Merge branch 'main' into add-starttls

Author: ewdurbin

docs/conf.py

@@ -22,7 +22,7 @@
 # Add any Sphinx extension module names here, as strings. They can be
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
-extensions = ['myst_parser', "sphinx_copybutton"]
+extensions = ['myst_parser', "sphinx_copybutton", 'sphinxcontrib.jquery', 'sphinx_datatables']
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ["_templates"]
@@ -185,3 +185,9 @@
 
 # Output file base name for HTML help builder.
 htmlhelp_basename = "PythonInfrastructuredoc"
+
+# Enable MyST heading anchors
+myst_heading_anchors = 2
+
+# sphinx-datatables
+datatables_options = {"paging": False}

docs/guides/external-host-requirements.md

@@ -0,0 +1,112 @@
+# External Host Requirements for PSF Salt Management
+
+This document outlines the requirements and processes for external hosts that will be managed by the 
+Python Software Foundation's Salt infrastructure.
+
+## Overview
+
+When providing hardware for PSF services, your server will be managed through our Salt configuration management system. 
+This document details the network, security, and access requirements for integration with our infrastructure.
+
+## Network Requirements
+
+### Required Ports
+
+Your server MUST allow **outbound** connections to the following ports on our Salt master:
+
+| Port     | Protocol | Purpose                      | Salt Master        |
+|----------|----------|------------------------------|--------------------|
+| **4505** | TCP      | Salt Publisher (ZeroMQ)      | salt-master.psf.io |
+| **4506** | TCP      | Salt Request Server (ZeroMQ) | salt-master.psf.io |
+
+### Inbound Access Requirements
+
+Your server MUST allow **inbound** connections on:
+
+| Port   | Protocol | Purpose        | Access        |
+|--------|----------|----------------|---------------|
+| **22** | TCP      | SSH Management | PSF Sysadmins |
+
+### DNS Requirements
+
+- Preferrably, the Server will be accessible via a stable DNS name
+- PSF Salt master is accessible at `salt-master.psf.io`
+- Static IP address preferred (IP changes require coordination)
+
+## Security Configuration
+
+### SSH Access
+
+**Initial Setup:**
+- Root SSH access required for initial bootstrap
+- SSH key-based authentication only (no password authentication)
+  - Source keys from GitHub profiles ([@JacobCoffee](https://github.com/JacobCoffee.keys), [@ewdurbin](https://github.com/ewdurbin.keys)) 
+
+> **Note**: Root login will be disabled after user accounts are created
+
+**Production Access:**
+- SSH access provided to PSF sysadmins and service managers (see [User Management](#user-management))
+- All access through SSH keys managed in Salt pillar data
+- No direct root access after initial setup
+
+### System Hardening
+
+Salt will automatically apply comprehensive security hardening (see [Salt harden state](https://github.com/python/psf-salt/blob/main/salt/base/harden)):
+
+**SSH Hardening:**
+- Root login disabled after bootstrap
+- Password authentication disabled
+- Strong cryptographic algorithms only
+- Connection limits and timeout controls
+- X11 forwarding disabled
+
+**System Security:**
+- Firewall rules (iptables) with default deny policy
+- File system permissions hardened
+- Core dumps disabled
+- Account lockout policies (5 failed attempts = 10 minute lockout)
+- System resource limits configured
+
+**Network Security:**
+- Stateful firewall with connection tracking
+- IPv4 and IPv6 rules applied
+- Only explicitly allowed ports accessible
+- Internal network traffic restrictions
+
+## User Management
+
+### User Accounts
+
+**User Management:**
+- Created from PSF pillar data (see [Salt users pillar data](https://github.com/python/psf-salt/blob/main/pillar/base/users))
+- The pillar data determines, per service, which users are created, their roles (root, etc.), and their SSH keys
+- Sudo access granted to `psf-admin` group (see [Salt sudo pillar data](../../pillar/base/sudoers/init.sls))
+
+### SSH Key Management
+
+**Key Sources:**
+- SSH keys stored in Salt pillar data
+- Automated key rotation capabilities via Salt highstate runs and Git repository updates
+
+**Key Deployment:**
+- Keys automatically deployed during Salt runs
+- `authorized_keys` files managed by Salt
+- Revocation through pillar data updates
+
+## Security Updates
+
+### Automatic Updates
+
+Salt configures Ubuntu's unattended upgrades:
+
+**Update Sources:**
+- Ubuntu security updates
+- Ubuntu stable updates
+- Critical package updates
+
+**Configuration:**
+- Automatic installation of security updates
+- Email notifications to `[email protected]` (see [Salt unattended-upgrades](../../salt/unattended-upgrades/config/50unattended-upgrades))
+
+**Monitoring:**
+- Monitoring generally happens through Sentry or Datadog metric checks.

