Diffstat (limited to 'src/Propellor/Property/SiteSpecific')
| -rw-r--r-- | src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs | 10 | ||||
| -rw-r--r-- | src/Propellor/Property/SiteSpecific/JoeySites.hs | 97 |
2 files changed, 66 insertions, 41 deletions
diff --git a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs index 7fc523f9..102e6a1d 100644 --- a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs +++ b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs @@ -9,7 +9,7 @@ import qualified Propellor.Property.Cron as Cron import qualified Propellor.Property.Ssh as Ssh import qualified Propellor.Property.File as File import qualified Propellor.Property.Docker as Docker -import Propellor.Property.Cron (CronTimes) +import Propellor.Property.Cron (Times) builduser :: UserName builduser = "builder" @@ -25,7 +25,7 @@ builddir = gitbuilderdir </> "build" type TimeOut = String -- eg, 5h -autobuilder :: Architecture -> CronTimes -> TimeOut -> Property HasInfo +autobuilder :: Architecture -> Times -> TimeOut -> Property HasInfo autobuilder arch crontimes timeout = combineProperties "gitannexbuilder" $ props & Apt.serviceInstalledRunning "cron" & Cron.niceJob "gitannexbuilder" crontimes builduser gitbuilderdir @@ -102,10 +102,10 @@ standardAutoBuilderContainer dockerImage arch buildminute timeout = Docker.conta & User.accountFor builduser & tree arch & buildDepsApt - & autobuilder arch (show buildminute ++ " * * * *") timeout + & autobuilder arch (Cron.Times $ show buildminute ++ " * * * *") timeout & Docker.tweaked -androidAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Docker.Container +androidAutoBuilderContainer :: (System -> Docker.Image) -> Times -> TimeOut -> Docker.Container androidAutoBuilderContainer dockerImage crontimes timeout = androidContainer dockerImage "android-git-annex-builder" (tree "android") builddir & Apt.unattendedUpgrades 
@@ -166,7 +166,7 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder- & Ssh.authorizedKeys builduser (Context "armel-git-annex-builder") & Docker.tweaked -armelAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Docker.Container +armelAutoBuilderContainer :: (System -> Docker.Image) -> Times -> TimeOut -> Docker.Container armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "armel-git-annex-builder" (dockerImage $ System (Debian Unstable) "armel") & os (System (Debian Testing) "armel") diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 34a5f02f..9644cb72 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -24,6 +24,7 @@ import Data.String.Utils oldUseNetServer :: [Host] -> Property HasInfo oldUseNetServer hosts = propertyList "olduse.net server" $ props + & Apt.installed ["leafnode"] & oldUseNetInstalled "oldusenet-server" & Obnam.latestVersion & oldUseNetBackup @@ -32,7 +33,6 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props removeDirectoryRecursive newsspool createSymbolicLink (datadir </> "news") newsspool ) - & Apt.installed ["leafnode"] & "/etc/news/leafnode/config" `File.hasContent` [ "# olduse.net configuration (deployed by propellor)" , "expire = 1000000" -- no expiry via texpire 
@@ -45,8 +45,8 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props & Apt.serviceInstalledRunning "openbsd-inetd" & File.notPresent "/etc/cron.daily/leafnode" & File.notPresent "/etc/cron.d/leafnode" - & Cron.niceJob "oldusenet-expire" "11 1 * * *" "news" newsspool expirecommand - & Cron.niceJob "oldusenet-uucp" "*/5 * * * *" "news" "/" uucpcommand + & Cron.niceJob "oldusenet-expire" (Cron.Times "11 1 * * *") "news" newsspool expirecommand + & Cron.niceJob "oldusenet-uucp" (Cron.Times "*/5 * * * *") "news" "/" uucpcommand & Apache.siteEnabled "nntp.olduse.net" nntpcfg where newsspool = "/var/spool/news" @@ -65,12 +65,14 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props , " </Directory>" ] - oldUseNetBackup = Obnam.backup datadir "33 4 * * *" + oldUseNetBackup = Obnam.backup datadir (Cron.Times "33 4 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/olduse.net" , "--client-name=spool" + , "--ssh-key=" ++ keyfile ] Obnam.OnlyClient - `requires` Ssh.keyImported SshRsa "root" (Context "olduse.net") + `requires` Ssh.keyImported' (Just keyfile) SshRsa "root" (Context "olduse.net") `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" + keyfile = "/root/.ssh/olduse.net.key" oldUseNetShellBox :: Property HasInfo oldUseNetShellBox = propertyList "olduse.net shellbox" $ props 
@@ -113,12 +115,12 @@ mumbleServer :: [Host] -> Property HasInfo mumbleServer hosts = combineProperties hn $ props & Apt.serviceInstalledRunning "mumble-server" & Obnam.latestVersion - & Obnam.backup "/var/lib/mumble-server" "55 5 * * *" - [ "--repository=sftp://joey@usbackup.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam" + & Obnam.backup "/var/lib/mumble-server" (Cron.Times "55 5 * * *") + [ "--repository=sftp://2318@usw-s002.rsync.net/~/" ++ hn ++ ".obnam" , "--client-name=mumble" ] Obnam.OnlyClient `requires` Ssh.keyImported SshRsa "root" (Context hn) - `requires` Ssh.knownHost hosts "usbackup.kitenet.net" "root" + `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" & trivial (cmdProperty "chown" ["-R", "mumble-server:mumble-server", "/var/lib/mumble-server"]) where hn = "mumble.debian.net" @@ -129,8 +131,8 @@ obnamLowMem = combineProperties "obnam tuned for low memory use" , "/etc/obnam.conf" `File.containsLines` [ "[config]" , "# Suggested by liw to keep Obnam memory consumption down (at some speed cost)." - , "upload-queue-size = 128" - , "lru-size = 128" + , "upload-queue-size = 96" + , "lru-size = 96" ] ] 
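Review bot: The mumble backup is moved to the shared 2318@usw-s002.rsync.net account but, unlike the olduse.net and git.kitenet.net backups in this same commit, it keeps `Ssh.keyImported SshRsa "root" (Context hn)` with no `--ssh-key=` option, so it authenticates with root's default identity rather than a dedicated per-service key. Any other use of root's default key on this host then shares the identity that is authorized on the backup account, which is what the dedicated-key pattern elsewhere avoids. Mirroring that pattern means adding `, "--ssh-key=" ++ keyfile` to the option list, changing the requires line to `Ssh.keyImported' (Just keyfile) SshRsa "root" (Context hn)`, and defining `keyfile = "/root/.ssh/" ++ hn ++ ".key"` in the where clause. mumbleServer's body continues outside the hunk.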
@@ -138,20 +140,20 @@ obnamLowMem = combineProperties "obnam tuned for low memory use" gitServer :: [Host] -> Property HasInfo gitServer hosts = propertyList "git.kitenet.net setup" $ props & Obnam.latestVersion - & Obnam.backupEncrypted "/srv/git" "33 3 * * *" + & Obnam.backupEncrypted "/srv/git" (Cron.Times "33 3 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" + , "--ssh-key=" ++ sshkey , "--client-name=wren" -- historical ] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1") - `requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net") + `requires` Ssh.keyImported' (Just sshkey) SshRsa "root" (Context "git.kitenet.net") `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` User.accountFor "family" & Apt.installed ["git", "rsync", "gitweb"] - -- backport avoids channel flooding on branch merge - & Apt.installedBackport ["kgb-client"] - -- backport supports ssh event notification - & Apt.installedBackport ["git-annex"] + & Apt.installed ["git-annex"] + & Apt.installed ["kgb-client"] & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext + `requires` File.dirExists "/etc/kgb-bot/" & Git.daemonRunning "/srv/git" & "/etc/gitweb.conf" `File.containsLines` [ "$projectroot = '/srv/git';" @@ -168,6 +170,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props & website "git.joeyh.name" & Apache.modEnabled "cgi" where + sshkey = "/root/.ssh/git.kitenet.net.key" website hn = apacheSite hn True [ " DocumentRoot /srv/web/git.kitenet.net/" , " <Directory /srv/web/git.kitenet.net/>" @@ -175,6 +178,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.cgi" + , Apache.allowAll , " </Directory>" , "" , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" 
@@ -204,7 +208,7 @@ annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-ann setup = userScriptProperty "joey" setupscript setupscript = [ "cd " ++ shellEscape dir - , "git config annex.uuid " ++ shellEscape uuid + , "git annex reinit " ++ shellEscape uuid ] ++ map addremote remotes ++ [ "git annex get" , "git update-server-info" @@ -217,14 +221,14 @@ annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-ann , " <Directory /srv/web/"++hn++">" , " Options FollowSymLinks" , " AllowOverride None" + , Apache.allowAll , " </Directory>" , " <Directory /srv/web/"++hn++">" , " Options Indexes FollowSymLinks ExecCGI" , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.html index.cgi" - , " Order allow,deny" - , " allow from all" + , Apache.allowAll , " </Directory>" ] @@ -252,8 +256,7 @@ apachecfg hn withssl middle , " <Directory \"/usr/share/apache2/icons\">" , " Options Indexes MultiViews" , " AllowOverride None" - , " Order allow,deny" - , " Allow from all" + , Apache.allowAll , " </Directory>" , "</VirtualHost>" ] @@ -288,6 +291,22 @@ gitAnnexDistributor = combineProperties "git-annex distributor, including rsync , File.ownerGroup d "joey" "joey" ] +downloads :: [Host] -> Property HasInfo +downloads hosts = annexWebSite "/srv/git/downloads.git" + "downloads.kitenet.net" + "840760dc-08f0-11e2-8c61-576b7e66acfd" + [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")] + `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey" + +tmp :: Property HasInfo +tmp = propertyList "tmp.kitenet.net" $ props + & annexWebSite "/srv/git/joey/tmp.git" + "tmp.kitenet.net" + "26fd6e38-1226-11e2-a75f-ff007033bdba" + [] + & twitRss + & pumpRss + -- Twitter, you kill us. twitRss :: Property HasInfo twitRss = combineProperties "twitter rss" $ props 
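Review bot: In the second hunk here (the apache config in annexWebSite) the two consecutive `<Directory /srv/web/"++hn++">` blocks now both end in `Apache.allowAll`, and because they name the same path the second block's `Options`, `AllowOverride`, `AddHandler` and `DirectoryIndex` directives supersede the first as far as I can tell, leaving `Options FollowSymLinks` in the first block with no effect. Dropping the first block (the four lines from its opening `<Directory` to its `</Directory>`) leaves one place where the access rule for the site root is stated, which is easier to audit than two blocks that must be read together. The enclosing `annexWebSite` starts and ends outside the hunk.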
@@ -297,7 +316,7 @@ twitRss = combineProperties "twitter rss" $ props & feed "http://twitter.com/search/realtime?q=olduse+OR+git-annex+OR+debhelper+OR+etckeeper+OR+ikiwiki+-ashley_ikiwiki" "twittergrep" where dir = "/srv/web/tmp.kitenet.net/twitrss" - crontime = "15 * * * *" + crontime = Cron.Times "15 * * * *" feed url desc = Cron.job desc crontime "joey" dir $ "./twitRss " ++ shellEscape url ++ " > " ++ shellEscape ("../" ++ desc ++ ".rss") compiled = userScriptProperty "joey" @@ -311,9 +330,8 @@ twitRss = combineProperties "twitter rss" $ props ] -- Work around for expired ssl cert. --- (no longer expired, TODO remove this and change urls) pumpRss :: Property NoInfo -pumpRss = Cron.job "pump rss" "15 * * * *" "joey" "/srv/web/tmp.kitenet.net/" +pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/" "wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null" ircBouncer :: Property HasInfo @@ -323,7 +341,7 @@ ircBouncer = propertyList "IRC bouncer" $ props & File.dirExists (takeDirectory conf) & File.hasPrivContent conf anyContext & File.ownerGroup conf "znc" "znc" - & Cron.job "znconboot" "@reboot" "znc" "~" "znc" + & Cron.job "znconboot" (Cron.Times "@reboot") "znc" "~" "znc" -- ensure running if it was not already & trivial (userScriptProperty "znc" ["znc || true"]) `describe` "znc running" @@ -347,9 +365,9 @@ githubBackup :: Property HasInfo githubBackup = propertyList "github-backup box" $ props & Apt.installed ["github-backup", "moreutils"] & githubKeys - & Cron.niceJob "github-backup run" "30 4 * * *" "joey" + & Cron.niceJob "github-backup run" (Cron.Times "30 4 * * *") "joey" "/home/joey/lib/backup" backupcmd - & Cron.niceJob "gitriddance" "30 4 * * *" "joey" + & Cron.niceJob "gitriddance" (Cron.Times "30 4 * * *") "joey" "/home/joey/lib/backup" gitriddancecmd where backupcmd = intercalate "&&" $ 
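Review bot: The pumpRss hunk deletes the `-- (no longer expired, TODO remove this and change urls)` reminder but keeps `--no-check-certificate` in the wget command, so TLS verification for https://pump2rss.com stays disabled with no remaining note that this was meant to be temporary. If the certificate now validates the flag should simply go; if it still fails, the surviving workaround comment should say so and be dated, e.g. `-- pump2rss.com cert still fails verification as of <DATE>; revisit`. The fetched feed is written into the web-served directory the job runs in, so an unverified fetch is worth keeping visible rather than silently permanent.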
@@ -385,17 +403,17 @@ githubMirrors = plzuseurl u = "please submit changes to " ++ u ++ " instead of using github pull requests" rsyncNetBackup :: [Host] -> Property NoInfo -rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" "30 5 * * *" +rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" (Cron.Times "30 5 * * *") "joey" "/home/joey/lib/backup" "mkdir -p rsync.net && rsync --delete -az 2318@usw-s002.rsync.net: rsync.net" `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "joey" -backupsBackedupTo :: [Host] -> HostName -> FilePath -> Property NoInfo -backupsBackedupTo hosts desthost destdir = Cron.niceJob desc - "1 1 * * 3" "joey" "/" cmd - `requires` Ssh.knownHost hosts desthost "joey" +backupsBackedupFrom :: [Host] -> HostName -> FilePath -> Property NoInfo +backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc + (Cron.Times "@reboot") "joey" "/" cmd + `requires` Ssh.knownHost hosts srchost "joey" where - desc = "backups copied to " ++ desthost ++ " weekly" - cmd = "rsync -az --delete /home/joey/lib/backup " ++ desthost ++ ":" ++ destdir + desc = "backups copied from " ++ srchost ++ " on boot" + cmd = "rsync -az --bwlimit=300K --partial --delete " ++ srchost ++ ":lib/backup/ " ++ destdir </> srchost obnamRepos :: [String] -> Property NoInfo obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) @@ -408,7 +426,7 @@ obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) `before` File.ownerGroup d "joey" "joey" podcatcher :: Property NoInfo -podcatcher = Cron.niceJob "podcatcher run hourly" "55 * * * *" +podcatcher = Cron.niceJob "podcatcher run hourly" (Cron.Times "55 * * * *") "joey" "/home/joey/lib/sound/podcasts" "xargs git-annex importfeed -c annex.genmetadata=true < feeds; mr --quiet update" `requires` Apt.installed ["git-annex", "myrepos"] 
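Review bot: In backupsBackedupFrom, `srchost` and `destdir` are spliced into the rsync command string without `shellEscape`, unlike `setupscript` in annexWebSite which escapes every interpolated value, so a hostname or path containing spaces or shell metacharacters would be split into extra arguments by cron's shell. Suggest `cmd = "rsync -az --bwlimit=300K --partial --delete " ++ shellEscape (srchost ++ ":lib/backup/") ++ " " ++ shellEscape (destdir </> srchost)`. Separately, `@reboot` replaces the former weekly schedule, so a host that stays up for months takes no further copies; the description string says "on boot", so this looks intentional, but worth confirming.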
@@ -450,6 +468,8 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props & dkimInstalled + & Postfix.saslAuthdInstalled + & Apt.installed ["maildrop"] & "/etc/maildroprc" `File.hasContent` [ "# Global maildrop filter file (deployed with propellor)" @@ -514,8 +534,13 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props , "# Filter out client relay lines from headers." , "header_checks = pcre:$config_directory/obscure_client_relay.pcre" + , "# Password auth for relaying (used by errol)" + , "smtpd_sasl_auth_enable = yes" + , "smtpd_sasl_security_options = noanonymous" + , "smtpd_sasl_local_domain = kitenet.net" + , "# Enable postgrey." - , "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023" + , "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_sasl_authenticated,,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023" , "# Enable spamass-milter, amavis-milter, opendkim" , "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock inet:localhost:8891" |
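Review bot: In the second hunk the new `smtpd_recipient_restrictions` value contains a doubled comma (`permit_sasl_authenticated,,permit_mynetworks`); Postfix generally tolerates empty list elements, but it should read `permit_tls_clientcerts,permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023`. More importantly, `smtpd_sasl_security_options = noanonymous` on its own still offers plaintext SASL mechanisms on unencrypted sessions, so relay passwords can travel in the clear unless `smtpd_tls_auth_only = yes` (or `noplaintext` here with a TLS-specific `smtpd_sasl_tls_security_options`) is set; nothing in this hunk shows that, though it may be configured elsewhere in the same main.cf. Suggest adding `, "smtpd_tls_auth_only = yes"` next to the new SASL lines. kiteMailServer's body continues outside the hunk.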
