better types for systemd port publishing

config-joey.hs

@@ -104,8 +104,8 @@ clam = standardSystem "clam.kitenet.net" Unstable "amd64"
 	& Docker.garbageCollected `period` Daily
 	! Docker.docked webserver'
 	& File.dirExists "/var/www/html"
-	& File.notPresent "/var/www/html/index.html"
+	& File.notPresent "/var/www/index.html"
-	& "/var/www/index.html" `File.hasContent` ["hello, world"]
+	& "/var/www/html/index.html" `File.hasContent` ["hello, world"]
 	& alias "helloworld.kitenet.net"
 	& Docker.docked oldusenetShellBox
 

debian/changelog

@@ -8,15 +8,16 @@ propellor (2.5.0) UNRELEASED; urgency=medium
   * createProcess from Propellor.Property.Cmd, so they are available
     for use in constricting your own Properties when using propellor
     as a library.
-  * Improve enter-machine scripts for nspawn containers to unset most
+  * Improve enter-machine scripts for systemd-nspawn containers to unset most
     environment variables.
   * Fix Postfix.satellite bug; the default relayhost was set to the
     domain, not to smtp.domain as documented.
   * Mount /proc inside a chroot before provisioning it, to work around #787227
   * --spin now works when given a short hostname that only resolves to an
     ipv6 address.
-  * Added publish property for systemd-spawn containers.
+  * Added publish and publish' properties for systemd-spawn containers.
     (Needs systemd version 220.)
+  * Added bind and bindRo properties for systemd-spawn containers.
 
  -- Joey Hess <id@joeyh.name>  Thu, 07 May 2015 12:08:34 -0400
 

src/Propellor/Property/Systemd.hs

@@ -1,3 +1,5 @@
+{-# LANGUAGE TypeSynonymInstances #-}
+
 module Propellor.Property.Systemd (
 	-- * Services
 	module Propellor.Property.Systemd.Core,
@@ -22,9 +24,12 @@ module Propellor.Property.Systemd (
 	-- * Container configuration
 	containerCfg,
 	resolvConfed,
-	publish,
+	Publishable(..),
+	privateNetwork,
+	ForwardedPort(..),
 	Proto(..),
-	publish',
+	PortSpec(..),
+	publish,
 	bind,
 	bindRo,
 ) where
@@ -288,32 +293,36 @@ resolvConfed = containerCfg "bind=/etc/resolv.conf"
 privateNetwork :: RevertableProperty
 privateNetwork = containerCfg "private-network"
 
--- | Publish a container's (tcp) port to same port on the host.
+class Publishable a where
--- 
+	toPublish :: a -> String
--- This automatically enables privateNetwork, so all non-published ports
+
--- will not be accessible outside the container.
+instance Publishable Port where
---
+	toPublish p = show p
--- Note that this feature was first added in systemd version 220.
+
-publish :: Port -> RevertableProperty
+data ForwardedPort = ForwardedPort
-publish p = publish' TCP p p
+	{ hostPort :: Port
-	`requires` privateNetwork
+	, containerPort :: Port
+	}
+
+instance Publishable ForwardedPort where
+	toPublish fp = show (hostPort fp) ++ ":" ++ show (containerPort fp)
 
 data Proto = TCP | UDP
 
-publish'
+data PortSpec = PortSpec Proto ForwardedPort
-	:: Proto
+
-	-> Port -- ^ Host port
+instance Publishable PortSpec where
-	-> Port -- ^ Container port
+	toPublish (PortSpec TCP fp) = "tcp:" ++ toPublish fp
-	-> RevertableProperty
+	toPublish (PortSpec UDP fp) = "udp:" ++ toPublish fp
-publish' proto hostport containerport = containerCfg $ "--port=" ++
+
-	intercalate ":"
+-- | Publish a port from the container on the host.
-		[ sproto proto
+--
-		, show hostport
+-- Note that this will only work if the container's network is set up
-		, show containerport
+-- by other properties.
-		]
+--
-  where
+-- This feature was first added in systemd version 220.
-	sproto TCP = "tcp"
+publish :: Publishable p => p -> RevertableProperty
-	sproto UDP = "udp"
+publish p = containerCfg $ "--port=" ++ toPublish p
 
 -- | Bind mount a file or directory from the host into the container.
 --