-- This is the live config file used by propellor's author.
-- https://propellor.branchable.com/
--
-- Review notes: this file is public configuration. The ssh keys that
-- appear inline are public halves only; the private halves are presumably
-- supplied through propellor's privdata store, keyed by the Context values
-- passed to Ssh.userKeys / Ssh.hostKeys below, and never live in this
-- repository -- confirm that before copying this layout elsewhere.
module Main where

import Propellor
import Propellor.Property.Scheduled
import Propellor.Property.DiskImage
import Propellor.Property.Chroot
import Propellor.Property.Machine
import Propellor.Property.Bootstrap
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Network as Network
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.Cron as Cron
import qualified Propellor.Property.Sudo as Sudo
import qualified Propellor.Property.User as User
import qualified Propellor.Property.Hostname as Hostname
import qualified Propellor.Property.Tor as Tor
import qualified Propellor.Property.Dns as Dns
import qualified Propellor.Property.Git as Git
import qualified Propellor.Property.Postfix as Postfix
import qualified Propellor.Property.Apache as Apache
import qualified Propellor.Property.LetsEncrypt as LetsEncrypt
import qualified Propellor.Property.Locale as Locale
import qualified Propellor.Property.Grub as Grub
import qualified Propellor.Property.Borg as Borg
import qualified Propellor.Property.Systemd as Systemd
import qualified Propellor.Property.Journald as Journald
import qualified Propellor.Property.Fail2Ban as Fail2Ban
import qualified Propellor.Property.FlashKernel as FlashKernel
import qualified Propellor.Property.Laptop as Laptop
import qualified Propellor.Property.LightDM as LightDM
import qualified Propellor.Property.HostingProvider.Linode as Linode
import qualified Propellor.Property.SiteSpecific.GitHome as GitHome
import qualified Propellor.Property.SiteSpecific.GitAnnexBuilder as GitAnnexBuilder
import qualified Propellor.Property.SiteSpecific.Branchable as Branchable
import qualified Propellor.Property.SiteSpecific.JoeySites as JoeySites

-- Entry point: propellor's standard driver over the host list below.
main :: IO ()
main = defaultMain hosts

{- Propellor
     Deployed -}

-- Every host propellor knows about. This list is also handed to
-- properties such as Ssh.knownHost, Dns.signedPrimary, JoeySites.house
-- and Branchable.server, so the public keys and addresses recorded on one
-- host are what the others trust for it. Hosts not managed here but whose
-- keys must still be trusted live in `monsters`.
hosts :: [Host]
hosts =
    [ darkstar
    , dragon
    , oyster
    , house
    , gate
    , kite
    , sparrow
    , beaver
    , sow
    , mouse
    , peregrine
    , eel
    , pell
    ] ++ monsters

-- Laptop. A leading "!" is propellor's revert operator, so the "quiet"
-- kernel cmdline and the house disk-image build are actively undone here
-- rather than merely omitted.
darkstar :: Host
darkstar = host "darkstar.kitenet.net" $ props
    & osDebian Unstable X86_64
    & Hostname.sane
    & Hostname.mailname
    & Apt.serviceInstalledRunning "swapspace"
    & Laptop.powertopAutoTuneOnBoot
    & Laptop.trimSSD
    ! Grub.cmdline_Linux_default "quiet"
    & User.hasGroup (User "joey") (Group "dialout")

    & JoeySites.dkimMilter
    & JoeySites.postfixSaslPasswordClient
    & JoeySites.laptopSoftware
    & JoeySites.userDirHtml
    & JoeySites.thinkPadLedsOff
    -- Public key only; the private half is expected from privdata scoped
    -- to this host (hostContext).
    & Ssh.userKeys (User "joey") hostContext
        [ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfFntnesZcYz2B2T41ay45igfckXRSh5uVffkuCQkLv joey@darkstar")
        ]
    -- Building house's image on this laptop is currently reverted.
    ! imageBuiltFor house
        (RawDiskImage "/srv/house.img")
        (Debootstrapped mempty)

