From bce6ef57455fd979281ba7a64e100d34ed5a868b Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 31 Dec 2014 11:43:57 -0400 Subject: propellor spin --- config-joey.hs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 4525f22e..634d2774 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -452,7 +452,9 @@ myDnsPrimary domain extras = Dns.primary hosts domain , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") , (RootDomain, NS $ AbsDomain "ns6.gandi.net") , (RootDomain, MX 0 $ AbsDomain "kitenet.net") - , (RootDomain, TXT "v=spf1 a ?all") + -- SPF only allows IP address of domain to send email, + -- and hard-fails on email from other IPs. + , (RootDomain, TXT "v=spf1 a -all") ] ++ extras -- cgit v1.3-2-g0d8e From 95cdedc0985f98de7cd5ab0384a857053b023491 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 31 Dec 2014 12:53:11 -0400 Subject: propellor spin --- config-joey.hs | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 634d2774..9ef7acee 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -452,9 +452,8 @@ myDnsPrimary domain extras = Dns.primary hosts domain , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") , (RootDomain, NS $ AbsDomain "ns6.gandi.net") , (RootDomain, MX 0 $ AbsDomain "kitenet.net") - -- SPF only allows IP address of domain to send email, - -- and hard-fails on email from other IPs. - , (RootDomain, TXT "v=spf1 a -all") + -- SPF only allows IP address of kitenet.net to send mail. + , (RootDomain, TXT "v=spf1 a ip4:66.228.36.95 -all") ] ++ extras -- cgit v1.3-2-g0d8e From 5374708b6c210a21d51f73e834fa0142a5b84b44 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 31 Dec 2014 12:59:11 -0400 Subject: propellor spin --- config-joey.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 9ef7acee..65256364 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -453,7 +453,7 @@ myDnsPrimary domain extras = Dns.primary hosts domain , (RootDomain, NS $ AbsDomain "ns6.gandi.net") , (RootDomain, MX 0 $ AbsDomain "kitenet.net") -- SPF only allows IP address of kitenet.net to send mail. - , (RootDomain, TXT "v=spf1 a ip4:66.228.36.95 -all") + , (RootDomain, TXT "v=spf1 a:kitenet.net -all") ] ++ extras -- cgit v1.3-2-g0d8e From 6d4f2b54a660b164f185141ed719b3edf689df74 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 31 Dec 2014 13:15:09 -0400 Subject: propellor spin --- config-joey.hs | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 65256364..33624147 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -191,6 +191,10 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & alias "pop.kitenet.net" & alias "mail.kitenet.net" & JoeySites.kiteMailServer + + & alias "ns4.kitenet.net" + & myDnsSecondary + & branchableSecondary & JoeySites.legacyWebSites -- cgit v1.3-2-g0d8e From bc5cbee3807797043d69b7eafe3517b3522db488 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 31 Dec 2014 13:22:08 -0400 Subject: propellor spin --- config-joey.hs | 1 + 1 file changed, 1 insertion(+) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 33624147..26bedd41 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -194,6 +194,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & alias "ns4.kitenet.net" & myDnsSecondary + & alias "ns4.branchable.com" & branchableSecondary & JoeySites.legacyWebSites -- cgit v1.3-2-g0d8e From 32a104d10411882bc356b50ab8ced98016c18af3 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 1 Jan 2015 12:41:24 -0400 Subject: propellor spin --- config-joey.hs | 17 +---------------- 1 file changed, 1 insertion(+), 16 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 26bedd41..1ed3ea01 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -48,7 +48,6 @@ hosts = -- (o) ` , kite , diatom , elephant - , alien , testvm ] ++ monsters @@ -94,7 +93,7 @@ website hn = Apache.siteEnabled hn apachecfg clam :: Host clam = standardSystem "clam.kitenet.net" Unstable "amd64" [ "Unreliable server. Anything here may be lost at any time!" ] - & ipv4 "162.248.9.29" + & ipv4 "162.244.28.85" & CloudAtCost.decruft & Apt.unattendedUpgrades @@ -118,20 +117,6 @@ clam = standardSystem "clam.kitenet.net" Unstable "amd64" ! Ssh.listenPort 443 & Systemd.persistentJournal - ! Systemd.nspawned meow - -meow :: Systemd.Container -meow = Systemd.container "meow" (Chroot.debootstrapped (System (Debian Unstable) "amd64") mempty) - & Apt.serviceInstalledRunning "uptimed" - & alias "meow.kitenet.net" - -alien :: Host -alien = host "alientest.kitenet.net" - & ipv4 "104.131.106.199" - & Chroot.provisioned - ( Chroot.debootstrapped (System (Debian Unstable) "amd64") Debootstrap.MinBase "/debian" - & Apt.serviceInstalledRunning "uptimed" - ) orca :: Host orca = standardSystem "orca.kitenet.net" Unstable "amd64" -- cgit v1.3-2-g0d8e From 73ac94f2d2123cbf0a97e5e21abdfa042d539dd0 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 1 Jan 2015 16:01:33 -0400 Subject: propellor spin --- config-joey.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 1ed3ea01..39c255f9 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -93,7 +93,7 @@ website hn = Apache.siteEnabled hn apachecfg clam :: Host clam = standardSystem "clam.kitenet.net" Unstable "amd64" [ "Unreliable server. Anything here may be lost at any time!" ] - & ipv4 "162.244.28.85" + & ipv4 "167.88.41.54" & CloudAtCost.decruft & Apt.unattendedUpgrades -- cgit v1.3-2-g0d8e From 138629941da64fb471850fda72e3b2c88e7fa88f Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 1 Jan 2015 16:59:38 -0400 Subject: propellor spin --- config-joey.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 39c255f9..8d83458a 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -93,7 +93,7 @@ website hn = Apache.siteEnabled hn apachecfg clam :: Host clam = standardSystem "clam.kitenet.net" Unstable "amd64" [ "Unreliable server. Anything here may be lost at any time!" ] - & ipv4 "167.88.41.54" + & ipv4 "167.88.41.194" & CloudAtCost.decruft & Apt.unattendedUpgrades -- cgit v1.3-2-g0d8e From 3d21a2df5433a725b6060d9533da86aacb7a6527 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 4 Jan 2015 13:33:14 -0400 Subject: propellor spin --- config-joey.hs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 8d83458a..73674ea6 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -25,8 +25,6 @@ import qualified Propellor.Property.Grub as Grub import qualified Propellor.Property.Obnam as Obnam import qualified Propellor.Property.Gpg as Gpg import qualified Propellor.Property.Systemd as Systemd -import qualified Propellor.Property.Chroot as Chroot -import qualified Propellor.Property.Debootstrap as Debootstrap import qualified Propellor.Property.OS as OS import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost @@ -256,7 +254,7 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" & alias "ns2.kitenet.net" & myDnsPrimary "kitenet.net" [] - & myDnsPrimary "joeyh.name" [] + & myDnsPrimary' "joeyh.name" [] & myDnsPrimary "ikiwiki.info" [] & myDnsPrimary "olduse.net" [ (RelDomain "article", @@ -437,6 +435,16 @@ branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com" -- kite handles all mail. myDnsPrimary :: Domain -> [(BindDomain, Record)] -> RevertableProperty myDnsPrimary domain extras = Dns.primary hosts domain + (Dns.mkSOA "ns2.kitenet.net" 100) $ + [ (RootDomain, NS $ AbsDomain "ns2.kitenet.net") + , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") + , (RootDomain, NS $ AbsDomain "ns6.gandi.net") + , (RootDomain, MX 0 $ AbsDomain "kitenet.net") + -- SPF only allows IP address of kitenet.net to send mail. + , (RootDomain, TXT "v=spf1 a:kitenet.net -all") + ] ++ extras +myDnsPrimary' :: Domain -> [(BindDomain, Record)] -> RevertableProperty +myDnsPrimary' domain extras = Dns.signedPrimary Daily hosts domain (Dns.mkSOA "ns2.kitenet.net" 100) $ [ (RootDomain, NS $ AbsDomain "ns2.kitenet.net") , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") -- cgit v1.3-2-g0d8e From ad984e74e4c85f0305d9ce8255ac8909038be82d Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 4 Jan 2015 15:00:40 -0400 Subject: propellor spin --- config-joey.hs | 22 ++++++---------------- src/Propellor/Property/Dns.hs | 5 ++--- 2 files changed, 8 insertions(+), 19 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 73674ea6..8cfb9250 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -253,10 +253,10 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" & JoeySites.oldUseNetServer