It is the 16th of October 2017

How to setup a Debian Wheezy mail and DNS server using SaltStack. Common configuration

In the last chapter I prepared my project and development environment. The current directory structure is:

  • /path/to/master.prograssing.com
    • ./salt/top.sls
    • ./Vagrantfile (optional)
    • ./vagrantconfig.yaml (optional)

First things first

In the common state I install several packages and configuration files that I want on every minion:

I have somewhat shortened the state file below by leaving out things you might not find necessary, like rtorrent or privoxy and Tor. Reading the simple state file below should give you the idea of how to adjust it for your own needs.

The state file is pretty much self-explanatory. Further information can be found in the Salt documentation, of course. I use pillar variables wherever my live server and the Vagrant development box differ. As I mentioned before, these files are not what you would call tidy, so feel free to tweak them for your needs.

I have based the setup on things I found on howtoforge, xenforo and xpd259 and several entries from serverfault and superuser.

./salt/common/init.sls:

common-pkgs:
  pkg.installed:
    - pkgs:
      - make
      - curl
      - vim-nox
      - ntp
      - ntpdate
      - git
      - gcc
      - screen
      - binutils
      - rkhunter
      - openssl
      - zip
      - unzip
      - bzip2
      - daemon
      - clamav
      - clamav-daemon
      - clamav-freshclam
      - libjpeg8-dev
      - libfreetype6-dev
      - lynis
      - apticron
      - update-notifier-common
      - debian-goodies
      - sysstat
      - htop
      - mc
      - libpam-cracklib
      - libpam-passwdqc
      - auditd
      - aide
      - e2fsprogs
      - libss2

root:
  user.present:
    - password: <pwd_hash>
    - shell: /bin/bash
  ssh_auth:
    - present
    - user: root
    - source: salt://common/herbert.id_rsa.pub

herbert:
  user.present:
    - password: <pwd_hash>
    - shell: /bin/bash
    - groups:
      - sudo
      - mail
  ssh_auth:
    - present
    - user: herbert
    - source: salt://common/herbert.id_rsa.pub
    - require:
      - user: herbert

/etc/bash.bashrc:
  file.managed:
    - user: root
    - group: root
    - mode: 644
    - source: salt://common/bash.bashrc

/etc/profile.d/bash_aliases.sh:
  file.managed:
    - user: root
    - group: root
    - mode: 755
    - source: salt://common/bash_aliases

###############
# iptables

/etc/iptables.rules:
  file.managed:
    - user: root
    - group: root
    - mode: 640
    - source: {{ pillar['iptables_rules'] }}

/etc/network/if-pre-up.d/iptables:
  file.managed:
    - user: root
    - group: root
    - mode: 755
    - source: salt://common/iptables

iptables-restore < /etc/iptables.rules:
  cmd.run:
    - require:
      - file: /etc/iptables.rules

# runtime setting only; the sysctl command does not survive a reboot
sysctl net.ipv4.ip_forward=1:
  cmd.run

#########################################################
# install nodejs + npm + common node modules (lessc..)

nodejs:
  pkgrepo.managed:
    - humanname: Wheezy Backports
    - name: deb http://ftp.us.debian.org/debian wheezy-backports main
  pkg.latest:
    - name: nodejs-legacy
    - refresh: True

# the install script lives beside the other common files
/tmp/npm-install.sh:
  file:
    - managed
    - mode: 700
    - source: salt://common/npm-install.sh
  cmd.run:
    - unless: test -e /usr/bin/npm
    - require:
      - pkg: nodejs
      - pkg: common-pkgs

npm install -g less stylus coffee-script:
  cmd.run:
    - unless: test -e /usr/bin/lessc
    - require:
      - cmd: /tmp/npm-install.sh

Configuration files

Below are the configuration files referenced in the state file. I will point out the lines I find useful. It is up to you to find your ideal configuration for things like your bashrc.

Keep eternal history

from debian-administration.org

./salt/common/bash.bashrc

shopt -s histappend
...
HISTCONTROL=ignoredups:ignorespace
HISTSIZE=10000
HISTFILESIZE=12000
# Append to history on every command
PROMPT_COMMAND="${PROMPT_COMMAND:-:} ; history -a"
# Mirror to .bash_eternal_history on every command: PID USER INDEX TIMESTAMP COMMAND
HISTTIMEFORMAT="%s "
PROMPT_COMMAND="${PROMPT_COMMAND:-:} ;"'echo $$ $USER \
               "$(history 1)" >> ~/.bash_eternal_history'
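
The trail written by that last PROMPT_COMMAND line is only worth keeping if it can be read back when you reconstruct what happened on a box. The parser below is an added example, not part of the original post or of the dotfiles it quotes; it assumes the record layout produced above (PID, USER, bash's five-wide history index, the %s timestamp, then the command), handles multi-line commands, which `history 1` prints verbatim, and the sample lines inside it are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Matches one record as written by the PROMPT_COMMAND above:
# PID USER <5-wide history index>[*] <epoch seconds> COMMAND
LINE_RE = re.compile(
    r"^(?P<pid>\d+) (?P<user>\S+) +(?P<index>\d+)\*? +(?P<ts>\d+) (?P<cmd>.*)$")

def parse_eternal_history(text):
    """Turn the raw log into dicts. Lines that do not match are continuation
    lines of a multi-line command (bash's `history 1` prints those verbatim)
    and are appended to the previous record's command."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = int(m.group("ts"))
            records.append({
                "pid": int(m.group("pid")),
                "user": m.group("user"),
                "index": int(m.group("index")),
                "ts": ts,
                "when": datetime.fromtimestamp(ts, tz=timezone.utc),
                "cmd": m.group("cmd"),
            })
        elif records and raw.strip():
            records[-1]["cmd"] += "\n" + raw
    return records

def commands_by(records, user=None, since=None, pattern=None):
    """Filter by user, by an epoch-seconds lower bound and by a regex on the command."""
    rx = re.compile(pattern) if pattern else None
    return [r for r in records
            if (user is None or r["user"] == user)
            and (since is None or r["ts"] >= since)
            and (rx is None or rx.search(r["cmd"]))]

# Constructed sample in the exact layout the bashrc above produces (not real data)
SAMPLE = """\
4242 herbert   101  1508140800 sudo iptables-restore < /etc/iptables.rules
4242 herbert   102  1508140860 cat <<EOF > /tmp/note
hello
EOF
5150 root    17  1508141000 vim /etc/network/if-pre-up.d/iptables
"""

if __name__ == "__main__":
    for r in parse_eternal_history(SAMPLE):
        print(r["when"].isoformat(), r["user"], r["pid"], r["cmd"].splitlines()[0])
```

Since any user can edit their own ~/.bash_eternal_history or unset PROMPT_COMMAND, treat this file as a convenience trail rather than a tamper-evident audit log; auditd from the package list above is the stronger source.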

Bash aliases I like

./salt/common/bash_aliases

alias o='less'
alias ..='cd ..'
alias ...='cd ../..'
alias cd..='cd ..'
alias rd=rmdir
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias md='mkdir -p'
alias sudo="PATH=$PATH:/sbin:/usr/sbin sudo"
alias cp="rsync -avWh --progress"
alias mkdir="mkdir -pv"
alias scp="rsync -avz --progress"
alias dir='ls -l'
alias ll='ls -l'
alias la='ls -la'
alias l='ls -alF'
alias ls-l='ls -l'

Iptables

I found this site a good starting point for firewall rules.

Based on this principle I created two different rule sets, one for my live server and one for the Vagrant development machine.
To use different rules on different minions I introduce the first pillar variable, referenced in the state file above, and load it into the base pillar:

./pillar/common/init.sls

{% if grains['id'].startswith('vagrant') %}
iptables_rules: salt://common/vagrant_iptables.rules
{% else %}
iptables_rules: salt://common/iptables.rules
{% endif %}

./pillar/top.sls

base:
  '*':
    - common

Nodejs

The node setup process and install script can be found on the NodeJS site.
Read the next chapter for SSH setup.