From 74a02add291f13b27fb6a1813b870a0730e1142b Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 6 Feb 2016 20:04:00 -0400 Subject: Obnam: To cause old generations to be forgotten, keepParam can be passed to a backup property; this causes obnam forget to be run. --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/Propellor/Property/SiteSpecific') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 7e6d3f8c..03f2efcb 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -140,6 +140,7 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props [ "--repository=sftp://2318@usw-s002.rsync.net/~/olduse.net" , "--client-name=spool" , "--ssh-key=" ++ keyfile + , Obnam.keepParam [Obnam.KeepDays 30] ] Obnam.OnlyClient `requires` Ssh.userKeyAt (Just keyfile) (User "root") @@ -194,6 +195,7 @@ mumbleServer hosts = combineProperties hn $ props [ "--repository=sftp://2318@usw-s002.rsync.net/~/" ++ hn ++ ".obnam" , "--ssh-key=" ++ sshkey , "--client-name=mumble" + , Obnam.keepParam [Obnam.KeepDays 30] ] Obnam.OnlyClient `requires` Ssh.userKeyAt (Just sshkey) (User "root") @@ -213,6 +215,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" , "--ssh-key=" ++ sshkey , "--client-name=wren" -- historical + , Obnam.keepParam [Obnam.KeepDays 30] ] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1") `requires` Ssh.userKeyAt (Just sshkey) (User "root") -- cgit v1.3-2-g0d8e From c90282fc7bb77bcba19cdd4adfe96af3fb1162f8 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 7 Feb 2016 16:54:17 -0400 Subject: propellor spin --- src/Propellor/Property/Apache.hs | 35 ++++++++++++++++++++---- src/Propellor/Property/SiteSpecific/JoeySites.hs | 24 ++++++---------- 2 files changed, 38 insertions(+), 21 deletions(-) (limited to 'src/Propellor/Property/SiteSpecific') diff --git a/src/Propellor/Property/Apache.hs b/src/Propellor/Property/Apache.hs index 709c1753..5b8128a4 100644 --- a/src/Propellor/Property/Apache.hs +++ b/src/Propellor/Property/Apache.hs @@ -15,7 +15,9 @@ restarted = Service.restarted "apache2" reloaded :: Property NoInfo reloaded = Service.reloaded "apache2" -type ConfigFile = [String] +type ConfigLine = String + +type ConfigFile = [ConfigLine] siteEnabled :: Domain -> ConfigFile -> RevertableProperty NoInfo siteEnabled domain cf = siteEnabled' domain cf siteDisabled domain @@ -101,7 +103,7 @@ multiSSL = check (doesDirectoryExist "/etc/apache2/conf.d") $ -- -- Works with multiple versions of apache that have different ways to do -- it. -allowAll :: String +allowAll :: ConfigLine allowAll = unlines [ "" , "Order allow,deny" @@ -112,12 +114,27 @@ allowAll = unlines , "" ] +-- | Config file fragment that can be inserted into a +-- stanza to allow apache to display directory index icons. +iconDir :: ConfigLine +iconDir = unlines + [ "" + , "Options Indexes MultiViews" + , "AllowOverride None" + , allowAll + , " " + ] + type WebRoot = FilePath -- | A basic virtual host, publishing a directory, and logging to -- the combined apache log file. Not https capable. virtualHost :: Domain -> Port -> WebRoot -> RevertableProperty NoInfo -virtualHost domain (Port p) docroot = siteEnabled domain +virtualHost domain (Port p) docroot = virtualHost' domain (Port p) docroot [] + +-- | Like `virtualHost` but with additional config lines added. +virtualHost' :: Domain -> Port -> WebRoot -> [ConfigLine] -> RevertableProperty NoInfo +virtualHost' domain (Port p) docroot addedcfg = siteEnabled domain $ [ "" , "ServerName "++domain++":"++show p , "DocumentRoot " ++ docroot @@ -125,7 +142,9 @@ virtualHost domain (Port p) docroot = siteEnabled domain , "LogLevel warn" , "CustomLog /var/log/apache2/access.log combined" , "ServerSignature On" - , "" + ] + ++ addedcfg ++ + [ "" ] -- | A virtual host using https, with the certificate obtained @@ -138,7 +157,11 @@ virtualHost domain (Port p) docroot = siteEnabled domain -- > httpsVirtualHost "example.com" "/var/www" -- > (LetsEncrypt.AgreeTos (Just "me@my.domain")) httpsVirtualHost :: Domain -> WebRoot -> LetsEncrypt.AgreeTOS -> Property NoInfo -httpsVirtualHost domain docroot letos = setup +httpsVirtualHost domain docroot letos = httpsVirtualHost' domain docroot letos [] + +-- | Like `httpsVirtualHost` but