-- Minimal host: only the mail-related site properties are managed.
dragon :: Host
dragon = host "dragon.kitenet.net" $ props
    & JoeySites.dkimMilter
    & JoeySites.postfixSaslPasswordClient

-- Throwaway VPS. standardSystem ends with Ssh.noPasswords, so the root
-- password set here is presumably only usable on the provider console,
-- not over ssh -- verify against Ssh.noPasswords if that matters.
oyster :: Host
oyster = host "oyster.kitenet.net" $ props
    & standardSystem (Stable "bookworm") X86_64
        ["Unreliable server. Anything here may be lost at any time!" ]
    & ipv4 "45.87.155.118"

    & User.hasPassword (User "root")
    & Apt.unattendedUpgrades

-- Cubietruck in the house; boots via flash-kernel, no hardware clock.
house :: Host
house = host "house.lan" $ props
    & standardSystem (Stable "bookworm") ARMHF [ "House main computer." ]
    & Apt.removed ["rsyslog"]

    & cubietech_Cubietruck
    -- fsck when needed on boot
    & "/etc/default/flash-kernel"
        `File.containsLine` "LINUX_KERNEL_CMDLINE=\"fsck.repair=yes\""
        `onChange` FlashKernel.flashKernel
    & hasPartition
        ( partition EXT3
            `mountedAt` "/"
            `setSize` MegaBytes 16000
        )
    & JoeySites.cubieTruckOneWire
    & Systemd.persistentJournal
    & Apt.installed ["firmware-atheros"]
    & Apt.serviceInstalledRunning "systemd-timesyncd" -- no hardware clock
    & bootstrappedFrom GitRepoOutsideChroot
    -- Host key is pinned here so other hosts' known_hosts entries for
    -- house survive a reinstall from the disk image.
    & Ssh.hostKeys hostContext
        [ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIS/hDYq1MAxfOBf49htym3BOYlx4Gk9SDpiHjv7u6IC")
        ]
    & Ssh.userKeys (User "joey") hostContext
        [ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAYgEgsDmN26goPBGPN0HIvtkZfxlc996nPfBPDWxGuh")
        ]

    -- The trailing key is a third party's public key (joey@honeybee),
    -- presumably authorized for the house service; see JoeySites.house.
    & JoeySites.house
        (User "joey")
        hosts
        (Context "house.joeyh.name")
        (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAmVYddg/RgCbIj+cLcEiddeFXaYFnbEJ3uGj9G/EyV joey@honeybee")

    -- Use network-manager to connect to wifi on whatever usb wifi is connected.
    -- NOTE(review): this profile has no [wifi-security] section, so the
    -- "hollow" network (the AP gate runs below) is joined without a PSK
    -- from this file; either the network is open or the secret is managed
    -- elsewhere -- confirm against gate's hostapd config.
    & Apt.installed ["network-manager"]
    & File.hasContent "/etc/NetworkManager/system-connections/hollow.nmconnection"
        [ "[connection]"
        , "id=hollow"
        , "uuid=dfa672be-79d2-4151-9a26-ae7cb3729681"
        , "type=wifi"
        , "interface-name=wlan1"
        , ""
        , "[wifi]"
        , "mode=infrastructure"
        , "ssid=hollow"
        , ""
        , "[ipv4]"
        , "method=manual"
        , "addresses=10.1.1.2/24"
        , "gateway=10.1.1.1"
        , "dns=10.1.1.1"
        , ""
        , "[ipv6]"
        , "addr-gen-mode=default"
        , "method=auto"
        , ""
        , "[proxy]"
        ]
    & Systemd.enabled "NetworkManager"
    & "/etc/resolv.conf" `File.containsLine` "search lan"

    & Apt.installed ["mtr-tiny", "iftop", "screen", "nmap"]
    & Postfix.satellite

-- This is a raspberry pi and is installed using https://raspi.debian.net/tested-images/
-- before propellor is run on it.
--
-- Wifi router / AP for the "hollow" network. The AP's security settings
-- (WPA mode, passphrase source) live in JoeySites.hostapd2GhzConfig_mt76,
-- not in this file.
gate :: Host
gate = host "gate.lan" $ props
    & standardSystem (Stable "trixie") ARM64 [ "Wifi router." ]
    & Apt.removed ["rsyslog"]

