From bafa1691900970efcf2a772f094db1db874dacaf Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Fri, 11 Nov 2016 19:57:56 -0400
Subject: iabak is moving out of joeyconfig to its own separate config
This is to allow multiple admins of iabak to access the privdata. Since there's a single privdata file for all machines in a propellor deployment, and I don't want them to see all my secrets, we needed to break it out.
---
 src/Propellor/Property/SiteSpecific/IABak.hs | 121 ---------------------------
 1 file changed, 121 deletions(-)
 delete mode 100644 src/Propellor/Property/SiteSpecific/IABak.hs
(limited to 'src/Propellor/Property/SiteSpecific')
diff --git a/src/Propellor/Property/SiteSpecific/IABak.hs b/src/Propellor/Property/SiteSpecific/IABak.hs
deleted file mode 100644
index b245e444..00000000
--- a/src/Propellor/Property/SiteSpecific/IABak.hs
+++ /dev/null
@@ -1,121 +0,0 @@
-module Propellor.Property.SiteSpecific.IABak where
-
-import Propellor.Base
-import qualified Propellor.Property.Apt as Apt
-import qualified Propellor.Property.Git as Git
-import qualified Propellor.Property.Cron as Cron
-import qualified Propellor.Property.File as File
-import qualified Propellor.Property.Apache as Apache
-import qualified Propellor.Property.User as User
-import qualified Propellor.Property.Ssh as Ssh
-
-repo :: String
-repo = "https://github.com/ArchiveTeam/IA.BAK/"
-
-userrepo :: String
-userrepo = "git@gitlab.com:archiveteam/IA.bak.users.git"
-
-publicFace :: Property DebianLike
-publicFace = propertyList "iabak public face" $ props
- & Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
- & Apt.serviceInstalledRunning "apache2"
- & Cron.niceJob "graph-gen" (Cron.Times "*/10 * * * *") (User "root") "/"
- "/usr/local/IA.BAK/web/graph-gen.sh"
-
-gitServer :: [Host] -> Property (HasInfo + DebianLike)
-gitServer knownhosts = propertyList "iabak git server" $ props
- & Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
- & Git.cloned (User "root") repo "/usr/local/IA.BAK/client" (Just "master")
- & Ssh.userKeys (User "root") (Context "IA.bak.users.git") sshKeys
- & Ssh.knownHost knownhosts "gitlab.com" (User "root")
- & Git.cloned (User "root") userrepo "/usr/local/IA.BAK/pubkeys" (Just "master")
- & Apt.serviceInstalledRunning "apache2"
- & "/usr/lib/cgi-bin/pushme.cgi" `File.isSymlinkedTo` File.LinkTarget "/usr/local/IA.BAK/pushme.cgi"
- & File.containsLine "/etc/sudoers" "www-data ALL=NOPASSWD:/usr/local/IA.BAK/pushed.sh"
- & Cron.niceJob "shardstats" (Cron.Times "*/30 * * * *") (User "root") "/"
- "/usr/local/IA.BAK/shardstats-all"
- & Cron.niceJob "shardmaint" Cron.Daily (User "root") "/"
- "/usr/local/IA.BAK/shardmaint-fast; /usr/local/IA.BAK/shardmaint"
- & Apt.installed ["git-annex"]
- & Apt.installed ["libmail-sendmail-perl"]
- & Cron.niceJob "expireemailer" Cron.Daily (User "root")
-
"/usr/local/IA.BAK"
- "./expireemailer"
-
-registrationServer :: [Host] -> Property (HasInfo + DebianLike)
-registrationServer knownhosts = propertyList "iabak registration server" $ props
- & User.accountFor (User "registrar")
- & Ssh.userKeys (User "registrar") (Context "IA.bak.users.git") sshKeys
- & Ssh.knownHost knownhosts "gitlab.com" (User "registrar")
- & Git.cloned (User "registrar") repo "/home/registrar/IA.BAK" (Just "server")
