Merge branch 'joeyconfig'

Conflicts: privdata.joey/privdata.gpg
2015-05-22 14:16:16 -04:00 · 2015-05-22 14:16:16 -04:00 · 53f2646c45
parent da4636eb28 e661aad6c4
commit 53f2646c45
8 changed files with 130 additions and 30 deletions
--- a/config-joey.hs
+++ b/config-joey.hs
@ -31,6 +31,7 @@ import qualified Propellor.Property.HostingProvider.Linode as Linode
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
 import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
 import qualified Propellor.Property.SiteSpecific.IABak as IABak
+import qualified Propellor.Property.SiteSpecific.Branchable as Branchable
 import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites


@ -47,6 +48,7 @@ hosts =                --                  (o)  `
 	, kite
 	, elephant
 	, beaver
+	, pell
 	, iabak
 	] ++ monsters

@ -311,6 +313,30 @@ beaver = host "beaver.kitenet.net"
 	& Cron.niceJob "system disk backed up" Cron.Weekly (User "root") "/"
 		"rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/"

+-- Branchable is not completely deployed with propellor yet.
+pell :: Host
+pell = host "pell.branchable.com"
+	& ipv4 "66.228.46.55"
+	& ipv6 "2600:3c03::f03c:91ff:fedf:c0e5"
+	
+	-- All the websites I host at branchable that don't use
+	-- branchable.com dns.
+	& alias "olduse.net"
+	& alias "www.olduse.net"
+	& alias "www.kitenet.net"
+	& alias "joeyh.name"
+	& alias "campaign.joeyh.name"
+	& alias "ikiwiki.info"
+	& alias "git.ikiwiki.info"
+	& alias "l10n.ikiwiki.info"
+	& alias "dist-bugs.kitenet.net"
+	& alias "family.kitenet.net"
+
+	& Apt.installed ["linux-image-amd64"]
+	& Linode.chainPVGrub 5
+	& Apt.unattendedUpgrades
+	& Branchable.server hosts
+
 iabak :: Host
 iabak = host "iabak.archiveteam.org"
 	& ipv4 "124.6.40.227"
@ -338,6 +364,7 @@ iabak = host "iabak.archiveteam.org"
 	& IABak.gitServer monsters
 	& IABak.registrationServer monsters
 	& IABak.graphiteServer
+	& IABak.publicFace
  where
 	admins = map User ["joey", "db48x"]

@ -491,19 +518,6 @@ monsters =            -- but do want to track their public keys etc.
 		& ipv6 "2001:4978:f:2d9::2"
 	, host "mouse.kitenet.net"
 		& ipv6 "2001:4830:1600:492::2"
-	, host "branchable.com"
-		& ipv4 "66.228.46.55"
-		& ipv6 "2600:3c03::f03c:91ff:fedf:c0e5"
-		& alias "olduse.net"
-		& alias "www.olduse.net"
-		& alias "www.kitenet.net"
-		& alias "joeyh.name"
-		& alias "campaign.joeyh.name"
-		& alias "ikiwiki.info"
-		& alias "git.ikiwiki.info"
-		& alias "l10n.ikiwiki.info"
-		& alias "dist-bugs.kitenet.net"
-		& alias "family.kitenet.net"
 	, host "animx"
 		& ipv4 "76.7.162.101"
 		& ipv4 "76.7.162.186"
--- a/propellor.cabal
+++ b/propellor.cabal
@ -110,6 +110,8 @@ Library
    Propellor.Property.SiteSpecific.GitHome
    Propellor.Property.SiteSpecific.JoeySites
    Propellor.Property.SiteSpecific.GitAnnexBuilder
+    Propellor.Property.SiteSpecific.Branchable
+    Propellor.Property.SiteSpecific.IABak
    Propellor.PropAccum
    Propellor.CmdLine
    Propellor.Info
--- a/src/Propellor/Property/Docker.hs
+++ b/src/Propellor/Property/Docker.hs
@ -1,4 +1,4 @@
-{-# LANGUAGE FlexibleContexts #-}
+{-# LANGUAGE FlexibleContexts, TypeSynonymInstances, FlexibleInstances #-}