    & Apt.installed ["raspi-firmware", "firmware-misc-nonfree"]
    & Apt.serviceInstalledRunning "systemd-timesyncd" -- no hardware clock

    -- Pin a stable interface name to the USB adapter's MAC so the
    -- hostapd/router config below does not follow a renamed wlanN.
    & "/etc/systemd/network/10-gate.link" `File.containsLines`
        [ "[Match]"
        , "MACAddress=9c:ef:d5:fc:d6:f3" -- USB wifi adapter
        , ""
        , "[Link]"
        , "Name=" ++ JoeySites.wifiInterface ifs
        ]

    & Ssh.hostKeys hostContext
        [ (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG19v7K59SzFp/OntM9iyhlKOj2pShFSPJeqR1aiYhPF2NqztcmsY6WvIDqh6jmaISnyV1IqZZ60zvGTVRoOyMY=")
        ]
    & Ssh.userKeys (User "joey") hostContext
        [ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOmwEfM5qTjA7xuJgygEgHfa1Y/WrRBpu7xBY8D82ul+")
        ]
    & Postfix.satellite

    & JoeySites.connectStarlinkDish ifs
    & JoeySites.homeRouter "gate.lan" ifs "hollow" JoeySites.hostapd2GhzConfig_mt76
  where
    ifs = JoeySites.Interfaces
        { JoeySites.ethernetInterface = "eth0"
        , JoeySites.wifiInterface = "wlan-gate"
        , JoeySites.wifiInterfaceOld = "wlan1"
        }

-- This is not a complete description of kite, since it's a
-- multiuser system with eg, user passwords that are not deployed
-- with propellor.
--
-- Public multiuser server: mail, git, DNS primary, IRC bouncer, web.
-- It deliberately uses the unhardened base (password ssh logins stay on).
kite :: Host
kite = host "kite.kitenet.net" $ props
    & standardSystemUnhardened (Stable "trixie") X86_64 [ "Welcome to kite!" ]
    & ipv4 "66.228.36.95"
    & ipv6 "2600:3c03::f03c:91ff:fe73:b0d2"
    & alias "kitenet.net"
    -- Host keys published for other hosts' known_hosts.
    -- NOTE(review): the ssh-dss entry is a DSA key, which OpenSSH clients
    -- refuse by default since 7.0 and which OpenSSH 9.8+ no longer
    -- supports at all; the ssh-rsa entry's length prefix ("AAAAIEA" ->
    -- 0x81 bytes) indicates a 1024-bit modulus, below current guidance.
    -- Both look like candidates for removal once no legacy client still
    -- pins them; ecdsa and ed25519 are what modern clients will use.
    & Ssh.hostKeys (Context "kitenet.net")
        [ (SshDsa, "ssh-dss AAAAB3NzaC1kc3MAAACBAO9tnPUT4p+9z7K6/OYuiBNHaij4Nzv5YVBih1vMl+ALz0gYAj8RWJzXmqp5buFAyfgOoLw+H9s1bBS01Sy3i07Dm6cx1fWG4RXL/E/3w1tavX99GD2bBxDBu890ebA5Tp+eFRJkS9+JwSvFiF6CP7NbVjifCagoUO56Ig048RwDAAAAFQDPY2xM3q6KwsVQliel23nrd0rV2QAAAIEAga3hj1hL00rYPNnAUzT8GAaSP62S4W68lusErH+KPbsMwFBFY/Ib1FVf8k6Zn6dZLh/HH/RtJi0JwdzPI1IFW+lwVbKfwBvhQ1lw9cH2rs1UIVgi7Wxdgfy8gEWxf+QIqn62wG+Ulf/HkWGvTrRpoJqlYRNS/gnOWj9Z/4s99koAAACBAM/uJIo2I0nK15wXiTYs/NYUZA7wcErugFn70TRbSgduIFH6U/CQa3rgHJw9DCPCQJLq7pwCnFH7too/qaK+czDk04PsgqV0+Jc7957gU5miPg50d60eJMctHV4eQ1FpwmGGfXxRBR9k2ZvikWYatYir3L6/x1ir7M0bA9IzNU45")
        , (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2QAJEuvbTmaN9ex9i9bjPhMGj+PHUYq2keIiaIImJ+8mo+yKSaGUxebG4tpuDPx6KZjdycyJt74IXfn1voGUrfzwaEY9NkqOP3v6OWTC3QeUGqDCeJ2ipslbEd9Ep9XBp+/ldDQm60D0XsIZdmDeN6MrHSbKF4fXv1bqpUoUILk=")
        , (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLF+dzqBJZix+CWUkAd3Bd3cofFCKwHMNRIfwx1G7dL4XFe6fMKxmrNetQcodo2edyufwoPmCPr3NmnwON9vyh0=")
        , (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZftKMnH/zH29BHMKbcBO4QsgTrstYFVhbrzrlRzBO3")
        ]

