From bafa1691900970efcf2a772f094db1db874dacaf Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Fri, 11 Nov 2016 19:57:56 -0400
Subject: iabak is moving out of joeyconfig to its own separate config

This is to allow multiple admins of iabak to access the privdata. Since there's a single privdata file for all machines in a propellor deployment, and I don't want them to see all my secrets, we needed to break it out.
---
 joeyconfig.hs | 41 ---------
 propellor.cabal | 1 -
 src/Propellor/Property/SiteSpecific/IABak.hs | 121 ---------------------------
 3 files changed, 163 deletions(-)
 delete mode 100644 src/Propellor/Property/SiteSpecific/IABak.hs

diff --git a/joeyconfig.hs b/joeyconfig.hs
index 22744ffc..c5a98531 100644
--- a/joeyconfig.hs
+++ b/joeyconfig.hs
@@ -35,7 +35,6 @@ import qualified Propellor.Property.HostingProvider.Linode as Linode
 import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
 import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
-import qualified Propellor.Property.SiteSpecific.IABak as IABak
 import qualified Propellor.Property.SiteSpecific.Branchable as Branchable
 import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
 import Propellor.Property.DiskImage
@@ -58,7 +57,6 @@ hosts = -- (o) `
 , beaver
 , pell
 , keysafe
- , iabak
 ] ++ monsters

 testvm :: Host
@@ -513,45 +511,6 @@ keysafe = host "keysafe.joeyh.name" $ props
 , "&& rsync -a --delete --max-delete 3 ", backupdir
 , rsyncnetbackup
 ]

-iabak :: Host
-iabak = host "iabak.archiveteam.org" $ props
- & ipv4 "124.6.40.227"
- & Hostname.sane
- & osDebian Testing X86_64
- & Systemd.persistentJournal
- & Cron.runPropellor (Cron.Times "30 * * * *")
- & Apt.stdSourcesList `onChange` Apt.upgrade
- & Apt.installed ["git", "ssh"]
- & Ssh.hostKeys (Context "iabak.archiveteam.org")
- [ (SshDsa, "ssh-dss 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")
- , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDP13oPRLRY0V9ZDWojb8TgHbUdE30Nq3b541TwPmlLMbYPAhldxGHkuXGlX8g9/FYP/1AgkPcxs2Uc61ZV+1Ss7q7t52f4R0bO4WHqxfdXHd9FlLzMLWxMU3aMr693pGlhnUp3/xH6O6/+bNEIo3VGGgv9XDr2cAxypS9J7X9ibHZcZ3BGvoCR+nnFJ00ERG2tREKZBPDWKk76lhCiM21fG/CSmcApXaA45FHDaM9/2Clj1sXvoS72f0hEKpl1m08sUx+F0GPzQESnKqNFl+xXdYPPbfhdrgCnDmx9tL5NnXsJU2beFiuxpICOeB1HV6DJsdlO18WqwXYhOg/2A1H3")
- , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHb0kXcrF5ThwS8wB0Hez404Zp9bz78ZxEGSqnwuF4d/N3+bymg7/HAj7l/SzRoEXKHsJ7P5320oMxBHeM16Y+k=")
- ]
- & Apt.installed ["etckeeper", "sudo"]
- -- vital but generic tools
- & Apt.installed ["vim", "screen", "tmux", "less", "emacs-nox", "netcat", "nano"]
- -- tools for creating shards
- & Apt.installed ["jq", "python3", "python3-aiohttp"]
- & User.hasSomePassword (User "root")
- & propertyList "admin accounts"
- (toProps $ map User.accountFor admins
- ++ map (Group.hasUser (Group "staff")) admins
- ++ map Sudo.enabledFor admins)
- & User.hasSomePassword (User "joey")
- & GitHome.installedFor (User "joey")
- & Ssh.authorizedKey (User "db48x") "ssh-rsa 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 db48x@anglachel"
- & Ssh.authorizedKey (User "db48x") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQkqIgZ7D8WHW5Y3o+fpZC/4xtv/3IQrORJrTPCt7KY db48x@erebor"
