pillar.example

# vim: ft=yaml
# yamllint disable rule:comments-indentation
# yamllint disable rule:line-length
---
vault:
    # Parameters for certificate generation via x509 module.
    # Set cert to false to disable.
  cert:
    ca_server: null
    cn: null
    days_remaining: 3
    days_valid: 7
    intermediate: []
    root: null
    san: null
    signing_cert: null
    signing_policy: null
    signing_private_key: null

    # Will be serialized as JSON
  config: {}

    # Whether to ensure swap is disabled
  disable_swap: false

    # Cluster initialization settings. Set this to false
    # to disable automatic initialization.
  init:
      # Number of generated key shares
    key_shares: 3
      # Number of key shares required to unlock Vault
    key_threshold: 2
      # Output the generated (encrypted) key shares and root token
      # into this directory
    output: /root/vault_init
      # List of GPG keys to use to encrypt the key shares.
      # Should be the same number as `key_shares`
      # (or a single one for "non-production")
    pgp_keys: []
      # GPG key that will be used to encrypt the initial root token
    root_token_pgp_key: null
      # HTTP(s) URI to connect to for cluster management
    vault_addr: null

    # Manage database secret backend mounts.
  database: {}
  # Example:
  ##########
  # mysql:              # <mount_name>
  #   galera_1:         # <connection_name>
  #     plugin: mysql   # Parameters to `vault_db.connection_present`
  #     connection_url: '{{username}}:{{password}}@tcp(galera.example.com:3306)/'
  #     username: vault
  #     password: correct horse battery staple
  #     roles:
  #       role_1:       # <role_name>
  #         # ...       # Parameters to `vault_db.role_present`
  ##########

    # Managed leases. This allows to ensure valid leases are present
    # and associate beacons with them and - if desired - a state
    # that will be emitted in the event when the lease expires.
  leases:
      # Database leases
    database: {}
    # Example:
    # mysql_gitea:
    #   role: gitea
    #   mount: galera
    #   valid_for: 1h  # at least at the time of the state run
    #   beacon: true
    #   beacon_interval: 240
    #   meta: gitea
    #   min_ttl: 13m   # below that, the beacon will emit events
    #   check_server: true

    # Automatically open relevant ports.
    # Supported on RedHat family only currently.
  manage_firewall: true

    # PKI backend management
  pki:
      # List of intermediate CAs to generate. List items are kwargs
      # to `vault_pki.intermediate_ca`.
    ca: []
      # Roles that should be available on the mount.
      # List items are kwargs to `vault_pki.role_present`.
    roles_absent: []
      # Roles that should be absent from the mount.
      # List items are kwargs to `vault_pki.role_absent`.
    roles_present: []
      # List of parameters to `vault_pki.urls_set`
    urls: []

    # List of plugins to pull and register.
  plugins: []
  # Example:
  ##########
  # Required:
  # --------
  # - name: influxdb2-database-plugin
  #   source: https://git.my.name/vault/influxdb2-database-plugin/releases/0.0.2/influxdb2-database-plugin_0.0.2_linux_amd64
  #   hash: https://git.my.name/vault/influxdb2-database-plugin/releases/0.0.2/SHA256
  #   type: database
  ##########
  # Optional for pulling (currently requires my updated gpg and file modules):
  # --------
  #   keyring: /my/custom/keyring.gpg
  #   gnupghome: /my/custom/gnupghome.gpg
  #   signature: https://git.my.name/vault/influxdb2-database-plugin/releases/0.0.2/influxdb2-database-plugin_0.0.2_linux_amd64.sig
  #   source_hash_sig: https://git.my.name/vault/influxdb2-database-plugin/releases/0.0.2/SHA256.sig
  ##########
  # Optional for registration:
  # --------
  #   args:
  #     - argument
  #   cmd_name: {name}_{version}
  #   env:
  #     - envvar=envval
  #   version: 0.0.2
  ##########

    # List of plugins to ensure are absent.
  plugins_absent: []
  # Example:
  ##########
  # - name: influxdb2-database-plugin
  #   type: database
  ##########

    # When applying `clean` states, do not prevent accidental data loss
  remove_all_data_for_sure: false

    # A mapping of path to parameters for vault_secret.present
    # for secrets to manage
  secrets: {}

    # A list of secret paths (or dicts with 'operation' and 'path' keys)
    # to ensure absence of
  secrets_absent: []

    # Manage SSH secret backend mounts. This should be a map of
    # mount name to mount configuration.
    # The mount configuration can have three keys, `ca`, `roles` and `roles_absent`.
    # `ca` specifies parameters for `vault_ssh.ca_present`,
    # `roles` is a mapping of role names to parameters to `vault_ssh.role_present`,
    # `roles_absent` is a list of roles that should not be present on the mount.
  ssh: {}
  # Example:
  ##########
  # ssh_host:
  #   ca:
  #     key_type: ed25519
  #   roles:
  #     host:
  #       key_type: ca
  #       allowed_domains:
  #         - example.com
  #       allow_subdomains: true
  #       allow_host_certificates: true
  ##########

    # `version` parameter for `pkg.installed`
  version: null

  lookup:
    group: vault
    paths:
      api_cert: /opt/vault/tls/server.pem
      api_key: /opt/vault/tls/server.key
      ca_cert: /opt/vault/tls/ca.pem
      client_cert: /opt/vault/tls/client.pem
      client_key: /opt/vault/tls/client.key
    user: vault

  tofs:
      # The files_switch key serves as a selector for alternative
      # directories under the formula files directory. See TOFS pattern
      # doc for more info.
      # Note: Any value not evaluated by `config.get` will be used literally.
      # This can be used to set custom paths, as many levels deep as required.
    files_switch:
      - any/path/can/be/used/here
      - id
      - roles
      - osfinger
      - os
      - os_family

      # All aspects of path/file resolution are customisable using the options below.
      # This is unnecessary in most cases; there are sensible defaults.
      # Default path: salt://< path_prefix >/< dirs.files >/< dirs.default >
      # I.e.: salt://vault/files/default
      # path_prefix: template_alt
      # dirs:
      #   files: files_alt
      #   default: default_alt
      # The entries under `source_files` are prepended to the default source files
      # given for the state
    source_files:
      Vault configuration is managed:
        - 'example_alt.tmpl'
        - 'example_alt.tmpl.jinja'