authorJoey Hess2016-11-11 19:57:56 -0400
committerJoey Hess2016-11-11 19:57:56 -0400
commitbafa1691900970efcf2a772f094db1db874dacaf (patch)
treeaf1d37094a29b5ad6ec25d0971b5c6b684af230d
parent55ad7e25aa15549d631894d78e89a47eda8f9514 (diff)
iabak is moving out of joeyconfig to its own separate config
This is to allow multiple admins of iabak to access its privdata. Since propellor keeps a single privdata file for all the machines in a deployment, and I don't want the other admins to see all my secrets, the iabak configuration needed to be broken out.
-rw-r--r--joeyconfig.hs41
-rw-r--r--propellor.cabal1
-rw-r--r--src/Propellor/Property/SiteSpecific/IABak.hs121
3 files changed, 0 insertions, 163 deletions
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 22744ffc..c5a98531 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -35,7 +35,6 @@ import qualified Propellor.Property.HostingProvider.Linode as Linode
import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
-import qualified Propellor.Property.SiteSpecific.IABak as IABak
import qualified Propellor.Property.SiteSpecific.Branchable as Branchable
import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
import Propellor.Property.DiskImage
@@ -58,7 +57,6 @@ hosts = -- (o) `
, beaver
, pell
, keysafe
- , iabak
] ++ monsters
testvm :: Host
@@ -513,45 +511,6 @@ keysafe = host "keysafe.joeyh.name" $ props
, "&& rsync -a --delete --max-delete 3 ", backupdir , rsyncnetbackup
]
-iabak :: Host
-iabak = host "iabak.archiveteam.org" $ props
- & ipv4 "124.6.40.227"
- & Hostname.sane
- & osDebian Testing X86_64
- & Systemd.persistentJournal
- & Cron.runPropellor (Cron.Times "30 * * * *")
- & Apt.stdSourcesList `onChange` Apt.upgrade
- & Apt.installed ["git", "ssh"]
- & Ssh.hostKeys (Context "iabak.archiveteam.org")
- [ (SshDsa, "ssh-dss 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")
- , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP13oPRLRY0V9ZDWojb8TgHbUdE30Nq3b541TwPmlLMbYPAhldxGHkuXGlX8g9/FYP/1AgkPcxs2Uc61ZV+1Ss7q7t52f4R0bO4WHqxfdXHd9FlLzMLWxMU3aMr693pGlhnUp3/xH6O6/+bNEIo3VGGgv9XDr2cAxypS9J7X9ibHZcZ3BGvoCR+nnFJ00ERG2tREKZBPDWKk76lhCiM21fG/CSmcApXaA45FHDaM9/2Clj1sXvoS72f0hEKpl1m08sUx+F0GPzQESnKqNFl+xXdYPPbfhdrgCnDmx9tL5NnXsJU2beFiuxpICOeB1HV6DJsdlO18WqwXYhOg/2A1H3")
- , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHb0kXcrF5ThwS8wB0Hez404Zp9bz78ZxEGSqnwuF4d/N3+bymg7/HAj7l/SzRoEXKHsJ7P5320oMxBHeM16Y+k=")
- ]
- & Apt.installed ["etckeeper", "sudo"]
- -- vital but generic tools
- & Apt.installed ["vim", "screen", "tmux", "less", "emacs-nox", "netcat", "nano"]
- -- tools for creating shards
- & Apt.installed ["jq", "python3", "python3-aiohttp"]
- & User.hasSomePassword (User "root")
- & propertyList "admin accounts"
- (toProps $ map User.accountFor admins
- ++ map (Group.hasUser (Group "staff")) admins
- ++ map Sudo.enabledFor admins)
- & User.hasSomePassword (User "joey")
- & GitHome.installedFor (User "joey")
- & Ssh.authorizedKey (User "db48x") "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAIAQDQ6urXcMDeyuFf4Ga7CuGezTShKnEMPHKJm7RQUtw3yXCPX5wnbvPS2+UFnHMzJvWOX5S5b/XpBpOusP0jLpxwOCEg4nA5b7uvWJ2VIChlMqopYMo+tDOYzK/Q74MZiNWi2hvf1tn3N9SnqOa7muBMKMENIX5KJdH8cJ/BaPqAP883gF8r2SwSZFvaB0xYCT/CIylC593n/+0+Lm07NUJIO8jil3n2SwXdVg6ib65FxZoO86M46wTghnB29GXqrzraOg+5DY1zzCWpIUtFwGr4DP0HqLVtmAkC7NI14l1M0oHE0UEbhoLx/a+mOIMD2DuzW3Rs3ZmHtGLj4PL/eBU8D33AqSeM0uR/0pEcoq6A3a8ixibj9MBYD2lMh+Doa2audxS1OLM//FeNccbm1zlvvde82PZtiO11P98uN+ja4A+CfgQU5s0z0wikc4gXNhWpgvz8DrOEJrjstwOoqkLg2PpIdHRw7dhpp3K1Pc+CGAptDwbKkxs4rzUgMbO9DKI7fPcXXgKHLLShMpmSA2vsQUMfuCp2cVrQJ+Vkbwo29N0Js5yU7L4NL4H854Nbk5uwWJCs/mjXtvTimN2va23HEecTpk44HDUjJ9NyevAfPcO9q1ZtgXFTQSMcdv1m10Fvmnaiy8biHnopL6MBo1VRITh5UFiJYfK4kpTTg2vSspii/FYkkYOAnnZtXZqMehP7OZjJ6HWJpsCVR2hxP3sKOoQu+kcADWa/4obdp+z7gY8iMMjd6kwuIWsNV8KsX+eVJ4UFpAi/L00ZjI2B9QLVCsOg6D1fT0698wEchwUROy5vZZJq0078BdAGnwC0WGLt+7OUgn3O2gUAkb9ffD0odbZSqq96NCelM6RaHA+AaIE4tjGL3lFkyOtb+IGPNACQ73/lmaRQd6Cgasq9cEo0g22Ew5NQi0CBuu1aLDk7ezu3SbU09eB9lcZ+8lFnl5K2eQFeVJStFJbJNfOvgKyOb7ePsrUFF5GJ2J/o1F60fRnG64HizZHxyFWkEOh+k3i8qO+whPa5MTQeYLYb6ysaTPrUwNRcSNNCcPEN8uYOh1dOFAtIYDcYA56BZ321yz0b5umj+pLsrFU+4wMjWxZi0inJzDS4dVegBVcRm0NP5u8VRosJQE9xdbt5K1I0khzhrEW1kowoTbhsZCaDHhL9LZo73Z1WIHvulvlF3RLZip5hhtQu3ZVkbdV5uts8AWaEWVnIu9z0GtQeeOuseZpT0u1/1xjVAOKIzuY3sB7FKOaipe8TDvmdiQf/ICySqqYaYhN6GOhiYccSleoX6yzhYuCvzTgAyWHIfW0t25ff1CM7Vn+Vo9cVplIer1pbwhZZy4QkROWTOE+3yuRlQ+o6op4