path: root/src/Propellor/Property/SiteSpecific/SPW/Sites.hs
blob: 8e085b835cce82416c2e6a2a6017b34c0429d694 (plain)
module Propellor.Property.SiteSpecific.SPW.Sites where

import Propellor.Base
import qualified Propellor.Property.Apache as Apache
import qualified Propellor.Property.Systemd as Systemd
import qualified Propellor.Property.SiteSpecific.SPW as SPW
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.File as File
import qualified Propellor.Property.Git as Git
import qualified Propellor.Property.Ssh as Ssh
import qualified Propellor.Property.User as User
import qualified Propellor.Property.LetsEncrypt as LetsEncrypt

-- | The spwhitton.name Ikiwiki, plus simple file hosting out of my home
-- directory.
--
-- Needs to be passed the user whose home directory is to be served, and whose
-- homedir contains the ikiwiki data, i.e. my own login on this host.  The
-- login name @u@ bound by the pattern is used for the ikiwiki wikilist entry;
-- the home directory itself is looked up at apply time via 'SPW.withHome'.
--
-- The properties are applied in the order written (a consequence of
-- 'combineProperties'), and the TLS virtual host is written only once the
-- Let's Encrypt certificate property has reported a change (see the
-- 'onChange' near the end).
personalWebsite :: User -> Property (HasInfo + DebianLike)
personalWebsite user@(User u) = combineProperties "spwhitton.name website set up" $ props
	& Apt.serviceInstalledRunning "apache2"

	& Apt.installed [ "ikiwiki"

			-- ikiwiki module dependencies
			, "perlmagick"
			, "xapian-omega"
			, "libsearch-xapian-perl"
			, "libdigest-sha-perl"
			, "libhtml-scrubber-perl"
			, "libtext-typography-perl"
			, "libhighlight-perl"
			]

	-- mod_bw provides the BandWidth* directives used in the TLS vhost below
	& Apache.modEnabled "bw"
	`requires` Apt.installed ["libapache2-mod-bw"]
	-- while ikiwiki manual claims to need cgi, rather than cgid, this setup
	-- has been working for some time now
	& Apache.modEnabled "cgid"
	& Apache.modEnabled "ssl"
	& Apache.modEnabled "rewrite"
	& Apache.modEnabled "wsgi"
	`requires` Apt.installed ["libapache2-mod-wsgi-py3"]

	-- the document root is owned by the user (so they can publish into it)
	-- with group www-data so that Apache can read it
	& File.dirExists "/var/www/spw"
	& File.ownerGroup "/var/www/spw" user (Group "www-data")
	`describe` "/var/www/spw has correct permissions"
	-- htpasswd file for the Basic auth on /var/www/spw/files (TLS vhost
	-- below).  Its content comes from privdata and it is owned by www-data
	-- so Apache can read it.  NOTE(review): no File.mode is set here, so the
	-- mode is whatever 'hasPrivContent' writes -- presumably restrictive;
	-- confirm it is not world-readable
	& File.hasPrivContent "/var/www/spw-htpasswd" (Context "athena")
	& File.ownerGroup "/var/www/spw-htpasswd" (User "www-data") (Group "www-data")

