
First bunch of ffho salt configuration files to be public.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 8 years ago
parent
commit
d243476e23
55 changed files with 1568 additions and 0 deletions
  1. 67 0
      bash/bash_aliases.root
  2. 23 0
      bash/bashrc.root
  3. 20 0
      bash/init.sls
  4. 72 0
      console-tools/config
  5. 21 0
      console-tools/init.sls
  6. 3 0
      console-tools/issue.Debian.jessie
  7. 25 0
      locales/init.sls
  8. 13 0
      locales/locale.gen
  9. 11 0
      mosh/init.sls
  10. 4 0
      mosh/mosh.ufw.conf
  11. 12 0
      ntp/init.sls
  12. 44 0
      ntp/ntp.conf
  13. 15 0
      postfix/aliases
  14. 46 0
      postfix/init.sls
  15. 115 0
      postfix/master.cf
  16. 115 0
      postfix/master.cf.ops
  17. 1 0
      rsyslog/ffho.conf
  18. 18 0
      rsyslog/ffho.logrotate
  19. 6 0
      rsyslog/ffho/20-bird.conf
  20. 6 0
      rsyslog/ffho/20-dhcp.conf
  21. 6 0
      rsyslog/ffho/20-fastd.conf
  22. 6 0
      rsyslog/ffho/20-named.conf
  23. 6 0
      rsyslog/ffho/20-openvpn.conf
  24. 6 0
      rsyslog/ffho/30-net.conf
  25. 6 0
      rsyslog/ffho/50-auth.conf
  26. 6 0
      rsyslog/ffho/50-kern.conf
  27. 12 0
      rsyslog/ffho/50-messages.conf
  28. 6 0
      rsyslog/ffho/50-user.conf
  29. 6 0
      rsyslog/ffho/90-cron.conf
  30. 12 0
      rsyslog/ffho/99-debug.conf
  31. 43 0
      rsyslog/init.sls
  32. 123 0
      rsyslog/rsyslog.conf
  33. 121 0
      rsyslog/rsyslog.conf.logserver
  34. 11 0
      screen/init.sls
  35. 17 0
      screen/screenrc.root
  36. 22 0
      snmpd/default_snmpd
  37. 155 0
      snmpd/ifAlias
  38. 51 0
      snmpd/init.sls
  39. 94 0
      snmpd/snmpd.conf
  40. 8 0
      sudo/ffho.tmpl
  41. 4 0
      sudo/hosts/services.in.ffho.net
  42. 23 0
      sudo/init.sls
  43. 3 0
      sudo/roles/gateway
  44. 1 0
      sudo/roles/kvm_host
  45. 27 0
      sudo/sudoers
  46. 12 0
      sysctl/NAT.conf
  47. 7 0
      sysctl/arp_caches.conf
  48. 17 0
      sysctl/init.sls
  49. 2 0
      sysctl/ip_forward.conf
  50. 3 0
      sysctl/kernel.conf
  51. 4 0
      sysctl/nf-ignore-bridge.conf
  52. 36 0
      sysctl/router.sls
  53. 60 0
      sysctl/sysctl.conf
  54. 11 0
      vim/init.sls
  55. 4 0
      vim/vimrc

+ 67 - 0
bash/bash_aliases.root

@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# Nifty shell aliases for debugging (Salt managed)
+#
+
+function peer2v6ffpb()
+{
+	peername=$1
+	peer2v6ll $1 fdca:ffee:ff12:132:
+}
+
+function peer2v6ll()
+{
+	peername=$1
+	prefix=$2
+	if [ -z "$prefix" ]; then
+		prefix="fe80::"
+	fi
+
+	mac=$(grep MAC /etc/freifunk/peers/$peername | cut -d ' ' -f 3)
+	if [ -z "${mac}" ]; then
+		echo "no peer named '${peername}' found, did you spell it correctly?" >&2
+		return 1
+	else
+		euid64=$(ipv6calc -q --action geneui64 -I mac ${mac})
+		echo ${prefix}${euid64}
+		return 0
+	fi
+}
+
+function connect2peer()
+{
+	peername=$1
+	target=$(peer2v6ll $peername)
+	if [ "$?" == "0" ]; then
+		echo "trying to ssh into peer '${peername}' (${target})"
+		ssh -l root -6 ${target}%br-ffpb
+	fi
+}
+
+function pingpeer()
+{
+	peername=$1
+	target=$(peer2v6ll $peername)
+	if [ "$?" == "0" ]; then
+		echo "pinging peer '${peername}' (${target})"
+		ping6 ${target}%br-ffpb
+	fi
+}
+
+function peerstatus()
+{
+	peername=$1
+	target=$(peer2v6ll $peername fdca:ffee:ff12:132:)
+	tf=`tempfile`
+	echo -en "\e[97mFetching node status of '$peername' ...\e[39m "
+	wget -q "http://[$target]/cgi-bin/status" -O $tf
+	if [ $? -eq 0 ]; then
+		echo -e "\e[92mOK\e[39m"
+		cp $tf /tmp/ffpb-nodestatus-$peername.htm
+		#less /tmp/ffpb-nodestatus-$peername.htm
+		lynx -dump /tmp/ffpb-nodestatus-$peername.htm
+	else
+		echo -e "\e[91mERROR\e[39m"
+	fi
+	rm $tf
+}
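Review bot: None of the variables in these functions (`peername`, `prefix`, `mac`, `euid64`, `target`, `tf`) is declared `local`, so every call leaks into the interactive root shell and `peer2v6ll` overwrites the `peername` its callers just set; `local peername=$1` (and the same for the others) at the top of each function fixes that. In `peerstatus` the fetched page is copied as root to the predictable path `/tmp/ffpb-nodestatus-$peername.htm` in a world-writable directory, which a local user can pre-create or link; keeping the result in the `tempfile`-created file or writing under a root-owned directory avoids that race. `$peername` is also unquoted in `grep MAC /etc/freifunk/peers/$peername`, so a name containing `/`, `..` or spaces is not rejected; a guard such as `case "$peername" in ''|*/*|*..*) echo "invalid peer name" >&2; return 1;; esac` before the lookup bounds it to the peers directory.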

+ 23 - 0
bash/bashrc.root

@@ -0,0 +1,23 @@
+# ~/.bashrc: executed by bash(1) for non-login shells.
+
+# Note: PS1 and umask are already set in /etc/profile. You should not
+# need this unless you want different defaults for root.
+fqdn=$(hostname -f)
+PS1='${debian_chroot:+($debian_chroot)}${fqdn}:\w\$ '
+# umask 022
+
+# You may uncomment the following lines if you want `ls' to be colorized:
+export LS_OPTIONS='--color=auto'
+eval "`dircolors`"
+alias ls='ls $LS_OPTIONS'
+# alias ll='ls $LS_OPTIONS -l'
+# alias l='ls $LS_OPTIONS -lA'
+#
+# Some more alias to avoid making mistakes:
+# alias rm='rm -i'
+# alias cp='cp -i'
+# alias mv='mv -i'
+
+if [ -f ~/.bash_aliases ]; then
+	. ~/.bash_aliases
+fi

+ 20 - 0
bash/init.sls

@@ -0,0 +1,20 @@
+#
+# Bash
+#
+
+{%- import "globals.sls" as globals with context %}
+
+#
+# .bashrc for root
+/root/.bashrc:
+  file.managed:
+    - source: salt://bash/bashrc.root
+    - template: jinja
+
+#
+# Nifty aliases for gateway
+{% if 'gateway' in globals.ROLES %}
+/root/.bash_aliases:
+  file.managed:
+    - source: salt://bash/bash_aliases.root
+{% endif %}
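Review bot: `/root/.bashrc` is rendered with `template: jinja` although `bashrc.root` contains no Jinja markup, so any future `{{`, `{%` or `{#` in the dotfile would be interpreted by Salt; either drop the `template` line or add a comment explaining why rendering is wanted. The aliases installed on gateways call `ipv6calc`, `lynx`, `tempfile` and `wget`, but no `pkg.installed` for them appears in this state; unless they are installed elsewhere, a package state with a `require` from the aliases file would keep the helpers usable. Both `file.managed` states leave `user`, `group` and `mode` unset; root dotfiles are usually pinned with `- user: root`, `- group: root`, `- mode: 644`.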

+ 72 - 0
console-tools/config

@@ -0,0 +1,72 @@
+#
+# This files tells the console-tools package: (Salt managed)
+#
+# - whether to load a specific font and boot (and maybe a screen-font map,
+# but you should avoid that if possible).
+# - whether to setup an Application-Charset Map other than the default CP437.
+# - whether to start "vcstime" to have time on all text VC'S.
+#
+# You can also specify per-VC settings by suffixing variable names as in
+# the examples below. This only works on framebuffer devices.
+#
+# CAVEATS:
+#
+# - When using the new framebuffer devices, the "global setting" for a font
+# only affects the current console (ie., at boot-time, the first one)
+# - ACM setting involves 2 steps (maybe loading a user ACM, and activating
+# it on a given charset slot - see charset(1) for details), the 1st of which
+# affects the entire system, but the 2nd of which only affects the current
+# VC (ie., at boot-time, the first one).  So that if you want to use the same
+# ACM on all VCs, you have to specify "APP_CHARSET_MAP_vc<N>=user" for all
+# relevant values of <N>.
+#
+# Example:
+#
+#SCREEN_FONT=iso01.f16
+#SCREEN_FONT_vc2=LatArCyrHeb-16
+#
+#APP_CHARSET_MAP=iso05
+#APP_CHARSET_MAP_vc2=user
+#
+# Set the following - more euro-friendly default than kernel font.
+# SCREEN_FONT=latcyrheb-sun16.psf
+
+#DO_VCSTIME=yes
+#
+# Forget this one unless you _know_ it is necessary for your font:
+#SCREEN_FONT_MAP=iso01
+
+#  **** screen saver/DPMS settings: all VCs ****
+# These settings are commented by default to avoid the chance of damage to
+# very old monitors that don't support DPMS signalling.
+
+# screen blanking timeout.  monitor remains on, but the screen is cleared to
+# range: 0-60 min (0==never)  kernels I've looked at default to 10 minutes.
+# (see linux/drivers/char/console.c)
+BLANK_TIME=0
+
+# blanking method (VESA DPMS mode to use after BLANK_TIME, before powerdown):
+# on: the default, no DPMS signalling. near instant powerup, no power saving
+# vsync: DPMS Standby mode. nearly instant recovery, uses 110/120W (17" screen)
+# hsync: DPMS Suspend mode. typically 3s recovery, uses 15/120W (17" screen)
+# powerdown,off: DPMS Off mode, typ. 10s recovery, uses  5/120W (17" screen)
+
+# Those values are for my 17" Mag, but some monitors do suspend the same as
+# standby.  xset dpms force {off|standby|suspend|on} is useful for this, if X
+# supports DPMS on your video card.  Set X's DPMS screensaver with xset dpms
+# or use option power_saver in XF86Config
+#
+# DPMS set by default to off, because hsync can cause problems on certain
+# hardware, such as Armada E500 laptops
+BLANK_DPMS=off
+
+# Powerdown time.  The console will go to DPMS Off mode POWERDOWN_TIME
+# minutes _after_ blanking.  (POWERDOWN_TIME + BLANK_TIME after the last input)
+POWERDOWN_TIME=0
+
+# rate and delay can get only specific values, consult kbdrate(1) for help
+#KEYBOARD_RATE="30"
+#KEYBOARD_DELAY="250"
+
+# Turn on numlock by default
+#LEDS=+num

+ 21 - 0
console-tools/init.sls

@@ -0,0 +1,21 @@
+#
+# Install and configure console-tools to disable scree blanking
+#
+
+{% if grains['oscodename'] == 'wheezy' %}
+console-tools:
+  pkg.installed:
+    - name: console-tools
+
+/etc/console-tools/config:
+  file.managed:
+    - source: salt://console-tools/config
+    - require:
+      - pkg: console-tools
+{%- endif %}
+
+{% if grains['oscodename'] == 'jessie' %}
+/etc/issue:
+  file.managed:
+    - source: salt://console-tools/issue.Debian.jessie
+{% endif %}
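Review bot: The header comment reads `disable scree blanking`; it should be `screen`. The two Jinja blocks close differently (`{%- endif %}` on the wheezy block, `{% endif %}` on the jessie block); one form keeps the rendered whitespace predictable. The jessie branch replaces `/etc/issue` without saying why a console-tools state manages it; presumably the file carries the console escape that disables blanking, and a comment such as `# jessie has no console-tools; /etc/issue carries the blank-timeout escape instead` above the second `{% if` would record that.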

+ 3 - 0
console-tools/issue.Debian.jessie

@@ -0,0 +1,3 @@
+Debian GNU/Linux 8 \n \l
+
+[9;0]
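Review bot: The last line `[9;0]` is presumably the Linux console escape `ESC[9;0]` (blank interval 0, i.e. never blank), but the rendered page cannot show whether the leading 0x1b byte is present; if it was lost in transit, the file merely prints the literal text and blanking stays on. Worth confirming with a hex dump of the deployed file. Since `/etc/issue` has no comment syntax, the intent should be documented in `console-tools/init.sls` next to the state that installs this file.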

+ 25 - 0
locales/init.sls

@@ -0,0 +1,25 @@
+#
+# Configure locales
+#
+
+locales:
+  pkg.installed
+
+# Workaround missing locale.present in our salt version
+/etc/locale.gen:
+  file.managed:
+    - source: salt://locales/locale.gen
+    - require:
+      - pkg: locales
+
+locale-gen:
+  cmd.wait:
+    - watch:
+      - file: /etc/locale.gen
+
+en_US.UTF-8:
+  locale.system:
+    - require:
+      - file: /etc/locale.gen
+
+
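Review bot: The `en_US.UTF-8` `locale.system` state only requires `file: /etc/locale.gen`, not the `locale-gen` command, so on a fresh host it can run before the locale has been generated; add `- cmd: locale-gen` to its `require` list. `locale-gen` as `cmd.wait` correctly fires only when the managed file changes, but an explicit `- name: /usr/sbin/locale-gen` would match the style of the `newaliases` state in `postfix/init.sls`. The workaround comment could also name the Salt version that lacks `locale.present`, so the workaround can be retired later.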

+ 13 - 0
locales/locale.gen

@@ -0,0 +1,13 @@
+#
+# Locale to be generated (Salt managed)
+#
+# This file lists locales that you wish to have built. You can find a list
+# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
+# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
+# this file, you need to rerun locale-gen.
+
+de_DE.UTF-8 UTF-8
+de_DE@euro ISO-8859-15
+
+en_US.ISO-8859-15 ISO-8859-15
+en_US.UTF-8 UTF-8

+ 11 - 0
mosh/init.sls

@@ -0,0 +1,11 @@
+#
+# Mosh
+#
+
+mosh:
+  pkg.installed:
+    - name: 'mosh'
+
+/etc/ufw/applications.d/mosh:
+  file.managed:
+    - source: salt://mosh/mosh.ufw.conf
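Review bot: Installing the UFW application profile only defines the `mosh` port range; nothing in this state applies a `ufw allow mosh` rule, so unless another state does, UDP 60000–60010 stays closed on ufw-enabled hosts and the profile has no effect. Either add the allow rule here (e.g. a `cmd.run` guarded by `- unless: ufw status | grep -q '^mosh'`) or add a comment naming the state that opens the port. The profile file also has no `require` on `pkg: mosh`; ordering currently rests on declaration order alone.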

+ 4 - 0
mosh/mosh.ufw.conf

@@ -0,0 +1,4 @@
+[mosh]
+title=Mosh (mobile shell)
+description=Mobile shell that supports roaming and intelligent local echo
+ports=60000:60010/udp

+ 12 - 0
ntp/init.sls

@@ -0,0 +1,12 @@
+#
+# NTP
+#
+
+ntp:
+  pkg.installed:
+    - name: ntp
+
+
+/etc/ntp.conf:
+  file.managed:
+    - source: salt://ntp/ntp.conf
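Review bot: `/etc/ntp.conf` is managed but no `service.running` state for ntp exists, so changes to the file are never picked up until someone restarts ntpd by hand; `rsyslog/init.sls` and `postfix/init.sls` in this commit pair the package with `service.running` plus `watch_in`, and the same pattern applies here. Adding `service.running: - enable: True` under the `ntp` ID and `- watch_in: - service: ntp` to the file state aligns it with them. The file state also has no `require` on `pkg: ntp`, so on first run it depends on declaration order.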

+ 44 - 0
ntp/ntp.conf

@@ -0,0 +1,44 @@
+#
+# /etc/ntp.conf (Salt managed)
+#
+# configuration for ntpd; see ntp.conf(5) for help
+#
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable this if you want statistics to be logged.
+#statsdir /var/log/ntpstats/
+
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+
+
+# You do need to talk to an NTP server or two (or three).
+#server ntp.your-provider.example
+
+# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
+# pick a different set every time it starts up.  Please consider joining the
+# pool: <http://www.pool.ntp.org/join.html>
+server 0.debian.pool.ntp.org iburst
+server 1.debian.pool.ntp.org iburst
+server 2.debian.pool.ntp.org iburst
+
+# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
+# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
+# might also be helpful.
+#
+# Note that "restrict" applies to both servers and clients, so a configuration
+# that might be intended to block requests from certain clients could also end
+# up blocking replies from your own upstream servers.
+
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+
+# Local users may interrogate the ntp server more closely.
+restrict 127.0.0.1
+restrict ::1
+
+# CVE-2013-5211
+disable monitor
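Review bot: `statistics loopstats peerstats clockstats` plus the three `filegen ... enable` lines are active while `statsdir` stays commented out, so the stat files are written to ntpd's default location rather than `/var/log/ntpstats/`; either uncomment `statsdir` or drop the statistics block if nobody reads them, since they grow daily. The `restrict default ... noquery` lines already refuse mode 6/7 queries, so `disable monitor` is a second layer for the CVE noted above; a comment saying `# noquery above already blocks monlist; keep both` prevents someone removing one believing the other covers it. `restrict 127.0.0.1` and `restrict ::1` without flags leave localhost entirely unrestricted, which is the Debian default but deserves a comment.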

+ 15 - 0
postfix/aliases

@@ -0,0 +1,15 @@
+# /etc/aliases
+mailer-daemon: postmaster
+postmaster: root
+nobody: root
+hostmaster: root
+usenet: root
+news: root
+webmaster: root
+www: root
+ftp: root
+abuse: root
+noc: root
+security: root
+
+root: ops@ffho.net

+ 46 - 0
postfix/init.sls

@@ -0,0 +1,46 @@
+#
+# Postfix
+#
+
+# Force installation of bsd-mailx as it's not installed anymore in Debian Jessie..
+bsd-mailx:
+  pkg.installed:
+    - name: bsd-mailx
+
+
+postfix:
+  pkg.installed:
+    - name: postfix
+    - requires:
+      - file: /etc/mailname
+  service.running:
+    - enable: true
+    - reload: true
+
+#
+# Don't listen on port 25, by default, a unix socket is enough.
+/etc/postfix/master.cf:
+  file.managed:
+    - source:
+      - salt://postfix/master.cf.{{ grains['nodename'] }}
+      - salt://postfix/master.cf
+    - watch_in:
+      - service: postfix
+
+#
+# Send root mail to ops@ffho.net
+/etc/aliases:
+  file.managed:
+    - source: salt://postfix/aliases
+
+newaliases:
+  cmd.wait:
+    - name: /usr/bin/newaliases
+    - watch:
+      - file: /etc/aliases
+
+
+# Set mailname for xxx.paderborn.freifunk.net (FIXME)
+/etc/mailname:
+  file.managed:
+    - contents: "{{ grains.nodename }}.paderborn.freifunk.net"
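Review bot: `- requires:` on the `postfix` `pkg.installed` state is not a Salt requisite; the keyword is `require`, so the intended ordering on `file: /etc/mailname` is not enforced (depending on the Salt version the unknown argument is ignored or rejected) and the package may be configured before the mailname file exists. Change it to `- require:` with `- file: /etc/mailname` beneath it. The `/etc/aliases` state has no `require` on `pkg: postfix`, and the comment above `master.cf` says port 25 is not listened on, which holds for `master.cf` but not for `master.cf.ops`; a comment on the node-specific `source` entry should say which host opens smtp.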

+ 115 - 0
postfix/master.cf

@@ -0,0 +1,115 @@
+#
+# Postfix master config (Salt managed)
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+#smtp      inet  n       -       -       -       -       smtpd
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#submission inet n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       -       -       -       qmqpd
+pickup    fifo  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+

+ 115 - 0
postfix/master.cf.ops

@@ -0,0 +1,115 @@
+#
+# Postfix master config (Salt managed)
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master").
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (yes)   (never) (100)
+# ==========================================================================
+smtp      inet  n       -       -       -       -       smtpd
+#smtp      inet  n       -       -       -       1       postscreen
+#smtpd     pass  -       -       -       -       -       smtpd
+#dnsblog   unix  -       -       -       -       0       dnsblog
+#tlsproxy  unix  -       -       -       -       0       tlsproxy
+#submission inet n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#smtps     inet  n       -       -       -       -       smtpd
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       -       -       -       qmqpd
+pickup    fifo  n       -       -       60      1       pickup
+cleanup   unix  n       -       -       -       0       cleanup
+qmgr      fifo  n       -       n       300     1       qmgr
+#qmgr     fifo  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       -       1000?   1       tlsmgr
+rewrite   unix  -       -       -       -       -       trivial-rewrite
+bounce    unix  -       -       -       -       0       bounce
+defer     unix  -       -       -       -       0       bounce
+trace     unix  -       -       -       -       0       bounce
+verify    unix  -       -       -       -       1       verify
+flush     unix  n       -       -       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       -       -       -       smtp
+relay     unix  -       -       -       -       -       smtp
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       -       -       -       showq
+error     unix  -       -       -       -       -       error
+retry     unix  -       -       -       -       -       error
+discard   unix  -       -       -       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       -       -       -       lmtp
+anvil     unix  -       -       -       -       1       anvil
+scache    unix  -       -       -       -       1       scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop  unix  -       n       n       -       -       pipe
+  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp      unix  -       n       n       -       -       pipe
+  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail    unix  -       n       n       -       -       pipe
+  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp     unix  -       n       n       -       -       pipe
+  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix	-	n	n	-	2	pipe
+  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman   unix  -       n       n       -       -       pipe
+  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+  ${nexthop} ${user}
+
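Review bot: This file differs from `postfix/master.cf` only in the `smtp inet n - - - - smtpd` line being uncommented, yet both 115-line copies must now be kept in sync by hand. Rendering `master.cf` with `template: jinja` and guarding that one line with a condition keyed on the same `grains['nodename']` the `source` list in `postfix/init.sls` already uses would leave a single source of truth and drop the per-node fallback. Enabling the public smtpd listener also relies on `main.cf` (not in this commit) for `inet_interfaces` and client restrictions, so a comment pointing at that file is worth adding next to the uncommented line.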

+ 1 - 0
rsyslog/ffho.conf

@@ -0,0 +1 @@
+$IncludeConfig /etc/rsyslog.d/ffho/*.conf

+ 18 - 0
rsyslog/ffho.logrotate

@@ -0,0 +1,18 @@
+/var/log/bird.log
+/var/log/dhcp.log
+/var/log/fastd.log
+/var/log/named.log
+/var/log/net.log
+/var/log/openvpn.log
+{
+        rotate 7
+        daily
+        missingok
+        notifempty
+        delaycompress
+        compress
+        postrotate
+                invoke-rc.d rsyslog rotate > /dev/null
+        endscript
+}
+
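Review bot: `/var/log/debug`, which `rsyslog/ffho/99-debug.conf` turns into the catch-all for every message from every host not consumed earlier, is not in this rotation list, nor are `/var/log/messages`, `auth.log`, `kern.log` and `user.log` written by the `50-*` files. On Debian those are normally covered by the distribution's `/etc/logrotate.d/rsyslog`, but whether that also rotates the central `/var/log/debug` sink is worth confirming, otherwise it grows unbounded on the logserver. A comment stating that the standard files are left to the distribution rotation would make the split intentional.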

+ 6 - 0
rsyslog/ffho/20-bird.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'bird' or $programname == 'bird6' then /var/log/bird.log
+& ~
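Review bot: The `$FileCreateMode 0640` / `$FileOwner root` / `$FileGroup adm` triplet repeats the global defaults already set in `rsyslog.conf.logserver` (these files are only deployed on logserver hosts per `rsyslog/init.sls`), and the same three lines are copied into every file under `rsyslog/ffho/`; if the intent is to be independent of the global setting, a one-line comment saying so would help, otherwise dropping them leaves one place to change. `& ~` discards every matching message, so bird output from all hosts lands only in one shared `/var/log/bird.log` with no per-host split; fine for a small deployment but worth a comment such as `# bird/bird6 from all hosts; discarded from further rules`. The same applies to `20-dhcp.conf`, `20-fastd.conf`, `20-named.conf`, `20-openvpn.conf`, `30-net.conf`, `50-auth.conf`, `50-kern.conf` and `50-user.conf`.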

+ 6 - 0
rsyslog/ffho/20-dhcp.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'dhcpd' then /var/log/dhcp.log
+& ~

+ 6 - 0
rsyslog/ffho/20-fastd.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'fastd' then /var/log/fastd.log
+& ~

+ 6 - 0
rsyslog/ffho/20-named.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname == 'named' then /var/log/named.log
+& ~

+ 6 - 0
rsyslog/ffho/20-openvpn.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $programname startswith 'ovpn' then /var/log/openvpn.log
+& ~

+ 6 - 0
rsyslog/ffho/30-net.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+if $fromhost-ip startswith '172.30.' and $syslogfacility-text == 'local0' then /var/log/net.log
+& ~

+ 6 - 0
rsyslog/ffho/50-auth.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+auth.*,authpriv.*                        /var/log/auth.log
+& ~
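Review bot: The selector `auth.*,authpriv.*` puts the comma after the priority, whereas classic syslog/rsyslog selector syntax lists comma-separated facilities before a single `.priority` (`auth,authpriv.*`, the form `rsyslog/rsyslog.conf` uses on its first rule); it is worth verifying that rsyslog parses this as intended rather than matching only `auth.*`, or simply switching to `auth,authpriv.*`. These are authentication logs from every forwarding host merged into one file, so a comment such as `# auth/authpriv from all hosts, kept 0640 root:adm` documents why the mode directives above matter here.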

+ 6 - 0
rsyslog/ffho/50-kern.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root 
+$FileGroup adm
+
+kern.*                          -/var/log/kern.log
+& ~

+ 12 - 0
rsyslog/ffho/50-messages.conf

@@ -0,0 +1,12 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+*.=info;*.=notice;*.=warn;*.=emerg;\
+        auth.none,authpriv.none;\
+        cron.none,daemon.none;\
+        mail.none,news.none;\          
+        local0.none,local1.none;\          
+        local2.none,local3.none;\          
+        local4.none,local5.none;\          
+        local6.none,local7.none          -/var/log/messages
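Review bot: The `mail.none,news.none;\` line and the three `localN.none` lines after it end in `\` followed by trailing spaces; in rsyslog's legacy syntax the backslash only continues the line when it is the last character, so the selector most likely ends after `mail.none,news.none;` and the remaining lines are parsed as separate, broken statements, meaning `/var/log/messages` may never be written as intended. Strip the trailing whitespace so every continuation line ends in a bare `\`. This is also the only `50-*` file without a trailing `& ~`, so matching messages continue on to `99-debug.conf`'s `*.* /var/log/debug`; if that duplication is intended, say so in a comment.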

+ 6 - 0
rsyslog/ffho/50-user.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+user.*                          -/var/log/user.log
+& ~

+ 6 - 0
rsyslog/ffho/90-cron.conf

@@ -0,0 +1,6 @@
+$FileCreateMode 0640
+$FileOwner root 
+$FileGroup adm
+
+#crons sollten nicht auf dem logserver geloggt werden. Falls doch bitte mit Einzelfilter und höherer Priorität
+cron.* ~ 
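Review bot: The comment is in German; an English version keeps the directory consistent with the rest of the commit: `# cron messages should not be logged on the logserver; if some are needed, add a dedicated filter with higher priority`. `cron.* ~ ` carries trailing whitespace, as does `$FileOwner root ` here and in `50-kern.conf`; rsyslog probably tolerates it, but it makes future diffs noisy. The three `$File*` directives are unused in a file that only discards and can go.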

+ 12 - 0
rsyslog/ffho/99-debug.conf

@@ -0,0 +1,12 @@
+$FileCreateMode 0640
+$FileOwner root
+$FileGroup adm
+
+#*.=debug;\
+#        auth,authpriv.none;\
+#        news.none;mail.none     -/var/log/debug
+
+#fängt vorerst alle Nachrichten ab, die nicht in anderen Logs landen um rauszufinden was noch interessant sein könnte
+
+*.* /var/log/debug
+& ~
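Review bot: The comment says this file catches everything that does not land in another log, but `50-messages.conf` has no `& ~`, so info/notice/warn messages end up in both `/var/log/messages` and `/var/log/debug`; either add the discard there or reword the comment. An English version of the comment: `# Catch-all for now: everything not consumed by the rules above goes here, to find out what else is worth filtering`. The commented-out `*.=debug` block above it is dead configuration and should be removed or explained.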

+ 43 - 0
rsyslog/init.sls

@@ -0,0 +1,43 @@
+#
+# Rsyslog configuration
+#
+
+{% set roles = pillar.get ('roles', []) %}
+
+rsyslog:
+  pkg.installed:
+    - name: rsyslog
+  service.running:
+    - enable: True
+
+/etc/rsyslog.conf:
+  file.managed:
+    - watch_in:
+      - service: rsyslog
+{% if 'logserver' in roles %}
+    - source: salt://rsyslog/rsyslog.conf.logserver
+{% else %}
+    - source: salt://rsyslog/rsyslog.conf
+{% endif %}
+
+{% if 'logserver' in roles %}
+/etc/rsyslog.d/ffho.conf:
+  file.managed:
+    - source: salt://rsyslog/ffho.conf
+
+/etc/rsyslog.d/ffho:
+  file.recurse:
+    - source: salt://rsyslog/ffho
+    - file_mode: 644
+    - dir_mode: 755
+    - user: root
+    - group: root
+    - clean: true
+    - watch_in:
+      - service: rsyslog
+
+/etc/logrotate.d/ffho:
+  file.managed:
+    - source: salt://rsyslog/ffho.logrotate
+
+{% endif %}
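Review bot: Roles are read here with `pillar.get ('roles', [])` while `bash/init.sls` uses `globals.ROLES` from `globals.sls`; one accessor for role checks keeps the two from drifting apart. `/etc/rsyslog.d/ffho.conf` and `/etc/logrotate.d/ffho` lack the `watch_in: - service: rsyslog` that the `file.recurse` state has, so changing the include line alone does not reload rsyslog. Nothing removes `/etc/rsyslog.d/ffho.conf` and `/etc/rsyslog.d/ffho` when a host loses the `logserver` role; a `file.absent` pair in an `{% else %}` branch would let the state converge in both directions. `/etc/rsyslog.conf` also has no `require: - pkg: rsyslog`.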

+ 123 - 0
rsyslog/rsyslog.conf

@@ -0,0 +1,123 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support
+#$ModLoad immark  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+
+# provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+auth,authpriv.*			/var/log/auth.log
+*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+daemon.*			-/var/log/daemon.log
+kern.*				-/var/log/kern.log
+lpr.*				-/var/log/lpr.log
+mail.*				-/var/log/mail.log
+user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+mail.info			-/var/log/mail.info
+mail.warn			-/var/log/mail.warn
+mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+news.crit			/var/log/news/news.crit
+news.err			/var/log/news/news.err
+news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+*.=debug;\
+	auth,authpriv.none;\
+	news.none;mail.none	-/var/log/debug
+*.=info;*.=notice;*.=warn;\
+	auth,authpriv.none;\
+	cron,daemon.none;\
+	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+*.emerg				:omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+#
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+daemon.*;mail.*;\
+	news.err;\
+	*.=debug;*.=info;\
+	*.=notice;*.=warn	|/dev/xconsole
+
+*.*	@10.132.251.43
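Review bot: `*.* @10.132.251.43` forwards every message, including `auth`/`authpriv`, over plain UDP with no queue: the data crosses the network in clear text and is silently dropped whenever the logserver is down or the link is congested. The logserver config in this commit enables `imtcp` on 514, so `@@10.132.251.43` with `$ActionQueueType LinkedList`, `$ActionQueueFileName fwd` and `$ActionResumeRetryCount -1` in front of it gives reliable delivery, and TLS or RELP is the next step if the network is not trusted. The address is hard-coded even though the file is Salt managed; a pillar value rendered via `template: jinja` would avoid per-site edits, and a comment such as `# forward everything to the central logserver` should name the host.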

+ 121 - 0
rsyslog/rsyslog.conf.logserver

@@ -0,0 +1,121 @@
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+
+
+#################
+#### MODULES ####
+#################
+
+$ModLoad imuxsock # provides support for local system logging
+$ModLoad imklog   # provides kernel logging support
+#$ModLoad immark  # provides --MARK-- message capability
+
+# provides UDP syslog reception
+$ModLoad imudp
+$UDPServerRun 514
+
+# provides TCP syslog reception
+$ModLoad imtcp
+$InputTCPServerRun 514
+
+
+###########################
+#### GLOBAL DIRECTIVES ####
+###########################
+
+#
+# Use traditional timestamp format.
+# To enable high precision timestamps, comment out the following line.
+#
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+
+#
+# Where to place spool and state files
+#
+$WorkDirectory /var/spool/rsyslog
+
+#
+# Include all config files in /etc/rsyslog.d/
+#
+$IncludeConfig /etc/rsyslog.d/*.conf
+
+
+###############
+#### RULES ####
+###############
+
+#
+# First some standard log files.  Log by facility.
+#
+#auth,authpriv.*			/var/log/auth.log
+#*.*;auth,authpriv.none		-/var/log/syslog
+#cron.*				/var/log/cron.log
+#daemon.*			-/var/log/daemon.log
+#kern.*				-/var/log/kern.log
+#lpr.*				-/var/log/lpr.log
+#mail.*				-/var/log/mail.log
+#user.*				-/var/log/user.log
+
+#
+# Logging for the mail system.  Split it up so that
+# it is easy to write scripts to parse these files.
+#
+#mail.info			-/var/log/mail.info
+#mail.warn			-/var/log/mail.warn
+#mail.err			/var/log/mail.err
+
+#
+# Logging for INN news system.
+#
+#news.crit			/var/log/news/news.crit
+#news.err			/var/log/news/news.err
+#news.notice			-/var/log/news/news.notice
+
+#
+# Some "catch-all" log files.
+#
+#*.=debug;\
+#	auth,authpriv.none;\
+#	news.none;mail.none	-/var/log/debug
+#*.=info;*.=notice;*.=warn;\
+#	auth,authpriv.none;\
+#	cron,daemon.none;\
+#	mail,news.none		-/var/log/messages
+
+#
+# Emergencies are sent to everybody logged in.
+#
+#*.emerg				:omusrmsg:*
+
+#
+# I like to have messages displayed on the console, but only on a virtual
+# console I usually leave idle.
+#
+#daemon,mail.*;\
+#	news.=crit;news.=err;news.=notice;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	/dev/tty8
+
+# The named pipe /dev/xconsole is for the `xconsole' utility.  To use it,
+# you must invoke `xconsole' with the `-file' option:
+# 
+#    $ xconsole -file /dev/xconsole [...]
+#
+# NOTE: adjust the list below, or you'll go crazy if you have a reasonably
+#      busy site..
+#
+#daemon.*;mail.*;\
+#	news.err;\
+#	*.=debug;*.=info;\
+#	*.=notice;*.=warn	|/dev/xconsole
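Review bot: The UDP and TCP receivers (`$UDPServerRun 514`, `$InputTCPServerRun 514`) are enabled with no sender restriction and no bind address, so the log server accepts syslog from any source that can reach it on every interface; the legacy `$AllowedSender UDP, <CLIENT-NET-PLACEHOLDER>` / `$AllowedSender TCP, <CLIENT-NET-PLACEHOLDER>` directives, or binding with `$UDPServerAddress` to the address the clients use, would limit that to the intended hosts (a host firewall rule does the same). Both listeners are plaintext, so the transported content can be read or injected in transit; if that is accepted for this network, a comment saying so next to the module lines would stop the next reader from wondering. With every local rule in the RULES section commented out, what happens to received messages depends entirely on what `$IncludeConfig /etc/rsyslog.d/*.conf` pulls in, which is worth stating in a comment above the rules block, e.g. `# All routing of received messages lives in /etc/rsyslog.d/ (see rsyslog/ffho/*)`.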

+ 11 - 0
screen/init.sls

@@ -0,0 +1,11 @@
+#
+# Screen
+#
+
+screen:
+  pkg.installed:
+    - name: screen
+
+/root/.screenrc:
+  file.managed:
+    - source: salt://screen/screenrc.root

+ 17 - 0
screen/screenrc.root

@@ -0,0 +1,17 @@
+#
+# /root/.screenrc (Salt managed)
+#
+
+nethack			on
+autodetach		on
+crlf			off
+deflogin		off
+hardcopy_append		off
+startup_message		off
+vbell			off
+defscrollback		10000
+silencewait		15
+hardstatus		alwayslastline " %H (%l) | %d.%m %c | %w"
+sorendition		02 10
+
+bind P paste          .

+ 22 - 0
snmpd/default_snmpd

@@ -0,0 +1,22 @@
+# This file controls the activity of snmpd and snmptrapd (Salt managed)
+
+# Don't load any MIBs by default.
+# You might comment this lines once you have the MIBs downloaded.
+export MIBS=
+
+# snmpd control (yes means start daemon).
+SNMPDRUN=yes
+
+# snmpd options (use syslog, close stdin/out/err).
+SNMPDOPTS='-LSwd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'
+
+# snmptrapd control (yes means start daemon).  As of net-snmp version
+# 5.0, master agentx support must be enabled in snmpd before snmptrapd
+# can be run.  See snmpd.conf(5) for how to do this.
+TRAPDRUN=no
+
+# snmptrapd options (use syslog).
+TRAPDOPTS='-LS5d -p /var/run/snmptrapd.pid'
+
+# create symlink on Debian legacy location to official RFC path
+SNMPDCOMPAT=yes

+ 155 - 0
snmpd/ifAlias

@@ -0,0 +1,155 @@
+#!/bin/bash
+# (c) 2013, 2014, f0o@devilcode.org
+# (c) 2015 by Maximilian Wilhelm <max@rfc2324.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ALIASES_FILE="/etc/snmp/if_aliases"
+
+BASE='.1.3.6.1.2.1.31.1.1.1.18'
+ID=$(cut -d . -f 13 <<< $2)
+cache=$(ip l)
+
+if [ -z "$ID" ]; then
+	ID=0
+fi
+
+if [ "$1" = "-n" ]; then
+	IFS="
+"
+	for dev in $(grep mtu <<<"$cache" | cut -d : -f 1|sort -n); do
+		if [ "$LAST" == "$ID" ]; then
+			ID=$dev
+			BRK=1
+			break
+		else
+			LAST=$dev
+		fi
+	done
+	if [ -z "$BRK" ]; then
+		exit 0
+	fi
+fi
+
+IFACE=$(grep "^${ID}: " <<<"$cache" | sed 's/[:@]\s/ /g'| cut -d " " -f 2)
+
+echo ${BASE}.${ID}
+if [ "X${IFACE}" = "X" ]; then
+	echo noSuchName
+else
+	if_alias=""
+
+	# Try to figure out current Linux distribution to guess network configuration file
+	distro=""
+	if [ -x /usr/bin/distro ]; then
+		distro=$(distro | cut -d " " -f 1)
+	elif which lsb_release >/dev/null 2>/dev/null; then
+		distro="$(lsb_release -a 2>/dev/null | awk -F: '/^Distributor ID/ { print $2 }' | tr -d '[[:space:]]')"
+	fi
+
+	if [ "${distro}" ]; then
+		case "${distro}" in
+			Debian)
+				cnf="/etc/network/interfaces"
+				# TODO: Support /etc/network/interfaces.d/
+				;;
+
+			Gentoo)
+				cnf="/etc/conf.d/net"
+				;;
+
+			CentOS|RedHat|SuSE|Mandriva|Mandrake)
+				cnf="/etc/sysconfig/network-scripts/ifcfg-$IFACE"
+				;;
+
+			Archlinux)
+				cnf="/etc/conf.d/net-conf-$IFACE"
+				;;
+
+			*)
+				cnf=""
+				;;
+		esac
+	fi
+
+	if [ -n "$cnf" ]; then
+		if_alias=$(grep -i "^# $IFACE:" "${cnf}" | sed "s/^# $IFACE: //i")
+	fi
+
+	if [ ! "${if_alias}" -a -f "${ALIASES_FILE}" ]; then
+		if_alias=$(grep -i "^$IFACE:" "${ALIASES_FILE}" | sed -e "s/^$IFACE:[[:space:]]*//")
+	fi
+
+
+	# FFHO local
+	case "${IFACE}" in
+		# Transit
+		tun42)
+			if_alias="Transit: Perfect Privacy"
+			;;
+
+		he-ipv6)
+			if_alias="Transit: HE-IPv6"
+			;;
+
+		gre_ffrl*)
+			if_alias="Transit: FFRL"
+			;;
+
+		# Peerings
+		icvpn)
+			if_alias="Peering: ICVPN"
+			;;
+
+		# Core
+		core*)
+			if_alias="Core: core-vpn"
+			;;
+
+		bb-*)
+			if_alias="Core: Backbone-vpn"
+			;;
+
+		vlan1*)
+			if_alias="Core: X-Connect"
+			;;
+
+		inter-gw-vpn)
+			if_alias="Core: Inter-Gateway-B.A.T.M.A.N."
+			;;
+
+		# Server
+		infra-srv-vpn|user-srv-vpn)
+			if_alias="Server: ${IFACE}"
+			;;
+
+		vlan3*)
+			if_alias="Server: Mgmt"
+			;;
+
+		# Customer
+		mesh-*)
+			if_alias="Cust: B.A.T.M.A.N. mesh"
+			;;
+
+		vlan23)
+			if_alias="Cust: Local Mesh break-out"
+			;;
+	esac
+
+	echo "string"
+	echo ${if_alias}
+fi
+
+exit 0
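Review bot: The GETNEXT branch (`-n`) cannot return the first interface when the requested OID carries no instance suffix, as presumably happens when a walk enters the subtree: `cut -d . -f 13` then yields an empty ID which is set to 0, but `LAST` starts empty, so `[ "$LAST" == "$ID" ]` is never true, `BRK` stays unset and the script exits without output; the same loop also ends a walk at the first gap in the interface index sequence. A numeric comparison covers both cases, replacing the if/else inside the for loop with `if [ "$dev" -gt "$ID" ]; then ID=$dev; BRK=1; break; fi`, preceded by a check that `ID` is an integer (`case "$ID" in ''|*[!0-9]*) ID=0;; esac`) so it is also safe inside the later `grep "^${ID}: "` pattern. The `IFS` change made in that branch is never restored and so shapes word splitting for the rest of the script only on that path, and `echo ${if_alias}` at the end should be `echo "${if_alias}"` because the alias text is taken from comments in the interface configuration files and an unquoted expansion lets glob characters there expand against the working directory.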

+ 51 - 0
snmpd/init.sls

@@ -0,0 +1,51 @@
+#
+# SNMPd
+#
+
+include:
+  - network.interfaces
+
+#
+# Install and start SNMPd
+# Require /etc/network/interfaces to be installed (and ifreload'ed) so we
+# can simply pick lookback IP addresses from grains.
+snmpd:
+  pkg.installed:
+    - name: snmpd
+    - require:
+      - file: /etc/network/interfaces
+  service.running:
+    - enable: true
+    - reload: true
+
+
+/etc/default/snmpd:
+  file.managed:
+    - source: salt://snmpd/default_snmpd
+    - require:
+      - pkg: snmpd
+    - watch_in:
+      - service: snmpd
+
+
+/etc/snmp/snmpd.conf:
+  file.managed:
+    - template: jinja
+    - source: salt://snmpd/snmpd.conf
+    - require:
+      - pkg: snmpd
+    - watch_in:
+      - service: snmpd
+
+
+/etc/snmp/ifAlias:
+  file.managed:
+    - source: salt://snmpd/ifAlias
+    - user: root
+    - group: root
+    - mode: 755
+    - require:
+      - pkg: snmpd
+
+
+# TODO: Lookback-IP aus grains
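Review bot: `/etc/snmp/snmpd.conf` is rendered from pillar and carries the read-only community string, yet its `file.managed` state sets no `user`, `group` or `mode`, so the permissions of the written file are whatever the package or a previous run left behind; `- user: root`, `- group: root` and `- mode: 600` (or `640` with the `snmp` group, if the daemon reads the file after dropping privileges) should be stated explicitly, as is done for `/etc/snmp/ifAlias`. The `service.running` state uses `reload: true`, which makes the `watch_in` from `/etc/default/snmpd` trigger a reload rather than a restart, and changes to `SNMPDOPTS` in that file only take effect on a full restart, so that watch probably does not do what is intended. The comment "pick lookback IP addresses" and the trailing TODO presumably mean "loopback".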

+ 94 - 0
snmpd/snmpd.conf

@@ -0,0 +1,94 @@
+{%- import "globals.sls" as globals with context %}
+{%- set ro_community = salt['pillar.get'] ('ffho:snmp:ro_community', "Configure ffho:snmp:ro_community in pillar...") %}
+#
+# /etc/snmp/snmpd.conf (Salt managed)
+#
+
+# Listen for connections from the local system
+agentAddress  udp:127.0.0.1:161
+agentAddress  udp6:[::1]:161
+
+# Listen for connections on Loopback-IPs
+{%- if globals.LOOPBACK_IPv4 %}
+agentAddress  udp:{{ globals.LOOPBACK_IPv4 }}:161
+{%- endif %}
+{%- if globals.LOOPBACK_IPv6 %}
+agentAddress  udp6:[{{ globals.LOOPBACK_IPv6 }}]:161
+{%- endif %}
+
+
+ocommunity   {{ ro_community }}	10.132.251.161
+rocommunity6 {{ ro_community }}	fdca:ffee:ff12:a251::161
+
+sysLocation    {{ globals.SYS_LOCATION }}
+sysContact     ops@ffho.net
+sysServices    72
+
+#
+# Network interfaces
+#
+{%- if 'gateway' in globals.ROLES %}
+# Set B.A.T.M.A.N. related devices to 100 MBit/s
+interface	bat0		6	100000000
+interface	inter-gw-vpn	6	100000000
+interface	mesh-vpn-v4	6	100000000
+interface	mesh-vpn-v6	6	100000000
+{%- endif %}
+
+{%- set ovpn_networks = [] %}
+{%- for netname, network in salt['pillar.get']('ovpn', {}).items () if grains['id'] in network %}
+  {%- do ovpn_networks.append (netname) %}
+{%- endfor %}
+{%- for netname in ovpn_networks|sort %}
+  {%- set network = salt['pillar.get']('ovpn:' ~ netname) %}
+  {%- set network_config = network.get ('config') %}
+  {%- set host_stanza = network.get (grains['id']) %}
+  {%- set host_config = host_stanza.get ('config', {}) %}
+  {%- set interface = host_config.get ('interface', network_config.get ('interface')) %}
+  {%- if loop.first %}
+# OpenVPN interfaces
+  {%- endif %}
+interface	{{ interface }}	6	100000000
+{%- endfor %}
+
+
+#
+# Try to figure out meaningful interface descriptions/aliases
+pass	.1.3.6.1.2.1.31.1.1.1.18	/etc/snmp/ifAlias
+
+
+#
+#  Disk Monitoring
+#
+                               # 10MBs required on root disk, 5% free on /var, 10% free on all other disks
+disk       /     10000
+disk       /var  5%
+includeAllDisks  10%
+
+#  Walk the UCD-SNMP-MIB::dskTable to see the resulting output
+#  Note that this table will be empty if there are no "disk" entries in the snmpd.conf file
+
+
+#
+#  System Load
+#
+                               # Unacceptable 1-, 5-, and 15-minute load averages
+load   12 10 5
+
+#  Walk the UCD-SNMP-MIB::laTable to see the resulting output
+#  Note that this table *will* be populated, even without a "load" entry in the snmpd.conf file
+
+
+#
+#  Event MIB - automatically generate alerts
+#
+                                   # Remember to activate the 'createUser' lines above
+iquerySecName   internalUser
+rouser          internalUser
+                                   # generate traps on UCD error conditions
+defaultMonitors          no
+                                   # generate traps on linkUp/Down
+linkUpDownNotifications  no
+
+
+master          agentx
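Review bot: `ocommunity   {{ ro_community }}	10.132.251.161` is a typo for `rocommunity`; snmpd does not know the token, so the IPv4 read-only community is never configured while the IPv6 line right below it works. The pillar fallback `"Configure ffho:snmp:ro_community in pillar..."` is emitted into the config file as if it were a community string when the pillar key is missing, so a misconfigured minion ends up with a guessable, multi-word value rather than a render failure; failing the render (or rendering no `rocommunity` lines at all) when the value is absent would be the safer default. The comment "Remember to activate the 'createUser' lines above" refers to lines that do not exist in this file, so it should be dropped or rewritten to say where `internalUser` is defined.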

+ 8 - 0
sudo/ffho.tmpl

@@ -0,0 +1,8 @@
+{%- import "globals.sls" as globals with context %}
+
+{% for role in globals.ROLES %}
+  {%- set file = "sudo/roles/" + role %}
+  {%- include file ignore missing %}
+{% endfor %}
+
+{%- include "sudo/hosts/" + grains['id'] ignore missing %}

+ 4 - 0
sudo/hosts/services.in.ffho.net

@@ -0,0 +1,4 @@
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh_comm
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_bat0_health
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_rouge_gw
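Review bot: Each entry lets the `nagios` user run the listed plugin as root with any arguments and without a password, so the protection rests entirely on those scripts being root-owned and not writable by `nagios`, and on how they treat their arguments; if the checks take no arguments, appending `""` (e.g. `nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh ""`) restricts the rule to argument-less invocation. The same applies to sudo/roles/gateway and sudo/roles/kvm_host. The first three lines here duplicate sudo/roles/gateway exactly, so a host that also carries the gateway role gets them twice via sudo/ffho.tmpl, which is harmless for sudo but suggests the host file should only hold what the roles do not.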

+ 23 - 0
sudo/init.sls

@@ -0,0 +1,23 @@
+#
+# Vim magic
+#
+
+sudo:
+  pkg.installed:
+    - name: sudo
+
+/etc/sudoers.d:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 755
+    - makedirs: True
+
+/etc/sudoers:
+  file.managed:
+    - source: salt://sudo/sudoers
+
+/etc/sudoers.d/ffho:
+  file.managed:
+    - source: salt://sudo/ffho.tmpl
+    - template: jinja
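Review bot: Neither `/etc/sudoers` nor `/etc/sudoers.d/ffho` is validated before being written, and a rendering mistake in `sudo/ffho.tmpl` or one of its included fragments disables sudo on the host; adding `- check_cmd: /usr/sbin/visudo -cf` to both `file.managed` states makes Salt run visudo against the temporary file and refuse the change when it does not parse. Both states also omit `user`, `group` and `mode`, so a freshly created `/etc/sudoers.d/ffho` gets Salt's default mode rather than the `0440` that sudoers(5) expects; `- user: root`, `- group: root` and `- mode: 440` should be explicit. The header comment `# Vim magic` is copied from vim/init.sls and should say what this state is.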

+ 3 - 0
sudo/roles/gateway

@@ -0,0 +1,3 @@
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_gw_mesh_comm
+nagios  ALL=NOPASSWD:/usr/local/share/nagios/plugins/check_bat0_health

+ 1 - 0
sudo/roles/kvm_host

@@ -0,0 +1 @@
+nagios  ALL=NOPASSWD:/usr/lib/nagios/plugins/check_kvm

+ 27 - 0
sudo/sudoers

@@ -0,0 +1,27 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_reset
+Defaults        mail_badpass
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
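Review bot: Unlike the other files in this commit (screenrc.root, default_snmpd, snmpd.conf, NAT.conf), this one carries no "(Salt managed)" marker, and since the Debian header explicitly tells the reader to edit it with visudo, an administrator will not know their change gets overwritten on the next highstate; a line such as `# /etc/sudoers (Salt managed) - local changes belong in /etc/sudoers.d/` at the top would make that clear. The trailing `#includedir /etc/sudoers.d` is what activates the fragments written by sudo/init.sls, which is worth a one-line comment since it looks like a commented-out directive.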

+ 12 - 0
sysctl/NAT.conf

@@ -0,0 +1,12 @@
+#
+# /etc/sysctl.d/NAT.conf (Salt managed)
+#
+# "Be conservative in what you do,
+#  be liberal in what you accept from others."
+#  If it's non-zero, we mark only out of window RST segments as INVALID.
+#  -- net/netfilter/nf_conntrack_proto_tcp.c
+#
+net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 1
+
+# Increase conntrack table size (default 32k)
+net.ipv4.netfilter.ip_conntrack_max = 16777216
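Review bot: Both keys use the legacy `net.ipv4.netfilter.ip_conntrack_*` compatibility names; the canonical ones are `net.netfilter.nf_conntrack_tcp_be_liberal` and `net.netfilter.nf_conntrack_max`, and the compatibility aliases depend on a kernel option that later kernels dropped, so the file would then silently set nothing. Either variant only exists once the conntrack module is loaded, so `sysctl --system` at boot may run before the keys appear; a comment such as `# Requires nf_conntrack to be loaded, otherwise these keys do not exist yet` would save the next reader a debugging session. A sixteen-million-entry table also does not change the hash bucket count, which is a separate nf_conntrack module parameter (hashsize), and the memory this budget allows for should be noted next to the value.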

+ 7 - 0
sysctl/arp_caches.conf

@@ -0,0 +1,7 @@
+net.ipv4.neigh.default.gc_thresh1 = 1024
+net.ipv4.neigh.default.gc_thresh2 = 2048
+net.ipv4.neigh.default.gc_thresh3 = 4096
+
+net.ipv6.neigh.default.gc_thresh1 = 1024
+net.ipv6.neigh.default.gc_thresh2 = 2048
+net.ipv6.neigh.default.gc_thresh3 = 4096

+ 17 - 0
sysctl/init.sls

@@ -0,0 +1,17 @@
+#
+# sysctl
+#
+
+# Define command to reload sysctl settings here without dependencies
+# and define inverse dependencies where useful (see sysctl.conf)
+reload-sysctl:
+  cmd.wait:
+    - watch: []
+    - name: /sbin/sysctl --system
+
+
+/etc/sysctl.conf:
+  file.managed:
+    - source: salt://sysctl/sysctl.conf
+    - watch_in:
+      - cmd: reload-sysctl

+ 2 - 0
sysctl/ip_forward.conf

@@ -0,0 +1,2 @@
+net.ipv4.ip_forward=1
+net.ipv6.conf.all.forwarding=1

+ 3 - 0
sysctl/kernel.conf

@@ -0,0 +1,3 @@
+# after kernel oops wait 1 sec, than reset system
+kernel.panic_on_oops = 1
+kernel.panic = 1

+ 4 - 0
sysctl/nf-ignore-bridge.conf

@@ -0,0 +1,4 @@
+# Don't filter packet passing a bridge and not being routed on this host.
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-arptables = 0
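Review bot: The `net.bridge.bridge-nf-call-*` keys only exist while the bridge netfilter code is loaded (the `bridge` module on older kernels, `br_netfilter` on newer ones), so at boot `sysctl --system` may run before the module is present and the setting then silently does not apply until `reload-sysctl` fires again. A comment stating that precondition, e.g. `# Only effective once the bridge/br_netfilter module is loaded; ensure it is loaded early`, and an accompanying module-load entry would make the behaviour deterministic. Since this also means bridged traffic bypasses the host's iptables rules by design, the comment should say that is intended.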

+ 36 - 0
sysctl/router.sls

@@ -0,0 +1,36 @@
+#
+# Sysctl stuff for routers
+#
+
+include:
+  - sysctl
+
+/etc/sysctl.d/21-ip_forward.conf:
+  file.managed:
+    - source: salt://sysctl/ip_forward.conf
+    - watch_in:
+      - cmd: reload-sysctl
+
+/etc/sysctl.d/20-arp_caches.conf:
+  file.managed:
+    - source: salt://sysctl/arp_caches.conf
+    - watch_in:
+      - cmd: reload-sysctl
+
+/etc/sysctl.d/22-kernel.conf:
+  file.managed:
+    - source: salt://sysctl/kernel.conf
+    - watch_in:
+      - cmd: reload-sysctl
+
+/etc/sysctl.d/NAT.conf:
+  file.managed:
+    - source: salt://sysctl/NAT.conf
+    - watch_in:
+      - cmd: reload-sysctl
+
+/etc/sysctl.d/nf-ignore-bridge.conf:
+  file.managed:
+    - source: salt://sysctl/nf-ignore-bridge.conf
+    - watch_in:
+      - cmd: reload-sysctl
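Review bot: The file names under `/etc/sysctl.d/` mix a numeric prefix (`20-arp_caches`, `21-ip_forward`, `22-kernel`) with unprefixed names (`NAT.conf`, `nf-ignore-bridge.conf`), and the states are not listed in that order either, so it is unclear whether the ordering is meant to matter; since sysctl applies the files in lexical order, a consistent prefix scheme (or a comment saying none of these keys overlap, so order is irrelevant) would remove the ambiguity. This state also places the conntrack tuning from NAT.conf on every router, which is fine if every router does NAT, but a comment on that state should say so.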

+ 60 - 0
sysctl/sysctl.conf

@@ -0,0 +1,60 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+#net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+#  Enabling this option disables Stateless Address Autoconfiguration
+#  based on Router Advertisements for this host
+#net.ipv6.conf.all.forwarding=1
+
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
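Review bot: Every hardening setting in the "Additional settings" block is commented out, exactly as in the Debian default file, and for hosts that do not also get sysctl/router.sls this is the only sysctl configuration Salt manages, so `accept_redirects`, `accept_source_route` and `log_martians` stay at the kernel defaults (ICMP redirects are accepted on non-forwarding hosts by default). If this is a deliberate copy of the distribution file, a "(Salt managed)" header like the one in sysctl/NAT.conf and a note that the FFHO-specific values live in `/etc/sysctl.d/` would make that intent visible; otherwise the settings documented here belong in a sysctl.d fragment of their own so the non-router hosts get them.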

+ 11 - 0
vim/init.sls

@@ -0,0 +1,11 @@
+#
+# Vim magic
+#
+
+vim:
+  pkg.installed:
+    - name: vim
+
+/root/.vimrc:
+  file.managed:
+    - source: salt://vim/vimrc

+ 4 - 0
vim/vimrc

@@ -0,0 +1,4 @@
+set nowrap
+set ai
+syn on
+color delek