hTGdAZhjKh9zkDW7rzqQECFrZrX/9mJhxYKjhpkk0X3dSipPt9SUHagc4igya+NgCygQkWBOQfr4uia0LcwDxy4Kchw7ZuypHuGVZkGhNHXS+9JdAHopnSqYwDMG/z1ys1vQihgER0b9g3TchvGF+nmHe2kbM1iuIYMNNlaZD1yGZ5qR7wr/8dw8r0NBEwzsUfak3BUPX7H6X0tGS96llwUxmvQD85WNNoef0uryuAtDEwWlfN1RmWysZDc57Rn4gZi0M5jXmQD23ZiYXYBcG849OeqNzlxONEFsForXO/29Ud4x/Hqa9tf+kJbqMRsaLFO+PXhHzgl6ZHLAljQDxrJ6keNnkqaYfqQ8wyRi1mKv4Ab57kde7mUsZhe7w93GaE9Lxfvu7d3pB+lXfI9NJCSITHreUP4JfmFW+p/eVg+r/1wbElNylGna4I4+qYObOUncGwFKYdFPdtU1XLDKXmywTEgbEh7iI9zX0xD3bPHQLMg+TTtXiU9dQm1x/0zRf9trwDsRDJCbG4/P4iQYkcVvYx2CCfi0JSHv8tWsLi3
GJKJLXUxZyzfvY2lThPeYnnY/HFrPJCyJUN55QuRmfzbu8rHgWlcyOlVpKtz+7kn823kEQykiIYKIKrb0G6VBzuMtAk9XzJPv+Wu7suOGXHlVfCqPLk6RjHDm4kTYciW9VgxDts5Y+zwcAbrUeA4UuN/6KisWpivMrfDSIHUCeH/lHBtNkqKohdrUKJMEOx5X6r2dJbmoTFBDi5XtYu/5cBtiDMmupNB0S+pZ2JD5/RKtj6kgzTeE1q/OG4q/eq1O1rjf0vIS31luy27K/YHFIGE0D/CmuXE74Uyaxm27RnrKUxEBl84V70GaIF4F5On8pSThxxizigXTRTKiczc+A5Zi29mid+1EFeUAJOa/DuHJfpVNY4pYEmhPl/Bk66L8kzlbJz6Hg/LIiJIRcy3UKrbSxPFIDpXn33drBHgklMDlrIVDZDXF6cn0Ml71SabB4A3TM6TK+oWZoyvftPIhcWhVwAWQj7nFNAiMEl1z/29ovHrRooqQFozf7GDW8Mjiu7ChZP9zx2H8JB/AAEFuWMwGV4AHICYdS9lOl/v+cDhgsnXdeuKEuxHhYlRxuRxJk/f17Sm/5H85UIzlu85wi3q/DW2FTZnlw4iJLnL6FArUIMzuBOZyoEhh0SPR41Xc4kkucDhnENybTZSR/yDzb0P1B7qjZ4GqcSEFja/hm/LH1oKJzZg8MEqeUoKYCUdVv9ek4IUGUONtVs53V5SOwFWR/nVuDk2BENr7NadYYVtu6MjBwgjso7NuhoNxVwIEP3BW67OQ8bxfNBtJJQNJejAhgZiqJItI9ucAfjQ== db48x@anglachel"
- & Ssh.authorizedKey (User "db48x") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQkqIgZ7D8WHW5Y3o+fpZC/4xtv/3IQrORJrTPCt7KY db48x@erebor"
- & Ssh.authorizedKey (User "hcross") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5OhU2Lita9RdjPkX9N0w9wZnmVlednUDEx24bVn4Mk IABAK key - Harry C"
- & Ssh.authorizedKey (User "kaz") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhFYMd9Htlf9wPZzIDyqbYYNwuo3m+kWQ9/pfAD/TE9 Kaz IABAK"
- & Ssh.authorizedKey (User "yipdw") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo2mGPw2TTJMHp7G86hMBh6n9/+abzg1oXIIlkwWwzo trythil@aglarond"
- & Ssh.noPasswords
- & IABak.gitServer monsters
- & IABak.registrationServer monsters
- & IABak.graphiteServer
- & IABak.publicFace
- where
- admins = map User ["joey", "db48x", "hcross", "kaz", "yipdw"]
-
--' __|II| ,.
