

      1 -- This is the live config file used by propellor's author.
      2 -- https://propellor.branchable.com/
      3 module Main where
      4 
      5 import Propellor
      6 import Propellor.Property.Scheduled
      7 import Propellor.Property.DiskImage
      8 import Propellor.Property.Chroot
      9 import Propellor.Property.Machine
     10 import Propellor.Property.Bootstrap
     11 import qualified Propellor.Property.File as File
     12 import qualified Propellor.Property.Apt as Apt
     13 import qualified Propellor.Property.Network as Network
     14 import qualified Propellor.Property.Ssh as Ssh
     15 import qualified Propellor.Property.Cron as Cron
     16 import qualified Propellor.Property.Sudo as Sudo
     17 import qualified Propellor.Property.User as User
     18 import qualified Propellor.Property.Hostname as Hostname
     19 import qualified Propellor.Property.Fstab as Fstab
     20 import qualified Propellor.Property.Tor as Tor
     21 import qualified Propellor.Property.Dns as Dns
     22 import qualified Propellor.Property.Git as Git
     23 import qualified Propellor.Property.Postfix as Postfix
     24 import qualified Propellor.Property.Apache as Apache
     25 import qualified Propellor.Property.LetsEncrypt as LetsEncrypt
     26 import qualified Propellor.Property.Locale as Locale
     27 import qualified Propellor.Property.Grub as Grub
     28 import qualified Propellor.Property.Borg as Borg
     29 import qualified Propellor.Property.Gpg as Gpg
     30 import qualified Propellor.Property.OpenId as OpenId
     31 import qualified Propellor.Property.Systemd as Systemd
     32 import qualified Propellor.Property.Journald as Journald
     33 import qualified Propellor.Property.Fail2Ban as Fail2Ban
     34 import qualified Propellor.Property.Laptop as Laptop
     35 import qualified Propellor.Property.HostingProvider.Linode as Linode
     36 import qualified Propellor.Property.HostingProvider.DigitalOcean as DigitalOcean
     37 import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
     38 import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
     39 import qualified Propellor.Property.SiteSpecific.Branchable as Branchable
     40 import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites
     41 
-- Entry point: hands the full host list to propellor's standard driver.
main :: IO ()           --     _         ______`|                       ,-.__
main = defaultMain hosts --  /   \___-=O`/|O`/__|                      (____.'
  {- Propellor            -- \          / | /    )          _.-"-._
     Deployed -}          --  `/-==__ _/__|/__=-|          (       \_
     46 hosts :: [Host]          --   *             \ | |           '--------'
     47 hosts =                 --                  (o)  `
     48 	[ darkstar
     49 	, dragon
     50 	, clam
     51 	, orca
     52 	, baleen
     53 	, honeybee
     54 	, kite
     55 	, beaver
     56 	, sow
     57 	, mouse
     58 	, peregrine
     59 	, pell
     60 	, keysafe
     61 	] ++ monsters
     62 
-- The author's laptop. Declared with osDebian directly rather than
-- standardSystem, so the Ssh.noPasswords hardening that standardSystem
-- layers on top is NOT applied to this host.
darkstar :: Host
darkstar = host "darkstar.kitenet.net" $ props
	& osDebian Unstable X86_64
	& ipv6 "2001:4830:1600:187::2"
	& Hostname.sane
	& Hostname.mailname
	& Apt.serviceInstalledRunning "swapspace"
	& Laptop.powertopAutoTuneOnBoot
	& Laptop.trimSSD
	-- Kernel command line tweaks. '!' reverts a property, so the
	-- second line keeps "quiet" out of the default command line.
	& Grub.cmdline_Linux_default "i915.enable_psr=1"
	! Grub.cmdline_Linux_default "quiet"
	-- dialout: presumably for serial / USB-serial console access.
	& User.hasGroup (User "joey") (Group "dialout")

