Diffstat (limited to 'joeyconfig.hs')
-rw-r--r--joeyconfig.hs206
1 files changed, 102 insertions, 104 deletions
diff --git a/joeyconfig.hs b/joeyconfig.hs
index 4c437664..85d323c1 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -4,6 +4,8 @@ module Main where
import Propellor
import Propellor.Property.Scheduled
+import Propellor.Property.DiskImage
+import Propellor.Property.Chroot
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network
@@ -13,6 +15,7 @@ import qualified Propellor.Property.Cron as Cron
import qualified Propellor.Property.Sudo as Sudo
import qualified Propellor.Property.User as User
import qualified Propellor.Property.Hostname as Hostname
+import qualified Propellor.Property.Fstab as Fstab
import qualified Propellor.Property.Tor as Tor
import qualified Propellor.Property.Dns as Dns
import qualified Propellor.Property.OpenId as OpenId
@@ -25,7 +28,6 @@ import qualified Propellor.Property.Obnam as Obnam
import qualified Propellor.Property.Gpg as Gpg
import qualified Propellor.Property.Systemd as Systemd
import qualified Propellor.Property.Journald as Journald
-import qualified Propellor.Property.Chroot as Chroot
import qualified Propellor.Property.Fail2Ban as Fail2Ban
import qualified Propellor.Property.Aiccu as Aiccu
import qualified Propellor.Property.OS as OS
@@ -36,7 +38,6 @@ import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
import qualified Propellor.Property.SiteSpecific.Branchable as Branchable
import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
-import Propellor.Property.DiskImage
main :: IO () -- _ ______`| ,-.__
main = defaultMain hosts -- / \___-=O`/|O`/__| (____.'
@@ -46,14 +47,15 @@ hosts :: [Host] -- * \ | | '--------'
hosts = -- (o) `
[ darkstar
, gnu
+ , dragon
, clam
- , mayfly
- , oyster
, orca
+ , baleen
, honeybee
, kite
, elephant
, beaver
+ , mouse
, pell
, keysafe
] ++ monsters
@@ -69,7 +71,7 @@ testvm = host "testvm.kitenet.net" $ props
& Apt.installed ["ssh"]
& User.hasPassword (User "root")
where
- postinstall :: Property DebianLike
+ postinstall :: Property (HasInfo + DebianLike)
postinstall = propertyList "fixing up after clean install" $ props
& OS.preserveRootSshAuthorized
& OS.preserveResolvConf
@@ -79,41 +81,45 @@ testvm = host "testvm.kitenet.net" $ props
darkstar :: Host
darkstar = host "darkstar.kitenet.net" $ props
+ & osDebian Unstable X86_64
& ipv6 "2001:4830:1600:187::2"
& Aiccu.hasConfig "T18376" "JHZ2-SIXXS"
- & Apt.buildDep ["git-annex"] `period` Daily
+ & User.nuked (User "nosuchuser") User.YesReallyDeleteHome
& JoeySites.dkimMilter
- & JoeySites.alarmClock "*-*-* 7:30" (User "joey")
- "/usr/bin/timeout 45m /home/joey/bin/goodmorning"
+ & JoeySites.postfixSaslPasswordClient
+ -- & JoeySites.alarmClock "*-*-* 7:30" (User "joey")
+ -- "/usr/bin/timeout 45m /home/joey/bin/goodmorning"
& Ssh.userKeys (User "joey") hostContext
[ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1YoyHxZwG5Eg0yiMTJLSWJ/+dMM6zZkZiR4JJ0iUfP+tT2bm/lxYompbSqBeiCq+PYcSC67mALxp1vfmdOV//LWlbXfotpxtyxbdTcQbHhdz4num9rJQz1tjsOsxTEheX5jKirFNC5OiKhqwIuNydKWDS9qHGqsKcZQ8p+n1g9Lr3nJVGY7eRRXzw/HopTpwmGmAmb9IXY6DC2k91KReRZAlOrk0287LaK3eCe1z0bu7LYzqqS+w99iXZ/Qs0m9OqAPnHZjWQQ0fN4xn5JQpZSJ7sqO38TBAimM+IHPmy2FTNVVn9zGM+vN1O2xr3l796QmaUG1+XLL0shfR/OZbb joey@darkstar")
]
-
- ! imageBuilt "/tmp/img" c MSDOS (grubBooted PC)
+ & imageBuilt (VirtualBoxPointer "/srv/test.vmdk") mychroot MSDOS
[ partition EXT2 `mountedAt` "/boot"
- `setFlag` BootFlag
, partition EXT4 `mountedAt` "/"
- `mountOpt` errorReadonly
, swapPartition (MegaBytes 256)
]
where
- c d = Chroot.debootstrapped mempty d $ props
+ mychroot d = debootstrapped mempty d $ props
& osDebian Unstable X86_64
- & Hostname.setTo "demo"
& Apt.installed ["linux-image-amd64"]
- & User "root" `User.hasInsecurePassword` "root"
+ & Grub.installed PC
gnu :: Host
gnu = host "gnu.kitenet.net" $ props
- & Apt.buildDep ["git-annex"] `period` Daily
+ & Postfix.satellite
+
+dragon :: Host
+dragon = host "dragon.kitenet.net" $ props
+ & ipv6 "2001:4830:1600:187::2"
+ & JoeySites.dkimMilter
+ & JoeySites.postfixSaslPasswordClient
clam :: Host
clam = host "clam.kitenet.net" $ props
& standardSystem Unstable X86_64
["Unreliable server. Anything here may be lost at any time!" ]
- & ipv4 "167.88.41.194"
+ & ipv4 "45.62.211.6"
& CloudAtCost.decruft
& Ssh.hostKeys hostContext
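Review bot: dragon is given `ipv6 "2001:4830:1600:187::2"` on its new line while darkstar keeps the very same address a few lines up, so two hosts now advertise one IPv6 address and anything derived from it (DNS records, aliases) will point both names at it; if the SixXS tunnel moved to dragon, darkstar's `ipv6` and `Aiccu.hasConfig` lines look like leftovers. The rebuilt disk image also drops `mountOpt errorReadonly` from the root partition and `setFlag BootFlag` from /boot; if that is deliberate, a short comment would stop the next reader from re-adding them. The chroot no longer sets an insecure root password, which is the right direction for an image that may be booted anywhere.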
@@ -122,65 +128,34 @@ clam = host "clam.kitenet.net" $ props
, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhfvcOuw0Yt+MnsFc4TI2gWkKi62Eajxz+TgbHMO/uRTYF8c5V8fOI3o+J/3m5+lT0S5o8j8a7xIC3COvi+AVw=")
]
& Apt.unattendedUpgrades
- & Network.ipv6to4
& Systemd.persistentJournal
- & Journald.systemMaxUse "500MiB"
+ & Journald.systemMaxUse "50MiB"
& Tor.isRelay
& Tor.named "kite1"
& Tor.bandwidthRate (Tor.PerMonth "400 GB")
- & Systemd.nspawned webserver
- & File.dirExists "/var/www/html"
- & File.notPresent "/var/www/index.html"
- & "/var/www/html/index.html" `File.hasContent` ["hello, world"]
- & alias "helloworld.kitenet.net"
-
& Systemd.nspawned oldusenetShellBox
& JoeySites.scrollBox
& alias "scroll.joeyh.name"
& alias "us.scroll.joeyh.name"
-mayfly :: Host
-mayfly = host "mayfly.kitenet.net" $ props
- & standardSystem (Stable "jessie") X86_64
- [ "Scratch VM. Contents can change at any time!" ]
- & ipv4 "167.88.36.193"
-
- & CloudAtCost.decruft
- & Apt.unattendedUpgrades
- & Network.ipv6to4
- & Systemd.persistentJournal
- & Journald.systemMaxUse "500MiB"
-
- & Tor.isRelay
- & Tor.named "kite3"
- & Tor.bandwidthRate (Tor.PerMonth "400 GB")
-
-oyster :: Host
-oyster = host "oyster.kitenet.net" $ props
- & standardSystem Unstable X86_64
- [ "Unreliable server. Anything here may be lost at any time!" ]
- & ipv4 "64.137.221.146"
-
- & CloudAtCost.decruft
- & Ssh.hostKeys hostContext
- [ (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0ws/IxQegVU0RhqnIm5A/vRSPTO70wD4o2Bd1jL970dTetNyXzvWGe1spEbLjIYSLIO7WvOBSE5RhplBKFMUU=")
- ]
+baleen :: Host
+baleen = host "baleen.kitenet.net" $ props
+ & standardSystem Unstable X86_64 [ "New git-annex build box." ]
+
+ -- Not on public network; ssh access via bounce host.
+ & ipv4 "138.38.77.40"
+
+ -- The root filesystem content may be lost if the VM is resized.
+ -- /dev/vdb contains persistent storage.
+ & Fstab.mounted "auto" "/dev/vdb" "/var/lib/container" mempty
+
& Apt.unattendedUpgrades
- & Network.ipv6to4
+ & Postfix.satellite
+ & Apt.serviceInstalledRunning "ntp"
& Systemd.persistentJournal
- & Journald.systemMaxUse "500MiB"
-
- & Tor.isRelay
- & Tor.named "kite2"
- & Tor.bandwidthRate (Tor.PerMonth "400 GB")
-
- -- Nothing is using http port 80, so listen on
- -- that port for ssh, for traveling on bad networks that
- -- block 22.
- & Ssh.listenPort (Port 80)
orca :: Host
orca = host "orca.kitenet.net" $ props
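Review bot: `Fstab.mounted "auto" "/dev/vdb" "/var/lib/container" mempty` mounts baleen's persistent volume by device path with default options, so if the device is renumbered or missing at boot the mount fails hard, and the comment just above says the only ssh route is through a bounce host; adding `nofail` to the options (or mounting by UUID) keeps the box bootable and fixable remotely. baleen also publishes no `Ssh.hostKeys` the way clam does, so other hosts cannot pin its key; worth confirming that is intended for a build box that other machines push to.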
@@ -206,34 +181,46 @@ orca = host "orca.kitenet.net" $ props
honeybee :: Host
honeybee = host "honeybee.kitenet.net" $ props
- & standardSystem Testing ARMHF [ "Arm git-annex build box." ]
+ & standardSystem Testing ARMHF
+ [ "Home router and arm git-annex build box." ]
- -- I have to travel to get console access, so no automatic
- -- upgrades, and try to be robust.
+ -- Hard to get console access, so no automatic upgrades,
+ -- and try to be robust.
& "/etc/default/rcS" `File.containsLine` "FSCKFIX=yes"
+ -- Cubietruck
& Apt.installed ["flash-kernel"]
& "/etc/flash-kernel/machine" `File.hasContent` ["Cubietech Cubietruck"]
& Apt.installed ["linux-image-armmp"]
- & Network.dhcp "eth0" `requires` Network.cleanInterfacesFile
- & Postfix.satellite
-
- -- ipv6 used for remote access thru firewalls
- & Apt.serviceInstalledRunning "aiccu"
- & ipv6 "2001:4830:1600:187::2"
- -- restart to deal with failure to connect, tunnel issues, etc
- & Cron.job "aiccu restart daily" Cron.Daily (User "root") "/"
- "service aiccu stop; service aiccu start"
+ & Apt.installed ["firmware-brcm80211"]
+ -- Workaround for https://bugs.debian.org/844056
+ `requires` File.hasPrivContent "/lib/firmware/brcm/brcmfmac43362-sdio.txt" anyContext
+ `requires` File.dirExists "/lib/firmware/brcm"
- -- In case compiler needs more than available ram
- & Apt.serviceInstalledRunning "swapspace"
-
- -- No hardware clock.
+ -- No hardware clock
& Apt.serviceInstalledRunning "ntp"
+ & JoeySites.homePowerMonitor
+ (User "joey")
+ (Context "homepower.joeyh.name")
+ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAmVYddg/RgCbIj+cLcEiddeFXaYFnbEJ3uGj9G/EyV joey@honeybee")
+ & JoeySites.homeRouter
+ & Apt.installed ["mtr-tiny", "iftop", "screen"]
+ & Postfix.satellite
+
& Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
GitAnnexBuilder.armAutoBuilder
- Unstable ARMEL Nothing Cron.Daily "22h")
+ Unstable ARMEL Nothing (Cron.Times "15 10 * * *") "10h")
+ -- Disabled because it does not work, and the old systemd
+ -- in the container uses a ton of CPU
+ ! Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
+ GitAnnexBuilder.stackAutoBuilder
+ (Stable "jessie") ARMEL (Just "ancient") weekdays "10h")
+ -- In case compiler needs more than available ram
+ & Apt.serviceInstalledRunning "swapspace"
+ where
+ weekdays = Cron.Times "15 10 * * 2-5"
+ -- weekends = Cron.Times "15 10 * * 6-7"
-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
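Review bot: `File.hasPrivContent "/lib/firmware/brcm/brcmfmac43362-sdio.txt" anyContext` stores the wifi NVRAM file as privdata with `anyContext`, so it is not scoped to honeybee; if the file is board-specific, `hostContext` keeps it from being handed to any other host naming the same path, and if it is not secret at all a plain `File.hasContent` keeps the text reviewable in this file. The `where weekdays` binding now only feeds the reverted (`!`) stack builder, so it can be deleted together with that container once it goes for good.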
@@ -242,7 +229,7 @@ kite :: Host
kite = host "kite.kitenet.net" $ props
& standardSystemUnhardened Testing X86_64 [ "Welcome to kite!" ]
& ipv4 "66.228.36.95"
- & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
+ -- & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
& alias "kitenet.net"
& alias "wren.kitenet.net" -- temporary
& Ssh.hostKeys (Context "kitenet.net")
@@ -252,7 +239,7 @@ kite = host "kite.kitenet.net" $ props
, (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZftKMnH/zH29BHMKbcBO4QsgTrstYFVhbrzrlRzBO3")
]
- & Network.static "eth0" `requires` Network.cleanInterfacesFile
+ & Network.preserveStatic "eth0" `requires` Network.cleanInterfacesFile
& Apt.installed ["linux-image-amd64"]
& Linode.serialGrub
& Linode.mlocateEnabled
@@ -262,6 +249,8 @@ kite = host "kite.kitenet.net" $ props
& Journald.systemMaxUse "500MiB"
& Ssh.passwordAuthentication True
& Fail2Ban.installed -- since ssh password authentication is allowed
+ -- Allow ssh -R to forward ports via kite
+ & Ssh.setSshdConfig "GatewayPorts" "clientspecified"
& Apt.serviceInstalledRunning "ntp"
& "/etc/timezone" `File.hasContent` ["US/Eastern"]
@@ -332,7 +321,10 @@ kite = host "kite.kitenet.net" $ props
& JoeySites.oldUseNetServer hosts
& alias "ns4.kitenet.net"
- & myDnsPrimary True "kitenet.net" []
+ & myDnsPrimary True "kitenet.net"
+ [ (RelDomain "mouse-onion", CNAME $ AbsDomain "htieo6yu2qtcn2j3.onion")
+ , (RelDomain "beaver-onion", CNAME $ AbsDomain "tl4xsvaxryjylgxs.onion")
+ ]
& myDnsPrimary True "joeyh.name" []
& myDnsPrimary True "ikiwiki.info" []
& myDnsPrimary True "olduse.net"
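Review bot: The two new CNAME records point `mouse-onion` and `beaver-onion` at `.onion` targets; per RFC 7686 ordinary resolvers are expected to refuse .onion names, so these records only help clients whose resolution goes through Tor, and they also publish the mapping from each named host to its onion address in public DNS. A one-line comment on the intended use, e.g. `-- .onion CNAMEs: only usable via a Tor-aware resolver`, would stop a later reader from treating them as broken records.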
@@ -341,6 +333,16 @@ kite = host "kite.kitenet.net" $ props
& alias "ns4.branchable.com"
& branchableSecondary
& Dns.secondaryFor ["animx"] hosts "animx.eu.org"
+ -- Use its own name server (amoung other things this avoids
+ -- spamassassin URIBL_BLOCKED.
+ & "/etc/resolv.conf" `File.hasContent`
+ [ "nameserver 127.0.0.1"
+ , "domain kitenet.net"
+ , "search kitenet.net"
+ ]
+ & alias "debug-me.joeyh.name"
+ -- debug-me installed manually until package is available
+ & Systemd.enabled "debug-me"
-- testing
& Apache.httpsVirtualHost "letsencrypt.joeyh.name" "/var/www/html"
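Review bot: The comment above the resolv.conf lines has a typo and an unclosed parenthesis; `-- Use its own name server (among other things this avoids spamassassin URIBL_BLOCKED).` reads correctly. Pinning `nameserver 127.0.0.1` as the sole resolver means name resolution on kite, mail delivery included, stops whenever the local name server is down, which is presumably accepted, and anything else managing resolv.conf (resolvconf, DHCP hooks) would fight this `File.hasContent`. `Systemd.enabled "debug-me"` will fail on a fresh deploy until the unit exists, as the comment admits, so a `-- TODO: replace with Apt.installed once packaged` marker would help.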
@@ -377,8 +379,7 @@ elephant = host "elephant.kitenet.net" $ props
& Apt.serviceInstalledRunning "swapspace"
& alias "eubackup.kitenet.net"
- & Apt.installed ["obnam", "sshfs", "rsync"]
- & JoeySites.obnamRepos ["pell", "kite"]
+ & Apt.installed ["obnam", "sshfs", "rsync", "borgbackup"]
& JoeySites.githubBackup
& JoeySites.rsyncNetBackup hosts
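Review bot: `JoeySites.obnamRepos ["pell", "kite"]` is dropped while `obnam` stays in the installed list beside the new `borgbackup`; if the obnam repositories are no longer used the package looks like a leftover, and if they are still used elsewhere the removal silently stops managing them. A comment naming which tool now backs up pell and kite would make the transition traceable.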
@@ -417,15 +418,23 @@ elephant = host "elephant.kitenet.net" $ props
beaver :: Host
beaver = host "beaver.kitenet.net" $ props
& ipv6 "2001:4830:1600:195::2"
- & Apt.serviceInstalledRunning "aiccu"
& Apt.installed ["ssh"]
& Ssh.hostPubKey SshDsa "ssh-dss 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"
+ & Tor.installed
+ & Tor.hiddenServiceAvailable "ssh" (Port 22)
& alias "usbackup.kitenet.net"
& JoeySites.backupsBackedupFrom hosts "eubackup.kitenet.net" "/home/joey/lib/backup"
& Apt.serviceInstalledRunning "anacron"
& Cron.niceJob "system disk backed up" Cron.Weekly (User "root") "/"
"rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/"
+mouse :: Host
+mouse = host "mouse.kitenet.net" $ props
+ & ipv4 "67.223.19.96"
+ & Apt.installed ["ssh"]
+ & Tor.installed
+ & Tor.hiddenServiceAvailable "ssh" (Port 22)
+
-- Branchable is not completely deployed with propellor yet.
pell :: Host
pell = host "pell.branchable.com" $ props
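Review bot: mouse gets `Apt.installed ["ssh"]` and a Tor hidden service on port 22 but, unlike beaver just above, publishes no `Ssh.hostPubKey`, so any host relying on propellor-distributed known hosts cannot verify mouse over the onion route. beaver's published key is still the DSA one on the context line, which current OpenSSH rejects by default; with the aiccu tunnel removed and ssh now reached via Tor, an `SshEd25519` key for both hosts would be the safer pin.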
@@ -448,7 +457,8 @@ pell = host "pell.branchable.com" $ props
& alias "dist-bugs.kitenet.net"
& alias "family.kitenet.net"
- & Apt.installed ["linux-image-amd64"]
+ & osDebian (Stable "stretch") X86_64
+ & Apt.installed ["linux-image-686-pae"]
& Apt.unattendedUpgrades
& Branchable.server hosts
& Linode.serialGrub
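Review bot: `osDebian (Stable "stretch") X86_64` declares an amd64 system while the next line installs `linux-image-686-pae`, a kernel package Debian ships only for i386, so one of the two lines is wrong. If pell really runs a 32-bit userland the architecture should say so (propellor's `X86_32`); otherwise the kernel line should stay `linux-image-amd64`.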
@@ -458,7 +468,7 @@ keysafe :: Host
keysafe = host "keysafe.joeyh.name" $ props
& ipv4 "139.59.17.168"
& Hostname.sane
- & osDebian (Stable "jessie") X86_64
+ & osDebian (Stable "stretch") X86_64
& Apt.stdSourcesList `onChange` Apt.upgrade
& Apt.unattendedUpgrades
& DigitalOcean.distroKernel
@@ -514,18 +524,11 @@ keysafe = host "keysafe.joeyh.name" $ props
--------------------------- \____, o ,' ----------------------------
---------------------------- '--,___________,' -----------------------------
--- Simple web server, publishing the outside host's /var/www
-webserver :: Systemd.Container
-webserver = Systemd.debContainer "webserver" $ props
- & standardContainer (Stable "jessie")
- & Systemd.bind "/var/www"
- & Apache.installed
-
-- My own openid provider. Uses php, so containerized for security
-- and administrative sanity.
openidProvider :: Systemd.Container
openidProvider = Systemd.debContainer "openid-provider" $ props
- & standardContainer (Stable "jessie")
+ & standardContainer (Stable "stretch")
& alias hn
& OpenId.providerFor [User "joey", User "liw"] hn (Just (Port 8081))
where
@@ -534,7 +537,7 @@ openidProvider = Systemd.debContainer "openid-provider" $ props
-- Exhibit: kite's 90's website on port 1994.
ancientKitenet :: Systemd.Container
ancientKitenet = Systemd.debContainer "ancient-kitenet" $ props
- & standardContainer (Stable "jessie")
+ & standardContainer (Stable "stretch")
& alias hn
& Git.cloned (User "root") "git://kitenet-net.branchable.com/" "/var/www/html"
(Just "remotes/origin/old-kitenet.net")
@@ -548,13 +551,13 @@ ancientKitenet = Systemd.debContainer "ancient-kitenet" $ props
oldusenetShellBox :: Systemd.Container
oldusenetShellBox = Systemd.debContainer "oldusenet-shellbox" $ props
- & standardContainer (Stable "jessie")
+ & standardContainer (Stable "stretch")
& alias "shell.olduse.net"
& JoeySites.oldUseNetShellBox
kiteShellBox :: Systemd.Container
kiteShellBox = Systemd.debContainer "kiteshellbox" $ props
- & standardContainer (Stable "jessie")
+ & standardContainer (Stable "stretch")
& JoeySites.kiteShellBox
type Motd = [String]
@@ -633,14 +636,9 @@ monsters = -- but do want to track their public keys etc.
& Ssh.hostPubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY="
, host "ns6.gandi.net" $ props
& ipv4 "217.70.177.40"
- , host "turtle.kitenet.net" $ props
- & ipv4 "67.223.19.96"
- & ipv6 "2001:4978:f:2d9::2"
- , host "mouse.kitenet.net" $ props
- & ipv6 "2001:4830:1600:492::2"
, host "animx" $ props
- & ipv4 "76.7.162.101"
& ipv4 "76.7.162.186"
+ & ipv4 "76.7.162.187"
]