summaryrefslogtreecommitdiff
path: root/src/Propellor/Property/SiteSpecific/JoeySites.hs
diff options
context:
space:
mode:
Diffstat (limited to 'src/Propellor/Property/SiteSpecific/JoeySites.hs')
-rw-r--r--src/Propellor/Property/SiteSpecific/JoeySites.hs388
1 files changed, 378 insertions, 10 deletions
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index c770907b..fa8773de 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -14,12 +14,14 @@ import qualified Propellor.Property.Service as Service
import qualified Propellor.Property.User as User
import qualified Propellor.Property.Obnam as Obnam
import qualified Propellor.Property.Apache as Apache
+import qualified Propellor.Property.Postfix as Postfix
import Utility.SafeCommand
import Utility.FileMode
import Utility.Path
import Data.List
import System.Posix.Files
+import Data.String.Utils
oldUseNetServer :: [Host] -> Property
oldUseNetServer hosts = propertyList ("olduse.net server")
@@ -59,9 +61,7 @@ oldUseNetServer hosts = propertyList ("olduse.net server")
, " <Directory " ++ datadir ++ "/>"
, " Options Indexes FollowSymlinks"
, " AllowOverride None"
- -- I had this in the file before.
- -- This may be needed by a newer version of apache?
- --, " Require all granted"
+ , Apache.allowAll
, " </Directory>"
]
]
@@ -114,11 +114,11 @@ mumbleServer hosts = combineProperties hn
[ Apt.serviceInstalledRunning "mumble-server"
, Obnam.latestVersion
, Obnam.backup "/var/lib/mumble-server" "55 5 * * *"
- [ "--repository=sftp://joey@turtle.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam"
+ [ "--repository=sftp://joey@usbackup.kitenet.net/~/lib/backup/" ++ hn ++ ".obnam"
, "--client-name=mumble"
] Obnam.OnlyClient
`requires` Ssh.keyImported SshRsa "root" (Context hn)
- `requires` Ssh.knownHost hosts "turtle.kitenet.net" "root"
+ `requires` Ssh.knownHost hosts "usbackup.kitenet.net" "root"
, trivial $ cmdProperty "chown" ["-R", "mumble-server:mumble-server", "/var/lib/mumble-server"]
]
where
@@ -142,7 +142,7 @@ gitServer hosts = propertyList "git.kitenet.net setup"
, Obnam.backup "/srv/git" "33 3 * * *"
[ "--repository=sftp://2318@usw-s002.rsync.net/~/git.kitenet.net"
, "--encrypt-with=1B169BE1"
- , "--client-name=wren"
+ , "--client-name=wren" -- historical
] Obnam.OnlyClient
`requires` Gpg.keyImported "1B169BE1" "root"
`requires` Ssh.keyImported SshRsa "root" (Context "git.kitenet.net")
@@ -191,8 +191,8 @@ gitServer hosts = propertyList "git.kitenet.net setup"
type AnnexUUID = String
-- | A website, with files coming from a git-annex repository.
