summaryrefslogtreecommitdiffhomepage
path: root/config.hs
blob: b17643a381d8c84cfcaeaa279d553ef387db8855 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
{-

\----------------------------------\
 \                                  \        __
  \                                  \       | \
   >  Sean's Propellor configuration  >------|  \       ______
  /                                  /       --- \_____/**|_|_\____  |
 /                                  /          \_______ --------- __>-)
/----------------------------------/              /  \_____|_____/   |
                                                  *         |
                                                           {O}

-}

import           Propellor
import           Propellor.Property.Scheduled

import qualified Propellor.Property.Apt                          as Apt
import qualified Propellor.Property.Chroot                       as Chroot
import qualified Propellor.Property.ConfFile                     as ConfFile
import qualified Propellor.Property.EtcDefault                   as EtcDefault
import qualified Propellor.Property.File                         as File
import qualified Propellor.Property.Fstab                        as Fstab
import qualified Propellor.Property.Git                          as Git
import qualified Propellor.Property.Grub                         as Grub
import qualified Propellor.Property.HostingProvider.Exoscale     as Exoscale
import qualified Propellor.Property.HostingProvider.Linode       as Linode
import qualified Propellor.Property.Laptop                       as Laptop
import qualified Propellor.Property.LightDM                      as LightDM
import qualified Propellor.Property.Localdir                     as Localdir
import qualified Propellor.Property.Locale                       as Locale
import qualified Propellor.Property.Mount                        as Mount
import qualified Propellor.Property.Network                      as Network
import qualified Propellor.Property.Sbuild                       as Sbuild
import qualified Propellor.Property.Schroot                      as Schroot
import qualified Propellor.Property.SiteSpecific.Dotfiles        as Dotfiles
import qualified Propellor.Property.SiteSpecific.SPW             as SPW
import qualified Propellor.Property.SiteSpecific.SPW.Athenet     as Athenet
import qualified Propellor.Property.SiteSpecific.SPW.Hostname    as SPW.Hostname
import qualified Propellor.Property.SiteSpecific.SPW.Services    as SPW.Services
import qualified Propellor.Property.SiteSpecific.SPW.Sites       as SPW.Sites
import qualified Propellor.Property.Ssh                          as Ssh
import qualified Propellor.Property.Systemd                      as Systemd
import qualified Propellor.Property.Timezone                     as Timezone
import qualified Propellor.Property.User                         as User

import           Data.List                                       hiding (foldr1, partition)
import           Prelude                                         hiding (foldr1)
import           Propellor.Base                                  (doesDirectoryExist)

-- #### Spin up propellor

main :: IO ()
main = defaultMain hosts

hosts :: [Host]
hosts =
	[ hephaestus
	, quentin
	, poseidon
	, zephyr
	, iris
        , melete
	, athena
	, hestia
	, federer
	, develacc
	] ++ otherHosts

-- #### Sean's desktop workstation in Sheffield

zephyr :: Host
zephyr = host "zephyr.silentflame.com" $ props
	& SPW.workstation
		(User "swhitton")
		SPW.AutoSpun
		(Stable "buster")
		X86_32
	& Timezone.configured "Europe/London"
	& SPW.debianDevSetup (User "swhitton") X86_32 Sbuild.UseCcache
	& Schroot.useOverlays
	& Apt.noPDiffs
	& Apt.installed ["sscan"] `requires` SPW.athenaApt
	& SPW.dhtChroot (User "swhitton") X86_32

	& Apt.installed ["intel-microcode"]
	& Apt.serviceInstalledRunning "swapspace"

	-- netselect-apt says this mirror is optimal
	& Apt.mirror "http://debian.mirror.uk.sargasso.net/debian/"

	& Apt.installed ["memtest86+"]

	-- Annie's HP Officejet 6600
	& Apt.installed ["hplip"]

	-- try commenting this out; maybe unneeded
	-- -- FastMail's relay is only accessible over ipv4, but postfix
	-- -- seems to be defaulting to ipv6 -- ideally, we'd just
	-- -- restrict the relayhost to ipv4
	-- & Postfix.mainCf ("inet_protocols", "ipv4")
	-- `onChange` Postfix.reloaded

	-- USB WiFi adapter
	& Apt.installed ["firmware-misc-nonfree"]
	& "/etc/modprobe.d/rt2800usb.conf" `File.hasContent`
		["options rt2800usb nohwcrypt=1"]
	-- attempt to improve WiFi performance
	& cmdProperty "iwconfig" ["wlan0", "power", "off"] `assume` NoChange
	-- & cmdProperty "iwconfig" ["wlan0", "rate", "15M", "fixed"] `assume` NoChange

	-- Without this, under kernels 4.9 and 4.13 (at least), a few seconds
	-- after resume from suspend one sees
	--
	--     ata1: SRST failed (errno=-16)

	-- and /sometimes/ also:
	--
	--     ata3: reset failed, giving up
	--
	-- (so it seems like problems with both ata1 and ata3).  System
	-- responsiveness varies (sometimes existing processes respond but can't
	-- spawn new ones but does not degrade; the ata1 case above) and might
	-- in addition see a slew of I/O errors for the encrypted root partition
	-- (the ata3 case above).  The actual resume from the suspend seems to
	-- work, though.
	--
	-- Note that ata1 is PATA, not SATA.  So it is not my HDDs but rather my
	-- optical drives or floppy drive.  Not sure about ata3.
	& "/etc/rc.local" `File.hasContent` ["#!/bin/sh", "", "echo 0 >/sys/power/pm_async"]
	& "/etc/rc.local" `File.mode` 0O0755

	& Athenet.viaAthena "zephyr" (IPv4 "172.27.21.2") Athenet.LocalDiscovery
	& SPW.workstationNMUnmanaged

	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "HandlePowerKey", "suspend")

-- #### Sean's old laptop

iris :: Host
iris = host "iris.silentflame.com" $ props
	& SPW.workstation (User "spwhitton") SPW.OnlineSpun (Stable "buster") X86_64

