authorJoey Hess2014-07-18 02:08:13 -0400
committerJoey Hess2014-07-18 02:08:13 -0400
commit6957f28945bc4360882c8337f91d471de8fbadee (patch)
treea1082238e19abb21210d7e0cad38a47c0fddae97 /config-joey.hs
parent2812719e5466d2676db3fd5c4ac36c45bb873e89 (diff)
propellor spin
Diffstat (limited to 'config-joey.hs')
-rw-r--r--config-joey.hs20
1 files changed, 14 insertions, 6 deletions
diff --git a/config-joey.hs b/config-joey.hs
index 6db3e81d..b95a3278 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -75,7 +75,10 @@ hosts = -- (o) `
& Docker.garbageCollected `period` Daily
& Apt.buildDep ["git-annex"] `period` Daily
- , standardSystem "kite.kitenet.net" Unstable "amd64"
+ -- This is not a complete description of kite, since it's a
+ -- multiuser system with eg, user passwords that are not deployed
+ -- with propellor.
+ , standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!"
, "This is still under construction and not yet live.."
]
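Review bot: The new comment above `standardSystemUnhardened "kite.kitenet.net"` says the description is incomplete, but not what the choice means for security: this host never gets `Ssh.passwordAuthentication False`. The shared base still sets a root password (`User.hasSomePassword "root"`, visible in the last hunk), so root may be reachable by password guessing unless sshd's `PermitRootLogin` setting forbids it, which this page does not show. I would extend the comment with a line such as `-- so ssh password authentication stays enabled here; root should still be key-only.` and confirm root login is limited to keys on this host. The `hosts` list begins and ends outside this hunk.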
@@ -102,6 +105,8 @@ hosts = -- (o) `
& JoeySites.kiteMailServer
& Apt.installed ["mutt", "alpine", "git-annex", "myrepos"]
+ -- Since password authentication is allowed:
+ & Apt.serviceInstalledRunning "fail2ban"
, standardSystem "diatom.kitenet.net" Stable "amd64"
[ "Important stuff that needs not too much memory or CPU." ]
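Review bot: `Apt.serviceInstalledRunning "fail2ban"` only ensures the package is installed and the daemon is running, so the protection is whatever the package's default jails provide. Those normally cover sshd, but this host also gets `JoeySites.kiteMailServer`; if its mail services accept password logins (not visible here), they would need jails of their own. The comment could name the service it refers to, e.g. `-- Since ssh password authentication is allowed (package default jails only):`. The kite host entry begins outside this hunk.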
@@ -280,7 +285,14 @@ type Motd = [String]
-- This is my standard system setup.
standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host
-standardSystem hn suite arch motd = host hn
+standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd
+ -- Harden the system, but only once root's authorized_keys
+ -- is safely in place.
+ & check (Ssh.hasAuthorizedKeys "root")
+ (Ssh.passwordAuthentication False)
+
+standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host
+standardSystemUnhardened hn suite arch motd = host hn
& os (System (Debian suite) arch)
& Hostname.sane
& Hostname.searchDomain
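Review bot: `standardSystemUnhardened` is introduced without a comment of its own, so its name is the only hint that hosts built from it keep sshd password authentication enabled. I would add above its signature something like `-- standardSystem minus the ssh hardening: password authentication stays on, so use only for multiuser hosts and pair with fail2ban.` Separately, in `standardSystem` the hardening is guarded by `check (Ssh.hasAuthorizedKeys "root")`, so a host where root's authorized_keys is missing appears to stay on password authentication with nothing reporting it. A short note on that guard would help whoever audits a new host. The body of `standardSystemUnhardened` continues outside this hunk.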
@@ -291,10 +303,6 @@ standardSystem hn suite arch motd = host hn
& Apt.installed ["ssh"]
& GitHome.installedFor "root"
& User.hasSomePassword "root" (Context hn)
- -- Harden the system, but only once root's authorized_keys
- -- is safely in place.
- & check (Ssh.hasAuthorizedKeys "root")
- (Ssh.passwordAuthentication False)
& User.accountFor "joey"
& User.hasSomePassword "joey" (Context hn)
& Sudo.enabledFor "joey"