Merge branch 'joeyconfig'

Conflicts:
	debian/changelog
	privdata/privdata.gpg
Joey Hess 2014-10-10 11:36:47 -04:00
commit 07f745ef9c
20 changed files with 337 additions and 304 deletions


@ -1,4 +1,5 @@
-- This is the live config file used by propellor's author.
-- https://propellor.branchable.com/
module Main where
import Propellor
@ -7,6 +8,7 @@ import Propellor.Property.Scheduled
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network
import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Cron as Cron
@ -36,14 +38,24 @@ main = defaultMain hosts -- / \___-=O`/|O`/__| (____.'
Deployed -} -- `/-==__ _/__|/__=-| ( \_
hosts :: [Host] -- * \ | | '--------'
hosts = -- (o) `
[ host "darkstar.kitenet.net"
[ darkstar
, clam
, orca
, kite
, diatom
, elephant
] ++ containers ++ monsters
darkstar :: Host
darkstar = host "darkstar.kitenet.net"
& ipv6 "2001:4830:1600:187::2" -- sixxs tunnel
& Apt.buildDep ["git-annex"] `period` Daily
& Docker.configured
! Docker.docked hosts "android-git-annex"
, standardSystem "clam.kitenet.net" Unstable "amd64"
clam :: Host
clam = standardSystem "clam.kitenet.net" Unstable "amd64"
[ "Unreliable server. Anything here may be lost at any time!" ]
& ipv4 "162.248.9.29"
@ -55,15 +67,20 @@ hosts = -- (o) `
& Docker.configured
& Docker.garbageCollected `period` Daily
& Docker.docked hosts "webserver"
& File.dirExists "/var/www/html"
& File.notPresent "/var/www/html/index.html"
& "/var/www/index.html" `File.hasContent` ["hello, world"]
& alias "helloworld.kitenet.net"
-- ssh on some extra ports to deal with horrible networks
-- while travelling
& alias "travelling.kitenet.net"
& Ssh.listenPort 80
& Ssh.listenPort 443
! Ssh.listenPort 80
! Ssh.listenPort 443
-- Orca is the main git-annex build box.
, standardSystem "orca.kitenet.net" Unstable "amd64"
orca :: Host
orca = standardSystem "orca.kitenet.net" Unstable "amd64"
[ "Main git-annex build box." ]
& ipv4 "138.38.108.179"
@ -78,28 +95,30 @@ hosts = -- (o) `
& Docker.garbageCollected `period` Daily
& Apt.buildDep ["git-annex"] `period` Daily
-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
, standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
kite :: Host
kite = standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!"
, "This is still under construction and not yet live.."
]
& ipv4 "66.228.36.95"
& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
-- & alias "kitenet.net" -- not yet live!
& alias "kitenet.net"
& alias "wren.kitenet.net" -- temporary
& Apt.installed ["linux-image-amd64"]
& Linode.chainPVGrub 5
& Apt.unattendedUpgrades
& Apt.installed ["systemd"]
& Ssh.hostKeys (Context "kitenet.net")
& Ssh.passwordAuthentication True
-- Since ssh password authentication is allowed:
& Apt.serviceInstalledRunning "fail2ban"
& Obnam.backup "/" "33 1 * * *"
[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
, "--client-name=kitenet.net"
, "--encrypt-with="
, "--encrypt-with=98147487"
, "--exclude=/var/cache"
, "--exclude=/var/tmp"
, "--exclude=/home/joey/lib"
@ -110,22 +129,40 @@ hosts = -- (o) `
`requires` Ssh.keyImported SshRsa "root"
(Context "kite.kitenet.net")
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
& Apt.serviceInstalledRunning "ntp"
& "/etc/timezone" `File.hasContent` ["US/Eastern"]
-- & alias "smtp.kitenet.net" -- not yet live!
-- & alias "imap.kitenet.net" -- not yet live!
-- & alias "mail.kitenet.net" -- not yet live!
& alias "smtp.kitenet.net"
& alias "imap.kitenet.net"
& alias "pop.kitenet.net"
& alias "mail.kitenet.net"
& JoeySites.kiteMailServer
& JoeySites.legacyWebSites
& alias "bitlbee.kitenet.net"
& Apt.serviceInstalledRunning "bitlbee"
& "/etc/bitlbee/bitlbee.conf" `File.hasContent`
[ "[settings]"
, "User = bitlbee"
, "AuthMode = Registered"
, "[defaults]"
]
`onChange` Service.restarted "bitlbee"
& "/etc/default/bitlbee" `File.containsLine` "BITLBEE_PORT=\"6767\""
`onChange` Service.restarted "bitlbee"
& Apt.installed
["git-annex", "myrepos"
, "build-essential", "make"
, "rss2email", "archivemail"
, "devscripts"
-- Some users have zsh as their login shell.
, "zsh"
]
, standardSystem "diatom.kitenet.net" Stable "amd64"
diatom :: Host
diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64"
[ "Important stuff that needs not too much memory or CPU." ]
& ipv4 "107.170.31.195"
@ -157,7 +194,6 @@ hosts = -- (o) `
`requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net")
`requires` Ssh.knownHost hosts "usbackup.kitenet.net" "joey"
& JoeySites.gitAnnexDistributor
& alias "tmp.kitenet.net"
& JoeySites.annexWebSite "/srv/git/joey/tmp.git"
"tmp.kitenet.net"
@ -183,13 +219,12 @@ hosts = -- (o) `
& Dns.secondaryFor ["animx"] hosts "animx.eu.org"
, let ctx = Context "elephant.kitenet.net"
in standardSystem "elephant.kitenet.net" Unstable "amd64"
elephant :: Host
elephant = standardSystem "elephant.kitenet.net" Unstable "amd64"
[ "Storage, big data, and backups, omnomnom!"
, "(Encrypt all data stored here.)"
]
& ipv4 "193.234.225.114"
& Grub.chainPVGrub "hd0,0" "xen/xvda1" 30
& Postfix.satellite
& Apt.unattendedUpgrades
@ -197,24 +232,20 @@ hosts = -- (o) `
& sshPubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0="
& Ssh.keyImported SshRsa "joey" ctx
& Apt.serviceInstalledRunning "swapspace"
& alias "eubackup.kitenet.net"
& Apt.installed ["obnam", "sshfs", "rsync"]
& JoeySites.obnamRepos ["wren", "pell", "kite"]
& JoeySites.githubBackup
& JoeySites.rsyncNetBackup hosts
& JoeySites.backupsBackedupTo hosts "usbackup.kitenet.net" "lib/backup/eubackup"
& alias "podcatcher.kitenet.net"
& JoeySites.podcatcher
& alias "znc.kitenet.net"
& JoeySites.ircBouncer
-- I'd rather this were on diatom, but it needs unstable.
& alias "kgb.kitenet.net"
& JoeySites.kgbServer
& alias "mumble.kitenet.net"
& JoeySites.mumbleServer hosts
@ -222,7 +253,6 @@ hosts = -- (o) `
& myDnsSecondary
& Docker.configured
& Docker.docked hosts "oldusenet-shellbox"
& Docker.docked hosts "openid-provider"
`requires` Apt.serviceInstalledRunning "ntp"
@ -238,6 +268,8 @@ hosts = -- (o) `
-- that port for ssh, for traveling on bad networks that
-- block 22.
& Ssh.listenPort 80
where
ctx = Context "elephant.kitenet.net"
--' __|II| ,.
@ -247,30 +279,31 @@ hosts = -- (o) `
----------------------- : / -----------------------
------------------------ \____, o ,' ------------------------
------------------------- '--,___________,' -------------------------
containers :: [Host]
containers =
-- Simple web server, publishing the outside host's /var/www
, standardContainer "webserver" Stable "amd64"
& Docker.publish "8080:80"
[ standardStableContainer "webserver"
& Docker.publish "80:80"
& Docker.volume "/var/www:/var/www"
& Apt.serviceInstalledRunning "apache2"
-- My own openid provider. Uses php, so containerized for security
-- and administrative sanity.
, standardContainer "openid-provider" Stable "amd64"
, standardStableContainer "openid-provider"
& alias "openid.kitenet.net"
& Docker.publish "8081:80"
& OpenId.providerFor ["joey", "liw"]
"openid.kitenet.net:8081"
-- Exhibit: kite's 90's website.
, standardContainer "ancient-kitenet" Stable "amd64"
, standardStableContainer "ancient-kitenet"
& alias "ancient.kitenet.net"
& Docker.publish "1994:80"
& Apt.serviceInstalledRunning "apache2"
& Git.cloned "root" "git://kitenet-net.branchable.com/" "/var/www"
(Just "remotes/origin/old-kitenet.net")
, standardContainer "oldusenet-shellbox" Stable "amd64"
, standardStableContainer "oldusenet-shellbox"
& alias "shell.olduse.net"
& Docker.publish "4200:4200"
& JoeySites.oldUseNetShellBox
@ -287,7 +320,7 @@ hosts = -- (o) `
, let gitannexdir = GitAnnexBuilder.homedir </> "git-annex"
in GitAnnexBuilder.androidContainer dockerImage "android-git-annex" doNothing gitannexdir
& Docker.volume ("/home/joey/src/git-annex:" ++ gitannexdir)
] ++ monsters
]
type Motd = [String]
@ -321,6 +354,9 @@ standardSystemUnhardened hn suite arch motd = host hn
& Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"]
`onChange` Apt.autoRemove
standardStableContainer :: Docker.ContainerName -> Host
standardStableContainer name = standardContainer name (Stable "wheezy") "amd64"
-- This is my standard container setup, featuring automatic upgrades.
standardContainer :: Docker.ContainerName -> DebianSuite -> Architecture -> Host
standardContainer name suite arch = Docker.container name (dockerImage system)
@ -329,6 +365,7 @@ standardContainer name suite arch = Docker.container name (dockerImage system)
& Apt.installed ["systemd"]
& Apt.unattendedUpgrades
& Apt.cacheCleaned
& Docker.tweaked
where
system = System (Debian suite) arch
@ -336,7 +373,7 @@ standardContainer name suite arch = Docker.container name (dockerImage system)
dockerImage :: System -> Docker.Image
dockerImage (System (Debian Unstable) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Testing) arch) = "joeyh/debian-unstable-" ++ arch
dockerImage (System (Debian Stable) arch) = "joeyh/debian-stable-" ++ arch
dockerImage (System (Debian (Stable _)) arch) = "joeyh/debian-stable-" ++ arch
dockerImage _ = "debian-stable-official" -- does not currently exist!
myDnsSecondary :: Property
@ -389,55 +426,8 @@ monsters = -- but do want to track their public keys etc.
& alias "backup.kitenet.net"
& alias "usbackup.kitenet.net"
& sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw=="
, host "wren.kitenet.net"
, host "old.kitenet.net"
& ipv4 "80.68.85.49"
& ipv6 "2001:41c8:125:49::10"
& alias "kitenet.net"
& alias "ns1.kitenet.net"
& alias "ftp.kitenet.net"
& alias "mail.kitenet.net"
& alias "smtp.kitenet.net"
& alias "bitlbee.kitenet.net"
{- Remaining services on kite:
-
- / = ready to go on kite.kitenet.net
-
- mail
- /postfix
- /postgrey
- mailman
- /spamassassin
- sqwebmail (cannot use this with dovecot, alternatives?)
- /imap server
- /pop server
- /apache
- bitlbee (EOL?)
- prosody (EOL?)
- ftpd (EOL)
-
- Pre-transition:
- - re-rsync /home (skip ~joey and .pine*)
- cd /home && rsync -4 --progress -avz root@wren.kitenet.net:/home/ ./ --exclude='.pine*' --exclude='joey/*' --delete
-
- Transition plan:
- - on darkstar: offlineimap run & disable cron job
- & move offlineimap files to tmp
- - take down wren pstfix, imap, pop servers
- - log all users out of wren
- - final /home rsync (skip ~joey and .pine*)
- - rsync /var/mail
- - rsync mailman and mailman list archives dirs
- - switch kitenet.net dns and enable pop.kitenet.net etc aliass
- - point wren.kitenet.net at kite.kitenet.net temporarily
- (make real-wren.kitenet.net alias)
- - reconfigure errol's email client to use new server
- - on darkstar: re-run offlinimap against new server
- - test mail
- - test virus filtering
- - test http://kitenet.net/~kyle/ (user home dirs)
- - test mailman
- - migrate user cron jobs
-}
, host "mouse.kitenet.net"
& ipv6 "2001:4830:1600:492::2"
, host "beaver.kitenet.net"
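Review bot: The new `--encrypt-with=98147487` in kite's `Obnam.backup` selects the backup encryption key by a 32-bit short key ID, which is not collision-resistant; if obnam passes this value straight to gpg (as its name suggests), the full fingerprint works in the same place and is the safer selector. A short comment on that line naming which key it is would also help the next reader, e.g. `-- backup encryption key; prefer the full fingerprint over a short id`. This hunk also moves `kitenet.net` and the mail aliases onto kite, whose `Ssh.passwordAuthentication True` now faces the live hostname; fail2ban is already declared right after it, but a comment stating that password auth is deliberate for the multiuser system would keep that from looking accidental. The `kite` definition continues outside the hunk.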

debian/changelog vendored

@ -1,9 +1,16 @@
propellor (0.8.4) UNRELEASED; urgency=medium
propellor (0.9.0) UNRELEASED; urgency=medium
* Avoid encoding the current stable suite in propellor's code,
since that poses a difficult transition around the release,
and can easily be wrong if an older version of propellor is used.
Instead, the os property for a stable system includes the suite name
to use, eg Stable "wheezy".
* stdSourcesList uses the stable suite name, to avoid unwanted
immediate upgrades to the next stable release.
* debCdn switched from cdn.debian.net to http.debian.net, which seems to be
better managed now.
-- Joey Hess <joeyh@debian.org> Sat, 23 Aug 2014 13:18:46 -0700
-- Joey Hess <joeyh@debian.org> Fri, 10 Oct 2014 11:08:55 -0400
propellor (0.8.3) unstable; urgency=medium


@ -1,5 +1,5 @@
Name: propellor
Version: 0.8.3
Version: 0.9.0
Cabal-Version: >= 1.6
License: BSD3
Maintainer: Joey Hess <joey@kitenet.net>


@ -237,6 +237,7 @@ spin hn hst = do
sendMarked toh marker s
return True
-- Initial git clone, used for bootstrapping.
sendGitClone :: HostName -> String -> IO ()
sendGitClone hn url = void $ actionMessage ("Pushing git repository to " ++ hn) $ do
branch <- getCurrentBranch


@ -54,7 +54,7 @@ installed :: Property
installed = Apt.installed ["apache2"]
restarted :: Property
restarted = cmdProperty "service" ["apache2", "restart"]
restarted = Service.restarted "apache2"
reloaded :: Property
reloaded = Service.reloaded "apache2"


@ -20,14 +20,14 @@ type Section = String
type SourcesGenerator = DebianSuite -> [Line]
showSuite :: DebianSuite -> String
showSuite Stable = "stable"
showSuite (Stable s) = s
showSuite Testing = "testing"
showSuite Unstable = "unstable"
showSuite Experimental = "experimental"
showSuite (DebianRelease r) = r
backportSuite :: String
backportSuite = showSuite stableRelease ++ "-backports"
backportSuite :: DebianSuite -> Maybe String
backportSuite (Stable s) = Just (s ++ "-backports")
backportSuite _ = Nothing
debLine :: String -> Url -> [Section] -> Line
debLine suite mirror sections = unwords $
@ -42,12 +42,17 @@ stdSections :: [Section]
stdSections = ["main", "contrib", "non-free"]
binandsrc :: String -> SourcesGenerator
binandsrc url suite
| isStable suite = [l, srcLine l, bl, srcLine bl]
| otherwise = [l, srcLine l]
binandsrc url suite = catMaybes
[ Just l
, Just $ srcLine l
, bl
, srcLine <$> bl
]
where
l = debLine (showSuite suite) url stdSections
bl = debLine backportSuite url stdSections
bl = do
bs <- backportSuite suite
return $ debLine bs url stdSections
debCdn :: SourcesGenerator
debCdn = binandsrc "http://http.debian.net/debian"
@ -128,13 +133,14 @@ installed' params ps = robustly $ check (isInstallable ps) go
installedBackport :: [Package] -> Property
installedBackport ps = trivial $ withOS desc $ \o -> case o of
Nothing -> error "cannot install backports; os not declared"
(Just (System (Debian suite) _))
| isStable suite ->
ensureProperty $ runApt $
["install", "-t", backportSuite, "-y"] ++ ps
_ -> error $ "backports not supported on " ++ show o
(Just (System (Debian suite) _)) -> case backportSuite suite of
Nothing -> notsupported o
Just bs -> ensureProperty $ runApt $
["install", "-t", bs, "-y"] ++ ps
_ -> notsupported o
where
desc = (unwords $ "apt installed backport":ps)
notsupported o = error $ "backports not supported on " ++ show o
-- | Minimal install of package, without recommends.
installedMin :: [Package] -> Property
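Review bot: In `binandsrc`, the `bl` binding spells out a `do` block in the `Maybe` monad just to map over `backportSuite suite`; `bl = (\bs -> debLine bs url stdSections) <$> backportSuite suite` says the same thing in one line, and the `catMaybes` list of `Just`-wrapped values could then read `[l, srcLine l] ++ maybe [] (\b -> [b, srcLine b]) bl`, which makes the always-present lines visibly unconditional. Note that `showSuite (Stable s) = s` now writes a user-supplied string verbatim into the `deb` line via `debLine`, so a typo in the configured suite name shows up only as a failed apt update; a one-line haddock on `showSuite` saying the `Stable` release name is used unchanged would document that contract. The `backportSuite` change to `Maybe` is a clean fix for the former `stableRelease` coupling.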


@ -13,6 +13,7 @@ module Propellor.Property.Docker (
docked,
memoryLimited,
garbageCollected,
tweaked,
Image,
ContainerName,
-- * Container configuration
@ -176,6 +177,16 @@ garbageCollected = propertyList "docker garbage collected"
gcimages = property "docker images garbage collected" $ do
liftIO $ report <$> (mapM removeImage =<< listImages)
-- | Tweaks a container to work well with docker.
--
-- Currently, this consists of making pam_loginuid lines optional in
-- the pam config, to work around https://github.com/docker/docker/issues/5663
-- which affects docker 1.2.0.
tweaked :: Property
tweaked = trivial $
cmdProperty "sh" ["-c", "sed -ri 's/^session\\s+required\\s+pam_loginuid.so$/session optional pam_loginuid.so/' /etc/pam.d/*"]
`describe` "tweaked for docker"
-- | Configures the kernel to respect docker memory limits.
--
-- This assumes the system boots using grub 2. And that you don't need any
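Review bot: `tweaked` rewrites every file under `/etc/pam.d` with nothing tying it to a container, and wrapping it in `trivial` means a run never reports whether any line was changed; since pam_loginuid is the module the audit subsystem relies on to attribute a session to its login uid, applying this to a non-container host would make that module's failures silently ignored. The haddock should state the intended scope, e.g. `-- Only intended for docker containers; on a real host this relaxes pam_loginuid, which auditing depends on.` The sed pattern also matches only the exact `session required pam_loginuid.so` form, so lines carrying control flags or trailing whitespace are left as-is, which is presumably fine but worth a note. If `/etc/pam.d` is ever empty the unexpanded glob is passed to sed and the property fails, though that is unlikely in a Debian image.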


@ -105,12 +105,12 @@ installed = Apt.installed ["obnam"]
latestVersion :: Property
latestVersion = withOS "obnam latest version" $ \o -> case o of
(Just (System (Debian suite) _)) | isStable suite -> ensureProperty $
Apt.setSourcesListD stablesources "obnam"
Apt.setSourcesListD (stablesources suite) "obnam"
`requires` toProp (Apt.trustsKey key)
_ -> noChange
where
stablesources =
[ "deb http://code.liw.fi/debian " ++ Apt.showSuite stableRelease ++ " main"
stablesources suite =
[ "deb http://code.liw.fi/debian " ++ Apt.showSuite suite ++ " main"
]
-- gpg key used by the code.liw.fi repository.
key = Apt.AptKey "obnam" $ unlines


@ -98,6 +98,7 @@ standardAutoBuilderContainer dockerImage arch buildminute timeout = Docker.conta
& tree arch
& buildDepsApt
& autobuilder arch (show buildminute ++ " * * * *") timeout
& Docker.tweaked
androidAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host
androidAutoBuilderContainer dockerImage crontimes timeout =
@ -108,8 +109,8 @@ androidAutoBuilderContainer dockerImage crontimes timeout =
-- Android is cross-built in a Debian i386 container, using the Android NDK.
androidContainer :: (System -> Docker.Image) -> Docker.ContainerName -> Property -> FilePath -> Host
androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.container name
(dockerImage $ System (Debian Stable) "i386")
& os (System (Debian Stable) "i386")
(dockerImage osver)
& os osver
& Apt.stdSourcesList
& Apt.installed ["systemd"]
& User.accountFor builduser
@ -118,6 +119,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
& buildDepsNoHaskellLibs
& flagFile chrootsetup ("/chrootsetup")
`requires` setupgitannexdir
& Docker.tweaked
-- TODO: automate installing haskell libs
-- (Currently have to run
-- git-annex/standalone/android/install-haskell-packages
@ -129,6 +131,7 @@ androidContainer dockerImage name setupgitannexdir gitannexdir = Docker.containe
chrootsetup = scriptProperty
[ "cd " ++ gitannexdir ++ " && ./standalone/android/buildchroot-inchroot"
]
osver = System (Debian (Stable "wheezy")) "i386"
-- armel builder has a companion container using amd64 that
-- runs the build first to get TH splices. They need
@ -139,7 +142,6 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder-
& os (System (Debian Testing) "amd64")
& Apt.stdSourcesList
& Apt.installed ["systemd"]
& Apt.unattendedUpgrades
-- This volume is shared with the armel builder.
& Docker.volume gitbuilderdir
& User.accountFor builduser
@ -151,13 +153,13 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder-
& Docker.expose "22"
& Apt.serviceInstalledRunning "ssh"
& Ssh.authorizedKeys builduser (Context "armel-git-annex-builder")
& Docker.tweaked
armelAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Host
armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "armel-git-annex-builder"
(dockerImage $ System (Debian Unstable) "armel")
& os (System (Debian Testing) "armel")
& Apt.stdSourcesList
& Apt.unattendedUpgrades
& Apt.installed ["systemd"]
& Apt.installed ["openssh-client"]
& Docker.link "armel-git-annex-builder-companion" "companion"
@ -172,6 +174,7 @@ armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "arme
`requires` tree "armel"
& Ssh.keyImported SshRsa builduser (Context "armel-git-annex-builder")
& trivial writecompanionaddress
& Docker.tweaked
where
writecompanionaddress = scriptProperty
[ "echo \"$COMPANION_PORT_22_TCP_ADDR\" > " ++ homedir </> "companion_address"


@ -70,7 +70,10 @@ oldUseNetServer hosts = propertyList ("olduse.net server")
datadir = "/var/spool/oldusenet"
oldUseNetShellBox :: Property
oldUseNetShellBox = oldUseNetInstalled "oldusenet"
oldUseNetShellBox = propertyList "olduse.net shellbox"
[ oldUseNetInstalled "oldusenet"
, Service.running "oldusenet"
]
oldUseNetInstalled :: Apt.Package -> Property
oldUseNetInstalled pkg = check (not <$> Apt.isInstalled pkg) $
@ -452,8 +455,16 @@ kiteMailServer = propertyList "kitenet.net mail server"
]
`onChange` Postfix.reloaded
`describe` "postfix mydomain file configured"
, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
, "/etc/postfix/obscure_client_relay.pcre" `File.hasContent`
-- Remove received lines for mails relayed from trusted
-- clients. These can be a privacy vilation, or trigger
-- spam filters.
[ "/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
-- Munge local Received line for postfix running on a
-- trusted client that relays through. These can trigger
-- spam filters.
, "/^Received: by ([^.]+)\\.kitenet\\.net.*/ REPLACE Received: by kitenet.net"
]
`onChange` Postfix.reloaded
`describe` "postfix obscure_client_relay file configured"
, Postfix.mappedFile "/etc/postfix/virtual"
@ -482,7 +493,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "header_checks = pcre:$config_directory/obscure_client_relay.pcre"
, "# Enable postgrey."
, "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
, "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
, "# Enable spamass-milter and amavis-milter."
, "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock"
@ -541,10 +552,13 @@ kiteMailServer = propertyList "kitenet.net mail server"
`onChange` (pinescript `File.mode`
combineModes (readModes ++ executeModes))
`describe` "pine wrapper script"
, "/etc/pine.conf" `File.containsLines`
[ "inbox-path={localhost/novalidate-cert}inbox"
, "/etc/pine.conf" `File.hasContent`
[ "# deployed with propellor"
, "inbox-path={localhost/novalidate-cert/NoRsh}inbox"
]
`describe` "pine configured to use local imap server"
, Apt.serviceInstalledRunning "mailman"
]
where
ctx = Context "kitenet.net"
@ -705,8 +719,8 @@ legacyWebSites = propertyList "legacy web sites"
]
, alias "joey.kitenet.net"
, toProp $ Apache.siteEnabled "joey.kitenet.net" $ apachecfg "joey.kitenet.net" False
[ "DocumentRoot /home/joey/html"
, "<Directory /home/joey/html/>"
[ "DocumentRoot /var/www"
, "<Directory /var/www/>"
, " Options Indexes ExecCGI"
, " AllowOverride None"
, Apache.allowAll
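Review bot: Adding `permit_tls_clientcerts` at the front of `smtpd_recipient_restrictions` only does anything when `smtpd_tls_ask_ccert = yes` and a `relay_clientcerts` table listing trusted client fingerprints are also configured, and neither appears in this hunk; if they are set elsewhere in `kiteMailServer`, a comment on that line pointing at them would make the relay policy auditable in one place, and if they are not, the new restriction is a no-op and the `obscure_client_relay.pcre` rules still apply to any client that happens to match `.kitenet.net` in a Received header. Suggested comment: `-- relay for clients in relay_clientcerts; needs smtpd_tls_ask_ccert = yes`. `kiteMailServer` starts and ends outside the hunk.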


@ -3,7 +3,7 @@ module Propellor.Property.Ssh (
permitRootLogin,
passwordAuthentication,
hasAuthorizedKeys,
restartSshd,
restarted,
randomHostKeys,
hostKeys,
hostKey,
@ -15,6 +15,7 @@ module Propellor.Property.Ssh (
import Propellor
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Service as Service
import Propellor.Property.User
import Utility.SafeCommand
import Utility.FileMode
@ -33,7 +34,7 @@ setSshdConfig setting allowed = combineProperties "sshd config"
[ sshdConfig `File.lacksLine` (sshline $ not allowed)
, sshdConfig `File.containsLine` (sshline allowed)
]
`onChange` restartSshd
`onChange` restarted
`describe` unwords [ "ssh config:", setting, sshBool allowed ]
where
sshline v = setting ++ " " ++ sshBool v
@ -59,15 +60,15 @@ hasAuthorizedKeys = go <=< dotFile "authorized_keys"
where
go f = not . null <$> catchDefaultIO "" (readFile f)
restartSshd :: Property
restartSshd = cmdProperty "service" ["ssh", "restart"]
restarted :: Property
restarted = Service.restarted "ssh"
-- | Blows away existing host keys and make new ones.
-- Useful for systems installed from an image that might reuse host keys.
-- A flag file is used to only ever do this once.
randomHostKeys :: Property
randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys"
`onChange` restartSshd
`onChange` restarted
where
prop = property "ssh random host keys" $ do
void $ liftIO $ boolSystem "sh"
@ -91,7 +92,7 @@ hostKey keytype context = combineProperties desc
[ installkey (SshPubKey keytype "") (install writeFile ".pub")
, installkey (SshPrivKey keytype "") (install writeFileProtected "")
]
`onChange` restartSshd
`onChange` restarted
where
desc = "known ssh host key (" ++ fromKeyType keytype ++ ")"
installkey p a = withPrivData p context $ \getkey ->
@ -176,7 +177,7 @@ listenPort port = RevertableProperty enable disable
portline = "Port " ++ show port
enable = sshdConfig `File.containsLine` portline
`describe` ("ssh listening on " ++ portline)
`onChange` restartSshd
`onChange` restarted
disable = sshdConfig `File.lacksLine` portline
`describe` ("ssh not listening on " ++ portline)
`onChange` restartSshd
`onChange` restarted


@ -3,6 +3,7 @@ module Propellor.Property.Tor where
import Propellor
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Service as Service
isBridge :: Property
isBridge = setup `requires` Apt.installed ["tor"]
@ -13,7 +14,7 @@ isBridge = setup `requires` Apt.installed ["tor"]
, "ORPort 443"
, "BridgeRelay 1"
, "Exitpolicy reject *:*"
] `onChange` restartTor
] `onChange` restarted
restartTor :: Property
restartTor = cmdProperty "service" ["tor", "restart"]
restarted :: Property
restarted = Service.restarted "tor"


@ -13,15 +13,14 @@ data Distribution
| Ubuntu Release
deriving (Show, Eq)
data DebianSuite = Experimental | Unstable | Testing | Stable | DebianRelease Release
-- | Debian has several rolling suites, and a number of stable releases,
-- such as Stable "wheezy".
data DebianSuite = Experimental | Unstable | Testing | Stable Release
deriving (Show, Eq)
-- | The release that currently corresponds to stable.
stableRelease :: DebianSuite
stableRelease = DebianRelease "wheezy"
isStable :: DebianSuite -> Bool
isStable s = s == Stable || s == stableRelease
isStable (Stable _) = True
isStable _ = False
type Release = String
type Architecture = String
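Review bot: `Stable Release` now carries a bare `String` that `Apt.showSuite` returns unchanged and writes into sources.list lines and `apt-get -t` arguments, so nothing in the type stops a misspelled release name from reaching apt. The haddock on `DebianSuite` could say so: `-- The Stable release name is used verbatim in apt sources and -t arguments.` A `newtype Release` with a smart constructor would catch this at the type level, but that is a larger change than this commit needs.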