	-- #### Other basic properties

	& SPW.Hostname.sane
	& Apt.serviceInstalledRunning "swapspace"
	& Apt.installed ["elpa-org-d20"] `requires` SPW.athenaApt
	& Fstab.mounted "tmpfs" "tmpfs" "/tmp" (Mount.toMountOpts "defaults,nodev,nosuid")

	-- iris is usually in the US
	& "en_US.UTF-8" `Locale.selectedFor`
		[ "LC_PAPER"
		, "LC_ADDRESS"
		, "LC_MONETARY"
		, "LC_TELEPHONE"
		, "LC_TIME"
		-- also consider enabling:
		-- , "LC_COLLATE"
		-- , "LC_MONETARY"
		-- , "LC_MEASUREMENT"
		]
	& "/etc/papersize" `File.hasContent` ["letter"]
		`onChange` Apt.reConfigure "libpaper1" []
		`describe` "default paper size is letter"

	-- #### Network

	& SPW.laptopFirewall
	& Athenet.viaAthena "iris" (IPv4 "172.27.21.5") Athenet.NoLocalDiscovery
        & SPW.workstationNMUnmanaged

	-- #### Development

	& SPW.debianDevSetup (User "spwhitton") X86_64 Sbuild.UseCcache
	& Schroot.overlaysInTmpfs
	& SPW.dhtChroot (User "spwhitton") X86_64

	-- crossbuild for athena/zephyr
	! stretchi386Schroot
        & busteri386Schroot

	-- #### ThinkPad x220-specific

	& Laptop.trimSSD
	-- To test the following (thanks, Debian wiki):
	--
	-- % for f in /sys/block/sd?/queue/scheduler; do printf "$f is "; cat $f; done
	& "/etc/udev/rules.d/60-schedulers.rules" `File.hasContent`
		[ "# set deadline scheduler for non-rotating disks"
		, "ACTION==\"add|change\", KERNEL==\"sd[a-z]\", ATTR{queue/rotational}==\"0\", ATTR{queue/scheduler}=\"deadline\""
		, ""
		, "# set cfq scheduler for rotating disks"
		, "ACTION==\"add|change\", KERNEL==\"sd[a-z]\", ATTR{queue/rotational}==\"1\", ATTR{queue/scheduler}=\"cfq\""
		] `describe` "IO schedulers selected"

	& Apt.installed ["intel-microcode"]

	& Apt.installed
		-- prefer tlp to laptop-mode-tools because better integration
		-- with tp-smapi and acpi-call for ThinkPads
		[ "tlp"
		-- this is for stop_charge_thresh
		, "tp-smapi-dkms"
		-- this is needed for tpacpi-bat for start_charge_thresh
		, "acpi-call-dkms"
		]
	`before` EtcDefault.set "tlp" "START_CHARGE_THRESH_BAT0" "70"
	`before` EtcDefault.set "tlp" "STOP_CHARGE_THRESH_BAT0" "80"
	-- This is the default, but it's important, so ensure it anyway
	`before` EtcDefault.set "tlp" "DISK_APM_LEVEL_ON_BAT" "128 128"

	-- iris doesn't support Secure Boot, so avoid any shims being installed
	-- to /boot/efi by grub-install, as that can render it unbootable
	& Apt.removed
		[ "shim-helpers-amd64-signed"
		, "shim-signed"
		, "shim-signed-common"
		, "shim-unsigned"
		]

	-- #### Laptop

	-- Configure lid switch
	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "HandleLidSwitch", "suspend")
	`describe` "suspend on lid switch"
	-- Do nothing when I've connected an external monitor
	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "HandleLidSwitchDocked", "ignore")
	`describe` "ignore lid switch when docked"
	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "LidSwitchIgnoreInhibited", "no")
	`describe` "lid switch respects inhibitions"

	-- We boot from an external drive, so ensure grub is not upgraded
	-- unattended (note this is a regexp, matching grub-common etc.)
	& File.hasContent "/etc/apt/apt.conf.d/50unattended-upgrades-blacklist"
		[ "Unattended-Upgrade::Package-Blacklist {\"grub\";};" ]

	-- & "/etc/systemd/system/goodmorning.timer" `File.hasContent`
	-- 	[ "[Unit]"
	-- 	, "Description=good morning"
	-- 	, ""
	-- 	, "[Timer]"
	-- 	, "Unit=goodmorning.service"
	-- 	, "OnCalendar=Mon,Tue,Wed,Thu,Fri,Sun *-*-* 7:00"
	-- 	, "WakeSystem=true"
	-- 	, "Persistent=false"
	-- 	, ""
	-- 	, "[Install]"
	-- 	, "WantedBy=multi-user.target"
	-- 	] `onChange` Systemd.daemonReloaded
	-- & "/etc/systemd/system/goodmorning.service" `File.hasContent`
	-- 	[ "[Unit]"
	-- 	, "Description=good morning"
	-- 	, "RefuseManualStart=true"
	-- 	, "RefuseManualStop=true"
	-- 	-- this makes it unlikely to trigger if laptop left
	-- 	-- inside my backpack
	-- 	, "ConditionACPower=true"
	-- 	, ""
	-- 	, "[Service]"
	-- 	, "Type=oneshot"
	-- 	, "ExecStart=/bin/systemd-inhibit --what=handle-lid-switch --why=goodmorning /bin/su spwhitton -c \"/usr/bin/timeout 45m /home/spwhitton/bin/goodmorning\""
	-- 	] `onChange` Systemd.daemonReloaded
	-- & Systemd.enabled "goodmorning.timer"
	-- & Systemd.started "goodmorning.timer"

	-- Local DNS cache as laptop roams between networks, some of
	-- which are unreliable.
	-- Rely on NetworkManager to start up the dnsmasq instance
	& "/etc/NetworkManager/NetworkManager.conf"
		`ConfFile.containsIniSetting`
		("main", "dns", "dnsmasq")
	& "/etc/NetworkManager/dnsmasq.d/00-opendns.conf" `File.hasContent`
		[ "no-resolv"
		-- OpenDNS
		, "server=208.67.222.222"
		, "server=208.67.220.220"
		]