    & Network.preserveStatic "eth0" `requires` Network.cleanInterfacesFile
    & Apt.installed ["linux-image-amd64"]
    & Linode.serialGrub
    & Linode.locateEnabled
    & Apt.unattendedUpgrades
    & Systemd.installed
    & Systemd.persistentJournal
    & Journald.systemMaxUse "500MiB"
    -- Password ssh logins are kept for the human users of this box;
    -- fail2ban is the compensating control against online guessing.
    & Ssh.passwordAuthentication True
    & Fail2Ban.installed -- since ssh password authentication is allowed
    -- Allow ssh -R to forward ports via kite
    -- NOTE(review): "clientspecified" lets any shell account bind a remote
    -- forward on kite's public addresses rather than only loopback; with
    -- password authentication enabled, a single guessed account can expose
    -- an arbitrary service on this host's IPs. Fine for a trusted user
    -- base, worth revisiting if that changes.
    & Ssh.setSshdConfig "GatewayPorts" "clientspecified"
    & Apt.installed ["wtmpdb"]
    & Apt.serviceInstalledRunning "ntp"
    & "/etc/timezone" `File.hasContent` ["US/Eastern"]

    -- Daily offsite backup as root. The rsync.net host key is pinned via
    -- `monsters` (Ssh.knownHost), so the transfer is not TOFU. Note that
    -- /home/joey/lib and /srv/git are excluded (handled separately) and
    -- /var/lib/container/* -- presumably the nspawn roots -- is not backed up.
    & Borg.backup "/" (JoeySites.rsyncNetBorgRepo "kite.borg" []) Cron.Daily
        [ "--exclude=/proc/*"
        , "--exclude=/sys/*"
        , "--exclude=/run/*"
        , "--exclude=/mnt/*"
        , "--exclude=/tmp/*"
        , "--exclude=/var/tmp/*"
        , "--exclude=/var/cache/*"
        , "--exclude=/var/lib/swapspace/*"
        , "--exclude=/var/lib/container/*"
        , "--exclude=/home/joey/lib"
        -- These directories are backed up and restored separately.
        , "--exclude=/srv/git"
        ]
        [ Borg.KeepDays 7
        , Borg.KeepWeeks 4
        , Borg.KeepMonths 3
        ]
        `requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root")
        `requires` Ssh.userKeys (User "root")
            (Context "kite.kitenet.net")
            [ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyciu8E8qspcO8lnTSUBAxUdYfmk7FaFlvT5yxUaP+0 root@kite")
            ]

    & alias "smtp.kitenet.net"
    & alias "imap.kitenet.net"
    & alias "pop.kitenet.net"
    & alias "mail.kitenet.net"
    & JoeySites.kiteMailServer

    & JoeySites.legacyWebSites
    & File.ownerGroup "/srv/web" (User "joey") (Group "joey")
    & Apt.installed ["analog"]

    & alias "git.kitenet.net"
    & alias "git.joeyh.name"
    & JoeySites.gitServer hosts

