cadey
/
propellor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'joeyconfig'

This commit is contained in:
Joey Hess 2015-07-20 12:06:36 -04:00
parent 5df1c9dc5a 8d971b83ba
commit 55c6b1cc30
5 changed files with 44 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config-joey.hs
View File

@ -441,7 +441,7 @@ jerryPlay = standardDockerContainer "jerryplay" Unstable "amd64"
& Docker.publish "8001:80" & Docker.publish "8001:80"
& Apt.installed ["ssh"] & Apt.installed ["ssh"]
& User.hasSomePassword (User "root") & User.hasSomePassword (User "root")
& Ssh.permitRootLogin True & Ssh.permitRootLogin (Ssh.RootLogin True)
kiteShellBox :: Systemd.Container kiteShellBox :: Systemd.Container
kiteShellBox = standardStableContainer "kiteshellbox" kiteShellBox = standardStableContainer "kiteshellbox"

8
debian/changelog vendored
View File

@ -1,3 +1,11 @@
propellor (2.7.0) UNRELEASED; urgency=medium
* Ssh.permitRootLogin type changed to allow configuring WithoutPassword
and ForcedCommandsOnly (API change)
* setSshdConfig type changed, and setSshdConfigBool added with old type.
-- Joey Hess <id@joeyh.name> Mon, 20 Jul 2015 12:01:38 -0400
propellor (2.6.0) unstable; urgency=medium propellor (2.6.0) unstable; urgency=medium
* Replace String type synonym Docker.Image by a data type * Replace String type synonym Docker.Image by a data type

2
src/Propellor/Property/SiteSpecific/JoeySites.hs
View File

@ -387,7 +387,7 @@ twitRss = combineProperties "twitter rss" $ props
-- Work around for expired ssl cert. -- Work around for expired ssl cert.
pumpRss :: Property NoInfo pumpRss :: Property NoInfo
pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") (User "joey") "/srv/web/tmp.kitenet.net/" pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") (User "joey") "/srv/web/tmp.kitenet.net/"
"wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom.new --no-check-certificate 2>/dev/null; sed 's/ & / /g' pump.atom.new > pump.atom" "wget https://rss.io.jpope.org/feed/joeyh@identi.ca.atom -O pump.atom.new --no-check-certificate 2>/dev/null; sed 's/ & / /g' pump.atom.new > pump.atom"
ircBouncer :: Property HasInfo ircBouncer :: Property HasInfo
ircBouncer = propertyList "IRC bouncer" $ props ircBouncer = propertyList "IRC bouncer" $ props

44
src/Propellor/Property/Ssh.hs
View File

@ -1,7 +1,10 @@
module Propellor.Property.Ssh ( module Propellor.Property.Ssh (
PubKeyText, PubKeyText,
sshdConfig, sshdConfig,
ConfigKeyword,
setSshdConfigBool,
setSshdConfig, setSshdConfig,
RootLogin(..),
permitRootLogin, permitRootLogin,
passwordAuthentication, passwordAuthentication,
noPasswords, noPasswords,
@ -28,6 +31,7 @@ import Utility.FileMode
import System.PosixCompat import System.PosixCompat
import qualified Data.Map as M import qualified Data.Map as M
import Data.List
type PubKeyText = String type PubKeyText = String
@ -38,21 +42,37 @@ sshBool False = "no"
sshdConfig :: FilePath sshdConfig :: FilePath
sshdConfig = "/etc/ssh/sshd_config" sshdConfig = "/etc/ssh/sshd_config"
setSshdConfig :: String -> Bool -> Property NoInfo type ConfigKeyword = String
setSshdConfig setting allowed = combineProperties "sshd config"
[ sshdConfig `File.lacksLine` (sshline $ not allowed)
, sshdConfig `File.containsLine` (sshline allowed)
]
`onChange` restarted
`describe` unwords [ "ssh config:", setting, sshBool allowed ]
where
sshline v = setting ++ " " ++ sshBool v
permitRootLogin :: Bool -> Property NoInfo setSshdConfigBool :: ConfigKeyword -> Bool -> Property NoInfo
permitRootLogin = setSshdConfig "PermitRootLogin" setSshdConfigBool setting allowed = setSshdConfig setting (sshBool allowed)
setSshdConfig :: ConfigKeyword -> String -> Property NoInfo
setSshdConfig setting val = File.fileProperty desc f sshdConfig
`onChange` restarted
where
desc = unwords [ "ssh config:", setting, val ]
cfgline = setting ++ " " ++ val
wantedline s
| s == cfgline = True
| (setting ++ " ") `isPrefixOf` s = False
| otherwise = True
f ls
| cfgline `elem` ls = filter wantedline ls
| otherwise = filter wantedline ls ++ [cfgline]
data RootLogin
= RootLogin Bool -- ^ allow or prevent root login
| WithoutPassword -- ^ disable password authentication for root, while allowing other authentication methods
| ForcedCommandsOnly -- ^ allow root login with public-key authentication, but only if a forced command has been specified for the public key
permitRootLogin :: RootLogin -> Property NoInfo
permitRootLogin (RootLogin b) = setSshdConfigBool "PermitRootLogin" b
permitRootLogin WithoutPassword = setSshdConfig "PermitRootLogin" "without-password"
permitRootLogin ForcedCommandsOnly = setSshdConfig "PermitRootLogin" "forced-commands-only"
passwordAuthentication :: Bool -> Property NoInfo passwordAuthentication :: Bool -> Property NoInfo
passwordAuthentication = setSshdConfig "PasswordAuthentication" passwordAuthentication = setSshdConfigBool "PasswordAuthentication"
-- | Configure ssh to not allow password logins. -- | Configure ssh to not allow password logins.
-- --

3
src/Propellor/Property/Systemd.hs
View File

@ -134,7 +134,8 @@ type Option = String
-- Does not ensure that the relevant daemon notices the change immediately. -- Does not ensure that the relevant daemon notices the change immediately.
-- --
-- This assumes that there is only one [Header] per file, which is -- This assumes that there is only one [Header] per file, which is
-- currently the case. And it assumes the file already exists with -- currently the case for files like journald.conf and system.conf.
-- And it assumes the file already exists with
-- the right [Header], so new lines can just be appended to the end. -- the right [Header], so new lines can just be appended to the end.
configured :: FilePath -> Option -> String -> Property NoInfo configured :: FilePath -> Option -> String -> Property NoInfo
configured cfgfile option value = combineProperties desc configured cfgfile option value = combineProperties desc