From c167e6b75f8df8119c9c18de5f7f63b902642d57 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 11 Jul 2015 20:58:52 -0400 Subject: propellor spin --- src/Propellor/Property/SiteSpecific/JoeySites.hs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index e876f0da..4039ad0d 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -387,7 +387,7 @@ twitRss = combineProperties "twitter rss" $ props -- Work around for expired ssl cert. pumpRss :: Property NoInfo pumpRss = Cron.job "pump rss" (Cron.Times "15 * * * *") (User "joey") "/srv/web/tmp.kitenet.net/" - "wget https://pump2rss.com/feed/joeyh@identi.ca.atom -O pump.atom.new --no-check-certificate 2>/dev/null; sed 's/ & / /g' pump.atom.new > pump.atom" + "wget https://rss.io.jpope.org/feed/joeyh@identi.ca.atom -O pump.atom.new --no-check-certificate 2>/dev/null; sed 's/ & / /g' pump.atom.new > pump.atom" ircBouncer :: Property HasInfo ircBouncer = propertyList "IRC bouncer" $ props -- cgit v1.2.3 From d885624983383106f2ace96f27295aa113333710 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 13 Jul 2015 19:08:39 -0400 Subject: clarify --- src/Propellor/Property/Systemd.hs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/Propellor/Property/Systemd.hs b/src/Propellor/Property/Systemd.hs index 718ceca6..5c8a35e3 100644 --- a/src/Propellor/Property/Systemd.hs +++ b/src/Propellor/Property/Systemd.hs @@ -134,7 +134,8 @@ type Option = String -- Does not ensure that the relevant daemon notices the change immediately. -- -- This assumes that there is only one [Header] per file, which is --- currently the case. And it assumes the file already exists with +-- currently the case for files like journald.conf and system.conf. +-- And it assumes the file already exists with -- the right [Header], so new lines can just be appended to the end. configured :: FilePath -> Option -> String -> Property NoInfo configured cfgfile option value = combineProperties desc -- cgit v1.2.3 From 8d971b83ba11fc0eb521d9d15e4a2ae281bc2ef5 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Mon, 20 Jul 2015 12:03:47 -0400 Subject: Ssh.permitRootLogin type changed to allow configuring WithoutPassword and ForcedCommandsOnly (API change) * Ssh.permitRootLogin type changed to allow configuring WithoutPassword and ForcedCommandsOnly (API change) * setSshdConfig type changed, and setSshdConfigBool added with old type. --- config-joey.hs | 2 +- debian/changelog | 8 ++++++++ src/Propellor/Property/Ssh.hs | 40 ++++++++++++++++++++++++++++++---------- 3 files changed, 39 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/config-joey.hs b/config-joey.hs index 8b53718a..32b70c14 100644 --- a/config-joey.hs +++ b/config-joey.hs @@ -441,7 +441,7 @@ jerryPlay = standardDockerContainer "jerryplay" Unstable "amd64" & Docker.publish "8001:80" & Apt.installed ["ssh"] & User.hasSomePassword (User "root") - & Ssh.permitRootLogin True + & Ssh.permitRootLogin (Ssh.RootLogin True) kiteShellBox :: Systemd.Container kiteShellBox = standardStableContainer "kiteshellbox" diff --git a/debian/changelog b/debian/changelog index 3b20a402..6b411fa2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +propellor (2.7.0) UNRELEASED; urgency=medium + + * Ssh.permitRootLogin type changed to allow configuring WithoutPassword + and ForcedCommandsOnly (API change) + * setSshdConfig type changed, and setSshdConfigBool added with old type. + + -- Joey Hess Mon, 20 Jul 2015 12:01:38 -0400 + propellor (2.6.0) unstable; urgency=medium * Replace String type synonym Docker.Image by a data type diff --git a/src/Propellor/Property/Ssh.hs b/src/Propellor/Property/Ssh.hs index 785f2787..fca7d037 100644 --- a/src/Propellor/Property/Ssh.hs +++ b/src/Propellor/Property/Ssh.hs @@ -1,7 +1,10 @@ module Propellor.Property.Ssh ( PubKeyText, sshdConfig, + ConfigKeyword, + setSshdConfigBool, setSshdConfig, + RootLogin(..), permitRootLogin, passwordAuthentication, noPasswords, @@ -28,6 +31,7 @@ import Utility.FileMode import System.PosixCompat import qualified Data.Map as M +import Data.List type PubKeyText = String @@ -38,21 +42,37 @@ sshBool False = "no" sshdConfig :: FilePath sshdConfig = "/etc/ssh/sshd_config" -setSshdConfig :: String -> Bool -> Property NoInfo -setSshdConfig setting allowed = combineProperties "sshd config" - [ sshdConfig `File.lacksLine` (sshline $ not allowed) - , sshdConfig `File.containsLine` (sshline allowed) - ] +type ConfigKeyword = String + +setSshdConfigBool :: ConfigKeyword -> Bool -> Property NoInfo +setSshdConfigBool setting allowed = setSshdConfig setting (sshBool allowed) + +setSshdConfig :: ConfigKeyword -> String -> Property NoInfo +setSshdConfig setting val = File.fileProperty desc f sshdConfig `onChange` restarted - `describe` unwords [ "ssh config:", setting, sshBool allowed ] where - sshline v = setting ++ " " ++ sshBool v + desc = unwords [ "ssh config:", setting, val ] + cfgline = setting ++ " " ++ val + wantedline s + | s == cfgline = True + | (setting ++ " ") `isPrefixOf` s = False + | otherwise = True + f ls + | cfgline `elem` ls = filter wantedline ls + | otherwise = filter wantedline ls ++ [cfgline] + +data RootLogin + = RootLogin Bool -- ^ allow or prevent root login + | WithoutPassword -- ^ disable password authentication for root, while allowing other authentication methods + | ForcedCommandsOnly -- ^ allow root login with public-key authentication, but only if a forced command has been specified for the public key -permitRootLogin :: Bool -> Property NoInfo -permitRootLogin = setSshdConfig "PermitRootLogin" +permitRootLogin :: RootLogin -> Property NoInfo +permitRootLogin (RootLogin b) = setSshdConfigBool "PermitRootLogin" b +permitRootLogin WithoutPassword = setSshdConfig "PermitRootLogin" "without-password" +permitRootLogin ForcedCommandsOnly = setSshdConfig "PermitRootLogin" "forced-commands-only" passwordAuthentication :: Bool -> Property NoInfo -passwordAuthentication = setSshdConfig "PasswordAuthentication" +passwordAuthentication = setSshdConfigBool "PasswordAuthentication" -- | Configure ssh to not allow password logins. -- -- cgit v1.2.3