	& JoeySites.dkimMilter
	& JoeySites.postfixSaslPasswordClient
	-- & JoeySites.alarmClock "*-*-* 7:30" (User "joey")
	--	"/usr/bin/timeout 45m /home/joey/bin/goodmorning"
	& JoeySites.laptopSoftware
	& JoeySites.userDirHtml
	-- Only the public half of the key is declared here; the private
	-- half is expected to come from privdata under hostContext.
	& Ssh.userKeys (User "joey") hostContext
		[ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfFntnesZcYz2B2T41ay45igfckXRSh5uVffkuCQkLv joey@darkstar")
		]
	-- Disk images for the ARM boards are built on this machine.
	-- The banana image is currently reverted, i.e. not built.
	& imageBuiltFor honeybee
		(RawDiskImage "/srv/honeybee.img")
		(Debootstrapped mempty)
	! imageBuiltFor banana
		(RawDiskImage "/srv/banana.img")
		(Debootstrapped mempty)
     91 
-- Sparse definition: no OS, standardSystem or ssh hardening properties
-- are declared for this host, only an address and the mail-related
-- site properties.
-- NOTE(review): the IPv6 address is the same one darkstar declares
-- (2001:4830:1600:187::2); confirm the two are not meant to be live
-- on the network at the same time.
dragon :: Host
dragon = host "dragon.kitenet.net" $ props
	& ipv6 "2001:4830:1600:187::2"
	& JoeySites.dkimMilter
	& JoeySites.postfixSaslPasswordClient
     97 
-- Throwaway server that also runs a public Tor relay.
-- NOTE(review): still pinned to stretch, which is past Debian LTS;
-- confirm it is meant to stay on that suite.
clam :: Host
clam = host "clam.kitenet.net" $ props
	& standardSystem (Stable "stretch") X86_64
		["Unreliable server. Anything here may be lost at any time!" ]
	& ipv4 "178.33.208.168"

	-- The root password comes from privdata, not from this file.
	& User.hasPassword (User "root")
	-- Public halves of the host keys; the private halves are expected
	-- to come from privdata under hostContext.
	-- NOTE(review): OpenSSH clients refuse ssh-dss host keys by default
	-- since 7.0, so the SshDsa entry only serves very old clients.
	& Ssh.hostKeys hostContext
		[ (SshDsa, "ssh-dss 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")
		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJybAjUPUWIhvVMmer8K5ZgdfI54DM6vc8Mzw+5KmVKL0TwkvzbR1HAB4heyMGtN1F8YzkWhsI3/Txh+MQUJ+i4u8SvSYc6D1q3j3ZyCi06wZ3DJS25tZrOM/thOOA1DFA4Hhb0uI/1Kg8PguNNNSMXn8F7q3F6cFQizYgszs6z6ktiST/BTC+IXWovhcnn2vQXXU8FTcTsqBFqA5dEjZbp1WDzqp3km84ZyXGmoVlpqzXeMvlkWTIshYiQjXIwPOkALzlGYjp1lw1OaxPVI1IGFcgCbIWQQWoCReb+genX2VaR+odAYXjaOdRx0lQj7UCPTBCpqMyzBMLtT5Yiaqh")
		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPhfvcOuw0Yt+MnsFc4TI2gWkKi62Eajxz+TgbHMO/uRTYF8c5V8fOI3o+J/3m5+lT0S5o8j8a7xIC3COvi+AVw=")
		]
	& Apt.unattendedUpgrades
	& Apt.serviceInstalledRunning "swapspace"

	-- Public Tor relay with a monthly bandwidth cap.
	& Tor.isRelay
	& Tor.named "kite1"
	& Tor.bandwidthRate (Tor.PerMonth "400 GB")
	
	-- Plain DNS to third-party public resolvers (Google, Cloudflare).
	-- kite, by contrast, resolves through a name server on localhost.
	& "/etc/resolv.conf" `File.hasContent`
		[ "nameserver 8.8.8.8"
		, "nameserver 8.8.4.4"
		, "nameserver 1.1.1.1"
		, "domain kitenet.net"
		, "search kitenet.net"
		]
    124 
-- Secondary git-annex build box (a VM); gets the hardened standardSystem.
baleen :: Host
baleen = host "baleen.kitenet.net" $ props
	& standardSystem Unstable X86_64 [ "New git-annex build box." ]

	-- Not on public network; ssh access via bounce host.
	& ipv4 "138.38.77.40"
	
	-- The root filesystem content may be lost if the VM is resized.
	-- /dev/vdb contains persistent storage.
	& Fstab.mounted "auto" "/dev/vdb" "/var/lib/container" mempty
	