	-- ~/local/files/pub is the publicly served tree and pub/hidden is the
	-- part of it that is served but not indexed (see the TLS vhost below).
	-- Directories are created, then chowned, parent before child
	& SPW.withHome user "Sean's public & private files symlinked into /var/www"
		(\h -> tightenTargets $
			File.dirExists (h </> "local")
			`before` File.dirExists (h </> "local/files")
			`before` File.dirExists (h </> "local/files/pub")
			`before` File.dirExists (h </> "local/files/pub/hidden")
			`before` User.ownsWithPrimaryGroup user (h </> "local")
			`before` User.ownsWithPrimaryGroup user (h </> "local/files")
			`before` User.ownsWithPrimaryGroup user (h </> "local/files/pub")
			`before` User.ownsWithPrimaryGroup user (h </> "local/files/pub/hidden"))
	& SPW.withHome user "Sean's public files symlinked into /var/www"
		(\h -> tightenTargets $ setupRevertableProperty $
		"/var/www/spw/pub" `File.isSymlinkedTo`
			(File.LinkTarget (h </> "local/files/pub")))
	& SPW.withHome user "Sean's public files header.html in place"
		(\h -> tightenTargets $ File.hasContent (h </> "local/files/pub/header.html")
			[ "<pre>     _     _ __   __  ______ _______ _______          __   _ _______ _______"
			, "      \\___/    \\_/   |_____/ |_____| |______ |        | \\  | |______    |"
			, "     _/   \\_    |    |    \\_ |     | |______ |_____ . |  \\_| |______    |</pre>"
			])
	& SPW.withHome user "Sean's public files header.html has correct permissions"
		(\h -> tightenTargets $
			User.ownsWithPrimaryGroup user (h </> "local/files/pub/header.html"))
	& SPW.withHome user "Sean's public files symlinked into ~/local"
		(\h -> tightenTargets $ setupRevertableProperty $
		(h </> "local/pub") `File.isSymlinkedTo`
			(File.LinkTarget (h </> "local/files/pub")))
	-- wfm (web file manager) CGI for the Basic-auth-protected /files tree.
	-- The copied CGI is owned by the user and given mode 06755 (setuid +
	-- setgid).  NOTE(review): the intent appears to be that it acts on the
	-- user's files as that user rather than as www-data; if wfm.cgi is an
	-- interpreter script Linux ignores its setuid bit, so confirm which
	-- identity it actually runs under.  Note also that, with the
	-- "Options +ExecCGI" / "AddHandler cgi-script .cgi" in the TLS vhost
	-- below, any other .cgi file placed under /var/www/spw is executable by
	-- Apache too
	& File.dirExists "/var/www/spw/files"
	& Apt.installed ["wfm"]
	`before` File.isCopyOf "/var/www/spw/files/wfm.cgi" "/usr/lib/cgi-bin/wfm.cgi"
	`before` User.ownsWithPrimaryGroup user "/var/www/spw/files/wfm.cgi"
	`before` File.mode "/var/www/spw/files/wfm.cgi" 0O6755
	-- NOTE(review): the directory and the htauth user are hard-coded here
	-- rather than derived from @user@ / 'SPW.withHome' like the properties
	-- above, so they would silently disagree if this were applied for
	-- another user
	& File.hasContent "/var/www/spw/files/wfm.cgi.cfg"
		[ "tagline=spwhitton.name file manager"
		, "directory=/home/spwhitton/local/files"
		, "recursive-du=true"
		, "large-file-set=false"
		, "favicon=move.gif"
		, "access-htauth=rw:spwhitton"
		]

	-- ikiwiki's wikilist takes "<login> <setup file>" lines; the login is
	-- the one bound by the pattern above, the setup file lives in the
	-- user's home
	& SPW.withHome user "spwhitton.name Ikiwiki added to wikilist"
		(\h -> tightenTargets $
			File.containsLine "/etc/ikiwiki/wikilist"
				(u ++ " " ++ h </> "src/athpriv/spwhitton.setup"))

	-- Previously had ikiwikiPermissionsFixed property here (see
	-- ~/doc/org/old_propellor_config.org) but it is not needed with current
	-- gitolite setup

	-- OCSP stapling cache used by the "SSLUseStapling on" in the TLS vhost
	& "/etc/apache2/conf-available/stapling.conf" `File.hasContent`
		[ "SSLStaplingCache shmcb:/tmp/stapling_cache(128000)" ]
	& Apache.confEnabled "stapling"

	-- we can't use 'Apache.httpsVirtualHost'' here because it does not
	-- handle "www." in the way I'd like.  But the following is modelled on
	-- that property -- see comments in that property's source, and recall
	-- that the semantics of 'combineProperties' entails that these
	-- properties are executed in the order they are written
	--
	-- The port-80 vhosts serve only the /.well-known path (for the ACME
	-- challenge) and redirect everything else to https, so the Basic auth
	-- configured below is never offered over plain http
	& alias "spwhitton.name"
	& alias "www.spwhitton.name"
	& File.dirExists "/etc/apache2/sites-available/ssl/spwhitton.name"
	& Apache.siteEnabled' "spwhitton.name"
		[ "IncludeOptional /etc/apache2/sites-available/ssl/spwhitton.name/*.conf"

		, "<VirtualHost *:80>"
		, "  DocumentRoot /var/www/spw"
		, "  ServerName spwhitton.name"
		, "  RewriteEngine On"
		, "  RewriteRule ^/.well-known/(.*) - [L]"
		, "  RewriteRule ^/(.*) https://spwhitton.name/$1 [L,R,NE]"
		, "  <Directory /var/www/spw>"
		,      Apache.allowAll
		, "  </Directory>"
		, "</VirtualHost>"

		, "<VirtualHost *:80>"
		, "  DocumentRoot /var/www/spw"
		, "  ServerName www.spwhitton.name"
		, "  RewriteEngine On"
		, "  RewriteRule ^/.well-known/(.*) - [L]"
		, "  RewriteRule ^/(.*) https://www.spwhitton.name/$1 [L,R,NE]"
		, "  <Directory /var/www/spw>"
		,      Apache.allowAll
		, "  </Directory>"
		, "</VirtualHost>"
		]
	-- obtain the certificate using /var/www/spw as the challenge webroot;
	-- only once that property reports a change is the TLS vhost written
	-- into the directory picked up by the IncludeOptional above, and
	-- Apache reloaded
	& LetsEncrypt.letsEncrypt' letos "spwhitton.name" ["www.spwhitton.name"] "/var/www/spw"
	`onChange` (combineProperties "spwhitton.name SSL cert installed" $ props
		& File.hasContent "/etc/apache2/sites-available/ssl/spwhitton.name/letsencrypt.conf"
			[ "<VirtualHost *:443>"

