From fa80abbd4339be4ceb95b214c37aac80fde72759 Mon Sep 17 00:00:00 2001 
From: Brian Hodges Date: Thu, 10 Dec 2015 22:36:20 -0800 Subject: [PATCH] Initial commit --- .gitignore | 1 + AUTHORS | 1 + CHANGELOG.rst | 6 + LICENSE | 201 ++++++ README.rst | 184 +++++ VERSION | 1 + srv/pillar/provision/aliases.sls | 5 + srv/pillar/provision/disy.sls | 25 + srv/pillar/provision/dnsmasq-cache.sls | 5 + srv/pillar/provision/hosts-block.sls | 9 + srv/pillar/provision/limits.sls | 7 + srv/pillar/provision/sysctl.sls | 52 ++ srv/pillar/provision/top.sls | 10 + srv/salt/provision/aliases/README.rst | 6 + srv/salt/provision/aliases/files/aliases | 12 + srv/salt/provision/aliases/init.sls | 17 + srv/salt/provision/aliases/map.jinja | 8 + srv/salt/provision/apt-sources/README.rst | 5 + srv/salt/provision/apt-sources/init.sls | 27 + srv/salt/provision/apt/README.rst | 4 + srv/salt/provision/apt/init.sls | 11 + srv/salt/provision/base-packages/README.rst | 5 + srv/salt/provision/base-packages/init.sls | 52 ++ srv/salt/provision/disy/README.rst | 10 + srv/salt/provision/disy/init.sls | 21 + srv/salt/provision/dnsmasq-cache/README.rst | 9 + .../dnsmasq-cache/files/00_main.conf | 8 + .../dnsmasq-cache/files/dnsmasq.conf | 630 ++++++++++++++++++ .../dnsmasq-cache/files/etc_default_dnsmasq | 33 + srv/salt/provision/dnsmasq-cache/init.sls | 40 ++ srv/salt/provision/hosts-block/README.rst | 8 + srv/salt/provision/hosts-block/files/hosts | 6 + srv/salt/provision/hosts-block/init.sls | 42 ++ .../provision/iptables-persistent/README.rst | 19 + .../iptables-persistent/files/iptables.conf | 3 + .../iptables-persistent/files/rules.v4 | 22 + .../provision/iptables-persistent/init.sls | 29 + .../provision/iptables-persistent/tuning.sls | 61 ++ srv/salt/provision/kernel-install/README.rst | 13 + .../provision/kernel-install/debug_kernel.sls | 12 + .../kernel-install/files/99_overrides.cfg | 1 + srv/salt/provision/kernel-install/init.sls | 46 ++ srv/salt/provision/limits/README.rst | 12 + srv/salt/provision/limits/files/limits.conf | 68 ++ 
srv/salt/provision/limits/files/limits_d.conf | 12 + srv/salt/provision/limits/init.sls | 25 + srv/salt/provision/limits/map.jinja | 8 + srv/salt/provision/motd/10-help-text | 16 + srv/salt/provision/motd/files/10-help-text | 16 + srv/salt/provision/motd/init.sls | 6 + srv/salt/provision/postfix/README.rst | 5 + srv/salt/provision/postfix/files/main.cf | 41 ++ srv/salt/provision/postfix/files/master.cf | 125 ++++ srv/salt/provision/postfix/init.sls | 28 + srv/salt/provision/postfix/map.jinja | 6 + srv/salt/provision/provision-final/README.rst | 2 + .../files/alkali_provisioned.txt | 2 + srv/salt/provision/provision-final/init.sls | 10 + srv/salt/provision/rsyslog-client/README.rst | 7 + .../files/99-RepeatedMsgReduction.conf | 2 + .../rsyslog-client/files/99-remote.conf | 6 + srv/salt/provision/rsyslog-client/init.sls | 30 + srv/salt/provision/rsyslog-client/map.jinja | 6 + srv/salt/provision/sysctl/README.rst | 18 + srv/salt/provision/sysctl/init.sls | 21 + srv/salt/provision/timezone/README.rst | 5 + srv/salt/provision/timezone/init.sls | 3 + srv/salt/provision/top.sls | 21 + 68 files changed, 2168 insertions(+) create mode 100644 .gitignore create mode 100644 AUTHORS create mode 100644 CHANGELOG.rst create mode 100644 LICENSE create mode 100644 README.rst create mode 100644 VERSION create mode 100644 srv/pillar/provision/aliases.sls create mode 100644 srv/pillar/provision/disy.sls create mode 100644 srv/pillar/provision/dnsmasq-cache.sls create mode 100644 srv/pillar/provision/hosts-block.sls create mode 100644 srv/pillar/provision/limits.sls create mode 100644 srv/pillar/provision/sysctl.sls create mode 100644 srv/pillar/provision/top.sls create mode 100644 srv/salt/provision/aliases/README.rst create mode 100644 srv/salt/provision/aliases/files/aliases create mode 100644 srv/salt/provision/aliases/init.sls create mode 100644 srv/salt/provision/aliases/map.jinja create mode 100644 srv/salt/provision/apt-sources/README.rst create mode 100644 
srv/salt/provision/apt-sources/init.sls create mode 100644 srv/salt/provision/apt/README.rst create mode 100644 srv/salt/provision/apt/init.sls create mode 100644 srv/salt/provision/base-packages/README.rst create mode 100644 srv/salt/provision/base-packages/init.sls create mode 100644 srv/salt/provision/disy/README.rst create mode 100644 srv/salt/provision/disy/init.sls create mode 100644 srv/salt/provision/dnsmasq-cache/README.rst create mode 100644 srv/salt/provision/dnsmasq-cache/files/00_main.conf create mode 100644 srv/salt/provision/dnsmasq-cache/files/dnsmasq.conf create mode 100644 srv/salt/provision/dnsmasq-cache/files/etc_default_dnsmasq create mode 100644 srv/salt/provision/dnsmasq-cache/init.sls create mode 100644 srv/salt/provision/hosts-block/README.rst create mode 100644 srv/salt/provision/hosts-block/files/hosts create mode 100644 srv/salt/provision/hosts-block/init.sls create mode 100644 srv/salt/provision/iptables-persistent/README.rst create mode 100644 srv/salt/provision/iptables-persistent/files/iptables.conf create mode 100644 srv/salt/provision/iptables-persistent/files/rules.v4 create mode 100644 srv/salt/provision/iptables-persistent/init.sls create mode 100644 srv/salt/provision/iptables-persistent/tuning.sls create mode 100644 srv/salt/provision/kernel-install/README.rst create mode 100644 srv/salt/provision/kernel-install/debug_kernel.sls create mode 100644 srv/salt/provision/kernel-install/files/99_overrides.cfg create mode 100644 srv/salt/provision/kernel-install/init.sls create mode 100644 srv/salt/provision/limits/README.rst create mode 100644 srv/salt/provision/limits/files/limits.conf create mode 100644 srv/salt/provision/limits/files/limits_d.conf create mode 100644 srv/salt/provision/limits/init.sls create mode 100644 srv/salt/provision/limits/map.jinja create mode 100755 srv/salt/provision/motd/10-help-text create mode 100755 srv/salt/provision/motd/files/10-help-text create mode 100644 srv/salt/provision/motd/init.sls create 
mode 100644 srv/salt/provision/postfix/README.rst create mode 100644 srv/salt/provision/postfix/files/main.cf create mode 100644 srv/salt/provision/postfix/files/master.cf create mode 100644 srv/salt/provision/postfix/init.sls create mode 100644 srv/salt/provision/postfix/map.jinja create mode 100644 srv/salt/provision/provision-final/README.rst create mode 100644 srv/salt/provision/provision-final/files/alkali_provisioned.txt create mode 100644 srv/salt/provision/provision-final/init.sls create mode 100644 srv/salt/provision/rsyslog-client/README.rst create mode 100644 srv/salt/provision/rsyslog-client/files/99-RepeatedMsgReduction.conf create mode 100644 srv/salt/provision/rsyslog-client/files/99-remote.conf create mode 100644 srv/salt/provision/rsyslog-client/init.sls create mode 100644 srv/salt/provision/rsyslog-client/map.jinja create mode 100644 srv/salt/provision/sysctl/README.rst create mode 100644 srv/salt/provision/sysctl/init.sls create mode 100644 srv/salt/provision/timezone/README.rst create mode 100644 srv/salt/provision/timezone/init.sls create mode 100644 srv/salt/provision/top.sls diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1377554 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.swp diff --git a/AUTHORS b/AUTHORS new file mode 100644 index 0000000..da5a0bd --- /dev/null +++ b/AUTHORS @@ -0,0 +1 @@ +zulily, llc diff --git a/CHANGELOG.rst b/CHANGELOG.rst new file mode 100644 index 0000000..5d29e94 --- /dev/null +++ b/CHANGELOG.rst @@ -0,0 +1,6 @@ +alkali +====== + +0.1.0 (2015-12-10) + + - Initial release diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c77856a --- /dev/null +++ b/LICENSE 
@@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2014 Google, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.rst b/README.rst new file mode 100644 index 0000000..eb4ed4c --- /dev/null +++ b/README.rst 
@@ -0,0 +1,184 @@ +====== +alkali +====== + +alkali is a collections of SaltStack states and pillar data that provide *just the basics* for provisioning Linux instances +that may be built upon. alkali is a starter kit of sorts, to help new users to SaltStack get up-and-running +quickly with the most commonly used, core packages. + +Discussion +========== + +Salt state and pillar trees reside within this repository under the srv directory. These trees are meant to +be run within a "provision" environment, and only when a special grain is set to True: **in_provisioning**. + +The provision environment is intended to span across minions that are part of any salt environment. +It contains a very common collection of states and is generally static, the intent is that these states +will only be executed a single time like so: + +:: + + salt -G 'in_provisioning:True' state.highstate saltenv=provision -l debug + +States in other environments run post-provision phase may change settings previously applied. The +provision phase is not intended to meet the precise requirements of all possible instance types, but rather to +apply useful defaults that may be extended and overridden from more specific environments and targeting. + +While very uncommon, it is ocassionally necessary to re-run an updated provision environment state file. +If the dnsmasq_cache states are updated for example: + +:: + + salt '*.dev.*' state.sls dnsmasq_cache saltenv=provision -l debug + + +Getting Started +=============== ++ These states are currently only compatible with debian-based systems, with a few specific + states ony compatible with Ubuntu. They have only been tested and are known + to work on Ubuntu 14.04 and some later Ubuntu releases. + ++ Provision states will work with a master minion setup in which the saltenv may + be specified as an argument to the salt or salt-call commands. 
+ ++ Clone this repository and copy relevant directories to /srv/salt/provision and + /srv/pillar/provision + ++ Bring up any instances that will be part of the cluster, with recent + base Ubuntu installs. + ++ Make sure to have a base environment, with an empty top.sls file at a minimum, + /srv/salt/base and /srv/pillar/base + ++ Configure file_roots and pillar_roots, for example: + +:: + + file_roots: + base: + - /srv/salt/base + provision: + - /srv/salt/provision + + pillar_roots: + base: + - /srv/pillar/base + provision: + - /srv/pillar/provision + + + ++ Any minions to be provisioned must have the in_provisioning grain set: + +:: + + salt-call grains.setval in_provisioning True + ++ Provision minions. From the master: + +:: + + salt -G 'in_provisioning:True' state.highstate saltenv=provision -l debug + +Compound targeting may be useful in some scenarios. + ++ Once provisioned, removing the in_provisioning grain is recommended. This + +:: + + salt-call grains.delval in_provisioning destructive=True + +Included States +=============== +All of the included states have a README.rst file with additional details, but to summarize: + +.. contents:: + :local: + +``aliases`` +----------- +/etc/aliases management, based on pillar data. + +``apt`` +------- +States for configuring apt. + +``apt-sources`` +--------------- +Management of apt sources.list.d files. Ubuntu-specific by default. + +``base-packages`` +----------------- +A list of packages to install at provision time, which require no configuration management. + +``disy`` +-------- +Creates symlinks and directories based on pillar settings. + +``dnsmasq-cache`` +----------------- +Installs and configures dnsmasq as a local caching daemon. + +``hosts-block`` +--------------- +Management of /etc/hosts to ensure consistency, utilizes pillar data. + +``iptables-persistent`` +----------------------- +Installs iptables and performs tuning, but does not apply a ruleset. 
+ +``kernel-install`` +------------------ +Provides a simple mechanism for installing a specific kernel version +and setting it to be the grub default. Typically run ad-hoc only. + +``limits`` +---------- +Provides pillar-driven limits.conf and limits.conf.d management. + +``motd`` +-------- +Management of motd legalese to be displayed at login. + +``postfix`` +----------- +Basic postfix installation and configuration for a smarthost setup. + +``provision-final`` +------------------- +The last state file to be run, creates /root/.alkali_provisioned.txt which indicates +when the provision highstate was run. + +``rsyslog-client`` +------------------ +Brings up rsyslog with logging to a centralized syslog server. + +``sysctl`` +---------- +Pillar-driven kernel tuning, with reasonable defaults and host-function-specific +setting capabilities. + +``timezone`` +------------ +Sets the timezone. + + +Other States +============ +A few noteworthy formulas and states that are absent and will most likely +be useful to a wide audience: + +* ntp - Using the SaltStack community formula is recommended +* openssh - Using the SaltStack community formula is recommended +* Log shipping and monitoring agents - nrpe, zabbix, the splunk forwarder, newrelic, etc. +* Account management-related states +* resolvconf management + +ToDo / Known Issues +=================== ++ Add support for non-Debian-based distributions and better non-Ubuntu-specific support in general. + +License +======= + +Apache License, version 2.0. Please see LICENSE. diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..6e8bf73 --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +0.1.0 diff --git a/srv/pillar/provision/aliases.sls b/srv/pillar/provision/aliases.sls new file mode 100644 index 0000000..046bbaa --- /dev/null +++ b/srv/pillar/provision/aliases.sls @@ -0,0 +1,5 @@ +aliases: + - postmaster: + - root + - root: + - root@example.com 
diff --git a/srv/pillar/provision/disy.sls b/srv/pillar/provision/disy.sls
new file mode 100644
index 0000000..00ce6b3
--- /dev/null
+++ b/srv/pillar/provision/disy.sls
@@ -0,0 +1,25 @@
+disy:
+ targeted_defaults:
+ mariadb:
+ /backups/db:
+ operation: directory
+ parameters:
+ - user: root
+ - group: root
+ - mode: 755
+ - makedirs: True
+ defaults:
+ default:
+ /backups:
+ operation: directory
+ parameters:
+ - user: root
+ - group: root
+ - mode: 755
+ /bin/env:
+ operation: symlink
+ parameters:
+ - target: /usr/bin/env
+ - force: True
+ - user: root
+ - group: root
diff --git a/srv/pillar/provision/dnsmasq-cache.sls b/srv/pillar/provision/dnsmasq-cache.sls
new file mode 100644
index 0000000..c5b158c
--- /dev/null
+++ b/srv/pillar/provision/dnsmasq-cache.sls
@@ -0,0 +1,5 @@
+dnsmasq_cache:
+ main:
+ listen-address: 127.0.0.1
+ bind-interfaces: ''
+ neg-ttl: 5
diff --git a/srv/pillar/provision/hosts-block.sls b/srv/pillar/provision/hosts-block.sls
new file mode 100644
index 0000000..fee152b
--- /dev/null
+++ b/srv/pillar/provision/hosts-block.sls
@@ -0,0 +1,9 @@
+# Example pillar data...
+hosts_block:
+ - "Centralized syslog Servers":
+ - 172.16.0.50:
+ - logger-001
+ - logger-001.example.com
+ - 172.16.0.51:
+ - logger-002
+ - logger-002.example.com
diff --git a/srv/pillar/provision/limits.sls b/srv/pillar/provision/limits.sls
new file mode 100644
index 0000000..0cf7c2e
--- /dev/null
+++ b/srv/pillar/provision/limits.sls
@@ -0,0 +1,7 @@
+limits:
+ conf: []
+ d:
+ - 01-defaults:
+ - '*':
+ - { type: "-", item: "nproc", value: 24576 }
+ - { type: "-", item: "nofile", value: 196608 }
diff --git a/srv/pillar/provision/sysctl.sls b/srv/pillar/provision/sysctl.sls
new file mode 100644
index 0000000..9d76a3c
--- /dev/null
+++ b/srv/pillar/provision/sysctl.sls
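Review bot: Both `/backups/db` (mariadb block) and `/backups` (default block) are created with `- mode: 755`, which lets every local account traverse and list the database dump tree; unless non-root consumers are expected, `- mode: 750` keeps backup content to root and its group. The `/bin/env` entry uses `- force: True`, and on a merged-/usr system where /bin is already a link to /usr/bin that would replace the real /usr/bin/env binary with a symlink to itself; guarding the entry on the system not being merged-/usr, or dropping `force`, avoids that.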
@@ -0,0 +1,52 @@
+sysctl:
+ targeted_defaults:
+ # Common examples for various function_classes
+ mariadb:
+ vm.swappiness: 0
+ mongo:
+ vm.zone_reclaim_mode: 0
+ redis:
+ vm.overcommit_memory: 0
+ defaults:
+ # Example settings, customize as necessary.
+ default:
+ fs.file-max: 196608
+ kernel.core_uses_pid: 1
+ kernel.msgmax: 65536
+ kernel.msgmnb: 65536
+ kernel.panic: 1
+ # Current default, may not make sense on all systems...
+ kernel.shmall: 4294967296
+ # Current default, may not make sense on all systems...
+ kernel.shmmax: 68719476736
+ kernel.sysrq: 1
+ net.core.netdev_max_backlog: 50000
+ net.core.optmem_max: 40960
+ net.core.rmem_default: 16777216
+ net.core.rmem_max: 16777216
+ net.core.wmem_default: 16777216
+ net.core.wmem_max: 16777216
+ net.ipv4.conf.all.arp_ignore: 1
+ net.ipv4.conf.default.accept_source_route: 0
+ net.ipv4.conf.default.rp_filter: 1
+ net.ipv4.conf.eth0.arp_announce: 2
+ net.ipv4.conf.eth0.arp_ignore: 1
+ {% if 'eth1' in grains['ip_interfaces'].keys() -%}
+ net.ipv4.conf.eth1.arp_announce: 2
+ net.ipv4.conf.eth1.arp_ignore: 1
+ {% endif -%}
+ net.ipv4.ip_forward: 0
+ net.ipv4.ip_local_port_range: 12000 61000
+ net.ipv4.tcp_fin_timeout: 20
+ net.ipv4.tcp_max_syn_backlog: 30000
+ net.ipv4.tcp_max_tw_buckets: 2000000
+ net.ipv4.tcp_rmem: 4096 87380 16777216
+ net.ipv4.tcp_slow_start_after_idle: 0
+ net.ipv4.tcp_syncookies: 1
+ net.ipv4.tcp_tw_reuse: 1
+ net.ipv4.tcp_wmem: 4096 65536 16777216
+ net.ipv6.conf.all.disable_ipv6: 1
+ net.ipv6.conf.default.disable_ipv6: 1
+ net.ipv6.conf.lo.disable_ipv6: 1
+ vm.overcommit_memory: 1
+ vm.swappiness: 10
diff --git a/srv/pillar/provision/top.sls b/srv/pillar/provision/top.sls
new file mode 100644
index 0000000..63dda70
--- /dev/null
+++ b/srv/pillar/provision/top.sls
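Review bot: `kernel.sysrq: 1` in the default block enables every magic-SysRq function (crash, reboot, kill-all, and so on) for anyone with console or serial access, whereas Ubuntu ships a restricted bitmask (176 in its 10-magic-sysrq.conf); `kernel.sysrq: 176` or `0` is the safer default for a provisioning baseline. Separately, the hardening keys `net.ipv4.conf.default.accept_source_route: 0` and `net.ipv4.conf.default.rp_filter: 1` only seed interfaces created after the run, so interfaces already up keep whatever value they had; add the `all` counterparts, `net.ipv4.conf.all.rp_filter: 1` and `net.ipv4.conf.all.accept_source_route: 0`, alongside them.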
@@ -0,0 +1,10 @@
+# Matching on the in_provisioning grain is an option, but single state runs post-provision
+# would not have access to pillar data.
+provision:
+ '*':
+ - aliases
+ - disy
+ - dnsmasq-cache
+ - hosts-block
+ - limits
+ - sysctl
diff --git a/srv/salt/provision/aliases/README.rst b/srv/salt/provision/aliases/README.rst
new file mode 100644
index 0000000..c0833f0
--- /dev/null
+++ b/srv/salt/provision/aliases/README.rst
@@ -0,0 +1,6 @@
+aliases
+=======
+
+Simple /etc/aliases management, based on pillar data. Requires the postfix
+states run first, handled by top.sls ordering. Customize aliases by
+editing aliases.sls in the pillar tree.
diff --git a/srv/salt/provision/aliases/files/aliases b/srv/salt/provision/aliases/files/aliases
new file mode 100644
index 0000000..8886fd5
--- /dev/null
+++ b/srv/salt/provision/aliases/files/aliases
@@ -0,0 +1,12 @@
+# This file is managed by salt. Manual changes risk being overwritten.
+#
+# /etc/aliases
+#
+# See man 5 aliases for format
+
+{% for alias in pillar['aliases'] %}
+ {%- for name, recipients in alias.iteritems() -%}
+ {{ name }}: {% for recipient in recipients %}{{ recipient }}{% if not loop.last %}, {% endif %}{% endfor %}
+ {%- endfor %}
+{% endfor %}
+
diff --git a/srv/salt/provision/aliases/init.sls b/srv/salt/provision/aliases/init.sls
new file mode 100644
index 0000000..b75e256
--- /dev/null
+++ b/srv/salt/provision/aliases/init.sls
@@ -0,0 +1,17 @@
+{% from "aliases/map.jinja" import aliases with context %}
+
+{{ aliases.aliases }}:
+ file.managed:
+ - source: {{ aliases.aliases_src }}
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+ - require:
+ - pkg: {{ aliases.postfix_pkg }}
+
+run-newaliases:
+ cmd.wait:
+ - name: {{ aliases.newaliases_bin }}
+ - watch:
+ - file: {{ aliases.aliases }}
diff --git a/srv/salt/provision/aliases/map.jinja b/srv/salt/provision/aliases/map.jinja
new file mode 100644
index 0000000..8c01868
--- /dev/null
+++ b/srv/salt/provision/aliases/map.jinja
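Review bot: `alias.iteritems()` in the inner loop of the aliases template is Python 2-only, so the template stops rendering once the minion runs Salt under Python 3; `alias.items()` produces the same iteration on both. The outer loop also indexes `pillar['aliases']` directly, which makes the render fail on any minion without that pillar key instead of producing an empty aliases file; `pillar.get('aliases', [])` degrades more gracefully.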
@@ -0,0 +1,8 @@
+{% set aliases = salt['grains.filter_by']({
+ 'Debian': {
+ 'aliases': '/etc/aliases',
+ 'newaliases_bin': '/usr/bin/newaliases',
+ 'aliases_src': 'salt://aliases/files/aliases',
+ 'postfix_pkg': 'postfix',
+ },
+}) %}
diff --git a/srv/salt/provision/apt-sources/README.rst b/srv/salt/provision/apt-sources/README.rst
new file mode 100644
index 0000000..f4cbb65
--- /dev/null
+++ b/srv/salt/provision/apt-sources/README.rst
@@ -0,0 +1,5 @@
+apt-sources
+===========
+
+Basic apt sources configuration for Ubuntu, based on the codename provided
+by lsb_release.
diff --git a/srv/salt/provision/apt-sources/init.sls b/srv/salt/provision/apt-sources/init.sls
new file mode 100644
index 0000000..841b3c2
--- /dev/null
+++ b/srv/salt/provision/apt-sources/init.sls
@@ -0,0 +1,27 @@
+{% set codename = salt['cmd.run']("lsb_release -c | awk '{ print $2 }'") %}
+
+# We are using sources.list.d, zero-out sources.list
+/etc/apt/sources.list:
+ file.managed:
+ - contents: ''
+
+# Repos to include
+{{ codename }}:
+ pkgrepo.managed:
+ - name: deb http://archive.ubuntu.com/ubuntu/ {{ codename }} main restricted universe
+ - file: /etc/apt/sources.list.d/{{ codename }}.list
+ - refreshdb: True
+
+{{ codename }}-security:
+ pkgrepo.managed:
+ - name: deb http://archive.ubuntu.com/ubuntu/ {{ codename }}-security main restricted universe
+ - file: /etc/apt/sources.list.d/{{ codename }}_security.list
+ - refreshdb: True
+
+{{ codename }}-updates:
+ pkgrepo.managed:
+ - name: deb http://archive.ubuntu.com/ubuntu/ {{ codename }}-updates main restricted universe
+ - file: /etc/apt/sources.list.d/{{ codename }}_updates.list
+ - refreshdb: True
+
+
diff --git a/srv/salt/provision/apt/README.rst b/srv/salt/provision/apt/README.rst
new file mode 100644
index 0000000..763b6d8
--- /dev/null
+++ b/srv/salt/provision/apt/README.rst
@@ -0,0 +1,4 @@
+apt
+===
+
+apt configuration, presently limited to disabling unattended upgrades.
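Review bot: `grains.filter_by` is called with only a `Debian` entry and no `default`, so on a minion whose `os_family` grain is anything else the call returns `None` and every `aliases.xxx` lookup in init.sls raises at render time instead of giving a readable error. Either add `default='Debian'` to state that Debian-style paths are assumed everywhere, or say in the README that the aliases states are Debian-family only.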
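Review bot: the codename comes from `salt['cmd.run']("lsb_release -c | awk '{ print $2 }'")`, which spawns a shell pipeline at every render and yields an empty string (and three state IDs of `:`, `-security:` and `-updates:`) when `lsb_release` is absent; the `oscodename` grain already carries the same value without a subprocess, `{% set codename = grains['oscodename'] %}`. The README says this is Ubuntu-specific, yet the first state blanks `/etc/apt/sources.list` unconditionally, so a guard on `grains['os']` before that state would keep a Debian minion that receives it by mistake from losing its sources. The repository lines are plain `http://`; apt's signature verification still protects package integrity, but a one-line comment saying that is the intended trust model would pre-empt the question.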
diff --git a/srv/salt/provision/apt/init.sls b/srv/salt/provision/apt/init.sls
new file mode 100644
index 0000000..bf9346d
--- /dev/null
+++ b/srv/salt/provision/apt/init.sls
@@ -0,0 +1,11 @@
+disable-unattended-upgrades:
+ file.replace:
+ - name: /etc/apt/apt.conf.d/50unattended-upgrades
+ - pattern: '\t"\${distro_id}:\${distro_codename}-security";'
+ - repl: // "${distro_id}:${distro_codename}-security";
+
+disable-unattended-upgrades-2:
+ file.append:
+ - name: /etc/apt/apt.conf.d/10periodic
+ - text: APT::Periodic::Unattended-Upgrade "0";
+ - makedirs: True
diff --git a/srv/salt/provision/base-packages/README.rst b/srv/salt/provision/base-packages/README.rst
new file mode 100644
index 0000000..8e0b63c
--- /dev/null
+++ b/srv/salt/provision/base-packages/README.rst
@@ -0,0 +1,5 @@
+base-packages
+=============
+
+A list of base packages to install at provision time. Customize the list in init.sls as
+needed.
diff --git a/srv/salt/provision/base-packages/init.sls b/srv/salt/provision/base-packages/init.sls
new file mode 100644
index 0000000..f4fed2b
--- /dev/null
+++ b/srv/salt/provision/base-packages/init.sls
@@ -0,0 +1,52 @@
+base_packages:
+ pkg.installed:
+ - pkgs:
+ - netcat
+# Add any packages to the list here, for example:
+# - acct
+# - atop
+# - atsar
+# - augeas-tools
+# - bc
+# - binutils
+# - curl
+# - debconf-utils
+# - dstat
+# - ethtool
+# - gdb
+# - git
+# - gnupg2
+# - htop
+# - iotop
+# - ipcalc
+# - iperf
+# - iptraf
+# - mlocate
+# - mtr-tiny
+# - multitail
+# - nethogs
+# - ngrep
+# - nmap
+# - parallel
+# - python-jinja2
+# - python-protobix
+# - python-simplejson
+# - python-sqlalchemy
+# - python-sqlite
+# - python-virtualenv
+# - python-yaml
+# - screen
+# - strace
+# - tcpdump
+# - tig
+# - tmux
+# - traceroute
+# - tree
+# - unzip
+# - valgrind
+# - vim
+# - virt-what
+# - wget
+# - whois
+# - xfsprogs
+# - zip
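Review bot: appending `APT::Periodic::Unattended-Upgrade "0";` to `10periodic` is overridden on a stock Ubuntu install, because apt reads apt.conf.d in lexical order and the `20auto-upgrades` file shipped with unattended-upgrades sets the same key to `"1"` afterwards; managing `20auto-upgrades` itself, or a file that sorts after it, is what actually disables the periodic run. The `file.replace` pattern assumes a tab-indented `"${distro_id}:${distro_codename}-security";` line, and a non-match reports success with no changes, so nothing signals when the package ships a different layout. A comment above the first state saying both steps are best-effort would document that, or `pkg.removed` on unattended-upgrades is the unambiguous alternative if the package is not wanted at all.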
diff --git a/srv/salt/provision/disy/README.rst b/srv/salt/provision/disy/README.rst
new file mode 100644
index 0000000..5e2259e
--- /dev/null
+++ b/srv/salt/provision/disy/README.rst
@@ -0,0 +1,10 @@
+disy
+====
+disy - prounounced dicey, creates symlinks and directories
+that reside on all systems by default. Also allows for
+management of directories and symlinks that target hosts
+with a matching "function_class" grain. For example,
+for all systems hosting mysql/mariadb/percona databases,
+a function_class that groups these might be mariadb.
+
+Customize the disy.sls pillar file as necessary.
diff --git a/srv/salt/provision/disy/init.sls b/srv/salt/provision/disy/init.sls
new file mode 100644
index 0000000..c33a5e0
--- /dev/null
+++ b/srv/salt/provision/disy/init.sls
@@ -0,0 +1,21 @@
+{# Get the targeted defaults #}
+{%
+ set disy_overrides = salt['grains.filter_by'](
+ salt['pillar.get']('disy:targeted_defaults', {}),
+ grain='function_class')
+%}
+
+{# Get the defaults, then merge the targeted defaults on top #}
+{%
+ set disy_settings = salt['grains.filter_by'](
+ salt['pillar.get']('disy:defaults', {}),
+ grain='function_class', merge=disy_overrides)
+%}
+
+{# Apply disy states state for merged settings. #}
+{% for path, settings in disy_settings.iteritems() %}
+{{ path }}:
+ file.{{ disy_settings[path]['operation'] }}:
+ {{ disy_settings[path]['parameters']|yaml }}
+{% endfor %}
+
diff --git a/srv/salt/provision/dnsmasq-cache/README.rst b/srv/salt/provision/dnsmasq-cache/README.rst
new file mode 100644
index 0000000..2cf8e29
--- /dev/null
+++ b/srv/salt/provision/dnsmasq-cache/README.rst
@@ -0,0 +1,9 @@
+dnsmasq-cache
+=============
+
+Installs and configures dnsmasq as a local caching daemon.
+
+Make sure to set 127.0.0.1 as the first nameserver in /etc/resolv.conf
+(not handled by these states) or the local dnsmasq instance will not be utilized.
+
+dnsmasq main configuration settings are customizable in the pillar data.
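Review bot: the loop binds `settings` and then indexes `disy_settings[path]['operation']` and `disy_settings[path]['parameters']`, which is the same value by a longer route; `file.{{ settings['operation'] }}:` and `{{ settings['parameters']|yaml }}` reads as intended. `|yaml` renders the parameters as a one-line flow document, so the pillar's `parameters` must already have whatever shape Salt accepts as arguments for the chosen `file.*` function — the README should say so, because a plain mapping and a list of single-key mappings render differently. The `disy_settings` result is `None` when neither pillar key matches the minion's `function_class` grain and no default is supplied, which turns the `.iteritems()` call into a render error rather than a no-op; `iteritems()` is also Python-2-only, as in the other templates in this commit.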
diff --git a/srv/salt/provision/dnsmasq-cache/files/00_main.conf b/srv/salt/provision/dnsmasq-cache/files/00_main.conf
new file mode 100644
index 0000000..d7d717b
--- /dev/null
+++ b/srv/salt/provision/dnsmasq-cache/files/00_main.conf
@@ -0,0 +1,8 @@
+{%- for key, value in main_settings.iteritems() -%}
+ {%- if value -%}
+{{ key }}={{ value }}
+ {%- else %}
+{{ key }}
+ {%- endif %}
+
+{% endfor -%}
diff --git a/srv/salt/provision/dnsmasq-cache/files/dnsmasq.conf b/srv/salt/provision/dnsmasq-cache/files/dnsmasq.conf
new file mode 100644
index 0000000..9a0dbd7
--- /dev/null
+++ b/srv/salt/provision/dnsmasq-cache/files/dnsmasq.conf
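Review bot: `{%- if value -%}` treats a falsy value as absent, so a pillar entry such as `port: 0` (which the shipped dnsmasq.conf documents as the way to disable DNS entirely) or `cache-size: 0` renders as the bare key `port` instead of `port=0`; `{%- if value is not none -%}` emits `key=value` for every setting that carries a value and the bare form only for flag options given as null. A header comment naming the pillar key this template reads (`dnsmasq_cache:main`, a mapping of dnsmasq option name to value or null) would make it self-describing. `main_settings.iteritems()` is Python-2-only.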
@@ -0,0 +1,630 @@ +# Configuration file for dnsmasq. +# +# Format is one option per line, legal options are the same +# as the long options legal on the command line. See +# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. + +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + +# The following two options make you a better netizen, since they +# tell dnsmasq to filter out queries which the public DNS cannot +# answer, and which load the servers (especially the root servers) +# unnecessarily. If you have a dial-on-demand link they also stop +# these requests from bringing up the link unnecessarily. + +# Never forward plain names (without a dot or domain part) +#domain-needed +# Never forward addresses in the non-routed address spaces. +#bogus-priv + + +# Uncomment this to filter useless windows-originated DNS requests +# which can trigger dial-on-demand links needlessly. +# Note that (amongst other things) this blocks all SRV requests, +# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk. +# This option only affects forwarding, SRV records originating for +# dnsmasq (via srv-host= lines) are not suppressed by it. +#filterwin2k + +# Change this line if you want dns to get its upstream servers from +# somewhere other that /etc/resolv.conf +#resolv-file= + +# By default, dnsmasq will send queries to any of the upstream +# servers it knows about and tries to favour servers to are known +# to be up. Uncommenting this forces dnsmasq to try each query +# with each server strictly in the order they appear in +# /etc/resolv.conf +#strict-order + +# If you don't want dnsmasq to read /etc/resolv.conf or any other +# file, getting its servers from this file instead (see below), then +# uncomment this. 
+#no-resolv + +# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv +# files for changes and re-read them then uncomment this. +#no-poll + +# Add other name servers here, with domain specs if they are for +# non-public domains. +#server=/localnet/192.168.0.1 + +# Example of routing PTR queries to nameservers: this will send all +# address->name queries for 192.168.3/24 to nameserver 10.1.2.3 +#server=/3.168.192.in-addr.arpa/10.1.2.3 + +# Add local-only domains here, queries in these domains are answered +# from /etc/hosts or DHCP only. +#local=/localnet/ + +# Add domains which you want to force to an IP address here. +# The example below send any host in double-click.net to a local +# web-server. +#address=/double-click.net/127.0.0.1 + +# --address (and --server) work with IPv6 addresses too. +#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 + +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + +# You can control how dnsmasq talks to a server: this forces +# queries to 10.1.2.3 to be routed via eth1 +# server=10.1.2.3@eth1 + +# and this sets the source (ie local) address used to talk to +# 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that +# IP on the machine, obviously). +# server=10.1.2.3@192.168.1.1#55 + +# If you want dnsmasq to change uid and gid to something other +# than the default, edit the following lines. +#user= +#group= + +# If you want dnsmasq to listen for DHCP and DNS requests only on +# specified interfaces (and the loopback) give the name of the +# interface (eg eth0) here. +# Repeat the line for more than one interface. +#interface= +# Or you can specify which interface _not_ to listen on +#except-interface= +# Or which to listen on by address (remember to include 127.0.0.1 if +# you use this.) 
+#listen-address= +# If you want dnsmasq to provide only DNS service on an interface, +# configure it as shown above, and then use the following line to +# disable DHCP and TFTP on it. +#no-dhcp-interface= + +# On systems which support it, dnsmasq binds the wildcard address, +# even when it is listening on only some interfaces. It then discards +# requests that it shouldn't reply to. This has the advantage of +# working even when interfaces come and go and change address. If you +# want dnsmasq to really bind only the interfaces it is listening on, +# uncomment this option. About the only time you may need this is when +# running another nameserver on the same machine. +#bind-interfaces + +# If you don't want dnsmasq to read /etc/hosts, uncomment the +# following line. +#no-hosts +# or if you want it to read another file, as well as /etc/hosts, use +# this. +#addn-hosts=/etc/banner_add_hosts + +# Set this (and domain: see below) if you want to have a domain +# automatically added to simple names in a hosts-file. +#expand-hosts + +# Set the domain for dnsmasq. this is optional, but if it is set, it +# does the following things. +# 1) Allows DHCP hosts to have fully qualified domain names, as long +# as the domain part matches this setting. +# 2) Sets the "domain" DHCP option thereby potentially setting the +# domain of all systems configured by DHCP +# 3) Provides the domain part for "expand-hosts" +#domain=thekelleys.org.uk + +# Set a different domain for a particular subnet +#domain=wireless.thekelleys.org.uk,192.168.2.0/24 + +# Same idea, but range rather then subnet +#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200 + +# Uncomment this to enable the integrated DHCP server, you need +# to supply the range of addresses available for lease and optionally +# a lease time. If you have more than one network, you will need to +# repeat this for each network on which you want to supply DHCP +# service. 
+#dhcp-range=192.168.0.50,192.168.0.150,12h + +# This is an example of a DHCP range where the netmask is given. This +# is needed for networks we reach the dnsmasq DHCP server via a relay +# agent. If you don't know what a DHCP relay agent is, you probably +# don't need to worry about this. +#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h + +# This is an example of a DHCP range which sets a tag, so that +# some DHCP options may be set only for this network. +#dhcp-range=set:red,192.168.0.50,192.168.0.150 + +# Use this DHCP range only when the tag "green" is set. +#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h + +# Specify a subnet which can't be used for dynamic address allocation, +# is available for hosts with matching --dhcp-host lines. Note that +# dhcp-host declarations will be ignored unless there is a dhcp-range +# of some type for the subnet in question. +# In this case the netmask is implied (it comes from the network +# configuration on the machine running dnsmasq) it is possible to give +# an explicit netmask instead. +#dhcp-range=192.168.0.0,static + +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC alogrithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. 
Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overriden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + +# Supply parameters for specified hosts using DHCP. There are lots +# of valid alternatives, so we will give examples of each. Note that +# IP addresses DO NOT have to be in the range given above, they just +# need to be on the same network. The order of the parameters in these +# do not matter, it's permissible to give name, address and MAC in any +# order. + +# Always allocate the host with Ethernet address 11:22:33:44:55:66 +# The IP address 192.168.0.60 +#dhcp-host=11:22:33:44:55:66,192.168.0.60 + +# Always set the name of the host with hardware address +# 11:22:33:44:55:66 to be "fred" +#dhcp-host=11:22:33:44:55:66,fred + +# Always give the host with Ethernet address 11:22:33:44:55:66 +# the name fred and IP address 192.168.0.60 and lease time 45 minutes +#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m + +# Give a host with Ethernet address 11:22:33:44:55:66 or +# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume +# that these two Ethernet interfaces will never be in use at the same +# time, and give the IP address to the second, even if it is already +# in use by the first. 
Useful for laptops with wired and wireless +# addresses. +#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60 + +# Give the machine which says its name is "bert" IP address +# 192.168.0.70 and an infinite lease +#dhcp-host=bert,192.168.0.70,infinite + +# Always give the host with client identifier 01:02:02:04 +# the IP address 192.168.0.60 +#dhcp-host=id:01:02:02:04,192.168.0.60 + +# Always give the host with client identifier "marjorie" +# the IP address 192.168.0.60 +#dhcp-host=id:marjorie,192.168.0.60 + +# Enable the address given for "judge" in /etc/hosts +# to be given to a machine presenting the name "judge" when +# it asks for a DHCP lease. +#dhcp-host=judge + +# Never offer DHCP service to a machine whose Ethernet +# address is 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,ignore + +# Ignore any client-id presented by the machine with Ethernet +# address 11:22:33:44:55:66. This is useful to prevent a machine +# being treated differently when running under different OS's or +# between PXE boot and OS boot. +#dhcp-host=11:22:33:44:55:66,id:* + +# Send extra options which are tagged as "red" to +# the machine with Ethernet address 11:22:33:44:55:66 +#dhcp-host=11:22:33:44:55:66,set:red + +# Send extra options which are tagged as "red" to +# any machine with Ethernet address starting 11:22:33: +#dhcp-host=11:22:33:*:*:*,set:red + +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also the they [] around the IPv6 address are obilgatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines +# or /etc/ethers. Equivalent to ISC "deny unknown-clients". +# This relies on the special "known" tag which is set when +# a host is matched. 
+#dhcp-ignore=tag:!known + +# Send extra options which are tagged as "red" to any machine whose +# DHCP vendorclass string includes the substring "Linux" +#dhcp-vendorclass=set:red,Linux + +# Send extra options which are tagged as "red" to any machine one +# of whose DHCP userclass strings includes the substring "accounts" +#dhcp-userclass=set:red,accounts + +# Send extra options which are tagged as "red" to any machine whose +# MAC address matches the pattern. +#dhcp-mac=set:red,00:60:8C:*:*:* + +# If this line is uncommented, dnsmasq will read /etc/ethers and act +# on the ethernet-address/IP pairs found there just as if they had +# been given as --dhcp-host options. Useful if you keep +# MAC-address/host mappings there for other purposes. +#read-ethers + +# Send options to hosts which ask for a DHCP lease. +# See RFC 2132 for details of available options. +# Common options can be given to dnsmasq by name: +# run "dnsmasq --help dhcp" to get a list. +# Note that all the common settings, such as netmask and +# broadcast address, DNS server and default route, are given +# sane defaults by dnsmasq. You very likely will not need +# any dhcp-options. If you use Windows clients and Samba, there +# are some options which are recommended, they are detailed at the +# end of this section. + +# Override the default route supplied by dnsmasq, which assumes the +# router is the same machine as the one running dnsmasq. +#dhcp-option=3,1.2.3.4 + +# Do the same thing, but using the option name +#dhcp-option=option:router,1.2.3.4 + +# Override the default route supplied by dnsmasq and send no default +# route at all. Note that this only works for the options sent by +# default (1, 3, 6, 12, 28) the same line will send a zero-length option +# for all other option numbers. +#dhcp-option=3 + +# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 +#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 + +# Send DHCPv6 option. Note [] around IPv6 addresses. 
+#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set the NTP time server address to be the same machine as +# is running dnsmasq +#dhcp-option=42,0.0.0.0 + +# Set the NIS domain name to "welly" +#dhcp-option=40,welly + +# Set the default time-to-live to 50 +#dhcp-option=23,50 + +# Set the "all subnets are local" flag +#dhcp-option=27,1 + +# Send the etherboot magic flag and then etherboot options (a string). +#dhcp-option=128,e4:45:74:68:00:00 +#dhcp-option=129,NIC=eepro100 + +# Specify an option which will only be sent to the "red" network +# (see dhcp-range for the declaration of the "red" network) +# Note that the tag: part must precede the option: part. +#dhcp-option = tag:red, option:ntp-server, 192.168.1.1 + +# The following DHCP options set up dnsmasq in the same way as is specified +# for the ISC dhcpcd in +# http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt +# adapted for a typical dnsmasq installation where the host running +# dnsmasq is also the host running samba. +# you may want to uncomment some or all of them if you use +# Windows clients and Samba. +#dhcp-option=19,0 # option ip-forwarding off +#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s) +#dhcp-option=45,0.0.0.0 # netbios datagram distribution server +#dhcp-option=46,8 # netbios node type + +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + +# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client +# probably doesn't support this...... 
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com + +# Send RFC-3442 classless static routes (note the netmask encoding) +#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8 + +# Send vendor-class specific options encapsulated in DHCP option 43. +# The meaning of the options is defined by the vendor-class so +# options are sent only when the client supplied vendor class +# matches the class given here. (A substring match is OK, so "MSFT" +# matches "MSFT" and "MSFT 5.0"). This example sets the +# mtftp address to 0.0.0.0 for PXEClients. +#dhcp-option=vendor:PXEClient,1,0.0.0.0 + +# Send microsoft-specific option to tell windows to release the DHCP lease +# when it shuts down. Note the "i" flag, to tell dnsmasq to send the +# value as a four-byte integer - that's what microsoft wants. See +# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true +#dhcp-option=vendor:MSFT,2,1i + +# Send the Encapsulated-vendor-class ID needed by some configurations of +# Etherboot to allow is to recognise the DHCP server. +#dhcp-option=vendor:Etherboot,60,"Etherboot" + +# Send options to PXELinux. Note that we need to send the options even +# though they don't appear in the parameter request list, so we need +# to use dhcp-option-force here. +# See http://syslinux.zytor.com/pxe.php#special for details. +# Magic number - needed before anything else is recognised +#dhcp-option-force=208,f1:00:74:7e +# Configuration file name +#dhcp-option-force=209,configs/common +# Path prefix +#dhcp-option-force=210,/tftpboot/pxelinux/files/ +# Reboot time. (Note 'i' to send 32-bit value) +#dhcp-option-force=211,30i + +# Set the boot filename for netboot/PXE. You will only need +# this is you want to boot machines over the network and you will need +# a TFTP server; either dnsmasq's built in TFTP server or an +# external one. (See below for how to enable the TFTP server.) 
+#dhcp-boot=pxelinux.0 + +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + +# Boot for Etherboot gPXE. The idea is to send two different +# filenames, the first loads gPXE, and the second tells gPXE what to +# load. The dhcp-match sets the gpxe tag for requests from gPXE. +#dhcp-match=set:gpxe,175 # gPXE sends a 175 option. +#dhcp-boot=tag:!gpxe,undionly.kpxe +#dhcp-boot=mybootimage + +# Encapsulated options for Etherboot gPXE. All the options are +# encapsulated within option 175 +#dhcp-option=encap:175, 1, 5b # priority code +#dhcp-option=encap:175, 176, 1b # no-proxydhcp +#dhcp-option=encap:175, 177, string # bus-id +#dhcp-option=encap:175, 189, 1b # BIOS drive code +#dhcp-option=encap:175, 190, user # iSCSI username +#dhcp-option=encap:175, 191, pass # iSCSI password + +# Test for the architecture of a netboot client. PXE clients are +# supposed to send their architecture as option 93. (See RFC 4578) +#dhcp-match=peecees, option:client-arch, 0 #x86-32 +#dhcp-match=itanics, option:client-arch, 2 #IA64 +#dhcp-match=hammers, option:client-arch, 6 #x86-64 +#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64 + +# Do real PXE, rather than just booting a single file, this is an +# alternative to dhcp-boot. +#pxe-prompt="What system shall I netboot?" +# or with timeout before first available action is taken: +#pxe-prompt="Press F8 for menu.", 60 + +# Available boot services. for PXE. +#pxe-service=x86PC, "Boot from local disk" + +# Loads /pxelinux.0 from dnsmasq TFTP server. +#pxe-service=x86PC, "Install Linux", pxelinux + +# Loads /pxelinux.0 from TFTP server at 1.2.3.4. +# Beware this fails on old PXE ROMS. +#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4 + +# Use bootserver on network, found my multicast or broadcast. +#pxe-service=x86PC, "Install windows from RIS server", 1 + +# Use bootserver at a known IP address. 
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4 + +# If you have multicast-FTP available, +# information for that can be passed in a similar way using options 1 +# to 5. See page 19 of +# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf + + +# Enable dnsmasq's built-in TFTP server +#enable-tftp + +# Set the root directory for files available via FTP. +#tftp-root=/var/ftpd + +# Make the TFTP server more secure: with this set, only files owned by +# the user dnsmasq is running as will be send over the net. +#tftp-secure + +# This option stops dnsmasq from negotiating a larger blocksize for TFTP +# transfers. It will slow things down, but may rescue some broken TFTP +# clients. +#tftp-no-blocksize + +# Set the boot file name only when the "red" tag is set. +#dhcp-boot=tag:red,pxelinux.red-net + +# An example of dhcp-boot with an external TFTP server: the name and IP +# address of the server are given after the filename. +# Can fail with old PXE ROMS. Overridden by --pxe-service. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 + +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fasion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + +# Set the limit on DHCP leases, the default is 150 +#dhcp-lease-max=150 + +# The DHCP server needs somewhere on disk to keep its lease database. +# This defaults to a sane location, but if you want to change it, use +# the line below. +#dhcp-leasefile=/var/lib/misc/dnsmasq.leases + +# Set the DHCP server to authoritative mode. 
In this mode it will barge in +# and take over the lease for any client which broadcasts on the network, +# whether it has a record of the lease or not. This avoids long timeouts +# when a machine wakes up on a new network. DO NOT enable this if there's +# the slightest chance that you might end up accidentally configuring a DHCP +# server for your campus/company accidentally. The ISC server uses +# the same option, and this URL provides more information: +# http://www.isc.org/files/auth.html +#dhcp-authoritative + +# Run an executable when a DHCP lease is created or destroyed. +# The arguments sent to the script are "add" or "del", +# then the MAC address, the IP address and finally the hostname +# if there is one. +#dhcp-script=/bin/echo + +# Set the cachesize here. +#cache-size=150 + +# If you want to disable negative caching, uncomment this. +#no-negcache + +# Normally responses which come from /etc/hosts and the DHCP lease +# file have Time-To-Live set as zero, which conventionally means +# do not cache further. If you are happy to trade lower load on the +# server for potentially stale date, you can set a time-to-live (in +# seconds) here. +#local-ttl= + +# If you want dnsmasq to detect attempts by Verisign to send queries +# to unregistered .com and .net hosts to its sitefinder service and +# have dnsmasq instead return the correct NXDOMAIN response, uncomment +# this line. You can add similar lines to do the same for other +# registries which have implemented wildcard A records. +#bogus-nxdomain=64.94.110.11 + +# If you want to fix up DNS results from upstream servers, use the +# alias option. This only works for IPv4. 
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8 +#alias=1.2.3.4,5.6.7.8 +# and this maps 1.2.3.x to 5.6.7.x +#alias=1.2.3.0,5.6.7.0,255.255.255.0 +# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40 +#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0 + +# Change these lines if you want dnsmasq to serve MX records. + +# Return an MX record named "maildomain.com" with target +# servermachine.com and preference 50 +#mx-host=maildomain.com,servermachine.com,50 + +# Set the default target for MX records created using the localmx option. +#mx-target=servermachine.com + +# Return an MX record pointing to the mx-target for all local +# machines. +#localmx + +# Return an MX record pointing to itself for all local machines. +#selfmx + +# Change the following lines if you want dnsmasq to serve SRV +# records. These are useful if you want to serve ldap requests for +# Active Directory and other windows-originated DNS requests. +# See RFC 2782. +# You may add multiple srv-host lines. +# The fields are ,,,, +# If the domain part if missing from the name (so that is just has the +# service and protocol sections) then the domain given by the domain= +# config option is used. (Note that expand-hosts does not need to be +# set for this to work.) 
+ +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389 + +# A SRV record sending LDAP for the example.com domain to +# ldapserver.example.com port 389 (using domain=) +#domain=example.com +#srv-host=_ldap._tcp,ldapserver.example.com,389 + +# Two SRV records for LDAP, each with different priorities +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1 +#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2 + +# A SRV record indicating that there is no LDAP server for the domain +# example.com +#srv-host=_ldap._tcp.example.com + +# The following line shows how to make dnsmasq serve an arbitrary PTR +# record. This is useful for DNS-SD. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for PTR records.) +#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services" + +# Change the following lines to enable dnsmasq to serve TXT records. +# These are used for things like SPF and zeroconf. (Note that the +# domain-name expansion done for SRV records _does_not +# occur for TXT records.) + +#Example SPF. +#txt-record=example.com,"v=spf1 a -all" + +#Example zeroconf +#txt-record=_http._tcp.example.com,name=value,paper=A4 + +# Provide an alias for a "local" DNS name. Note that this _only_ works +# for targets which are names from DHCP or /etc/hosts. Give host +# "bert" another name, bertrand +#cname=bertand,bert + +# For debugging purposes, log each DNS query as it passes through +# dnsmasq. +#log-queries + +# Log lots of extra information about DHCP transactions. +#log-dhcp + +# Include another lot of configuration options. +#conf-file=/etc/dnsmasq.more.conf +#conf-dir=/etc/dnsmasq.d diff --git a/srv/salt/provision/dnsmasq-cache/files/etc_default_dnsmasq b/srv/salt/provision/dnsmasq-cache/files/etc_default_dnsmasq new file mode 100644 index 0000000..1c93c96 --- /dev/null 
+++ b/srv/salt/provision/dnsmasq-cache/files/etc_default_dnsmasq
@@ -0,0 +1,33 @@
+# This file has five functions:
+# 1) to completely disable starting dnsmasq,
+# 2) to set DOMAIN_SUFFIX by running `dnsdomainname`
+# 3) to select an alternative config file
+# by setting DNSMASQ_OPTS to --conf-file=
+# 4) to tell dnsmasq to read the files in /etc/dnsmasq.d for
+# more configuration variables.
+# 5) to stop the resolvconf package from controlling dnsmasq's
+# idea of which upstream nameservers to use.
+# For upgraders from very old versions, all the shell variables set
+# here in previous versions are still honored by the init script
+# so if you just keep your old version of this file nothing will break.
+
+#DOMAIN_SUFFIX=`dnsdomainname`
+#DNSMASQ_OPTS="--conf-file=/etc/dnsmasq.alt"
+
+# Whether or not to run the dnsmasq daemon; set to 0 to disable.
+ENABLED=1
+
+# By default search this drop directory for configuration options.
+# Libvirt leaves a file here to make the system dnsmasq play nice.
+# Comment out this line if you don't want this. The dpkg-* are file
+# endings which cause dnsmasq to skip that file. This avoids pulling
+# in backups made by dpkg.
+CONFIG_DIR=/etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new
+
+# If the resolvconf package is installed, dnsmasq will use its output
+# rather than the contents of /etc/resolv.conf to find upstream
+# nameservers. Uncommenting this line inhibits this behaviour.
+# Not that including a "resolv-file=" line in
+# /etc/dnsmasq.conf is not enough to override resolvconf if it is
+# installed: the line below must be uncommented.
+IGNORE_RESOLVCONF=yes
diff --git a/srv/salt/provision/dnsmasq-cache/init.sls b/srv/salt/provision/dnsmasq-cache/init.sls
new file mode 100644
index 0000000..518f510
--- /dev/null
+++ b/srv/salt/provision/dnsmasq-cache/init.sls
@@ -0,0 +1,40 @@
+dnsmasq:
+ pkg:
+ - installed
+ service:
+ - running
+
+
+/etc/dnsmasq.conf:
+ file.managed:
+ - source: salt://dnsmasq-cache/files/dnsmasq.conf
+ - template: jinja
+ - watch_in:
+ - service: dnsmasq
+ - require:
+ - pkg: dnsmasq
+
+
+/etc/dnsmasq.d/00_main.conf:
+ file.managed:
+ - source: salt://dnsmasq-cache/files/00_main.conf
+ - template: jinja
+ - watch_in:
+ - service: dnsmasq
+ - require:
+ - file: /etc/dnsmasq.conf
+ - context:
+ main_settings: {{ salt['pillar.get']('dnsmasq_cache:main', []) }}
+
+
+/etc/default/dnsmasq:
+ file.managed:
+ - source: salt://dnsmasq-cache/files/etc_default_dnsmasq
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+ - watch_in:
+ - service: dnsmasq
+ - require:
+ - file: /etc/dnsmasq.conf
diff --git a/srv/salt/provision/hosts-block/README.rst b/srv/salt/provision/hosts-block/README.rst
new file mode 100644
index 0000000..170e316
--- /dev/null
+++ b/srv/salt/provision/hosts-block/README.rst
@@ -0,0 +1,8 @@
+hosts-block
+===========
+
+These states, accompanied with pillar data, assist in ensuring
+relatively consistent hosts files.
+
+Note that when a host is listed for two different ip addresses,
+the entry that is higher up in the file wins.
diff --git a/srv/salt/provision/hosts-block/files/hosts b/srv/salt/provision/hosts-block/files/hosts
new file mode 100644
index 0000000..44fb1e3
--- /dev/null
+++ b/srv/salt/provision/hosts-block/files/hosts
@@ -0,0 +1,6 @@
+127.0.0.1 localhost.localdomain localhost
+127.0.1.1 {{ grains['fqdn'] }} {{ grains['host'] }}
+
+# Begin hosts-block-managed entries -- DO NOT EDIT THIS SECTION
+
+# End hosts-block-managed entries
diff --git a/srv/salt/provision/hosts-block/init.sls b/srv/salt/provision/hosts-block/init.sls
new file mode 100644
index 0000000..583ef5b
--- /dev/null
+++ b/srv/salt/provision/hosts-block/init.sls
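Review bot: `/etc/dnsmasq.conf` and `/etc/dnsmasq.d/00_main.conf` are managed without ownership or mode, while `/etc/default/dnsmasq` in the same file sets `- user: root`, `- group: root`, `- mode: 644`; apply the same three lines to the first two states so the resolver configuration's permissions do not depend on whatever the package or a previous run left behind. The `dnsmasq` service is `running` but not `enable: True`, unlike the iptables-persistent, postfix and rsyslog services elsewhere in this commit, so the cache may not come back after a reboot. The `main_settings:` context value is interpolated as a Python repr; Salt's `yaml` filter (`{{ salt['pillar.get']('dnsmasq_cache:main', []) | yaml }}`) produces well-formed YAML for nested pillar data, and the same applies to the `settings:` context values in limits/init.sls.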
@@ -0,0 +1,42 @@
+{% if salt['pillar.get']('hosts_block', False) %}
+{# Only run these states if necessary pillar data exists #}
+
+/etc/hosts:
+ file.managed:
+ - source: salt://hosts-block/files/hosts
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+
+/etc/hosts_blockreplace:
+ file.blockreplace:
+ - name: /etc/hosts
+ - append_if_not_found: True
+ - show_changes: True
+ - marker_start: "# Begin hosts-block-managed entries -- DO NOT EDIT THIS SECTION"
+ - marker_end: "# End hosts-block-managed entries"
+
+hosts_file_{{ grains['host'] }}_accumulated:
+ file.accumulated:
+ - filename: /etc/hosts
+ - text: |
+
+{%- for subsection in salt['pillar.get']('hosts_block', []) %}
+ {%- for header, entries in subsection.iteritems() %}
+
+ # {{ header }}
+ {%- for entry in entries %}
+ {%- for ip, names in entry.iteritems() -%}
+ {%- if names|length > 0 %}
+ {{ ip }}{% for host in names %} {{ host }}{% endfor %}
+ {%- endif -%}
+ {%- endfor -%}
+ {% endfor -%}
+ {% endfor %}
+{% endfor %}
+ - require_in:
+ - file: /etc/hosts_blockreplace
+
+
+{% endif %}
diff --git a/srv/salt/provision/iptables-persistent/README.rst b/srv/salt/provision/iptables-persistent/README.rst
new file mode 100644
index 0000000..5825e60
--- /dev/null
+++ b/srv/salt/provision/iptables-persistent/README.rst
@@ -0,0 +1,19 @@
+iptables-persistent
+===================
+
+Installs iptables-persistent and applies basic tuning. Custom rule management
+is not handled by these states.
+
+iptables-persistent states will only be applied if the iptables_enabled
+grain is set to True:
+
+ salt-call grains.setval iptables_enabled True
+
+To prevent these states from being applied:
+
+ salt-call grains.setval iptables_enabled False
+
+To fully remove the grain (generally unnecessary):
+
+ salt-call grains.delval iptables_enabled destructive=True
+
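Review bot: `subsection.iteritems()` and `entry.iteritems()` are Python 2 only; on a Python 3 minion the template render fails with an attribute error before any state runs. `.items()` behaves the same under both, so `{%- for header, entries in subsection.items() %}` and `{%- for ip, names in entry.items() -%}`; the same call appears in limits/files/limits.conf, limits/files/limits_d.conf, limits/init.sls and sysctl/init.sls. Separately, `/etc/hosts` is rewritten from the template by `file.managed` (empty managed section) and then refilled by `file.blockreplace` on every highstate, so each run reports two changes on the file; it converges, but shows up as drift in change reports.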
diff --git a/srv/salt/provision/iptables-persistent/files/iptables.conf b/srv/salt/provision/iptables-persistent/files/iptables.conf
new file mode 100644
index 0000000..285c3fb
--- /dev/null
+++ b/srv/salt/provision/iptables-persistent/files/iptables.conf
@@ -0,0 +1,3 @@
+# This file is managed by salt
+
+options nf_conntrack hashsize={{ nf_conntrack_hashsize }}
diff --git a/srv/salt/provision/iptables-persistent/files/rules.v4 b/srv/salt/provision/iptables-persistent/files/rules.v4
new file mode 100644
index 0000000..f5a7844
--- /dev/null
+++ b/srv/salt/provision/iptables-persistent/files/rules.v4
@@ -0,0 +1,22 @@
+*mangle
+:PREROUTING ACCEPT [2103:416284]
+:INPUT ACCEPT [2101:416122]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [2103:114189]
+:POSTROUTING ACCEPT [2103:114189]
+COMMIT
+# Completed on Wed Dec 9 00:55:10 2015
+# Generated by iptables-save v1.4.21 on Wed Dec 9 00:55:10 2015
+*nat
+:PREROUTING ACCEPT [2:162]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [1189:76540]
+:POSTROUTING ACCEPT [1189:76540]
+COMMIT
+# Completed on Wed Dec 9 00:55:10 2015
+# Generated by iptables-save v1.4.21 on Wed Dec 9 00:55:10 2015
+*filter
+:INPUT ACCEPT [2101:416122]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [2103:114189]
+COMMIT
diff --git a/srv/salt/provision/iptables-persistent/init.sls b/srv/salt/provision/iptables-persistent/init.sls
new file mode 100644
index 0000000..ee6a907
--- /dev/null
+++ b/srv/salt/provision/iptables-persistent/init.sls
@@ -0,0 +1,29 @@
+{% if 'iptables_enabled' in grains and grains['iptables_enabled'] %}
+
+iptables-persistent:
+ pkg:
+ - installed
+ service:
+ - running
+ - enable: True
+ - require:
+ - pkg: iptables-persistent
+ - watch:
+ - file: /etc/iptables/rules.v4
+
+/etc/iptables/rules.v4:
+ file.managed:
+ - source: salt://iptables-persistent/files/rules.v4
+ - template: jinja
+ - user: root
+ - group: root
+ - mode: 644
+ - require:
+ - pkg: iptables-persistent
+
+include:
+ - iptables-persistent/tuning
+
+
+{% endif %}
+
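Review bot: rules.v4 installs a ruleset in which every chain policy is ACCEPT and no rules are present, so once iptables-persistent loads it the host filters nothing; the README says rule management is out of scope, but the file itself should state that, e.g. `# Baseline only: all policies ACCEPT, no filtering rules. Site rules are managed elsewhere.` after the `*filter` line. The packet/byte counters carried over from iptables-save (`[2103:416284]` and the others) are a snapshot of one machine's traffic and are not restored by iptables-restore without `-c`; zeroing them to `[0:0]` avoids implying the template reflects live state. The `# Completed on` / `# Generated by` timestamp lines are likewise leftovers from the capture and add nothing to a managed template.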
diff --git a/srv/salt/provision/iptables-persistent/tuning.sls b/srv/salt/provision/iptables-persistent/tuning.sls
new file mode 100644
index 0000000..e845ef7
--- /dev/null
+++ b/srv/salt/provision/iptables-persistent/tuning.sls
@@ -0,0 +1,61 @@
+{# Could move this to pillar and a for loop, but there are only a few settings
+ and keeping this as simple as possible for now. This state file
+ should not be called directly, it is included by init.sls
+#}
+
+{% set nf_conntrack_hashsize = 24576 %}
+
+{# Only active after a reboot #}
+/etc/modprobe.d/iptables.conf:
+ file.managed:
+ - source: salt://iptables-persistent/files/iptables.conf
+ - template: jinja
+ - context:
+ nf_conntrack_hashsize: {{ nf_conntrack_hashsize }}
+ - user: root
+ - group: root
+ - mode: 644
+ - watch_in:
+ - service: iptables-persistent
+
+{# Set dynamically #}
+"echo {{ nf_conntrack_hashsize }} > /sys/module/nf_conntrack/parameters/hashsize":
+ cmd.wait:
+ - watch:
+ - file: /etc/modprobe.d/iptables.conf
+
+net.netfilter.nf_conntrack_max:
+ sysctl.present:
+ - value: 2359296
+ - require:
+ - service: iptables-persistent
+
+net.netfilter.nf_conntrack_tcp_timeout_time_wait:
+ sysctl.present:
+ - value: 30
+ - require:
+ - service: iptables-persistent
+
+net.netfilter.nf_conntrack_generic_timeout:
+ sysctl.present:
+ - value: 120
+ - require:
+ - service: iptables-persistent
+
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait:
+ sysctl.present:
+ - value: 15
+ - require:
+ - service: iptables-persistent
+
+net.netfilter.nf_conntrack_tcp_timeout_close_wait:
+ sysctl.present:
+ - value: 15
+ - require:
+ - service: iptables-persistent
+
+net.netfilter.nf_conntrack_tcp_timeout_established:
+ sysctl.present:
+ - value: 86400
+ - require:
+ - service: iptables-persistent
diff --git a/srv/salt/provision/kernel-install/README.rst b/srv/salt/provision/kernel-install/README.rst
new file mode 100644
index 0000000..55ceaa6
--- /dev/null
+++ b/srv/salt/provision/kernel-install/README.rst
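Review bot: The `cmd.wait` state shells out to `echo ... > /sys/module/nf_conntrack/parameters/hashsize`, which exits non-zero and fails the state whenever the nf_conntrack module is not loaded yet, because the sysfs path does not exist; guard it with `- onlyif: test -w /sys/module/nf_conntrack/parameters/hashsize`. `nf_conntrack_max` is hard-coded to 2359296, which is exactly 96 × the `nf_conntrack_hashsize` set at the top of the file; expressing it as `- value: {{ nf_conntrack_hashsize * 96 }}` keeps the two coupled when someone changes the hash size. The `require: - service: iptables-persistent` entries refer to a state defined in init.sls, consistent with the header comment that this file is only ever included from there.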
@@ -0,0 +1,13 @@
+kernel-install
+==============
+
+Not included in the top.sls by default, but allows for installation of
+a specific kernel and setting it as the default for subsequent reboots.
+
+To select the kernel version, a 'kernel_version' grain must be set on a
+per-minion basis. For example:
+
+salt-call grains.setval kernel_version 3.13.0-43-generic
+
+Note that both the init.sls and kernel_debug.sls state files allow for a
+default kernel version to be set, which will be used if the grain is not set.
diff --git a/srv/salt/provision/kernel-install/debug_kernel.sls b/srv/salt/provision/kernel-install/debug_kernel.sls
new file mode 100644
index 0000000..5c0ee07
--- /dev/null
+++ b/srv/salt/provision/kernel-install/debug_kernel.sls
@@ -0,0 +1,12 @@
+{# Install a debug kernel, generally into /usr/lib/debug/boot/ #}
+{% set default_kernel_version = '3.13.0-52-generic-dbgsym' %}
+
+{% set kernel_version = grains['kernel_version']|default(default_kernel_version) %}
+
+
+linux_kernel:
+ pkg.installed:
+ - pkgs:
+ - linux-image-{{ kernel_version }}
+ - hold: False
+
diff --git a/srv/salt/provision/kernel-install/files/99_overrides.cfg b/srv/salt/provision/kernel-install/files/99_overrides.cfg
new file mode 100644
index 0000000..397b448
--- /dev/null
+++ b/srv/salt/provision/kernel-install/files/99_overrides.cfg
@@ -0,0 +1 @@
+GRUB_DEFAULT="Advanced options for Ubuntu>Ubuntu, with Linux {{ kernel_version }}"
diff --git a/srv/salt/provision/kernel-install/init.sls b/srv/salt/provision/kernel-install/init.sls
new file mode 100644
index 0000000..fb21302
--- /dev/null
+++ b/srv/salt/provision/kernel-install/init.sls
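Review bot: debug_kernel.sls falls back to `'3.13.0-52-generic-dbgsym'`, but when the `kernel_version` grain is set the way the README documents (`3.13.0-43-generic`) the state installs `linux-image-3.13.0-43-generic`, the regular kernel rather than the debug-symbols package. Put the suffix in the package name instead of the default: `{% set default_kernel_version = '3.13.0-52-generic' %}` and `- linux-image-{{ kernel_version }}-dbgsym`, so the grain selects the matching dbgsym package. The README refers to this file as kernel_debug.sls while the file added is debug_kernel.sls.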
@@ -0,0 +1,46 @@
+{% set default_kernel_version = '3.13.0-71-generic' %}
+
+{% set kernel_version = grains['kernel_version']|default(default_kernel_version) %}
+
+/etc/default/grub.d/50-cloudimg-settings.cfg:
+ file.absent:
+ - require_in:
+ - cmd: update_grub
+
+linux_kernel:
+ pkg.installed:
+ - pkgs:
+ - linux-image-{{ kernel_version }}
+ - linux-image-extra-{{ kernel_version }}
+ - linux-headers-{{ kernel_version }}
+ - hold: True
+
+
+override_file:
+ file.managed:
+ - name: /etc/default/grub.d/99_overrides.cfg
+ - source: salt://kernel-install/files/99_overrides.cfg
+ - template: jinja
+ - require:
+ - pkg: linux_kernel
+ - context:
+ kernel_version: {{ kernel_version }}
+ - makedirs: True
+ - dir_mode: 755
+
+
+update_grub:
+ cmd.run:
+ - name: /usr/sbin/update-grub
+ - watch:
+ - file: override_file
+
+
+{# Remove the override file after update-grub is run so future upgrades will select
+ the proper kernel automatically in the grub.cfg #}
+remove_overrides:
+ file.absent:
+ - name: /etc/default/grub.d/99_overrides.cfg
+ - require:
+ - cmd: update_grub
+
diff --git a/srv/salt/provision/limits/README.rst b/srv/salt/provision/limits/README.rst
new file mode 100644
index 0000000..6eb8fcb
--- /dev/null
+++ b/srv/salt/provision/limits/README.rst
@@ -0,0 +1,12 @@
+limits
+======
+
+The limits formula is capable of maintaining both the limits.conf file and
+limits.d/\*.conf files. This is all handled in init.sls, but it could quite
+easily be split up into separate states if desired. Currently at provision
+time, it is only maintaining low-step-numbered limits.d files.
+
+For any customizations, the pillar data must be modified.
+
+Note that no clean-up occurs, so if a step section is removed from the pillar
+data after a run, a subsequent run will not remove the step file.
diff --git a/srv/salt/provision/limits/files/limits.conf b/srv/salt/provision/limits/files/limits.conf
new file mode 100644
index 0000000..6017696
--- /dev/null
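Review bot: `- hold: True` pins the three kernel packages so apt, including unattended upgrades, will not replace them, which means kernel security fixes stop arriving until `kernel_version` is bumped and the state re-run; that is presumably intended, but it should be written down next to the flag, e.g. `# hold keeps apt from replacing this kernel; kernel security updates require bumping kernel_version and re-running`. Because `remove_overrides` deletes `99_overrides.cfg` after every run, `override_file` recreates it on the next highstate, which re-triggers `update_grub` through its `watch`, so GRUB is regenerated and the file churns on every run rather than only when the kernel changes. The `file.absent` on `50-cloudimg-settings.cfg` also discards the cloud image's GRUB settings; a one-line comment on why that file is removed would help whoever debugs a missing serial console later.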
+++ b/srv/salt/provision/limits/files/limits.conf 
@@ -0,0 +1,68 @@ +# This file is managed by salt. Manual changes risk being overwritten. +# +# /etc/security/limits.conf +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# - NOTE: group and wildcard limits are not applied to root. +# To apply a limit to the root user, must be +# the literal username root. +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open files +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# - chroot - change root to directory (Debian-specific) +# +# +# + +#* soft core 0 +#root hard core 100000 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard nproc 50 +#ftp hard nproc 0 +#ftp - chroot /ftp +#@student - maxlogins 4 + +{% if settings -%} + {% for domain in settings -%} + {% for name, parameters in domain.iteritems() %} + {% for parameter_set in parameters %} +{{ name }} {{ parameter_set['type'] }} {{ parameter_set['item'] }} {{ parameter_set['value'] }} + {%- endfor %} + 
{%- endfor -%} + {% endfor %} +{% endif %} +# End of file + diff --git a/srv/salt/provision/limits/files/limits_d.conf b/srv/salt/provision/limits/files/limits_d.conf new file mode 100644 index 0000000..ac18fd6 --- /dev/null +++ b/srv/salt/provision/limits/files/limits_d.conf @@ -0,0 +1,12 @@ +# This file is managed by salt. Manual changes risk being overwritten. +# +{% if settings -%} + {% for domain in settings -%} + {% for name, parameters in domain.iteritems() %} + {% for parameter_set in parameters %} +{{ name }} {{ parameter_set['type'] }} {{ parameter_set['item'] }} {{ parameter_set['value'] }} + {%- endfor %} + {%- endfor -%} + {% endfor %} +{% endif %} + diff --git a/srv/salt/provision/limits/init.sls b/srv/salt/provision/limits/init.sls new file mode 100644 index 0000000..3cd065d --- /dev/null +++ b/srv/salt/provision/limits/init.sls @@ -0,0 +1,25 @@ +{% from "limits/map.jinja" import limits with context %} + +{{ limits.limits_conf }}: + file.managed: + - source: {{ limits.limits_conf_src }} + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + settings: {{ salt['pillar.get']('limits:conf') }} + +{% for limits_d_step in salt['pillar.get']('limits:d') %} + {% for step_name, settings in limits_d_step.iteritems() %} +{{ limits.limits_d }}{{ step_name }}.conf: + file.managed: + - source: {{ limits.limits_d_conf_src }} + - user: root + - group: root + - mode: 644 + - template: jinja + - context: + settings: {{ settings }} + {% endfor %} +{% endfor %} diff --git a/srv/salt/provision/limits/map.jinja b/srv/salt/provision/limits/map.jinja new file mode 100644 index 0000000..432053a --- /dev/null +++ b/srv/salt/provision/limits/map.jinja @@ -0,0 +1,8 @@ +{% set limits = salt['grains.filter_by']({ + 'Debian': { + 'limits_conf': '/etc/security/limits.conf', + 'limits_d': '/etc/security/limits.d/', + 'limits_conf_src': 'salt://limits/files/limits.conf', + 'limits_d_conf_src': 'salt://limits/files/limits_d.conf', + }, +}) %} 
diff --git a/srv/salt/provision/motd/10-help-text b/srv/salt/provision/motd/10-help-text
new file mode 100755
index 0000000..219c6a8
--- /dev/null
+++ b/srv/salt/provision/motd/10-help-text
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+echo "
+==============================================================================
+| Insert legalese here... |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
+==============================================================================
+"
diff --git a/srv/salt/provision/motd/files/10-help-text b/srv/salt/provision/motd/files/10-help-text
new file mode 100755
index 0000000..219c6a8
--- /dev/null
+++ b/srv/salt/provision/motd/files/10-help-text
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+echo "
+==============================================================================
+| Insert legalese here... |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
+| |
+==============================================================================
+"
diff --git a/srv/salt/provision/motd/init.sls b/srv/salt/provision/motd/init.sls
new file mode 100644
index 0000000..912c180
--- /dev/null
+++ b/srv/salt/provision/motd/init.sls
@@ -0,0 +1,6 @@
+motd:
+ file.managed:
+ {% if grains['os_family'] == 'Debian' %}
+ - name: /etc/update-motd.d/10-help-text
+ - source: salt://motd/files/10-help-text
+ {% endif %}
diff --git a/srv/salt/provision/postfix/README.rst b/srv/salt/provision/postfix/README.rst
new file mode 100644
index 0000000..ef9d854
--- /dev/null
+++ b/srv/salt/provision/postfix/README.rst
@@ -0,0 +1,5 @@
+postfix
+=======
+
+A very basic postfix setup that uses 'smtp' (must be resolvable) as its relay host.
+Edit files/main.cf to customize, or consider moving some settings to pillar.
diff --git a/srv/salt/provision/postfix/files/main.cf b/srv/salt/provision/postfix/files/main.cf
new file mode 100644
index 0000000..060f1e1
--- /dev/null
+++ b/srv/salt/provision/postfix/files/main.cf
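Review bot: In motd/init.sls, when `grains['os_family']` is not `Debian` the Jinja guard strips both `name` and `source`, leaving `motd: file.managed:` with no arguments, which fails because the id `motd` is not an absolute path; wrap the whole state instead, `{% if grains['os_family'] == 'Debian' %}` before `motd:` and `{% endif %}` after the last argument. Scripts in /etc/update-motd.d are executed as root at login and must be executable, so add `- mode: 755` rather than relying on the mode of whatever file already exists. `srv/salt/provision/motd/10-help-text` and `srv/salt/provision/motd/files/10-help-text` are byte-identical (same blob 219c6a8) and only the `files/` copy is referenced by the state, so the other appears to be a stray copy.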
@@ -0,0 +1,41 @@
+# This file is managed by salt, local modification may be overwritten.
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+#smtpd_use_tls=yes
+#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = {{ grains['fqdn'] }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = /etc/mailname
+mydestination = {{ grains['fqdn'] }}, localhost
+relayhost = smtp
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = localhost
diff --git a/srv/salt/provision/postfix/files/master.cf b/srv/salt/provision/postfix/files/master.cf
new file mode 100644
index 0000000..94ae4f4
--- /dev/null
+++ b/srv/salt/provision/postfix/files/master.cf
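Review bot: `relayhost = smtp` is used with the whole `# TLS parameters` block commented out and no `smtp_tls_security_level` set, so every message this host submits travels to the relay in cleartext; `smtp_tls_security_level = may` encrypts opportunistically when the relay offers STARTTLS, and `encrypt` together with `smtp_tls_CAfile` is the setting to use once the relay is known to support it. `relayhost = smtp` is an unqualified name, so where mail actually goes depends on the resolver's search domain (the dnsmasq-cache states in this commit); that dependency is worth a comment above the line. `inet_interfaces = localhost` keeps smtpd off the network, which limits the exposure of the `$mail_name (Ubuntu)` banner, and a short comment stating that the listener is intentionally local-only would make the posture explicit.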
@@ -0,0 +1,125 @@ +# This file is managed by salt, local modification may be overwritten. +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master" or +# on-line: http://www.postfix.org/master.5.html). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd +#smtp inet n - - - 1 postscreen +#smtpd pass - - - - - smtpd +#dnsblog unix - - - - 0 dnsblog +#tlsproxy unix - - - - 0 tlsproxy +#submission inet n - - - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - - - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_reject_unlisted_recipient=no +# -o smtpd_client_restrictions=$mua_client_restrictions +# -o smtpd_helo_restrictions=$mua_helo_restrictions +# -o smtpd_sender_restrictions=$mua_sender_restrictions +# -o smtpd_recipient_restrictions= +# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup unix n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr unix n - n 300 1 qmgr +#qmgr unix n - n 300 1 oqmgr +tlsmgr unix - - - 1000? 
1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +relay unix - - - - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. 
+# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + diff --git a/srv/salt/provision/postfix/init.sls b/srv/salt/provision/postfix/init.sls new file mode 100644 index 0000000..512770f --- /dev/null +++ b/srv/salt/provision/postfix/init.sls 
@@ -0,0 +1,28 @@
+{% from "postfix/map.jinja" import postfix with context %}
+
+{{ postfix.package_name }}:
+ pkg:
+ - installed
+ service.running:
+ - enable: True
+ - require:
+ - pkg: {{ postfix.package_name }}
+ - watch:
+ - file: {{ postfix.postfix_conf_dir }}*
+
+
+{{ postfix.postfix_conf_dir }}main.cf:
+ file.managed:
+ - source: 'salt://postfix/files/main.cf'
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+
+{{ postfix.postfix_conf_dir }}master.cf:
+ file.managed:
+ - source: 'salt://postfix/files/master.cf'
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
diff --git a/srv/salt/provision/postfix/map.jinja b/srv/salt/provision/postfix/map.jinja
new file mode 100644
index 0000000..9817da0
--- /dev/null
+++ b/srv/salt/provision/postfix/map.jinja
@@ -0,0 +1,6 @@
+{% set postfix = salt['grains.filter_by']({
+ 'Debian': {
+ 'package_name': 'postfix',
+ 'postfix_conf_dir': '/etc/postfix/',
+ },
+}) %}
diff --git a/srv/salt/provision/provision-final/README.rst b/srv/salt/provision/provision-final/README.rst
new file mode 100644
index 0000000..e7fc94b
--- /dev/null
+++ b/srv/salt/provision/provision-final/README.rst
@@ -0,0 +1,2 @@
+A simple state that writes /root/.alkali_provisioned.txt
+to indicate that a full provision highstate has been run.
diff --git a/srv/salt/provision/provision-final/files/alkali_provisioned.txt b/srv/salt/provision/provision-final/files/alkali_provisioned.txt
new file mode 100644
index 0000000..3696930
--- /dev/null
+++ b/srv/salt/provision/provision-final/files/alkali_provisioned.txt
@@ -0,0 +1,2 @@
+A provision highstate has been run. The provision-final
+state generated this file on {{ datetime }}.
diff --git a/srv/salt/provision/provision-final/init.sls b/srv/salt/provision/provision-final/init.sls
new file mode 100644
index 0000000..d12aa00
--- /dev/null
+++ b/srv/salt/provision/provision-final/init.sls
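Review bot: The `file.managed` states for main.cf and master.cf carry no `require: - pkg: {{ postfix.package_name }}`, so they are ordered before the package only by their position in the file; if the order is ever changed, `/etc/postfix/` may not exist when the file is written and the state fails. dnsmasq-cache/init.sls already uses an explicit `- require: - pkg: ...` on its configuration files, and rsyslog-client/init.sls has the same gap as this file. The service's `watch` on `{{ postfix.postfix_conf_dir }}*` does cover both files, so reloads on change are already handled.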
@@ -0,0 +1,10 @@
+{% set datetime = salt['cmd.run']('date') %}
+/root/.alkali_provisioned.txt:
+ file.managed:
+ - source: salt://provision-final/files/alkali_provisioned.txt
+ - user: root
+ - group: root
+ - mode: 444
+ - template: jinja
+ - context:
+ 'datetime': {{ datetime }}
diff --git a/srv/salt/provision/rsyslog-client/README.rst b/srv/salt/provision/rsyslog-client/README.rst
new file mode 100644
index 0000000..942996d
--- /dev/null
+++ b/srv/salt/provision/rsyslog-client/README.rst
@@ -0,0 +1,7 @@
+rsyslog
+=======
+
+The rsyslog states perform basic client configuration and send log
+data to a remote server, which should be resolvable as "logger".
+The centralized syslog server to send to may be name differently by
+editing files/99-remote.conf and changing the Target setting.
diff --git a/srv/salt/provision/rsyslog-client/files/99-RepeatedMsgReduction.conf b/srv/salt/provision/rsyslog-client/files/99-RepeatedMsgReduction.conf
new file mode 100644
index 0000000..7872ee9
--- /dev/null
+++ b/srv/salt/provision/rsyslog-client/files/99-RepeatedMsgReduction.conf
@@ -0,0 +1,2 @@
+# Don't filter duplicated messages
+$RepeatedMsgReduction off
diff --git a/srv/salt/provision/rsyslog-client/files/99-remote.conf b/srv/salt/provision/rsyslog-client/files/99-remote.conf
new file mode 100644
index 0000000..371b6ab
--- /dev/null
+++ b/srv/salt/provision/rsyslog-client/files/99-remote.conf
@@ -0,0 +1,6 @@
+if $inputname != "imudp" then {
+ action(type="omfwd"
+ Target="logger"
+ Port="514"
+ Protocol="udp")
+}
diff --git a/srv/salt/provision/rsyslog-client/init.sls b/srv/salt/provision/rsyslog-client/init.sls
new file mode 100644
index 0000000..d4a0ac3
--- /dev/null
+++ b/srv/salt/provision/rsyslog-client/init.sls
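Review bot: The marker file is written whenever this state runs, with no `require` on the states it is meant to attest, so `/root/.alkali_provisioned.txt` records that a highstate ran, not that provisioning completed successfully; either say so in the README and in the file text, or make the state depend on the critical ones (`- order: last` alone does not add that guarantee). `salt['cmd.run']('date')` spawns a shell at render time for a timestamp, and its output is interpolated unquoted into YAML; quoting it, `'datetime': "{{ datetime }}"`, keeps the context value a string whatever `date` prints. Since the timestamp differs on every run, `file.managed` will also report a change on every highstate.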
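Review bot: Forwarding to `Target="logger"` with `Protocol="udp"` provides no delivery guarantee, no integrity and no confidentiality for the log stream, and `logger` is an unqualified name resolved through the search domain; that may be an acceptable trade-off on a trusted LAN, but it belongs in a comment at the top of the file, e.g. `# Plaintext UDP to "logger" (search-domain resolved); use Protocol="tcp" with TLS if logs cross an untrusted network`. The `if $inputname != "imudp"` guard keeps messages this host receives over UDP from being re-forwarded; a one-line comment stating that purpose would help the next reader.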
@@ -0,0 +1,30 @@
+{% from "rsyslog-client/map.jinja" import rsyslog with context %}
+
+{{ rsyslog.package_name }}:
+ pkg:
+ - installed
+ service:
+ - running
+ - enable: True
+ - require:
+ - pkg: {{ rsyslog.package_name }}
+ - watch:
+ - file: {{ rsyslog.rsyslog_d }}*
+
+{{ rsyslog.rsyslog_d }}99-remote.conf:
+ file.managed:
+ - source: 'salt://rsyslog-client/files/99-remote.conf'
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+
+{# This limits out-of-order messages #}
+{{ rsyslog.rsyslog_d }}99-RepeatedMsgReduction.conf:
+ file.managed:
+ - source: 'salt://rsyslog-client/files/99-RepeatedMsgReduction.conf'
+ - user: root
+ - group: root
+ - mode: 644
+ - template: jinja
+
diff --git a/srv/salt/provision/rsyslog-client/map.jinja b/srv/salt/provision/rsyslog-client/map.jinja
new file mode 100644
index 0000000..d74911e
--- /dev/null
+++ b/srv/salt/provision/rsyslog-client/map.jinja
@@ -0,0 +1,6 @@
+{% set rsyslog = salt['grains.filter_by']({
+ 'Debian': {
+ 'package_name': 'rsyslog',
+ 'rsyslog_d': '/etc/rsyslog.d/',
+ },
+}) %}
diff --git a/srv/salt/provision/sysctl/README.rst b/srv/salt/provision/sysctl/README.rst
new file mode 100644
index 0000000..91b37f8
--- /dev/null
+++ b/srv/salt/provision/sysctl/README.rst
@@ -0,0 +1,18 @@
+sysctl
+======
+
+Set and apply sysctl.conf settings. The default pillar
+used by this state file contains defaults for all systems,
+as well as targeted_defaults which have a few obvious
+example settings for systems running services like mongo,
+but the targeted settings are only applied if a
+function_class grain is properly set.
+
+For example, setting function_class to redis will receive
+all 'default' pillar settings, plus any redis targeted
+default settings, which override or extend the defaults.
+
+To set the function_class grain on a minion, using grains.setval
+is one option:
+
+salt-call grains.setval function_class mariadb
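Review bot: The comment `{# This limits out-of-order messages #}` above the 99-RepeatedMsgReduction.conf state does not match what the file does: `$RepeatedMsgReduction off` turns off rsyslog's "last message repeated N times" collapsing so that every event is forwarded individually, which is what the file's own header (`# Don't filter duplicated messages`) says. Suggest `{# Disable "last message repeated N times" collapsing so every event reaches the central server #}`. Both `file.managed` states also lack `- require: - pkg: {{ rsyslog.package_name }}`, relying on definition order for `/etc/rsyslog.d/` to exist, the same pattern as in postfix/init.sls.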
diff --git a/srv/salt/provision/sysctl/init.sls b/srv/salt/provision/sysctl/init.sls
new file mode 100644
index 0000000..d824ebd
--- /dev/null
+++ b/srv/salt/provision/sysctl/init.sls
@@ -0,0 +1,21 @@
+{# Get the targeted defaults #}
+{%
+ set sysctl_overrides = salt['grains.filter_by'](
+ salt['pillar.get']('sysctl:targeted_defaults', {}),
+ grain='function_class')
+%}
+
+{# Get the defaults, then merge the targeted defaults on top #}
+{%
+ set sysctl_settings = salt['grains.filter_by'](
+ salt['pillar.get']('sysctl:defaults', {}),
+ grain='function_class', merge=sysctl_overrides)
+%}
+
+{# Apply sysctl.present state for merged settings. #}
+{% for setting_name, setting_value in sysctl_settings.iteritems() %}
+{{ setting_name }}:
+ sysctl.present:
+ - value: {{ setting_value }}
+{% endfor %}
+
diff --git a/srv/salt/provision/timezone/README.rst b/srv/salt/provision/timezone/README.rst
new file mode 100644
index 0000000..21e8353
--- /dev/null
+++ b/srv/salt/provision/timezone/README.rst
@@ -0,0 +1,5 @@
+timezone
+========
+
+This very simple example sets the default timezone to America/Los_Angeles.
+
diff --git a/srv/salt/provision/timezone/init.sls b/srv/salt/provision/timezone/init.sls
new file mode 100644
index 0000000..083b587
--- /dev/null
+++ b/srv/salt/provision/timezone/init.sls
@@ -0,0 +1,3 @@
+America/Los_Angeles:
+ timezone.system:
+ - utc: True
diff --git a/srv/salt/provision/top.sls b/srv/salt/provision/top.sls
new file mode 100644
index 0000000..18fa9f1
--- /dev/null
+++ b/srv/salt/provision/top.sls
@@ -0,0 +1,21 @@
+provision:
+ 'in_provisioning:True':
+ - match: grain
+ - postfix
+ - aliases
+ - apt
+ - apt-sources
+ - base-packages
+ - disy
+ - dnsmasq-cache
+ - hosts-block
+ - iptables-persistent
+ #- kernel-install
+ - limits
+ - motd
+ - rsyslog-client
+ - sysctl
+ - timezone
+ - provision-final # This should be last in the list
+ # DO NOT PUT ADDITIONAL TARGETS IN THIS FILE
+
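Review bot: Targeting `'in_provisioning:True'` with `- match: grain` lets the minion decide whether it receives the provision tree, because grains are set on the minion (`grains.setval`) and are not verified by the master; the same holds for the `iptables_enabled` gate in iptables-persistent/init.sls, the `kernel_version` grain that selects which kernel packages kernel-install/init.sls installs, and the `function_class` grain that picks sysctl overrides in sysctl/init.sls. For an initial provisioning flow that is a reasonable choice, but it should be stated where the target is defined, e.g. `# grain match: the minion controls this flag; keep anything that must not be minion-controllable in pillar`, since pillar is the master-side mechanism for decisions that must not be self-selected. `#- kernel-install` being commented out is consistent with its README, and the trailing `# DO NOT PUT ADDITIONAL TARGETS IN THIS FILE` would be clearer if it said where additional targets should go.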