Merge branch 'joeyconfig'

This commit is contained in:
Joey Hess 2014-11-17 17:02:47 -04:00
commit 2fab1a08b4
10 changed files with 53 additions and 18 deletions

View File

@ -1,4 +1,4 @@
Copyright 2014 Joey Hess <joeyh@debian.org> and contributors. Copyright 2014 Joey Hess <id@joeyh.name> and contributors.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions modification, are permitted provided that the following conditions

View File

@ -23,6 +23,7 @@ import qualified Propellor.Property.Apache as Apache
import qualified Propellor.Property.Postfix as Postfix import qualified Propellor.Property.Postfix as Postfix
import qualified Propellor.Property.Grub as Grub import qualified Propellor.Property.Grub as Grub
import qualified Propellor.Property.Obnam as Obnam import qualified Propellor.Property.Obnam as Obnam
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
import qualified Propellor.Property.HostingProvider.Linode as Linode import qualified Propellor.Property.HostingProvider.Linode as Linode
@ -122,7 +123,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
, "--exclude=/home/joey/lib" , "--exclude=/home/joey/lib"
, "--exclude=.*/tmp/" , "--exclude=.*/tmp/"
, "--one-file-system" , "--one-file-system"
] Obnam.OnlyClient "98147487" ] Obnam.OnlyClient (Gpg.GpgKeyId "98147487")
`requires` Ssh.keyImported SshRsa "root" `requires` Ssh.keyImported SshRsa "root"
(Context "kite.kitenet.net") (Context "kite.kitenet.net")
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root" `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"

3
debian/changelog vendored
View File

@ -4,6 +4,9 @@ propellor (0.9.3) UNRELEASED; urgency=medium
* Can be used to configure tor hidden services. Thanks, Félix Sipma. * Can be used to configure tor hidden services. Thanks, Félix Sipma.
* When multiple gpg keys are added, ensure that the privdata file * When multiple gpg keys are added, ensure that the privdata file
can be decrypted by all of them. can be decrypted by all of them.
* Convert GpgKeyId to newtype.
* DigitalOcean.distroKernel property now reboots into the distribution
kernel when necessary.
-- Joey Hess <joeyh@debian.org> Mon, 10 Nov 2014 11:15:27 -0400 -- Joey Hess <joeyh@debian.org> Mon, 10 Nov 2014 11:15:27 -0400

2
debian/copyright vendored
View File

@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: native package Source: native package
Files: * Files: *
Copyright: © 2010-2014 Joey Hess <joey@kitenet.net> Copyright: © 2010-2014 Joey Hess <id@joeyh.name>
License: BSD-2-clause License: BSD-2-clause
License: BSD-2-clause License: BSD-2-clause

View File

@ -1,5 +1,5 @@
Name: propellor Name: propellor
Version: 0.9.2 Version: 0.9.3
Cabal-Version: >= 1.6 Cabal-Version: >= 1.6
License: BSD3 License: BSD3
Maintainer: Joey Hess <joey@kitenet.net> Maintainer: Joey Hess <joey@kitenet.net>

View File

@ -91,3 +91,6 @@ cloned owner url dir mbranch = check originurl (property desc checkout)
-- installed here. -- installed here.
, Just "git update-server-info" , Just "git update-server-info"
] ]
isGitDir :: FilePath -> IO Bool
isGitDir dir = isNothing <$> catchMaybeIO (readProcess "git" ["rev-parse", "--resolve-git-dir", dir])

View File

@ -9,7 +9,8 @@ import System.PosixCompat
installed :: Property installed :: Property
installed = Apt.installed ["gnupg"] installed = Apt.installed ["gnupg"]
type GpgKeyId = String -- A numeric id, or a description of the key, in a form understood by gpg.
newtype GpgKeyId = GpgKeyId { getGpgKeyId :: String }
-- | Sets up a user with a gpg key from the privdata. -- | Sets up a user with a gpg key from the privdata.
-- --
@ -19,11 +20,8 @@ type GpgKeyId = String
-- --
-- Recommend only using this for low-value dedicated role keys. -- Recommend only using this for low-value dedicated role keys.
-- No attempt has been made to scrub the key out of memory once it's used. -- No attempt has been made to scrub the key out of memory once it's used.
--
-- The GpgKeyId does not have to be a numeric id; it can just as easily
-- be a description of the key.
keyImported :: GpgKeyId -> UserName -> Property keyImported :: GpgKeyId -> UserName -> Property
keyImported keyid user = flagFile' prop genflag keyImported (GpgKeyId keyid) user = flagFile' prop genflag
`requires` installed `requires` installed
where where
desc = user ++ " has gpg key " ++ show keyid desc = user ++ " has gpg key " ++ show keyid

