From 456dd534ce2984535a9fc36bad2aff9e6ee2863a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 11:58:22 -0400 Subject: propellor spin --- Propellor/Property/File.hs | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) (limited to 'Propellor/Property/File.hs') diff --git a/Propellor/Property/File.hs b/Propellor/Property/File.hs index 10dee75e..d8caf366 100644 --- a/Propellor/Property/File.hs +++ b/Propellor/Property/File.hs @@ -1,8 +1,10 @@ module Propellor.Property.File where import Propellor +import Utility.FileMode import System.Posix.Files +import System.PosixCompat.Types type Line = String @@ -12,11 +14,15 @@ f `hasContent` newcontent = fileProperty ("replace " ++ f) (\_oldcontent -> newcontent) f -- | Ensures a file has contents that comes from PrivData. --- Note: Does not do anything with the permissions of the file to prevent --- it from being seen. +-- +-- The file's permissions are preserved if the file already existed. +-- Otherwise, they're set to 600. hasPrivContent :: FilePath -> Property -hasPrivContent f = Property ("privcontent " ++ f) $ - withPrivData (PrivFile f) (\v -> ensureProperty $ f `hasContent` lines v) +hasPrivContent f = Property desc $ withPrivData (PrivFile f) $ \privcontent -> + ensureProperty $ fileProperty' writeFileProtected desc + (\_oldcontent -> lines privcontent) f + where + desc = "privcontent " ++ f -- | Ensures that a line is present in a file, adding it to the end if not. containsLine :: FilePath -> Line -> Property 
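Review bot: The existing-file path of `hasPrivContent` keeps whatever mode the file already had (the `fileProperty'` helper it now goes through copies the old `fileMode` and owner onto the temp file before moving it into place), so private data written over a file that was earlier created world-readable, e.g. by `hasContent`, stays world-readable; only the fresh-file path gets 600. The new haddock states the preservation but not its consequence, so I'd extend it: `-- If the file already exists with a permissive mode, the private content inherits that mode; when converting a previously public file, tighten it separately with a mode property.` Whether `writeFileProtected` restricts the mode before the first byte of content is written is not visible in this hunk, and that is what the 600 claim for new files rests on, so it is worth confirming in Utility.FileMode. `fileProperty'` itself is defined in the following hunks of this commit.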
@@ -38,7 +44,9 @@ notPresent f = check (doesFileExist f) $ Property (f ++ " not present") $ makeChange $ nukeFile f fileProperty :: Desc -> ([Line] -> [Line]) -> FilePath -> Property -fileProperty desc a f = Property desc $ go =<< liftIO (doesFileExist f) +fileProperty = fileProperty' writeFile +fileProperty' :: (FilePath -> String -> IO ()) -> Desc -> ([Line] -> [Line]) -> FilePath -> Property +fileProperty' writer desc a f = Property desc $ go =<< liftIO (doesFileExist f) where go True = do ls <- liftIO $ lines <$> readFile f @@ -46,13 +54,15 @@ fileProperty desc a f = Property desc $ go =<< liftIO (doesFileExist f) if ls' == ls then noChange else makeChange $ viaTmp updatefile f (unlines ls') - go False = makeChange $ writeFile f (unlines $ a []) + go False = makeChange $ writer f (unlines $ a []) -- viaTmp makes the temp file mode 600. - -- Replicate the original file mode before moving it into place. + -- Replicate the original file's owner and mode. updatefile f' content = do - writeFile f' content - getFileStatus f >>= setFileMode f' . fileMode + writer f' content + s <- getFileStatus f + setFileMode f' (fileMode s) + setOwnerAndGroup f' (fileOwner s) (fileGroup s) -- | Ensures a directory exists. dirExists :: FilePath -> Property @@ -68,3 +78,9 @@ ownerGroup f owner group = Property (f ++ " owner " ++ og) $ do else noChange where og = owner ++ ":" ++ group + +-- | Ensures that a file/dir has the specfied mode. +mode :: FilePath -> FileMode -> Property +mode f v = Property (f ++ " mode " ++ show v) $ do + liftIO $ modifyFileMode f (\_old -> v) + noChange -- cgit v1.3-2-g0d8e From 479045277b29919797cee341b11d30bbd15ab3d7 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 12:21:43 -0400 Subject: propellor spin --- Propellor/Property/File.hs | 5 +++++ Propellor/Property/OpenId.hs | 13 ++++--------- config-joey.hs | 20 ++++++++++++++------ 3 files changed, 23 insertions(+), 15 deletions(-) (limited to 'Propellor/Property/File.hs') 
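Review bot: `mode` always returns `noChange`, even when `modifyFileMode` actually altered the permissions, so a mode change is neither reported in the run's output nor visible to any `onChange` chained after the property. The file already has `check` (used by `notPresent` just above, which as I read it runs the property only when the `IO Bool` is True) and imports `System.Posix.Files`, so the property can compare first and report honestly: `mode f v = check ((/= v) . intersectFileModes accessModes . fileMode <$> getFileStatus f) $` followed by `Property (f ++ " mode " ++ show v) $ makeChange $ modifyFileMode f (\_old -> v)`. Masking with `accessModes` matters because `fileMode` taken from a `FileStatus` also carries the file-type bits, which would never equal a caller-supplied permission value. Separately, `show v` on a `FileMode` renders the number in decimal (420 rather than 0644), which makes the description hard to read; an octal rendering would be friendlier.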
diff --git a/Propellor/Property/File.hs b/Propellor/Property/File.hs index d8caf366..bd33c9b8 100644 --- a/Propellor/Property/File.hs +++ b/Propellor/Property/File.hs @@ -24,6 +24,11 @@ hasPrivContent f = Property desc $ withPrivData (PrivFile f) $ \privcontent -> where desc = "privcontent " ++ f +-- | Leaves the file world-readable. +hasPrivContentExposed :: FilePath -> Property +hasPrivContentExposed f = hasPrivContent f `onChange` + mode f (combineModes (ownerWriteMode:readModes)) + -- | Ensures that a line is present in a file, adding it to the end if not. containsLine :: FilePath -> Line -> Property f `containsLine` l = fileProperty (f ++ " contains:" ++ l) go f diff --git a/Propellor/Property/OpenId.hs b/Propellor/Property/OpenId.hs index b896180f..d06bf88f 100644 --- a/Propellor/Property/OpenId.hs +++ b/Propellor/Property/OpenId.hs @@ -4,7 +4,6 @@ import Propellor import qualified Propellor.Property.File as File import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.Service as Service -import Utility.FileMode import Data.List import System.Posix.Files @@ -25,11 +24,7 @@ providerFor users baseurl = propertyList desc $ "define('SIMPLEID_BASE_URL', '"++url++"');" | otherwise = l - identfile u = combineProperties desc - [ File.hasPrivContent f - -- the identitites directory controls access, so open up - -- file mode - , File.mode f (combineModes (ownerWriteMode:readModes)) - ] - where - f = concat $ [ "/var/lib/simpleid/identities/", u, ".identity" ] + -- the identitites directory controls access, so open up + -- file mode + identfile u = File.hasPrivContentExposed $ + concat $ [ "/var/lib/simpleid/identities/", u, ".identity" ] diff --git a/config-joey.hs b/config-joey.hs index 7537b10a..2245f8dd 100644 --- a/config-joey.hs +++ b/config-joey.hs 
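Review bot: `hasPrivContentExposed` applies `mode` only through `onChange`, i.e. only on the run where the content was actually (re)written; if the file is later tightened to 600 by hand or by another property while its content stays the same, `hasPrivContent` reports no change and the mode is never re-opened, so the property does not converge on its own documented state. Combining the two, as the OpenId code this replaces did, keeps it idempotent: `hasPrivContentExposed f = combineProperties ("privcontent exposed " ++ f) [ hasPrivContent f, mode f (combineModes (ownerWriteMode:readModes)) ]`. Since this deliberately weakens the 600 default for private data, the haddock should also say when that is acceptable, e.g. `-- | Like 'hasPrivContent', but leaves the file world-readable. Only use this when the enclosing directory, or the service reading the file, controls access.`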
@@ -85,18 +85,15 @@ hosts = `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" `requires` Ssh.authorizedKeys "family" `requires` User.accountFor "family" - & Apt.installed ["git", "git-annex", "rsync", "kgb-client"] + & Apt.installed ["git", "git-annex", "rsync", "kgb-client-git"] & Git.daemonRunning "/srv/git" -- ssh keys for branchable and github repo hooks -- TODO: upgrade to newer git-annex-shell for notification -- gitweb & cname "kgb.kitenet.net" - & Apt.serviceInstalledRunning "kgb-bot" - & File.hasPrivContent "/etc/kgb-bot/kgb.conf" - & File.hasPrivContent "/etc/kgb-bot/kgb-client.conf" - & "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" - `onChange` Service.running "kgb-bot" + & Docker.docked hosts "kgb-server" + & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" & cname "downloads.kitenet.net" & Apt.buildDep ["git-annex"] `period` Daily @@ -127,7 +124,18 @@ hosts = & Docker.publish "8081:80" & OpenId.providerFor ["joey", "liw"] "openid.kitenet.net:8081" + + -- The kgb irc bot, in a container for security and because I need + -- features not in the stable version. + , standardContainer "kgb-server" Unstable "amd64" + & Docker.publish "9999:9999" + & Apt.serviceInstalledRunning "kgb-bot" + & File.hasPrivContent "/etc/kgb-bot/kgb.conf" + & "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" + `describe` "kgb bot enabled" + `onChange` Service.running "kgb-bot" + -- Exhibit: kite's 90's website. , standardContainer "ancient-kitenet" Stable "amd64" & Docker.publish "1994:80" & Apt.serviceInstalledRunning "apache2" -- cgit v1.3-2-g0d8e From 1495db6cd103bf5f9f4635dbbfe807c7c1f39b2e Mon Sep 17 00:00:00 2001 
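Review bot: `File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf"` makes the host's kgb client configuration world-readable; if, as is usual for kgb, that file carries the shared password the client uses to authenticate to the bot, every local user on the host (including the `family` account required a few lines up) can read it and post fake commit notifications. The OpenId case justified the exposed mode by the identities directory controlling access, but nothing in this hunk suggests `/etc/kgb-bot` is similarly restricted. Unless the git hooks that invoke `kgb-client` run as unprivileged users and genuinely need read access, plain `File.hasPrivContent` (600) is the safer default; if exposure is intentional, a comment stating why would help, e.g. `-- world-readable: kgb-client is run by repository owners from post-receive hooks`. The host definition continues outside this hunk.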
From: Joey Hess Date: Sun, 13 Apr 2014 14:01:30 -0400 Subject: propellor spin --- Propellor/Property/Apache.hs | 28 +++++++++ Propellor/Property/File.hs | 9 ++- Propellor/Property/SiteSpecific/JoeySites.hs | 92 ++++++++++++++++++++++++++++ config-joey.hs | 38 +++--------- debian/changelog | 1 + propellor.cabal | 1 + 6 files changed, 136 insertions(+), 33 deletions(-) create mode 100644 Propellor/Property/Apache.hs (limited to 'Propellor/Property/File.hs') diff --git a/Propellor/Property/Apache.hs b/Propellor/Property/Apache.hs new file mode 100644 index 00000000..5e32b0da --- /dev/null +++ b/Propellor/Property/Apache.hs @@ -0,0 +1,28 @@ +module Propellor.Property.Apache where + +import Propellor +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Apt as Apt + +type ConfigFile = [String] + +siteEnabled :: HostName -> ConfigFile -> RevertableProperty +siteEnabled hn cf = RevertableProperty enable disable + where + enable = siteAvailable hn cf + `onChange` cmdProperty "a2ensite" ["--quiet", hn] + `requires` Apt.installed ["apache2"] + disable = File.notPresent (siteCfg hn) + `onChange` cmdProperty "a2dissite" ["--quiet", hn] + +siteAvailable :: HostName -> ConfigFile -> Property +siteAvailable hn cf = siteCfg hn `File.hasContent` (comment:cf) + `describe` ("apache site available " ++ hn) + where + comment = "# deployed with propellor, do not modify" + +siteCfg :: HostName -> FilePath +siteCfg hn = "/etc/apache2/sites-available/" ++ hn ++ ".conf" + +restart :: Property +restart = cmdProperty "service" ["apache2", "restart"] diff --git a/Propellor/Property/File.hs b/Propellor/Property/File.hs index bd33c9b8..8f23dab7 100644 --- a/Propellor/Property/File.hs +++ b/Propellor/Property/File.hs 
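Review bot: `siteEnabled`'s `enable` side runs `a2ensite` but nothing tells the running apache about it, so a newly enabled site is not served until something else restarts the daemon, and the `restart` property defined at the bottom of the file is never wired in; adding a further `onChange` step that runs `restart` to both `enable` and `disable` closes that gap, and a `service apache2 reload` variant would do it without dropping connections. In `disable`, `a2dissite` only runs after `File.notPresent` has already deleted the sites-available file; I am not certain Debian's `a2dissite` tolerates a missing target, so disabling first and removing the file second is the safer order. `siteCfg` also interpolates the `HostName` straight into `/etc/apache2/sites-available/`, so a value containing `/` or `..` escapes that directory; it comes from the operator's own config, but a one-line `-- hn is trusted: it is taken from the propellor config, not from the network` comment would make that assumption explicit.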
@@ -31,11 +31,14 @@ hasPrivContentExposed f = hasPrivContent f `onChange` -- | Ensures that a line is present in a file, adding it to the end if not. containsLine :: FilePath -> Line -> Property -f `containsLine` l = fileProperty (f ++ " contains:" ++ l) go f +f `containsLine` l = f `containsLines` [l] + +containsLines :: FilePath -> [Line] -> Property +f `containsLines` l = fileProperty (f ++ " contains:" ++ show l) go f where go ls - | l `elem` ls = ls - | otherwise = ls++[l] + | all (`elem` ls) l = ls + | otherwise = ls++l -- | Ensures that a line is not present in a file. -- Note that the file is ensured to exist, so if it doesn't, an empty diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 46373170..81557b32 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -5,6 +5,14 @@ module Propellor.Property.SiteSpecific.JoeySites where import Propellor import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Gpg as Gpg +import qualified Propellor.Property.Ssh as Ssh +import qualified Propellor.Property.Git as Git +import qualified Propellor.Property.Service as Service +import qualified Propellor.Property.User as User +import qualified Propellor.Property.Obnam as Obnam +import qualified Propellor.Property.Apache as Apache oldUseNetShellBox :: Property oldUseNetShellBox = check (not <$> Apt.isInstalled "oldusenet") $ 
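Review bot: `containsLines` appends the whole list `l` whenever any element is missing, so a file that already holds some of the requested lines gets duplicates of those on each partial run (file has A, request `[A, B]` → A is appended again). Appending only the missing lines keeps the property idempotent and preserves the existing single-line behaviour: `| otherwise = ls ++ filter (not . flip elem ls) l`. With that filter the `all` guard becomes redundant (an empty append leaves `ls' == ls`, which `fileProperty` already treats as no change), but keeping it avoids a second pass. Note also that the description for `containsLine` changes from `" contains:" ++ l` to `" contains:" ++ show l`, so existing log output now shows the line quoted.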
@@ -21,3 +29,87 @@ oldUseNetShellBox = check (not <$> Apt.isInstalled "oldusenet") $ , "rm -rf /root/tmp/oldusenet" ] `describe` "olduse.net built" ] + +-- git.kitenet.net and git.joeyh.name +gitServer :: [Host] -> Property +gitServer hosts = propertyList "git.kitenet.net setup" + [ Obnam.backup "/srv/git" "33 3 * * *" + [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" + , "--encrypt-with=1B169BE1" + , "--client-name=wren" + ] Obnam.OnlyClient + `requires` Gpg.keyImported "1B169BE1" "root" + `requires` Ssh.keyImported SshRsa "root" + `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" + `requires` Ssh.authorizedKeys "family" + `requires` User.accountFor "family" + , Apt.installed ["git", "git-annex", "rsync", "kgb-client-git", "gitweb"] + , File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" + , toProp $ Git.daemonRunning "/srv/git" + , "/etc/gitweb.conf" `File.containsLines` + [ "$projectroot = 'srv/git';" + , "@git_base_url_list = ('git://git.kitenet.net', 'http://git.kitenet.net/git', 'ssh://git.kitenet.net/srv/git');" + , "# disable snapshot download; overloads server" + , "$feature{'snapshot'}{'default'} = [];" + ] + `describe` "gitweb configured" + , website "git.kitenet.net" + , website "git.joeyh.name" + -- ssh keys for branchable and github repo hooks + -- TODO: upgrade to newer git-annex-shell for notification + -- gitweb + ] + where + website hn = toProp $ Apache.siteEnabled hn (gitapacheconf hn) + +gitapacheconf :: HostName -> Apache.ConfigFile +gitapacheconf hn = + [ "" + , " ServerAdmin joey@kitenet.net" + , "" + , " ServerName " ++ hn ++ ":80" + , "" + , " DocumentRoot /srv/web/git.kitenet.net/" + , " " + , " Options Indexes ExecCGI FollowSymlinks" + , " AllowOverride None" + , " DirectoryIndex index.cgi" + , " " + , "" + , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" + , " " + , " SetHandler cgi-script" + , " Options ExecCGI" + , " " + , "" + , " ErrorLog /var/log/apache2/error.log" + , " LogLevel warn" + , " CustomLog 
/var/log/apache2/access.log combined" + , "" + , " # Possible values include: debug, info, notice, warn, error, crit," + , " # alert, emerg." + , " LogLevel warn" + , "" + , " CustomLog /var/log/apache2/access.log combined" + , " ServerSignature On" + , " " + , " " + , " Options Indexes MultiViews" + , " AllowOverride None" + , " Order allow,deny" + , " Allow from all" + , " " + , "" + ] + +-- Note: needs debian unstable for new kgb +kgbServer :: Property +kgbServer = propertyList "kgb.kitenet.net setup" + [ Apt.serviceInstalledRunning "kgb-bot" + , File.hasPrivContent "/etc/kgb-bot/kgb.conf" + `onChange` Service.restarted "kgb-bot" + , "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" + `describe` "kgb bot enabled" + `onChange` Service.running "kgb-bot" + ] + diff --git a/config-joey.hs b/config-joey.hs index 9976592e..aba648dc 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -5,7 +5,6 @@ import Propellor.CmdLine import Propellor.Property.Scheduled import qualified Propellor.Property.File as File import qualified Propellor.Property.Apt as Apt -import qualified Propellor.Property.Service as Service import qualified Propellor.Property.Network as Network import qualified Propellor.Property.Ssh as Ssh import qualified Propellor.Property.Cron as Cron @@ -18,8 +17,6 @@ import qualified Propellor.Property.Dns as Dns import qualified Propellor.Property.OpenId as OpenId import qualified Propellor.Property.Docker as Docker import qualified Propellor.Property.Git as Git -import qualified Propellor.Property.Gpg as Gpg -import qualified Propellor.Property.Obnam as Obnam import qualified Propellor.Property.SiteSpecific.GitHome as GitHome import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites 
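Review bot: `"$projectroot = 'srv/git';"` in the gitweb config is a relative path, whereas every other reference in `gitServer` (`Obnam.backup "/srv/git"`, `Git.daemonRunning "/srv/git"`) uses `/srv/git`; unless gitweb's CGI happens to run with cwd `/`, it will find no projects, so it should read `"$projectroot = '/srv/git';"`. In `gitapacheconf`, `Options Indexes ExecCGI FollowSymlinks` on the DocumentRoot enables directory listings of `/srv/web/git.kitenet.net/`; `ExecCGI` appears needed for `DirectoryIndex index.cgi`, but `Indexes` probably isn't, and the duplicated `LogLevel warn`/`CustomLog` lines can be dropped. The Obnam `--encrypt-with=1B169BE1` and `Gpg.keyImported "1B169BE1"` identify the backup key by a 32-bit short id, which is cheap to collide; a full fingerprint would be safer if `Gpg.keyImported` accepts one. The angle-bracketed Apache section tags appear stripped in this rendering (the `""` and `" "` entries), so I could not check the container nesting.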
@@ -48,15 +45,10 @@ hosts = & cname "ancient.kitenet.net" & Docker.docked hosts "ancient-kitenet" - -- I'd rather this were on diatom, but I use features - -- not available in stable. + -- I'd rather this were on diatom, but it needs unstable. & cname "kgb.kitenet.net" - & Apt.serviceInstalledRunning "kgb-bot" - & File.hasPrivContent "/etc/kgb-bot/kgb.conf" - `onChange` Service.restarted "kgb-bot" - & "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" - `describe` "kgb bot enabled" - `onChange` Service.running "kgb-bot" + & JoeySites.kgbServer + & Docker.garbageCollected `period` Daily & Apt.installed ["git-annex", "mtr", "screen"] @@ -75,31 +67,17 @@ hosts = -- Important stuff that needs not too much memory or CPU. , standardSystem "diatom.kitenet.net" Stable & Hostname.sane + & Ssh.hostKey SshDsa + & Ssh.hostKey SshRsa + & Ssh.hostKey SshEcdsa & Apt.unattendedUpgrades & Apt.serviceInstalledRunning "ntp" & Dns.zones myDnsSecondary & Apt.serviceInstalledRunning "apache2" & cname "git.kitenet.net" - & Ssh.hostKey SshDsa - & Ssh.hostKey SshRsa - & Ssh.hostKey SshEcdsa - & Obnam.backup "/srv/git" "33 3 * * *" - [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" - , "--encrypt-with=1B169BE1" - , "--client-name=wren" - ] Obnam.OnlyClient - `requires` Gpg.keyImported "1B169BE1" "root" - `requires` Ssh.keyImported SshRsa "root" - `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" - `requires` Ssh.authorizedKeys "family" - `requires` User.accountFor "family" - & Apt.installed ["git", "git-annex", "rsync", "kgb-client-git"] - & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" - & Git.daemonRunning "/srv/git" - -- ssh keys for branchable and github repo hooks - -- TODO: upgrade to newer git-annex-shell for notification - -- gitweb + & cname "git.joeyh.name" + & JoeySites.gitServer hosts & cname "downloads.kitenet.net" & Apt.buildDep ["git-annex"] `period` Daily 
diff --git a/debian/changelog b/debian/changelog index 6593c95d..b3cc554a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ propellor (0.3.1) UNRELEASED; urgency=medium * Merge scheduler bug fix from git-annex. * Support for provisioning hosts with ssh and gpg keys. * Obnam support. + * Apache support. -- Joey Hess Fri, 11 Apr 2014 15:00:11 -0400 diff --git a/propellor.cabal b/propellor.cabal index cc616c17..a7b7fbca 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -68,6 +68,7 @@ Library Exposed-Modules: Propellor Propellor.Property + Propellor.Property.Apache Propellor.Property.Apt Propellor.Property.Cmd Propellor.Property.Hostname -- cgit v1.3-2-g0d8e