From 9556734c02a0b05764e83419ae72710908419cdc Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 7 Mar 2016 18:20:31 -0400 Subject: got tired of needing to cherry-pick changes into joeyconfig, wrote a hook So, when I merge some branch into joeyconfig, config.hs will automatically be updated to point to joeyconfig.hs again, even if the merge changes it. And, when I merge joeyconfig into master, config.hs will be pointed back to config-simple.hs This may also be useful for others who maintain a branch like joeyconfig. --- config-joey.hs | 627 --------------------------------------------- config.hs | 2 +- contrib/post-checkout-hook | 28 ++ doc/index.mdwn | 2 +- joeyconfig.hs | 627 +++++++++++++++++++++++++++++++++++++++++++++ propellor.cabal | 3 +- 6 files changed, 659 insertions(+), 630 deletions(-) delete mode 100644 config-joey.hs create mode 100755 contrib/post-checkout-hook create mode 100644 joeyconfig.hs diff --git a/config-joey.hs b/config-joey.hs deleted file mode 100644 index bab8f466..00000000 --- a/config-joey.hs +++ /dev/null @@ -1,627 +0,0 @@ --- This is the live config file used by propellor's author. --- https://propellor.branchable.com/ -module Main where - -import Propellor -import Propellor.Property.Scheduled -import qualified Propellor.Property.File as File -import qualified Propellor.Property.Apt as Apt -import qualified Propellor.Property.Network as Network -import qualified Propellor.Property.Service as Service -import qualified Propellor.Property.Ssh as Ssh -import qualified Propellor.Property.Cron as Cron -import qualified Propellor.Property.Sudo as Sudo -import qualified Propellor.Property.User as User -import qualified Propellor.Property.Hostname as Hostname -import qualified Propellor.Property.Tor as Tor -import qualified Propellor.Property.Dns as Dns -import qualified Propellor.Property.OpenId as OpenId -import qualified Propellor.Property.Git as Git -import qualified Propellor.Property.Postfix as Postfix -import qualified Propellor.Property.Apache as Apache -import qualified Propellor.Property.LetsEncrypt as LetsEncrypt -import qualified Propellor.Property.Grub as Grub -import qualified Propellor.Property.Obnam as Obnam -import qualified Propellor.Property.Gpg as Gpg -import qualified Propellor.Property.Systemd as Systemd -import qualified Propellor.Property.Journald as Journald -import qualified Propellor.Property.Chroot as Chroot -import qualified Propellor.Property.Fail2Ban as Fail2Ban -import qualified Propellor.Property.Aiccu as Aiccu -import qualified Propellor.Property.OS as OS -import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost -import qualified Propellor.Property.HostingProvider.Linode as Linode -import qualified Propellor.Property.SiteSpecific.GitHome as GitHome -import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder -import qualified Propellor.Property.SiteSpecific.IABak as IABak -import qualified Propellor.Property.SiteSpecific.Branchable as Branchable -import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites -import Propellor.Property.DiskImage - -main :: IO () -- _ ______`| ,-.__ -main = defaultMain hosts -- / \___-=O`/|O`/__| (____.' - {- Propellor -- \ / | / ) _.-"-._ - Deployed -} -- `/-==__ _/__|/__=-| ( \_ -hosts :: [Host] -- * \ | | '--------' -hosts = -- (o) ` - [ darkstar - , gnu - , clam - , mayfly - , oyster - , orca - , honeybee - , kite - , elephant - , beaver - , pell - , iabak - ] ++ monsters - -testvm :: Host -testvm = host "testvm.kitenet.net" - & os (System (Debian Unstable) "amd64") - & OS.cleanInstallOnce (OS.Confirmed "testvm.kitenet.net") - `onChange` propertyList "fixing up after clean install" - [ OS.preserveRootSshAuthorized - , OS.preserveResolvConf - , Apt.update - , Grub.boots "/dev/sda" - `requires` Grub.installed Grub.PC - ] - & Hostname.sane - & Hostname.searchDomain - & Apt.installed ["linux-image-amd64"] - & Apt.installed ["ssh"] - & User.hasPassword (User "root") - -darkstar :: Host -darkstar = host "darkstar.kitenet.net" - & ipv6 "2001:4830:1600:187::2" - & Aiccu.hasConfig "T18376" "JHZ2-SIXXS" - - & Apt.buildDep ["git-annex"] `period` Daily - - & JoeySites.postfixClientRelay (Context "darkstar.kitenet.net") - & JoeySites.dkimMilter - & JoeySites.alarmClock "*-*-* 7:30" (User "joey") - "/usr/bin/timeout 45m /home/joey/bin/goodmorning" - - ! imageBuilt "/tmp/img" c MSDOS (grubBooted PC) - [ partition EXT2 `mountedAt` "/boot" - `setFlag` BootFlag - , partition EXT4 `mountedAt` "/" - `mountOpt` errorReadonly - , swapPartition (MegaBytes 256) - ] - where - c d = Chroot.debootstrapped mempty d - & os (System (Debian Unstable) "amd64") - & Hostname.setTo "demo" - & Apt.installed ["linux-image-amd64"] - & User "root" `User.hasInsecurePassword` "root" - -gnu :: Host -gnu = host "gnu.kitenet.net" - & Apt.buildDep ["git-annex"] `period` Daily - - & JoeySites.postfixClientRelay (Context "gnu.kitenet.net") - & JoeySites.dkimMilter - -clam :: Host -clam = standardSystem "clam.kitenet.net" Unstable "amd64" - [ "Unreliable server. Anything here may be lost at any time!" ] - & ipv4 "167.88.41.194" - - & CloudAtCost.decruft - & Ssh.hostKeys hostContext - [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAI3WUq0RaigLlcUivgNG4sXpso2ORZkMvfqKz6zkc60L6dpxvWDNmZVEH8hEjxRSYG07NehcuOgQqeyFnS++xw1hdeGjf37JqCUH49i02lra3Zxv8oPpRxyeqe5MmuzUJhlWvBdlc3O/nqZ4bTUfnxMzSYWyy6++s/BpSHttZplNAAAAFQC1DE0vzgVeNAv9smHLObQWZFe2VQAAAIBECtpJry3GC8NVTFsTHDGWksluoFPIbKiZUFFztZGdM0AO2VwAbiJ6Au6M3VddGFANgTlni6d2/9yS919zO90TaFoIjywZeXhxE2CSuRfU7sx2hqDBk73jlycem/ER0sanFhzpHVpwmLfWneTXImWyq37vhAxatJANOtbj81vQ3AAAAIBV3lcyTT9xWg1Q4vERJbvyF8mCliwZmnIPa7ohveKkxlcgUk5d6dnaqFfjVaiXBPN3Qd08WXoQ/a9k3chBPT9nW2vWgzzM8l36j2MbHLmaxGwevAc9+vx4MXqvnGHzd2ex950mC33ct3j0fzMZlO6vqEsgD4CYmiASxhfefj+JCQ==") - , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJybAjUPUWIhvVMmer8K5ZgdfI54DM6vc8Mzw+5KmVKL0TwkvzbR1HAB4heyMGtN1F8YzkWhsI3/Txh+MQUJ+i4u8SvSYc6D1q3j3ZyCi06wZ3DJS25tZrOM/thOOA1DFA4Hhb0uI/1Kg8PguNNNSMXn8F7q3F6cFQizYgszs6z6ktiST/BTC+IXWovhcnn2vQXXU8FTcTsqBFqA5dEjZbp1WDzqp3km84ZyXGmoVlpqzXeMvlkWTIshYiQjXIwPOkALzlGYjp1lw1OaxPVI1IGFcgCbIWQQWoCReb+genX2VaR+odAYXjaOdRx0lQj7UCPTBCpqMyzBMLtT5Yiaqh") - , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhfvcOuw0Yt+MnsFc4TI2gWkKi62Eajxz+TgbHMO/uRTYF8c5V8fOI3o+J/3m5+lT0S5o8j8a7xIC3COvi+AVw=") - ] - & Apt.unattendedUpgrades - & Network.ipv6to4 - & Systemd.persistentJournal - & Journald.systemMaxUse "500MiB" - - & Tor.isRelay - & Tor.named "kite1" - & Tor.bandwidthRate (Tor.PerMonth "400 GB") - - & Systemd.nspawned webserver - & File.dirExists "/var/www/html" - & File.notPresent "/var/www/index.html" - & "/var/www/html/index.html" `File.hasContent` ["hello, world"] - & alias "helloworld.kitenet.net" - - & Systemd.nspawned oldusenetShellBox - - & JoeySites.scrollBox - & alias "scroll.joeyh.name" - & alias "us.scroll.joeyh.name" - -mayfly :: Host -mayfly = standardSystem "mayfly.kitenet.net" (Stable "jessie") "amd64" - [ "Scratch VM. Contents can change at any time!" ] - & ipv4 "104.167.118.15" - - & CloudAtCost.decruft - & Apt.unattendedUpgrades - & Network.ipv6to4 - & Systemd.persistentJournal - & Journald.systemMaxUse "500MiB" - - & Tor.isRelay - & Tor.named "kite3" - & Tor.bandwidthRate (Tor.PerMonth "400 GB") - -oyster :: Host -oyster = standardSystem "oyster.kitenet.net" Unstable "amd64" - [ "Unreliable server. Anything here may be lost at any time!" ] - & ipv4 "104.167.117.109" - - & CloudAtCost.decruft - & Ssh.hostKeys hostContext - [ (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0ws/IxQegVU0RhqnIm5A/vRSPTO70wD4o2Bd1jL970dTetNyXzvWGe1spEbLjIYSLIO7WvOBSE5RhplBKFMUU=") - ] - & Apt.unattendedUpgrades - & Network.ipv6to4 - & Systemd.persistentJournal - & Journald.systemMaxUse "500MiB" - - & Tor.isRelay - & Tor.named "kite2" - & Tor.bandwidthRate (Tor.PerMonth "400 GB") - - -- Nothing is using http port 80, so listen on - -- that port for ssh, for traveling on bad networks that - -- block 22. - & Ssh.listenPort (Port 80) - -orca :: Host -orca = standardSystem "orca.kitenet.net" Unstable "amd64" - [ "Main git-annex build box." ] - & ipv4 "138.38.108.179" - - & Apt.unattendedUpgrades - & Postfix.satellite - & Apt.serviceInstalledRunning "ntp" - & Systemd.persistentJournal - - & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer - GitAnnexBuilder.standardAutoBuilder - (System (Debian Unstable) "amd64") Nothing (Cron.Times "15 * * * *") "2h") - & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer - GitAnnexBuilder.standardAutoBuilder - (System (Debian Unstable) "i386") Nothing (Cron.Times "30 * * * *") "2h") - & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer - GitAnnexBuilder.stackAutoBuilder - (System (Debian (Stable "jessie")) "i386") (Just "ancient") (Cron.Times "45 * * * *") "2h") - & Systemd.nspawned (GitAnnexBuilder.androidAutoBuilderContainer - (Cron.Times "1 1 * * *") "3h") - -honeybee :: Host -honeybee = standardSystem "honeybee.kitenet.net" Testing "armhf" - [ "Arm git-annex build box." ] - - -- I have to travel to get console access, so no automatic - -- upgrades, and try to be robust. - & "/etc/default/rcS" `File.containsLine` "FSCKFIX=yes" - - & Apt.installed ["flash-kernel"] - & "/etc/flash-kernel/machine" `File.hasContent` ["Cubietech Cubietruck"] - & Apt.installed ["linux-image-armmp"] - & Network.dhcp "eth0" `requires` Network.cleanInterfacesFile - & Postfix.satellite - - -- ipv6 used for remote access thru firewalls - & Apt.serviceInstalledRunning "aiccu" - & ipv6 "2001:4830:1600:187::2" - -- restart to deal with failure to connect, tunnel issues, etc - & Cron.job "aiccu restart daily" Cron.Daily (User "root") "/" - "service aiccu stop; service aiccu start" - - -- In case compiler needs more than available ram - & Apt.serviceInstalledRunning "swapspace" - - -- No hardware clock. - & Apt.serviceInstalledRunning "ntp" - - & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer - GitAnnexBuilder.armAutoBuilder - (System (Debian Unstable) "armel") Nothing Cron.Daily "22h") - --- This is not a complete description of kite, since it's a --- multiuser system with eg, user passwords that are not deployed --- with propellor. -kite :: Host -kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" - [ "Welcome to kite!" ] - & ipv4 "66.228.36.95" - & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2" - & alias "kitenet.net" - & alias "wren.kitenet.net" -- temporary - & Ssh.hostKeys (Context "kitenet.net") - [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45") - , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=") - , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=") - , (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZftKMnH/zH29BHMKbcBO4QsgTrstYFVhbrzrlRzBO3") - ] - - & Network.static "eth0" `requires` Network.cleanInterfacesFile - & Apt.installed ["linux-image-amd64"] - & Linode.chainPVGrub 5 - & Linode.mlocateEnabled - & Apt.unattendedUpgrades - & Systemd.installed - & Systemd.persistentJournal - & Journald.systemMaxUse "500MiB" - & Ssh.passwordAuthentication True - -- Since ssh password authentication is allowed: - & Fail2Ban.installed - & Apt.serviceInstalledRunning "ntp" - & "/etc/timezone" `File.hasContent` ["US/Eastern"] - - & Obnam.backupEncrypted "/" (Cron.Times "33 1 * * *") - [ "--repository=sftp://2318@usw-s002.rsync.net/~/kite-root.obnam" - , "--client-name=kitenet.net" - , "--exclude=/home" - , "--exclude=/var/cache" - , "--exclude=/var/tmp" - , "--exclude=/srv/git" - , "--exclude=/var/spool/oldusenet" - , "--exclude=.*/tmp/" - , "--one-file-system" - , Obnam.keepParam [Obnam.KeepDays 7, Obnam.KeepWeeks 4, Obnam.KeepMonths 6] - ] Obnam.OnlyClient (Gpg.GpgKeyId "98147487") - `requires` rootsshkey - `requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root") - & Obnam.backupEncrypted "/home" (Cron.Times "33 3 * * *") - [ "--repository=sftp://2318@usw-s002.rsync.net/~/kite-home.obnam" - , "--client-name=kitenet.net" - , "--exclude=/home/joey/lib" - , "--one-file-system" - , Obnam.keepParam [Obnam.KeepDays 7, Obnam.KeepWeeks 4, Obnam.KeepMonths 6] - ] Obnam.OnlyClient (Gpg.GpgKeyId "98147487") - `requires` rootsshkey - `requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root") - - & alias "smtp.kitenet.net" - & alias "imap.kitenet.net" - & alias "pop.kitenet.net" - & alias "mail.kitenet.net" - & JoeySites.kiteMailServer - - & JoeySites.kitenetHttps - & JoeySites.legacyWebSites - & File.ownerGroup "/srv/web" (User "joey") (Group "joey") - & Apt.installed ["analog"] - - & alias "git.kitenet.net" - & alias "git.joeyh.name" - & JoeySites.gitServer hosts - - & JoeySites.downloads hosts - & JoeySites.gitAnnexDistributor - & JoeySites.tmp - - & alias "bitlbee.kitenet.net" - & Apt.serviceInstalledRunning "bitlbee" - & "/etc/bitlbee/bitlbee.conf" `File.hasContent` - [ "[settings]" - , "User = bitlbee" - , "AuthMode = Registered" - , "[defaults]" - ] - `onChange` Service.restarted "bitlbee" - & "/etc/default/bitlbee" `File.containsLine` "BITLBEE_PORT=\"6767\"" - `onChange` Service.restarted "bitlbee" - - & Apt.installed - [ "git-annex", "myrepos" - , "build-essential", "make" - , "rss2email", "archivemail" - , "devscripts" - -- Some users have zsh as their login shell. - , "zsh" - ] - - & alias "nntp.olduse.net" - & JoeySites.oldUseNetServer hosts - - & alias "ns4.kitenet.net" - & myDnsPrimary True "kitenet.net" [] - & myDnsPrimary True "joeyh.name" [] - & myDnsPrimary True "ikiwiki.info" [] - & myDnsPrimary True "olduse.net" - [ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk") - ] - & alias "ns4.branchable.com" - & branchableSecondary - & Dns.secondaryFor ["animx"] hosts "animx.eu.org" - - -- testing - & Apache.httpsVirtualHost "letsencrypt.joeyh.name" "/var/www/html" - (LetsEncrypt.AgreeTOS (Just "id@joeyh.name")) - & alias "letsencrypt.joeyh.name" - where - rootsshkey = Ssh.userKeys (User "root") - (Context "kite.kitenet.net") - [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Gza2sNqSKfNtUN4dN/Z3rlqw18nijmXFx6df2GtBoZbkIak73uQfDuZLP+AXlyfHocwdkdHEf/zrxgXS4EokQMGLZhJ37Pr3edrEn/NEnqroiffw7kyd7EqaziA6UOezcLTjWGv+Zqg9JhitYs4WWTpNzrPH3yQf1V9FunZnkzb4gJGndts13wGmPEwSuf+QHbgQvjMOMCJwWSNcJGdhDR66hFlxfG26xx50uIczXYAbgLfHp5W6WuR/lcaS9J6i7HAPwcsPDA04XDinrcpl29QwsMW1HyGS/4FSCgrDqNZ2jzP49Bka78iCLRqfl1efyYas/Zo1jQ0x+pxq2RMr root@kite") - ] - -elephant :: Host -elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" - [ "Storage, big data, and backups, omnomnom!" - , "(Encrypt all data stored here.)" - ] - & ipv4 "193.234.225.114" - & Ssh.hostKeys hostContext - [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBANxXGWac0Yz58akI3UbLkphAa8VPDCGswTS0CT3D5xWyL9OeArISAi/OKRIvxA4c+9XnWtNXS7nYVFDJmzzg8v3ZMx543AxXK82kXCfvTOc/nAlVz9YKJAA+FmCloxpmOGrdiTx1k36FE+uQgorslGW/QTxnOcO03fDZej/ppJifAAAAFQCnenyJIw6iJB1+zuF/1TSLT8UAeQAAAIEA1WDrI8rKnxnh2rGaQ0nk+lOcVMLEr7AxParnZjgC4wt2mm/BmkF/feI1Fjft2z4D+V1W7MJHOqshliuproxhFUNGgX9fTbstFJf66p7h7OLAlwK8ZkpRk/uV3h5cIUPel6aCwjL5M2gN6/yq+gcCTXeHLq9OPyUTmlN77SBL71UAAACBAJJiCHWxPAGooe7Vv3W7EIBbsDyf7b2kDH3bsIlo+XFcKIN6jysBu4kn9utjFlrlPeHUDzGQHe+DmSqTUQQ0JPCRGcAcuJL8XUqhJi6A6ye51M9hVt51cJMXmERx9TjLOP/adkEuxpv3Fj20FxRUr1HOmvRvewSHrJ1GeA1bjbYL") - , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEQ7aNmRYyLKY7xHILQsyV/w0B3++D98vn5IvjHkDnitrUWjB+vPxlS7LYKLzN9Jx7Hb14R2lg7+wdgtFMxLZZukA8b0tqFpTdRFBvBYGh8IM8Id1iE/6io/NZl+hTQEDp0LJP+RljH1CLfz7J3qtc+v6NbfTP5cOgH104mWYoLWzJGaZ4p53jz6THRWnVXy5nPO3dSBr2f/SQgRuJQWHNIh0jicRGD8H2kzOQzilpo+Y46PWtkufl3Yu3UsP5UMAyLRIXwZ6nNRZqRiVWrX44hoNfDbooTdFobbHlqMl+y6291bOXaOA6PACk8B4IVcC89/gmc9Oe4EaDuszU5kD") - , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=") - , (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6VtXi0uygxZeCo26n6PuCTlSFCBcwRifv6N8HdWh2Z") - ] - - & Grub.chainPVGrub "hd0,0" "xen/xvda1" 30 - & Postfix.satellite - & Apt.unattendedUpgrades - & Systemd.installed - & Systemd.persistentJournal - & Ssh.userKeys (User "joey") hostContext - [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4wJuQEGno+nJvtE75IKL6JQ08sJHZ9Bzs9Dvu0zuxSEZE30MWK98/twNwCH9PVf2N9m4apfN7f9GHgHTUongfo8xnLAk4PuBSTV74YgKyOCvNYqANuKKa+76PsS/vFf/or3ct++uTEWsRyYD29cQndufwKA4rthAqHG+fifbLDC53AjcldI0zI1RckpPzT+AMazlnSBFMlpKvGD2uzSXALVRXa3vSqWkWd0z7qmIkpmpq0AAgbDLwrGBcUGV/h0rOa2s8zSeirA0tLmHNROl4cZsX0T/6VBGfBRkrHSxL67xJziATw4WPq6spYlxg84pC/5qJVr9SC5HosppbDqgj joey@elephant") - ] - & Apt.serviceInstalledRunning "swapspace" - - & alias "eubackup.kitenet.net" - & Apt.installed ["obnam", "sshfs", "rsync"] - & JoeySites.obnamRepos ["pell", "kite"] - & JoeySites.githubBackup - & JoeySites.rsyncNetBackup hosts - - & alias "podcatcher.kitenet.net" - & JoeySites.podcatcher - - & alias "znc.kitenet.net" - & JoeySites.ircBouncer - & alias "kgb.kitenet.net" - & JoeySites.kgbServer - - & alias "mumble.kitenet.net" - & JoeySites.mumbleServer hosts - - & alias "ns3.kitenet.net" - & myDnsSecondary - - & Systemd.nspawned oldusenetShellBox - & Systemd.nspawned ancientKitenet - & Systemd.nspawned openidProvider - `requires` Apt.serviceInstalledRunning "ntp" - - & JoeySites.scrollBox - & alias "scroll.joeyh.name" - & alias "eu.scroll.joeyh.name" - - -- For https port 443, shellinabox with ssh login to - -- kitenet.net - & alias "shell.kitenet.net" - & Systemd.nspawned kiteShellBox - -- Nothing is using http port 80, so listen on - -- that port for ssh, for traveling on bad networks that - -- block 22. - & Ssh.listenPort (Port 80) - -beaver :: Host -beaver = host "beaver.kitenet.net" - & ipv6 "2001:4830:1600:195::2" - & Apt.serviceInstalledRunning "aiccu" - & Apt.installed ["ssh"] - & Ssh.hostPubKey SshDsa "ssh-dss AAAAB3NzaC1kc3MAAACBAIrLX260fY0Jjj/p0syNhX8OyR8hcr6feDPGOj87bMad0k/w/taDSOzpXe0Wet7rvUTbxUjH+Q5wPd4R9zkaSDiR/tCb45OdG6JsaIkmqncwe8yrU+pqSRCxttwbcFe+UU+4AAcinjVedZjVRDj2rRaFPc9BXkPt7ffk8GwEJ31/AAAAFQCG/gOjObsr86vvldUZHCteaJttNQAAAIB5nomvcqOk/TD07DLaWKyG7gAcW5WnfY3WtnvLRAFk09aq1EuiJ6Yba99Zkb+bsxXv89FWjWDg/Z3Psa22JMyi0HEDVsOevy/1sEQ96AGH5ijLzFInfXAM7gaJKXASD7hPbVdjySbgRCdwu0dzmQWHtH+8i1CMVmA2/a5Y/wtlJAAAAIAUZj2US2D378jBwyX1Py7e4sJfea3WSGYZjn4DLlsLGsB88POuh32aOChd1yzF6r6C2sdoPBHQcWBgNGXcx4gF0B5UmyVHg3lIX2NVSG1ZmfuLNJs9iKNu4cHXUmqBbwFYQJBvB69EEtrOw4jSbiTKwHFmqdA/mw1VsMB+khUaVw==" - & alias "usbackup.kitenet.net" - & JoeySites.backupsBackedupFrom hosts "eubackup.kitenet.net" "/home/joey/lib/backup" - & Apt.serviceInstalledRunning "anacron" - & Cron.niceJob "system disk backed up" Cron.Weekly (User "root") "/" - "rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/" - --- Branchable is not completely deployed with propellor yet. -pell :: Host -pell = host "pell.branchable.com" - & alias "branchable.com" - & ipv4 "66.228.46.55" - & ipv6 "2600:3c03::f03c:91ff:fedf:c0e5" - - -- All the websites I host at branchable that don't use - -- branchable.com dns. - & alias "olduse.net" - & alias "www.olduse.net" - & alias "www.kitenet.net" - & alias "joeyh.name" - & alias "campaign.joeyh.name" - & alias "ikiwiki.info" - & alias "git.ikiwiki.info" - & alias "l10n.ikiwiki.info" - & alias "dist-bugs.kitenet.net" - & alias "family.kitenet.net" - - & Apt.installed ["linux-image-amd64"] - & Linode.chainPVGrub 5 - & Apt.unattendedUpgrades - & Branchable.server hosts - -iabak :: Host -iabak = host "iabak.archiveteam.org" - & ipv4 "124.6.40.227" - & Hostname.sane - & os (System (Debian Testing) "amd64") - & Systemd.persistentJournal - & Cron.runPropellor (Cron.Times "30 * * * *") - & Apt.stdSourcesList `onChange` Apt.upgrade - & Apt.installed ["git", "ssh"] - & Ssh.hostKeys (Context "iabak.archiveteam.org") - [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAMhuYTshLxavWCpfyJxg3j/GWyIRlL3VTharsfUTzMOqyMSWantZjflfJX21z2KzFDtPEA711GYztsgMVXMrsPQInaOKNISe/R9cfgnEktKTxeppWTfw0GTNcpCeeecddU0FCPVW3a6yDoT6+Rv0jPvkQoDGmhQ40MhauMrO0mJ9AAAAFQDpCbXG8o/3Sg7wrsp5abizJoQ0yQAAAIEAxxyHo/ZhDPP+EWtDS05s5dwiDMUsxIllk1NeleAOQIyLtFkaifOeskDJybIPWYPGX1trjcPoGuXJ5GBYrRaPiu6FBvYdYMFRLr4uNBsaSHHqlHhBPkP3RzCrdUyau4XyjdE4iA0EQlO+u11A+o3f7aTuJSveM0YRfbqvaatG89EAAACAWd0h0SkRLnGjBzkou0SQfYujFY9ilhWXPWV/oOs+bieDSpvfmnaEfLSinVFRrJPvQp/dtpxPLEm+StrK3w6dmwTZVUM5JEoB1mRjBkVs6gPC9PVVg9qLpzC2/x+r5cTfrffjyRrlPdkwLKpO6oiPxTIxAyCW8ixjafkxe2hAeJo=") - , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP13oPRLRY0V9ZDWojb8TgHbUdE30Nq3b541TwPmlLMbYPAhldxGHkuXGlX8g9/FYP/1AgkPcxs2Uc61ZV+1Ss7q7t52f4R0bO4WHqxfdXHd9FlLzMLWxMU3aMr693pGlhnUp3/xH6O6/+bNEIo3VGGgv9XDr2cAxypS9J7X9ibHZcZ3BGvoCR+nnFJ00ERG2tREKZBPDWKk76lhCiM21fG/CSmcApXaA45FHDaM9/2Clj1sXvoS72f0hEKpl1m08sUx+F0GPzQESnKqNFl+xXdYPPbfhdrgCnDmx9tL5NnXsJU2beFiuxpICOeB1HV6DJsdlO18WqwXYhOg/2A1H3") - , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHb0kXcrF5ThwS8wB0Hez404Zp9bz78ZxEGSqnwuF4d/N3+bymg7/HAj7l/SzRoEXKHsJ7P5320oMxBHeM16Y+k=") - ] - & Apt.installed ["etckeeper", "sudo"] - & Apt.installed ["vim", "screen", "tmux", "less", "emax-nox", "netcat"] - & User.hasSomePassword (User "root") - & propertyList "admin accounts" - (map User.accountFor admins ++ map Sudo.enabledFor admins) - & User.hasSomePassword (User "joey") - & GitHome.installedFor (User "joey") - & Ssh.authorizedKey (User "db48x") "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAIAQDQ6urXcMDeyuFf4Ga7CuGezTShKnEMPHKJm7RQUtw3yXCPX5wnbvPS2+UFnHMzJvWOX5S5b/XpBpOusP0jLpxwOCEg4nA5b7uvWJ2VIChlMqopYMo+tDOYzK/Q74MZiNWi2hvf1tn3N9SnqOa7muBMKMENIX5KJdH8cJ/BaPqAP883gF8r2SwSZFvaB0xYCT/CIylC593n/+0+Lm07NUJIO8jil3n2SwXdVg6ib65FxZoO86M46wTghnB29GXqrzraOg+5DY1zzCWpIUtFwGr4DP0HqLVtmAkC7NI14l1M0oHE0UEbhoLx/a+mOIMD2DuzW3Rs3ZmHtGLj4PL/eBU8D33AqSeM0uR/0pEcoq6A3a8ixibj9MBYD2lMh+Doa2audxS1OLM//FeNccbm1zlvvde82PZtiO11P98uN+ja4A+CfgQU5s0z0wikc4gXNhWpgvz8DrOEJrjstwOoqkLg2PpIdHRw7dhpp3K1Pc+CGAptDwbKkxs4rzUgMbO9DKI7fPcXXgKHLLShMpmSA2vsQUMfuCp2cVrQJ+Vkbwo29N0Js5yU7L4NL4H854Nbk5uwWJCs/mjXtvTimN2va23HEecTpk44HDUjJ9NyevAfPcO9q1ZtgXFTQSMcdv1m10Fvmnaiy8biHnopL6MBo1VRITh5UFiJYfK4kpTTg2vSspii/FYkkYOAnnZtXZqMehP7OZjJ6HWJpsCVR2hxP3sKOoQu+kcADWa/4obdp+z7gY8iMMjd6kwuIWsNV8KsX+eVJ4UFpAi/L00ZjI2B9QLVCsOg6D1fT0698wEchwUROy5vZZJq0078BdAGnwC0WGLt+7OUgn3O2gUAkb9ffD0odbZSqq96NCelM6RaHA+AaIE4tjGL3lFkyOtb+IGPNACQ73/lmaRQd6Cgasq9cEo0g22Ew5NQi0CBuu1aLDk7ezu3SbU09eB9lcZ+8lFnl5K2eQFeVJStFJbJNfOvgKyOb7ePsrUFF5GJ2J/o1F60fRnG64HizZHxyFWkEOh+k3i8qO+whPa5MTQeYLYb6ysaTPrUwNRcSNNCcPEN8uYOh1dOFAtIYDcYA56BZ321yz0b5umj+pLsrFU+4wMjWxZi0inJzDS4dVegBVcRm0NP5u8VRosJQE9xdbt5K1I0khzhrEW1kowoTbhsZCaDHhL9LZo73Z1WIHvulvlF3RLZip5hhtQu3ZVkbdV5uts8AWaEWVnIu9z0GtQeeOuseZpT0u1/1xjVAOKIzuY3sB7FKOaipe8TDvmdiQf/ICySqqYaYhN6GOhiYccSleoX6yzhYuCvzTgAyWHIfW0t25ff1CM7Vn+Vo9cVplIer1pbwhZZy4QkROWTOE+3yuRlQ+o6op4hTGdAZhjKh9zkDW7rzqQECFrZrX/9mJhxYKjhpkk0X3dSipPt9SUHagc4igya+NgCygQkWBOQfr4uia0LcwDxy4Kchw7ZuypHuGVZkGhNHXS+9JdAHopnSqYwDMG/z1ys1vQihgER0b9g3TchvGF+nmHe2kbM1iuIYMNNlaZD1yGZ5qR7wr/8dw8r0NBEwzsUfak3BUPX7H6X0tGS96llwUxmvQD85WNNoef0uryuAtDEwWlfN1RmWysZDc57Rn4gZi0M5jXmQD23ZiYXYBcG849OeqNzlxONEFsForXO/29Ud4x/Hqa9tf+kJbqMRsaLFO+PXhHzgl6ZHLAljQDxrJ6keNnkqaYfqQ8wyRi1mKv4Ab57kde7mUsZhe7w93GaE9Lxfvu7d3pB+lXfI9NJCSITHreUP4JfmFW+p/eVg+r/1wbElNylGna4I4+qYObOUncGwFKYdFPdtU1XLDKXmywTEgbEh7iI9zX0xD3bPHQLMg+TTtXiU9dQm1x/0zRf9trwDsRDJCbG4/P4iQYkcVvYx2CCfi0JSHv8tWsLi3GJKJLXUxZyzfvY2lThPeYnnY/HFrPJCyJUN55QuRmfzbu8rHgWlcyOlVpKtz+7kn823kEQykiIYKIKrb0G6VBzuMtAk9XzJPv+Wu7suOGXHlVfCqPLk6RjHDm4kTYciW9VgxDts5Y+zwcAbrUeA4UuN/6KisWpivMrfDSIHUCeH/lHBtNkqKohdrUKJMEOx5X6r2dJbmoTFBDi5XtYu/5cBtiDMmupNB0S+pZ2JD5/RKtj6kgzTeE1q/OG4q/eq1O1rjf0vIS31luy27K/YHFIGE0D/CmuXE74Uyaxm27RnrKUxEBl84V70GaIF4F5On8pSThxxizigXTRTKiczc+A5Zi29mid+1EFeUAJOa/DuHJfpVNY4pYEmhPl/Bk66L8kzlbJz6Hg/LIiJIRcy3UKrbSxPFIDpXn33drBHgklMDlrIVDZDXF6cn0Ml71SabB4A3TM6TK+oWZoyvftPIhcWhVwAWQj7nFNAiMEl1z/29ovHrRooqQFozf7GDW8Mjiu7ChZP9zx2H8JB/AAEFuWMwGV4AHICYdS9lOl/v+cDhgsnXdeuKEuxHhYlRxuRxJk/f17Sm/5H85UIzlu85wi3q/DW2FTZnlw4iJLnL6FArUIMzuBOZyoEhh0SPR41Xc4kkucDhnENybTZSR/yDzb0P1B7qjZ4GqcSEFja/hm/LH1oKJzZg8MEqeUoKYCUdVv9ek4IUGUONtVs53V5SOwFWR/nVuDk2BENr7NadYYVtu6MjBwgjso7NuhoNxVwIEP3BW67OQ8bxfNBtJJQNJejAhgZiqJItI9ucAfjQ== db48x@anglachel" - & Apt.installed ["sudo"] - & Ssh.noPasswords - & IABak.gitServer monsters - & IABak.registrationServer monsters - & IABak.graphiteServer - & IABak.publicFace - where - admins = map User ["joey", "db48x"] - - --' __|II| ,. - ---- __|II|II|__ ( \_,/\ ---'-------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/ __/ -'-.-'-.-'-.-'-.-'-.-'- --------------------------- | [Containers] / -------------------------- --------------------------- : / --------------------------- ---------------------------- \____, o ,' ---------------------------- ----------------------------- '--,___________,' ----------------------------- - --- Simple web server, publishing the outside host's /var/www -webserver :: Systemd.Container -webserver = standardStableContainer "webserver" - & Systemd.bind "/var/www" - & Apache.installed - --- My own openid provider. Uses php, so containerized for security --- and administrative sanity. -openidProvider :: Systemd.Container -openidProvider = standardStableContainer "openid-provider" - & alias hn - & OpenId.providerFor [User "joey", User "liw"] hn (Just (Port 8081)) - where - hn = "openid.kitenet.net" - --- Exhibit: kite's 90's website on port 1994. -ancientKitenet :: Systemd.Container -ancientKitenet = standardStableContainer "ancient-kitenet" - & alias hn - & Git.cloned (User "root") "git://kitenet-net.branchable.com/" "/var/www/html" - (Just "remotes/origin/old-kitenet.net") - & Apache.installed - & Apache.listenPorts [p] - & Apache.virtualHost hn p "/var/www/html" - & Apache.siteDisabled "000-default" - where - p = Port 1994 - hn = "ancient.kitenet.net" - -oldusenetShellBox :: Systemd.Container -oldusenetShellBox = standardStableContainer "oldusenet-shellbox" - & alias "shell.olduse.net" - & JoeySites.oldUseNetShellBox - -kiteShellBox :: Systemd.Container -kiteShellBox = standardStableContainer "kiteshellbox" - & JoeySites.kiteShellBox - -type Motd = [String] - --- This is my standard system setup. -standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host -standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd - & Ssh.noPasswords - -standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host -standardSystemUnhardened hn suite arch motd = host hn - & os (System (Debian suite) arch) - & Hostname.sane - & Hostname.searchDomain - & File.hasContent "/etc/motd" ("":motd++[""]) - & Apt.stdSourcesList `onChange` Apt.upgrade - & Apt.cacheCleaned - & Apt.installed ["etckeeper"] - & Apt.installed ["ssh", "mosh"] - & GitHome.installedFor (User "root") - & User.hasSomePassword (User "root") - & User.accountFor (User "joey") - & User.hasSomePassword (User "joey") - & Sudo.enabledFor (User "joey") - & GitHome.installedFor (User "joey") - & Apt.installed ["vim", "screen", "less"] - & Cron.runPropellor (Cron.Times "30 * * * *") - -- I use postfix, or no MTA. - & Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"] - `onChange` Apt.autoRemove - --- This is my standard container setup, Featuring automatic upgrades. -standardContainer :: Systemd.MachineName -> DebianSuite -> Architecture -> Systemd.Container -standardContainer name suite arch = - Systemd.container name system (Chroot.debootstrapped mempty) - & Apt.stdSourcesList `onChange` Apt.upgrade - & Apt.unattendedUpgrades - & Apt.cacheCleaned - where - system = System (Debian suite) arch - -standardStableContainer :: Systemd.MachineName -> Systemd.Container -standardStableContainer name = standardContainer name (Stable "jessie") "amd64" - -myDnsSecondary :: Property HasInfo -myDnsSecondary = propertyList "dns secondary for all my domains" $ props - & Dns.secondary hosts "kitenet.net" - & Dns.secondary hosts "joeyh.name" - & Dns.secondary hosts "ikiwiki.info" - & Dns.secondary hosts "olduse.net" - -branchableSecondary :: RevertableProperty HasInfo -branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com" - --- Currently using kite (ns4) as primary with secondaries --- elephant (ns3) and gandi. --- kite handles all mail. -myDnsPrimary :: Bool -> Domain -> [(BindDomain, Record)] -> RevertableProperty HasInfo -myDnsPrimary dnssec domain extras = (if dnssec then Dns.signedPrimary (Weekly Nothing) else Dns.primary) hosts domain - (Dns.mkSOA "ns4.kitenet.net" 100) $ - [ (RootDomain, NS $ AbsDomain "ns4.kitenet.net") - , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") - , (RootDomain, NS $ AbsDomain "ns6.gandi.net") - , (RootDomain, MX 0 $ AbsDomain "kitenet.net") - , (RootDomain, TXT "v=spf1 a a:kitenet.net ~all") - , JoeySites.domainKey - ] ++ extras - - -monsters :: [Host] -- Systems I don't manage with propellor, -monsters = -- but do want to track their public keys etc. - [ host "usw-s002.rsync.net" - & Ssh.hostPubKey SshEd25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7yTEBGfQYdwG/oeL+U9XPMIh/dW7XNs9T+M79YIOrd" - , host "github.com" - & Ssh.hostPubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" - , host "gitlab.com" - & Ssh.hostPubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=" - , host "ns6.gandi.net" - & ipv4 "217.70.177.40" - , host "turtle.kitenet.net" - & ipv4 "67.223.19.96" - & ipv6 "2001:4978:f:2d9::2" - , host "mouse.kitenet.net" - & ipv6 "2001:4830:1600:492::2" - , host "animx" - & ipv4 "76.7.162.101" - & ipv4 "76.7.162.186" - ] - - - - -- o - -- ___ o o - {-----\ / o \ ___o o - { \ __ \ / _ (X___>-- __o - _____________________{ ______\___ \__/ | \__/ \____ |X__> - < \___//|\\___/\ \____________ _ - \ ___/ | \___ # # \ (-) - \ O O O # | \ # >=) - \______________________________# # / #__________________/ (-} - - diff --git a/config.hs b/config.hs index 07959a0a..97d90636 120000 --- a/config.hs +++ b/config.hs @@ -1 +1 @@ -config-joey.hs \ No newline at end of file +joeyconfig.hs \ No newline at end of file diff --git a/contrib/post-checkout-hook b/contrib/post-checkout-hook new file mode 100755 index 00000000..38998398 --- /dev/null +++ b/contrib/post-checkout-hook @@ -0,0 +1,28 @@ +#!