not required if the repository does not use authentication. |
|
|
|
|
|
{{ get_config('gitfs_password', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. |
|
|
|
|
|
# This parameter enables authentication over HTTP. Enable this at your own risk. |
|
|
|
|
|
{{ get_config('gitfs_insecure_auth', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to |
|
|
|
|
|
# authenticate to SSH remotes. This parameter (or its per-remote counterpart) |
|
|
|
|
|
# is required for SSH remotes. |
|
|
|
|
|
{{ get_config('gitfs_pubkey', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to |
|
|
|
|
|
# authenticate to SSH remotes. This parameter (or its per-remote counterpart) |
|
|
|
|
|
# is required for SSH remotes. |
|
|
|
|
|
{{ get_config('gitfs_privkey', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# This parameter is optional, required only when the SSH key being used to |
|
|
|
|
|
# authenticate is protected by a passphrase. |
|
|
|
|
|
{{ get_config('gitfs_passphrase', '') }} |
|
|
|
|
|
# When using the git fileserver backend at least one git remote needs to be |
|
|
|
|
|
# defined. The user running the salt master will need read access to the repo. |
|
|
|
|
|
# |
|
|
|
|
|
# The repos will be searched in order to find the file requested by a client |
|
|
|
|
|
# and the first repo to have the file will return it. |
|
|
|
|
|
# When using the git backend branches and tags are translated into salt |
|
|
|
|
|
# environments. |
|
|
|
|
|
# Note: file:// repos will be treated as a remote, so refs you want used must |
|
|
|
|
|
# exist in that repo as *local* refs. |
|
|
{% if 'gitfs_remotes' in cfg_minion -%} |
|
|
{% if 'gitfs_remotes' in cfg_minion -%} |
|
|
gitfs_remotes: |
|
|
gitfs_remotes: |
|
|
{%- for remote in cfg_minion['gitfs_remotes'] %} |
|
|
{%- for remote in cfg_minion['gitfs_remotes'] %} |
|
|
|
|
|
|
|
|
{%- endif -%} |
|
|
{%- endif -%} |
|
|
{%- endfor -%} |
|
|
{%- endfor -%} |
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
# verify git ssl errors |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The gitfs_ssl_verify option specifies whether to ignore ssl certificate |
|
|
|
|
|
# errors when contacting the gitfs backend. You might want to set this to |
|
|
|
|
|
# false if you're using a git backend that uses a self-signed certificate but |
|
|
|
|
|
# keep in mind that setting this flag to anything other than the default of True |
|
|
|
|
|
# is a security concern, you may want to try using the ssh transport. |
|
|
{{ get_config('gitfs_ssl_verify', 'True') }} |
|
|
{{ get_config('gitfs_ssl_verify', 'True') }} |
|
|
# gitfs root dir |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The gitfs_root option gives the ability to serve files from a subdirectory |
|
|
|
|
|
# within the repository. The path is defined relative to the root of the |
|
|
|
|
|
# repository and defaults to the repository root. |
|
|
{{ get_config('gitfs_root', 'somefolder/otherfolder') }} |
|
|
{{ get_config('gitfs_root', 'somefolder/otherfolder') }} |
|
|
|
|
|
|
|
|
|
|
|
# The gitfs_env_whitelist and gitfs_env_blacklist parameters allow for greater |
|
|
|
|
|
# control over which branches/tags are exposed as fileserver environments. |
|
|
|
|
|
{% if 'gitfs_env_whitelist' in cfg_minion -%} |
|
|
|
|
|
gitfs_env_whitelist: |
|
|
|
|
|
{%- for git_env in cfg_minion['gitfs_env_whitelist'] %} |
|
|
|
|
|
- {{ git_env }} |
|
|
|
|
|
{%- endfor -%} |
|
|
|
|
|
{% else -%} |
|
|
|
|
|
# gitfs_env_whitelist: |
|
|
|
|
|
# - base |
|
|
|
|
|
# - v1.* |
|
|
|
|
|
{% endif %} |
|
|
|
|
|
|
|
|
|
|
|
{% if 'gitfs_env_blacklist' in cfg_minion -%} |
|
|
|
|
|
gitfs_env_blacklist: |
|
|
|
|
|
{%- for git_env in cfg_minion['gitfs_env_blacklist'] %} |
|
|
|
|
|
- {{ git_env }} |
|
|
|
|
|
{%- endfor -%} |
|
|
|
|
|
{% else -%} |
|
|
|
|
|
# gitfs_env_blacklist: |
|
|
|
|
|
# - bug/* |
|
|
|
|
|
# - feature/* |
|
|
|
|
|
{% endif %} |
|
|
|
|
|
|
|
|
|
|
|
##### Pillar settings ##### |
|
|
|
|
|
########################################## |