			, "DocumentRoot /var/www/spw"
			, "ServerName spwhitton.name"
			, "ServerAlias www.spwhitton.name"
			,  Apache.iconDir

			-- bandwidth limitation.  Might also set `BandWidthError 510'
			-- and `ErrorDocument 510 /var/blah/blah'
			, "BandWidthModule On"
			, "ForceBandWidthModule On"
			, "BandWidth all 102400"
			, "MinBandWidth all 1024"
			, "MaxConnection all 10"

			, "<Directory /var/www/spw>"
			,    Apache.allowAll
			, "  Options +ExecCGI"
			, "  AddHandler cgi-script .cgi"
			, "  AddType text/plain el"
			, "</Directory>"

			, "RewriteEngine On"
			, "RewriteRule ^/cgi-bin/ikiwiki.cgi$ /ikiwiki.cgi [L]"

			, "  SSLEngine on"
			, "  SSLCertificateFile /etc/letsencrypt/live/spwhitton.name/cert.pem"
			, "  SSLCertificateKeyFile /etc/letsencrypt/live/spwhitton.name/privkey.pem"
			, "  SSLCertificateChainFile /etc/letsencrypt/live/spwhitton.name/chain.pem"
			, "  SSLUseStapling on"

			-- /files is the wfm file manager: Basic auth against the
			-- htpasswd file written above.  Because this is the TLS
			-- vhost and port 80 only redirects, credentials travel
			-- over TLS only
			, "<Directory /var/www/spw/files>"
			, "  AuthType Basic"
			, "  AuthName \"creds plz\""
			, "  AuthUserFile /var/www/spw-htpasswd"
			, "  require valid-user"
			, "  DirectoryIndex wfm.cgi"
			, "</Directory>"

			-- , "<Directory /var/www/spw/org>"
			-- , "  AuthType Basic"
			-- , "  AuthName \"creds plz\""
			-- , "  AuthUserFile /var/www/spw-htpasswd"
			-- , "  require valid-user"
			-- , "</Directory>"

			-- previously ~/local/files/priv
			-- , "<Directory /var/www/spw/priv>"
			-- , "  AuthType Basic"
			-- , "  AuthName \"creds plz\""
			-- , "  AuthUserFile /var/www/spw-htpasswd"
			-- , "  require valid-user"
			-- , "</Directory>"

			, "<Directory /var/www/spw/pub>"
			, "  IndexIgnore hidden header.html"
			, "  HeaderName header.html"
			, "</Directory>"

			-- pub/hidden is served but neither listed nor given an
			-- index page, so its contents are reachable only by exact
			-- URL.  This is not access control; anything that needs
			-- that belongs under /files
			, "<Directory /var/www/spw/pub/hidden>"
			, "  Options -Indexes"
			, "  DirectoryIndex disabled"
			, "</Directory>"

			, "</VirtualHost>"
			]
		& Apache.reloaded)

-- | Sean's git repositories at git.spwhitton.name.
--
-- The @user@ passed will be added to the @git@ group to clone repositories
-- across the local filesystem.  @hosts@ is consulted by 'Ssh.knownHost' for
-- the host keys of github.com and git.sr.ht.
--
-- Three access paths are configured: gitolite over ssh (as the @git@ user),
-- cgit plus git-http-backend over https, and git-daemon on port 9418.
-- Neither GIT_HTTP_EXPORT_ALL (http) nor @--export-all@ (git-daemon) is set,
-- so anonymous read access is limited to repositories carrying a
-- git-daemon-export-ok file, which gitolite's @daemon@ feature creates from
-- the @R = daemon@ rules in gitolite.conf.
personalGit :: [Host] -> User -> Property (HasInfo + DebianLike)
personalGit hosts user = combineProperties "git.spwhitton.name git server" $ props
	& Apt.installed ["python3-markdown", "python3-pygments"]
	-- debconf answers for the package's postinst.  The admin key and
	-- example repos it creates are removed again by 'cleanup', since
	-- gitolite.conf and the keydir are managed directly below
	& Apt.installed ["gitolite3"] `onChange` (Apt.reConfigure "gitolite3"
		[ ("gitolite3/gituser", "string", "git")
		, ("gitolite3/gitdir", "string", "/srv/git")
		, ("gitolite3/adminkey", "string", SPW.mySSHKey)
		] `before` cleanup)