with additional config lines added. +httpsVirtualHost' :: Domain -> WebRoot -> LetsEncrypt.AgreeTOS -> [ConfigLine] -> Property NoInfo +httpsVirtualHost' domain docroot letos addedcfg = setup `requires` modEnabled "rewrite" `requires` modEnabled "ssl" `before` LetsEncrypt.letsEncrypt letos domain docroot certinstaller @@ -176,6 +199,6 @@ httpsVirtualHost domain docroot letos = setup , "LogLevel warn" , "CustomLog /var/log/apache2/access.log combined" , "ServerSignature On" - ] ++ ls ++ + ] ++ ls ++ addedcfg ++ [ "" ] diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 03f2efcb..0bb98489 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -18,6 +18,7 @@ import qualified Propellor.Property.Apache as Apache import qualified Propellor.Property.Postfix as Postfix import qualified Propellor.Property.Systemd as Systemd import qualified Propellor.Property.Fail2Ban as Fail2Ban +import qualified Propellor.Property.LetsEncrypt as LetsEncrypt import Utility.FileMode import Data.List @@ -290,24 +291,21 @@ annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-ann , "git update-server-info" ] addremote (name, url) = "git remote add " ++ shellEscape name ++ " " ++ shellEscape url - setupapache = apacheSite hn True + setupapache = Apache.httpsVirtualHost' hn dir letos [ " ServerAlias www."++hn - , "" - , " DocumentRoot /srv/web/"++hn - , " " - , " Options FollowSymLinks" - , " AllowOverride None" - , Apache.allowAll - , " " - , " " + , Apache.iconDir + , " " , " Options Indexes FollowSymLinks ExecCGI" , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.html index.cgi" - , Apache.allowAll + , Apache.allowAll , " " ] +letos :: LetsEncrypt.AgreeTOS +letos = LetsEncrypt.AgreeTOS (Just "id@joeyh.name") + apacheSite :: HostName -> Bool -> Apache.ConfigFile -> RevertableProperty NoInfo apacheSite hn withssl middle = Apache.siteEnabled hn $ apachecfg hn withssl middle @@ -329,11 +327,7 @@ apachecfg hn withssl middle , " CustomLog /var/log/apache2/access.log combined" , " ServerSignature On" , " " - , " " - , " Options Indexes MultiViews" - , " AllowOverride None" - , Apache.allowAll - , " " + , Apache.iconDir , "" ] where -- cgit v1.3-2-g0d8e From 12ff3991270b1aeb9a3822ebbcbee9037cc7f401 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 7 Feb 2016 17:08:06 -0400 Subject: temporarily revert using letsencrypt It's currently not letting me make a cert for kitenet.net as I made too many during testing. --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) (limited to 'src/Propellor/Property/SiteSpecific') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 0bb98489..03f2efcb 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -18,7 +18,6 @@ import qualified Propellor.Property.Apache as Apache import qualified Propellor.Property.Postfix as Postfix import qualified Propellor.Property.Systemd as Systemd import qualified Propellor.Property.Fail2Ban as Fail2Ban -import qualified Propellor.Property.LetsEncrypt as LetsEncrypt import Utility.FileMode import Data.List @@ -291,21 +290,24 @@ annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-ann , "git update-server-info" ] addremote (name, url) = "git remote add " ++ shellEscape name ++ " " ++ shellEscape url - setupapache = Apache.httpsVirtualHost' hn dir letos + setupapache = apacheSite hn True [ " ServerAlias www."++hn - , Apache.iconDir - , " " + , "" + , " DocumentRoot /srv/web/"++hn + , " " + , " Options FollowSymLinks" + , " AllowOverride None" + , Apache.allowAll + , " " + , " " , " Options Indexes FollowSymLinks ExecCGI" , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.html index.cgi" - , Apache.allowAll + , Apache.allowAll , " " ] -letos :: LetsEncrypt.AgreeTOS -letos = LetsEncrypt.AgreeTOS (Just "id@joeyh.name") - apacheSite :: HostName -> Bool -> Apache.ConfigFile -> RevertableProperty NoInfo apacheSite hn withssl middle = Apache.siteEnabled hn $ apachecfg hn withssl middle @@ -327,7 +329,11 @@ apachecfg hn withssl middle , " CustomLog /var/log/apache2/access.log combined" , " ServerSignature On" , " " - , Apache.iconDir + , " " + , " Options Indexes MultiViews" + , " AllowOverride None" + , Apache.allowAll + , " " , "" ] where -- cgit v1.3-2-g0d8e