|
| 1 | +# External Host Requirements for PSF Salt Management |
| 2 | + |
| 3 | +This document outlines the requirements and processes for external hosts that will be managed by the |
| 4 | +Python Software Foundation's Salt infrastructure. |
| 5 | + |
| 6 | +## Overview |
| 7 | + |
| 8 | +When providing hardware for PSF services, your server will be managed through our Salt configuration management system. |
| 9 | +This document details the network, security, and access requirements for integration with our infrastructure. |
| 10 | + |
| 11 | +## Network Requirements |
| 12 | + |
| 13 | +### Required Ports |
| 14 | + |
| 15 | +Your server MUST allow **outbound** connections to the following ports on our Salt master: |
| 16 | + |
| 17 | +| Port | Protocol | Purpose | Salt Master | |
| 18 | +|----------|----------|------------------------------|--------------------| |
| 19 | +| **4505** | TCP | Salt Publisher (ZeroMQ) | salt-master.psf.io | |
| 20 | +| **4506** | TCP | Salt Request Server (ZeroMQ) | salt-master.psf.io | |
| 21 | + |
| 22 | +### Inbound Access Requirements |
| 23 | + |
| 24 | +Your server MUST allow **inbound** connections on: |
| 25 | + |
| 26 | +| Port | Protocol | Purpose | Access | |
| 27 | +|--------|----------|----------------|---------------| |
| 28 | +| **22** | TCP | SSH Management | PSF Sysadmins | |
| 29 | + |
| 30 | +### DNS Requirements |
| 31 | + |
| 32 | +- Preferrably, the Server will be accessible via a stable DNS name |
| 33 | +- PSF Salt master is accessible at `salt-master.psf.io` |
| 34 | +- Static IP address preferred (IP changes require coordination) |
| 35 | + |
| 36 | +## Security Configuration |
| 37 | + |
| 38 | +### SSH Access |
| 39 | + |
| 40 | +**Initial Setup:** |
| 41 | +- Root SSH access required for initial bootstrap |
| 42 | +- SSH key-based authentication only (no password authentication) |
| 43 | + - Source keys from GitHub profiles ([@JacobCoffee](https://github.com/JacobCoffee.keys), [@ewdurbin](https://github.com/ewdurbin.keys)) |
| 44 | + |
| 45 | +> **Note**: Root login will be disabled after user accounts are created |
| 46 | +
|
| 47 | +**Production Access:** |
| 48 | +- SSH access provided to PSF sysadmins and service managers (see [User Management](#user-management)) |
| 49 | +- All access through SSH keys managed in Salt pillar data |
| 50 | +- No direct root access after initial setup |
| 51 | + |
| 52 | +### System Hardening |
| 53 | + |
| 54 | +Salt will automatically apply comprehensive security hardening (see [Salt harden state](../../salt/base/harden)): |
| 55 | + |
| 56 | +**SSH Hardening:** |
| 57 | +- Root login disabled after bootstrap |
| 58 | +- Password authentication disabled |
| 59 | +- Strong cryptographic algorithms only |
| 60 | +- Connection limits and timeout controls |
| 61 | +- X11 forwarding disabled |
| 62 | + |
| 63 | +**System Security:** |
| 64 | +- Firewall rules (iptables) with default deny policy |
| 65 | +- File system permissions hardened |
| 66 | +- Core dumps disabled |
| 67 | +- Account lockout policies (5 failed attempts = 10 minute lockout) |
| 68 | +- System resource limits configured |
| 69 | + |
| 70 | +**Network Security:** |
| 71 | +- Stateful firewall with connection tracking |
| 72 | +- IPv4 and IPv6 rules applied |
| 73 | +- Only explicitly allowed ports accessible |
| 74 | +- Internal network traffic restrictions |
| 75 | + |
| 76 | +## User Management |
| 77 | + |
| 78 | +### User Accounts |
| 79 | + |
| 80 | +**User Management:** |
| 81 | +- Created from PSF pillar data (see [Salt users pillar data](../../pillar/base/users)) |
| 82 | +- The pillar data determines, per service, which users are created, their roles (root, etc.), and their SSH keys |
| 83 | +- Sudo access granted to `psf-admin` group (see [Salt sudo pillar data](../../pillar/base/sudoers/init.sls)) |
| 84 | + |
| 85 | +### SSH Key Management |
| 86 | + |
| 87 | +**Key Sources:** |
| 88 | +- SSH keys stored in Salt pillar data |
| 89 | +- Automated key rotation capabilities via Salt highstate runs and Git repository updates |
| 90 | + |
| 91 | +**Key Deployment:** |
| 92 | +- Keys automatically deployed during Salt runs |
| 93 | +- `authorized_keys` files managed by Salt |
| 94 | +- Revocation through pillar data updates |
| 95 | + |
| 96 | +## Security Updates |
| 97 | + |
| 98 | +### Automatic Updates |
| 99 | + |
| 100 | +Salt configures Ubuntu's unattended upgrades: |
| 101 | + |
| 102 | +**Update Sources:** |
| 103 | +- Ubuntu security updates |
| 104 | +- Ubuntu stable updates |
| 105 | +- Critical package updates |
| 106 | + |
| 107 | +**Configuration:** |
| 108 | +- Automatic installation of security updates |
| 109 | +- Email notifications to `[email protected]` (see [Salt unattended-upgrades ](../../salt/unattended-upgrades/config/50unattended-upgrades)) |
| 110 | + |
| 111 | +**Monitoring:** |
| 112 | +- Monitoring generally happens through Sentry or Datadog metric checks. |
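Review bot: the bootstrap procedure (the "SSH Access" and "Network Requirements" sections) never says how the new minion and `salt-master.psf.io` authenticate each other: there is no step for accepting the host's minion key on the master, and nothing tells the provider to pin the master's key before the first connection, so whichever host answers for `salt-master.psf.io` on that first connect can push states to the box as root. Suggest adding a step that records the master's key fingerprint in the minion config (`master_finger` in `/etc/salt/minion`, with the fingerprint supplied by a PSF sysadmin out of band) and that the sysadmin compares the minion's fingerprint the same way before accepting it. Two smaller points in the same section: the inbound table lists `PSF Sysadmins` as the only access for port 22 but gives no source addresses or bastion host, so the provider cannot tell whether 22 must be open from anywhere or only from a PSF range, and the default-deny `harden` state referenced later can only match what is written here; and the `github.com/<user>.keys` URLs put GitHub and the provider's TLS trust store in the path for the root bootstrap keys, so listing the expected key fingerprints in this document (or confirming them out of band) would remove that dependency. Typos: `Preferrably` in the DNS section should read `Preferably`, and the `Salt unattended-upgrades ]` link text has a stray space before the bracket.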