Merge branch 'joeyconfig'

Conflicts:
	debian/changelog
	privdata/privdata.gpg
This commit is contained in:
Joey Hess 2014-10-10 11:36:47 -04:00
commit 07f745ef9c
20 changed files with 337 additions and 304 deletions


@ -1,4 +1,5 @@
-- This is the live config file used by propellor's author. -- This is the live config file used by propellor's author.
-- https://propellor.branchable.com/
module Main where module Main where
import Propellor import Propellor
@ -7,6 +8,7 @@ import Propellor.Property.Scheduled
import qualified Propellor.Property.File as File import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network import qualified Propellor.Property.Network as Network
import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.Ssh as Ssh import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Gpg as Gpg import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Cron as Cron import qualified Propellor.Property.Cron as Cron
@ -36,14 +38,24 @@ main = defaultMain hosts -- / \___-=O`/|O`/__| (____.'
Deployed -} -- `/-==__ _/__|/__=-| ( \_ Deployed -} -- `/-==__ _/__|/__=-| ( \_
hosts :: [Host] -- * \ | | '--------' hosts :: [Host] -- * \ | | '--------'
hosts = -- (o) ` hosts = -- (o) `
[ host "darkstar.kitenet.net" [ darkstar
, clam
, orca
, kite
, diatom
, elephant
] ++ containers ++ monsters
darkstar :: Host
darkstar = host "darkstar.kitenet.net"
& ipv6 "2001:4830:1600:187::2" -- sixxs tunnel & ipv6 "2001:4830:1600:187::2" -- sixxs tunnel
& Apt.buildDep ["git-annex"] `period` Daily & Apt.buildDep ["git-annex"] `period` Daily
& Docker.configured & Docker.configured
! Docker.docked hosts "android-git-annex" ! Docker.docked hosts "android-git-annex"
, standardSystem "clam.kitenet.net" Unstable "amd64" clam :: Host
clam = standardSystem "clam.kitenet.net" Unstable "amd64"
[ "Unreliable server. Anything here may be lost at any time!" ] [ "Unreliable server. Anything here may be lost at any time!" ]
& ipv4 "162.248.9.29" & ipv4 "162.248.9.29"
@ -55,15 +67,20 @@ hosts = -- (o) `
& Docker.configured & Docker.configured
& Docker.garbageCollected `period` Daily & Docker.garbageCollected `period` Daily
& Docker.docked hosts "webserver"
& File.dirExists "/var/www/html"
& File.notPresent "/var/www/html/index.html"
& "/var/www/index.html" `File.hasContent` ["hello, world"]
& alias "helloworld.kitenet.net"
-- ssh on some extra ports to deal with horrible networks -- ssh on some extra ports to deal with horrible networks
-- while travelling -- while travelling
& alias "travelling.kitenet.net" & alias "travelling.kitenet.net"
& Ssh.listenPort 80 ! Ssh.listenPort 80
& Ssh.listenPort 443 ! Ssh.listenPort 443
-- Orca is the main git-annex build box. orca :: Host
, standardSystem "orca.kitenet.net" Unstable "amd64" orca = standardSystem "orca.kitenet.net" Unstable "amd64"
[ "Main git-annex build box." ] [ "Main git-annex build box." ]
& ipv4 "138.38.108.179" & ipv4 "138.38.108.179"
@ -81,25 +98,27 @@ hosts = -- (o) `
-- This is not a complete description of kite, since it's a -- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed -- multiuser system with eg, user passwords that are not deployed
-- with propellor. -- with propellor.
, standardSystemUnhardened "kite.kitenet.net" Unstable "amd64" kite :: Host
kite = standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!" [ "Welcome to the new kitenet.net server!"
, "This is still under construction and not yet live.."
] ]
& ipv4 "66.228.36.95" & ipv4 "66.228.36.95"
& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2" & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
-- & alias "kitenet.net" -- not yet live! & alias "kitenet.net"
& alias "wren.kitenet.net" -- temporary
& Apt.installed ["linux-image-amd64"] & Apt.installed ["linux-image-amd64"]
& Linode.chainPVGrub 5 & Linode.chainPVGrub 5
& Apt.unattendedUpgrades & Apt.unattendedUpgrades
& Apt.installed ["systemd"] & Apt.installed ["systemd"]
& Ssh.hostKeys (Context "kitenet.net") & Ssh.hostKeys (Context "kitenet.net")
& Ssh.passwordAuthentication True
-- Since ssh password authentication is allowed: -- Since ssh password authentication is allowed:
& Apt.serviceInstalledRunning "fail2ban" & Apt.serviceInstalledRunning "fail2ban"
& Obnam.backup "/" "33 1 * * *" & Obnam.backup "/" "33 1 * * *"
[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam" [ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
, "--client-name=kitenet.net" , "--client-name=kitenet.net"
, "--encrypt-with=" , "--encrypt-with=98147487"
, "--exclude=/var/cache" , "--exclude=/var/cache"
, "--exclude=/var/tmp" , "--exclude=/var/tmp"
, "--exclude=/home/joey/lib" , "--exclude=/home/joey/lib"
@ -110,22 +129,40 @@ hosts = -- (o) `
`requires` Ssh.keyImported SshRsa "root" `requires` Ssh.keyImported SshRsa "root"
(Context "kite.kitenet.net") (Context "kite.kitenet.net")
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root" `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
& Apt.serviceInstalledRunning "ntp"
& "/etc/timezone" `File.hasContent` ["US/Eastern"]
-- & alias "smtp.kitenet.net" -- not yet live! & alias "smtp.kitenet.net"
-- & alias "imap.kitenet.net" -- not yet live! & alias "imap.kitenet.net"
-- & alias "mail.kitenet.net" -- not yet live! & alias "pop.kitenet.net"
& alias "mail.kitenet.net"
& JoeySites.kiteMailServer & JoeySites.kiteMailServer
& JoeySites.legacyWebSites & JoeySites.legacyWebSites
& alias "bitlbee.kitenet.net"
& Apt.serviceInstalledRunning "bitlbee"
& "/etc/bitlbee/bitlbee.conf" `File.hasContent`
[ "[settings]"
, "User = bitlbee"
, "AuthMode = Registered"
, "[defaults]"
]
`onChange` Service.restarted "bitlbee"
& "/etc/default/bitlbee" `File.containsLine` "BITLBEE_PORT=\"6767\""
`onChange` Service.restarted "bitlbee"
& Apt.installed & Apt.installed
["git-annex", "myrepos" ["git-annex", "myrepos"
, "build-essential", "make" , "build-essential", "make"
, "rss2email", "archivemail"
, "devscripts"
-- Some users have zsh as their login shell. -- Some users have zsh as their login shell.
, "zsh" , "zsh"
] ]
, standardSystem "diatom.kitenet.net" Stable "amd64" diatom :: Host
diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64"
[ "Important stuff that needs not too much memory or CPU." ] [ "Important stuff that needs not too much memory or CPU." ]
& ipv4 "107.170.31.195" & ipv4 "107.170.31.195"
@ -157,7 +194,6 @@ hosts = -- (o) `
`requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net") `requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net")
`requires` Ssh.knownHost hosts "usbackup.kitenet.net" "joey" `requires` Ssh.knownHost hosts "usbackup.kitenet.net" "joey"
& JoeySites.gitAnnexDistributor & JoeySites.gitAnnexDistributor
& alias "tmp.kitenet.net" & alias "tmp.kitenet.net"
& JoeySites.annexWebSite "/srv/git/joey/tmp.git" & JoeySites.annexWebSite "/srv/git/joey/tmp.git"
"tmp.kitenet.net" "tmp.kitenet.net"
@ -183,13 +219,12 @@ hosts = -- (o) `
& Dns.secondaryFor ["animx"] hosts "animx.eu.org" & Dns.secondaryFor ["animx"] hosts "animx.eu.org"
, let ctx = Context "elephant.kitenet.net" elephant :: Host
in standardSystem "elephant.kitenet.net" Unstable "amd64" elephant = standardSystem "elephant.kitenet.net" Unstable "amd64"
[ "Storage, big data, and backups, omnomnom!" [ "Storage, big data, and backups, omnomnom!"
, "(Encrypt all data stored here.)" , "(Encrypt all data stored here.)"
] ]
& ipv4 "193.234.225.114" & ipv4 "193.234.225.114"
& Grub.chainPVGrub "hd0,0" "xen/xvda1" 30 & Grub.chainPVGrub "hd0,0" "xen/xvda1" 30
& Postfix.satellite & Postfix.satellite
& Apt.unattendedUpgrades & Apt.unattendedUpgrades
@ -197,24 +232,20 @@ hosts = -- (o) `
& sshPubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=" & sshPubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0="
& Ssh.keyImported SshRsa "joey" ctx & Ssh.keyImported SshRsa "joey" ctx
& Apt.serviceInstalledRunning "swapspace" & Apt.serviceInstalledRunning "swapspace"
& alias "eubackup.kitenet.net" & alias "eubackup.kitenet.net"
& Apt.installed ["obnam", "sshfs", "rsync"] & Apt.installed ["obnam", "sshfs", "rsync"]
& JoeySites.obnamRepos ["wren", "pell", "kite"] & JoeySites.obnamRepos ["wren", "pell", "kite"]
& JoeySites.githubBackup & JoeySites.githubBackup
& JoeySites.rsyncNetBackup hosts & JoeySites.rsyncNetBackup hosts
& JoeySites.backupsBackedupTo hosts "usbackup.kitenet.net" "lib/backup/eubackup" & JoeySites.backupsBackedupTo hosts "usbackup.kitenet.net" "lib/backup/eubackup"
& alias "podcatcher.kitenet.net" & alias "podcatcher.kitenet.net"
& JoeySites.podcatcher & JoeySites.podcatcher
& alias "znc.kitenet.net" & alias "znc.kitenet.net"
& JoeySites.ircBouncer & JoeySites.ircBouncer
-- I'd rather this were on diatom, but it needs unstable. -- I'd rather this were on diatom, but it needs unstable.
& alias "kgb.kitenet.net" & alias "kgb.kitenet.net"
& JoeySites.kgbServer & JoeySites.kgbServer
& alias "mumble.kitenet.net" & alias "mumble.kitenet.net"
& JoeySites.mumbleServer hosts & JoeySites.mumbleServer hosts
@ -222,7 +253,6 @@ hosts = -- (o) `
& myDnsSecondary & myDnsSecondary
& Docker.configured & Docker.configured
& Docker.docked hosts "oldusenet-shellbox" & Docker.docked hosts "oldusenet-shellbox"
& Docker.docked hosts "openid-provider" & Docker.docked hosts "openid-provider"
`requires` Apt.serviceInstalledRunning "ntp" `requires` Apt.serviceInstalledRunning "ntp"
@ -238,6 +268,8 @@ hosts = -- (o) `
-- that port for ssh, for traveling on bad networks that -- that port for ssh, for traveling on bad networks that
-- block 22. -- block 22.
& Ssh.listenPort 80 & Ssh.listenPort 80
where
ctx = Context "elephant.kitenet.net"
--' __|II| ,. --' __|II| ,.
@ -247,30 +279,31 @@ hosts = -- (o) `
----------------------- : / ----------------------- ----------------------- : / -----------------------
------------------------ \____, o ,' ------------------------ ------------------------ \____, o ,' ------------------------
------------------------- '--,___________,' ------------------------- ------------------------- '--,___________,' -------------------------
containers :: [Host]
containers =
-- Simple web server, publishing the outside host's /var/www -- Simple web server, publishing the outside host's /var/www
, standardContainer "webserver" Stable "amd64" [ standardStableContainer "webserver"
& Docker.publish "8080:80" & Docker.publish "80:80"
& Docker.volume "/var/www:/var/www" & Docker.volume "/var/www:/var/www"
& Apt.serviceInstalledRunning "apache2" & Apt.serviceInstalledRunning "apache2"
-- My own openid provider. Uses php, so containerized for security -- My own openid provider. Uses php, so containerized for security
-- and administrative sanity. -- and administrative sanity.
, standardContainer "openid-provider" Stable "amd64" , standardStableContainer "openid-provider"
& alias "openid.kitenet.net" & alias "openid.kitenet.net"
& Docker.publish "8081:80" & Docker.publish "8081:80"
& OpenId.providerFor ["joey", "liw"] & OpenId.providerFor ["joey", "liw"]
"openid.kitenet.net:8081" "openid.kitenet.net:8081"
-- Exhibit: kite's 90's website. -- Exhibit: kite's 90's website.
, standardContainer "ancient-kitenet" Stable "amd64" , standardStableContainer "ancient-kitenet"
& alias "ancient.kitenet.net" & alias "ancient.kitenet.net"
& Docker.publish "1994:80" & Docker.publish "1994:80"
& Apt.serviceInstalledRunning "apache2" & Apt.serviceInstalledRunning "apache2"
& Git.cloned "root" "git://kitenet-net.branchable.com/" "/var/www" & Git.cloned "root" "git://kitenet-net.branchable.com/" "/var/www"
(Just "remotes/origin/old-kitenet.net") (Just "remotes/origin/old-kitenet.net")
, standardContainer "oldusenet-shellbox" Stable "amd64" , standardStableContainer "oldusenet-shellbox"
& alias "shell.olduse.net" & alias "shell.olduse.net"
& Docker.publish "4200:4200" & Docker.publish "4200:4200"
& JoeySites.oldUseNetShellBox & JoeySites.oldUseNetShellBox
@ -287,7 +320,7 @@ hosts = -- (o) `
, let gitannexdir = GitAnnexBuilder.homedir </> "git-annex" , let gitannexdir = GitAnnexBuilder.homedir </> "git-annex"
in GitAnnexBuilder.androidContainer dockerImage "android-git-annex" doNothing gitannexdir in GitAnnexBuilder.androidContainer dockerImage "android-git-annex" doNothing gitannexdir
& Docker.volume ("/home/joey/src/git-annex:" ++ gitannexdir) & Docker.volume ("/home/joey/src/git-annex:" ++ gitannexdir)
] ++ monsters ]
type Motd = [String] type Motd = [String]
@ -321,6 +354,9 @@ standardSystemUnhardened hn suite arch motd = host hn
& Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"] & Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"]
`onChange` Apt.autoRemove `onChange` Apt.autoRemove
standardStableContainer :: Docker.ContainerName -> Host
standardStableContainer name = standardContainer name (Stable "wheezy") "amd64"
-- This is my standard container setup, featuring automatic upgrades. -- This is my standard container setup, featuring automatic upgrades.
standardContainer :: Docker.ContainerName -> DebianSuite -> Architecture -> Host standardContainer :: Docker.ContainerName -> DebianSuite -> Architecture -> Host
standardContainer name suite arch = Docker.container name (dockerImage system) standardContainer name suite arch = Docker.container name (dockerImage system)
@ -329,6 +365,7 @@ standardContainer name suite arch = Docker.container name (dockerImage system)
& Apt.installed ["systemd"] & Apt.installed ["systemd"]
& Apt.unattendedUpgrades & Apt.unattendedUpgrades
& Apt.cacheCleaned & Apt.cacheCleaned
& Docker.tweaked
where where
system = System (Debian suite) arch system = System (Debian suite) arch
@ -336,7 +373,7 @@ standardContainer name suite arch = Docker.container name (dockerImage system)
dockerImage :: System -> Docker.Image dockerImage :: System -> Docker.Image
dockerImage (System (Debian Unstable) arch) = "joeyh/debian-unstable-" ++ arch dockerImage (System (Debian Unstable) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Testing) arch) = "joeyh/debian-unstable-" ++ arch dockerImage (System (Debian Testing) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Stable) arch) = "joeyh/debian-stable-" ++ arch dockerImage (System (Debian (Stable _)) arch) = "joeyh/debian-stable-" ++ arch
dockerImage _ = "debian-stable-official" -- does not currently exist! dockerImage _ = "debian-stable-official" -- does not currently exist!
myDnsSecondary :: Property myDnsSecondary :: Property
@ -389,55 +426,8 @@ monsters = -- but do want to track their public keys etc.
& alias "backup.kitenet.net" & alias "backup.kitenet.net"
& alias "usbackup.kitenet.net" & alias "usbackup.kitenet.net"
& sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw=="
, host "wren.kitenet.net" , host "old.kitenet.net"
& ipv4 "80.68.85.49" & ipv4 "80.68.85.49"
& ipv6 "2001:41c8:125:49::10"
& alias "kitenet.net"
& alias "ns1.kitenet.net"
& alias "ftp.kitenet.net"
& alias "mail.kitenet.net"
& alias "smtp.kitenet.net"
& alias "bitlbee.kitenet.net"
{- Remaining services on kite:
-
- / = ready to go on kite.kitenet.net
-
- mail
- /postfix
- /postgrey
- mailman
- /spamassassin
- sqwebmail (cannot use this with dovecot, alternatives?)
- /imap server
- /pop server
- /apache
- bitlbee (EOL?)
- prosody (EOL?)
- ftpd (EOL)
-
- Pre-transition:
- - re-rsync /home (skip ~joey and .pine*)
- cd /home && rsync -4 --progress -avz root@wren.kitenet.net:/home/ ./ --exclude='.pine*' --exclude='joey/*' --delete
-
- Transition plan:
- - on darkstar: offlineimap run & disable cron job
- & move offlineimap files to tmp
- - take down wren pstfix, imap, pop servers
- - log all users out of wren
- - final /home rsync (skip ~joey and .pine*)
- - rsync /var/mail
- - rsync mailman and mailman list archives dirs
- - switch kitenet.net dns and enable pop.kitenet.net etc aliass
- - point wren.kitenet.net at kite.kitenet.net temporarily
- (make real-wren.kitenet.net alias)
- - reconfigure errol's email client to use new server
- - on darkstar: re-run offlinimap against new server
- - test mail
- - test virus filtering
- - test http://kitenet.net/~kyle/ (user home dirs)
- - test mailman
- - migrate user cron jobs
-}
, host "mouse.kitenet.net" , host "mouse.kitenet.net"
& ipv6 "2001:4830:1600:492::2" & ipv6 "2001:4830:1600:492::2"
, host "beaver.kitenet.net" , host "beaver.kitenet.net"

debian/changelog vendored

@ -1,9 +1,16 @@
propellor (0.8.4) UNRELEASED; urgency=medium propellor (0.9.0) UNRELEASED; urgency=medium
* Avoid encoding the current stable suite in propellor's code,
since that poses a difficult transition around the release,
and can easily be wrong if an older version of propellor is used.
Instead, the os property for a stable system includes the suite name
to use, eg Stable "wheezy".
* stdSourcesList uses the stable suite name, to avoid unwanted
immediate upgrades to the next stable release.
* debCdn switched from cdn.debian.net to http.debian.net, which seems to be * debCdn switched from cdn.debian.net to http.debian.net, which seems to be
better managed now. better managed now.
-- Joey Hess <joeyh@debian.org> Sat, 23 Aug 2014 13:18:46 -0700 -- Joey Hess <joeyh@debian.org> Fri, 10 Oct 2014 11:08:55 -0400
propellor (0.8.3) unstable; urgency=medium propellor (0.8.3) unstable; urgency=medium


@ -1,5 +1,5 @@
Name: propellor Name: propellor
Version: 0.8.3 Version: 0.9.0
Cabal-Version: >= 1.6 Cabal-Version: >= 1.6
License: BSD3 License: BSD3
Maintainer: Joey Hess <joey@kitenet.net> Maintainer: Joey Hess <joey@kitenet.net>


@ -237,6 +237,7 @@ spin hn hst = do
sendMarked toh marker s sendMarked toh marker s
return True return True
-- Initial git clone, used for bootstrapping.
sendGitClone :: HostName -> String -> IO () sendGitClone :: HostName -> String -> IO ()
sendGitClone hn url = void $ actionMessage ("Pushing git repository to " ++ hn) $ do sendGitClone hn url = void $ actionMessage ("Pushing git repository to " ++ hn) $ do
branch <- getCurrentBranch branch <- getCurrentBranch


@ -54,7 +54,7 @@ installed :: Property
installed = Apt.installed ["apache2"] installed = Apt.installed ["apache2"]
restarted :: Property restarted :: Property
restarted = cmdProperty "service" ["apache2", "restart"] restarted = Service.restarted "apache2"
reloaded :: Property reloaded :: Property
reloaded = Service.reloaded "apache2" reloaded = Service.reloaded "apache2"


@ -20,14 +20,14 @@ type Section = String
type SourcesGenerator = DebianSuite -> [Line] type SourcesGenerator = DebianSuite -> [Line]
showSuite :: DebianSuite -> String showSuite :: DebianSuite -> String
showSuite Stable = "stable" showSuite (Stable s) = s
showSuite Testing = "testing" showSuite Testing = "testing"
showSuite Unstable = "unstable" showSuite Unstable = "unstable"
showSuite Experimental = "experimental" showSuite Experimental = "experimental"
showSuite (DebianRelease r) = r
backportSuite :: String backportSuite :: DebianSuite -> Maybe String
backportSuite = showSuite stableRelease ++ "-backports" backportSuite (Stable s) = Just (s ++ "-backports")
backportSuite _ = Nothing
debLine :: String -> Url -> [Section] -> Line debLine :: String -> Url -> [Section] -> Line
debLine suite mirror sections = unwords $ debLine suite mirror sections = unwords $
@ -42,12 +42,17 @@ stdSections :: [Section]
stdSections = ["main", "contrib", "non-free"] stdSections = ["main", "contrib", "non-free"]
binandsrc :: String -> SourcesGenerator binandsrc :: String -> SourcesGenerator
binandsrc url suite binandsrc url suite = catMaybes
| isStable suite = [l, srcLine l, bl, srcLine bl] [ Just l
| otherwise = [l, srcLine l] , Just $ srcLine l
, bl
, srcLine <$> bl
]
where where
l = debLine (showSuite suite) url stdSections l = debLine (showSuite suite) url stdSections
bl = debLine backportSuite url stdSections bl = do
bs <- backportSuite suite
return $ debLine bs url stdSections
debCdn :: SourcesGenerator debCdn :: SourcesGenerator
debCdn = binandsrc "http://http.debian.net/debian" debCdn = binandsrc "http://http.debian.net/debian"
@ -128,13 +133,14 @@ installed' params ps = robustly $ check (isInstallable ps) go
installedBackport :: [Package] -> Property installedBackport :: [Package] -> Property
installedBackport ps = trivial $ withOS desc $ \o -> case o of installedBackport ps = trivial $ withOS desc $ \o -> case o of
Nothing -> error "cannot install backports; os not declared" Nothing -> error "cannot install backports; os not declared"
(Just (System (Debian suite) _)) (Just (System (Debian suite) _)) -> case backportSuite suite of
| isStable suite -> Nothing -> notsupported o
ensureProperty $ runApt $ Just bs -> ensureProperty $ runApt $
["install", "-t", backportSuite, "-y"] ++ ps ["install", "-t", bs, "-y"] ++ ps
_ -> error $ "backports not supported on " ++ show o _ -> notsupported o
where where
desc = (unwords $ "apt installed backport":ps) desc = (unwords $ "apt installed backport":ps)
notsupported o = error $ "backports not supported on " ++ show o
-- | Minimal install of package, without recommends. -- | Minimal install of package, without recommends.
installedMin :: [Package] -> Property installedMin :: [Package] -> Property
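Review bot: Style: the new `bl` in `binandsrc` is a `do { bs <- m; return (f bs) }` over Maybe, which reads more directly as `bl = (\bs -> debLine bs url stdSections) <$> backportSuite suite`. Separately, `showSuite (Stable s) = s` now passes a free-form release string straight into sources.list lines, so a haddock line on `showSuite` or `backportSuite` stating the expected form (a codename such as `"wheezy"`, as the changelog says) would help callers; the `DebianSuite` definition is outside this file section, so I cannot tell whether it documents that already.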


@ -13,6 +13,7 @@ module Propellor.Property.Docker (
docked, docked,
memoryLimited, memoryLimited,
garbageCollected, garbageCollected,
tweaked,
Image, Image,
ContainerName, ContainerName,
-- * Container configuration -- * Container configuration
@ -176,6 +177,16 @@ garbageCollected = propertyList "docker garbage collected"
gcimages = property "docker images garbage collected" $ do gcimages = property "docker images garbage collected" $ do
liftIO $ report <$> (mapM removeImage =<< listImages) liftIO $ report <$> (mapM removeImage =<< listImages)
-- | Tweaks a container to work well with docker.
--
-- Currently, this consists of making pam_loginuid lines optional in
-- the pam config, to work around https://github.com/docker/docker/issues/5663
-- which affects docker 1.2.0.
tweaked :: Property
tweaked = trivial $
cmdProperty "sh" ["-c", "sed -ri 's/^session\\s+required\\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/*"]
`describe` "tweaked for docker"
-- | Configures the kernel to respect docker memory limits. -- | Configures the kernel to respect docker memory limits.
-- --
-- This assumes the system boots using grub 2. And that you don't need any -- This assumes the system boots using grub 2. And that you don't need any
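Review bot: `tweaked` rewrites every file matched by `/etc/pam.d/*`, not just the services the linked docker issue concerns, and making `pam_loginuid` optional means a session's audit loginuid is no longer guaranteed for any PAM login inside the container, which audit tooling relies on for attribution; the haddock should state that scope, e.g. `-- Note: this touches every PAM service in the container and makes the audit loginuid best-effort.`. The `.` in `pam_loginuid.so` is unescaped in the extended regex, so it matches slightly more than intended; `pam_loginuid\\.so` in the Haskell literal pins it. Wrapping the property in `trivial` also hides whether sed changed anything, which is fine if deliberate but worth a word in the comment.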


@ -105,12 +105,12 @@ installed = Apt.installed ["obnam"]
latestVersion :: Property latestVersion :: Property
latestVersion = withOS "obnam latest version" $ \o -> case o of latestVersion = withOS "obnam latest version" $ \o -> case o of
(Just (System (Debian suite) _)) | isStable suite -> ensureProperty $ (Just (System (Debian suite) _)) | isStable suite -> ensureProperty $
Apt.setSourcesListD stablesources "obnam" Apt.setSourcesListD (stablesources suite) "obnam"
`requires` toProp (Apt.trustsKey key) `requires` toProp (Apt.trustsKey key)
_ -> noChange _ -> noChange
where where
stablesources = stablesources suite =
[ "deb http://code.liw.fi/debian " ++ Apt.showSuite stableRelease ++ " main" [ "deb http://code.liw.fi/debian " ++ Apt.showSuite suite ++ " main"
] ]
-- gpg key used by the code.liw.fi repository. -- gpg key used by the code.liw.fi repository.
key = Apt.AptKey "obnam" $ unlines key = Apt.AptKey "obnam" $ unlines


@ -98,6 +98,7 @@ standardAutoBuilderContainer dockerImage arch buildminute timeout = Docker.conta
& tree arch & tree arch
& buildDepsApt & buildDepsApt
& autobuilder arch (show buildminute ++ " * * * *") timeout & autobuilder arch (show buildminute ++ " * * * *") timeout
& Docker.tweaked
androidAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host androidAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host
androidAutoBuilderContainer dockerImage crontimes timeout = androidAutoBuilderContainer dockerImage crontimes timeout =
@ -108,8 +109,8 @@ androidAutoBuilderContainer dockerImage crontimes timeout =
-- Android is cross-built in a Debian i386 container, using the Android NDK. -- Android is cross-built in a Debian i386 container, using the Android NDK.
androidContainer :: (System -> Docker.Image) -> Docker.ContainerName -> Property -> FilePath -> Host androidContainer :: (System -> Docker.Image) -> Docker.ContainerName -> Property -> FilePath -> Host
androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.container name androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.container name
(dockerImage $ System (Debian Stable) "i386") (dockerImage osver)
& os (System (Debian Stable) "i386") & os osver
& Apt.stdSourcesList & Apt.stdSourcesList
& Apt.installed ["systemd"] & Apt.installed ["systemd"]
& User.accountFor builduser & User.accountFor builduser
@ -118,6 +119,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
& buildDepsNoHaskellLibs & buildDepsNoHaskellLibs
& flagFile chrootsetup ("/chrootsetup") & flagFile chrootsetup ("/chrootsetup")
`requires` setupgitannexdir `requires` setupgitannexdir
& Docker.tweaked
-- TODO: automate installing haskell libs -- TODO: automate installing haskell libs
-- (Currently have to run -- (Currently have to run
-- git-annex/standalone/android/install-haskell-packages -- git-annex/standalone/android/install-haskell-packages
@ -129,6 +131,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
chrootsetup = scriptProperty chrootsetup = scriptProperty
[ "cd " ++ gitannexdir ++ " && ./standalone/android/buildchroot-inchroot" [ "cd " ++ gitannexdir ++ " && ./standalone/android/buildchroot-inchroot"
] ]
osver = System (Debian (Stable "wheezy")) "i386"
-- armel builder has a companion container using amd64 that -- armel builder has a companion container using amd64 that
-- runs the build first to get TH splices. They need -- runs the build first to get TH splices. They need
@ -139,7 +142,6 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder-
& os (System (Debian Testing) "amd64") & os (System (Debian Testing) "amd64")
& Apt.stdSourcesList & Apt.stdSourcesList
& Apt.installed ["systemd"] & Apt.installed ["systemd"]
& Apt.unattendedUpgrades
-- This volume is shared with the armel builder. -- This volume is shared with the armel builder.
& Docker.volume gitbuilderdir & Docker.volume gitbuilderdir
& User.accountFor builduser & User.accountFor builduser
@ -151,13 +153,13 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder-
& Docker.expose "22" & Docker.expose "22"
& Apt.serviceInstalledRunning "ssh" & Apt.serviceInstalledRunning "ssh"
& Ssh.authorizedKeys builduser (Context "armel-git-annex-builder") & Ssh.authorizedKeys builduser (Context "armel-git-annex-builder")
& Docker.tweaked
armelAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host armelAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host
armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "armel-git-annex-builder" armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "armel-git-annex-builder"
(dockerImage $ System (Debian Unstable) "armel") (dockerImage $ System (Debian Unstable) "armel")
& os (System (Debian Testing) "armel") & os (System (Debian Testing) "armel")
& Apt.stdSourcesList & Apt.stdSourcesList
& Apt.unattendedUpgrades
& Apt.installed ["systemd"] & Apt.installed ["systemd"]
& Apt.installed ["openssh-client"] & Apt.installed ["openssh-client"]
& Docker.link "armel-git-annex-builder-companion" "companion" & Docker.link "armel-git-annex-builder-companion" "companion"
@ -172,6 +174,7 @@ armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "arme
`requires` tree "armel" `requires` tree "armel"
& Ssh.keyImported SshRsa builduser (Context "armel-git-annex-builder") & Ssh.keyImported SshRsa builduser (Context "armel-git-annex-builder")
& trivial writecompanionaddress & trivial writecompanionaddress
& Docker.tweaked
where where
writecompanionaddress = scriptProperty writecompanionaddress = scriptProperty
[ "echo \"$COMPANION_PORT_22_TCP_ADDR\" > " ++ homedir </> "companion_address" [ "echo \"$COMPANION_PORT_22_TCP_ADDR\" > " ++ homedir </> "companion_address"


@ -70,7 +70,10 @@ oldUseNetServer hosts = propertyList ("olduse.net server")
datadir = "/var/spool/oldusenet" datadir = "/var/spool/oldusenet"
oldUseNetShellBox :: Property oldUseNetShellBox :: Property
oldUseNetShellBox = oldUseNetInstalled "oldusenet" oldUseNetShellBox = propertyList "olduse.net shellbox"
[ oldUseNetInstalled "oldusenet"
, Service.running "oldusenet"
]
oldUseNetInstalled :: Apt.Package -> Property oldUseNetInstalled :: Apt.Package -> Property
oldUseNetInstalled pkg = check (not <$> Apt.isInstalled pkg) $ oldUseNetInstalled pkg = check (not <$> Apt.isInstalled pkg) $
@ -452,8 +455,16 @@ kiteMailServer = propertyList "kitenet.net mail server"
] ]
`onChange` Postfix.reloaded `onChange` Postfix.reloaded
`describe` "postfix mydomain file configured" `describe` "postfix mydomain file configured"
, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine` , "/etc/postfix/obscure_client_relay.pcre" `File.hasContent`
"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE" -- Remove received lines for mails relayed from trusted
-- clients. These can be a privacy vilation, or trigger
-- spam filters.
[ "/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
-- Munge local Received line for postfix running on a
-- trusted client that relays through. These can trigger
-- spam filters.
, "/^Received: by ([^.]+)\\.kitenet\\.net.*/ REPLACE Received: by kitenet.net"
]
`onChange` Postfix.reloaded `onChange` Postfix.reloaded
`describe` "postfix obscure_client_relay file configured" `describe` "postfix obscure_client_relay file configured"
, Postfix.mappedFile "/etc/postfix/virtual" , Postfix.mappedFile "/etc/postfix/virtual"
@ -482,7 +493,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "header_checks = pcre:$config_directory/obscure_client_relay.pcre" , "header_checks = pcre:$config_directory/obscure_client_relay.pcre"
, "# Enable postgrey." , "# Enable postgrey."
, "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023" , "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
, "# Enable spamass-milter and amavis-milter." , "# Enable spamass-milter and amavis-milter."
, "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock" , "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock"
@ -541,10 +552,13 @@ kiteMailServer = propertyList "kitenet.net mail server"
`onChange` (pinescript `File.mode` `onChange` (pinescript `File.mode`
combineModes (readModes ++ executeModes)) combineModes (readModes ++ executeModes))
`describe` "pine wrapper script" `describe` "pine wrapper script"
, "/etc/pine.conf" `File.containsLines` , "/etc/pine.conf" `File.hasContent`
[ "inbox-path={localhost/novalidate-cert}inbox" [ "# deployed with propellor"
, "inbox-path={localhost/novalidate-cert/NoRsh}inbox"
] ]
`describe` "pine configured to use local imap server" `describe` "pine configured to use local imap server"
, Apt.serviceInstalledRunning "mailman"
] ]
where where
ctx = Context "kitenet.net" ctx = Context "kitenet.net"
@ -705,8 +719,8 @@ legacyWebSites = propertyList "legacy web sites"
] ]
, alias "joey.kitenet.net" , alias "joey.kitenet.net"
, toProp $ Apache.siteEnabled "joey.kitenet.net" $ apachecfg "joey.kitenet.net" False , toProp $ Apache.siteEnabled "joey.kitenet.net" $ apachecfg "joey.kitenet.net" False
[ "DocumentRoot /home/joey/html" [ "DocumentRoot /var/www"
, "<Directory /home/joey/html/>" , "<Directory /var/www/>"
, " Options Indexes ExecCGI" , " Options Indexes ExecCGI"
, " AllowOverride None" , " AllowOverride None"
, Apache.allowAll , Apache.allowAll


@ -3,7 +3,7 @@ module Propellor.Property.Ssh (
permitRootLogin, permitRootLogin,
passwordAuthentication, passwordAuthentication,
hasAuthorizedKeys, hasAuthorizedKeys,
restartSshd, restarted,
randomHostKeys, randomHostKeys,
hostKeys, hostKeys,
hostKey, hostKey,
@ -15,6 +15,7 @@ module Propellor.Property.Ssh (
import Propellor import Propellor
import qualified Propellor.Property.File as File import qualified Propellor.Property.File as File
import qualified Propellor.Property.Service as Service
import Propellor.Property.User import Propellor.Property.User
import Utility.SafeCommand import Utility.SafeCommand
import Utility.FileMode import Utility.FileMode
@ -33,7 +34,7 @@ setSshdConfig setting allowed = combineProperties "sshd config"
[ sshdConfig `File.lacksLine` (sshline $ not allowed) [ sshdConfig `File.lacksLine` (sshline $ not allowed)
, sshdConfig `File.containsLine` (sshline allowed) , sshdConfig `File.containsLine` (sshline allowed)
] ]
`onChange` restartSshd `onChange` restarted
`describe` unwords [ "ssh config:", setting, sshBool allowed ] `describe` unwords [ "ssh config:", setting, sshBool allowed ]
where where
sshline v = setting ++ " " ++ sshBool v sshline v = setting ++ " " ++ sshBool v
@ -59,15 +60,15 @@ hasAuthorizedKeys = go <=< dotFile "authorized_keys"
where where
go f = not . null <$> catchDefaultIO "" (readFile f) go f = not . null <$> catchDefaultIO "" (readFile f)
restartSshd :: Property restarted :: Property
restartSshd = cmdProperty "service" ["ssh", "restart"] restarted = Service.restarted "ssh"
-- | Blows away existing host keys and make new ones. -- | Blows away existing host keys and make new ones.
-- Useful for systems installed from an image that might reuse host keys. -- Useful for systems installed from an image that might reuse host keys.
-- A flag file is used to only ever do this once. -- A flag file is used to only ever do this once.
randomHostKeys :: Property randomHostKeys :: Property
randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys" randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys"
`onChange` restartSshd `onChange` restarted
where where
prop = property "ssh random host keys" $ do prop = property "ssh random host keys" $ do
void $ liftIO $ boolSystem "sh" void $ liftIO $ boolSystem "sh"
@ -91,7 +92,7 @@ hostKey keytype context = combineProperties desc
[ installkey (SshPubKey keytype "") (install writeFile ".pub") [ installkey (SshPubKey keytype "") (install writeFile ".pub")
, installkey (SshPrivKey keytype "") (install writeFileProtected "") , installkey (SshPrivKey keytype "") (install writeFileProtected "")
] ]
`onChange` restartSshd `onChange` restarted
where where
desc = "known ssh host key (" ++ fromKeyType keytype ++ ")" desc = "known ssh host key (" ++ fromKeyType keytype ++ ")"
installkey p a = withPrivData p context $ \getkey -> installkey p a = withPrivData p context $ \getkey ->
@ -176,7 +177,7 @@ listenPort port = RevertableProperty enable disable
portline = "Port " ++ show port portline = "Port " ++ show port
enable = sshdConfig `File.containsLine` portline enable = sshdConfig `File.containsLine` portline
`describe` ("ssh listening on " ++ portline) `describe` ("ssh listening on " ++ portline)
`onChange` restartSshd `onChange` restarted
disable = sshdConfig `File.lacksLine` portline disable = sshdConfig `File.lacksLine` portline
`describe` ("ssh not listening on " ++ portline) `describe` ("ssh not listening on " ++ portline)
`onChange` restartSshd `onChange` restarted
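Review bot: Renaming the exported `restartSshd` to `restarted` (export list in the first hunk of this section, definition in the `@ -59,15 +60,15 @@` hunk) is an API break for any config that still calls `Ssh.restartSshd`; the same rename happens in Propellor.Property.Tor, where `restartTor` disappears from a module that has no export list. A deprecated alias keeps existing configs building: `restartSshd :: Property`, `restartSshd = restarted`, `{-# DEPRECATED restartSshd "use Ssh.restarted" #-}`. The new `restarted` also has no Haddock; `-- | Restarts sshd so that sshd_config changes take effect.` would say why every sshd-config property in this module hooks it with `onChange`.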


@ -3,6 +3,7 @@ module Propellor.Property.Tor where
import Propellor import Propellor
import qualified Propellor.Property.File as File import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Service as Service
isBridge :: Property isBridge :: Property
isBridge = setup `requires` Apt.installed ["tor"] isBridge = setup `requires` Apt.installed ["tor"]
@ -13,7 +14,7 @@ isBridge = setup `requires` Apt.installed ["tor"]
, "ORPort 443" , "ORPort 443"
, "BridgeRelay 1" , "BridgeRelay 1"
, "Exitpolicy reject *:*" , "Exitpolicy reject *:*"
] `onChange` restartTor ] `onChange` restarted
restartTor :: Property restarted :: Property
restartTor = cmdProperty "service" ["tor", "restart"] restarted = Service.restarted "tor"


@ -13,15 +13,14 @@ data Distribution
| Ubuntu Release | Ubuntu Release
deriving (Show, Eq) deriving (Show, Eq)
data DebianSuite = Experimental | Unstable | Testing | Stable | DebianRelease Release -- | Debian has several rolling suites, and a number of stable releases,
-- such as Stable "wheezy".
data DebianSuite = Experimental | Unstable | Testing | Stable Release
deriving (Show, Eq) deriving (Show, Eq)
-- | The release that currently corresponds to stable.
stableRelease :: DebianSuite
stableRelease = DebianRelease "wheezy"
isStable :: DebianSuite -> Bool isStable :: DebianSuite -> Bool
isStable s = s == Stable || s == stableRelease isStable (Stable _) = True
isStable _ = False
type Release = String type Release = String
type Architecture = String type Architecture = String
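Review bot: `isStable` gets no Haddock in this hunk while the neighbouring `DebianSuite` now does, and because `Release` stays a bare `String` alias the new `Stable Release` constructor accepts any text, so nothing rejects `Stable "sid"` or a misspelled release name. A one-line comment would make the intent explicit: `-- | Only a specific stable release counts as stable; the rolling suites never do.` If the file continues past this hunk, any remaining uses of the old nullary `Stable`, or of the removed `DebianRelease` and `stableRelease`, would also need updating, though none are visible here.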