	-- config and keys for mirroring to GitHub & sr.ht
	& File.dirExists "/srv/git/local/hooks/repo-specific"
	& File.hasContent "/srv/git/local/hooks/repo-specific/github-mirror"
		[ "#!/bin/sh"
		, ""
		, "git push --mirror git@github.com:spwhitton/$GL_REPO.git"
		]
	& File.mode "/srv/git/local/hooks/repo-specific/github-mirror" 0O0755
	& File.applyPath "/srv/git/local/hooks" "repo-specific/github-mirror"
		(\f -> File.ownerGroup f (User "git") (Group "git"))
	& File.hasContent "/srv/git/local/hooks/repo-specific/srht-mirror"
		[ "#!/bin/sh"
		, ""
		, "git push --mirror git@git.sr.ht:~spwhitton/$GL_REPO"
		]
	& File.mode "/srv/git/local/hooks/repo-specific/srht-mirror" 0O0755
	& File.ownerGroup "/srv/git/local/hooks/repo-specific/srht-mirror"
		(User "git") (Group "git")
	-- the private half of the mirroring key comes from privdata; only the
	-- public half is in this file (see 'githubPushPubKey' below)
	& Ssh.userKeys (User "git") (Context "athena")
		[(SshRsa, githubPushPubKey)]
	& Ssh.knownHost hosts "github.com" (User "git")
	& Ssh.knownHost hosts "git.sr.ht" (User "git")

	-- ensure I can clone across the local filesystem
	-- (relies on the 0027 UMASK set in .gitolite.rc below, which leaves
	-- repositories group-readable)
	& user `User.hasGroup` (Group "git")
	`describe` "Sean can read gitolite repos"

	-- make my SSH keys available to gitolite
	& File.hasContent "/srv/git/.gitolite/keydir/spwhitton.pub"
		[SPW.mySSHKey] `onChange` recompile
	& File.dirExists "/srv/git/.gitolite/keydir/workstation"
	& File.hasContent "/srv/git/.gitolite/keydir/workstation/spwhitton.pub"
		[workstationPubKey] `onChange` recompile

	-- gitolite configuration

	-- Previously, repository descriptions, default branches and whether or
	-- not I could force-push to a repo were stored in this file.  This was
	-- unwieldly.  Now we are using gitolite's wildcard repository creation,
	-- its 'desc' and 'symbolic-ref' commands, and I can force-push every
	-- repo

	-- (If these commands are yielding permission denied errors on a repo,
	-- manually ensure that repo contains a file named gl-creator containing
	-- 'spwhitton' with no final newline, and owner by git:git)
	& File.hasContent "/srv/git/.gitolite/conf/gitolite.conf"
		-- These repos should not exist outside of the priv/
		-- subdir.  They are listed here to avoid accidental
		-- creation as wildcard repos by pushing or cloning from
		-- hosts with outdated remote URIs (use of square
		-- brackets makes this a pattern, so the repo is not
		-- created simply because it's listed in this config)
		[ "@denied_priv = do[c] anne[x] athpri[v] podcast[s] pri[v] r[t]"

		-- These repos have been archived to
		-- ~/lib/annex/old/scm.  They are listed here to avoid
		-- accidental recreation as wildcard repos by pushing or
		-- cloning from hosts with outdated remote URIs.
		-- Temporary, short-lived repos that were only checked
		-- out on one host need not be added to this list
		, "@denied_old = test_pu[b] apvl[v] autodep[8] bur[p] piupart[s] xfonts-terminu[s] myrepo[s] grai[l] pdfr[w] eulerh[s] eulerp[y] ical2im[g] rrlis[t] rrsyncma[n] rw[h] softbee[p] xmonad-contri[b] priv/ksp-dc1[8] priv/fa[e]"

		, "@github-mirrored = sariulclocks srem pandoc-citeproc-preamble oso2pdf haskell-tab-indent git-remote-gcrypt sscan org-d20 mailscripts p5-Git-Annex p5-API-GitForge consfigurator"

		-- mirrored to git.sr.ht for the purpose of quick clones to
		-- builds.sr.ht -- shouldn't ever need something to be in both
		-- @github-mirrored and @srht-mirrored, as sr.ht has github
		-- integrations.
		--
		-- on git.sr.ht these repos should probably be set to "Unlisted"

