propellor spin
This commit is contained in:
Joey Hess
parent
385a1de0ce
commit
614d497895
|
|
@ -19,8 +19,6 @@ getProperties :: HostName -> [Property]
|
|||
getProperties hostname@"clam.kitenet.net" =
|
||||
[ cleanCloudAtCost hostname
|
||||
, standardSystem Apt.Unstable
|
||||
, User.hasPassword "root"
|
||||
, User.hasPassword "joey"
|
||||
-- Clam is a tor bridge.
|
||||
, Tor.isBridge
|
||||
, Apt.installed ["docker.io"]
|
||||
|
|
@ -44,19 +42,19 @@ standardSystem suite = propertyList "standard system"
|
|||
, Apt.installed ["etckeeper"]
|
||||
, Apt.installed ["ssh"]
|
||||
, GitHome.installedFor "root"
|
||||
, User.hasSomePassword "root"
|
||||
-- Harden the system, but only once root's authorized_keys
|
||||
-- is safely in place.
|
||||
, check (Ssh.hasAuthorizedKeys "root") $
|
||||
Ssh.passwordAuthentication False
|
||||
, check (Ssh.hasAuthorizedKeys "root") $
|
||||
User.lockedPassword "root"
|
||||
, Apt.installed ["vim"]
|
||||
, User.sshAccountFor "joey"
|
||||
, Apt.installed ["sudo"]
|
||||
-- nopasswd because no password is set up for joey.
|
||||
, "sudoer joey" ==>
|
||||
"/etc/sudoers" `File.containsLine` "joey ALL=(ALL:ALL) NOPASSWD:ALL"
|
||||
, User.hasSomePassword "joey"
|
||||
, GitHome.installedFor "joey"
|
||||
, Apt.installed ["vim", "screen"]
|
||||
-- I use postfix, or no MTA.
|
||||
, Apt.removed ["exim4"] `onChange` Apt.autoRemove
|
||||
]
|
||||
|
|
|
|||
|
|
@ -22,6 +22,12 @@ nuked user _ = check (isJust <$> homedir user) $ cmdProperty "userdel"
|
|||
]
|
||||
`describe` ("nuked user " ++ user)
|
||||
|
||||
{- Only ensures that the user has some password set. It may or may
|
||||
- not be the password from the PrivData. -}
|
||||
hasSomePassword :: UserName -> Property
|
||||
hasSomePassword user = check ((/= HasPassword) <$> getPasswordStatus user) $
|
||||
hasPassword user
|
||||
|
||||
hasPassword :: UserName -> Property
|
||||
hasPassword user = Property (user ++ " has password") $
|
||||
withPrivData (Password user) $ \password -> makeChange $
|
||||
|
|
@ -37,11 +43,19 @@ lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passw
|
|||
]
|
||||
`describe` ("locked " ++ user ++ " password")
|
||||
|
||||
isLockedPassword :: UserName -> IO Bool
|
||||
isLockedPassword user = parse . words <$> readProcess "passwd" ["-S", user]
|
||||
data PasswordStatus = NoPassword | LockedPassword | HasPassword
|
||||
deriving (Eq)
|
||||
|
||||
getPasswordStatus :: UserName -> IO PasswordStatus
|
||||
getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]
|
||||
where
|
||||
parse (_:"L":_) = True
|
||||
parse _ = False
|
||||
parse (_:"L":_) = LockedPassword
|
||||
parse (_:"NP":_) = NoPassword
|
||||
parse (_:"P":_) = HasPassword
|
||||
parse _ = NoPassword
|
||||
|
||||
isLockedPassword :: UserName -> IO Bool
|
||||
isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user
|
||||
|
||||
homedir :: UserName -> IO (Maybe FilePath)
|
||||
homedir user = catchMaybeIO $ homeDirectory <$> getUserEntryForName user
|
||||
|
|
|
|||
Loading…
Reference in New Issue