
System

Overview

Configures system-wide settings including APT updates, network optimizations, sysctl tunings, CPU performance mode, timezone, locale, and log rotation.


This role is a Saltbox dependency.

Deployment

sb install system

Role Defaults

Info

Variables can be overridden in /srv/git/saltbox/inventories/host_vars/localhost.yml.

Example Override
# Example override: put this line in the host_vars file named above
run_sysctl_tasks: true
run_sysctl_tasks
# Type: bool (true/false)
# Presumably gates the sysctl tasks that apply sysctl_settings and
# sysctl_remove_settings below — confirm against the role's task files
run_sysctl_tasks: true
cpu_performance_mode
# Type: bool (true/false)
# Enables the "CPU performance mode" listed in the Overview; how it is applied
# (governor, service) is not shown on this page
cpu_performance_mode: true
system_inotify
# Type: string
# Feeds fs.inotify.max_user_watches in sysctl_settings; quoted so YAML keeps
# the number as a string rather than an int
system_inotify: "524288"
pam_limit_nofile
# Type: string
# Open-file (nofile) limit; quoted number for the same reason as system_inotify.
# NOTE(review): which user/domain the PAM limit is applied to is not shown here
pam_limit_nofile: "100000"
timezone
# Type: string
# Templated from the global tz variable; keep the quotes so an empty or
# unusual expansion is still read as a string
timezone: "{{ tz }}"
timezone_string
# Type: string
# Human-readable "Time zone: <tz>" line built from timezone above — presumably
# compared against the system's reported zone; confirm in the role tasks
timezone_string: "Time zone: {{ timezone }}"
timezone_use_local_rtc
# Type: bool (true/false)
# false keeps the hardware clock in UTC rather than local time — TODO confirm
# this maps to timedatectl's local-rtc setting
timezone_use_local_rtc: false
system_locale
# Type: string
# System locale (LC_*) generated and set by the role
system_locale: "en_US.UTF-8"
system_language
# Type: string
# System language (LANG); defaults to the same value as system_locale
system_language: "en_US.UTF-8"
saltbox_max_log_size
# Type: string
# Size threshold for the log rotation mentioned in the Overview; quoted for
# consistency with the other string defaults (parses to the same value)
saltbox_max_log_size: "2M"
sysctl_settings
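# Type: dict
# Kernel parameters written by the role; each key is a sysctl name and the value
# is applied as-is. NOTE(review): overriding this dict in host_vars presumably
# replaces it wholesale rather than merging individual keys — confirm in sysctl.yml
sysctl_settings:
  # inotify watch limit, templated from system_inotify (quoted so the Jinja
  # output stays a string)
  fs.inotify.max_user_watches: "{{ system_inotify }}"
  # Queueing discipline and socket-buffer tuning; fq is the qdisc normally
  # paired with the bbr congestion control set below
  net.core.default_qdisc: fq
  net.core.netdev_budget: 50000
  net.core.netdev_max_backlog: 100000
  net.core.rmem_max: 67108864
  net.core.somaxconn: 4096
  net.core.wmem_max: 67108864
  # Hardening: ignore ICMP redirects and source-routed packets.
  # NOTE(review): only the conf.all namespace is set here; the conf.default
  # counterparts (inherited by interfaces created later) and the IPv6
  # equivalents are not in this dict — confirm whether the role covers them
  # elsewhere or whether they are intentionally left to the distro defaults
  net.ipv4.conf.all.accept_redirects: 0
  net.ipv4.conf.all.accept_source_route: 0
  net.ipv4.conf.all.secure_redirects: 0
  # TCP tuning; bbr requires a kernel with that congestion control available
  net.ipv4.tcp_adv_win_scale: 2
  net.ipv4.tcp_congestion_control: bbr
  net.ipv4.tcp_fin_timeout: 10
  net.ipv4.tcp_max_syn_backlog: 30000
  net.ipv4.tcp_max_tw_buckets: 2000000
  net.ipv4.tcp_mtu_probing: 1
  # RFC 1337 TIME-WAIT assassination protection
  net.ipv4.tcp_rfc1337: 1
  # "min default max" triples are space-separated and must stay quoted so YAML
  # keeps each one as a single string
  net.ipv4.tcp_rmem: "4096 87380 33554432"
  net.ipv4.tcp_sack: 1
  net.ipv4.tcp_slow_start_after_idle: 0
  net.ipv4.tcp_tw_reuse: 1
  net.ipv4.tcp_window_scaling: 1
  net.ipv4.tcp_wmem: "4096 87380 33554432"
  net.ipv4.udp_rmem_min: 8192
  net.ipv4.udp_wmem_min: 8192
  # Virtual-memory writeback and swap preference
  vm.dirty_background_ratio: 10
  vm.dirty_ratio: 15
  vm.swappiness: 10
  # Neighbour (ARP) cache garbage-collection thresholds
  net.ipv4.neigh.default.gc_thresh1: 1024
  net.ipv4.neigh.default.gc_thresh2: 2048
  net.ipv4.neigh.default.gc_thresh3: 4096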
sysctl_netdev_budget_usecs
# Reminder to change the conditional in sysctl.yml if defaults change
# Type: string
# Kept separate from sysctl_settings because sysctl.yml applies it
# conditionally (per the reminder above); quoted number
sysctl_netdev_budget_usecs: "5000"
sysctl_remove_settings
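# Type: list
# sysctl keys the role removes from its managed configuration so the kernel
# default applies again — TODO confirm the removal scope in sysctl.yml
sysctl_remove_settings:
  - fs.file-max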
system_role_autoheal_enabled
# Enable or disable Autoheal monitoring for the container created when deploying
# Type: bool (true/false)
# NOTE(review): the Overview describes host-level settings and no container;
# this and the other system_role_* toggles below look like shared role
# boilerplate — confirm whether they have any effect for this role
system_role_autoheal_enabled: true
system_role_depends_on
# List of container dependencies that must be running before the container start
# Type: string
# Although described as a list, the value is a string — presumably a
# comma-separated set of container names; empty means no dependencies
system_role_depends_on: ""
system_role_depends_on_delay
# Delay in seconds before starting the container after dependencies are ready
# Type: string (quoted number)
system_role_depends_on_delay: "0"
system_role_depends_on_healthchecks
# Enable healthcheck waiting for container dependencies
# Type: string ("true"/"false")
# NOTE(review): the bare value parses as YAML null, not as the string "false";
# presumably a global default applies when unset — confirm before relying on it
system_role_depends_on_healthchecks:
system_role_diun_enabled
# Enable or disable Diun update notifications for the container created when deploying
# Type: bool (true/false)
system_role_diun_enabled: true
system_role_dns_enabled
# Enable or disable automatic DNS record creation for the container
# Type: bool (true/false)
system_role_dns_enabled: true
system_role_docker_controller
# Enable or disable Saltbox Docker Controller management for the container
# Type: bool (true/false)
system_role_docker_controller: true
system_role_traefik_autodetect_enabled
# Enable Traefik autodetect middleware for the container
# Type: bool (true/false)
system_role_traefik_autodetect_enabled: false
system_role_traefik_crowdsec_enabled
# Enable CrowdSec middleware for the container
# Type: bool (true/false)
# Off by default; only meaningful if CrowdSec is deployed alongside Traefik
system_role_traefik_crowdsec_enabled: false
system_role_traefik_error_pages_enabled
# Enable custom error pages middleware for the container
# Type: bool (true/false)
system_role_traefik_error_pages_enabled: false
system_role_traefik_gzip_enabled
# Enable gzip compression middleware for the container
# Type: bool (true/false)
system_role_traefik_gzip_enabled: false
system_role_traefik_middleware_http_api_insecure
# Type: bool (true/false)
# Left unset here (bare value parses as YAML null), so the global Traefik
# default presumably applies. NOTE(review): this is an "insecure" switch for
# the API endpoint — leave it unset/false unless there is a documented need
system_role_traefik_middleware_http_api_insecure:
system_role_traefik_middleware_http_insecure
# Type: bool (true/false)
# Left unset here (bare value parses as YAML null); same caution as the
# api_insecure toggle above — confirm the global default before overriding
system_role_traefik_middleware_http_insecure:
system_role_traefik_robot_enabled
# Enable robots.txt middleware for the container
# Type: bool (true/false)
system_role_traefik_robot_enabled: true
system_role_traefik_tailscale_enabled
# Enable Tailscale-specific Traefik configuration for the container
# Type: bool (true/false)
system_role_traefik_tailscale_enabled: false
system_role_traefik_wildcard_enabled
# Enable wildcard certificate for the container
# Type: bool (true/false)
system_role_traefik_wildcard_enabled: true
system_role_web_fqdn_override
# Override the Traefik fully qualified domain name (FQDN) for the container
# Type: list
# NOTE(review): the bare value is YAML null rather than an empty list ([]);
# presumably treated as "no override" — see the example below for the list form
system_role_web_fqdn_override:

Example Override

# Example override: every entry is a quoted string so the Jinja expressions
# and dotted hostnames are not misread by the YAML parser
system_role_web_fqdn_override:
  - "{{ traefik_host }}"
  - "system2.{{ user.domain }}"
  - "system.otherdomain.tld"

Note: Include {{ traefik_host }} in the list to preserve the default FQDN alongside your custom entries.

system_role_web_host_override
# Override the Traefik web host configuration for the container
# Type: string
# Left unset here (bare value parses as YAML null); when set, the value is a
# Traefik router rule string — see the example below
system_role_web_host_override:

Example Override

# Example override: the rule contains backticks and Jinja, so it must stay in
# double quotes to be read as one plain string
system_role_web_host_override: "Host(`{{ traefik_host }}`) || Host(`{{ 'system2.' + user.domain }}`)"

Note: Use {{ traefik_host }} to include the default host configuration in your custom rule.

system_role_web_scheme
# URL scheme to use for web access to the container
# Type: string ("http"/"https")
# Left unset here (bare value parses as YAML null); presumably the global
# default scheme applies — confirm before overriding
system_role_web_scheme: