propellor

propellor config for hosts.
git clone git://git.ricketyspace.net/propellor.git

commit 0c04e484d56485aa78fbcb79e9b0134ab3835468
parent 966c750a57eecd090268473a523d4a34ded4dbd7
Author: rsiddharth <s@ricketyspace.net>
Date:   Sun, 27 Aug 2017 23:35:00 -0400

s' config.hs

Diffstat:
config.hs | 2--
config.hs | 492+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 492 insertions(+), 2 deletions(-)

diff --git a/config.hs b/config.hs @@ -1 +0,0 @@ -config-simple.hs- \ No newline at end of file diff --git a/config.hs b/config.hs 
@@ -0,0 +1,492 @@ +-- This is the main configuration file for Propellor, and is used to build +-- the propellor program. https://propellor.branchable.com/ + +-- Copyright © 2017 rsiddharth <s@ricketyspace.net> +-- License: GNU General Public License version 3 or higher. +-- +-- _________ +-- < s' lazy > +-- --------- +-- \ ., +-- \ . .TR d' +-- \ k,l .R.b .t .Je +-- \ .P q. a|.b .f .Z% +-- .b .h .E` # J: 2` . +-- .,.a .E ,L.M' ?:b `| ..J9!`., +-- q,.h.M` `.., ..,""` ..2"` +-- .M, J8` `: ` 3; +-- . Jk ..., `^7"90c. +-- j, ,! .7"'`j,.| .n. ... +-- j, 7' .r` 4: L `... +-- ..,m. J` ..,|.. J` 7TWi +-- ..JJ,.: % oo ,. ...., +-- .,E 3 7`g.M: P 41 +-- JT7"' O. .J,; `` V"7N. +-- G. ""Q+ .Zu.,!` Z` +-- .9.. . J&..J! . ,: +-- 7"9a JM"! +-- .5J. .. ..F` +-- 78a.. ` ..2' +-- J9Ksaw0"' +-- .EJ?A...a. +-- q...g...gi +-- .m...qa..,y: +-- .HQFNB&...mm +-- ,Z|,m.a.,dp +-- .,?f` ,E?:"^7b +-- `A| . .F^^7'^4, +-- .MMMMMMMMMMMQzna, +-- ...f"A.JdT J: Jp, +-- `JNa..........A....af` +-- `^^^^^'` + +import Propellor +import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.Cron as Cron +import qualified Propellor.Property.Docker as Docker +import qualified Propellor.Property.File as File +import qualified Propellor.Property.Nginx as Nginx +import qualified Propellor.Property.Ssh as Ssh +import qualified Propellor.Property.User as User + + +main :: IO () +main = defaultMain hosts + +-- The hosts propellor knows about. +hosts :: [Host] +hosts = [ cygnus ] + +-- configure cygnus. +cygnus :: Host +cygnus = host "cygnus.ricketyspace.net" $ props + & osDebian Unstable X86_64 + -- apt config. 
+ & Apt.stdSourcesList + & Apt.unattendedUpgrades + & Apt.safeUpgrade + & Apt.installed ["tor", "torsocks" + , "curl" + , "zsh", "rxvt-unicode", "screen" + , "cvs", "git", "git-doc", "git-ftp", "git-email" + , "xinit", "x11-xserver-utils" + , "stumpwm", "i3lock" + , "xfonts-terminus", "fonts-noto", "unifont" + , "imagemagick", "inkscape", "gimp", "sane" + , "keychain", "parcimonie", "pass", "pinentry-gtk2" + , "python-virtualenv", "python-pip" + , "make", "make-doc", "gcc", "gcc-doc", "gcc-doc-base" + , "glibc-doc", "glibc-doc-reference" + , "gdb", "valgrind" + , "mdk", "mdk-doc" + , "default-jdk" + , "udisks2", "etckeeper", "acpi-support" + , "ntp", "ntp-doc", "mosh", "dnsutils", "nscd" + , "nfs-kernel-server" + , "nginx-full", "network-manager" + , "mpd", "mpc", "ncmpcpp", "mplayer", "alsa-utils" + , "texlive-full", "evince" + , "htop" + , "firefox-esr", "conkeror", "chromium", "w3m" + , "xbacklight", "redshift" + , "unzip", "zip" + , "weather-util", "weather-util-data" + , "sudo", "debian-goodies", "debootstrap" + , "aptitude" + , "systemd-container", "qemu", "docker-compose" + , "anarchism" + ] + & Docker.installed + -- s config. + & User.accountFor (User "s") + & User.hasSomePassword (User "s") + & Ssh.userKeyAt (Just sCanonicalSshKeyPath) + (User "s") hostContext (SshRsa, sCanonicalSshPubKey) + & User.hasGroup (User "s") (Group "docker") + --- crons. + & rsyncToChum + & rsyncToEntisol + & rsyncFromCruxToEntisol + & annexToChum + & annexToEntisol + & annexSyncFromHome + & updateGitAnnex + & morningNoise + & getCruxEtc + & autoCommitCygnusRepos + & removeEmptyHomeDirs + -- root config. + & User.hasSomePassword (User "root") + & Ssh.authorizedKey (User "root") sCanonicalSshPubKey + & Cron.job "etc-push" (Cron.Times "15 00 * * *") (User "root") + "/etc" "git push" + -- etc config. 
+ & File.containsLines "/etc/hosts" cygnusHosts + & File.hasContent "/etc/mpd.conf" cygnusMpd + & File.hasContent "/etc/sudoers.d/s" cygnusSudoers + & File.containsLines "/etc/NetworkManager/NetworkManager.conf" + cygnusNetworkManager + --- nginx. + & Nginx.siteEnabled "cyngnus" cygnusNginx + -- propellor. + & Cron.runPropellor (Cron.Times "30 * * * *") + +-- keys. +sCanonicalSshKeyPath :: [Char] +sCanonicalSshKeyPath = "/home/s/.ssh/id_the_rsa" + +sCanonicalSshPubKey :: [Char] +sCanonicalSshPubKey = "ssh-rsa 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 rsd@grus" + +-- start cygnus snafu. +sourceCygnusEnv :: [Char] -> [Char] +sourceCygnusEnv cmd = ". $HOME/.env; " ++ cmd + +--- backup paths. +---- chum. +chumFilter :: [Char] +chumFilter = "/home/s/v/git/rsd/dotfiles/rsync-backup/filter-chum" + +chumBackupPath :: [Char] +chumBackupPath = "/media/s/chum" + +chumAnnexPath :: [Char] +chumAnnexPath = "/media/s/chum/annex/" + +---- entisol. +entisolFilter :: [Char] +entisolFilter = "/home/s/v/git/rsd/dotfiles/rsync-backup/filter-entisol" + +entisolBackupPath :: [Char] +entisolBackupPath = "/home/s/.mnt/entisol/box/cygnus/latest/" + +entisolAnnexPath :: [Char] +entisolAnnexPath = "/home/s/.mnt/entisol/annex" + +---- crux. +cruxFilter :: [Char] +cruxFilter = "/home/s/v/git/rsd/dotfiles/rsync-backup/filter-crux" + +cruxBackupPath :: [Char] +cruxBackupPath = "/home/s/.mnt/entisol/box/crux/latest/" + +---- scripts. +rsyncBuTo :: [Char] -> [Char] -> [Char] -> [Char] +rsyncBuTo rbtFilter src dest = "./rsync-bu-to " + ++ rbtFilter ++ " " ++ src ++ " " ++ + dest + +annexTo :: [Char] -> [Char] -> [Char] +annexTo annexPath annexGetPath = "./annex-to " + ++ annexPath ++ " " ++ annexGetPath + +---- s's crons on cygnus. 
+rsyncToChum :: Property DebianLike +rsyncToChum = Cron.job "rsync-to-chum" (Cron.Times "*/30 * * * *") + (User "s") "/home/s/.bin" rsyncCmd + where + rsyncCmd = rsyncBuTo chumFilter "/home/s" chumBackupPath + +rsyncToEntisol :: Property DebianLike +rsyncToEntisol = Cron.job "rsync-to-entisol" (Cron.Times "20 00 * * *") + (User "s") "/home/s/.bin" rsyncCmd + where + rsyncCmd = rsyncBuTo entisolFilter "/home/s" entisolBackupPath + +rsyncFromCruxToEntisol :: Property DebianLike +rsyncFromCruxToEntisol = Cron.job "rsync-from-crux-to-entisol" + (Cron.Times "35 00 * * *") + (User "s") "/home/s/.bin" rsyncCmd + where + rsyncCmd = sourceCygnusEnv (rsyncBuTo cruxFilter "rspace:~/" + cruxBackupPath) + +annexToChum :: Property DebianLike +annexToChum = Cron.job "annex-to-chum" (Cron.Times "00 */1 * * *") + (User "s") "/home/s/.bin" annexCmd + where + annexCmd = annexTo chumAnnexPath "docs" + +annexToEntisol :: Property DebianLike +annexToEntisol = Cron.job "annex-to-entisol" (Cron.Times "50 00 * * *") + (User "s") "/home/s/.bin" annexCmd + where + annexCmd = annexTo entisolAnnexPath "." 
+ +annexSyncFromHome :: Property DebianLike +annexSyncFromHome = Cron.job "annex-sync-from-home" + (Cron.Times "00 01 * * *") + (User "s") "/home/s/annex" annexCmd + where + annexCmd = "$HOME/.bin/git-annex sync" + +updateGitAnnex :: Property DebianLike +updateGitAnnex = Cron.job "update-git-annex" (Cron.Weekly) + (User "s") "/home/s/v/git/rsd/df" makeCmd + where + makeCmd = "make git-annex" + +morningNoise :: Property DebianLike +morningNoise = Cron.job "morning-noise" (Cron.Times "00 05 * * *") + (User "s") "/home/s" noiseCmd + where + noiseCmd = "mpc play" + +getCruxEtc :: Property DebianLike +getCruxEtc = Cron.job "get-crux-etc" (Cron.Times "00 23 * * *") + (User "s") "/home/s/v/git/rsd/crux-etc" gitCmd + where + gitCmd = sourceCygnusEnv "git pull origin" + +autoCommitCygnusRepos :: Property DebianLike +autoCommitCygnusRepos = Cron.job "auto-commit-repos" + (Cron.Times "00 22 * * *") + (User "s") "/home/s/.bin/" autoCommitCmd + where + autoCommitCmd = sourceCygnusEnv "./git-difme" + +removeEmptyHomeDirs :: Property DebianLike +removeEmptyHomeDirs = Cron.job "remove-empty-home-dirs" + (Cron.Times "*/10 * * * *") + (User "s") "/home/s/" cmd + where + cmd = "rm -rf Documents Public Desktop Downloads" ++ + " Music Pictures Templates Videos" + +---- etc +cygnusHosts :: [File.Line] +cygnusHosts = [ + "127.0.0.1 taoup.localhost" + , "127.0.0.1 gnu.localhost" + , "127.0.0.1 rsd.localhost" + , "127.0.0.1 sicp.localhost" + , "127.0.0.1 tmp.localhost" + , "127.0.0.1 localhost" + , "127.0.0.1 lp.localhost" + , "127.0.0.1 vm.localhost" + , "127.0.0.1 home.localhost" + , "127.0.0.1 rs.localhost" + , "127.0.0.1 lpsg.localhost" + ] + +cygnusMpd :: [File.Line] +cygnusMpd = [ + "music_directory \"/home/s/annex/music/\"" + , "playlist_directory \"/var/lib/mpd/playlists\"" + , "db_file \"/var/lib/mpd/tag_cache\"" + , "log_file \"/var/log/mpd/mpd.log\"" + , "pid_file \"/run/mpd/pid\"" + , "state_file \"/var/lib/mpd/state\"" + , "sticker_file \"/var/lib/mpd/sticker.sql\"" + , "user 
\"mpd\"" + , "bind_to_address \"localhost\"" + , "bind_to_address \"/run/mpd/socket\"" + , "port \"6600\"" + , "log_level \"verbose\"" + , "save_absolute_paths_in_playlists \"yes\"" + , "metadata_to_use \"artist,album,title,track,name,genre,date,composer," + ++ "performer,disc\"" + , "auto_update \"yes\"" + , "input {" + , " plugin \"curl\"" + , "}" + , "audio_output {" + , " type \"alsa\"" + , " name \"My ALSA Device\"" + , " mixer_type \"software\"" + , "}" + , "filesystem_charset \"UTF-8\"" + , "id3v1_encoding \"UTF-8\"" + ] + +cygnusNginx :: [String] +cygnusNginx = [ + "### vm server" + ,"server {" + ," ssi on;" + ," server_name vm.localhost;" + ," root /home/s/v/git/rsd/v-page;" + ," index index.php index.html;" + , "" + ," location / {" + ," autoindex on;" + ," include /etc/nginx/mime.types;" + ," rewrite ^/(land|macro|wp|wild|people|fashion).*$ " + ++ "/gallery/$1/ permanent;" + ," rewrite ^/as/photography-classes/?$ /as permanent;" + ," }" + , "" + ," location ~ \\.php$ {" + ," include snippets/fastcgi-php.conf;" + ," fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;" + ," }" + ,"}" + + ,"### rsd server" + ,"server {" + ," server_name rsd.localhost;" + ," root /home/s/v/git/rsd/rsd-w3;" + ," index index.html;" + , "" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + + ,"### home server" + ,"server {" + ," server_name home.localhost;" + ," root /home/s/;" + ," index index.html;" + , "" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + + ,"### ricketyspace server" + ,"server {" + ," server_name rs.localhost;" + ," root /home/s/v/git/rsd/rs;" + ," index index.html;" + , "" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + + ,"### gnu server" + ,"server {" + ," ssi on;" + ," server_name gnu.localhost;" + ," root /home/s/v/cvs/www-gnu;" + ," index index.html, home.html;" + , "" + ," location /software/ {" + ," alias /home/s/v/cvs/gnu/software/;" + ," autoindex on;" + ," }" + , "" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + + ,"### lp 
server" + ,"server {" + ," ssi on;" + ," server_name lp.localhost;" + ," root /home/s/v/git/fsf/lp-static;" + ," index index.html;" + ,"" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + , "" + ,"### sicp server" + ,"server {" + ," ssi on;" + ," server_name sicp.localhost;" + ," root /home/s/annex/eat/sicp/mitpress.mit.edu/sicp;" + ," index index.html;" + ,"" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + , "" + ,"### taoup server" + ,"server {" + ," ssi on;" + ," server_name taoup.localhost;" + ," root /home/s/annex/eat/taoup/www.catb.org/~esr/writings/taoup/html;" + ," index index.html;" + ,"" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + , "" + ,"### combox server" + ,"server {" + ," ssi on;" + ," server_name combox.localhost;" + ," root /home/s/v/git/bgc/combox/docs/_build/html;" + ," index index.html;" + + ," location / {" + ," autoindex on;" + ," }" + ,"}" + , "" + ,"### lpschedule-generator server" + ,"server {" + ," ssi on;" + ," server_name lpsg.localhost;" + ," root /home/s/v/git/fsf/lpschedule-generator/docs/_build/html;" + ," index index.html;" + , "" + ," location / {" + + ," autoindex on;" + ," }" + ,"}" + , "" + ,"### tmp server" + ,"server {" + ," ssi on;" + ," server_name tmp.localhost;" + ," root /tmp;" + ," index index.html;" + , "" + ," location / {" + ," autoindex on;" + ," }" + ,"}" + ] + +cygnusSudoers :: [File.Line] +cygnusSudoers = [ + "# Host alias specification" + , "" + ,"# User alias specification" + ,"User_Alias CRYPTERS = s" + ,"User_Alias SANDBOXERS = s" + ,"User_Alias VAGRANTS = s" + ,"User_Alias SUPER_COWS = s" + , "" + ,"# Cmnd alias specification" + ,"Cmnd_Alias CRYPT = /sbin/losetup, /sbin/cryptsetup, \\" + ," /sbin/mkfs.ext4, /bin/mount, /bin/umount" + ,"Cmnd_Alias SANDBOX = /usr/sbin/debootstrap, /usr/bin/systemd-nspawn, \\" + ," /bin/machinectl" + , "" + , "# Vagrant command alias specification" + , "Cmnd_Alias VAGRANT_EXPORTS_CHOWN = /bin/chown 0\\:0 /tmp/*" + , "Cmnd_Alias VAGRANT_EXPORTS_MV = 
/bin/mv -f /tmp/* /etc/exports" + , "Cmnd_Alias VAGRANT_NFSD_CHECK = /bin/systemctl status nfs-kernel-server" + , "Cmnd_Alias VAGRANT_NFSD_START = /bin/systemctl start nfs-kernel-server" + , "Cmnd_Alias VAGRANT_NFSD_APPLY = /usr/sbin/exportfs -ar" + , "Cmnd_Alias VAGRANT = VAGRANT_EXPORTS_CHOWN, VAGRANT_EXPORTS_MV, \\" + , " VAGRANT_NFSD_CHECK, VAGRANT_NFSD_START, \\" + , " VAGRANT_NFSD_APPLY" + , "" + ,"# User privilege specification" + ,"root ALL=(ALL:ALL) ALL" + , "" + ,"# Allow super cows to execute any command" + ,"SUPER_COWS ALL=(ALL:ALL) ALL" + + , "" + ,"CRYPTERS ALL = NOPASSWD: CRYPT " + ,"SANDBOXERS ALL = NOPASSWD: SANDBOX" + ,"VAGRANTS ALL = NOPASSWD: VAGRANT" + ] + +cygnusNetworkManager :: [File.Line] +cygnusNetworkManager = [ + "[device]" + , "wifi.scan-rand-mac-address=no" + ] +-- end cygnus snafu.
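Review bot: None of the server blocks in cygnusNginx carries a `listen` directive, so nginx binds on every interface and picks these sites by Host header alone; the `home.localhost` and `tmp.localhost` blocks therefore publish autoindex listings of `/home/s/` and `/tmp` (whatever the worker user can read there) to any peer that can reach port 80, not only to local clients. Adding `," listen 127.0.0.1:80;"` after each `,"server {"` line keeps these development sites loopback-only, and a catch-all `default_server` that returns 444 would close the same gap for the first block, which is the implicit default today. Separately, removeEmptyHomeDirs does more than its name says: `rm -rf` every ten minutes deletes the eight directories together with any contents, so `cmd = "rmdir --ignore-fail-on-non-empty Documents Public Desktop Downloads" ++ " Music Pictures Templates Videos 2>/dev/null"` matches the job's stated intent. In cygnusSudoers, NOPASSWD on an unrestricted `/bin/mount` and `/bin/umount` (alias CRYPT) is in practice a passwordless root grant, which makes the password still required by the `SUPER_COWS` rule moot; constraining the permitted arguments or dropping NOPASSWD from that rule would restore the boundary the file otherwise draws.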