docs/guides/index.rst

@@ -9,3 +9,4 @@ Guides
     migration-recipe.md
     haproxy-registration-guide.md
     port-guide.md
+    external-host-requirements.md

docs/guides/migration-recipe.md

@@ -155,7 +155,7 @@ index 68387c9..7a8ace1 100644
     sudo service nginx stop
     ```
     ```{note}
-    Don't forget to pause service checks for both the old and new hosts in things like Dead Man's Snitch, Pingdom, etc.
+    Don't forget to pause service checks for both the old and new hosts in things like Sentry monitors, Pingdom, etc.
     ```
 4.  Ensure that any additional volumes are mounted and in the correct location: 
     - Check what disks are currently mounted and where: `df`

docs/overview.rst

@@ -63,6 +63,11 @@ Pingdom
   `Pingdom <https://www.pingdom.com>`_ provides monitoring and complains to us
   when services are down.
 
+Sentry
+    `Sentry <https://sentry.io>`_ is used for error reporting and monitoring of
+    many services. It also provides Salt highstate cron monitoring, which
+    notifies us when runs fail over a certain threshold.
+
 PagerDuty
   `PagerDuty <https://www.pagerduty.com>`_ is used for on-call rotation for PSF
   Infrastructure employees on the front-line, and volunteers as backup.

docs/requirements.txt

@@ -2,3 +2,4 @@ furo
 sphinx
 myst-parser
 sphinx-copybutton
+sphinx-datatables

docs/salt-server-list.rst

@@ -4,28 +4,29 @@
 
 
 .. csv-table::
-   :header: "Name", "Purpose", "Contact", "Distro", "Datacener"
+   :header: "Name", "Purpose", "Contact", "Distro", "Datacenter", "Category"
+   :class: sphinx-datatable display compact
 
