Salt distrohoppers tool

Linux distrohoppers tool with Saltstack

The GitHub repository is at https://github.com/aksratamo/salt
My goal is to make a privacy-minded distrohopper's toolbox, so that I can easily change distros and install all my needed applications and configs. The other reason is to make privacy easy. If you run this you get the https://someonewhocares.org/hosts/hosts hosts file, Firefox with telemetry disabled and DuckDuckGo as the start page, the Nextcloud client and KeePassXC, and an enabled firewall. My goal is to make a Salt setup like Tero Karvinen's sirotin, so that when I try new Linux distros I can always just run a local Salt that puts everything in the same state.

Firefox

  • Removes the title bar!
  • Smooth scrolling like shown here
  • Disables all telemetry in about:config
  • Removes the alert when closing multiple tabs
  • Enables the white default theme
  • Enables autoscrolling

Destroy all the ads

My Salt installs the someonewhocares hosts file (https://someonewhocares.org/hosts/hosts), so you will not see ads, and it protects your privacy.

Firewall with only ssh enabled

'Nuff said...
Okay, here are some details: it adds a watch state to Salt so the firewall is restarted if the rule files change. Port 22/tcp is the only one open, for both IPv4 and IPv6.

Installed applications

  • neofetch
  • keepassxc (adds the official PPA)
  • httpie
  • nextcloud-client (adds the official PPA)
  • qbittorrent
  • htop
  • tree
  • firefox
  • ufw (enabled, with only SSH open)
  • vlc
  • # stacer (system monitor) (adds the official PPA; not ready for 18.10, so commented out)
  • signal-desktop (adds the official repository)

Problems installing salt-minion

I have been running tests with many different distros and I came across a problem: not all distros installed salt-minion with apt, mainly Ubuntu 18.10 based distros that had some missing dependencies.
I found the official multiplatform bootstrap installer for Salt. It works very well, but it's not perfect. With Linux Mint and KDE Neon I get this error: “No dependencies installation function found. Exitting…”

I made a workaround with

if [ ! -d /srv/ ]; then
    # The bootstrap script is downloaded and then run as root: read it, or compare
    # it against the checksum SaltStack publishes, before the sudo line runs it.
    curl -L https://bootstrap.saltstack.com -o install_salt.sh
    # -P lets the bootstrap fall back to pip for dependencies the distro lacks
    sudo sh install_salt.sh -P
fi

Dealing with error messages

xubuntu 18.04.1

Ubuntu 18.10
salt-minion not found. Trying to add sudo apt-add-repository multiverse to the installation code. And I got this error:

also happens on xubuntu 18.10

Update: I noticed that Stacer does not yet support 18.10 with its PPA, so you will get an error if you install it on newer machines. I have commented it out for now.

Still errors, so the next thing I was wondering was whether the SaltStack 2017 version that comes with multiverse is the reason for my error messages, so I searched for a SaltStack PPA and found it. I added the file to my GitHub and added these lines at the start of my installation file:

# SaltStack's Debian 9 repo key; compare the fingerprint (apt-key fingerprint)
# with the one in the SaltStack install docs before trusting packages from it
wget -O - https://repo.saltstack.com/apt/debian/9/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
cd /etc/apt/sources.list.d/
# the sources list is fetched from my own GitHub; writing here needs root
sudo wget https://raw.githubusercontent.com/aksratamo/salt/master/saltstack.list

Now it wil install the 2018 Saltstack. And IT WORKS!
Tested with
* Xubuntu 18.04.1 and 18.10,
* Ubuntu 18.04.1 and 18.10
* Kubuntu 18.04.1 and 18.10
* Linux Mint 19.1 Cinnamon
* Linux Mint 19 Mate
* Linux Mint 19 Xfce
* elementary OS (adding the PPA not working)
* KDE Neon (adding the PPA not working)

But I still get some error messages with KDE Neon and elementary OS:

Explaining the code

Installation

In https://github.com/aksratamo/salt/tree/master/instalation-scripts you will find two files called “linux-advanced.sh” and “linux-basic.sh”; both do essentially the same. They first check whether the script has already run, by testing if helloworld.txt exists (it is created once Salt manages to run). The code was borrowed from another student project, jisosomppi.

if [ -f /tmp/helloworld.txt ]; then
    echo "===> This install script has already been run! It is intended to be run only once <==="
    exit 0
fi

Then it adds the official SaltStack repo, because the SaltStack package in the Ubuntu repo does not work with 18.10.

# SaltStack's Debian 9 repo key; check its fingerprint against the SaltStack docs
wget -O - https://repo.saltstack.com/apt/debian/9/amd64/latest/SALTSTACK-GPG-KEY.pub | sudo apt-key add -
cd /etc/apt/sources.list.d/
# the sources list comes from my own GitHub; writing here needs root
sudo wget https://raw.githubusercontent.com/aksratamo/salt/master/saltstack.list
cd

Next it installs Git and salt-minion and gives the minion its ID. This is the only difference between the two scripts: in advanced the minion ID is “linux-advanced” and with the basic installation it is “linux-apps”.

sudo apt-get update
sudo apt-get install git salt-minion -y
# printf instead of "sudo echo -e": sudo on echo does nothing useful, and dash's
# echo does not treat -e the way bash's does
printf 'master: localhost\nid: linux-apps\n' | sudo tee /etc/salt/minion

As the last step it pulls my Salt project from Git and runs it. The clone lands in /srv/salt, which is salt-call's default file_roots, and --local runs the states masterless, without contacting the master named in /etc/salt/minion.

cd /srv/
sudo git clone https://github.com/aksratamo/salt
cd salt/
sudo salt-call --local state.apply 

Salt code

The basic installation first installs the apps I like. Then it configures the firewall and watches the rule files, so if the Salt-managed files change it restarts the firewall automatically.

#Enable Firewall and configs
/etc/ufw/ufw.conf:
  file.managed:
    - source: salt://linux-apps/ufw.conf
    - show_changes: False

/etc/ufw/user.rules:
  file.managed:
    - source: salt://linux-apps/user.rules
    - show_changes: False

/etc/ufw/user6.rules:
  file.managed:
    - source: salt://linux-apps/user6.rules
    - show_changes: False

ufwservice:
  service.running:
    - name: ufw       
    - watch:
      - file: /etc/ufw/user6.rules
      - file: /etc/ufw/user.rules
      - file: /etc/ufw/ufw.conf
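
Before Salt pushes user.rules and user6.rules to every new machine, it is worth checking that the managed files really only open port 22/tcp, since a stray rule in a copied file would be applied everywhere. The following Python script is an added example, not code from the aksratamo/salt repository: it parses the iptables-restore lines ufw writes into user.rules (the ufw-user-input chain) and reports any ACCEPT rule whose protocol and port are not on an allow-list. The rules text inside it is constructed to look like what "ufw allow 22/tcp" produces, with one extra 8080 rule added so the check has something to report.

```python
"""Audit a ufw user.rules file: only the intended ports may be opened.

Added example, not part of the aksratamo/salt project. Parses the
iptables-restore lines (-A ufw-user-input ... -j ACCEPT) that ufw writes.
"""
import re

# Constructed sample in the shape of /etc/ufw/user.rules (IPv4): the rule that
# `ufw allow 22/tcp` writes, plus a hand-added 8080 rule to make the check fire.
SAMPLE_USER_RULES = """\
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow tcp 8080 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 8080 -j ACCEPT

### END RULES ###
COMMIT
"""

# Only rules appended to the input chain matter for "what is open".
RULE_RE = re.compile(
    r"^-A ufw-user-input\s+(?P<opts>.*?)\s+-j\s+(?P<target>ACCEPT|DROP|REJECT)\s*$"
)


def parse_accept_rules(text):
    """Return (proto, dport, source) for every ACCEPT rule in ufw-user-input."""
    opened = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m.group("target") != "ACCEPT":
            continue
        opts = m.group("opts").split()
        proto = dport = None
        source = "any"  # ufw omits -s when the rule applies to any source
        for i, tok in enumerate(opts):
            if tok == "-p":
                proto = opts[i + 1]
            elif tok == "--dport":
                dport = opts[i + 1]
            elif tok == "-s":
                source = opts[i + 1]
        opened.append((proto, dport, source))
    return opened


def unexpected_openings(text, allowed):
    """ACCEPT rules whose (proto, port) is not in the allow-list."""
    return [r for r in parse_accept_rules(text) if (r[0], r[1]) not in allowed]


if __name__ == "__main__":
    # Run the same check over the file Salt is about to ship:
    # unexpected_openings(open("linux-apps/user.rules").read(), {("tcp", "22")})
    print("unexpected:", unexpected_openings(SAMPLE_USER_RULES, {("tcp", "22")}))
```

Run it against both user.rules and user6.rules in the repository before committing a change; an empty list is the expected result for this page's "only 22/tcp" policy.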

Then it configures Firefox with the included files:

#Firefox preferences
/etc/firefox/syspref.js:
  file.managed:
    - source: salt://linux-apps/syspref.js
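
The page lists what the Firefox settings do but not the pref names, so here is an added example (mine, not the syspref.js from the aksratamo/salt repository) of how to check such a file before Salt installs it. It parses pref()/lockPref()/user_pref() lines and reports required prefs that are missing or hold the wrong value. The pref names are Firefox's own; which of them the project's actual syspref.js sets is an assumption, and the sample file inside the script is constructed, with one pref left out and one set wrong so the check has findings. One caveat worth knowing: a file loaded as a plain default-prefs file with pref() only sets defaults the user can change back in about:config; locking a value needs lockPref() in an autoconfig file.

```python
"""Check that a Firefox syspref.js/user.js pins the prefs this page relies on.

Added example, not the project's own syspref.js. REQUIRED holds the assumed
prefs behind the Firefox section (telemetry off, no close-tabs alert,
autoscroll, smooth scroll, title bar hidden, DuckDuckGo start page).
"""
import re

REQUIRED = {
    "toolkit.telemetry.enabled": False,
    "toolkit.telemetry.unified": False,
    "datareporting.healthreport.uploadEnabled": False,
    "datareporting.policy.dataSubmissionEnabled": False,
    "browser.tabs.warnOnClose": False,        # no alert when closing many tabs
    "general.autoScroll": True,
    "general.smoothScroll": True,
    "browser.tabs.drawInTitlebar": True,      # tabs in the title bar, WM bar gone
    "browser.startup.homepage": "https://duckduckgo.com",
}

# Constructed syspref.js: toolkit.telemetry.unified is missing and
# browser.tabs.warnOnClose is set to the wrong value on purpose.
SAMPLE_SYSPREF = """\
// constructed syspref.js
pref("toolkit.telemetry.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.policy.dataSubmissionEnabled", false);
pref("browser.tabs.warnOnClose", true);
pref("general.autoScroll", true);
pref("general.smoothScroll", true);
pref("browser.tabs.drawInTitlebar", true);
pref("browser.startup.homepage", "https://duckduckgo.com");
"""

# pref(), lockPref(), defaultPref() and user_pref() are all valid Firefox forms,
# so the same check works on syspref.js, firefox.cfg and a profile's user.js.
PREF_RE = re.compile(
    r'^\s*(?P<fn>lockPref|defaultPref|user_pref|pref)\(\s*"(?P<name>[^"]+)"'
    r'\s*,\s*(?P<val>.+?)\s*\)\s*;\s*$'
)


def parse_value(raw):
    """JS literal -> Python: booleans, quoted strings, integers."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return int(raw)


def parse_prefs(text):
    """Return {pref name: (function used, value)}; comments are ignored."""
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group("name")] = (m.group("fn"), parse_value(m.group("val")))
    return prefs


def findings(text, required=REQUIRED):
    """(pref, problem) for required prefs that are missing or wrong."""
    prefs = parse_prefs(text)
    out = []
    for name, want in required.items():
        if name not in prefs:
            out.append((name, "missing"))
        elif prefs[name][1] != want:
            out.append((name, f"is {prefs[name][1]!r}, want {want!r}"))
    return out


if __name__ == "__main__":
    for name, problem in findings(SAMPLE_SYSPREF):
        print(f"{name}: {problem}")
```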


#Add someonewhocares host list to hostfile
/etc/hosts:
  file.managed:
    - source: salt://hosts
    - show_changes: False
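
file.managed replaces /etc/hosts wholesale, which raises two points a practitioner will want to check: the downloaded list must only map domains to sinkhole addresses (an entry pointing a real domain at some other IP is a redirect, not a block), and the machine's own localhost and hostname lines must survive, otherwise sudo starts complaining that it cannot resolve the host. The Python script below is an added example, not part of the aksratamo/salt project; the blocklist excerpt and the hostname in it are constructed, and the real someonewhocares file is handled the same way.

```python
"""Validate and merge a third-party hosts blocklist before it becomes /etc/hosts.

Added example, not part of the aksratamo/salt project. Checks that every
blocklist entry points at a sinkhole address and prepends the local entries
that a wholesale replacement of /etc/hosts would otherwise lose.
"""
import ipaddress

# Addresses that mean "block": anything else is a redirect to a real host.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed excerpt in the someonewhocares.org style, with one poisoned
# line mixed in so the sinkhole check has something to catch.
SAMPLE_BLOCKLIST = """\
# Dan Pollock's hosts file (constructed excerpt)
127.0.0.1 localhost
::1 localhost
127.0.0.1 ads.example.net      # comment after an entry
0.0.0.0 tracker.example.org telemetry.example.org
203.0.113.7 bank.example.com   # not a block: sends the domain elsewhere
"""

# Lines this machine needs regardless of the blocklist (hostname assumed).
LOCAL_HEADER = """\
127.0.0.1 localhost
127.0.1.1 mylaptop
::1 localhost ip6-localhost ip6-loopback
"""


def parse_hosts(text):
    """Yield (address, [names]) per entry; blank and comment lines skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # ValueError if the address field is garbage
        yield addr, names


def non_sinkhole_entries(text):
    """Entries whose address is not a sinkhole, i.e. redirects rather than blocks."""
    return [(a, n) for a, n in parse_hosts(text) if a not in SINKHOLES]


def merge_hosts(local_header, blocklist, drop_bad=False):
    """Local entries first, then blocklist names not already defined locally.

    A non-sinkhole entry aborts the merge unless drop_bad=True, in which case
    it is silently left out.
    """
    seen = set()
    out = []
    for addr, names in parse_hosts(local_header):
        out.append(f"{addr} {' '.join(names)}")
        seen.update(names)
    for addr, names in parse_hosts(blocklist):
        if addr not in SINKHOLES:
            if drop_bad:
                continue
            raise ValueError(f"refusing non-sinkhole entry: {addr} {' '.join(names)}")
        fresh = [n for n in names if n not in seen]
        if fresh:
            out.append(f"{addr} {' '.join(fresh)}")
            seen.update(fresh)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("redirects found:", non_sinkhole_entries(SAMPLE_BLOCKLIST))
    print(merge_hosts(LOCAL_HEADER, SAMPLE_BLOCKLIST, drop_bad=True))
```

Running the strict merge (drop_bad left at False) over a freshly downloaded list and committing the output as the "hosts" file in the Salt tree keeps the Salt state exactly as it is on this page while making sure the file it ships cannot quietly redirect traffic.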

In the advanced installation
First it adds the custom repositories where needed. I used two different ways of doing this, for testing purposes. The difference matters for trust: the Nextcloud PPA relies on the key Launchpad serves for it, while the Signal repository is pinned to a key file shipped from the Salt file server (key_url), so the trusted key is whatever is committed in the repo.

nextcloud-ppa:
  pkgrepo.managed:
    - ppa: nextcloud-devs/client

signal-desktop:
  pkgrepo.managed:
    - humanname: Signal-desktop PPA
    - name: deb https://updates.signal.org/desktop/apt xenial main
    - file: /etc/apt/sources.list.d/signal-xenial.list
    - key_url: salt://linux-advanced/keys.asc

And at the end there is just a list of the apps I want installed.

linux-advanced:
  pkg.installed:
    - pkgs:
      - neofetch
      - keepassxc
      - httpie
      - nextcloud-client
      - qbittorrent
      - signal-desktop

Sources

Another school project, from which I borrowed the idea of installing a local master and minion: https://github.com/jisosomppi/log-analysis
My project mostly takes inspiration from my teacher's masterless installation: https://github.com/terokarvinen/sirotin

LAMP with Salt

Installing LAMP (Linux, Apache, MariaDB, PHP) is quite easy with Salt. We will use my previous LAMP installation guide as a reference.

First lets install apache:

lamp:
  pkg.installed:
    - pkgs:
      - apache2

That's it for the installation! So easy. But we need to replace the default HTML page: attackers scan for newly installed Apache instances that still show it, because a stock page signals a server nobody has configured yet. So we make a new index.html inside our Salt master that replaces the default one. It can be anything; I made it say:

Placeholder indexfile

And in salt we will continue to build the same salt file by adding

# Apache config
/var/www/html/index.html:
  file.managed:
    - source: salt://lamp/index.html

PHP

It's as easy as with Apache; now we just add PHP to the mix.

lamp:
  pkg.installed:
    - pkgs:
      - apache2
      - libapache2-mod-php

The next part is to let normal users run PHP from their own public_html directories, not only from root-owned /var/www. For that we ship our own copy of php7.2.conf next to init.sls: it is the stock Debian file, except that the mod_userdir block at the end is commented out (in the stock file that block is active and switches PHP off in user directories). It looks like this:

<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch ".+\.phps$">
    SetHandler application/x-httpd-php-source
    # Deny access to raw php sources by default
    # To re-enable it's recommended to enable access to the files
    # only in specific virtual host or directory
    Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(ar|p|ps|tml)$">
    Require all denied
</FilesMatch>

# Running PHP scripts in user directories is disabled by default
# 
# To re-enable PHP in user directories comment the following lines
# (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
# prevents .htaccess files from disabling it.
#<IfModule mod_userdir.c>
#    <Directory /home/*/public_html>
#        php_admin_flag engine Off
#    </Directory>
#</IfModule>

We put it on the minion with this code in init.sls:

# PHP Config
/etc/apache2/mods-available/php7.2.conf:
  file.managed:
    - source: salt://lamp/php7.2.conf

Mariadb

Installing MariaDB works just as before: add the mariadb packages to Salt.

lamp:
  pkg.installed:
   - pkgs:
     - apache2
     - libapache2-mod-php
     - php-mysql
     - mariadb-client
     - mariadb-server

The last thing to install is the firewall, by adding “- ufw” to the end of the package list. Installing the package alone does not enable it: the distrohopper section above manages /etc/ufw/ufw.conf and the rule files with file.managed and keeps the ufw service running, and the same states are needed here for the firewall to actually be active. So the final config will look like this:

```yaml
lamp:
  pkg.installed:
    - pkgs:
      - apache2
      - libapache2-mod-php
      - php-mysql
      - mariadb-client
      - mariadb-server
      - ufw

# Apache config
/var/www/html/index.html:
  file.managed:
    - source: salt://lamp/index.html

# PHP Config
/etc/apache2/mods-available/php7.2.conf:
  file.managed:
    - source: salt://lamp/php7.2.conf
```

This time the assignment was left a bit unfinished, due to playing around too much with the final course project. You can find it here.

Sources:

Assignment: http://terokarvinen.com/2018/aikataulu–palvelinten-hallinta-ict4tn022-3004-ti-ja-3002-to–loppukevat-2018-5p

Windows salt minion

You can use Salt to control Windows machines too, but only as minions; the Salt master runs only on Linux. You just install the Windows minion, give it your Salt master's IP and a minion ID. Then you need to accept the new minion's key on the master. -A accepts every key that is waiting, so list the pending keys first (salt-key -L) and make sure only the minion you just installed is there: anything that can reach the master's port 4506 can submit a key, and once accepted it can pull files from the master's file server. To accept everything that is pending:

sudo salt-key -A

You can see your salt masters IP with “hostname -I” command

On master you need to add support for windows with

sudo salt-run winrepo.update_git_repos
sudo salt -G 'os:windows' pkg.refresh_db

Installing programs

Now you can install programs on Windows with Salt. This code installs Notepad++ and Chocolatey through Salt's Windows package repository (the winrepo you just refreshed), and then uses Chocolatey to install AutoHotkey.

windows_apps:
  pkg.installed:
    - pkgs:
      - npp
      - chocolatey

choco:
  chocolatey.installed:
    - name: autohotkey

Coding with Jinja 2

This code checks whether the minion is Linux or Windows and puts helloworld.txt in a different directory depending on the answer.

{% if grains["os"] == "Windows" %}
{# backslash doubled so Jinja's string escaping keeps it; a single one is fine
   here but turns a path like C:\temp into C:<tab>emp #}
{%   set hellofile = "C:\\helloworld.txt" %}
{% else %}
{%   set hellofile = "/tmp/helloworld.txt" %}
{% endif %}

{{ hellofile }}:
  file.managed:
    - source: salt://helloworld/helloworld.txt

In this example the helloworld file resides in the same directory as the helloworld init.sls on the master.

Sources:

Homework: http://terokarvinen.com/2018/aikataulu–palvelinten-hallinta-ict4tn022-3004-ti-ja-3002-to–loppukevat-2018-5p
Windows Salt help: http://terokarvinen.com/2018/control-windows-with-salt