	& SPW.xkbVariantSelected "us"

	& "/usr/local/bin/set-brightness" `File.hasContent`
		[ "#!/bin/sh"
		, ""
		, "echo \"$1\" >/sys/class/backlight/intel_backlight/brightness"
		]
	& "/usr/local/bin/set-brightness" `File.mode` 0O0755

	-- use hephaestus's scanner
	& Apt.installed ["sane"]
	& File.containsLine "/etc/sane.d/net.conf" "172.27.21.4"
  where
	stretchi386Schroot = Sbuild.built Sbuild.UseCcache $ props
		& osDebian (Stable "stretch") X86_32
	busteri386Schroot = Sbuild.built Sbuild.UseCcache $ props
		& osDebian (Stable "buster") X86_32
		& Sbuild.osDebianStandard
		& Sbuild.update `period` Weekly Nothing
		-- point at apt-cacher-ng set up above
		& Apt.proxy "http://127.0.0.1:3142"

develacc :: Host
develacc = host "develacc.melete.silentflame.com" $ props

	-- #### Basic properties

	& case meleteSpun of
		SPW.Unpropelled -> SPW.develaccForHost SPW.OnlineSpun X86_64
		_               -> SPW.develaccForHost develaccSpun   X86_64

	-- #### ThinkPad X1C8-specific

	& SPW.meleteXkbSetup

	-- #### Temporary properties applied for devel tasks

	-- & Apt.suiteAvailablePinned Testing 100

	& Chroot.provisioned sidChroot
  where
	-- Toggle this between SPW.OnlineSpun and SPW.ManuallySpun
	-- depending on whether breakage in sid is preventing develacc
	-- from being spun cleanly by propellor
	develaccSpun = SPW.OnlineSpun
	-- develaccSpun SPW.ManuallySpun

	sidChroot = Chroot.debootstrapped mempty "/srv/chroot/sid" $ props
		& osDebian Unstable X86_64

-- #### Sean's laptop

-- Notes:
--
-- - melete moves around, so manually set its timezone (& its develacc's)
--
-- - for the same reason, we don't select a geographical Apt mirror
--
-- - not included in the following: installation of SOF firmware

meleteSpun  :: SPW.HowSpun
meleteSuite :: DebianSuite

-- #### Debian suite configuration

-- Choose a block to uncomment:

-- Use this block during most of the release cycle, and in the later
-- part of the *hard* freeze when backports, stable-updates
-- etc. suites are available, such that propellor's assumptions for a
-- stable suite are not violated
meleteSpun  = SPW.ManuallySpun -- usually SPW.OnlineSpun; manual while working on Consfigurator particularly intensively
meleteSuite = (Stable "bullseye")

-- Use this block during the earlier parts of *hard* freeze when
-- backports suites not available, etc., such that propellor's
-- assumptions about a stable release are violated
-- meleteSpun  = SPW.ManuallySpun
-- meleteSuite = Testing

-- Use this line when won't have ready access to modify propellor
-- config, so don't want propellor trying to change anything.  Leave
-- the meleteSuite setting above uncommented as switching to this block
-- should not involve changing the suite
-- meleteSpun  = SPW.Unpropelled

melete :: Host
melete = host "melete.silentflame.com" $ props
	& SPW.workstation (User "spwhitton") meleteSpun meleteSuite X86_64

	-- #### Other basic properties

	& SPW.Hostname.sane
	& Apt.serviceInstalledRunning "swapspace"
	& Apt.installed ["elpa-org-d20"]
	& Fstab.mounted "tmpfs" "tmpfs" "/tmp" (Mount.toMountOpts "defaults,nodev,nosuid")

	-- melete is usually in the US
	& "en_US.UTF-8" `Locale.selectedFor`
		[ "LC_PAPER"
		, "LC_ADDRESS"
		, "LC_MONETARY"
		, "LC_TELEPHONE"
		, "LC_TIME"
		-- also consider enabling:
		-- , "LC_COLLATE"
		-- , "LC_MONETARY"
		-- , "LC_MEASUREMENT"
		]
	& "/etc/papersize" `File.hasContent` ["letter"]
		`onChange` Apt.reConfigure "libpaper1" []
		`describe` "default paper size is letter"

	-- #### Network

	& SPW.laptopFirewall
	& Athenet.viaAthena "melete" (IPv4 "172.27.21.6") Athenet.NoLocalDiscovery
        & SPW.workstationNMUnmanaged

        -- #### Development

	& SPW.debianDevSetup (User "spwhitton") X86_64 Sbuild.UseCcache
	& Schroot.overlaysInTmpfs
	-- & SPW.dhtChroot (User "spwhitton") X86_64

	-- & SPW.develaccProvisioned (User "spwhitton") develacc X86_64

	-- crossbuild for athena/zephyr
	& busteri386Schroot
	-- & bullseyeARM64Schroot

	-- #### ThinkPad X1C8-specific

	& Apt.installed
		[ "cryptsetup"
		, "lvm2"
		, "grub-efi-amd64"
		, "gdisk"
		, "scdaemon"
		]
	& Laptop.trimSSD
	-- To test the following (thanks, Debian wiki):
	--
	-- % for f in /sys/block/sd?/queue/scheduler; do printf "$f is "; cat $f; done
	& "/etc/udev/rules.d/60-schedulers.rules" `File.hasContent`
		[ "# set deadline scheduler for non-rotating disks"
		, "ACTION==\"add|change\", KERNEL==\"sd[a-z]\", ATTR{queue/rotational}==\"0\", ATTR{queue/scheduler}=\"deadline\""
                , "ACTION==\"add|change\", KERNEL==\"nvme[0-9]n[0-9]\", ATTR{queue/rotational}==\"0\", ATTR{queue/scheduler}=\"deadline\""
		, ""
		, "# set cfq scheduler for rotating disks"
		, "ACTION==\"add|change\", KERNEL==\"sd[a-z]\", ATTR{queue/rotational}==\"1\", ATTR{queue/scheduler}=\"cfq\""
		] `describe` "IO schedulers selected"