		, "@srht-mirrored = ocrmypdf"
		, ""
		, "repo @github-mirrored"
		, "    option hook.post-update = github-mirror"
		, ""
		, "repo @srht-mirrored"
		, "    option hook.post-update = srht-mirror"
		, ""
		, ""
		-- priv/ repos are never exported to cgit/git-daemon/http;
		-- deny-rules makes the deny apply to reads too
		, "repo priv/.*"
		, "    - = gitweb daemon"
		, "    option deny-rules = 1"
		, ""
		, "repo @denied_priv @denied_old priv/wikianne[x]" -- something is pushing to priv/wikiannex
		, "    - = gitweb daemon spwhitton"
		, "    option deny-rules = 1"
		, ""
		-- wildcard creation of new public repos by spwhitton
		, "repo [a-zA-Z].*"
		, "    C = spwhitton"
		, ""
		-- everything else: spwhitton has full access, the pseudo-users
		-- gitweb and daemon get read (which is what exports a repo to
		-- cgit and git-daemon), and pushed objects are fsck'd
		, "repo @all"
		, "    RW+ = spwhitton"
		, "    R = gitweb daemon"
		, "    config receive.fsckObjects = true"
		]
	`onChange` recompile
	-- gitolite rc.  This appears to be the upstream template with the
	-- site-specific changes commented inline (UMASK, enabled commands and
	-- features)
	& File.hasContent "/srv/git/.gitolite.rc"
		[ "%RC = ("
		, ""
		, "    # ------------------------------------------------------------------"
		, ""
		, "    # default umask gives you perms of '0700'; see the rc file docs for"
		, "    # how/why you might change this"
		-- this is needed so that spwhitton and www-data can be members
		-- of the git group and can read repos -- an alternative is to
		-- add "config core.sharedRepository = true" to the gitolite
		-- config for each repo that we want the git group to be able to
		-- read
		, "    UMASK                           =>  0027,"
		, ""
		, "    # look for \"git-config\" in the documentation"
		, "    GIT_CONFIG_KEYS                 =>  '.*',"
		, ""
		, "    # comment out if you don't need all the extra detail in the logfile"
		, "    LOG_EXTRA                       =>  1,"
		, "    # syslog options"
		, "    # 1. leave this section as is for normal gitolite logging"
		, "    # 2. uncomment this line to log only to syslog:"
		, "    # LOG_DEST                      => 'syslog',"
		, "    # 3. uncomment this line to log to syslog and the normal gitolite log:"
		, "    # LOG_DEST                      => 'syslog,normal',"
		, ""
		, "    # roles.  add more roles (like MANAGER, TESTER, ...) here."
		, "    #   WARNING: if you make changes to this hash, you MUST run 'gitolite"
		, "    #   compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'"
		, "    ROLES => {"
		, "        READERS                     =>  1,"
		, "        WRITERS                     =>  1,"
		, "    },"
		, ""
		, "    # enable caching (currently only Redis).  PLEASE RTFM BEFORE USING!!!"
		, "    # CACHE                         =>  'Redis',"
		, ""
		, "    # ------------------------------------------------------------------"
		, ""
		, "    # rc variables used by various features"
		, ""
		, "    # the 'info' command prints this as additional info, if it is set"
		, "        # SITE_INFO                 =>  'Please see http://blahblah/gitolite for more help',"
		, ""
		, "    # the CpuTime feature uses these"
		, "        # display user, system, and elapsed times to user after each git operation"
		, "        # DISPLAY_CPU_TIME          =>  1,"
		, "        # display a warning if total CPU times (u, s, cu, cs) crosses this limit"
		, "        # CPU_TIME_WARN_LIMIT       =>  0.1,"
		, ""
		, "    # the Mirroring feature needs this"
		, "        # HOSTNAME                  =>  \"foo\","
		, ""
		, "    # TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!"
		, "        # CACHE_TTL                 =>  600,"
		, ""
		, "    # ------------------------------------------------------------------"
		, ""
		, "    # suggested locations for site-local gitolite code (see cust.html)"
		, ""
		-- the repo-specific mirror hooks installed above live under
		-- this directory, managed by propellor rather than pushed via
		-- the admin repo
		, "        # this one is managed directly on the server"
		, "        LOCAL_CODE                =>  \"$ENV{HOME}/local\","
		, ""
		, "        # or you can use this, which lets you put everything in a subdirectory"
		, "        # called \"local\" in your gitolite-admin repo.  For a SECURITY WARNING"
		, "        # on this, see http://gitolite.com/gitolite/cust.html#pushcode"
		, "        # LOCAL_CODE                =>  \"$rc{GL_ADMIN_BASE}/local\","
		, ""
		, "    # ------------------------------------------------------------------"
		, ""
		, "    # List of commands and features to enable"
		, ""
		, "    ENABLE => ["
		, ""
		, "        # COMMANDS"
		, ""
		, "            # These are the commands enabled by default"
		, "            'help',"
		, "            'desc',"
		, "            'info',"
		, "            'perms',"
		, "            'writable',"
		, ""
		, "            # Uncomment or add new commands here."
		, "            # 'create',"
		, "            # 'fork',"
		, "            # 'mirror',"
		, "            # 'readme',"
		, "            # 'sskm',"
		, "            'D',"
		, "            'symbolic-ref',"
		, ""
		, "        # These FEATURES are enabled by default."
		, ""
		, "            # essential (unless you're using smart-http mode)"
		, "            'ssh-authkeys',"
		, ""
		, "            # creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'"
		, "            'git-config',"
		, ""
		, "            # creates git-daemon-export-ok files; if you don't use git-daemon, comment this out"
		, "            'daemon',"
		, ""
		, "            # creates projects.list file; if you don't use gitweb, comment this out"
		, "            'gitweb',"
		, ""
		, "        # These FEATURES are disabled by default; uncomment to enable.  If you"
		, "        # need to add new ones, ask on the mailing list :-)"
		, ""
		, "        # user-visible behaviour"
		, ""
		, "            # prevent wild repos auto-create on fetch/clone"
		, "            'no-create-on-read',"
		, "            # no auto-create at all (don't forget to enable the 'create' command!)"
		, "            # 'no-auto-create',"
		, ""
		, "            # access a repo by another (possibly legacy) name"
		, "            # 'Alias',"
		, ""
		, "            # give some users direct shell access.  See documentation in"
		, "            # sts.html for details on the following two choices."
		, "            # \"Shell $ENV{HOME}/.gitolite.shell-users\","
		, "            # 'Shell alice bob',"
		, ""
		, "            # set default roles from lines like 'option default.roles-1 = ...', etc."
		, "            # 'set-default-roles',"
		, ""
		, "            # show more detailed messages on deny"
		, "            # 'expand-deny-messages',"
		, ""
		, "            # show a message of the day"
		, "            # 'Motd',"
		, ""
		, "        # system admin stuff"
		, ""
		, "            # enable mirroring (don't forget to set the HOSTNAME too!)"
		, "            # 'Mirroring',"
		, ""
		, "            # allow people to submit pub files with more than one key in them"
		, "            # 'ssh-authkeys-split',"
		, ""
		, "            # selective read control hack"
		, "            # 'partial-copy',"
		, ""
		, "            # manage local, gitolite-controlled, copies of read-only upstream repos"
		, "            # 'upstream',"
		, ""
		, "            # updates 'description' file instead of 'gitweb.description' config item"
		, "            'cgit',"
		, ""
		, "            # allow repo-specific hooks to be added"
		, "            'repo-specific-hooks',"
		, ""
		, "        # performance, logging, monitoring..."
		, ""
		, "            # be nice"
		, "            # 'renice 10',"
		, ""
		, "            # log CPU times (user, system, cumulative user, cumulative system)"
		, "            # 'CpuTime',"
		, ""
		, "        # syntactic_sugar for gitolite.conf and included files"
		, ""
		, "            # allow backslash-escaped continuation lines in gitolite.conf"
		, "            # 'continuation-lines',"
		, ""
		, "            # create implicit user groups from directory names in keydir/"
		, "            # 'keysubdirs-as-groups',"
		, ""
		, "            # allow simple line-oriented macros"
		, "            # 'macros',"
		, ""
		, "        # Kindergarten mode"
		, ""
		, "            # disallow various things that sensible people shouldn't be doing anyway"
		, "            # 'Kindergarten',"
		, ""
		, "        # enable usage of the git-annex shell"
		, ""
		, "            'git-annex-shell ua',"
		, "    ],"
		, ""
		, ");"
		, ""
		, "1;"
		]
	`onChange` recompile