hosts & alias "ns2.kitenet.net" - & myDnsPrimary "kitenet.net" [] - & myDnsPrimary' "joeyh.name" [] - & myDnsPrimary "ikiwiki.info" [] - & myDnsPrimary "olduse.net" + & myDnsPrimary False "kitenet.net" [] + & myDnsPrimary True "joeyh.name" [] + & myDnsPrimary False "ikiwiki.info" [] + & myDnsPrimary False "olduse.net" [ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk") ] @@ -433,18 +433,8 @@ branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com" -- Currently using diatom (ns2) as primary with secondaries -- elephant (ns3) and gandi. -- kite handles all mail. -myDnsPrimary :: Domain -> [(BindDomain, Record)] -> RevertableProperty -myDnsPrimary domain extras = Dns.primary hosts domain - (Dns.mkSOA "ns2.kitenet.net" 100) $ - [ (RootDomain, NS $ AbsDomain "ns2.kitenet.net") - , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") - , (RootDomain, NS $ AbsDomain "ns6.gandi.net") - , (RootDomain, MX 0 $ AbsDomain "kitenet.net") - -- SPF only allows IP address of kitenet.net to send mail. - , (RootDomain, TXT "v=spf1 a:kitenet.net -all") - ] ++ extras -myDnsPrimary' :: Domain -> [(BindDomain, Record)] -> RevertableProperty -myDnsPrimary' domain extras = Dns.signedPrimary Daily hosts domain +myDnsPrimary :: Bool -> Domain -> [(BindDomain, Record)] -> RevertableProperty +myDnsPrimary dnssec domain extras = (if dnssec then Dns.signedPrimary (Weekly Nothing) else Dns.primary) hosts domain (Dns.mkSOA "ns2.kitenet.net" 100) $ [ (RootDomain, NS $ AbsDomain "ns2.kitenet.net") , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs index e9c7c769..b5c97d35 100644 --- a/src/Propellor/Property/Dns.hs +++ b/src/Propellor/Property/Dns.hs @@ -126,15 +126,14 @@ cleanupPrimary zonefile domain = check (doesFileExist zonefile) $ -- -- The 'Recurrance' controls how frequently the signature -- should be regenerated, using a new random salt, to prevent --- zone walking attacks. `Daily` is a reasonable choice. +-- zone walking attacks. `Weekly Nothing` is a reasonable choice. signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup where - -- TODO enable dnssec options. - -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; setup = combineProperties ("dns primary for " ++ domain ++ " (signed)") [ setupPrimary zonefile signedZoneFile hosts domain soa rs' , toProp (zoneSigned domain zonefile) + , forceZoneSigned domain zonefile `period` recurrance ] `onChange` Service.reloaded "bind9" -- cgit v1.3-2-g0d8e From 52664e622084b2986bc123f9725a0243a6794ace Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 4 Jan 2015 15:36:10 -0400 Subject: sshPubKey is renamed to Ssh.pubKey --- config-joey.hs | 8 ++++---- debian/changelog | 3 ++- propellor.cabal | 2 +- src/Propellor/Engine.hs | 2 +- src/Propellor/Info.hs | 7 ------- src/Propellor/Property/Ssh.hs | 19 +++++++++++++++---- 6 files changed, 23 insertions(+), 18 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 8cfb9250..dbf3196b 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -278,7 +278,7 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" & Systemd.installed & Systemd.persistentJournal & Ssh.hostKeys hostContext - & sshPubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=" + & Ssh.pubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=" & Ssh.keyImported SshRsa "joey" hostContext & Apt.serviceInstalledRunning "swapspace" @@ -459,9 +459,9 @@ myDnsPrimary dnssec domain extras = (if dnssec then Dns.signedPrimary (Weekly No monsters :: [Host] -- Systems I don't manage with propellor, monsters = -- but do want to track their public keys etc. [ host "usw-s002.rsync.net" - & sshPubKey "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ==" + & Ssh.pubKey "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ==" , host "github.com" - & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" + & Ssh.pubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" , host "ns6.gandi.net" & ipv4 "217.70.177.40" , host "turtle.kitenet.net" @@ -469,7 +469,7 @@ monsters = -- but do want to track their public keys etc. & ipv6 "2001:4978:f:2d9::2" & alias "backup.kitenet.net" & alias "usbackup.kitenet.net" - & sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" + & Ssh.pubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" , host "old.kitenet.net" & ipv4 "80.68.85.49" , host "mouse.kitenet.net" diff --git a/debian/changelog b/debian/changelog index 79109a18..dee084ec 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -propellor (1.2.3) UNRELEASED; urgency=medium +propellor (1.3.0) UNRELEASED; urgency=medium * --spin checks if the DNS matches any configured IP address property of the host, and if not, sshes to the host by IP address. @@ -6,6 +6,7 @@ propellor (1.2.3) UNRELEASED; urgency=medium that docker exec doesn't enter a chroot. * Update intermediary propellor in --spin --via * Added support for DNSSEC. + * sshPubKey is renamed to Ssh.pubKey * Fix build with process 1.2.1.0. -- Joey Hess Thu, 01 Jan 2015 13:27:23 -0400 diff --git a/propellor.cabal b/propellor.cabal index 09cb19cf..a239bf4a 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -1,5 +1,5 @@ Name: propellor -Version: 1.2.2 +Version: 1.3.0 Cabal-Version: >= 1.6 License: BSD3 Maintainer: Joey Hess diff --git a/src/Propellor/Engine.hs b/src/Propellor/Engine.hs index f29ce1a9..667f6bfb 100644 --- a/src/Propellor/Engine.hs +++ b/src/Propellor/Engine.hs @@ -77,7 +77,7 @@ ensureProperties ps = ensure ps NoChange -- | Lifts an action into a different host. -- --- For example, `fromHost hosts "otherhost" getSshPubKey` +-- For example, `fromHost hosts "otherhost" getPubKey` fromHost :: [Host] -> HostName -> Propellor a -> Propellor (Maybe a) fromHost l hn getter = case findHost l hn of Nothing -> return Nothing diff --git a/src/Propellor/Info.hs b/src/Propellor/Info.hs index 3af3fc15..b7ca81b5 100644 --- a/src/Propellor/Info.hs +++ b/src/Propellor/Info.hs @@ -70,13 +70,6 @@ addDNS r = pureInfoProperty (rdesc r) $ mempty { _dns = S.singleton r } ddesc (RelDomain domain) = domain ddesc RootDomain = "@" -sshPubKey :: String -> Property -sshPubKey k = pureInfoProperty ("ssh pubkey known") $ - mempty { _sshPubKey = Val k } - -getSshPubKey :: Propellor (Maybe String) -getSshPubKey = askInfo _sshPubKey - hostMap :: [Host] -> M.Map HostName Host hostMap l = M.fromList $ zip (map hostName l) l diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 695b67cb..8b03d8a9 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -6,6 +6,7 @@ module Propellor.Property.Ssh ( authorizedKey, restarted, randomHostKeys, + pubKey, hostKeys, hostKey, keyImported, @@ -79,7 +80,16 @@ randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys" ensureProperty $ scriptProperty [ "DPKG_MAINTSCRIPT_NAME=postinst DPKG_MAINTSCRIPT_PACKAGE=openssh-server /var/lib/dpkg/info/openssh-server.postinst configure" ] --- | Sets all types of ssh host keys from the privdata. +-- | When a host has a well-known public key, this can be used to indicate +-- what the key is. It does not cause the key to be installed. +pubKey :: String -> Property +pubKey k = pureInfoProperty ("ssh pubkey known") $ + mempty { _sshPubKey = Val k } + +getPubKey :: Propellor (Maybe String) +getPubKey = askInfo _sshPubKey + +-- | Installs all commonly used types of ssh host keys from the privdata. hostKeys :: IsContext c => c -> Property hostKeys ctx = propertyList "known ssh host keys" [ hostKey SshDsa ctx @@ -87,7 +97,7 @@ hostKeys ctx = propertyList "known ssh host keys" , hostKey SshEcdsa ctx ] --- | Sets a single ssh host key from the privdata. +-- | Installs a single ssh host key from the privdata. hostKey :: IsContext c => SshKeyType -> c -> Property hostKey keytype context = combineProperties desc [ installkey (keysrc ".pub" (SshPubKey keytype "")) (install writeFile ".pub") @@ -140,10 +150,11 @@ fromKeyType SshDsa = "dsa" fromKeyType SshEcdsa = "ecdsa" fromKeyType SshEd25519 = "ed25519" --- | Puts some host's ssh public key into the known_hosts file for a user. +-- | Puts some host's ssh public key, as set using 'pubKey', +-- into the known_hosts file for a user. knownHost :: [Host] -> HostName -> UserName -> Property knownHost hosts hn user = property desc $ - go =<< fromHost hosts hn getSshPubKey + go =<< fromHost hosts hn getPubKey where desc = user ++ " knows ssh key for " ++ hn go (Just (Just k)) = do -- cgit v1.3-2-g0d8e From f1a1d0001a4c9bbfb0d658131314d014d7deb5c8 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 4 Jan 2015 15:55:53 -0400 Subject: sshPubKey is renamed to Ssh.pubKey, and has an added SshKeyType parameter. --- config-joey.hs | 8 ++++---- debian/changelog | 3 ++- src/Propellor/PrivData.hs | 2 +- src/Propellor/Property/Ssh.hs | 32 +++++++++++++++++++------------- src/Propellor/Types.hs | 5 +++-- 5 files changed, 29 insertions(+), 21 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index dbf3196b..3ff0d48d 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -278,7 +278,7 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" & Systemd.installed & Systemd.persistentJournal & Ssh.hostKeys hostContext - & Ssh.pubKey "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=" + & Ssh.pubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=" & Ssh.keyImported SshRsa "joey" hostContext & Apt.serviceInstalledRunning "swapspace" @@ -459,9 +459,9 @@ myDnsPrimary dnssec domain extras = (if dnssec then Dns.signedPrimary (Weekly No monsters :: [Host] -- Systems I don't manage with propellor, monsters = -- but do want to track their public keys etc. [ host "usw-s002.rsync.net" - & Ssh.pubKey "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ==" + & Ssh.pubKey SshDsa "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ==" , host "github.com" - & Ssh.pubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" + & Ssh.pubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" , host "ns6.gandi.net" & ipv4 "217.70.177.40" , host "turtle.kitenet.net" @@ -469,7 +469,7 @@ monsters = -- but do want to track their public keys etc. & ipv6 "2001:4978:f:2d9::2" & alias "backup.kitenet.net" & alias "usbackup.kitenet.net" - & Ssh.pubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" + & Ssh.pubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" , host "old.kitenet.net" & ipv4 "80.68.85.49" , host "mouse.kitenet.net" diff --git a/debian/changelog b/debian/changelog index dee084ec..0176daf1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,7 +6,8 @@ propellor (1.3.0) UNRELEASED; urgency=medium that docker exec doesn't enter a chroot. * Update intermediary propellor in --spin --via * Added support for DNSSEC. - * sshPubKey is renamed to Ssh.pubKey + * sshPubKey is renamed to Ssh.pubKey, and has an added SshKeyType + parameter. * Fix build with process 1.2.1.0. -- Joey Hess Thu, 01 Jan 2015 13:27:23 -0400 diff --git a/src/Propellor/PrivData.hs b/src/Propellor/PrivData.hs index 6253e924..2b27f221 100644 --- a/src/Propellor/PrivData.hs +++ b/src/Propellor/PrivData.hs @@ -55,7 +55,7 @@ withPrivData -> Property withPrivData s = withPrivData' snd [s] --- Like withPrivData, but here any of a list of PrivDataFields can be used. +-- Like withPrivData, but here any one of a list of PrivDataFields can be used. withSomePrivData :: (IsContext c, IsPrivDataSource s) => [s] diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 8b03d8a9..9a0b2153 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -23,6 +23,7 @@ import Utility.SafeCommand import Utility.FileMode import System.PosixCompat +import qualified Data.Map as M sshBool :: Bool -> String sshBool True = "yes" @@ -80,16 +81,16 @@ randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys" ensureProperty $ scriptProperty [ "DPKG_MAINTSCRIPT_NAME=postinst DPKG_MAINTSCRIPT_PACKAGE=openssh-server /var/lib/dpkg/info/openssh-server.postinst configure" ] --- | When a host has a well-known public key, this can be used to indicate --- what the key is. It does not cause the key to be installed. -pubKey :: String -> Property -pubKey k = pureInfoProperty ("ssh pubkey known") $ - mempty { _sshPubKey = Val k } +-- | When a host has a well-known public host key, this can be used +-- to indicate what the key is. It does not cause the key to be installed. +pubKey :: SshKeyType -> String -> Property +pubKey t k = pureInfoProperty ("ssh pubkey known") $ + mempty { _sshPubKey = M.singleton t k } -getPubKey :: Propellor (Maybe String) -getPubKey = askInfo _sshPubKey +getPubKey :: Propellor (M.Map SshKeyType String) +getPubKey = asks (_sshPubKey . hostInfo) --- | Installs all commonly used types of ssh host keys from the privdata. +-- | Installs all commonly used types of ssh host keys. hostKeys :: IsContext c => c -> Property hostKeys ctx = propertyList "known ssh host keys" [ hostKey SshDsa ctx @@ -97,7 +98,11 @@ hostKeys ctx = propertyList "known ssh host keys" , hostKey SshEcdsa ctx ] --- | Installs a single ssh host key from the privdata. +-- | Installs a single ssh host key. +-- +-- The private key comes from the privdata. +-- +-- The public key is set using 'pubKey'. hostKey :: IsContext c => SshKeyType -> c -> Property hostKey keytype context = combineProperties desc [ installkey (keysrc ".pub" (SshPubKey keytype "")) (install writeFile ".pub") @@ -150,22 +155,23 @@ fromKeyType SshDsa = "dsa" fromKeyType SshEcdsa = "ecdsa" fromKeyType SshEd25519 = "ed25519" --- | Puts some host's ssh public key, as set using 'pubKey', +-- | Puts some host's ssh public key(s), as set using 'pubKey', -- into the known_hosts file for a user. knownHost :: [Host] -> HostName -> UserName -> Property knownHost hosts hn user = property desc $ go =<< fromHost hosts hn getPubKey where desc = user ++ " knows ssh key for " ++ hn - go (Just (Just k)) = do + go (Just m) | not (M.null m) = do f <- liftIO $ dotFile "known_hosts" user ensureProperty $ combineProperties desc [ File.dirExists (takeDirectory f) - , f `File.containsLine` (hn ++ " " ++ k) + , f `File.containsLines` + (map (\k -> hn ++ " " ++ k) (M.elems m)) , File.ownerGroup f user user ] go _ = do - warningMessage $ "no configred sshPubKey for " ++ hn + warningMessage $ "no configred pubKey for " ++ hn return FailedChange -- | Makes a user have authorized_keys from the PrivData diff --git a/src/Propellor/Types.hs b/src/Propellor/Types.hs index fc10cb20..ca3a9582 100644 --- a/src/Propellor/Types.hs +++ b/src/Propellor/Types.hs @@ -37,6 +37,7 @@ import System.Posix.Types import "mtl" Control.Monad.RWS.Strict import "MonadCatchIO-transformers" Control.Monad.CatchIO import qualified Data.Set as S +import qualified Data.Map as M import qualified Propellor.Types.Dns as Dns import Propellor.Types.OS @@ -176,7 +177,7 @@ data CmdLine data Info = Info { _os :: Val System , _privDataFields :: S.Set (PrivDataField, HostContext) - , _sshPubKey :: Val String + , _sshPubKey :: M.Map SshKeyType String , _aliases :: S.Set HostName , _dns :: S.Set Dns.Record , _namedconf :: Dns.NamedConfMap @@ -190,7 +191,7 @@ instance Monoid Info where mappend old new = Info { _os = _os old <> _os new , _privDataFields = _privDataFields old <> _privDataFields new - , _sshPubKey = _sshPubKey old <> _sshPubKey new + , _sshPubKey = _sshPubKey new `M.union` _sshPubKey old , _aliases = _aliases old <> _aliases new , _dns = _dns old <> _dns new , _namedconf = _namedconf old <> _namedconf new -- cgit v1.3-2-g0d8e From 0af7629c988dbce4b1074e6c760b8c2967411483 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 4 Jan 2015 16:54:43 -0400 Subject: propellor spin --- config-joey.hs | 12 ++++++- debian/changelog | 9 ++--- src/Propellor/Property/Ssh.hs | 77 +++++++++++++++++++++++++++---------------- 3 files changed, 64 insertions(+), 34 deletions(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 3ff0d48d..18bdf99e 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -151,6 +151,10 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & Systemd.installed & Systemd.persistentJournal & Ssh.hostKeys (Context "kitenet.net") + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=") + , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=") + ] & Ssh.passwordAuthentication True -- Since ssh password authentication is allowed: & Apt.serviceInstalledRunning "fail2ban" @@ -214,6 +218,9 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" & DigitalOcean.distroKernel & Ssh.hostKeys hostContext + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=") + ] & Apt.unattendedUpgrades & Apt.serviceInstalledRunning "ntp" & Postfix.satellite @@ -278,7 +285,10 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" & Systemd.installed & Systemd.persistentJournal & Ssh.hostKeys hostContext - & Ssh.pubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=" + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBANxXGWac0Yz58akI3UbLkphAa8VPDCGswTS0CT3D5xWyL9OeArISAi/OKRIvxA4c+9XnWtNXS7nYVFDJmzzg8v3ZMx543AxXK82kXCfvTOc/nAlVz9YKJAA+FmCloxpmOGrdiTx1k36FE+uQgorslGW/QTxnOcO03fDZej/ppJifAAAAFQCnenyJIw6iJB1+zuF/1TSLT8UAeQAAAIEA1WDrI8rKnxnh2rGaQ0nk+lOcVMLEr7AxParnZjgC4wt2mm/BmkF/feI1Fjft2z4D+V1W7MJHOqshliuproxhFUNGgX9fTbstFJf66p7h7OLAlwK8ZkpRk/uV3h5cIUPel6aCwjL5M2gN6/yq+gcCTXeHLq9OPyUTmlN77SBL71UAAACBAJJiCHWxPAGooe7Vv3W7EIBbsDyf7b2kDH3bsIlo+XFcKIN6jysBu4kn9utjFlrlPeHUDzGQHe+DmSqTUQQ0JPCRGcAcuJL8XUqhJi6A6ye51M9hVt51cJMXmERx9TjLOP/adkEuxpv3Fj20FxRUr1HOmvRvewSHrJ1GeA1bjbYL") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEQ7aNmRYyLKY7xHILQsyV/w0B3++D98vn5IvjHkDnitrUWjB+vPxlS7LYKLzN9Jx7Hb14R2lg7+wdgtFMxLZZukA8b0tqFpTdRFBvBYGh8IM8Id1iE/6io/NZl+hTQEDp0LJP+RljH1CLfz7J3qtc+v6NbfTP5cOgH104mWYoLWzJGaZ4p53jz6THRWnVXy5nPO3dSBr2f/SQgRuJQWHNIh0jicRGD8H2kzOQzilpo+Y46PWtkufl3Yu3UsP5UMAyLRIXwZ6nNRZqRiVWrX44hoNfDbooTdFobbHlqMl+y6291bOXaOA6PACk8B4IVcC89/gmc9Oe4EaDuszU5kD") + , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=") + ] & Ssh.keyImported SshRsa "joey" hostContext & Apt.serviceInstalledRunning "swapspace" diff --git a/debian/changelog b/debian/changelog index 11d52e3c..63089cbc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,12 +6,13 @@ propellor (1.3.0) UNRELEASED; urgency=medium that docker exec doesn't enter a chroot. * Update intermediary propellor in --spin --via * Added support for DNSSEC. + * Ssh.hostKey and Ssh.hostKeys no longer install public keys from + the privdata. Instead, the public keys are included in the + configuration. (API change) + * Ssh.hostKeys now removes any host keys of types that the host is not + configured to have. * sshPubKey is renamed to Ssh.pubKey, and has an added SshKeyType parameter. (API change) - * Ssh.hostKey and Ssh.hostKeys no longer install public keys from - the privdata. Instead, the public keys of a host should be set using - Ssh.pubKey. - * Ssh.hostKeys now also installs any available SshEd25519 keys. * Fix build with process 1.2.1.0. -- Joey Hess Thu, 01 Jan 2015 13:27:23 -0400 diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 8642d990..571adfd5 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -6,9 +6,9 @@ module Propellor.Property.Ssh ( authorizedKey, restarted, randomHostKeys, - pubKey, hostKeys, hostKey, + pubKey, keyImported, knownHost, authorizedKeys, @@ -25,6 +25,8 @@ import Utility.FileMode import System.PosixCompat import qualified Data.Map as M +type PubKeyText = String + sshBool :: Bool -> String sshBool True = "yes" sshBool False = "no" @@ -81,41 +83,43 @@ randomHostKeys = flagFile prop "/etc/ssh/.unique_host_keys" ensureProperty $ scriptProperty [ "DPKG_MAINTSCRIPT_NAME=postinst DPKG_MAINTSCRIPT_PACKAGE=openssh-server /var/lib/dpkg/info/openssh-server.postinst configure" ] --- | When a host has a well-known public host key, this can be used --- to indicate what the key is. It does not cause the key to be installed. -pubKey :: SshKeyType -> String -> Property -pubKey t k = pureInfoProperty ("ssh pubkey known") $ - mempty { _sshPubKey = M.singleton t k } - -getPubKey :: Propellor (M.Map SshKeyType String) -getPubKey = asks (_sshPubKey . hostInfo) - --- | Installs all available types of ssh host keys. -hostKeys :: IsContext c => c -> Property -hostKeys ctx = propertyList "known ssh host keys" $ - map (flip hostKey ctx) [minBound..maxBound] +-- | Installs the specified list of ssh host keys. +-- +-- The corresponding private keys come from the privdata. +-- +-- Any host keysthat are not in the list are removed from the host. +hostKeys :: IsContext c => c -> [(SshKeyType, PubKeyText)] -> Property +hostKeys ctx l = propertyList desc $ catMaybes $ + map (\(t, pub) -> Just $ hostKey ctx t pub) l ++ [cleanup] + where + desc = "ssh host keys configured " ++ typelist (map fst l) + typelist tl = "(" ++ unwords (map fromKeyType tl) ++ ")" + alltypes = [minBound..maxBound] + staletypes = filter (`notElem` alltypes) (map fst l) + removestale b = map (File.notPresent . flip keyFile b) staletypes + cleanup + | null staletypes = Nothing + | otherwise = Just $ property ("stale keys removed " ++ typelist