/etc/salt/grains

To help configure servers that are managed by MOOSE it is possible to customise SaltStack’s “grains”, which are saved in /etc/salt/grains on your server. The grains interface presents Salt with “grains of information” about the underlying system such as OS, domain name, IP address, kernel, OS type, memory and many other properties of the system.

Grains are made available to Salt modules so that the right salt minion commands are automatically available on the right systems.


System

fqdn and domain

The fully-qualified domain name is used as the main identifier for your server. Your server overview page will be made available at this address.

fqdn: server.example.com
domain: example.com

moose:packages

This is a list of extra packages to install. We recommend using this if you want to be able to deploy an identical instance of your machine from a barebones installation.

moose:
  packages:
    - vim
    - emacs24-nox

cron

Contains a mapping of hours and minutes (past the hour) for hourly, daily, weekly, and monthly cron jobs. These are set randomly the first time your server is provisioned so as to spread the workload. Weekly jobs always run on Sunday. Monthly jobs always run on the first day of the month.

cron:
  hourly:
    minute: '17'
  daily:
    hour: '6'
    minute: '25'
  weekly:
    hour: '6'
    minute: '47'
  monthly:
    hour: '6'
    minute: '52'
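The following is an added example (not MOOSE’s own code) showing how a cron grain like the one above turns into system crontab lines, with the Sunday and first-of-month rules applied, plus a validator and a generator for the random first-provisioning schedule. The job commands and the uniform random distribution are assumptions; the page does not give either.

```python
import random

# Constructed sample grain, mirroring the cron example on this page.
CRON_GRAIN = {
    "cron": {
        "hourly": {"minute": "17"},
        "daily": {"hour": "6", "minute": "25"},
        "weekly": {"hour": "6", "minute": "47"},
        "monthly": {"hour": "6", "minute": "52"},
    }
}

# Hypothetical job commands; the scripts MOOSE actually schedules are not on the page.
COMMANDS = {p: f"/usr/local/sbin/moose-{p}" for p in ("hourly", "daily", "weekly", "monthly")}


def _field(value, low, high):
    """Grains store these numbers as quoted strings; convert and range-check."""
    n = int(str(value))
    if not low <= n <= high:
        raise ValueError(f"{value!r} is outside {low}..{high}")
    return n


def cron_problems(grains):
    """Return validation messages; an empty list means the grain is usable."""
    problems = []
    cron = grains.get("cron", {})
    for period in ("hourly", "daily", "weekly", "monthly"):
        job = cron.get(period)
        if job is None:
            problems.append(f"cron:{period} missing")
            continue
        try:
            _field(job.get("minute", "x"), 0, 59)
            if period != "hourly":
                _field(job.get("hour", "x"), 0, 23)
        except ValueError as exc:
            problems.append(f"cron:{period}: {exc}")
    return problems


def render_crontab(grains):
    """Render the grain as system crontab lines (min hour dom mon dow user cmd)."""
    problems = cron_problems(grains)
    if problems:
        raise ValueError("; ".join(problems))
    cron = grains["cron"]
    m = lambda p: _field(cron[p]["minute"], 0, 59)  # noqa: E731
    h = lambda p: _field(cron[p]["hour"], 0, 23)  # noqa: E731
    return [
        f"{m('hourly')} * * * * root {COMMANDS['hourly']}",
        f"{m('daily')} {h('daily')} * * * root {COMMANDS['daily']}",
        # weekly jobs always run on Sunday (day-of-week 0)
        f"{m('weekly')} {h('weekly')} * * 0 root {COMMANDS['weekly']}",
        # monthly jobs always run on the first day of the month
        f"{m('monthly')} {h('monthly')} 1 * * root {COMMANDS['monthly']}",
    ]


def generate_cron_grain(rng=None):
    """Pick a random schedule, as happens on first provisioning. The page does
    not state the distribution MOOSE uses; picking uniformly is an assumption."""
    rng = rng or random.SystemRandom()
    grain = {"hourly": {"minute": str(rng.randrange(60))}}
    for period in ("daily", "weekly", "monthly"):
        grain[period] = {"hour": str(rng.randrange(24)), "minute": str(rng.randrange(60))}
    return {"cron": grain}


if __name__ == "__main__":
    print("\n".join(render_crontab(CRON_GRAIN)))
```

Running the block prints the four crontab lines for the sample grain; a grain with an out-of-range minute or a missing period is rejected before anything is rendered, so a typo in /etc/salt/grains cannot silently produce a job that never runs.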

email:default

A list of email addresses to receive automated information from the server. Some packages only support one recipient, and so only the first item in the list will be used.

email:
  default:
    - webmaster@example.com
    - alice@example.com
    - bob@example.com

moose:owner

It is possible to show the owner of your server on its overview page.

moose:
  owner:
    name: Network Moose
    url: https://twitter.com/NetworkMoose

Security

firewall

Deploy a firewall on instantiation and bootup using netfilter-persistent.

firewall:
  tcp4:
    22:
      46.227.200.129/32: FAELIX Teleport jumphost
      192.0.2.0/24: our network
  udp6:
    53:
      "2001:db8::/64": our network
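As an added example (not MOOSE’s own code), this renders a firewall grain like the one above into the iptables-restore format that netfilter-persistent loads from /etc/iptables/rules.v4 and rules.v6, and checks first that each source network matches the address family of its key (tcp4, udp6). The default-deny policy and the loopback/established rules in render_file are assumptions the page does not state.

```python
import ipaddress

# Constructed sample mirroring the firewall grain on this page.
FIREWALL_GRAIN = {
    "firewall": {
        "tcp4": {
            22: {
                "46.227.200.129/32": "FAELIX Teleport jumphost",
                "192.0.2.0/24": "our network",
            }
        },
        "udp6": {53: {"2001:db8::/64": "our network"}},
    }
}


def _parse_key(key):
    """'tcp4' -> ('tcp', 4); anything else is rejected."""
    proto, family = key[:-1], key[-1:]
    if proto not in ("tcp", "udp") or family not in ("4", "6"):
        raise ValueError(f"unsupported firewall key {key!r}")
    return proto, int(family)


def firewall_problems(grains):
    """Validate the grain; returns messages, empty when it is consistent."""
    problems = []
    for key, ports in grains.get("firewall", {}).items():
        try:
            _, family = _parse_key(key)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        for port, sources in ports.items():
            if not 1 <= int(port) <= 65535:
                problems.append(f"{key}: bad port {port!r}")
            for source in sources:
                try:
                    net = ipaddress.ip_network(source, strict=True)
                except ValueError:
                    problems.append(f"{key}/{port}: bad network {source!r}")
                    continue
                if net.version != family:
                    problems.append(f"{key}/{port}: {source} is IPv{net.version}, key says IPv{family}")
    return problems


def render_rules(grains):
    """Return {'v4': [...], 'v6': [...]} ACCEPT rules in iptables-restore syntax."""
    problems = firewall_problems(grains)
    if problems:
        raise ValueError("; ".join(problems))
    rules = {"v4": [], "v6": []}
    for key, ports in grains["firewall"].items():
        proto, family = _parse_key(key)
        for port, sources in ports.items():
            for source, comment in sources.items():
                net = ipaddress.ip_network(source)
                # the comment match is limited to 256 bytes; keep the file's double quotes intact
                comment = str(comment).replace('"', "'")[:256]
                rules[f"v{family}"].append(
                    f"-A INPUT -p {proto} --dport {int(port)} -s {net.with_prefixlen} "
                    f'-m comment --comment "{comment}" -j ACCEPT'
                )
    return rules


def render_file(rules, family):
    """Wrap one family's rules as a complete rules.v4 / rules.v6 file.
    Default-deny INPUT and the loopback/established rules are assumptions."""
    body = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if family == 6:
        body.append("-A INPUT -p ipv6-icmp -j ACCEPT")  # neighbour discovery needs this
    body += rules[f"v{family}"] + ["COMMIT"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    generated = render_rules(FIREWALL_GRAIN)
    print(render_file(generated, 4))
    print(render_file(generated, 6))
```

The family check matters because an IPv6 prefix under a tcp4 key would otherwise be rejected by iptables-restore at boot, leaving the host with whatever rules were loaded last; failing early in the grain validator is preferable to discovering that after a reboot.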

root

XXXTODO needs expanding

root:
  authorized_keys:
    faelix_noc: True
    faelix_soc: True

sshd

XXXTODO needs expanding

sshd:
  installed: True
  port: 22
  listenaddress: '::'
  permitrootlogin: 'without-password'
  passwordauthentication: 'yes'
  x11forwarding: 'no'
  tcpkeepalive: 'yes'
  allowtcpforwarding: 'yes'
  permittunnel: 'yes'
  allowagentforwarding: 'yes'
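As an added example (not MOOSE’s own template), this renders an sshd grain like the one above into sshd_config directives and then reviews it, flagging the settings a hardening pass would question: the sample grain itself enables password authentication and all three forwarding options. The key-to-directive mapping follows the lower-cased directive names used in the grain; the defaults table is OpenSSH’s documented defaults, used only for keys absent from the grain.

```python
# Constructed sample mirroring the sshd grain on this page.
SSHD_GRAIN = {
    "sshd": {
        "installed": True,
        "port": 22,
        "listenaddress": "::",
        "permitrootlogin": "without-password",
        "passwordauthentication": "yes",
        "x11forwarding": "no",
        "tcpkeepalive": "yes",
        "allowtcpforwarding": "yes",
        "permittunnel": "yes",
        "allowagentforwarding": "yes",
    }
}

# Grain key -> sshd_config directive (the grain keys are the lower-cased names).
DIRECTIVES = {
    "port": "Port",
    "listenaddress": "ListenAddress",
    "permitrootlogin": "PermitRootLogin",
    "passwordauthentication": "PasswordAuthentication",
    "x11forwarding": "X11Forwarding",
    "tcpkeepalive": "TCPKeepAlive",
    "allowtcpforwarding": "AllowTcpForwarding",
    "permittunnel": "PermitTunnel",
    "allowagentforwarding": "AllowAgentForwarding",
}

# OpenSSH's documented defaults, applied when a key is absent from the grain.
DEFAULTS = {
    "port": 22,
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "allowtcpforwarding": "yes",
    "permittunnel": "no",
    "allowagentforwarding": "yes",
}


def render_sshd_config(grains):
    """Directive lines for the keys present in the grain; empty if sshd is not installed."""
    sshd = grains.get("sshd", {})
    if not sshd.get("installed", False):
        return []
    return [f"{DIRECTIVES[k]} {sshd[k]}" for k in DIRECTIVES if k in sshd]


def sshd_findings(grains):
    """Settings a security review of this grain would question, with the suggested change."""
    sshd = grains.get("sshd", {})
    value = lambda k: str(sshd.get(k, DEFAULTS.get(k, ""))).lower()  # noqa: E731
    findings = []
    if value("passwordauthentication") == "yes":
        findings.append("PasswordAuthentication yes: leaves accounts open to password guessing; "
                        "set 'no' once root:authorized_keys is in place")
    if value("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password; "
                        "prefer 'without-password' (prohibit-password) or 'no'")
    for key in ("allowtcpforwarding", "permittunnel", "allowagentforwarding", "x11forwarding"):
        if value(key) == "yes":
            findings.append(f"{DIRECTIVES[key]} yes: rarely needed on a server; "
                            "set 'no' unless a workflow depends on it")
    try:
        if not 1 <= int(value("port")) <= 65535:
            raise ValueError
    except ValueError:
        findings.append(f"Port {sshd.get('port')!r} is not a valid TCP port")
    return findings


if __name__ == "__main__":
    print("\n".join(render_sshd_config(SSHD_GRAIN)))
    for finding in sshd_findings(SSHD_GRAIN):
        print("WARNING:", finding)
```

Because the grain, not sshd_config, is the source of truth on a MOOSE-managed host, running the review against /etc/salt/grains catches a weak setting before Salt pushes it out; the same check can sit in a pre-commit hook if the grains files are kept in version control.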

portsentry

XXXTODO needs expanding

lynis

lynis:
  skip-tests:
  - SSH-7408:permitrootlogin
  - SSH-7408:port
  - FILE-6310
  - FIRE-4513
  - LOGG-2190

teleport

Install Teleport on the server. Optionally configure it to allow login, act as a proxy, or manage authentication.

teleport:
  nodename: teleport.faelix.net
  advertise_ip: 192.0.2.1
  auth_servers:
    - teleport.faelix.net:3025
  auth_token: "TcAvq2tvKnIUVHbqRCTICBtDv67Ph7Vw"
  ciphers:
    - aes256-ctr
    - aes128-gcm@openssh.com
  kex_algos:
    - curve25519-sha256@libssh.org
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256

  ssh_service:
    listen_addr: "[::]:3022"
    labels:
      role: bastion

  proxy_service:
    listen_addr: "[::]:3023"
    tunnel_listen_addr: "[::]:3024"
    web_listen_addr: "[::]:3080"

  auth_service:
    listen_addr: "[::]:3025"
    cluster_name: teleport.faelix.net
    tokens:
      - "node:VMYL7K0PvBwjX7lktLUGkXc37VdgiPONucAbWJXOvfIWJv0v"

Other tokens which will be set automatically include:

  • lastsalt: ISO 8601 formatted date SaltStack last updated teleport.yaml
  • salt: version of SaltStack installed
  • arch: OS architecture
  • platform: virtual/physical

email:security

A list of email addresses to receive alerts about the security posture of your server. Some packages only support one recipient, and so only the first item in the list will be used.

email:
  security:
    - hostmaster@example.com
    - security@example.com

If unset, email:default will be used instead.

Hostname Resolution

moose:network

If set to “dynamic” then /etc/resolv.conf will not be autoconfigured.

moose:nameservers

A list of nameservers. Defaults to Faelix’s standard ones.

moose:
  nameservers:
    - "46.227.200.54"
    - "46.227.200.55"

moose:hosts

A dictionary of lists to put into /etc/hosts.

moose:
  hosts:
    "192.0.2.1":
      - myrouter.example.com
      - myrouter
    "2001:db8::42":
      - myrouter.example.com
      - myrouter

Backup

backup:borg

Use borgbackup to automatically store snapshots of the server. This is used to generate the /etc/cron.daily/borgbackup script and its configuration file /etc/faelix/moose/borgbackup.

At a minimum both backup:borg:destination and backup:borg:passphrase need to be set. Extra backup repositories can be set under the repo key, with their own retention policy and exclusion lists.

backup:
  borg:
    destination: borg1.w.faelix.net
    user: borg
    passphrase: gibberishJGVRM8L3ZYAQWAJTpassword
    repo:
      owncloud:
        path: /var/www/owncloud
        exclude:
        - /var/www/owncloud/data/*.log
        keep_daily: 7
        keep_monthly: 1
        keep_weekly: 1
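As an added example (not MOOSE’s own generator), this builds the two files the page mentions from a backup:borg grain like the one above: the /etc/cron.daily/borgbackup script, and the configuration file at /etc/faelix/moose/borgbackup that holds the passphrase. The point of splitting them is that the passphrase reaches borg through the BORG_PASSPHRASE environment variable from a mode-0600 file and never appears in the script or on a command line where ps could show it. The repository URL layout (ssh://user@destination/./<name>), the config file’s format and the compression choice are assumptions; the page gives none of them.

```python
import shlex

# Constructed sample mirroring the backup:borg grain on this page.
BORG_GRAIN = {
    "backup": {
        "borg": {
            "destination": "borg1.w.faelix.net",
            "user": "borg",
            "passphrase": "gibberishJGVRM8L3ZYAQWAJTpassword",
            "repo": {
                "owncloud": {
                    "path": "/var/www/owncloud",
                    "exclude": ["/var/www/owncloud/data/*.log"],
                    "keep_daily": 7,
                    "keep_monthly": 1,
                    "keep_weekly": 1,
                }
            },
        }
    }
}

CONFIG_FILE = "/etc/faelix/moose/borgbackup"  # path from the page; its format is assumed here


def borg_problems(grains):
    """The page's minimum: destination and passphrase must be set; each repo needs a path."""
    cfg = grains.get("backup", {}).get("borg", {})
    problems = [f"backup:borg:{k} must be set" for k in ("destination", "passphrase") if not cfg.get(k)]
    for name, repo in cfg.get("repo", {}).items():
        if not repo.get("path"):
            problems.append(f"backup:borg:repo:{name}:path must be set")
    return problems


def borg_jobs(grains, hostname):
    """One (create, prune) argv pair per repository under the repo key."""
    problems = borg_problems(grains)
    if problems:
        raise ValueError("; ".join(problems))
    cfg = grains["backup"]["borg"]
    user = cfg.get("user", "borg")
    jobs = []
    for name, repo in cfg.get("repo", {}).items():
        url = f"ssh://{user}@{cfg['destination']}/./{name}"  # assumed repository layout
        create = ["borg", "create", "--stats", "--compression", "lz4"]
        for pattern in repo.get("exclude", []):
            create += ["--exclude", pattern]
        # {now} is expanded by borg itself, giving one archive per daily run
        create += [f"{url}::{hostname}-{{now:%Y-%m-%d}}", repo["path"]]
        # --prefix keeps the retention policy from touching other hosts' archives
        prune = ["borg", "prune", "--list", "--prefix", f"{hostname}-"]
        for key in ("keep_daily", "keep_weekly", "keep_monthly"):
            if key in repo:
                prune += ["--" + key.replace("_", "-"), str(repo[key])]
        prune.append(url)
        jobs.append({"name": name, "create": create, "prune": prune})
    return jobs


def render_config(grains):
    """Contents for the mode-0600 config file; the passphrase lives only here."""
    cfg = grains["backup"]["borg"]
    return f"BORG_PASSPHRASE={shlex.quote(cfg['passphrase'])}\n"


def render_script(grains, hostname):
    """/etc/cron.daily/borgbackup: sources the config, never embeds the secret."""
    lines = ["#!/bin/sh", "set -eu", "set -a", f". {CONFIG_FILE}", "set +a"]
    for job in borg_jobs(grains, hostname):
        lines.append(f"# repository: {job['name']}")
        lines.append(shlex.join(job["create"]))
        lines.append(shlex.join(job["prune"]))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_script(BORG_GRAIN, "web1.example.com"))
```

The exclusion list and the keep_* retention values are passed through unchanged, so each extra repository under the repo key gets its own create and prune pair exactly as the page describes; a grain missing the destination or passphrase is rejected before any script is written.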

Monitoring

collectd:faelix

Explicitly set this to False if you do not wish for statistics to be sent to FAELIX’s collectd service.

collectd:
  faelix: True

collectd:servers

Other servers to send collectd statistics to.

collectd:
  servers:
    192.0.2.1:
      username: foo
      password: bar
      securitylevel: Encrypt
      port: 25826

collectd:user_suffix and collectd:password

The username and password used to send packets to Faelix’s monitoring systems are specified by these two grains. Changing them will probably prevent expected functioning.

collectd:ping

Specify extra hosts you would like to ping from your server as a list.

collectd:
  ping:
    hosts:
      - "192.0.2.1"
      - "192.0.2.2"
      - "2001:db8::13"
    interval: 8
    timeout: 0.9
    source_address: "192.0.2.254"
    device: eth0

Web Server

php

php:
  max_execution_time: 30
  error_reporting: "E_ALL & ~E_DEPRECATED & ~E_STRICT"
  memory_limit: "128M"
  max_input_time: 60
  post_max_size: "128M"
  upload_max_filesize: "128M"
  max_file_uploads: 32
  default_socket_timeout: 60
  date_timezone: UTC

xcache

XXXTODO needs expanding

xcache:
  admin:
    password: FxU35eJ2Ow6vsNh1
  cacher: False

xcache:admin:enable_auth

XXXTODO expand

xcache:admin:password

XXXTODO expand

xcache:stat

XXXTODO expand

xcache:cacher

Set this to False on systems where you encounter problems caused by XCache.

Mail Server

postfixadmin

When Postfix Admin is installed, databases are automatically created and the credentials recorded here. Three different MySQL users are created, one for each of the various components that need to query the postfixadmin database.

postfixadmin:
  pfa-dovecot:
    password: YnQquVWHy3G52fE6
  pfa-postfix:
    password: a34Iv36SsEP7D7Do
  pfa-vacation:
    password: K23SQCK0na6Ye0qU

postfix

postfix:
  smtp_tls_security_level: may
  smtpd_tls_security_level: may
  smtpd_tls_eecdh_grade: strong
  tls_eecdh_strong_curve: prime256v1
  tls_eecdh_ultra_curve: secp384r1
  tls:
    v12: False
  tls_policy_map:
    example.com: encrypt

roundcube

roundcube:
  config:
    des_key: ot4wAP3yYQzAIXHz3hF4lhxd
  mysql:
    password: k24Nxy66U0aeIQ0r

amavis

amavis:
  sa_spam_subject_tag: "***SPAM***"
  sa_tag_level_deflt: -999
  sa_tag2_level_deflt: 6.31
  sa_kill_level_deflt: 6.31
  sa_dsn_cutoff_level: 10
  sa_mail_body_size_limit: "200*1024"
  sa_local_tests_only: False
  final_virus_destiny: D_DISCARD
  final_banned_destiny: D_REJECT
  final_spam_destiny:  D_DISCARD
  final_bad_header_destiny: D_PASS

ntp

ntp:
  servers:
    ntp2.inrim.it: {}
    time-a.nist.gov: {}
    stdtime.gov.hk: {}
    ntp.ix.ru: {}
    46.227.200.70:
      flags:
        - iburst
    46.227.200.72:
      flags:
        - iburst
    185.134.196.166:
      flags:
        - iburst
        - peer
    127.127.1.0:
      fudge:
        stratum: 11

nginx

nginx:
  release: vendor
  ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2"
  client_max_body_size: "128m"

php

php:
  release: distribution

XXXTODO expand

  • distribution for the version of PHP included in your server’s operating system distribution
  • 7.0 for PHP 7.0 from packages.sury.org
  • 7.2 for PHP 7.2 from packages.sury.org
  • 7.3 for PHP 7.3 from packages.sury.org

nextcloud

nextcloud:
  host: cloud.example.com

XXXTODO expand