From c97285a21ea0e392e8c63c1898ee2deeb34e99a0 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 02:28:40 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/GitHome.hs | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/GitHome.hs b/Propellor/Property/SiteSpecific/GitHome.hs index 1ba56b94..ee46a9e4 100644 --- a/Propellor/Property/SiteSpecific/GitHome.hs +++ b/Propellor/Property/SiteSpecific/GitHome.hs @@ -11,8 +11,7 @@ installedFor user = check (not <$> hasGitDir user) $ Property ("githome " ++ user) (go =<< liftIO (homedir user)) `requires` Apt.installed ["git"] where - go Nothing = noChange - go (Just home) = do + go home = do let tmpdir = home "githome" ensureProperty $ combineProperties "githome setup" [ userScriptProperty user ["git clone " ++ url ++ " " ++ tmpdir] @@ -32,5 +31,4 @@ url = "git://git.kitenet.net/joey/home" hasGitDir :: UserName -> IO Bool hasGitDir user = go =<< homedir user where - go Nothing = return False - go (Just home) = doesDirectoryExist (home ".git") + go home = doesDirectoryExist (home ".git") -- cgit v1.3-2-g0d8e From 1495db6cd103bf5f9f4635dbbfe807c7c1f39b2e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 14:01:30 -0400 Subject: propellor spin --- Propellor/Property/Apache.hs | 28 +++++++++ Propellor/Property/File.hs | 9 ++- Propellor/Property/SiteSpecific/JoeySites.hs | 92 ++++++++++++++++++++++++++++ config-joey.hs | 38 +++--------- debian/changelog | 1 + propellor.cabal | 1 + 6 files changed, 136 insertions(+), 33 deletions(-) create mode 100644 Propellor/Property/Apache.hs (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/Apache.hs b/Propellor/Property/Apache.hs new file mode 100644 index 00000000..5e32b0da --- /dev/null +++ b/Propellor/Property/Apache.hs 
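Review bot: In the new `go home` branch, `tmpdir` is still spliced into a shell command unescaped (`"git clone " ++ url ++ " " ++ tmpdir`), so a home directory path containing spaces or shell metacharacters breaks or alters the command; the Git.hs hunk later on this page uses `shellEscape` for exactly this, i.e. `"git clone " ++ shellEscape url ++ " " ++ shellEscape tmpdir`. Dropping the `Nothing` case also changes failure behaviour: a user with no resolvable home presumably now makes `homedir` throw instead of the property returning `noChange` — confirm that is intended. Separately, `url` is a `git://` origin, which has no transport authentication, so the cloned home directory (dotfiles that are presumably sourced at login) could be altered in transit; an ssh:// origin pinned via the `Ssh.knownHost` property used elsewhere on this page would be safer. `installedFor`'s body continues outside the hunk.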
@@ -0,0 +1,28 @@ +module Propellor.Property.Apache where + +import Propellor +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Apt as Apt + +type ConfigFile = [String] + +siteEnabled :: HostName -> ConfigFile -> RevertableProperty +siteEnabled hn cf = RevertableProperty enable disable + where + enable = siteAvailable hn cf + `onChange` cmdProperty "a2ensite" ["--quiet", hn] + `requires` Apt.installed ["apache2"] + disable = File.notPresent (siteCfg hn) + `onChange` cmdProperty "a2dissite" ["--quiet", hn] + +siteAvailable :: HostName -> ConfigFile -> Property +siteAvailable hn cf = siteCfg hn `File.hasContent` (comment:cf) + `describe` ("apache site available " ++ hn) + where + comment = "# deployed with propellor, do not modify" + +siteCfg :: HostName -> FilePath +siteCfg hn = "/etc/apache2/sites-available/" ++ hn ++ ".conf" + +restart :: Property +restart = cmdProperty "service" ["apache2", "restart"] diff --git a/Propellor/Property/File.hs b/Propellor/Property/File.hs index bd33c9b8..8f23dab7 100644 --- a/Propellor/Property/File.hs +++ b/Propellor/Property/File.hs @@ -31,11 +31,14 @@ hasPrivContentExposed f = hasPrivContent f `onChange` -- | Ensures that a line is present in a file, adding it to the end if not. containsLine :: FilePath -> Line -> Property -f `containsLine` l = fileProperty (f ++ " contains:" ++ l) go f +f `containsLine` l = f `containsLines` [l] + +containsLines :: FilePath -> [Line] -> Property +f `containsLines` l = fileProperty (f ++ " contains:" ++ show l) go f where go ls - | l `elem` ls = ls - | otherwise = ls++[l] + | all (`elem` ls) l = ls + | otherwise = ls++l -- | Ensures that a line is not present in a file. -- Note that the file is ensured to exist, so if it doesn't, an empty diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 46373170..81557b32 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs 
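Review bot: `siteCfg` builds a path under `/etc/apache2/sites-available/` directly from `hn`, and `siteEnabled` hands the same value to `a2ensite`/`a2dissite`, with nothing rejecting a value containing `/` or `..`; a malformed site name would therefore write, or on the `disable` side `File.notPresent`-delete, a file outside the intended directory. If `HostName` is a plain `String` alias (its definition is not visible here), add a guard, e.g. `siteCfg hn | '/' `elem` hn || hn `elem` ["", ".", ".."] = error ("bad apache site name: " ++ hn)`, before the path is used anywhere. Note also that `enable` never reloads apache after `a2ensite`, so a newly enabled vhost is not served until something else restarts the service; a comment on `siteEnabled` stating that the caller must pair it with `restart` would make that contract explicit.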
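Review bot: `containsLines` appends every requested line whenever any one is missing (`| otherwise = ls++l`), so a file that already holds some of `l` gets those lines duplicated on the run that adds the rest; subsequent runs pass `all (`elem` ls) l` and leave the duplicates in place. Appending only the absent ones keeps the property idempotent and safe to re-run: `| otherwise = ls ++ filter (`notElem` ls) l`. The description also changes from the bare line to `show l`, so `containsLine` now reports `contains:["..."]` rather than `contains:...`; harmless, but worth noting for anyone grepping propellor output.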
+++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -5,6 +5,14 @@ module Propellor.Property.SiteSpecific.JoeySites where import Propellor import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Gpg as Gpg +import qualified Propellor.Property.Ssh as Ssh +import qualified Propellor.Property.Git as Git +import qualified Propellor.Property.Service as Service +import qualified Propellor.Property.User as User +import qualified Propellor.Property.Obnam as Obnam +import qualified Propellor.Property.Apache as Apache oldUseNetShellBox :: Property oldUseNetShellBox = check (not <$> Apt.isInstalled "oldusenet") $ 
@@ -21,3 +29,87 @@ oldUseNetShellBox = check (not <$> Apt.isInstalled "oldusenet") $ , "rm -rf /root/tmp/oldusenet" ] `describe` "olduse.net built" ] + +-- git.kitenet.net and git.joeyh.name +gitServer :: [Host] -> Property +gitServer hosts = propertyList "git.kitenet.net setup" + [ Obnam.backup "/srv/git" "33 3 * * *" + [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" + , "--encrypt-with=1B169BE1" + , "--client-name=wren" + ] Obnam.OnlyClient + `requires` Gpg.keyImported "1B169BE1" "root" + `requires` Ssh.keyImported SshRsa "root" + `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" + `requires` Ssh.authorizedKeys "family" + `requires` User.accountFor "family" + , Apt.installed ["git", "git-annex", "rsync", "kgb-client-git", "gitweb"] + , File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" + , toProp $ Git.daemonRunning "/srv/git" + , "/etc/gitweb.conf" `File.containsLines` + [ "$projectroot = 'srv/git';" + , "@git_base_url_list = ('git://git.kitenet.net', 'http://git.kitenet.net/git', 'ssh://git.kitenet.net/srv/git');" + , "# disable snapshot download; overloads server" + , "$feature{'snapshot'}{'default'} = [];" + ] + `describe` "gitweb configured" + , website "git.kitenet.net" + , website "git.joeyh.name" + -- ssh keys for branchable and github repo hooks + -- TODO: upgrade to newer git-annex-shell for notification + -- gitweb + ] + where + website hn = toProp $ Apache.siteEnabled hn (gitapacheconf hn) + +gitapacheconf :: HostName -> Apache.ConfigFile +gitapacheconf hn = + [ "" + , " ServerAdmin joey@kitenet.net" + , "" + , " ServerName " ++ hn ++ ":80" + , "" + , " DocumentRoot /srv/web/git.kitenet.net/" + , " " + , " Options Indexes ExecCGI FollowSymlinks" + , " AllowOverride None" + , " DirectoryIndex index.cgi" + , " " + , "" + , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" + , " " + , " SetHandler cgi-script" + , " Options ExecCGI" + , " " + , "" + , " ErrorLog /var/log/apache2/error.log" + , " LogLevel warn" + , " CustomLog 
/var/log/apache2/access.log combined" + , "" + , " # Possible values include: debug, info, notice, warn, error, crit," + , " # alert, emerg." + , " LogLevel warn" + , "" + , " CustomLog /var/log/apache2/access.log combined" + , " ServerSignature On" + , " " + , " " + , " Options Indexes MultiViews" + , " AllowOverride None" + , " Order allow,deny" + , " Allow from all" + , " " + , "" + ] + +-- Note: needs debian unstable for new kgb +kgbServer :: Property +kgbServer = propertyList "kgb.kitenet.net setup" + [ Apt.serviceInstalledRunning "kgb-bot" + , File.hasPrivContent "/etc/kgb-bot/kgb.conf" + `onChange` Service.restarted "kgb-bot" + , "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" + `describe` "kgb bot enabled" + `onChange` Service.running "kgb-bot" + ] + diff --git a/config-joey.hs b/config-joey.hs index 9976592e..aba648dc 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -5,7 +5,6 @@ import Propellor.CmdLine import Propellor.Property.Scheduled import qualified Propellor.Property.File as File import qualified Propellor.Property.Apt as Apt -import qualified Propellor.Property.Service as Service import qualified Propellor.Property.Network as Network import qualified Propellor.Property.Ssh as Ssh import qualified Propellor.Property.Cron as Cron @@ -18,8 +17,6 @@ import qualified Propellor.Property.Dns as Dns import qualified Propellor.Property.OpenId as OpenId import qualified Propellor.Property.Docker as Docker import qualified Propellor.Property.Git as Git -import qualified Propellor.Property.Gpg as Gpg -import qualified Propellor.Property.Obnam as Obnam import qualified Propellor.Property.SiteSpecific.GitHome as GitHome import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites 
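Review bot: The `/srv/git` backup and the key import are both keyed on the 32-bit short key ID `1B169BE1` (`--encrypt-with=1B169BE1`, `Gpg.keyImported "1B169BE1" "root"`); short IDs are cheap to collide, so if `Gpg.keyImported` resolves the ID against a keyserver (not visible here) a colliding key could be imported and obnam would encrypt the backup to it — use the full fingerprint in both places. In `gitapacheconf`, `ServerSignature On` advertises the server version on error pages and `Options Indexes ExecCGI FollowSymlinks` on the gitweb DocumentRoot enables directory listings; `ServerSignature Off` and dropping `Indexes` where gitweb does not need them is the usual hardening. `$projectroot = 'srv/git';` is missing its leading slash (a later commit on this page corrects it). The `Directory` tags appear to have been stripped in this rendering, so the exact scope of each `Options` line cannot be confirmed from here.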
@@ -48,15 +45,10 @@ hosts = & cname "ancient.kitenet.net" & Docker.docked hosts "ancient-kitenet" - -- I'd rather this were on diatom, but I use features - -- not available in stable. + -- I'd rather this were on diatom, but it needs unstable. & cname "kgb.kitenet.net" - & Apt.serviceInstalledRunning "kgb-bot" - & File.hasPrivContent "/etc/kgb-bot/kgb.conf" - `onChange` Service.restarted "kgb-bot" - & "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" - `describe` "kgb bot enabled" - `onChange` Service.running "kgb-bot" + & JoeySites.kgbServer + & Docker.garbageCollected `period` Daily & Apt.installed ["git-annex", "mtr", "screen"] @@ -75,31 +67,17 @@ hosts = -- Important stuff that needs not too much memory or CPU. , standardSystem "diatom.kitenet.net" Stable & Hostname.sane + & Ssh.hostKey SshDsa + & Ssh.hostKey SshRsa + & Ssh.hostKey SshEcdsa & Apt.unattendedUpgrades & Apt.serviceInstalledRunning "ntp" & Dns.zones myDnsSecondary & Apt.serviceInstalledRunning "apache2" & cname "git.kitenet.net" - & Ssh.hostKey SshDsa - & Ssh.hostKey SshRsa - & Ssh.hostKey SshEcdsa - & Obnam.backup "/srv/git" "33 3 * * *" - [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" - , "--encrypt-with=1B169BE1" - , "--client-name=wren" - ] Obnam.OnlyClient - `requires` Gpg.keyImported "1B169BE1" "root" - `requires` Ssh.keyImported SshRsa "root" - `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" - `requires` Ssh.authorizedKeys "family" - `requires` User.accountFor "family" - & Apt.installed ["git", "git-annex", "rsync", "kgb-client-git"] - & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" - & Git.daemonRunning "/srv/git" - -- ssh keys for branchable and github repo hooks - -- TODO: upgrade to newer git-annex-shell for notification - -- gitweb + & cname "git.joeyh.name" + & JoeySites.gitServer hosts & cname "downloads.kitenet.net" & Apt.buildDep ["git-annex"] `period` Daily 
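Review bot: The relocated `& Ssh.hostKey SshDsa` still provisions an ssh-dss host key on diatom; OpenSSH DSA host keys are fixed at 1024 bits and current clients refuse them by default, so with RSA and ECDSA keys provisioned on the same lines there is little reason to keep offering it. Either drop the DSA line or add a comment naming the client that still needs it. The `standardSystem "diatom.kitenet.net"` definition continues outside the hunk.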
diff --git a/debian/changelog b/debian/changelog index 6593c95d..b3cc554a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ propellor (0.3.1) UNRELEASED; urgency=medium * Merge scheduler bug fix from git-annex. * Support for provisioning hosts with ssh and gpg keys. * Obnam support. + * Apache support. -- Joey Hess Fri, 11 Apr 2014 15:00:11 -0400 diff --git a/propellor.cabal b/propellor.cabal index cc616c17..a7b7fbca 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -68,6 +68,7 @@ Library Exposed-Modules: Propellor Propellor.Property + Propellor.Property.Apache Propellor.Property.Apt Propellor.Property.Cmd Propellor.Property.Hostname -- cgit v1.3-2-g0d8e From 2e128c8fe25fb92ecfbd0bbe79ea777d53fa11ca Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 14:12:11 -0400 Subject: propellor spin --- Propellor/Property/Git.hs | 6 ++++-- Propellor/Property/SiteSpecific/JoeySites.hs | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/Git.hs b/Propellor/Property/Git.hs index 6541dc74..431f4134 100644 --- a/Propellor/Property/Git.hs +++ b/Propellor/Property/Git.hs @@ -75,8 +75,10 @@ cloned owner url dir mbranch = check originurl (Property desc checkout) , return True ) checkout = do - liftIO $ whenM (doesDirectoryExist dir) $ - removeDirectoryRecursive dir + liftIO $ do + whenM (doesDirectoryExist dir) $ + removeDirectoryRecursive dir + createDirectoryIfMissing True (takeDirectory dir) ensureProperty $ userScriptProperty owner $ catMaybes [ Just $ "git clone " ++ shellEscape url ++ " " ++ shellEscape dir , Just $ "cd " ++ shellEscape dir diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 81557b32..fa444160 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs 
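Review bot: In `cloned`, the new `createDirectoryIfMissing True (takeDirectory dir)` runs in `liftIO` as the propellor process (presumably root), while the `git clone` on the following line runs through `userScriptProperty owner`; when the parent does not yet exist it is created root-owned under the default umask and a non-root `owner` then cannot create `dir`, so the clone fails. Either chown the parent to `owner` after creating it, or create it inside the user script (`"mkdir -p " ++ shellEscape (takeDirectory dir)`) so ownership follows the user doing the clone. The preceding `removeDirectoryRecursive dir` also runs as root, and depending on the `directory` package version it may follow a symlink at `dir`, so an `owner` who can replace `dir` with a symlink could have root delete another tree — fine if `owner` is trusted, worth a comment if not. `cloned` continues outside the hunk.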
@@ -53,11 +53,12 @@ gitServer hosts = propertyList "git.kitenet.net setup" , "$feature{'snapshot'}{'default'} = [];" ] `describe` "gitweb configured" + -- I keep the website used for gitweb checked into git.. + , Git.cloned "joey" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing , website "git.kitenet.net" , website "git.joeyh.name" -- ssh keys for branchable and github repo hooks -- TODO: upgrade to newer git-annex-shell for notification - -- gitweb ] where website hn = toProp $ Apache.siteEnabled hn (gitapacheconf hn) -- cgit v1.3-2-g0d8e From 8fb347b694378a4445106dec400bde0584593b1b Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 14:13:26 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index fa444160..907233bd 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -54,7 +54,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" ] `describe` "gitweb configured" -- I keep the website used for gitweb checked into git.. - , Git.cloned "joey" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing + , Git.cloned "root" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing , website "git.kitenet.net" , website "git.joeyh.name" -- ssh keys for branchable and github repo hooks -- cgit v1.3-2-g0d8e From 96f07ef513f6447baec8f66d52d4490ef627a588 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 14:36:19 -0400 Subject: propellor spin --- Propellor/Property/Apache.hs | 32 ++++++++++++++++++++++------ Propellor/Property/Git.hs | 3 +++ Propellor/Property/SiteSpecific/JoeySites.hs | 1 + 3 files changed, 30 insertions(+), 6 deletions(-) (limited to 'Propellor/Property/SiteSpecific') 
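Review bot: `Git.cloned "joey" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing` turns a full git working tree into the DocumentRoot that `gitapacheconf` serves, and that vhost sets `Options Indexes ... FollowSymlinks` with no rule hiding dot-directories, so `/.git/` (config, refs, packed objects, full history) becomes browsable and clonable over plain HTTP. Add a deny rule to the vhost, for example `RedirectMatch 404 /\.git` next to the existing `ScriptAlias`, or clone elsewhere and export only the tree. `gitServer`'s property list continues outside the hunk.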
diff --git a/Propellor/Property/Apache.hs b/Propellor/Property/Apache.hs index 5e32b0da..81daf9e7 100644 --- a/Propellor/Property/Apache.hs +++ b/Propellor/Property/Apache.hs @@ -3,17 +3,21 @@ module Propellor.Property.Apache where import Propellor import qualified Propellor.Property.File as File import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.Service as Service type ConfigFile = [String] siteEnabled :: HostName -> ConfigFile -> RevertableProperty siteEnabled hn cf = RevertableProperty enable disable where - enable = siteAvailable hn cf - `onChange` cmdProperty "a2ensite" ["--quiet", hn] - `requires` Apt.installed ["apache2"] + enable = cmdProperty "a2ensite" ["--quiet", hn] + `requires` siteAvailable hn cf + `requires` installed + `onChange` reloaded disable = File.notPresent (siteCfg hn) `onChange` cmdProperty "a2dissite" ["--quiet", hn] + `requires` installed + `onChange` reloaded siteAvailable :: HostName -> ConfigFile -> Property siteAvailable hn cf = siteCfg hn `File.hasContent` (comment:cf) @@ -21,8 +25,24 @@ siteAvailable hn cf = siteCfg hn `File.hasContent` (comment:cf) where comment = "# deployed with propellor, do not modify" +modEnabled :: String -> RevertableProperty +modEnabled modname = RevertableProperty enable disable + where + enable = cmdProperty "a2enmod" ["--quiet", modname] + `requires` installed + `onChange` reloaded + disable = cmdProperty "a2dismod" ["--quiet", modname] + `requires` installed + `onChange` reloaded + siteCfg :: HostName -> FilePath -siteCfg hn = "/etc/apache2/sites-available/" ++ hn ++ ".conf" +siteCfg hn = "/etc/apache2/sites-available/" ++ hn + +installed :: Property +installed = Apt.installed ["apache2"] + +restarted :: Property +restarted = cmdProperty "service" ["apache2", "restart"] -restart :: Property -restart = cmdProperty "service" ["apache2", "restart"] +reloaded :: Property +reloaded = Service.reloaded "apache2" 
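Review bot: `siteCfg` now drops the `.conf` suffix, producing `/etc/apache2/sites-available/<hn>`; the Apache 2.4 Debian packaging only includes `sites-enabled/*.conf` and its `a2ensite` refuses suffix-less names, so this works only with the 2.2 layout on the stable release of the time. State that assumption in a comment on `siteCfg`, or select the suffix with `withOS` as `kgbServer` does later on this page. Also, `enable` and `modEnabled` run `a2ensite`/`a2enmod` on every propellor run; unless `cmdProperty` reports `NoChange` for an already-enabled site (its behaviour is not visible here), each run will register a change and `onChange reloaded` will reload apache needlessly.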
diff --git a/Propellor/Property/Git.hs b/Propellor/Property/Git.hs index b2a53800..1dae94bf 100644 --- a/Propellor/Property/Git.hs +++ b/Propellor/Property/Git.hs @@ -80,6 +80,9 @@ cloned owner url dir mbranch = check originurl (Property desc checkout) removeDirectoryRecursive dir createDirectoryIfMissing True (takeDirectory dir) ensureProperty $ userScriptProperty owner $ catMaybes + -- The mbranch diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 907233bd..4b98fe0b 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -57,6 +57,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" , Git.cloned "root" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing , website "git.kitenet.net" , website "git.joeyh.name" + , toProp $ Apache.modEnabled "cgi" -- ssh keys for branchable and github repo hooks -- TODO: upgrade to newer git-annex-shell for notification ] -- cgit v1.3-2-g0d8e From 0b9879942fa5d00b8329fc3ebc14563de3d9fbf8 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 14:45:18 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 4b98fe0b..0594fe54 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -47,7 +47,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" , File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" , toProp $ Git.daemonRunning "/srv/git" , "/etc/gitweb.conf" `File.containsLines` - [ "$projectroot = 'srv/git';" + [ "$projectroot = '/srv/git';" , "@git_base_url_list = ('git://git.kitenet.net', 'http://git.kitenet.net/git', 'ssh://git.kitenet.net/srv/git');" , "# disable snapshot download; overloads server" , "$feature{'snapshot'}{'default'} = [];" @@ -75,6 +75,7 @@ gitapacheconf hn = , " " , " Options Indexes ExecCGI FollowSymlinks" , " AllowOverride None" + , " AddHandler cgi-script .cgi" , " DirectoryIndex index.cgi" , " " , "" -- cgit v1.3-2-g0d8e From 576acfed33abfae2065354431100701713e83a23 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 14:58:56 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 1 - 1 file changed, 1 deletion(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 0594fe54..9192786c 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -58,7 +58,6 @@ gitServer hosts = propertyList "git.kitenet.net setup" , website "git.kitenet.net" , website "git.joeyh.name" , toProp $ Apache.modEnabled "cgi" - -- ssh keys for branchable and github repo hooks -- TODO: upgrade to newer git-annex-shell for notification ] where -- cgit v1.3-2-g0d8e From f806a55649a5d06b479123e35fef4d592e6efe0d Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 15:37:43 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 9192786c..3115d4b7 100644 
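Review bot: `AddHandler cgi-script .cgi` together with `Options Indexes ExecCGI FollowSymlinks` on the DocumentRoot makes Apache execute any file ending in `.cgi` anywhere under `/srv/web/git.kitenet.net`, and that tree is a checkout of `git.kitenet.net.git`, so anyone who can push to that repository can run code as the web server user. Restrict the handler to the one script that needs it, e.g. a `<Files index.cgi>` block carrying `SetHandler cgi-script`, and keep `ExecCGI` off the rest of the tree. The `gitapacheconf` list starts and ends outside this hunk.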
--- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -104,14 +104,17 @@ gitapacheconf hn = , "" ] --- Note: needs debian unstable for new kgb kgbServer :: Property -kgbServer = propertyList "kgb.kitenet.net setup" - [ Apt.serviceInstalledRunning "kgb-bot" - , File.hasPrivContent "/etc/kgb-bot/kgb.conf" - `onChange` Service.restarted "kgb-bot" - , "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" - `describe` "kgb bot enabled" - `onChange` Service.running "kgb-bot" - ] - +kgbServer = withOS desc $ \o -> case o of + (Just (System (Debian Unstable) _)) -> + ensureProperty $ propertyList desc + [ Apt.serviceInstalledRunning "kgb-bot" + , File.hasPrivContent "/etc/kgb-bot/kgb.conf" + `onChange` Service.restarted "kgb-bot" + , "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" + `describe` "kgb bot enabled" + `onChange` Service.running "kgb-bot" + ] + _ -> error "kgb server needs Debian unstable (for kgb-bot 1.31+)" + where + desc = "kgb.kitenet.net setup" -- cgit v1.3-2-g0d8e From f8e350e4c88c0b535e5ceba33a5ab226a9acd33a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 16:06:23 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 4 ++-- TODO | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 3115d4b7..635d99ba 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -43,7 +43,8 @@ gitServer hosts = propertyList "git.kitenet.net setup" `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" `requires` Ssh.authorizedKeys "family" `requires` User.accountFor "family" - , Apt.installed ["git", "git-annex", "rsync", "kgb-client-git", "gitweb"] + , Apt.installed ["git", "rsync", "kgb-client-git", "gitweb"] + , Apt.installedBackport ["git-annex"] , File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" , toProp $ Git.daemonRunning "/srv/git" , "/etc/gitweb.conf" `File.containsLines` @@ -58,7 +59,6 @@ gitServer hosts = propertyList "git.kitenet.net setup" , website "git.kitenet.net" , website "git.joeyh.name" , toProp $ Apache.modEnabled "cgi" - -- TODO: upgrade to newer git-annex-shell for notification ] where website hn = toProp $ Apache.siteEnabled hn (gitapacheconf hn) diff --git a/TODO b/TODO index a203169c..93dcf0d4 100644 --- a/TODO +++ b/TODO @@ -2,9 +2,6 @@ run it once for the whole. For example, may want to restart apache, but only once despite many config changes being made to satisfy properties. onChange is a poor substitute. -* Currently only Debian and derivatives are supported by most Properties. - This could be improved by making the Distribution of the system part - of its HostAttr. * Display of docker container properties is a bit wonky. It always says they are unchanged even when they changed and triggered a reprovision. @@ -18,3 +15,7 @@ * There is no way for a property of a docker container to require some property be met outside the container. For example, some servers need ntp installed for a good date source. +* Attributes can only be set in the top level property list for a Host. + If an attribute is set inside a propertyList, it won't propigate out. + Fix this. Probably the fix involves combining AttrProperty into Property. + Then propertyList can gather the attributes from its list. -- cgit v1.3-2-g0d8e From feeec9d3819d39cbb0c0ece3b5c6628881f2d5a1 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Sun, 13 Apr 2014 16:38:58 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 94 +++++++++++++++++++++++----- config-joey.hs | 14 ++++- 2 files changed, 92 insertions(+), 16 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 635d99ba..e1119469 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -13,6 +13,7 @@ import qualified Propellor.Property.Service as Service import qualified Propellor.Property.User as User import qualified Propellor.Property.Obnam as Obnam import qualified Propellor.Property.Apache as Apache +import Utility.SafeCommand oldUseNetShellBox :: Property oldUseNetShellBox = check (not <$> Apt.isInstalled "oldusenet") $ @@ -30,6 +31,21 @@ oldUseNetShellBox = check (not <$> Apt.isInstalled "oldusenet") $ ] `describe` "olduse.net built" ] +kgbServer :: Property +kgbServer = withOS desc $ \o -> case o of + (Just (System (Debian Unstable) _)) -> + ensureProperty $ propertyList desc + [ Apt.serviceInstalledRunning "kgb-bot" + , File.hasPrivContent "/etc/kgb-bot/kgb.conf" + `onChange` Service.restarted "kgb-bot" + , "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" + `describe` "kgb bot enabled" + `onChange` Service.running "kgb-bot" + ] + _ -> error "kgb server needs Debian unstable (for kgb-bot 1.31+)" + where + desc = "kgb.kitenet.net setup" + -- git.kitenet.net and git.joeyh.name gitServer :: [Host] -> Property gitServer hosts = propertyList "git.kitenet.net setup" 
@@ -63,6 +79,69 @@ gitServer hosts = propertyList "git.kitenet.net setup" where website hn = toProp $ Apache.siteEnabled hn (gitapacheconf hn) +type AnnexUUID = String + +-- | A website, with files coming from a git-annex repository. +annexWebSite :: Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property +annexWebSite origin hn uuid remotes = Git.cloned "joey" origin dir Nothing + `onChange` setup + `onChange` toProp (Apache.siteEnabled hn $ annexwebsiteconf hn) + where + dir = "/srv/web/" ++ hn + setup = userScriptProperty "joey" $ + [ "cd " ++ shellEscape dir + , "git config annex.uuid " ++ shellEscape uuid + ] ++ map addremote remotes ++ + [ "git annex get" + ] + addremote (name, url) = "git remote add " ++ shellEscape name ++ " " ++ shellEscape url + +annexwebsiteconf :: HostName -> Apache.ConfigFile +annexwebsiteconf hn = stanza 80 False ++ stanza 443 True + where + stanza :: Int -> Bool -> Apache.ConfigFile + stanza port withssl = catMaybes + [ Just $ "" + , Just $ " ServerAdmin joey@kitenet.net" + , Just $ "" + , Just $ " ServerName "++hn++":"++show port + , Just $ " ServerAlias www."++hn + , Just $ "" + , ssl $ " SSLEngine on" + , ssl $ " SSLCertificateFile /etc/ssl/certs/web.pem" + , ssl $ " SSLCertificateKeyFile /etc/ssl/private/web.pem" + , ssl $ " SSLCertificateChainFile /etc/ssl/certs/startssl.pem" + , Just $ "" + , Just $ " DocumentRoot /srv/web/"++hn + , Just $ " " + , Just $ " Options FollowSymLinks" + , Just $ " AllowOverride None" + , Just $ " " + , Just $ " " + , Just $ " Options Indexes FollowSymLinks ExecCGI" + , Just $ " AllowOverride None" + , Just $ " Order allow,deny" + , Just $ " allow from all" + , Just $ " " + , Just $ "" + , Just $ " ErrorLog /var/log/apache2/error.log" + , Just $ " LogLevel warn" + , Just $ " CustomLog /var/log/apache2/access.log combined" + , Just $ " ServerSignature On" + , Just $ " " + , Just $ " " + , Just $ " Options Indexes MultiViews" + , Just $ " AllowOverride None" + , Just $ " Order 
allow,deny" + , Just $ " Allow from all" + , Just $ " " + , Just $ "" + ] + where + ssl l + | withssl = Just l + | otherwise = Nothing + gitapacheconf :: HostName -> Apache.ConfigFile gitapacheconf hn = [ "" @@ -103,18 +182,3 @@ gitapacheconf hn = , " " , "" ] - -kgbServer :: Property -kgbServer = withOS desc $ \o -> case o of - (Just (System (Debian Unstable) _)) -> - ensureProperty $ propertyList desc - [ Apt.serviceInstalledRunning "kgb-bot" - , File.hasPrivContent "/etc/kgb-bot/kgb.conf" - `onChange` Service.restarted "kgb-bot" - , "/etc/default/kgb-bot" `File.containsLine` "BOT_ENABLED=1" - `describe` "kgb bot enabled" - `onChange` Service.running "kgb-bot" - ] - _ -> error "kgb server needs Debian unstable (for kgb-bot 1.31+)" - where - desc = "kgb.kitenet.net setup" diff --git a/config-joey.hs b/config-joey.hs index ed214e82..f1484031 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -74,14 +74,26 @@ hosts = & Apt.serviceInstalledRunning "ntp" & Dns.zones myDnsSecondary & Apt.serviceInstalledRunning "apache2" + & File.ownerGroup "/srv" "joey" "joey" & cname "git.kitenet.net" & cname "git.joeyh.name" & JoeySites.gitServer hosts & cname "downloads.kitenet.net" + & JoeySites.annexWebSite "/srv/git/download.git" + "downloads.kitenet.net" + "840760dc-08f0-11e2-8c61-576b7e66acfd" + [("turtle", "ssh://turtle.kitenet.net/~/lib/downloads/")] & Apt.buildDep ["git-annex"] `period` Daily - -- downloads.kitenet.net setup (including ssh key to turtle) + + & cname "tmp.kitenet.net" + & JoeySites.annexWebSite "/srv/git/joey/tmp.git" + "tmp.kitenet.net" + "274ce1ca-1226-11e2-bcbd-eb57078e31b1" + [] + + & Apt.installed ["ntop"] -- I don't run this system, so only relevant property is its -- public key. -- cgit v1.3-2-g0d8e From 32ffe1797271a269708ca06060bbe18f1b6f880a Mon Sep 17 00:00:00 2001 
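Review bot: The port 443 stanza of `annexwebsiteconf` enables `SSLEngine on` with certificate paths but sets no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so the vhost runs on the Apache defaults of its era (which still permitted SSLv3 and weak suites), and the port 80 stanza serves identical content with no redirect, so TLS protects nothing unless the client chooses it. Add at least `ssl $ " SSLProtocol all -SSLv2 -SSLv3"` and an explicit `SSLCipherSuite` line, and consider a `Redirect permanent / https://<hn>/` in the plain stanza if the site is meant to be served over TLS. As in `gitapacheconf`, `ServerSignature On` and `Options Indexes FollowSymLinks ExecCGI` on a git-annex working tree expose listings, execute any `.cgi` committed to the repository, and leave `/.git/` under the DocumentRoot reachable.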
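Review bot: `File.ownerGroup "/srv" "joey" "joey"` hands ownership of `/srv` itself to an unprivileged account, yet root-run properties on this host operate beneath it — `Obnam.backup "/srv/git"` and `Git.cloned "root" ... "/srv/web/git.kitenet.net"` in `gitServer` — and owning the parent lets that account rename or replace `/srv/git` or `/srv/web` with a symlink between runs, so root would back up, remove or clone over a directory of joey's choosing. Prefer creating only the specific subdirectories joey needs (`/srv/web`, `/srv/web/<hn>`) with joey ownership and leaving `/srv` root-owned. The `hosts` list continues outside the hunk.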
From: Joey Hess Date: Sun, 13 Apr 2014 16:49:49 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 2 ++ config-joey.hs | 5 +++-- 2 files changed, 5 insertions(+), 2 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index e1119469..ba77eaca 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -70,6 +70,8 @@ gitServer hosts = propertyList "git.kitenet.net setup" , "$feature{'snapshot'}{'default'} = [];" ] `describe` "gitweb configured" + -- Repos push on to github. + , Ssh.knownHost hosts "github.com" "joey" -- I keep the website used for gitweb checked into git.. , Git.cloned "root" "/srv/git/joey/git.kitenet.net.git" "/srv/web/git.kitenet.net" Nothing , website "git.kitenet.net" diff --git a/config-joey.hs b/config-joey.hs index f1484031..f0f2f293 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -95,10 +95,11 @@ hosts = & Apt.installed ["ntop"] - -- I don't run this system, so only relevant property is its - -- public key. + -- Systems I don't run, but do want to track their public keys. , host "usw-s002.rsync.net" & sshPubKey "ssh-dss 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" + , host "github.com" + & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" --' __|II| ,. ---- __|II|II|__ ( \_,/\ -- cgit v1.3-2-g0d8e From a79e33944d14a3ee050ce6663e3813e0c2f52b26 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Sun, 13 Apr 2014 17:03:21 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 9 ++++++--- config-joey.hs | 11 +++++++---- 2 files changed, 13 insertions(+), 7 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index ba77eaca..6b149598 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -84,13 +84,16 @@ gitServer hosts = propertyList "git.kitenet.net setup" type AnnexUUID = String -- | A website, with files coming from a git-annex repository. -annexWebSite :: Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property -annexWebSite origin hn uuid remotes = Git.cloned "joey" origin dir Nothing +annexWebSite :: [Host] -> Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property +annexWebSite hosts origin hn uuid remotes = Git.cloned "joey" origin dir Nothing `onChange` setup `onChange` toProp (Apache.siteEnabled hn $ annexwebsiteconf hn) where dir = "/srv/web/" ++ hn - setup = userScriptProperty "joey" $ + setup = userScriptProperty "joey" setupscript + `requires` Ssh.keyImported SshRsa "joey" + `requires` Ssh.knownHost hosts "turtle.kitenet.net" "joey" + setupscript = [ "cd " ++ shellEscape dir , "git config annex.uuid " ++ shellEscape uuid ] ++ map addremote remotes ++ diff --git a/config-joey.hs b/config-joey.hs index ab878fb2..055c1a65 100644 --- a/config-joey.hs +++ b/config-joey.hs 
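Review bot: `setup` now pins `Ssh.knownHost hosts "turtle.kitenet.net" "joey"` unconditionally, although the hosts actually contacted are whatever `remotes` names (`ssh://turtle.kitenet.net/...` for downloads, nothing for tmp); a site with a remote on a different host would run `git annex get` against an unpinned host key, and tmp.kitenet.net receives a known_hosts entry it never uses. Derive the pins from the remote URLs instead — extract the authority of each ssh:// URL and fold one `Ssh.knownHost hosts host "joey"` per remote into the `requires` chain — so the function stays generic in its `remotes` argument. `annexWebSite`'s body continues outside the hunk.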
@@ -81,21 +81,24 @@ hosts = & JoeySites.gitServer hosts & cname "downloads.kitenet.net" - & JoeySites.annexWebSite "/srv/git/downloads.git" + & JoeySites.annexWebSite hosts "/srv/git/downloads.git" "downloads.kitenet.net" "840760dc-08f0-11e2-8c61-576b7e66acfd" [("turtle", "ssh://turtle.kitenet.net/~/lib/downloads/")] & Apt.buildDep ["git-annex"] `period` Daily & cname "tmp.kitenet.net" - & JoeySites.annexWebSite "/srv/git/joey/tmp.git" + & JoeySites.annexWebSite hosts "/srv/git/joey/tmp.git" "tmp.kitenet.net" - "274ce1ca-1226-11e2-bcbd-eb57078e31b1" + "26fd6e38-1226-11e2-a75f-ff007033bdba" [] & Apt.installed ["ntop"] - -- Systems I don't run, but do want to track their public keys. + -- Systems I don't manage with propellor, + -- but do want to track their public keys. + , host "turtle.kitenet.net" + & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" , host "usw-s002.rsync.net" & sshPubKey "ssh-dss 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" , host "github.com" -- cgit v1.3-2-g0d8e From b143b5af13272f162e3144a52d8dc97bea824648 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 18:41:02 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index 6b149598..f7c432c0 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs 
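Review bot: The tmp.kitenet.net annex UUID changes from `274ce1ca-…` to `26fd6e38-…` in the config-joey.hs hunk with no explanation, and the setup script from the previous commit writes that value straight into `git config annex.uuid`, so a wrong UUID makes the web checkout claim to be a different repository in the annex location log. A one-line comment on why the old value was wrong — e.g. `-- UUID of the web checkout, not of the origin repo`, if that is the reason — would record the change. The new turtle.kitenet.net host key pin should likewise note how it was verified, since nothing here does.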
@@ -87,7 +87,11 @@ type AnnexUUID = String annexWebSite :: [Host] -> Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property annexWebSite hosts origin hn uuid remotes = Git.cloned "joey" origin dir Nothing `onChange` setup - `onChange` toProp (Apache.siteEnabled hn $ annexwebsiteconf hn) + `onChange` setupapache + `requires` File.hasPrivContent "/etc/ssl/certs/web.pem" + `requires` File.hasPrivContent "/etc/ssl/private/web.pem" + `requires` File.hasPrivContent "/etc/ssl/certs/startssl.pem" + `requires` toProp (Apache.modEnabled "ssl") where dir = "/srv/web/" ++ hn setup = userScriptProperty "joey" setupscript @@ -100,6 +104,7 @@ annexWebSite hosts origin hn uuid remotes = Git.cloned "joey" origin dir Nothing [ "git annex get" ] addremote (name, url) = "git remote add " ++ shellEscape name ++ " " ++ shellEscape url + setupapache = toProp (Apache.siteEnabled hn $ annexwebsiteconf hn) annexwebsiteconf :: HostName -> Apache.ConfigFile annexwebsiteconf hn = stanza 80 False ++ stanza 443 True -- cgit v1.3-2-g0d8e From fb1d65125b543b38151974e12a3ad3b672cc9aa6 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 20:22:35 -0400 Subject: propellor spin --- Propellor/Property/SiteSpecific/JoeySites.hs | 149 +++++++++++---------------- config-joey.hs | 6 ++ 2 files changed, 68 insertions(+), 87 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index f7c432c0..bd6e93f3 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs 
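Review bot: The first hunk attaches `File.hasPrivContent "/etc/ssl/private/web.pem"` as a requirement of every annexWebSite, so the server's private key is provisioned as a side effect of a per-site property rather than once at host level, and nothing in the hunk states the mode or owner it is written with. The key must end up root-owned and 0600 (Apache reads it before dropping privileges); `hasPrivContent` presumably does that, given that File.hs has a separate `hasPrivContentExposed` variant, but it is worth confirming and recording next to the requirement: `-- key material: relies on hasPrivContent writing 0600 root; never hasPrivContentExposed`. The enclosing annexWebSite definition continues past the hunk.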
@@ -79,7 +79,21 @@ gitServer hosts = propertyList "git.kitenet.net setup" , toProp $ Apache.modEnabled "cgi" ] where - website hn = toProp $ Apache.siteEnabled hn (gitapacheconf hn) + website hn = toProp $ Apache.siteEnabled hn $ apachecfg hn True + [ " DocumentRoot /srv/web/git.kitenet.net/" + , " " + , " Options Indexes ExecCGI FollowSymlinks" + , " AllowOverride None" + , " AddHandler cgi-script .cgi" + , " DirectoryIndex index.cgi" + , " " + , "" + , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" + , " " + , " SetHandler cgi-script" + , " Options ExecCGI" + , " " + ] type AnnexUUID = String @@ -88,10 +102,6 @@ annexWebSite :: [Host] -> Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git. annexWebSite hosts origin hn uuid remotes = Git.cloned "joey" origin dir Nothing `onChange` setup `onChange` setupapache - `requires` File.hasPrivContent "/etc/ssl/certs/web.pem" - `requires` File.hasPrivContent "/etc/ssl/private/web.pem" - `requires` File.hasPrivContent "/etc/ssl/certs/startssl.pem" - `requires` toProp (Apache.modEnabled "ssl") where dir = "/srv/web/" ++ hn setup = userScriptProperty "joey" setupscript 
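Review bot: The `<Directory /srv/web/git.kitenet.net>` block in the first hunk combines `Options Indexes ExecCGI FollowSymlinks` with `AddHandler cgi-script .cgi` on a DocumentRoot that the 16:49 commit on this page populates with `Git.cloned "root" … "/srv/web/git.kitenet.net"`, so the checkout's `.git/` directory is browsable over HTTP and any `.cgi` file that lands in that repository executes as the web server user. Exposing `.git/` leaks the full history and config of the site checkout; deny it by URL so symlinked content is unaffected, e.g. `, " RedirectMatch 404 /\\.git(/|$)"` inside the vhost, and consider dropping `Indexes` and limiting `ExecCGI`/`AddHandler` to the path that actually holds gitweb's index.cgi. Style-wise, `website hn` takes a hostname but hard-codes `/srv/web/git.kitenet.net/`, so the parameter only affects ServerName.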
@@ -104,91 +114,56 @@ annexWebSite hosts origin hn uuid remotes = Git.cloned "joey" origin dir Nothing [ "git annex get" ] addremote (name, url) = "git remote add " ++ shellEscape name ++ " " ++ shellEscape url - setupapache = toProp (Apache.siteEnabled hn $ annexwebsiteconf hn) + setupapache = toProp $ Apache.siteEnabled hn $ apachecfg hn True $ + [ " ServerAlias www."++hn + , "" + , " DocumentRoot /srv/web/"++hn + , " " + , " Options FollowSymLinks" + , " AllowOverride None" + , " " + , " " + , " Options Indexes FollowSymLinks ExecCGI" + , " AllowOverride None" + , " Order allow,deny" + , " allow from all" + , " " + ] -annexwebsiteconf :: HostName -> Apache.ConfigFile -annexwebsiteconf hn = stanza 80 False ++ stanza 443 True +apachecfg :: HostName -> Bool -> Apache.ConfigFile -> Apache.ConfigFile +apachecfg hn withssl middle + | withssl = vhost False ++ vhost True + | otherwise = vhost False where - stanza :: Int -> Bool -> Apache.ConfigFile - stanza port withssl = catMaybes - [ Just $ "" - , Just $ " ServerAdmin joey@kitenet.net" - , Just $ "" - , Just $ " ServerName "++hn++":"++show port - , Just $ " ServerAlias www."++hn - , Just $ "" - , ssl $ " SSLEngine on" - , ssl $ " SSLCertificateFile /etc/ssl/certs/web.pem" - , ssl $ " SSLCertificateKeyFile /etc/ssl/private/web.pem" - , ssl $ " SSLCertificateChainFile /etc/ssl/certs/startssl.pem" - , Just $ "" - , Just $ " DocumentRoot /srv/web/"++hn - , Just $ " " - , Just $ " Options FollowSymLinks" - , Just $ " AllowOverride None" - , Just $ " " - , Just $ " " - , Just $ " Options Indexes FollowSymLinks ExecCGI" - , Just $ " AllowOverride None" - , Just $ " Order allow,deny" - , Just $ " allow from all" - , Just $ " " - , Just $ "" - , Just $ " ErrorLog /var/log/apache2/error.log" - , Just $ " LogLevel warn" - , Just $ " CustomLog /var/log/apache2/access.log combined" - , Just $ " ServerSignature On" - , Just $ " " - , Just $ " " - , Just $ " Options Indexes MultiViews" - , Just $ " AllowOverride None" - , Just $ " 
Order allow,deny" - , Just $ " Allow from all" - , Just $ " " - , Just $ "" + vhost ssl = + [ "" + , " ServerAdmin grue@joeyh.name" + , " ServerName "++hn++":"++show port + ] + ++ mainhttpscert ssl + ++ middle ++ + [ "" + , " ErrorLog /var/log/apache2/error.log" + , " LogLevel warn" + , " CustomLog /var/log/apache2/access.log combined" + , " ServerSignature On" + , " " + , " " + , " Options Indexes MultiViews" + , " AllowOverride None" + , " Order allow,deny" + , " Allow from all" + , " " + , "" ] where - ssl l - | withssl = Just l - | otherwise = Nothing + port = if ssl then 443 else 80 :: Int -gitapacheconf :: HostName -> Apache.ConfigFile -gitapacheconf hn = - [ "" - , " ServerAdmin joey@kitenet.net" - , "" - , " ServerName " ++ hn ++ ":80" - , "" - , " DocumentRoot /srv/web/git.kitenet.net/" - , " " - , " Options Indexes ExecCGI FollowSymlinks" - , " AllowOverride None" - , " AddHandler cgi-script .cgi" - , " DirectoryIndex index.cgi" - , " " - , "" - , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" - , " " - , " SetHandler cgi-script" - , " Options ExecCGI" - , " " - , "" - , " ErrorLog /var/log/apache2/error.log" - , " LogLevel warn" - , " CustomLog /var/log/apache2/access.log combined" - , "" - , " # Possible values include: debug, info, notice, warn, error, crit," - , " # alert, emerg." - , " LogLevel warn" - , "" - , " CustomLog /var/log/apache2/access.log combined" - , " ServerSignature On" - , " " - , " " - , " Options Indexes MultiViews" - , " AllowOverride None" - , " Order allow,deny" - , " Allow from all" - , " " - , "" +mainhttpscert :: Bool -> Apache.ConfigFile +mainhttpscert False = [] +mainhttpscert True = + [ " SSLEngine on" + , " SSLCertificateFile /etc/ssl/certs/web.pem" + , " SSLCertificateKeyFile /etc/ssl/private/web.pem" + , " SSLCertificateChainFile /etc/ssl/certs/startssl.pem" ] diff --git a/config-joey.hs b/config-joey.hs index ca1c2205..08093043 100644 --- a/config-joey.hs +++ b/config-joey.hs 
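Review bot: `mainhttpscert True` in this hunk turns SSL on and points at the cert, key and chain files but sets no `SSLProtocol`, `SSLCipherSuite` or `SSLHonorCipherOrder`, so every https vhost built by `apachecfg` inherits mod_ssl's defaults, which on the Apache 2.2 generation this config is written for (`Order allow,deny` syntax) still permit SSLv3 and weak suites. Add, after the chain-file line, `, " SSLProtocol all -SSLv2 -SSLv3"`, `, " SSLHonorCipherOrder on"` and `, " SSLCipherSuite HIGH:!aNULL:!MD5:!RC4"` — one place, now that this helper is the shared template. The annex `setupapache` stanza in the same hunk repeats the gitweb pattern of `Options Indexes FollowSymLinks ExecCGI` on a git checkout, so a `RedirectMatch 404 /\\.git(/|$)` in `apachecfg`'s common part would cover both sites. The enclosing annexWebSite definition starts before the hunk.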
@@ -17,6 +17,7 @@ import qualified Propellor.Property.Dns as Dns import qualified Propellor.Property.OpenId as OpenId import qualified Propellor.Property.Docker as Docker import qualified Propellor.Property.Git as Git +import qualified Propellor.Property.Apache as Apache import qualified Propellor.Property.Service as Service import qualified Propellor.Property.SiteSpecific.GitHome as GitHome import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder @@ -74,7 +75,12 @@ hosts = & Apt.unattendedUpgrades & Apt.serviceInstalledRunning "ntp" & Dns.zones myDnsSecondary + & Apt.serviceInstalledRunning "apache2" + & File.hasPrivContent "/etc/ssl/certs/web.pem" + & File.hasPrivContent "/etc/ssl/private/web.pem" + & File.hasPrivContent "/etc/ssl/certs/startssl.pem" + & Apache.modEnabled "ssl" & File.ownerGroup "/srv/web" "joey" "joey" & cname "git.kitenet.net" -- cgit v1.3-2-g0d8e From 56dd63916925627773cb2cf590f1c8191470dccc Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 13 Apr 2014 21:04:34 -0400 Subject: propellor spin --- Propellor/Property/Apache.hs | 10 ++++++++++ Propellor/Property/SiteSpecific/JoeySites.hs | 10 ++++++---- config-joey.hs | 1 + 3 files changed, 17 insertions(+), 4 deletions(-) (limited to 'Propellor/Property/SiteSpecific') diff --git a/Propellor/Property/Apache.hs b/Propellor/Property/Apache.hs index eab87862..f45ef9df 100644 --- a/Propellor/Property/Apache.hs +++ b/Propellor/Property/Apache.hs @@ -50,3 +50,13 @@ restarted = cmdProperty "service" ["apache2", "restart"] reloaded :: Property reloaded = Service.reloaded "apache2" + +-- | Configure apache to use SNI to differentiate between +-- https hosts. +multiSSL :: Property +multiSSL = "/etc/apache2/conf.d/ssl" `File.hasContent` + [ "NameVirtualHost *:443" + , "SSLStrictSNIVHostCheck off" + ] + `describe` "apache SNI enabled" + `onChange` reloaded 
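Review bot: `multiSSL` in the Apache.hs hunk writes `SSLStrictSNIVHostCheck off` into `/etc/apache2/conf.d/ssl` without a `requires` on mod_ssl or on apache being installed, so applied on its own it drops an `SSL*` directive into a config where mod_ssl may not be loaded and the `onChange reloaded` then fails config parsing; the ordering in config-joey.hs is the only thing preventing that today. Make the dependency part of the property: `` `requires` toProp (modEnabled "ssl") `` (assuming `toProp` is in scope here as it is in JoeySites). A comment that `off` deliberately serves the first *:443 vhost to non-SNI clients rather than rejecting them would stop it being read as a leftover; `NameVirtualHost` and `conf.d` are Apache 2.2 forms that 2.4 warns on or ignores, so the target version is worth stating too — hedged, as it is not visible on this page.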
diff --git a/Propellor/Property/SiteSpecific/JoeySites.hs b/Propellor/Property/SiteSpecific/JoeySites.hs index bd6e93f3..73a8f71f 100644 --- a/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/Propellor/Property/SiteSpecific/JoeySites.hs @@ -65,7 +65,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" , toProp $ Git.daemonRunning "/srv/git" , "/etc/gitweb.conf" `File.containsLines` [ "$projectroot = '/srv/git';" - , "@git_base_url_list = ('git://git.kitenet.net', 'http://git.kitenet.net/git', 'ssh://git.kitenet.net/srv/git');" + , "@git_base_url_list = ('git://git.kitenet.net', 'http://git.kitenet.net/git', 'https://git.kitenet.net/git', 'ssh://git.kitenet.net/srv/git');" , "# disable snapshot download; overloads server" , "$feature{'snapshot'}{'default'} = [];" ] @@ -99,9 +99,11 @@ type AnnexUUID = String -- | A website, with files coming from a git-annex repository. annexWebSite :: [Host] -> Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property -annexWebSite hosts origin hn uuid remotes = Git.cloned "joey" origin dir Nothing - `onChange` setup - `onChange` setupapache +annexWebSite hosts origin hn uuid remotes = propertyList (hn ++" website using git-annex") + [ Git.cloned "joey" origin dir Nothing + `onChange` setup + , setupapache + ] where dir = "/srv/web/" ++ hn setup = userScriptProperty "joey" setupscript diff --git a/config-joey.hs b/config-joey.hs index 08093043..235a749b 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -81,6 +81,7 @@ hosts = & File.hasPrivContent "/etc/ssl/private/web.pem" & File.hasPrivContent "/etc/ssl/certs/startssl.pem" & Apache.modEnabled "ssl" + & Apache.multiSSL & File.ownerGroup "/srv/web" "joey" "joey" & cname "git.kitenet.net" -- cgit v1.3-2-g0d8e
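Review bot: The propertyList refactor in the second JoeySites.hs hunk makes `setupapache` converge on every run, but `setup` is still hung off `Git.cloned … `onChange` setup`, so the annex UUID, the remotes and the initial `git annex get` are attempted only once, when the clone is created; if that user script fails part-way (turtle unreachable, host key not yet known) the clone exists and setup is never retried, leaving a site with no content and no error on later runs. Either make the script idempotent and list it as its own property (`git config annex.uuid` is cheap, `git remote add` needs a guard against an existing remote), or document the one-shot nature: `-- setup runs once, on initial clone; re-run by hand if it failed`. This assumes `onChange` fires only when the preceding property reports a change, which is how it is used elsewhere on this page but not visible in this hunk.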