staletypes) $ + ensureProperty $ + combineProperties desc (removestale True ++ removestale False) + `onChange` restarted -- | Installs a single ssh host key of a particular type. -- --- The private key comes from the privdata; --- the public key is set using 'pubKey'. -hostKey :: IsContext c => SshKeyType -> c -> Property -hostKey keytype context = combineProperties desc - [ property desc $ do - v <- M.lookup keytype <$> getPubKey - case v of - Just k -> install writeFile ".pub" k - Nothing -> do - warningMessage $ "Missing ssh pubKey " ++ show keytype - return FailedChange +-- The public key is provided to this function; +-- the private key comes from the privdata; +hostKey :: IsContext c => c -> SshKeyType -> PubKeyText -> Property +hostKey context keytype pub = combineProperties desc + [ pubKey keytype pub + , property desc $ install writeFile True pub , withPrivData (keysrc "" (SshPrivKey keytype "")) context $ \getkey -> - property desc $ getkey $ install writeFileProtected "" + property desc $ getkey $ install writeFileProtected False ] `onChange` restarted where - desc = "known ssh host key (" ++ fromKeyType keytype ++ ")" - install writer ext key = do - let f = "/etc/ssh/ssh_host_" ++ fromKeyType keytype ++ "_key" ++ ext + desc = "ssh host key configured (" ++ fromKeyType keytype ++ ")" + install writer ispub key = do + let f = keyFile keytype ispub s <- liftIO $ readFileStrict f if s == key then noChange @@ -123,6 +127,21 @@ hostKey keytype context = combineProperties desc keysrc ext field = PrivDataSourceFileFromCommand field ("sshkey"++ext) ("ssh-keygen -t " ++ sshKeyTypeParam keytype ++ " -f sshkey") +keyFile :: SshKeyType -> Bool -> FilePath +keyFile keytype ispub = "/etc/ssh/ssh_host_" ++ fromKeyType keytype ++ "_key" ++ ext + where + ext = if ispub then ".pub" else "" + +-- | Indicates the host key that is used by a Host, but does not actually +-- configure the host to use it. Normally this does not need to be used; +-- use 'hostKey' instead. +pubKey :: SshKeyType -> PubKeyText -> Property +pubKey t k = pureInfoProperty ("ssh pubkey known") $ + mempty { _sshPubKey = M.singleton t k } + +getPubKey :: Propellor (M.Map SshKeyType String) +getPubKey = asks (_sshPubKey . hostInfo) + -- | Sets up a user with a ssh private key and public key pair from the -- PrivData. keyImported :: IsContext c => SshKeyType -> UserName -> c -> Property -- cgit v1.3-2-g0d8e From ab8ff9a00e76d3cc395136d3c676286aae28eb19 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 4 Jan 2015 17:15:29 -0400 Subject: randomHostKeys is removed from CloudAtCost.deCruft. --- config-joey.hs | 1 + debian/changelog | 1 + src/Propellor/Property/HostingProvider/CloudAtCost.hs | 1 - 3 files changed, 2 insertions(+), 1 deletion(-) (limited to 'config-joey.hs') diff --git a/config-joey.hs b/config-joey.hs index 18bdf99e..d81a18c6 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -94,6 +94,7 @@ clam = standardSystem "clam.kitenet.net" Unstable "amd64" & ipv4 "167.88.41.194" & CloudAtCost.decruft + & Ssh.randomHostKeys & Apt.unattendedUpgrades & Network.ipv6to4 & Tor.isBridge diff --git a/debian/changelog b/debian/changelog index 63089cbc..6bcee3eb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -13,6 +13,7 @@ propellor (1.3.0) UNRELEASED; urgency=medium configured to have. * sshPubKey is renamed to Ssh.pubKey, and has an added SshKeyType parameter. (API change) + * CloudAtCost.deCruft no longer forces randomHostKeys. * Fix build with process 1.2.1.0. -- Joey Hess Thu, 01 Jan 2015 13:27:23 -0400 diff --git a/src/Propellor/Property/HostingProvider/CloudAtCost.hs b/src/Propellor/Property/HostingProvider/CloudAtCost.hs index cce80920..f45a4aa8 100644 --- a/src/Propellor/Property/HostingProvider/CloudAtCost.hs +++ b/src/Propellor/Property/HostingProvider/CloudAtCost.hs @@ -10,7 +10,6 @@ import qualified Propellor.Property.User as User decruft :: Property decruft = propertyList "cloudatcost cleanup" [ Hostname.sane - , Ssh.randomHostKeys , "worked around grub/lvm boot bug #743126" ==> "/etc/default/grub" `File.containsLine` "GRUB_DISABLE_LINUX_UUID=true" `onChange` cmdProperty "update-grub" [] -- cgit v1.3-2-g0d8e