-- This is the live config file used by propellor's author.
-- https://propellor.branchable.com/
module Main where
import Propellor
import Propellor.CmdLine
import Propellor.Property.Scheduled
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network
import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Cron as Cron
import qualified Propellor.Property.Sudo as Sudo
import qualified Propellor.Property.User as User
import qualified Propellor.Property.Hostname as Hostname
import qualified Propellor.Property.Tor as Tor
import qualified Propellor.Property.Dns as Dns
import qualified Propellor.Property.OpenId as OpenId
import qualified Propellor.Property.Docker as Docker
import qualified Propellor.Property.Git as Git
import qualified Propellor.Property.Postfix as Postfix
import qualified Propellor.Property.Grub as Grub
import qualified Propellor.Property.Obnam as Obnam
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Systemd as Systemd
import qualified Propellor.Property.Journald as Journald
import qualified Propellor.Property.OS as OS
import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
import qualified Propellor.Property.HostingProvider.Linode as Linode
import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
import qualified Propellor.Property.SiteSpecific.IABak as IABak
import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
-- | Entry point. Hands the full 'hosts' list to propellor's standard
-- command-line driver; everything else in this file is data describing
-- those hosts. (The trailing comments are ASCII art.)
main :: IO () -- _ ______`| ,-.__
main = defaultMain hosts -- / \___-=O`/|O`/__| (____.'
{- Propellor -- \ / | / ) _.-"-._
Deployed -} -- `/-==__ _/__|/__=-| ( \_
-- | Every host this config can deploy. 'testvm' is defined below but is
-- not in this list, so it is presumably not deployable from here.
-- 'monsters' (machines not managed by propellor) are appended so that
-- their addresses and public keys are visible to properties that take
-- the host list, e.g. 'Ssh.knownHost' and 'Dns.secondary'.
hosts :: [Host] -- * \ | | '--------'
hosts = -- (o) `
	[ darkstar
	, gnu
	, clam
	, orca
	, kite
	, elephant
	, beaver
	, iabak
	] ++ monsters
-- | Test VM. Not listed in 'hosts'.
testvm :: Host
testvm = host "testvm.kitenet.net"
	& os (System (Debian Unstable) "amd64")
	-- Destructive: reinstalls the OS in place. The 'OS.Confirmed'
	-- hostname is the safety interlock against running this on the
	-- wrong machine. The fix-up list is attached with `onChange`, so it
	-- only runs when the clean install actually happened.
	& OS.cleanInstallOnce (OS.Confirmed "testvm.kitenet.net")
		`onChange` propertyList "fixing up after clean install"
			[ OS.preserveRootSshAuthorized
			, OS.preserveResolvConf
			, Apt.update
			, Grub.boots "/dev/sda"
				`requires` Grub.installed Grub.PC
			]
	& Hostname.sane
	& Hostname.searchDomain
	& Apt.installed ["linux-image-amd64"]
	& Apt.installed ["ssh"]
	-- Root gets a (privdata-supplied) password; note there is no
	-- 'Ssh.passwordAuthentication False' here, unlike 'standardSystem'.
	& User.hasPassword "root"
-- | Workstation. Not built on 'standardSystem'; only the git-annex build
-- environment, docker, and outbound mail via kite are managed here.
darkstar :: Host
darkstar = host "darkstar.kitenet.net"
	& ipv6 "2001:4830:1600:187::2" -- sixxs tunnel
	& Apt.buildDep ["git-annex"] `period` Daily
	& Docker.configured
	-- '!' applies the reverted property: the android dev container is
	-- currently kept *not* docked.
	! Docker.docked gitAnnexAndroidDev
	-- Relay outgoing mail through kite, signing with DKIM.