/bin/sh +# +# git post-checkout hook, used by propellor's author to maintain a +# joeyconfig branch where config.hs is a symlink to joeyconfig.hs +# +# Each time this hook is run, it checks if it's on a branch with +# name ending in "config". If so, config.hs is pointed at $branch.hs +# Otherwise, config.hs is pointed at config-simple.hs +# + +set -e +prevhead="$1" +newhead="$2" +branchcheckout="$3" +if [ "$branchcheckout" != 0 ]; then + branch="$(git symbolic-ref --short HEAD)" + case "$branch" in + "") + true + ;; + *config) + ln -sf "$branch".hs config.hs + ;; + *) + ln -sf config-simple.hs config.hs + ;; + esac +fi diff --git a/doc/index.mdwn b/doc/index.mdwn index 5961ae87..52c23021 100644 --- a/doc/index.mdwn +++ b/doc/index.mdwn @@ -4,7 +4,7 @@ [[Install]] [API documentation](http://hackage.haskell.org/package/propellor) [[Other Documentation|documentation]] -[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=config-joey.hs) +[Sample config file](http://git.joeyh.name/?p=propellor.git;a=blob;f=joeyconfig.hs) [[Security]] [[Todo]] [[Forum]] diff --git a/joeyconfig.hs b/joeyconfig.hs new file mode 100644 index 00000000..bab8f466 --- /dev/null +++ b/joeyconfig.hs @@ -0,0 +1,627 @@ +-- This is the live config file used by propellor's author. +-- https://propellor.branchable.com/ +module Main where + +import Propellor +import Propellor.Property.Scheduled +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.Network as Network +import qualified Propellor.Property.Service as Service +import qualified Propellor.Property.Ssh as Ssh +import qualified Propellor.Property.Cron as Cron +import qualified Propellor.Property.Sudo as Sudo +import qualified Propellor.Property.User as User +import qualified Propellor.Property.Hostname as Hostname +import qualified Propellor.Property.Tor as Tor +import qualified Propellor.Property.Dns as Dns +import qualified Propellor.Property.OpenId as OpenId +import qualified Propellor.Property.Git as Git +import qualified Propellor.Property.Postfix as Postfix +import qualified Propellor.Property.Apache as Apache +import qualified Propellor.Property.LetsEncrypt as LetsEncrypt +import qualified Propellor.Property.Grub as Grub +import qualified Propellor.Property.Obnam as Obnam +import qualified Propellor.Property.Gpg as Gpg +import qualified Propellor.Property.Systemd as Systemd +import qualified Propellor.Property.Journald as Journald +import qualified Propellor.Property.Chroot as Chroot +import qualified Propellor.Property.Fail2Ban as Fail2Ban +import qualified Propellor.Property.Aiccu as Aiccu +import qualified Propellor.Property.OS as OS +import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost +import qualified Propellor.Property.HostingProvider.Linode as Linode +import qualified Propellor.Property.SiteSpecific.GitHome as GitHome +import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder +import qualified Propellor.Property.SiteSpecific.IABak as IABak +import qualified Propellor.Property.SiteSpecific.Branchable as Branchable +import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites +import Propellor.Property.DiskImage + +main :: IO () -- _ ______`| ,-.__ +main = defaultMain hosts -- / \___-=O`/|O`/__| (____.' + {- Propellor -- \ / | / ) _.-"-._ + Deployed -} -- `/-==__ _/__|/__=-| ( \_ +hosts :: [Host] -- * \ | | '--------' +hosts = -- (o) ` + [ darkstar + , gnu + , clam + , mayfly + , oyster + , orca + , honeybee + , kite + , elephant + , beaver + , pell + , iabak + ] ++ monsters + +testvm :: Host +testvm = host "testvm.kitenet.net" + & os (System (Debian Unstable) "amd64") + & OS.cleanInstallOnce (OS.Confirmed "testvm.kitenet.net") + `onChange` propertyList "fixing up after clean install" + [ OS.preserveRootSshAuthorized + , OS.preserveResolvConf + , Apt.update + , Grub.boots "/dev/sda" + `requires` Grub.installed Grub.PC + ] + & Hostname.sane + & Hostname.searchDomain + & Apt.installed ["linux-image-amd64"] + & Apt.installed ["ssh"] + & User.hasPassword (User "root") + +darkstar :: Host +darkstar = host "darkstar.kitenet.net" + & ipv6 "2001:4830:1600:187::2" + & Aiccu.hasConfig "T18376" "JHZ2-SIXXS" + + & Apt.buildDep ["git-annex"] `period` Daily + + & JoeySites.postfixClientRelay (Context "darkstar.kitenet.net") + & JoeySites.dkimMilter + & JoeySites.alarmClock "*-*-* 7:30" (User "joey") + "/usr/bin/timeout 45m /home/joey/bin/goodmorning" + + ! imageBuilt "/tmp/img" c MSDOS (grubBooted PC) + [ partition EXT2 `mountedAt` "/boot" + `setFlag` BootFlag + , partition EXT4 `mountedAt` "/" + `mountOpt` errorReadonly + , swapPartition (MegaBytes 256) + ] + where + c d = Chroot.debootstrapped mempty d + & os (System (Debian Unstable) "amd64") + & Hostname.setTo "demo" + & Apt.installed ["linux-image-amd64"] + & User "root" `User.hasInsecurePassword` "root" + +gnu :: Host +gnu = host "gnu.kitenet.net" + & Apt.buildDep ["git-annex"] `period` Daily + + & JoeySites.postfixClientRelay (Context "gnu.kitenet.net") + & JoeySites.dkimMilter + +clam :: Host +clam = standardSystem "clam.kitenet.net" Unstable "amd64" + [ "Unreliable server. Anything here may be lost at any time!" ] + & ipv4 "167.88.41.194" + + & CloudAtCost.decruft + & Ssh.hostKeys hostContext + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAI3WUq0RaigLlcUivgNG4sXpso2ORZkMvfqKz6zkc60L6dpxvWDNmZVEH8hEjxRSYG07NehcuOgQqeyFnS++xw1hdeGjf37JqCUH49i02lra3Zxv8oPpRxyeqe5MmuzUJhlWvBdlc3O/nqZ4bTUfnxMzSYWyy6++s/BpSHttZplNAAAAFQC1DE0vzgVeNAv9smHLObQWZFe2VQAAAIBECtpJry3GC8NVTFsTHDGWksluoFPIbKiZUFFztZGdM0AO2VwAbiJ6Au6M3VddGFANgTlni6d2/9yS919zO90TaFoIjywZeXhxE2CSuRfU7sx2hqDBk73jlycem/ER0sanFhzpHVpwmLfWneTXImWyq37vhAxatJANOtbj81vQ3AAAAIBV3lcyTT9xWg1Q4vERJbvyF8mCliwZmnIPa7ohveKkxlcgUk5d6dnaqFfjVaiXBPN3Qd08WXoQ/a9k3chBPT9nW2vWgzzM8l36j2MbHLmaxGwevAc9+vx4MXqvnGHzd2ex950mC33ct3j0fzMZlO6vqEsgD4CYmiASxhfefj+JCQ==") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJybAjUPUWIhvVMmer8K5ZgdfI54DM6vc8Mzw+5KmVKL0TwkvzbR1HAB4heyMGtN1F8YzkWhsI3/Txh+MQUJ+i4u8SvSYc6D1q3j3ZyCi06wZ3DJS25tZrOM/thOOA1DFA4Hhb0uI/1Kg8PguNNNSMXn8F7q3F6cFQizYgszs6z6ktiST/BTC+IXWovhcnn2vQXXU8FTcTsqBFqA5dEjZbp1WDzqp3km84ZyXGmoVlpqzXeMvlkWTIshYiQjXIwPOkALzlGYjp1lw1OaxPVI1IGFcgCbIWQQWoCReb+genX2VaR+odAYXjaOdRx0lQj7UCPTBCpqMyzBMLtT5Yiaqh") + , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhfvcOuw0Yt+MnsFc4TI2gWkKi62Eajxz+TgbHMO/uRTYF8c5V8fOI3o+J/3m5+lT0S5o8j8a7xIC3COvi+AVw=") + ] + & Apt.unattendedUpgrades + & Network.ipv6to4 + & Systemd.persistentJournal + & Journald.systemMaxUse "500MiB" + + & Tor.isRelay + & Tor.named "kite1" + & Tor.bandwidthRate (Tor.PerMonth "400 GB") + + & Systemd.nspawned webserver + & File.dirExists "/var/www/html" + & File.notPresent "/var/www/index.html" + & "/var/www/html/index.html" `File.hasContent` ["hello, world"] + & alias "helloworld.kitenet.net" + + & Systemd.nspawned oldusenetShellBox + + & JoeySites.scrollBox + & alias "scroll.joeyh.name" + & alias "us.scroll.joeyh.name" + +mayfly :: Host +mayfly = standardSystem "mayfly.kitenet.net" (Stable "jessie") "amd64" + [ "Scratch VM. Contents can change at any time!" ] + & ipv4 "104.167.118.15" + + & CloudAtCost.decruft + & Apt.unattendedUpgrades + & Network.ipv6to4 + & Systemd.persistentJournal + & Journald.systemMaxUse "500MiB" + + & Tor.isRelay + & Tor.named "kite3" + & Tor.bandwidthRate (Tor.PerMonth "400 GB") + +oyster :: Host +oyster = standardSystem "oyster.kitenet.net" Unstable "amd64" + [ "Unreliable server. Anything here may be lost at any time!" ] + & ipv4 "104.167.117.109" + + & CloudAtCost.decruft + & Ssh.hostKeys hostContext + [ (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0ws/IxQegVU0RhqnIm5A/vRSPTO70wD4o2Bd1jL970dTetNyXzvWGe1spEbLjIYSLIO7WvOBSE5RhplBKFMUU=") + ] + & Apt.unattendedUpgrades + & Network.ipv6to4 + & Systemd.persistentJournal + & Journald.systemMaxUse "500MiB" + + & Tor.isRelay + & Tor.named "kite2" + & Tor.bandwidthRate (Tor.PerMonth "400 GB") + + -- Nothing is using http port 80, so listen on + -- that port for ssh, for traveling on bad networks that + -- block 22. + & Ssh.listenPort (Port 80) + +orca :: Host +orca = standardSystem "orca.kitenet.net" Unstable "amd64" + [ "Main git-annex build box." ] + & ipv4 "138.38.108.179" + + & Apt.unattendedUpgrades + & Postfix.satellite + & Apt.serviceInstalledRunning "ntp" + & Systemd.persistentJournal + + & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer + GitAnnexBuilder.standardAutoBuilder + (System (Debian Unstable) "amd64") Nothing (Cron.Times "15 * * * *") "2h") + & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer + GitAnnexBuilder.standardAutoBuilder + (System (Debian Unstable) "i386") Nothing (Cron.Times "30 * * * *") "2h") + & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer + GitAnnexBuilder.stackAutoBuilder + (System (Debian (Stable "jessie")) "i386") (Just "ancient") (Cron.Times "45 * * * *") "2h") + & Systemd.nspawned (GitAnnexBuilder.androidAutoBuilderContainer + (Cron.Times "1 1 * * *") "3h") + +honeybee :: Host +honeybee = standardSystem "honeybee.kitenet.net" Testing "armhf" + [ "Arm git-annex build box." ] + + -- I have to travel to get console access, so no automatic + -- upgrades, and try to be robust. + & "/etc/default/rcS" `File.containsLine` "FSCKFIX=yes" + + & Apt.installed ["flash-kernel"] + & "/etc/flash-kernel/machine" `File.hasContent` ["Cubietech Cubietruck"] + & Apt.installed ["linux-image-armmp"] + & Network.dhcp "eth0" `requires` Network.cleanInterfacesFile + & Postfix.satellite + + -- ipv6 used for remote access thru firewalls + & Apt.serviceInstalledRunning "aiccu" + & ipv6 "2001:4830:1600:187::2" + -- restart to deal with failure to connect, tunnel issues, etc + & Cron.job "aiccu restart daily" Cron.Daily (User "root") "/" + "service aiccu stop; service aiccu start" + + -- In case compiler needs more than available ram + & Apt.serviceInstalledRunning "swapspace" + + -- No hardware clock. + & Apt.serviceInstalledRunning "ntp" + + & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer + GitAnnexBuilder.armAutoBuilder + (System (Debian Unstable) "armel") Nothing Cron.Daily "22h") + +-- This is not a complete description of kite, since it's a +-- multiuser system with eg, user passwords that are not deployed +-- with propellor. +kite :: Host +kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64" + [ "Welcome to kite!" ] + & ipv4 "66.228.36.95" + & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2" + & alias "kitenet.net" + & alias "wren.kitenet.net" -- temporary + & Ssh.hostKeys (Context "kitenet.net") + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=") + , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=") + , (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZftKMnH/zH29BHMKbcBO4QsgTrstYFVhbrzrlRzBO3") + ] + + & Network.static "eth0" `requires` Network.cleanInterfacesFile + & Apt.installed ["linux-image-amd64"] + & Linode.chainPVGrub 5 + & Linode.mlocateEnabled + & Apt.unattendedUpgrades + & Systemd.installed + & Systemd.persistentJournal + & Journald.systemMaxUse "500MiB" + & Ssh.passwordAuthentication True + -- Since ssh password authentication is allowed: + & Fail2Ban.installed + & Apt.serviceInstalledRunning "ntp" + & "/etc/timezone" `File.hasContent` ["US/Eastern"] + + & Obnam.backupEncrypted "/" (Cron.Times "33 1 * * *") + [ "--repository=sftp://2318@usw-s002.rsync.net/~/kite-root.obnam" + , "--client-name=kitenet.net" + , "--exclude=/home" + , "--exclude=/var/cache" + , "--exclude=/var/tmp" + , "--exclude=/srv/git" + , "--exclude=/var/spool/oldusenet" + , "--exclude=.*/tmp/" + , "--one-file-system" + , Obnam.keepParam [Obnam.KeepDays 7, Obnam.KeepWeeks 4, Obnam.KeepMonths 6] + ] Obnam.OnlyClient (Gpg.GpgKeyId "98147487") + `requires` rootsshkey + `requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root") + & Obnam.backupEncrypted "/home" (Cron.Times "33 3 * * *") + [ "--repository=sftp://2318@usw-s002.rsync.net/~/kite-home.obnam" + , "--client-name=kitenet.net" + , "--exclude=/home/joey/lib" + , "--one-file-system" + , Obnam.keepParam [Obnam.KeepDays 7, Obnam.KeepWeeks 4, Obnam.KeepMonths 6] + ] Obnam.OnlyClient (Gpg.GpgKeyId "98147487") + `requires` rootsshkey + `requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root") + + & alias "smtp.kitenet.net" + & alias "imap.kitenet.net" + & alias "pop.kitenet.net" + & alias "mail.kitenet.net" + & JoeySites.kiteMailServer + + & JoeySites.kitenetHttps + & JoeySites.legacyWebSites + & File.ownerGroup "/srv/web" (User "joey") (Group "joey") + & Apt.installed ["analog"] + + & alias "git.kitenet.net" + & alias "git.joeyh.name" + & JoeySites.gitServer hosts + + & JoeySites.downloads hosts + & JoeySites.gitAnnexDistributor + & JoeySites.tmp + + & alias "bitlbee.kitenet.net" + & Apt.serviceInstalledRunning "bitlbee" + & "/etc/bitlbee/bitlbee.conf" `File.hasContent` + [ "[settings]" + , "User = bitlbee" + , "AuthMode = Registered" + , "[defaults]" + ] + `onChange` Service.restarted "bitlbee" + & "/etc/default/bitlbee" `File.containsLine` "BITLBEE_PORT=\"6767\"" + `onChange` Service.restarted "bitlbee" + + & Apt.installed + [ "git-annex", "myrepos" + , "build-essential", "make" + , "rss2email", "archivemail" + , "devscripts" + -- Some users have zsh as their login shell. + , "zsh" + ] + + & alias "nntp.olduse.net" + & JoeySites.oldUseNetServer hosts + + & alias "ns4.kitenet.net" + & myDnsPrimary True "kitenet.net" [] + & myDnsPrimary True "joeyh.name" [] + & myDnsPrimary True "ikiwiki.info" [] + & myDnsPrimary True "olduse.net" + [ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk") + ] + & alias "ns4.branchable.com" + & branchableSecondary + & Dns.secondaryFor ["animx"] hosts "animx.eu.org" + + -- testing + & Apache.httpsVirtualHost "letsencrypt.joeyh.name" "/var/www/html" + (LetsEncrypt.AgreeTOS (Just "id@joeyh.name")) + & alias "letsencrypt.joeyh.name" + where + rootsshkey = Ssh.userKeys (User "root") + (Context "kite.kitenet.net") + [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Gza2sNqSKfNtUN4dN/Z3rlqw18nijmXFx6df2GtBoZbkIak73uQfDuZLP+AXlyfHocwdkdHEf/zrxgXS4EokQMGLZhJ37Pr3edrEn/NEnqroiffw7kyd7EqaziA6UOezcLTjWGv+Zqg9JhitYs4WWTpNzrPH3yQf1V9FunZnkzb4gJGndts13wGmPEwSuf+QHbgQvjMOMCJwWSNcJGdhDR66hFlxfG26xx50uIczXYAbgLfHp5W6WuR/lcaS9J6i7HAPwcsPDA04XDinrcpl29QwsMW1HyGS/4FSCgrDqNZ2jzP49Bka78iCLRqfl1efyYas/Zo1jQ0x+pxq2RMr root@kite") + ] + +elephant :: Host +elephant = standardSystem "elephant.kitenet.net" Unstable "amd64" + [ "Storage, big data, and backups, omnomnom!" + , "(Encrypt all data stored here.)" + ] + & ipv4 "193.234.225.114" + & Ssh.hostKeys hostContext + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBANxXGWac0Yz58akI3UbLkphAa8VPDCGswTS0CT3D5xWyL9OeArISAi/OKRIvxA4c+9XnWtNXS7nYVFDJmzzg8v3ZMx543AxXK82kXCfvTOc/nAlVz9YKJAA+FmCloxpmOGrdiTx1k36FE+uQgorslGW/QTxnOcO03fDZej/ppJifAAAAFQCnenyJIw6iJB1+zuF/1TSLT8UAeQAAAIEA1WDrI8rKnxnh2rGaQ0nk+lOcVMLEr7AxParnZjgC4wt2mm/BmkF/feI1Fjft2z4D+V1W7MJHOqshliuproxhFUNGgX9fTbstFJf66p7h7OLAlwK8ZkpRk/uV3h5cIUPel6aCwjL5M2gN6/yq+gcCTXeHLq9OPyUTmlN77SBL71UAAACBAJJiCHWxPAGooe7Vv3W7EIBbsDyf7b2kDH3bsIlo+XFcKIN6jysBu4kn9utjFlrlPeHUDzGQHe+DmSqTUQQ0JPCRGcAcuJL8XUqhJi6A6ye51M9hVt51cJMXmERx9TjLOP/adkEuxpv3Fj20FxRUr1HOmvRvewSHrJ1GeA1bjbYL") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrEQ7aNmRYyLKY7xHILQsyV/w0B3++D98vn5IvjHkDnitrUWjB+vPxlS7LYKLzN9Jx7Hb14R2lg7+wdgtFMxLZZukA8b0tqFpTdRFBvBYGh8IM8Id1iE/6io/NZl+hTQEDp0LJP+RljH1CLfz7J3qtc+v6NbfTP5cOgH104mWYoLWzJGaZ4p53jz6THRWnVXy5nPO3dSBr2f/SQgRuJQWHNIh0jicRGD8H2kzOQzilpo+Y46PWtkufl3Yu3UsP5UMAyLRIXwZ6nNRZqRiVWrX44hoNfDbooTdFobbHlqMl+y6291bOXaOA6PACk8B4IVcC89/gmc9Oe4EaDuszU5kD") + , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAJkoPRhUGT8EId6m37uBdYEtq42VNwslKnc9mmO+89ody066q6seHKeFY6ImfwjcyIjM30RTzEwftuVNQnbEB0=") + , (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB6VtXi0uygxZeCo26n6PuCTlSFCBcwRifv6N8HdWh2Z") + ] + + & Grub.chainPVGrub "hd0,0" "xen/xvda1" 30 + & Postfix.satellite + & Apt.unattendedUpgrades + & Systemd.installed + & Systemd.persistentJournal + & Ssh.userKeys (User "joey") hostContext + [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4wJuQEGno+nJvtE75IKL6JQ08sJHZ9Bzs9Dvu0zuxSEZE30MWK98/twNwCH9PVf2N9m4apfN7f9GHgHTUongfo8xnLAk4PuBSTV74YgKyOCvNYqANuKKa+76PsS/vFf/or3ct++uTEWsRyYD29cQndufwKA4rthAqHG+fifbLDC53AjcldI0zI1RckpPzT+AMazlnSBFMlpKvGD2uzSXALVRXa3vSqWkWd0z7qmIkpmpq0AAgbDLwrGBcUGV/h0rOa2s8zSeirA0tLmHNROl4cZsX0T/6VBGfBRkrHSxL67xJziATw4WPq6spYlxg84pC/5qJVr9SC5HosppbDqgj joey@elephant") + ] + & Apt.serviceInstalledRunning "swapspace" + + & alias "eubackup.kitenet.net" + & Apt.installed ["obnam", "sshfs", "rsync"] + & JoeySites.obnamRepos ["pell", "kite"] + & JoeySites.githubBackup + & JoeySites.rsyncNetBackup hosts + + & alias "podcatcher.kitenet.net" + & JoeySites.podcatcher + + & alias "znc.kitenet.net" + & JoeySites.ircBouncer + & alias "kgb.kitenet.net" + & JoeySites.kgbServer + + & alias "mumble.kitenet.net" + & JoeySites.mumbleServer hosts + + & alias "ns3.kitenet.net" + & myDnsSecondary + + & Systemd.nspawned oldusenetShellBox + & Systemd.nspawned ancientKitenet + & Systemd.nspawned openidProvider + `requires` Apt.serviceInstalledRunning "ntp" + + & JoeySites.scrollBox + & alias "scroll.joeyh.name" + & alias "eu.scroll.joeyh.name" + + -- For https port 443, shellinabox with ssh login to + -- kitenet.net + & alias "shell.kitenet.net" + & Systemd.nspawned kiteShellBox + -- Nothing is using http port 80, so listen on + -- that port for ssh, for traveling on bad networks that + -- block 22. + & Ssh.listenPort (Port 80) + +beaver :: Host +beaver = host "beaver.kitenet.net" + & ipv6 "2001:4830:1600:195::2" + & Apt.serviceInstalledRunning "aiccu" + & Apt.installed ["ssh"] + & Ssh.hostPubKey SshDsa "ssh-dss AAAAB3NzaC1kc3MAAACBAIrLX260fY0Jjj/p0syNhX8OyR8hcr6feDPGOj87bMad0k/w/taDSOzpXe0Wet7rvUTbxUjH+Q5wPd4R9zkaSDiR/tCb45OdG6JsaIkmqncwe8yrU+pqSRCxttwbcFe+UU+4AAcinjVedZjVRDj2rRaFPc9BXkPt7ffk8GwEJ31/AAAAFQCG/gOjObsr86vvldUZHCteaJttNQAAAIB5nomvcqOk/TD07DLaWKyG7gAcW5WnfY3WtnvLRAFk09aq1EuiJ6Yba99Zkb+bsxXv89FWjWDg/Z3Psa22JMyi0HEDVsOevy/1sEQ96AGH5ijLzFInfXAM7gaJKXASD7hPbVdjySbgRCdwu0dzmQWHtH+8i1CMVmA2/a5Y/wtlJAAAAIAUZj2US2D378jBwyX1Py7e4sJfea3WSGYZjn4DLlsLGsB88POuh32aOChd1yzF6r6C2sdoPBHQcWBgNGXcx4gF0B5UmyVHg3lIX2NVSG1ZmfuLNJs9iKNu4cHXUmqBbwFYQJBvB69EEtrOw4jSbiTKwHFmqdA/mw1VsMB+khUaVw==" + & alias "usbackup.kitenet.net" + & JoeySites.backupsBackedupFrom hosts "eubackup.kitenet.net" "/home/joey/lib/backup" + & Apt.serviceInstalledRunning "anacron" + & Cron.niceJob "system disk backed up" Cron.Weekly (User "root") "/" + "rsync -a -x / /home/joey/lib/backup/beaver.kitenet.net/" + +-- Branchable is not completely deployed with propellor yet. +pell :: Host +pell = host "pell.branchable.com" + & alias "branchable.com" + & ipv4 "66.228.46.55" + & ipv6 "2600:3c03::f03c:91ff:fedf:c0e5" + + -- All the websites I host at branchable that don't use + -- branchable.com dns. + & alias "olduse.net" + & alias "www.olduse.net" + & alias "www.kitenet.net" + & alias "joeyh.name" + & alias "campaign.joeyh.name" + & alias "ikiwiki.info" + & alias "git.ikiwiki.info" + & alias "l10n.ikiwiki.info" + & alias "dist-bugs.kitenet.net" + & alias "family.kitenet.net" + + & Apt.installed ["linux-image-amd64"] + & Linode.chainPVGrub 5 + & Apt.unattendedUpgrades + & Branchable.server hosts + +iabak :: Host +iabak = host "iabak.archiveteam.org" + & ipv4 "124.6.40.227" + & Hostname.sane + & os (System (Debian Testing) "amd64") + & Systemd.persistentJournal + & Cron.runPropellor (Cron.Times "30 * * * *") + & Apt.stdSourcesList `onChange` Apt.upgrade + & Apt.installed ["git", "ssh"] + & Ssh.hostKeys (Context "iabak.archiveteam.org") + [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAMhuYTshLxavWCpfyJxg3j/GWyIRlL3VTharsfUTzMOqyMSWantZjflfJX21z2KzFDtPEA711GYztsgMVXMrsPQInaOKNISe/R9cfgnEktKTxeppWTfw0GTNcpCeeecddU0FCPVW3a6yDoT6+Rv0jPvkQoDGmhQ40MhauMrO0mJ9AAAAFQDpCbXG8o/3Sg7wrsp5abizJoQ0yQAAAIEAxxyHo/ZhDPP+EWtDS05s5dwiDMUsxIllk1NeleAOQIyLtFkaifOeskDJybIPWYPGX1trjcPoGuXJ5GBYrRaPiu6FBvYdYMFRLr4uNBsaSHHqlHhBPkP3RzCrdUyau4XyjdE4iA0EQlO+u11A+o3f7aTuJSveM0YRfbqvaatG89EAAACAWd0h0SkRLnGjBzkou0SQfYujFY9ilhWXPWV/oOs+bieDSpvfmnaEfLSinVFRrJPvQp/dtpxPLEm+StrK3w6dmwTZVUM5JEoB1mRjBkVs6gPC9PVVg9qLpzC2/x+r5cTfrffjyRrlPdkwLKpO6oiPxTIxAyCW8ixjafkxe2hAeJo=") + , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP13oPRLRY0V9ZDWojb8TgHbUdE30Nq3b541TwPmlLMbYPAhldxGHkuXGlX8g9/FYP/1AgkPcxs2Uc61ZV+1Ss7q7t52f4R0bO4WHqxfdXHd9FlLzMLWxMU3aMr693pGlhnUp3/xH6O6/+bNEIo3VGGgv9XDr2cAxypS9J7X9ibHZcZ3BGvoCR+nnFJ00ERG2tREKZBPDWKk76lhCiM21fG/CSmcApXaA45FHDaM9/2Clj1sXvoS72f0hEKpl1m08sUx+F0GPzQESnKqNFl+xXdYPPbfhdrgCnDmx9tL5NnXsJU2beFiuxpICOeB1HV6DJsdlO18WqwXYhOg/2A1H3") + , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHb0kXcrF5ThwS8wB0Hez404Zp9bz78ZxEGSqnwuF4d/N3+bymg7/HAj7l/SzRoEXKHsJ7P5320oMxBHeM16Y+k=") + ] + & Apt.installed ["etckeeper", "sudo"] + & Apt.installed ["vim", "screen", "tmux", "less", "emax-nox", "netcat"] + & User.hasSomePassword (User "root") + & propertyList "admin accounts" + (map User.accountFor admins ++ map Sudo.enabledFor admins) + & User.hasSomePassword (User "joey") + & GitHome.installedFor (User "joey") + & Ssh.authorizedKey (User "db48x") "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAIAQDQ6urXcMDeyuFf4Ga7CuGezTShKnEMPHKJm7RQUtw3yXCPX5wnbvPS2+UFnHMzJvWOX5S5b/XpBpOusP0jLpxwOCEg4nA5b7uvWJ2VIChlMqopYMo+tDOYzK/Q74MZiNWi2hvf1tn3N9SnqOa7muBMKMENIX5KJdH8cJ/BaPqAP883gF8r2SwSZFvaB0xYCT/CIylC593n/+0+Lm07NUJIO8jil3n2SwXdVg6ib65FxZoO86M46wTghnB29GXqrzraOg+5DY1zzCWpIUtFwGr4DP0HqLVtmAkC7NI14l1M0oHE0UEbhoLx/a+mOIMD2DuzW3Rs3ZmHtGLj4PL/eBU8D33AqSeM0uR/0pEcoq6A3a8ixibj9MBYD2lMh+Doa2audxS1OLM//FeNccbm1zlvvde82PZtiO11P98uN+ja4A+CfgQU5s0z0wikc4gXNhWpgvz8DrOEJrjstwOoqkLg2PpIdHRw7dhpp3K1Pc+CGAptDwbKkxs4rzUgMbO9DKI7fPcXXgKHLLShMpmSA2vsQUMfuCp2cVrQJ+Vkbwo29N0Js5yU7L4NL4H854Nbk5uwWJCs/mjXtvTimN2va23HEecTpk44HDUjJ9NyevAfPcO9q1ZtgXFTQSMcdv1m10Fvmnaiy8biHnopL6MBo1VRITh5UFiJYfK4kpTTg2vSspii/FYkkYOAnnZtXZqMehP7OZjJ6HWJpsCVR2hxP3sKOoQu+kcADWa/4obdp+z7gY8iMMjd6kwuIWsNV8KsX+eVJ4UFpAi/L00ZjI2B9QLVCsOg6D1fT0698wEchwUROy5vZZJq0078BdAGnwC0WGLt+7OUgn3O2gUAkb9ffD0odbZSqq96NCelM6RaHA+AaIE4tjGL3lFkyOtb+IGPNACQ73/lmaRQd6Cgasq9cEo0g22Ew5NQi0CBuu1aLDk7ezu3SbU09eB9lcZ+8lFnl5K2eQFeVJStFJbJNfOvgKyOb7ePsrUFF5GJ2J/o1F60fRnG64HizZHxyFWkEOh+k3i8qO+whPa5MTQeYLYb6ysaTPrUwNRcSNNCcPEN8uYOh1dOFAtIYDcYA56BZ321yz0b5umj+pLsrFU+4wMjWxZi0inJzDS4dVegBVcRm0NP5u8VRosJQE9xdbt5K1I0khzhrEW1kowoTbhsZCaDHhL9LZo73Z1WIHvulvlF3RLZip5hhtQu3ZVkbdV5uts8AWaEWVnIu9z0GtQeeOuseZpT0u1/1xjVAOKIzuY3sB7FKOaipe8TDvmdiQf/ICySqqYaYhN6GOhiYccSleoX6yzhYuCvzTgAyWHIfW0t25ff1CM7Vn+Vo9cVplIer1pbwhZZy4QkROWTOE+3yuRlQ+o6op4hTGdAZhjKh9zkDW7rzqQECFrZrX/9mJhxYKjhpkk0X3dSipPt9SUHagc4igya+NgCygQkWBOQfr4uia0LcwDxy4Kchw7ZuypHuGVZkGhNHXS+9JdAHopnSqYwDMG/z1ys1vQihgER0b9g3TchvGF+nmHe2kbM1iuIYMNNlaZD1yGZ5qR7wr/8dw8r0NBEwzsUfak3BUPX7H6X0tGS96llwUxmvQD85WNNoef0uryuAtDEwWlfN1RmWysZDc57Rn4gZi0M5jXmQD23ZiYXYBcG849OeqNzlxONEFsForXO/29Ud4x/Hqa9tf+kJbqMRsaLFO+PXhHzgl6ZHLAljQDxrJ6keNnkqaYfqQ8wyRi1mKv4Ab57kde7mUsZhe7w93GaE9Lxfvu7d3pB+lXfI9NJCSITHreUP4JfmFW+p/eVg+r/1wbElNylGna4I4+qYObOUncGwFKYdFPdtU1XLDKXmywTEgbEh7iI9zX0xD3bPHQLMg+TTtXiU9dQm1x/0zRf9trwDsRDJCbG4/P4iQYkcVvYx2CCfi0JSHv8tWsLi3GJKJLXUxZyzfvY2lThPeYnnY/HFrPJCyJUN55QuRmfzbu8rHgWlcyOlVpKtz+7kn823kEQykiIYKIKrb0G6VBzuMtAk9XzJPv+Wu7suOGXHlVfCqPLk6RjHDm4kTYciW9VgxDts5Y+zwcAbrUeA4UuN/6KisWpivMrfDSIHUCeH/lHBtNkqKohdrUKJMEOx5X6r2dJbmoTFBDi5XtYu/5cBtiDMmupNB0S+pZ2JD5/RKtj6kgzTeE1q/OG4q/eq1O1rjf0vIS31luy27K/YHFIGE0D/CmuXE74Uyaxm27RnrKUxEBl84V70GaIF4F5On8pSThxxizigXTRTKiczc+A5Zi29mid+1EFeUAJOa/DuHJfpVNY4pYEmhPl/Bk66L8kzlbJz6Hg/LIiJIRcy3UKrbSxPFIDpXn33drBHgklMDlrIVDZDXF6cn0Ml71SabB4A3TM6TK+oWZoyvftPIhcWhVwAWQj7nFNAiMEl1z/29ovHrRooqQFozf7GDW8Mjiu7ChZP9zx2H8JB/AAEFuWMwGV4AHICYdS9lOl/v+cDhgsnXdeuKEuxHhYlRxuRxJk/f17Sm/5H85UIzlu85wi3q/DW2FTZnlw4iJLnL6FArUIMzuBOZyoEhh0SPR41Xc4kkucDhnENybTZSR/yDzb0P1B7qjZ4GqcSEFja/hm/LH1oKJzZg8MEqeUoKYCUdVv9ek4IUGUONtVs53V5SOwFWR/nVuDk2BENr7NadYYVtu6MjBwgjso7NuhoNxVwIEP3BW67OQ8bxfNBtJJQNJejAhgZiqJItI9ucAfjQ== db48x@anglachel" + & Apt.installed ["sudo"] + & Ssh.noPasswords + & IABak.gitServer monsters + & IABak.registrationServer monsters + & IABak.graphiteServer + & IABak.publicFace + where + admins = map User ["joey", "db48x"] + + --' __|II| ,. + ---- __|II|II|__ ( \_,/\ +--'-------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/ __/ -'-.-'-.-'-.-'-.-'-.-'- +-------------------------- | [Containers] / -------------------------- +-------------------------- : / --------------------------- +--------------------------- \____, o ,' ---------------------------- +---------------------------- '--,___________,' ----------------------------- + +-- Simple web server, publishing the outside host's /var/www +webserver :: Systemd.Container +webserver = standardStableContainer "webserver" + & Systemd.bind "/var/www" + & Apache.installed + +-- My own openid provider. Uses php, so containerized for security +-- and administrative sanity. +openidProvider :: Systemd.Container +openidProvider = standardStableContainer "openid-provider" + & alias hn + & OpenId.providerFor [User "joey", User "liw"] hn (Just (Port 8081)) + where + hn = "openid.kitenet.net" + +-- Exhibit: kite's 90's website on port 1994. +ancientKitenet :: Systemd.Container +ancientKitenet = standardStableContainer "ancient-kitenet" + & alias hn + & Git.cloned (User "root") "git://kitenet-net.branchable.com/" "/var/www/html" + (Just "remotes/origin/old-kitenet.net") + & Apache.installed + & Apache.listenPorts [p] + & Apache.virtualHost hn p "/var/www/html" + & Apache.siteDisabled "000-default" + where + p = Port 1994 + hn = "ancient.kitenet.net" + +oldusenetShellBox :: Systemd.Container +oldusenetShellBox = standardStableContainer "oldusenet-shellbox" + & alias "shell.olduse.net" + & JoeySites.oldUseNetShellBox + +kiteShellBox :: Systemd.Container +kiteShellBox = standardStableContainer "kiteshellbox" + & JoeySites.kiteShellBox + +type Motd = [String] + +-- This is my standard system setup. +standardSystem :: HostName -> DebianSuite -> Architecture -> Motd -> Host +standardSystem hn suite arch motd = standardSystemUnhardened hn suite arch motd + & Ssh.noPasswords + +standardSystemUnhardened :: HostName -> DebianSuite -> Architecture -> Motd -> Host +standardSystemUnhardened hn suite arch motd = host hn + & os (System (Debian suite) arch) + & Hostname.sane + & Hostname.searchDomain + & File.hasContent "/etc/motd" ("":motd++[""]) + & Apt.stdSourcesList `onChange` Apt.upgrade + & Apt.cacheCleaned + & Apt.installed ["etckeeper"] + & Apt.installed ["ssh", "mosh"] + & GitHome.installedFor (User "root") + & User.hasSomePassword (User "root") + & User.accountFor (User "joey") + & User.hasSomePassword (User "joey") + & Sudo.enabledFor (User "joey") + & GitHome.installedFor (User "joey") + & Apt.installed ["vim", "screen", "less"] + & Cron.runPropellor (Cron.Times "30 * * * *") + -- I use postfix, or no MTA. + & Apt.removed ["exim4", "exim4-daemon-light", "exim4-config", "exim4-base"] + `onChange` Apt.autoRemove + +-- This is my standard container setup, Featuring automatic upgrades. +standardContainer :: Systemd.MachineName -> DebianSuite -> Architecture -> Systemd.Container +standardContainer name suite arch = + Systemd.container name system (Chroot.debootstrapped mempty) + & Apt.stdSourcesList `onChange` Apt.upgrade + & Apt.unattendedUpgrades + & Apt.cacheCleaned + where + system = System (Debian suite) arch + +standardStableContainer :: Systemd.MachineName -> Systemd.Container +standardStableContainer name = standardContainer name (Stable "jessie") "amd64" + +myDnsSecondary :: Property HasInfo +myDnsSecondary = propertyList "dns secondary for all my domains" $ props + & Dns.secondary hosts "kitenet.net" + & Dns.secondary hosts "joeyh.name" + & Dns.secondary hosts "ikiwiki.info" + & Dns.secondary hosts "olduse.net" + +branchableSecondary :: RevertableProperty HasInfo +branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com" + +-- Currently using kite (ns4) as primary with secondaries +-- elephant (ns3) and gandi. +-- kite handles all mail. +myDnsPrimary :: Bool -> Domain -> [(BindDomain, Record)] -> RevertableProperty HasInfo +myDnsPrimary dnssec domain extras = (if dnssec then Dns.signedPrimary (Weekly Nothing) else Dns.primary) hosts domain + (Dns.mkSOA "ns4.kitenet.net" 100) $ + [ (RootDomain, NS $ AbsDomain "ns4.kitenet.net") + , (RootDomain, NS $ AbsDomain "ns3.kitenet.net") + , (RootDomain, NS $ AbsDomain "ns6.gandi.net") + , (RootDomain, MX 0 $ AbsDomain "kitenet.net") + , (RootDomain, TXT "v=spf1 a a:kitenet.net ~all") + , JoeySites.domainKey + ] ++ extras + + +monsters :: [Host] -- Systems I don't manage with propellor, +monsters = -- but do want to track their public keys etc. + [ host "usw-s002.rsync.net" + & Ssh.hostPubKey SshEd25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7yTEBGfQYdwG/oeL+U9XPMIh/dW7XNs9T+M79YIOrd" + , host "github.com" + & Ssh.hostPubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" + , host "gitlab.com" + & Ssh.hostPubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=" + , host "ns6.gandi.net" + & ipv4 "217.70.177.40" + , host "turtle.kitenet.net" + & ipv4 "67.223.19.96" + & ipv6 "2001:4978:f:2d9::2" + , host "mouse.kitenet.net" + & ipv6 "2001:4830:1600:492::2" + , host "animx" + & ipv4 "76.7.162.101" + & ipv4 "76.7.162.186" + ] + + + + -- o + -- ___ o o + {-----\ / o \ ___o o + { \ __ \ / _ (X___>-- __o + _____________________{ ______\___ \__/ | \__/ \____ |X__> + < \___//|\\___/\ \____________ _ + \ ___/ | \___ # # \ (-) + \ O O O # | \ # >=) + \______________________________# # / #__________________/ (-} + + diff --git a/propellor.cabal b/propellor.cabal index 7c781c43..1366d89e 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -16,8 +16,9 @@ Extra-Source-Files: CHANGELOG Makefile config-simple.hs - config-joey.hs + joeyconfig.hs config.hs + contrib/post-checkout-hook debian/changelog debian/README.Debian debian/compat -- cgit v1.2.3