From 8da3102b6140868c4d5937d968541e245ac310f1 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Thu, 8 Apr 2021 19:29:01 +0200
Subject: [PATCH] committing changes in /etc made by "apt dist-upgrade -y"

Package changes:
+python3-dateutil 2.7.3-3 all
+python3-distro 1.3.0-1 all
+python3-jinja2 2.10-2 all
+python3-markupsafe 1.1.0-1 amd64
+python3-msgpack 0.5.6-1+b1 amd64
+python3-psutil 5.5.1-1 amd64
+python3-pycryptodome 3.6.1-2+b1 amd64
+python3-systemd 234-2+b1 amd64
+python3-zmq 17.1.2-2+deb10u1 amd64
-salt-common 2019.2.0+ds-1 all
-salt-master 2019.2.0+ds-1 all
-salt-minion 2019.2.0+ds-1 all
-salt-ssh 2019.2.0+ds-1 all
+salt-common 3003+ds-1 all
+salt-master 3003+ds-1 all
+salt-minion 3003+ds-1 all
+salt-ssh 3003+ds-1 all
---
 .etckeeper | 1 +
 salt/master | 53 +++++++++++++++++++++++++++++++---
 salt/minion | 44 ++++++++++++++++++++++++----
 ufw/applications.d/salt-master | 6 ++++
 4 files changed, 95 insertions(+), 9 deletions(-)
 create mode 100644 ufw/applications.d/salt-master

diff --git a/.etckeeper b/.etckeeper
index 2f6b20b..29135bb 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -1733,6 +1733,7 @@ maybe chmod 0755 'ufw/applications.d'
 maybe chmod 0644 'ufw/applications.d/bind9'
 maybe chmod 0644 'ufw/applications.d/openssh-server'
 maybe chmod 0644 'ufw/applications.d/postfix'
+maybe chmod 0644 'ufw/applications.d/salt-master'
 maybe chmod 0600 'ulogd.conf'
 maybe chmod 0755 'update-motd.d'
 maybe chmod 0755 'update-motd.d/10-uname'
diff --git a/salt/master b/salt/master
index a1ced68..fa70219 100644
--- a/salt/master
+++ b/salt/master
@@ -27,6 +27,9 @@
 # modified files cause conflicts, set verify_env to False.
 #user: root
 
+# Tell the master to also use salt-ssh when running commands against minions.
+#enable_ssh_minions: False
+
 # The port used by the communication interface. The ret (return) port is the
 # interface used for the file server, authentication, job returns, etc.
 #ret_port: 4506
@@ -151,7 +154,7 @@
 # Store all returns in the given returner.
 # Setting this option requires that any returner-specific configuration also
 # be set. See various returners in salt/returners for details on required
-# configuration values. (See also, event_return_queue below.)
+# configuration values. (See also, event_return_queue, and event_return_queue_max_seconds below.)
 #
 #event_return: mysql
 
@@ -161,6 +164,12 @@
 # By default, events are not queued.
 #event_return_queue: 0
 
+# In some cases enabling event return queueing can be very helpful, but the bus
+# may not busy enough to flush the queue consistently. Setting this to a reasonable
+# value (1-30 seconds) will cause the queue to be flushed when the oldest event is older
+# than `event_return_queue_max_seconds` regardless of how many events are in the queue.
+#event_return_queue_max_seconds: 0
+
 # Only return events matching tags in a whitelist, supports glob matches.
 #event_return_whitelist:
 # - salt/master/a_tag
@@ -341,7 +350,7 @@
 # the autosign_file and the auto_accept setting.
 #autoreject_file: /etc/salt/autoreject.conf
 
-# If the autosign_grains_dir is specified, incoming keys from minons with grain
+# If the autosign_grains_dir is specified, incoming keys from minions with grain
 # values matching those defined in files in this directory will be accepted
 # automatically. This is insecure. Minions need to be configured to send the grains.
 #autosign_grains_dir: /etc/salt/autosign_grains
@@ -497,6 +506,12 @@
 # Boolean to run command via sudo.
 #ssh_sudo: False
 
+# Boolean to run ssh_pre_flight script defined in roster. By default
+# the script will only run if the thin_dir does not exist on the targeted
+# minion. This forces the script to run regardless of the thin dir existing
+# or not.
+#ssh_run_pre_flight: True
+
 # Number of seconds to wait for a response when establishing an SSH connection.
 #ssh_timeout: 60
 
@@ -620,6 +635,10 @@
 # states is cluttering the logs. Set it to True to ignore them.
 #state_output_diff: False
 
+# The state_output_profile setting changes whether profile information
+# will be shown for each state run.
+#state_output_profile: True
+
 # Automatically aggregate all states that have support for mod_aggregate by
 # setting to 'True'. Or pass a list of state module names to automatically
 # aggregate just those types.
@@ -662,7 +681,9 @@
 
 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
-#master_roots: /srv/salt-master
+#master_roots:
+# base:
+# - /srv/salt-master
 
 # When using multiple environments, each with their own top file, the
 # default behaviour is an unordered merge. To prevent top files from
@@ -1007,6 +1028,24 @@
 #
 #pillar_cache_backend: disk
 
+# A master can also cache GPG data locally to bypass the expense of having to render them
+# for each minion on every request. This feature should only be enabled in cases
+# where pillar rendering time is known to be unsatisfactory and any attendant security
+# concerns about storing decrypted GPG data in a master cache have been addressed.
+#
+# When enabling this feature, be certain to read through the additional ``gpg_cache_*``
+# configuration options to fully understand the tunable parameters and their implications.
+#gpg_cache: False
+
+# If and only if a master has set ``gpg_cache: True``, the cache TTL controls the amount
+# of time, in seconds, before the cache is considered invalid by a master and a fresh
+# pillar is recompiled and stored.
+#gpg_cache_ttl: 86400
+
+# If and only if a master has set `gpg_cache: True`, one of several storage providers
+# can be utilized. Available options are the same as ``pillar_cache_backend``.
+#gpg_cache_backend: disk
+
 
 ###### Reactor Settings #####
 ###########################################
@@ -1263,7 +1302,7 @@
 ############################################
 # Warning: Failure to set TCP keepalives on the salt-master can result in
 # not detecting the loss of a minion when the connection is lost or when
-# it's host has been terminated without first closing the socket.
+# its host has been terminated without first closing the socket.
 # Salt's Presence System depends on this connection status to know if a minion
 # is "present".
 # ZeroMQ now includes support for configuring SO_KEEPALIVE if supported by
@@ -1290,3 +1329,9 @@
 # use OS defaults, typically 75 seconds on Linux, see
 # /proc/sys/net/ipv4/tcp_keepalive_intvl.
 #tcp_keepalive_intvl: -1
+
+
+##### NetAPI settings #####
+############################################
+# Allow the raw_shell parameter to be used when calling Salt SSH client via API
+#netapi_allow_raw_shell: True
diff --git a/salt/minion b/salt/minion
index f2b6655..b87397e 100644
--- a/salt/minion
+++ b/salt/minion
@@ -42,7 +42,7 @@
 # value to "str". Failover masters can be requested by setting
 # to "failover". MAKE SURE TO SET master_alive_interval if you are
 # using failover.
-# Setting master_type to 'disable' let's you have a running minion (with engines and
+# Setting master_type to 'disable' lets you have a running minion (with engines and
 # beacons) without a master connection
 #
 # master_type: str
@@ -118,6 +118,13 @@
 # set this config to ``False``.
 #minion_id_caching: True
 
+# Convert minion id to lowercase when it is being generated. Helpful when some
+# hosts get the minion id in uppercase. Cached ids will remain the same and
+# not converted. For example, Windows minions often have uppercase minion
+# names when they are set up but not always. To turn on, set this config to
+# ``True``.
+#minion_id_lowercase: False
+
 # Append a domain to a hostname in the event that it does not exist. This is
 # useful for systems where socket.getfqdn() does not actually result in a
 # FQDN (for instance, Solaris).
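Review bot: The new NetAPI block at the end of salt/master documents `netapi_allow_raw_shell` only as permitting the `raw_shell` parameter, without saying what that parameter grants or which value applies while the line stays commented out, so an operator who uncomments the example `#netapi_allow_raw_shell: True` verbatim is turning on raw shell command execution through the Salt SSH client for every caller the API authenticates. The comment should state the effective default and the consequence, e.g. `# raw_shell lets API callers run arbitrary shell commands on Salt SSH targets; leave this disabled unless a specific API client needs it and its eauth rules are tightly scoped.` Because this file is the package-shipped default, the same caveat belongs wherever the live master config overrides it; I cannot see from the hunk whether this host has the API enabled at all.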
@@ -157,6 +164,16 @@
 # Set the directory used to hold unix sockets.
 #sock_dir: /var/run/salt/minion
 
+# In order to calculate the fqdns grain, all the IP addresses from the minion
+# are processed with underlying calls to `socket.gethostbyaddr` which can take
+# 5 seconds to be released (after reaching `socket.timeout`) when there is no
+# fqdn for that IP. These calls to `socket.gethostbyaddr` are processed
+# asynchronously, however, it still adds 5 seconds every time grains are
+# generated if an IP does not resolve. In Windows grains are regenerated each
+# time a new process is spawned. Therefore, the default for Windows is `False`.
+# All other OSes default to `True`
+# enable_fqdns_grains: True
+
 # The minion can take a while to start up when lspci and/or dmidecode is used
 # to populate the grains for the minion. Set this to False if you do not need
 # GPU hardware grains for your minion.
@@ -315,7 +332,7 @@
 # reconnect 9: wait 33 seconds
 # reconnect x: etc.
 #
-# In a setup with ~6000 thousand hosts these settings would average the reconnects
+# In a setup with ~6000 hosts these settings would average the reconnects
 # to about 100 per second and all hosts would be reconnected within 60 seconds.
 # recon_default: 100
 # recon_max: 5000
@@ -391,7 +408,7 @@
 #mine_interval: 60
 
 # Windows platforms lack posix IPC and must rely on slower TCP based inter-
-# process communications. Set ipc_mode to 'tcp' on such systems
+# process communications. ipc_mode is set to 'tcp' on such systems.
 #ipc_mode: ipc
 
 # Overwrite the default tcp ports used by the minion when ipc_mode is set to 'tcp'
@@ -513,11 +530,14 @@
 # enabled and can be disabled by changing this value to False.
 #clean_dynamic_modules: True
 #
-# Normally, the minion is not isolated to any single environment on the master
+# Renamed from ``environment`` to ``saltenv``. If ``environment`` is used,
+# ``saltenv`` will take its value. If both are used, ``environment`` will be
+# ignored and ``saltenv`` will be used.
+# Normally the minion is not isolated to any single environment on the master
 # when running states, but the environment can be isolated on the minion side
 # by statically setting it. Remember that the recommended way to manage
 # environments is to isolate via the top file.
-#environment: None
+#saltenv: None
 #
 # Isolates the pillar environment on the minion side. This functions the same
 # as the environment setting, but for pillar instead of states.
@@ -548,6 +568,11 @@
 # - edit.vim
 # - hyper
 #
+# List of grains to pass in start event when minion starts up:
+#start_event_grains:
+# - machine_id
+# - uuid
+#
 # Top file to execute if startup_states is 'top':
 #top_file: ''
 
@@ -560,6 +585,15 @@
 #
 #state_aggregate: False
 
+# Disable requisites during state runs by specifying a single requisite
+# or a list of requisites to disable.
+#
+# disabled_requisites: require_in
+#
+# disabled_requisites:
+# - require
+# - require_in
+
 ##### File Directory Settings #####
 ##########################################
 # The Salt Minion can redirect all file server operations to a local directory,
diff --git a/ufw/applications.d/salt-master b/ufw/applications.d/salt-master
new file mode 100644
index 0000000..9dd120c
--- /dev/null
+++ b/ufw/applications.d/salt-master
@@ -0,0 +1,6 @@
+# Install into /etc/ufw/applications.d/ and run 'ufw app update' to add salt
+# firewall rules to systems with UFW. Activate with 'ufw allow salt'
+[Salt]
+title=salt
+description=fast and powerful configuration management and remote execution
+ports=4505,4506/tcp
-- 
2.39.5
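Review bot: The usage comment in the new ufw/applications.d/salt-master profile recommends `ufw allow salt`, which admits 4505,4506/tcp from any source address, yet those are the master's publish and return ports and normally only minion networks need to reach them. The comment should show the source-scoped form alongside the unscoped one, e.g. `# Prefer 'ufw allow from <minion-subnet> to any app Salt' so only known minion networks reach the master ports` (with `<minion-subnet>` filled in per site). Shipping the profile does not by itself open anything; the exposure only arises once an operator follows the comment as written.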