From 145aa0669915a8134f77075f8a53c33216320df4 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 15:53:07 -0400
Subject: propellor spin
---
 joeyconfig.hs | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 364882b2..e504695c 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -55,6 +55,7 @@ hosts = -- (o) `
 , elephant
 , beaver
 , pell
+ , k1
 , iabak
 ] ++ monsters
@@ -453,6 +454,19 @@ pell = host "pell.branchable.com" $ props
 & Apt.unattendedUpgrades
 & Branchable.server hosts
+k1 :: Host
+k1 = host "k1.kitenet.net" $ props
+ & ipv4 "139.59.17.168"
+ & Hostname.sane
+ & osDebian (Stable "jessie") X86_64
+ & Cron.runPropellor (Cron.Times "30 * * * *")
+ & Apt.stdSourcesList `onChange` Apt.upgrade
+ & Apt.installed ["openssh-server"]
+ & Ssh.noPasswords
+ & Apt.installed ["etckeeper", "sudo"]
+ & User.hasSomePassword (User "root")
+ & User.hasSomePassword (User "joey")
+
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
 & ipv4 "124.6.40.227"
-- cgit v1.3-2-g0d8e
From 0245d741337a6d1ebf878b074fe8c34650466290 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 15:58:18 -0400
Subject: propellor spin
---
 joeyconfig.hs | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index e504695c..91ce6348 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -31,6 +31,7 @@ import qualified Propellor.Property.Aiccu as Aiccu
 import qualified Propellor.Property.OS as OS
 import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
 import qualified Propellor.Property.HostingProvider.Linode as Linode
+import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
 import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
 import qualified Propellor.Property.SiteSpecific.IABak as IABak
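Review bot: The new `k1` definition never provisions an ssh key for the accounts it gives passwords to, yet `Ssh.noPasswords` disables password logins, so after the first run ssh access rests entirely on keys placed outside this config; a comment on the `& Ssh.noPasswords` line saying where that key comes from would make the dependency visible to the next reader. Unlike `pell`, whose context lines open this hunk with `Apt.unattendedUpgrades`, k1 only has `Apt.stdSourcesList `onChange` Apt.upgrade`, which presumably upgrades only when the sources list changes, so security updates otherwise wait for a manual run; adding `& Apt.unattendedUpgrades` after the sources-list line would match the sibling host.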
@@ -459,6 +460,7 @@ k1 = host "k1.kitenet.net" $ props
 & ipv4 "139.59.17.168"
 & Hostname.sane
 & osDebian (Stable "jessie") X86_64
+ & DigitalOcean.distroKernel
 & Cron.runPropellor (Cron.Times "30 * * * *")
 & Apt.stdSourcesList `onChange` Apt.upgrade
 & Apt.installed ["openssh-server"]
-- cgit v1.3-2-g0d8e
From 3d2b5bb851fc9898ced38137dfcac3eadf39efae Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 15:59:08 -0400
Subject: propellor spin
---
 joeyconfig.hs | 1 +
 1 file changed, 1 insertion(+)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 91ce6348..d4634b02 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -468,6 +468,7 @@ k1 = host "k1.kitenet.net" $ props
 & Apt.installed ["etckeeper", "sudo"]
 & User.hasSomePassword (User "root")
 & User.hasSomePassword (User "joey")
+ & Apt.serviceInstalledRunning "swapspace"
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
-- cgit v1.3-2-g0d8e
From 99e3208d8829cd42a7d949c97790f104d7165b53 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:20:21 -0400
Subject: propellor spin
---
 joeyconfig.hs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index d4634b02..802878a5 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -56,7 +56,7 @@ hosts = -- (o) `
 , elephant
 , beaver
 , pell
- , k1
+ , keysafe
 , iabak
 ] ++ monsters
@@ -455,20 +455,21 @@ pell = host "pell.branchable.com" $ props
 & Apt.unattendedUpgrades
 & Branchable.server hosts
-k1 :: Host
-k1 = host "k1.kitenet.net" $ props
+keysafe :: Host
+keysafe = host "keysafe.joeyh.name" $ props
 & ipv4 "139.59.17.168"
 & Hostname.sane
 & osDebian (Stable "jessie") X86_64
+ & Apt.stdSourcesList `onChange` Apt.upgrade
 & DigitalOcean.distroKernel
+ -- This is a 500 mb VM, so need more ram to build propellor.
+ & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
- & Apt.stdSourcesList `onChange` Apt.upgrade
- & Apt.installed ["openssh-server"]
+ & Apt.installed ["openssh-server", "etckeeper", "sudo"]
 & Ssh.noPasswords
- & Apt.installed ["etckeeper", "sudo"]
 & User.hasSomePassword (User "root")
+ & User.accountFor (User "joey")
 & User.hasSomePassword (User "joey")
- & Apt.serviceInstalledRunning "swapspace"
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
-- cgit v1.3-2-g0d8e
From b769419aafe2331d512e8ae02f5ba925bd5f7185 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:26:42 -0400
Subject: propellor spin
---
 joeyconfig.hs | 1 +
 1 file changed, 1 insertion(+)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 802878a5..39ddaffd 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -470,6 +470,7 @@ keysafe = host "keysafe.joeyh.name" $ props
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
 & User.hasSomePassword (User "joey")
+ & Sudo.enabledFor (User "joey")
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
-- cgit v1.3-2-g0d8e
From f38a1d0c0d8e482198e3f2a29ac92702715a755a Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:32:23 -0400
Subject: propellor spin
---
 joeyconfig.hs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 39ddaffd..ae3e6ab1 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -466,11 +466,13 @@ keysafe = host "keysafe.joeyh.name" $ props
 & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
 & Apt.installed ["openssh-server", "etckeeper", "sudo"]
- & Ssh.noPasswords
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
 & User.hasSomePassword (User "joey")
 & Sudo.enabledFor (User "joey")
+ & Ssh.randomHostKeys
+ & User "joey" `Ssh.authorizedKeysFrom` (User "joey", darkstar)
+ & Ssh.noPasswords
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
-- cgit v1.3-2-g0d8e
From 18a77aab556087cb744e08d3e631120c928b23d4 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:36:08 -0400
Subject: propellor spin
---
 joeyconfig.hs | 3 +++
 src/Propellor/Property/Ssh.hs | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index ae3e6ab1..588adfe3 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -90,6 +90,9 @@ darkstar = host "darkstar.kitenet.net" $ props
 & JoeySites.dkimMilter
 & JoeySites.alarmClock "*-*-* 7:30" (User "joey") "/usr/bin/timeout 45m /home/joey/bin/goodmorning"
+ & Ssh.userKeys (User "joey") hostContext
+ [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1YoyHxZwG5Eg0yiMTJLSWJ/+dMM6zZkZiR4JJ0iUfP+tT2bm/lxYompbSqBeiCq+PYcSC67mALxp1vfmdOV//LWlbXfotpxtyxbdTcQbHhdz4num9rJQz1tjsOsxTEheX5jKirFNC5OiKhqwIuNydKWDS9qHGqsKcZQ8p+n1g9Lr3nJVGY7eRRXzw/HopTpwmGmAmb9IXY6DC2k91KReRZAlOrk0287LaK3eCe1z0bu7LYzqqS+w99iXZ/Qs0m9OqAPnHZjWQQ0fN4xn5JQpZSJ7sqO38TBAimM+IHPmy2FTNVVn9zGM+vN1O2xr3l796QmaUG1+XLL0shfR/OZbb joey@darkstar")
+ ]
 ! imageBuilt "/tmp/img" c MSDOS (grubBooted PC)
 [ partition EXT2 `mountedAt` "/boot"
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index 6e1690d2..527ad444 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
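Review bot: `Ssh.randomHostKeys` is added without anything that re-establishes trust in the regenerated host key: `Ssh.authorizedKeysFrom` on the next line only manages authorized_keys on keysafe, so if the property does what its name suggests, darkstar's known_hosts entry for keysafe.joeyh.name goes stale the first time this runs and every later ssh session (propellor's own included) sees a host-key mismatch that looks exactly like a MITM. A comment on that line, `-- regenerates host keys; re-verify the fingerprint out of band before updating known_hosts`, would at least tell the operator what to expect. Moving `Ssh.noPasswords` below `Ssh.authorizedKeysFrom` is the right order, since the key lands before password auth is switched off. The `keysafe` definition starts above this hunk.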
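Review bot: The inline public key under `Ssh.userKeys (User "joey") hostContext` has no comment saying what depends on it; the `Ssh.hs` hunk that follows on this page states that `authorizedKeysFrom` takes the remote user's keys from `userKeys`, so this literal is what authorizes joey@darkstar on any host listing `(User "joey", darkstar)`, and rotating it here silently changes access there. A comment above the list, `-- public half of joey@darkstar's key; hosts using authorizedKeysFrom (User "joey", darkstar) trust exactly this`, plus a note on where the private half lives (presumably privdata under the same context, which the hunk does not show) would make the pair auditable. The `darkstar` definition starts and ends outside the hunk.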
@@ -362,7 +362,7 @@ modKnownHost user f p = p
 -- | Ensures that a local user's authorized_keys contains lines allowing
 -- logins from a remote user on the specified Host.
 --
--- The ssh keys of the remote user can be set using `keysImported`
+-- The ssh keys of the remote user can be set using `userKeys`
 --
 -- Any other lines in the authorized_keys file are preserved as-is.
 authorizedKeysFrom :: User -> (User, Host) -> Property UnixLike
-- cgit v1.3-2-g0d8e
From 1b4ce46fa0f6eb57768558f57b268e38890fbaf5 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:40:08 -0400
Subject: propellor spin
---
 joeyconfig.hs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 588adfe3..c1b2bee4 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -468,15 +468,21 @@ keysafe = host "keysafe.joeyh.name" $ props
 -- This is a 500 mb VM, so need more ram to build propellor.
 & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
- & Apt.installed ["openssh-server", "etckeeper", "sudo"]
+ & Apt.installed ["etckeeper", "sudo"]
+
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
 & User.hasSomePassword (User "joey")
 & Sudo.enabledFor (User "joey")
+
+ & Ssh.installed
 & Ssh.randomHostKeys
+ & User "root" `Ssh.authorizedKeysFrom` (User "joey", darkstar)
 & User "joey" `Ssh.authorizedKeysFrom` (User "joey", darkstar)
 & Ssh.noPasswords
+ & Tor.installed
+
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
 & ipv4 "124.6.40.227"
-- cgit v1.3-2-g0d8e
From a8cee95e94b901ea4de4bf3be51820c4fe97dd37 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:44:10 -0400
Subject: propellor spin
---
 joeyconfig.hs | 1 +
 1 file changed, 1 insertion(+)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index c1b2bee4..0888d425 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
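Review bot: `User "root" `Ssh.authorizedKeysFrom` (User "joey", darkstar)` gives the darkstar key direct root login on keysafe even though the same key already reaches root through `User.accountFor (User "joey")` plus `Sudo.enabledFor (User "joey")` a few lines up. Two routes to root for one key widen what a compromised darkstar key can do, and the direct one bypasses sudo's per-command logging; if the root login exists for propellor's own ssh sessions (the doc/security.mdwn hunk further down notes that `propellor --spin` works over ssh), say so in a comment, `-- root key needed for propellor --spin`, otherwise drop the line and keep the sudo path. `Tor.installed` is added bare, which is fine only if nothing here is expected to be reachable as a hidden service. The `keysafe` definition starts before this hunk.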
@@ -469,6 +469,7 @@ keysafe = host "keysafe.joeyh.name" $ props
 & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
 & Apt.installed ["etckeeper", "sudo"]
+ & Apt.removed ["nfs-common", "exim", "rsyslogd", "acpid", "rpcbind"]
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
-- cgit v1.3-2-g0d8e
From 3962a495c12fd26d354f6741a436e8fd6f7c0756 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:46:21 -0400
Subject: propellor spin
---
 joeyconfig.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 0888d425..01311c3f 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -469,7 +469,7 @@ keysafe = host "keysafe.joeyh.name" $ props
 & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
 & Apt.installed ["etckeeper", "sudo"]
- & Apt.removed ["nfs-common", "exim", "rsyslogd", "acpid", "rpcbind"]
+ & Apt.removed ["nfs-common", "exim4", "rsyslog", "acpid", "rpcbind"]
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
-- cgit v1.3-2-g0d8e
From 9eca0a9db77477f7a80ffb08ecd871c03362930b Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 17:49:12 -0400
Subject: propellor spin
---
 joeyconfig.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'joeyconfig.hs')
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 01311c3f..f6a6926d 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -469,7 +469,7 @@ keysafe = host "keysafe.joeyh.name" $ props
 & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
 & Apt.installed ["etckeeper", "sudo"]
- & Apt.removed ["nfs-common", "exim4", "rsyslog", "acpid", "rpcbind"]
+ & Apt.removed ["nfs-common", "exim4", "exim4-base", "exim4-daemon-light", "rsyslog", "acpid", "rpcbind"]
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
-- cgit v1.3-2-g0d8e
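Review bot: The `Apt.removed` line in the 3962a495 hunk drops `rsyslog` on a jessie host, leaving only journald, whose storage is volatile by default unless `/var/log/journal` exists, so auth and sudo logs on a host named keysafe would not survive a reboot; nothing in the hunk makes journal storage persistent or ships logs elsewhere. Keep rsyslog, or pair the removal with a property that creates `/var/log/journal` and a comment such as `-- rsyslog removed: journald only, storage made persistent below`. The same applies to the `Apt.removed` lines in the 9eca0a9d hunk below and in the 32ff11ca patch at the end of the page. Dropping `rpcbind` and `nfs-common` is a sound attack-surface reduction. The `keysafe` definition starts outside this hunk.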
From 32ff11ca82b8a6369931e8fefdb6c37d58f3dd56 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Wed, 31 Aug 2016 18:46:49 -0400
Subject: updates
---
 doc/security.mdwn | 2 +-
 joeyconfig.hs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
(limited to 'joeyconfig.hs')
diff --git a/doc/security.mdwn b/doc/security.mdwn
index b106b533..d0a5bb6c 100644
--- a/doc/security.mdwn
+++ b/doc/security.mdwn
@@ -20,7 +20,7 @@ That is only done when privdata/keyring.gpg exists. To set it up:
 propellor --add-key $MYKEYID
 In order to be secure from the beginning, when `propellor --spin` is used
-to bootstrap propellor on a new host, it transfers the local git repositry
+to bootstrap propellor on a new host, it transfers the local git repository
 to the remote host over ssh. After that, the host knows the gpg key, and
 will use it to verify git fetches.
diff --git a/joeyconfig.hs b/joeyconfig.hs
index f6a6926d..fa37e97b 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -469,7 +469,7 @@ keysafe = host "keysafe.joeyh.name" $ props
 & Apt.serviceInstalledRunning "swapspace"
 & Cron.runPropellor (Cron.Times "30 * * * *")
 & Apt.installed ["etckeeper", "sudo"]
- & Apt.removed ["nfs-common", "exim4", "exim4-base", "exim4-daemon-light", "rsyslog", "acpid", "rpcbind"]
+ & Apt.removed ["nfs-common", "exim4", "exim4-base", "exim4-daemon-light", "rsyslog", "acpid", "rpcbind", "at"]
 & User.hasSomePassword (User "root")
 & User.accountFor (User "joey")
@@ -483,6 +483,7 @@ keysafe = host "keysafe.joeyh.name" $ props
 & Ssh.noPasswords
 & Tor.installed
+ -- keysafe installed manually until package is available
 iabak :: Host
 iabak = host "iabak.archiveteam.org" $ props
-- cgit v1.3-2-g0d8e
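Review bot: The `-- keysafe installed manually until package is available` comment records a gap the config cannot close: a hand-installed binary is outside `Apt.stdSourcesList `onChange` Apt.upgrade` and outside what `etckeeper` tracks, so it gets no updates and leaves no change history on the host. Extend the comment with provenance and a verification step, e.g. `-- keysafe installed manually from [SOURCE], signature checked against [SIGNING KEY]; replace with Apt.installed once packaged`, so the interim install is auditable and the eventual swap to a packaged install is obvious. The `keysafe` definition starts outside this hunk.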