Merge branch 'joeyconfig'
This commit is contained in:
commit
2fab1a08b4
2
LICENSE
2
LICENSE
|
@ -1,4 +1,4 @@
|
||||||
Copyright 2014 Joey Hess <joeyh@debian.org> and contributors.
|
Copyright 2014 Joey Hess <id@joeyh.name> and contributors.
|
||||||
|
|
||||||
Redistribution and use in source and binary forms, with or without
|
Redistribution and use in source and binary forms, with or without
|
||||||
modification, are permitted provided that the following conditions
|
modification, are permitted provided that the following conditions
|
||||||
|
|
|
@ -23,6 +23,7 @@ import qualified Propellor.Property.Apache as Apache
|
||||||
import qualified Propellor.Property.Postfix as Postfix
|
import qualified Propellor.Property.Postfix as Postfix
|
||||||
import qualified Propellor.Property.Grub as Grub
|
import qualified Propellor.Property.Grub as Grub
|
||||||
import qualified Propellor.Property.Obnam as Obnam
|
import qualified Propellor.Property.Obnam as Obnam
|
||||||
|
import qualified Propellor.Property.Gpg as Gpg
|
||||||
import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
|
import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
|
||||||
import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
|
import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
|
||||||
import qualified Propellor.Property.HostingProvider.Linode as Linode
|
import qualified Propellor.Property.HostingProvider.Linode as Linode
|
||||||
|
@ -122,7 +123,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
|
||||||
, "--exclude=/home/joey/lib"
|
, "--exclude=/home/joey/lib"
|
||||||
, "--exclude=.*/tmp/"
|
, "--exclude=.*/tmp/"
|
||||||
, "--one-file-system"
|
, "--one-file-system"
|
||||||
] Obnam.OnlyClient "98147487"
|
] Obnam.OnlyClient (Gpg.GpgKeyId "98147487")
|
||||||
`requires` Ssh.keyImported SshRsa "root"
|
`requires` Ssh.keyImported SshRsa "root"
|
||||||
(Context "kite.kitenet.net")
|
(Context "kite.kitenet.net")
|
||||||
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
|
`requires` Ssh.knownHost hosts "eubackup.kitenet.net" "root"
|
||||||
|
|
|
@ -4,6 +4,9 @@ propellor (0.9.3) UNRELEASED; urgency=medium
|
||||||
* Can be used to configure tor hidden services. Thanks, Félix Sipma.
|
* Can be used to configure tor hidden services. Thanks, Félix Sipma.
|
||||||
* When multiple gpg keys are added, ensure that the privdata file
|
* When multiple gpg keys are added, ensure that the privdata file
|
||||||
can be decrypted by all of them.
|
can be decrypted by all of them.
|
||||||
|
* Convert GpgKeyId to newtype.
|
||||||
|
* DigitalOcean.distroKernel property now reboots into the distribution
|
||||||
|
kernel when necessary.
|
||||||
|
|
||||||
-- Joey Hess <joeyh@debian.org> Mon, 10 Nov 2014 11:15:27 -0400
|
-- Joey Hess <joeyh@debian.org> Mon, 10 Nov 2014 11:15:27 -0400
|
||||||
|
|
||||||
|
|
|
@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
|
||||||
Source: native package
|
Source: native package
|
||||||
|
|
||||||
Files: *
|
Files: *
|
||||||
Copyright: © 2010-2014 Joey Hess <joey@kitenet.net>
|
Copyright: © 2010-2014 Joey Hess <id@joeyh.name>
|
||||||
License: BSD-2-clause
|
License: BSD-2-clause
|
||||||
|
|
||||||
License: BSD-2-clause
|
License: BSD-2-clause
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
Name: propellor
|
Name: propellor
|
||||||
Version: 0.9.2
|
Version: 0.9.3
|
||||||
Cabal-Version: >= 1.6
|
Cabal-Version: >= 1.6
|
||||||
License: BSD3
|
License: BSD3
|
||||||
Maintainer: Joey Hess <joey@kitenet.net>
|
Maintainer: Joey Hess <joey@kitenet.net>
|
||||||
|
|
|
@ -91,3 +91,6 @@ cloned owner url dir mbranch = check originurl (property desc checkout)
|
||||||
-- installed here.
|
-- installed here.
