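# Base pillar (Jinja-templated YAML) shared by the infra hosts. Each top-level
# key feeds the saltstack formula of the same name (chrony, locale, ntp,
# openldap, openssh, postfix, rsyslog, salt, sssd, sudoers, timezone, zypper)
# plus the local "profile" states. Keys are kept in alphabetical order.
#
# The file is rendered by Jinja first and only then parsed as YAML, so the
# usual YAML 1.1 coercions apply: unquoted yes/no become booleans and a
# leading-zero integer is read as octal. Values that must reach the target
# config file verbatim are therefore quoted below.
{% set osrelease = salt['grains.get']('osrelease') %}
chrony:
  driftfile: /var/lib/chrony/drift
  logdir: /var/log/chrony
  otherparams:
    # Hosts that are themselves NTP servers (role "ntp") run ntpd from the
    # ntp: section below and only get the rtcsync line here.
    {% if 'ntp' not in salt['grains.get']('roles', []) %}
    - logchange 0.5
    - log measurements statistics tracking rtc
    - makestep 1.0 3
    - noclientlog
    {% endif %}
    - rtcsync

locale:
  present:
    - en_US.UTF-8 UTF-8
  default:
    name: en_US.UTF-8
    requires: en_US.UTF-8 UTF-8

ntp:
  ng:
    settings:
      ntpd: true
      ntp_conf:
        controlkey:
          - 1
        disable:
          - monitor
        driftfile:
          - /var/lib/ntp/drift/ntp.drift
        logfile:
          - /var/log/ntp
        keys:
          - /etc/ntp.keys
        requestkey:
          - 1
        # Default-deny, then allow localhost and the infra NTP peers.
        # Leading "-4"/"-6" and "::1" are quoted so they stay plain strings.
        restrict:
          - default ignore
          - '-4 default kod notrap nomodify nopeer'
          - '-6 default kod notrap nomodify nopeer'
          - 127.0.0.1
          - '::1'
          - ntp1.infra.opensuse.org
          - ntp2.infra.opensuse.org
          - ntp3.infra.opensuse.org
        trustedkey:
          - 1

openldap:
  base: dc=infra,dc=opensuse,dc=org
  tls_cacertdir: /etc/ssl/certs/
  # "demand": the LDAP server certificate must validate against the CA dir.
  tls_reqcert: demand
  uri: ldaps://freeipa.infra.opensuse.org

openssh:
  banner_src: salt://profile/accounts/files/ssh_banner
  # Quoted on purpose: an unquoted 0640 is parsed as octal (decimal 416) by
  # YAML 1.1 loaders and would be applied as a different mode than intended.
  sshd_config_mode: '0640'

profile:
  monitoring:
    checks:
      check_zypper: '/usr/lib/nagios/plugins/check_zypper -vrst 120 -ui /etc/monitoring-plugins/check_zypper-ignores.txt'

postfix:
  aliases:
    root: admin-auto@opensuse.org
  maincf:
    # Brackets disable MX lookup for the relay host; kept quoted so YAML does
    # not read the value as a flow sequence.
    relayhost: '[relay.infra.opensuse.org]'

rsyslog:
  custom:
    - salt://profile/log/files/etc/rsyslog.d/remote.conf.jinja
  custom_config_template: salt://profile/log/files/etc/rsyslog.conf
  imjournal: true
  protocol: tcp
  target: syslog.infra.opensuse.org

salt:
  minion:
    backup_mode: minion
    environment: production
    hash_type: sha512
    ipv6: false

# sshd_config is a top-level pillar key for the openssh formula; the mapping
# is written out keyword by keyword, so every value here must be the literal
# text sshd expects. yes/no are quoted so the YAML loader keeps them as words.
sshd_config:
  AuthorizedKeysFile: .ssh/authorized_keys
  # Public keys are looked up in FreeIPA/LDAP by this helper, running as an
  # unprivileged user as sshd requires.
  AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh
  AuthorizedKeysCommandUser: nobody
  HostKey:
    - /etc/ssh/ssh_host_rsa_key
    # NOTE(review): ssh-dss host keys are disabled by default in OpenSSH 7.0+;
    # this entry is presumably only still useful for the 11.x hosts — confirm.
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_ecdsa_key
    {% if osrelease != '11.3' %}
    - /etc/ssh/ssh_host_ed25519_key
    {% endif %}
  PasswordAuthentication: 'no'
  # Older spelling of "prohibit-password": root may log in with keys only.
  PermitRootLogin: without-password
  PrintMotd: 'yes'
  {% if osrelease.startswith('11') and (salt['grains.get']('cpuarch') == 'x86_64') %}
  # TODO: support more 64bit archs https://progress.opensuse.org/issues/15794
  Subsystem: sftp /usr/lib64/ssh/sftp-server
  {% else %}
  # TODO: upstream fix is not sufficient https://github.com/saltstack-formulas/openssh-formula/pull/57
  Subsystem: sftp /usr/lib/ssh/sftp-server
  {% endif %}
  UseDNS: 'yes'
  UsePAM: 'yes'
  matches:
    root:
      type:
        User: root
      options:
        Banner: /etc/ssh/banner

sssd:
  settings:
    sssd: true
    sssd_conf:
      domains:
        infra.opensuse.org:
          auth_provider: ldap
          id_provider: ldap
          ldap_group_search_base: cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org
          ldap_search_base: dc=infra,dc=opensuse,dc=org
          # Same certificate policy as the openldap section above.
          ldap_tls_reqcert: demand
          ldap_uri: ldaps://freeipa.infra.opensuse.org
          ldap_user_search_base: cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org
      general_settings:
        config_file_version: 2
        domains: infra.opensuse.org
        services: nss, pam, ssh
      services:
        nss:
          # Keep root resolution local; never look root up in LDAP.
          filter_group: root
          filter_users: root
        pam: {}
        ssh: {}

sudoers:
  defaults:
    generic:
      - always_set_home
      - secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
      - env_reset
      - env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
      # Quoted: a leading "!" is a YAML tag indicator.
      - '!insults'
  users:
    root:
      - 'ALL=(ALL) ALL'
  includedir: /etc/sudoers.d
  included_files:
    # Passwordless rule limited to the exact zypper invocations the
    # check_zypper monitoring plugin needs.
    /etc/sudoers.d/nagios_nopasswd_zypper:
      users:
        nagios:
          - 'ALL=(ALL) NOPASSWD: /usr/sbin/zypp-refresh,/usr/bin/zypper ref,/usr/bin/zypper sl,/usr/bin/zypper --xmlout --non-interactive list-updates -t package -t patch'
    /etc/sudoers.d/wheel:
      groups:
        wheel:
          - 'ALL=(ALL) ALL'

timezone:
  name: UTC
  utc: true

zypper:
  config:
    zypp_conf:
      main:
        # zypp.conf values are written as text, hence the quoted booleans.
        download.use_deltarpm: 'false'
        solver.onlyRequires: 'true'
  packages:
    abuild-online-update: {}
    ca-certificates-freeipa-opensuse: {}
    command-not-found: {}
    curl: {}
    dhcp-client: {}
    less: {}
    lsof: {}
    man: {}
    openssh-helpers: {}
    screen: {}
    sssd-ldap: {}
    susepaste: {}
    tcpdump: {}
    vim: {}
    vim-data: {}
    withlock: {}
    wget: {}
    wgetpaste: {}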