	-- cgit
	& Apt.serviceInstalledRunning "apache2"
	& Apt.installed ["cgit"]
	& Apache.modEnabled "bw"
	& Apache.modEnabled "cgid"
	& Apache.modEnabled "ssl"
	-- www-data joins the git group so cgit and git-http-backend can read
	-- the repositories the 0027 UMASK leaves group-readable; projects.list
	-- is likewise readable by the group only
	& (User "www-data") `User.hasGroup` (Group "git")
	-- see https://github.com/sitaramc/gitolite/commit/2515992d8836b2fe333860ad0ed3267efd1cf698
	& "/srv/git/projects.list" `File.mode` 0O0640
	-- NOTE(review): 'File.containsLines' presumably only ensures these
	-- lines are present, so their order relative to lines already in
	-- /etc/cgitrc (see the scan-path note below) is not enforced by this
	-- property
	& File.containsLines "/etc/cgitrc"
		[ "enable-index-owner=0"
		, "enable-commit-graph=1"
		, "enable-http-clone=0"
		-- , "clone-url=https://git.spwhitton.name/$CGIT_REPO_URL git://spwhitton.name/$CGIT_REPO_URL ssh://git@spwhitton.name:$CGIT_REPO_URL"
                , "clone-url=https://git.spwhitton.name/$CGIT_REPO_URL git://git.spwhitton.name/$CGIT_REPO_URL"
		, "root-title=Sean's git repositories"
		, "root-desc=public personal git repositories"
		-- only repos gitolite has marked export-ok are listed
		, "strict-export=git-daemon-export-ok"
		, "remove-suffix=1"
		, "project-list=/srv/git/projects.list"
		, "enable-git-config=1"
		, "snapshots=tar.gz"
		, "about-filter=/usr/lib/cgit/filters/about-formatting.sh"
		, "commit-filter=/usr/lib/cgit/filters/commit-links.sh"
		, "source-filter=/usr/lib/cgit/filters/syntax-highlighting.py"
		, "readme=master:README.rst"
		, "readme=master:README.md"
		-- note that scan-path has to come after very many of the above
		-- in order for them to have any effect
		, "scan-path=/srv/git/repositories"
		]
	-- Following does not include SSL stapling, but it ought to.
	& Apache.httpsVirtualHost' "git.spwhitton.name" "/var/www/html" letos
		[ "Alias /cgit-css \"/usr/share/cgit\""

