Merge branch 'joeyconfig'

1 files changed, 378 insertions, 10 deletions

diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index c770907b..fa8773de 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -14,12 +14,14 @@ import qualified Propellor.Property.Service as Service
 import qualified Propellor.Property.User as User
 import qualified Propellor.Property.Obnam as Obnam
 import qualified Propellor.Property.Apache as Apache
+import qualified Propellor.Property.Postfix as Postfix
 import Utility.SafeCommand
 import Utility.FileMode
 import Utility.Path
 
 import Data.List
 import System.Posix.Files
+import Data.String.Utils
 
 oldUseNetServer :: [Host] -> Property
 oldUseNetServer hosts = propertyList ("olduse.net server")
@@ -59,9 +61,7 @@ oldUseNetServer hosts = propertyList ("olduse.net server")
 		, "  <Directory " ++ datadir ++ "/>"
 		, "    Options Indexes FollowSymlinks"
 		, "    AllowOverride None"
-		-- I had this in the file before.
-		-- This may be needed by a newer version of apache?
-		--, "    Require all granted"
+		, Apache.allowAll
 		, "  </Directory>"
 		]
 	]
@@ -114,11 +114,11 @@ mumbleServer hosts = combineProperties hn
 	[ Apt.serviceInstalledRunning "mumble-server"
 	, Obnam.latestVersion
 	, Obnam.backup "/var/lib/mumble-server" "55 5 * * *"
-		[ "--repository=sftp://joey@turtle.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam"
+		[ "--repository=sftp://joey@usbackup.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam"
 		, "--client-name=mumble"
 		] Obnam.OnlyClient
 		`requires` Ssh.keyImported SshRsa "root" (Context hn)
-		`requires` Ssh.knownHost hosts "turtle.kitenet.net" "root"
+		`requires` Ssh.knownHost hosts "usbackup.kitenet.net" "root"
 	, trivial $ cmdProperty "chown" ["-R", "mumble-server:mumble-server", "/var/lib/mumble-server"]
 	]
   where
@@ -142,7 +142,7 @@ gitServer hosts = propertyList "git.kitenet.net setup"
 	, Obnam.backup "/srv/git" "33 3 * * *"
 		[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
 		, "--encrypt-with=1B169BE1"
-		, "--client-name=wren"
+		, "--client-name=wren" -- historical
 		] Obnam.OnlyClient
 		`requires` Gpg.keyImported "1B169BE1" "root"
 		`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
@@ -191,8 +191,8 @@ gitServer hosts = propertyList "git.kitenet.net setup"
 type AnnexUUID = String
 
 -- | A website, with files coming from a git-annex repository.
-annexWebSite :: [Host] -> Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property
-annexWebSite hosts origin hn uuid remotes = propertyList (hn ++" website using git-annex")
+annexWebSite :: Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property
+annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-annex")
 	[ Git.cloned "joey" origin dir Nothing
 		`onChange` setup
 	, postupdatehook `File.hasContent`
@@ -206,8 +206,6 @@ annexWebSite hosts origin hn uuid remotes = propertyList (hn ++" website using g
 	dir = "/srv/web/" ++ hn
 	postupdatehook = dir </> ".git/hooks/post-update"
 	setup = userScriptProperty "joey" setupscript
-		`requires` Ssh.keyImported SshRsa "joey" (Context hn)
-		`requires` Ssh.knownHost hosts "turtle.kitenet.net" "joey"
 	setupscript = 
 		[ "cd " ++ shellEscape dir
 		, "git config annex.uuid " ++ shellEscape uuid
@@ -348,8 +346,27 @@ githubBackup = propertyList "github-backup box"
 	, let f = "/home/joey/.github-keys"
 	  in File.hasPrivContent f anyContext
 		`onChange` File.ownerGroup f "joey" "joey"
+	, Cron.niceJob "github-backup run" "30 4 * * *" "joey"
+		"/home/joey/lib/backup" $ intercalate "&&"
+			[ "mkdir -p github"
+			, "cd github"
+			, ". $HOME/.github-keys && github-backup joeyh"
+			]
 	]
 
+rsyncNetBackup :: [Host] -> Property
+rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" "30 5 * * *"
+	"joey" "/home/joey/lib/backup" "mkdir -p rsync.net && rsync --delete -az 2318@usw-s002.rsync.net: rsync.net"
+	`requires` Ssh.knownHost hosts "usw-s002.rsync.net" "joey"
+
+backupsBackedupTo :: [Host] -> HostName -> FilePath -> Property