	& Apt.installed ["intel-microcode"]

	-- Apparently TLP interferes with Lenovo's firmware, so best avoided
	-- if possible.  Seems that with natacpi in recent kernels we can just
	-- set the thresholds without TLP (though the latter, from
	-- buster-backports or newer, can do it too).  Do not want the
	-- tp-smapi or acpi-call kernel modules -- now it's just natacpi which
	-- is already in the kernel.
	& "/usr/local/bin/set-battery-thresholds" `File.hasContent`
		[ "#!/bin/sh"
		, ""
		, "stop=${2:-80}"
		, "start=${1:-70}"
		, ""
		, "echo $stop >/sys/class/power_supply/BAT0/charge_stop_threshold"
		, "echo $start >/sys/class/power_supply/BAT0/charge_start_threshold"
		]
	& File.mode "/usr/local/bin/set-battery-thresholds" 0O0755
	& "/etc/systemd/system/set-battery-thresholds.service" `File.hasContent`
		[ "[Service]"
		, "Type=oneshot"
		, "RemainAfterExit=yes"
		, "ExecStart=/usr/local/bin/set-battery-thresholds"
		, ""
		, "[Install]"
		, "WantedBy=multi-user.target"
		]
	& Systemd.enabled "set-battery-thresholds"
	& Systemd.started "set-battery-thresholds"

	-- #### Laptop

	-- Configure lid switch
	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "HandleLidSwitch", "suspend")
	`describe` "suspend on lid switch"
	-- -- Do nothing when I've connected an external monitor
	-- & "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
	-- 	("Login", "HandleLidSwitchDocked", "ignore")
	-- `describe` "ignore lid switch when docked"
	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "LidSwitchIgnoreInhibited", "no")
	`describe` "lid switch respects inhibitions"

	-- We boot from an external drive, so ensure grub is not upgraded
	-- unattended (note this is a regexp, matching grub-common etc.)
	& File.hasContent "/etc/apt/apt.conf.d/50unattended-upgrades-blacklist"
		[ "Unattended-Upgrade::Package-Blacklist {\"grub\";};" ]

	-- Local DNS cache as laptop roams between networks, some of
	-- which are unreliable.
	-- Rely on NetworkManager to start up the dnsmasq instance
	& "/etc/NetworkManager/NetworkManager.conf"
		`ConfFile.containsIniSetting`
		("main", "dns", "dnsmasq")
	& "/etc/NetworkManager/dnsmasq.d/00-opendns.conf" `File.hasContent`
		[ "no-resolv"
		-- OpenDNS
		, "server=208.67.222.222"
		, "server=208.67.220.220"
		]

	& SPW.meleteXkbSetup

	& "/usr/local/bin/set-brightness" `File.hasContent`
		[ "#!/bin/sh"
		, ""
		, "echo \"$1\" >/sys/class/backlight/intel_backlight/brightness"
		]
	& "/usr/local/bin/set-brightness" `File.mode` 0O0755

	& Apt.installed ["bluetooth", "blueman"]

	-- use hephaestus's scanner
	& Apt.installed ["sane"]
	& File.containsLine "/etc/sane.d/net.conf" "172.27.21.4"

	-- #### Building grml disk images using grml-live

	& Apt.installedMin
		[ "bc"
		, "bzip2"
		, "dosfstools"
		, "fai-client"
		, "fai-server"
		, "isolinux"
		, "memtest86+"
		, "mksh"
		, "moreutils"
		, "mtools"
		, "pciutils"
		, "rsync"
		, "squashfs-tools"
		, "syslinux"
		, "xorriso"
		, "grub-pc-bin"
		, "imagemagick"
		, "ipxe"
		, "syslinux-utils"
		, "libdbd-sqlite3-perl"
		, "libdbi-perl"
		, "libtimedate-perl"
		, "sqlite3"
		]
  where
	busteri386Schroot = Sbuild.built Sbuild.UseCcache $ props
		& osDebian (Stable "buster") X86_32
		& Sbuild.osDebianStandard
		& Sbuild.update `period` Weekly Nothing
		-- point at apt-cacher-ng set up above
		& Apt.proxy "http://127.0.0.1:3142"
	bullseyeARM64Schroot = Sbuild.built Sbuild.UseCcache $ props
		& osDebian (Stable "bullseye") ARM64
		& Sbuild.osDebianStandard
		& Sbuild.update `period` Weekly Nothing
		-- point at apt-cacher-ng set up above
		& Apt.proxy "http://127.0.0.1:3142"

-- #### Sean's desktop workstation in Tucson

hephaestus :: Host
hephaestus = host "hephaestus.silentflame.com" $ props
	& SPW.workstation
		(User "spwhitton")
		SPW.AutoSpun
		(Stable "buster")
		X86_64
	& Apt.noPDiffs
	& Apt.installed ["sscan"] `requires` SPW.athenaApt
	& Apt.installed ["cups"]

	-- close to Tucson
	& Apt.mirror "http://mirror.keystealth.org/debian/"

	-- wired network connection
	& Systemd.disabled "network-manager"
	& Network.dhcp' "enp2s0"
		-- "up" line needed to avoid immediate wake up from suspend on
		-- dorm LAN.  NM way to do this is `nmcli c modify "Wired
		-- connection 1" 802-3-ethernet.wake-up-on-lan none`
		[ ("up", "ethtool -s enp2s0 wol d")
		, ("wpa-driver", "wired")
		, ("wpa-conf", "/etc/wpa_supplicant_laaldea.conf")
		]
	`requires` Network.cleanInterfacesFile
	`requires` Apt.installed ["ethtool", "wpasupplicant"]
	`requires` File.hasPrivContent "/etc/wpa_supplicant_laaldea.conf" anyContext
        -- TODO don't try to ensure this when that file is chattr'd immutable,
        -- as /etc/tinc/athenet-gateway/hosts/athena-up does
	& "/etc/resolv.conf" `File.hasContent`
		[ "domain arizona.edu"
		, "search arizona.edu"
		, "nameserver 128.196.11.234"
		, "nameserver 128.196.11.235"
		]