		-- bandwidth limitation.  Might also set `BandWidthError 510'
		-- and `ErrorDocument 510 /var/blah/blah'
		, "BandWidthModule On"
		, "ForceBandWidthModule On"
		, "BandWidth all 102400"
		, "MinBandWidth all 1024"
		, "MaxConnection all 10"

		-- from https://git-scm.com/docs/git-http-backend (cgit does not
		-- support smart http, only dumb) Note that we cannot let Apache
		-- serve objects and packfiles directly as that would expose our
		-- private repositories
		--
		-- GIT_HTTP_EXPORT_ALL is deliberately not set, so the backend
		-- only serves repositories with a git-daemon-export-ok file
		, "SetEnv GIT_PROJECT_ROOT /srv/git/repositories"
		, "ScriptAliasMatch \\"
		, "    \"(?x)^/(.*/(HEAD | \\"
		, "            info/refs | \\"
		, "            objects/(info/[^/]+ | \\"
		, "                 [0-9a-f]{2}/[0-9a-f]{38} | \\"
		, "                 pack/pack-[0-9a-f]{40}\\.(pack|idx)) | \\"
		, "            git-(upload|receive)-pack))$\" \\"
		, "    /usr/lib/git-core/git-http-backend/$1"

		-- DocumentRoot is /var/www/html but we need this alias to
		-- override cgit for LetsEncrypt
		, "Alias /.well-known \"/var/www/html/.well-known\""

		-- now point everything else to cgit
		, "ScriptAlias / \"/usr/lib/cgit/cgit.cgi/\""

		, "<Directory \"/usr/lib/cgit\">"
		, "  AllowOverride None"
		, "  Options ExecCGI FollowSymlinks"
		, "  Require all granted"
		, "</Directory>"

		, "<Directory \"/usr/lib/git-core\">"
		, "  Options +ExecCGI"
		, "  Require all granted"
		, "</Directory>"
		]

	-- git-daemon (cribbed from ArchLinux package)
	--
	-- socket-activated, one instance per connection, running as the git
	-- user.  --base-path confines lookups to the repositories directory
	-- and, with no --export-all, only export-ok repositories are served
	& File.hasContent "/etc/systemd/system/git-daemon.socket"
		[ "[Unit]"
		, "Description=Git Daemon Socket"
		, ""
		, "[Socket]"
		, "ListenStream=9418"
		, "Accept=true"
		, ""
		, "[Install]"
		, "WantedBy=sockets.target"
		]
	& File.hasContent "/etc/systemd/system/git-daemon@.service"
		[ "[Unit]"
		, "Description=Git Daemon Instance"
		, ""
		, "[Service]"
		, "User=git"
		, "# The '-' is to ignore non-zero exit statuses"
		, "ExecStart=-/usr/lib/git-core/git-daemon --inetd --base-path=/srv/git/repositories"
		, "StandardInput=socket"
		, "StandardOutput=inherit"
		, "StandardError=journal"
		]
	& Systemd.running "git-daemon.socket"
  where
	-- public keys only: the private half of the GitHub/sr.ht push key is
	-- supplied through privdata by 'Ssh.userKeys' above, and the
	-- workstation key's private half never leaves the workstation
	githubPushPubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDB1XR42Z5GUrufi5OEVHakmXNi5hHEdPiFuWfjSHjPDLytNXpx4CHjmWkNxjd5bcazRYuBrpfjy/pENT9GD5oLC21IYVzZtOwHO3ziTiMst7wmQoeWdN17DZul6kRSzcSPcA6lSWtPh22MSxdOauQgxx+iIJ3wliS5JnhLNk2+bnJQeooEA4Qf1ERhuFJedEEto1+uTjCLNsXMxd+Va4cZ5kEE0gUc9hlMv7dvRHiNB/a4DMPuVIlCpOjjLe2BhUfNzSluxS4g3+oDSIMnjP5NYWpn640Tu6AoEbvn5ZL2b0U1aRQ7Dt/QCkWUqpD05JYLxZ0WvznnMvllJ56zWVnP git@athena"
	workstationPubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKNOczVw1CNdV/saKCvFdqDjUhQVSDT4vAvSlxeYLCoGL8tOAfs22J6Rh71Pbksw1Fa1QzkOY3+INUN8RmLqsHYiUnX2eqS53maxkjYp8avVGOJjCo5MG2V9U//wXZXmIDBWSCwH0ViIxTQXccyrW5r23q6huj/irPpqn76p3gu3s7OiLE+EG6eysNE0eAsy2TpKSgu1+b5uCQzqRuYjPImLKbh6JlcZnYp/kyH7Nx6GXswfCTkiyhgNmsrfW0JS7gf+dlL701oh6w7DhoRuY2hkSlSdcNWQwFu2nHn+AAZoNAaHaYSiXi1NSmWGsXW7T7Cqs5V7lCiAArTMGopBhV workstation_to_athena"

