From 6957f28945bc4360882c8337f91d471de8fbadee Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Fri, 18 Jul 2014 02:08:13 -0400 Subject: [PATCH] propellor spin --- config-joey.hs | 20 +++++++++++++------ src/Propellor/Property/Postfix.hs | 3 +++ .../Property/SiteSpecific/JoeySites.hs | 8 ++++---- 3 files changed, 21 insertions(+), 10 deletions(-) diff --git a/config-joey.hs b/config-joey.hs index 6db3e81..b95a327 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -75,7 +75,10 @@ hosts = -- (o) ` & Docker.garbageCollected `period` Daily & Apt.buildDep ["git-annex"] `period` Daily - , standardSystem "kite.kitenet.net" Unstable "amd64" + -- This is not a complete description of kite, since it's a + -- multiuser system with eg, user passwords that are not deployed + -- with propellor. + , standardSystemUnhardened "kite.kitenet.net" Unstable "amd64" [ "Welcome to the new kitenet.net server!" , "This is still under construction and not yet live.." ] @@ -102,6 +105,8 @@ hosts = -- (o) ` & JoeySites.kiteMailServer & Apt.installed ["mutt", "alpine", "git-annex", "myrepos"] + -- Since password authentication is allowed: + & Apt.serviceInstalledRunning "fail2ban" , standardSystem "diatom.kitenet.net" Stable "amd64" [ "Important stuff that needs not too much memory or CPU." ] @@ -280,7 +285,14 @@ type Motd = [String] -- This is my standard system setup. standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host -standardSystem hn suite arch motd = host hn +standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd + -- Harden the system, but only once root's authorized_keys + -- is safely in place. + & check (Ssh.hasAuthorizedKeys "root") + (Ssh.passwordAuthentication False) + +standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host +standardSystemUnhardened hn suite arch motd = host hn & os (System (Debian suite) arch) & Hostname.sane & Hostname.searchDomain @@ -291,10 +303,6 @@ standardSystem hn suite arch motd = host hn & Apt.installed ["ssh"] & GitHome.installedFor "root" & User.hasSomePassword "root" (Context hn) - -- Harden the system, but only once root's authorized_keys - -- is safely in place. - & check (Ssh.hasAuthorizedKeys "root") - (Ssh.passwordAuthentication False) & User.accountFor "joey" & User.hasSomePassword "joey" (Context hn) & Sudo.enabledFor "joey" diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs index 1711a7d..fbe3929 100644 --- a/src/Propellor/Property/Postfix.hs +++ b/src/Propellor/Property/Postfix.hs @@ -15,6 +15,9 @@ installed = Apt.serviceInstalledRunning "postfix" restarted :: Property restarted = Service.restarted "postfix" +reloaded :: Property +reloaded = Service.reloaded "postfix" + -- | Configures postfix as a satellite system, which -- relats all mail through a relay host, which defaults to smtp.domain. -- diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 0838af4..a6be241 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -435,11 +435,11 @@ kiteMailServer = propertyList "kitenet.net mail server" , "/ikiwiki\\.info/\tOK" , "/joeyh\\.name/\tOK" ] - `onChange` Postfix.restarted + `onChange` Postfix.reloaded `describe` "postfix mydomain file configured" , "/etc/postfix/obscure_client_relay.pcre" `File.containsLine` "/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE" - `onChange` Postfix.restarted + `onChange` Postfix.reloaded `describe` "postfix obscure_client_relay file configured" , Postfix.mappedFile "/etc/postfix/virtual" (flip File.containsLines @@ -447,7 +447,7 @@ kiteMailServer = propertyList "kitenet.net mail server" , "@joeyh.name\tjoey" ] ) `describe` "postfix virtual file configured" - `onChange` Postfix.restarted + `onChange` Postfix.reloaded , Postfix.mappedFile "/etc/postfix/relay_clientcerts" $ flip File.hasPrivContentExposed ctx , Postfix.mainCf `File.containsLines` @@ -492,7 +492,7 @@ kiteMailServer = propertyList "kitenet.net mail server" , "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache" ] `onChange` Postfix.dedupMainCf - `onChange` Postfix.restarted + `onChange` Postfix.reloaded `describe` "postfix configured" , Apt.serviceInstalledRunning "dovecot-imapd"