From 24f3a5e34c1423b5b2e8239a4b79000c6adbc5b9 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Mon, 7 Jul 2025 13:36:51 -0500 Subject: [PATCH 1/4] docs: add guide for externally controlled hardware --- docs/guides/external-host-requirements.md | 112 ++++++++++++++++++++++ docs/guides/index.rst | 1 + 2 files changed, 113 insertions(+) create mode 100644 docs/guides/external-host-requirements.md diff --git a/docs/guides/external-host-requirements.md b/docs/guides/external-host-requirements.md new file mode 100644 index 00000000..2b5e60b4 --- /dev/null +++ b/docs/guides/external-host-requirements.md 
@@ -0,0 +1,112 @@ +# External Host Requirements for PSF Salt Management + +This document outlines the requirements and processes for external hosts that will be managed by the +Python Software Foundation's Salt infrastructure. + +## Overview + +When providing hardware for PSF services, your serve will be managed through our Salt configuration management system. +This document details the network, security, and access requirements for integration with our infrastructure. + +## Network Requirements + +### Required Ports + +Your server MUST allow **outbound** connections to the following ports on our Salt master: + +| Port | Protocol | Purpose | Salt Master | +|----------|----------|------------------------------|--------------------| +| **4505** | TCP | Salt Publisher (ZeroMQ) | salt-master.psf.io | +| **4506** | TCP | Salt Request Server (ZeroMQ) | salt-master.psf.io | + +### Inbound Access Requirements + +Your server MUST allow **inbound** connections on: + +| Port | Protocol | Purpose | Access | +|--------|----------|----------------|---------------| +| **22** | TCP | SSH Management | PSF Sysadmins | + +### DNS Requirements + +- Preferrably, the Server will be accessible via a stable DNS name +- PSF Salt master is accessible at `salt-master.psf.io` +- Static IP address preferred (IP changes require coordination) + +## Security Configuration + +### SSH Access + +**Initial Setup:** +- Root SSH access required for initial bootstrap +- SSH key-based authentication only (no password authentication) + - Source keys from GitHub profiles ([@JacobCoffee](https://github.com/JacobCoffee.keys), [@ewdurbin](https://github.com/ewdurbin.keys)) + +> **Note**: Root login will be disabled after user accounts are created + +**Production Access:** +- SSH access provided to PSF sysadmins and service managers +- All access through SSH keys managed in Salt pillar data +- No direct root access after initial setup + +### System Hardening + +Salt will automatically apply comprehensive 
security hardening (see [Salt harden state](../salt/base/harden)): + +**SSH Hardening:** +- Root login disabled after bootstrap +- Password authentication disabled +- Strong cryptographic algorithms only +- Connection limits and timeout controls +- X11 forwarding disabled + +**System Security:** +- Firewall rules (iptables) with default deny policy +- File system permissions hardened +- Core dumps disabled +- Account lockout policies (5 failed attempts = 10 minute lockout) +- System resource limits configured + +**Network Security:** +- Stateful firewall with connection tracking +- IPv4 and IPv6 rules applied +- Only explicitly allowed ports accessible +- Internal network traffic restrictions + +## User Management + +### User Accounts + +**User Management:** +- Created from PSF pillar data (see [Salt users pillar data](../pillar/base/users)) +- The pillar data determines, per service, which users are created, their roles (root, etc.), and their SSH keys +- Sudo access granted to `psf-admin` group (see [Salt sudo pillar data](../pillar/base/sudoers/init.sls)) + +### SSH Key Management + +**Key Sources:** +- SSH keys stored in Salt pillar data +- Automated key rotation capabilities via Salt highstate runs and Git repository updates + +**Key Deployment:** +- Keys automatically deployed during Salt runs +- `authorized_keys` files managed by Salt +- Revocation through pillar data updates + +## Security Updates + +### Automatic Updates + +Salt configures Ubuntu's unattended upgrades: + +**Update Sources:** +- Ubuntu security updates +- Ubuntu stable updates +- Critical package updates + +**Configuration:** +- Automatic installation of security updates +- Email notifications to `infrastructure-staff@python.org` (see [Salt unattended-upgrades](../salt/unattended-upgrades/config/50unattended-upgrades)) + +**Monitoring:** +- Monitoring generally happens through Sentry or Datadog metric checks. 
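Review bot: the "Inbound Access Requirements" table opens port 22 to "PSF Sysadmins" but names no source addresses, so a host owner cannot write the firewall rule the document asks for; give the IP ranges or bastion host the rule should allow, or state explicitly that the Salt harden state's iptables rules will restrict the source once the first highstate runs and that 22 may be open more widely only until then. The bootstrap section also never says how minion-master trust is established: the host owner should be asked to send the minion key fingerprint (`salt-call --local key.finger`) out of band so it can be checked against `salt-key -F` before acceptance, and the document should publish the master's key fingerprint so the owner can pin it with the `master_finger` minion option rather than trusting whatever answers on 4505/4506 at first contact. For the same reason, the GitHub `.keys` URLs used to seed root access should be accompanied by the expected key fingerprints, since those endpoints return every key currently on the account.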
diff --git a/docs/guides/index.rst b/docs/guides/index.rst index 80fccc0e..4be41527 100644 --- a/docs/guides/index.rst +++ b/docs/guides/index.rst @@ -9,3 +9,4 @@ Guides migration-recipe.md haproxy-registration-guide.md port-guide.md + external-host-requirements.md From 43bcabcc4bb83b75b33273f71661b9b544e99ca2 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Mon, 7 Jul 2025 15:14:07 -0500 Subject: [PATCH 2/4] Apply suggestions from code review --- docs/guides/external-host-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/external-host-requirements.md b/docs/guides/external-host-requirements.md index 2b5e60b4..7e3cb80f 100644 --- a/docs/guides/external-host-requirements.md +++ b/docs/guides/external-host-requirements.md @@ -5,7 +5,7 @@ Python Software Foundation's Salt infrastructure. ## Overview -When providing hardware for PSF services, your serve will be managed through our Salt configuration management system. +When providing hardware for PSF services, your server will be managed through our Salt configuration management system. This document details the network, security, and access requirements for integration with our infrastructure. ## Network Requirements From e5a9f37bdd9e2aa6446c133cb2e5b1f3e3ac9209 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Mon, 7 Jul 2025 16:05:02 -0500 Subject: [PATCH 3/4] docs: add anchor link to user mgmt --- docs/guides/external-host-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/external-host-requirements.md b/docs/guides/external-host-requirements.md index 7e3cb80f..6f1d6cef 100644 --- a/docs/guides/external-host-requirements.md +++ b/docs/guides/external-host-requirements.md 
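Review bot: this review-suggestions patch fixes "serve" in the Overview but leaves the other typo in the DNS Requirements list, "Preferrably, the Server will be accessible via a stable DNS name", which should read "Preferably, the server will be accessible via a stable DNS name"; worth folding into the same fixup.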
@@ -45,7 +45,7 @@ Your server MUST allow **inbound** connections on: > **Note**: Root login will be disabled after user accounts are created **Production Access:** -- SSH access provided to PSF sysadmins and service managers +- SSH access provided to PSF sysadmins and service managers (see [User Management](#user-management)) - All access through SSH keys managed in Salt pillar data - No direct root access after initial setup From 66b8312a9a951246311c9df8e213f4787a568656 Mon Sep 17 00:00:00 2001 From: Jacob Coffee Date: Mon, 7 Jul 2025 16:11:44 -0500 Subject: [PATCH 4/4] fix: links after moving into guides --- docs/guides/external-host-requirements.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/guides/external-host-requirements.md b/docs/guides/external-host-requirements.md index 6f1d6cef..0f01b81c 100644 --- a/docs/guides/external-host-requirements.md +++ b/docs/guides/external-host-requirements.md @@ -51,7 +51,7 @@ Your server MUST allow **inbound** connections on: ### System Hardening -Salt will automatically apply comprehensive security hardening (see [Salt harden state](../salt/base/harden)): +Salt will automatically apply comprehensive security hardening (see [Salt harden state](../../salt/base/harden)): **SSH Hardening:** - Root login disabled after bootstrap @@ -78,9 +78,9 @@ Salt will automatically apply comprehensive security hardening (see [Salt harden ### User Accounts **User Management:** -- Created from PSF pillar data (see [Salt users pillar data](../pillar/base/users)) +- Created from PSF pillar data (see [Salt users pillar data](../../pillar/base/users)) - The pillar data determines, per service, which users are created, their roles (root, etc.), and their SSH keys -- Sudo access granted to `psf-admin` group (see [Salt sudo pillar data](../pillar/base/sudoers/init.sls)) +- Sudo access granted to `psf-admin` group (see [Salt sudo pillar data](../../pillar/base/sudoers/init.sls)) ### SSH Key Management 
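Review bot: the corrected targets `../../salt/base/harden`, `../../pillar/base/users` and `../../pillar/base/sudoers/init.sls` are repository paths relative to `docs/guides/`, so they only resolve when the Markdown is browsed in the repository itself; in the Sphinx build that `docs/guides/index.rst` feeds, MyST will leave links to files outside the documentation source tree as dead relative URLs. Either link to the files at their repository URL or say in the text that the paths are relative to the repository root. The `#user-management` anchor added in the previous patch has a related caveat: MyST only generates slug anchors for Markdown headings when `myst_heading_anchors` is set in `conf.py`, so confirm that setting exists or the link will 404 in the built docs.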
@@ -106,7 +106,7 @@ Salt configures Ubuntu's unattended upgrades: **Configuration:** - Automatic installation of security updates -- Email notifications to `infrastructure-staff@python.org` (see [Salt unattended-upgrades](../salt/unattended-upgrades/config/50unattended-upgrades)) +- Email notifications to `infrastructure-staff@python.org` (see [Salt unattended-upgrades](../../salt/unattended-upgrades/config/50unattended-upgrades)) **Monitoring:** - Monitoring generally happens through Sentry or Datadog metric checks.
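Review bot: the sentence "Email notifications to `infrastructure-staff@python.org`" should say when mail is sent, that is whether every unattended-upgrades run reports or only runs that fail or need a reboot (`Unattended-Upgrade::MailReport` in `50unattended-upgrades`), because a host owner reading this needs to know whether silence means "nothing happened" or "nothing went wrong". The "Monitoring" line that follows is too vague to act on; if Sentry or Datadog checks are expected to cover update failures on the external host, state what the host owner must install or allow outbound for that to work.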