{% set osrelease = salt['grains.get']('osrelease') %}

locale:

  present:

    - 'en_US.UTF-8 UTF-8'

  default:

    name: 'en_US.UTF-8'

    requires: 'en_US.UTF-8 UTF-8'

ntp:

  ng:

    settings:

      ntpd: true

      ntp_conf:

        controlkey:

          - 1

        disable:

          - monitor

        driftfile:

          - /var/lib/ntp/drift/ntp.drift

        logfile:

          - /var/log/ntp

        keys:

          - /etc/ntp.keys

        requestkey:

          - 1

        restrict:

          - -4 default kod notrap nomodify nopeer

          - -6 default kod notrap nomodify nopeer

          - 127.0.0.1

          - ::1

        trustedkey:

          - 1

timezone:

  name: 'UTC'

  utc: True

salt:

  gitfs:

    libgit2:

      install_from_source: False

    pygit2:

      install_from_source: False

  master:

    cli_summary: True

    default_top: production

    env_order:

      - production

    ext_pillar:

      - git:

          - production gitlab@mickey.opensuse.org:infra/salt.git:

              - env: production

              - root: pillar

              - privkey: /srv/salt/.ssh/salt_gitlab_oo_infra_salt

              - pubkey: /srv/salt/.ssh/salt_gitlab_oo_infra_salt.pub

    ext_pillar_first: True

    fileserver_backend:

      - git

    gitfs_provider: pygit2

    gitfs_remotes:

      - gitlab@mickey.opensuse.org:infra/salt.git:

          - root: salt

          - privkey: /srv/salt/.ssh/salt_gitlab_oo_infra_salt

          - pubkey: /srv/salt/.ssh/salt_gitlab_oo_infra_salt.pub

      - https://gitlab.opensuse.org/saltstack-formulas/dhcpd-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/grains-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/keepalived-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/locale-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/ntp-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/openssh-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/salt-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/sudoers-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/users-formula.git

      - https://gitlab.opensuse.org/saltstack-formulas/timezone-formula.git

    gitfs_ssl_verify: True

    hash_type: sha512

    pillar_gitfs_ssl_verify: True

    pillar_merge_lists: True

    pillar_source_merging_strategy: smart

    state_output: changes

    state_verbose: False

    top_file_merging_strategy: same

    user: salt

  minion:

    backup_mode: minion

    environment: production

    hash_type: sha512

sshd_config:

  HostKey:

    - /etc/ssh/ssh_host_rsa_key

    - /etc/ssh/ssh_host_dsa_key

    - /etc/ssh/ssh_host_ecdsa_key

{% if osrelease != '11.3' %}

    - /etc/ssh/ssh_host_ed25519_key

{% endif %}

  PermitRootLogin: without-password

  PrintMotd: yes

{% if osrelease.startswith('11') and (salt['grains.get']('cpuarch') == 'x86_64') %}

  # TODO: support more 64bit archs https://progress.opensuse.org/issues/15794

  Subsystem: sftp /usr/lib64/ssh/sftp-server

{% else %}

  # TODO: upstream fix is not sufficient https://github.com/saltstack-formulas/openssh-formula/pull/57

  Subsystem: sftp /usr/lib/ssh/sftp-server

{% endif %}

  UseDNS: yes

  matches:

    root:

      type:

        User: root

      options:

        Banner: /etc/ssh/banner