 
-   "backup.sfo1.psf.io", "Automated backup of infrastructure", "Infrastructure staff", "Ubuntu-24.04", "sfo1"
-   "bugs.nyc1.psf.io", "Roundup hosting for CPython, Jython, and Roundup", "Infrastructure staff", "Ubuntu-22.04", "nyc1"
-   "buildbot.nyc1.psf.io", "Hosting for CPython buildbot server", "zware, haypo, pablogsa", "Ubuntu-24.04", "nyc1"
-   "cdn-logs.nyc1.psf.io", "Realtime log streaming from Fastly CDN for debug", "Infrastructure Staff", "Ubuntu-20.04", "nyc1"
-   "codespeed.nyc1.psf.io", "Hosting for speed.python.org and speed.pypy.org", "", "Ubuntu-22.04", "nyc1"
-   "consul-1.nyc1.psf.io", "Runs `Consul <https://www.consul.io/>`_ discovery service", "Infrastructure Staff", "Ubuntu-24.04", "nyc1"
-   "consul-2.nyc1.psf.io", "Runs `Consul <https://www.consul.io/>`_ discovery service", "Infrastructure Staff", "Ubuntu-24.04", "nyc1"
-   "consul-3.nyc1.psf.io", "Runs `Consul <https://www.consul.io/>`_ discovery service", "Infrastructure Staff", "Ubuntu-24.04", "nyc1"
-   "docs.nyc1.psf.io", "Builds and serves CPython's documentation", "mdk", "Ubuntu-24.04", "nyc1"
-   "downloads.nyc1.psf.io", "Serves python.org downloads", "CPython Release Managers", "Ubuntu-24.04", "nyc1"
-   "gnumailman.nyc1.psf.io", "GNU Mailman Project wiki and lists", "Mark Sapiro", "Ubuntu-20.04", "nyc1"
-   "hg.nyc1.psf.io", "Version Control Archives, serves hg.python.org and svn.python.org", "Infrastructure Staff", "Ubuntu-24.04", "nyc1"
-   "lb-0.nyc1.psf.io", "Load balancer", "Infrastructure Staff", "Ubuntu-24.04", "nyc1"
-   "lb-1.nyc1.psf.io", "Load balancer", "Infrastructure Staff", "Ubuntu-24.04", "nyc1"
-   "mail.ams1.psf.io", "Mail and mailman server", "postmasters", "Ubuntu-14.04", "ams1"
-   "moin.nyc1.psf.io", "Hosts moin sites for wiki.python.org, wiki.jython.org", "lemburg", "Ubuntu-20.04", "nyc1"
-   "planet.nyc1.psf.io", "Planet Python", "benjamin", "Ubuntu-18.04", "nyc1"
-   "pythontest.nyc3.psf.io", "Test resources for CPython's test suite.", "Infrastructure Staff", "Ubuntu-24.04", "nyc3"
-   "salt.nyc1.psf.io", "Salt server", "Infrastructure Staff", "Ubuntu-20.04", "nyc1"
+   "backup.sfo1.psf.io", "Automated backup of infrastructure", "Infrastructure staff", "Ubuntu-24.04", "sfo1", "infra-infra"
+   "bugs.nyc1.psf.io", "Roundup hosting for CPython, Jython, and Roundup", "Infrastructure staff", "Ubuntu-22.04", "nyc1", "python-core"
+   "buildbot.nyc1.psf.io", "Hosting for CPython buildbot server", "zware, haypo, pablogsa", "Ubuntu-24.04", "nyc1", "python-core"
+   "cdn-logs.nyc1.psf.io", "Realtime log streaming from Fastly CDN for debug", "Infrastructure Staff", "Ubuntu-20.04", "nyc1", "infra-infra"
+   "codespeed.nyc1.psf.io", "Hosting for speed.python.org and speed.pypy.org", "", "Ubuntu-22.04", "nyc1", "python-core"
+   "consul-1.nyc1.psf.io", "Runs `Consul <https://www.consul.io/>`_ discovery service", "Infrastructure Staff", "Ubuntu-24.04", "nyc1", "infra-infra"
+   "consul-2.nyc1.psf.io", "Runs `Consul <https://www.consul.io/>`_ discovery service", "Infrastructure Staff", "Ubuntu-24.04", "nyc1", "infra-infra"
+   "consul-3.nyc1.psf.io", "Runs `Consul <https://www.consul.io/>`_ discovery service", "Infrastructure Staff", "Ubuntu-24.04", "nyc1", "infra-infra"
+   "docs.nyc1.psf.io", "Builds and serves CPython's documentation", "mdk", "Ubuntu-24.04", "nyc1", "python-core"
+   "downloads.nyc1.psf.io", "Serves python.org downloads", "CPython Release Managers", "Ubuntu-24.04", "nyc1", "python-core"
+   "gnumailman.nyc1.psf.io", "GNU Mailman Project wiki and lists", "Mark Sapiro", "Ubuntu-20.04", "nyc1", "mail"
+   "hg.nyc1.psf.io", "Version Control Archives, serves hg.python.org and svn.python.org", "Infrastructure Staff", "Ubuntu-24.04", "nyc1", "python-core"
+   "lb-0.nyc1.psf.io", "Load balancer", "Infrastructure Staff", "Ubuntu-24.04", "nyc1", "infra-infra"
+   "lb-1.nyc1.psf.io", "Load balancer", "Infrastructure Staff", "Ubuntu-24.04", "nyc1", "infra-infra"
+   "mail.ams1.psf.io", "Mail and mailman server", "postmasters", "Ubuntu-14.04", "ams1", "mail"
+   "moin.nyc1.psf.io", "Hosts moin sites for wiki.python.org, wiki.jython.org", "lemburg", "Ubuntu-20.04", "nyc1", "community"
+   "planet.nyc1.psf.io", "Planet Python", "benjamin", "Ubuntu-24.04", "nyc1", "community"
+   "pythontest.nyc3.psf.io", "Test resources for CPython's test suite.", "Infrastructure Staff", "Ubuntu-24.04", "nyc3", "python-core"
+   "salt.nyc1.psf.io", "Salt server", "Infrastructure Staff", "Ubuntu-20.04", "nyc1", "infra-infra"
 
 ..
     END AUTOMATED SECTION **DO NOT DIRECTLY EDIT - Salt will blow away your changes!!!**

pillar/base/haproxy.sls

@@ -156,10 +156,6 @@ haproxy:
       hsts_preload: False
 
   listens:
-    hg_ssh:
-      bind: :20100
-      service: hg-ssh
-
     buildbot_worker:
       bind: :20101
       service: buildbot-master-worker

pillar/base/planet.sls

@@ -3,5 +3,15 @@ planet:
     - planetpython.org
     - www.planetpython.org
   sites:
-    planetpython.org:
+    planetpython:
+      domain: planetpython.org
+      cache: /srv/cache/
+      output: /srv/planetpython.org/
+      image: ghcr.io/python/planetpython:latest
+      config: config.ini
+    planetpython-3:
+      domain: 3.planetpython.org
+      cache: /srv/cache3/
+      output: /srv/planetpython.org/3/
+      image: ghcr.io/python/planetpython-3:latest
       config: config.ini

pillar/base/users/_admin/coffee.sls

@@ -3,5 +3,5 @@ users:
     admin: true
     fullname: Jacob Coffee
     ssh_keys:
-    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAddLP9ByPv5ZzebYW5D0zVwmugZOlgkvTPOrj2FqpvPtA0lroLur8w606JV0DYQiAkud+/Q7+7fM8StnNld7oA=
-      Main@secretive.EcheXMBP.local
+    - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM+eCfVgXZw89gO6PMbwh4S2Xjkk/NPsMOM/F5IfIpatcS8ghoKj0lEfcDH9c+yCbOyzRioax5v5fAKNxUz6Tv4=
+      git@secretive.EcheXMBP.local