	& Apt.unattendedUpgrades
	-- Outbound mail only; this host does not accept incoming mail.
	& Postfix.satellite
	& Apt.serviceInstalledRunning "ntp"
	-- Keep journald logs across reboots so build failures can be traced.
	& Systemd.persistentJournal
    140 
-- Main git-annex build box. Each build flavour runs in its own
-- systemd-nspawn container with an hourly cron trigger and a timeout,
-- so an untrusted or runaway build is isolated from the host.
orca :: Host
orca = host "orca.kitenet.net" $ props
	& standardSystem Unstable X86_64 [ "Main git-annex build box." ]
	& ipv4 "138.38.108.179"

	& Apt.unattendedUpgrades
	& Postfix.satellite
	& Apt.serviceInstalledRunning "ntp"
	& Systemd.persistentJournal

	& Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
		GitAnnexBuilder.standardAutoBuilder
		Unstable X86_64 Nothing (Cron.Times "15 * * * *") "2h")
	& Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
		GitAnnexBuilder.standardAutoBuilder
		Unstable X86_32 Nothing (Cron.Times "30 * * * *") "2h")
	-- "ancient" flavour built on jessie with stack.
	-- NOTE(review): jessie is long past Debian LTS; this container
	-- will not receive security updates.
	& Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
		GitAnnexBuilder.stackAutoBuilder
		(Stable "jessie") X86_32 (Just "ancient") (Cron.Times "45 * * * *") "2h")
	& Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
		GitAnnexBuilder.standardAutoBuilder
		Testing ARM64 Nothing (Cron.Times "1 * * * *") "4h")
    163 
-- Banana Pi dev board, described only as a disk image layout.
-- NOTE(review): the root password is the literal "root". That is only
-- tolerable for a throwaway board image that is never reachable from
-- a network; note darkstar currently reverts building this image
-- ('! imageBuiltFor banana').
banana :: Host
banana = host "banana.kitenet.net" $ props
	& lemaker_Banana_Pi
	& hasPartition
		( partition EXT4
			`mountedAt` "/"
			`setSize` MegaBytes 950
		)
	& osDebian Testing ARMHF
	& User.hasInsecurePassword (User "root") "root"
    174 
-- Home router / NAS on a Cubietruck, also an ARM git-annex builder.
-- Its disk image is built on darkstar (see imageBuiltFor there).
honeybee :: Host
honeybee = host "honeybee.kitenet.net" $ props
	& standardSystem Testing ARMHF
		[ "Home router and arm git-annex build box." ]
	-- rsyslog removed; journald (made persistent below) is the log store.
	& Apt.removed ["rsyslog"]
	
	& cubietech_Cubietruck
	& hasPartition
		( partition EXT3
			`mountedAt` "/"
			`setSize` MegaBytes 16000
		)
	& JoeySites.cubieTruckOneWire
	& Systemd.persistentJournal
	& Apt.installed ["firmware-atheros"]
	& Apt.serviceInstalledRunning "ntp" -- no hardware clock
	& bootstrappedFrom GitRepoOutsideChroot
	-- Public half only; the private key is expected from privdata
	-- under hostContext.
	& Ssh.hostKeys hostContext
		[ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIS/hDYq1MAxfOBf49htym3BOYlx4Gk9SDpiHjv7u6IC")
		]

	-- Needs the full host list (for other hosts' keys/addresses) and
	-- joey@honeybee's public key.
	& JoeySites.house
		(User "joey")
		hosts
		(Context "house.joeyh.name")
		(SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAmVYddg/RgCbIj+cLcEiddeFXaYFnbEJ3uGj9G/EyV joey@honeybee")
	& JoeySites.homeRouter
	& JoeySites.homeNAS
	& Apt.installed ["mtr-tiny", "iftop", "screen"]
	& Postfix.satellite