 -- | Docker support for propellor
 --
@ -18,7 +18,8 @@ module Propellor.Property.Docker (
 	tweaked,
 	Image,
 	ContainerName,
-	Container(..),
+	Container,
+	HasImage(..),
 	-- * Container configuration
 	dns,
 	hostname,
@ -79,10 +80,16 @@ configured = prop `requires` installed
 type ContainerName = String

 -- | A docker container.
-data Container = Container
-	{ containerImage :: Image
-	, containerHost :: Host
-	}
+data Container = Container Image Host
+
+class HasImage a where
+	getImageName :: a -> Image
+
+instance HasImage Image where
+	getImageName = id
+
+instance HasImage Container where
+	getImageName (Container i _) = i

 instance PropAccum Container where
 	(Container i h) & p = Container i (h & p)
@ -142,19 +149,21 @@ docked ctr@(Container _ h) =
 			]

 -- | Build the image from a directory containing a Dockerfile.
-imageBuilt :: FilePath -> Image -> Property NoInfo
-imageBuilt directory image = describe built msg
+imageBuilt :: HasImage c => FilePath -> c -> Property NoInfo
+imageBuilt directory ctr = describe built msg
  where
 	msg = "docker image " ++ image ++ " built from " ++ directory
 	built = Cmd.cmdProperty' dockercmd ["build", "--tag", image, "./"] workDir
 	workDir p = p { cwd = Just directory }
+	image = getImageName ctr

 -- | Pull the image from the standard Docker Hub registry.
-imagePulled :: Image -> Property NoInfo
-imagePulled image = describe pulled msg
+imagePulled :: HasImage c => c -> Property NoInfo
+imagePulled ctr = describe pulled msg
  where
 	msg = "docker image " ++ image ++ " pulled"
 	pulled = Cmd.cmdProperty dockercmd ["pull", image]
+	image = getImageName ctr

 propigateContainerInfo :: (IsProp (Property i)) => Container -> Property i -> Property HasInfo
 propigateContainerInfo ctr@(Container _ h) p = propigateContainer ctr p'
--- a/src/Propellor/Property/HostingProvider/DigitalOcean.hs
+++ b/src/Propellor/Property/HostingProvider/DigitalOcean.hs
@ -9,7 +9,7 @@ import qualified Propellor.Property.Reboot as Reboot

 import Data.List

-- Digital Ocean does not provide any way to boot
+-- | Digital Ocean does not provide any way to boot
 -- the kernel provided by the distribution, except using kexec.
 -- Without this, some old, and perhaps insecure kernel will be used.
 --
@ -40,7 +40,7 @@ runningInstalledKernel = do
 	findVersion kernelver <$>
 		readProcess "file" ("-L" : kernelimages)

-- File output looks something like this, we want to unambiguously
+-- | File output looks something like this, we want to unambiguously
 -- match the running kernel version:
 --   Linux kernel x86 boot executable bzImage, version 3.16-3-amd64 (debian-kernel@lists.debian.org) #1 SMP Debian 3.1, RO-rootFS, swap_dev 0x2, Normal VGA
 findVersion :: String -> String -> Bool
--- a/src/Propellor/Property/HostingProvider/Linode.hs
+++ b/src/Propellor/Property/HostingProvider/Linode.hs
@ -6,7 +6,7 @@ import qualified Propellor.Property.File as File
 import Utility.FileMode