	-- undo what the Debian package's postinst set up that this
	-- configuration manages itself (the admin repo and key).  Always
	-- reports a change, so anything chained with 'onChange' re-runs
	cleanup = scriptProperty
		[ "rm -rf /srv/git/repositories/gitolite-admin.git"
		, "rm -rf /srv/git/repositories/testing.git"
		, "rm -f /srv/git/.gitolite/keydir/admin.pub"

		-- this ensures consistency with UMASK setting in .gitolite.rc
		, "chmod -R g+rX /srv/git/repositories /srv/git/projects.list"

		] `assume` MadeChange
		`describe` "clean up after gitolite Debian package's postinst"

	-- regenerate gitolite's authorized_keys and per-repo config after
	-- gitolite.conf or the keydir changes; run as the git user
	recompile = (userScriptProperty (User "git")
		["gitolite compile", "gitolite trigger POST_COMPILE"]
		`assume` MadeChange)

-- | athena.silentflame.com index.html
--
-- Keeps the Apache default document root checked out from the local
-- @athweb.git@ repository under gitolite's repository directory.  The pull
-- runs as root; no branch is specified (@Nothing@), so whatever the checkout
-- defaults to is used.
athweb :: Property DebianLike
athweb = Git.pulled (User "root") repo checkout Nothing
  where
	repo = "/srv/git/repositories/athweb.git"
	checkout = "/var/www/html"

-- | http://athena.silentflame.com/debian apt repository
--
-- Assumes the repo is owned by spwhitton and is under /home/spwhitton.  The
-- checkout is served by Apache under @/debian@, except for its @conf@ and
-- @db@ subdirectories, which are denied.  The checkout is a git-annex repo
-- that is updated by pushing into it (@receive.denyCurrentBranch =
-- updateInstead@).
athenaApt :: Property DebianLike
athenaApt = combineProperties "athena apt repository space" $ props
	& "/etc/apache2/conf-available/athena-apt.conf" `File.hasContent` apacheConf
	& Apache.confEnabled "athena-apt"
	& Git.cloned owner "https://git.spwhitton.name/athena-apt" repoDir Nothing
		`onChange` initRepo
	& repoDir `Git.repoConfigured` ("receive.denyCurrentBranch", "updateInstead")
	& repoDir `Git.repoConfigured` ("remote.origin.annex-ignore", "true")
  where
	owner :: User
	owner = User "spwhitton"

	repoDir :: FilePath
	repoDir = "/home/spwhitton/local/src/athena-apt"

	-- Apache config: index the checkout, but deny the tool-internal
	-- conf/ and db/ subdirectories
	apacheConf =
		[ "<Directory \"" ++ repoDir ++ "\">"
		,    Apache.allowAll
		, "  Options Indexes FollowSymLinks Multiviews"
		, "  IndexIgnore conf db"
		, "</Directory>"
		, "<Directory \"" ++ repoDir ++ "/conf\">"
		, "  Require all denied"
		, "</Directory>"
		, "<Directory \"" ++ repoDir ++ "/db\">"
		, "  Require all denied"
		, "</Directory>"
		, "Alias \"/debian\" \"" ++ repoDir ++ "\""
		]

	-- one-off git-annex initialisation of the fresh clone, as the owner
	initRepo :: Property UnixLike
	initRepo = userScriptProperty owner
			[ "cd " ++ repoDir
			, "git annex init --version=7"
			] `assume` MadeChange

-- | Serve the HTML documentation shipped in Debian's @cl-consfigurator@
-- package under the spwhitton.name document root.
--
-- Unstable is made available at pin priority 1, so packages are not
-- upgraded to their unstable versions by default; only @cl-consfigurator@
-- is pinned high enough (900) to be installed and kept current from there.
consfiguratorDocs :: Property Debian
consfiguratorDocs = combineProperties "Consfigurator HTML docs" $ props
	& Apt.suiteAvailablePinned Unstable 1
	& [pkg] `Apt.pinnedTo` [(Unstable, 900)]
	& File.dirExists docRoot
	& (docRoot </> "consfigurator") `File.isSymlinkedTo` File.LinkTarget htmlDir
  where
	pkg = "cl-consfigurator"
	docRoot = "/var/www/spw/doc"
	htmlDir = "/usr/share/doc/cl-consfigurator/html"

-- | Terms-of-service agreement handed to the Let's Encrypt properties in
-- this module, with the contact address to register with the account.
letos :: LetsEncrypt.AgreeTOS
letos = LetsEncrypt.AgreeTOS $ Just "spwhitton@spwhitton.name"