---- __|II|II|__ ( \_,/\
--'-------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/ __/ -'-.-'-.-'-.-'-.-'-.-'-
diff --git a/propellor.cabal b/propellor.cabal
index 5490a67c..e0e15b0d 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -158,7 +158,6 @@ Library
Propellor.Property.SiteSpecific.JoeySites
Propellor.Property.SiteSpecific.GitAnnexBuilder
Propellor.Property.SiteSpecific.Branchable
- Propellor.Property.SiteSpecific.IABak
Propellor.PropAccum
Propellor.Utilities
Propellor.CmdLine
diff --git a/src/Propellor/Property/SiteSpecific/IABak.hs b/src/Propellor/Property/SiteSpecific/IABak.hs
deleted file mode 100644
index b245e444..00000000
--- a/src/Propellor/Property/SiteSpecific/IABak.hs
+++ /dev/null
@@ -1,121 +0,0 @@
-module Propellor.Property.SiteSpecific.IABak where
-
-import Propellor.Base
-import qualified Propellor.Property.Apt as Apt
-import qualified Propellor.Property.Git as Git
-import qualified Propellor.Property.Cron as Cron
-import qualified Propellor.Property.File as File
-import qualified Propellor.Property.Apache as Apache
-import qualified Propellor.Property.User as User
-import qualified Propellor.Property.Ssh as Ssh
-
-repo :: String
-repo = "https://github.com/ArchiveTeam/IA.BAK/"
-
-userrepo :: String
-userrepo = "git@gitlab.com:archiveteam/IA.bak.users.git"
-
-publicFace :: Property DebianLike
-publicFace = propertyList "iabak public face" $ props
- & Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
- & Apt.serviceInstalledRunning "apache2"
- & Cron.niceJob "graph-gen" (Cron.Times "*/10 * * * *") (User "root") "/"
- "/usr/local/IA.BAK/web/graph-gen.sh"
-
-gitServer :: [Host] -> Property (HasInfo + DebianLike)
-gitServer knownhosts = propertyList "iabak git server" $ props
- & Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
- & Git.cloned (User "root") repo "/usr/local/IA.BAK/client" (Just "master")
- & Ssh.userKeys (User "root") (Context "IA.bak.users.git") sshKeys
- & Ssh.knownHost knownhosts "gitlab.com" (User "root")
- & Git.cloned (User "root") userrepo "/usr/local/IA.BAK/pubkeys" (Just "master")
- & Apt.serviceInstalledRunning "apache2"
- & "/usr/lib/cgi-bin/pushme.cgi" `File.isSymlinkedTo` File.LinkTarget "/usr/local/IA.BAK/pushme.cgi"
- & File.containsLine "/etc/sudoers" "www-data ALL=NOPASSWD:/usr/local/IA.BAK/pushed.sh"
- & Cron.niceJob "shardstats" (Cron.Times "*/30 * * * *") (User "root") "/"
- "/usr/local/IA.BAK/shardstats-all"
- & Cron.niceJob "shardmaint" Cron.Daily (User "root") "/"
- "/usr/local/IA.BAK/shardmaint-fast; /usr/local/IA.BAK/shardmaint"
- & Apt.installed ["git-annex"]
- & Apt.installed ["libmail-sendmail-perl"]
- & Cron.niceJob "expireemailer" Cron.Daily (User "root")
- "/usr/local/IA.BAK"
- "./expireemailer"
-
-registrationServer :: [Host] -> Property (HasInfo + DebianLike)
-registrationServer knownhosts = propertyList "iabak registration server" $ props
- & User.accountFor (User "registrar")
- & Ssh.userKeys (User "registrar") (Context "IA.bak.users.git") sshKeys
- & Ssh.knownHost knownhosts "gitlab.com" (User "registrar")
- & Git.cloned (User "registrar") repo "/home/registrar/IA.BAK" (Just "server")
- & Git.cloned (User "registrar") userrepo "/home/registrar/users" (Just "master")
- & Apt.serviceInstalledRunning "apache2"