	-- hephaestus is in the US
	& "en_US.UTF-8" `Locale.selectedFor`
		[ "LC_PAPER"
		, "LC_ADDRESS"
		, "LC_MONETARY"
		, "LC_TELEPHONE"
		, "LC_TIME"
		]
	& "/etc/papersize" `File.hasContent` ["letter"]
		`onChange` Apt.reConfigure "libpaper1" []

	& SPW.xkbVariantSelected "us"

	-- hephaestus has an optical drive
	& Apt.installed ["abcde", "eyed3"]

	& Athenet.viaAthena "hephaestus" (IPv4 "172.27.21.4") Athenet.NoLocalDiscovery
        & Athenet.hippotatClient
	& SPW.sshSourceLockdown

	-- power button suspends/unsuspends
	& "/etc/systemd/logind.conf" `ConfFile.containsIniSetting`
		("Login", "HandlePowerKey", "suspend")

	-- share scanner with athenet
	& Apt.installed ["sane"]
	& File.containsLine "/etc/sane.d/saned.conf" "172.27.21.1/24"
	& Systemd.enabled "saned.socket"
	& Systemd.started "saned.socket"
	-- work around #918358 on buster
	& File.hasContent "/etc/udev/rules.d/65-libsane.rules"
		["ENV{libsane_matched}==\"yes\", RUN+=\"/bin/setfacl -m g:scanner:rw $env{DEVNAME}\""]

-- #### Debian Haskell Group build machine

poseidon :: Host
poseidon = host "poseidon.silentflame.com" $ props
	& Exoscale.distroKernel "amd64"
	& SPW.machine
		(User "spwhitton")
		SPW.AutoSpun
		(Stable "stretch")
		X86_64
	& Apt.installed ["piuparts", "autopkgtest", "lintian"]
	& Apt.useLocalCacher
	& sidSchroot
	& Sbuild.usableBy (User "spwhitton")
	`describe` "sbuild usable by Sean"
	& Schroot.overlaysInTmpfs
	& Fstab.mounted "tmpfs" "tmpfs" "/tmp" (Mount.toMountOpts "defaults,nodev,nosuid")
	& Git.pulled (User "spwhitton")
		"https://salsa.debian.org/haskell-team/package-plan.git"
		"/home/spwhitton/src/package-plan"
		Nothing
	& Git.pulled (User "spwhitton")
		"https://salsa.debian.org/haskell-team/DHG_packages.git"
		"/home/spwhitton/src/DHG_packages"
		Nothing
	& Apt.installed ["pkg-haskell-tools"]
	& "/etc/schroot/sbuild/fstab"
		`File.containsLine` "/tmp /tmp none rw,bind 0 0"
	& "/etc/schroot/chroot.d/unstable-amd64-sbuild-propellor"
		`ConfFile.containsIniSetting`
		("unstable-amd64-sbuild"
		, "aliases"
		, "UNRELEASED,UNRELEASED-amd64-sbuild,sid,rc-buggy,experimental,haskell")
	& "/etc/webfsd.conf" `File.containsLines`
	[ "web_root=\"/home/spwhitton/src/DHG_packages/lab\""
	, "web_port=\"80\""
	]
	`requires` Apt.serviceInstalledRunning "webfs"
	`requires` File.dirExists "/home/spwhitton/src/DHG_packages/lab"
	`describe` "webfs serving DHG packages lab"

	& "/home/spwhitton/local/bin/dht-make-all" `File.hasContent`
		[ "#!/bin/sh"
		, ""
		, "stamp=\"$(date '+%Y%m%d-%H%M')\""
		, "string=\"$(date)\""
		, "stdout=\"lab/stdout.$stamp.log\""
		, "stderr=\"lab/stderr.$stamp.log\""
		, ""
		-- TODO sid apt source and test this line
		-- , "test -e $HOME/src/DHG_packages/p/pandoc || ( cd $HOME/src/DHG_packages/p && apt-get source pandoc/sid && mv pandoc-* pandoc)"
		, ""
		, "cd $HOME/src/DHG_packages"
		, "mkdir -p lab"
		, "rm -f lab/*_amd64.build            # removes symlinks only"
		, ""
		, "echo \"starting build at $string\" | tee -a $stdout"
		, ""
		, "dht make-all -j2 --keep-going \\"
		, "    --sbuild-option --no-run-lintian \\"
		, "    --sbuild-option --no-run-piuparts \\"
		, "    >>$stdout 2>$stderr"
		]
	-- & Cron.job "dht-make-all" (Cron.Times "0 */5 * * *")
	-- 	(User "spwhitton") "/" "/home/spwhitton/local/bin/dht-make-all"
	& Ssh.authorizedKey (User "spwhitton") "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1T32zKC6rjpGqKr5tYLJtsKgm/RXJj4bI0Hzew+oNcPSmC7r9kxDzZxfpBr53HkZSCfiebiK4jHVFnIY5E13b59C8WUSnDNQcMit4sqY0J6/Mksq9s9z/3hgdF0etZEwz7v27muCOB3NDpmIcBy3fmnNHo1WWGUV0RHnc19WDYhMMCJXVj5ZRw4NDBdL3ExGw6Zi27VyjFf2PRr3ve709M88DOCi7AT8SJwMzgTAzc82wzrZcfZ2FYS9jSN19N04+QMkvMuD59uk1K13h2kXtFGycP6OT+LpLcWToVHIljyXIEgFNP1H9wZg5jt7j7RYbJ1wu3Jv4W19bO4j0Lhsx Clint Adams <clint@debian.org>"
  where
	sidSchroot = Sbuild.built Sbuild.UseCcache $ props
		& osDebian Unstable X86_64
		& Sbuild.osDebianStandard
		& Sbuild.update `period` Daily
		-- point at apt-cacher-ng set up above
		& Apt.proxy "http://127.0.0.1:3142"
		& Apt.setSourcesListD
			["deb http://incoming.debian.org/debian-buildd/ buildd-unstable main"]
			"buildd-unstable"