-annexWebSite :: [Host] -> Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property
-annexWebSite hosts origin hn uuid remotes = propertyList (hn ++" website using git-annex")
+annexWebSite :: Git.RepoUrl -> HostName -> AnnexUUID -> [(String, Git.RepoUrl)] -> Property
+annexWebSite origin hn uuid remotes = propertyList (hn ++" website using git-annex")
[ Git.cloned "joey" origin dir Nothing
`onChange` setup
, postupdatehook `File.hasContent`
@@ -206,8 +206,6 @@ annexWebSite hosts origin hn uuid remotes = propertyList (hn ++" website using g
dir = "/srv/web/" ++ hn
postupdatehook = dir </> ".git/hooks/post-update"
setup = userScriptProperty "joey" setupscript
- `requires` Ssh.keyImported SshRsa "joey" (Context hn)
- `requires` Ssh.knownHost hosts "turtle.kitenet.net" "joey"
setupscript =
[ "cd " ++ shellEscape dir
, "git config annex.uuid " ++ shellEscape uuid
@@ -348,8 +346,27 @@ githubBackup = propertyList "github-backup box"
, let f = "/home/joey/.github-keys"
in File.hasPrivContent f anyContext
`onChange` File.ownerGroup f "joey" "joey"
+ , Cron.niceJob "github-backup run" "30 4 * * *" "joey"
+ "/home/joey/lib/backup" $ intercalate "&&"
+ [ "mkdir -p github"
+ , "cd github"
+ , ". $HOME/.github-keys && github-backup joeyh"
+ ]
]
+rsyncNetBackup :: [Host] -> Property
+rsyncNetBackup hosts = Cron.niceJob "rsync.net copied in daily" "30 5 * * *"
+ "joey" "/home/joey/lib/backup" "mkdir -p rsync.net && rsync --delete -az 2318@usw-s002.rsync.net: rsync.net"
+ `requires` Ssh.knownHost hosts "usw-s002.rsync.net" "joey"
+
+backupsBackedupTo :: [Host] -> HostName -> FilePath -> Property
+backupsBackedupTo hosts desthost destdir = Cron.niceJob desc
+ "1 1 * * 3" "joey" "/" cmd
+ `requires` Ssh.knownHost hosts desthost "joey"
+ where
+ desc = "backups copied to " ++ desthost ++ " weekly"
+ cmd = "rsync -az --delete /home/joey/lib/backup " ++ desthost ++ ":" ++ destdir
+
obnamRepos :: [String] -> Property
obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs)
(mkbase : map mkrepo rs)
@@ -360,3 +377,354 @@ obnamRepos rs = propertyList ("obnam repos for " ++ unwords rs)
mkdir d = File.dirExists d
`before` File.ownerGroup d "joey" "joey"
+podcatcher :: Property
+podcatcher = Cron.niceJob "podcatcher run hourly" "55 * * * *"
+ "joey" "/home/joey/lib/sound/podcasts"
+ "xargs git-annex importfeed -c annex.genmetadata=true < feeds; mr --quiet update"
+ `requires` Apt.installed ["git-annex", "myrepos"]
+
+kiteMailServer :: Property
+kiteMailServer = propertyList "kitenet.net mail server"
+ [ Postfix.installed
+ , Apt.installed ["postfix-pcre"]
+ , Apt.serviceInstalledRunning "postgrey"
+
+ , Apt.serviceInstalledRunning "spamassassin"
+ , "/etc/default/spamassassin" `File.containsLines`
+ [ "# Propellor deployed"
+ , "ENABLED=1"
+ , "CRON=1"
+ , "OPTIONS=\"--create-prefs --max-children 5 --helper-home-dir\""
+ , "CRON=1"
+ , "NICE=\"--nicelevel 15\""
+ ] `onChange` Service.restarted "spamassassin"
+ `describe` "spamd enabled"
+ `requires` Apt.serviceInstalledRunning "cron"
+
+ , Apt.serviceInstalledRunning "spamass-milter"
+ -- Add -m to prevent modifying messages Subject or body.
