My personal server configuration using saltstack
_modules
_runners
_states
bin
formulas
pillars
states
.editorconfig
.gitignore
.gitmodules
README.md
Vagrantfile
cloud
cloud.profiles
cloud.providers.example
dev
mapfile
master
setup.sh

bgw-salt

My (in development) personal infrastructure configuration using Salt, with the goal of replacing and expanding upon my current Ansible-configured infrastructure.

Project State

Not currently being used in production.

Features

  • Is developed for Debian Jessie.

  • Configures OpenVPN using good crypto, with faster options chosen where the extra security would be negligible (e.g. AES-128-CBC instead of AES-256-CBC).

  • An OpenSSL CA generates certificates on the server; they are available for download via nginx over HTTPS with password protection.

  • Safe handling of file and program permissions. Certificates aren't world readable, daemons drop permissions to their own unprivileged users/groups, etc.

  • Runs dnsmasq, a lightweight caching DNS server, using Google's DNS as the upstream provider.

  • Uses static IP addresses and injects DNS entries, allowing *.vpn addresses to refer to hosts on the virtual LAN.

  • Generates both *.ovpn files and shell scripts for use with network-manager, which can't use inline certificates in *.ovpn files. Deployment on Debian and Android clients is tested and easy.

  • Automatic updates with unattended-upgrades. This may cause reboots, but they're set to occur at 5 AM to minimize issues.

  • All testing and deployment happens within vagrant, requiring minimal mucking with system settings, while avoiding the general bugginess of salt-ssh.

  • Vagrant setup is done using libvirt/kvm and uses snapshots and aggressive filesystem caching, which is significantly faster and more reliable than the virtualbox provider.
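
As an added example (not code from bgw-salt), a small POSIX shell audit that checks two of the properties listed above on a deployed server: that nothing under a certificate directory is world-readable, and that the OpenVPN server config carries `user` and `group` directives so the daemon drops root after start-up. The paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of bgw-salt: audit the hardening the README lists.
# It reports certificate files that are world-readable and checks that an
# OpenVPN server config drops privileges via "user"/"group" directives.
# The directory and config paths in the usage line are assumptions.
#
# Usage: sh audit_openvpn.sh /etc/openvpn/keys /etc/openvpn/server.conf
set -u

# Print every regular file under $1 whose mode grants read access to "other"
# (-perm -004 matches any file with the o+r bit set).
world_readable_files() {
    find "$1" -type f -perm -004
}

# Succeed (status 0) if nothing under $1 is world-readable; otherwise list
# the offenders with mode and owner on stderr and fail.
check_cert_dir() {
    bad=$(world_readable_files "$1")
    if [ -n "$bad" ]; then
        echo "world-readable files under $1:" >&2
        printf '%s\n' "$bad" | while IFS= read -r f; do ls -ld "$f" >&2; done
        return 1
    fi
    echo "ok: nothing under $1 is world-readable"
}

# Succeed if the OpenVPN config $1 contains both an uncommented "user" and
# an uncommented "group" directive, i.e. the daemon drops root after startup.
openvpn_drops_privileges() {
    grep -Eq '^[[:space:]]*user[[:space:]]+[^[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*group[[:space:]]+[^[:space:]]' "$1"
}

# Command-line entry point; the functions above are reusable without it.
if [ $# -ge 1 ]; then
    rc=0
    check_cert_dir "$1" || rc=1
    if [ $# -ge 2 ]; then
        if openvpn_drops_privileges "$2"; then
            echo "ok: $2 drops privileges"
        else
            echo "warning: $2 does not set both user and group" >&2
            rc=1
        fi
    fi
    exit $rc
fi
```

Run it after a Salt highstate as a cheap regression check: a certificate deployed with `mode 644` or an OpenVPN config that lost its `user`/`group` lines makes the script exit non-zero.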

Development Environment

Prerequisites and Dependencies

  • A functioning gpg-agent configuration on your host with a private key
  • libvirt
  • vagrant

Steps

  1. Clone git submodules:

    $ git submodule update --init --recursive

  2. Install libvirt and make sure you can run a libvirt kvm guest as your current user (this usually involves adding yourself to a group). virt-manager is good for testing this.

  3. Install vagrant (get it from here) and nfs-kernel-server/nfs-server/nfsd.

  4. Install the needed vagrant plugins:

    $ vagrant plugin install vagrant-libvirt
    $ vagrant plugin install vagrant-cachier  # optional, but highly recommended

  5. Generate the cryptographic keys needed:

    $ ./setup.sh

  6. Run vagrant up:

    $ vagrant up
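
The steps above as one preflight-and-bootstrap script, added here as an example (not part of bgw-salt). It checks what the README asks for before running the steps: membership in the libvirt group, the vagrant plugins, and the NFS exports file that the "Possible Issues" section mentions. The group name `libvirt`, the `virsh` binary check and the script name are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example, not part of bgw-salt: preflight checks for the development
# environment, then the README's steps in order. Run as "sh bootstrap.sh run";
# without the argument it only defines the functions.
# Assumptions: the libvirt access group is called "libvirt" and the libvirt
# client tools provide "virsh".
set -u

LIBVIRT_GROUP=${LIBVIRT_GROUP:-libvirt}
REQUIRED_PLUGINS="vagrant-libvirt"
OPTIONAL_PLUGINS="vagrant-cachier"

# $1: output of `id -nG` (space-separated groups); $2: group name.
# Succeeds if the group is present.
user_in_group() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# $1: output of `vagrant plugin list`, one "name (version, ...)" per line;
# $2: space-separated plugin names. Prints the names that are not installed.
missing_plugins() {
    for p in $2; do
        printf '%s\n' "$1" | grep -q "^$p " || echo "$p"
    done
}

# Check the prerequisites from the README and explain what is missing.
preflight() {
    user_in_group "$(id -nG)" "$LIBVIRT_GROUP" ||
        { echo "add yourself to the $LIBVIRT_GROUP group and log in again" >&2; return 1; }
    for cmd in vagrant virsh; do
        command -v "$cmd" >/dev/null 2>&1 ||
            { echo "missing command: $cmd" >&2; return 1; }
    done
    plugins=$(vagrant plugin list)
    m=$(missing_plugins "$plugins" "$REQUIRED_PLUGINS")
    [ -z "$m" ] || { echo "install required vagrant plugins: $m" >&2; return 1; }
    m=$(missing_plugins "$plugins" "$OPTIONAL_PLUGINS")
    [ -z "$m" ] || echo "note: optional plugins not installed: $m" >&2
    # The NFS server may not have started while /etc/exports was empty.
    [ -s /etc/exports ] ||
        echo "note: /etc/exports is empty; restart nfs-kernel-server if the NFS mount fails" >&2
}

# The README's steps, run only after preflight passes.
bootstrap() {
    preflight || return 1
    git submodule update --init --recursive
    ./setup.sh      # generates the keys; needs a working gpg-agent
    vagrant up
}

if [ "${1:-}" = run ]; then
    bootstrap
fi
```

The string-processing helpers take command output as arguments rather than calling the commands themselves, so the checks can be exercised on a machine without libvirt or vagrant installed.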

Possible Issues

  • If NFS fails to mount, this may be because the NFS server isn't actually running. It might not start when /etc/exports is initially empty. Restart it with

    $ sudo service nfs-kernel-server restart

    The vagrant documentation on nfs mounts is helpful here too, especially the section on modifying /etc/sudoers to whitelist the nfs setup commands.

  • 10.20.0.0/24 is used for private networking between the minion and master. If you're already using that IP space for real hosts, you may want to modify the IP addresses in the Vagrantfile.