	& JoeySites.postfixClientRelay (Context "darkstar.kitenet.net")
	& JoeySites.dkimMilter
-- | Second workstation, same minimal shape as 'darkstar' minus the
-- android container and the IPv6 tunnel.
gnu :: Host
gnu = host "gnu.kitenet.net"
	& Apt.buildDep ["git-annex"] `period` Daily
	& Docker.configured
	& JoeySites.postfixClientRelay (Context "gnu.kitenet.net")
	& JoeySites.dkimMilter
-- | Cheap, disposable VPS: Tor relay, a hello-world web container, the
-- olduse.net shell box, and a scroll server.
clam :: Host
clam = standardSystem "clam.kitenet.net" Unstable "amd64"
	[ "Unreliable server. Anything here may be lost at any time!" ]
	& ipv4 "167.88.41.194"
	& CloudAtCost.decruft
	-- Regenerate the ssh host keys; presumably the provider image ships
	-- with pre-generated (shared) ones. Clients that pinned the old keys
	-- will see a host-key change after this runs.
	& Ssh.randomHostKeys
	& Apt.unattendedUpgrades
	& Network.ipv6to4
	-- Public Tor relay, nickname "kite1", capped at 400 GB per month.
	& Tor.isRelay
	& Tor.named "kite1"
	& Tor.bandwidthRate (Tor.PerMonth "400 GB")
	& Docker.configured
	& Docker.garbageCollected `period` Daily
	-- 'webserver' bind-mounts the host's /var/www, so the files managed
	-- below are what it serves.
	& Docker.docked webserver
	& File.dirExists "/var/www/html"
	& File.notPresent "/var/www/html/index.html"
	& "/var/www/index.html" `File.hasContent` ["hello, world"]
	& alias "helloworld.kitenet.net"
	& Docker.docked oldusenetShellBox
	& JoeySites.scrollBox
	& alias "scroll.joeyh.name"
	& alias "us.scroll.joeyh.name"
	-- ssh on some extra ports to deal with horrible networks
	-- while travelling
	-- NOTE: both extra ports are applied with '!', i.e. reverted, so
	-- sshd currently does *not* listen on 80/443 here; only the alias
	-- remains. (Compare 'elephant', which does listen on 80.)
	& alias "travelling.kitenet.net"
	! Ssh.listenPort 80
	! Ssh.listenPort 443
	& Systemd.persistentJournal
-- | git-annex autobuilder host. Each build runs in its own docker
-- container built from 'dockerImage'.
orca :: Host
orca = standardSystem "orca.kitenet.net" Unstable "amd64"
	[ "Main git-annex build box." ]
	& ipv4 "138.38.108.179"
	& Apt.unattendedUpgrades
	& Postfix.satellite
	& Systemd.persistentJournal
	& Docker.configured
	-- The numeric argument and the duration look like a schedule
	-- offset and a build timeout respectively -- confirm against
	-- GitAnnexBuilder before changing them.
	& Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "amd64" 15 "2h")
	& Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "i386" 45 "2h")
	& Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage)
	-- The armel and android builders run on explicit cron schedules.
	& Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h")
	& Docker.docked (GitAnnexBuilder.androidAutoBuilderContainer dockerImage (Cron.Times "1 1 * * *") "3h")
	& Docker.garbageCollected `period` Daily
	& Apt.buildDep ["git-annex"] `period` Daily
-- | The main multi-user server: mail, web, git hosting, DNS primary
-- (ns4), bitlbee, and the olduse.net NNTP server.
--
-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
--
-- Built on 'standardSystemUnhardened' rather than 'standardSystem'
-- because ssh password authentication is deliberately left enabled
-- (see below).
kite :: Host
kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
	[ "Welcome to kite!" ]
	& ipv4 "66.228.36.95"
	& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
	& alias "kitenet.net"
	& alias "wren.kitenet.net" -- temporary
	-- Public halves of the ssh host keys. The private halves are
	-- presumably supplied from privdata under the given Context --
	-- confirm in Propellor.Property.Ssh. Other hosts in this file pin
	-- these via 'Ssh.knownHost hosts'.
	-- NOTE(review): ssh-dss (DSA) host keys are disabled by default in
	-- OpenSSH 7.0 and later; the RSA/ECDSA/Ed25519 keys carry clients
	-- that refuse DSA.
	& Ssh.hostKeys (Context "kitenet.net")
		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45")
		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=")
		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=")
		, (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZftKMnH/zH29BHMKbcBO4QsgTrstYFVhbrzrlRzBO3")
		]
	& Network.static "eth0" `requires` Network.cleanInterfacesFile
	& Apt.installed ["linux-image-amd64"]
	& Linode.chainPVGrub 5
	& Linode.mlocateEnabled
	& Apt.unattendedUpgrades
	& Systemd.installed
	& Systemd.persistentJournal
	& Journald.systemMaxUse "500MiB"
	-- Password logins stay enabled because this is a multi-user box.
	-- That widens the brute-force surface of sshd, which is why
	-- fail2ban is installed right after; both settings belong together.
	& Ssh.passwordAuthentication True
	-- Since ssh password authentication is allowed:
	& Apt.serviceInstalledRunning "fail2ban"
	-- Nightly encrypted full backup, pushed over sftp to
	-- eubackup.kitenet.net (an alias of 'elephant'). Encryption uses the
	-- listed GPG key id; 'Obnam.OnlyClient' means this host only ever
	-- writes to that repository. The two `requires` make sure root's
	-- RSA key is in place and that eubackup's host key (taken from the
	-- 'hosts' list) is pinned in root's known_hosts before the first
	-- backup runs, so the sftp connection is not trust-on-first-use.
	& Obnam.backupEncrypted "/" (Cron.Times "33 1 * * *")
		[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
		, "--client-name=kitenet.net"
		, "--exclude=/var/cache"
		, "--exclude=/var/tmp"
		, "--exclude=/home/joey/lib"
		, "--exclude=.*/tmp/"
		, "--one-file-system"
		] Obnam.OnlyClient (Gpg.GpgKeyId "98147487")
		`requires` Ssh.keyImported SshRsa "root"
			(Context "kite.kitenet.net")
		`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
	& Apt.serviceInstalledRunning "ntp"
	& "/etc/timezone" `File.hasContent` ["US/Eastern"]
	-- Mail: all MX records in 'myDnsPrimary' point at kitenet.net.
	& alias "smtp.kitenet.net"
	& alias "imap.kitenet.net"
	& alias "pop.kitenet.net"
	& alias "mail.kitenet.net"
	& JoeySites.kiteMailServer
	-- Web.
	& JoeySites.kitenetHttps
	& JoeySites.legacyWebSites
	& File.ownerGroup "/srv/web" "joey" "joey"
	& Apt.installed ["analog"]
	-- Git hosting and downloads; 'hosts' is passed so those properties
	-- can look up other machines (e.g. for mirroring or known_hosts).
	& alias "git.kitenet.net"
	& alias "git.joeyh.name"
	& JoeySites.gitServer hosts
	& JoeySites.downloads hosts
	& JoeySites.gitAnnexDistributor
	& JoeySites.tmp
	-- bitlbee IRC gateway. AuthMode = Registered restricts it to
	-- accounts that have registered; the port is changed from the
	-- package default via /etc/default/bitlbee. Whether 6767 is
	-- reachable from outside is not determined here.
	& alias "bitlbee.kitenet.net"
	& Apt.serviceInstalledRunning "bitlbee"
	& "/etc/bitlbee/bitlbee.conf" `File.hasContent`
		[ "[settings]"
		, "User = bitlbee"
		, "AuthMode = Registered"
		, "[defaults]"
		]
		`onChange` Service.restarted "bitlbee"
	& "/etc/default/bitlbee" `File.containsLine` "BITLBEE_PORT=\"6767\""
		`onChange` Service.restarted "bitlbee"
	& Apt.installed
		[ "git-annex", "myrepos"
		, "build-essential", "make"
		, "rss2email", "archivemail"
		, "devscripts"
		-- Some users have zsh as their login shell.
		, "zsh"
		]
	& Docker.configured
	& Docker.garbageCollected `period` Daily
	& alias "nntp.olduse.net"
	& JoeySites.oldUseNetServer hosts
	-- DNS: kite is ns4, the DNSSEC-signed primary for these four zones
	-- (the 'True' selects 'Dns.signedPrimary'); see 'myDnsPrimary' for
	-- the record set. It is also a secondary for branchable.com and
	-- animx.eu.org, transferring from the hosts named in 'hosts'.