-- #### Old Packard Bell notebook, deep in the Limousin
-- Under Wheezy, quentin was known as 'quentinou'

-- not included in this config: Google talk plugin installed

quentin :: Host
quentin = host "quentin.silentflame.com" $ props
	& Apt.mirror "http://mirrors.ircam.fr/pub/debian/"
	& Locale.available "fr_FR.UTF-8"
	-- marked as manually spun because the propellor cronjob rejects
	-- new changes because its copy of my PGP key has expired.  Needs a
	-- manual spin to fix this (possibly also involving a nuke of
	-- /usr/local/propellor)
	& SPW.machine
		(User "swhitton")
		SPW.ManuallySpun
		(Stable "stretch")
		X86_32
	& Timezone.configured "Europe/Paris"
	& User.accountFor (User "pawhitton")
	& User.hasDesktopGroups (User "pawhitton")
	& LightDM.autoLogin (User "pawhitton")
	& Grub.configured "GRUB_TIMEOUT" "1"
	& Apt.installed ["thunderbird"]

	-- this is so I don't have to use azerty at the tty
	& Apt.installed ["console-data"]

	-- We need vesa rather than openchrome, or startx locks up the machine.
	-- It might be possible to do this with dexconf, the Debian X
	-- Configuration tool, using values from the debconf database.
	& "/etc/X11/xorg.conf" `File.hasContent`
		[ "Section \"Monitor\""
		, "\tIdentifier \"Configured Monitor\""
		, "EndSection"
		, ""
		, "Section \"Screen\""
		, "\tIdentifier \"Default Screen\""
		, "\tMonitor \"Configured Monitor\""
		, "\tDevice \"Configured Video Device\""
		, "EndSection"
		, ""
		, "Section \"Device\""
		, "\tIdentifier \"Configured Video Device\""
		, "\tDriver \"vesa\""
		, "EndSection"
		]

-- #### Web and file server

-- Not included in this description:
--
-- - git repos created by gitolite
--   - including repository descriptions and gitweb.homepage config values
-- - gcrypt repos created in /srv/gcrypt
-- - what is rsync'd to /srv/rsync
-- - /etc/fstab content, edited during install (see ~/doc/org/comproc.org)
-- - user account passwords

athena :: Host
athena = host "athena.silentflame.com" $ props
	& SPW.machine
		(User "spwhitton")
		SPW.AutoSpun
		(Stable "buster")
		X86_32
	& Timezone.configured "Etc/UTC"
	& Apt.noPDiffs

	-- athena is now hosted by Linode.  Since I installed its OS
	-- myself, we don't need 'Linode.mlocateEnabled'
	& ipv4 "50.116.29.24"
	& ipv6 "2600:3c00::f03c:91ff:fe7a:acfd"
	& Network.preserveStatic "ens3" `requires` Network.cleanInterfacesFile
	& Apt.mirror "http://dallas.mirrors.linode.com/debian/"
	& Linode.serialGrub
	& Ssh.hostKeys hostContext
		[ (SshRsa, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvSLr129FgzxWsadMfnKpA3hzSSMPPZpi7Y83udGUAy5Y2fOlYlDrDkThguMjZHXawQeqeU6sM7zzj1Te/HxiMH6DHpcAT0lffUDTRt7LCAdlr+R82FYpdQpZ8rwJVp+T/bE5QvOFuAsPWucTaxFnoDps5uWbimf1kUcmPO6Wi9Jjcjtnv3ihm6eqxdQHOow2ZJimTYX95VGVdZh9b4XJsAs9j+41Baqb57HEQYqDjVA2jm2YFYD5PJ8Ybf0nrVPzMZs7g2zx1AlQcYbZkUxugIzZyYQm/c/wQJ+22zuseaJcQh8/C7frJYJTbF8t1wL0+VS5+SQeWMwlfAubth+qf root@athena")
		, (SshEcdsa, "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJrnc4Ny4pCuwkmxLaXcOVSyiccXOZq7iHTxfjsSZGwg+Fg/bZI8NpvFnjQh1MHX8nsBAuEeI39VnmAP2ctGz5o= root@athena")
		, (SshEd25519, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApmmDVXZ9dnWpaiQglcA8bmT3Qmwd70uH7RXAhAKA93 root@athena")
		]