- & Git.cloned (User "registrar") userrepo "/home/registrar/users" (Just "master")
- & Apt.serviceInstalledRunning "apache2"
- & Apt.installed ["perl", "perl-modules"]
- & link `File.isSymlinkedTo` File.LinkTarget "/home/registrar/IA.BAK/registrar/register.cgi"
- & cmdProperty "chown" ["-h", "registrar:registrar", link]
- `changesFile` link
- & File.containsLine "/etc/sudoers" "www-data ALL=(registrar) NOPASSWD:/home/registrar/IA.BAK/registrar/register.pl"
- & Apt.installed ["kgb-client"]
- & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext
- `requires` File.dirExists "/etc/kgb-bot/"
- where
- link = "/usr/lib/cgi-bin/register.cgi"
-
-sshKeys :: [(SshKeyType, Ssh.PubKeyText)]
-sshKeys =
- [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoiE+CPiIQyfWnl/E9iKG3eo4QzlH30vi7xAgKolGaTu6qKy4XPtl+8MNm2Dqn9QEYRVyyOT/XH0yP5dRc6uyReT8dBy03MmLkVbj8Q+nKCz5YOMTxrY3sX6RRXU1zVGjeVd0DtC+rKRT7reoCxef42LAJTm8nCyZu/enAuso5qHqBbqulFz2YXEKfU1SEEXLawtvgGck1KmCyg+pqazeI1eHWXrojQf5isTBKfPQLWVppBkWAf5cA4wP5U1vN9dVirIdw66ds1M8vnGlkTBjxP/HLGBWGYhZHE7QXjXRsk2RIXlHN9q6GdNu8+F3HXS22mst47E4UAeRoiXSMMtF5")
- ]
-
-graphiteServer :: Property (HasInfo + DebianLike)
-graphiteServer = propertyList "iabak graphite server" $ props
- & Apt.serviceInstalledRunning "apache2"
- & Apt.installed ["libapache2-mod-wsgi", "graphite-carbon", "graphite-web"]
- & File.hasContent "/etc/carbon/storage-schemas.conf"
- [ "[carbon]"
- , "pattern = ^carbon\\."
- , "retentions = 60:90d"
- , "[iabak-connections]"
- , "pattern = ^iabak\\.shardstats\\.connections"
- , "retentions = 1h:1y,3h:10y"
- , "[iabak-default]"
- , "pattern = ^iabak\\."
- , "retentions = 10m:30d,1h:1y,3h:10y"
- , "[default_1min_for_1day]"
- , "pattern = .*"
- , "retentions = 60s:1d"
- ]
- & graphiteCSRF
- & cmdProperty "graphite-manage" ["syncdb", "--noinput"]
- `assume` MadeChange
- `flagFile` "/etc/flagFiles/graphite-syncdb"
- & cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=joey", "--email=joey@localhost"]
- `assume` MadeChange
- `flagFile` "/etc/flagFiles/graphite-user-joey"
- & cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=db48x", "--email=db48x@localhost"]
- `assume` MadeChange
- `flagFile` "/etc/flagFiles/graphite-user-db48x"
- -- TODO: deal with passwords somehow
- & File.ownerGroup "/var/lib/graphite/graphite.db" (User "_graphite") (Group "_graphite")
- & "/etc/apache2/ports.conf" `File.containsLine` "Listen 8080"
- `onChange` Apache.restarted
- & Apache.siteEnabled "iabak-graphite-web"
- [ ""
- , " WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite"
- , " WSGIProcessGroup _graphite"
- , " WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}"
- , " WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi"
- , " Alias /content/ /usr/share/graphite-web/static/"
- , " "
- , " SetHandler None"
- , " "
- , " ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log"
- , " LogLevel warn"
- , " CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined"
- , ""
- ]
- where
- graphiteCSRF :: Property (HasInfo + DebianLike)
- graphiteCSRF = withPrivData (Password "csrf-token") (Context "iabak.archiveteam.org") $
- \gettoken -> property' "graphite-web CSRF token" $ \w ->
- gettoken $ \token -> ensureProperty w $ File.containsLine
- "/etc/graphite/local_settings.py"
("SECRET_KEY = '"++ privDataVal token ++"'") -- cgit v1.2.3