+ , "/etc/default/spamass-milter" `File.containsLine`
+ "OPTIONS=\"-m -u spamass-milter -i 127.0.0.1\""
+ `onChange` Service.restarted "spamass-milter"
+ `describe` "spamass-milter configured"
+
+ , Apt.serviceInstalledRunning "amavisd-milter"
+ , "/etc/default/amavisd-milter" `File.containsLines`
+ [ "# Propellor deployed"
+ , "MILTERSOCKET=/var/spool/postfix/amavis/amavis.sock"
+ , "MILTERSOCKETOWNER=\"postfix:postfix\""
+ , "MILTERSOCKETMODE=\"0660\""
+ ]
+ `onChange` Service.restarted "amavisd-milter"
+ `describe` "amavisd-milter configured for postfix"
+ , Apt.serviceInstalledRunning "clamav-freshclam"
+
+ , Apt.installed ["maildrop"]
+ , "/etc/maildroprc" `File.hasContent`
+ [ "# Global maildrop filter file (deployed with propellor)"
+ , "DEFAULT=\"$HOME/Maildir\""
+ , "MAILBOX=\"$DEFAULT/.\""
+ , "# Filter spam to a spam folder, unless .keepspam exists"
+ , "if (/^X-Spam-Status: Yes/)"
+ , "{"
+ , " `test -e \"$HOME/.keepspam\"`"
+ , " if ( $RETURNCODE != 0 )"
+ , " to ${MAILBOX}spam"
+ , "}"
+ ]
+ `describe` "maildrop configured"
+
+ , "/etc/aliases" `File.hasPrivContentExposed` ctx
+ `onChange` Postfix.newaliases
+ , hasJoeyCAChain
+ , "/etc/ssl/certs/postfix.pem" `File.hasPrivContentExposed` ctx
+ , "/etc/ssl/private/postfix.pem" `File.hasPrivContent` ctx
+
+ , "/etc/postfix/mydomain" `File.containsLines`
+ [ "/.*\\.kitenet\\.net/\tOK"
+ , "/ikiwiki\\.info/\tOK"
+ , "/joeyh\\.name/\tOK"
+ ]
+ `onChange` Postfix.reloaded
+ `describe` "postfix mydomain file configured"
+ , "/etc/postfix/obscure_client_relay.pcre" `File.containsLine`
+ "/^Received: from ([^.]+)\\.kitenet\\.net.*using TLS.*by kitenet\\.net \\(([^)]+)\\) with (E?SMTPS?A?) id ([A-F[:digit:]]+)(.*)/ IGNORE"
+ `onChange` Postfix.reloaded
+ `describe` "postfix obscure_client_relay file configured"
+ , Postfix.mappedFile "/etc/postfix/virtual"
+ (flip File.containsLines
+ [ "# *@joeyh.name to joey"
+ , "@joeyh.name\tjoey"
+ ]
+ ) `describe` "postfix virtual file configured"
+ `onChange` Postfix.reloaded
+ , Postfix.mappedFile "/etc/postfix/relay_clientcerts" $
+ flip File.hasPrivContentExposed ctx
+ , Postfix.mainCfFile `File.containsLines`
+ [ "myhostname = kitenet.net"
+ , "mydomain = $myhostname"
+ , "append_dot_mydomain = no"
+ , "myorigin = kitenet.net"
+ , "mydestination = $myhostname, localhost.$mydomain, $mydomain, kite.$mydomain., localhost, regexp:$config_directory/mydomain"
+ , "mailbox_command = maildrop"
+ , "virtual_alias_maps = hash:/etc/postfix/virtual"
+
+ , "# Allow clients with trusted certs to relay mail through."
+ , "relay_clientcerts = hash:/etc/postfix/relay_clientcerts"
+ , "smtpd_relay_restrictions = permit_mynetworks,permit_tls_clientcerts,permit_sasl_authenticated,reject_unauth_destination"
+
+ , "# Filter out client relay lines from headers."
+ , "header_checks = pcre:$config_directory/obscure_client_relay.pcre"
+
+ , "# Enable postgrey."
+ , "smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:10023"
+
+ , "# Enable spamass-milter and amavis-milter."