View File

@ -1,21 +1,50 @@
module Propellor.Property.HostingProvider.DigitalOcean where module Propellor.Property.HostingProvider.DigitalOcean (
distroKernel
) where
import Propellor import Propellor
import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.File as File import qualified Propellor.Property.File as File
import Data.List
-- Digital Ocean does not provide any way to boot -- Digital Ocean does not provide any way to boot
-- the kernel provided by the distribution, except using kexec. -- the kernel provided by the distribution, except using kexec.
-- Without this, some old, and perhaps insecure kernel will be used. -- Without this, some old, and perhaps insecure kernel will be used.
-- --
-- Note that this only causes the new kernel to be loaded on reboot. -- This property causes the distro kernel to be loaded on reboot, using kexec.
-- If the power is cycled, the old kernel still boots up. --
-- TODO: detect this and reboot immediately? -- If the power is cycled, the non-distro kernel still boots up.
-- So, this property also checks if the running kernel is present in /boot,
-- and if not, reboots immediately into a distro kernel.
distroKernel :: Property distroKernel :: Property
distroKernel = propertyList "digital ocean distro kernel hack" distroKernel = propertyList "digital ocean distro kernel hack"
[ Apt.installed ["grub-pc", "kexec-tools"] [ Apt.installed ["grub-pc", "kexec-tools", "file"]
, "/etc/default/kexec" `File.containsLines` , "/etc/default/kexec" `File.containsLines`
[ "LOAD_KEXEC=true" [ "LOAD_KEXEC=true"
, "USE_GRUB_CONFIG=true" , "USE_GRUB_CONFIG=true"
] `describe` "kexec configured" ] `describe` "kexec configured"
, check (not <$> runningInstalledKernel)
(cmdProperty "reboot" [])
`describe` "running installed kernel"
] ]
runningInstalledKernel :: IO Bool
runningInstalledKernel = do
kernelver <- takeWhile (/= '\n') <$> readProcess "uname" ["-r"]
when (null kernelver) $
error "failed to read uname -r"
kernelimages <- concat <$> mapM kernelsIn ["/", "/boot/"]
when (null kernelimages) $
error "failed to find any installed kernel images"
findVersion kernelver <$>
readProcess "file" ("-L" : kernelimages)
-- File output looks something like this, we want to unambiguously
-- match the running kernel version:
-- Linux kernel x86 boot executable bzImage, version 3.16-3-amd64 (debian-kernel@lists.debian.org) #1 SMP Debian 3.1, RO-rootFS, swap_dev 0x2, Normal VGA
findVersion :: String -> String -> Bool
findVersion ver s = (" version " ++ ver ++ " ") `isInfixOf` s
kernelsIn :: FilePath -> IO [FilePath]
kernelsIn d = filter ("vmlinu" `isInfixOf`) <$> dirContents d

View File

@ -48,8 +48,10 @@ backup dir crontimes params numclients =
-- into root's keyring using Propellor.Property.Gpg.keyImported -- into root's keyring using Propellor.Property.Gpg.keyImported
backupEncrypted :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property backupEncrypted :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property
backupEncrypted dir crontimes params numclients keyid = backupEncrypted dir crontimes params numclients keyid =
backup dir crontimes (("--encrypt-with=" ++ keyid):params) numclients backup dir crontimes params' numclients
`requires` Gpg.keyImported keyid "root" `requires` Gpg.keyImported keyid "root"
where
params' = ("--encrypt-with=" ++ Gpg.getGpgKeyId keyid) : params
-- | Does a backup, but does not automatically restore. -- | Does a backup, but does not automatically restore.
backup' :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property backup' :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property

View File

@ -144,9 +144,8 @@ gitServer hosts = propertyList "git.kitenet.net setup"
[ Obnam.latestVersion [ Obnam.latestVersion
, Obnam.backupEncrypted "/srv/git" "33 3 * * *" , Obnam.backupEncrypted "/srv/git" "33 3 * * *"
[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
, "--encrypt-with=1B169BE1"
, "--client-name=wren" -- historical , "--client-name=wren" -- historical
] Obnam.OnlyClient "1B169BE1" ] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1")
`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net") `requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
`requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
@ -283,7 +282,7 @@ gitAnnexDistributor = combineProperties "git-annex distributor, including rsync
, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild" , endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild"
, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild/x86_64-apple-mavericks" , endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild/x86_64-apple-mavericks"
-- git-annex distribution signing key -- git-annex distribution signing key
, Gpg.keyImported "89C809CB" "joey" , Gpg.keyImported (Gpg.GpgKeyId "89C809CB") "joey"
] ]
where where
endpoint d = combineProperties ("endpoint " ++ d) endpoint d = combineProperties ("endpoint " ++ d)