 -- | Linode's pv-grub-x86_64 does not currently support booting recent
-- Debian kernels compressed with xz. This sets up pv-grub chaing to enable
+-- Debian kernels compressed with xz. This sets up pv-grub chaining to enable
 -- it.
 chainPVGrub :: Grub.TimeoutSecs -> Property NoInfo
 chainPVGrub = Grub.chainPVGrub "hd0" "xen/xvda"
--- a/src/Propellor/Property/SiteSpecific/Branchable.hs
+++ b/src/Propellor/Property/SiteSpecific/Branchable.hs
@ -0,0 +1,66 @@
+module Propellor.Property.SiteSpecific.Branchable where
+
+import Propellor
+import qualified Propellor.Property.Apt as Apt
+import qualified Propellor.Property.File as File
+import qualified Propellor.Property.User as User
+import qualified Propellor.Property.Ssh as Ssh
+import qualified Propellor.Property.Postfix as Postfix
+import qualified Propellor.Property.Gpg as Gpg
+import qualified Propellor.Property.Sudo as Sudo
+
+server :: [Host] -> Property HasInfo
+server hosts = propertyList "branchable server" $ props
+	& "/etc/timezone" `File.hasContent` ["Etc/UTC"]
+	& "/etc/locale.gen" `File.containsLines`
+		[ "en_GB.UTF-8 UTF-8"
+		, "en_US.UTF-8 UTF-8"
+		, "fi_FI.UTF-8 UTF-8"
+		]
+		`onChange` cmdProperty "locale-gen" []
+
+	& Apt.installed ["etckeeper", "ssh", "popularity-contest"]
+	& Apt.serviceInstalledRunning "apache2"
+	& Apt.serviceInstalledRunning "ntp"
+
+	& Apt.serviceInstalledRunning "openssh-server"
+	& Ssh.passwordAuthentication False
+	& Ssh.hostKeys (Context "branchable.com")
+		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAK9HnfpyIm8aEhKuF5oz6KyaLwFs2oWeToVkqVuykyy5Y8jWDZPtkpv+1TeOnjcOvJSZ1cCqB8iXlsP9Dr5z98w5MfzsRQM2wIw0n+wvmpPmUhjVdGh+wTpfP9bcyFHhj/f1Ymdq9hEWB26bnf4pbTbJW2ip8ULshMvn5CQ/ugV3AAAAFQCAjpRd1fquRiIuLJMwej0VcyoZKQAAAIBe91Grvz/icL3nlqXYrifXyr9dsw8bPN+BMu+hQtFsQXNJBylxwf8FtbRlmvZXmRjdVYqFVyxSsrL2pMsWlds51iXOr9pdsPG5a4OgJyRHsveBz3tz6HgYYPcr3Oxp7C6G6wrzwsaGK862SgRp/bbD226k9dODRBy3ogMhk/MvAgAAAIEApfknql3vZbDVa88ZnwbNKDOv8L1hb6blbKAMt2vJbqJMvu3EP9CsP9hGyEQh5YCAl2F9KEU3bJXN1BG76b7CiYtWK95lpL1XmCCWnJBCcdEhw998GfJS424frPw7qGmXLxJKYxEyioB90/IDp2dC+WaLcLOYHM9SroCQTIK5A1g= root@pell")
+		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1M0aNLgcgcgf0tkmt/8vCDZLok8Xixz7Nun9wB6NqVXxfzAR4te+zyO7FucVwyTY5QHmiwwpmyNfaC21AAILhXGm12SUKSAirF9BkQk7bhQuz4T/dPlEt3d3SxQ3OZlXtPp4LzXWOyS0OXSzIb+HeaDA+hFXlQnp/gE7RyAzR1+xhWPO7Mz1q5O/+4dXANnW32t6P7Puob6NsglVDpLrMRYjkO+0RgCVbYMzB5+UnkthkZsIINaYwsNhW2GKMKbRZeyp5en5t1NJprGXdw0BqdBqd/rcBpOxmhHE1U7rw+GS1uZwCFWWv0aZbaXEJ6wY7mETFkqs0QXi5jtoKn95Gw== root@pell")
+		]
+
+	& Apt.installed ["procmail", "bsd-mailx"]
+	& "/etc/aliases" `File.hasPrivContentExposed` (Context "branchable.com")
+		`onChange` Postfix.newaliases
+	& "/etc/mailname" `File.hasContent` ["branchable.com"]
+	& Postfix.installed
+	& Postfix.mainCf ("mailbox_command", "procmail -a \"$EXTENSION\"")
+	
+	-- Obnam is run by a cron job in ikiwiki-hosting.
+	& "/etc/obnam.conf" `File.hasContent`
+		[ "[config]"
+		, "repository = sftp://joey@eubackup.kitenet.net/home/joey/lib/backup/pell.obnam"
+		, "log = /var/log/obnam.log"
+		, "encrypt-with = " ++ obnamkey
+		, "log-level = info"
+		, "log-max = 1048576"
+		, "keep = 7d,5w,12m"
+		, "upload-queue-size = 128"
+		, "lru-size = 128"
+		]
+	& Gpg.keyImported (Gpg.GpgKeyId obnamkey) (User "root")
+	& Ssh.keyImported SshRsa (User "root") (Context "branchable.com")
+	& Ssh.knownHost hosts "eubackup.kitenet.net" (User "root")
+	& Ssh.knownHost hosts "usw-s002.rsync.net" (User "root")
+
+	& adminuser "joey"
+	& adminuser "liw"
+  where
+	obnamkey = "41E1A9B9"
+	adminuser u = propertyList ("admin user " ++ u) $ props
+		& User.accountFor (User u)
+		& User.hasSomePassword (User u)
+		& Sudo.enabledFor (User u)
+		& User.hasGroup (User u) (Group "adm")
+		& User.hasGroup (User u) (Group "systemd-journal")
--- a/src/Propellor/Property/SiteSpecific/IABak.hs
+++ b/src/Propellor/Property/SiteSpecific/IABak.hs
@ -15,6 +15,13 @@ repo = "https://github.com/ArchiveTeam/IA.BAK/"
 userrepo :: String
 userrepo = "git@gitlab.com:archiveteam/IA.bak.users.git"