	& alias "ns4.kitenet.net"
	& myDnsPrimary True "kitenet.net" []
	& myDnsPrimary True "joeyh.name" []
	& myDnsPrimary True "ikiwiki.info" []
	& myDnsPrimary True "olduse.net"
		[ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk")
		]
	& alias "ns4.branchable.com"
	& branchableSecondary
	& Dns.secondaryFor ["animx"] hosts "animx.eu.org"
-- | Storage and backup server (alias eubackup.kitenet.net), DNS
-- secondary (ns3), and host for several service containers.
elephant :: Host
elephant = standardSystem "elephant.kitenet.net" Unstable "amd64"
	[ "Storage, big data, and backups, omnomnom!"
	, "(Encrypt all data stored here.)"
	]
	& ipv4 "193.234.225.114"
	-- Public ssh host keys; 'kite' and 'beaver' rely on these being
	-- correct when they pin eubackup.kitenet.net via 'hosts'.
	-- NOTE(review): the DSA key text is redacted/truncated in this copy
	-- of the file; verify the deployed value against the host.
	& Ssh.hostKeys hostContext
		[ (SshDsa, "ssh-dss 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")
		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEQ7aNmRYyLKY7xHILQsyV/w0B3++D98vn5IvjHkDnitrUWjB+vPxlS7LYKLzN9Jx7Hb14R2lg7+wdgtFMxLZZukA8b0tqFpTdRFBvBYGh8IM8Id1iE/6io/NZl+hTQEDp0LJP+RljH1CLfz7J3qtc+v6NbfTP5cOgH104mWYoLWzJGaZ4p53jz6THRWnVXy5nPO3dSBr2f/SQgRuJQWHNIh0jicRGD8H2kzOQzilpo+Y46PWtkufl3Yu3UsP5UMAyLRIXwZ6nNRZqRiVWrX44hoNfDbooTdFobbHlqMl+y6291bOXaOA6PACk8B4IVcC89/gmc9Oe4EaDuszU5kD")
		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=")
		, (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6VtXi0uygxZeCo26n6PuCTlSFCBcwRifv6N8HdWh2Z")
		]
	& Grub.chainPVGrub "hd0,0" "xen/xvda1" 30
	& Postfix.satellite
	& Apt.unattendedUpgrades
	& Systemd.installed
	& Systemd.persistentJournal
	-- joey's RSA key from privdata (this host's own context).
	& Ssh.keyImported SshRsa "joey" hostContext
	& Apt.serviceInstalledRunning "swapspace"
	-- Backup target: 'kite' pushes its obnam repository here, and
	-- 'beaver' pulls /home/joey/lib/backup from here.
	& alias "eubackup.kitenet.net"
	& Apt.installed ["obnam", "sshfs", "rsync"]
	& JoeySites.obnamRepos ["pell", "kite"]
	& JoeySites.githubBackup
	& JoeySites.rsyncNetBackup hosts
	& alias "podcatcher.kitenet.net"
	& JoeySites.podcatcher
	& alias "znc.kitenet.net"
	& JoeySites.ircBouncer
	& alias "kgb.kitenet.net"
	& JoeySites.kgbServer
	& alias "mumble.kitenet.net"
	& JoeySites.mumbleServer hosts
	-- Secondary for all zones kite is primary for; see 'myDnsSecondary'.
	& alias "ns3.kitenet.net"
	& myDnsSecondary
	& Docker.configured
	& Docker.docked oldusenetShellBox
	-- OpenID needs sane time for its signatures, hence the ntp requirement.
	& Docker.docked openidProvider
		`requires` Apt.serviceInstalledRunning "ntp"
	& Docker.docked ancientKitenet
	& Docker.docked jerryPlay
	& Docker.garbageCollected `period` (Weekly (Just 1))
	& JoeySites.scrollBox
	& alias "scroll.joeyh.name"
	& alias "eu.scroll.joeyh.name"
	-- For https port 443, shellinabox with ssh login to
	-- kitenet.net
	& alias "shell.kitenet.net"
	& Docker.docked kiteShellBox
	-- Nothing is using http port 80, so listen on
	-- that port for ssh, for traveling on bad networks that
	-- block 22.