	-- The nspawn autobuilder is only set up when this host config is
	-- not itself running with a contained filesystem (presumably: skip
	-- it inside a container; confirm against hasContainerCapability).
	& check (not <$> hasContainerCapability Systemd.FilesystemContained) 
		(setupRevertableProperty autobuilder)
	-- In case compiler needs more than available ram
	& Apt.serviceInstalledRunning "swapspace"
  where
	-- armel builds, once a day at 15:15, killed after 10h.
	autobuilder = Systemd.nspawned $ GitAnnexBuilder.autoBuilderContainer
		(GitAnnexBuilder.armAutoBuilder GitAnnexBuilder.standardAutoBuilder)
		Testing ARMEL Nothing (Cron.Times "15 15 * * *") "10h"
    214 
    215 -- This is not a complete description of kite, since it's a
    216 -- multiuser system with eg, user passwords that are not deployed
    217 -- with propellor.
-- Main multiuser server: mail, web, git, DNS primary, plus several
-- services isolated in nspawn containers. Uses standardSystemUnhardened
-- (no Ssh.noPasswords) because ssh password authentication is
-- deliberately enabled below.
kite :: Host
kite = host "kite.kitenet.net" $ props
	& standardSystemUnhardened Testing X86_64 [ "Welcome to kite!" ]
	& ipv4 "66.228.36.95"
	& ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
	& alias "kitenet.net"
	-- Host keys are under the shared "kitenet.net" privdata context
	-- rather than hostContext. Public halves only appear here.
	-- NOTE(review): the SshDsa key is refused by default by OpenSSH
	-- clients since 7.0; it only serves very old clients.
	& Ssh.hostKeys (Context "kitenet.net")
		[ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45")
		, (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=")
		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=")
		, (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZftKMnH/zH29BHMKbcBO4QsgTrstYFVhbrzrlRzBO3")
		]

	& Network.preserveStatic "eth0" `requires` Network.cleanInterfacesFile
	& Apt.installed ["linux-image-amd64"]
	& Apt.serviceInstalledRunning "swapspace"
	& Linode.serialGrub
	& Linode.mlocateEnabled
	& Apt.unattendedUpgrades
	& Systemd.installed
	& Systemd.persistentJournal
	& Journald.systemMaxUse "500MiB"
	-- Multiuser box: password logins stay on, so brute-force attempts
	-- are rate-limited by fail2ban instead of being impossible.
	& Ssh.passwordAuthentication True
	& Fail2Ban.installed -- since ssh password authentication is allowed
	-- Allow ssh -R to forward ports via kite
	-- With "clientspecified" any authenticated user can ask sshd to bind
	-- a remote forward on kite's non-loopback addresses, i.e. expose a
	-- port on the public IPs above. Intended, but worth knowing given
	-- password auth is enabled.
	& Ssh.setSshdConfig "GatewayPorts" "clientspecified"
	& Apt.serviceInstalledRunning "ntp"
	& "/etc/timezone" `File.hasContent` ["US/Eastern"]
	
	-- Daily full-system borg backup to rsync.net over ssh as root.
	-- The rsync.net host key is pinned via 'monsters' (Ssh.knownHost),
	-- and root's key pair is under the "kite.kitenet.net" context
	-- (public half here, private half from privdata).
	& Borg.backup "/" (JoeySites.rsyncNetBorgRepo "kite.borg" []) Cron.Daily
		[ "--exclude=/proc/*"
		, "--exclude=/sys/*"
		, "--exclude=/run/*"
		, "--exclude=/mnt/*"
		, "--exclude=/tmp/*"
		, "--exclude=/var/tmp/*"
		, "--exclude=/var/cache/*"
		, "--exclude=/var/lib/swapspace/*"
		, "--exclude=/var/lib/container/*"
		, "--exclude=/home/joey/lib"
		-- These directories are backed up and restored separately.
		, "--exclude=/srv/git"
		, "--exclude=/var/spool/oldusenet"
		]
		[ Borg.KeepDays 7
		, Borg.KeepWeeks 4
		, Borg.KeepMonths 3
		]
		`requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root")
		`requires` Ssh.userKeys (User "root")
			(Context "kite.kitenet.net")
			[ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Gza2sNqSKfNtUN4dN/Z3rlqw18nijmXFx6df2GtBoZbkIak73uQfDuZLP+AXlyfHocwdkdHEf/zrxgXS4EokQMGLZhJ37Pr3edrEn/NEnqroiffw7kyd7EqaziA6UOezcLTjWGv+Zqg9JhitYs4WWTpNzrPH3yQf1V9FunZnkzb4gJGndts13wGmPEwSuf+QHbgQvjMOMCJwWSNcJGdhDR66hFlxfG26xx50uIczXYAbgLfHp5W6WuR/lcaS9J6i7HAPwcsPDA04XDinrcpl29QwsMW1HyGS/4FSCgrDqNZ2jzP49Bka78iCLRqfl1efyYas/Zo1jQ0x+pxq2RMr root@kite")
			]