+publicFace :: Property HasInfo
+publicFace = propertyList "iabak public face" $ props
+	& Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
+	& Apt.serviceInstalledRunning "apache2"
+	& Cron.niceJob "graph-gen" (Cron.Times "*/10 * * * *") (User "root") "/"
+		"/usr/local/IA.BAK/web/graph-gen.sh"
+
 gitServer :: [Host] -> Property HasInfo
 gitServer knownhosts = propertyList "iabak git server" $ props
 	& Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
@ -56,12 +63,14 @@ graphiteServer = propertyList "iabak graphite server" $ props
 		[ "[carbon]"
 		, "pattern = ^carbon\\."
 		, "retentions = 60:90d"
-		, "[iabak]"
+		, "[iabak-connections]"
+		, "pattern = ^iabak\\.shardstats\\.connections"
+		, "retentions = 1h:1y,3h:10y"
+		, "[iabak-default]"
 		, "pattern = ^iabak\\."
-		, "retentions = 10m:30d,1h:1y,3h,10y"
+		, "retentions = 10m:30d,1h:1y,3h:10y"
 		, "[default_1min_for_1day]"
 		, "pattern = .*"
-		, "retentions = 60s:1d"
 		]
 	& graphiteCSRF
 	& cmdProperty "graphite-manage" ["syncdb", "--noinput"] `flagFile` "/etc/flagFiles/graphite-syncdb"
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@ -470,7 +470,7 @@ backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc
 	`requires` Ssh.knownHost hosts srchost (User "joey")
  where
 	desc = "backups copied from " ++ srchost ++ " on boot"
-	cmd = "rsync -az --bwlimit=300K --partial --delete " ++ srchost ++ ":lib/backup/ " ++ destdir </> srchost
+	cmd = "sleep 30m && rsync -az --bwlimit=300K --partial --delete " ++ srchost ++ ":lib/backup/ " ++ destdir </> srchost

 obnamRepos :: [String] -> Property NoInfo
 obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs)