authorJoey Hess2017-08-25 18:52:52 -0400
committerJoey Hess2017-08-25 18:52:52 -0400
commit8f2d77265a0cbf76d0f155da7d33222549caf311 (patch)
tree681733696c47a79881e643dffa05e04ade832e8f
parent427c2ba5997a2c0ab5c54335646de39abdb73563 (diff)
parent87f4281250d09d53c5cf399e7286520bfdcc387d (diff)
Merge branch 'joeyconfig'
-rw-r--r--joeyconfig.hs2
-rw-r--r--src/Propellor/Property/Borg.hs4
-rw-r--r--src/Propellor/Property/SiteSpecific/Branchable.hs30
-rw-r--r--src/Propellor/Property/SiteSpecific/JoeySites.hs24
4 files changed, 34 insertions, 26 deletions
diff --git a/joeyconfig.hs b/joeyconfig.hs
index e98e5b51..49480718 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -373,7 +373,7 @@ elephant = host "elephant.kitenet.net" $ props
& Apt.serviceInstalledRunning "swapspace"
& alias "eubackup.kitenet.net"
- & Apt.installed ["obnam", "sshfs", "rsync"]
+ & Apt.installed ["obnam", "sshfs", "rsync", "borgbackup"]
& JoeySites.obnamRepos ["pell", "kite"]
& JoeySites.githubBackup
& JoeySites.rsyncNetBackup hosts
diff --git a/src/Propellor/Property/Borg.hs b/src/Propellor/Property/Borg.hs
index 7ed39794..c02c5fb5 100644
--- a/src/Propellor/Property/Borg.hs
+++ b/src/Propellor/Property/Borg.hs
@@ -92,8 +92,8 @@ restored dir backupdir = go `requires` installed
-- > ["--exclude=/srv/git/tobeignored"]
-- > [Borg.KeepDays 7, Borg.KeepWeeks 4, Borg.KeepMonths 6, Borg.KeepYears 1]
--
--- Note that this property does not make borg encrypt the backup
--- repository.
+-- Note that this property does not initialize the backup repository,
+-- so that will need to be done once, before-hand.
--
-- Since borg uses a fair amount of system resources, only one borg
-- backup job will be run at a time. Other jobs will wait their turns to
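Review bot: The rewritten sentence drops the one fact a user of this property most needs to know about encryption: borg fixes the encryption mode when the repository is initialized, and the new text says initialization is left to the caller, so the two points belong together. Suggest `-- Note that this property does not initialize the backup repository` / `-- (which is also where borg's encryption mode is chosen), so that` / `-- will need to be done once, before-hand.` The Haddock block belongs to a definition whose signature lies outside the hunk.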
diff --git a/src/Propellor/Property/SiteSpecific/Branchable.hs b/src/Propellor/Property/SiteSpecific/Branchable.hs
index 239bcbeb..ce679083 100644
--- a/src/Propellor/Property/SiteSpecific/Branchable.hs
+++ b/src/Propellor/Property/SiteSpecific/Branchable.hs
@@ -8,6 +8,8 @@ import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Postfix as Postfix
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Sudo as Sudo
+import qualified Propellor.Property.Borg as Borg
+import qualified Propellor.Property.Cron as Cron
server :: [Host] -> Property (HasInfo + DebianLike)
server hosts = propertyList "branchable server" $ props
@@ -37,18 +39,24 @@ server hosts = propertyList "branchable server" $ props
& Postfix.installed
& Postfix.mainCf ("mailbox_command", "procmail -a \"$EXTENSION\"")
- -- Obnam is run by a cron job in ikiwiki-hosting.
- & "/etc/obnam.conf" `File.hasContent`
- [ "[config]"
- , "repository = sftp://joey@eubackup.kitenet.net/home/joey/lib/backup/pell.obnam"
- , "log = /var/log/obnam.log"
- , "encrypt-with = " ++ obnamkey
- , "log-level = info"
- , "log-max = 1048576"
- , "keep = 7d,5w,12m"
- , "upload-queue-size = 128"
- , "lru-size = 128"
+ & Borg.backup "/" "joey@eubackup.kitenet.net:/home/joey/lib/backup/branchable/pell.borg" Cron.Daily
+ [ "--exclude=/proc/*"
+ , "--exclude=/sys/*"
+ , "--exclude=/run/*"
+ , "--exclude=/tmp/*"
+ , "--exclude=/var/tmp/*"
+ , "--exclude=/var/backups/ikiwiki-hosting-web/*"
+ , "--exclude=/var/cache/*"
+ , "--exclude=/home/*/source/*"
+ , "--exclude=/home/*/public_html/*"
+ , "--exclude=/home/*/.git/*"
]
+ [ Borg.KeepDays 7
+ , Borg.KeepWeeks 5
+ , Borg.KeepMonths 12
+ , Borg.KeepYears 1
+ ]
+ -- gpg key that can be used to decrypt the borg backup key
& Gpg.keyImported (Gpg.GpgKeyId obnamkey) (User "root")
& Ssh.userKeys (User "root") (Context "branchable.com")
[ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2PqTSupwncqeffNwZQXacdEWp7L+TxllIxH7WjfRMb3U74mQxWI0lwqLVW6Fox430DvhSqF1y5rJBvTHh4i49Tc9lZ7mwAxA6jNOP6bmdfteaKKYmUw5qwtJW0vISBFu28qBO11Nq3uJ1D3Oj6N+b3mM/0D3Y3NoGgF8+2dLdi81u9+l6AQ5Jsnozi2Ni/Osx2oVGZa+IQDO6gX8VEP4OrcJFNJe8qdnvItcGwoivhjbIfzaqNNvswKgGzhYLOAS5KT8HsjvIpYHWkyQ5QUX7W/lqGSbjP+6B8C3tkvm8VLXbmaD+aSkyCaYbuoXC2BoJdS7Jh8phKMwPJmdYVepn")
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index f02dc6f0..34b0af44 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -520,6 +520,7 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
& "/etc/aliases" `File.hasPrivContentExposed` ctx
`onChange` Postfix.newaliases
+ & hasPostfixCert ctx
& "/etc/postfix/mydomain" `File.containsLines`
[ "/.*\\.kitenet\\.net/\tOK"
@@ -582,9 +583,9 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
, "milter_default_action = accept"
, "# TLS setup -- server"
- , "smtpd_tls_CAfile = /etc/letsencrypt/live/kitenet.net/fullchain.pem"
- , "smtpd_tls_cert_file = /etc/letsencrypt/live/kitenet.net/cert.pem"
- , "smtpd_tls_key_file = /etc/letsencrypt/live/kitenet.net/privkey.pem"
+ , "smtpd_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
, "smtpd_tls_loglevel = 1"
, "smtpd_tls_received_header = yes"
, "smtpd_use_tls = yes"
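Review bot: Both the server and client `*_tls_CAfile` settings now point at `/etc/ssl/certs/joeyca.pem`, which from its name looks like a private CA rather than a public bundle; the same substitution is made in the `smtp_tls_*` hunk that follows. On the `smtpd` side this means remote senders that verify the MX certificate against public roots will no longer trust it, where the Let's Encrypt chain previously did; whether that matters depends on the deployment. On the `smtp` (outbound) side the CAfile is the only trust anchor Postfix consults, so if `smtp_tls_security_level` (not visible in this diff) is ever stricter than opportunistic, verification against any public server fails; keeping `smtp_tls_CApath = /etc/ssl/certs` alongside the private CA avoids that. A one-line comment stating why the private CA replaced Let's Encrypt here would help the next reader. The `kiteMailServer` property list starts outside the hunk.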
@@ -592,9 +593,9 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
, "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
, "# TLS setup -- client"
- , "smtp_tls_CAfile = /etc/letsencrypt/live/kitenet.net/fullchain.pem"
- , "smtp_tls_cert_file = /etc/letsencrypt/live/kitenet.net/cert.pem"
- , "smtp_tls_key_file = /etc/letsencrypt/live/kitenet.net/privkey.pem"
+ , "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
, "smtp_tls_loglevel = 1"
, "smtp_use_tls = yes"
, "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
@@ -613,12 +614,6 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
"!include auth-passwdfile.conf.ext"
`onChange` Service.restarted "dovecot"
`describe` "dovecot auth.conf"
- & "/etc/dovecot/conf.d/10-ssl.conf" `File.containsLines`
- [ "ssl_cert = </etc/letsencrypt/live/kitenet.net/fullchain.pem"
- , "ssl_key = </etc/letsencrypt/live/kitenet.net/privkey.pem"
- ]
- `onChange` Service.restarted "dovecot"
- `describe` "dovecot letsencrypt certs"
& File.hasPrivContent dovecotusers ctx
`onChange` (dovecotusers `File.mode`
combineModes [ownerReadMode, groupReadMode])
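Review bot: The `10-ssl.conf` lines are removed without a replacement, so Dovecot's `ssl_cert`/`ssl_key` fall back to whatever the package's shipped default is, which is unlikely to be the same certificate Postfix now serves; IMAP clients that pinned or trusted the Let's Encrypt certificate will see the change. If the intent is to share the new Postfix certificate, the removed property can be kept with `ssl_cert = </etc/ssl/certs/postfix.pem` and `ssl_key = </etc/ssl/private/postfix.pem` (assuming Dovecot can read the private key file, which `File.hasPrivContent` presumably leaves root-only — confirm), keeping the `Service.restarted "dovecot"` trigger. Otherwise a comment stating that Dovecot's TLS is now configured elsewhere would prevent this from reading as an accidental drop. The `kiteMailServer` property list starts outside the hunk.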
@@ -719,6 +714,11 @@ postfixSaslPasswordClient = combineProperties "postfix uses SASL password to aut
]
`onChange` Postfix.reloaded
+hasPostfixCert :: Context -> Property (HasInfo + UnixLike)
+hasPostfixCert ctx = combineProperties "postfix tls cert installed" $ props
+ & "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
+ & "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+
-- Legacy static web sites and redirections from kitenet.net to newer
-- sites.
legacyWebSites :: Property (HasInfo + DebianLike)
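Review bot: `hasPostfixCert` installs the certificate and private key but nothing reloads Postfix when their content changes, so a rotated certificate is not served until some unrelated property happens to trigger a reload; `Postfix.reloaded` is already used this way a few lines up. Suggest `hasPostfixCert ctx = combineProperties "postfix tls cert installed" (props` / `& "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx` / `& "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx) `onChange` Postfix.reloaded`, which presumably narrows the signature to `Property (HasInfo + DebianLike)` — confirm against `Postfix.reloaded`'s type. The new function also has no Haddock comment; a line such as `-- | Private-data TLS certificate and key used by postfix's smtpd and smtp TLS setup in 'kiteMailServer'.` would tie it to the config lines that reference these paths.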