	-- (This host is on 'standardSystem', so password auth is off once
	-- root's authorized_keys exists; the extra port is key-only.)
	& Ssh.listenPort 80
-- | Off-site copy of the backups held on 'elephant' (alias
-- usbackup.kitenet.net). Not built on 'standardSystem'.
beaver :: Host
beaver = host "beaver.kitenet.net"
	& ipv6 "2001:4830:1600:195::2"
	-- aiccu: IPv6 tunnel client for the address above.
	& Apt.serviceInstalledRunning "aiccu"
	& Apt.installed ["ssh"]
	-- Public host key, so other hosts can pin this machine.
	-- NOTE(review): the key text is redacted/truncated in this copy of
	-- the file; verify the deployed value against the host.
	& Ssh.pubKey SshDsa "ssh-dss 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"
	& alias "usbackup.kitenet.net"
	-- Pull the backup tree from eubackup (elephant, looked up in 'hosts').
	& JoeySites.backupsBackedupFrom hosts "eubackup.kitenet.net" "/home/joey/lib/backup"
	& Apt.serviceInstalledRunning "anacron"
	-- Weekly local snapshot of the root filesystem (-x: one filesystem),
	-- stored under the same backup tree so it is carried along.
	& Cron.niceJob "system disk backed up" Cron.Weekly "root" "/"
		"rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/"
-- | Internet Archive backup coordination server, co-administered by the
-- accounts in @admins@. Built from 'host' directly (not
-- 'standardSystem'), so its baseline is spelled out here.
iabak :: Host
iabak = host "iabak.archiveteam.org"
	& ipv4 "124.6.40.227"
	& Hostname.sane
	& os (System (Debian Testing) "amd64")
	& Systemd.persistentJournal
	& Cron.runPropellor (Cron.Times "30 * * * *")
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.installed ["git", "ssh"]
	-- Public ssh host keys (private halves presumably from privdata
	-- under this Context -- confirm in Propellor.Property.Ssh).
	-- NOTE(review): the DSA key text is redacted/truncated in this copy
	-- of the file; verify the deployed value against the host.
	& Ssh.hostKeys (Context "iabak.archiveteam.org")
		[ (SshDsa, "ssh-dss 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")
		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP13oPRLRY0V9ZDWojb8TgHbUdE30Nq3b541TwPmlLMbYPAhldxGHkuXGlX8g9/FYP/1AgkPcxs2Uc61ZV+1Ss7q7t52f4R0bO4WHqxfdXHd9FlLzMLWxMU3aMr693pGlhnUp3/xH6O6/+bNEIo3VGGgv9XDr2cAxypS9J7X9ibHZcZ3BGvoCR+nnFJ00ERG2tREKZBPDWKk76lhCiM21fG/CSmcApXaA45FHDaM9/2Clj1sXvoS72f0hEKpl1m08sUx+F0GPzQESnKqNFl+xXdYPPbfhdrgCnDmx9tL5NnXsJU2beFiuxpICOeB1HV6DJsdlO18WqwXYhOg/2A1H3")
		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHb0kXcrF5ThwS8wB0Hez404Zp9bz78ZxEGSqnwuF4d/N3+bymg7/HAj7l/SzRoEXKHsJ7P5320oMxBHeM16Y+k=")
		]
	& Apt.installed ["etckeeper", "sudo"]
	-- NOTE(review): "emax-nox" does not look like a Debian package name
	-- (perhaps "emacs-nox" was meant); an unknown package would make
	-- this whole Apt.installed fail.
	& Apt.installed ["vim", "screen", "tmux", "less", "emax-nox", "netcat"]
	& User.hasSomePassword "root"
	-- Each admin gets an account and sudo; passwords/keys for them are
	-- handled separately below and via privdata.