	& Apt.serviceInstalledRunning "fail2ban"
	& "/etc/fail2ban/jail.local" `File.hasContent`
		[ "[DEFAULT]"
		, ""
		, "# \"ignoreip\" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban"
		, "# will not ban a host which matches an address in this list. Several addresses"
		, "# can be defined using space (and/or comma) separator."
		, "ignoreip = 127.0.0.1/8 ::1 172.27.21.0/25"
		, ""
		, "# \"bantime\" is the number of seconds that a host is banned."
		, "bantime  = 10m"
		, ""
		, "# A host is banned if it has generated \"maxretry\" during the last \"findtime\""
		, "# seconds."
		, "findtime  = 30m"
		, ""
		, "# \"maxretry\" is the number of failures before a host get banned."
		, "maxretry = 5"
		, ""
		, "# \"backend\" specifies the backend used to get files modification."
		, "# Available options are \"pyinotify\", \"gamin\", \"polling\", \"systemd\" and \"auto\"."
		, "# This option can be overridden in each jail as well."
		, "#"
		, "# pyinotify: requires pyinotify (a file alteration monitor) to be installed."
		, "#              If pyinotify is not installed, Fail2ban will use auto."
		, "# gamin:     requires Gamin (a file alteration monitor) to be installed."
		, "#              If Gamin is not installed, Fail2ban will use auto."
		, "# polling:   uses a polling algorithm which does not require external libraries."
		, "# systemd:   uses systemd python library to access the systemd journal."
		, "#              Specifying \"logpath\" is not valid for this backend."
		, "#              See \"journalmatch\" in the jails associated filter config"
		, "# auto:      will try to use the following backends, in order:"
		, "#              pyinotify, gamin, polling."
		, "#"
		, "# Note: if systemd backend is chosen as the default but you enable a jail"
		, "#       for which logs are present only in its own log files, specify some other"
		, "#       backend for that jail (e.g. polling) and provide empty value for"
		, "#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200"
		, "backend = auto"
		, ""
		, "# \"usedns\" specifies if jails should trust hostnames in logs,"
		, "#   warn when DNS lookups are performed, or ignore all hostnames in logs"
		, "#"
		, "# yes:   if a hostname is encountered, a DNS lookup will be performed."
		, "# warn:  if a hostname is encountered, a DNS lookup will be performed,"
		, "#        but it will be logged as a warning."
		, "# no:    if a hostname is encountered, will not be used for banning,"
		, "#        but it will be logged as info."
		, "# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)"
		, "usedns = warn"
		, ""
		, "# \"logencoding\" specifies the encoding of the log files handled by the jail"
		, "#   This is used to decode the lines from the log file."
		, "#   Typical examples:  \"ascii\", \"utf-8\""
		, "#"
		, "#   auto:   will use the system locale setting"
		, "logencoding = auto"
		, ""
		, "# \"enabled\" enables the jails."
		, "#  By default all jails are disabled, and it should stay this way."
		, "#  Enable only relevant to your setup jails in your .local or jail.d/*.conf"
		, "#"
		, "# true:  jail will be enabled and log files will get monitored for changes"
		, "# false: jail is not enabled"
		, "enabled = false"
		, ""
		, ""
		, "# \"mode\" defines the mode of the filter (see corresponding filter implementation for more info)."
		, "mode = normal"
		, ""
		, "# \"filter\" defines the filter to use by the jail."
		, "#  By default jails have names matching their filter name"
		, "#"
		, "filter = %(__name__)s[mode=%(mode)s]"
		, ""
		, "# Destination email address used solely for the interpolations in"
		, "# jail.{conf,local,d/*} configuration files."
		, "destemail = spwhitton@spwhitton.name"
		, ""
		, "# Sender email address used solely for some actions"
		, "sender = root@<fq-hostname>"
		, ""
		, "# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the"
		, "# mailing. Change mta configuration parameter to mail if you want to"
		, "# revert to conventional 'mail'."
		, "mta = mail"
		, ""
		, "# Default protocol"
		, "protocol = tcp"
		, ""
		, "# Specify chain where jumps would need to be added in ban-actions expecting parameter chain"
		, "chain = <known/chain>"
		, ""
		, "# Ports to be banned"
		, "# Usually should be overridden in a particular jail"
		, "port = 0:65535"
		, ""
		, "# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3"
		, "fail2ban_agent = Fail2Ban/%(fail2ban_version)s"
		, ""
		, "# Default banning action (e.g. iptables, iptables-new,"
		, "# iptables-multiport, shorewall, etc) It is used to define"
		, "# action_* variables. Can be overridden globally or per"
		, "# section within jail.local file"
		, "banaction = iptables-multiport"
		, "banaction_allports = iptables-allports"
		, ""
		, "# The simplest action to take: ban only"
		, "action_ = %(banaction)s[name=%(__name__)s, bantime=\"%(bantime)s\", port=\"%(port)s\", protocol=\"%(protocol)s\", chain=\"%(chain)s\"]"
		, ""
		, "[sshd]"
		, ""
		, "enabled  = false"
		, ""
		, "[apache-auth]"
		, ""
		, "enabled  = true"
		, "port     = http,https"
		, "logpath  = %(apache_error_log)s"
		]

	-- send mail via FastMail's servers
	& SPW.Services.personalPostfix

	-- users and their packages
	& User.hasSomePassword (User "root")
	& User.hasSomePassword (User "spwhitton")
	& Apt.installed [ "irssi"
			, "git-annex"
			, "mutt"
			, "isync"
			, "w3m"
			, "telnet"
			, "rss2email"
			, "mosh"
			, "debian-keyring"

			-- for ~/bin/locmaint
			, "libterm-ui-perl"
			, "libarray-iterator-perl"
			, "libfile-grep-perl"
			, "libdpkg-perl"
			, "libcapture-tiny-perl"
			, "libfile-chdir-perl"
			, "liblist-moreutils-perl"
			, "aptitude"
			, "libfile-chdir-perl"

			-- for ~/bin/git-push-all
			, "libarray-utils-perl"
			, "libgit-wrapper-perl"
			, "libconfig-gitlike-perl"
			, "liblist-moreutils-perl"

			-- for ~/bin/expand-annex-mboxes (which gets run as part
			-- of movemymail)
			, "libmail-box-perl"

                        -- for gmi2email
                        , "libdbd-sqlite3-perl"
                        , "libio-socket-ssl-perl"
                        , "libmime-lite-perl"
                        , "libemail-date-format-perl"
                        , "libtry-tiny-perl"
                        , "libmailtools-perl"
                        , "libxml-feed-perl"
			]
	& Apt.installedMin ["org-mode"]
	-- also for ~/bin/locmaint
	& Apt.installed ["libgit-annex-perl"] `requires` SPW.athenaApt
	-- drop once upgrade to bullseye
	& Apt.backportInstalled ["notmuch", "mailscripts"]

	-- services
	& Apt.serviceInstalledRunning "oidentd"
	& SPW.Services.bitlbee
	& SPW.Services.athenaDuplicity
	& SPW.Services.radicale
	& Athenet.athena
	-- & SPW.Services.hippotat

	-- sites
	& SPW.Sites.personalWebsite (User "spwhitton")
	& SPW.Sites.personalGit hosts (User "spwhitton")
	& SPW.Sites.athweb
	& SPW.Sites.athenaApt
	& SPW.Sites.consfiguratorDocs

	-- gcrypt repos
	& SPW.userDirExists (User "spwhitton") "/srv/gcrypt"

