Merge branch 'joeyconfig'

Conflicts:
	privdata.joey/privdata.gpg

config-joey.hs

@@ -30,6 +30,7 @@ import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
 import qualified Propellor.Property.HostingProvider.Linode as Linode
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
 import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
+import qualified Propellor.Property.SiteSpecific.IABak as IABak
 import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
 
 
@@ -251,7 +252,7 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64"
 
 	& alias "eubackup.kitenet.net"
 	& Apt.installed ["obnam", "sshfs", "rsync"]
-	& JoeySites.obnamRepos ["wren", "pell", "kite"]
+	& JoeySites.obnamRepos ["pell", "kite"]
 	& JoeySites.githubBackup
 	& JoeySites.rsyncNetBackup hosts
 
@@ -304,29 +305,31 @@ beaver = host "beaver.kitenet.net"
 
 iabak :: Host
 iabak = host "iabak.archiveteam.org"
-	& alias "ia-bak.joeyh.name"
 	& ipv4 "124.6.40.227"
+	& Hostname.sane
 	& os (System (Debian Testing) "amd64")
+	& Systemd.persistentJournal
+	& Cron.runPropellor (Cron.Times "30 * * * *")
 	& Apt.stdSourcesList `onChange` Apt.upgrade
-	& Apt.installed ["git"]
-	& Apt.installed ["etckeeper"]
-	& Apt.installed ["ssh"]
-	& Apt.installed ["vim", "screen", "less"]
+	& Apt.installed ["git", "ssh"]
+	& Ssh.hostKeys (Context "iabak.archiveteam.org")
+		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAMhuYTshLxavWCpfyJxg3j/GWyIRlL3VTharsfUTzMOqyMSWantZjflfJX21z2KzFDtPEA711GYztsgMVXMrsPQInaOKNISe/R9cfgnEktKTxeppWTfw0GTNcpCeeecddU0FCPVW3a6yDoT6+Rv0jPvkQoDGmhQ40MhauMrO0mJ9AAAAFQDpCbXG8o/3Sg7wrsp5abizJoQ0yQAAAIEAxxyHo/ZhDPP+EWtDS05s5dwiDMUsxIllk1NeleAOQIyLtFkaifOeskDJybIPWYPGX1trjcPoGuXJ5GBYrRaPiu6FBvYdYMFRLr4uNBsaSHHqlHhBPkP3RzCrdUyau4XyjdE4iA0EQlO+u11A+o3f7aTuJSveM0YRfbqvaatG89EAAACAWd0h0SkRLnGjBzkou0SQfYujFY9ilhWXPWV/oOs+bieDSpvfmnaEfLSinVFRrJPvQp/dtpxPLEm+StrK3w6dmwTZVUM5JEoB1mRjBkVs6gPC9PVVg9qLpzC2/x+r5cTfrffjyRrlPdkwLKpO6oiPxTIxAyCW8ixjafkxe2hAeJo=")
