-rw-r--r--config-joey.hs2
-rw-r--r--debian/changelog3
-rw-r--r--src/Propellor/Property/SiteSpecific/JoeySites.hs1
-rw-r--r--src/Propellor/Property/Ssh.hs12
4 files changed, 13 insertions, 5 deletions
diff --git a/config-joey.hs b/config-joey.hs
index f5c593ec..f87db43e 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -127,7 +127,7 @@ orca = standardSystem "orca.kitenet.net" Unstable "amd64"
-- with propellor.
kite :: Host
kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
- [ "Welcome to the new kitenet.net server!" ]
+ [ "Welcome to kite!" ]
& ipv4 "66.228.36.95"
& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
& alias "kitenet.net"
diff --git a/debian/changelog b/debian/changelog
index ff1cdf1d..a8000c43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,9 @@ propellor (2.1.0) UNRELEASED; urgency=medium
* New Cron.Times data type, which allows Cron.job to install
daily/monthly/weekly jobs that anacron can run. (API change)
* Fix Git.daemonRunning to restart inetd after enabling the git server.
+ * Ssh.authorizedKey: Make the authorized_keys file and .ssh directory
+ be owned by the user, not root.
+ * Ssh.knownHost: Make the .ssh directory be owned by the user, not root.
-- Joey Hess <id@joeyh.name> Thu, 29 Jan 2015 01:41:07 -0400
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 3d453a8a..9644cb72 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -330,7 +330,6 @@ twitRss = combineProperties "twitter rss" $ props
]
-- Work around for expired ssl cert.
--- (no longer expired, TODO remove this and change urls)
pumpRss :: Property NoInfo
pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") "joey" "/srv/web/tmp.kitenet.net/"
"wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom --no-check-certificate 2>/dev/null"
diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs
index fe2794a5..f44688c1 100644
--- a/src/Propellor/Property/Ssh.hs
+++ b/src/Propellor/Property/Ssh.hs
@@ -207,6 +207,7 @@ knownHost hosts hn user = property desc $
, f `File.containsLines`
(map (\k -> hn ++ " " ++ k) (M.elems m))
, File.ownerGroup f user user
+ , File.ownerGroup (takeDirectory f) user user
]
go _ = do
warningMessage $ "no configred pubKey for " ++ hn
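Review bot: The added chown of `takeDirectory f` is done on a path inside the user's own home, presumably as root, and if File.ownerGroup uses a symlink-following chown (as plain chown does) a user who has replaced `~/.ssh` with a symlink gets root to hand them ownership of the link target. The existing chown of `f` on the line above carries the same exposure, so this hunk widens rather than introduces it, but it is worth confirming that File.ownerGroup uses lchown or otherwise refuses to follow links, or that propellor creates the directory before the user can act on it. I would add `-- chowns inside the user's home as root; File.ownerGroup must not follow symlinks` above the new line. knownHost's definition starts before this hunk.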
@@ -230,12 +231,17 @@ authorizedKeys user context = withPrivData (SshAuthorizedKeys user) context $ \g
-- | Ensures that a user's authorized_keys contains a line.
-- Any other lines in the file are preserved as-is.
authorizedKey :: UserName -> String -> Property NoInfo
-authorizedKey user l = property (user ++ " has autorized_keys line " ++ l) $ do
+authorizedKey user l = property desc $ do
f <- liftIO $ dotFile "authorized_keys" user
- ensureProperty $
- f `File.containsLine` l
+ ensureProperty $ combineProperties desc
+ [ f `File.containsLine` l
`requires` File.dirExists (takeDirectory f)
`onChange` File.mode f (combineModes [ownerWriteMode, ownerReadMode])
+ , File.ownerGroup f user user
+ , File.ownerGroup (takeDirectory f) user user
+ ]
+ where
+ desc = user ++ " has autorized_keys line " ++ l
-- | Makes the ssh server listen on a given port, in addition to any other
-- ports it is configured to listen on.
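Review bot: The mode of `f` is still applied only through `onChange`, so when authorized_keys already contains the line the file is now chowned to the user on every run but a pre-existing group- or world-writable mode is never corrected, and sshd with StrictModes (the default) then silently ignores the file. Since ownership is now enforced unconditionally, enforce the mode the same way: drop the `onChange` clause and add `, File.mode f (combineModes [ownerWriteMode, ownerReadMode])` as a list element after the containsLine entry. The directory created by File.dirExists also gets no explicit mode; `, File.mode (takeDirectory f) (combineModes [ownerReadMode, ownerWriteMode, ownerExecuteMode])` would pin `~/.ssh` to 0700, which StrictModes checks as well, assuming ownerExecuteMode is in scope alongside the other System.Posix.Files modes used here. Whether File.mode reports a change on an already-correct file I cannot tell from this hunk.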