	-- rsync space: for annex content
	& SPW.userDirExists (User "spwhitton") "/srv/rsync"
	& SPW.userDirExists (User "spwhitton") "/srv/rsync/annex"

	-- compatibility symlink for dionysus syncs (and only this, I believe)
	& File.isSymlinkedTo "/home/swhitton" (File.LinkTarget "/home/spwhitton")

-- #### Something like a NAS -- an older model Raspberry Pi

-- Installed with 2018-04-18-raspbian-stretch-lite.img, so this is definitely
-- not a complete description.  I might add Raspbian support to propellor

-- Can't use SPW.machine because that does not know how to write Raspbian
-- sources.list files.  No automatic spins to reduce writes to root partition

-- Raspian has systemd-timesyncd installed by default, so don't need ntp

hestia :: Host
hestia = host "hestia.silentflame.com" $ props
	& osDebian (Stable "stretch") ARMHF
	-- & Timezone.configured "Europe/London"
	& SPW.Hostname.sane
	& SPW.basicProps
	& (User "root") `Ssh.authorizedKey` SPW.mySSHKey
	& Apt.installed ["openssh-server"] `before` Ssh.noPasswords
	& Apt.installed ["unattended-upgrades"]
	-- minimal config (based on the Raspian config in upstream
	-- unattended-upgrades)
	& "/etc/apt/apt.conf.d/50unattended-upgrades" `File.hasContent`
		[ "Unattended-Upgrade::Origins-Pattern {"
		, "        \"origin=Raspbian,codename=${distro_codename},label=Raspbian\";"
		, "        \"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation\";"
		, "};"
		, "Unattended-Upgrade::Package-Blacklist {"
		, "};"
		]

	-- we don't want a swap file on either drive
	& Apt.removed ["dphys-swapfile"]
	-- reduce writes by not having a syslog daemon -- this means that so
	-- little gets written to /var/log that it does not need to be a tmpfs
	& Apt.removed ["rsyslog"]

	-- TODO deleting pi user and its group so /home is empty for the mount
	-- (User.nuked does not delete the group, so have done it manually)
	& Fstab.mounted "auto" "/dev/sda1" "/home" (Mount.toMountOpts "defaults,noatime")
	`before` User.accountFor (User "spwhitton")
	`before` Dotfiles.installedFor (User "spwhitton")
	`before` ((User "spwhitton") `Ssh.authorizedKey` SPW.mySSHKey)
	& SPW.seanCanSudo (User "spwhitton")
	& Apt.installed
		[ "emacs25-nox"
		, "rtorrent"
		, "aria2"
		, "git-annex"
		]

	-- some tmpfsen.  These days, /var/run is a symlink to /run which is tmpfs anyway
	& Fstab.mounted "tmpfs" "tmpfs" "/tmp"     (Mount.toMountOpts "defaults,nodev,nosuid,size=30M,mode=1777")
	& Fstab.mounted "tmpfs" "tmpfs" "/var/tmp" (Mount.toMountOpts "defaults,nodev,nosuid,size=30M,mode=1777")

	& Athenet.viaAthena "hestia" (IPv4 "172.27.21.3") Athenet.LocalDiscovery
	& SPW.sshSourceLockdown

	-- Some SD cards support trimming, and hestia's current one does,
	-- apparently.  Found this by trying `fstrim -v /` which succeeded (alt,
	-- which didn't work: `hdparm -I /dev/mmcblk0 | grep "TRIM supported"`)
	& Laptop.trimSSD
	-- on stretch, have to copy the files into place
	`requires` File.isCopyOf
		"/etc/systemd/system/fstrim.service"
		"/usr/share/doc/util-linux/examples/fstrim.service"
	`requires` File.isCopyOf
		"/etc/systemd/system/fstrim.timer"
		"/usr/share/doc/util-linux/examples/fstrim.timer"

-- #### HP Pavilion g6

federer :: Host
federer = host "federer.silentflame.com" $ props
	& osDebian (Stable "buster") X86_64
	& File.notPresent "/etc/apt/sources.list.d/athena.list"
	& File.notPresent "/etc/apt/sources.list.d/athena_extra.list"
	& File.notPresent "/root/.ssh/authorized_keys"
	& File.notPresent "/home/spwhitton/.ssh/authorized_keys"
	& File.notPresent "/etc/cron.d/propellor"
	& check (doesDirectoryExist "/etc/tinc/athenet")
		(scriptProperty
			[ "rm -rf /etc/tinc/athenet"
			])
	`describe` "athenet config gone"
	& Localdir.removed

-- #### Hosts I don't control (just to track SSH keys)

otherHosts :: [Host]
otherHosts =
	[ host "github.com" $ props
		& Ssh.hostPubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
	, host "git.sr.ht" $ props
		& Ssh.hostPubKey SshRsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ+l/lvYmaeOAPeijHL8d4794Am0MOvmXPyvHTtrqvgmvCJB8pen/qkQX2S1fgl9VkMGSNxbp7NF7HmKgs5ajTGV9mB5A5zq+161lcp5+f1qmn3Dp1MWKp/AzejWXKW+dwPBd3kkudDBA1fa3uK6g1gK5nLw3qcuv/V4emX9zv3P2ZNlq9XRvBxGY2KzaCyCXVkL48RVTTJJnYbVdRuq8/jQkDRA8lHvGvKI+jqnljmZi2aIrK9OGT2gkCtfyTw2GvNDV6aZ0bEza7nDLU/I+xmByAOO79R1Uk4EYCvSc1WXDZqhiuO2sZRmVxa0pQSBDn1DB3rpvqPYW+UvKB3SOz"
		& Ssh.hostPubKey SshEd25519 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZvRd4EtM7R+IHVMWmDkVU3VLQTSwQDSAvW0t2Tkj60"
		& Ssh.hostPubKey SshEcdsa "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCj6y+cJlqK3BHZRLZuM+KP2zGPrh4H66DacfliU1E2DHAd1GGwF4g1jwu3L8gOZUTIvUptqWTkmglpYhFp4Iy4="
	]