	-- Mail (smtp/imap/pop) for all the kitenet.net aliases.
	& alias "smtp.kitenet.net"
	& alias "imap.kitenet.net"
	& alias "pop.kitenet.net"
	& alias "mail.kitenet.net"
	& JoeySites.kiteMailServer

	& JoeySites.legacyWebSites
	& File.ownerGroup "/srv/web" (User "joey") (Group "joey")
	& Apt.installed ["analog"]

	& alias "git.kitenet.net"
	& alias "git.joeyh.name"
	& JoeySites.gitServer hosts

	& JoeySites.downloads
	& JoeySites.gitAnnexDistributor
	& JoeySites.tmp

	& Apt.installed
		[ "git-annex", "myrepos"
		, "build-essential", "make"
		, "rss2email", "archivemail"
		, "devscripts"
		-- Some users have zsh as their login shell.
		, "zsh"
		]

	& alias "nntp.olduse.net"
	& JoeySites.oldUseNetServer hosts
	& Systemd.nspawned oldusenetShellBox
	
	& alias "znc.kitenet.net"
	& JoeySites.ircBouncer

	& alias "kgb.kitenet.net"
	& JoeySites.kgbServer
	
	-- Legacy site and the php openid provider run in their own containers.
	& Systemd.nspawned ancientKitenet
	& Systemd.nspawned openidProvider
	
	& alias "podcatcher.kitenet.net"
	& JoeySites.podcatcher

	& JoeySites.scrollBox
	& alias "scroll.joeyh.name"
	& alias "us.scroll.joeyh.name"

	-- Authoritative (signed) DNS for my domains, as ns4.
	-- NOTE(review): the 16-character ".onion" CNAME targets are v2 onion
	-- addresses, which the Tor network stopped serving in 2021; these
	-- records are likely stale.
	& alias "ns4.kitenet.net"
	& myDnsPrimary "kitenet.net"
		[ (RelDomain "mouse-onion", CNAME $ AbsDomain "htieo6yu2qtcn2j3.onion")
		, (RelDomain "beaver-onion", CNAME $ AbsDomain "tl4xsvaxryjylgxs.onion")
		, (RelDomain "peregrine-onion", CNAME $ AbsDomain "ahw47zqw6qszoufl.onion")
		, (RelDomain "sow-onion", CNAME $ AbsDomain "urt4g2tq32qktgtp.onion")
		]
	& myDnsPrimary "joeyh.name" []
	& myDnsPrimary "ikiwiki.info" []
	& myDnsPrimary "olduse.net"
		[ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk")
		]
	& alias "ns4.branchable.com"
	& branchableSecondary
	-- animx's address comes from its entry in 'monsters'.
	& Dns.secondaryFor ["animx"] hosts "animx.eu.org"
	-- Use its own name server (among other things this avoids
	-- spamassassin URIBL_BLOCKED).
	& "/etc/resolv.conf" `File.hasContent`
		[ "nameserver 127.0.0.1"
		, "domain kitenet.net"
		, "search kitenet.net"
		]
	
	& alias "debug-me.joeyh.name"
	& Apt.installed ["debug-me"]
	& Systemd.enabled "debug-me"

