My personal server configuration using saltstack


My (in development) personal infrastructure configuration using Salt, with the goal of replacing and expanding upon my current Ansible-configured infrastructure.

Project State

Not currently being used in production.


  • Is developed for Debian Jessie.

  • Configures OpenVPN using good crypto, with faster options chosen when the security benefits would be negligible (e.g. AES-128-CBC instead of AES-256-CBC).

  • An OpenSSL CA generates certificates on the server, which are available for download via nginx with https and password protection.

  • Safe handling of file and program permissions. Certificates aren't world readable, daemons drop permissions to their own unprivileged users/groups, etc.

  • Runs dnsmasq, a lightweight caching DNS server, using Google's DNS as the upstream provider.

  • Uses static IP addresses and injects DNS entries, allowing *.vpn addresses to refer to hosts on the virtual LAN.

  • Generates both *.ovpn files and shell scripts for use with network-manager, which can't use inline certificates in *.ovpn files. Deployment on Debian and Android clients is tested and easy.

  • Automatic updates with unattended-upgrade. This may cause reboots, but they're set to occur at 5AM to minimize issues.

  • All testing and deployment happens within vagrant, requiring minimal mucking with system settings, while avoiding the general bugginess of salt-ssh.

  • Vagrant setup is done using libvirt/kvm and uses snapshots and aggressive filesystem caching, which is significantly faster and more reliable than the virtualbox provider.
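The permission handling described above (private keys and certificates that are not world readable) is the kind of property worth re-checking after every deployment. The following script is an added example, not part of this repository: it audits a PKI directory for keys or certificates that grant access beyond their owner, and can tighten the modes. It assumes GNU find (for `-perm /MODE` and `-printf`) and the file naming convention `*.key` for private keys and `*.crt`/`*.pem` for certificates; the directory path is whatever your states deploy to.

```shell
#!/bin/sh
# Added example (not from this repository): audit a certificate directory
# for files exposed to group or others, and optionally tighten the modes.
# Assumes GNU find and the naming convention *.key / *.crt / *.pem.

# Print one line per offending file, "KEY <mode> <path>" or "CERT <mode> <path>".
# Private keys must not grant any permission bit to group or others (mode
# bits 077); certificates may be group-readable (for the daemon's group)
# but never world-readable. Prints nothing when the directory is clean.
audit_pki_dir() {
    dir="$1"
    find "$dir" -type f -name '*.key' -perm /077 -printf 'KEY %m %p\n'
    find "$dir" -type f \( -name '*.crt' -o -name '*.pem' \) -perm /o+r \
        -printf 'CERT %m %p\n'
}

# Return 0 if the audit found nothing, 1 otherwise (usable in a deploy check).
pki_dir_is_clean() {
    [ -z "$(audit_pki_dir "$1")" ]
}

# Apply the intended modes: keys owner-only (0600), certificates readable
# by owner and group (0640). Ownership (chown to the daemon's group) is left
# to the Salt state that deploys the files.
harden_pki_dir() {
    dir="$1"
    find "$dir" -type f -name '*.key' -exec chmod 0600 {} +
    find "$dir" -type f \( -name '*.crt' -o -name '*.pem' \) -exec chmod 0640 {} +
}

# Usage: ./audit_pki.sh /etc/openvpn/pki   (hypothetical path, not from the repo)
if [ -n "${1:-}" ]; then
    audit_pki_dir "$1"
    pki_dir_is_clean "$1"
fi
```

Run it with the directory as the single argument; a non-zero exit status means at least one file needs attention, which makes it easy to wire into a post-deploy check.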

Development Environment

Prerequisites and Dependencies

  • A functioning gpg-agent configuration on your host with a private key
  • libvirt
  • vagrant


  1. Clone git submodules:

    $ git submodule update --init --recursive
  2. Install libvirt and make sure you can run a libvirt kvm guest as your current user (this usually involves adding yourself to a group). virt-manager is good for testing this.

  3. Install vagrant (get it from here) and nfs-kernel-server/nfs-server/nfsd.

  4. Install the needed vagrant plugins:

    $ vagrant plugin install vagrant-libvirt
    $ vagrant plugin install vagrant-cachier  # optional, but highly recommended
  5. Generate the cryptographic keys needed:

  6. Run vagrant up:

    $ vagrant up

Possible Issues

  • If NFS fails to mount, this may be because the nfs server isn't actually running. It might not start when /etc/exports is initially empty. Restart it with

    $ sudo service nfs-kernel-server restart

    The vagrant documentation on nfs mounts is helpful here too, especially the section on modifying /etc/sudoers to whitelist the nfs setup commands.

  • is used for private networking between the minion and master. If you're already using that IP space for real hosts, you may want to modify the IP addresses in the Vagrantfile.