|
||||||
, Just "git update-server-info"
|
, Just "git update-server-info"
|
||||||
]
|
]
|
||||||
|
|
||||||
|
isGitDir :: FilePath -> IO Bool
|
||||||
|
isGitDir dir = isNothing <$> catchMaybeIO (readProcess "git" ["rev-parse", "--resolve-git-dir", dir])
|
||||||
|
|
|
@ -9,7 +9,8 @@ import System.PosixCompat
|
||||||
installed :: Property
|
installed :: Property
|
||||||
installed = Apt.installed ["gnupg"]
|
installed = Apt.installed ["gnupg"]
|
||||||
|
|
||||||
type GpgKeyId = String
|
-- A numeric id, or a description of the key, in a form understood by gpg.
|
||||||
|
newtype GpgKeyId = GpgKeyId { getGpgKeyId :: String }
|
||||||
|
|
||||||
-- | Sets up a user with a gpg key from the privdata.
|
-- | Sets up a user with a gpg key from the privdata.
|
||||||
--
|
--
|
||||||
|
@ -19,11 +20,8 @@ type GpgKeyId = String
|
||||||
--
|
--
|
||||||
-- Recommend only using this for low-value dedicated role keys.
|
-- Recommend only using this for low-value dedicated role keys.
|
||||||
-- No attempt has been made to scrub the key out of memory once it's used.
|
-- No attempt has been made to scrub the key out of memory once it's used.
|
||||||
--
|
|
||||||
-- The GpgKeyId does not have to be a numeric id; it can just as easily
|
|
||||||
-- be a description of the key.
|
|
||||||
keyImported :: GpgKeyId -> UserName -> Property
|
keyImported :: GpgKeyId -> UserName -> Property
|
||||||
keyImported keyid user = flagFile' prop genflag
|
keyImported (GpgKeyId keyid) user = flagFile' prop genflag
|
||||||
`requires` installed
|
`requires` installed
|
||||||
where
|
where
|
||||||
desc = user ++ " has gpg key " ++ show keyid
|
desc = user ++ " has gpg key " ++ show keyid
|
||||||
|
|
|
@ -1,21 +1,50 @@
|
||||||
module Propellor.Property.HostingProvider.DigitalOcean where
|
module Propellor.Property.HostingProvider.DigitalOcean (
|
||||||
|
distroKernel
|
||||||
|
) where
|
||||||
|
|
||||||
import Propellor
|
import Propellor
|
||||||
import qualified Propellor.Property.Apt as Apt
|
import qualified Propellor.Property.Apt as Apt
|
||||||
import qualified Propellor.Property.File as File
|
import qualified Propellor.Property.File as File
|
||||||
|
|
||||||
|
import Data.List
|
||||||
|
|
||||||
-- Digital Ocean does not provide any way to boot
|
-- Digital Ocean does not provide any way to boot
|
||||||
-- the kernel provided by the distribution, except using kexec.
|
-- the kernel provided by the distribution, except using kexec.
|
||||||
-- Without this, some old, and perhaps insecure kernel will be used.
|
-- Without this, some old, and perhaps insecure kernel will be used.
|
||||||
--
|
--
|
||||||
-- Note that this only causes the new kernel to be loaded on reboot.
|
-- This property causes the distro kernel to be loaded on reboot, using kexec.
|
||||||
-- If the power is cycled, the old kernel still boots up.
|
--
|
||||||
-- TODO: detect this and reboot immediately?
|
-- If the power is cycled, the non-distro kernel still boots up.
|
||||||
|
-- So, this property also checks if the running kernel is present in /boot,
|
||||||
|
-- and if not, reboots immediately into a distro kernel.