+		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP13oPRLRY0V9ZDWojb8TgHbUdE30Nq3b541TwPmlLMbYPAhldxGHkuXGlX8g9/FYP/1AgkPcxs2Uc61ZV+1Ss7q7t52f4R0bO4WHqxfdXHd9FlLzMLWxMU3aMr693pGlhnUp3/xH6O6/+bNEIo3VGGgv9XDr2cAxypS9J7X9ibHZcZ3BGvoCR+nnFJ00ERG2tREKZBPDWKk76lhCiM21fG/CSmcApXaA45FHDaM9/2Clj1sXvoS72f0hEKpl1m08sUx+F0GPzQESnKqNFl+xXdYPPbfhdrgCnDmx9tL5NnXsJU2beFiuxpICOeB1HV6DJsdlO18WqwXYhOg/2A1H3")
+		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHb0kXcrF5ThwS8wB0Hez404Zp9bz78ZxEGSqnwuF4d/N3+bymg7/HAj7l/SzRoEXKHsJ7P5320oMxBHeM16Y+k=")
+		]
+	& Apt.installed ["etckeeper", "sudo"]
+	& Apt.installed ["vim", "screen", "tmux", "less", "emax-nox", "netcat"]
 	& User.hasSomePassword "root"
-	& User.accountFor "joey"
+	& propertyList "admin accounts"
+		(map User.accountFor admins ++ map Sudo.enabledFor admins)
 	& User.hasSomePassword "joey"
-	& Sudo.enabledFor "joey"
 	& GitHome.installedFor "joey"
-	& Git.cloned "root" repo "/usr/local/IA.BAK" (Just "server")
-	& Git.cloned "www-data" repo "/usr/local/IA.BAK/pubkeys" (Just "pubkey")
-	& Apt.serviceInstalledRunning "apache2"
-	& cmdProperty "ln" ["-sf", "/usr/local/IA.BAK/pushme.cgi", "/usr/lib/cgi-bin/pushme.cgi"]
+	& Ssh.authorizedKey "db48x" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAIAQDQ6urXcMDeyuFf4Ga7CuGezTShKnEMPHKJm7RQUtw3yXCPX5wnbvPS2+UFnHMzJvWOX5S5b/XpBpOusP0jLpxwOCEg4nA5b7uvWJ2VIChlMqopYMo+tDOYzK/Q74MZiNWi2hvf1tn3N9SnqOa7muBMKMENIX5KJdH8cJ/BaPqAP883gF8r2SwSZFvaB0xYCT/CIylC593n/+0+Lm07NUJIO8jil3n2SwXdVg6ib65FxZoO86M46wTghnB29GXqrzraOg+5DY1zzCWpIUtFwGr4DP0HqLVtmAkC7NI14l1M0oHE0UEbhoLx/a+mOIMD2DuzW3Rs3ZmHtGLj4PL/eBU8D33AqSeM0uR/0pEcoq6A3a8ixibj9MBYD2lMh+Doa2audxS1OLM//FeNccbm1zlvvde82PZtiO11P98uN+ja4A+CfgQU5s0z0wikc4gXNhWpgvz8DrOEJrjstwOoqkLg2PpIdHRw7dhpp3K1Pc+CGAptDwbKkxs4rzUgMbO9DKI7fPcXXgKHLLShMpmSA2vsQUMfuCp2cVrQJ+Vkbwo29N0Js5yU7L4NL4H854Nbk5uwWJCs/mjXtvTimN2va23HEecTpk44HDUjJ9NyevAfPcO9q1ZtgXFTQSMcdv1m10Fvmnaiy8biHnopL6MBo1VRITh5UFiJYfK4kpTTg2vSspii/FYkkYOAnnZtXZqMehP7OZjJ6HWJpsCVR2hxP3sKOoQu+kcADWa/4obdp+z7gY8iMMjd6kwuIWsNV8KsX+eVJ4UFpAi/L00ZjI2B9QLVCsOg6D1fT0698wEchwUROy5vZZJq0078BdAGnwC0WGLt+7OUgn3O2gUAkb9ffD0odbZSqq96NCelM6RaHA+AaIE4tjGL3lFkyOtb+IGPNACQ73/lmaRQd6Cgasq9cEo0g22Ew5NQi0CBuu1aLDk7ezu3SbU09eB9lcZ+8lFnl5K2eQFeVJStFJbJNfOvgKyOb7ePsrUFF5GJ2J/