+ , "smtpd_milters = unix:/spamass/spamass.sock unix:amavis/amavis.sock"
+ , "milter_connect_macros = j {daemon_name} v {if_name} _"
+
+ , "# TLS setup -- server"
+ , "smtpd_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtpd_tls_key_file = /etc/ssl/private/postfix.pem"
+ , "smtpd_tls_loglevel = 1"
+ , "smtpd_tls_received_header = yes"
+ , "smtpd_use_tls = yes"
+ , "smtpd_tls_ask_ccert = yes"
+ , "smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_scache"
+
+ , "# TLS setup -- client"
+ , "smtp_tls_CAfile = /etc/ssl/certs/joeyca.pem"
+ , "smtp_tls_cert_file = /etc/ssl/certs/postfix.pem"
+ , "smtp_tls_key_file = /etc/ssl/private/postfix.pem"
+ , "smtp_tls_loglevel = 1"
+ , "smtp_use_tls = yes"
+ , "smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache"
+ ]
+ `onChange` Postfix.dedupMainCf
+ `onChange` Postfix.reloaded
+ `describe` "postfix configured"
+
+ , Apt.serviceInstalledRunning "dovecot-imapd"
+ , Apt.serviceInstalledRunning "dovecot-pop3d"
+ , "/etc/dovecot/conf.d/10-mail.conf" `File.containsLine`
+ "mail_location = maildir:~/Maildir"
+ `onChange` Service.reloaded "dovecot"
+ `describe` "dovecot mail.conf"
+ , "/etc/dovecot/conf.d/10-auth.conf" `File.containsLine`
+ "!include auth-passwdfile.conf.ext"
+ `onChange` Service.restarted "dovecot"
+ `describe` "dovecot auth.conf"
+ , File.hasPrivContent dovecotusers ctx
+ `onChange` (dovecotusers `File.mode`
+ combineModes [ownerReadMode, groupReadMode])
+ , File.ownerGroup dovecotusers "root" "dovecot"
+
+ , Apt.installed ["mutt", "bsd-mailx", "alpine"]
+
+ , pinescript `File.hasContent`
+ [ "#!/bin/sh"
+ , "# deployed with propellor"
+ , "set -e"
+ , "pass=$HOME/.pine-password"
+ , "if [ ! -e $pass ]; then"
+ , "\ttouch $pass"
+ , "fi"
+ , "chmod 600 $pass"
+ , "exec alpine -passfile $pass \"$@\""
+ ]
+ `onChange` (pinescript `File.mode`
+ combineModes (readModes ++ executeModes))
+ `describe` "pine wrapper script"
+ , "/etc/pine.conf" `File.containsLines`
+ [ "inbox-path={localhost/novalidate-cert}inbox"
+ ]
+ `describe` "pine configured to use local imap server"
+ ]
+ where
+ ctx = Context "kitenet.net"
+ pinescript = "/usr/local/bin/pine"
+ dovecotusers = "/etc/dovecot/users"
+
+hasJoeyCAChain :: Property
+hasJoeyCAChain = "/etc/ssl/certs/joeyca.pem" `File.hasPrivContentExposed`
+ Context "joeyca.pem"
+
+kitenetHttps :: Property
+kitenetHttps = propertyList "kitenet.net https certs"
+ [ File.hasPrivContent "/etc/ssl/certs/web.pem" ctx
+ , File.hasPrivContent "/etc/ssl/private/web.pem" ctx
+ , File.hasPrivContent "/etc/ssl/certs/startssl.pem" ctx
+ , toProp $ Apache.modEnabled "ssl"
+ ]
+ where
+ ctx = Context "kitenet.net"
+
+-- Legacy static web sites and redirections from kitenet.net to newer
+-- sites.