+backupsBackedupTo hosts desthost destdir = Cron.niceJob desc
+	"1 1 * * 3" "joey" "/" cmd
+	`requires` Ssh.knownHost hosts desthost "joey"
+  where
+	desc = "backups copied to " ++ desthost ++ " weekly"
+	cmd = "rsync -az --delete /home/joey/lib/backup " ++ desthost ++ ":" ++ destdir
+
 obnamRepos :: [String] -> Property
 obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs)
 	(mkbase : map mkrepo rs)
@@ -360,3 +377,354 @@ obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs)
 	mkdir d = File.dirExists d
 		`before` File.ownerGroup d "joey" "joey"
 
+podcatcher :: Property
+podcatcher = Cron.niceJob "podcatcher run hourly" "55 * * * *"
+	"joey" "/home/joey/lib/sound/podcasts"
+	"xargs git-annex importfeed -c annex.genmetadata=true < feeds; mr --quiet update"
+	`requires` Apt.installed ["git-annex", "myrepos"]
+
+kiteMailServer :: Property
+kiteMailServer = propertyList "kitenet.net mail server"
+	[ Postfix.installed
+	, Apt.installed ["postfix-pcre"]
+	, Apt.serviceInstalledRunning "postgrey"
+
+	, Apt.serviceInstalledRunning "spamassassin"
+	, "/etc/default/spamassassin" `File.containsLines`
+		[ "# Propellor deployed"
+		, "ENABLED=1"
+		, "CRON=1"
+		, "OPTIONS=\"--create-prefs --max-children 5 --helper-home-dir\""
+		, "CRON=1"
+		, "NICE=\"--nicelevel 15\""
+		] `onChange` Service.restarted "spamassassin"
+		`describe` "spamd enabled"
+		`requires` Apt.serviceInstalledRunning "cron"
+	
+	, Apt.serviceInstalledRunning "spamass-milter"
+	-- Add -m to prevent modifying messages Subject or body.
+	, "/etc/default/spamass-milter" `File.containsLine`
+		"OPTIONS=\"-m -u spamass-milter -i 127.0.0.1\""
+		`onChange` Service.restarted "spamass-milter"
+		`describe` "spamass-milter configured"
+	
+	, Apt.serviceInstalledRunning "amavisd-milter"
+	, "/etc/default/amavisd-milter" `File.containsLines`
+		[ "# Propellor deployed"
+		, "MILTERSOCKET=/var/spool/postfix/amavis/amavis.sock"
+		, "MILTERSOCKETOWNER=\"postfix:postfix\""
+		, "MILTERSOCKETMODE=\"0660\""
+		]
+		`onChange` Service.restarted "amavisd-milter"
+		`describe` "amavisd-milter configured for postfix"
+	, Apt.serviceInstalledRunning "clamav-freshclam"
+
+	, Apt.installed ["maildrop"]
+	, "/etc/maildroprc" `File.hasContent`
+		[ "# Global maildrop filter file (deployed with propellor)"
+		, "DEFAULT=\"$HOME/Maildir\""
+		, "MAILBOX=\"$DEFAULT/.\""
+		, "# Filter spam to a spam folder, unless .keepspam exists"
+		, "if (/^X-Spam-Status: Yes/)"
+		, "{"
+		, "  `test -e \"$HOME/.keepspam\"`"
+		, "  if ( $RETURNCODE != 0 )"
+		, "  to ${MAILBOX}spam"
+		, "}"
+		]
+		`describe` "maildrop configured"
+
+	, "/etc/aliases" `File.hasPrivContentExposed` ctx
+		`onChange` Postfix.newaliases
+	, hasJoeyCAChain
+	, "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
+	, "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+
+	, "/etc/postfix/mydomain" `File.containsLines`
+		[ "/.*\\.kitenet\\.net/\tOK"
+		, "/ikiwiki\\.info/\tOK"
+		, "/joeyh\\.name/\tOK"
+		]
+		`onChange` Postfix.reloaded
+		`describe` "postfix mydomain file configured"
+	, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
+		"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
+		`onChange` Postfix.reloaded
+		`describe` "postfix obscure_client_relay file configured"
+	, Postfix.mappedFile "/etc/postfix/virtual"
+		(flip File.containsLines
+			[ "# *@joeyh.name to joey"
+			, "@joeyh.name\tjoey"
+			]
+		) `describe` "postfix virtual file configured"
+		`onChange` Postfix.reloaded
+	, Postfix.mappedFile "/etc/postfix/relay_clientcerts" $
+		flip File.hasPrivContentExposed ctx
+	, Postfix.mainCfFile `File.containsLines`
+		[ "myhostname = kitenet.net"
+		, "mydomain = $myhostname"
+		, "append_dot_mydomain = no"
+		, "myorigin = kitenet.net"
+		, "mydestination = $myhostname, localhost.$mydomain, $mydomain, kite.$mydomain., localhost, regexp:$config_directory/mydomain"
+		, "mailbox_command = maildrop"
+		, "virtual_alias_maps = hash:/etc/postfix/virtual"
+
+		, "# Allow clients with trusted certs to relay mail through."
