{% set osrelease = salt['grains.get']('osrelease') %} chrony: driftfile: /var/lib/chrony/drift logdir: /var/log/chrony otherparams: {% if 'ntp' not in salt['grains.get']('roles', []) %} - logchange 0.5 - log measurements statistics tracking rtc - makestep 1.0 3 - noclientlog {% endif %} - rtcsync locale: present: - en_US.UTF-8 UTF-8 default: name: en_US.UTF-8 requires: en_US.UTF-8 UTF-8 ntp: ng: settings: ntpd: true ntp_conf: controlkey: - 1 disable: - monitor driftfile: - /var/lib/ntp/drift/ntp.drift logfile: - /var/log/ntp keys: - /etc/ntp.keys requestkey: - 1 restrict: - default ignore - -4 default kod notrap nomodify nopeer - -6 default kod notrap nomodify nopeer - 127.0.0.1 - ::1 - ntp1.infra.opensuse.org - ntp2.infra.opensuse.org - ntp3.infra.opensuse.org trustedkey: - 1 openldap: base: dc=infra,dc=opensuse,dc=org tls_cacertdir: /etc/ssl/certs/ tls_reqcert: demand uri: ldaps://freeipa.infra.opensuse.org openssh: banner_src: salt://profile/accounts/files/ssh_banner sshd_config_mode: 0640 profile: postfix: aliases: root: admin-auto@opensuse.org maincf: relayhost: '[relay.infra.opensuse.org]' rsyslog: custom: - salt://profile/log/files/etc/rsyslog.d/remote.conf.jinja custom_config_template: salt://profile/log/files/etc/rsyslog.conf imjournal: true protocol: tcp target: syslog.infra.opensuse.org salt: minion: backup_mode: minion environment: production hash_type: sha512 ipv6: false sshd_config: AuthorizedKeysFile: .ssh/authorized_keys AuthorizedKeysCommand: /usr/local/bin/fetch_freeipa_ldap_sshpubkey.sh AuthorizedKeysCommandUser: nobody HostKey: - /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_dsa_key - /etc/ssh/ssh_host_ecdsa_key {% if osrelease != '11.3' %} - /etc/ssh/ssh_host_ed25519_key {% endif %} PasswordAuthentication: no PermitRootLogin: without-password PrintMotd: yes {% if osrelease.startswith('11') and (salt['grains.get']('cpuarch') == 'x86_64') %} # TODO: support more 64bit archs https://progress.opensuse.org/issues/15794 Subsystem: sftp /usr/lib64/ssh/sftp-server {% else %} # TODO: upstream fix is not sufficient https://github.com/saltstack-formulas/openssh-formula/pull/57 Subsystem: sftp /usr/lib/ssh/sftp-server {% endif %} UseDNS: yes UsePAM: yes matches: root: type: User: root options: Banner: /etc/ssh/banner sssd: settings: sssd: True sssd_conf: domains: infra.opensuse.org: auth_provider: ldap id_provider: ldap ldap_group_search_base: cn=groups,cn=compat,dc=infra,dc=opensuse,dc=org ldap_search_base: dc=infra,dc=opensuse,dc=org ldap_tls_reqcert: demand ldap_uri: ldaps://freeipa.infra.opensuse.org ldap_user_search_base: cn=users,cn=accounts,dc=infra,dc=opensuse,dc=org general_settings: config_file_version: 2 domains: infra.opensuse.org services: nss, pam, ssh services: nss: filter_group: root filter_users: root pam: {} ssh: {} sudoers: defaults: generic: - always_set_home - secure_path="/usr/sbin:/usr/bin:/sbin:/bin" - env_reset - env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" - '!insults' users: root: - 'ALL=(ALL) ALL' includedir: /etc/sudoers.d included_files: /etc/sudoers.d/nagios_nopasswd_zypper: users: nagios: - 'ALL=(ALL) NOPASSWD: /usr/sbin/zypp-refresh,/usr/bin/zypper ref,/usr/bin/zypper sl,/usr/bin/zypper --xmlout --non-interactive list-updates -t package -t patch' /etc/sudoers.d/wheel: groups: wheel: - 'ALL=(ALL) ALL' timezone: name: UTC utc: True zypper: config: zypp_conf: main: download.use_deltarpm: 'false' solver.onlyRequires: 'true' packages: abuild-online-update: {} ca-certificates-freeipa-opensuse: {} command-not-found: {} curl: {} dhcp-client: {} less: {} lsof: {} man: {} openssh-helpers: {} screen: {} sssd-ldap: {} susepaste: {} tcpdump: {} vim: {} vim-data: {} withlock: {} wget: {} wgetpaste: {}