-- | Specific configuation for Joey Hess's sites. Probably not useful to
-- others except as an example.
module Propellor.Property.SiteSpecific.JoeySites where
import Propellor
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Git as Git
import qualified Propellor.Property.Cron as Cron
import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.User as User
import qualified Propellor.Property.Obnam as Obnam
import qualified Propellor.Property.Apache as Apache
import qualified Propellor.Property.Postfix as Postfix
import Utility.SafeCommand
import Utility.FileMode
import Utility.Path
import Data.List
import System.Posix.Files
-- | The olduse.net NNTP server: builds and installs the oldusenet-server
-- package, keeps the spool backed up to rsync.net, serves the archive
-- read-only to anyone over leafnode (from inetd), and exposes the data
-- directory over plain http.
--
-- NOTE(review): the spool symlink property below runs before leafnode is
-- installed, and its check calls 'getSymbolicLinkStatus' on
-- @/var/spool/news@, which throws if that path does not exist yet
-- (presumably the case on a fresh host) — TODO confirm the intended
-- first-run ordering.
oldUseNetServer :: [Host] -> Property
oldUseNetServer hosts = propertyList ("olduse.net server")
	[ oldUseNetInstalled "oldusenet-server"
	, Obnam.latestVersion
	-- NOTE(review): no --encrypt-with here, unlike gitServer's backup, so
	-- the spool is stored in the clear on the third-party host.
	, Obnam.backup datadir "33 4 * * *"
		[ "--repository=sftp://2318@usw-s002.rsync.net/~/olduse.net"
		, "--client-name=spool"
		] Obnam.OnlyClient
		`requires` Ssh.keyImported SshRsa "root" (Context "olduse.net")
		`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
	-- Replace leafnode's spool directory with a symlink into datadir;
	-- only done while /var/spool/news is not already a symlink.
	, check (not . isSymbolicLink <$> getSymbolicLinkStatus newsspool) $
		property "olduse.net spool in place" $ makeChange $ do
			removeDirectoryRecursive newsspool
			createSymbolicLink (datadir </> "news") newsspool
	, Apt.installed ["leafnode"]
	, "/etc/news/leafnode/config" `File.hasContent`
		[ "# olduse.net configuration (deployed by propellor)"
		, "expire = 1000000" -- no expiry via texpire
		, "server = " -- no upstream server
		, "debugmode = 1"
		-- Anonymous read access is the point of this server; posting is
		-- disabled on the next line and hosts.deny is kept open below.
		, "allowSTRANGERS = 42" -- lets anyone connect
		, "nopost = 1" -- no new posting (just gather them)
		]
	, "/etc/hosts.deny" `File.lacksLine` "leafnode: ALL"
	, Apt.serviceInstalledRunning "openbsd-inetd"
	-- Drop the package's cron jobs (presumably so leafnode's own expiry
	-- never touches the archive) in favour of the age-based cleanup below.
	, File.notPresent "/etc/cron.daily/leafnode"
	, File.notPresent "/etc/cron.d/leafnode"
	-- Files whose ctime is older than 60 days are removed, except the
	-- listed control files and overview databases; then empty
	-- directories are pruned.
	, Cron.niceJob "oldusenet-expire" "11 1 * * *" "news" newsspool $ intercalate ";"
		[ "find \\( -path ./out.going -or -path ./interesting.groups -or -path './*/.overview' \\) -prune -or -type f -ctime +60 -print | xargs --no-run-if-empty rm"
		, "find -type d -empty | xargs --no-run-if-empty rmdir"
		]
	, Cron.niceJob "oldusenet-uucp" "*/5 * * * *" "news" "/" $
		"/usr/bin/uucp " ++ datadir
	-- Indexes + FollowSymlinks: the whole data directory is browsable.
	, toProp $ Apache.siteEnabled "nntp.olduse.net" $ apachecfg "nntp.olduse.net" False
		[ " DocumentRoot " ++ datadir ++ "/"
		, " <Directory " ++ datadir ++ "/>"
		, " Options Indexes FollowSymlinks"
		, " AllowOverride None"
		-- I had this in the file before.
		-- This may be needed by a newer version of apache?
		--, " Require all granted"
		, " </Directory>"
		]
	]
  where
	newsspool = "/var/spool/news"
	datadir = "/var/spool/oldusenet"
-- | The interactive olduse.net box: installs the oldusenet client
-- package, built from source the same way 'oldUseNetServer' builds
-- its server package.
oldUseNetShellBox :: Property
oldUseNetShellBox = oldUseNetInstalled pkg
  where
	pkg = "oldusenet"
-- | Builds the given olduse.net Debian package from source and installs
-- it, unless it is already installed.
--
-- Supply-chain note: the source is cloned over git://, which is
-- unauthenticated, and dpkg-buildpackage then runs in /root/tmp, i.e.
-- as root; a tampered clone (or a spoofed olduse.net) would run code as
-- root here. "dpkg -i ... || true" hides an install failure and relies
-- on the following "apt-get -fy install" to pull in missing
-- dependencies.
oldUseNetInstalled :: Apt.Package -> Property
oldUseNetInstalled pkg = check (not <$> Apt.isInstalled pkg) $
	propertyList ("olduse.net " ++ pkg)
		[ Apt.installed (words "build-essential devscripts debhelper git libncursesw5-dev libpcre3-dev pkg-config bison libicu-dev libidn11-dev libcanlock2-dev libuu-dev ghc libghc-strptime-dev libghc-hamlet-dev libghc-ifelse-dev libghc-hxt-dev libghc-utf8-string-dev libghc-missingh-dev libghc-sha-dev")
			`describe` "olduse.net build deps"
		, scriptProperty
			[ "rm -rf /root/tmp/oldusenet" -- idempotency
			, "git clone git://olduse.net/ /root/tmp/oldusenet/source"
			, "cd /root/tmp/oldusenet/source/"
			, "dpkg-buildpackage -us -uc"
			, "dpkg -i ../" ++ pkg ++ "_*.deb || true"
			, "apt-get -fy install" -- dependencies
			, "rm -rf /root/tmp/oldusenet"
			-- screen fails unless the directory has this mode.
			-- not sure what's going on.
			-- NOTE(review): 777 makes /var/run/screen writable by every
			-- user on the box; worth checking what mode the screen
			-- package itself sets (a sticky 1777 or a group-writable
			-- dir would be narrower) before leaving it this open.
			, "chmod 777 /var/run/screen"
			] `describe` "olduse.net built"
		]
-- | The kgb.kitenet.net IRC commit-notification bot.
--
-- Only Debian unstable is supported (kgb-bot 1.31+ is needed); on any
-- other OS the property calls 'error', which throws rather than
-- returning a failed result — TODO confirm whether propellor catches
-- that or the whole run aborts.
kgbServer :: Property
kgbServer = propertyList desc
	[ withOS desc $ \o -> case o of
		(Just (System (Debian Unstable) _)) ->
			ensureProperty $ propertyList desc
				[ Apt.serviceInstalledRunning "kgb-bot"
				, "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1"
					`describe` "kgb bot enabled"
					`onChange` Service.running "kgb-bot"
				]
		_ -> error "kgb server needs Debian unstable (for kgb-bot 1.31+)"
	-- kgb.conf is private content (presumably it carries the bot's
	-- credentials); the bot is restarted whenever it changes.
	, File.hasPrivContent "/etc/kgb-bot/kgb.conf" anyContext
		`onChange` Service.restarted "kgb-bot"
	]
  where
	desc = "kgb.kitenet.net setup"
-- | The mumble.debian.net voice server, with a nightly obnam backup of
-- its state pushed over sftp to turtle.kitenet.net.
mumbleServer :: [Host] -> Property
mumbleServer hosts = combineProperties hn
	[ Apt.serviceInstalledRunning "mumble-server"
	, Obnam.latestVersion
	-- NOTE(review): unlike gitServer's backup there is no --encrypt-with,
	-- so the backup is stored unencrypted on the destination host.
	, Obnam.backup "/var/lib/mumble-server" "55 5 * * *"
		[ "--repository=sftp://joey@turtle.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam"
		, "--client-name=mumble"
		] Obnam.OnlyClient
		`requires` Ssh.keyImported SshRsa "root" (Context hn)
		`requires` Ssh.knownHost hosts "turtle.kitenet.net" "root"
	-- Re-asserts ownership of the state directory on every run (marked
	-- 'trivial', so presumably not reported as a change); likely there
	-- to undo root-owned files left by the backup — TODO confirm.
	, trivial $ cmdProperty "chown" ["-R", "mumble-server:mumble-server", "/var/lib/mumble-server"]
	]
  where
	hn = "mumble.debian.net"
-- | Tunes obnam for hosts with little memory by adding the suggested
-- queue and cache sizes to /etc/obnam.conf.
obnamLowMem :: Property
obnamLowMem = combineProperties "obnam tuned for low memory use"
	[ Obnam.latestVersion
	, File.containsLines "/etc/obnam.conf" tuning
	]
  where
	-- Smaller queues trade some speed for a lower memory ceiling.
	tuning =
		[ "[config]"
		, "# Suggested by liw to keep Obnam memory consumption down (at some speed cost)."
		, "upload-queue-size = 128"
		, "lru-size = 128"
		]
-- git.kitenet.net and git.joeyh.name
-- | The public git hosting box: an encrypted obnam backup of /srv/git to
-- rsync.net, the git daemon, gitweb over CGI, kgb-client commit
-- notifications, and a shared "family" ssh account.
gitServer :: [Host] -> Property
gitServer hosts = propertyList "git.kitenet.net setup"
	[ Obnam.latestVersion
	-- This backup is encrypted to gpg key 1B169BE1 (imported for root
	-- below); it is the only Obnam backup in this module that is.
	, Obnam.backup "/srv/git" "33 3 * * *"
		[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
		, "--encrypt-with=1B169BE1"
		, "--client-name=wren" -- historical
		] Obnam.OnlyClient
		`requires` Gpg.keyImported "1B169BE1" "root"
		`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
		`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
		-- "family" is a shared account; everyone holding one of the
		-- (private) authorized keys shares whatever access it has.
		`requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
		`requires` User.accountFor "family"
	, Apt.installed ["git", "rsync", "gitweb"]
	-- backport avoids channel flooding on branch merge
	, Apt.installedBackport ["kgb-client"]
	-- backport supports ssh event notification
	, Apt.installedBackport ["git-annex"]
	-- Private content, but left readable ("Exposed"), presumably because
	-- the commit hooks that run kgb-client need to read it.
	, File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext
	, toProp $ Git.daemonRunning "/srv/git"
	, "/etc/gitweb.conf" `File.containsLines`
		[ "$projectroot = '/srv/git';"
		, "@git_base_url_list = ('git://git.kitenet.net', 'http://git.kitenet.net/git', 'https://git.kitenet.net/git', 'ssh://git.kitenet.net/srv/git');"
		, "# disable snapshot download; overloads server"
		, "$feature{'snapshot'}{'default'} = [];"
		]
		`describe` "gitweb configured"
	-- Repos push on to github.
	, Ssh.knownHost hosts "github.com" "joey"
	-- I keep the website used for gitweb checked into git..
	, Git.cloned "root" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing
	, website "git.kitenet.net"
	, website "git.joeyh.name"
	, toProp $ Apache.modEnabled "cgi"
	]
  where
	-- Both names serve the same checkout over http and https.
	-- ExecCGI together with "AddHandler cgi-script .cgi" means any .cgi
	-- committed to git.kitenet.net.git runs as the web server user, so
	-- push access to that repository is effectively code execution on
	-- this host.
	website hn = toProp $ Apache.siteEnabled hn $ apachecfg hn True
		[ " DocumentRoot /srv/web/git.kitenet.net/"
		, " <Directory /srv/web/git.kitenet.net/>"
		, " Options Indexes ExecCGI FollowSymlinks"
		, " AllowOverride None"
		, " AddHandler cgi-script .cgi"
		, " DirectoryIndex index.cgi"
		, " </Directory>"
		, ""
		-- gitweb itself lives in the system cgi-bin.
		, " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/"
		, " <Directory /usr/lib/cgi-bin>"
		, " SetHandler cgi-script"
		, " Options ExecCGI"
		, " </Directory>"
		]
-- | A git-annex repository UUID, as written to @annex.uuid@ by
-- 'annexWebSite'.
type AnnexUUID = String
-- | A website, with files coming from a git-annex repository.
--
-- Clones @origin@ into @/srv/web/hn@ as joey, sets the clone's
-- annex.uuid and extra remotes, fetches the annexed content, keeps
-- @git update-server-info@ running from the post-update hook, and
-- serves the directory over http and https.
annexWebSite :: Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property
annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-annex")
	[ Git.cloned "joey" origin dir Nothing
		`onChange` setup
	, postupdatehook `File.hasContent`
		[ "#!/bin/sh"
		, "exec git update-server-info"
		] `onChange`
			-- owner-writable, readable and executable by all: the hook
			-- has to be executable to run.
			(postupdatehook `File.mode` (combineModes (ownerWriteMode:readModes ++ executeModes)))
	, setupapache
	]
  where
	dir = "/srv/web/" ++ hn
	postupdatehook = dir </> ".git/hooks/post-update"
	-- Runs as joey whenever the clone property reports a change.
	setup = userScriptProperty "joey" setupscript
	setupscript =
		[ "cd " ++ shellEscape dir
		, "git config annex.uuid " ++ shellEscape uuid
		] ++ map addremote remotes ++
		[ "git annex get"
		]
	-- Names and urls are shell-escaped, so odd characters in the config
	-- cannot break out of the generated script.
	addremote (name, url) = "git remote add " ++ shellEscape name ++ " " ++ shellEscape url
	-- NOTE(review): the same <Directory> block appears twice; the second
	-- one, with Indexes and ExecCGI, is presumably the one in effect.
	-- ExecCGI plus "AddHandler cgi-script .cgi" means any .cgi that
	-- lands in the annex checkout runs as the web server user.
	setupapache = toProp $ Apache.siteEnabled hn $ apachecfg hn True $
		[ " ServerAlias www."++hn
		, ""
		, " DocumentRoot /srv/web/"++hn
		, " <Directory /srv/web/"++hn++">"
		, " Options FollowSymLinks"
		, " AllowOverride None"
		, " </Directory>"
		, " <Directory /srv/web/"++hn++">"
		, " Options Indexes FollowSymLinks ExecCGI"
		, " AllowOverride None"
		, " AddHandler cgi-script .cgi"
		, " DirectoryIndex index.html index.cgi"
		-- Apache 2.2 access syntax; see the commented "Require all
		-- granted" in oldUseNetServer for the 2.4 equivalent.
		, " Order allow,deny"
		, " allow from all"
		, " </Directory>"
		]
-- | Wraps an Apache site body in the standard virtual host boilerplate:
-- a plain http vhost on port 80 and, when @withssl@ is set, an https
-- vhost on 443 carrying the directives from 'mainhttpscert'.
--
-- "ServerSignature On" makes Apache append its version to error pages;
-- a small information leak that is easy to switch off if unwanted.
apachecfg :: HostName -> Bool -> Apache.ConfigFile -> Apache.ConfigFile
apachecfg hn withssl middle = concatMap vhost variants
  where
	-- The http vhost is always emitted; https only on request.
	variants
		| withssl = [False, True]
		| otherwise = [False]
	vhost ssl = concat
		[ [ "<VirtualHost *:"++show port++">"
		  , " ServerAdmin grue@joeyh.name"
		  , " ServerName "++hn++":"++show port
		  ]
		, mainhttpscert ssl
		, middle
		, [ ""
		  , " ErrorLog /var/log/apache2/error.log"
		  , " LogLevel warn"
		  , " CustomLog /var/log/apache2/access.log combined"
		  , " ServerSignature On"
		  , " "
		  , " <Directory \"/usr/share/apache2/icons\">"
		  , " Options Indexes MultiViews"
		  , " AllowOverride None"
		  , " Order allow,deny"
		  , " Allow from all"
		  , " </Directory>"
		  , "</VirtualHost>"
		  ]
		]
	  where
		port :: Int
		port = if ssl then 443 else 80
-- | TLS directives for the https vhost; empty when ssl is off.
--
-- Certificate and chain live under /etc/ssl/certs, the private key
-- under /etc/ssl/private. No SSLProtocol or SSLCipherSuite is set here,
-- so protocol and cipher choice fall back to Apache's defaults.
mainhttpscert :: Bool -> Apache.ConfigFile
mainhttpscert ssl
	| ssl = sslDirectives
	| otherwise = []
  where
	sslDirectives =
		[ " SSLEngine on"
		, " SSLCertificateFile /etc/ssl/certs/web.pem"
		, " SSLCertificateKeyFile /etc/ssl/private/web.pem"
		, " SSLCertificateChainFile /etc/ssl/certs/startssl.pem"
		]
-- | The rsync server that git-annex autobuilders upload to, plus the
-- distribution signing key for joey.
gitAnnexDistributor :: Property
gitAnnexDistributor = combineProperties "git-annex distributor, including rsync server and signer"
	[ Apt.installed ["rsync"]
	, File.hasPrivContent "/etc/rsyncd.conf" (Context "git-annex distributor")
		`onChange` Service.restarted "rsync"
	-- rsyncd.secrets holds module passwords. It uses hasPrivContent (not
	-- the Exposed variant), which presumably keeps it unreadable by
	-- others — rsyncd refuses a secrets file that is not, under its
	-- default strict modes.
	, File.hasPrivContent "/etc/rsyncd.secrets" (Context "git-annex distributor")
		`onChange` Service.restarted "rsync"
	, "/etc/default/rsync" `File.containsLine` "RSYNC_ENABLE=true"
		`onChange` Service.running "rsync"
	, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild"
	, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild/x86_64-apple-mavericks"
	-- git-annex distribution signing key
	, Gpg.keyImported "89C809CB" "joey"
	]
  where
	-- An upload target directory, owned by joey.
	endpoint d = combineProperties ("endpoint " ++ d)
		[ File.dirExists d
		, File.ownerGroup d "joey" "joey"
		]
-- Twitter, you kill us.
-- | Builds the twitRss scraper from git (as joey) and runs it hourly to
-- turn two Twitter searches into RSS feeds under
-- /srv/web/tmp.kitenet.net.
twitRss :: Property
twitRss = combineProperties "twitter rss"
	-- git:// is unauthenticated; the clone is built and run as joey
	-- rather than root, which bounds what a tampered clone could do.
	[ Git.cloned "joey" "git://git.kitenet.net/twitrss.git" dir Nothing
	-- Only builds while the binary is missing, so a later change to the
	-- clone does not trigger a rebuild.
	, check (not <$> doesFileExist (dir </> "twitRss")) $
		userScriptProperty "joey"
			[ "cd " ++ dir
			, "ghc --make twitRss"
			]
			`requires` Apt.installed
				[ "libghc-xml-dev"
				, "libghc-feed-dev"
				, "libghc-tagsoup-dev"
				]
	, feed "http://twitter.com/search/realtime?q=git-annex" "git-annex-twitter"
	, feed "http://twitter.com/search/realtime?q=olduse+OR+git-annex+OR+debhelper+OR+etckeeper+OR+ikiwiki+-ashley_ikiwiki" "twittergrep"
	]
  where
	dir = "/srv/web/tmp.kitenet.net/twitrss"
	crontime = "15 * * * *"
	-- Writes the feed one directory above the checkout; url and output
	-- path are shell-escaped.
	feed url desc = Cron.job desc crontime "joey" dir $
		"./twitRss " ++ shellEscape url ++ " > " ++ shellEscape ("../" ++ desc ++ ".rss")
-- | A znc IRC bouncer, running as its own "znc" user from a private
-- config file.
ircBouncer :: Property
ircBouncer = propertyList "IRC bouncer"
	[ Apt.installed ["znc"]
	, User.accountFor "znc"
	, File.dirExists (parentDir conf)
	-- znc.conf is private content (presumably it carries IRC
	-- credentials) and is handed over to the znc user.
	, File.hasPrivContent conf anyContext
	, File.ownerGroup conf "znc" "znc"
	, Cron.job "znconboot" "@reboot" "znc" "~" "znc"
	-- ensure running if it was not already
	-- ("|| true" keeps the property from failing when znc is already
	-- running and exits non-zero — presumably, TODO confirm)
	, trivial $ userScriptProperty "znc" ["znc || true"]
		`describe` "znc running"
	]
  where
	conf = "/home/znc/.znc/configs/znc.conf"
-- | shellinabox on kitenet.net: a browser terminal listening on 443
-- that forwards to ssh on kitenet.net.
--
-- NOTE(review): no --cert or --disable-ssl option is passed, so TLS
-- on port 443 is whatever the package default provides — confirm it is
-- a proper certificate rather than a self-signed one, since ssh
-- passwords travel over this listener.
kiteShellBox :: Property
kiteShellBox = propertyList "kitenet.net shellinabox"
	[ Apt.installed ["shellinabox"]
	, File.hasContent "/etc/default/shellinabox"
		[ "# Deployed by propellor"
		, "SHELLINABOX_DAEMON_START=1"
		, "SHELLINABOX_PORT=443"
		, "SHELLINABOX_ARGS=\"--no-beep --service=/:SSH:kitenet.net\""
		]
		`onChange` Service.restarted "shellinabox"
	, Service.running "shellinabox"
	]
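-- | A box that mirrors joeyh's github repositories nightly with
-- github-backup.
--
-- The cron command is a list of steps joined with "&&", so a failed
-- mkdir or cd stops the run instead of running github-backup in the
-- wrong directory. (Joining with a single "&" backgrounded each step,
-- which put the "cd" in a subshell and left the backup running in
-- /home/joey/lib/backup itself.)
githubBackup :: Property
githubBackup = propertyList "github-backup box"
	[ Apt.installed ["github-backup", "moreutils"]
	-- API credentials: private content, handed to joey.
	, let f = "/home/joey/.github-keys"
		in File.hasPrivContent f anyContext
			`onChange` File.ownerGroup f "joey" "joey"
	-- NOTE(review): .github-keys is executed, not sourced; if it only
	-- exports credentials they will not reach github-backup — confirm
	-- whether ". $HOME/.github-keys" is what is meant.
	, Cron.niceJob "github-backup run" "30 4 * * *" "joey"
		"/home/joey/lib/backup" $ intercalate "&&"
		[ "mkdir -p github"
		, "cd github"
		, "$HOME/.github-keys && github-backup joeyh"
		]
	]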
-- | Pulls a daily copy of the rsync.net account down into joey's backup
-- directory. The server's host key comes from the hosts list via
-- 'Ssh.knownHost' rather than being trusted on first use.
rsyncNetBackup :: [Host] -> Property
rsyncNetBackup hosts = job `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "joey"
  where
	job = Cron.niceJob "rsync.net copied in daily" "30 5 * * *" "joey" backupdir cmd
	backupdir = "/home/joey/lib/backup"
	-- --delete mirrors the remote exactly; anything removed there is
	-- removed from the local copy too.
	cmd = "mkdir -p rsync.net && rsync --delete -az 2318@usw-s002.rsync.net: rsync.net"
-- | Weekly rsync of joey's backup directory to @destdir@ on @desthost@,
-- with the destination's host key pinned from the hosts list.
--
-- @desthost@ and @destdir@ are spliced into the cron command unquoted,
-- so they should only ever come from this module's own configuration.
backupsBackedupTo :: [Host] -> HostName -> FilePath -> Property
backupsBackedupTo hosts desthost destdir =
	Cron.niceJob ("backups copied to " ++ desthost ++ " weekly") "1 1 * * 3" "joey" "/" rsynccmd
		`requires` Ssh.knownHost hosts desthost "joey"
  where
	rsynccmd = unwords
		[ "rsync", "-az", "--delete", "/home/joey/lib/backup"
		, desthost ++ ":" ++ destdir
		]
-- | Creates joey-owned obnam repository directories under
-- /home/joey/lib/backup, one per name in @rs@, plus the parent
-- directories.
obnamRepos :: [String] -> Property
obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) $
	base : [ joeyDir (backupdir ++ "/" ++ r ++ ".obnam") | r <- rs ]
  where
	backupdir = "/home/joey/lib/backup"
	base = joeyDir backupdir `requires` joeyDir "/home/joey/lib"
	-- Directory exists, then ownership is fixed to joey.
	joeyDir d = File.dirExists d
		`before` File.ownerGroup d "joey" "joey"
-- | Hourly podcast fetch: feeds listed in the @feeds@ file are imported
-- with git-annex, then all repositories are updated with mr.
podcatcher :: Property
podcatcher = Cron.niceJob "podcatcher run hourly" "55 * * * *" "joey" podcastdir importcmd
	`requires` Apt.installed ["git-annex", "myrepos"]
  where
	podcastdir = "/home/joey/lib/sound/podcasts"
	importcmd = "xargs git-annex importfeed -c annex.genmetadata=true < feeds; mr --quiet update"
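-- | The kitenet.net mail server: postfix with postgrey greylisting,
-- spamassassin via spamass-milter, maildrop delivery, TLS rooted in
-- the joeyca CA (server and client side), and dovecot imap/pop3.
--
-- Fix: the milter package is "spamass-milter" (the main.cf block below
-- is labelled "Enable spamass-milter"); "spamass-miter" is not a
-- package, so the property could never be satisfied.
kiteMailServer :: Property
kiteMailServer = propertyList "kitenet.net mail server"
	[ Postfix.installed
	, Apt.installed ["postfix-pcre"]
	, Apt.serviceInstalledRunning "postgrey"
	, Apt.serviceInstalledRunning "spamassassin"
	, "/etc/default/spamassassin" `File.containsLines`
		[ "ENABLED=1"
		, "OPTIONS=\"--create-prefs --max-children 5 --helper-home-dir\""
		, "CRON=1"
		, "NICE=\"--nicelevel 15\""
		] `onChange` Service.restarted "spamassassin"
		`describe` "spamd enabled"
	-- Debian package name; main.cf's smtpd_milters below points at its
	-- socket.
	, Apt.serviceInstalledRunning "spamass-milter"
	, Apt.installed ["maildrop"]
	-- NOTE(review): "newaliases" is passed to newaliases as an argument;
	-- probably meant cmdProperty "newaliases" [] — confirm it is ignored.
	, "/etc/aliases" `File.hasPrivContentExposed` ctx
		`onChange` cmdProperty "newaliases" ["newaliases"]
	, hasJoeyCAChain
	-- The certificate is left readable; the key stays private.
	, "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
	, "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
	-- Regexp table of domains treated as local (see mydestination).
	, "/etc/postfix/mydomain" `File.containsLines`
		[ "/.*\\.kitenet\\.net/\tOK"
		, "/mooix\\.net/\tOK"
		, "/ikiwiki\\.info/\tOK"
		, "/joeyh\\.name/\tOK"
		]
		`onChange` Service.restarted "postfix"
		`describe` "postfix mydomain file configured"
	-- Strips the Received: header added for TLS client-cert relays, so
	-- the relaying client's hostname is not disclosed to recipients.
	, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
		"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
		`onChange` Service.restarted "postfix"
		`describe` "postfix obscure_client_relay file configured"
	, Postfix.mappedFile "/etc/postfix/virtual"
		(flip File.containsLines
			[ "# *@joeyh.name to joey"
			, "@joeyh.name\tjoey"
			]
		) `describe` "postfix virtual file configured"
	-- Client certificate fingerprints allowed to relay; private content.
	, Postfix.mappedFile "/etc/postfix/relay_clientcerts" $
		flip File.hasPrivContentExposed ctx
	, Postfix.mainCf `File.containsLines`
		[ "myhostname = kitenet.net"
		, "mydomain = $myhostname"
		, "append_dot_mydomain = no"
		, "myorigin = kitenet.net"
		, "mydestination = $myhostname, localhost.$mydomain, $mydomain, kite.$mydomain., localhost, regexp:$config_directory/mydomain"
		, "mailbox_command = maildrop"
		, "virtual_alias_maps = hash:/etc/postfix/virtual"

		-- Relaying is granted to clients presenting a certificate listed
		-- in relay_clientcerts (smtpd_tls_ask_ccert below requests one).
		-- NOTE(review): smtpd_recipient_restrictions also carries
		-- reject_unauth_destination, and postfix applies both lists, so
		-- a cert-authenticated client outside mynetworks may still be
		-- refused for external destinations — confirm against a live test.
		, "# Allow clients with trusted certs to relay mail through."
		, "relay_clientcerts = hash:/etc/postfix/relay_clientcerts"
		, "smtpd_relay_restrictions = permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject_unauth_destination"

		, "# Filter out client relay lines from headers."
		, "header_checks = pcre:$config_directory/obscure_client_relay.pcre"

		, "# Enable postgrey."
		, "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"

		, "# Enable spamass-milter."
		, "smtpd_milters = unix:/spamass/spamass.sock"
		, "milter_connect_macros = j {daemon_name} v {if_name} _"

		-- TLS is offered, not required (smtpd_use_tls = yes); the
		-- received header records whether it was used.
		, "# TLS setup -- server"
		, "smtpd_tls_CAfile = /etc/ssl/certs/joeyca.pem"
		, "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
		, "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
		, "smtpd_tls_loglevel = 1"
		, "smtpd_tls_received_header = yes"
		, "smtpd_use_tls = yes"
		, "smtpd_tls_ask_ccert = yes"
		, "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"

		-- The same cert/key is presented when this host relays outward.
		, "# TLS setup -- client"
		, "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
		, "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
		, "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
		, "smtp_tls_loglevel = 1"
		, "smtp_use_tls = yes"
		, "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
		]
		`onChange` Postfix.dedupMainCf
		`onChange` Service.restarted "postfix"
		`describe` "postfix configured"
	, Apt.serviceInstalledRunning "dovecot-imapd"
	, Apt.serviceInstalledRunning "dovecot-pop3d"
	, Apt.serviceInstalledRunning "cron"
	]
  where
	ctx = Context "kitenet.net"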
-- | Installs the joeyca CA certificate chain, which the postfix TLS
-- settings in 'kiteMailServer' reference as their CAfile. It is a
-- certificate, not a key, so it is deliberately left readable
-- ("Exposed").
hasJoeyCAChain :: Property
hasJoeyCAChain = File.hasPrivContentExposed cafile (Context "joeyca.pem")
  where
	cafile = "/etc/ssl/certs/joeyca.pem"