propellor spin

2015-01-04 16:54:43 -04:00 · 2015-01-04 16:54:43 -04:00 · 0af7629c98
parent a2bb647827
commit 0af7629c98
3 changed files with 64 additions and 34 deletions
--- a/config-joey.hs
+++ b/config-joey.hs
@ -151,6 +151,10 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
 	& Systemd.installed
 	& Systemd.persistentJournal
 	& Ssh.hostKeys (Context "kitenet.net")
 		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45")
 		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=")
 		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=")
 		]
 	& Ssh.passwordAuthentication True
 	-- Since ssh password authentication is allowed:
 	& Apt.serviceInstalledRunning "fail2ban"
@ -214,6 +218,9 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64"
 	& DigitalOcean.distroKernel
 	& Ssh.hostKeys hostContext
 		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45")
 		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=")
 		]
 	& Apt.unattendedUpgrades
 	& Apt.serviceInstalledRunning "ntp"
 	& Postfix.satellite
@ -278,7 +285,10 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64"
 	& Systemd.installed
 	& Systemd.persistentJournal
 	& Ssh.hostKeys hostContext
-	& Ssh.pubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0="
+		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBANxXGWac0Yz58akI3UbLkphAa8VPDCGswTS0CT3D5xWyL9OeArISAi/OKRIvxA4c+9XnWtNXS7nYVFDJmzzg8v3ZMx543AxXK82kXCfvTOc/nAlVz9YKJAA+FmCloxpmOGrdiTx1k36FE+uQgorslGW/QTxnOcO03fDZej/ppJifAAAAFQCnenyJIw6iJB1+zuF/1TSLT8UAeQAAAIEA1WDrI8rKnxnh2rGaQ0nk+lOcVMLEr7AxParnZjgC4wt2mm/BmkF/feI1Fjft2z4D+V1W7MJHOqshliuproxhFUNGgX9fTbstFJf66p7h7OLAlwK8ZkpRk/uV3h5cIUPel6aCwjL5M2gN6/yq+gcCTXeHLq9OPyUTmlN77SBL71UAAACBAJJiCHWxPAGooe7Vv3W7EIBbsDyf7b2kDH3bsIlo+XFcKIN6jysBu4kn9utjFlrlPeHUDzGQHe+DmSqTUQQ0JPCRGcAcuJL8XUqhJi6A6ye51M9hVt51cJMXmERx9TjLOP/adkEuxpv3Fj20FxRUr1HOmvRvewSHrJ1GeA1bjbYL")
 		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEQ7aNmRYyLKY7xHILQsyV/w0B3++D98vn5IvjHkDnitrUWjB+vPxlS7LYKLzN9Jx7Hb14R2lg7+wdgtFMxLZZukA8b0tqFpTdRFBvBYGh8IM8Id1iE/6io/NZl+hTQEDp0LJP+RljH1CLfz7J3qtc+v6NbfTP5cOgH104mWYoLWzJGaZ4p53jz6THRWnVXy5nPO3dSBr2f/SQgRuJQWHNIh0jicRGD8H2kzOQzilpo+Y46PWtkufl3Yu3UsP5UMAyLRIXwZ6nNRZqRiVWrX44hoNfDbooTdFobbHlqMl+y6291bOXaOA6PACk8B4IVcC89/gmc9Oe4EaDuszU5kD")
 		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=")
 		]
 	& Ssh.keyImported SshRsa "joey" hostContext
 	& Apt.serviceInstalledRunning "swapspace"
--- a/debian/changelog
+++ b/debian/changelog
@ -6,12 +6,13 @@ propellor (1.3.0) UNRELEASED; urgency=medium
    that docker exec doesn't enter a chroot.
  * Update intermediary propellor in --spin --via
  * Added support for DNSSEC.
  * Ssh.hostKey and Ssh.hostKeys no longer install public keys from
    the privdata. Instead, the public keys are included in the
    configuration. (API change)
  * Ssh.hostKeys now removes any host keys of types that the host is not
    configured to have.
  * sshPubKey is renamed to Ssh.pubKey, and has an added SshKeyType
    parameter. (API change)
  * Ssh.hostKey and Ssh.hostKeys no longer install public keys from
    the privdata. Instead, the public keys of a host should be set using
    Ssh.pubKey.
  * Ssh.hostKeys now also installs any available SshEd25519 keys.
  * Fix build with process 1.2.1.0.