+		, "relay_clientcerts = hash:/etc/postfix/relay_clientcerts"
+		, "smtpd_relay_restrictions = permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject_unauth_destination"
+
+		, "# Filter out client relay lines from headers."
+		, "header_checks = pcre:$config_directory/obscure_client_relay.pcre"
+
+		, "# Enable postgrey."
+		, "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
+
+		, "# Enable spamass-milter and amavis-milter."
+		, "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock"
+		, "milter_connect_macros = j {daemon_name} v {if_name} _"
+
+		, "# TLS setup -- server"
+		, "smtpd_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+		, "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+		, "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
+		, "smtpd_tls_loglevel = 1"
+		, "smtpd_tls_received_header = yes"
+		, "smtpd_use_tls = yes"
+		, "smtpd_tls_ask_ccert = yes"
+		, "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
+
+		, "# TLS setup -- client"
+		, "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+		, "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
+		, "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
+		, "smtp_tls_loglevel = 1"
+		, "smtp_use_tls = yes"
+		, "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
+		]
+		`onChange` Postfix.dedupMainCf
+		`onChange` Postfix.reloaded
+		`describe` "postfix configured"
+	
+	, Apt.serviceInstalledRunning "dovecot-imapd"
+	, Apt.serviceInstalledRunning "dovecot-pop3d"
+	, "/etc/dovecot/conf.d/10-mail.conf" `File.containsLine`
+		"mail_location = maildir:~/Maildir"
+		`onChange` Service.reloaded "dovecot"
+		`describe` "dovecot mail.conf"
+	, "/etc/dovecot/conf.d/10-auth.conf" `File.containsLine`
+		"!include auth-passwdfile.conf.ext"
+		`onChange` Service.restarted "dovecot"
+		`describe` "dovecot auth.conf"
+	, File.hasPrivContent dovecotusers ctx
+		`onChange` (dovecotusers `File.mode`
+			combineModes [ownerReadMode, groupReadMode])
+	, File.ownerGroup dovecotusers "root" "dovecot"
+
+	, Apt.installed ["mutt", "bsd-mailx", "alpine"]
+
+	, pinescript `File.hasContent`
+		[ "#!/bin/sh"
+		, "# deployed with propellor"
+		, "set -e"
+		, "pass=$HOME/.pine-password"
+		, "if [ ! -e $pass ]; then"
+		, "\ttouch $pass"
+		, "fi"
+		, "chmod 600 $pass"
+		, "exec alpine -passfile $pass \"$@\""
+		]
+		`onChange` (pinescript `File.mode`
+			combineModes (readModes ++ executeModes))
+		`describe` "pine wrapper script"
+	, "/etc/pine.conf" `File.containsLines`
+		[ "inbox-path={localhost/novalidate-cert}inbox"
+		]
+		`describe` "pine configured to use local imap server"
+	]
+  where
+	ctx = Context "kitenet.net"
+	pinescript = "/usr/local/bin/pine"
+	dovecotusers = "/etc/dovecot/users"
+
+hasJoeyCAChain :: Property
+hasJoeyCAChain = "/etc/ssl/certs/joeyca.pem" `File.hasPrivContentExposed`
+	Context "joeyca.pem"
+
+kitenetHttps :: Property
+kitenetHttps = propertyList "kitenet.net https certs"
+	[ File.hasPrivContent "/etc/ssl/certs/web.pem" ctx
+	, File.hasPrivContent "/etc/ssl/private/web.pem" ctx
+	, File.hasPrivContent "/etc/ssl/certs/startssl.pem" ctx
+	, toProp $ Apache.modEnabled "ssl"
+	]
+  where
+	ctx = Context "kitenet.net"
+
+-- Legacy static web sites and redirections from kitenet.net to newer
+-- sites.
