-rw-r--r--config-joey.hs20
-rw-r--r--src/Propellor/Property/Postfix.hs3
-rw-r--r--src/Propellor/Property/SiteSpecific/JoeySites.hs8
3 files changed, 21 insertions, 10 deletions
diff --git a/config-joey.hs b/config-joey.hs
index 6db3e81d..b95a3278 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -75,7 +75,10 @@ hosts = -- (o) `
& Docker.garbageCollected `period` Daily
& Apt.buildDep ["git-annex"] `period` Daily
- , standardSystem "kite.kitenet.net" Unstable "amd64"
+ -- This is not a complete description of kite, since it's a
+ -- multiuser system with eg, user passwords that are not deployed
+ -- with propellor.
+ , standardSystemUnhardened "kite.kitenet.net" Unstable "amd64"
[ "Welcome to the new kitenet.net server!"
, "This is still under construction and not yet live.."
]
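Review bot: The new comment on the kite entry explains that the host is multiuser but not what `standardSystemUnhardened` actually drops, which a reader only learns from the fail2ban comment in the next hunk. I would make the consequence explicit at the call site, e.g. `-- Uses standardSystemUnhardened: ssh password authentication stays enabled for the other users, so kite relies on fail2ban instead (see below).` The hosts list continues outside this hunk.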
@@ -102,6 +105,8 @@ hosts = -- (o) `
& JoeySites.kiteMailServer
& Apt.installed ["mutt", "alpine", "git-annex", "myrepos"]
+ -- Since password authentication is allowed:
+ & Apt.serviceInstalledRunning "fail2ban"
, standardSystem "diatom.kitenet.net" Stable "amd64"
[ "Important stuff that needs not too much memory or CPU." ]
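Review bot: fail2ban only rate-limits guessing; with password authentication left on and `User.hasSomePassword "root"` still applied to this host (visible in the last hunk of this file), root itself remains reachable by password unless sshd restricts it, and nothing in this diff sets `PermitRootLogin` to key-only (`without-password`). If that is not already asserted elsewhere in the config, a property for it would close the gap the `check (Ssh.hasAuthorizedKeys "root")` guard used to cover for kite. Also, `Apt.serviceInstalledRunning "fail2ban"` asserts the daemon is running but not that its ssh jail is enabled; that presumably comes from the package's default jail configuration and is worth stating, e.g. `-- Since password authentication is allowed; relies on the package's default ssh jail.`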
@@ -280,7 +285,14 @@ type Motd = [String]
-- This is my standard system setup.
standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host
-standardSystem hn suite arch motd = host hn
+standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd
+ -- Harden the system, but only once root's authorized_keys
+ -- is safely in place.
+ & check (Ssh.hasAuthorizedKeys "root")
+ (Ssh.passwordAuthentication False)
+
+standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host
+standardSystemUnhardened hn suite arch motd = host hn
& os (System (Debian suite) arch)
& Hostname.sane
& Hostname.searchDomain
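Review bot: `standardSystemUnhardened` is now a second entry point with no comment, while the old `-- This is my standard system setup.` line stays on `standardSystem`; the name says what it skips but not what that means for a caller. I would add `-- | Like standardSystem, but never disables ssh password authentication; hosts built on this should add a compensating control (see kite).` above the new signature. The `check (Ssh.hasAuthorizedKeys "root")` guard moved here is the same block removed from the body in the next hunk, so hardening is unchanged for existing `standardSystem` callers; the body of standardSystemUnhardened continues past this hunk.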
@@ -291,10 +303,6 @@ standardSystem hn suite arch motd = host hn
& Apt.installed ["ssh"]
& GitHome.installedFor "root"
& User.hasSomePassword "root" (Context hn)
- -- Harden the system, but only once root's authorized_keys
- -- is safely in place.
- & check (Ssh.hasAuthorizedKeys "root")
- (Ssh.passwordAuthentication False)
& User.accountFor "joey"
& User.hasSomePassword "joey" (Context hn)
& Sudo.enabledFor "joey"
diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs
index 1711a7dd..fbe39299 100644
--- a/src/Propellor/Property/Postfix.hs
+++ b/src/Propellor/Property/Postfix.hs
@@ -15,6 +15,9 @@ installed = Apt.serviceInstalledRunning "postfix"
restarted :: Property
restarted = Service.restarted "postfix"
+reloaded :: Property
+reloaded = Service.reloaded "postfix"
+
-- | Configures postfix as a satellite system, which
-- relats all mail through a relay host, which defaults to smtp.domain.
--
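Review bot: `reloaded` is added without a comment next to `restarted`, and the difference matters to callers: a reload re-reads configuration and tables without stopping the listener, whereas parameters postfix documents as needing a stop/start (e.g. `inet_interfaces`) are not applied by it. A short Haddock line such as `-- | Reloads postfix's configuration without restarting the daemon; not sufficient for settings that require a full restart.` would make that choice explicit. While here, the existing comment two lines below reads `relats` where `relays` is meant.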
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 0838af47..a6be2411 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -435,11 +435,11 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "/ikiwiki\\.info/\tOK"
, "/joeyh\\.name/\tOK"
]
- `onChange` Postfix.restarted
+ `onChange` Postfix.reloaded
`describe` "postfix mydomain file configured"
, "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
"/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
- `onChange` Postfix.restarted
+ `onChange` Postfix.reloaded
`describe` "postfix obscure_client_relay file configured"
, Postfix.mappedFile "/etc/postfix/virtual"
(flip File.containsLines
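Review bot: Switching `Postfix.restarted` to `Postfix.reloaded` is sufficient for the mydomain and pcre table changes in this hunk and for the virtual map in the next, since a reload makes the postfix daemons re-read their configuration and tables, but the same substitution is also made for the main.cf `containsLines` property in the last hunk of this file (which runs past the end of this view). Postfix documents some main.cf parameters, e.g. `inet_interfaces` and `inet_protocols`, as requiring a stop/start rather than a reload; if that block ever carries such a setting the change would silently not take effect. I would add a comment on that property noting the limitation, or keep `Postfix.restarted` for the main.cf property only. kiteMailServer continues outside this hunk.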
@@ -447,7 +447,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "@joeyh.name\tjoey"
]
) `describe` "postfix virtual file configured"
- `onChange` Postfix.restarted
+ `onChange` Postfix.reloaded
, Postfix.mappedFile "/etc/postfix/relay_clientcerts" $
flip File.hasPrivContentExposed ctx
, Postfix.mainCf `File.containsLines`
@@ -492,7 +492,7 @@ kiteMailServer = propertyList "kitenet.net mail server"
, "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
]
`onChange` Postfix.dedupMainCf
- `onChange` Postfix.restarted
+ `onChange` Postfix.reloaded
`describe` "postfix configured"
, Apt.serviceInstalledRunning "dovecot-imapd"