    & JoeySites.downloads
    & JoeySites.gitAnnexDistributor
    & JoeySites.tmp

    & Apt.installed
        [ "git-annex", "myrepos"
        , "build-essential", "make"
        , "rss2email", "chewmail"
        , "devscripts"
        -- Some users have zsh as their login shell.
        , "zsh"
        ]

    & alias "znc.kitenet.net"
    & JoeySites.ircBouncer

    & alias "kgb.kitenet.net"
    & JoeySites.kgbServer

    -- Authoritative DNS. The *-onion CNAMEs advertise the Tor ssh services
    -- of the hosts below in public DNS.
    -- NOTE(review): mouse-onion, beaver-onion and sow-onion are 16-character
    -- names, i.e. v2 onion addresses, which Tor stopped supporting in 2021;
    -- peregrine-onion and eel-onion are 56-character v3 names. The three v2
    -- records are almost certainly stale and should be refreshed from the
    -- hosts' current Tor.hiddenServiceAvailable output.
    & alias "ns4.kitenet.net"
    & myDnsPrimary "kitenet.net"
        [ (RelDomain "mouse-onion", CNAME $ AbsDomain "htieo6yu2qtcn2j3.onion")
        , (RelDomain "beaver-onion", CNAME $ AbsDomain "tl4xsvaxryjylgxs.onion")
        , (RelDomain "peregrine-onion", CNAME $ AbsDomain "rsdwvaabir6ty2kdzblq7wdda26ib4fuc6hzxzwum75jbn6thqbojvid.onion")
        , (RelDomain "eel-onion", CNAME $ AbsDomain "4yuc425lsa6ho2c6dlsg4cinadxvsn7vvir7a36ljv7wdyvg52h3inid.onion")
        , (RelDomain "sow-onion", CNAME $ AbsDomain "urt4g2tq32qktgtp.onion")
        ]
    & myDnsPrimary "joeyh.name" []
    & myDnsPrimary "ikiwiki.info" []
    -- Reverted: these zones are no longer served from here.
    ! myDnsPrimary "olduse.net"
        [ (RelDomain "article", CNAME $ AbsDomain "virgil.koldfront.dk")
        ]
    ! myDnsPrimary "quarantimer.app" []
    & alias "ns4.branchable.com"
    & branchableSecondary
    -- Use its own name server (among other things this avoids
    -- spamassassin URIBL_BLOCKED).
    & "/etc/resolv.conf" `File.hasContent`
        [ "nameserver 127.0.0.1"
        , "domain kitenet.net"
        , "search kitenet.net"
        ]

    & alias "debug-me.joeyh.name"
    & Apt.installed ["debug-me", "debug-me-server"]
    & Systemd.enabled "debug-me"

    -- testing
    & Apache.httpsVirtualHost "letsencrypt.joeyh.name" "/var/www/html"
        (LetsEncrypt.AgreeTOS (Just "id@joeyh.name"))
    & alias "letsencrypt.joeyh.name"

    -- Hourly git-annex autobuilders in nspawn containers tracking Unstable.
    & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
        (GitAnnexBuilder.standardAutoBuilder True)
        Unstable X86_64 mempty Nothing (Cron.Times "15 * * * *") "2h")
    & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
        (GitAnnexBuilder.standardAutoBuilder True)
        Unstable X86_32 mempty Nothing (Cron.Times "30 * * * *") "2h")
    & Apt.serviceInstalledRunning "swapspace"

-- ARM64 build host: several autobuilder containers plus a root backup.
sparrow :: Host
sparrow = host "sparrow.kitenet.net" $ props
    & standardSystem (Stable "trixie") ARM64 [ "Welcome to sparrow!" ]
    & ipv4 "128.140.52.168"
    & ipv6 "2a01:4f8:c17:ed3a::1"
    & Apt.installed ["ssh"]
    & Apt.installed [ "git-annex", "myrepos", "build-essential", "make"]
    -- In case compiler needs more than available ram
    & Apt.serviceInstalledRunning "swapspace"

    & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
        (GitAnnexBuilder.standardAutoBuilder True)
        Testing ARM64 mempty Nothing (Cron.Times "1 * * * *") "2h")
    & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
        GitAnnexBuilder.stackAutoBuilder
        (Stable "bullseye") ARM64 mempty
        (Just "ancient") (Cron.Times "20 * * * *") "2h")
    & Systemd.nspawned (GitAnnexBuilder.autoBuilderContainer
        (GitAnnexBuilder.armAutoBuilder (GitAnnexBuilder.standardAutoBuilder True))
        Testing ARMEL mempty Nothing (Cron.Times "40 * * * *") "2h")

    -- Reverted: the ancient-kitenet exhibit container is not run here.
    ! Systemd.nspawned ancientKitenet

    -- Only /root is backed up; the rsync.net host key is pinned via
    -- `monsters` (Ssh.knownHost).
    & Borg.backup "/root" (JoeySites.rsyncNetBorgRepo "sparrow.borg" []) Cron.Daily
        [ ]
        [ Borg.KeepDays 7
        , Borg.KeepWeeks 4
        , Borg.KeepMonths 3
        ]
        `requires` Ssh.knownHost hosts "usw-s002.rsync.net" (User "root")
        `requires` Ssh.userKeys (User "root")
            (Context "sparrow.kitenet.net")
            [ (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID3mgBXLLzp+DnzZqH6Azly+0uZe/d2TK69oZYcFz+gN root@sparrow")
            ]

-- Reachable over ssh as a Tor onion service. Ssh.hostPubKey only records
-- the public key for other hosts' known_hosts.
-- NOTE(review): the recorded host key is DSA (ssh-dss); default OpenSSH
-- clients will not accept it, and OpenSSH 9.8+ cannot. Either the host
-- still offers a DSA-only key (in which case it needs a new key type) or
-- this entry is stale -- check which and update to ed25519.
beaver :: Host
beaver = host "beaver.kitenet.net" $ props
    & Apt.installed ["ssh"]
    & Ssh.hostPubKey SshDsa "ssh-dss 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"
    & Tor.installed
    & Tor.hiddenServiceAvailable "ssh" (Port 22)

-- Same shape as beaver; same DSA host-key caveat applies.
sow :: Host
sow = host "sow.kitenet.net" $ props
    & Apt.installed ["ssh"]
    & Ssh.hostPubKey SshDsa "ssh-dss AAAAB3NzaC1kc3MAAACBAIrLX260fY0Jjj/p0syNhX8OyR8hcr6feDPGOj87bMad0k/w/taDSOzpXe0Wet7rvUTbxUjH+Q5wPd4R9zkaSDiR/tCb45OdG6JsaIkmqncwe8yrU+pqSRCxttwbcFe+UU+4AAcinjVedZjVRDj2rRaFPc9BXkPt7ffk8GwEJ31/AAAAFQCG/gOjObsr86vvldUZHCteaJttNQAAAIB5nomvcqOk/TD07DLaWKyG7gAcW5WnfY3WtnvLRAFk09aq1EuiJ6Yba99Zkb+bsxXv89FWjWDg/Z3Psa22JMyi0HEDVsOevy/1sEQ96AGH5ijLzFInfXAM7gaJKXASD7hPbVdjySbgRCdwu0dzmQWHtH+8i1CMVmA2/a5Y/wtlJAAAAIAUZj2US2D378jBwyX1Py7e4sJfea3WSGYZjn4DLlsLGsB88POuh32aOChd1yzF6r6C2sdoPBHQcWBgNGXcx4gF0B5UmyVHg3lIX2NVSG1ZmfuLNJs9iKNu4cHXUmqBbwFYQJBvB69EEtrOw4jSbiTKwHFmqdA/mw1VsMB+khUaVw=="
    & Tor.installed
    & Tor.hiddenServiceAvailable "ssh" (Port 22)

-- ssh over Tor only; no host key is recorded here, so first contact is
-- trust-on-first-use unless the key is pinned elsewhere.
mouse :: Host
mouse = host "mouse.kitenet.net" $ props
    & Apt.installed ["ssh"]
    & Tor.installed
    & Tor.hiddenServiceAvailable "ssh" (Port 22)

