-- This is the live config file used by propellor's author.
module Main where
import Propellor
import Propellor.CmdLine
import Propellor.Property.Scheduled
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Cron as Cron
import qualified Propellor.Property.Sudo as Sudo
import qualified Propellor.Property.User as User
import qualified Propellor.Property.Hostname as Hostname
--import qualified Propellor.Property.Reboot as Reboot
import qualified Propellor.Property.Tor as Tor
import qualified Propellor.Property.Dns as Dns
import qualified Propellor.Property.OpenId as OpenId
import qualified Propellor.Property.Docker as Docker
import qualified Propellor.Property.Git as Git
import qualified Propellor.Property.Apache as Apache
import qualified Propellor.Property.Postfix as Postfix
import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
-- | Entry point: hand the complete host list (managed hosts, containers
-- and the unmanaged "monsters") to propellor's standard command-line
-- driver, which picks the host to configure from its arguments.
main :: IO ()
main = defaultMain allHosts
  where
    allHosts = hosts
-- All hosts propellor knows about. Each entry is a Host built from
-- properties that are applied in the order written, and `hosts` itself is
-- handed to properties such as Docker.docked, Dns.secondary and the
-- JoeySites helpers, which look other hosts up here by name. The
-- unmanaged hosts from `monsters` are appended at the end so that their
-- addresses and ssh keys are visible to those lookups as well.
-- _ ______`| ,-.__
{- Propellor -- / \___-=O`/|O`/__| (____.'
Deployed -} -- \ / | / ) _.-"-._
-- `/-==__ _/__|/__=-| ( \_
hosts :: [Host] -- * \ | | '--------'
hosts = -- (o) `
    -- My laptop
    [ host "darkstar.kitenet.net"
        & ipv6 "2001:4830:1600:187::2" -- sixxs tunnel
        & Docker.configured
        & Apt.buildDep ["git-annex"] `period` Daily

    -- Nothing super-important lives here.
    , standardSystem "clam.kitenet.net" Unstable "amd64"
        & ipv4 "162.248.143.249"
        & ipv6 "2002:5044:5531::1"
        & CloudAtCost.decruft
        & Apt.unattendedUpgrades
        & Network.ipv6to4
        -- Public Tor bridge: this box relays third-party traffic.
        & Tor.isBridge
        & Postfix.satellite
        & Docker.configured

        & alias "shell.olduse.net"
        & JoeySites.oldUseNetShellBox

        -- The provider itself is defined as the "openid-provider"
        -- container below; it is reachable over plain http only (see the
        -- note there).
        & alias "openid.kitenet.net"
        & Docker.docked hosts "openid-provider"
            `requires` Apt.serviceInstalledRunning "ntp"

        & alias "ancient.kitenet.net"
        & Docker.docked hosts "ancient-kitenet"

        -- I'd rather this were on diatom, but it needs unstable.
        & alias "kgb.kitenet.net"
        & JoeySites.kgbServer

        & alias "mumble.kitenet.net"
        & JoeySites.mumbleServer hosts

        & alias "ns9.kitenet.net"
        & myDnsSecondary

        & alias "znc.kitenet.net"
        & JoeySites.ircBouncer

        -- Nothing is using https on clam, so listen on that port
        -- for ssh, for traveling on bad networks.
        -- NOTE(review): sshd stops using its default port 22 as soon as
        -- any Port directive is present, and the stock Debian config only
        -- carries a commented-out "#Port 22". Unless an explicit "Port 22"
        -- line is already in place, this leaves ssh reachable on 443
        -- only; confirm, or also ensure a "Port 22" line before the
        -- restart below fires.
        & "/etc/ssh/sshd_config" `File.containsLine` "Port 443"
            `onChange` Service.restarted "ssh"

        & Docker.garbageCollected `period` Daily
        & Apt.installed ["git-annex", "mtr", "screen"]

    -- Orca is the main git-annex build box.
    -- The builders run untrusted-ish build inputs inside containers; orca
    -- itself only hosts them.
    , standardSystem "orca.kitenet.net" Unstable "amd64"
        & ipv4 "138.38.108.179"
        & Hostname.sane
        & Apt.unattendedUpgrades
        & Postfix.satellite
        & Docker.configured
        & Docker.docked hosts "amd64-git-annex-builder"
        & Docker.docked hosts "i386-git-annex-builder"
        & Docker.docked hosts "armel-git-annex-builder-companion"
        & Docker.docked hosts "armel-git-annex-builder"
        & Docker.docked hosts "android-git-annex-builder"
        & Docker.garbageCollected `period` Daily
        & Apt.buildDep ["git-annex"] `period` Daily

    -- Important stuff that needs not too much memory or CPU.
    , standardSystem "diatom.kitenet.net" Stable "amd64"
        & ipv4 "107.170.31.195"
        & DigitalOcean.distroKernel
        & Hostname.sane
        -- NOTE(review): ssh-dss host keys are fixed at 1024 bits and
        -- current OpenSSH clients refuse them by default. Keep the DSA
        -- key only while some legacy client still needs it; otherwise
        -- the RSA and ECDSA keys below are enough.
        & Ssh.hostKey SshDsa
        & Ssh.hostKey SshRsa
        & Ssh.hostKey SshEcdsa
        & Apt.unattendedUpgrades
        & Apt.serviceInstalledRunning "ntp"
        & Postfix.satellite
        -- Diatom has 500 mb of memory, so tune for that.
        & JoeySites.obnamLowMem
        & Apt.serviceInstalledRunning "swapspace"

        & Apt.serviceInstalledRunning "apache2"
        -- TLS material comes from the privdata store. The private key
        -- must end up unreadable by other users; confirm the mode that
        -- hasPrivContent leaves on /etc/ssl/private/web.pem rather than
        -- assuming it.
        & File.hasPrivContent "/etc/ssl/certs/web.pem"
        & File.hasPrivContent "/etc/ssl/private/web.pem"
        & File.hasPrivContent "/etc/ssl/certs/startssl.pem"
        & Apache.modEnabled "ssl"
        & Apache.multiSSL
        & File.ownerGroup "/srv/web" "joey" "joey"
        & Apt.installed ["analog"]

        & alias "git.kitenet.net"
        & alias "git.joeyh.name"
        & JoeySites.gitServer hosts

        & alias "downloads.kitenet.net"
        & JoeySites.annexWebSite hosts "/srv/git/downloads.git"
            "downloads.kitenet.net"
            "840760dc-08f0-11e2-8c61-576b7e66acfd"
            [("turtle", "ssh://turtle.kitenet.net/~/lib/downloads/")]
        & JoeySites.gitAnnexDistributor

        & alias "tmp.kitenet.net"
        & JoeySites.annexWebSite hosts "/srv/git/joey/tmp.git"
            "tmp.kitenet.net"
            "26fd6e38-1226-11e2-a75f-ff007033bdba"
            []
        & JoeySites.twitRss

        & alias "nntp.olduse.net"
        & alias "resources.olduse.net"
        & JoeySites.oldUseNetServer hosts

        -- Primary nameserver for my zones; the zone contents are derived
        -- from the addresses and aliases declared on the hosts in this
        -- list (see myDnsPrimary), so an edit anywhere in `hosts` can
        -- change published DNS.
        & alias "ns2.kitenet.net"
        & myDnsPrimary "kitenet.net" []
        & myDnsPrimary "joeyh.name" []
        & myDnsPrimary "ikiwiki.info" []
        & myDnsPrimary "olduse.net"
            [ (RelDomain "article",
                CNAME $ AbsDomain "virgil.koldfront.dk") ]

        & alias "ns3.branchable.com"
        & branchableSecondary
        & Dns.secondaryFor ["animx"] hosts "animx.eu.org"

--' __|II| ,.
---- __|II|II|__ ( \_,/\
------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/ __/ -'-.-'-.-'-.-'-.-'-
----------------------- | [Docker] / ----------------------
----------------------- : / -----------------------
------------------------ \____, o ,' ------------------------
------------------------- '--,___________,' -------------------------

    -- Simple web server, publishing the outside host's /var/www
    -- (with no host address given, docker binds the published port on
    -- every host interface; the volume is mounted read-write although
    -- apache only needs to read it).
    , standardContainer "webserver" Stable "amd64"
        & Docker.publish "8080:80"
        & Docker.volume "/var/www:/var/www"
        & Apt.serviceInstalledRunning "apache2"

    -- My own openid provider. Uses php, so containerized for security
    -- and administrative sanity.
    -- NOTE(review): the provider is published on plain http (port 8081)
    -- and, per the note on clam, nothing there serves https, so OpenID
    -- logins for the users listed travel unencrypted. Acceptable only
    -- if that is a deliberate choice.
    , standardContainer "openid-provider" Stable "amd64"
        & Docker.publish "8081:80"
        & OpenId.providerFor ["joey", "liw"]
            "openid.kitenet.net:8081"

    -- Exhibit: kite's 90's website.
    -- NOTE(review): git:// is unauthenticated and unencrypted, so what
    -- apache ends up serving from /var/www can be tampered with in
    -- transit. The site is a static exhibit, but an https or ssh clone
    -- URL would close that off.
    , standardContainer "ancient-kitenet" Stable "amd64"
        & Docker.publish "1994:80"
        & Apt.serviceInstalledRunning "apache2"
        & Git.cloned "root" "git://kitenet-net.branchable.com/" "/var/www"
            (Just "remotes/origin/old-kitenet.net")

    -- git-annex autobuilder containers
    , GitAnnexBuilder.standardContainer dockerImage "amd64" 15 "2h"
    , GitAnnexBuilder.standardContainer dockerImage "i386" 45 "2h"
    , GitAnnexBuilder.armelCompanionContainer dockerImage
    , GitAnnexBuilder.armelContainer dockerImage "1 3 * * *" "5h"
    , GitAnnexBuilder.androidContainer dockerImage "1 1 * * *" "3h"
    ] ++ monsters
-- | My standard system setup: a Debian host of the given suite and
-- architecture with root and my own account configured, ssh hardened,
-- and propellor re-run from cron.
--
-- Properties apply in the order listed, and that order is load-bearing
-- for the ssh hardening step (see the comment on it).
standardSystem :: HostName -> DebianSuite -> Architecture -> Host
standardSystem hn suite arch = host hn
    & os system
    & Apt.stdSourcesList suite `onChange` Apt.upgrade
    & Apt.installed ["etckeeper"]
    & Apt.installed ["ssh"]
    & GitHome.installedFor "root"
    & User.hasSomePassword "root"
    -- Harden the system, but only once root's authorized_keys
    -- is safely in place. The check is re-evaluated on every run, so
    -- password logins stay enabled until root has a key and are then
    -- switched off for every account, including the admin user below,
    -- who therefore needs a key as well.
    & check (Ssh.hasAuthorizedKeys "root") (Ssh.passwordAuthentication False)
    & User.accountFor adminUser
    & User.hasSomePassword adminUser
    & Sudo.enabledFor adminUser
    & GitHome.installedFor adminUser
    & Apt.installed baseTools
    -- Propellor re-runs itself hourly from cron; presumably that pulls
    -- this config from its git remote, so whoever can push there is
    -- effectively root on every host (TODO confirm how the cron job
    -- fetches and verifies the config).
    & Cron.runPropellor "30 * * * *"
    -- I use postfix, or no MTA: remove exim and whatever only it needed.
    & Apt.removed eximPackages `onChange` Apt.autoRemove
  where
    system = System (Debian suite) arch
    adminUser = "joey"
    baseTools = ["vim", "screen", "less"]
    eximPackages = ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"]
-- | My standard container setup: a Docker container of the given name,
-- based on the image 'dockerImage' picks for the Debian suite and
-- architecture, with a standard sources.list and unattended security
-- upgrades so a container does not quietly fall behind the host.
standardContainer :: Docker.ContainerName -> DebianSuite -> Architecture -> Host
standardContainer name suite arch =
    Docker.container name image
        & os system
        & Apt.stdSourcesList suite
        & Apt.unattendedUpgrades
  where
    system = System (Debian suite) arch
    image = dockerImage system
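-- | Docker images I prefer to use, keyed on the Debian suite.
--
-- Only Stable and Unstable have an image. For anything else this now
-- fails loudly instead of returning a placeholder name: the previous
-- fallback ("debian-stable-official", which by its own comment did not
-- exist) was an unqualified image name that Docker would resolve against
-- the public registry, so whoever registered that name there would have
-- had their image pulled and run. The error only fires when the image
-- name is actually forced, i.e. when such a container is built.
dockerImage :: System -> Docker.Image
dockerImage (System (Debian Unstable) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Stable) arch) = "joeyh/debian-stable-" ++ arch
dockerImage _ = error "dockerImage: only Debian Stable and Unstable have an image; refusing to guess one"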
-- | Act as DNS secondary for every zone I run a primary for (the same
-- set 'myDnsPrimary' is used with). The primary for each zone is found
-- by looking through 'hosts', so this and the primaries must agree on
-- host names.
myDnsSecondary :: Property
myDnsSecondary = propertyList "dns secondary for all my domains" $
    map (toProp . Dns.secondary hosts) myDomains
  where
    myDomains =
        [ "kitenet.net"
        , "joeyh.name"
        , "ikiwiki.info"
        , "olduse.net"
        ]
-- | Secondary for the branchable.com zone, slaving from the host of the
-- same name (which lives in 'monsters', i.e. is not managed here).
branchableSecondary :: RevertableProperty
branchableSecondary = Dns.secondaryFor primaries hosts zone
  where
    primaries = ["branchable.com"]
    zone = "branchable.com"
-- | Primary DNS for one of my zones. diatom (ns2) is the primary, with
-- clam (ns9) and gandi's ns6 as secondaries; kite handles all mail.
--
-- The host records for the zone are generated from 'hosts' (addresses
-- and aliases declared there); this only supplies the SOA, the NS and
-- MX records and the SPF policy, plus whatever extra records the caller
-- passes in.
--
-- NOTE(review): the SPF record ends in "?all", which is neutral: mail
-- from any other source is neither passed nor failed, so the policy
-- does not actually stop the domain from being spoofed. Once it is
-- confirmed that all outbound mail leaves via kite (the "a" mechanism),
-- tightening to "~all" or "-all" is the change to make; left alone here
-- because it affects delivery.
myDnsPrimary :: Domain -> [(BindDomain, Record)] -> RevertableProperty
myDnsPrimary domain extras = Dns.primary hosts domain soa (baseRecords ++ extras)
  where
    soa = Dns.mkSOA "ns2.kitenet.net" 100
    nameservers = ["ns2.kitenet.net", "ns6.gandi.net", "ns9.kitenet.net"]
    baseRecords =
        map (\ns -> (RootDomain, NS $ AbsDomain ns)) nameservers
        ++ [ (RootDomain, MX 0 $ AbsDomain "kitenet.net")
           , (RootDomain, TXT "v=spf1 a ?all")
           ]
-- Hosts that propellor does not configure but needs to know about: their
-- addresses and aliases feed the zones built by myDnsPrimary, and the
-- sshPubKey entries are the host keys managed hosts will trust for them.
-- Treat a key pinned here like any other trust anchor: verify it against
-- the provider's published fingerprint out of band, and re-check it when
-- the provider rotates keys.
-- o
-- ___ o o
{-----\ / o \ ___o o
{ \ __ \ / _ (X___>-- __o
_____________________{ ______\___ \__/ | \__/ \____ |X__>
< \___//|\\___/\ \____________ _
\ ___/ | \___ # # \ (-)
\ O O O # | \ # >=)
\______________________________# # / #__________________/ (-}
monsters :: [Host] -- Systems I don't manage with propellor,
monsters = -- but do want to track their public keys etc.
    -- NOTE(review): rsync.net is pinned by an ssh-dss key; current OpenSSH
    -- clients will not accept ssh-dss unless HostKeyAlgorithms is widened.
    -- Prefer the provider's RSA (or newer) host key if one is offered.
    [ host "usw-s002.rsync.net"
        & sshPubKey "ssh-dss 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"
    -- NOTE(review): GitHub rotated its RSA host key in March 2023; this
    -- pin predates that, so it needs to be checked against GitHub's
    -- current published fingerprint and replaced if it is the old key.
    , host "github.com"
        & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
    -- gandi's secondary nameserver, listed as NS in myDnsPrimary.
    , host "ns6.gandi.net"
        & ipv4 "217.70.177.40"
    -- Backup target; also the "turtle" remote of the downloads annex on
    -- diatom, which is why its host key is pinned.
    , host "turtle.kitenet.net"
        & ipv4 "67.223.19.96"
        & ipv6 "2001:4978:f:2d9::2"
        & alias "backup.kitenet.net"
        & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw=="
    -- wren is "kite": the zone apex, ns1, and the mail host every MX
    -- record in myDnsPrimary points at. Its aliases below become records
    -- in the published zones.
    , host "wren.kitenet.net"
        & ipv4 "80.68.85.49"
        & ipv6 "2001:41c8:125:49::10"
        & alias "kitenet.net"
        & alias "kite.kitenet.net"
        & alias "ns1.kitenet.net"
        & alias "ftp.kitenet.net"
        & alias "mail.kitenet.net"
        & alias "smtp.kitenet.net"
        & alias "sows-ear.kitenet.net"
        & alias "www.sows-ear.kitenet.net"
        & alias "wortroot.kitenet.net"
        & alias "www.wortroot.kitenet.net"
        & alias "joey.kitenet.net"
        & alias "annex.kitenet.net"
        & alias "ipv6.kitenet.net"
        & alias "bitlbee.kitenet.net"
    , host "mouse.kitenet.net"
        & ipv6 "2001:4830:1600:492::2"
    , host "beaver.kitenet.net"
        & ipv6 "2001:4830:1600:195::2"
    , host "hydra.kitenet.net"
        & ipv4 "192.25.206.60"
    -- branchable.com hosts the www sites for several of my zones and is
    -- the primary that branchableSecondary slaves from.
    , host "branchable.com"
        & ipv4 "66.228.46.55"
        & ipv6 "2600:3c03::f03c:91ff:fedf:c0e5"
        & alias "olduse.net"
        & alias "www.olduse.net"
        & alias "www.kitenet.net"
        & alias "joeyh.name"
        & alias "campaign.joeyh.name"
        & alias "ikiwiki.info"
        & alias "git.ikiwiki.info"
        & alias "l10n.ikiwiki.info"
        & alias "dist-bugs.kitenet.net"
        & alias "family.kitenet.net"
    -- Primary for animx.eu.org, which diatom is a secondary for; two
    -- addresses are listed, presumably both are valid sources for the
    -- zone transfer.
    , host "animx"
        & ipv4 "76.7.162.101"
        & ipv4 "76.7.162.186"
    ]