|
|
# The Salt pillar is searched for locally if file_client is set to local. If |
|
|
# The Salt pillar is searched for locally if file_client is set to local. If |
|
|
# this is the case, and pillar data is defined, then the pillar_roots need to |
|
|
# this is the case, and pillar data is defined, then the pillar_roots need to |
|
|
# also be configured on the minion: |
|
|
# also be configured on the minion: |
|
|
|
|
|
|
|
|
- {{ dir }} |
|
|
- {{ dir }} |
|
|
{%- endfor -%} |
|
|
{%- endfor -%} |
|
|
{%- endfor -%} |
|
|
{%- endfor -%} |
|
|
|
|
|
{%- else -%} |
|
|
|
|
|
#pillar_roots: |
|
|
|
|
|
# base: |
|
|
|
|
|
# - /srv/pillar |
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
|
|
|
{% if 'ext_pillar' in cfg_minion %} |
|
|
|
|
|
ext_pillar: |
|
|
|
|
|
{%- for pillar in cfg_minion['ext_pillar'] -%} |
|
|
|
|
|
{%- for key in pillar -%} |
|
|
|
|
|
{%- if pillar[key] is string %} |
|
|
|
|
|
- {{ key }}: {{ pillar[key] }} |
|
|
|
|
|
{%- elif pillar[key] is iterable and pillar[key] is not mapping %} |
|
|
|
|
|
- {{ key }}: |
|
|
|
|
|
{%- for parameter in pillar[key] %} |
|
|
|
|
|
- {{ parameter }} |
|
|
|
|
|
{%- endfor -%} |
|
|
|
|
|
{%- elif pillar[key] is mapping and pillar[key] is not string %} |
|
|
|
|
|
- {{ key }}: |
|
|
|
|
|
{%- for parameter in pillar[key] %} |
|
|
|
|
|
{{ parameter }}: {{pillar[key][parameter]}} |
|
|
|
|
|
{%- endfor %} |
|
|
|
|
|
{%- else %} |
|
|
|
|
|
# Error in rendering {{ key }}, please read https://docs.saltstack.com/en/latest/topics/development/external_pillars.html#configuration |
|
|
|
|
|
{% endif %} |
|
|
|
|
|
{%- endfor -%} |
|
|
|
|
|
{%- endfor %} |
|
|
|
|
|
{% elif 'ext_pillar' in cfg_salt %} |
|
|
|
|
|
ext_pillar: |
|
|
|
|
|
{% for pillar in cfg_salt['ext_pillar'] %} |
|
|
|
|
|
- {{ pillar.items()[0][0] }}: {{ pillar.items()[0][1] }} |
|
|
|
|
|
{% endfor %} |
|
|
|
|
|
{% else %} |
|
|
|
|
|
#ext_pillar: |
|
|
|
|
|
# - hiera: /etc/hiera.yaml |
|
|
|
|
|
# - cmd_yaml: cat /etc/salt/yaml |
|
|
|
|
|
{% endif %} |
|
|
|
|
|
|
|
|
|
|
|
# The ext_pillar_first option allows for external pillar sources to populate |
|
|
|
|
|
# before file system pillar. This allows for targeting file system pillar from |
|
|
|
|
|
# ext_pillar. |
|
|
|
|
|
{{ get_config('ext_pillar_first', 'False') }} |
|
|
|
|
|
|
|
|
|
|
|
# The pillar_gitfs_ssl_verify option specifies whether to ignore ssl certificate |
|
|
|
|
|
# errors when contacting the pillar gitfs backend. You might want to set this to |
|
|
|
|
|
# false if you're using a git backend that uses a self-signed certificate but |
|
|
|
|
|
# keep in mind that setting this flag to anything other than the default of True |
|
|
|
|
|
# is a security concern, you may want to try using the ssh transport. |
|
|
|
|
|
{{ get_config('pillar_gitfs_ssl_verify', 'True') }} |
|
|
|
|
|
|
|
|
|
|
|
# The pillar_opts option adds the master configuration file data to a dict in |
|
|
|
|
|
# the pillar called "master". This is used to set simple configurations in the |
|
|
|
|
|
# master config file that can then be used on minions. |
|
|
|
|
|
{{ get_config('pillar_opts', 'True') }} |
|
|
|
|
|
|
|
|
|
|
|
# The pillar_safe_render_error option prevents the master from passing pillar |
|
|
|
|
|
# render errors to the minion. This is set on by default because the error could |
|
|
|
|
|
# contain templating data which would give that minion information it shouldn't |
|
|
|
|
|
# have, like a password! When set true the error message will only show: |
|
|
|
|
|
# Rendering SLS 'my.sls' failed. Please see master log for details. |
|
|
|
|
|
{{ get_config('pillar_safe_render_error', 'True') }} |
|
|
|
|
|
|
|
|
|
|
|
# The pillar_source_merging_strategy option allows you to configure merging strategy |
|
|
|
|
|
# between different sources. It accepts four values: recurse, aggregate, overwrite, |
|
|
|
|
|
# or smart. Recurse will merge recursively mapping of data. Aggregate instructs |
|
|
|
|
|
# aggregation of elements between sources that use the #!yamlex renderer. Overwrite |
|
|
|
|
|
# will verwrite elements according the order in which they are processed. This is |
|
|
|
|
|
# behavior of the 2014.1 branch and earlier. Smart guesses the best strategy based |
|
|
|
|
|
# on the "renderer" setting and is the default value. |
|
|
|
|
|
{{ get_config('pillar_source_merging_strategy', 'smart') }} |
|
|
|
|
|
|
|
|
|
|
|
# Recursively merge lists by aggregating them instead of replacing them. |
|
|
|
|
|
{{ get_config('pillar_merge_lists', False) }} |
|
|
|
|
|
|
|
|
|
|
|
# Git External Pillar (git_pillar) Configuration Options |
|
|
|
|
|
# |
|
|
|
|
|
# Specify the provider to be used for git_pillar. Must be either pygit2 or |
|
|
|
|
|
# gitpython. If unset, then both will be tried in that same order, and the |
|
|
|
|
|
# first one with a compatible version installed will be the provider that |
|
|
|
|
|
# is used. |
|
|
|
|
|
{{ get_config('git_pillar_provider', 'pygit2') }} |
|
|
|
|
|
|
|
|
|
|
|
# If the desired branch matches this value, and the environment is omitted |
|
|
|
|
|
# from the git_pillar configuration, then the environment for that git_pillar |
|
|
|
|
|
# remote will be base. |
|
|
|
|
|
{{ get_config('git_pillar_base', 'master') }} |
|
|
|
|
|
|
|
|
|
|
|
# If the branch is omitted from a git_pillar remote, then this branch will |
|
|
|
|
|
# be used instead. |
|
|
|
|
|
{{ get_config('git_pillar_branch', 'master') }} |
|
|
|
|
|
|
|
|
|
|
|
# Environment to use for git_pillar remotes. This is normally derived from |
|
|
|
|
|
# the branch/tag (or from a per-remote env parameter), but if set this will |
|
|
|
|
|
# override the process of deriving the env from the branch/tag name. |
|
|
|
|
|
{{ get_config('git_pillar_env', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# Path relative to the root of the repository where the git_pillar top file |
|
|
|
|
|
# and SLS files are located. |
|
|
|
|
|
{{ get_config('git_pillar_root', 'pillar') }} |
|
|
|
|
|
|
|
|
|
|
|
# Specifies whether or not to ignore SSL certificate errors when contacting |
|
|
|
|
|
# the remote repository. |
|
|
|
|
|
{{ get_config('git_pillar_ssl_verify', True) }} |
|
|
|
|
|
|
|
|
|
|
|
# When set to False, if there is an update/checkout lock for a git_pillar |
|
|
|
|
|
# remote and the pid written to it is not running on the master, the lock |
|
|
|
|
|
# file will be automatically cleared and a new lock will be obtained. |
|
|
|
|
|
{{ get_config('git_pillar_global_lock', False) }} |
|
|
|
|
|
|
|
|
|
|
|
# Git External Pillar Authentication Options |
|
|
|
|
|
# |
|
|
|
|
|
# Along with git_pillar_password, is used to authenticate to HTTPS remotes. |
|
|
|
|
|
{{ get_config('git_pillar_user', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# Along with git_pillar_user, is used to authenticate to HTTPS remotes. |
|
|
|
|
|
# This parameter is not required if the repository does not use authentication. |
|
|
|
|
|
{{ get_config('git_pillar_password', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. |
|
|
|
|
|
# This parameter enables authentication over HTTP. |
|
|
|
|
|
{{ get_config('git_pillar_insecure_auth', False) }} |
|
|
|
|
|
|
|
|
|
|
|
# Along with git_pillar_privkey (and optionally git_pillar_passphrase), |
|
|
|
|
|
# is used to authenticate to SSH remotes. |
|
|
|
|
|
{{ get_config('git_pillar_pubkey', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# Along with git_pillar_pubkey (and optionally git_pillar_passphrase), |
|
|
|
|
|
# is used to authenticate to SSH remotes. |
|
|
|
|
|
{{ get_config('git_pillar_privkey', '') }} |
|
|
|
|
|
|
|
|
|
|
|
# This parameter is optional, required only when the SSH key being used |
|
|
|
|
|
# to authenticate is protected by a passphrase. |
|
|
|
|
|
{{ get_config('git_pillar_passphrase', '') }} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
###### Security settings ##### |
|
|
###### Security settings ##### |
|
|
########################################### |
|
|
########################################### |