|
||||||
distroKernel :: Property
|
distroKernel :: Property
|
||||||
distroKernel = propertyList "digital ocean distro kernel hack"
|
distroKernel = propertyList "digital ocean distro kernel hack"
|
||||||
[ Apt.installed ["grub-pc", "kexec-tools"]
|
[ Apt.installed ["grub-pc", "kexec-tools", "file"]
|
||||||
, "/etc/default/kexec" `File.containsLines`
|
, "/etc/default/kexec" `File.containsLines`
|
||||||
[ "LOAD_KEXEC=true"
|
[ "LOAD_KEXEC=true"
|
||||||
, "USE_GRUB_CONFIG=true"
|
, "USE_GRUB_CONFIG=true"
|
||||||
] `describe` "kexec configured"
|
] `describe` "kexec configured"
|
||||||
|
, check (not <$> runningInstalledKernel)
|
||||||
|
(cmdProperty "reboot" [])
|
||||||
|
`describe` "running installed kernel"
|
||||||
]
|
]
|
||||||
|
|
||||||
|
runningInstalledKernel :: IO Bool
|
||||||
|
runningInstalledKernel = do
|
||||||
|
kernelver <- takeWhile (/= '\n') <$> readProcess "uname" ["-r"]
|
||||||
|
when (null kernelver) $
|
||||||
|
error "failed to read uname -r"
|
||||||
|
kernelimages <- concat <$> mapM kernelsIn ["/", "/boot/"]
|
||||||
|
when (null kernelimages) $
|
||||||
|
error "failed to find any installed kernel images"
|
||||||
|
findVersion kernelver <$>
|
||||||
|
readProcess "file" ("-L" : kernelimages)
|
||||||
|
|
||||||
|
-- File output looks something like this, we want to unambiguously
|
||||||
|
-- match the running kernel version:
|
||||||
|
-- Linux kernel x86 boot executable bzImage, version 3.16-3-amd64 (debian-kernel@lists.debian.org) #1 SMP Debian 3.1, RO-rootFS, swap_dev 0x2, Normal VGA
|
||||||
|
findVersion :: String -> String -> Bool
|
||||||
|
findVersion ver s = (" version " ++ ver ++ " ") `isInfixOf` s
|
||||||
|
|
||||||
|
kernelsIn :: FilePath -> IO [FilePath]
|
||||||
|
kernelsIn d = filter ("vmlinu" `isInfixOf`) <$> dirContents d
|
||||||
|
|
|
@ -48,8 +48,10 @@ backup dir crontimes params numclients =
|
||||||
-- into root's keyring using Propellor.Property.Gpg.keyImported
|
-- into root's keyring using Propellor.Property.Gpg.keyImported
|
||||||
backupEncrypted :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property
|
backupEncrypted :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property
|
||||||
backupEncrypted dir crontimes params numclients keyid =
|
backupEncrypted dir crontimes params numclients keyid =
|
||||||
backup dir crontimes (("--encrypt-with=" ++ keyid):params) numclients
|
backup dir crontimes params' numclients
|
||||||
`requires` Gpg.keyImported keyid "root"
|
`requires` Gpg.keyImported keyid "root"
|
||||||
|
where
|
||||||
|
params' = ("--encrypt-with=" ++ Gpg.getGpgKeyId keyid) : params
|
||||||
|
|
||||||
-- | Does a backup, but does not automatically restore.
|
-- | Does a backup, but does not automatically restore.
|
||||||
backup' :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property
|
backup' :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property
|
||||||
|
|
|
@ -144,9 +144,8 @@ gitServer hosts = propertyList "git.kitenet.net setup"
|
||||||
[ Obnam.latestVersion
|
[ Obnam.latestVersion
|
||||||
, Obnam.backupEncrypted "/srv/git" "33 3 * * *"
|
, Obnam.backupEncrypted "/srv/git" "33 3 * * *"
|
||||||
[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
|
[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
|
||||||
, "--encrypt-with=1B169BE1"
|
|
||||||
, "--client-name=wren" -- historical
|
, "--client-name=wren" -- historical
|
||||||
] Obnam.OnlyClient "1B169BE1"
|
] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1")
|
||||||
`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
|
`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
|
||||||
`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
|
`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root"
|
||||||
`requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
|
`requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net")
|
||||||
|
@ -283,7 +282,7 @@ gitAnnexDistributor = combineProperties "git-annex distributor, including rsync
|
||||||
, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild"
|
, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild"
|
||||||
, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild/x86_64-apple-mavericks"
|
, endpoint "/srv/web/downloads.kitenet.net/git-annex/autobuild/x86_64-apple-mavericks"
|
||||||
-- git-annex distribution signing key
|
-- git-annex distribution signing key
|
||||||
, Gpg.keyImported "89C809CB" "joey"
|
, Gpg.keyImported (Gpg.GpgKeyId "89C809CB") "joey"
|
||||||
]
|
]
|
||||||
where
|
where
|
||||||
endpoint d = combineProperties ("endpoint " ++ d)
|
endpoint d = combineProperties ("endpoint " ++ d)
|
||||||
|
|
Loading…
Reference in New Issue