+legacyWebSites :: Property
+legacyWebSites = propertyList "legacy web sites"
+ [ Apt.serviceInstalledRunning "apache2"
+ , toProp $ Apache.modEnabled "rewrite"
+ , toProp $ Apache.modEnabled "cgi"
+ , toProp $ Apache.modEnabled "speling"
+ , userDirHtml
+ , kitenetHttps
+ , toProp $ Apache.siteEnabled "kitenet.net" $ apachecfg "kitenet.net" True
+ -- /var/www is empty
+ [ "DocumentRoot /var/www"
+ , "<Directory /var/www>"
+ , " Options Indexes FollowSymLinks MultiViews ExecCGI Includes"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+ , "ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/"
+
+ -- for mailman cgi scripts
+ , "<Directory /usr/lib/cgi-bin>"
+ , " AllowOverride None"
+ , " Options ExecCGI"
+ , Apache.allowAll
+ , "</Directory>"
+ , "Alias /pipermail/ /var/lib/mailman/archives/public/"
+ , "<Directory /var/lib/mailman/archives/public/>"
+ , " Options Indexes MultiViews FollowSymlinks"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+ , "Alias /images/ /usr/share/images/"
+ , "<Directory /usr/share/images/>"
+ , " Options Indexes MultiViews"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+
+ , "RewriteEngine On"
+ , "# Force hostname to kitenet.net"
+ , "RewriteCond %{HTTP_HOST} !^kitenet\\.net [NC]"
+ , "RewriteCond %{HTTP_HOST} !^$"
+ , "RewriteRule ^/(.*) http://kitenet\\.net/$1 [L,R]"
+
+ , "# Moved pages"
+ , "RewriteRule /programs/debhelper http://joeyh.name/code/debhelper/ [L]"
+ , "RewriteRule /programs/satutils http://joeyh.name/code/satutils/ [L]"
+ , "RewriteRule /programs/filters http://joeyh.name/code/filters/ [L]"
+ , "RewriteRule /programs/ticker http://joeyh.name/code/ticker/ [L]"
+ , "RewriteRule /programs/pdmenu http://joeyh.name/code/pdmenu/ [L]"
+ , "RewriteRule /programs/sleepd http://joeyh.name/code/sleepd/ [L]"
+ , "RewriteRule /programs/Lingua::EN::Words2Nums http://joeyh.name/code/Words2Nums/ [L]"
+ , "RewriteRule /programs/wmbattery http://joeyh.name/code/wmbattery/ [L]"
+ , "RewriteRule /programs/dpkg-repack http://joeyh.name/code/dpkg-repack/ [L]"
+ , "RewriteRule /programs/debconf http://joeyh.name/code/debconf/ [L]"
+ , "RewriteRule /programs/perlmoo http://joeyh.name/code/perlmoo/ [L]"
+ , "RewriteRule /programs/alien http://joeyh.name/code/alien/ [L]"
+ , "RewriteRule /~joey/blog/entry/(.+)-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9]-[0-9][0-9].html http://joeyh.name/blog/entry/$1/ [L]"
+ , "RewriteRule /~anna/.* http://waldeneffect\\.org/ [R]"
+ , "RewriteRule /~anna/.* http://waldeneffect\\.org/ [R]"
+ , "RewriteRule /~anna http://waldeneffect\\.org/ [R]"
+ , "RewriteRule /simpleid/ http://openid.kitenet.net:8081/simpleid/"
+ , "# Even the kite home page is not here any more!"
+ , "RewriteRule ^/$ http://www.kitenet.net/ [R]"
+ , "RewriteRule ^/index.html http://www.kitenet.net/ [R]"
+ , "RewriteRule ^/joey http://www.kitenet.net/joey/ [R]"
+ , "RewriteRule ^/joey/index.html http://www.kitenet.net/joey/ [R]"
+ , "RewriteRule ^/wifi http://www.kitenet.net/wifi/ [R]"
+ , "RewriteRule ^/wifi/index.html http://www.kitenet.net/wifi/ [R]"
+
+ , "# Old ikiwiki filenames for kitenet.net wiki."
+ , "rewritecond $1 !^/~"
+ , "rewritecond $1 !^/doc/"
+ , "rewritecond $1 !^/pipermail/"
+ , "rewritecond $1 !^/cgi-bin/"
+ , "rewritecond $1 !.*/index$"
+ , "rewriterule (.+).html$ $1/ [r]"
+
+ , "# Old ikiwiki filenames for joey's wiki."
+ , "rewritecond $1 ^/~joey/"
+ , "rewritecond $1 !.*/index$"
+ , "rewriterule (.+).html$ http://kitenet.net/$1/ [L,R]"
+
+ , "# ~joey to joeyh.name"
+ , "rewriterule /~joey/(.*) http://joeyh.name/$1 [L]"
+
+ , "# Old familywiki location."