-- Desktop box with ssh over Tor. LightDM auto-login means anyone with
-- physical access gets the "desktop" session without a password; this is
-- a deliberate kiosk-style trade-off, so keep that account unprivileged.
eel :: Host
eel = host "eel.kitenet.net" $ props
    & Apt.installed ["ssh", "screen", "git-annex"]
    & Tor.installed
    & Tor.hiddenServiceAvailable "ssh" (Port 22)
    & LightDM.autoLogin (User "desktop")

-- Same pattern as eel (auto-login desktop, ssh via Tor).
peregrine :: Host
peregrine = host "peregrine.kitenet.net" $ props
    & Apt.installed ["ssh", "screen", "variety", "git-annex"]
    & Tor.installed
    & Tor.hiddenServiceAvailable "ssh" (Port 22)
    & LightDM.autoLogin (User "desktop")

-- Branchable is not completely deployed with propellor yet.
-- Note this host does not use standardSystem, so none of the base
-- hardening (Ssh.noPasswords etc.) is applied from this file.
pell :: Host
pell = host "pell.branchable.com" $ props
    & alias "branchable.com"
    & ipv4 "66.228.46.55"
    & ipv6 "2600:3c03::f03c:91ff:fedf:c0e5"

    -- All the websites I host at branchable that don't use
    -- branchable.com dns.
    & alias "www.kitenet.net"
    & alias "joeyh.name"
    & alias "www.joeyh.name"
    & alias "campaign.joeyh.name"
    & alias "ikiwiki.info"
    & alias "www.ikiwiki.info"
    & alias "git.ikiwiki.info"
    & alias "l10n.ikiwiki.info"
    & alias "dist-bugs.kitenet.net"
    & alias "family.kitenet.net"

    & osDebian (Stable "bookworm") X86_32
    & Apt.installed ["linux-image-686-pae"]
    & Apt.stdSourcesList `onChange` Apt.upgrade
    & Apt.unattendedUpgrades
    & Branchable.server hosts
    & Linode.serialGrub


-- ------------------------------------------------------------------
-- [Containers]
-- ------------------------------------------------------------------

-- Exhibit: kite's 90's website on port 1994.
-- Static exhibit container serving an old snapshot of kitenet.net.
-- NOTE(review): the web root is cloned over git://, which is neither
-- authenticated nor encrypted, so whatever a network attacker substitutes
-- for that repository is what Apache serves from /var/www/html. If
-- branchable offers https:// (or ssh) for this repository, prefer it.
-- The clone is also performed as root, so the working tree is root-owned
-- inside the container.
ancientKitenet :: Systemd.Container
ancientKitenet = Systemd.debContainer "ancient-kitenet" $ props
    & standardContainer (Stable "trixie") ARM64
    & alias hn
    & Git.cloned (User "root") "git://kitenet-net.branchable.com/" "/var/www/html"
        (Just "remotes/origin/old-kitenet.net")
    & Apache.installed
    & Apache.listenPorts [p]
    & Apache.virtualHost hn p "/var/www/html"
    -- Only the exhibit vhost should answer on this port.
    & Apache.siteDisabled "000-default"
  where
    p = Port 1994
    hn = "ancient.kitenet.net"

-- Lines written to /etc/motd, one string per line.
type Motd = [String]

-- This is my standard system setup.
-- The hardened variant: identical to standardSystemUnhardened, then
-- disables ssh password authentication (Ssh.noPasswords). Hosts that
-- need password logins (kite) use the unhardened base directly and add
-- their own compensating controls.
standardSystem :: DebianSuite -> Architecture -> Motd -> Property (HasInfo + Debian)
standardSystem suite arch motd =
    standardSystemUnhardened suite arch motd
        `before` Ssh.noPasswords