- & Ssh.authorizedKey (User "hcross") "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIP5OhU2Lita9RdjPkX9N0w9wZnmVlednUDEx24bVn4Mk IABAK key - Harry C" - & Ssh.authorizedKey (User "kaz") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhFYMd9Htlf9wPZzIDyqbYYNwuo3m+kWQ9/pfAD/TE9 Kaz IABAK" - & Ssh.authorizedKey (User "yipdw") "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEo2mGPw2TTJMHp7G86hMBh6n9/+abzg1oXIIlkwWwzo trythil@aglarond" - & Ssh.noPasswords - & IABak.gitServer monsters - & IABak.registrationServer monsters - & IABak.graphiteServer - & IABak.publicFace - where - admins = map User ["joey", "db48x", "hcross", "kaz", "yipdw"] - --' __|II| ,. ---- __|II|II|__ ( \_,/\ --'-------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/ __/ -'-.-'-.-'-.-'-.-'-.-'- diff --git a/propellor.cabal b/propellor.cabal index 5490a67c..e0e15b0d 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -158,7 +158,6 @@ Library Propellor.Property.SiteSpecific.JoeySites Propellor.Property.SiteSpecific.GitAnnexBuilder Propellor.Property.SiteSpecific.Branchable - Propellor.Property.SiteSpecific.IABak Propellor.PropAccum Propellor.Utilities Propellor.CmdLine diff --git a/src/Propellor/Property/SiteSpecific/IABak.hs b/src/Propellor/Property/SiteSpecific/IABak.hs deleted file mode 100644 index b245e444..00000000 --- a/src/Propellor/Property/SiteSpecific/IABak.hs +++ /dev/null 
@@ -1,121 +0,0 @@
-module Propellor.Property.SiteSpecific.IABak where
-
-import Propellor.Base
-import qualified Propellor.Property.Apt as Apt
-import qualified Propellor.Property.Git as Git
-import qualified Propellor.Property.Cron as Cron
-import qualified Propellor.Property.File as File
-import qualified Propellor.Property.Apache as Apache
-import qualified Propellor.Property.User as User
-import qualified Propellor.Property.Ssh as Ssh
-
-repo :: String
-repo = "https://github.com/ArchiveTeam/IA.BAK/"
-
-userrepo :: String
-userrepo = "git@gitlab.com:archiveteam/IA.bak.users.git"
-
-publicFace :: Property DebianLike
-publicFace = propertyList "iabak public face" $ props
- & Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
- & Apt.serviceInstalledRunning "apache2"
- & Cron.niceJob "graph-gen" (Cron.Times "*/10 * * * *") (User "root") "/"
- "/usr/local/IA.BAK/web/graph-gen.sh"
-
-gitServer :: [Host] -> Property (HasInfo + DebianLike)
-gitServer knownhosts = propertyList "iabak git server" $ props
- & Git.cloned (User "root") repo "/usr/local/IA.BAK" (Just "server")
- & Git.cloned (User "root") repo "/usr/local/IA.BAK/client" (Just "master")
- & Ssh.userKeys (User "root") (Context "IA.bak.users.git") sshKeys
- & Ssh.knownHost knownhosts "gitlab.com" (User "root")
- & Git.cloned (User "root") userrepo "/usr/local/IA.BAK/pubkeys" (Just "master")
- & Apt.serviceInstalledRunning "apache2"
- & "/usr/lib/cgi-bin/pushme.cgi" `File.isSymlinkedTo` File.LinkTarget "/usr/local/IA.BAK/pushme.cgi"
- & File.containsLine "/etc/sudoers" "www-data ALL=NOPASSWD:/usr/local/IA.BAK/pushed.sh"
- & Cron.niceJob "shardstats" (Cron.Times "*/30 * * * *") (User "root") "/"
- "/usr/local/IA.BAK/shardstats-all"
- & Cron.niceJob "shardmaint" Cron.Daily (User "root") "/"
- "/usr/local/IA.BAK/shardmaint-fast; /usr/local/IA.BAK/shardmaint"
- & Apt.installed ["git-annex"]
- & Apt.installed ["libmail-sendmail-perl"]
- & Cron.niceJob "expireemailer" Cron.Daily (User "root")
- 