	& propertyList "admin accounts"
		(map User.accountFor admins ++ map Sudo.enabledFor admins)
	& User.hasSomePassword "joey"
	& GitHome.installedFor "joey"
	-- NOTE(review): the key text is redacted/truncated in this copy of
	-- the file; verify the deployed value.
	& Ssh.authorizedKey "db48x" "ssh-rsa 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 db48x@anglachel"
	-- Redundant: sudo is already installed above (harmless, idempotent).
	& Apt.installed ["sudo"]
	& IABak.gitServer
	& IABak.graphiteServer
  where
	admins = ["joey", "db48x"]
--' __|II| ,.
---- __|II|II|__ ( \_,/\
--'-------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/ __/ -'-.-'-.-'-.-'-.-'-.-'-
-------------------------- | [Docker] / --------------------------
-------------------------- : / ---------------------------
--------------------------- \____, o ,' ----------------------------
---------------------------- '--,___________,' -----------------------------
-- | Simple web server, publishing the outside host's /var/www.
-- Host port 80 is mapped into the container; the volume is the only
-- thing shared with the host.
webserver :: Docker.Container
webserver = standardStableContainer "webserver"
	& Docker.publish "80:80"
	& Docker.volume "/var/www:/var/www"
	& Apt.serviceInstalledRunning "apache2"
-- | My own openid provider. Uses php, so containerized for security
-- and administrative sanity. Listens on host port 8081; the provider
-- is told its externally visible host:port so issued identities match.
openidProvider :: Docker.Container
openidProvider = standardStableContainer "openid-provider"
	& alias "openid.kitenet.net"
	& Docker.publish "8081:80"
	& OpenId.providerFor ["joey", "liw"]
		"openid.kitenet.net:8081"
-- | Exhibit: kite's 90's website, served from a git checkout of the
-- old-kitenet.net branch. The clone uses the git:// transport, which
-- has no transport authentication, so the served content is only as
-- trustworthy as the path to branchable.com.
ancientKitenet :: Docker.Container
ancientKitenet = standardStableContainer "ancient-kitenet"
	& alias "ancient.kitenet.net"
	& Docker.publish "1994:80"
	& Apt.serviceInstalledRunning "apache2"
	& Git.cloned "root" "git://kitenet-net.branchable.com/" "/var/www"
		(Just "remotes/origin/old-kitenet.net")
-- | Browser-accessible shell for olduse.net on host port 4200.
-- Docked on both 'clam' and 'elephant'.
oldusenetShellBox :: Docker.Container
oldusenetShellBox = standardStableContainer "oldusenet-shellbox"
	& alias "shell.olduse.net"
	& Docker.publish "4200:4200"
	& JoeySites.oldUseNetShellBox
-- | For development of git-annex for android, using my git-annex work
-- tree, which is bind-mounted from the host into the builder's home.
-- Currently reverted on 'darkstar' (see the '!' there).
gitAnnexAndroidDev :: Docker.Container
gitAnnexAndroidDev = GitAnnexBuilder.androidContainer dockerImage "android-git-annex" doNothing gitannexdir
	& Docker.volume ("/home/joey/src/git-annex:" ++ gitannexdir)
  where
	gitannexdir = GitAnnexBuilder.homedir </> "git-annex"
-- | Sandbox container for a guest user, reachable over ssh on host
-- port 2202 and http on 8001.
--
-- NOTE(review): this combines a root password ('User.hasSomePassword'),
-- root login permitted, and a published ssh port. The container
-- baseline ('standardContainer') does not disable password
-- authentication, so root password logins are possible from wherever
-- port 2202 is reachable. If that is intended only for the guest,
-- consider a dedicated account or key-only access.
jerryPlay :: Docker.Container
jerryPlay = standardContainer "jerryplay" Unstable "amd64"
	& alias "jerryplay.kitenet.net"
	& Docker.publish "2202:22"
	& Docker.publish "8001:80"
	& Apt.installed ["ssh"]
	& User.hasSomePassword "root"
	& Ssh.permitRootLogin True
-- | shellinabox front end on https port 443 that logs in to kitenet.net
-- over ssh; docked on 'elephant' as shell.kitenet.net.
kiteShellBox :: Docker.Container
kiteShellBox = standardStableContainer "kiteshellbox"
	& JoeySites.kiteShellBox
	& Docker.publish "443:443"
-- | Lines written to /etc/motd by 'standardSystemUnhardened'.
type Motd = [String]
-- | This is my standard system setup.