-- Base system without the ssh hardening step.
--
-- Security-relevant pieces:
--  * root and joey get passwords from privdata (User.hasSomePassword)
--    and joey gets sudo (Sudo.enabledFor).
--  * Cron.runPropellor re-runs propellor hourly at :30. Presumably that
--    pulls this configuration from its git origin and applies it as root
--    on every host, which makes push access to the config repository the
--    effective trust boundary -- confirm the repo fetch/verification setup.
--  * etckeeper keeps /etc under version control for change auditing.
standardSystemUnhardened :: DebianSuite -> Architecture -> Motd -> Property (HasInfo + Debian)
standardSystemUnhardened suite arch motd = propertyList "standard system" $ props
    & osDebian suite arch
    & Hostname.sane
    & Hostname.mailname
    & Hostname.searchDomain
    & Locale.available "en_US.UTF-8"
    & File.hasContent "/etc/motd" ("":motd++[""])
    & Apt.stdSourcesList `onChange` Apt.upgrade
    & Apt.cacheCleaned
    & Apt.installed ["etckeeper"]
    & Apt.installed ["ssh", "mosh"]
    & GitHome.installedFor (User "root")
    & User.hasSomePassword (User "root")
    & User.accountFor (User "joey")
    & User.hasSomePassword (User "joey")
    & Sudo.enabledFor (User "joey")
    & GitHome.installedFor (User "joey")
    & Apt.installed ["vim", "screen", "less"]
    & Cron.runPropellor (Cron.Times "30 * * * *")
    -- I use postfix, or no MTA.
    & JoeySites.noExim

-- This is my standard container setup, Featuring automatic upgrades.
-- Base for nspawn containers: Debian, no MTA, unattended upgrades.
-- Note there is no ssh or user setup here; containers are reached from
-- the host, not over the network.
standardContainer :: DebianSuite -> Architecture -> Property (HasInfo + Debian)
standardContainer suite arch = propertyList "standard container" $ props
    & osDebian suite arch
    -- Do not want to run mail daemon inside a random container..
    & JoeySites.noExim
    & Apt.stdSourcesList `onChange` Apt.upgrade
    & Apt.unattendedUpgrades
    & Apt.cacheCleaned

-- Secondary DNS for branchable.com; the primary is found in `hosts`.
branchableSecondary :: RevertableProperty (HasInfo + DebianLike) DebianLike
branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com"

-- Currently using kite (ns4) as primary with gandi as secondary
-- kite handles all mail.
--
-- Builds a signed (DNSSEC) primary zone via Dns.signedPrimary on a weekly
-- schedule, deriving host records from `hosts` and appending `extras`.
-- Every zone gets the same MX/SPF/DKIM baseline. The SPF policy is
-- "~all" (softfail); "-all" would be the stricter choice once it is
-- certain that only kitenet.net and the zone's own A records send mail.
myDnsPrimary :: Domain -> [(BindDomain, Record)] -> RevertableProperty (HasInfo + DebianLike) DebianLike
myDnsPrimary domain extras = Dns.signedPrimary (Weekly Nothing) hosts domain
    (Dns.mkSOA "ns4.kitenet.net" 100) $
    [ (RootDomain, NS $ AbsDomain "ns4.kitenet.net")
    , (RootDomain, NS $ AbsDomain "ns6.gandi.net")
    , (RootDomain, MX 0 $ AbsDomain "kitenet.net")
    , (RootDomain, TXT "v=spf1 a a:kitenet.net ~all")
    , JoeySites.domainKey
    ] ++ extras

-- Systems I don't manage with propellor,
-- but do want to track their public keys etc.
--
-- usw-s002.rsync.net's ed25519 host key is what Ssh.knownHost pins for
-- the borg backups on kite and sparrow, so changing it here changes what
-- those hosts will accept. ns6.gandi.net's address is presumably used
-- by the DNS properties for the secondary (zone transfer) configuration.
monsters :: [Host]
monsters =
    [ host "usw-s002.rsync.net" $ props
        & Ssh.hostPubKey SshEd25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7yTEBGfQYdwG/oeL+U9XPMIh/dW7XNs9T+M79YIOrd"
    , host "ns6.gandi.net" $ props
        & ipv4 "217.70.177.40"
    ]

-- (decorative ascii art elided)