From 8f7807213687f8316f3dce5105d4036a939d2bcd Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 19 Aug 2018 23:37:49 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 2425ddb9..9be16a1d 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -1214,9 +1214,9 @@ cubieTruckOneWire = -- My home networked attached storage server. homeNAS :: Property DebianLike homeNAS = propertyList "home NAS" $ props - & autoMountDrive "archive-10" (USBHubPort 1) (Just "archive") + & autoMountDrive "archive-10" (USBHubPort 1) (Just "archive-older") & autoMountDrive "archive-11" (USBHubPort 2) (Just "archive-old") - & autoMountDrive "archive-12" (USBHubPort 3) (Just "archive-older") + & autoMountDrive "archive-12" (USBHubPort 3) (Just "archive") & autoMountDrive "passport" (USBHubPort 4) Nothing & Apt.installed ["git-annex", "borgbackup"] -- cgit v1.2.3 From 23d8b7de4618ab6436fff6a8ddd5e42335d26a1e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 19 Aug 2018 23:59:59 -0400 Subject: avoid "Mounted Mount" in journal --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 9be16a1d..1dc14275 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -1238,7 +1238,7 @@ autoMountDrive label (USBHubPort port) malias = propertyList desc $ props Nothing -> doNothing doNothing & File.hasContent ("/etc/systemd/system/" ++ mount) [ "[Unit]" - , "Description=Mount " ++ label + , "Description=" ++ label , "Requires=" ++ hub , "After=" ++ hub , "[Mount]" -- cgit v1.2.3 
From f994c60d7282fb782ecc94cd9370953944c25f3b Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Aug 2018 01:51:45 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 1dc14275..e2acae33 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -1242,7 +1242,9 @@ autoMountDrive label (USBHubPort port) malias = propertyList desc $ props , "Requires=" ++ hub , "After=" ++ hub , "[Mount]" - , "Type=auto" + -- avoid mounting whenever the block device is available, + -- only want to automount on deman + , "Options=noauto" , "What=/dev/disk/by-label/" ++ label , "Where=" ++ mountpoint , "[Install]" -- cgit v1.2.3 From ec8fd8609b004dbb10e1e50ea1b262d720776418 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Aug 2018 02:50:57 -0400 Subject: comment typo --- src/Propellor/Property/Sudo.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs index 1614801d..ad955a7a 100644 --- a/src/Propellor/Property/Sudo.hs +++ b/src/Propellor/Property/Sudo.hs @@ -34,7 +34,7 @@ enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] cleanup sudoline True = sudobaseline ++ " NOPASSWD:ALL" sudoline False = sudobaseline ++ " ALL" wanted locked l - -- TOOD: Full sudoers file format parse.. + -- TODO: Full sudoers file format parse.. | notuserline l = True | "NOPASSWD" `isInfixOf` l = locked | otherwise = True -- cgit v1.2.3 From f7014a2f64d4ec56519f82e90479a1a12daaec1e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Aug 2018 09:06:29 -0400 Subject: hub perms --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
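Review bot: The comment added above `, "Options=noauto"` misspells "demand" as "deman"; I would write the two comment lines as `-- avoid mounting whenever the block device is available,` / `-- only want to automount on demand`. Dropping `Type=auto` is presumably fine since the setting is optional in a mount unit and the drive is identified by label rather than filesystem type, but a short comment saying the type is left to autodetection would make that deliberate. The enclosing `autoMountDrive` unit-file list starts and ends outside the hunk.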
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index e2acae33..e94aca00 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -1214,6 +1214,11 @@ cubieTruckOneWire = -- My home networked attached storage server. homeNAS :: Property DebianLike homeNAS = propertyList "home NAS" $ props + & Apt.installed ["uhubctl"] + & "/etc/udev/rules.d/52-startech-hub.rules" `File.hasContent` + [ "# let users power control startech hub with uhubctl" + , "ATTR{idVendor}==\"0409\", ATTR{idProduct}==\"005a\", MODE=\"0666\"" + ] & autoMountDrive "archive-10" (USBHubPort 1) (Just "archive-older") & autoMountDrive "archive-11" (USBHubPort 2) (Just "archive-old") & autoMountDrive "archive-12" (USBHubPort 3) (Just "archive") @@ -1227,9 +1232,8 @@ newtype USBHubPort = USBHubPort Int -- -- The hub port is turned on and off automatically as needed, using -- uhubctl. -autoMountDrive :: Mount.Label -> USBHubPort -> Maybe FilePath -> Property DebianLike +autoMountDrive :: Mount.Label -> USBHubPort -> Maybe FilePath -> Property Linux autoMountDrive label (USBHubPort port) malias = propertyList desc $ props - & Apt.installed ["uhubctl"] & File.ownerGroup mountpoint (User "joey") (Group "joey") & File.dirExists mountpoint & case malias of -- cgit v1.2.3 From 36ee54ed2feb8adf4d8a9b072617b512cb9a7bed Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Aug 2018 16:36:00 -0400 Subject: Added Sudo.sudoersDFile property. This commit was sponsored by Ewen McNeill on Patreon. --- debian/changelog | 1 + src/Propellor/Property/Sudo.hs | 12 ++++++++++++ 2 files changed, 13 insertions(+) diff --git a/debian/changelog b/debian/changelog index eff0efd3..f0b8db04 100644 --- a/debian/changelog +++ b/debian/changelog 
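Review bot: The new udev rule for the StarTech hub sets `MODE=\"0666\"`, which makes the hub's device node writable by every local account and process, not just the user who runs uhubctl, so anything on the machine can power-cycle the ports the archive drives hang off. Scoping it to the intended user or a group keeps the least-privilege intent of the comment above it, e.g. `, "ATTR{idVendor}==\"0409\", ATTR{idProduct}==\"005a\", OWNER=\"joey\", MODE=\"0600\""` (or a `GROUP=` with `MODE=\"0660\"`). The match is on vendor/product id only, so it also applies to any other hub with those ids; that is presumably acceptable in a single-host site file but worth a word in the comment. The enclosing `homeNAS` property list continues outside the hunk.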
@@ -5,6 +5,7 @@ propellor (5.5.0) UNRELEASED; urgency=medium guesses can lead to ugly surprises. (API change) * Added Systemd.escapePath helper function useful when creating mount units. + * Added Sudo.sudoersDFile property. -- Joey Hess Thu, 09 Aug 2018 10:54:41 -0400 diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs index ad955a7a..c2f0ac4e 100644 --- a/src/Propellor/Property/Sudo.hs +++ b/src/Propellor/Property/Sudo.hs @@ -41,3 +41,15 @@ enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] cleanup modify locked ls | sudoline locked `elem` ls = ls | otherwise = ls ++ [sudoline locked] + +-- | Sets up a file in /etc/sudoers.d/, which /etc/sudoers includes, +-- with the specified content. +-- +-- The FilePath can be relative to that directory. +sudoersDFile :: FilePath -> [Line] -> RevertableProperty DebianLike Linux +sudoersDFile dfile content = setup `requires` Apt.installed ["sudo"] cleanup + where + f = "/etc/sudoers.d" dfile + -- sudoers.d files should not be world readable + setup = hasContentProtected f content + cleanup = tightenTargets $ notPresent f -- cgit v1.2.3 From 4be2ad75fc22080a11ac3a0988bfc8113345fcaa Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Aug 2018 17:03:09 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index e94aca00..909ff929 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
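Review bot: The haddock on `sudoersDFile` says the path may be relative to /etc/sudoers.d but not that sudo's `#includedir` skips any file whose name contains a `.` or ends in `~`, so a caller passing such a name (a later commit in this series derives the name from a mount label via `"automount-" ++ label`) gets a file that is installed but silently never read. I would add: `-- Note that sudo ignores files in that directory whose names contain a '.' or end in '~'.` Separately, a syntax error in any sudoers.d file makes sudo refuse to run at all, and `hasContentProtected` writes the content without validating it; if a `visudo -cf` pass on the new content is feasible here it should happen before the file goes live, and otherwise the haddock should state that the content is written unchecked. The join between `"/etc/sudoers.d"` and `dfile` is presumably `</>`, which looks to have been lost in the page rendering rather than in the commit.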
@@ -16,6 +16,7 @@ import qualified Propellor.Property.Cron as Cron import qualified Propellor.Property.Service as Service import qualified Propellor.Property.User as User import qualified Propellor.Property.Group as Group +import qualified Propellor.Property.Sudo as Sudo import qualified Propellor.Property.Borg as Borg import qualified Propellor.Property.Apache as Apache import qualified Propellor.Property.Postfix as Postfix @@ -1232,7 +1233,7 @@ newtype USBHubPort = USBHubPort Int -- -- The hub port is turned on and off automatically as needed, using -- uhubctl. -autoMountDrive :: Mount.Label -> USBHubPort -> Maybe FilePath -> Property Linux +autoMountDrive :: Mount.Label -> USBHubPort -> Maybe FilePath -> Property DebianLike autoMountDrive label (USBHubPort port) malias = propertyList desc $ props & File.ownerGroup mountpoint (User "joey") (Group "joey") & File.dirExists mountpoint @@ -1283,6 +1284,9 @@ autoMountDrive label (USBHubPort port) malias = propertyList desc $ props `onChange` Systemd.daemonReloaded & Systemd.enabled automount & Systemd.started automount + & Sudo.sudoersDFile ("automount-" ++ label) + [ "%joey ALL= NOPASSWD: " ++ sudocommands + ] where mountpoint = "/media/joey/" ++ label desc = "auto mount " ++ mountpoint @@ -1290,3 +1294,7 @@ autoMountDrive label (USBHubPort port) malias = propertyList desc $ props automount = svcbase ++ ".automount" mount = svcbase ++ ".mount" svcbase = Systemd.escapePath mountpoint + sudocommands = intercalate " , " $ map (\c -> "/bin/systemctl " ++ c) + [ "stop " ++ mountpoint + , "start " ++ mountpoint + ] -- cgit v1.2.3 From 8690c09cc914da6ac3a6ba46ab3ba7690a344cf9 Mon Sep 17 00:00:00 2001 
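Review bot: `sudocommands` splices `mountpoint` (and so the `label` argument) verbatim into a sudoers command list, where `,`, `:`, `=`, `\` and whitespace are syntax, so a label containing any of them produces a rule sudo cannot parse, and a parse error in one sudoers.d file makes sudo refuse every rule on the host. The labels used in this file are plain, but the `where` binding deserves a comment saying that is relied on: `-- label/mountpoint are inserted into a sudoers rule unescaped; keep labels free of ',' ':' '=' '\' and whitespace`. The rule itself is appropriately narrow: only the two exact `systemctl stop`/`start` command lines for this mountpoint are allowed without a password. `autoMountDrive`'s body begins outside the hunk.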
From: Joey Hess Date: Mon, 20 Aug 2018 18:00:13 -0400 Subject: Sudo.enabledFor: Write to /etc/sudoers.d/000users rather than to /etc/sudoers (Any old lines it wrote to /etc/sudoers will be removed.) This fixes a potential ordering problem; the property used to append the line to /etc/sudoers, but that would override more specific lines in the include directory. By putting it in a file that is included first, it'll come before all includes, without needing to parse the sudoers file in order to put it before the includedir line. Note that, if there is a more specific line for the user in /etc/sudoers before the includedir, it will be overridden by the line in /etc/sudoers.d/000users. But, this is not a behavior change from before, when the line was appended to the end. This commit was sponsored by Jeff Goeke-Smith on Patreon. --- debian/changelog | 5 ++++ src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- src/Propellor/Property/Sudo.hs | 29 +++++++++++++++++------- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/debian/changelog b/debian/changelog index f0b8db04..8faca945 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,11 @@ propellor (5.5.0) UNRELEASED; urgency=medium * Added Systemd.escapePath helper function useful when creating mount units. * Added Sudo.sudoersDFile property. + * Sudo.enabledFor: Write to /etc/sudoers.d/000users rather than to + /etc/sudoers. (Any old lines it wrote to /etc/sudoers will be removed.) + This fixes a potential ordering problem; the property used to append + the line to /etc/sudoers, but that would override more specific lines + in the include directory. -- Joey Hess Thu, 09 Aug 2018 10:54:41 -0400 diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 909ff929..fa7cb064 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs 
@@ -1285,7 +1285,7 @@ autoMountDrive label (USBHubPort port) malias = propertyList desc $ props & Systemd.enabled automount & Systemd.started automount & Sudo.sudoersDFile ("automount-" ++ label) - [ "%joey ALL= NOPASSWD: " ++ sudocommands + [ "joey ALL= NOPASSWD: " ++ sudocommands ] where mountpoint = "/media/joey/" ++ label diff --git a/src/Propellor/Property/Sudo.hs b/src/Propellor/Property/Sudo.hs index c2f0ac4e..12660aa9 100644 --- a/src/Propellor/Property/Sudo.hs +++ b/src/Propellor/Property/Sudo.hs 
@@ -7,34 +7,47 @@ import Propellor.Property.File import qualified Propellor.Property.Apt as Apt import Propellor.Property.User --- | Allows a user to sudo. If the user has a password, sudo is configured --- to require it. If not, NOPASSWORD is enabled for the user. +-- | Allows a user to run any command with sudo. +-- If the user has a password, sudo is configured to require it. +-- If not, NOPASSWORD is enabled for the user. +-- +-- Writes to the file /etc/sudoers.d/000users rather than the main sudoers +-- file. This file should come before other include files that may eg, +-- allow running more specific commands without a password, since sudo +-- uses the last matching configuration line. +-- +-- If the main sudoers file contains a conflicting line for +-- the user for ALL commands, the line will be removed. enabledFor :: User -> RevertableProperty DebianLike DebianLike enabledFor user@(User u) = setup `requires` Apt.installed ["sudo"] cleanup where setup :: Property UnixLike setup = property' desc $ \w -> do locked <- liftIO $ isLockedPassword user - ensureProperty w $ - fileProperty desc + ensureProperty w $ combineProperties desc $ props + & fileProperty desc (modify locked . filter (wanted locked)) - sudoers + dfile + & removeconflicting sudoers where desc = u ++ " is sudoer" cleanup :: Property DebianLike - cleanup = tightenTargets $ - fileProperty desc (filter notuserline) sudoers + cleanup = tightenTargets $ combineProperties desc $ props + & removeconflicting sudoers + & removeconflicting dfile where desc = u ++ " is not sudoer" + removeconflicting = fileProperty "remove conflicting" (filter notuserline) + sudoers = "/etc/sudoers" + dfile = "/etc/sudoers.d/000users" sudobaseline = u ++ " ALL=(ALL:ALL)" notuserline l = not (sudobaseline `isPrefixOf` l) sudoline True = sudobaseline ++ " NOPASSWD:ALL" sudoline False = sudobaseline ++ " ALL" wanted locked l - -- TODO: Full sudoers file format parse.. 
| notuserline l = True | "NOPASSWD" `isInfixOf` l = locked | otherwise = True -- cgit v1.2.3 -- cgit v1.2.3 From 2a499012b680db73df20b6b5b0bc4959ab65006d Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Aug 2018 20:46:30 -0400 Subject: Removed HostingProvider.CloudatCost module as it lacks a maintainer (If anyone would like to maintain it, send a patch adding it back.) (API change) --- debian/changelog | 3 ++ propellor.cabal | 1 - .../Property/HostingProvider/CloudAtCost.hs | 34 ---------------------- 3 files changed, 3 insertions(+), 35 deletions(-) delete mode 100644 src/Propellor/Property/HostingProvider/CloudAtCost.hs diff --git a/debian/changelog b/debian/changelog index 8faca945..225b71b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,9 @@ propellor (5.5.0) UNRELEASED; urgency=medium * letsencrypt': Pass --expand to support expanding the list of domains * Split mailname property out of Hostname.sane, since bad mailname guesses can lead to ugly surprises. (API change) + * Removed HostingProvider.CloudatCost module as it lacks a maintainer. + (If anyone would like to maintain it, send a patch adding it back.) + (API change) * Added Systemd.escapePath helper function useful when creating mount units. * Added Sudo.sudoersDFile property. diff --git a/propellor.cabal b/propellor.cabal index 904a8f64..0454fc92 100644 --- a/propellor.cabal +++ b/propellor.cabal @@ -144,7 +144,6 @@ Library Propellor.Property.ZFS Propellor.Property.ZFS.Process Propellor.Property.ZFS.Properties - Propellor.Property.HostingProvider.CloudAtCost Propellor.Property.HostingProvider.DigitalOcean Propellor.Property.HostingProvider.Exoscale Propellor.Property.HostingProvider.Linode diff --git a/src/Propellor/Property/HostingProvider/CloudAtCost.hs b/src/Propellor/Property/HostingProvider/CloudAtCost.hs deleted file mode 100644 index 839aa14e..00000000 --- a/src/Propellor/Property/HostingProvider/CloudAtCost.hs +++ /dev/null 
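Review bot: In the rewritten `setup`, the new `/etc/sudoers.d/000users` file is written with plain `fileProperty`, whereas `sudoersDFile` from earlier in this series uses `hasContentProtected` precisely because sudoers.d files should not be world readable; when `000users` does not yet exist its mode is whatever `fileProperty` creates by default, which I cannot confirm from here, and sudo checks the owner and mode of every included file before trusting it. I would either write it through the same protected path or document the assumption on the `dfile` binding: `-- NOTE(review): created with fileProperty's default mode; sudo requires sudoers.d files to be root-owned and not writable by others -- confirm`. The haddock also carries the misspelling `NOPASSWORD`; the sudo tag is `NOPASSWD`. The `removeconflicting` edit of `/etc/sudoers` itself still bypasses visudo's lock and syntax check, as the previous version did.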
@@ -1,34 +0,0 @@ --- | Maintainer: currently unmaintained; your name here! - -module Propellor.Property.HostingProvider.CloudAtCost - {-# WARNING "This module does not have a maintainer. It might not work right anymore. If you use it, please consider becoming its maintainer." #-} - where - -import Propellor.Base -import qualified Propellor.Property.Hostname as Hostname -import qualified Propellor.Property.File as File -import qualified Propellor.Property.User as User - --- Clean up a system as installed by cloudatcost.com -decruft :: Property DebianLike -decruft = propertyList "cloudatcost cleanup" $ props - & Hostname.sane - & Hostname.mailname - & grubbugfix - & nukecruft - where - grubbugfix :: Property DebianLike - grubbugfix = tightenTargets $ - "/etc/default/grub" `File.containsLine` "GRUB_DISABLE_LINUX_UUID=true" - `describe` "worked around grub/lvm boot bug #743126" - `onChange` (cmdProperty "update-grub" [] `assume` MadeChange) - `onChange` (cmdProperty "update-initramfs" ["-u"] `assume` MadeChange) - nukecruft :: Property Linux - nukecruft = tightenTargets $ - combineProperties "nuked cloudatcost cruft" $ props - & File.notPresent "/etc/rc.local" - & File.notPresent "/etc/init.d/S97-setup.sh" - & File.notPresent "/zang-debian.sh" - & File.notPresent "/bin/npasswd" - & User.nuked (User "user") User.YesReallyDeleteHome - -- cgit v1.2.3