	-- testing
	& Apache.httpsVirtualHost "letsencrypt.joeyh.name" "/var/www/html"
		(LetsEncrypt.AgreeTOS (Just "id@joeyh.name"))
	& alias "letsencrypt.joeyh.name"
    350 
    351 beaver :: Host
    352 beaver = host "beaver.kitenet.net" $ props
    353 	& Apt.installed ["ssh"]
    354 	& Ssh.hostPubKey SshDsa "ssh-dss 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"
    355 	& Tor.installed
    356 	& Tor.hiddenServiceAvailable "ssh" (Port 22)
    357 
    358 sow :: Host
    359 sow = host "sow.kitenet.net" $ props
    360 	& Apt.installed ["ssh"]
    361 	& Ssh.hostPubKey SshDsa "ssh-dss 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"
    362 	& Tor.installed
    363 	& Tor.hiddenServiceAvailable "ssh" (Port 22)
    364 
    365 mouse :: Host
    366 mouse = host "mouse.kitenet.net" $ props
    367 	& ipv4 "67.223.19.96"
    368 	& Apt.installed ["ssh"]
    369 	& Tor.installed
    370 	& Tor.hiddenServiceAvailable "ssh" (Port 22)
    371 
    372 peregrine :: Host
    373 peregrine = host "peregrine.kitenet.net" $ props
    374 	& Apt.installed ["ssh"]
    375 	& Tor.installed
    376 	& Tor.hiddenServiceAvailable "ssh" (Port 22)
    377 
    378 -- Branchable is not completely deployed with propellor yet.
-- Branchable's server. Declared with osDebian directly, so none of the
-- standardSystem properties (ssh hardening, root/joey accounts, hourly
-- propellor cron) apply here.
pell :: Host
pell = host "pell.branchable.com" $ props
	& alias "branchable.com"
	& ipv4 "66.228.46.55"
	& ipv6 "2600:3c03::f03c:91ff:fedf:c0e5"

	-- All the websites I host at branchable that don't use
	-- branchable.com dns.
	& alias "olduse.net"
	& alias "www.olduse.net"
	& alias "www.kitenet.net"
	& alias "joeyh.name"
	& alias "www.joeyh.name"
	& alias "campaign.joeyh.name"
	& alias "ikiwiki.info"
	& alias "www.ikiwiki.info"
	& alias "git.ikiwiki.info"
	& alias "l10n.ikiwiki.info"
	& alias "dist-bugs.kitenet.net"
	& alias "family.kitenet.net"

	-- 32-bit buster; security updates come in via unattendedUpgrades.
	& osDebian (Stable "buster") X86_32
	& Apt.installed ["linux-image-686-pae"]
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.unattendedUpgrades
	& Branchable.server hosts
	& Linode.serialGrub
    406 
    407 -- See https://joeyh.name/code/keysafe/servers/ for requirements.
-- keysafe server: small DigitalOcean VM, reachable as a Tor onion
-- service, with key-only ssh restricted to joey@darkstar's key.
keysafe :: Host
keysafe = host "keysafe.joeyh.name" $ props
	& ipv4 "139.59.17.168"
	& Hostname.sane
	& Hostname.mailname
	& osDebian (Stable "buster") X86_64
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.unattendedUpgrades
	& DigitalOcean.distroKernel
	-- This is a 500 mb VM, so need more ram to build propellor.
	& Apt.serviceInstalledRunning "swapspace"
	& Cron.runPropellor (Cron.Times "30 * * * *")
	& Apt.installed ["etckeeper", "sudo"]
	& JoeySites.noExim
	-- Trim services that have no business on a single-purpose host.
	& Apt.removed ["nfs-common", "rsyslog", "acpid", "rpcbind", "at"]

	-- Passwords come from privdata; they are not usable for ssh anyway
	-- because of Ssh.noPasswords below.
	& User.hasSomePassword (User "root")
	& User.accountFor (User "joey")
	& User.hasSomePassword (User "joey")
	& Sudo.enabledFor (User "joey")

	& Ssh.installed
	-- Presumably regenerates the host keys rather than keeping any that
	-- came with the provider image; confirm against Ssh.randomHostKeys.
	& Ssh.randomHostKeys
	-- Both root and joey accept only the key declared for joey on darkstar.
	& User "root" `Ssh.authorizedKeysFrom` (User "joey", darkstar)
	& User "joey" `Ssh.authorizedKeysFrom` (User "joey", darkstar)
	& Ssh.noPasswords

	-- The keysafe service itself is only exposed as an onion service;
	-- its onion keys come from privdata under hostContext.
	& Tor.installed
	& Tor.hiddenServiceAvailable "keysafe" (Port 4242)
		`requires` Tor.hiddenServiceData "keysafe" hostContext
	& Tor.bandwidthRate (Tor.PerMonth "750 GB")

	-- keysafe installed manually until package is available
	& Systemd.enabled "keysafe"

