cadey
/
propellor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

propellor spin

This commit is contained in:
Joey Hess 2014-03-30 20:18:45 -04:00
parent 385a1de0ce
commit 614d497895
2 changed files with 21 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Propellor.hs
View File

@ -19,8 +19,6 @@ getProperties :: HostName -> [Property]
getProperties hostname@"clam.kitenet.net" = getProperties hostname@"clam.kitenet.net" =
[ cleanCloudAtCost hostname [ cleanCloudAtCost hostname
, standardSystem Apt.Unstable , standardSystem Apt.Unstable
, User.hasPassword "root"
, User.hasPassword "joey"
-- Clam is a tor bridge. -- Clam is a tor bridge.
, Tor.isBridge , Tor.isBridge
, Apt.installed ["docker.io"] , Apt.installed ["docker.io"]
@ -44,19 +42,19 @@ standardSystem suite = propertyList "standard system"
, Apt.installed ["etckeeper"] , Apt.installed ["etckeeper"]
, Apt.installed ["ssh"] , Apt.installed ["ssh"]
, GitHome.installedFor "root" , GitHome.installedFor "root"
, User.hasSomePassword "root"
-- Harden the system, but only once root's authorized_keys -- Harden the system, but only once root's authorized_keys
-- is safely in place. -- is safely in place.
, check (Ssh.hasAuthorizedKeys "root") $ , check (Ssh.hasAuthorizedKeys "root") $
Ssh.passwordAuthentication False Ssh.passwordAuthentication False
, check (Ssh.hasAuthorizedKeys "root") $
User.lockedPassword "root"
, Apt.installed ["vim"]
, User.sshAccountFor "joey" , User.sshAccountFor "joey"
, Apt.installed ["sudo"] , Apt.installed ["sudo"]
-- nopasswd because no password is set up for joey. -- nopasswd because no password is set up for joey.
, "sudoer joey" ==> , "sudoer joey" ==>
"/etc/sudoers" `File.containsLine` "joey ALL=(ALL:ALL) NOPASSWD:ALL" "/etc/sudoers" `File.containsLine` "joey ALL=(ALL:ALL) NOPASSWD:ALL"
, User.hasSomePassword "joey"
, GitHome.installedFor "joey" , GitHome.installedFor "joey"
, Apt.installed ["vim", "screen"]
-- I use postfix, or no MTA. -- I use postfix, or no MTA.
, Apt.removed ["exim4"] `onChange` Apt.autoRemove , Apt.removed ["exim4"] `onChange` Apt.autoRemove
] ]

22
Property/User.hs
View File

@ -22,6 +22,12 @@ nuked user _ = check (isJust <$> homedir user) $ cmdProperty "userdel"
] ]
`describe` ("nuked user " ++ user) `describe` ("nuked user " ++ user)
{- Only ensures that the user has some password set. It may or may
- not be the password from the PrivData. -}
hasSomePassword :: UserName -> Property
hasSomePassword user = check ((/= HasPassword) <$> getPasswordStatus user) $
hasPassword user
hasPassword :: UserName -> Property hasPassword :: UserName -> Property
hasPassword user = Property (user ++ " has password") $ hasPassword user = Property (user ++ " has password") $
withPrivData (Password user) $ \password -> makeChange $ withPrivData (Password user) $ \password -> makeChange $
@ -37,11 +43,19 @@ lockedPassword user = check (not <$> isLockedPassword user) $ cmdProperty "passw
] ]
`describe` ("locked " ++ user ++ " password") `describe` ("locked " ++ user ++ " password")
isLockedPassword :: UserName -> IO Bool data PasswordStatus = NoPassword | LockedPassword | HasPassword
isLockedPassword user = parse . words <$> readProcess "passwd" ["-S", user] deriving (Eq)
getPasswordStatus :: UserName -> IO PasswordStatus
getPasswordStatus user = parse . words <$> readProcess "passwd" ["-S", user]
where where
parse (_:"L":_) = True parse (_:"L":_) = LockedPassword
parse _ = False parse (_:"NP":_) = NoPassword
parse (_:"P":_) = HasPassword
parse _ = NoPassword
isLockedPassword :: UserName -> IO Bool
isLockedPassword user = (== LockedPassword) <$> getPasswordStatus user
homedir :: UserName -> IO (Maybe FilePath) homedir :: UserName -> IO (Maybe FilePath)
homedir user = catchMaybeIO $ homeDirectory <$> getUserEntryForName user homedir user = catchMaybeIO $ homeDirectory <$> getUserEntryForName user