+ , "rewriterule /~family/(.*).html http://family.kitenet.net/$1 [L]"
+ , "rewriterule /~family/(.*).rss http://family.kitenet.net/$1/index.rss [L]"
+ , "rewriterule /~family(.*) http://family.kitenet.net$1 [L]"
+
+ , "rewriterule /~kyle/bywayofscience(.*) http://bywayofscience.branchable.com$1 [L]"
+ , "rewriterule /~kyle/family/wiki/(.*).html http://macleawiki.branchable.com/$1 [L]"
+ , "rewriterule /~kyle/family/wiki/(.*).rss http://macleawiki.branchable.com/$1/index.rss [L]"
+ , "rewriterule /~kyle/family/wiki(.*) http://macleawiki.branchable.com$1 [L]"
+ ]
+ , alias "anna.kitenet.net"
+ , toProp $ Apache.siteEnabled "anna.kitenet.net" $ apachecfg "anna.kitenet.net" False
+ [ "DocumentRoot /home/anna/html"
+ , "<Directory /home/anna/html/>"
+ , " Options Indexes ExecCGI"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+ ]
+ , alias "sows-ear.kitenet.net"
+ , alias "www.sows-ear.kitenet.net"
+ , toProp $ Apache.siteEnabled "sows-ear.kitenet.net" $ apachecfg "sows-ear.kitenet.net" False
+ [ "ServerAlias www.sows-ear.kitenet.net"
+ , "DocumentRoot /srv/web/sows-ear.kitenet.net"
+ , "<Directory /srv/web/sows-ear.kitenet.net>"
+ , " Options FollowSymLinks"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+ ]
+ , alias "wortroot.kitenet.net"
+ , alias "www.wortroot.kitenet.net"
+ , toProp $ Apache.siteEnabled "wortroot.kitenet.net" $ apachecfg "wortroot.kitenet.net" False
+ [ "ServerAlias www.wortroot.kitenet.net"
+ , "DocumentRoot /srv/web/wortroot.kitenet.net"
+ , "<Directory /srv/web/wortroot.kitenet.net>"
+ , " Options FollowSymLinks"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+ ]
+ , alias "creeksidepress.com"
+ , toProp $ Apache.siteEnabled "creeksidepress.com" $ apachecfg "creeksidepress.com" False
+ [ "ServerAlias www.creeksidepress.com"
+ , "DocumentRoot /srv/web/www.creeksidepress.com"
+ , "<Directory /srv/web/www.creeksidepress.com>"
+ , " Options FollowSymLinks"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+ ]
+ , alias "joey.kitenet.net"
+ , toProp $ Apache.siteEnabled "joey.kitenet.net" $ apachecfg "joey.kitenet.net" False
+ [ "DocumentRoot /home/joey/html"
+ , "<Directory /home/joey/html/>"
+ , " Options Indexes ExecCGI"
+ , " AllowOverride None"
+ , Apache.allowAll
+ , "</Directory>"
+
+ , "RewriteEngine On"
+
+ , "# Old ikiwiki filenames for joey's wiki."
+ , "rewritecond $1 !.*/index$"
+ , "rewriterule (.+).html$ http://joeyh.name/$1/ [l]"
+
+ , "rewritecond $1 !.*/index$"
+ , "rewriterule (.+).rss$ http://joeyh.name/$1/index.rss [l]"
+
+ , "# Redirect all to joeyh.name."
+ , "rewriterule (.*) http://joeyh.name$1 [r]"
+ ]
+ ]
+
+userDirHtml :: Property
+userDirHtml = File.fileProperty "apache userdir is html" (map munge) conf
+ `onChange` Apache.reloaded
+ `requires` (toProp $ Apache.modEnabled "userdir")
+ where
+ munge = replace "public_html" "html"
+ conf = "/etc/apache2/mods-available/userdir.conf"