From e1c42aeeb1770b42373ae04ef21c897248f62380 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 3 Apr 2014 13:49:56 -0400
Subject: [PATCH 1/4] propellor spin
From b14b56d84a448664bb86cde8079812ff11a9a79d Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 3 Apr 2014 13:58:21 -0400
Subject: [PATCH 2/4] propellor spin
---
Propellor/CmdLine.hs | 17 ++++-------------
1 file changed, 4 insertions(+), 13 deletions(-)
diff --git a/Propellor/CmdLine.hs b/Propellor/CmdLine.hs
index f1c002a..a9c6199 100644
--- a/Propellor/CmdLine.hs
+++ b/Propellor/CmdLine.hs
@@ -68,24 +68,15 @@ defaultMain getprops = do
go True cmdline@(Spin _) = buildFirst cmdline $ go False cmdline go True cmdline = updateFirst cmdline $ go False cmdline go False (Spin host) = withprops host $ const $ spin host - go False cmdline@(Run host) = withprops host $ - asRoot cmdline . ensureProperties + go False (Run host) = ifM ((==) 0 <$> getRealUserID) + ( withprops host ensureProperties + , go True (Spin host) + ) go False (Boot host) = withprops host $ boot withprops host a = maybe (unknownhost host) a $ headMaybe $ catMaybes $ map (\get -> get host) getprops -asRoot :: CmdLine -> IO a -> IO a -asRoot cmdline a = ifM ((==) 0 <$> getRealUserID) - ( a - , do - hPutStrLn stderr "Need to be root to provision the local host! Running sudo propellor..." - hFlush stderr - (_, _, _, pid) <- createProcess $ - proc "sudo" ["./propellor", show (Continue cmdline)] - exitWith =<< waitForProcess pid - ) - unknownhost :: HostName -> IO a unknownhost h = errorMessage $ unlines [ "Unknown host: " ++ h
From 2f3cac42f3233b2a6a92db9621fc8f63df781867 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 3 Apr 2014 14:02:21 -0400
Subject: [PATCH 3/4] propellor spin
---
privdata/darkstar.kitenet.net.gpg | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 privdata/darkstar.kitenet.net.gpg
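Review bot: The new non-root branch of `go False (Run host)` falls through to `go True (Spin host)` with no message, so a user who asked for a local run instead gets a build and an ssh spin of `host` (which, per the README, means root ssh access to that host and shipping its privdata) without being told why, whereas the removed `asRoot` path at least announced on stderr what it was about to do. A one-line notice before the fallback would preserve that, e.g. `, do`, `hPutStrLn stderr $ "Not root; spinning " ++ host ++ " instead"`, `go True (Spin host)`; `hPutStrLn`/`stderr` were used by the removed code, so they are presumably still imported. Since the import block lies outside the hunk, it is worth checking that `hFlush`, `createProcess`, `proc`, `exitWith`, `waitForProcess` and the `Continue` constructor are still used somewhere, or the build will warn about them. As a point of style, `(==) 0 <$> getRealUserID` reads more naturally as the section `(== 0) <$> getRealUserID`. `defaultMain` starts before the hunk and `unknownhost` continues after it.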
diff --git a/privdata/darkstar.kitenet.net.gpg b/privdata/darkstar.kitenet.net.gpg
new file mode 100644
index 0000000..9a6de1c
--- /dev/null
+++ b/privdata/darkstar.kitenet.net.gpg
@@ -0,0 +1,22 @@
+-----BEGIN PGP MESSAGE-----
+Version: GnuPG v1
+
+hQIMA7ODiaEXBlRZAQ/9HdpfvTbfOnyqLlEK1WC9QO3HrF9w9yrEH8hCrVFJ/86r
+xHK62+7I6wrV2W1UAHRx1b4H9qEkbD8+MAmjB2JYVmJUqvdzNv1jhsWwPpAcTQN1
+RVWR95Auc2rjXXSiZRudLaWdxZdDBg5PWApH5+NW5grtNRKsTbYB1/No2iYJvDuv
+WcbBkuFyEa0WbRiqUaUIyO9XAGyj4hqVDQSXH2Gzei8oB3PZh9+Lwv7i05lvSup+
+dtbtEsEdDiJbCTzIakV6vEQT1BDVMpe6jRQbv7c+LXLeM65Tpl+2hnTPSTy1zcr0
+bjfkFa6A75sHmIf0WGKAZj+jmNchp4AMdjmoMiXkHacDsBw623NgiMgzUnfWVkFm
+BIrdk5AGBi50nqPxwtY7nWd0cbApvNvT1zlx8MlRBSZQ2zcijo5AjiCwb+eLLVhv
+6oiKqpYGC1XpdNFFsaKHnHBCgsPIIetwx4ng0+lvRgBO+DEQ4RvvdKMhy/3nXrpz
+NVdr/gG+HMBW1BjyCd9ArmTtSITQWDT8vnLmyFbc0aJ88c2rEjv2BpXmhKjxEoEn
+IMxc3/9cLrVVRocnlq7YvKDZpfuwjgDs86D3e03Up7hQZhLU4+r8Wq7azxk3wE06
+lAQIS0OwCe75EZvVWYHwhZ3vEoBE/TeqeaRyhKpofFS5GvtIJsZBjenmRcdOJTPS
+wDQB/c3XkjuIrJErMBx/KrNQc2mAjcUpvW4+Ukj5vtpusi3qmSfsyaVJ4ZS9SwVv
+7RPqLsH5Iz3Ga6u4of/mg+iG/wqJPJy2A9A/XOnsNVCVR3a+NxjPqevEjW1Pr6RL
+SOMQSK6OuwuT1H13M1Z7R6dbg+pCcbc+hek9/6KzeZS9q4Di7aqq7+XeDr4c51+Q
+2ojS4DG0/vAJmOO+E8ZatGiwdI8kmELrzAF8zzGz+ZujXSuiPXVd2kw/JdfUaTRq
+KrtNhiGWWM44YWS43TYuYCoVgokrdVXzsZyKyhHzgXKCits3R5+QcUgUx2vESuOs
++FdM8fAd
+=a0dr
+-----END PGP MESSAGE-----
From 680d480921e2aadd143d55533a55af5a02666d84 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Thu, 3 Apr 2014 14:07:32 -0400
Subject: [PATCH 4/4] docs
---
README.md | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index 15d2846..b870c9e 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ and so it's easy to factor out things like classes of hosts as desired. `apt-get install propellor` 2. Run propellor for the first time. It will set up a `~/.propellor/` git repository for you. -3. In `~/.propellor/`, use git to push the repository to a central +3. `cd ~/.propellor/`; use git to push the repository to a central server (github, or your own git server). Configure that central server as the origin remote of the repository. 4. If you don't have a gpg private key, generate one: `gpg --gen-key`
@@ -49,19 +49,19 @@ and so it's easy to factor out things like classes of hosts as desired. So, edit `~/.propellor/config.hs` to configure the host (maybe start with a few simple properties), and re-run step 7. Repeat until happy and move on to the next host. :) -9. To move beyond manually running propellor --spin against hosts - when you change configuration, add a property to your hosts +9. To move beyond manually running `propellor --spin` against hosts + when you change their properties, add a property to your hosts like: `Cron.runPropellor "30 * * * *"` Now they'll automatically update every 30 minutes, and you can `git commit -S` and `git push` changes that affect any number of hosts. -8. Write some neat new properties and send patches to ! +10. Write some neat new properties and send patches to ! ## security Propellor's security model is that the hosts it's used to deploy are -untrusted, and that the central git repository server is untrusted. +untrusted, and that the central git repository server is untrusted too. The only trusted machine is the laptop where you run `propellor --spin` to connect to a remote host. And that one only because you have a ssh key
@@ -71,13 +71,13 @@ Since the hosts propellor deploys are not trusted by the central git repository, they have to use git:// or http:// to pull from the central git repository, rather than ssh://. -So, to avoid a MITM attack, propellor checks that any commit it fetched +So, to avoid a MITM attack, propellor checks that any commit it fetches from origin is gpg signed by a trusted gpg key, and refuses to deploy it otherwise. That is only done when privdata/keyring.gpg exists. To set it up: - gpg --gen-key # only if you don't already have a gpg key + gpg --gen-key # only if you don't already have a gpg key propellor --add-key $MYKEYID In order to be secure from the beginning, when `propellor --spin` is used
@@ -88,9 +88,10 @@ gpg key, and will use it to verify git fetches. Since the propoellor git repository is public, you can't store in cleartext private data such as passwords, ssh private keys, etc. -Instead, `propellor --spin $host` looks for a `~/.propellor/privdata/$host.gpg` file and -if found decrypts it and sends it to the remote host using ssh. This lets -a remote host know its own private data, without seeing all the rest. +Instead, `propellor --spin $host` looks for a +`~/.propellor/privdata/$host.gpg` file and if found decrypts it and sends +it to the remote host using ssh. This lets a remote host know its own +private data, without seeing all the rest. To securely store private data, use: `propellor --set $host $field` The field name will be something like 'Password "root"'; see PrivData.hs