+legacyWebSites :: Property
+legacyWebSites = propertyList "legacy web sites"
+	[ Apt.serviceInstalledRunning "apache2"
+	, toProp $ Apache.modEnabled "rewrite"
+	, toProp $ Apache.modEnabled "cgi"
+	, toProp $ Apache.modEnabled "speling"
+	, userDirHtml
+	, kitenetHttps
+	, toProp $ Apache.siteEnabled "kitenet.net" $ apachecfg "kitenet.net" True
+		-- /var/www is empty
+		[ "DocumentRoot /var/www"
+		, "<Directory /var/www>"
+		, "  Options Indexes FollowSymLinks MultiViews ExecCGI Includes"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+		, "ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/"
+
+		-- for mailman cgi scripts
+		, "<Directory /usr/lib/cgi-bin>"
+		, "  AllowOverride None"
+		, "  Options ExecCGI"
+		, Apache.allowAll
+		, "</Directory>"
+		, "Alias /pipermail/ /var/lib/mailman/archives/public/"
+		, "<Directory /var/lib/mailman/archives/public/>"
+		, "  Options Indexes MultiViews FollowSymlinks"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+		, "Alias /images/ /usr/share/images/"
+		, "<Directory /usr/share/images/>"
+		, "  Options Indexes MultiViews"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+
+		, "RewriteEngine On"
+		, "# Force hostname to kitenet.net"
+		, "RewriteCond %{HTTP_HOST} !^kitenet\\.net [NC]"
+		, "RewriteCond %{HTTP_HOST} !^$"
+		, "RewriteRule ^/(.*) http://kitenet\\.net/$1 [L,R]"
+
+		, "# Moved pages"
+		, "RewriteRule /programs/debhelper http://joeyh.name/code/debhelper/ [L]"
+		, "RewriteRule /programs/satutils http://joeyh.name/code/satutils/ [L]"
+		, "RewriteRule /programs/filters http://joeyh.name/code/filters/ [L]"
+		, "RewriteRule /programs/ticker http://joeyh.name/code/ticker/ [L]"
+		, "RewriteRule /programs/pdmenu http://joeyh.name/code/pdmenu/ [L]"
+		, "RewriteRule /programs/sleepd http://joeyh.name/code/sleepd/ [L]"
+		, "RewriteRule /programs/Lingua::EN::Words2Nums http://joeyh.name/code/Words2Nums/ [L]"
+		, "RewriteRule /programs/wmbattery http://joeyh.name/code/wmbattery/ [L]"
+		, "RewriteRule /programs/dpkg-repack http://joeyh.name/code/dpkg-repack/ [L]"
+		, "RewriteRule /programs/debconf http://joeyh.name/code/debconf/ [L]"
+		, "RewriteRule /programs/perlmoo http://joeyh.name/code/perlmoo/ [L]"
+		, "RewriteRule /programs/alien http://joeyh.name/code/alien/ [L]"
+		, "RewriteRule /~joey/blog/entry/(.+)-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9].html http://joeyh.name/blog/entry/$1/ [L]"
+		, "RewriteRule /~anna/.* http://waldeneffect\\.org/ [R]"
+		, "RewriteRule /~anna/.* http://waldeneffect\\.org/ [R]"
+		, "RewriteRule /~anna http://waldeneffect\\.org/ [R]"
+		, "RewriteRule /simpleid/ http://openid.kitenet.net:8081/simpleid/"
+		, "# Even the kite home page is not here any more!"
+		, "RewriteRule ^/$ http://www.kitenet.net/ [R]"
+		, "RewriteRule ^/index.html http://www.kitenet.net/ [R]"
+		, "RewriteRule ^/joey http://www.kitenet.net/joey/ [R]"
+		, "RewriteRule ^/joey/index.html http://www.kitenet.net/joey/ [R]"
+		, "RewriteRule ^/wifi http://www.kitenet.net/wifi/ [R]"
+		, "RewriteRule ^/wifi/index.html http://www.kitenet.net/wifi/ [R]"
+		
+		, "# Old ikiwiki filenames for kitenet.net wiki."
