l---------config.hs2
-rw-r--r--debian/changelog18
-rw-r--r--doc/FreeBSD.mdwn2
-rw-r--r--doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn1
-rw-r--r--doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment8
-rw-r--r--doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn3
-rw-r--r--doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment9
-rw-r--r--doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment35
-rw-r--r--doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn90
-rw-r--r--doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment14
-rw-r--r--doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment11
-rw-r--r--doc/index.mdwn2
-rw-r--r--doc/news/version_5.3.4.mdwn8
-rw-r--r--privdata/relocate1
-rw-r--r--propellor.cabal2
-rw-r--r--src/Propellor/Property/Apt.hs8
-rw-r--r--src/Propellor/Property/Firewall.hs4
-rw-r--r--src/Propellor/Property/Systemd.hs4
18 files changed, 212 insertions, 10 deletions
diff --git a/config.hs b/config.hs
index 97d90636..ec313725 120000
--- a/config.hs
+++ b/config.hs
@@ -1 +1 @@
-joeyconfig.hs \ No newline at end of file
+config-simple.hs \ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index b081d04f..9af87222 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+propellor (5.3.5) UNRELEASED; urgency=medium
+
+ * Apt.stdSourcesList now adds stable-updates suite
+ Thanks, Sean Whitton
+
+ -- Joey Hess <id@joeyh.name> Wed, 18 Apr 2018 10:12:21 -0400
+
+propellor (5.3.4) unstable; urgency=medium
+
+ * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg,
+ which seems to not work anymore.
+ Thanks, Russell Sim.
+ * Firewall: Reorder iptables parameters that are order
+ dependant to make --to-dest and --to-source work.
+ Thanks, Russell Sim
+
+ -- Joey Hess <id@joeyh.name> Wed, 21 Mar 2018 14:59:15 -0400
+
propellor (5.3.3) unstable; urgency=medium
* Warn again about new upstream version when ~/.propellor was cloned from the
diff --git a/doc/FreeBSD.mdwn b/doc/FreeBSD.mdwn
index 47b9c65b..ca340163 100644
--- a/doc/FreeBSD.mdwn
+++ b/doc/FreeBSD.mdwn
@@ -6,5 +6,5 @@ additional porting to support FreeBSD. Such properties have types like
`Property DebianLike`. The type checker will detect and reject attempts
to combine such properties with `Property FreeBSD`.
-[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=config-freebsd.hs)
+[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/config-freebsd.hs)
which configures a FreeBSD system, as well as a Linux one.
diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn
new file mode 100644
index 00000000..a918a402
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security.mdwn
@@ -0,0 +1 @@
+Maybe we could use deb.debian.org/debian-security instead of security.debian.org in Apt properties. What do you think about this?
diff --git a/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment
new file mode 100644
index 00000000..8565ee93
--- /dev/null
+++ b/doc/forum/Apt:_use_deb.debian.org__47__debian-security/comment_1_8f06ef23b94f1df693f0da4689f39edf._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 1"
+ date="2018-04-03T00:20:41Z"
+ content="""
+What would that achieve?
+"""]]
diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
new file mode 100644
index 00000000..c3260c1c
--- /dev/null
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__.mdwn
@@ -0,0 +1,3 @@
+Hello,
+
+where can I find practical, working examples on how to use Propellor? For example, how to use Propellor to setup a LAMP debian or ubuntu server.
diff --git a/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment
new file mode 100644
index 00000000..b2124dd7
--- /dev/null
+++ b/doc/forum/Where_can_I_find_practical_examples_on_how_to_use_Propellor__63__/comment_1_cc518b5ae9f82d13be9eda19822db85c._comment
@@ -0,0 +1,9 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-04-03T22:39:14Z"
+ content="""
+Mostly I point people at my [personal propellor config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs)
+which is quite big, but demos a lot of propellor's features. And unlike
+an artificial example, it's always tested and working.
+"""]]
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment
new file mode 100644
index 00000000..c5427cd7
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_14_a65bf71d16401e2621f1dff93701247d._comment
@@ -0,0 +1,35 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 14"
+ date="2018-03-04T10:41:01Z"
+ content="""
+Hello, sorry to bother you with this BUT :))
+
+Now I have the right message which explain how to upgrade my .propellor
+(sorry for the french)
+
+ picca@mordor:~$ propellor
+ Fusion automatique de src/Propellor/Property/Systemd.hs
+ Fusion automatique de src/Propellor/Property/SiteSpecific/JoeySites.hs
+ Fusion automatique de src/Propellor/Property/Git.hs
+ Fusion automatique de src/Propellor/Git/VerifiedBranch.hs
+ Fusion automatique de src/Propellor/Git.hs
+ Fusion automatique de src/Propellor/EnsureProperty.hs
+ Fusion automatique de src/Propellor/DotDir.hs
+ Fusion automatique de propellor.cabal
+ Fusion automatique de joeyconfig.hs
+ Fusion automatique de doc/README.mdwn
+ Fusion automatique de debian/changelog
+ ** warning: ** Your ~/.propellor/ is out of date..
+ A newer upstream version is available in /usr/src/propellor/propellor.git
+ To merge it, run: git merge upstream/master
+
+but when I try to do the merge, I get this error message
+
+ picca@mordor:~/.propellor$ LANG=C git merge upstream/master
+ fatal: refusing to merge unrelated histories
+
+How can I help to solve this issue ?
+
+"""]]
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn
new file mode 100644
index 00000000..3c0853db
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work.mdwn
@@ -0,0 +1,90 @@
+I've been hitting a problem when importing APT keys on a debian stretch VM. I'm using a property like
+
+ mybox :: Host
+ mybox = host "henry1.home" $ props
+ & osDebian (Stable "stretch") X86_64
+ & Apt.stdSourcesList
+ & Apt.unattendedUpgrades
+ & installKubernetes
+
+
+ installKubernetes :: Property DebianLike
+ installKubernetes = Apt.installed ["kubelet", "kubeadm", "kubectl"]
+ `requires` Apt.setSourcesListD ["deb http://apt.kubernetes.io/ kubernetes-xenial main"] "google-cloud"
+ `requires` Apt.trustsKey googleKey
+
+ googleKey :: Apt.AptKey
+ googleKey =
+ Apt.AptKey "google-key" $ unlines
+ [ "-----BEGIN PGP PUBLIC KEY BLOCK-----"
+ , ""
+ , "mQENBFUd6rIBCAD6mhKRHDn3UrCeLDp7U5IE7AhhrOCPpqGF7mfTemZYHf/5Jdjx"
+ , "cOxoSFlK7zwmFr3lVqJ+tJ9L1wd1K6P7RrtaNwCiZyeNPf/Y86AJ5NJwBe0VD0xH"
+ , "TXzPNTqRSByVYtdN94NoltXUYFAAPZYQls0x0nUD1hLMlOlC2HdTPrD1PMCnYq/N"
+ , "uL/Vk8sWrcUt4DIS+0RDQ8tKKe5PSV0+PnmaJvdF5CKawhh0qGTklS2MXTyKFoqj"
+ , "XgYDfY2EodI9ogT/LGr9Lm/+u4OFPvmN9VN6UG+s0DgJjWvpbmuHL/ZIRwMEn/tp"
+ , "uneaLTO7h1dCrXC849PiJ8wSkGzBnuJQUbXnABEBAAG0QEdvb2dsZSBDbG91ZCBQ"
+ , "YWNrYWdlcyBBdXRvbWF0aWMgU2lnbmluZyBLZXkgPGdjLXRlYW1AZ29vZ2xlLmNv"
+ , "bT6JAT4EEwECACgFAlUd6rICGy8FCQWjmoAGCwkIBwMCBhUIAgkKCwQWAgMBAh4B"
+ , "AheAAAoJEDdGwginMXsPcLcIAKi2yNhJMbu4zWQ2tM/rJFovazcY28MF2rDWGOnc"
+ , "9giHXOH0/BoMBcd8rw0lgjmOosBdM2JT0HWZIxC/Gdt7NSRA0WOlJe04u82/o3OH"
+ , "WDgTdm9MS42noSP0mvNzNALBbQnlZHU0kvt3sV1YsnrxljoIuvxKWLLwren/GVsh"
+ , "FLPwONjw3f9Fan6GWxJyn/dkX3OSUGaduzcygw51vksBQiUZLCD2Tlxyr9NvkZYT"
+ , "qiaWW78L6regvATsLc9L/dQUiSMQZIK6NglmHE+cuSaoK0H4ruNKeTiQUw/EGFaL"
+ , "ecay6Qy/s3Hk7K0QLd+gl0hZ1w1VzIeXLo2BRlqnjOYFX4A="
+ , "=HVTm"
+ , "-----END PGP PUBLIC KEY BLOCK-----"
+ ]
+
+
+the import works fine, but the packages fail to install because the key isn't valid, i can list the key
+
+ root@henry1:~# apt-key list | grep -A 6 google-key
+ Warning: apt-key output should not be parsed (stdout is not a terminal)
+ /etc/apt/trusted.gpg.d/google-key.gpg
+ -------------------------------------
+ pub rsa2048 2015-04-03 [SCEA] [expires: 2018-04-02]
+ D0BC 747F D8CA F711 7500 D6FA 3746 C208 A731 7B0F
+ uid [ unknown] Google Cloud Packages Automatic Signing Key <gc-team@google.com>
+
+
+but i can't export it. I've tried the gpg command listed in the Apt.trustsKey function and running it locally (on the vm) with a local file doesn't work either.
+
+ root@henry1:~# apt-key export D6FA3746A7317B0F
+ gpg: [don't know]: invalid packet (ctb=00)
+ gpg: WARNING: nothing exported
+ gpg: key export failed: Invalid packet
+
+
+Gpg version info
+
+ root@henry1:~# gpg --version
+ gpg (GnuPG) 2.1.18
+ libgcrypt 1.7.6-beta
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
+ This is free software: you are free to change and redistribute it.
+ There is NO WARRANTY, to the extent permitted by law.
+
+ Home: /root/.gnupg
+ Supported algorithms:
+ Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
+ Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
+ CAMELLIA128, CAMELLIA192, CAMELLIA256
+ Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
+ Compression: Uncompressed, ZIP, ZLIB, BZIP2
+
+I ended up changing the Apt.trustsKey command to a version which uses apt-key and everything works now
+
+ trustsKey' :: AptKey -> Property DebianLike
+ trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
+ withHandle StdinHandle createProcessSuccess
+ (proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
+ hPutStr h (pubkey k)
+ hClose h
+ nukeFile $ f ++ "~" -- gpg dropping
+ where
+ desc = "apt trusts key " ++ keyname k
+ f = aptKeyFile k
+
+Any thoughts as to why this wouldn't be working? Would it be reasonable to change this command upstream?
diff --git a/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment
new file mode 100644
index 00000000..b1f82b19
--- /dev/null
+++ b/doc/forum/can__39__t_get_Apt.trustsKey_to_work/comment_1_8ee5b69f068c369e88c31c639d692f60._comment
@@ -0,0 +1,14 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-03-01T22:20:54Z"
+ content="""
+I added trustsKey in 2014, but my current config is not using
+it for anything, so it seems likely it's bitrotted in some way.
+And there's no rationalle documented for why it manually drives gpg.
+
+I've applied your change to use apt-key.
+
+I wonder if the nukeFile of the "gpg dropping" is actually needed
+anymore?
+"""]]
diff --git a/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment
new file mode 100644
index 00000000..93248324
--- /dev/null
+++ b/doc/forum/dm-crypt__47__LUKS_encryption_and_key_management/comment_2_ffca1d5942d4fd152657dd3afe21b935._comment
@@ -0,0 +1,11 @@
+[[!comment format=mdwn
+ username="dominik"
+ avatar="http://cdn.libravatar.org/avatar/41b0caab63708c0b81d8aeda611afad5"
+ subject="LUKS desired ;-)"
+ date="2018-03-01T11:40:27Z"
+ content="""
+I'd love to use LUKS partitions in Propeller.
+
+Thanks Joey.
+
+"""]]
diff --git a/doc/index.mdwn b/doc/index.mdwn
index 1e3af9dd..264a6f48 100644
--- a/doc/index.mdwn
+++ b/doc/index.mdwn
@@ -4,7 +4,7 @@
[[Download]]
[API documentation](http://hackage.haskell.org/package/propellor)
[[Other Documentation|documentation]]
-[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=joeyconfig.hs)
+[Sample config file](https://git.joeyh.name/index.cgi/propellor.git/tree/joeyconfig.hs)
[[Security]]
[[Todo]]
[[Forum]]
diff --git a/doc/news/version_5.3.4.mdwn b/doc/news/version_5.3.4.mdwn
new file mode 100644
index 00000000..09358138
--- /dev/null
+++ b/doc/news/version_5.3.4.mdwn
@@ -0,0 +1,8 @@
+propellor 5.3.4 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * Apt.trustsKey: Use apt-key to add key rather than manually driving gpg,
+ which seems to not work anymore.
+ Thanks, Russell Sim.
+ * Firewall: Reorder iptables parameters that are order
+ dependant to make --to-dest and --to-source work.
+ Thanks, Russell Sim"""]] \ No newline at end of file
diff --git a/privdata/relocate b/privdata/relocate
deleted file mode 100644
index 271692d8..00000000
--- a/privdata/relocate
+++ /dev/null
@@ -1 +0,0 @@
-.joeyconfig
diff --git a/propellor.cabal b/propellor.cabal
index 5f6abc8b..18d28db3 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -1,5 +1,5 @@
Name: propellor
-Version: 5.3.3
+Version: 5.3.4
Cabal-Version: >= 1.20
License: BSD2
Maintainer: Joey Hess <id@joeyh.name>
diff --git a/src/Propellor/Property/Apt.hs b/src/Propellor/Property/Apt.hs
index d44b5c38..5080b1e2 100644
--- a/src/Propellor/Property/Apt.hs
+++ b/src/Propellor/Property/Apt.hs
@@ -88,6 +88,8 @@ binandsrc :: String -> SourcesGenerator
binandsrc url suite = catMaybes
[ Just l
, Just $ srcLine l
+ , sul
+ , srcLine <$> sul
, bl
, srcLine <$> bl
]
@@ -96,6 +98,10 @@ binandsrc url suite = catMaybes
bl = do
bs <- backportSuite suite
return $ debLine bs url stdSections
+ -- formerly known as 'volatile'
+ sul = do
+ sus <- stableUpdatesSuite suite
+ return $ debLine sus url stdSections
stdArchiveLines :: Propellor SourcesGenerator
stdArchiveLines = return . binandsrc =<< getMirror
@@ -447,7 +453,7 @@ trustsKey k = trustsKey' k <!> untrustKey k
trustsKey' :: AptKey -> Property DebianLike
trustsKey' k = check (not <$> doesFileExist f) $ property desc $ makeChange $ do
withHandle StdinHandle createProcessSuccess
- (proc "gpg" ["--no-default-keyring", "--keyring", f, "--import", "-"]) $ \h -> do
+ (proc "apt-key" ["--keyring", f, "add", "-"]) $ \h -> do
hPutStr h (pubkey k)
hClose h
nukeFile $ f ++ "~" -- gpg dropping
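Review bot: The `check (not <$> doesFileExist f)` guard on `trustsKey'` is unchanged, so the switch to `apt-key` only takes effect on hosts where the keyring file is still absent. A host where the old gpg import already wrote `f` in a form apt cannot use (the situation the forum report in this commit describes) is still treated as done, and a later change to `pubkey k`, such as a replacement for an expired key, is presumably never applied either. Say so next to the guard, e.g. `-- only runs when f is missing; an existing keyring (stale or unreadable) is left as it is`, or compare the file's contents instead of its existence. The trailing `-- gpg dropping` comment should also state whether `apt-key` still leaves the `~` backup file; the `where` clause of the function lies outside the hunk.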
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 736a4458..bbc14473 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -44,8 +44,8 @@ rule c tb tg rs = property ("firewall rule: " <> show r) addIpTable
toIpTable :: Rule -> [CommandParam]
toIpTable r = map Param $
val (ruleChain r) :
- toIpTableArg (ruleRules r) ++
- ["-t", val (ruleTable r), "-j", val (ruleTarget r)]
+ ["-t", val (ruleTable r), "-j", val (ruleTarget r)] ++
+ toIpTableArg (ruleRules r)
toIpTableArg :: Rules -> [String]
toIpTableArg Everything = []
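Review bot: Nothing in `toIpTable` records why `-t`/`-j` now come before `toIpTableArg (ruleRules r)`, so a later tidy-up could restore the old order and break NAT rules again. The changelog entry says the parameters are order dependent for `--to-dest` and `--to-source`; put that in a comment above the list, e.g. `-- "-j" must come before the rule arguments: target options (--to-dest, --to-source) are only accepted after the target`. A small test asserting that a rule using one of those options renders with `-j` ahead of it would pin the behaviour for firewall configurations that depend on it. `toIpTableArg` continues past the end of the hunk.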
diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs
index 8fa236d2..39b4bd84 100644
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
@@ -217,7 +217,7 @@ machined = withOS "machined installed" $ \w o ->
-- to bootstrap.
--
-- > container "webserver" $ \d -> Chroot.debootstrapped mempty d $ props
--- > & osDebian Unstable X86_64
+-- > & osDebian Unstable X86_64
-- > & Apt.installedRunning "apache2"
-- > & ...
container :: MachineName -> (FilePath -> Chroot.Chroot) -> Container
@@ -238,7 +238,7 @@ container name mkchroot =
-- to bootstrap.
--
-- > debContainer "webserver" $ props
--- > & osDebian Unstable X86_64
+-- > & osDebian Unstable X86_64
-- > & Apt.installedRunning "apache2"
-- > & ...
debContainer :: MachineName -> Props metatypes -> Container