Diffstat (limited to 'src')
| -rw-r--r-- | src/Propellor/Property/Restic.hs | 14 | ||||
| -rw-r--r-- | src/Propellor/Property/User.hs | 25 |
2 files changed, 25 insertions, 14 deletions
diff --git a/src/Propellor/Property/Restic.hs b/src/Propellor/Property/Restic.hs index 64cd4091..d9d4d4be 100644 --- a/src/Propellor/Property/Restic.hs +++ b/src/Propellor/Property/Restic.hs @@ -9,6 +9,7 @@ module Propellor.Property.Restic , init , restored , backup + , backup' , KeepPolicy (..) ) where @@ -138,17 +139,17 @@ restored dir repo = go -- backup job will be run at a time. Other jobs will wait their turns to -- run. backup :: FilePath -> ResticRepo -> Cron.Times -> [ResticParam] -> [KeepPolicy] -> Property (HasInfo + DebianLike) -backup dir repo crontimes extraargs kp = backup' dir repo crontimes extraargs kp +backup dir repo crontimes extraargs kp = backup' [dir] repo crontimes extraargs kp `requires` restored dir repo -- | Does a backup, but does not automatically restore. -backup' :: FilePath -> ResticRepo -> Cron.Times -> [ResticParam] -> [KeepPolicy] -> Property (HasInfo + DebianLike) -backup' dir repo crontimes extraargs kp = cronjob +backup' :: [FilePath] -> ResticRepo -> Cron.Times -> [ResticParam] -> [KeepPolicy] -> Property (HasInfo + DebianLike) +backup' dirs repo crontimes extraargs kp = cronjob `describe` desc `requires` init repo where desc = val repo ++ " restic backup" - cronjob = Cron.niceJob ("restic_backup" ++ dir) crontimes (User "root") "/" $ + cronjob = Cron.niceJob ("restic_backup" ++ intercalate "_" dirs) crontimes (User "root") "/" $ "flock " ++ shellEscape lockfile ++ " sh -c " ++ shellEscape backupcmd lockfile = "/var/lock/propellor-restic.lock" backupcmd = intercalate " && " $ @@ -162,9 +163,8 @@ backup' dir repo crontimes extraargs kp = cronjob , shellEscape (getPasswordFile repo) ] ++ map shellEscape extraargs ++ - [ "backup" - , shellEscape dir - ] + [ "backup" ] + ++ map shellEscape dirs pruneCommand = unwords $ [ "restic" , "-r" diff --git a/src/Propellor/Property/User.hs b/src/Propellor/Property/User.hs index ce2611bc..0b5bdddc 100644 --- a/src/Propellor/Property/User.hs +++ b/src/Propellor/Property/User.hs 
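Review bot: The cron job name `"restic_backup" ++ intercalate "_" dirs` in `backup'` does not identify a directory set uniquely, and nothing rejects an empty list. The constructed examples `["/a", "/b"]` and `["/a_/b"]` produce the same name, so if Cron.niceJob keys the installed job on this description (not visible here), one job would replace the other and a directory set would silently stop being backed up. With `backup' []`, the `[ "backup" ] ++ map shellEscape dirs` line in the following hunk runs `restic backup` with no path at all. Since `backup'` is now exported, consider taking a `NonEmpty FilePath`, or at least extend its Haddock to something like `-- | Does a backup of one or more directories, but does not automatically restore. The list must not be empty.` The body of `backup'` spans this hunk and the next one.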
@@ -22,17 +22,18 @@ systemAccountFor :: User -> Property DebianLike systemAccountFor user@(User u) = systemAccountFor' user Nothing (Just (Group u)) systemAccountFor' :: User -> Maybe FilePath -> Maybe Group -> Property DebianLike -systemAccountFor' (User u) mhome mgroup = tightenTargets $ check nouser go +systemAccountFor' (User u) mhome mgroup = case mgroup of + Nothing -> prop + Just g -> prop + `requires` systemGroup g `describe` ("system account for " ++ u) where + prop = tightenTargets $ check nouser go nouser = isNothing <$> catchMaybeIO (getUserEntryForName u) go = cmdProperty "adduser" $ - [ "--system" ] + [ "--system", "--home" ] ++ - "--home" : maybe - ["/nonexistent", "--no-create-home"] - ( \h -> [ h ] ) - mhome + maybe ["/nonexistent", "--no-create-home"] ( \h -> [h] ) mhome ++ maybe [] ( \(Group g) -> ["--ingroup", g] ) mgroup ++ @@ -42,6 +43,16 @@ systemAccountFor' (User u) mhome mgroup = tightenTargets $ check nouser go , u ] +systemGroup :: Group -> Property UnixLike +systemGroup (Group g) = check nogroup go + `describe` ("system account for " ++ g) + where + nogroup = isNothing <$> catchMaybeIO (getGroupEntryForName g) + go = cmdProperty "addgroup" + [ "--system" + , g + ] + -- | Removes user home directory!! Use with caution. nuked :: User -> Eep -> Property Linux nuked user@(User u) _ = tightenTargets $ check hashomedir go @@ -111,7 +122,7 @@ chpasswd (User user) v ps = makeChange $ withHandle StdinHandle createProcessSuc hClose h lockedPassword :: User -> Property DebianLike -lockedPassword user@(User u) = tightenTargets $ +lockedPassword user@(User u) = tightenTargets $ check (not <$> isLockedPassword user) go `describe` ("locked " ++ u ++ " password") where |
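Review bot: `systemAccountFor'` has no Haddock, and it now has a side effect callers should know about: `requires` systemGroup g sits outside `check nouser`, so the group is created even when the account already exists and `adduser` is skipped. An existing account is not moved into that group, so the property can report success while the user's group differs from `mgroup`. I would add a comment such as `-- | Creates a system account, first creating the given group as a system group if it is missing. An account that already exists is left unchanged.`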
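Review bot: `systemGroup` is typed `Property UnixLike` but shells out to `addgroup --system`, a Debian-style tool; the sibling `systemAccountFor'` is `Property DebianLike`, presumably for the same reason. As written, the type allows this property on hosts where `addgroup` is absent or takes different flags. The description `("system account for " ++ g)` is also copied from the account property and will mislabel the group step in logs. Suggested: `systemGroup :: Group -> Property DebianLike`, `systemGroup (Group g) = tightenTargets $ check nogroup go`, and a description of `("system group " ++ g)`.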
