propellor/README

This is a work in progress configuration management system using Haskell
and Git.

Propellor enures that the system it's run in satisfies a list of
properties, taking action as necessary when a property is not yet met.

The design is intentionally very minimal.

Propellor lives in a git repository. You'll typically want to have
the repository checked out on a laptop, in order to make changes and push
them out to hosts. Each host will also have a clone of the repository,
and in that clone "make" can be used to build and run propellor.
This can be done by a cron job (which propellor can set up),
or a remote host can be triggered to update by running propellor
on your laptop: propellor --spin $host

Properties are defined using Haskell. Edit config.hs to get started.

There is no special language as used in puppet, chef, ansible, etc.. just
the full power of Haskell. Hopefully that power can be put to good use in
making declarative properties that are powerful, nicely idempotent, and
easy to adapt to a system's special needs.

Also avoided is any form of node classification. Ie, which hosts are part
of which classes and share which configuration. It might be nice to use
reclass[1], but then again a host is configured using simply haskell code,
and so it's easy to factor out things like classes of hosts as desired.

## quick start

Clone propellor's git repository to your laptop (or whatever).


## security

Propellor's security model is that the hosts it's used to deploy are
untrusted, and that the central git repository server is untrusted.

The only trusted machine is the laptop where you run propellor --spin
to connect to a remote host. And that one only because you have a ssh key
or login password to the host.

Since the hosts propellor deploys are not trusted by the central git
repository, they have to use git:// or http:// to pull from the central
git repository, rather than ssh://. 

So, to avoid a MITM attack, propellor checks that any commit it fetched
from origin is gpg signed by a trusted gpg key, and refuses to deploy it
otherwise.

That is only done when privdata/keyring.gpg exists. To set it up:

gpg --gen-key                 # only if you don't already have a gpg key
propellor --add-key $MYKEYID

In order to be secure from the beginning, when propellor --spin is used
to bootstrap propellor on a new host, it transfers the local git repositry
to the remote host over ssh. After that, the remote host knows the
gpg key, and will use it to verify git fetches.

Since the propoellor git repository is public, you can't store
in cleartext private data such as passwords, ssh private keys, etc.

Instead, propellor --spin $host looks for a privdata/$host.gpg file and
if found decrypts it and sends it to the remote host using ssh. This lets
a remote host know its own private data, without seeing all the rest.

To securely store private data, use: propellor --set $host $field
The field name will be something like 'Password "root"'; see PrivData.hs
for available fields.

[1] http://reclass.pantsfullofunix.net/
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00			`This is a work in progress configuration management system using Haskell`
			`and Git.`

foo2 2014-03-30 06:46:05 +00:00			`Propellor enures that the system it's run in satisfies a list of`
			`properties, taking action as necessary when a property is not yet met.`

			`The design is intentionally very minimal.`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
propellor spin 2014-03-31 19:40:16 +00:00			`Propellor lives in a git repository. You'll typically want to have`
			`the repository checked out on a laptop, in order to make changes and push`
			`them out to hosts. Each host will also have a clone of the repository,`
			`and in that clone "make" can be used to build and run propellor.`
			`This can be done by a cron job (which propellor can set up),`
			`or a remote host can be triggered to update by running propellor`
			`on your laptop: propellor --spin $host`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
more prep 2014-03-31 03:59:07 +00:00			`Properties are defined using Haskell. Edit config.hs to get started.`
update 2014-03-30 06:50:04 +00:00
prepare for hackage 2014-03-31 03:37:54 +00:00			`There is no special language as used in puppet, chef, ansible, etc.. just`
update 2014-03-30 06:50:04 +00:00			`the full power of Haskell. Hopefully that power can be put to good use in`
			`making declarative properties that are powerful, nicely idempotent, and`
			`easy to adapt to a system's special needs.`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
			`Also avoided is any form of node classification. Ie, which hosts are part`
			`of which classes and share which configuration. It might be nice to use`
			`reclass[1], but then again a host is configured using simply haskell code,`
foo2 2014-03-30 06:46:05 +00:00			`and so it's easy to factor out things like classes of hosts as desired.`
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`## quick start`
propellor spin 2014-03-31 16:06:04 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`Clone propellor's git repository to your laptop (or whatever).`
propellor spin 2014-03-31 19:40:16 +00:00
propellor spin 2014-03-30 23:10:32 +00:00

propellor spin 2014-03-31 23:12:27 +00:00			`## security`
propellor spin 2014-03-30 23:10:32 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`Propellor's security model is that the hosts it's used to deploy are`
			`untrusted, and that the central git repository server is untrusted.`
propellor spin 2014-03-31 23:06:50 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`The only trusted machine is the laptop where you run propellor --spin`
			`to connect to a remote host. And that one only because you have a ssh key`
			`or login password to the host.`
propellor spin 2014-03-31 23:06:50 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`Since the hosts propellor deploys are not trusted by the central git`
			`repository, they have to use git:// or http:// to pull from the central`
			`git repository, rather than ssh://.`
propellor spin 2014-03-31 16:06:04 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`So, to avoid a MITM attack, propellor checks that any commit it fetched`
			`from origin is gpg signed by a trusted gpg key, and refuses to deploy it`
			`otherwise.`
propellor spin 2014-03-31 16:06:04 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`That is only done when privdata/keyring.gpg exists. To set it up:`
propellor spin 2014-03-31 16:06:04 +00:00
			`gpg --gen-key # only if you don't already have a gpg key`
			`propellor --add-key $MYKEYID`
propellor spin 2014-03-31 15:06:46 +00:00
propellor spin 2014-03-31 23:12:27 +00:00			`In order to be secure from the beginning, when propellor --spin is used`
propellor spin 2014-03-31 20:20:38 +00:00			`to bootstrap propellor on a new host, it transfers the local git repositry`
propellor spin 2014-03-31 23:12:27 +00:00			`to the remote host over ssh. After that, the remote host knows the`
			`gpg key, and will use it to verify git fetches.`

			`Since the propoellor git repository is public, you can't store`
			`in cleartext private data such as passwords, ssh private keys, etc.`

			`Instead, propellor --spin $host looks for a privdata/$host.gpg file and`
			`if found decrypts it and sends it to the remote host using ssh. This lets`
			`a remote host know its own private data, without seeing all the rest.`

			`To securely store private data, use: propellor --set $host $field`
			`The field name will be something like 'Password "root"'; see PrivData.hs`
			`for available fields.`
propellor spin 2014-03-31 20:20:38 +00:00
initial check-in too young to have a name 2014-03-30 03:10:52 +00:00			`[1] http://reclass.pantsfullofunix.net/`