From 0460a04474d2ea4f439708bb9f8ded24fba329ac Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Tue, 8 Apr 2014 16:58:11 -0400
Subject: propellor spin
---
 Propellor/Property/File.hs | 7 +++++++
 Propellor/Property/OpenId.hs | 15 +++++++++++++++
 Propellor/Types.hs | 1 +
 config-joey.hs | 14 +++++++++++++-
 4 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 Propellor/Property/OpenId.hs
diff --git a/Propellor/Property/File.hs b/Propellor/Property/File.hs
index 80c69d9b..0c1155fe 100644
--- a/Propellor/Property/File.hs
+++ b/Propellor/Property/File.hs
@@ -11,6 +11,13 @@ hasContent :: FilePath -> [Line] -> Property
 f `hasContent` newcontent = fileProperty ("replace " ++ f) (\_oldcontent -> newcontent) f
+-- | Ensures a file has contents that comes from PrivData.
+-- Note: Does not do anything with the permissions of the file to prevent
+-- it from being seen.
+hasPrivContent :: FilePath -> Property
+hasPrivContent f = Property ("privcontent " ++ f) $
+ withPrivData (PrivFile f) (\v -> ensureProperty $ f `hasContent` lines v)
+
 -- | Ensures that a line is present in a file, adding it to the end if not.
 containsLine :: FilePath -> Line -> Property
 f `containsLine` l = fileProperty (f ++ " contains:" ++ l) go f
diff --git a/Propellor/Property/OpenId.hs b/Propellor/Property/OpenId.hs
new file mode 100644
index 00000000..4ebf18f0
--- /dev/null
+++ b/Propellor/Property/OpenId.hs
@@ -0,0 +1,15 @@
+module Propellor.Property.OpenId where
+
+import Propellor
+import qualified Propellor.Property.File as File
+import qualified Propellor.Property.Apt as Apt
+
+providerFor :: [UserName] -> Property
+providerFor users = propertyList ("openid provider") $
+ [ serviceRunning "apache2" `requires` Apt.installed ["apache2"] , Apt.installed ["simpleid"] ] ++ map identfile users
+ where
+ identfile u = File.hasPrivContent $ concat
+ [ "/var/lib/simpleid/identities/", u, ".identity" ]
diff --git a/Propellor/Types.hs b/Propellor/Types.hs
index 52c0c999..856e0ea9 100644
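Review bot: `hasPrivContent` hands secret material to the same `hasContent`/`fileProperty` path used for public files, so the file ends up with whatever mode that path and the umask yield, and the haddock's Note only pushes the problem to every caller — the one caller added in this commit (the simpleid identity files in OpenId.hs) does not restrict the mode either. Either narrow the permissions inside this property or make the haddock an explicit contract, e.g. `-- Callers must pair this with a property that restricts the file's owner and mode.` The haddock also reads `contents that comes`; `contents that come` is the intended grammar. A smaller point: `lines v` discards line terminators, so whether the written file ends with a newline depends on `hasContent` rather than on the stored value; worth a sentence if exact bytes ever matter.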
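Review bot: `identfile` builds the identity path by plain `concat` of the caller-supplied user name, so a name containing `/` or `..` would place a private file outside `/var/lib/simpleid/identities/`; the names in this commit are literals from the host config, but the `[UserName]` type does not say that. Either reject names that are not a single path component or record the assumption, e.g. `-- user names are trusted config literals; they are not sanitised as path components`. Separately, `File.hasPrivContent` leaves the file mode alone, so the identity files (which presumably hold the credential data simpleid checks at login) may be readable by every local user in the container; a property that sets owner and mode on that directory would close this. Minor style: `propertyList ("openid provider")` does not need the parentheses.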
--- a/Propellor/Types.hs
+++ b/Propellor/Types.hs
@@ -100,6 +100,7 @@ data PrivDataField
 = DockerAuthentication
 | SshPrivKey UserName
 | Password UserName
+ | PrivFile FilePath
 deriving (Read, Show, Ord, Eq)
diff --git a/config-joey.hs b/config-joey.hs
index f2cc5e78..f38fc836 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -12,6 +12,7 @@ import qualified Propellor.Property.User as User
 import qualified Propellor.Property.Hostname as Hostname
 --import qualified Propellor.Property.Reboot as Reboot
 import qualified Propellor.Property.Tor as Tor
+import qualified Propellor.Property.OpenId as OpenId
 import qualified Propellor.Property.Docker as Docker
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
 import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
@@ -35,6 +36,7 @@ host hostname@"clam.kitenet.net" = standardSystem Unstable $ props
 & Apt.installed ["git-annex", "mtr"]
 & Tor.isBridge
 & JoeySites.oldUseNetshellBox
+ & Docker.docked container hostname "openid-provider"
 & Docker.configured
 & Docker.garbageCollected
 -- Orca is the main git-annex build box.
@@ -59,7 +61,8 @@ host _ = Nothing
 -- | This is where Docker containers are set up. A container
 -- can vary by hostname where it's used, or be the same everywhere.
 container :: HostName -> Docker.ContainerName -> Maybe (Docker.Container)
-container _host name
+container _parenthost name
+ -- Simple web server, publishing the outside host's /var/www
 | name == "webserver" = Just $ Docker.containerFrom
 (image $ System (Debian Unstable) "amd64")
 [ Docker.publish "8080:80"
@@ -68,6 +71,14 @@ container _host name
 & serviceRunning "apache2"
 `requires` Apt.installed ["apache2"]
 ]
+ -- My own openid provider. Uses php, so containerized for security
+ -- and administrative sanity.
+ | name == "openid-provider" = Just $ Docker.containerFrom
+ (image $ System (Debian Stable) "amd64")
+ [ Docker.publish "8081:80" , Docker.inside $ props & OpenId.providerFor ["joey", "liw"] ]
 -- armel builder has a companion container that run amd64 and
 -- runs the build first to get TH splices. They share a home
@@ -96,6 +107,7 @@ container _host name
 -- | Docker images I prefer to use.
 image :: System -> Docker.Image
 image (System (Debian Unstable) arch) = "joeyh/debian-unstable-" ++ arch
+image (System (Debian Stable) arch) = "joeyh/debian-stable-" ++ arch
 image _ = "debian-stable-official" -- does not currently exist!
 -- This is my standard system setup
-- cgit v1.2.3
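Review bot: The new `openid-provider` guard publishes the container's port 80 as plain HTTP on 8081 (`Docker.publish "8081:80"`), and neither this hunk nor the new OpenId module configures TLS, so simpleid logins would cross the network in the clear unless the outside host terminates TLS in front of it; the comment above the guard should state which is intended, e.g. `-- Served as plain HTTP on 8081; TLS must be terminated by the host in front of it.` This is also the only container built from `Debian Stable` while the sibling `webserver` guard uses `Debian Unstable`, so a short reason in the same comment would help the next reader. The enclosing `container` function starts and ends outside the hunk.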