18 files changed, 199 insertions, 10 deletions
@@ -1 +1 @@
-joeyconfig.hs
\ No newline at end of file
+config-simple.hs
\ No newline at end of file diff --git a/debian/changelog b/debian/changelog index b081d04f..3d9e82cb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +propellor (5.3.4) unstable; urgency=medium + + * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg, + which seems to not work anymore. + Thanks, Russell Sim. + * Firewall: Reorder iptables parameters that are order + dependant to make --to-dest and --to-source work. + Thanks, Russell Sim + + -- Joey Hess <id@joeyh.name> Wed, 21 Mar 2018 14:59:15 -0400 + propellor (5.3.3) unstable; urgency=medium * Warn again about new upstream version when ~/.propellor was cloned from the diff --git a/doc/FreeBSD.mdwn b/doc/FreeBSD.mdwn index 47b9c65b..ca340163 100644 --- a/doc/FreeBSD.mdwn +++ b/doc/FreeBSD.mdwn @@ -6,5 +6,5 @@ additional porting to support FreeBSD. Such properties have types like `Property DebianLike`. The type checker will detect and reject attempts to combine such properties with `Property FreeBSD`. -[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=config-freebsd.hs) +[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/config-freebsd.hs) which configures a FreeBSD system, as well as a Linux one. diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn new file mode 100644 index 00000000..a918a402 --- /dev/null +++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn @@ -0,0 +1 @@ +Maybe we could use deb.debian.org/debian-security instead of security.debian.org in Apt properties. What do you think about this? diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment new file mode 100644 index 00000000..8565ee93 --- /dev/null 
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment @@ -0,0 +1,8 @@ +[[!comment format=mdwn + username="spwhitton" + avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb" + subject="comment 1" + date="2018-04-03T00:20:41Z" + content=""" +What would that achieve? +"""]] diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn new file mode 100644 index 00000000..c3260c1c --- /dev/null +++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn @@ -0,0 +1,3 @@ +Hello, + +where can I find practical, working examples on how to use Propellor? For example, how to use Propellor to setup a LAMP debian or ubuntu server. diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment new file mode 100644 index 00000000..b2124dd7 --- /dev/null +++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment @@ -0,0 +1,9 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2018-04-03T22:39:14Z" + content=""" +Mostly I point people at my [personal propellor config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs) +which is quite big, but demos a lot of propellor's features. And unlike +an artificial example, it's always tested and working. +"""]] 
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment new file mode 100644 index 00000000..c5427cd7 --- /dev/null +++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment @@ -0,0 +1,35 @@ +[[!comment format=mdwn + username="picca" + avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c" + subject="comment 14" + date="2018-03-04T10:41:01Z" + content=""" +Hello, sorry to bother you with this BUT :)) + +Now I have the right message which explain how to upgrade my .propellor +(sorry for the french) + + picca@mordor:~$ propellor + Fusion automatique de src/Propellor/Property/Systemd.hs + Fusion automatique de src/Propellor/Property/SiteSpecific/JoeySites.hs + Fusion automatique de src/Propellor/Property/Git.hs + Fusion automatique de src/Propellor/Git/VerifiedBranch.hs + Fusion automatique de src/Propellor/Git.hs + Fusion automatique de src/Propellor/EnsureProperty.hs + Fusion automatique de src/Propellor/DotDir.hs + Fusion automatique de propellor.cabal + Fusion automatique de joeyconfig.hs + Fusion automatique de doc/README.mdwn + Fusion automatique de debian/changelog + ** warning: ** Your ~/.propellor/ is out of date.. + A newer upstream version is available in /usr/src/propellor/propellor.git + To merge it, run: git merge upstream/master + +but when I try to do the merge, I get this error message + + picca@mordor:~/.propellor$ LANG=C git merge upstream/master + fatal: refusing to merge unrelated histories + +How can I help to solve this issue ? + +"""]] 
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn new file mode 100644 index 00000000..3c0853db --- /dev/null +++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn 
@@ -0,0 +1,90 @@ +I've been hitting a problem when importing APT keys on a debian stretch VM. I'm using a property like + + mybox :: Host + mybox = host "henry1.home" $ props + & osDebian (Stable "stretch") X86_64 + & Apt.stdSourcesList + & Apt.unattendedUpgrades + & installKubernetes + + + installKubernetes :: Property DebianLike + installKubernetes = Apt.installed ["kubelet", "kubeadm", "kubectl"] + `requires` Apt.setSourcesListD ["deb http://apt.kubernetes.io/ kubernetes-xenial main"] "google-cloud" + `requires` Apt.trustsKey googleKey + + googleKey :: Apt.AptKey + googleKey = + Apt.AptKey "google-key" $ unlines + [ "-----BEGIN PGP PUBLIC KEY BLOCK-----" + , "" + , "mQENBFUd6rIBCAD6mhKRHDn3UrCeLDp7U5IE7AhhrOCPpqGF7mfTemZYHf/5Jdjx" + , "cOxoSFlK7zwmFr3lVqJ+tJ9L1wd1K6P7RrtaNwCiZyeNPf/Y86AJ5NJwBe0VD0xH" + , "TXzPNTqRSByVYtdN94NoltXUYFAAPZYQls0x0nUD1hLMlOlC2HdTPrD1PMCnYq/N" + , "uL/Vk8sWrcUt4DIS+0RDQ8tKKe5PSV0+PnmaJvdF5CKawhh0qGTklS2MXTyKFoqj" + , "XgYDfY2EodI9ogT/LGr9Lm/+u4OFPvmN9VN6UG+s0DgJjWvpbmuHL/ZIRwMEn/tp" + , "uneaLTO7h1dCrXC849PiJ8wSkGzBnuJQUbXnABEBAAG0QEdvb2dsZSBDbG91ZCBQ" + , "YWNrYWdlcyBBdXRvbWF0aWMgU2lnbmluZyBLZXkgPGdjLXRlYW1AZ29vZ2xlLmNv" + , "bT6JAT4EEwECACgFAlUd6rICGy8FCQWjmoAGCwkIBwMCBhUIAgkKCwQWAgMBAh4B" + , "AheAAAoJEDdGwginMXsPcLcIAKi2yNhJMbu4zWQ2tM/rJFovazcY28MF2rDWGOnc" + , "9giHXOH0/BoMBcd8rw0lgjmOosBdM2JT0HWZIxC/Gdt7NSRA0WOlJe04u82/o3OH" + , "WDgTdm9MS42noSP0mvNzNALBbQnlZHU0kvt3sV1YsnrxljoIuvxKWLLwren/GVsh" + , "FLPwONjw3f9Fan6GWxJyn/dkX3OSUGaduzcygw51vksBQiUZLCD2Tlxyr9NvkZYT" + , "qiaWW78L6regvATsLc9L/dQUiSMQZIK6NglmHE+cuSaoK0H4ruNKeTiQUw/EGFaL" + , "ecay6Qy/s3Hk7K0QLd+gl0hZ1w1VzIeXLo2BRlqnjOYFX4A=" + , "=HVTm" + , "-----END PGP PUBLIC KEY BLOCK-----" + ] + + +the import works fine, but the packages fail to install because the key isn't valid, i can list the key + + root@henry1:~# apt-key list | grep -A 6 google-key + Warning: apt-key output should not be parsed (stdout is not a terminal) + /etc/apt/trusted.gpg.d/google-key.gpg + 
------------------------------------- + pub rsa2048 2015-04-03 [SCEA] [expires: 2018-04-02] + D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F + uid [ unknown] Google Cloud Packages Automatic Signing Key <gc-team@google.com> + + +but i can't export it. I've tried the gpg command listed in the Apt.trustsKey function and running it locally (on the vm) with a local file doesn't work either. + + root@henry1:~# apt-key export D6FA3746A7317B0F + gpg: [don't know]: invalid packet (ctb=00) + gpg: WARNING: nothing exported + gpg: key export failed: Invalid packet + + +Gpg version info + + root@henry1:~# gpg --version + gpg (GnuPG) 2.1.18 + libgcrypt 1.7.6-beta + Copyright (C) 2017 Free Software Foundation, Inc. + License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html> + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Home: /root/.gnupg + Supported algorithms: + Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA + Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, + CAMELLIA128, CAMELLIA192, CAMELLIA256 + Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 + Compression: Uncompressed, ZIP, ZLIB, BZIP2 + +I ended up changing the Apt.trustsKey command to a version which uses apt-key and everything works now + + trustsKey' :: AptKey -> Property DebianLike + trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do + withHandle StdinHandle createProcessSuccess + (proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do + hPutStr h (pubkey k) + hClose h + nukeFile $ f ++ "~" -- gpg dropping + where + desc = "apt trusts key " ++ keyname k + f = aptKeyFile k + +Any thoughts as to why this wouldn't be working? Would it be reasonable to change this command upstream? 
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment new file mode 100644 index 00000000..b1f82b19 --- /dev/null +++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment @@ -0,0 +1,14 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 1""" + date="2018-03-01T22:20:54Z" + content=""" +I added trustsKey in 2014, but my current config is not using +it for anything, so it seems likely it's bitrotted in some way. +And there's no rationalle documented for why it manually drives gpg. + +I've applied your change to use apt-key. + +I wonder if the nukeFile of the "gpg dropping" is actually needed +anymore? +"""]] diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment new file mode 100644 index 00000000..93248324 --- /dev/null +++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment @@ -0,0 +1,11 @@ +[[!comment format=mdwn + username="dominik" + avatar="http://cdn.libravatar.org/avatar/41b0caab63708c0b81d8aeda611afad5" + subject="LUKS desired ;-)" + date="2018-03-01T11:40:27Z" + content=""" +I'd love to use LUKS partitions in Propeller. + +Thanks Joey. + +"""]] diff --git a/doc/index.mdwn b/doc/index.mdwn index 1e3af9dd..264a6f48 100644 --- a/doc/index.mdwn +++ b/doc/index.mdwn @@ -4,7 +4,7 @@ [[Download]] [API documentation](http://hackage.haskell.org/package/propellor) [[Other Documentation|documentation]] -[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=joeyconfig.hs) +[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs) [[Security]] [[Todo]] [[Forum]] 
diff --git a/doc/news/version_5.3.4.mdwn b/doc/news/version_5.3.4.mdwn new file mode 100644 index 00000000..09358138 --- /dev/null +++ b/doc/news/version_5.3.4.mdwn @@ -0,0 +1,8 @@ +propellor 5.3.4 released with [[!toggle text="these changes"]] +[[!toggleable text=""" + * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg, + which seems to not work anymore. + Thanks, Russell Sim. + * Firewall: Reorder iptables parameters that are order + dependant to make --to-dest and --to-source work. + Thanks, Russell Sim"""]]
\ No newline at end of file
diff --git a/privdata/relocate b/privdata/relocate
deleted file mode 100644
index 271692d8..00000000
--- a/privdata/relocate
+++ /dev/null
@@ -1 +0,0 @@
-.joeyconfig
diff --git a/propellor.cabal b/propellor.cabal
index 5f6abc8b..18d28db3 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -1,5 +1,5 @@
 Name: propellor
-Version: 5.3.3
+Version: 5.3.4
 Cabal-Version: >= 1.20
 License: BSD2
 Maintainer: Joey Hess <id@joeyh.name>
diff --git a/src/Propellor/Property/Apt.hs b/src/Propellor/Property/Apt.hs
index d44b5c38..7275205a 100644
--- a/src/Propellor/Property/Apt.hs
+++ b/src/Propellor/Property/Apt.hs
@@ -447,7 +447,7 @@ trustsKey k = trustsKey' k <!> untrustKey k
 trustsKey' :: AptKey -> Property DebianLike
 trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
 withHandle StdinHandle createProcessSuccess
- (proc "gpg" ["--no-default-keyring", "--keyring", f, "--import", "-"]) $ \h -> do
+ (proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
 hPutStr h (pubkey k)
 hClose h
 nukeFile $ f ++ "~" -- gpg dropping
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 736a4458..bbc14473 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -44,8 +44,8 @@ rule c tb tg rs = property ("firewall rule: " <> show r) addIpTable
 toIpTable :: Rule -> [CommandParam]
 toIpTable r = map Param $
 val (ruleChain r) :
- toIpTableArg (ruleRules r) ++
- ["-t", val (ruleTable r), "-j", val (ruleTarget r)]
+ ["-t", val (ruleTable r), "-j", val (ruleTarget r)] ++
+ toIpTableArg (ruleRules r)
 toIpTableArg :: Rules -> [String]
 toIpTableArg Everything = []
diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs
index 8fa236d2..39b4bd84 100644
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
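Review bot: The new `apt-key` call in trustsKey' is still guarded only by `check (not <$> doesFileExist f)`, so a keyring file that already exists but is unusable (the state described in the forum report included in this commit, where the key lists but cannot be exported) is never repaired; the guard should also confirm the existing keyring is actually readable, e.g. by inspecting `apt-key --keyring f list`, or the docstring should say that the property only ever creates the file and never re-imports. The trailing comment `-- gpg dropping` on the nukeFile line is now misleading because gpg is no longer driven directly; suggest `-- apt-key runs gpg internally, which may leave a backup keyring behind`. Keys added this way land in the system-wide trusted keyring (the same thread shows /etc/apt/trusted.gpg.d/) and are therefore trusted for every configured source, not only the one passed to setSourcesListD, which is worth stating in the trustsKey documentation; apt-key has since been deprecated by apt upstream in favour of per-source keyrings, so that is the longer-term direction. trustsKey' continues past the hunk with its where clause defining desc and f.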
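Review bot: The new ordering in toIpTable is load-bearing (per the changelog, --to-dest and --to-source are only accepted once `-j` has named the target) but nothing in the code records that, so a later tidy-up can silently reintroduce the bug this commit fixes; add `-- "-j" must precede target-specific options such as --to-destination, so table and target go before the rule arguments` above the `["-t", val (ruleTable r), "-j", val (ruleTarget r)] ++` line. A unit check that `toIpTable` on a rule with such an option yields `-j` before the option would pin the behaviour, since the ordering is not otherwise type-enforced. The enclosing rule property and addIpTable, which consume this list, lie outside the hunk.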
@@ -217,7 +217,7 @@ machined = withOS "machined installed" $ \w o -> -- to bootstrap. -- -- > container "webserver" $ \d -> Chroot.debootstrapped mempty d $ props --- > & osDebian Unstable X86_64 +-- > & osDebian Unstable X86_64 -- > & Apt.installedRunning "apache2" -- > & ... container :: MachineName -> (FilePath -> Chroot.Chroot) -> Container @@ -238,7 +238,7 @@ container name mkchroot = -- to bootstrap. -- -- > debContainer "webserver" $ props --- > & osDebian Unstable X86_64 +-- > & osDebian Unstable X86_64 -- > & Apt.installedRunning "apache2" -- > & ... debContainer :: MachineName -> Props metatypes -> Container |
