| author | Joey Hess <joeyh@joeyh.name> | 2017-08-25 18:52:52 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2017-08-25 18:52:52 -0400 |
| commit | 8f2d77265a0cbf76d0f155da7d33222549caf311 (patch) | |
| tree | 681733696c47a79881e643dffa05e04ade832e8f | |
| parent | 427c2ba5997a2c0ab5c54335646de39abdb73563 (diff) | |
| parent | 87f4281250d09d53c5cf399e7286520bfdcc387d (diff) | |
Merge branch 'joeyconfig'
| -rw-r--r-- | joeyconfig.hs | 2 | ||||
| -rw-r--r-- | src/Propellor/Property/Borg.hs | 4 | ||||
| -rw-r--r-- | src/Propellor/Property/SiteSpecific/Branchable.hs | 30 | ||||
| -rw-r--r-- | src/Propellor/Property/SiteSpecific/JoeySites.hs | 24 |
4 files changed, 34 insertions, 26 deletions
diff --git a/joeyconfig.hs b/joeyconfig.hs
index e98e5b51..49480718 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -373,7 +373,7 @@ elephant = host "elephant.kitenet.net" $ props
 & Apt.serviceInstalledRunning "swapspace"
 & alias "eubackup.kitenet.net"
- & Apt.installed ["obnam", "sshfs", "rsync"]
+ & Apt.installed ["obnam", "sshfs", "rsync", "borgbackup"]
 & JoeySites.obnamRepos ["pell", "kite"]
 & JoeySites.githubBackup
 & JoeySites.rsyncNetBackup hosts
diff --git a/src/Propellor/Property/Borg.hs b/src/Propellor/Property/Borg.hs
index 7ed39794..c02c5fb5 100644
--- a/src/Propellor/Property/Borg.hs
+++ b/src/Propellor/Property/Borg.hs
@@ -92,8 +92,8 @@ restored dir backupdir = go `requires` installed
 -- > ["--exclude=/srv/git/tobeignored"]
 -- > [Borg.KeepDays 7, Borg.KeepWeeks 4, Borg.KeepMonths 6, Borg.KeepYears 1]
 --
--- Note that this property does not make borg encrypt the backup
--- repository.
+-- Note that this property does not initialize the backup repository,
+-- so that will need to be done once, before-hand.
 --
 -- Since borg uses a fair amount of system resources, only one borg
 -- backup job will be run at a time. Other jobs will wait their turns to
diff --git a/src/Propellor/Property/SiteSpecific/Branchable.hs b/src/Propellor/Property/SiteSpecific/Branchable.hs
index 239bcbeb..ce679083 100644
--- a/src/Propellor/Property/SiteSpecific/Branchable.hs
+++ b/src/Propellor/Property/SiteSpecific/Branchable.hs
@@ -8,6 +8,8 @@ import qualified Propellor.Property.Ssh as Ssh
 import qualified Propellor.Property.Postfix as Postfix
 import qualified Propellor.Property.Gpg as Gpg
 import qualified Propellor.Property.Sudo as Sudo
+import qualified Propellor.Property.Borg as Borg
+import qualified Propellor.Property.Cron as Cron
 server :: [Host] -> Property (HasInfo + DebianLike)
 server hosts = propertyList "branchable server" $ props
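Review bot: The rewritten haddock in the Borg.hs hunk drops the old caveat that this property does not encrypt the repository, and that is the security-relevant sentence for anyone picking the property for a host: borg fixes the encryption mode when the repository is initialized, which is exactly the step the new wording now leaves to the operator. Suggest keeping that link explicit, e.g. `-- so that will need to be done once, before-hand; whether the repository is encrypted is decided at that time and is not managed by this property.` The property this comment documents (presumably `backup`, given the example arguments shown) begins after the hunk.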
@@ -37,18 +39,24 @@ server hosts = propertyList "branchable server" $ props & Postfix.installed & Postfix.mainCf ("mailbox_command", "procmail -a \"$EXTENSION\"") - -- Obnam is run by a cron job in ikiwiki-hosting. - & "/etc/obnam.conf" `File.hasContent` - [ "[config]" - , "repository = sftp://joey@eubackup.kitenet.net/home/joey/lib/backup/pell.obnam" - , "log = /var/log/obnam.log" - , "encrypt-with = " ++ obnamkey - , "log-level = info" - , "log-max = 1048576" - , "keep = 7d,5w,12m" - , "upload-queue-size = 128" - , "lru-size = 128" + & Borg.backup "/" "joey@eubackup.kitenet.net:/home/joey/lib/backup/branchable/pell.borg" Cron.Daily + [ "--exclude=/proc/*" + , "--exclude=/sys/*" + , "--exclude=/run/*" + , "--exclude=/tmp/*" + , "--exclude=/var/tmp/*" + , "--exclude=/var/backups/ikiwiki-hosting-web/*" + , "--exclude=/var/cache/*" + , "--exclude=/home/*/source/*" + , "--exclude=/home/*/public_html/*" + , "--exclude=/home/*/.git/*" ] + [ Borg.KeepDays 7 + , Borg.KeepWeeks 5 + , Borg.KeepMonths 12 + , Borg.KeepYears 1 + ] + -- gpg key that can be used to decrypt the borg backup key & Gpg.keyImported (Gpg.GpgKeyId obnamkey) (User "root") & Ssh.userKeys (User "root") (Context "branchable.com") [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2PqTSupwncqeffNwZQXacdEWp7L+TxllIxH7WjfRMb3U74mQxWI0lwqLVW6Fox430DvhSqF1y5rJBvTHh4i49Tc9lZ7mwAxA6jNOP6bmdfteaKKYmUw5qwtJW0vISBFu28qBO11Nq3uJ1D3Oj6N+b3mM/0D3Y3NoGgF8+2dLdi81u9+l6AQ5Jsnozi2Ni/Osx2oVGZa+IQDO6gX8VEP4OrcJFNJe8qdnvItcGwoivhjbIfzaqNNvswKgGzhYLOAS5KT8HsjvIpYHWkyQ5QUX7W/lqGSbjP+6B8C3tkvm8VLXbmaD+aSkyCaYbuoXC2BoJdS7Jh8phKMwPJmdYVepn") diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index f02dc6f0..34b0af44 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
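Review bot: The obnam configuration being removed carried `encrypt-with = obnamkey` in-line, while the replacement `Borg.backup` call has no encryption setting at all, because borg's encryption is fixed when the repository is initialized and `Borg.backup` (per its own documentation in this commit) does not initialize it. Nothing in the hunk records that `pell.borg` has to exist before the daily job can succeed; suggest a comment above the call, `-- pell.borg must be initialized by hand (with encryption) before the first run; Borg.backup does not do that.` The `obnamkey` binding is now the gpg key protecting the borg key, so its name is misleading, but its definition and the enclosing `server` property both extend outside this hunk.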
@@ -520,6 +520,7 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
 & "/etc/aliases" `File.hasPrivContentExposed` ctx
 `onChange` Postfix.newaliases
+ & hasPostfixCert ctx
 & "/etc/postfix/mydomain" `File.containsLines`
 [ "/.*\\.kitenet\\.net/\tOK"
@@ -582,9 +583,9 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
 , "milter_default_action = accept"
 , "# TLS setup -- server"
- , "smtpd_tls_CAfile = /etc/letsencrypt/live/kitenet.net/fullchain.pem"
- , "smtpd_tls_cert_file = /etc/letsencrypt/live/kitenet.net/cert.pem"
- , "smtpd_tls_key_file = /etc/letsencrypt/live/kitenet.net/privkey.pem"
+ , "smtpd_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
 , "smtpd_tls_loglevel = 1"
 , "smtpd_tls_received_header = yes"
 , "smtpd_use_tls = yes"
@@ -592,9 +593,9 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
 , "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
 , "# TLS setup -- client"
- , "smtp_tls_CAfile = /etc/letsencrypt/live/kitenet.net/fullchain.pem"
- , "smtp_tls_cert_file = /etc/letsencrypt/live/kitenet.net/cert.pem"
- , "smtp_tls_key_file = /etc/letsencrypt/live/kitenet.net/privkey.pem"
+ , "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
 , "smtp_tls_loglevel = 1"
 , "smtp_use_tls = yes"
 , "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
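Review bot: In the `-592,9` hunk `smtp_tls_CAfile` now names only the private `joeyca.pem`, so the SMTP client side can no longer validate certificates issued by public CAs; with `smtp_use_tls = yes` in that hunk's context this is opportunistic TLS without verification and nothing breaks today, but anyone later raising `smtp_tls_security_level` to a verifying level would get failures or fallbacks against every remote MX. A main.cf comment in the same style as the existing `"# TLS setup -- client"` entry would record that, e.g. `, "# joeyca.pem only: remote server certs are not verified (opportunistic TLS)"`. The three paths are also repeated verbatim in the `-582,9` hunk and again in the `hasPostfixCert` definition added further down, so top-level bindings for them would keep the installer and main.cf from drifting apart. `kiteMailServer` begins and ends outside these hunks.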
@@ -613,12 +614,6 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
 "!include auth-passwdfile.conf.ext"
 `onChange` Service.restarted "dovecot"
 `describe` "dovecot auth.conf"
- & "/etc/dovecot/conf.d/10-ssl.conf" `File.containsLines`
- [ "ssl_cert = </etc/letsencrypt/live/kitenet.net/fullchain.pem"
- , "ssl_key = </etc/letsencrypt/live/kitenet.net/privkey.pem"
- ]
- `onChange` Service.restarted "dovecot"
- `describe` "dovecot letsencrypt certs"
 & File.hasPrivContent dovecotusers ctx
 `onChange` (dovecotusers `File.mode` combineModes [ownerReadMode, groupReadMode])
@@ -719,6 +714,11 @@ postfixSaslPasswordClient = combineProperties "postfix uses SASL password to aut
 ]
 `onChange` Postfix.reloaded
+hasPostfixCert :: Context -> Property (HasInfo + UnixLike)
+hasPostfixCert ctx = combineProperties "postfix tls cert installed" $ props
+ & "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
+ & "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+
 -- Legacy static web sites and redirections from kitenet.net to newer
 -- sites.
 legacyWebSites :: Property (HasInfo + DebianLike) |
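Review bot: `hasPostfixCert` writes the certificate and key but never tells Postfix about it, whereas `postfixSaslPasswordClient` just above ends with `` `onChange` Postfix.reloaded ``; smtpd processes presumably keep the key material they loaded at startup, so a rotated certificate would only take effect as processes are recycled, and appending `` `onChange` Postfix.reloaded `` to the `hasPostfixCert` property makes the rollout deterministic. The property also has no haddock; suggest `-- | Installs postfix's TLS certificate (public, hence exposed) and its private key from privdata.`, with the mode left implicit since the key going through `File.hasPrivContent` should end up root-only only if that is what the non-exposed variant does, which is worth confirming in File.hs. Separately, the `-613,12` hunk on this line deletes dovecot's ssl_cert/ssl_key lines and nothing in this commit supplies a replacement, so unless another property covers it IMAP TLS presumably reverts to the package default certificate; pointing dovecot at the same two files `hasPostfixCert` installs would close that gap.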