 -- Joey Hess <id@joeyh.name>  Thu, 01 Jan 2015 13:27:23 -0400
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@ -6,9 +6,9 @@ module Propellor.Property.Ssh (
 	authorizedKey,
 	restarted,
 	randomHostKeys,
 	pubKey,
 	hostKeys,
 	hostKey,
 	pubKey,
 	keyImported,
 	knownHost,
 	authorizedKeys,
@ -25,6 +25,8 @@ import Utility.FileMode
 import System.PosixCompat
 import qualified Data.Map as M
 type PubKeyText = String
 sshBool :: Bool -> String
 sshBool True = "yes"
 sshBool False = "no"
@ -81,41 +83,43 @@ randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys"
 		ensureProperty $ scriptProperty 
 			[ "DPKG_MAINTSCRIPT_NAME=postinst DPKG_MAINTSCRIPT_PACKAGE=openssh-server /var/lib/dpkg/info/openssh-server.postinst configure" ]
-- | When a host has a well-known public host key, this can be used
+-- | Installs the specified list of ssh host keys.
-- to indicate what the key is. It does not cause the key to be installed.
+--
-pubKey :: SshKeyType -> String -> Property
+-- The corresponding private keys come from the privdata.
-pubKey t k = pureInfoProperty ("ssh pubkey known") $
+--
-	mempty { _sshPubKey = M.singleton t k }
+-- Any host keysthat are not in the list are removed from the host.
-
+hostKeys :: IsContext c => c -> [(SshKeyType, PubKeyText)] -> Property
-getPubKey :: Propellor (M.Map SshKeyType String)
+hostKeys ctx l = propertyList desc $ catMaybes $
-getPubKey = asks (_sshPubKey . hostInfo)
+	map (\(t, pub) -> Just $ hostKey ctx t pub) l ++ [cleanup]
-
+  where
-- | Installs all available types of ssh host keys.
+	desc = "ssh host keys configured " ++ typelist (map fst l)
-hostKeys :: IsContext c => c -> Property
+	typelist tl = "(" ++ unwords (map fromKeyType tl) ++ ")"
-hostKeys ctx = propertyList "known ssh host keys" $
+	alltypes = [minBound..maxBound]
-	map (flip hostKey ctx) [minBound..maxBound]
+	staletypes = filter (`notElem` alltypes) (map fst l)
 	removestale b = map (File.notPresent . flip keyFile b) staletypes
 	cleanup
 		| null staletypes = Nothing
 		| otherwise = Just $ property ("stale keys removed " ++ typelist staletypes) $
 			ensureProperty $
 				combineProperties desc (removestale True ++ removestale False)
 				`onChange` restarted
 -- | Installs a single ssh host key of a particular type.
 --
-- The private key comes from the privdata; 
+-- The public key is provided to this function;
-- the public key is set using 'pubKey'.
+-- the private key comes from the privdata; 
-hostKey :: IsContext c => SshKeyType -> c -> Property
+hostKey :: IsContext c => c -> SshKeyType -> PubKeyText -> Property
-hostKey keytype context = combineProperties desc
+hostKey context keytype pub = combineProperties desc
-	[ property desc $ do
+	[ pubKey keytype pub
-		v <- M.lookup keytype <$> getPubKey
+	, property desc $ install writeFile True pub
 		case v of
 			Just k -> install writeFile ".pub" k
 			Nothing -> do
 				warningMessage $ "Missing ssh pubKey " ++ show keytype
 				return FailedChange
 	, withPrivData (keysrc "" (SshPrivKey keytype "")) context $ \getkey ->
-		property desc $ getkey $ install writeFileProtected ""
+		property desc $ getkey $ install writeFileProtected False
 	]
 	`onChange` restarted
  where
-	desc = "known ssh host key (" ++ fromKeyType keytype ++ ")"
+	desc = "ssh host key configured (" ++ fromKeyType keytype ++ ")"
-	install writer ext key = do
+	install writer ispub key = do
-		let f = "/etc/ssh/ssh_host_" ++ fromKeyType keytype ++ "_key" ++ ext
+		let f = keyFile keytype ispub
 		s <- liftIO $ readFileStrict f
 		if s == key
 			then noChange
@ -123,6 +127,21 @@ hostKey keytype context = combineProperties desc
 	keysrc ext field = PrivDataSourceFileFromCommand field ("sshkey"++ext)
 		("ssh-keygen -t " ++ sshKeyTypeParam keytype ++ " -f sshkey")
 keyFile :: SshKeyType -> Bool -> FilePath
 keyFile keytype ispub = "/etc/ssh/ssh_host_" ++ fromKeyType keytype ++ "_key" ++ ext
  where
 	ext = if ispub then ".pub" else ""
 -- | Indicates the host key that is used by a Host, but does not actually
 -- configure the host to use it. Normally this does not need to be used;
 -- use 'hostKey' instead.
 pubKey :: SshKeyType -> PubKeyText -> Property
 pubKey t k = pureInfoProperty ("ssh pubkey known") $
 	mempty { _sshPubKey = M.singleton t k }
 getPubKey :: Propellor (M.Map SshKeyType String)
 getPubKey = asks (_sshPubKey . hostInfo)
 -- | Sets up a user with a ssh private key and public key pair from the
 -- PrivData.
 keyImported :: IsContext c => SshKeyType -> UserName -> c -> Property