--
-- 'standardSystemUnhardened' plus one hardening step: ssh password
-- authentication is switched off, but only after root's
-- authorized_keys exists, so a freshly provisioned host is never left
-- with no way to log in. Hosts that need password logins (e.g. 'kite')
-- use the unhardened variant directly.
standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host
standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd
	-- Harden the system, but only once root's authorized_keys
	-- is safely in place.
	& check (Ssh.hasAuthorizedKeys "root")
		(Ssh.passwordAuthentication False)
-- | Common baseline for my hosts, without the ssh hardening applied by
-- 'standardSystem': OS/hostname, motd, apt housekeeping, root and joey
-- accounts, a few tools, hourly propellor runs, and no exim.
standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host
standardSystemUnhardened hn suite arch motd = host hn
	& os (System (Debian suite) arch)
	& Hostname.sane
	& Hostname.searchDomain
	-- Blank line above and below the motd text.
	& File.hasContent "/etc/motd" ("":motd++[""])
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.cacheCleaned
	& Apt.installed ["etckeeper"]
	& Apt.installed ["ssh"]
	& GitHome.installedFor "root"
	-- Passwords come from privdata; "some" password means an existing
	-- one is acceptable.
	& User.hasSomePassword "root"
	& User.accountFor "joey"
	& User.hasSomePassword "joey"
	& Sudo.enabledFor "joey"
	& GitHome.installedFor "joey"
	& Apt.installed ["vim", "screen", "less"]
	-- Propellor re-runs itself at :30 every hour.
	& Cron.runPropellor (Cron.Times "30 * * * *")
	-- I use postfix, or no MTA.
	& Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"]
		`onChange` Apt.autoRemove
-- | 'standardContainer' pinned to Debian stable (wheezy) on amd64,
-- which is what most of the service containers in this file use.
standardStableContainer :: Docker.ContainerName -> Docker.Container
standardStableContainer name = standardContainer name wheezy "amd64"
  where
	wheezy = Stable "wheezy"
-- | This is my standard container setup, featuring automatic upgrades.
-- The base image is chosen by 'dockerImage' from the same suite and
-- architecture that 'os' records for the container.
standardContainer :: Docker.ContainerName -> DebianSuite -> Architecture -> Docker.Container
standardContainer name suite arch = Docker.container name (dockerImage system)
	& os system
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.unattendedUpgrades
	& Apt.cacheCleaned
	& Docker.tweaked
  where
	system = System (Debian suite) arch
-- | Docker images I prefer to use, keyed on the container's OS.
--
-- Testing shares the unstable image (there is no separate testing
-- image). Anything that is not Debian falls through to a fallback name
-- that, per the original note, does not currently exist.
dockerImage :: System -> Docker.Image
dockerImage sys = case sys of
	System (Debian Unstable) arch -> unstableImage arch
	System (Debian Testing) arch -> unstableImage arch
	System (Debian (Stable _)) arch -> "joeyh/debian-stable-" ++ arch
	_ -> "debian-stable-official" -- does not currently exist!
  where
	unstableImage arch = "joeyh/debian-unstable-" ++ arch
-- | Secondary DNS for every zone 'kite' is primary for (see the
-- 'myDnsPrimary' uses there). The primary's address comes from 'hosts'.
-- Applied on 'elephant' (ns3).
myDnsSecondary :: Property HasInfo
myDnsSecondary = propertyList "dns secondary for all my domains" $ props
	& Dns.secondary hosts "kitenet.net"
	& Dns.secondary hosts "joeyh.name"
	& Dns.secondary hosts "ikiwiki.info"
	& Dns.secondary hosts "olduse.net"
-- | Secondary DNS for branchable.com, transferring from the host of
-- that name in 'hosts' (one of the 'monsters'). Applied on 'kite'.
branchableSecondary :: RevertableProperty
branchableSecondary = Dns.secondaryFor [branchable] hosts branchable
  where
	branchable = "branchable.com"
-- | Primary DNS zone for one of my domains.