+		, "rewritecond $1 !^/~"
+		, "rewritecond $1 !^/doc/"
+		, "rewritecond $1 !^/pipermail/"
+		, "rewritecond $1 !^/cgi-bin/"
+		, "rewritecond $1 !.*/index$"
+		, "rewriterule (.+).html$ $1/ [r]"
+
+		, "# Old ikiwiki filenames for joey's wiki."
+		, "rewritecond $1 ^/~joey/"
+		, "rewritecond $1 !.*/index$"
+		, "rewriterule (.+).html$ http://kitenet.net/$1/ [L,R]"
+
+		, "# ~joey to joeyh.name"
+		, "rewriterule /~joey/(.*) http://joeyh.name/$1 [L]"
+
+		, "# Old familywiki location."
+		, "rewriterule /~family/(.*).html http://family.kitenet.net/$1 [L]"
+		, "rewriterule /~family/(.*).rss http://family.kitenet.net/$1/index.rss [L]"
+		, "rewriterule /~family(.*) http://family.kitenet.net$1 [L]"
+
+		, "rewriterule /~kyle/bywayofscience(.*) http://bywayofscience.branchable.com$1 [L]"
+		, "rewriterule /~kyle/family/wiki/(.*).html http://macleawiki.branchable.com/$1 [L]"
+		, "rewriterule /~kyle/family/wiki/(.*).rss http://macleawiki.branchable.com/$1/index.rss [L]"
+		, "rewriterule /~kyle/family/wiki(.*) http://macleawiki.branchable.com$1 [L]"
+		]
+	, alias "anna.kitenet.net"
+	, toProp $ Apache.siteEnabled "anna.kitenet.net" $ apachecfg "anna.kitenet.net" False
+		[ "DocumentRoot /home/anna/html"
+		, "<Directory /home/anna/html/>"
+		, "  Options Indexes ExecCGI"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+		]
+	, alias "sows-ear.kitenet.net"
+	, alias "www.sows-ear.kitenet.net"
+	, toProp $ Apache.siteEnabled "sows-ear.kitenet.net" $ apachecfg "sows-ear.kitenet.net" False
+		[ "ServerAlias www.sows-ear.kitenet.net"
+		, "DocumentRoot /srv/web/sows-ear.kitenet.net"
+		, "<Directory /srv/web/sows-ear.kitenet.net>"
+		, "  Options FollowSymLinks"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+		]
+	, alias "wortroot.kitenet.net"
+	, alias "www.wortroot.kitenet.net"
+	, toProp $ Apache.siteEnabled "wortroot.kitenet.net" $ apachecfg "wortroot.kitenet.net" False
+		[ "ServerAlias www.wortroot.kitenet.net"
+		, "DocumentRoot /srv/web/wortroot.kitenet.net"
+		, "<Directory /srv/web/wortroot.kitenet.net>"
+		, "  Options FollowSymLinks"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+		]
+	, alias "creeksidepress.com"
+	, toProp $ Apache.siteEnabled "creeksidepress.com" $ apachecfg "creeksidepress.com" False
+		[ "ServerAlias www.creeksidepress.com"
+		, "DocumentRoot /srv/web/www.creeksidepress.com"
+		, "<Directory /srv/web/www.creeksidepress.com>"
+		, "  Options FollowSymLinks"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+		]
+	, alias "joey.kitenet.net"
+	, toProp $ Apache.siteEnabled "joey.kitenet.net" $ apachecfg "joey.kitenet.net" False
+		[ "DocumentRoot /home/joey/html"
+		, "<Directory /home/joey/html/>"
+		, "  Options Indexes ExecCGI"
+		, "  AllowOverride None"
+		, Apache.allowAll
+		, "</Directory>"
+
+		, "RewriteEngine On"
+
+		, "# Old ikiwiki filenames for joey's wiki."
+		, "rewritecond $1 !.*/index$"
+		, "rewriterule (.+).html$ http://joeyh.name/$1/ [l]"
+
+		, "rewritecond $1 !.*/index$"
+		, "rewriterule (.+).rss$ http://joeyh.name/$1/index.rss [l]"
+		
+		, "# Redirect all to joeyh.name."
+		, "rewriterule (.*) http://joeyh.name$1 [r]"
+		]
+	]
+
+userDirHtml :: Property
+userDirHtml = File.fileProperty "apache userdir is html" (map munge) conf
+	`onChange` Apache.reloaded
+	`requires` (toProp $ Apache.modEnabled "userdir")
+  where
+	munge = replace "public_html" "html"
+	conf = "/etc/apache2/mods-available/userdir.conf"