	-- NOTE(review): "CECE11AE" is a 32-bit short key id, which is cheap
	-- to collide; prefer the full fingerprint if GpgKeyId accepts one.
	& Gpg.keyImported (Gpg.GpgKeyId "CECE11AE") (User "root")
	-- Pins rsync.net's host key (from 'monsters') for root's backups.
	& Ssh.knownHost hosts "usw-s002.rsync.net" (User "root")
	& Ssh.userKeys (User "root")
		(Context "keysafe.joeyh.name")
		[ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx8bK9ZbXVEgEvxQeXLjnr9cGa/QvoB459aglP529My root@keysafe")
		]
	-- Note that this is not an incremental backup; it uploads the
	-- whole content every time. So, only run weekly.
	& Cron.niceJob "keysafe backup" Cron.Weekly (User "root") "/" backupcmd
		`requires` Apt.installed ["rsync"]
  where
	datadir = "/var/lib/keysafe"
	backupdir = "/var/backups/keysafe"
	rsyncnetbackup = "2318@usw-s002.rsync.net:keysafe"
	-- Shell command run by cron: export a backup copy locally, then
	-- mirror it to rsync.net. --max-delete 3 bounds how many remote
	-- files one run may remove, limiting damage from a bad local state.
	-- All pieces are constants from this file, so no quoting is needed.
	backupcmd = unwords
		[ "keysafe --store-directory", datadir, "--backup-server", backupdir
		, "&& rsync -a --delete --max-delete 3 ",  backupdir , rsyncnetbackup
		]
    461 
    462        --'                        __|II|      ,.
    463      ----                      __|II|II|__   (  \_,/\
    464 --'-------'\o/-'-.-'-.-'-.- __|II|II|II|II|___/   __/ -'-.-'-.-'-.-'-.-'-.-'-
    465 -------------------------- |   [Containers]      / --------------------------
    466 -------------------------- :                    / ---------------------------
    467 --------------------------- \____, o          ,' ----------------------------
    468 ---------------------------- '--,___________,'  -----------------------------
    469 
    470 -- Exhibit: kite's 90's website on port 1994.
    471 ancientKitenet :: Systemd.Container
    472 ancientKitenet = Systemd.debContainer "ancient-kitenet" $ props
    473 	& standardContainer (Stable "buster")
    474 	& alias hn
    475 	& Git.cloned (User "root") "git://kitenet-net.branchable.com/" "/var/www/html"
    476 		(Just "remotes/origin/old-kitenet.net")
    477 	& Apache.installed
    478 	& Apache.listenPorts [p]
    479 	& Apache.virtualHost hn p "/var/www/html"
    480 	& Apache.siteDisabled "000-default"
    481   where
    482 	p = Port 1994
    483 	hn = "ancient.kitenet.net"
    484 
    485 oldusenetShellBox :: Systemd.Container
    486 oldusenetShellBox = Systemd.debContainer "oldusenet-shellbox" $ props
    487 	& standardContainer (Stable "buster")
    488 	& alias "shell.olduse.net"
    489 	& JoeySites.oldUseNetShellBox
    490 
    491 -- My own openid provider. Uses php, so containerized for security
    492 -- and administrative sanity.
    493 openidProvider :: Systemd.Container
    494 openidProvider = Systemd.debContainer "openid-provider" $ props
    495 	-- simpleid is not in buster
    496 	& standardContainer (Stable "stretch")
    497 	& alias hn
    498 	& OpenId.providerFor [User "joey", User "liw"] hn (Just (Port 8086))
    499   where
    500 	hn = "openid.kitenet.net"
    501 
-- Lines written to /etc/motd by standardSystemUnhardened.
type Motd = [String]
    503 
    504 -- This is my standard system setup.
    505 standardSystem :: DebianSuite -> Architecture -> Motd -> Property (HasInfo + Debian)
    506 standardSystem suite arch motd =
    507 	standardSystemUnhardened suite arch motd
    508 		`before` Ssh.noPasswords
    509 
-- Everything in standardSystem except Ssh.noPasswords. Used directly
-- only by kite, which deliberately keeps ssh password authentication.
standardSystemUnhardened :: DebianSuite -> Architecture -> Motd -> Property (HasInfo + Debian)
standardSystemUnhardened suite arch motd = propertyList "standard system" $ props
	& osDebian suite arch
	& Hostname.sane
	& Hostname.mailname