- & Apt.installed ["perl", "perl-modules"]
- & link `File.isSymlinkedTo` File.LinkTarget "/home/registrar/IA.BAK/registrar/register.cgi"
- & cmdProperty "chown" ["-h", "registrar:registrar", link]
- `changesFile` link
- & File.containsLine "/etc/sudoers" "www-data ALL=(registrar) NOPASSWD:/home/registrar/IA.BAK/registrar/register.pl"
- & Apt.installed ["kgb-client"]
- & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext
- `requires` File.dirExists "/etc/kgb-bot/"
- where
- link = "/usr/lib/cgi-bin/register.cgi"
-
-sshKeys :: [(SshKeyType, Ssh.PubKeyText)]
-sshKeys =
- [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoiE+CPiIQyfWnl/E9iKG3eo4QzlH30vi7xAgKolGaTu6qKy4XPtl+8MNm2Dqn9QEYRVyyOT/XH0yP5dRc6uyReT8dBy03MmLkVbj8Q+nKCz5YOMTxrY3sX6RRXU1zVGjeVd0DtC+rKRT7reoCxef42LAJTm8nCyZu/enAuso5qHqBbqulFz2YXEKfU1SEEXLawtvgGck1KmCyg+pqazeI1eHWXrojQf5isTBKfPQLWVppBkWAf5cA4wP5U1vN9dVirIdw66ds1M8vnGlkTBjxP/HLGBWGYhZHE7QXjXRsk2RIXlHN9q6GdNu8+F3HXS22mst47E4UAeRoiXSMMtF5")
- ]
-
-graphiteServer :: Property (HasInfo + DebianLike)
-graphiteServer = propertyList "iabak graphite server" $ props
- & Apt.serviceInstalledRunning "apache2"
- & Apt.installed ["libapache2-mod-wsgi", "graphite-carbon", "graphite-web"]
- & File.hasContent "/etc/carbon/storage-schemas.conf"
- [ "[carbon]"
- , "pattern = ^carbon\\."
- , "retentions = 60:90d"
- , "[iabak-connections]"
- , "pattern = ^iabak\\.shardstats\\.connections"
- , "retentions = 1h:1y,3h:10y"
- , "[iabak-default]"
- , "pattern = ^iabak\\."
- , "retentions = 10m:30d,1h:1y,3h:10y"
- , "[default_1min_for_1day]"
- , "pattern = .*"
- , "retentions = 60s:1d"
- ]
- & graphiteCSRF
- & cmdProperty "graphite-manage" ["syncdb", "--noinput"]
- `assume` MadeChange
- `flagFile` "/etc/flagFiles/graphite-syncdb"
- & cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=joey", "--email=joey@localhost"]
- `assume` MadeChange
- `flagFile` "/etc/flagFiles/graphite-user-joey"
- & cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=db48x", "--email=db48x@localhost"]
- `assume` MadeChange
- `flagFile` "/etc/flagFiles/graphite-user-db48x"
- -- TODO: deal with passwords somehow
- & File.ownerGroup "/var/lib/graphite/graphite.db" (User "_graphite") (Group "_graphite")
- & "/etc/apache2/ports.conf" `File.containsLine` "Listen 8080"
- `onChange` Apache.restarted
- & Apache.siteEnabled "iabak-graphite-web"
- [ "<VirtualHost *:8080>"
- , " WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite"
- , " WSGIProcessGroup _graphite"
- , " WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}"
- , " WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi"
- , " Alias /content/ /usr/share/graphite-web/static/"
- , " <Location \"/content/\">"
- , " SetHandler None"
- , " </Location>"
- , " ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log"
- , " LogLevel warn"
- , " CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined"
- , "</VirtualHost>"
- ]
- where
- graphiteCSRF :: Property (HasInfo + DebianLike)
- graphiteCSRF = withPrivData (Password "csrf-token") (Context "iabak.archiveteam.org") $
- \gettoken -> property' "graphite-web CSRF token" $ \w ->
- gettoken $ \token -> ensureProperty w $ File.containsLine
- "/etc/graphite/local_settings.py" ("SECRET_KEY = '"++ privDataVal token ++"'")