l---------config.hs2
-rw-r--r--debian/changelog18
-rw-r--r--doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn28
-rw-r--r--doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment13
-rw-r--r--doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment8
-rw-r--r--doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment8
-rw-r--r--doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment17
-rw-r--r--doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment20
-rw-r--r--doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment12
-rw-r--r--doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment21
-rw-r--r--doc/news/version_5.3.2.mdwn10
-rw-r--r--doc/news/version_5.3.3.mdwn8
-rw-r--r--privdata/relocate1
-rw-r--r--propellor.cabal3
-rw-r--r--src/Propellor/DotDir.hs54
-rw-r--r--src/Propellor/Git.hs4
-rw-r--r--src/Propellor/Git/VerifiedBranch.hs11
-rw-r--r--src/Propellor/Property/Atomic.hs2
-rw-r--r--src/Propellor/Property/Openssl.hs29
-rw-r--r--src/Propellor/Property/Systemd.hs4
20 files changed, 246 insertions, 27 deletions
diff --git a/config.hs b/config.hs
index 97d90636..ec313725 120000
--- a/config.hs
+++ b/config.hs
@@ -1 +1 @@
-joeyconfig.hs \ No newline at end of file
+config-simple.hs \ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index d613401b..b97b12b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,12 +1,26 @@
-propellor (5.3.2) UNRELEASED; urgency=medium
+propellor (5.3.3) unstable; urgency=medium
+
+ * Warn again about new upstream version when ~/.propellor was cloned from the
+ Debian git bundle using an older version of propellor that set up an
+ upstream remote.
+ * Avoid crashing if initial fetch from origin fails when spinning a host.
+ * Added Propllor.Property.Openssl module contributed by contributed by
+ Félix Sipma.
+
+ -- Joey Hess <id@joeyh.name> Mon, 26 Feb 2018 14:34:37 -0400
+
+propellor (5.3.2) unstable; urgency=medium
* Added Propellor.Property.Atomic, which can make a non-atomic property
that operates on a directory into an atomic property.
(Inspired by Vaibhav Sagar's talk on Functional Devops in a
Dysfunctional World at LCA 2018.)
* Added Git.pulled.
+ * Systemd.machined: Install systemd-container on Debian
+ stretch.
+ Thanks, Sean Whitton
- -- Joey Hess <id@joeyh.name> Sun, 11 Feb 2018 11:58:04 -0400
+ -- Joey Hess <id@joeyh.name> Sun, 18 Feb 2018 14:31:39 -0400
propellor (5.3.1) unstable; urgency=medium
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn b/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn
new file mode 100644
index 00000000..5bd97367
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__.mdwn
@@ -0,0 +1,28 @@
+Did something changed recently concerning `--spin`? It seems like I can't use it without a central repo anymore...
+
+
+ $ ./propellor --spin server
+ Preprocessing executable 'propellor-config' for propellor-5.3.2...
+ Propellor build ... done
+ [master cabbc1b4e] propellor spin
+ Git commit ... done
+ Counting objects: 1, done.
+ Writing objects: 100% (1/1), 860 bytes | 860.00 KiB/s, done.
+ Total 1 (delta 0), reused 0 (delta 0)
+ To example.org:/var/lib/git/private/propellor.git
+ 8c8c1b2f6..cabbc1b4e master -> master
+ Push to central git repository ... done
+ gpg: encrypted with 4096-bit RSA key, ID EC0B9FA927E29C5C, created 2013-01-29
+ "Félix Sipma <felix.sipma@riseup.net>"
+ Host key verification failed.
+ fatal: Could not read from remote repository.
+
+ Please make sure you have the correct access rights
+ and the repository exists.
+ Pull from central git repository ... failed
+ fatal: ambiguous argument 'origin/master': unknown revision or path not in the working tree.
+ Use '--' to separate paths from revisions, like this:
+ 'git <command> [<revision>...] -- [<file>...]'
+ propellor: user error (git ["log","-n","1","--format=%G?","origin/master"] exited 128)
+ propellor: user error (ssh ["-o","ControlPath=/home/example/.ssh/propellor/server.example.org.sock","-o","ControlMaster=auto","-o","ControlPersist=yes","root@server.example.org","sh -c 'rm -rf /usr/local/propellor-precompiled ; if [ ! -d /usr/local/propellor/.git ] ; then (if ! git --version >/dev/null 2>&1; then apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -qq --no-install-recommends --no-upgrade -y install git; fi && echo STATUSNeedGitClone) || echo STATUSNeedPrecompiled ; else cd /usr/local/propellor && if ! cabal configure >/dev/null 2>&1; then ( apt-get update ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install gnupg ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install ghc ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install cabal-install ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-async-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-split-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-hslogger-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-unix-compat-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-ansi-terminal-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-ifelse-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-network-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-mtl-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-transformers-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install 
libghc-exceptions-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-stm-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-text-dev ; DEBIAN_FRONTEND=noninteractive apt-get -qq --no-upgrade --no-install-recommends -y install libghc-hashable-dev) || true; fi&& if ! test -x ./propellor; then cabal configure && cabal build -j1 propellor-config && ln -sf dist/build/propellor-config/propellor-config propellor; fi;if test -x ./propellor && ! ./propellor --check; then cabal clean && cabal configure && cabal build -j1 propellor-config && ln -sf dist/build/propellor-config/propellor-config propellor; fi && ./propellor --boot server.example.org ; fi'"] exited 1)
+
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment
new file mode 100644
index 00000000..e79fabfb
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_1_be4533d304096f431ac8d35bbf990dab._comment
@@ -0,0 +1,13 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 1"""
+ date="2018-02-22T15:34:07Z"
+ content="""
+--spin has always pushed/pulled from origin, if there is
+a central git repository.
+
+It's an optional thing though, since the update is pushed directly to the
+host it spins too.
+
+I've improved the code to avoid this particular crash..
+"""]]
diff --git a/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment
new file mode 100644
index 00000000..5cb2fc0b
--- /dev/null
+++ b/doc/forum/--spin_tries_to_pull_from_central_repository__63__/comment_2_7b1f28e3eeb7f181f5715863bc836bb7._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="gueux"
+ avatar="http://cdn.libravatar.org/avatar/2982bac2c2cd94ab3860efb189deafc8"
+ subject="comment 2"
+ date="2018-02-23T13:16:09Z"
+ content="""
+I don't want my central repo to be accessible to anyone, but I still want to push there and use it for some of my hosts. Anyway, your fix works great, thanks!
+"""]]
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment
new file mode 100644
index 00000000..25d6ff1e
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_10_8d27d1de5e891160c3e881bd1230829f._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="spwhitton"
+ avatar="http://cdn.libravatar.org/avatar/9c3f08f80e67733fd506c353239569eb"
+ subject="comment 10"
+ date="2018-02-18T21:35:23Z"
+ content="""
+Do you have a git remote named 'upstream'?
+"""]]
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment
new file mode 100644
index 00000000..106d993f
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_11_67fe9f07dd726f890cf1c7956cbb1d86._comment
@@ -0,0 +1,17 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 11"
+ date="2018-02-19T06:31:32Z"
+ content="""
+Yes sir :)
+
+ picca@mordor:~/.propellor$ git remote -v
+ deploy https://salsa.debian.org/picca/propellor.git (fetch)
+ deploy https://salsa.debian.org/picca/propellor.git (push)
+ origin git@salsa.debian.org:picca/propellor.git (fetch)
+ origin git@salsa.debian.org:picca/propellor.git (push)
+ upstream /usr/src/propellor/propellor.git (fetch)
+ upstream /usr/src/propellor/propellor.git (push)
+
+"""]]
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment
new file mode 100644
index 00000000..90d0ba2c
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_12_aea497eeecb077659db3f1dfb1e5f289._comment
@@ -0,0 +1,20 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 12"""
+ date="2018-02-19T15:48:21Z"
+ content="""
+What propellor --init sets up, when you select the clone option
+and the Debian package is installed, is no remote
+defined, but a remotes/upsteam/master tracking branch.
+
+So not normally this:
+
+ upstream /usr/src/propellor/propellor.git (fetch)
+
+Aha! The very first revision of propellor --init
+*did* set up an upstream remote pointing at the distrepo. At some point
+that changed to the above described behavior. You're bitten by being an
+early adopter.
+
+I've adjusted the logic to handle that case.
+"""]]
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment
new file mode 100644
index 00000000..39feff2e
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_13_a3039c7e86f85af4ff44bdbcd7b46313._comment
@@ -0,0 +1,12 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 13"
+ date="2018-02-20T05:58:48Z"
+ content="""
+Thanks a lot joey,
+
+and you are right, I am fund of your works :).
+
+Cheers.
+"""]]
diff --git a/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment
new file mode 100644
index 00000000..492f40e1
--- /dev/null
+++ b/doc/forum/__42____42___warning:___42____42___Your___126____47__.propellor__47___is_out_of_date../comment_9_f6d40ae7c03a9d94cfe8e16f11264622._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="picca"
+ avatar="http://cdn.libravatar.org/avatar/7e61c80d28018b10d31f6db7dddb864c"
+ subject="comment 9"
+ date="2018-02-18T19:10:32Z"
+ content="""
+Hello, I think that my problem is related to this one.
+
+I have a repository created from the Debian package and which is from the 5.1.0 version.
+I just upgrade the package to 5.3.1 and now I do not have the message explaining that a new upstream version is available.
+So I do not know how to upgrade my current repository.
+
+Before, I just had to do
+
+ git merge upstream/master
+
+And now ?
+
+
+thanks for your help
+"""]]
diff --git a/doc/news/version_5.3.2.mdwn b/doc/news/version_5.3.2.mdwn
new file mode 100644
index 00000000..cd16116e
--- /dev/null
+++ b/doc/news/version_5.3.2.mdwn
@@ -0,0 +1,10 @@
+propellor 5.3.2 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * Added Propellor.Property.Atomic, which can make a non-atomic property
+ that operates on a directory into an atomic property.
+ (Inspired by Vaibhav Sagar's talk on Functional Devops in a
+ Dysfunctional World at LCA 2018.)
+ * Added Git.pulled.
+ * Systemd.machined: Install systemd-container on Debian
+ stretch.
+ Thanks, Sean Whitton"""]] \ No newline at end of file
diff --git a/doc/news/version_5.3.3.mdwn b/doc/news/version_5.3.3.mdwn
new file mode 100644
index 00000000..18f80d5f
--- /dev/null
+++ b/doc/news/version_5.3.3.mdwn
@@ -0,0 +1,8 @@
+propellor 5.3.3 released with [[!toggle text="these changes"]]
+[[!toggleable text="""
+ * Warn again about new upstream version when ~/.propellor was cloned from the
+ Debian git bundle using an older version of propellor that set up an
+ upstream remote.
+ * Avoid crashing if initial fetch from origin fails when spinning a host.
+ * Added Propllor.Property.Openssl module contributed by contributed by
+ Félix Sipma."""]] \ No newline at end of file
diff --git a/privdata/relocate b/privdata/relocate
deleted file mode 100644
index 271692d8..00000000
--- a/privdata/relocate
+++ /dev/null
@@ -1 +0,0 @@
-.joeyconfig
diff --git a/propellor.cabal b/propellor.cabal
index 48d34b47..5f6abc8b 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -1,5 +1,5 @@
Name: propellor
-Version: 5.3.1
+Version: 5.3.3
Cabal-Version: >= 1.20
License: BSD2
Maintainer: Joey Hess <id@joeyh.name>
@@ -140,6 +140,7 @@ Library
Propellor.Property.Nginx
Propellor.Property.Obnam
Propellor.Property.OpenId
+ Propellor.Property.Openssl
Propellor.Property.OS
Propellor.Property.Pacman
Propellor.Property.Parted
diff --git a/src/Propellor/DotDir.hs b/src/Propellor/DotDir.hs
index f62b38f8..125cec3f 100644
--- a/src/Propellor/DotDir.hs
+++ b/src/Propellor/DotDir.hs
@@ -387,13 +387,12 @@ checkRepoUpToDate = whenM (gitbundleavail <&&> dotpropellorpopulated) $ do
-- into the user's repository, as if fetching from a upstream remote,
-- yielding a new upstream/master branch.
--
--- If there's no upstream/master, the user is not using the distrepo,
--- so do nothing. And, if there's a remote named "upstream", the user
--- must have set that up is not using the distrepo, so do nothing.
+-- If there's no upstream/master, or the repo is not using the distrepo,
+-- do nothing.
updateUpstreamMaster :: String -> IO ()
-updateUpstreamMaster newref = unlessM (hasRemote "upstream") $ do
+updateUpstreamMaster newref = do
changeWorkingDirectory =<< dotPropellor
- go =<< catchMaybeIO getoldrev
+ go =<< getoldref
where
go Nothing = return ()
go (Just oldref) = do
@@ -421,19 +420,42 @@ updateUpstreamMaster newref = unlessM (hasRemote "upstream") $ do
cleantmprepo
warnoutofdate True
- getoldrev = takeWhile (/= '\n')
- <$> readProcess "git" ["show-ref", upstreambranch, "--hash"]
-
git = run "git"
run cmd ps = unlessM (boolSystem cmd (map Param ps)) $
error $ "Failed to run " ++ cmd ++ " " ++ show ps
+ -- Get ref that the upstreambranch points to, only when
+ -- the distrepo is being used.
+ getoldref = do
+ mref <- catchMaybeIO $ takeWhile (/= '\n')
+ <$> readProcess "git" ["show-ref", upstreambranch, "--hash"]
+ case mref of
+ Just _ -> do
+ -- Normally there will be no upstream
+ -- remote when the distrepo is used.
+ -- Older versions of propellor set up
+ -- an upstream remote pointing at the
+ -- distrepo.
+ ifM (hasRemote "upstream")
+ ( do
+ v <- remoteUrl "upstream"
+ return $ case v of
+ Just rurl | rurl == distrepo -> mref
+ _ -> Nothing
+ , return mref
+ )
+ Nothing -> return mref
+
+-- And, if there's a remote named "upstream"
+-- that does not point at the distrepo, the user must have set that up
+-- and is not using the distrepo, so do nothing.
warnoutofdate :: Bool -> IO ()
-warnoutofdate havebranch = do
- warningMessage ("** Your ~/.propellor/ is out of date..")
- let also s = infoMessage [" " ++ s]
- also ("A newer upstream version is available in " ++ distrepo)
- if havebranch
- then also ("To merge it, run: git merge " ++ upstreambranch)
- else also ("To merge it, find the most recent commit in your repository's history that corresponds to an upstream release of propellor, and set refs/remotes/" ++ upstreambranch ++ " to it. Then run propellor again.")
- also ""
+warnoutofdate havebranch = warningMessage $ unlines
+ [ "** Your ~/.propellor/ is out of date.."
+ , indent "A newer upstream version is available in " ++ distrepo
+ , indent $ if havebranch
+ then "To merge it, run: git merge " ++ upstreambranch
+ else "To merge it, find the most recent commit in your repository's history that corresponds to an upstream release of propellor, and set refs/remotes/" ++ upstreambranch ++ " to it. Then run propellor again."
+ ]
+ where
+ indent s = " " ++ s
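Review bot: The three comment lines directly above `warnoutofdate :: Bool -> IO ()` begin with "And, if there's a remote named "upstream" ..." and now read as documentation of warnoutofdate, although they describe the skip condition that getoldref implements with `remoteUrl "upstream"`. I'd fold that sentence into the doc comment on updateUpstreamMaster (the "If there's no upstream/master, or the repo is not using the distrepo, do nothing." lines in the previous hunk) and delete it here, or move it inside getoldref next to the `ifM (hasRemote "upstream")` branch where it explains the comparison against distrepo. Separately, the rewritten warnoutofdate sends the hint lines through warningMessage where the old code used infoMessage for them, and `unlines` leaves a trailing newline; if the level change is intended it deserves a mention in the commit message, and the output is worth a look for a stray blank line. getoldref is part of updateUpstreamMaster, whose head lies in the preceding hunk.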
diff --git a/src/Propellor/Git.hs b/src/Propellor/Git.hs
index 10b88ddd..c446f67a 100644
--- a/src/Propellor/Git.hs
+++ b/src/Propellor/Git.hs
@@ -30,6 +30,10 @@ hasRemote remotename = catchDefaultIO False $ do
rs <- lines <$> readProcess "git" ["remote"]
return $ remotename `elem` rs
+remoteUrl :: String -> IO (Maybe String)
+remoteUrl remotename = catchDefaultIO Nothing $ headMaybe . lines
+ <$> readProcess "git" ["config", "remote." ++ remotename ++ ".url"]
+
hasGitRepo :: IO Bool
hasGitRepo = doesFileExist ".git/HEAD"
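Review bot: remoteUrl is added without a doc comment, and sitting next to hasRemote it is easy to misread as a boolean test rather than a lookup of the configured url. I'd add `-- | The url configured for the named remote, or Nothing when the remote has no url (or git cannot be run).` above the signature. catchDefaultIO Nothing also folds every failure of `git config` into the same Nothing; the caller in DotDir treats Nothing as "upstream does not point at the distrepo", which is a safe default for the warning logic, but a short comment stating that all errors collapse to Nothing would save the next reader a trip.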
diff --git a/src/Propellor/Git/VerifiedBranch.hs b/src/Propellor/Git/VerifiedBranch.hs
index 51fcb573..df607bd2 100644
--- a/src/Propellor/Git/VerifiedBranch.hs
+++ b/src/Propellor/Git/VerifiedBranch.hs
@@ -30,12 +30,17 @@ verifyOriginBranch originbranch = do
-- Returns True if HEAD is changed by fetching and merging from origin.
fetchOrigin :: IO Bool
fetchOrigin = do
+ fetched <- actionMessage "Pull from central git repository" $
+ boolSystem "git" [Param "fetch"]
+ if fetched
+ then mergeOrigin
+ else return False
+
+mergeOrigin :: IO Bool
+mergeOrigin = do
branchref <- getCurrentBranch
let originbranch = "origin" </> branchref
- void $ actionMessage "Pull from central git repository" $
- boolSystem "git" [Param "fetch"]
-
oldsha <- getCurrentGitSha1 branchref
keyring <- privDataKeyring
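Review bot: mergeOrigin is a new top-level function with no comment, while the existing `-- Returns True if HEAD is changed by fetching and merging from origin.` still sits on fetchOrigin and now only partially describes either function. I'd add `-- | Merge the fetched origin branch into the current branch; returns True if HEAD changed.` above mergeOrigin, and a note on fetchOrigin that a failed fetch is reported by actionMessage and then treated as "no change" (return False), since a caller cannot otherwise tell a failed fetch from an already up-to-date branch. Whether any caller needs to distinguish those two cases I can't tell from this hunk; mergeOrigin's body continues past it.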
diff --git a/src/Propellor/Property/Atomic.hs b/src/Propellor/Property/Atomic.hs
index 5db17474..8519048b 100644
--- a/src/Propellor/Property/Atomic.hs
+++ b/src/Propellor/Property/Atomic.hs
@@ -144,7 +144,7 @@ checkDirLink d rp = liftIO $ do
-- Using atomicDirSync in the above example lets git only download
-- the changes once, rather than the same changes being downloaded a second
-- time to update the other copy of the directory the next time propellor
--- runs
+-- runs.
--
-- Suppose that a web server program is run from the git repository,
-- and needs to be restarted after the pull. That restart should be done
diff --git a/src/Propellor/Property/Openssl.hs b/src/Propellor/Property/Openssl.hs
new file mode 100644
index 00000000..a91b8195
--- /dev/null
+++ b/src/Propellor/Property/Openssl.hs
@@ -0,0 +1,29 @@
+-- | Maintainer: Félix Sipma <felix+propellor@gueux.org>
+
+module Propellor.Property.Openssl where
+
+import Propellor.Base
+import qualified Propellor.Property.Apt as Apt
+import qualified Propellor.Property.File as File
+import Utility.FileMode
+import Utility.SafeCommand
+
+
+installed :: Property DebianLike
+installed = Apt.installed ["openssl"]
+
+dhparamsLength :: Int
+dhparamsLength = 2048
+
+dhparams :: FilePath
+dhparams = "/etc/ssl/private/dhparams.pem"
+
+safeDhparams :: Property DebianLike
+safeDhparams = propertyList "safe dhparams" $ props
+ & File.dirExists (takeDirectory dhparams)
+ & installed
+ & check (not <$> doesFileExist dhparams) (createDhparams dhparams dhparamsLength)
+
+createDhparams :: FilePath -> Int -> Property UnixLike
+createDhparams f l = property ("generate new dhparams: " ++ f) $ liftIO $ withUmask 0o0177 $ withFile f WriteMode $ \h ->
+ cmdResult <$> boolSystem' "openssl" [Param "dhparam", Param (show l)] (\p -> p { std_out = UseHandle h })
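Review bot: createDhparams opens the final path with `withFile f WriteMode` before openssl runs, so if `openssl dhparam` fails or is interrupted (the 2048-bit generation takes a while) a truncated or empty dhparams.pem is left at `f`, and because safeDhparams only checks `not <$> doesFileExist dhparams` that broken file is never regenerated on later runs. I'd generate into a sibling temporary file under the same umask and rename it into place only when the command succeeds, removing the temporary file otherwise, as below. `withUmask 0o0177` appears to restrict the new file to owner read/write, which is what you want for a private parameter file; whether `File.dirExists` creates /etc/ssl/private with the permissions the distribution expects I can't tell from this hunk, so that may deserve a check too. The module also has no comments on installed, dhparamsLength or safeDhparams; a one-line `-- |` on each would help.
```haskell
createDhparams :: FilePath -> Int -> Property UnixLike
createDhparams f l = property ("generate new dhparams: " ++ f) $ liftIO $ do
	-- Generate into a sibling temporary file so a failed or interrupted
	-- run never leaves a truncated file at the final path, which the
	-- doesFileExist check in safeDhparams would otherwise accept.
	let tmp = f ++ ".tmp"
	ok <- withUmask 0o0177 $ withFile tmp WriteMode $ \h ->
		boolSystem' "openssl" [Param "dhparam", Param (show l)] (\p -> p { std_out = UseHandle h })
	-- renameFile / removeFile from System.Directory
	if ok
		then renameFile tmp f
		else removeFile tmp
	return (cmdResult ok)
```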
diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs
index 51d1313c..8fa236d2 100644
--- a/src/Propellor/Property/Systemd.hs
+++ b/src/Propellor/Property/Systemd.hs
@@ -205,8 +205,8 @@ machined = withOS "machined installed" $ \w o ->
case o of
-- Split into separate debian package since systemd 225.
(Just (System (Debian _ suite) _))
- | not (isStable suite) -> ensureProperty w $
- Apt.installed ["systemd-container"]
+ | not (isStable suite) || suite == (Stable "stretch") ->
+ ensureProperty w $ Apt.installed ["systemd-container"]
_ -> noChange
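Review bot: The new guard `suite == (Stable "stretch")` enumerates a single stable release, so any later stable suite (which presumably also ships the split systemd-container package) falls back to the `_ -> noChange` branch, and the comment "Split into separate debian package since systemd 225" no longer matches what the code tests. If the suite type offers a "stable at least stretch" comparison I'd use that; otherwise add a comment naming the assumption, e.g. `-- stretch is the first stable with the split package; newer stables will need the same`, so the next release is not silently missed. The parentheses are also redundant: `| not (isStable suite) || suite == Stable "stretch" ->`.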
-- | Defines a container with a given machine name,