o1F60fRnG64HizZHxyFWkEOh+k3i8qO+whPa5MTQeYLYb6ysaTPrUwNRcSNNCcPEN8uYOh1dOFAtIYDcYA56BZ321yz0b5umj+pLsrFU+4wMjWxZi0inJzDS4dVegBVcRm0NP5u8VRosJQE9xdbt5K1I0khzhrEW1kowoTbhsZCaDHhL9LZo73Z1WIHvulvlF3RLZip5hhtQu3ZVkbdV5uts8AWaEWVnIu9z0GtQeeOuseZpT0u1/1xjVAOKIzuY3sB7FKOaipe8TDvmdiQf/ICySqqYaYhN6GOhiYccSleoX6yzhYuCvzTgAyWHIfW0t25ff1CM7Vn+Vo9cVplIer1pbwhZZy4QkROWTOE+3yuRlQ+o6op4hTGdAZhjKh9zkDW7rzqQECFrZrX/9mJhxYKjhpkk0X3dSipPt9SUHagc4igya+NgCygQkWBOQfr4uia0LcwDxy4Kchw7ZuypHuGVZkGhNHXS+9JdAHopnSqYwDMG/z1ys1vQihgER0b9g3TchvGF+nmHe2kbM1iuIYMNNlaZD1yGZ5qR7wr/8dw8r0NBEwzsUfak3BUPX7H6X0tGS96llwUxmvQD85WNNoef0uryuAtDEwWlfN1RmWysZDc57Rn4gZi0M5jXmQD23ZiYXYBcG849OeqNzlxONEFsForXO/29Ud4x/Hqa9tf+kJbqMRsaLFO+PXhHzgl6ZHLAljQDxrJ6keNnkqaYfqQ8wyRi1mKv4Ab57kde7mUsZhe7w93GaE9Lxfvu7d3pB+lXfI9NJCSITHreUP4JfmFW+p/eVg+r/1wbElNylGna4I4+qYObOUncGwFKYdFPdtU1XLDKXmywTEgbEh7iI9zX0xD3bPHQLMg+TTtXiU9dQm1x/0zRf9trwDsRDJCbG4/P4iQYkcVvYx2CCfi0JSHv8tWsLi3GJKJLXUxZyzfvY2lThPeYnnY/HFrPJCyJUN55QuRmfzbu8rHgWlcyOlVpKtz+7kn823kEQykiIYKIKrb0G6VBzuMtAk9XzJPv+Wu7suOGXHlVfCqPLk6RjHDm4kTYciW9VgxDts5Y+zwcAbrUeA4UuN/6KisWpivMrfDSIHUCeH/lHBtNkqKohdrUKJMEOx5X6r2dJbmoTFBDi5XtYu/5cBtiDMmupNB0S+pZ2JD5/RKtj6kgzTeE1q/OG4q/eq1O1rjf0vIS31luy27K/YHFIGE0D/CmuXE74Uyaxm27RnrKUxEBl84V70GaIF4F5On8pSThxxizigXTRTKiczc+A5Zi29mid+1EFeUAJOa/DuHJfpVNY4pYEmhPl/Bk66L8kzlbJz6Hg/LIiJIRcy3UKrbSxPFIDpXn33drBHgklMDlrIVDZDXF6cn0Ml71SabB4A3TM6TK+oWZoyvftPIhcWhVwAWQj7nFNAiMEl1z/29ovHrRooqQFozf7GDW8Mjiu7ChZP9zx2H8JB/AAEFuWMwGV4AHICYdS9lOl/v+cDhgsnXdeuKEuxHhYlRxuRxJk/f17Sm/5H85UIzlu85wi3q/DW2FTZnlw4iJLnL6FArUIMzuBOZyoEhh0SPR41Xc4kkucDhnENybTZSR/yDzb0P1B7qjZ4GqcSEFja/hm/LH1oKJzZg8MEqeUoKYCUdVv9ek4IUGUONtVs53V5SOwFWR/nVuDk2BENr7NadYYVtu6MjBwgjso7NuhoNxVwIEP3BW67OQ8bxfNBtJJQNJejAhgZiqJItI9ucAfjQ== db48x@anglachel"
 	& Apt.installed ["sudo"]
-	& File.containsLine "/etc/sudoers" "www-data ALL=NOPASSWD:/usr/local/IA.BAK/pushed.sh"
-	& Cron.niceJob "shardstats" (Cron.Times "*/30 * * * *") "root" "/"
-		"/usr/local/IA.BAK/shardstats SHARD1"
+	& IABak.gitServer
+	& IABak.graphiteServer
   where
-	repo = "https://github.com/ArchiveTeam/IA.BAK/"
+	admins = ["joey", "db48x"]
 
