---
message: "This node is using common data"

profile::sssd::enablemkhomedir: true

profile_allow_ssh_from_bastion::bastion_nodelist:
  - "141.142.148.5"
  - "141.142.236.22"
  - "141.142.236.23"
  - "141.142.148.24"
profile_allow_ssh_from_bastion::groups:
  - org_asd
  - org_irst

profile_sudo::configs:
  common_disabled_users:
    priority: 1
    content:
      - "#deny former NCSA users"
      - "%all_disabled_usr ALL=(ALL) !ALL"
profile_sudo::groups:
  org_asd: "ALL=(ALL) NOPASSWD: ALL"
  org_irst: "ALL=(ALL) NOPASSWD: ALL"

sssd::debug_level: 0
sssd::domains:
  ncsa.illinois.edu:
    access_provider: "simple"
    auth_provider: "krb5"
    cache_credentials: false
    chpass_provider: "krb5"
    debug_level: 0
    enumerate: false
    id_provider: "ldap"
    krb5_auth_timeout: 3
    krb5_lifetime: "25h"
    krb5_realm: "NCSA.EDU"
    krb5_renew_interval: 3600
    krb5_renewable_lifetime: "7d"
    krb5_use_kdcinfo: false
    krb5_validate: true
    ldap_backup_uri:
      - ldaps://ldap.ncsa.illinois.edu
      #- ldaps://ldap3.ncsa.illinois.edu
      #- ldaps://ldap4.ncsa.illinois.edu
    ldap_group_member: "uniqueMember"
    ldap_group_search_base: "dc=ncsa,dc=illinois,dc=edu"
    ldap_schema: "rfc2307bis"
    ldap_search_base: "dc=ncsa,dc=illinois,dc=edu"
    #ldap_tls_cacert: "/etc/pki/ca-trust/source/anchors/incommon-ca.pem"
    # Above not present on CentOS; below one is
    ldap_tls_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
    ldap_tls_reqcert: "demand"
    ldap_uri:
      - ldaps://ldap1.ncsa.illinois.edu
      - ldaps://ldap2.ncsa.illinois.edu
    ldap_user_search_base: "dc=ncsa,dc=illinois,dc=edu"
    # LEAVE simple_allow_groups BLANK - ncsa/sshd MODULE DYNAMICALLY ADDS GROUPS
    #simple_allow_groups:
    simple_deny_groups:
      - all_disabled_usr
sssd::services:
  nss:
    override_homedir: "/home/%u"
    shell_fallback: "/bin/bash"
    allowed_shells:
      - /usr/ncsa/bin/tcsh
      - /usr/ncsa/bin/bash
      - /usr/ncsa/bin/zsh
      - /bin/csh
      - /bin/tcsh
      - /bin/zsh
    vetoed_shells:
      - /usr/ncsa/bin/tcsh
      - /usr/ncsa/bin/bash
      - /usr/ncsa/bin/zsh
      - /bin/csh
    filter_groups:
      - adm
      - apache
      - asmadmin
      - asmdba
      - asmoper
      - audio
      - avahi
      - avahi-autoipd
      - backupdba
      - bin
      - cdrom
      - cgred
      - chronograf
      - chrony
      - condor
      - conserver
      - daemon
      - dba
      - dbus
      - dgdba
      - dhcpd
      - dialout
      - dip
      - disk
      - docker
      - elasticsearch
      - floppy
      - ftp
      - games
      - geoclue
      - git
      - gitlab-prometheus
      - gitlab-psql
      - gitlab-redis
      - gitlab-www
      - grafana
      - graylog
      - graylog-web
      - hsqldb
      - influxdb
      - input
      - kmdba
      - kmem
      - ldap
      - levelone
      - lock
      - lp
      - mail
      - man
      - mem
      - mongod
      - munge
      - myproxy
      - myproxyoauth
      - mysql
      - nagios
      - named
      - nfsnobody
      - nobody
      - nrpe
      - nscd
      - ntp
      - oinstall
      - oper
      - oprofile
      - pdagent
      - polkitd
      - postdrop
      - postfix
      - postgres
      - puppet
      - puppetdb
      - qserv
      - qualys
      - rabbitmq
      - racdba
      - redis
      - root
      - rpc
      - rpcuser
      - saslauth
      - screen
      - sfcb
      - simpleca
      - slocate
      - slurm
      - sshd
      - ssh_keys
      - sssd
      - stapdev
      - stapsys
      - stapusr
      - suiadmin
      - SupportAssistAdmins
      - SupportAssistUsers
      - sys
      - systemd-bus-proxy
      - systemd-journal
      - systemd-network
      - tape
      - tcpdump
      - telegraf
      - tss
      - tty
      - unbound
      - users
      - utempter
      - utmp
      - video
      - wheel
    filter_users:
      - activemq
      - adm
      - apache
      - avahi
      - avahi-autoipd
      - bin
      - chronograf
      - chrony
      - condor
      - daemon
      - dbus
      - docker
      - elasticsearch
      - ftp
      - games
      - geoclue
      - grafana
      - graylog
      - graylog-web
      - grid
      - halt
      - hsqldb
      - influxdb
      - ldap
      - lp
      - mail
      - mongod
      - munge
      - myproxy
      - myproxyoauth
      - mysql
      - nagios
      - nfsnobody
      - nobody
      - nrpe
      - nscd
      - nslcd
      - ntp
      - operator
      - oprofile
      - oracle
      - pdagent
      - polkitd
      - postfix
      - rabbitmq
      - redis
      - rsbackup
      - qserv
      - qualys
      - root
      - rpc
      - rpcuser
      - saslauth
      - shutdown
      - simpleca
      - slurm
      - sshd
      - sssd
      - suiadmin
      - sync
      - systemd-bus-proxy
      - systemd-network
      - tcpdump
      - telegraf
      - tomcat
      - tss
      - unbound
      - wireshark
      # NCSA LDAP users w/ uid below 1000:
      - acraig
      - bw
      - cbushell
      - ceperley
      - cox
      - ferguson
      - johns
      - lex
      - norman
      - proth
      - radha
      - redman
      - rkufrin
      - scott
      - scoyle
      - straka
      - svinson
      - u10956
      - welge
      - wicker
  pam: {}

telegraf::agent:
  flush_interval: "10s"
  metric_buffer_limit: "100000"
telegraf::flush_jitter: "10s"
telegraf::inputs:
  cpu:
    percpu: false
    totalcpu: true
  disk:
    ignore_fs:
      - "devtmpfs"
      - "devfs"
  ipmi_sensor:
    path: "/usr/bin/ipmitool"
    interval: "60s"
    timeout: "10s"
  mem: [{}]
  net:
    interfaces:
      - "e*"
      - "bond*"
  processes: [{}]
  puppetagent:
    location: "/opt/puppetlabs/puppet/cache/state/last_run_summary.yaml"
  swap: [{}]
  system: [{}]
  systemd_units:
    unittype: "service"
telegraf::interval: "60s"
telegraf::manage_repo: false
telegraf::outputs: {}