--
-- Currently using kite (ns4) as primary with secondaries
-- elephant (ns3) and gandi. kite handles all mail.
--
-- When @dnssec@ is set the zone is signed ('Dns.signedPrimary') with a
-- weekly re-signing schedule; otherwise it is a plain 'Dns.primary'.
-- The base record set (NS, MX, SPF and the DKIM key from 'JoeySites')
-- is the same for every zone; @extras@ are appended after it.
-- The second argument to 'Dns.mkSOA' (100) looks like the SOA serial
-- base -- confirm in Propellor.Property.Dns.
myDnsPrimary :: Bool -> Domain -> [(BindDomain, Record)] -> RevertableProperty
myDnsPrimary dnssec domain extras = primary hosts domain soa (baseRecords ++ extras)
  where
	primary
		| dnssec = Dns.signedPrimary (Weekly Nothing)
		| otherwise = Dns.primary
	soa = Dns.mkSOA "ns4.kitenet.net" 100
	baseRecords =
		[ (RootDomain, NS $ AbsDomain "ns4.kitenet.net")
		, (RootDomain, NS $ AbsDomain "ns3.kitenet.net")
		, (RootDomain, NS $ AbsDomain "ns6.gandi.net")
		, (RootDomain, MX 0 $ AbsDomain "kitenet.net")
		-- ~all: SPF softfail for senders other than the zone's A
		-- records and kitenet.net.
		, (RootDomain, TXT "v=spf1 a a:kitenet.net ~all")
		, JoeySites.domainKey
		]
-- | Systems I don't manage with propellor, but do want to track their
-- public keys etc. Listing them here lets managed hosts pin their ssh
-- host keys (via 'Ssh.knownHost') and resolve their addresses for DNS
-- secondaries. Nothing is ever deployed to these hosts.
--
-- NOTE(review): pinned third-party host keys go stale when the
-- provider rotates them; check these against the providers' published
-- fingerprints when a connection starts failing host-key verification.
monsters :: [Host]
monsters =
	[ host "usw-s002.rsync.net"
		& Ssh.pubKey SshDsa "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ=="
	, host "github.com"
		& Ssh.pubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
	-- Third NS for my zones (see 'myDnsPrimary').
	, host "ns6.gandi.net"
		& ipv4 "217.70.177.40"
	, host "turtle.kitenet.net"
		& ipv4 "67.223.19.96"
		& ipv6 "2001:4978:f:2d9::2"
	, host "mouse.kitenet.net"
		& ipv6 "2001:4830:1600:492::2"
	-- Web host for most of the sites; also the primary that
	-- 'branchableSecondary' transfers from.
	, host "branchable.com"
		& ipv4 "66.228.46.55"
		& ipv6 "2600:3c03::f03c:91ff:fedf:c0e5"
		& alias "olduse.net"
		& alias "www.olduse.net"
		& alias "www.kitenet.net"
		& alias "joeyh.name"
		& alias "campaign.joeyh.name"
		& alias "ikiwiki.info"
		& alias "git.ikiwiki.info"
		& alias "l10n.ikiwiki.info"
		& alias "dist-bugs.kitenet.net"
		& alias "family.kitenet.net"
	-- Primary for animx.eu.org; 'kite' is its secondary.
	, host "animx"
		& ipv4 "76.7.162.101"
		& ipv4 "76.7.162.186"
	]
-- o
-- ___ o o
{-----\ / o \ ___o o
{ \ __ \ / _ (X___>-- __o
_____________________{ ______\___ \__/ | \__/ \____ |X__>
< \___//|\\___/\ \____________ _
\ ___/ | \___ # # \ (-)
\ O O O # | \ # >=)
\______________________________# # / #__________________/ (-}