        --'                        __|II|      ,.
      ----                      __|II|II|__   (  \_,/\

src/Propellor/Property/SiteSpecific/IABak.hs

@@ -0,0 +1,67 @@
+module Propellor.Property.SiteSpecific.IABak where
+
+import Propellor
+import qualified Propellor.Property.Apt as Apt
+import qualified Propellor.Property.Git as Git
+import qualified Propellor.Property.Cron as Cron
+import qualified Propellor.Property.File as File
+import qualified Propellor.Property.Apache as Apache
+
+gitServer :: Property HasInfo
+gitServer = propertyList "iabak git server" $ props
+	& Git.cloned "root" repo "/usr/local/IA.BAK" (Just "server")
+	& Git.cloned "root" repo "/usr/local/IA.BAK/client" (Just "master")
+	& Git.cloned "www-data" repo "/usr/local/IA.BAK/pubkeys" (Just "pubkey")
+	& Apt.serviceInstalledRunning "apache2"
+	& cmdProperty "ln" ["-sf", "/usr/local/IA.BAK/pushme.cgi", "/usr/lib/cgi-bin/pushme.cgi"]
+	& File.containsLine "/etc/sudoers" "www-data ALL=NOPASSWD:/usr/local/IA.BAK/pushed.sh"
+	& Cron.niceJob "shardstats" (Cron.Times "*/30 * * * *") "root" "/"
+		"/usr/local/IA.BAK/shardstats-all"
+  where
+	repo = "https://github.com/ArchiveTeam/IA.BAK/"
+
+graphiteServer :: Property HasInfo
+graphiteServer = propertyList "iabak graphite server" $ props
+	& Apt.serviceInstalledRunning "apache2"
+	& Apt.installed ["libapache2-mod-wsgi", "graphite-carbon", "graphite-web"]
+	& File.hasContent "/etc/carbon/storage-schemas.conf"
+		[ "[carbon]"
+		, "pattern = ^carbon\\."
+		, "retentions = 60:90d"
+		, "[iabak]"
+		, "pattern = ^iabak\\."
+		, "retentions = 10m:30d,1h:1y,3h,10y"
+		, "[default_1min_for_1day]"
+		, "pattern = .*"
+		, "retentions = 60s:1d"
+		]
+	& graphiteCSRF
+	& cmdProperty "graphite-manage" ["syncdb", "--noinput"] `flagFile` "/etc/flagFiles/graphite-syncdb"
+	& cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=joey", "--email=joey@localhost"] `flagFile` "/etc/flagFiles/graphite-user-joey"
+		`flagFile` "/etc/graphite-superuser-joey"
+	& cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=db48x", "--email=db48x@localhost"] `flagFile` "/etc/flagFiles/graphite-user-db48x"
+		`flagFile` "/etc/graphite-superuser-db48x"
+	-- TODO: deal with passwords somehow
+	& File.ownerGroup "/var/lib/graphite/graphite.db" "_graphite" "_graphite"
+	& "/etc/apache2/ports.conf" `File.containsLine` "Listen 8080"
+		`onChange` Apache.restarted
+	& Apache.siteEnabled "iabak-graphite-web"
+		[ "<VirtualHost *:8080>"
+		, "        WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite"
+		, "        WSGIProcessGroup _graphite"
+		, "        WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}"
+		, "        WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi"
+		, "        Alias /content/ /usr/share/graphite-web/static/"
+		, "        <Location \"/content/\">"
+		, "                SetHandler None"
+		, "        </Location>"
+		, "        ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log"
+		, "        LogLevel warn"
+		, "        CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined"
+		, "</VirtualHost>"
+		]
+  where
+	graphiteCSRF = withPrivData (Password "csrf-token") (Context "iabak.archiveteam.org") $
+		\gettoken -> property "graphite-web CSRF token" $
+			gettoken $ \token -> ensureProperty $ File.containsLine
+				"/etc/graphite/local_settings.py" ("SECRET_KEY = '"++ token ++"'")

src/Propellor/Property/SiteSpecific/JoeySites.hs

@@ -460,7 +460,7 @@ githubMirrors =
 	, ("etckeeper", plzuseurl "http://etckeeper.branchable.com/todo/")
 	]
   where
-	plzuseurl u = "please submit changes to " ++ u ++ " instead of using github pull requests"
+	plzuseurl u = "Please submit changes to " ++ u ++ " instead of using github pull requests, which are not part of my workflow. -- A robot acting on behalf of Joey Hess"
 
 rsyncNetBackup :: [Host] -> Property NoInfo
 rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" (Cron.Times "30 5 * * *")

src/Propellor/Property/Ssh.hs

@@ -242,7 +242,7 @@ authorizedKey user l = property desc $ do
 		, File.ownerGroup (takeDirectory f) user user
 		]
   where
-	desc = user ++ " has autorized_keys line " ++ l
+	desc = user ++ " has autorized_keys"
 
 -- | Makes the ssh server listen on a given port, in addition to any other
 -- ports it is configured to listen on.