	& Hostname.searchDomain
	& Locale.available "en_US.UTF-8"
	-- motd gets a blank line above and below.
	& File.hasContent "/etc/motd" ("":motd++[""])
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.cacheCleaned
	& Apt.installed ["etckeeper"]
	& Apt.installed ["ssh", "mosh"]
	& GitHome.installedFor (User "root")
	-- Passwords are read from privdata; none are stored in this file.
	& User.hasSomePassword (User "root")
	& User.accountFor (User "joey")
	& User.hasSomePassword (User "joey")
	& Sudo.enabledFor (User "joey")
	& GitHome.installedFor (User "joey")
	& Apt.installed ["vim", "screen", "less"]
	-- Re-run propellor hourly so hosts converge on this config.
	& Cron.runPropellor (Cron.Times "30 * * * *")
	-- I use postfix, or no MTA.
	& JoeySites.noExim
    532 
    533 -- This is my standard container setup, featuring automatic upgrades.
-- Base for every nspawn container: always X86_64, no MTA, and
-- unattended security upgrades so containers do not rot.
standardContainer :: DebianSuite -> Property (HasInfo + Debian)
standardContainer suite = propertyList "standard container" $ props
	& osDebian suite X86_64
	-- Do not want to run mail daemon inside a random container..
	& JoeySites.noExim
	& Apt.stdSourcesList `onChange` Apt.upgrade
	& Apt.unattendedUpgrades
	& Apt.cacheCleaned
    542 
    543 myDnsSecondary :: Property (HasInfo + DebianLike)
    544 myDnsSecondary = propertyList "dns secondary for all my domains" $ props
    545 	& Dns.secondary hosts "kitenet.net"
    546 	& Dns.secondary hosts "joeyh.name"
    547 	& Dns.secondary hosts "ikiwiki.info"
    548 	& Dns.secondary hosts "olduse.net"
    549 
    550 branchableSecondary :: RevertableProperty (HasInfo + DebianLike) DebianLike
    551 branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com"
    552 
    553 -- Currently using kite (ns4) as primary with gandi as secondary
    554 -- kite handles all mail.
    555 myDnsPrimary :: Domain -> [(BindDomain, Record)] -> RevertableProperty (HasInfo + DebianLike) DebianLike
    556 myDnsPrimary domain extras = Dns.signedPrimary (Weekly Nothing) hosts domain
    557 	(Dns.mkSOA "ns4.kitenet.net" 100) $
    558 	[ (RootDomain, NS $ AbsDomain "ns4.kitenet.net")
    559 	, (RootDomain, NS $ AbsDomain "ns6.gandi.net")
    560 	, (RootDomain, MX 0 $ AbsDomain "kitenet.net")
    561 	, (RootDomain, TXT "v=spf1 a a:kitenet.net ~all")
    562 	, JoeySites.domainKey
    563 	] ++ extras
    564 
    565 -- Systems I don't manage with propellor,
    566 -- but do want to track their public keys etc.
    567 monsters :: [Host]
    568 monsters =
    569 	[ host "usw-s002.rsync.net" $ props
    570 		& Ssh.hostPubKey SshEd25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7yTEBGfQYdwG/oeL+U9XPMIh/dW7XNs9T+M79YIOrd"
    571 	, host "github.com" $ props
    572 		& Ssh.hostPubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
    573 	, host "gitlab.com" $ props
    574 		& Ssh.hostPubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY="
    575 	, host "ns6.gandi.net" $ props
    576 		& ipv4 "217.70.177.40"
    577 	, host "animx" $ props
    578 		& ipv4 "76.7.174.49"
    579 	]
    580 
    581 
    582 
    583                           --                                o
    584                           --             ___                 o              o
    585                        {-----\          / o \              ___o            o
    586                        {      \    __   \   /   _        (X___>--         __o
    587   _____________________{ ______\___  \__/ | \__/ \____                  |X__>
    588  <                                  \___//|\\___/\     \____________   _
    589   \                                  ___/ | \___    # #             \ (-)
    590    \    O      O      O             #     |     \ #                  >=)
    591     \______________________________# #   /       #__________________/ (-}
    592 
    593