From d7697a4b256e1c154aec875d1f4aea84a19a20d8 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 29 Jan 2015 01:04:59 -0400 Subject: propellor spin --- src/Propellor/Property/File.hs | 2 +- src/Propellor/Property/Tor.hs | 46 +++++++++++++++++++++++++++++++++++++++--- 2 files changed, 44 insertions(+), 4 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/File.hs b/src/Propellor/Property/File.hs index 7167d61e..12d9202f 100644 --- a/src/Propellor/Property/File.hs +++ b/src/Propellor/Property/File.hs @@ -21,7 +21,7 @@ hasPrivContent :: IsContext c => FilePath -> c -> Property HasInfo hasPrivContent f = hasPrivContentFrom (PrivDataSourceFile (PrivFile f) f) f -- | Like hasPrivContent, but allows specifying a source --- for PrivData, rather than using PrivDataSourceFile. +-- for PrivData, rather than using PrivDataSourceFile . hasPrivContentFrom :: (IsContext c, IsPrivDataSource s) => s -> FilePath -> c -> Property HasInfo hasPrivContentFrom = hasPrivContent' writeFileProtected diff --git a/src/Propellor/Property/Tor.hs b/src/Propellor/Property/Tor.hs index 9a0fe477..d6cd81fd 100644 --- a/src/Propellor/Property/Tor.hs +++ b/src/Propellor/Property/Tor.hs 
@@ -7,19 +7,48 @@ import qualified Propellor.Property.Service as Service import Utility.FileMode import System.Posix.Files +import Data.Char type HiddenServiceName = String +type BridgeName = String + +-- | Sets up a tor bridge relay. (Not an exit node.) isBridge :: Property NoInfo -isBridge = setup `requires` Apt.installed ["tor"] +isBridge = isBridge' [] + +isBridge' :: [String] -> Property NoInfo +isBridge' extraconfig = setup + `requires` Apt.installed ["tor", "ntp"] `describe` "tor bridge" where - setup = mainConfig `File.hasContent` + setup = mainConfig `File.hasContent` config + `onChange` restarted + config = [ "SocksPort 0" , "ORPort 443" , "BridgeRelay 1" , "Exitpolicy reject *:*" - ] `onChange` restarted + ] ++ extraconfig + +-- | Sets up a tor bridge relay with a known name and private key. +-- +-- This can be moved to a different IP without needing to wait to +-- accumulate trust. +-- +-- The isBridge property can be used to start +-- and then upgraded to this one later. +isNamedBridge :: BridgeName -> Property HasInfo +isNamedBridge bn = isBridge' ["Nickname " ++ saneNickname bn] + `requires` torPrivKey (Context ("tor bridge " ++ bn)) + +torPrivKey :: Context -> Property HasInfo +torPrivKey context = f `File.hasPrivContent` context + `onChange` File.ownerGroup f user user + -- install tor first, so the directory exists with right perms + `requires` Apt.installed ["tor"] + where + f = "/var/lib/tor/keys/secret_id_key" hiddenServiceAvailable :: HiddenServiceName -> Int -> Property NoInfo hiddenServiceAvailable hn port = hiddenServiceHostName prop @@ -80,3 +109,14 @@ varRun = "/var/run/tor" user :: UserName user = "debian-tor" + +type NickName = String + +-- | Convert String to a valid tor NickName. +saneNickname :: String -> NickName +saneNickname s + | null n = "unnamed" + | otherwise = n + where + legal c = isNumber c || isAsciiUpper c || isAsciiLower c + n = take 19 $ filter legal s -- cgit v1.3-2-g0d8e 
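Review bot: In `torPrivKey` the ownership fix `File.ownerGroup f user user` hangs off `onChange`, so it only runs on the pass that actually writes `/var/lib/tor/keys/secret_id_key`; a host where the file already has the right content but the wrong owner (say, restored by hand as root) is never repaired, and tor presumably will not load a key it cannot read. Making the ownership an unconditional step that follows the content write avoids that, e.g. `torPrivKey context = File.ownerGroup f user user` / `` `requires` (f `File.hasPrivContent` context) `` / `` `requires` Apt.installed ["tor"] `` (dependencies run right to left, so tor is installed, the key is written, then ownership is enforced). Note also that nothing restarts tor when the key file changes, unlike the config change in `isBridge'`; a comment stating whether that is deliberate would help the next reader.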
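Review bot: `saneNickname`'s `legal` predicate uses `isNumber`, which accepts any Unicode numeric character (superscript digits, Arabic-Indic digits, Roman-numeral letters), not just `0`–`9`; tor only allows ASCII alphanumerics in `Nickname`, so a name containing such a character survives the filter and tor then rejects the generated torrc, which defeats the "sane" guarantee. The ASCII-only predicate is `legal c = isDigit c || isAsciiUpper c || isAsciiLower c` (`Data.Char.isDigit` is ASCII-only). A one-line doc comment stating the rule being enforced would also help: `-- Tor nicknames are 1-19 ASCII alphanumerics; other characters are dropped.`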
From 3585f14d4e551f58bd6150d5e5b29435be929837 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 29 Jan 2015 01:37:53 -0400 Subject: propellor spin --- config-joey.hs | 2 +- src/Propellor/Property/Tor.hs | 58 ++++++++++++++++++++++++++++++++----------- 2 files changed, 45 insertions(+), 15 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index e09da527..a3d434e5 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -86,7 +86,7 @@ clam = standardSystem "clam.kitenet.net" Unstable "amd64" & Ssh.randomHostKeys & Apt.unattendedUpgrades & Network.ipv6to4 - & Tor.isNamedBridge "kite1" + & Tor.named "kite1" Tor.isRelay' & Postfix.satellite & Docker.configured diff --git a/src/Propellor/Property/Tor.hs b/src/Propellor/Property/Tor.hs index d6cd81fd..8176e643 100644 --- a/src/Propellor/Property/Tor.hs +++ b/src/Propellor/Property/Tor.hs 
@@ -11,36 +11,66 @@ import Data.Char type HiddenServiceName = String -type BridgeName = String +type NodeName = String --- | Sets up a tor bridge relay. (Not an exit node.) +-- | Sets up a tor bridge. (Not a relay or exit node.) +-- +-- Uses port 443 isBridge :: Property NoInfo isBridge = isBridge' [] isBridge' :: [String] -> Property NoInfo -isBridge' extraconfig = setup - `requires` Apt.installed ["tor", "ntp"] +isBridge' extraconfig = server config `describe` "tor bridge" where - setup = mainConfig `File.hasContent` config - `onChange` restarted config = - [ "SocksPort 0" + [ "BridgeRelay 1" + , "Exitpolicy reject *:*" , "ORPort 443" - , "BridgeRelay 1" + ] ++ extraconfig + +-- | Sets up a tor relay. +-- +-- Uses port 443 +isRelay :: Property NoInfo +isRelay = isRelay' [] + +isRelay' :: [String] -> Property NoInfo +isRelay' extraconfig = server config + `describe` "tor relay" + where + config = + [ "BridgeRelay 0" , "Exitpolicy reject *:*" + , "ORPort 443" ] ++ extraconfig --- | Sets up a tor bridge relay with a known name and private key. +-- | Converts a property like isBridge' or isRelay' to be a named +-- node, with a known private key. -- -- This can be moved to a different IP without needing to wait to -- accumulate trust. -- --- The isBridge property can be used to start --- and then upgraded to this one later. -isNamedBridge :: BridgeName -> Property HasInfo -isNamedBridge bn = isBridge' ["Nickname " ++ saneNickname bn] - `requires` torPrivKey (Context ("tor bridge " ++ bn)) +-- The base property can be used to start out and then upgraded to +-- a named property later. +named :: NodeName -> ([String] -> Property NoInfo) -> Property HasInfo +named n basep = p `describe` (getDesc p ++ " " ++ n) + where + p = basep ["Nickname " ++ saneNickname n] + `requires` torPrivKey (Context ("tor " ++ n)) + +-- | A tor server (bridge, relay, or exit) +-- Don't use if you just want to run tor for personal use. 
+server :: [String] -> Property NoInfo +server extraconfig = setup + `requires` Apt.installed ["tor", "ntp"] + `describe` "tor server" + where + setup = mainConfig `File.hasContent` config + `onChange` restarted + config = + [ "SocksPort 0" + ] ++ extraconfig torPrivKey :: Context -> Property HasInfo torPrivKey context = f `File.hasPrivContent` context -- cgit v1.3-2-g0d8e From 1b7a00372b7beecb76b295af7d1ec2ead723ba9e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 13:14:45 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 34a5f02f..a63dac4e 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -514,8 +514,13 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props , "# Filter out client relay lines from headers." , "header_checks = pcre:$config_directory/obscure_client_relay.pcre" + , "# Password auth for relaying" + , "smtpd_sasl_auth_enable = yes" + , "smtpd_sasl_security_options = noanonymous" + , "smtpd_sasl_local_domain = kitenet.net" + , "# Enable postgrey." - , "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023" + , "smtpd_recipient_restrictions = permit_tls_clientcerts,permit_sasl_authenticated,,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023" , "# Enable spamass-milter, amavis-milter, opendkim" , "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock inet:localhost:8891" -- cgit v1.3-2-g0d8e From f276466cf280b9ce91bbfefce35d2a27ebc87843 Mon Sep 17 00:00:00 2001 
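Review bot: In `named`, the private key is looked up under `Context ("tor " ++ n)` built from the raw node name, while the `Nickname` written to torrc is `saneNickname n`; two names that differ only in characters the sanitizer strips (or past its 19-character cut) therefore get distinct identity keys but the same advertised nickname, and any rename of a node silently provisions a fresh key rather than moving the existing identity, which is the opposite of what the haddock promises. At minimum this deserves a sentence in `named`'s documentation, e.g. `-- The private key is stored in privdata under the unsanitized name; changing the name means a new identity.` Deriving the context from the sanitized nickname would remove the mismatch, at the cost of re-keying any existing privdata. The haddock on `server` ("bridge, relay, or exit") could also say that both shipped configs set `Exitpolicy reject *:*`, so an exit requires the caller to override it via `extraconfig`.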
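Review bot: Enabling `smtpd_sasl_auth_enable = yes` with only `smtpd_sasl_security_options = noanonymous` still lets Postfix offer plaintext SASL mechanisms on unencrypted sessions, so a client can send its password in the clear on port 25; since this server already relies on TLS (`permit_tls_clientcerts`), add `smtpd_tls_auth_only = yes` next to these lines so AUTH is only announced and accepted inside TLS. The same concern applies to the `mech_list: PLAIN LOGIN` written by `saslAuthdInstalled` in Postfix.hs two commits later, which is what makes those plaintext mechanisms available. Separately, the new `smtpd_recipient_restrictions` value contains a doubled comma in `permit_sasl_authenticated,,permit_mynetworks`; Postfix most likely ignores the empty element, but it reads as a typo and should be `permit_sasl_authenticated,permit_mynetworks`.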
From: Joey Hess Date: Sun, 1 Feb 2015 13:36:58 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index a63dac4e..7b6a61e4 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -516,6 +516,8 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props , "# Password auth for relaying" , "smtpd_sasl_auth_enable = yes" + , "smtpd_sasl_type = dovecot" + , "smtpd_sasl_path = private/auth" , "smtpd_sasl_security_options = noanonymous" , "smtpd_sasl_local_domain = kitenet.net" -- cgit v1.3-2-g0d8e From bcdc5754fce030fd9a7b213d46ffd27b502f398a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 14:48:13 -0400 Subject: propellor spin --- src/Propellor/Property/Postfix.hs | 32 ++++++++++++++++++++++-- src/Propellor/Property/SiteSpecific/JoeySites.hs | 4 ++- 2 files changed, 33 insertions(+), 3 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs index fbb1ea51..f37e179e 100644 --- a/src/Propellor/Property/Postfix.hs +++ b/src/Propellor/Property/Postfix.hs @@ -4,8 +4,9 @@ module Propellor.Property.Postfix where import Propellor import qualified Propellor.Property.Apt as Apt -import Propellor.Property.File +import qualified Propellor.Property.File as File import qualified Propellor.Property.Service as Service +import qualified Propellor.Property.User as User import qualified Data.Map as M import Data.List 
@@ -103,7 +104,7 @@ mainCfIsSet name = do -- Note that multiline configurations that continue onto the next line -- are not currently supported. dedupMainCf :: Property NoInfo -dedupMainCf = fileProperty "postfix main.cf dedupped" dedupCf mainCfFile +dedupMainCf = File.fileProperty "postfix main.cf dedupped" dedupCf mainCfFile dedupCf :: [String] -> [String] dedupCf ls = @@ -125,3 +126,30 @@ dedupCf ls = dedup c kc ((Right (k, v)):rest) = case M.lookup k kc of Just n | n > 1 -> dedup c (M.insert k (n - 1) kc) rest _ -> dedup (fmt k v:c) kc rest + +-- | Installs saslauthd and configures it for postfix. +-- +-- Does not configure postfix to use it; eg smtpd_sasl_auth_enable = yes +-- needs to be set to enable use. See +-- https://wiki.debian.org/PostfixAndSASL +saslAuthdInstalled :: Property NoInfo +saslAuthdInstalled = setupdaemon + `requires` Service.running "saslauthd" + `requires` postfixgroup + `requires` dirperm + `requires` Apt.installed ["sasl2-bin"] + `requires` smtpdconf + where + setupdaemon = "/etc/default/saslauthd" `File.containsLines` + [ "START=yes" + , "OPTIONS=\"-c -m /var/spool/postfix/var/run/saslauthd\"" + ] + `onChange` Service.restarted "saslauthd" + smtpdconf = "/etc/postfix/sasl/smtpd.conf" `File.containsLines` + [ "pwcheck_method: saslauthd" + , "mech_list: PLAIN LOGIN" + ] + dirperm = cmdProperty "dpkg-statoverride" + [ "--add", "root", "sasl", "710", "/var/spool/postfix/var/run/saslauthd"] + postfixgroup = "postfix" `User.hasGroup` "sasl" + `onChange` restarted diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 7b6a61e4..0d4687e7 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
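Review bot: `setupdaemon` starts saslauthd with `-c`, which turns on saslauthd's credential cache, and neither the haddock on `saslAuthdInstalled` nor the code says so; operationally it means a password change or account lock in the backing store keeps working for already-cached logins until the cache entry times out, which matters for an authenticator reachable from the internet. Suggest a why-comment on the `OPTIONS` line, `-- -c enables saslauthd's credential cache; revoked passwords stay valid until the cached entry expires`, and a sentence in the haddock so callers can decide whether to drop `-c`. Note too that with the `requires` chain as written `Service.running "saslauthd"` is attempted before `setupdaemon` sets `START=yes`; it converges only because the `onChange` restart fires afterwards, which is worth a comment since it looks accidental.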
@@ -450,6 +450,8 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props & dkimInstalled + & Postfix.saslAuthdInstalled + & Apt.installed ["maildrop"] & "/etc/maildroprc" `File.hasContent` [ "# Global maildrop filter file (deployed with propellor)" @@ -514,7 +516,7 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props , "# Filter out client relay lines from headers." , "header_checks = pcre:$config_directory/obscure_client_relay.pcre" - , "# Password auth for relaying" + , "# Password auth for relaying (used by errol)" , "smtpd_sasl_auth_enable = yes" , "smtpd_sasl_type = dovecot" , "smtpd_sasl_path = private/auth" -- cgit v1.3-2-g0d8e From 3c7c40dd67a48a81d19e24df8d2ca148ae553bd1 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 14:50:54 -0400 Subject: propellor spin --- src/Propellor/Property/Postfix.hs | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs index f37e179e..1e1a3a23 100644 --- a/src/Propellor/Property/Postfix.hs +++ b/src/Propellor/Property/Postfix.hs @@ -142,14 +142,16 @@ saslAuthdInstalled = setupdaemon where setupdaemon = "/etc/default/saslauthd" `File.containsLines` [ "START=yes" - , "OPTIONS=\"-c -m /var/spool/postfix/var/run/saslauthd\"" + , "OPTIONS=\"-c -m " ++ dir ++ "\"" ] `onChange` Service.restarted "saslauthd" smtpdconf = "/etc/postfix/sasl/smtpd.conf" `File.containsLines` [ "pwcheck_method: saslauthd" , "mech_list: PLAIN LOGIN" ] - dirperm = cmdProperty "dpkg-statoverride" - [ "--add", "root", "sasl", "710", "/var/spool/postfix/var/run/saslauthd"] + dirperm = check (not <$> doesDirectoryExist dir) $ + cmdProperty "dpkg-statoverride" + [ "--add", "root", "sasl", "710", dir ] postfixgroup = "postfix" `User.hasGroup` "sasl" `onChange` restarted + dir = "/var/spool/postfix/var/run/saslauthd" -- cgit v1.3-2-g0d8e 
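Review bot: The new guard on `dirperm`, `check (not <$> doesDirectoryExist dir)`, tests a proxy for the condition that actually makes `dpkg-statoverride --add` fail, namely an override already being registered for `dir`. If an earlier run registered the override but the daemon has not yet created the directory (for instance because it was not started), the next run calls `--add` again and the property errors out; conversely, if the directory exists without an override, the `710 root:sasl` mode is never enforced. Checking the override table directly is more robust: gate on the result of `dpkg-statoverride --list dir` (its exit status is nonzero when nothing matches, as far as I recall), e.g. `dirperm = check (not <$> hasOverride) $ cmdProperty "dpkg-statoverride" [ "--add", "root", "sasl", "710", dir ]` with `hasOverride` a small `IO Bool` wrapper around that command.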
From 0ea97943246f44a3a2b32c6bc67a1f40b97103b7 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 15:08:30 -0400 Subject: propellor spin --- src/Propellor/Property/Postfix.hs | 3 ++- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs index 1e1a3a23..0abd783e 100644 --- a/src/Propellor/Property/Postfix.hs +++ b/src/Propellor/Property/Postfix.hs @@ -127,7 +127,8 @@ dedupCf ls = Just n | n > 1 -> dedup c (M.insert k (n - 1) kc) rest _ -> dedup (fmt k v:c) kc rest --- | Installs saslauthd and configures it for postfix. +-- | Installs saslauthd and configures it for postfix, authenticating +-- against PAM. -- -- Does not configure postfix to use it; eg smtpd_sasl_auth_enable = yes -- needs to be set to enable use. See diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 0d4687e7..a3413d67 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -518,8 +518,6 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props , "# Password auth for relaying (used by errol)" , "smtpd_sasl_auth_enable = yes" - , "smtpd_sasl_type = dovecot" - , "smtpd_sasl_path = private/auth" , "smtpd_sasl_security_options = noanonymous" , "smtpd_sasl_local_domain = kitenet.net" -- cgit v1.3-2-g0d8e From db7a9aa9f6f6300f487f25f758758af11bd481bf Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 16:19:37 -0400 Subject: propellor spin --- config-joey.hs | 13 ++++++++----- src/Propellor/Property/Ssh.hs | 2 +- 2 files changed, 9 insertions(+), 6 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index a3d434e5..aa583e8d 100644 --- a/config-joey.hs +++ b/config-joey.hs 
@@ -47,6 +47,7 @@ hosts = -- (o) ` , kite , diatom , elephant + , beaver ] ++ monsters testvm :: Host @@ -328,6 +329,13 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" -- block 22. & Ssh.listenPort 80 +beaver :: Host +beaver = host "beaver.kitenet.net" + & ipv6 "2001:4830:1600:195::2" + & Apt.installed ["ssh"] + & Ssh.pubKey SshDsa "ssh-dss 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" + & alias "backup.kitenet.net" + & alias "usbackup.kitenet.net" --' __|II| ,. ---- __|II|II|__ ( \_,/\ @@ -474,13 +482,8 @@ monsters = -- but do want to track their public keys etc. , host "turtle.kitenet.net" & ipv4 "67.223.19.96" & ipv6 "2001:4978:f:2d9::2" - & alias "backup.kitenet.net" - & alias "usbackup.kitenet.net" - & Ssh.pubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAokMXQiX/NZjA1UbhMdgAscnS5dsmy+Q7bWrQ6tsTZ/o+6N/T5cbjoBHOdpypXJI3y/PiJTDJaQtXIhLa8gFg/EvxMnMz/KG9skADW1361JmfCc4BxicQIO2IOOe6eilPr+YsnOwiHwL0vpUnuty39cppuMWVD25GzxXlS6KQsLCvXLzxLLuNnGC43UAM0q4UwQxDtAZEK1dH2o3HMWhgMP2qEQupc24dbhpO3ecxh2C9678a3oGDuDuNf7mLp3s7ptj5qF3onitpJ82U5o7VajaHoygMaSRFeWxP2c13eM57j3bLdLwxVXFhePcKXARu1iuFTLS5uUf3hN6MkQcOGw==" , host "mouse.kitenet.net" & ipv6 "2001:4830:1600:492::2" - , host "beaver.kitenet.net" - & ipv6 "2001:4830:1600:195::2" , host "branchable.com" & ipv4 "66.228.46.55" & ipv6 "2600:3c03::f03c:91ff:fedf:c0e5" diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 9290ea1e..6bbf2b15 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -178,7 +178,7 @@ fromKeyType SshDsa = "dsa" fromKeyType SshEcdsa = "ecdsa" fromKeyType SshEd25519 = "ed25519" --- | Puts some host's ssh public key(s), as set using 'pubKey', +-- | Puts some host's ssh public key(s), as set using 'pubKey' or 'hostKey' -- into the known_hosts file for a user. knownHost :: [Host] -> HostName -> UserName -> Property NoInfo knownHost hosts hn user = property desc $ -- cgit v1.3-2-g0d8e 
From 8ff2b77385b0be1c884ef0f1d88de92f4e8f97fb Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 16:40:03 -0400 Subject: propellor spin --- config-joey.hs | 2 +- src/Propellor/Property/SiteSpecific/JoeySites.hs | 16 ++++++++-------- 2 files changed, 9 insertions(+), 9 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index aa583e8d..18fbb870 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -295,7 +295,6 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" & JoeySites.obnamRepos ["wren", "pell", "kite"] & JoeySites.githubBackup & JoeySites.rsyncNetBackup hosts - & JoeySites.backupsBackedupTo hosts "usbackup.kitenet.net" "lib/backup/eubackup" & alias "podcatcher.kitenet.net" & JoeySites.podcatcher @@ -336,6 +335,7 @@ beaver = host "beaver.kitenet.net" & Ssh.pubKey SshDsa "ssh-dss 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" & alias "backup.kitenet.net" & alias "usbackup.kitenet.net" + & JoeySites.backupsBackedupFrom hosts "eubackup.kitenet.net" "lib/backup" --' __|II| ,. ---- __|II|II|__ ( \_,/\ diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index a3413d67..35419576 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -114,11 +114,11 @@ mumbleServer hosts = combineProperties hn $ props & Apt.serviceInstalledRunning "mumble-server" & Obnam.latestVersion & Obnam.backup "/var/lib/mumble-server" "55 5 * * *" - [ "--repository=sftp://joey@usbackup.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam" + [ "--repository=sftp://2318@usw-s002.rsync.net/~/" ++ hn ++ ".obnam" , "--client-name=mumble" ] Obnam.OnlyClient `requires` Ssh.keyImported SshRsa "root" (Context hn) - `requires` Ssh.knownHost hosts "usbackup.kitenet.net" "root" + `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" & trivial (cmdProperty "chown" ["-R", "mumble-server:mumble-server", "/var/lib/mumble-server"]) where hn = "mumble.debian.net" @@ -389,13 +389,13 @@ rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" "30 5 * * *" "joey" "/home/joey/lib/backup" "mkdir -p rsync.net && rsync --delete -az 2318@usw-s002.rsync.net: rsync.net" `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "joey" -backupsBackedupTo :: [Host] -> HostName -> FilePath -> Property NoInfo -backupsBackedupTo hosts desthost destdir = Cron.niceJob desc - "1 1 * * 3" "joey" "/" cmd - `requires` Ssh.knownHost hosts desthost "joey" +backupsBackedupFrom :: [Host] -> HostName -> FilePath -> Property NoInfo +backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc + "@reboot" "joey" "/" cmd + `requires` Ssh.knownHost hosts srchost "joey" where - desc = "backups copied to " ++ desthost ++ " weekly" - cmd = "rsync -az --delete /home/joey/lib/backup " ++ desthost ++ ":" ++ destdir + desc = "backups copied from " ++ srchost ++ " on boot" + cmd = "rsync -az --delete " ++ srchost ++ ":lib/backup " ++ destdir srchost obnamRepos :: [String] -> Property NoInfo obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) -- cgit v1.3-2-g0d8e From b3bdb95ed033c4ee3560ab0c23c805d3bd58f239 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Sun, 1 Feb 2015 16:51:55 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 35419576..5867d01d 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -395,7 +395,7 @@ backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc `requires` Ssh.knownHost hosts srchost "joey" where desc = "backups copied from " ++ srchost ++ " on boot" - cmd = "rsync -az --delete " ++ srchost ++ ":lib/backup " ++ destdir srchost + cmd = "rsync -az --partial --delete " ++ srchost ++ ":lib/backup " ++ destdir srchost obnamRepos :: [String] -> Property NoInfo obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) -- cgit v1.3-2-g0d8e From 2e2e30fc390d59803792571e53c0edbc23fa6e80 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 16:58:32 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 5867d01d..976a72e3 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -395,7 +395,7 @@ backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc `requires` Ssh.knownHost hosts srchost "joey" where desc = "backups copied from " ++ srchost ++ " on boot" - cmd = "rsync -az --partial --delete " ++ srchost ++ ":lib/backup " ++ destdir srchost + cmd = "rsync -az --partial --delete " ++ srchost ++ ":lib/backup/ " ++ destdir srchost obnamRepos :: [String] -> Property NoInfo obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) -- cgit v1.3-2-g0d8e 
From 30c8621f5c0c4833652ae04510f98706166efd7c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 17:01:32 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 976a72e3..9f960aba 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -395,7 +395,7 @@ backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc `requires` Ssh.knownHost hosts srchost "joey" where desc = "backups copied from " ++ srchost ++ " on boot" - cmd = "rsync -az --partial --delete " ++ srchost ++ ":lib/backup/ " ++ destdir srchost + cmd = "rsync -az --bwlimit=300K --partial --delete " ++ srchost ++ ":lib/backup/ " ++ destdir srchost obnamRepos :: [String] -> Property NoInfo obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) -- cgit v1.3-2-g0d8e From 8edc7ed3ae1062af745fbe21b0753df6ad83fe6a Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 17:34:04 -0400 Subject: propellor spin --- config-joey.hs | 14 +++++---- debian/changelog | 4 ++- propellor.cabal | 2 +- src/Propellor/Property/Cron.hs | 35 ++++++++++++++++------ src/Propellor/Property/Obnam.hs | 6 ++-- .../Property/SiteSpecific/GitAnnexBuilder.hs | 10 +++---- src/Propellor/Property/SiteSpecific/JoeySites.hs | 26 ++++++++-------- 7 files changed, 60 insertions(+), 37 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 5862b5b4..4b8ec46c 100644 --- a/config-joey.hs +++ b/config-joey.hs 
@@ -119,8 +119,8 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64" & Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "amd64" 15 "2h") & Docker.docked (GitAnnexBuilder.standardAutoBuilderContainer dockerImage "i386" 45 "2h") & Docker.docked (GitAnnexBuilder.armelCompanionContainer dockerImage) - & Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage "1 3 * * *" "5h") - & Docker.docked (GitAnnexBuilder.androidAutoBuilderContainer dockerImage "1 1 * * *" "3h") + & Docker.docked (GitAnnexBuilder.armelAutoBuilderContainer dockerImage (Cron.Times "1 3 * * *") "5h") + & Docker.docked (GitAnnexBuilder.androidAutoBuilderContainer dockerImage (Cron.Times "1 1 * * *") "3h") & Docker.garbageCollected `period` Daily & Apt.buildDep ["git-annex"] `period` Daily @@ -151,7 +151,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & Ssh.passwordAuthentication True -- Since ssh password authentication is allowed: & Apt.serviceInstalledRunning "fail2ban" - & Obnam.backupEncrypted "/" "33 1 * * *" + & Obnam.backupEncrypted "/" (Cron.Times "33 1 * * *") [ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam" , "--client-name=kitenet.net" , "--exclude=/var/cache" @@ -331,11 +331,15 @@ elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" beaver :: Host beaver = host "beaver.kitenet.net" & ipv6 "2001:4830:1600:195::2" + & Apt.serviceInstalledRunning "aiccu" & Apt.installed ["ssh"] & Ssh.pubKey SshDsa "ssh-dss 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" - & alias "backup.kitenet.net" & alias "usbackup.kitenet.net" & JoeySites.backupsBackedupFrom hosts "eubackup.kitenet.net" "/home/joey/lib/backup" + & Apt.serviceInstalledRunning "anacron" + & Cron.niceJob "system disk backed up" Cron.Weekly "root" "/" + "rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/" + --' __|II| ,. ---- __|II|II|__ ( \_,/\ 
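Review bot: The new weekly job `rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/` has its destination inside its own source tree; unless `/home` is a separate filesystem that `-x` stops at, each run includes the previous copy under `home/joey/lib/backup/beaver.kitenet.net/` in the transfer and nests it one level deeper every week. Adding `--exclude=/home/joey/lib/backup` (or whatever the backup root is) makes the job safe regardless of the mount layout, and a short comment stating the assumption would help either way. The same directory is also the parent of the `backupsBackedupFrom` destination, so the two jobs should agree on who owns what under it.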
@@ -419,7 +423,7 @@ standardSystemUnhardened hn suite arch motd = host hn & Sudo.enabledFor "joey" & GitHome.installedFor "joey" & Apt.installed ["vim", "screen", "less"] - & Cron.runPropellor "30 * * * *" + & Cron.runPropellor (Cron.Times "30 * * * *") -- I use postfix, or no MTA. & Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"] `onChange` Apt.autoRemove diff --git a/debian/changelog b/debian/changelog index 9aef3d03..0076087c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,9 @@ -propellor (2.0.1) UNRELEASED; urgency=medium +propellor (2.1.0) UNRELEASED; urgency=medium * Additional tor properties, including support for making relays, and naming bridges, relays, etc. + * New Cron.Times data type, which allows Cron.job to install + * daily/monthly/weekly jobs that anacron can run. (API change) -- Joey Hess Thu, 29 Jan 2015 01:41:07 -0400 diff --git a/propellor.cabal b/propellor.cabal index 6f4dba2f..41520baa 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -1,5 +1,5 @@ Name: propellor -Version: 2.0.0 +Version: 2.1.0 Cabal-Version: >= 1.6 License: BSD3 Maintainer: Joey Hess diff --git a/src/Propellor/Property/Cron.hs b/src/Propellor/Property/Cron.hs index 15cdd983..e75f5ee3 100644 --- a/src/Propellor/Property/Cron.hs +++ b/src/Propellor/Property/Cron.hs 
@@ -8,18 +8,26 @@ import Utility.FileMode import Data.Char -type CronTimes = String +-- | When to run a cron job. +-- +-- The Daily, Monthly, and Weekly options allow the cron job to be run +-- by anacron, which is useful for non-servers. +data Times + = Times String -- ^ formatted as in crontab(5) + | Daily + | Weekly + | Monthly --- | Installs a cron job, run as a specified user, in a particular --- directory. Note that the Desc must be unique, as it is used for the --- cron.d/ filename. +-- | Installs a cron job, that will run as a specified user in a particular +-- directory. Note that the Desc must be unique, as it is used for the +-- cron job filename. -- -- Only one instance of the cron job is allowed to run at a time, no matter -- how long it runs. This is accomplished using flock locking of the cron -- job file. -- -- The cron job's output will only be emailed if it exits nonzero. -job :: Desc -> CronTimes -> UserName -> FilePath -> String -> Property NoInfo +job :: Desc -> Times -> UserName -> FilePath -> String -> Property NoInfo job desc times user cddir command = combineProperties ("cronned " ++ desc) [ cronjobfile `File.hasContent` [ "# Generated by propellor" @@ -27,7 +35,11 @@ job desc times user cddir command = combineProperties ("cronned " ++ desc) , "SHELL=/bin/sh" , "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" , "" - , times ++ "\t" ++ user ++ "\tchronic " ++ shellEscape scriptfile + , case times of + Times t -> t ++ "\t" ++ user ++ "\tchronic " ++ shellEscape scriptfile + _ -> case user of + "root" -> "chronic " ++ shellEscape scriptfile + _ -> "chronic su " ++ user ++ " -c " ++ shellEscape scriptfile ] -- Use a separate script because it makes the cron job name -- prettier in emails, and also allows running the job manually. 
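Review bot: For the `Daily`/`Weekly`/`Monthly` cases the generated file is placed under `/etc/cron.daily` and friends (next hunk, `cronjobdir`), where run-parts executes it as a program, yet the content still begins with `# Generated by propellor` followed by the crontab-style `SHELL=`/`PATH=` lines rather than a `#!/bin/sh` line, and nothing in these hunks sets the execute bit; unless `File.hasContent` or code outside the hunk does so, run-parts skips or fails to exec the file and the anacron variants never run. The non-`Times` branch should emit a script header and the property should set an executable mode for those cases; the fence below sketches this using `File.mode` and the mode helpers from the already-imported `Utility.FileMode`. Separately, the `su` line interpolates `user` unescaped while `scriptfile` goes through `shellEscape`; `shellEscape user` keeps the two consistent. The body of `job` continues past this hunk.
```haskell
job desc times user cddir command = combineProperties ("cronned " ++ desc)
	[ cronjobfile `File.hasContent` (header ++ [ cronline ])
	, case times of
		Times _ -> doNothing
		-- run-parts only executes files with the execute bit set
		_ -> cronjobfile `File.mode` combineModes (readModes ++ executeModes)
	-- … unchanged: script file, locking wrapper, requires …
	]
	where
	header = case times of
		Times _ ->
			[ "# Generated by propellor"
			, "SHELL=/bin/sh"
			, "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
			, ""
			]
		-- executed directly by run-parts, so it has to be a script
		_ -> [ "#!/bin/sh", "# Generated by propellor", "" ]
	cronline = case times of
		Times t -> t ++ "\t" ++ user ++ "\tchronic " ++ shellEscape scriptfile
		_ -> case user of
			"root" -> "chronic " ++ shellEscape scriptfile
			_ -> "chronic su " ++ shellEscape user ++ " -c " ++ shellEscape scriptfile
	-- … unchanged: cmdline, cronjobfile, cronjobdir, scriptfile, name, sanitize …
```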
@@ -44,7 +56,12 @@ job desc times user cddir command = combineProperties ("cronned " ++ desc) `requires` Apt.installed ["util-linux", "moreutils"] where cmdline = "cd " ++ cddir ++ " && ( " ++ command ++ " )" - cronjobfile = "/etc/cron.d/" ++ name + cronjobfile = "/etc" cronjobdir name + cronjobdir = case times of + Times _ -> "cron.d" + Daily -> "cron.daily" + Weekly -> "cron.weekly" + Monthly -> "cron.monthly" scriptfile = "/usr/local/bin/" ++ name ++ "_cronjob" name = map sanitize desc sanitize c @@ -52,10 +69,10 @@ job desc times user cddir command = combineProperties ("cronned " ++ desc) | otherwise = '_' -- | Installs a cron job, and runs it niced and ioniced. -niceJob :: Desc -> CronTimes -> UserName -> FilePath -> String -> Property NoInfo +niceJob :: Desc -> Times -> UserName -> FilePath -> String -> Property NoInfo niceJob desc times user cddir command = job desc times user cddir ("nice ionice -c 3 sh -c " ++ shellEscape command) -- | Installs a cron job to run propellor. -runPropellor :: CronTimes -> Property NoInfo +runPropellor :: Times -> Property NoInfo runPropellor times = niceJob "propellor" times "root" localdir "./propellor" diff --git a/src/Propellor/Property/Obnam.hs b/src/Propellor/Property/Obnam.hs index adaf255c..c066d9f7 100644 --- a/src/Propellor/Property/Obnam.hs +++ b/src/Propellor/Property/Obnam.hs @@ -36,7 +36,7 @@ data NumClients = OnlyClient | MultipleClients -- > `requires` Ssh.keyImported SshRsa "root" (Context hostname) -- -- How awesome is that? -backup :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property NoInfo +backup :: FilePath -> Cron.Times -> [ObnamParam] -> NumClients -> Property NoInfo backup dir crontimes params numclients = backup' dir crontimes params numclients `requires` restored dir params 
@@ -46,7 +46,7 @@ backup dir crontimes params numclients = -- -- The gpg secret key will be automatically imported -- into root's keyring using Propellor.Property.Gpg.keyImported -backupEncrypted :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property HasInfo +backupEncrypted :: FilePath -> Cron.Times -> [ObnamParam] -> NumClients -> Gpg.GpgKeyId -> Property HasInfo backupEncrypted dir crontimes params numclients keyid = backup dir crontimes params' numclients `requires` Gpg.keyImported keyid "root" @@ -54,7 +54,7 @@ backupEncrypted dir crontimes params numclients keyid = params' = ("--encrypt-with=" ++ Gpg.getGpgKeyId keyid) : params -- | Does a backup, but does not automatically restore. -backup' :: FilePath -> Cron.CronTimes -> [ObnamParam] -> NumClients -> Property NoInfo +backup' :: FilePath -> Cron.Times -> [ObnamParam] -> NumClients -> Property NoInfo backup' dir crontimes params numclients = cronjob `describe` desc where desc = dir ++ " backed up by obnam" diff --git a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs index 7fc523f9..102e6a1d 100644 --- a/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs +++ b/src/Propellor/Property/SiteSpecific/GitAnnexBuilder.hs @@ -9,7 +9,7 @@ import qualified Propellor.Property.Cron as Cron import qualified Propellor.Property.Ssh as Ssh import qualified Propellor.Property.File as File import qualified Propellor.Property.Docker as Docker -import Propellor.Property.Cron (CronTimes) +import Propellor.Property.Cron (Times) builduser :: UserName builduser = "builder" 
@@ -25,7 +25,7 @@ builddir = gitbuilderdir "build" type TimeOut = String -- eg, 5h -autobuilder :: Architecture -> CronTimes -> TimeOut -> Property HasInfo +autobuilder :: Architecture -> Times -> TimeOut -> Property HasInfo autobuilder arch crontimes timeout = combineProperties "gitannexbuilder" $ props & Apt.serviceInstalledRunning "cron" & Cron.niceJob "gitannexbuilder" crontimes builduser gitbuilderdir @@ -102,10 +102,10 @@ standardAutoBuilderContainer dockerImage arch buildminute timeout = Docker.conta & User.accountFor builduser & tree arch & buildDepsApt - & autobuilder arch (show buildminute ++ " * * * *") timeout + & autobuilder arch (Cron.Times $ show buildminute ++ " * * * *") timeout & Docker.tweaked -androidAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Docker.Container +androidAutoBuilderContainer :: (System -> Docker.Image) -> Times -> TimeOut -> Docker.Container androidAutoBuilderContainer dockerImage crontimes timeout = androidContainer dockerImage "android-git-annex-builder" (tree "android") builddir & Apt.unattendedUpgrades @@ -166,7 +166,7 @@ armelCompanionContainer dockerImage = Docker.container "armel-git-annex-builder- & Ssh.authorizedKeys builduser (Context "armel-git-annex-builder") & Docker.tweaked -armelAutoBuilderContainer :: (System -> Docker.Image) -> Cron.CronTimes -> TimeOut -> Docker.Container +armelAutoBuilderContainer :: (System -> Docker.Image) -> Times -> TimeOut -> Docker.Container armelAutoBuilderContainer dockerImage crontimes timeout = Docker.container "armel-git-annex-builder" (dockerImage $ System (Debian Unstable) "armel") & os (System (Debian Testing) "armel") diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 9f960aba..32b19764 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -45,8 +45,8 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props & Apt.serviceInstalledRunning "openbsd-inetd" & File.notPresent "/etc/cron.daily/leafnode" & File.notPresent "/etc/cron.d/leafnode" - & Cron.niceJob "oldusenet-expire" "11 1 * * *" "news" newsspool expirecommand - & Cron.niceJob "oldusenet-uucp" "*/5 * * * *" "news" "/" uucpcommand + & Cron.niceJob "oldusenet-expire" (Cron.Times "11 1 * * *") "news" newsspool expirecommand + & Cron.niceJob "oldusenet-uucp" (Cron.Times "*/5 * * * *") "news" "/" uucpcommand & Apache.siteEnabled "nntp.olduse.net" nntpcfg where newsspool = "/var/spool/news" @@ -65,7 +65,7 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props , " " ] - oldUseNetBackup = Obnam.backup datadir "33 4 * * *" + oldUseNetBackup = Obnam.backup datadir (Cron.Times "33 4 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/olduse.net" , "--client-name=spool" ] Obnam.OnlyClient @@ -113,7 +113,7 @@ mumbleServer :: [Host] -> Property HasInfo mumbleServer hosts = combineProperties hn $ props & Apt.serviceInstalledRunning "mumble-server" & Obnam.latestVersion - & Obnam.backup "/var/lib/mumble-server" "55 5 * * *" + & Obnam.backup "/var/lib/mumble-server" (Cron.Times "55 5 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/" ++ hn ++ ".obnam" , "--client-name=mumble" ] Obnam.OnlyClient @@ -138,7 +138,7 @@ obnamLowMem = combineProperties "obnam tuned for low memory use" gitServer :: [Host] -> Property HasInfo gitServer hosts = propertyList "git.kitenet.net setup" $ props & Obnam.latestVersion - & Obnam.backupEncrypted "/srv/git" "33 3 * * *" + & Obnam.backupEncrypted "/srv/git" (Cron.Times "33 3 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" , "--client-name=wren" -- historical ] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1") 
@@ -297,7 +297,7 @@ twitRss = combineProperties "twitter rss" $ props & feed "http://twitter.com/search/realtime?q=olduse+OR+git-annex+OR+debhelper+OR+etckeeper+OR+ikiwiki+-ashley_ikiwiki" "twittergrep" where dir = "/srv/web/tmp.kitenet.net/twitrss" - crontime = "15 * * * *" + crontime = Cron.Times "15 * * * *" feed url desc = Cron.job desc crontime "joey" dir $ "./twitRss " ++ shellEscape url ++ " > " ++ shellEscape ("../" ++ desc ++ ".rss") compiled = userScriptProperty "joey" @@ -313,7 +313,7 @@ twitRss = combineProperties "twitter rss" $ props -- Work around for expired ssl cert. -- (no longer expired, TODO remove this and change urls) pumpRss :: Property NoInfo -pumpRss = Cron.job "pump rss" "15 * * * *" "joey" "/srv/web/tmp.kitenet.net/" +pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/" "wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null" ircBouncer :: Property HasInfo @@ -323,7 +323,7 @@ ircBouncer = propertyList "IRC bouncer" $ props & File.dirExists (takeDirectory conf) & File.hasPrivContent conf anyContext & File.ownerGroup conf "znc" "znc" - & Cron.job "znconboot" "@reboot" "znc" "~" "znc" + & Cron.job "znconboot" (Cron.Times "@reboot") "znc" "~" "znc" -- ensure running if it was not already & trivial (userScriptProperty "znc" ["znc || true"]) `describe` "znc running" @@ -347,9 +347,9 @@ githubBackup :: Property HasInfo githubBackup = propertyList "github-backup box" $ props & Apt.installed ["github-backup", "moreutils"] & githubKeys - & Cron.niceJob "github-backup run" "30 4 * * *" "joey" + & Cron.niceJob "github-backup run" (Cron.Times "30 4 * * *") "joey" "/home/joey/lib/backup" backupcmd - & Cron.niceJob "gitriddance" "30 4 * * *" "joey" + & Cron.niceJob "gitriddance" (Cron.Times "30 4 * * *") "joey" "/home/joey/lib/backup" gitriddancecmd where backupcmd = intercalate "&&" $ 
@@ -385,13 +385,13 @@ githubMirrors = plzuseurl u = "please submit changes to " ++ u ++ " instead of using github pull requests" rsyncNetBackup :: [Host] -> Property NoInfo -rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" "30 5 * * *" +rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" (Cron.Times "30 5 * * *") "joey" "/home/joey/lib/backup" "mkdir -p rsync.net && rsync --delete -az 2318@usw-s002.rsync.net: rsync.net" `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "joey" backupsBackedupFrom :: [Host] -> HostName -> FilePath -> Property NoInfo backupsBackedupFrom hosts srchost destdir = Cron.niceJob desc - "@reboot" "joey" "/" cmd + (Cron.Times "@reboot") "joey" "/" cmd `requires` Ssh.knownHost hosts srchost "joey" where desc = "backups copied from " ++ srchost ++ " on boot" @@ -408,7 +408,7 @@ obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs) `before` File.ownerGroup d "joey" "joey" podcatcher :: Property NoInfo -podcatcher = Cron.niceJob "podcatcher run hourly" "55 * * * *" +podcatcher = Cron.niceJob "podcatcher run hourly" (Cron.Times "55 * * * *") "joey" "/home/joey/lib/sound/podcasts" "xargs git-annex importfeed -c annex.genmetadata=true < feeds; mr --quiet update" `requires` Apt.installed ["git-annex", "myrepos"] -- cgit v1.3-2-g0d8e From 162df37da4b2f3d58ccde81495c70445f1970c7c Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 1 Feb 2015 17:38:05 -0400 Subject: propellor spin --- src/Propellor/Property/Cron.hs | 3 +++ 1 file changed, 3 insertions(+) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/Cron.hs b/src/Propellor/Property/Cron.hs index e75f5ee3..fd365c8f 100644 --- a/src/Propellor/Property/Cron.hs +++ b/src/Propellor/Property/Cron.hs 
@@ -41,6 +41,9 @@ job desc times user cddir command = combineProperties ("cronned " ++ desc) "root" -> "chronic " ++ shellEscape scriptfile _ -> "chronic su " ++ user ++ " -c " ++ shellEscape scriptfile ] + , case times of + Times _ -> doNothing + _ -> cronjobfile `File.mode` combineModes (readModes ++ executeModes) -- Use a separate script because it makes the cron job name -- prettier in emails, and also allows running the job manually. , scriptfile `File.hasContent` -- cgit v1.3-2-g0d8e From 991249185c1b0ef7504e5480892ff1f090beb0fc Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 9 Feb 2015 18:51:07 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 32b19764..e8acd2a4 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -129,8 +129,8 @@ obnamLowMem = combineProperties "obnam tuned for low memory use" , "/etc/obnam.conf" `File.containsLines` [ "[config]" , "# Suggested by liw to keep Obnam memory consumption down (at some speed cost)." - , "upload-queue-size = 128" - , "lru-size = 128" + , "upload-queue-size = 64" + , "lru-size = 64" ] ] -- cgit v1.3-2-g0d8e From d1ebc7c1450225434341e8c257efca13bacdecd6 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 10:02:37 -0400 Subject: propellor spin --- config-joey.hs | 1 + src/Propellor/Property/HostingProvider/Linode.hs | 9 +++++++++ 2 files changed, 10 insertions(+) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index bac02cc3..afd14e88 100644 --- a/config-joey.hs +++ b/config-joey.hs 
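Review bot: The added `case times of` only fixes the mode for the run-parts directories and leaves the `/etc/cron.d` case (`Times _ -> doNothing`) to whatever mode `File.hasContent` produces in the part of `job` outside this hunk; Debian's cron is, as far as I recall, strict about `/etc/cron.d` entries that are group- or world-writable and skips them without a loud failure, so setting an explicit non-writable mode in that branch too would be safer than `doNothing`. A one-line comment above the `case` would also help the next reader, e.g. `-- run-parts only executes files with +x, so periodic jobs need it`. `job` begins and ends outside this hunk.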
@@ -144,6 +144,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & Network.static "eth0" `requires` Network.cleanInterfacesFile & Apt.installed ["linux-image-amd64"] & Linode.chainPVGrub 5 + & Linode.mlocateEnabled & Apt.unattendedUpgrades & Systemd.installed & Systemd.persistentJournal diff --git a/src/Propellor/Property/HostingProvider/Linode.hs b/src/Propellor/Property/HostingProvider/Linode.hs index 90f41bf8..4dd66129 100644 --- a/src/Propellor/Property/HostingProvider/Linode.hs +++ b/src/Propellor/Property/HostingProvider/Linode.hs @@ -2,9 +2,18 @@ module Propellor.Property.HostingProvider.Linode where import Propellor import qualified Propellor.Property.Grub as Grub +import qualified Propellor.Property.File as File +import Utility.FileMode -- | Linode's pv-grub-x86_64 does not currently support booting recent -- Debian kernels compressed with xz. This sets up pv-grub chaing to enable -- it. chainPVGrub :: Grub.TimeoutSecs -> Property NoInfo chainPVGrub = Grub.chainPVGrub "hd0" "xen/xvda" + +-- | Linode disables mlocate's cron job's execute permissions, +-- presumably to avoid disk IO. This ensures it's executable. +mlocateEnabled :: Property NoInfo +mlocateEnabled = "/etc/cron.daily/mlocate" + `File.mode` combineModes (readModes ++ executeModes) + -- cgit v1.3-2-g0d8e From 057509c5cd259b0f84137f3f0d3e8c2e9f428188 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 15:09:57 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index e8acd2a4..f7bbb466 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
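Review bot: `mlocateEnabled` applies `File.mode` to `/etc/cron.daily/mlocate` without stating that the mlocate package must be present, so on a host where it is not installed the property presumably fails, or does nothing, depending on how `File.mode` treats a missing path. Adding `` `requires` Apt.installed ["mlocate"] `` makes the precondition explicit and matches how the other properties on this page express package dependencies. The Haddock could also mention that the mode is forced to read+execute for everyone, which is what `combineModes (readModes ++ executeModes)` does here.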
@@ -129,8 +129,8 @@ obnamLowMem = combineProperties "obnam tuned for low memory use" , "/etc/obnam.conf" `File.containsLines` [ "[config]" , "# Suggested by liw to keep Obnam memory consumption down (at some speed cost)." - , "upload-queue-size = 64" - , "lru-size = 64" + , "upload-queue-size = 96" + , "lru-size = 96" ] ] -- cgit v1.3-2-g0d8e From 824ebdd76f64a61f95f424aac56120c016e2e785 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 19:57:18 -0400 Subject: propellor spin --- config-joey.hs | 2 ++ src/Propellor/Property/SiteSpecific/JoeySites.hs | 6 ++---- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 2da16c57..59b11044 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -204,6 +204,8 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & Docker.configured & Docker.garbageCollected `period` Daily & Docker.docked oldusenetShellBox + + & JoeySites.gitServer hosts diatom :: Host diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index f7bbb466..ae71a3ca 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -147,10 +147,8 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` User.accountFor "family" & Apt.installed ["git", "rsync", "gitweb"] - -- backport avoids channel flooding on branch merge - & Apt.installedBackport ["kgb-client"] - -- backport supports ssh event notification - & Apt.installedBackport ["git-annex"] + & Apt.installed ["kgb-client"] + & Apt.installed ["git-annex"] & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext & Git.daemonRunning "/srv/git" & "/etc/gitweb.conf" `File.containsLines` -- cgit v1.3-2-g0d8e 
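Review bot: The two comments explaining why `kgb-client` and `git-annex` came from backports ("avoids channel flooding on branch merge", "supports ssh event notification") are dropped together with `Apt.installedBackport`, so a reader of the new `Apt.installed` lines cannot tell whether those needs are now met by the regular packages or quietly given up. If the plain packages are now new enough, a comment such as `-- regular packages are recent enough; backports no longer needed` preserves the rationale and stops someone re-adding the backport. `gitServer` begins and ends outside this hunk.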
From d08c98d8b33cab9c7008ee36ff88950c96af2e38 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 20:29:04 -0400 Subject: propellor spin --- config-joey.hs | 7 +------ src/Propellor/Property/SiteSpecific/JoeySites.hs | 15 +++++++++++++-- src/Propellor/Property/Ssh.hs | 18 ++++++++++++++---- 3 files changed, 28 insertions(+), 12 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 37dea8d7..7fb31f6d 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -236,12 +236,7 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" & alias "git.joeyh.name" & JoeySites.gitServer hosts - & JoeySites.annexWebSite "/srv/git/downloads.git" - "downloads.kitenet.net" - "840760dc-08f0-11e2-8c61-576b7e66acfd" - [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")] - `requires` Ssh.keyImported SshRsa "joey" (Context "downloads.kitenet.net") - `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey" + & JoeySites.downloads hosts & JoeySites.gitAnnexDistributor & JoeySites.annexWebSite "/srv/git/joey/tmp.git" diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index ae71a3ca..114a30d4 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -68,9 +68,11 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props oldUseNetBackup = Obnam.backup datadir (Cron.Times "33 4 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/olduse.net" , "--client-name=spool" + , "--ssh-key=" ++ keyfile ] Obnam.OnlyClient - `requires` Ssh.keyImported SshRsa "root" (Context "olduse.net") + `requires` Ssh.keyImported' (Just keyfile) SshRsa "root" (Context "olduse.net") `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" + keyfile = "/root/.ssh/olduse.net.key" oldUseNetShellBox :: Property HasInfo oldUseNetShellBox = propertyList "olduse.net shellbox" $ props 
@@ -140,9 +142,10 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props & Obnam.latestVersion & Obnam.backupEncrypted "/srv/git" (Cron.Times "33 3 * * *") [ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net" + , "--ssh-key=" ++ sshkey , "--client-name=wren" -- historical ] Obnam.OnlyClient (Gpg.GpgKeyId "1B169BE1") - `requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net") + `requires` Ssh.keyImported' (Just sshkey) SshRsa "root" (Context "git.kitenet.net") `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "root" `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` User.accountFor "family" @@ -166,6 +169,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props & website "git.joeyh.name" & Apache.modEnabled "cgi" where + sshkey = "/root/.ssh/git.kitenet.net.key" website hn = apacheSite hn True [ " DocumentRoot /srv/web/git.kitenet.net/" , " " @@ -266,6 +270,13 @@ mainhttpscert True = , " SSLCertificateKeyFile /etc/ssl/private/web.pem" , " SSLCertificateChainFile /etc/ssl/certs/startssl.pem" ] + +downloads :: [Host] -> Property HasInfo +downloads hosts = annexWebSite "/srv/git/downloads.git" + "downloads.kitenet.net" + "840760dc-08f0-11e2-8c61-576b7e66acfd" + [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")] + `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey" gitAnnexDistributor :: Property HasInfo gitAnnexDistributor = combineProperties "git-annex distributor, including rsync server and signer" $ props diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 6bbf2b15..d9cf9a48 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -12,6 +12,7 @@ module Propellor.Property.Ssh ( pubKey, getPubKey, keyImported, + keyImported', knownHost, authorizedKeys, listenPort 
@@ -147,8 +148,15 @@ getPubKey = asks (_sshPubKey . hostInfo) -- | Sets up a user with a ssh private key and public key pair from the -- PrivData. +-- +-- If the user already has a private/public key, it is left unchanged. keyImported :: IsContext c => SshKeyType -> UserName -> c -> Property HasInfo -keyImported keytype user context = combineProperties desc +keyImported = keyImported' Nothing + +-- | A file can be speficied to write the key to somewhere other than +-- usual. Allows a user to have multiple keys for different roles. +keyImported' :: IsContext c => Maybe FilePath -> SshKeyType -> UserName -> c -> Property HasInfo +keyImported' dest keytype user context = combineProperties desc [ installkey (SshPubKey keytype user) (install writeFile ".pub") , installkey (SshPrivKey keytype user) (install writeFileProtected "") ] @@ -168,9 +176,11 @@ keyImported keytype user context = combineProperties desc , File.ownerGroup (takeDirectory f) user user ] ) - keyfile ext = do - home <- homeDirectory <$> getUserEntryForName user - return $ home ".ssh" "id_" ++ fromKeyType keytype ++ ext + keyfile ext = case dest of + Nothing -> do + home <- homeDirectory <$> getUserEntryForName user + return $ home ".ssh" "id_" ++ fromKeyType keytype ++ ext + Just f -> return $ f ++ ext fromKeyType :: SshKeyType -> String fromKeyType SshRsa = "rsa" -- cgit v1.3-2-g0d8e From 0119bf8531076265aee3bf99cdf081b8425f0e57 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 20:56:57 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- src/Propellor/Property/Ssh.hs | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 114a30d4..0994a62f 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
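Review bot: With `dest = Just f`, the new `keyfile` returns the caller-supplied path unchanged, while the unchanged context line `File.ownerGroup (takeDirectory f) user user` in the second hunk now chowns whatever parent directory the caller chose (the JoeySites call sites use `/root/.ssh`, but nothing limits it to the user's home), so a key placed in a shared directory would silently hand that directory to `user`. The Haddock on `keyImported'` should state that the parent directory of `dest` becomes owned by the user, or the ownership change could be confined to the `Nothing` branch. That Haddock also has a typo: "speficied" should be "specified". `keyImported'` ends outside these hunks.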
@@ -150,7 +150,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` User.accountFor "family" & Apt.installed ["git", "rsync", "gitweb"] - & Apt.installed ["kgb-client"] + & Apt.installed ["kgb-client", "kgb-bot"] & Apt.installed ["git-annex"] & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext & Git.daemonRunning "/srv/git" diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index d9cf9a48..fe2794a5 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -161,7 +161,12 @@ keyImported' dest keytype user context = combineProperties desc , installkey (SshPrivKey keytype user) (install writeFileProtected "") ] where - desc = user ++ " has ssh key (" ++ fromKeyType keytype ++ ")" + desc = unwords $ catMaybes + [ Just user + , Just "has ssh key" + , dest + , Just $ "(" ++ fromKeyType keytype ++ ")" + ] installkey p a = withPrivData p context $ \getkey -> property desc $ getkey a install writer ext key = do -- cgit v1.3-2-g0d8e From 5ae2a1dc3cb59046bf5e26b140d9ce23394a09f7 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 20:58:47 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 0994a62f..114a30d4 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -150,7 +150,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` User.accountFor "family" & Apt.installed ["git", "rsync", "gitweb"] - & Apt.installed ["kgb-client", "kgb-bot"] + & Apt.installed ["kgb-client"] & Apt.installed ["git-annex"] & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext & Git.daemonRunning "/srv/git" -- cgit v1.3-2-g0d8e From 8d73419dbec51ea51e51b2507d9eab809b937f31 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 21:01:38 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 114a30d4..69458eec 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -150,9 +150,10 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props `requires` Ssh.authorizedKeys "family" (Context "git.kitenet.net") `requires` User.accountFor "family" & Apt.installed ["git", "rsync", "gitweb"] - & Apt.installed ["kgb-client"] & Apt.installed ["git-annex"] + & Apt.installed ["kgb-client"] & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext + `requires` File.dirExists "/etc/kgb-bot/" & Git.daemonRunning "/srv/git" & "/etc/gitweb.conf" `File.containsLines` [ "$projectroot = '/srv/git';" -- cgit v1.3-2-g0d8e From e32f1573741bcbbe93a7e801cecdea560b64c713 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 21:04:32 -0400 Subject: Fix Git.daemonRunning to restart inetd after enabling the git server. --- debian/changelog | 1 + src/Propellor/Property/Git.hs | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'src/Propellor/Property') 
diff --git a/debian/changelog b/debian/changelog index 6bac1899..ff1cdf1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ propellor (2.1.0) UNRELEASED; urgency=medium and naming bridges, relays, etc. * New Cron.Times data type, which allows Cron.job to install daily/monthly/weekly jobs that anacron can run. (API change) + * Fix Git.daemonRunning to restart inetd after enabling the git server. -- Joey Hess Thu, 29 Jan 2015 01:41:07 -0400 diff --git a/src/Propellor/Property/Git.hs b/src/Propellor/Property/Git.hs index c363d8c8..91f1e3ed 100644 --- a/src/Propellor/Property/Git.hs +++ b/src/Propellor/Property/Git.hs @@ -23,7 +23,7 @@ daemonRunning exportdir = setup unsetup `requires` Apt.serviceInstalledRunning "openbsd-inetd" `onChange` - Service.running "openbsd-inetd" + Service.reloaded "openbsd-inetd" `describe` ("git-daemon exporting " ++ exportdir) unsetup = lacksLine conf (mkl "tcp4") `requires` -- cgit v1.3-2-g0d8e From 920b7bf56dddeabfd8129255ec365e29746cbd77 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 21:18:41 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 69458eec..396968c3 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -178,6 +178,8 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.cgi" + , " Order allow,deny" + , " Allow from all" , " " , "" , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" -- cgit v1.3-2-g0d8e From b2dccb5fb5dbfdfc742e521fcd928d2a01d80658 Mon Sep 17 00:00:00 2001 
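Review bot: `Service.reloaded "openbsd-inetd"` is attached via `onChange` to `setup` only; the `unsetup` branch that follows (`lacksLine conf (mkl "tcp4")`, continuing outside the hunk) does not appear to get the same reload, so removing the export would leave inetd serving git-daemon until its next restart. If that branch has no `onChange` of its own, mirror the change there so that disabling the service takes effect immediately. `daemonRunning` begins before and ends after this hunk.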
From: Joey Hess Date: Tue, 10 Feb 2015 21:21:51 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'src/Propellor/Property') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 396968c3..06608c6b 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -178,8 +178,7 @@ gitServer hosts = propertyList "git.kitenet.net setup" $ props , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.cgi" - , " Order allow,deny" - , " Allow from all" + , Apache.allowAll , " " , "" , " ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/" -- cgit v1.3-2-g0d8e From f5c82083fef89004be1e4896bd7b0a05d33e7948 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 21:39:16 -0400 Subject: propellor spin --- config-joey.hs | 11 +++-------- src/Propellor/Property/SiteSpecific/JoeySites.hs | 25 ++++++++++++++++-------- 2 files changed, 20 insertions(+), 16 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 79d133d1..7ce893c0 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -241,15 +241,10 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" -- & alias "git.joeyh.name" -- & JoeySites.gitServer hosts - & JoeySites.downloads hosts - & JoeySites.gitAnnexDistributor + -- & JoeySites.downloads hosts + -- & JoeySites.gitAnnexDistributor - & JoeySites.annexWebSite "/srv/git/joey/tmp.git" - "tmp.kitenet.net" - "26fd6e38-1226-11e2-a75f-ff007033bdba" - [] - & JoeySites.twitRss - & JoeySites.pumpRss + & JoeySites.tmp & JoeySites.annexWebSite "/srv/git/user-liberation.git" "user-liberation.joeyh.name" diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 06608c6b..edca2aa4 100644 
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -208,7 +208,7 @@ annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-ann setup = userScriptProperty "joey" setupscript setupscript = [ "cd " ++ shellEscape dir - , "git config annex.uuid " ++ shellEscape uuid + , "git annex reinit " ++ shellEscape uuid ] ++ map addremote remotes ++ [ "git annex get" , "git update-server-info" @@ -272,13 +272,6 @@ mainhttpscert True = , " SSLCertificateKeyFile /etc/ssl/private/web.pem" , " SSLCertificateChainFile /etc/ssl/certs/startssl.pem" ] - -downloads :: [Host] -> Property HasInfo -downloads hosts = annexWebSite "/srv/git/downloads.git" - "downloads.kitenet.net" - "840760dc-08f0-11e2-8c61-576b7e66acfd" - [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")] - `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey" gitAnnexDistributor :: Property HasInfo gitAnnexDistributor = combineProperties "git-annex distributor, including rsync server and signer" $ props @@ -299,6 +292,22 @@ gitAnnexDistributor = combineProperties "git-annex distributor, including rsync , File.ownerGroup d "joey" "joey" ] +downloads :: [Host] -> Property HasInfo +downloads hosts = annexWebSite "/srv/git/downloads.git" + "downloads.kitenet.net" + "840760dc-08f0-11e2-8c61-576b7e66acfd" + [("eubackup", "ssh://eubackup.kitenet.net/~/lib/downloads/")] + `requires` Ssh.knownHost hosts "eubackup.kitenet.net" "joey" + +tmp :: Property HasInfo +tmp = propertyList "tmp.kitenet.net" $ props + & annexWebSite "/srv/git/joey/tmp.git" + "tmp.kitenet.net" + "26fd6e38-1226-11e2-a75f-ff007033bdba" + [] + & twitRss + & pumpRss + -- Twitter, you kill us. twitRss :: Property HasInfo twitRss = combineProperties "twitter rss" $ props -- cgit v1.3-2-g0d8e From 8f813dc87548a88bb28c326745b0399c74e344d8 Mon Sep 17 00:00:00 2001 
From: Joey Hess Date: Tue, 10 Feb 2015 21:46:31 -0400 Subject: propellor spin --- config-joey.hs | 23 ++++++++++++----------- src/Propellor/Property/SiteSpecific/JoeySites.hs | 7 +++---- 2 files changed, 15 insertions(+), 15 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 6acba336..99deef43 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -173,13 +173,23 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & alias "mail.kitenet.net" & JoeySites.kiteMailServer + & JoeySites.kitenetHttps + & Apache.multiSSL + & JoeySites.legacyWebSites + + & alias "git.kitenet.net" + & alias "git.joeyh.name" + & JoeySites.gitServer hosts + + & JoeySites.downloads hosts + & JoeySites.gitAnnexDistributor + & JoeySites.tmp + & alias "ns4.kitenet.net" & myDnsSecondary & alias "ns4.branchable.com" & branchableSecondary - & JoeySites.legacyWebSites - & alias "bitlbee.kitenet.net" & Apt.serviceInstalledRunning "bitlbee" & "/etc/bitlbee/bitlbee.conf" `File.hasContent` @@ -204,15 +214,6 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & Docker.configured & Docker.garbageCollected `period` Daily ! Docker.docked oldusenetShellBox - - & alias "git.kitenet.net" - & alias "git.joeyh.name" - & JoeySites.gitServer hosts - - & JoeySites.downloads hosts - & JoeySites.gitAnnexDistributor - - & JoeySites.tmp diatom :: Host diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index edca2aa4..3341a3dd 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -221,14 +221,14 @@ annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-ann , " " , " Options FollowSymLinks" , " AllowOverride None" + , Apache.allowAll , " " , " " , " Options Indexes FollowSymLinks ExecCGI" , " AllowOverride None" , " AddHandler cgi-script .cgi" , " DirectoryIndex index.html index.cgi" - , " Order allow,deny" - , " allow from all" + , Apache.allowAll , " " ] @@ -256,8 +256,7 @@ apachecfg hn withssl middle , " " , " Options Indexes MultiViews" , " AllowOverride None" - , " Order allow,deny" - , " Allow from all" + , Apache.allowAll , " " , "" ] -- cgit v1.3-2-g0d8e From a407af3f03b31ec653a21ba0e1db49389c68c246 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 21:55:39 -0400 Subject: propellor spin --- config-joey.hs | 25 ++++++++++++++----------- src/Propellor/Property/Apache.hs | 16 ++++++++++------ 2 files changed, 24 insertions(+), 17 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 99deef43..91daff08 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -174,8 +174,9 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & JoeySites.kiteMailServer & JoeySites.kitenetHttps - & Apache.multiSSL & JoeySites.legacyWebSites + & File.ownerGroup "/srv/web" "joey" "joey" + & Apt.installed ["analog"] & alias "git.kitenet.net" & alias "git.joeyh.name" @@ -214,6 +215,8 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" & Docker.configured & Docker.garbageCollected `period` Daily ! Docker.docked oldusenetShellBox + + & JoeySites.oldUseNetServer hosts diatom :: Host diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" 
@@ -224,21 +227,21 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=") ] - & DigitalOcean.distroKernel - & Apt.unattendedUpgrades - & Apt.serviceInstalledRunning "ntp" - & Postfix.satellite + -- & DigitalOcean.distroKernel + -- & Apt.unattendedUpgrades + -- & Apt.serviceInstalledRunning "ntp" + -- & Postfix.satellite -- Diatom has 500 mb of memory, so tune for that. - & JoeySites.obnamLowMem + -- & JoeySites.obnamLowMem -- & Apt.serviceInstalledRunning "swapspace" - & Cron.job "memory use logged" (Cron.Times "*/5 * * * *") "root" "/" "(date; free; ps --sort -rss axl | head -n10) >> /var/log/memory.log" + -- & Cron.job "memory use logged" (Cron.Times "*/5 * * * *") "root" "/" "(date; free; ps --sort -rss axl | head -n10) >> /var/log/memory.log" & Apt.serviceInstalledRunning "apache2" - & JoeySites.kitenetHttps - & Apache.multiSSL - & File.ownerGroup "/srv/web" "joey" "joey" - & Apt.installed ["analog"] + -- & JoeySites.kitenetHttps + -- & Apache.multiSSL + -- & File.ownerGroup "/srv/web" "joey" "joey" + -- & Apt.installed ["analog"] -- & alias "git.kitenet.net" -- & alias "git.joeyh.name" diff --git a/src/Propellor/Property/Apache.hs b/src/Propellor/Property/Apache.hs index e598de1f..a7c7e690 100644 --- a/src/Propellor/Property/Apache.hs +++ b/src/Propellor/Property/Apache.hs 
@@ -70,13 +70,17 @@ reloaded = Service.reloaded "apache2" -- | Configure apache to use SNI to differentiate between -- https hosts. +-- +-- This was off by default in apache 2.2.22. Newver versions enable +-- it by default. This property uses the filename used by the old version. multiSSL :: Property NoInfo -multiSSL = "/etc/apache2/conf.d/ssl" `File.hasContent` - [ "NameVirtualHost *:443" - , "SSLStrictSNIVHostCheck off" - ] - `describe` "apache SNI enabled" - `onChange` reloaded +multiSSL = check (doesDirectoryExist "/etc/apache2/conf.d") $ + "/etc/apache2/conf.d/ssl" `File.hasContent` + [ "NameVirtualHost *:443" + , "SSLStrictSNIVHostCheck off" + ] + `describe` "apache SNI enabled" + `onChange` reloaded -- | Config file fragment that can be inserted into a -- stanza to allow global read access to the directory. -- cgit v1.3-2-g0d8e From ca2640d0371222ffade34044380a4086cb5917c4 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Tue, 10 Feb 2015 22:31:00 -0400 Subject: propellor spin --- config-joey.hs | 8 ++++---- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index 91daff08..5139ab9b 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -217,6 +217,8 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" ! Docker.docked oldusenetShellBox & JoeySites.oldUseNetServer hosts + + & Dns.secondaryFor ["animx"] hosts "animx.eu.org" diatom :: Host diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" @@ -269,10 +271,8 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64" [ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk") ] - & alias "ns3.branchable.com" - & branchableSecondary - - & Dns.secondaryFor ["animx"] hosts "animx.eu.org" + -- & alias "ns3.branchable.com" + -- & branchableSecondary elephant :: Host elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" 
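Review bot: In multiSSL the new `check (doesDirectoryExist "/etc/apache2/conf.d")` guard makes the property a silent no-op on hosts without that directory while it is still described as "apache SNI enabled", so a run there reports SNI as handled by this property although nothing was written; the comment explains that newer Apache enables SNI by default, which is why skipping is acceptable, but that reasoning belongs in the description too. If a host has a stale `conf.d` left over from an upgrade the file would still be written to a path the newer server may not read, so the existence check is a proxy for the Apache version rather than a test of it. Two wording fixes while here: `Newver` → `Newer` in the new comment, and a note that `SSLStrictSNIVHostCheck off` deliberately lets non-SNI clients fall through to the default vhost rather than being refused.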
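Review bot: Moving `Dns.secondaryFor ["animx"] hosts "animx.eu.org"` from diatom to kite, and commenting out `alias "ns3.branchable.com"` and `branchableSecondary` on diatom, changes which host answers for those zones, but nothing in these hunks addresses the delegation side: the animx.eu.org primary must permit zone transfers from kite's addresses, and any NS/glue records still naming ns3 on diatom become a lame delegation until retargeted. Whether `Dns.secondaryFor` with `hosts` also configures allow-transfer on propellor-managed primaries is not visible here — confirm for animx, which does not appear to be a host in this config. A short comment next to the kite line, e.g. `-- animx primary must allow AXFR from kite's IPs (was diatom)`, would record the external dependency.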
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 3341a3dd..3d453a8a 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -24,6 +24,7 @@ import Data.String.Utils oldUseNetServer :: [Host] -> Property HasInfo oldUseNetServer hosts = propertyList "olduse.net server" $ props + & Apt.installed ["leafnode"] & oldUseNetInstalled "oldusenet-server" & Obnam.latestVersion & oldUseNetBackup @@ -32,7 +33,6 @@ oldUseNetServer hosts = propertyList "olduse.net server" $ props removeDirectoryRecursive newsspool createSymbolicLink (datadir "news") newsspool ) - & Apt.installed ["leafnode"] & "/etc/news/leafnode/config" `File.hasContent` [ "# olduse.net configuration (deployed by propellor)" , "expire = 1000000" -- no expiry via texpire -- cgit v1.3-2-g0d8e From da77276378ecbed7d6434145793bfb209c731b76 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 12 Feb 2015 12:35:15 -0400 Subject: ssh user perm fixes * Ssh.authorizedKey: Make the authorized_keys file and .ssh directory be owned by the user, not root. * Ssh.knownHost: Make the .ssh directory be owned by the user, not root. --- config-joey.hs | 2 +- debian/changelog | 3 +++ src/Propellor/Property/SiteSpecific/JoeySites.hs | 1 - src/Propellor/Property/Ssh.hs | 12 +++++++++--- 4 files changed, 13 insertions(+), 5 deletions(-) (limited to 'src/Propellor/Property') diff --git a/config-joey.hs b/config-joey.hs index f5c593ec..f87db43e 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -127,7 +127,7 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64" -- with propellor. kite :: Host kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" - [ "Welcome to the new kitenet.net server!" ] + [ "Welcome to kite!" ] & ipv4 "66.228.36.95" & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2" & alias "kitenet.net" diff --git a/debian/changelog b/debian/changelog index ff1cdf1d..a8000c43 100644 
--- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,9 @@ propellor (2.1.0) UNRELEASED; urgency=medium * New Cron.Times data type, which allows Cron.job to install daily/monthly/weekly jobs that anacron can run. (API change) * Fix Git.daemonRunning to restart inetd after enabling the git server. + * Ssh.authorizedKey: Make the authorized_keys file and .ssh directory + be owned by the user, not root. + * Ssh.knownHost: Make the .ssh directory be owned by the user, not root. -- Joey Hess Thu, 29 Jan 2015 01:41:07 -0400 diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 3d453a8a..9644cb72 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -330,7 +330,6 @@ twitRss = combineProperties "twitter rss" $ props ] -- Work around for expired ssl cert. --- (no longer expired, TODO remove this and change urls) pumpRss :: Property NoInfo pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/" "wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null" diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index fe2794a5..f44688c1 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -207,6 +207,7 @@ knownHost hosts hn user = property desc $ , f `File.containsLines` (map (\k -> hn ++ " " ++ k) (M.elems m)) , File.ownerGroup f user user + , File.ownerGroup (takeDirectory f) user user ] go _ = do warningMessage $ "no configred pubKey for " ++ hn 
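Review bot: Deleting the `(no longer expired, TODO remove this and change urls)` line from the pumpRss comment removes the reminder but keeps `wget ... --no-check-certificate`, so the TLS-verification bypass for pump2rss.com is now permanent behind a comment that only says "Work around for expired ssl cert". If the certificate is in fact valid again, the change that should land is dropping `--no-check-certificate` rather than the TODO; if it is not, the comment should say why verification is still off and what would allow it to be re-enabled. With checking disabled, anyone on-path can feed arbitrary content into `pump.atom` under /srv/web, so this is worth resolving rather than normalising.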
@@ -230,12 +231,17 @@ authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \g -- | Ensures that a user's authorized_keys contains a line. -- Any other lines in the file are preserved as-is. authorizedKey :: UserName -> String -> Property NoInfo -authorizedKey user l = property (user ++ " has autorized_keys line " ++ l) $ do +authorizedKey user l = property desc $ do f <- liftIO $ dotFile "authorized_keys" user - ensureProperty $ - f `File.containsLine` l + ensureProperty $ combineProperties desc + [ f `File.containsLine` l `requires` File.dirExists (takeDirectory f) `onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode]) + , File.ownerGroup f user user + , File.ownerGroup (takeDirectory f) user user + ] + where + desc = user ++ " has autorized_keys line " ++ l -- | Makes the ssh server listen on a given port, in addition to any other -- ports it is configured to listen on. -- cgit v1.3-2-g0d8e
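Review bot: In authorizedKey the 0600 mode is applied only `onChange`, i.e. on the run that appends the line, whereas the two new `File.ownerGroup` entries run every time; an authorized_keys that already contains the line but is group- or world-readable is left as it is, and one that is writable by others will be ignored by sshd under its default StrictModes. Making the mode unconditional keeps the property convergent: drop the `onChange` from the first element and add `, File.mode f (combineModes [ownerWriteMode, ownerReadMode])` as a third list entry (after `containsLine`, so the file exists). Both `File.ownerGroup ... user user` lines here, like the matching one in the knownHost hunk, pass the login name as the group, which assumes a user-private group of that name exists — true for Debian-created accounts, probably wrong for system users whose primary group differs; taking the group from the account's passwd entry would be safer, and the directory's own mode is still not set, which StrictModes also checks. Also `desc` still says "autorized_keys"; fixing the typo changes only the reported description.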