propellor spin

This commit is contained in:
Joey Hess 2014-07-18 02:08:13 -04:00
parent 2812719e54
commit 6957f28945
3 changed files with 21 additions and 10 deletions


@ -75,7 +75,10 @@ hosts = -- (o) `
& Docker.garbageCollected `period` Daily & Docker.garbageCollected `period` Daily
& Apt.buildDep ["git-annex"] `period` Daily & Apt.buildDep ["git-annex"] `period` Daily
, standardSystem "kite.kitenet.net" Unstable "amd64" -- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
, standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!" [ "Welcome to the new kitenet.net server!"
, "This is still under construction and not yet live.." , "This is still under construction and not yet live.."
] ]
@ -102,6 +105,8 @@ hosts = -- (o) `
& JoeySites.kiteMailServer & JoeySites.kiteMailServer
& Apt.installed ["mutt", "alpine", "git-annex", "myrepos"] & Apt.installed ["mutt", "alpine", "git-annex", "myrepos"]
-- Since password authentication is allowed:
& Apt.serviceInstalledRunning "fail2ban"
, standardSystem "diatom.kitenet.net" Stable "amd64" , standardSystem "diatom.kitenet.net" Stable "amd64"
[ "Important stuff that needs not too much memory or CPU." ] [ "Important stuff that needs not too much memory or CPU." ]
@ -280,7 +285,14 @@ type Motd = [String]
-- This is my standard system setup. -- This is my standard system setup.
standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host
standardSystem hn suite arch motd = host hn standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd
-- Harden the system, but only once root's authorized_keys
-- is safely in place.
& check (Ssh.hasAuthorizedKeys "root")
(Ssh.passwordAuthentication False)
standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host
standardSystemUnhardened hn suite arch motd = host hn
& os (System (Debian suite) arch) & os (System (Debian suite) arch)
& Hostname.sane & Hostname.sane
& Hostname.searchDomain & Hostname.searchDomain
@ -291,10 +303,6 @@ standardSystem hn suite arch motd = host hn
& Apt.installed ["ssh"] & Apt.installed ["ssh"]
& GitHome.installedFor "root" & GitHome.installedFor "root"
& User.hasSomePassword "root" (Context hn) & User.hasSomePassword "root" (Context hn)
-- Harden the system, but only once root's authorized_keys
-- is safely in place.
& check (Ssh.hasAuthorizedKeys "root")
(Ssh.passwordAuthentication False)
& User.accountFor "joey" & User.accountFor "joey"
& User.hasSomePassword "joey" (Context hn) & User.hasSomePassword "joey" (Context hn)
& Sudo.enabledFor "joey" & Sudo.enabledFor "joey"
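Review bot: `standardSystemUnhardened` (the hunk at `@ -280,7 +285,14`) is introduced as a sibling of `standardSystem` with no comment saying what "unhardened" leaves out, so a later host entry could pick it without realizing that the `Ssh.passwordAuthentication False` step is skipped and ssh password logins stay enabled; its body continues outside the hunk. The "-- This is my standard system setup." comment now describes only the hardened variant, so I would add a Haddock to the new one: `-- | Like 'standardSystem', but without the ssh hardening; password` / `-- authentication stays enabled. Only for hosts whose users' passwords are not` / `-- deployed by propellor (see the kite entry).` The kite entry compensates with `Apt.serviceInstalledRunning "fail2ban"`, but that property only installs and starts the package; whether its sshd jail is active depends on the package's default jail configuration, which is worth confirming on the host rather than assuming.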


@ -15,6 +15,9 @@ installed = Apt.serviceInstalledRunning "postfix"
restarted :: Property restarted :: Property
restarted = Service.restarted "postfix" restarted = Service.restarted "postfix"
reloaded :: Property
reloaded = Service.reloaded "postfix"
-- | Configures postfix as a satellite system, which -- | Configures postfix as a satellite system, which
-- relats all mail through a relay host, which defaults to smtp.domain. -- relats all mail through a relay host, which defaults to smtp.domain.
-- --
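Review bot: `reloaded` is added without a Haddock comment, and the sites file now routes every postfix config `onChange` through it instead of `restarted`, so the module should say when a reload is the right choice. Suggest `-- | Reloads postfix so configuration changes take effect; less disruptive than 'restarted'.` above the signature. The existing comment at the end of the hunk also has a typo, `relats` for `relays`, which could be fixed while touching this spot.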


@ -435,11 +435,11 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "/ikiwiki\\.info/\tOK" , "/ikiwiki\\.info/\tOK"
, "/joeyh\\.name/\tOK" , "/joeyh\\.name/\tOK"
] ]
`onChange` Postfix.restarted `onChange` Postfix.reloaded
`describe` "postfix mydomain file configured" `describe` "postfix mydomain file configured"
, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine` , "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE" "/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
`onChange` Postfix.restarted `onChange` Postfix.reloaded
`describe` "postfix obscure_client_relay file configured" `describe` "postfix obscure_client_relay file configured"
, Postfix.mappedFile "/etc/postfix/virtual" , Postfix.mappedFile "/etc/postfix/virtual"
(flip File.containsLines (flip File.containsLines
@ -447,7 +447,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "@joeyh.name\tjoey" , "@joeyh.name\tjoey"
] ]
) `describe` "postfix virtual file configured" ) `describe` "postfix virtual file configured"
`onChange` Postfix.restarted `onChange` Postfix.reloaded
, Postfix.mappedFile "/etc/postfix/relay_clientcerts" $ , Postfix.mappedFile "/etc/postfix/relay_clientcerts" $
flip File.hasPrivContentExposed ctx flip File.hasPrivContentExposed ctx
, Postfix.mainCf `File.containsLines` , Postfix.mainCf `File.containsLines`
@ -492,7 +492,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache" , "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
] ]
`onChange` Postfix.dedupMainCf `onChange` Postfix.dedupMainCf
`onChange` Postfix.restarted `onChange` Postfix.reloaded
`describe` "postfix configured" `describe` "postfix configured"
, Apt.serviceInstalledRunning "dovecot-imapd" , Apt.serviceInstalledRunning "dovecot-imapd"