propellor spin

config-joey.hs

@@ -41,9 +41,7 @@ hosts =                 --                  (o)  `
 		& Apt.buildDep ["git-annex"] `period` Daily
 		& Docker.docked hosts "android-git-annex"
 
-	-- Nothing super-important lives here.
+	-- Nothing super-important lives here and mostly it's docker containers.
-	-- Any services I care about are containerized so they can easily
-	-- be moved.
 	, standardSystem "clam.kitenet.net" Unstable "amd64"
 		& ipv4 "162.248.143.249"
 		& ipv6 "2002:5044:5531::1"
@@ -78,6 +76,11 @@ hosts =                 --                  (o)  `
 		& alias "znc.kitenet.net"
 		& JoeySites.ircBouncer
 
+		-- For https port 443, shellinabox with ssh login to
+		-- kitenet.net
+		& alias "shell.kitenet.net"
+		& JoeySites.kiteShellBox
+
 		-- Nothing is using http port 80 on clam, so listen on
 		-- that port for ssh, for traveling on bad networks that
 		-- block 22.

src/Propellor/Property/SiteSpecific/JoeySites.hs

@@ -317,3 +317,25 @@ ircBouncer = propertyList "IRC bouncer"
 	]
   where
 	conf = "/home/znc/.znc/configs/znc.conf"
+
+kiteShellBox :: Property
+kiteShellBox = propertyList "kitenet.net shellinabox"
+	[ Apt.installed ["shellinabox"]
+
+	-- Install ssl cert, let shellinabox read it.
+	, File.dirExists certdir
+	, File.ownerGroup certdir "shellinabox" "shellinabox"
+	, File.mode certdir (combineModes [ownerWriteMode, ownerReadMode, ownerExecuteMode])
+	, File.hasPrivContentExposed (certdir </> "certificate.pem")
+
+	, File.hasContent "/etc/default/shellinabox"
+		[ "# Deployed by propellor"
+		, "SHELLINABOX_DAEMON_START=1"
+		, "SHELLINABOX_PORT=443"
+		, "SHELLINABOX_ARGS=\"--no-beep --service=/:SSH:kitenet.net --cert=" ++ certdir ++ "\""
+		]
+		`onChange` Service.restarted "shellinabox"
+	, Service.running "shellinabox"
+	]
+  where
+	certdir = "/etc/shellinabox/certs"