@@ -59,7 +59,7 @@ |
|
|
|
|
|
|
|
# Directory to store job and cache data: |
|
|
|
# This directory may contain sensitive data and should be protected accordingly. |
|
|
|
# |
|
|
|
# |
|
|
|
{{ get_config('cachedir', '/var/cache/salt/master') }} |
|
|
|
|
|
|
|
# Directory for custom modules. This directory can contain subdirectories for |
|
|
@@ -133,7 +133,7 @@ module_dirs: |
|
|
|
{{ get_config('minion_data_cache', 'True') }} |
|
|
|
|
|
|
|
# Store all returns in the given returner. |
|
|
|
# Setting this option requires that any returner-specific configuration also |
|
|
|
# Setting this option requires that any returner-specific configuration also |
|
|
|
# be set. See various returners in salt/returners for details on required |
|
|
|
# configuration values. (See also, event_return_queue below.) |
|
|
|
{{ get_config('event_return', 'mysql') }} |
|
|
@@ -195,12 +195,12 @@ event_return_blacklist: |
|
|
|
# the key rotation event as minions reconnect. Consider this carefully if this |
|
|
|
# salt master is managing a large number of minions. |
|
|
|
# |
|
|
|
# If disabled, it is recommended to handle this event by listening for the |
|
|
|
# If disabled, it is recommended to handle this event by listening for the |
|
|
|
# 'aes_key_rotate' event with the 'key' tag and acting appropriately. |
|
|
|
{{ get_config('ping_on_rotate', 'False') }} |
|
|
|
|
|
|
|
# By default, the master deletes its cache of minion data when the key for that |
|
|
|
# minion is removed. To preserve the cache after key deletion, set |
|
|
|
# minion is removed. To preserve the cache after key deletion, set |
|
|
|
# 'preserve_minion_cache' to True. |
|
|
|
# |
|
|
|
# WARNING: This may have security implications if compromised minions auth with |
|
|
@@ -379,7 +379,7 @@ client_acl_blacklist: |
|
|
|
{% endif %} |
|
|
|
|
|
|
|
# Enforce client_acl & client_acl_blacklist when users have sudo |
|
|
|
# access to the salt command. |
|
|
|
# access to the salt command. |
|
|
|
{{ get_config('sudo_acl', 'False') }} |
|
|
|
|
|
|
|
# The external auth system uses the Salt auth modules to authenticate and |
|
|
@@ -416,7 +416,7 @@ client_acl_blacklist: |
|
|
|
# will cause minion to throw an exception and drop the message. |
|
|
|
{{ get_config('sign_pub_message', 'False') }} |
|
|
|
|
|
|
|
# Sign the master auth-replies with a cryptographic signature of the masters public key. |
|
|
|
# Sign the master auth-replies with a cryptographic signature of the masters public key. |
|
|
|
# Please see the tutorial how to use these settings in the Multimaster-PKI with Failover Tutorial |
|
|
|
{{ get_config('master_sign_pubkey', 'False') }} |
|
|
|
|
|
|
@@ -424,18 +424,18 @@ client_acl_blacklist: |
|
|
|
# master_sign_key_name: <filename_without_suffix> |
|
|
|
{{ get_config('master_sign', '{}') }} |
|
|
|
|
|
|
|
# The name of the file in the masters pki-directory that holds the pre-calculated |
|
|
|
# The name of the file in the masters pki-directory that holds the pre-calculated |
|
|
|
# signature of the masters public-key. |
|
|
|
# master_pubkey_signature: <filename> |
|
|
|
{{ get_config('master_pubkey_signature', '{}') }} |
|
|
|
|
|
|
|
# Instead of computing the signature for each auth-reply, use a pre-calculated signature. |
|
|
|
# Instead of computing the signature for each auth-reply, use a pre-calculated signature. |
|
|
|
# The master_pubkey_signature must also be set for this. |
|
|
|
{{ get_config('master_use_pubkey_signature', 'False') }} |
|
|
|
|
|
|
|
# Rotate the salt-masters AES-key when a minion-public is deleted with salt-key. |
|
|
|
# This is a very important security-setting. Disabling it will enable deleted minions to still |
|
|
|
# listen in on the messages published by the salt-master. |
|
|
|
# Rotate the salt-masters AES-key when a minion-public is deleted with salt-key. |
|
|
|
# This is a very important security-setting. Disabling it will enable deleted minions to still |
|
|
|
# listen in on the messages published by the salt-master. |
|
|
|
# Do not disable this unless it is absolutely clear what this does. |
|
|
|
{{ get_config('rotate_aes_key', 'True') }} |
|
|
|
|
|
|
@@ -453,16 +453,16 @@ client_acl_blacklist: |
|
|
|
# The base DN under which users can be found in LDAP |
|
|
|
{{ get_config('auth.ldap.basedn', '') }} |
|
|
|
|
|
|
|
# The user Salt authenticates to search for a users' Distinguished Name and |
|
|
|
# The user Salt authenticates to search for a users' Distinguished Name and |
|
|
|
# group membership. |
|
|
|
{{ get_config('auth.ldap.binddn', '') }} |
|
|
|
|
|
|
|
# The bind password to go along with the bind dn (binddn). |
|
|
|
# The bind password to go along with the bind dn (binddn). |
|
|
|
{{ get_config('auth.ldap.bindpw', '') }} |
|
|
|
|
|
|
|
# The filter used to find the DN associated with a user. For most LDAPs use |
|
|
|
# the value {% raw %}'uid={{ username }}'{% endraw %}. For Active Directory use the value |
|
|
|
# {% raw %}'sAMAccountName={{username}}'{% endraw %}. |
|
|
|
# the value {% raw %}'uid={{ username }}'{% endraw %}. For Active Directory use the value |
|
|
|
# {% raw %}'sAMAccountName={{username}}'{% endraw %}. |
|
|
|
{{ get_config('auth.ldap.filter', '') }} |
|
|
|
|
|
|
|
# The attribute used for user group membership. Defaults to 'memberOf' |
|
|
@@ -475,7 +475,7 @@ client_acl_blacklist: |
|
|
|
# Default value: 'Groups' |
|
|
|
{{ get_config('auth.ldap.groupou', 'Groups') }} |
|
|
|
|
|
|
|
# Allows the administrator to strip off a certain set of domain names |
|
|
|
# Allows the administrator to strip off a certain set of domain names |
|
|
|
# so the hostnames looked up in the directory service can match the minion IDs. |
|
|
|
{{ get_config('auth.ldap.minion_stripdomains', []) }} |
|
|
|
|
|
|
@@ -646,7 +646,7 @@ master_tops: |
|
|
|
# When using multiple environments, each with their own top file, the |
|
|
|
# default behaviour is an unordered merge. To prevent top files from |
|
|
|
# being merged together and instead to only use the top file from the |
|
|
|
# requested environment, set this value to 'same'. |
|
|
|
# requested environment, set this value to 'same'. |
|
|
|
{{ get_config('top_file_merging_stragety', 'merge') }} |
|
|
|
|
|
|
|
# To specify the order in which environments are merged, set the ordering |
|
|
@@ -663,7 +663,7 @@ master_tops: |
|
|
|
# the master server. The default is md5, but sha1, sha224, sha256, sha384 |
|
|
|
# and sha512 are also supported. |
|
|
|
# |
|
|
|
# Prior to changing this value, the master should be stopped and all Salt |
|
|
|
# Prior to changing this value, the master should be stopped and all Salt |
|
|
|
# caches should be cleared. |
|
|
|
{{ get_config('hash_type', 'md5') }} |
|
|
|
|
|
|
@@ -770,11 +770,11 @@ fileserver_backend: |
|
|
|
# Along with gitfs_password, is used to authenticate to HTTPS remotes. |
|
|
|
{{ get_config('gitfs_user', 'git') }} |
|
|
|
|
|
|
|
# Along with gitfs_user, is used to authenticate to HTTPS remotes. |
|
|
|
# Along with gitfs_user, is used to authenticate to HTTPS remotes. |
|
|
|
# This parameter is not required if the repository does not use authentication. |
|
|
|
{{ get_config('gitfs_password', '') }} |
|
|
|
|
|
|
|
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. |
|
|
|
# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. |
|
|
|
# This parameter enables authentication over HTTP. Enable this at your own risk. |
|
|
|
{{ get_config('gitfs_insecure_auth', 'False') }} |
|
|
|
|
|
|
@@ -973,9 +973,9 @@ ext_pillar: |
|
|
|
# be used instead. |
|
|
|
{{ get_config('git_pillar_branch', 'master') }} |
|
|
|
|
|
|
|
# Environment to use for git_pillar remotes. This is normally derived from |
|
|
|
# Environment to use for git_pillar remotes. This is normally derived from |
|
|
|
# the branch/tag (or from a per-remote env parameter), but if set this will |
|
|
|
# override the process of deriving the env from the branch/tag name. |
|
|
|
# override the process of deriving the env from the branch/tag name. |
|
|
|
{{ get_config('git_pillar_env', '') }} |
|
|
|
|
|
|
|
# Path relative to the root of the repository where the git_pillar top file |
|
|
@@ -983,12 +983,12 @@ ext_pillar: |
|
|
|
{{ get_config('git_pillar_root', 'pillar') }} |
|
|
|
|
|
|
|
# Specifies whether or not to ignore SSL certificate errors when contacting |
|
|
|
# the remote repository. |
|
|
|
# the remote repository. |
|
|
|
{{ get_config('git_pillar_ssl_verify', True) }} |
|
|
|
|
|
|
|
# When set to False, if there is an update/checkout lock for a git_pillar |
|
|
|
# remote and the pid written to it is not running on the master, the lock |
|
|
|
# file will be automatically cleared and a new lock will be obtained. |
|
|
|
# file will be automatically cleared and a new lock will be obtained. |
|
|
|
{{ get_config('git_pillar_global_lock', False) }} |
|
|
|
|
|
|
|
# Git External Pillar Authentication Options |
|
|
@@ -1380,3 +1380,17 @@ consul_config: |
|
|
|
{{ name }}: {{ value }} |
|
|
|
{%- endfor %} |
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
{% if 'mongo' in cfg_master -%} |
|
|
|
##### mongodb connection settings ##### |
|
|
|
########################################## |
|
|
|
{%- for name, value in cfg_master['mongo'].items() %} |
|
|
|
mongo.{{ name }}: {{ value }} |
|
|
|
{%- endfor %} |
|
|
|
|
|
|
|
{% if 'alternative.mongo' in cfg_master -%} |
|
|
|
{%- for name, value in cfg_master['alternative.mongo'].items() %} |
|
|
|
alternative.mongo.{{ name }}: {{ value }} |
|
|
|
{%- endfor %} |
|
|
|
{% endif %} |
|
|
|
{%- endif %} |
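Review bot: The `alternative.mongo` block is nested inside `{% if 'mongo' in cfg_master -%}`, so an `alternative.mongo` section in the pillar is silently dropped whenever no primary `mongo` section is defined; if the alternative connection is meant to be usable on its own (the key name suggests it is), the two blocks should be siblings: close the primary block with `{%- endif %}` directly after its `{%- endfor %}`, then open `{% if 'alternative.mongo' in cfg_master -%}` as an independent block. If the nesting is intentional, a one-line comment such as `{# alternative.mongo is only rendered when a primary mongo section exists #}` would prevent the next reader from "fixing" it. The inner block also closes with `{% endif %}` while every other block in this hunk uses `{%- endif %}`, which leaves a stray blank line in the rendered config. Note that, like the existing `consul` loop above, every key/value pair is written verbatim and unquoted into the master config, so any credential held in these sections (the file header already states it may contain sensitive data) ends up on disk in clear text and a value containing YAML-significant characters would be misparsed; consider documenting that expectation next to the loop.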