Merge branch 'joeyconfig'

Conflicts:
	debian/changelog
	privdata/privdata.gpg
Joey Hess 2014-10-10 11:36:47 -04:00
commit 07f745ef9c
20 changed files with 337 additions and 304 deletions


@ -1,4 +1,5 @@
-- This is the live config file used by propellor's author.
-- https://propellor.branchable.com/
module Main where
import Propellor
@ -7,6 +8,7 @@ import Propellor.Property.Scheduled
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network
import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Cron as Cron
@ -35,209 +37,239 @@ main = defaultMain hosts -- / \___-=O`/|O`/__| (____.'
{- Propellor -- \ / | / ) _.-"-._
Deployed -} -- `/-==__ _/__|/__=-| ( \_
hosts :: [Host] -- * \ | | '--------'
hosts = -- (o) `
[ host "darkstar.kitenet.net"
& ipv6 "2001:4830:1600:187::2" -- sixxs tunnel
hosts = -- (o) `
[ darkstar
, clam
, orca
, kite
, diatom
, elephant
] ++ containers ++ monsters
& Apt.buildDep ["git-annex"] `period` Daily
& Docker.configured
! Docker.docked hosts "android-git-annex"
darkstar :: Host
darkstar = host "darkstar.kitenet.net"
& ipv6 "2001:4830:1600:187::2" -- sixxs tunnel
, standardSystem "clam.kitenet.net" Unstable "amd64"
[ "Unreliable server. Anything here may be lost at any time!" ]
& ipv4 "162.248.9.29"
& Apt.buildDep ["git-annex"] `period` Daily
& Docker.configured
! Docker.docked hosts "android-git-annex"
& CloudAtCost.decruft
& Apt.unattendedUpgrades
& Network.ipv6to4
& Tor.isBridge
& Postfix.satellite
clam :: Host
clam = standardSystem "clam.kitenet.net" Unstable "amd64"
[ "Unreliable server. Anything here may be lost at any time!" ]
& ipv4 "162.248.9.29"
& Docker.configured
& Docker.garbageCollected `period` Daily
-- ssh on some extra ports to deal with horrible networks
-- while travelling
& alias "travelling.kitenet.net"
& Ssh.listenPort 80
& Ssh.listenPort 443
& CloudAtCost.decruft
& Apt.unattendedUpgrades
& Network.ipv6to4
& Tor.isBridge
& Postfix.satellite
& Docker.configured
& Docker.garbageCollected `period` Daily
& Docker.docked hosts "webserver"
& File.dirExists "/var/www/html"
& File.notPresent "/var/www/html/index.html"
& "/var/www/index.html" `File.hasContent` ["hello, world"]
& alias "helloworld.kitenet.net"
-- Orca is the main git-annex build box.
, standardSystem "orca.kitenet.net" Unstable "amd64"
[ "Main git-annex build box." ]
& ipv4 "138.38.108.179"
& Apt.unattendedUpgrades
& Postfix.satellite
& Docker.configured
& Docker.docked hosts "amd64-git-annex-builder"
& Docker.docked hosts "i386-git-annex-builder"
& Docker.docked hosts "android-git-annex-builder"
& Docker.docked hosts "armel-git-annex-builder-companion"
& Docker.docked hosts "armel-git-annex-builder"
& Docker.garbageCollected `period` Daily
& Apt.buildDep ["git-annex"] `period` Daily
-- ssh on some extra ports to deal with horrible networks
-- while travelling
& alias "travelling.kitenet.net"
! Ssh.listenPort 80
! Ssh.listenPort 443
-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
, standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!"
, "This is still under construction and not yet live.."
orca :: Host
orca = standardSystem "orca.kitenet.net" Unstable "amd64"
[ "Main git-annex build box." ]
& ipv4 "138.38.108.179"
& Apt.unattendedUpgrades
& Postfix.satellite
& Docker.configured
& Docker.docked hosts "amd64-git-annex-builder"
& Docker.docked hosts "i386-git-annex-builder"
& Docker.docked hosts "android-git-annex-builder"
& Docker.docked hosts "armel-git-annex-builder-companion"
& Docker.docked hosts "armel-git-annex-builder"
& Docker.garbageCollected `period` Daily
& Apt.buildDep ["git-annex"] `period` Daily
-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
kite :: Host
kite = standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!"
]
& ipv4 "66.228.36.95"
& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
& alias "kitenet.net"
& alias "wren.kitenet.net" -- temporary
& Apt.installed ["linux-image-amd64"]
& Linode.chainPVGrub 5
& Apt.unattendedUpgrades
& Apt.installed ["systemd"]
& Ssh.hostKeys (Context "kitenet.net")
& Ssh.passwordAuthentication True
-- Since ssh password authentication is allowed:
& Apt.serviceInstalledRunning "fail2ban"
& Obnam.backup "/" "33 1 * * *"
[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
, "--client-name=kitenet.net"
, "--encrypt-with=98147487"
, "--exclude=/var/cache"
, "--exclude=/var/tmp"
, "--exclude=/home/joey/lib"
, "--exclude=.*/tmp/"
, "--one-file-system"
] Obnam.OnlyClient
`requires` Gpg.keyImported "98147487" "root"
`requires` Ssh.keyImported SshRsa "root"
(Context "kite.kitenet.net")
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
& Apt.serviceInstalledRunning "ntp"
& "/etc/timezone" `File.hasContent` ["US/Eastern"]
& alias "smtp.kitenet.net"
& alias "imap.kitenet.net"
& alias "pop.kitenet.net"
& alias "mail.kitenet.net"
& JoeySites.kiteMailServer
& JoeySites.legacyWebSites
& alias "bitlbee.kitenet.net"
& Apt.serviceInstalledRunning "bitlbee"
& "/etc/bitlbee/bitlbee.conf" `File.hasContent`
[ "[settings]"
, "User = bitlbee"
, "AuthMode = Registered"
, "[defaults]"
]
`onChange` Service.restarted "bitlbee"
& "/etc/default/bitlbee" `File.containsLine` "BITLBEE_PORT=\"6767\""
`onChange` Service.restarted "bitlbee"
& Apt.installed
["git-annex", "myrepos"
, "build-essential", "make"
, "rss2email", "archivemail"
, "devscripts"
-- Some users have zsh as their login shell.
, "zsh"
]
& ipv4 "66.228.36.95"
& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
-- & alias "kitenet.net" -- not yet live!
& Apt.installed ["linux-image-amd64"]
& Linode.chainPVGrub 5
& Apt.unattendedUpgrades
& Apt.installed ["systemd"]
& Ssh.hostKeys (Context "kitenet.net")
-- Since ssh password authentication is allowed:
& Apt.serviceInstalledRunning "fail2ban"
& Obnam.backup "/" "33 1 * * *"
[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
, "--client-name=kitenet.net"
, "--encrypt-with="
, "--exclude=/var/cache"
, "--exclude=/var/tmp"
, "--exclude=/home/joey/lib"
, "--exclude=.*/tmp/"
, "--one-file-system"
] Obnam.OnlyClient
`requires` Gpg.keyImported "98147487" "root"
`requires` Ssh.keyImported SshRsa "root"
(Context "kite.kitenet.net")
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
diatom :: Host
diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64"
[ "Important stuff that needs not too much memory or CPU." ]
& ipv4 "107.170.31.195"
-- & alias "smtp.kitenet.net" -- not yet live!
-- & alias "imap.kitenet.net" -- not yet live!
-- & alias "mail.kitenet.net" -- not yet live!
& JoeySites.kiteMailServer
& DigitalOcean.distroKernel
& Ssh.hostKeys (Context "diatom.kitenet.net")
& Apt.unattendedUpgrades
& Apt.serviceInstalledRunning "ntp"
& Postfix.satellite
& JoeySites.legacyWebSites
& Apt.installed
["git-annex", "myrepos"
, "build-essential", "make"
-- Some users have zsh as their login shell.
, "zsh"
]
, standardSystem "diatom.kitenet.net" Stable "amd64"
[ "Important stuff that needs not too much memory or CPU." ]
& ipv4 "107.170.31.195"
& DigitalOcean.distroKernel
& Ssh.hostKeys (Context "diatom.kitenet.net")
& Apt.unattendedUpgrades
& Apt.serviceInstalledRunning "ntp"
& Postfix.satellite
-- Diatom has 500 mb of memory, so tune for that.
& JoeySites.obnamLowMem
& Apt.serviceInstalledRunning "swapspace"
-- Diatom has 500 mb of memory, so tune for that.
& JoeySites.obnamLowMem
& Apt.serviceInstalledRunning "swapspace"
& Apt.serviceInstalledRunning "apache2"
& JoeySites.kitenetHttps
& Apache.multiSSL
& File.ownerGroup "/srv/web" "joey" "joey"
& Apt.installed ["analog"]
& Apt.serviceInstalledRunning "apache2"
& JoeySites.kitenetHttps
& Apache.multiSSL
& File.ownerGroup "/srv/web" "joey" "joey"
& Apt.installed ["analog"]
& alias "git.kitenet.net"
& alias "git.joeyh.name"
& JoeySites.gitServer hosts
& alias "git.kitenet.net"
& alias "git.joeyh.name"
& JoeySites.gitServer hosts
& alias "downloads.kitenet.net"
& JoeySites.annexWebSite "/srv/git/downloads.git"
"downloads.kitenet.net"
"840760dc-08f0-11e2-8c61-576b7e66acfd"
[("usbackup", "ssh://usbackup.kitenet.net/~/lib/downloads/")]
`requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net")
`requires` Ssh.knownHost hosts "usbackup.kitenet.net" "joey"
& JoeySites.gitAnnexDistributor
& alias "downloads.kitenet.net"
& JoeySites.annexWebSite "/srv/git/downloads.git"
"downloads.kitenet.net"
"840760dc-08f0-11e2-8c61-576b7e66acfd"
[("usbackup", "ssh://usbackup.kitenet.net/~/lib/downloads/")]
`requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net")
`requires` Ssh.knownHost hosts "usbackup.kitenet.net" "joey"
& JoeySites.gitAnnexDistributor
& alias "tmp.kitenet.net"
& JoeySites.annexWebSite "/srv/git/joey/tmp.git"
"tmp.kitenet.net"
"26fd6e38-1226-11e2-a75f-ff007033bdba"
[]
& JoeySites.twitRss
& JoeySites.pumpRss
& JoeySites.annexWebSite "/srv/git/joey/tmp.git"
"tmp.kitenet.net"
"26fd6e38-1226-11e2-a75f-ff007033bdba"
[]
& JoeySites.twitRss
& JoeySites.pumpRss
& alias "nntp.olduse.net"
& alias "resources.olduse.net"
& JoeySites.oldUseNetServer hosts
& alias "ns2.kitenet.net"
& myDnsPrimary "kitenet.net" []
& myDnsPrimary "joeyh.name" []
& myDnsPrimary "ikiwiki.info" []
& myDnsPrimary "olduse.net"
[ (RelDomain "article",
CNAME $ AbsDomain "virgil.koldfront.dk") ]
& alias "nntp.olduse.net"
& alias "resources.olduse.net"
& JoeySites.oldUseNetServer hosts
& alias "ns3.branchable.com"
& branchableSecondary
& Dns.secondaryFor ["animx"] hosts "animx.eu.org"
& alias "ns2.kitenet.net"
& myDnsPrimary "kitenet.net" []
& myDnsPrimary "joeyh.name" []
& myDnsPrimary "ikiwiki.info" []
& myDnsPrimary "olduse.net"
[ (RelDomain "article",
CNAME $ AbsDomain "virgil.koldfront.dk") ]
, let ctx = Context "elephant.kitenet.net"
in standardSystem "elephant.kitenet.net" Unstable "amd64"
[ "Storage, big data, and backups, omnomnom!"
, "(Encrypt all data stored here.)"
]
& ipv4 "193.234.225.114"
& alias "ns3.branchable.com"
& branchableSecondary
& Dns.secondaryFor ["animx"] hosts "animx.eu.org"
elephant :: Host
elephant = standardSystem "elephant.kitenet.net" Unstable "amd64"
[ "Storage, big data, and backups, omnomnom!"
, "(Encrypt all data stored here.)"
]
& ipv4 "193.234.225.114"
& Grub.chainPVGrub "hd0,0" "xen/xvda1" 30
& Postfix.satellite
& Apt.unattendedUpgrades
& Ssh.hostKeys ctx
& sshPubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0="
& Ssh.keyImported SshRsa "joey" ctx
& Apt.serviceInstalledRunning "swapspace"
& Postfix.satellite
& Apt.unattendedUpgrades
& Ssh.hostKeys ctx
& sshPubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0="
& Ssh.keyImported SshRsa "joey" ctx
& Apt.serviceInstalledRunning "swapspace"
& alias "eubackup.kitenet.net"
& Apt.installed ["obnam", "sshfs", "rsync"]
& JoeySites.obnamRepos ["wren", "pell", "kite"]
& JoeySites.githubBackup
& JoeySites.rsyncNetBackup hosts
& JoeySites.backupsBackedupTo hosts "usbackup.kitenet.net" "lib/backup/eubackup"
& Apt.installed ["obnam", "sshfs", "rsync"]
& JoeySites.obnamRepos ["wren", "pell", "kite"]
& JoeySites.githubBackup
& JoeySites.rsyncNetBackup hosts
& JoeySites.backupsBackedupTo hosts "usbackup.kitenet.net" "lib/backup/eubackup"
& alias "podcatcher.kitenet.net"
& JoeySites.podcatcher
& alias "znc.kitenet.net"
& JoeySites.ircBouncer
-- I'd rather this were on diatom, but it needs unstable.
& alias "kgb.kitenet.net"
& JoeySites.kgbServer
& JoeySites.podcatcher
& alias "znc.kitenet.net"
& JoeySites.ircBouncer
-- I'd rather this were on diatom, but it needs unstable.
& alias "kgb.kitenet.net"
& JoeySites.kgbServer
& alias "mumble.kitenet.net"
& JoeySites.mumbleServer hosts
& alias "ns3.kitenet.net"
& myDnsSecondary
& Docker.configured
& JoeySites.mumbleServer hosts
& alias "ns3.kitenet.net"
& myDnsSecondary
& Docker.configured
& Docker.docked hosts "oldusenet-shellbox"
& Docker.docked hosts "openid-provider"
`requires` Apt.serviceInstalledRunning "ntp"
& Docker.docked hosts "ancient-kitenet"
& Docker.docked hosts "openid-provider"
`requires` Apt.serviceInstalledRunning "ntp"
& Docker.docked hosts "ancient-kitenet"
& Docker.garbageCollected `period` (Weekly (Just 1))
-- For https port 443, shellinabox with ssh login to
-- kitenet.net
& alias "shell.kitenet.net"
& JoeySites.kiteShellBox
-- Nothing is using http port 80, so listen on
-- that port for ssh, for traveling on bad networks that
-- block 22.
& Ssh.listenPort 80
& Docker.garbageCollected `period` (Weekly (Just 1))
-- For https port 443, shellinabox with ssh login to
-- kitenet.net
& alias "shell.kitenet.net"
& JoeySites.kiteShellBox
-- Nothing is using http port 80, so listen on
-- that port for ssh, for traveling on bad networks that
-- block 22.
& Ssh.listenPort 80
where
ctx = Context "elephant.kitenet.net"
--' __|II| ,.
@ -247,30 +279,31 @@ hosts = -- (o) `
----------------------- : / -----------------------
------------------------ \____, o ,' ------------------------
------------------------- '--,___________,' -------------------------
containers :: [Host]
containers =
-- Simple web server, publishing the outside host's /var/www
, standardContainer "webserver" Stable "amd64"
& Docker.publish "8080:80"
[ standardStableContainer "webserver"
& Docker.publish "80:80"
& Docker.volume "/var/www:/var/www"
& Apt.serviceInstalledRunning "apache2"
-- My own openid provider. Uses php, so containerized for security
-- and administrative sanity.
, standardContainer "openid-provider" Stable "amd64"
, standardStableContainer "openid-provider"
& alias "openid.kitenet.net"
& Docker.publish "8081:80"
& OpenId.providerFor ["joey", "liw"]
"openid.kitenet.net:8081"
-- Exhibit: kite's 90's website.
, standardContainer "ancient-kitenet" Stable "amd64"
, standardStableContainer "ancient-kitenet"
& alias "ancient.kitenet.net"
& Docker.publish "1994:80"
& Apt.serviceInstalledRunning "apache2"
& Git.cloned "root" "git://kitenet-net.branchable.com/" "/var/www"
(Just "remotes/origin/old-kitenet.net")
, standardContainer "oldusenet-shellbox" Stable "amd64"
, standardStableContainer "oldusenet-shellbox"
& alias "shell.olduse.net"
& Docker.publish "4200:4200"
& JoeySites.oldUseNetShellBox
@ -287,7 +320,7 @@ hosts = -- (o) `
, let gitannexdir = GitAnnexBuilder.homedir </> "git-annex"
in GitAnnexBuilder.androidContainer dockerImage "android-git-annex" doNothing gitannexdir
& Docker.volume ("/home/joey/src/git-annex:" ++ gitannexdir)
] ++ monsters
]
type Motd = [String]
@ -321,6 +354,9 @@ standardSystemUnhardened hn suite arch motd = host hn
& Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"]
`onChange` Apt.autoRemove
standardStableContainer :: Docker.ContainerName -> Host
standardStableContainer name = standardContainer name (Stable "wheezy") "amd64"
-- This is my standard container setup, featuring automatic upgrades.
standardContainer :: Docker.ContainerName -> DebianSuite -> Architecture -> Host
standardContainer name suite arch = Docker.container name (dockerImage system)
@ -329,6 +365,7 @@ standardContainer name suite arch = Docker.container name (dockerImage system)
& Apt.installed ["systemd"]
& Apt.unattendedUpgrades
& Apt.cacheCleaned
& Docker.tweaked
where
system = System (Debian suite) arch
@ -336,7 +373,7 @@ standardContainer name suite arch = Docker.container name (dockerImage system)
dockerImage :: System -> Docker.Image
dockerImage (System (Debian Unstable) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Testing) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Stable) arch) = "joeyh/debian-stable-" ++ arch
dockerImage (System (Debian (Stable _)) arch) = "joeyh/debian-stable-" ++ arch
dockerImage _ = "debian-stable-official" -- does not currently exist!
myDnsSecondary :: Property
@ -376,7 +413,7 @@ myDnsPrimary domain extras = Dns.primary hosts domain
monsters :: [Host] -- Systems I don't manage with propellor,
monsters = -- but do want to track their public keys etc.
monsters = -- but do want to track their public keys etc.
[ host "usw-s002.rsync.net"
& sshPubKey "ssh-dss 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"
, host "github.com"
@ -389,55 +426,8 @@ monsters = -- but do want to track their public keys etc.
& alias "backup.kitenet.net"
& alias "usbackup.kitenet.net"
& sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw=="
, host "wren.kitenet.net"
, host "old.kitenet.net"
& ipv4 "80.68.85.49"
& ipv6 "2001:41c8:125:49::10"
& alias "kitenet.net"
& alias "ns1.kitenet.net"
& alias "ftp.kitenet.net"
& alias "mail.kitenet.net"
& alias "smtp.kitenet.net"
& alias "bitlbee.kitenet.net"
{- Remaining services on kite:
-
- / = ready to go on kite.kitenet.net
-
- mail
- /postfix
- /postgrey
- mailman
- /spamassassin
- sqwebmail (cannot use this with dovecot, alternatives?)
- /imap server
- /pop server
- /apache
- bitlbee (EOL?)
- prosody (EOL?)
- ftpd (EOL)
-
- Pre-transition:
- - re-rsync /home (skip ~joey and .pine*)
- cd /home && rsync -4 --progress -avz root@wren.kitenet.net:/home/ ./ --exclude='.pine*' --exclude='joey/*' --delete
-
- Transition plan:
- - on darkstar: offlineimap run & disable cron job
- & move offlineimap files to tmp
- - take down wren pstfix, imap, pop servers
- - log all users out of wren
- - final /home rsync (skip ~joey and .pine*)
- - rsync /var/mail
- - rsync mailman and mailman list archives dirs
- - switch kitenet.net dns and enable pop.kitenet.net etc aliass
- - point wren.kitenet.net at kite.kitenet.net temporarily
- (make real-wren.kitenet.net alias)
- - reconfigure errol's email client to use new server
- - on darkstar: re-run offlinimap against new server
- - test mail
- - test virus filtering
- - test http://kitenet.net/~kyle/ (user home dirs)
- - test mailman
- - migrate user cron jobs
-}
, host "mouse.kitenet.net"
& ipv6 "2001:4830:1600:492::2"
, host "beaver.kitenet.net"
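Review bot: The new top-level `kite` definition appears to add `Ssh.passwordAuthentication True` (the line just above the "Since ssh password authentication is allowed" comment and fail2ban), on a multiuser, Internet-facing host that is built with standardSystemUnhardened and now carries the live kitenet.net, mail and imap aliases; fail2ban throttles brute force but does not protect weak user passwords. Since the Ssh module exports permitRootLogin (visible in the Ssh.hs section of this commit), consider pairing it with an explicit `& Ssh.permitRootLogin False` unless standardSystemUnhardened already does that outside this view, and widen the existing comment to record the trade-off, e.g. `-- Password auth is deliberately allowed for the multiuser accounts; root login must stay denied and fail2ban throttles guesses.` The old side's Obnam call had an empty `--encrypt-with=`, which the new side fixes with the key id; good, and the `Gpg.keyImported` requirement still matches it. hosts, standardSystem and standardSystemUnhardened are defined partly outside these hunks.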

debian/changelog vendored

@ -1,9 +1,16 @@
propellor (0.8.4) UNRELEASED; urgency=medium
propellor (0.9.0) UNRELEASED; urgency=medium
* Avoid encoding the current stable suite in propellor's code,
since that poses a difficult transition around the release,
and can easily be wrong if an older version of propellor is used.
Instead, the os property for a stable system includes the suite name
to use, eg Stable "wheezy".
* stdSourcesList uses the stable suite name, to avoid unwanted
immediate upgrades to the next stable release.
* debCdn switched from cdn.debian.net to http.debian.net, which seems to be
better managed now.
-- Joey Hess <joeyh@debian.org> Sat, 23 Aug 2014 13:18:46 -0700
-- Joey Hess <joeyh@debian.org> Fri, 10 Oct 2014 11:08:55 -0400
propellor (0.8.3) unstable; urgency=medium


@ -1,5 +1,5 @@
Name: propellor
Version: 0.8.3
Version: 0.9.0
Cabal-Version: >= 1.6
License: BSD3
Maintainer: Joey Hess <joey@kitenet.net>


@ -37,9 +37,9 @@ usage = do
processCmdLine :: IO CmdLine
processCmdLine = go =<< getArgs
where
go ("--help":_) = usage
go ("--spin":h:[]) = return $ Spin h
go ("--boot":h:[]) = return $ Boot h
go ("--help":_) = usage
go ("--spin":h:[]) = return $ Spin h
go ("--boot":h:[]) = return $ Boot h
go ("--add-key":k:[]) = return $ AddKey k
go ("--set":f:c:[]) = withprivfield f c Set
go ("--dump":f:c:[]) = withprivfield f c Dump
@ -48,7 +48,7 @@ processCmdLine = go =<< getArgs
go ("--continue":s:[]) = case readish s of
Just cmdline -> return $ Continue cmdline
Nothing -> errorMessage "--continue serialization failure"
go ("--chain":h:[]) = return $ Chain h
go ("--chain":h:[]) = return $ Chain h
go ("--docker":h:[]) = return $ Docker h
go (h:[])
| "--" `isPrefixOf` h = usage
@ -237,6 +237,7 @@ spin hn hst = do
sendMarked toh marker s
return True
-- Initial git clone, used for bootstrapping.
sendGitClone :: HostName -> String -> IO ()
sendGitClone hn url = void $ actionMessage ("Pushing git repository to " ++ hn) $ do
branch <- getCurrentBranch


@ -114,7 +114,7 @@ listPrivDataFields hosts = do
showtable "Data that would be used if set:" $
map mkrow (M.keys $ M.difference wantedmap m)
where
header = ["Field", "Context", "Used by"]
header = ["Field", "Context", "Used by"]
mkrow k@(field, (Context context)) =
[ shellEscape $ show field
, shellEscape context


@ -31,7 +31,7 @@ propertyList desc ps = Property desc (ensureProperties ps) (combineInfos ps)
combineProperties :: Desc -> [Property] -> Property
combineProperties desc ps = Property desc (go ps NoChange) (combineInfos ps)
where
go [] rs = return rs
go [] rs = return rs
go (l:ls) rs = do
r <- ensureProperty l
case r of


@ -54,7 +54,7 @@ installed :: Property
installed = Apt.installed ["apache2"]
restarted :: Property
restarted = cmdProperty "service" ["apache2", "restart"]
restarted = Service.restarted "apache2"
reloaded :: Property
reloaded = Service.reloaded "apache2"


@ -20,14 +20,14 @@ type Section = String
type SourcesGenerator = DebianSuite -> [Line]
showSuite :: DebianSuite -> String
showSuite Stable = "stable"
showSuite (Stable s) = s
showSuite Testing = "testing"
showSuite Unstable = "unstable"
showSuite Experimental = "experimental"
showSuite (DebianRelease r) = r
backportSuite :: String
backportSuite = showSuite stableRelease ++ "-backports"
backportSuite :: DebianSuite -> Maybe String
backportSuite (Stable s) = Just (s ++ "-backports")
backportSuite _ = Nothing
debLine :: String -> Url -> [Section] -> Line
debLine suite mirror sections = unwords $
@ -42,12 +42,17 @@ stdSections :: [Section]
stdSections = ["main", "contrib", "non-free"]
binandsrc :: String -> SourcesGenerator
binandsrc url suite
| isStable suite = [l, srcLine l, bl, srcLine bl]
| otherwise = [l, srcLine l]
binandsrc url suite = catMaybes
[ Just l
, Just $ srcLine l
, bl
, srcLine <$> bl
]
where
l = debLine (showSuite suite) url stdSections
bl = debLine backportSuite url stdSections
bl = do
bs <- backportSuite suite
return $ debLine bs url stdSections
debCdn :: SourcesGenerator
debCdn = binandsrc "http://http.debian.net/debian"
@ -128,13 +133,14 @@ installed' params ps = robustly $ check (isInstallable ps) go
installedBackport :: [Package] -> Property
installedBackport ps = trivial $ withOS desc $ \o -> case o of
Nothing -> error "cannot install backports; os not declared"
(Just (System (Debian suite) _))
| isStable suite ->
ensureProperty $ runApt $
["install", "-t", backportSuite, "-y"] ++ ps
_ -> error $ "backports not supported on " ++ show o
(Just (System (Debian suite) _)) -> case backportSuite suite of
Nothing -> notsupported o
Just bs -> ensureProperty $ runApt $
["install", "-t", bs, "-y"] ++ ps
_ -> notsupported o
where
desc = (unwords $ "apt installed backport":ps)
notsupported o = error $ "backports not supported on " ++ show o
-- | Minimal install of package, without recommends.
installedMin :: [Package] -> Property
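Review bot: `backportSuite` changed from a constant to `DebianSuite -> Maybe String` but carries no haddock, and its `Nothing` case is now what makes `installedBackport` abort with `notsupported` for Testing, Unstable, Experimental and `DebianRelease r`. A one-line comment would make that contract visible, e.g. `-- | Backports suite for a stable release ("wheezy-backports"); Nothing for suites with no backports pocket.` Note that `DebianRelease "wheezy"` falls into `Nothing` while `Stable "wheezy"` does not, so a release named explicitly cannot get backports; if that is intended, say so in the comment, otherwise add a `DebianRelease r` case. `installedBackport` and the rest of the module continue outside the hunks shown.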


@ -33,7 +33,7 @@ cmdProperty' cmd params env = property desc $ liftIO $ do
, return FailedChange
)
where
desc = unwords $ cmd : params
desc = unwords $ cmd : params
-- | A property that can be satisfied by running a series of shell commands.
scriptProperty :: [String] -> Property


@ -117,7 +117,7 @@ secondaryFor masters hosts domain = RevertableProperty setup cleanup
`requires` servingZones
cleanup = namedConfWritten
desc = "dns secondary for " ++ domain
desc = "dns secondary for " ++ domain
conf = NamedConf
{ confDomain = domain
, confDnsServerType = Secondary
@ -380,7 +380,7 @@ genZone hosts zdomain soa =
[] -> [ret (CNAME c)]
l -> map (ret . Address) l
where
ret record = Right (c, record)
ret record = Right (c, record)
-- Adds any other DNS records for a host located in the zdomain.
hostrecords :: Host -> [Either WarningMessage (BindDomain, Record)]
@ -420,7 +420,7 @@ domainHost base (AbsDomain d)
addNamedConf :: NamedConf -> Info
addNamedConf conf = mempty { _namedconf = NamedConfMap (M.singleton domain conf) }
where
domain = confDomain conf
domain = confDomain conf
getNamedConf :: Propellor (M.Map Domain NamedConf)
getNamedConf = asks $ fromNamedConfMap . _namedconf . hostInfo


@ -13,6 +13,7 @@ module Propellor.Property.Docker (
docked,
memoryLimited,
garbageCollected,
tweaked,
Image,
ContainerName,
-- * Container configuration
@ -102,7 +103,7 @@ docked hosts cn = RevertableProperty
where
go desc a = property (desc ++ " " ++ cn) $ do
hn <- asks hostName
let cid = ContainerId hn cn
let cid = ContainerId hn cn
ensureProperties [findContainer mhost cid cn $ a cid]
mhost = findHost hosts (cn2hn cn)
@ -152,7 +153,7 @@ mkContainer cid@(ContainerId hn _cn) h = Container
<*> pure (map (\a -> a hn) (_dockerRunParams info))
where
info = _dockerinfo $ hostInfo h'
h' = h
h' = h
-- expose propellor directory inside the container
& volume (localdir++":"++localdir)
-- name the container in a predictable way so we
@ -176,6 +177,16 @@ garbageCollected = propertyList "docker garbage collected"
gcimages = property "docker images garbage collected" $ do
liftIO $ report <$> (mapM removeImage =<< listImages)
-- | Tweaks a container to work well with docker.
--
-- Currently, this consists of making pam_loginuid lines optional in
-- the pam config, to work around https://github.com/docker/docker/issues/5663
-- which affects docker 1.2.0.
tweaked :: Property
tweaked = trivial $
cmdProperty "sh" ["-c", "sed -ri 's/^session\\s+required\\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/*"]
`describe` "tweaked for docker"
-- | Configures the kernel to respect docker memory limits.
--
-- This assumes the system boots using grub 2. And that you don't need any
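Review bot: `tweaked` rewrites every file under /etc/pam.d with sed and nothing in the property restricts it to a container, so applying it to a host by mistake would silently downgrade pam_loginuid from required to optional system-wide, which disables the audit login-UID tracking that login and sshd sessions rely on. Since the sed exists only to work around docker issue 5663, that trade-off belongs in the haddock, e.g. `-- Note: this makes pam_loginuid optional in every PAM service; only apply it inside a container, never to a host.` If Propellor has a way to detect that it is running inside a container, guarding the cmdProperty with that check would enforce the comment. The sed is idempotent once the pattern no longer matches, so repeated runs are harmless; the rest of the module continues outside the hunks shown.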


@ -105,12 +105,12 @@ installed = Apt.installed ["obnam"]
latestVersion :: Property
latestVersion = withOS "obnam latest version" $ \o -> case o of
(Just (System (Debian suite) _)) | isStable suite -> ensureProperty $
Apt.setSourcesListD stablesources "obnam"
Apt.setSourcesListD (stablesources suite) "obnam"
`requires` toProp (Apt.trustsKey key)
_ -> noChange
where
stablesources =
[ "deb http://code.liw.fi/debian " ++ Apt.showSuite stableRelease ++ " main"
stablesources suite =
[ "deb http://code.liw.fi/debian " ++ Apt.showSuite suite ++ " main"
]
-- gpg key used by the code.liw.fi repository.
key = Apt.AptKey "obnam" $ unlines


@ -98,6 +98,7 @@ standardAutoBuilderContainer dockerImage arch buildminute timeout = Docker.conta
& tree arch
& buildDepsApt
& autobuilder arch (show buildminute ++ " * * * *") timeout
& Docker.tweaked
androidAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host
androidAutoBuilderContainer dockerImage crontimes timeout =
@ -108,8 +109,8 @@ androidAutoBuilderContainer dockerImage crontimes timeout =
-- Android is cross-built in a Debian i386 container, using the Android NDK.
androidContainer :: (System -> Docker.Image) -> Docker.ContainerName -> Property -> FilePath -> Host
androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.container name
(dockerImage $ System (Debian Stable) "i386")
& os (System (Debian Stable) "i386")
(dockerImage osver)
& os osver
& Apt.stdSourcesList
& Apt.installed ["systemd"]
& User.accountFor builduser
@ -118,6 +119,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
& buildDepsNoHaskellLibs
& flagFile chrootsetup ("/chrootsetup")
`requires` setupgitannexdir
& Docker.tweaked
-- TODO: automate installing haskell libs
-- (Currently have to run
-- git-annex/standalone/android/install-haskell-packages
@ -129,6 +131,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
chrootsetup = scriptProperty
[ "cd " ++ gitannexdir ++ " && ./standalone/android/buildchroot-inchroot"
]
osver = System (Debian (Stable "wheezy")) "i386"
-- armel builder has a companion container using amd64 that
-- runs the build first to get TH splices. They need
@ -139,7 +142,6 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder-
& os (System (Debian Testing) "amd64")
& Apt.stdSourcesList
& Apt.installed ["systemd"]
& Apt.unattendedUpgrades
-- This volume is shared with the armel builder.
& Docker.volume gitbuilderdir
& User.accountFor builduser
@ -151,13 +153,13 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder-
& Docker.expose "22"
& Apt.serviceInstalledRunning "ssh"
& Ssh.authorizedKeys builduser (Context "armel-git-annex-builder")
& Docker.tweaked
armelAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host
armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "armel-git-annex-builder"
(dockerImage $ System (Debian Unstable) "armel")
& os (System (Debian Testing) "armel")
& Apt.stdSourcesList
& Apt.unattendedUpgrades
& Apt.installed ["systemd"]
& Apt.installed ["openssh-client"]
& Docker.link "armel-git-annex-builder-companion" "companion"
@ -172,6 +174,7 @@ armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "arme
`requires` tree "armel"
& Ssh.keyImported SshRsa builduser (Context "armel-git-annex-builder")
& trivial writecompanionaddress
& Docker.tweaked
where
writecompanionaddress = scriptProperty
[ "echo \"$COMPANION_PORT_22_TCP_ADDR\" > " ++ homedir </> "companion_address"
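Review bot: The armel companion and armel builder containers each lose `Apt.unattendedUpgrades` in this change (the single removed line in each of the two armel hunks) while the companion keeps sshd exposed on port 22 and both are declared with the Testing suite, so they will no longer pick up security fixes automatically. If it was dropped because unattended-upgrades has no security pocket to follow on Testing, a one-line comment where the property was, e.g. `-- No unattendedUpgrades: Testing has no security suite for it to track; rebuild the container instead.`, would stop the next reader from re-adding it; otherwise restore it. Pre-existing but visible in the same hunk: the builder's image is requested as Unstable armel while its os property declares Testing armel, so stdSourcesList and the image disagree on suite. androidContainer and armelAutoBuilderContainer both start or end outside the hunks shown.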


@ -70,7 +70,10 @@ oldUseNetServer hosts = propertyList ("olduse.net server")
datadir = "/var/spool/oldusenet"
oldUseNetShellBox :: Property
oldUseNetShellBox = oldUseNetInstalled "oldusenet"
oldUseNetShellBox = propertyList "olduse.net shellbox"
[ oldUseNetInstalled "oldusenet"
, Service.running "oldusenet"
]
oldUseNetInstalled :: Apt.Package -> Property
oldUseNetInstalled pkg = check (not <$> Apt.isInstalled pkg) $
@ -376,7 +379,7 @@ obnamRepos :: [String] -> Property
obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs)
(mkbase : map mkrepo rs)
where
mkbase = mkdir "/home/joey/lib/backup"
mkbase = mkdir "/home/joey/lib/backup"
`requires` mkdir "/home/joey/lib"
mkrepo r = mkdir ("/home/joey/lib/backup/" ++ r ++ ".obnam")
mkdir d = File.dirExists d
@ -452,8 +455,16 @@ kiteMailServer = propertyList "kitenet.net mail server"
]
`onChange` Postfix.reloaded
`describe` "postfix mydomain file configured"
, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
, "/etc/postfix/obscure_client_relay.pcre" `File.hasContent`
-- Remove received lines for mails relayed from trusted
-- clients. These can be a privacy vilation, or trigger
-- spam filters.
[ "/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
-- Munge local Received line for postfix running on a
-- trusted client that relays through. These can trigger
-- spam filters.
, "/^Received: by ([^.]+)\\.kitenet\\.net.*/ REPLACE Received: by kitenet.net"
]
`onChange` Postfix.reloaded
`describe` "postfix obscure_client_relay file configured"
, Postfix.mappedFile "/etc/postfix/virtual"
@ -482,7 +493,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "header_checks = pcre:$config_directory/obscure_client_relay.pcre"
, "# Enable postgrey."
, "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
, "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
, "# Enable spamass-milter and amavis-milter."
, "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock"
@ -541,10 +552,13 @@ kiteMailServer = propertyList "kitenet.net mail server"
`onChange` (pinescript `File.mode`
combineModes (readModes ++ executeModes))
`describe` "pine wrapper script"
, "/etc/pine.conf" `File.containsLines`
[ "inbox-path={localhost/novalidate-cert}inbox"
, "/etc/pine.conf" `File.hasContent`
[ "# deployed with propellor"
, "inbox-path={localhost/novalidate-cert/NoRsh}inbox"
]
`describe` "pine configured to use local imap server"
, Apt.serviceInstalledRunning "mailman"
]
where
ctx = Context "kitenet.net"
@ -705,8 +719,8 @@ legacyWebSites = propertyList "legacy web sites"
]
, alias "joey.kitenet.net"
, toProp $ Apache.siteEnabled "joey.kitenet.net" $ apachecfg "joey.kitenet.net" False
[ "DocumentRoot /home/joey/html"
, "<Directory /home/joey/html/>"
[ "DocumentRoot /var/www"
, "<Directory /var/www/>"
, " Options Indexes ExecCGI"
, " AllowOverride None"
, Apache.allowAll
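Review bot: The `permit_tls_clientcerts` added to the `smtpd_recipient_restrictions` line in the kiteMailServer hunk only takes effect when Postfix also requests client certificates (`smtpd_tls_ask_ccert = yes`) and a `relay_clientcerts` map lists the fingerprints it should trust; neither setting is visible in this hunk, so if they live elsewhere in the main.cf list it would help to say so next to this line, e.g. `, "# permit_tls_clientcerts relies on smtpd_tls_ask_ccert and relay_clientcerts"`. Its position before `reject_unauth_destination` is the right one for a relay permit, and the fingerprint-only trust is what limits it to the clients whose Received lines the new obscure_client_relay.pcre rules then rewrite. The comment in that pcre list also misspells "violation" as "vilation". kiteMailServer's property list starts and ends outside these hunks.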


@ -3,7 +3,7 @@ module Propellor.Property.Ssh (
permitRootLogin,
passwordAuthentication,
hasAuthorizedKeys,
restartSshd,
restarted,
randomHostKeys,
hostKeys,
hostKey,
@ -15,6 +15,7 @@ module Propellor.Property.Ssh (
import Propellor
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Service as Service
import Propellor.Property.User
import Utility.SafeCommand
import Utility.FileMode
@ -33,7 +34,7 @@ setSshdConfig setting allowed = combineProperties "sshd config"
[ sshdConfig `File.lacksLine` (sshline $ not allowed)
, sshdConfig `File.containsLine` (sshline allowed)
]
`onChange` restartSshd
`onChange` restarted
`describe` unwords [ "ssh config:", setting, sshBool allowed ]
where
sshline v = setting ++ " " ++ sshBool v
@ -59,15 +60,15 @@ hasAuthorizedKeys = go <=< dotFile "authorized_keys"
where
go f = not . null <$> catchDefaultIO "" (readFile f)
restartSshd :: Property
restartSshd = cmdProperty "service" ["ssh", "restart"]
restarted :: Property
restarted = Service.restarted "ssh"
-- | Blows away existing host keys and make new ones.
-- Useful for systems installed from an image that might reuse host keys.
-- A flag file is used to only ever do this once.
randomHostKeys :: Property
randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys"
`onChange` restartSshd
`onChange` restarted
where
prop = property "ssh random host keys" $ do
void $ liftIO $ boolSystem "sh"
@ -91,9 +92,9 @@ hostKey keytype context = combineProperties desc
[ installkey (SshPubKey keytype "") (install writeFile ".pub")
, installkey (SshPrivKey keytype "") (install writeFileProtected "")
]
`onChange` restartSshd
`onChange` restarted
where
desc = "known ssh host key (" ++ fromKeyType keytype ++ ")"
desc = "known ssh host key (" ++ fromKeyType keytype ++ ")"
installkey p a = withPrivData p context $ \getkey ->
property desc $ getkey a
install writer ext key = do
@ -176,7 +177,7 @@ listenPort port = RevertableProperty enable disable
portline = "Port " ++ show port
enable = sshdConfig `File.containsLine` portline
`describe` ("ssh listening on " ++ portline)
`onChange` restartSshd
`onChange` restarted
disable = sshdConfig `File.lacksLine` portline
`describe` ("ssh not listening on " ++ portline)
`onChange` restartSshd
`onChange` restarted
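Review bot: Replacing `restartSshd` with `restarted` in the export list removes the old name from the module's public API without a compatibility alias, so any config.hs or module outside this file that still refers to `Ssh.restartSshd` stops compiling; the same applies to `restartTor` in the Propellor.Property.Tor section below, which that module exports implicitly. If external callers are possible, keep a deprecated alias alongside the new definition: `restartSshd :: Property`, `restartSshd = restarted`, `{-# DEPRECATED restartSshd "use Propellor.Property.Ssh.restarted" #-}`. If the rename is intentional as a breaking change, a changelog entry naming both renamed properties would make that explicit. The `randomHostKeys` and `hostKey` bodies continue outside these hunks.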


@ -27,6 +27,6 @@ enabledFor user = property desc go `requires` Apt.installed ["sudo"]
| not (sudobaseline `isPrefixOf` l) = True
| "NOPASSWD" `isInfixOf` l = locked
| otherwise = True
modify locked ls
modify locked ls
| sudoline locked `elem` ls = ls
| otherwise = ls ++ [sudoline locked]


@ -3,6 +3,7 @@ module Propellor.Property.Tor where
import Propellor
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Service as Service
isBridge :: Property
isBridge = setup `requires` Apt.installed ["tor"]
@ -13,7 +14,7 @@ isBridge = setup `requires` Apt.installed ["tor"]
, "ORPort 443"
, "BridgeRelay 1"
, "Exitpolicy reject *:*"
] `onChange` restartTor
] `onChange` restarted
restartTor :: Property
restartTor = cmdProperty "service" ["tor", "restart"]
restarted :: Property
restarted = Service.restarted "tor"


@ -48,8 +48,8 @@ simpleSh namedpipe = do
flip catchIO (\_e -> writeChan chan Done) $ do
let p = (proc cmd params)
{ std_in = Inherit
, std_out = CreatePipe
{ std_in = Inherit
, std_out = CreatePipe
, std_err = CreatePipe
}
(Nothing, Just outh, Just errh, pid) <- createProcess p


@ -89,7 +89,7 @@ instance IsProp Property where
getInfo = propertyInfo
x `requires` y = Property (propertyDesc x) satisfy info
where
info = getInfo y <> getInfo x
info = getInfo y <> getInfo x
satisfy = do
r <- propertySatisfy y
case r of
@ -146,4 +146,4 @@ data CmdLine
| Continue CmdLine
| Chain HostName
| Docker HostName
deriving (Read, Show, Eq)
deriving (Read, Show, Eq)


@ -13,15 +13,14 @@ data Distribution
| Ubuntu Release
deriving (Show, Eq)
data DebianSuite = Experimental | Unstable | Testing | Stable | DebianRelease Release
-- | Debian has several rolling suites, and a number of stable releases,
-- such as Stable "wheezy".
data DebianSuite = Experimental | Unstable | Testing | Stable Release
deriving (Show, Eq)
-- | The release that currently corresponds to stable.
stableRelease :: DebianSuite
stableRelease = DebianRelease "wheezy"
isStable :: DebianSuite -> Bool
isStable s = s == Stable || s == stableRelease
isStable (Stable _) = True
isStable _ = False
type Release = String
type Architecture = String