"/usr/local/IA.BAK" - "./expireemailer" - -registrationServer :: [Host] -> Property (HasInfo + DebianLike) -registrationServer knownhosts = propertyList "iabak registration server" $ props - & User.accountFor (User "registrar") - & Ssh.userKeys (User "registrar") (Context "IA.bak.users.git") sshKeys - & Ssh.knownHost knownhosts "gitlab.com" (User "registrar") - & Git.cloned (User "registrar") repo "/home/registrar/IA.BAK" (Just "server") - & Git.cloned (User "registrar") userrepo "/home/registrar/users" (Just "master") - & Apt.serviceInstalledRunning "apache2" - & Apt.installed ["perl", "perl-modules"] - & link `File.isSymlinkedTo` File.LinkTarget "/home/registrar/IA.BAK/registrar/register.cgi" - & cmdProperty "chown" ["-h", "registrar:registrar", link] - `changesFile` link - & File.containsLine "/etc/sudoers" "www-data ALL=(registrar) NOPASSWD:/home/registrar/IA.BAK/registrar/register.pl" - & Apt.installed ["kgb-client"] - & File.hasPrivContentExposed "/etc/kgb-bot/kgb-client.conf" anyContext - `requires` File.dirExists "/etc/kgb-bot/" - where - link = "/usr/lib/cgi-bin/register.cgi" - -sshKeys :: [(SshKeyType, Ssh.PubKeyText)] -sshKeys = - [ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoiE+CPiIQyfWnl/E9iKG3eo4QzlH30vi7xAgKolGaTu6qKy4XPtl+8MNm2Dqn9QEYRVyyOT/XH0yP5dRc6uyReT8dBy03MmLkVbj8Q+nKCz5YOMTxrY3sX6RRXU1zVGjeVd0DtC+rKRT7reoCxef42LAJTm8nCyZu/enAuso5qHqBbqulFz2YXEKfU1SEEXLawtvgGck1KmCyg+pqazeI1eHWXrojQf5isTBKfPQLWVppBkWAf5cA4wP5U1vN9dVirIdw66ds1M8vnGlkTBjxP/HLGBWGYhZHE7QXjXRsk2RIXlHN9q6GdNu8+F3HXS22mst47E4UAeRoiXSMMtF5") - ] - -graphiteServer :: Property (HasInfo + DebianLike) -graphiteServer = propertyList "iabak graphite server" $ props - & Apt.serviceInstalledRunning "apache2" - & Apt.installed ["libapache2-mod-wsgi", "graphite-carbon", "graphite-web"] - & File.hasContent "/etc/carbon/storage-schemas.conf" - [ "[carbon]" - , "pattern = ^carbon\\." 
- , "retentions = 60:90d" - , "[iabak-connections]" - , "pattern = ^iabak\\.shardstats\\.connections" - , "retentions = 1h:1y,3h:10y" - , "[iabak-default]" - , "pattern = ^iabak\\." - , "retentions = 10m:30d,1h:1y,3h:10y" - , "[default_1min_for_1day]" - , "pattern = .*" - , "retentions = 60s:1d" - ] - & graphiteCSRF - & cmdProperty "graphite-manage" ["syncdb", "--noinput"] - `assume` MadeChange - `flagFile` "/etc/flagFiles/graphite-syncdb" - & cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=joey", "--email=joey@localhost"] - `assume` MadeChange - `flagFile` "/etc/flagFiles/graphite-user-joey" - & cmdProperty "graphite-manage" ["createsuperuser", "--noinput", "--username=db48x", "--email=db48x@localhost"] - `assume` MadeChange - `flagFile` "/etc/flagFiles/graphite-user-db48x" - -- TODO: deal with passwords somehow - & File.ownerGroup "/var/lib/graphite/graphite.db" (User "_graphite") (Group "_graphite") - & "/etc/apache2/ports.conf" `File.containsLine` "Listen 8080" - `onChange` Apache.restarted - & Apache.siteEnabled "iabak-graphite-web" - [ "" - , " WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite" - , " WSGIProcessGroup _graphite" - , " WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL}" - , " WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi" - , " Alias /content/ /usr/share/graphite-web/static/" - , " " - , " SetHandler None" - , " " - , " ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log" - , " LogLevel warn" - , " CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined" - , "" - ] - where - graphiteCSRF :: Property (HasInfo + DebianLike) - graphiteCSRF = withPrivData (Password "csrf-token") (Context "iabak.archiveteam.org") $ - \gettoken -> property' "graphite-web CSRF token" $ \w -> - gettoken $ \token -> ensureProperty w $ File.containsLine - "/etc/graphite/local_settings.py" 
("SECRET_KEY = '"++ privDataVal token ++"'") -- cgit v1.2.3