diff --git a/.gitignore b/.gitignore
index 09f7d51..94499ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
-roles/Vanik/files
+roles/Node/files/**
+roles/Nazara/files/dns
+roles/Nazara/files/dhcp
 venv/
 # ---> Python
diff --git a/bin/generate-mirrorlist b/bin/generate-mirrorlist
new file mode 100644
index 0000000..58ffe48
--- /dev/null
+++ b/bin/generate-mirrorlist
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## United States$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/candidates
+rankmirrors -n 6 /tmp/candidates > ../roles/ShadowArch/files/mirrorlist
diff --git a/bin/generate-pihole-dns-dhcp.py b/bin/generate-pihole-dns-dhcp.py
index 022fbf6..c682527 100755
--- a/bin/generate-pihole-dns-dhcp.py
+++ b/bin/generate-pihole-dns-dhcp.py
@@ -25,7 +25,7 @@ def WriteDHCPEntry(content,hosttype,hostclass):
 with open(dhcpfilepath,'a') as dhcpfile:
 for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
 try:
- dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['ip'] + '\n')
+ dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
 except:
 print(host + ' is not complete for DHCP.')
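Review bot: Nothing guards the pipeline in generate-mirrorlist — no `set -euo pipefail` and no status check — so when `curl` fails or the awk filter matches nothing (it exits at the first blank line after the `## United States` heading), `/tmp/candidates` is empty and `rankmirrors` still overwrites `../roles/ShadowArch/files/mirrorlist` with an empty list, which the role presumably then deploys to hosts. The fixed `/tmp/candidates` name is also writable by any local user on a shared machine, and the relative output path assumes the script is run from `bin/`. Suggested opening lines: `set -euo pipefail` / `candidates="$(mktemp)"` / `trap 'rm -f "$candidates"' EXIT`, with `curl -fsS` so HTTP errors are fatal and a `[ -s "$candidates" ]` test before `rankmirrors` runs.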
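Review bot: The new dhcp-host line still reads every attribute through `['hosts'][host]['vars'][...]`, but the `examples/msn0.yml` hunk in this same commit removes the per-host `vars:` level and places `ip`/`mac` directly under each host, so with that inventory the lookup raises KeyError for every host and the bare `except:` turns the run into a stream of "is not complete for DHCP" messages with nothing written. The bare `except:` also hides TypeError and KeyboardInterrupt; narrow it and say what is missing: `except KeyError as err:` / `print(host + ' is not complete for DHCP: missing ' + str(err))`. Note too that `content['all']['vars']['replica_domain']` is now the literal string `MSN0.{{ external_domain }}` if the file is read with a plain YAML loader rather than through Ansible's templating; GenerateFiles, which loads it, is not in this hunk. WriteDHCPEntry's signature and the `dhcpfilepath` assignment are above the hunk start.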
@@ -63,11 +63,11 @@ def GenerateFiles(file):
 # Add DNS entries for each host
 hosttype = 'managed'
- for hostclass in ['physical','virtual','geth-hubs']:
+ for hostclass in ['physical','virtual','geth_hubs']:
 WriteDNSEntry(content,hosttype,hostclass)
 WriteDHCPEntry(content,hosttype,hostclass)
 hosttype = 'unmanaged'
- for hostclass in ['ovas','hardware','iot']:
+ for hostclass in ['ovas','appliances','iot']:
 WriteDNSEntry(content,hosttype,hostclass)
 WriteDHCPEntry(content,hosttype,hostclass)
diff --git a/bin/generate-ssh-keyscan b/bin/generate-ssh-keyscan
new file mode 100755
index 0000000..3696a54
--- /dev/null
+++ b/bin/generate-ssh-keyscan
@@ -0,0 +1,21 @@
+#!/bin/bash
+
+# File: gen-ssh-keyscan
+#
+# Description: This file generates a known_host block for the inventory.
+#
+# Package: AniNIX/HelloWorld
+# Copyright: WTFPL
+#
+# Author: DarkFeather
+
+inventory="$1"
+
+replicadomain="$(grep replica_domain:\ "$inventory" | awk '{ print $2; }';)"
+
+for short in `ansible -i "$inventory" --list-hosts managed | grep -v hosts | sed 's/^\s\+//'`; do
+ long="$short"'.'"$replicadomain"
+ ip="$(dig "$long" +short)"
+ ssh-keyscan -t ed25519 -f <(echo "$long" "$long","$short","$ip") 2>&1
+ ssh-keyscan -t rsa -f <(echo "$long" "$long","$short","$ip") 2>/dev/null
+done
diff --git a/examples/msn0.yml b/examples/msn0.yml
index cc30438..0604a26 100644
--- a/examples/msn0.yml
+++ b/examples/msn0.yml
@@ -1,11 +1,13 @@
 all:
 vars:
 # Environment-wide data
- replica_domain: MSN0.AniNIX.net
+ external_domain: AniNIX.net
+ replica_domain: "MSN0.{{ external_domain }}"
 time_zone: "America/Chicago"
 # Services used by all
 router: 10.0.1.1
- dns: 10.0.1.7 # TODO will change once IPs are resegmented.
+ netmask: 24
+ dns: 10.0.1.2
 dhcprange: '10.0.1.224,10.0.1.254,255.255.255.0,12h'
 staticrange: '10.0.1.1,10.0.1.223,255.255.255.0,12h'
 logserver: "Sharingan.{{ replica_domain }}"
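Review bot: The hostclass names are hard-coded in both loops and have to be edited by hand whenever a group in the inventory is renamed, which is exactly what this hunk does for `geth-hubs` → `geth_hubs` and `hardware` → `appliances`; iterating the groups that actually exist, `for hostclass in content['all']['children'][hosttype]['children']:`, keeps the script and `examples/msn0.yml` from drifting apart. With the current form a stale name would presumably surface as an uncaught KeyError inside WriteDNSEntry, since in the sibling WriteDHCPEntry the `['children'][hostclass]` lookup sits outside the try block. GenerateFiles starts above this hunk and its loading of `content` is not visible here.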
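Review bot: `replicadomain` is taken from the raw inventory with `grep replica_domain:\ … | awk '{ print $2; }'`, and the `examples/msn0.yml` hunk in this same commit changes that value to `"MSN0.{{ external_domain }}"`, so the second awk field becomes `"MSN0.{{` and every `$long` built from it fails to resolve; the script needs the rendered value, for example from `ansible -i "$inventory" -m debug -a 'var=replica_domain' <one managed host>`, rather than a grep of the file. The `2>&1` on the ed25519 line also routes ssh-keyscan's `# host:22 SSH-2.0-…` stderr comments and any connection-error text into the generated known_hosts block while the rsa line discards them; both should use `2>/dev/null` if the output is meant to be pasted verbatim, and an empty `dig` answer should be tested before it is appended, since it currently yields `long,short,` with a trailing comma. Because ssh-keyscan is trust-on-first-use, the collected keys should be compared with a fingerprint obtained out of band (for example `ssh-keygen -lf` on the host's public key file over console or an already-trusted session) before the block is committed.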
@@ -13,190 +15,175 @@ all: # Standards daemon_shell: /sbin/nologin user_shell: /bin/bash + ansible_become_method: sudo + ansible_become_user: root + static: false + wireless_ssid: 'Shadowfeed' + ansible_python_interpreter: auto_silent children: managed: children: - physical: # 10.0.1.0/29 - vars: - depriv_user: pi + physical: # 10.0.1.0/28 hosts: Nazara: - vars: ipinterface: eth0 ip: 10.0.1.2 mac: B8:27:EB:B6:AA:0C - Node-1: - vars: - ipinterface: eth0 + static: true + Core: + ipinterface: enp1s0f0 ip: 10.0.1.3 - mac: B8:27:EB:B6:AA:0C - Node-2: - vars: - ipinterface: eth0 + mac: 00:25:90:0d:6e:86 + static: true + sslidentity: aninix.net-0001 + Node0: + ipinterface: enp1s0f0 ip: 10.0.1.4 - mac: B8:27:EB:B6:AA:0C - Node-3: - vars: - ipinterface: eth0 - ip: 10.0.1.5 - mac: B8:27:EB:B6:AA:0C - Node-4: - vars: - ipinterface: eth0 - ip: 10.0.1.6 - mac: B8:27:EB:B6:AA:0C - Node-5: - vars: - ipinterface: eth0 - ip: 10.0.1.7 - mac: B8:27:EB:B6:AA:0C - virtual: # 10.0.1.8/29 + mac: DE:8B:9E:19:55:1D + static: true + virtual: # 10.0.1.16/28 vars: - depriv_user: depriv hosts: Sharingan: - vars: - ip: 10.0.1.8 - mac: 00:15:5D:01:02:05 - cores: 4 - memory: 4 + ip: 10.0.1.16 + ipinterface: ens3 + mac: 00:15:5D:01:02:10 + cores: 6 + memory: 6 + vnc: 8 bridge: br0 disks: - - '-drive file=/srv/maat/vm/Sharingan.qcow2,format=qcow2,l2-cache-size=1M' + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/Sharingan.qcow2' DarkNet: - vars: - ip: 10.0.1.9 - mac: 00:15:5D:01:02:04 + ip: 10.0.1.17 + ipinterface: eth0 + mac: 00:15:5D:01:02:05 cores: 2 memory: 2 + vnc: 9 bridge: br0 disks: - - '-hda /dev/sdb' + - '-drive if=none,id=disk0,cache=none,format=raw,aio=native,file=/dev/sdb' Maat: - vars: - ip: 10.0.1.10 - mac: 00:15:5d:01:02:06 - cores: 2 - memory: 2 - bridge: br0 - disks: - - '-drive file=/srv/maat/vm/MaatBuilder.qcow2,format=qcow2,l2-cache-size=1M' - Aether: - vars: - ip: 10.0.1.11 + ip: 10.0.1.18 + ipinterface: ens3 mac: 00:15:5d:01:02:07 cores: 2 memory: 2 bridge: br0 + 
vnc: 7 disks: - - '-hda /dev/sdd' - - '-cdrom /srv/maat/iso/archlinux.iso -boot order=d' - Core: - vars: - depriv_user: DarkFeather - ipinterface: enp1s0f0 - ip: 10.0.1.12 - mac: 00:25:90:0d:6e:86 - geth-hubs: # 10.0.1.16/29 + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/Maat.qcow2' + geth_hubs: # 10.0.1.32/28 vars: - depriv_user: pi + motion_enabled: yes hosts: Geth-Hub-1: - vars: - ip: 10.0.1.16 + ip: 10.0.1.32 mac: 84:16:F9:14:15:C5 Geth-Hub-2: - vars: - ip: 10.0.1.17 + ip: 10.0.1.33 mac: 84:16:F9:13:B6:E6 -# Geth-Hub-3: -# vars: -# ip: 10.0.1.18 -# mac: b8:27:eb:60:73:68 + motion_enabled: no + Geth-Hub-3: + ip: 10.0.1.34 + mac: b8:27:eb:60:73:68 unmanaged: children: - ovas: # 10.0.1.24/29 + ovas: # 10.0.1.48/28 hosts: - DedNet: - vars: - ip: 10.0.1.24 + TDS-Jump: + ip: 10.0.1.48 mac: 00:15:5d:01:02:08 cores: 2 memory: 2 + vnc: 4 bridge: br0 disks: - - '-drive file=/srv/maat/vm/DedNet.qcow2,format=qcow2' - - '-cdrom /srv/maat/iso/kali-linux.iso -boot order=d' + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/TDSJump.qcow2' Geth: - vars: - ip: 10.0.1.25 + ip: 10.0.1.49 + mac: DE:8B:9E:19:55:1E + cores: 2 + memory: 2 + vnc: 6 + bridge: br0 + disks: + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/hassos_ova-5.13.qcow2' + DedNet: + ip: 10.0.1.50 mac: 00:15:5d:01:02:09 cores: 2 memory: 2 + vnc: 3 bridge: br0 disks: - - '-drive file=/srv/maat/vm/DedNet.qcow2,format=qcow2' + - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/DedNet.qcow2' - '-cdrom /srv/maat/iso/kali-linux.iso -boot order=d' - hardware: - hosts: # 10.0.1.32/28 - Tachikoma: - vars: - ip: 10.0.1.32 - mac: aa:aa:aa:aa:aa:aa - Dedsec: - vars: - ip: 10.0.1.33 - mac: 34:f6:4b:36:12:8f - DarkFeather: - vars: - ip: 10.0.1.34 - mac: 64:C2:DE:78:BB:40 - Lykos: - vars: - ip: 10.0.1.35 - mac: 64:C2:DE:0C:AB:0D - Games: - vars: - ip: 10.0.1.36 - mac: 00:1F:BC:10:1C:F7 + Aether: + ip: 10.0.1.51 + mac: 00:15:5d:01:02:11 + cores: 2 + memory: 2 + vnc: 5 + bridge: br0 + disks: + 
- '-drive if=none,id=disk0,cache=none,format=raw,aio=native,file=/dev/sdc' + - '-cdrom /srv/maat/iso/archlinux.iso -boot order=d' + + appliances: + hosts: # 10.0.1.64/27 Shadowfeed: - vars: ip: 10.0.1.1 mac: 2c:30:33:64:f4:03 + DarkFeather: + ip: 10.0.1.64 + mac: D0:40:EF:D4:14:CF + Lykos: + ip: 10.0.1.65 + mac: 70:74:14:4F:8E:42 + Games: + ip: 10.0.1.66 + mac: 00:1F:BC:10:1C:F8 Print: - vars: - ip: 10.0.1.37 + ip: 10.0.1.67 mac: 00:80:92:77:CE:E4 - Core-Console: - vars: - ip: 10.0.1.38 - mac: 00:25:90:0D:82:5B - Maat-Console: - vars: - ip: 10.0.1.39 - mac: 00:25:90:3E:C6:8C Geth-Eyes: - vars: - ip: 10.0.1.40 - mac: 9c:a3:aa:33:a3:99 - # dhcp build space: 10.0.1.224/27 + ip: 10.0.1.68 + mac: 9C:A3:AA:33:A3:99 + LivingRoomTV: + ip: 10.0.1.69 + mac: 80:D2:1D:17:63:0E + BedRoomTV: + ip: 10.0.1.70 + mac: 80:D2:1D:17:63:0F + TraingRoomTV: + ip: 10.0.1.71 + mac: 80:D2:1D:17:63:10 + Tachikoma: + ip: 10.0.1.72 + mac: B8:76:3F:70:DB:C1 + Dedsec: + ip: 10.0.1.73 + mac: 34:F6:4B:36:12:8F + "Core.Console": + ip: 10.0.1.74 + mac: 00:25:90:0D:82:5B + "Node0.Console": + ip: 10.0.1.75 + mac: 00:25:90:3E:C6:8C + # dhcp build space: 10.0.1.224/27 iot: # 10.0.2.0/24 hosts: LinKeuei: - vars: ip: 10.0.2.2 mac: 64:16:66:08:57:F5 Canary: - vars: ip: 10.0.2.3 mac: 18:B4:30:2F:F1:37 Charon: - vars: ip: 10.0.2.4 mac: 64:52:99:14:28:2B Skitarii-1: - vars: ip: 10.0.2.5 mac: 40:9F:38:95:06:34 - - diff --git a/precommit-hooks/find-bad-ipam b/precommit-hooks/find-bad-ipam new file mode 100755 index 0000000..dc2ca44 --- /dev/null +++ b/precommit-hooks/find-bad-ipam 
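Review bot: `TraingRoomTV` under `appliances` looks like a typo for `TrainingRoomTV`; the host key becomes the DNS and DHCP hostname through `bin/generate-pihole-dns-dhcp.py`, so it is worth fixing before it is handed out. The `virtual:` group keeps an empty `vars:` key after `depriv_user` is removed, which parses as a YAML null — Ansible's YAML inventory plugin appears to skip it, but any plain YAML consumer of this file gets `None` where it expects a mapping, so either drop the key or write `vars: {}`. MAC addresses are also recorded in mixed case (`00:15:5d:01:02:07` beside `00:15:5D:01:02:10`), which matters for the case-sensitive duplicate check added in `precommit-hooks/find-bad-ipam`.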
@@ -0,0 +1,57 @@
+#!/usr/bin/bash
+
+# File: find-bad-ipam
+#
+# Description: This file finds bad IPAM entries in an inventory.
+#
+# Package: AniNIX/Ubiqtorate
+# Copyright: WTFPL
+#
+# Author: DarkFeather
+
+file="examples/msn0.yml"
+
+function findBadTerm() {
+ ### Check for a term to be duplicated.
+ # param file: the file
+ # param term: the term to search for duplicates
+ file="$1"
+ term="$2"
+ results="$(grep "$term:" "$file" | sed 's/\s\+'"$term"':\s*//' | sort)"
+
+ if ! diff <(echo "$results") <(echo "$results" | uniq); then
+ echo "Some ${term^^} entries are duplicated. Search for the above terms in your inventory and deduplicate."
+ exit 2
+ fi
+}
+
+function Usage() {
+ ### Helptext
+ # param retcode: what to return
+ retcode="$1"
+ echo "Usage: $0 -f SOMEFILE"
+ echo " $0 -h"
+ echo "Add -v for verbosity."
+ exit $retcode
+}
+
+while getopts 'f:hv' OPTION; do
+ ### Parse arguments
+ case "$OPTION" in
+ f) file="$OPTARG" ;;
+ h) echo "Find bad IPAM entries in an inventory." ; Usage 0 ;;
+ v) set -x ;;
+ *) Usage 1 ;;
+ esac
+done
+
+# Sanity check
+if [ -z "$file" ] || [ ! -f "$file" ]; then
+ echo Need an inventory to process.
+ Usage 3;
+fi
+
+# Check for the unique attributes.
+for i in ip vnc mac; do
+ findBadTerm "$file" "$i"
+done
diff --git a/bin/find-incomplete-roles b/precommit-hooks/find-incomplete-roles
similarity index 100%
rename from bin/find-incomplete-roles
rename to precommit-hooks/find-incomplete-roles
diff --git a/roles/Geth-Hub/files/lircd.conf.Geth-Hub-1 b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-1
similarity index 100%
rename from roles/Geth-Hub/files/lircd.conf.Geth-Hub-1
rename to roles/Geth-Hub/files/lircd.conf/Geth-Hub-1
diff --git a/roles/Geth-Hub/files/lircd.conf.Geth-Hub-2 b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-2
similarity index 100%
rename from roles/Geth-Hub/files/lircd.conf.Geth-Hub-2
rename to roles/Geth-Hub/files/lircd.conf/Geth-Hub-2
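Review bot: The duplicate check in `findBadTerm` is case-sensitive (`sort` followed by `uniq`), but the inventory this hook targets writes MACs in mixed case (`00:15:5d:…` beside `00:15:5D:…`), so the same MAC entered twice with different case passes the hook; normalise before sorting: `results="$(grep "$term:" "$file" | sed 's/\s\+'"$term"':\s*//' | tr '[:upper:]' '[:lower:]' | sort)"`. `file="$1"` and `term="$2"` are assigned without `local`, so the function overwrites the script-level `file` — harmless today because the same value is passed back in, but `local file="$1"` / `local term="$2"` removes the trap. `grep "$term:"` also matches the term anywhere in a line rather than as a key, so anchoring it, `grep -E "^\s*$term:"`, avoids spurious duplicates from comments or values, and because `exit 2` fires on the first duplicated term the remaining terms are never reported in that run.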
diff --git a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3 b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3 new file mode 100644 index 0000000..2499ade --- /dev/null +++ b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3 @@ -0,0 +1,44 @@ + +# Please make this file available to others +# by sending it to +# +# this config file was automatically generated +# using lirc-0.9.0-pre1(default) on Thu Jun 29 00:24:26 2017 +# +# contributed by darkfeather@aninix.net +# +# brand: LG.conf +# model no. of remote control: AKB73715608 +# devices being controlled by this remote: TV +# + +begin remote + + name LG-AKB73715608 + bits 16 + flags SPACE_ENC|CONST_LENGTH + eps 30 + aeps 100 + + header 9063 4496 + one 579 1673 + zero 579 546 + ptrail 580 + repeat 9066 2248 + pre_data_bits 16 + pre_data 0x20DF + gap 108528 + toggle_bit_mask 0x0 + + begin codes + KEY_POWER 0x10EF + KEY_VOLUMEUP 0x40BF + KEY_VOLUMEDOWN 0xC03F + KEY_CONFIG 0xD02F + KEY_ENTER 0x22DD + KEY_MUTE 0x906F + end codes + +end remote + + diff --git a/roles/Geth-Hub/files/motion.conf b/roles/Geth-Hub/files/motion.conf/Geth-Hub-1 similarity index 100% rename from roles/Geth-Hub/files/motion.conf rename to roles/Geth-Hub/files/motion.conf/Geth-Hub-1 diff --git a/roles/Geth-Hub/files/motion.conf/Geth-Hub-2 b/roles/Geth-Hub/files/motion.conf/Geth-Hub-2 new file mode 100644 index 0000000..5963148 --- /dev/null +++ b/roles/Geth-Hub/files/motion.conf/Geth-Hub-2 
@@ -0,0 +1,770 @@ +# Rename this distribution example file to motion.conf +# +# This config file was generated by motion 4.0.1 + + +############################################################ +# Daemon +############################################################ + +# Start in daemon (background) mode and release terminal (default: off) +daemon on + +# File to store the process ID, also called pid file. (default: not defined) +process_id_file /var/run/motion/motion.pid + +############################################################ +# Basic Setup Mode +############################################################ + +# Start in Setup-Mode, daemon disabled. (default: off) +setup_mode off + + +# Use a file to save logs messages, if not defined stderr and syslog is used. (default: not defined) +;logfile /tmp/motion.log + +# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL). (default: 6 / NTC) +log_level 6 + +# Filter to log messages by type (COR, STR, ENC, NET, DBL, EVT, TRK, VID, ALL). (default: ALL) +log_type all + +########################################################### +# Capture device options +############################################################ + +# Videodevice to be used for capturing (default /dev/video0) +# for FreeBSD default is /dev/bktr0 +videodevice /dev/video0 + +# v4l2_palette allows one to choose preferable palette to be use by motion +# to capture from those supported by your videodevice. (default: 17) +# E.g. if your videodevice supports both V4L2_PIX_FMT_SBGGR8 and +# V4L2_PIX_FMT_MJPEG then motion will by default use V4L2_PIX_FMT_MJPEG. +# Setting v4l2_palette to 2 forces motion to use V4L2_PIX_FMT_SBGGR8 +# instead. 
+# +# Values : +# V4L2_PIX_FMT_SN9C10X : 0 'S910' +# V4L2_PIX_FMT_SBGGR16 : 1 'BYR2' +# V4L2_PIX_FMT_SBGGR8 : 2 'BA81' +# V4L2_PIX_FMT_SPCA561 : 3 'S561' +# V4L2_PIX_FMT_SGBRG8 : 4 'GBRG' +# V4L2_PIX_FMT_SGRBG8 : 5 'GRBG' +# V4L2_PIX_FMT_PAC207 : 6 'P207' +# V4L2_PIX_FMT_PJPG : 7 'PJPG' +# V4L2_PIX_FMT_MJPEG : 8 'MJPEG' +# V4L2_PIX_FMT_JPEG : 9 'JPEG' +# V4L2_PIX_FMT_RGB24 : 10 'RGB3' +# V4L2_PIX_FMT_SPCA501 : 11 'S501' +# V4L2_PIX_FMT_SPCA505 : 12 'S505' +# V4L2_PIX_FMT_SPCA508 : 13 'S508' +# V4L2_PIX_FMT_UYVY : 14 'UYVY' +# V4L2_PIX_FMT_YUYV : 15 'YUYV' +# V4L2_PIX_FMT_YUV422P : 16 '422P' +# V4L2_PIX_FMT_YUV420 : 17 'YU12' +# +v4l2_palette 17 + +# Tuner device to be used for capturing using tuner as source (default /dev/tuner0) +# This is ONLY used for FreeBSD. Leave it commented out for Linux +; tunerdevice /dev/tuner0 + +# The video input to be used (default: -1) +# Should normally be set to 0 or 1 for video/TV cards, and -1 for USB cameras +# Set to 0 for uvideo(4) on OpenBSD +input -1 + +# The video norm to use (only for video capture and TV tuner cards) +# Values: 0 (PAL), 1 (NTSC), 2 (SECAM), 3 (PAL NC no colour). Default: 0 (PAL) +norm 0 + +# The frequency to set the tuner to (kHz) (only for TV tuner cards) (default: 0) +frequency 0 + +# Override the power line frequency for the webcam. (normally not necessary) +# Values: +# -1 : Do not modify device setting +# 0 : Power line frequency Disabled +# 1 : 50hz +# 2 : 60hz +# 3 : Auto +power_line_frequency -1 + +# Rotate image this number of degrees. The rotation affects all saved images as +# well as movies. Valid values: 0 (default = no rotation), 90, 180 and 270. +rotate 0 + +# Image width (pixels). Valid range: Camera dependent, default: 352 +width 640 + +# Image height (pixels). Valid range: Camera dependent, default: 288 +height 480 + +# Maximum number of frames to be captured per second. +# Valid range: 2-100. Default: 100 (almost no limit). 
+framerate 100 + +# Minimum time in seconds between capturing picture frames from the camera. +# Default: 0 = disabled - the capture rate is given by the camera framerate. +# This option is used when you want to capture images at a rate lower than 2 per second. +minimum_frame_time 0 + +# URL to use if you are using a network camera, size will be autodetected (incl http:// ftp:// mjpg:// rtsp:// mjpeg:// or file:///) +# Must be a URL that returns single jpeg pictures or a raw mjpeg stream. A trailing slash may be required for some cameras. +# Default: Not defined +; netcam_url value + +# Username and password for network camera (only if required). Default: not defined +# Syntax is user:password +; netcam_userpass value + +# The setting for keep-alive of network socket, should improve performance on compatible net cameras. +# off: The historical implementation using HTTP/1.0, closing the socket after each http request. +# force: Use HTTP/1.0 requests with keep alive header to reuse the same connection. +# on: Use HTTP/1.1 requests that support keep alive as default. +# Default: off +netcam_keepalive off + +# URL to use for a netcam proxy server, if required, e.g. "http://myproxy". +# If a port number other than 80 is needed, use "http://myproxy:1234". +# Default: not defined +; netcam_proxy value + +# Set less strict jpeg checks for network cameras with a poor/buggy firmware. +# Default: off +netcam_tolerant_check off + +# RTSP connection uses TCP to communicate to the camera. Can prevent image corruption. +# Default: on +rtsp_uses_tcp on + +# Name of camera to use if you are using a camera accessed through OpenMax/MMAL +# Default: Not defined +; mmalcam_name vc.ril.camera + +# Camera control parameters (see raspivid/raspistill tool documentation) +# Default: Not defined +; mmalcam_control_params -hf + +# Let motion regulate the brightness of a video device (default: off). +# The auto_brightness feature uses the brightness option as its target value. 
+# If brightness is zero auto_brightness will adjust to average brightness value 128. +# Only recommended for cameras without auto brightness +auto_brightness off + +# Set the initial brightness of a video device. +# If auto_brightness is enabled, this value defines the average brightness level +# which Motion will try and adjust to. +# Valid range 0-255, default 0 = disabled +brightness 0 + +# Set the contrast of a video device. +# Valid range 0-255, default 0 = disabled +contrast 0 + +# Set the saturation of a video device. +# Valid range 0-255, default 0 = disabled +saturation 0 + +# Set the hue of a video device (NTSC feature). +# Valid range 0-255, default 0 = disabled +hue 0 + + +############################################################ +# Round Robin (multiple inputs on same video device name) +############################################################ + +# Number of frames to capture in each roundrobin step (default: 1) +roundrobin_frames 1 + +# Number of frames to skip before each roundrobin step (default: 1) +roundrobin_skip 1 + +# Try to filter out noise generated by roundrobin (default: off) +switchfilter off + + +############################################################ +# Motion Detection Settings: +############################################################ + +# Threshold for number of changed pixels in an image that +# triggers motion detection (default: 1500) +threshold 1500 + +# Automatically tune the threshold down if possible (default: off) +threshold_tune off + +# Noise threshold for the motion detection (default: 32) +noise_level 32 + +# Automatically tune the noise threshold (default: on) +noise_tune on + +# Despeckle motion image using (e)rode or (d)ilate or (l)abel (Default: not defined) +# Recommended value is EedDl. Any combination (and number of) of E, e, d, and D is valid. +# (l)abeling must only be used once and the 'l' must be the last letter. 
+# Comment out to disable +despeckle_filter EedDl + +# Detect motion in predefined areas (1 - 9). Areas are numbered like that: 1 2 3 +# A script (on_area_detected) is started immediately when motion is 4 5 6 +# detected in one of the given areas, but only once during an event. 7 8 9 +# One or more areas can be specified with this option. Take care: This option +# does NOT restrict detection to these areas! (Default: not defined) +; area_detect value + +# PGM file to use as a sensitivity mask. +# Full path name to. (Default: not defined) +; mask_file value + +# Dynamically create a mask file during operation (default: 0) +# Adjust speed of mask changes from 0 (off) to 10 (fast) +smart_mask_speed 0 + +# Ignore sudden massive light intensity changes given as a percentage of the picture +# area that changed intensity. Valid range: 0 - 100 , default: 0 = disabled +lightswitch 0 + +# Picture frames must contain motion at least the specified number of frames +# in a row before they are detected as true motion. At the default of 1, all +# motion is detected. Valid range: 1 to thousands, recommended 1-5 +minimum_motion_frames 1 + +# Specifies the number of pre-captured (buffered) pictures from before motion +# was detected that will be output at motion detection. +# Recommended range: 0 to 5 (default: 0) +# Do not use large values! Large values will cause Motion to skip video frames and +# cause unsmooth movies. To smooth movies use larger values of post_capture instead. +pre_capture 0 + +# Number of frames to capture after motion is no longer detected (default: 0) +post_capture 0 + +# Event Gap is the seconds of no motion detection that triggers the end of an event. +# An event is defined as a series of motion images taken within a short timeframe. +# Recommended value is 60 seconds (Default). The value -1 is allowed and disables +# events causing all Motion to be written to one single movie file and no pre_capture. +# If set to 0, motion is running in gapless mode. 
Movies don't have gaps anymore. An +# event ends right after no more motion is detected and post_capture is over. +event_gap 60 + +# Maximum length in seconds of a movie +# When value is exceeded a new movie file is created. (Default: 0 = infinite) +max_movie_time 0 + +# Always save images even if there was no motion (default: off) +emulate_motion off + + +############################################################ +# Image File Output +############################################################ + +# Output 'normal' pictures when motion is detected (default: on) +# Valid values: on, off, first, best, center +# When set to 'first', only the first picture of an event is saved. +# Picture with most motion of an event is saved when set to 'best'. +# Picture with motion nearest center of picture is saved when set to 'center'. +# Can be used as preview shot for the corresponding movie. +output_pictures off + +# Output pictures with only the pixels moving object (ghost images) (default: off) +output_debug_pictures off + +# The quality (in percent) to be used by the jpeg compression (default: 75) +quality 75 + +# Type of output images +# Valid values: jpeg, ppm (default: jpeg) +picture_type jpeg + +############################################################ +# FFMPEG related options +# Film (movies) file output, and deinterlacing of the video input +# The options movie_filename and timelapse_filename are also used +# by the ffmpeg feature +############################################################ + +# Use ffmpeg to encode movies in realtime (default: off) +ffmpeg_output_movies off + +# Use ffmpeg to make movies with only the pixels moving +# object (ghost images) (default: off) +ffmpeg_output_debug_movies off + +# Use ffmpeg to encode a timelapse movie +# Default value 0 = off - else save frame every Nth second +ffmpeg_timelapse 0 + +# The file rollover mode of the timelapse video +# Valid values: hourly, daily (default), weekly-sunday, weekly-monday, monthly, manual 
+ffmpeg_timelapse_mode daily + +# Bitrate to be used by the ffmpeg encoder (default: 400000) +# This option is ignored if ffmpeg_variable_bitrate is not 0 (disabled) +ffmpeg_bps 400000 + +# Enables and defines variable bitrate for the ffmpeg encoder. +# ffmpeg_bps is ignored if variable bitrate is enabled. +# Valid values: 0 (default) = fixed bitrate defined by ffmpeg_bps, +# or the range 1 - 100 where 1 means worst quality and 100 is best. +ffmpeg_variable_bitrate 0 + +# Codec to used by ffmpeg for the video compression. +# Timelapse videos have two options. +# mpg - Creates mpg file with mpeg-2 encoding. +# If motion is shutdown and restarted, new pics will be appended +# to any previously created file with name indicated for timelapse. +# mpeg4 - Creates avi file with the default encoding. +# If motion is shutdown and restarted, new pics will create a +# new file with the name indicated for timelapse. +# Supported formats are: +# mpeg4 or msmpeg4 - gives you files with extension .avi +# msmpeg4 is recommended for use with Windows Media Player because +# it requires no installation of codec on the Windows client. 
+# swf - gives you a flash film with extension .swf +# flv - gives you a flash video with extension .flv +# ffv1 - FF video codec 1 for Lossless Encoding +# mov - QuickTime +# mp4 - MPEG-4 Part 14 H264 encoding +# mkv - Matroska H264 encoding +# hevc - H.265 / HEVC (High Efficiency Video Coding) +ffmpeg_video_codec mpeg4 + +# When creating videos, should frames be duplicated in order +# to keep up with the requested frames per second +# (default: true) +ffmpeg_duplicate_frames true + +############################################################ +# SDL Window +############################################################ + +# Number of motion thread to show in SDL Window (default: 0 = disabled) +#sdl_threadnr 0 + +############################################################ +# External pipe to video encoder +# Replacement for FFMPEG builtin encoder for ffmpeg_output_movies only. +# The options movie_filename and timelapse_filename are also used +# by the ffmpeg feature +############################################################# + +# Bool to enable or disable extpipe (default: off) +use_extpipe off + +# External program (full path and opts) to pipe raw video to +# Generally, use '-' for STDIN... 
+;extpipe mencoder -demuxer rawvideo -rawvideo w=%w:h=%h:i420 -ovc x264 -x264encopts bframes=4:frameref=1:subq=1:scenecut=-1:nob_adapt:threads=1:keyint=1000:8x8dct:vbv_bufsize=4000:crf=24:partitions=i8x8,i4x4:vbv_maxrate=800:no-chroma-me -vf denoise3d=16:12:48:4,pp=lb -of avi -o %f.avi - -fps %fps +;extpipe x264 - --input-res %wx%h --fps %fps --bitrate 2000 --preset ultrafast --quiet -o %f.mp4 +;extpipe mencoder -demuxer rawvideo -rawvideo w=%w:h=%h:fps=%fps -ovc x264 -x264encopts preset=ultrafast -of lavf -o %f.mp4 - -fps %fps +;extpipe ffmpeg -y -f rawvideo -pix_fmt yuv420p -video_size %wx%h -framerate %fps -i pipe:0 -vcodec libx264 -preset ultrafast -f mp4 %f.mp4 + + +############################################################ +# Snapshots (Traditional Periodic Webcam File Output) +############################################################ + +# Make automated snapshot every N seconds (default: 0 = disabled) +snapshot_interval 0 + + +############################################################ +# Text Display +# %Y = year, %m = month, %d = date, +# %H = hour, %M = minute, %S = second, %T = HH:MM:SS, +# %v = event, %q = frame number, %t = camera id number, +# %D = changed pixels, %N = noise level, \n = new line, +# %i and %J = width and height of motion area, +# %K and %L = X and Y coordinates of motion center +# %C = value defined by text_event - do not use with text_event! +# You can put quotation marks around the text to allow +# leading spaces +############################################################ + +# Locate and draw a box around the moving object. +# Valid values: on, off, preview (default: off) +# Set to 'preview' will only draw a box in preview_shot pictures. +locate_motion_mode off + +# Set the look and style of the locate box if enabled. +# Valid values: box, redbox, cross, redcross (default: box) +# Set to 'box' will draw the traditional box. +# Set to 'redbox' will draw a red box. +# Set to 'cross' will draw a little cross to mark center. 
+# Set to 'redcross' will draw a little red cross to mark center. +locate_motion_style box + +# Draws the timestamp using same options as C function strftime(3) +# Default: %Y-%m-%d\n%T = date in ISO format and time in 24 hour clock +# Text is placed in lower right corner +text_right %Y-%m-%d\n%T-%q + +# Draw a user defined text on the images using same options as C function strftime(3) +# Default: Not defined = no text +# Text is placed in lower left corner +; text_left CAMERA %t + +# Draw the number of changed pixed on the images (default: off) +# Will normally be set to off except when you setup and adjust the motion settings +# Text is placed in upper right corner +text_changes off + +# This option defines the value of the special event conversion specifier %C +# You can use any conversion specifier in this option except %C. Date and time +# values are from the timestamp of the first image in the current event. +# Default: %Y%m%d%H%M%S +# The idea is that %C can be used filenames and text_left/right for creating +# a unique identifier for each event. +text_event %Y%m%d%H%M%S + +# Draw characters at twice normal size on images. (default: off) +text_double off + + +# Text to include in a JPEG EXIF comment +# May be any text, including conversion specifiers. +# The EXIF timestamp is included independent of this text. +;exif_text %i%J/%K%L + +############################################################ +# Target Directories and filenames For Images And Films +# For the options snapshot_, picture_, movie_ and timelapse_filename +# you can use conversion specifiers +# %Y = year, %m = month, %d = date, +# %H = hour, %M = minute, %S = second, +# %v = event, %q = frame number, %t = camera id number, +# %D = changed pixels, %N = noise level, +# %i and %J = width and height of motion area, +# %K and %L = X and Y coordinates of motion center +# %C = value defined by text_event +# Quotation marks round string are allowed. 
+############################################################ + +# Target base directory for pictures and films +# Recommended to use absolute path. (Default: current working directory) +target_dir /var/run/motion/capture + +# File path for snapshots (jpeg or ppm) relative to target_dir +# Default: %v-%Y%m%d%H%M%S-snapshot +# Default value is equivalent to legacy oldlayout option +# For Motion 3.0 compatible mode choose: %Y/%m/%d/%H/%M/%S-snapshot +# File extension .jpg or .ppm is automatically added so do not include this. +# Note: A symbolic link called lastsnap.jpg created in the target_dir will always +# point to the latest snapshot, unless snapshot_filename is exactly 'lastsnap' +snapshot_filename %v-%Y%m%d%H%M%S-snapshot + +# File path for motion triggered images (jpeg or ppm) relative to target_dir +# Default: %v-%Y%m%d%H%M%S-%q +# Default value is equivalent to legacy oldlayout option +# For Motion 3.0 compatible mode choose: %Y/%m/%d/%H/%M/%S-%q +# File extension .jpg or .ppm is automatically added so do not include this +# Set to 'preview' together with best-preview feature enables special naming +# convention for preview shots. 
See motion guide for details +picture_filename %v-%Y%m%d%H%M%S-%q + +# File path for motion triggered ffmpeg films (movies) relative to target_dir +# Default: %v-%Y%m%d%H%M%S +# File extensions(.mpg .avi) are automatically added so do not include them +movie_filename %v-%Y%m%d%H%M%S + +# File path for timelapse movies relative to target_dir +# Default: %Y%m%d-timelapse +# File extensions(.mpg .avi) are automatically added so do not include them +timelapse_filename %Y%m%d-timelapse + +############################################################ +# Global Network Options +############################################################ +# Enable IPv6 (default: off) +ipv6_enabled off + +############################################################ +# Live Stream Server +############################################################ + +# The mini-http server listens to this port for requests (default: 0 = disabled) +stream_port 8081 + +# Quality of the jpeg (in percent) images produced (default: 50) +stream_quality 50 + +# Output frames at 1 fps when no motion is detected and increase to the +# rate given by stream_maxrate when motion is detected (default: off) +stream_motion off + +# Maximum framerate for stream streams (default: 1) +stream_maxrate 1 + +# Restrict stream connections to localhost only (default: on) +stream_localhost off + +# Limits the number of images per connection (default: 0 = unlimited) +# Number can be defined by multiplying actual stream rate by desired number of seconds +# Actual stream rate is the smallest of the numbers framerate and stream_maxrate +stream_limit 0 + +# Set the authentication method (default: 0) +# 0 = disabled +# 1 = Basic authentication +# 2 = MD5 digest (the safer authentication) +stream_auth_method 0 + +# Authentication for the stream. 
Syntax username:password +# Default: not defined (Disabled) +; stream_authentication username:password + +# Percentage to scale the stream image for preview +# Default: 25 +; stream_preview_scale 25 + +# Have stream preview image start on a new line +# Default: no +; stream_preview_newline no + +############################################################ +# HTTP Based Control +############################################################ + +# TCP/IP port for the http server to listen on (default: 0 = disabled) +webcontrol_port 8080 + +# Restrict control connections to localhost only (default: on) +webcontrol_localhost on + +# Output for http server, select off to choose raw text plain (default: on) +webcontrol_html_output on + +# Authentication for the http based control. Syntax username:password +# Default: not defined (Disabled) +; webcontrol_authentication username:password + + +############################################################ +# Tracking (Pan/Tilt) +############################################################# + +# Type of tracker (0=none (default), 1=stepper, 2=iomojo, 3=pwc, 4=generic, 5=uvcvideo, 6=servo) +# The generic type enables the definition of motion center and motion size to +# be used with the conversion specifiers for options like on_motion_detected +track_type 0 + +# Enable auto tracking (default: off) +track_auto off + +# Serial port of motor (default: none) +;track_port /dev/ttyS0 + +# Motor number for x-axis (default: 0) +;track_motorx 0 + +# Set motorx reverse (default: 0) +;track_motorx_reverse 0 + +# Motor number for y-axis (default: 0) +;track_motory 1 + +# Set motory reverse (default: 0) +;track_motory_reverse 0 + +# Maximum value on x-axis (default: 0) +;track_maxx 200 + +# Minimum value on x-axis (default: 0) +;track_minx 50 + +# Maximum value on y-axis (default: 0) +;track_maxy 200 + +# Minimum value on y-axis (default: 0) +;track_miny 50 + +# Center value on x-axis (default: 0) +;track_homex 128 + +# Center value on y-axis 
(default: 0) +;track_homey 128 + +# ID of an iomojo camera if used (default: 0) +track_iomojo_id 0 + +# Angle in degrees the camera moves per step on the X-axis +# with auto-track (default: 10) +# Currently only used with pwc type cameras +track_step_angle_x 10 + +# Angle in degrees the camera moves per step on the Y-axis +# with auto-track (default: 10) +# Currently only used with pwc type cameras +track_step_angle_y 10 + +# Delay to wait for after tracking movement as number +# of picture frames (default: 10) +track_move_wait 10 + +# Speed to set the motor to (stepper motor option) (default: 255) +track_speed 255 + +# Number of steps to make (stepper motor option) (default: 40) +track_stepsize 40 + + +############################################################ +# External Commands, Warnings and Logging: +# You can use conversion specifiers for the on_xxxx commands +# %Y = year, %m = month, %d = date, +# %H = hour, %M = minute, %S = second, +# %v = event, %q = frame number, %t = camera id number, +# %D = changed pixels, %N = noise level, +# %i and %J = width and height of motion area, +# %K and %L = X and Y coordinates of motion center +# %C = value defined by text_event +# %f = filename with full path +# %n = number indicating filetype +# Both %f and %n are only defined for on_picture_save, +# on_movie_start and on_movie_end +# Quotation marks round string are allowed. +############################################################ + +# Do not sound beeps when detecting motion (default: on) +# Note: Motion never beeps when running in daemon mode. +quiet on + +# Command to be executed when an event starts. (default: none) +# An event starts at first motion detected after a period of no motion defined by event_gap +; on_event_start value + +# Command to be executed when an event ends after a period of no motion +# (default: none). The period of no motion is defined by option event_gap. 
+; on_event_end value + +# Command to be executed when a picture (.ppm|.jpg) is saved (default: none) +# To give the filename as an argument to a command append it with %f +; on_picture_save value + +# Command to be executed when a motion frame is detected (default: none) +; on_motion_detected value + +# Command to be executed when motion in a predefined area is detected +# Check option 'area_detect'. (default: none) +; on_area_detected value + +# Command to be executed when a movie file (.mpg|.avi) is created. (default: none) +# To give the filename as an argument to a command append it with %f +; on_movie_start value + +# Command to be executed when a movie file (.mpg|.avi) is closed. (default: none) +# To give the filename as an argument to a command append it with %f +; on_movie_end value + +# Command to be executed when a camera can't be opened or if it is lost +# NOTE: There is situations when motion don't detect a lost camera! +# It depends on the driver, some drivers dosn't detect a lost camera at all +# Some hangs the motion thread. Some even hangs the PC! (default: none) +; on_camera_lost value + +##################################################################### +# Common Options for database features. +# Options require database options to be active also. 
+##################################################################### + +# Log to the database when creating motion triggered picture file (default: on) +; sql_log_picture on + +# Log to the database when creating a snapshot image file (default: on) +; sql_log_snapshot on + +# Log to the database when creating motion triggered movie file (default: off) +; sql_log_movie off + +# Log to the database when creating timelapse movies file (default: off) +; sql_log_timelapse off + +# SQL query string that is sent to the database +# Use same conversion specifiers has for text features +# Additional special conversion specifiers are +# %n = the number representing the file_type +# %f = filename with full path +# Default value: +# Create tables : +## +# Mysql +# CREATE TABLE security (camera int, filename char(80) not null, frame int, file_type int, time_stamp timestamp(14), event_time_stamp timestamp(14)); +# +# Postgresql +# CREATE TABLE security (camera int, filename char(80) not null, frame int, file_type int, time_stamp timestamp without time zone, event_time_stamp timestamp without time zone); +# +# insert into security(camera, filename, frame, file_type, time_stamp, text_event) values('%t', '%f', '%q', '%n', '%Y-%m-%d %T', '%C') +; sql_query insert into security(camera, filename, frame, file_type, time_stamp, event_time_stamp) values('%t', '%f', '%q', '%n', '%Y-%m-%d %T', '%C') + + +############################################################ +# Database Options +############################################################ + +# database type : mysql, postgresql, sqlite3 (default : not defined) +; database_type value + +# database to log to (default: not defined) +# for sqlite3, the full path and name for the database. 
+; database_dbname value + +# The host on which the database is located (default: localhost) +; database_host value + +# User account name for database (default: not defined) +; database_user value + +# User password for database (default: not defined) +; database_password value + +# Port on which the database is located +# mysql 3306 , postgresql 5432 (default: not defined) +; database_port value + +# Database wait time in milliseconds for locked database to +# be unlocked before returning database locked error (default 0) +; database_busy_timeout 0 + + + +############################################################ +# Video Loopback Device (vloopback project) +############################################################ + +# Output images to a video4linux loopback device +# The value '-' means next available (default: not defined) +; video_pipe value + +# Output motion images to a video4linux loopback device +# The value '-' means next available (default: not defined) +; motion_video_pipe value + + +############################################################## +# camera config files - One for each camera. +# Except if only one camera - You only need this config file. +# If you have more than one camera you MUST define one camera +# config file for each camera in addition to this config file. +############################################################## + +# Remember: If you have more than one camera you must have one +# camera file for each camera. E.g. 2 cameras requires 3 files: +# This motion.conf file AND camera1.conf and camera2.conf. +# Only put the options that are unique to each camera in the +# camera config files. +; camera /etc/motion/camera1.conf +; camera /etc/motion/camera2.conf +; camera /etc/motion/camera3.conf +; camera /etc/motion/camera4.conf + + +############################################################## +# Camera config directory - One for each camera. 
+##############################################################
+
+#
+; camera_dir /etc/motion/conf.d
diff --git a/roles/Geth-Hub/files/motion.conf/Geth-Hub-3 b/roles/Geth-Hub/files/motion.conf/Geth-Hub-3
new file mode 100644
index 0000000..5963148
--- /dev/null
+++ b/roles/Geth-Hub/files/motion.conf/Geth-Hub-3
@@ -0,0 +1,770 @@
+# Rename this distribution example file to motion.conf
+#
+# This config file was generated by motion 4.0.1
+
+
+############################################################
+# Daemon
+############################################################
+
+# Start in daemon (background) mode and release terminal (default: off)
+daemon on
+
+# File to store the process ID, also called pid file. (default: not defined)
+process_id_file /var/run/motion/motion.pid
+
+############################################################
+# Basic Setup Mode
+############################################################
+
+# Start in Setup-Mode, daemon disabled. (default: off)
+setup_mode off
+
+
+# Use a file to save logs messages, if not defined stderr and syslog is used. (default: not defined)
+;logfile /tmp/motion.log
+
+# Level of log messages [1..9] (EMG, ALR, CRT, ERR, WRN, NTC, INF, DBG, ALL). (default: 6 / NTC)
+log_level 6
+
+# Filter to log messages by type (COR, STR, ENC, NET, DBL, EVT, TRK, VID, ALL). (default: ALL)
+log_type all
+
+###########################################################
+# Capture device options
+############################################################
+
+# Videodevice to be used for capturing (default /dev/video0)
+# for FreeBSD default is /dev/bktr0
+videodevice /dev/video0
+
+# v4l2_palette allows one to choose preferable palette to be use by motion
+# to capture from those supported by your videodevice. (default: 17)
+# E.g. if your videodevice supports both V4L2_PIX_FMT_SBGGR8 and
+# V4L2_PIX_FMT_MJPEG then motion will by default use V4L2_PIX_FMT_MJPEG.
+# Setting v4l2_palette to 2 forces motion to use V4L2_PIX_FMT_SBGGR8
+# instead.
+# +# Values : +# V4L2_PIX_FMT_SN9C10X : 0 'S910' +# V4L2_PIX_FMT_SBGGR16 : 1 'BYR2' +# V4L2_PIX_FMT_SBGGR8 : 2 'BA81' +# V4L2_PIX_FMT_SPCA561 : 3 'S561' +# V4L2_PIX_FMT_SGBRG8 : 4 'GBRG' +# V4L2_PIX_FMT_SGRBG8 : 5 'GRBG' +# V4L2_PIX_FMT_PAC207 : 6 'P207' +# V4L2_PIX_FMT_PJPG : 7 'PJPG' +# V4L2_PIX_FMT_MJPEG : 8 'MJPEG' +# V4L2_PIX_FMT_JPEG : 9 'JPEG' +# V4L2_PIX_FMT_RGB24 : 10 'RGB3' +# V4L2_PIX_FMT_SPCA501 : 11 'S501' +# V4L2_PIX_FMT_SPCA505 : 12 'S505' +# V4L2_PIX_FMT_SPCA508 : 13 'S508' +# V4L2_PIX_FMT_UYVY : 14 'UYVY' +# V4L2_PIX_FMT_YUYV : 15 'YUYV' +# V4L2_PIX_FMT_YUV422P : 16 '422P' +# V4L2_PIX_FMT_YUV420 : 17 'YU12' +# +v4l2_palette 17 + +# Tuner device to be used for capturing using tuner as source (default /dev/tuner0) +# This is ONLY used for FreeBSD. Leave it commented out for Linux +; tunerdevice /dev/tuner0 + +# The video input to be used (default: -1) +# Should normally be set to 0 or 1 for video/TV cards, and -1 for USB cameras +# Set to 0 for uvideo(4) on OpenBSD +input -1 + +# The video norm to use (only for video capture and TV tuner cards) +# Values: 0 (PAL), 1 (NTSC), 2 (SECAM), 3 (PAL NC no colour). Default: 0 (PAL) +norm 0 + +# The frequency to set the tuner to (kHz) (only for TV tuner cards) (default: 0) +frequency 0 + +# Override the power line frequency for the webcam. (normally not necessary) +# Values: +# -1 : Do not modify device setting +# 0 : Power line frequency Disabled +# 1 : 50hz +# 2 : 60hz +# 3 : Auto +power_line_frequency -1 + +# Rotate image this number of degrees. The rotation affects all saved images as +# well as movies. Valid values: 0 (default = no rotation), 90, 180 and 270. +rotate 0 + +# Image width (pixels). Valid range: Camera dependent, default: 352 +width 640 + +# Image height (pixels). Valid range: Camera dependent, default: 288 +height 480 + +# Maximum number of frames to be captured per second. +# Valid range: 2-100. Default: 100 (almost no limit). 
+framerate 100 + +# Minimum time in seconds between capturing picture frames from the camera. +# Default: 0 = disabled - the capture rate is given by the camera framerate. +# This option is used when you want to capture images at a rate lower than 2 per second. +minimum_frame_time 0 + +# URL to use if you are using a network camera, size will be autodetected (incl http:// ftp:// mjpg:// rtsp:// mjpeg:// or file:///) +# Must be a URL that returns single jpeg pictures or a raw mjpeg stream. A trailing slash may be required for some cameras. +# Default: Not defined +; netcam_url value + +# Username and password for network camera (only if required). Default: not defined +# Syntax is user:password +; netcam_userpass value + +# The setting for keep-alive of network socket, should improve performance on compatible net cameras. +# off: The historical implementation using HTTP/1.0, closing the socket after each http request. +# force: Use HTTP/1.0 requests with keep alive header to reuse the same connection. +# on: Use HTTP/1.1 requests that support keep alive as default. +# Default: off +netcam_keepalive off + +# URL to use for a netcam proxy server, if required, e.g. "http://myproxy". +# If a port number other than 80 is needed, use "http://myproxy:1234". +# Default: not defined +; netcam_proxy value + +# Set less strict jpeg checks for network cameras with a poor/buggy firmware. +# Default: off +netcam_tolerant_check off + +# RTSP connection uses TCP to communicate to the camera. Can prevent image corruption. +# Default: on +rtsp_uses_tcp on + +# Name of camera to use if you are using a camera accessed through OpenMax/MMAL +# Default: Not defined +; mmalcam_name vc.ril.camera + +# Camera control parameters (see raspivid/raspistill tool documentation) +# Default: Not defined +; mmalcam_control_params -hf + +# Let motion regulate the brightness of a video device (default: off). +# The auto_brightness feature uses the brightness option as its target value. 
+# If brightness is zero auto_brightness will adjust to average brightness value 128. +# Only recommended for cameras without auto brightness +auto_brightness off + +# Set the initial brightness of a video device. +# If auto_brightness is enabled, this value defines the average brightness level +# which Motion will try and adjust to. +# Valid range 0-255, default 0 = disabled +brightness 0 + +# Set the contrast of a video device. +# Valid range 0-255, default 0 = disabled +contrast 0 + +# Set the saturation of a video device. +# Valid range 0-255, default 0 = disabled +saturation 0 + +# Set the hue of a video device (NTSC feature). +# Valid range 0-255, default 0 = disabled +hue 0 + + +############################################################ +# Round Robin (multiple inputs on same video device name) +############################################################ + +# Number of frames to capture in each roundrobin step (default: 1) +roundrobin_frames 1 + +# Number of frames to skip before each roundrobin step (default: 1) +roundrobin_skip 1 + +# Try to filter out noise generated by roundrobin (default: off) +switchfilter off + + +############################################################ +# Motion Detection Settings: +############################################################ + +# Threshold for number of changed pixels in an image that +# triggers motion detection (default: 1500) +threshold 1500 + +# Automatically tune the threshold down if possible (default: off) +threshold_tune off + +# Noise threshold for the motion detection (default: 32) +noise_level 32 + +# Automatically tune the noise threshold (default: on) +noise_tune on + +# Despeckle motion image using (e)rode or (d)ilate or (l)abel (Default: not defined) +# Recommended value is EedDl. Any combination (and number of) of E, e, d, and D is valid. +# (l)abeling must only be used once and the 'l' must be the last letter. 
+# Comment out to disable +despeckle_filter EedDl + +# Detect motion in predefined areas (1 - 9). Areas are numbered like that: 1 2 3 +# A script (on_area_detected) is started immediately when motion is 4 5 6 +# detected in one of the given areas, but only once during an event. 7 8 9 +# One or more areas can be specified with this option. Take care: This option +# does NOT restrict detection to these areas! (Default: not defined) +; area_detect value + +# PGM file to use as a sensitivity mask. +# Full path name to. (Default: not defined) +; mask_file value + +# Dynamically create a mask file during operation (default: 0) +# Adjust speed of mask changes from 0 (off) to 10 (fast) +smart_mask_speed 0 + +# Ignore sudden massive light intensity changes given as a percentage of the picture +# area that changed intensity. Valid range: 0 - 100 , default: 0 = disabled +lightswitch 0 + +# Picture frames must contain motion at least the specified number of frames +# in a row before they are detected as true motion. At the default of 1, all +# motion is detected. Valid range: 1 to thousands, recommended 1-5 +minimum_motion_frames 1 + +# Specifies the number of pre-captured (buffered) pictures from before motion +# was detected that will be output at motion detection. +# Recommended range: 0 to 5 (default: 0) +# Do not use large values! Large values will cause Motion to skip video frames and +# cause unsmooth movies. To smooth movies use larger values of post_capture instead. +pre_capture 0 + +# Number of frames to capture after motion is no longer detected (default: 0) +post_capture 0 + +# Event Gap is the seconds of no motion detection that triggers the end of an event. +# An event is defined as a series of motion images taken within a short timeframe. +# Recommended value is 60 seconds (Default). The value -1 is allowed and disables +# events causing all Motion to be written to one single movie file and no pre_capture. +# If set to 0, motion is running in gapless mode. 
Movies don't have gaps anymore. An +# event ends right after no more motion is detected and post_capture is over. +event_gap 60 + +# Maximum length in seconds of a movie +# When value is exceeded a new movie file is created. (Default: 0 = infinite) +max_movie_time 0 + +# Always save images even if there was no motion (default: off) +emulate_motion off + + +############################################################ +# Image File Output +############################################################ + +# Output 'normal' pictures when motion is detected (default: on) +# Valid values: on, off, first, best, center +# When set to 'first', only the first picture of an event is saved. +# Picture with most motion of an event is saved when set to 'best'. +# Picture with motion nearest center of picture is saved when set to 'center'. +# Can be used as preview shot for the corresponding movie. +output_pictures off + +# Output pictures with only the pixels moving object (ghost images) (default: off) +output_debug_pictures off + +# The quality (in percent) to be used by the jpeg compression (default: 75) +quality 75 + +# Type of output images +# Valid values: jpeg, ppm (default: jpeg) +picture_type jpeg + +############################################################ +# FFMPEG related options +# Film (movies) file output, and deinterlacing of the video input +# The options movie_filename and timelapse_filename are also used +# by the ffmpeg feature +############################################################ + +# Use ffmpeg to encode movies in realtime (default: off) +ffmpeg_output_movies off + +# Use ffmpeg to make movies with only the pixels moving +# object (ghost images) (default: off) +ffmpeg_output_debug_movies off + +# Use ffmpeg to encode a timelapse movie +# Default value 0 = off - else save frame every Nth second +ffmpeg_timelapse 0 + +# The file rollover mode of the timelapse video +# Valid values: hourly, daily (default), weekly-sunday, weekly-monday, monthly, manual 
+ffmpeg_timelapse_mode daily + +# Bitrate to be used by the ffmpeg encoder (default: 400000) +# This option is ignored if ffmpeg_variable_bitrate is not 0 (disabled) +ffmpeg_bps 400000 + +# Enables and defines variable bitrate for the ffmpeg encoder. +# ffmpeg_bps is ignored if variable bitrate is enabled. +# Valid values: 0 (default) = fixed bitrate defined by ffmpeg_bps, +# or the range 1 - 100 where 1 means worst quality and 100 is best. +ffmpeg_variable_bitrate 0 + +# Codec to used by ffmpeg for the video compression. +# Timelapse videos have two options. +# mpg - Creates mpg file with mpeg-2 encoding. +# If motion is shutdown and restarted, new pics will be appended +# to any previously created file with name indicated for timelapse. +# mpeg4 - Creates avi file with the default encoding. +# If motion is shutdown and restarted, new pics will create a +# new file with the name indicated for timelapse. +# Supported formats are: +# mpeg4 or msmpeg4 - gives you files with extension .avi +# msmpeg4 is recommended for use with Windows Media Player because +# it requires no installation of codec on the Windows client. 
+# swf - gives you a flash film with extension .swf +# flv - gives you a flash video with extension .flv +# ffv1 - FF video codec 1 for Lossless Encoding +# mov - QuickTime +# mp4 - MPEG-4 Part 14 H264 encoding +# mkv - Matroska H264 encoding +# hevc - H.265 / HEVC (High Efficiency Video Coding) +ffmpeg_video_codec mpeg4 + +# When creating videos, should frames be duplicated in order +# to keep up with the requested frames per second +# (default: true) +ffmpeg_duplicate_frames true + +############################################################ +# SDL Window +############################################################ + +# Number of motion thread to show in SDL Window (default: 0 = disabled) +#sdl_threadnr 0 + +############################################################ +# External pipe to video encoder +# Replacement for FFMPEG builtin encoder for ffmpeg_output_movies only. +# The options movie_filename and timelapse_filename are also used +# by the ffmpeg feature +############################################################# + +# Bool to enable or disable extpipe (default: off) +use_extpipe off + +# External program (full path and opts) to pipe raw video to +# Generally, use '-' for STDIN... 
+;extpipe mencoder -demuxer rawvideo -rawvideo w=%w:h=%h:i420 -ovc x264 -x264encopts bframes=4:frameref=1:subq=1:scenecut=-1:nob_adapt:threads=1:keyint=1000:8x8dct:vbv_bufsize=4000:crf=24:partitions=i8x8,i4x4:vbv_maxrate=800:no-chroma-me -vf denoise3d=16:12:48:4,pp=lb -of avi -o %f.avi - -fps %fps +;extpipe x264 - --input-res %wx%h --fps %fps --bitrate 2000 --preset ultrafast --quiet -o %f.mp4 +;extpipe mencoder -demuxer rawvideo -rawvideo w=%w:h=%h:fps=%fps -ovc x264 -x264encopts preset=ultrafast -of lavf -o %f.mp4 - -fps %fps +;extpipe ffmpeg -y -f rawvideo -pix_fmt yuv420p -video_size %wx%h -framerate %fps -i pipe:0 -vcodec libx264 -preset ultrafast -f mp4 %f.mp4 + + +############################################################ +# Snapshots (Traditional Periodic Webcam File Output) +############################################################ + +# Make automated snapshot every N seconds (default: 0 = disabled) +snapshot_interval 0 + + +############################################################ +# Text Display +# %Y = year, %m = month, %d = date, +# %H = hour, %M = minute, %S = second, %T = HH:MM:SS, +# %v = event, %q = frame number, %t = camera id number, +# %D = changed pixels, %N = noise level, \n = new line, +# %i and %J = width and height of motion area, +# %K and %L = X and Y coordinates of motion center +# %C = value defined by text_event - do not use with text_event! +# You can put quotation marks around the text to allow +# leading spaces +############################################################ + +# Locate and draw a box around the moving object. +# Valid values: on, off, preview (default: off) +# Set to 'preview' will only draw a box in preview_shot pictures. +locate_motion_mode off + +# Set the look and style of the locate box if enabled. +# Valid values: box, redbox, cross, redcross (default: box) +# Set to 'box' will draw the traditional box. +# Set to 'redbox' will draw a red box. +# Set to 'cross' will draw a little cross to mark center. 
+# Set to 'redcross' will draw a little red cross to mark center. +locate_motion_style box + +# Draws the timestamp using same options as C function strftime(3) +# Default: %Y-%m-%d\n%T = date in ISO format and time in 24 hour clock +# Text is placed in lower right corner +text_right %Y-%m-%d\n%T-%q + +# Draw a user defined text on the images using same options as C function strftime(3) +# Default: Not defined = no text +# Text is placed in lower left corner +; text_left CAMERA %t + +# Draw the number of changed pixed on the images (default: off) +# Will normally be set to off except when you setup and adjust the motion settings +# Text is placed in upper right corner +text_changes off + +# This option defines the value of the special event conversion specifier %C +# You can use any conversion specifier in this option except %C. Date and time +# values are from the timestamp of the first image in the current event. +# Default: %Y%m%d%H%M%S +# The idea is that %C can be used filenames and text_left/right for creating +# a unique identifier for each event. +text_event %Y%m%d%H%M%S + +# Draw characters at twice normal size on images. (default: off) +text_double off + + +# Text to include in a JPEG EXIF comment +# May be any text, including conversion specifiers. +# The EXIF timestamp is included independent of this text. +;exif_text %i%J/%K%L + +############################################################ +# Target Directories and filenames For Images And Films +# For the options snapshot_, picture_, movie_ and timelapse_filename +# you can use conversion specifiers +# %Y = year, %m = month, %d = date, +# %H = hour, %M = minute, %S = second, +# %v = event, %q = frame number, %t = camera id number, +# %D = changed pixels, %N = noise level, +# %i and %J = width and height of motion area, +# %K and %L = X and Y coordinates of motion center +# %C = value defined by text_event +# Quotation marks round string are allowed. 
+############################################################ + +# Target base directory for pictures and films +# Recommended to use absolute path. (Default: current working directory) +target_dir /var/run/motion/capture + +# File path for snapshots (jpeg or ppm) relative to target_dir +# Default: %v-%Y%m%d%H%M%S-snapshot +# Default value is equivalent to legacy oldlayout option +# For Motion 3.0 compatible mode choose: %Y/%m/%d/%H/%M/%S-snapshot +# File extension .jpg or .ppm is automatically added so do not include this. +# Note: A symbolic link called lastsnap.jpg created in the target_dir will always +# point to the latest snapshot, unless snapshot_filename is exactly 'lastsnap' +snapshot_filename %v-%Y%m%d%H%M%S-snapshot + +# File path for motion triggered images (jpeg or ppm) relative to target_dir +# Default: %v-%Y%m%d%H%M%S-%q +# Default value is equivalent to legacy oldlayout option +# For Motion 3.0 compatible mode choose: %Y/%m/%d/%H/%M/%S-%q +# File extension .jpg or .ppm is automatically added so do not include this +# Set to 'preview' together with best-preview feature enables special naming +# convention for preview shots. 
See motion guide for details +picture_filename %v-%Y%m%d%H%M%S-%q + +# File path for motion triggered ffmpeg films (movies) relative to target_dir +# Default: %v-%Y%m%d%H%M%S +# File extensions(.mpg .avi) are automatically added so do not include them +movie_filename %v-%Y%m%d%H%M%S + +# File path for timelapse movies relative to target_dir +# Default: %Y%m%d-timelapse +# File extensions(.mpg .avi) are automatically added so do not include them +timelapse_filename %Y%m%d-timelapse + +############################################################ +# Global Network Options +############################################################ +# Enable IPv6 (default: off) +ipv6_enabled off + +############################################################ +# Live Stream Server +############################################################ + +# The mini-http server listens to this port for requests (default: 0 = disabled) +stream_port 8081 + +# Quality of the jpeg (in percent) images produced (default: 50) +stream_quality 50 + +# Output frames at 1 fps when no motion is detected and increase to the +# rate given by stream_maxrate when motion is detected (default: off) +stream_motion off + +# Maximum framerate for stream streams (default: 1) +stream_maxrate 1 + +# Restrict stream connections to localhost only (default: on) +stream_localhost off + +# Limits the number of images per connection (default: 0 = unlimited) +# Number can be defined by multiplying actual stream rate by desired number of seconds +# Actual stream rate is the smallest of the numbers framerate and stream_maxrate +stream_limit 0 + +# Set the authentication method (default: 0) +# 0 = disabled +# 1 = Basic authentication +# 2 = MD5 digest (the safer authentication) +stream_auth_method 0 + +# Authentication for the stream. 
Syntax username:password +# Default: not defined (Disabled) +; stream_authentication username:password + +# Percentage to scale the stream image for preview +# Default: 25 +; stream_preview_scale 25 + +# Have stream preview image start on a new line +# Default: no +; stream_preview_newline no + +############################################################ +# HTTP Based Control +############################################################ + +# TCP/IP port for the http server to listen on (default: 0 = disabled) +webcontrol_port 8080 + +# Restrict control connections to localhost only (default: on) +webcontrol_localhost on + +# Output for http server, select off to choose raw text plain (default: on) +webcontrol_html_output on + +# Authentication for the http based control. Syntax username:password +# Default: not defined (Disabled) +; webcontrol_authentication username:password + + +############################################################ +# Tracking (Pan/Tilt) +############################################################# + +# Type of tracker (0=none (default), 1=stepper, 2=iomojo, 3=pwc, 4=generic, 5=uvcvideo, 6=servo) +# The generic type enables the definition of motion center and motion size to +# be used with the conversion specifiers for options like on_motion_detected +track_type 0 + +# Enable auto tracking (default: off) +track_auto off + +# Serial port of motor (default: none) +;track_port /dev/ttyS0 + +# Motor number for x-axis (default: 0) +;track_motorx 0 + +# Set motorx reverse (default: 0) +;track_motorx_reverse 0 + +# Motor number for y-axis (default: 0) +;track_motory 1 + +# Set motory reverse (default: 0) +;track_motory_reverse 0 + +# Maximum value on x-axis (default: 0) +;track_maxx 200 + +# Minimum value on x-axis (default: 0) +;track_minx 50 + +# Maximum value on y-axis (default: 0) +;track_maxy 200 + +# Minimum value on y-axis (default: 0) +;track_miny 50 + +# Center value on x-axis (default: 0) +;track_homex 128 + +# Center value on y-axis 
(default: 0) +;track_homey 128 + +# ID of an iomojo camera if used (default: 0) +track_iomojo_id 0 + +# Angle in degrees the camera moves per step on the X-axis +# with auto-track (default: 10) +# Currently only used with pwc type cameras +track_step_angle_x 10 + +# Angle in degrees the camera moves per step on the Y-axis +# with auto-track (default: 10) +# Currently only used with pwc type cameras +track_step_angle_y 10 + +# Delay to wait for after tracking movement as number +# of picture frames (default: 10) +track_move_wait 10 + +# Speed to set the motor to (stepper motor option) (default: 255) +track_speed 255 + +# Number of steps to make (stepper motor option) (default: 40) +track_stepsize 40 + + +############################################################ +# External Commands, Warnings and Logging: +# You can use conversion specifiers for the on_xxxx commands +# %Y = year, %m = month, %d = date, +# %H = hour, %M = minute, %S = second, +# %v = event, %q = frame number, %t = camera id number, +# %D = changed pixels, %N = noise level, +# %i and %J = width and height of motion area, +# %K and %L = X and Y coordinates of motion center +# %C = value defined by text_event +# %f = filename with full path +# %n = number indicating filetype +# Both %f and %n are only defined for on_picture_save, +# on_movie_start and on_movie_end +# Quotation marks round string are allowed. +############################################################ + +# Do not sound beeps when detecting motion (default: on) +# Note: Motion never beeps when running in daemon mode. +quiet on + +# Command to be executed when an event starts. (default: none) +# An event starts at first motion detected after a period of no motion defined by event_gap +; on_event_start value + +# Command to be executed when an event ends after a period of no motion +# (default: none). The period of no motion is defined by option event_gap. 
+; on_event_end value + +# Command to be executed when a picture (.ppm|.jpg) is saved (default: none) +# To give the filename as an argument to a command append it with %f +; on_picture_save value + +# Command to be executed when a motion frame is detected (default: none) +; on_motion_detected value + +# Command to be executed when motion in a predefined area is detected +# Check option 'area_detect'. (default: none) +; on_area_detected value + +# Command to be executed when a movie file (.mpg|.avi) is created. (default: none) +# To give the filename as an argument to a command append it with %f +; on_movie_start value + +# Command to be executed when a movie file (.mpg|.avi) is closed. (default: none) +# To give the filename as an argument to a command append it with %f +; on_movie_end value + +# Command to be executed when a camera can't be opened or if it is lost +# NOTE: There is situations when motion don't detect a lost camera! +# It depends on the driver, some drivers dosn't detect a lost camera at all +# Some hangs the motion thread. Some even hangs the PC! (default: none) +; on_camera_lost value + +##################################################################### +# Common Options for database features. +# Options require database options to be active also. 
+##################################################################### + +# Log to the database when creating motion triggered picture file (default: on) +; sql_log_picture on + +# Log to the database when creating a snapshot image file (default: on) +; sql_log_snapshot on + +# Log to the database when creating motion triggered movie file (default: off) +; sql_log_movie off + +# Log to the database when creating timelapse movies file (default: off) +; sql_log_timelapse off + +# SQL query string that is sent to the database +# Use same conversion specifiers has for text features +# Additional special conversion specifiers are +# %n = the number representing the file_type +# %f = filename with full path +# Default value: +# Create tables : +## +# Mysql +# CREATE TABLE security (camera int, filename char(80) not null, frame int, file_type int, time_stamp timestamp(14), event_time_stamp timestamp(14)); +# +# Postgresql +# CREATE TABLE security (camera int, filename char(80) not null, frame int, file_type int, time_stamp timestamp without time zone, event_time_stamp timestamp without time zone); +# +# insert into security(camera, filename, frame, file_type, time_stamp, text_event) values('%t', '%f', '%q', '%n', '%Y-%m-%d %T', '%C') +; sql_query insert into security(camera, filename, frame, file_type, time_stamp, event_time_stamp) values('%t', '%f', '%q', '%n', '%Y-%m-%d %T', '%C') + + +############################################################ +# Database Options +############################################################ + +# database type : mysql, postgresql, sqlite3 (default : not defined) +; database_type value + +# database to log to (default: not defined) +# for sqlite3, the full path and name for the database. 
+; database_dbname value + +# The host on which the database is located (default: localhost) +; database_host value + +# User account name for database (default: not defined) +; database_user value + +# User password for database (default: not defined) +; database_password value + +# Port on which the database is located +# mysql 3306 , postgresql 5432 (default: not defined) +; database_port value + +# Database wait time in milliseconds for locked database to +# be unlocked before returning database locked error (default 0) +; database_busy_timeout 0 + + + +############################################################ +# Video Loopback Device (vloopback project) +############################################################ + +# Output images to a video4linux loopback device +# The value '-' means next available (default: not defined) +; video_pipe value + +# Output motion images to a video4linux loopback device +# The value '-' means next available (default: not defined) +; motion_video_pipe value + + +############################################################## +# camera config files - One for each camera. +# Except if only one camera - You only need this config file. +# If you have more than one camera you MUST define one camera +# config file for each camera in addition to this config file. +############################################################## + +# Remember: If you have more than one camera you must have one +# camera file for each camera. E.g. 2 cameras requires 3 files: +# This motion.conf file AND camera1.conf and camera2.conf. +# Only put the options that are unique to each camera in the +# camera config files. +; camera /etc/motion/camera1.conf +; camera /etc/motion/camera2.conf +; camera /etc/motion/camera3.conf +; camera /etc/motion/camera4.conf + + +############################################################## +# Camera config directory - One for each camera. 
+##############################################################
+#
+; camera_dir /etc/motion/conf.d
diff --git a/roles/Geth-Hub/files/sources.list b/roles/Geth-Hub/files/sources.list
new file mode 100644
index 0000000..863aa0a
--- /dev/null
+++ b/roles/Geth-Hub/files/sources.list
@@ -0,0 +1,3 @@
+deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
+# Uncomment line below then 'apt-get update' to enable 'apt-get source'
+#deb-src http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
diff --git a/roles/Geth-Hub/tasks/main.yml b/roles/Geth-Hub/tasks/main.yml
index 2e220c0..f2b8e19 100644
--- a/roles/Geth-Hub/tasks/main.yml
+++ b/roles/Geth-Hub/tasks/main.yml
@@ -1,15 +1,24 @@
---
+ - name: Update the apt sources
+ become: yes
+ copy:
+ src: "sources.list"
+ dest: "/etc/apt/sources.list"
+
- name: Geth-Hub packages
become: yes
package:
name:
- motion
- lirc
+ - libcamera-apps
+ - ir-keytable
state: present
+ update_cache: yes
- name: Copy the SSH key
authorized_key:
- user: "{{ depriv_user | default('pi') }}"
+ user: "{{ ansible_user_id }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}"
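Review bot: The `deb http://raspbian.raspberrypi.org/raspbian/ bullseye ...` line is written a second time in this commit, inline as `content:` in the ShadowArch role's "Set up apt sources.list" task, so the two copies will drift the next time one of them is edited; keeping one of them (the Geth-Hub role could reuse the ShadowArch task, or the ShadowArch task could `copy:` this file) avoids that. apt still verifies the Release signature over plain HTTP, so integrity holds, but switching to `https://` where the mirror serves it also keeps the package list from being observable on the path.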
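Review bot: The new "Update the apt sources" task is the only `copy:` in this role that sets no `owner`/`group`/`mode`, so `/etc/apt/sources.list` ends up with whatever the remote umask gives; the other file-writing tasks in this commit set `owner: root`, `group: root`, `mode: 0644`, and this one should match. A small style point: `src: "sources.list"` is the only quoted `src` in the file.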
@@ -17,27 +26,53 @@ become: yes register: motion_config copy: - src: "motion.conf" + src: "motion.conf/{{ inventory_hostname }}" dest: "/etc/motion/motion.conf" + - name: Create motion log folder + become: yes + file: + path: "{{ item }}" + state: directory + owner: motion + group: motion + mode: 0750 + loop: + - "/var/log/motion" + - "/var/run/motion" + - name: Restart the motion service become: yes - when: motion_config.changed + when: motion_config.changed and motion_enabled service: name: motion state: restarted enabled: yes + - name: Allow override of motion service + become: yes + when: not motion_enabled + service: + name: motion + state: stopped + enabled: no + + # Thanks to https://wiki.geekworm.com/Raspberry_Pi_IR_Control_Expansion_Board for instructions setting up lirc - name: Set the dtoverlay become: yes - lineinfile: + register: dtoverlay + blockinfile: path: "/boot/config.txt" - regexp: "^dtoverlay=" - line: "dtoverlay=lirc-rpi,gpio_in_pin={{ gpio_in_pin | default('18') }},gpio_out_pin={{ gpio_out_pin | default('17') }}" + insertafter: EOF + marker: "# {mark} Ubiqtorate Managed Block" + block: | + dtoverlay=gpio-ir,gpio_pin={{ gpio_in_pin | default('18') }} + dtoverlay=gpio-ir-tx,gpio_pin={{ gpio_out_pin | default('17') }} - name: Set the dtparam become: yes + register: dtparam lineinfile: path: "/boot/config.txt" regexp: "^dtparam=" 
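Review bot: `when: motion_config.changed and motion_enabled` and `when: not motion_enabled` raise an undefined-variable error on any host whose inventory does not set `motion_enabled`; `motion_enabled | default(true)` (or a role default) preserves the old behaviour for those hosts. Replacing the `lineinfile` with `regexp: "^dtoverlay="` by a `blockinfile` that appends at EOF leaves the earlier `dtoverlay=lirc-rpi,...` line in `/boot/config.txt` on hosts already configured by the previous version, so both the old and the new overlays load; a preceding `lineinfile` with `regexp: "^dtoverlay=lirc-rpi"` and `state: absent` handles the migration. The "Create motion log folder" task creates `/var/run/motion` with `file:`, which presumably does not survive a reboot if `/var/run` is a tmpfs on these Pis — a tmpfiles.d entry or `RuntimeDirectory=motion` in the unit is the durable form. `mode: 0750` should be quoted (`'0750'`) so YAML does not reinterpret it; the hunk's remaining tasks continue into the next hunk.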
@@ -45,10 +80,28 @@
- name: Copy the modules config
become: yes
+ register: modules_config
template:
src: "modules.j2"
dest: "/etc/modules"
+ - name: Copy the modules config, part 2
+ become: yes
+ register: modules_config_2
+ template:
+ src: "lirc_rpi.conf.j2"
+ dest: "/etc/modprobe.d/lirc_rpi.conf"
+
+ - name: Reboot if needed
+ become: yes
+ when: modules_config.changed or dtparam.changed or dtoverlay.changed or modules_config_2.changed
+ reboot:
+
+ - name: Wait if needed
+ become: yes
+ when: modules_config.changed or dtparam.changed or dtoverlay.changed or modules_config_2.changed
+ wait_for_connection:
+
- name: Copy lircd supplemental config
register: lircd_supp_config
become: yes
@@ -60,13 +113,13 @@
register: lircd_remote_config
become: yes
copy:
- src: "lircd.conf.{{ inventory_hostname }}"
+ src: "lircd.conf/{{ inventory_hostname }}"
dest: /etc/lircd.conf
- name: Start the services
when: lircd_supp_config.changed or lircd_remote_config.changed
become: yes
service:
- name: lirc
+ name: lircd
state: restarted
enabled: yes
diff --git a/roles/Geth-Hub/templates/lirc_rpi.conf.j2 b/roles/Geth-Hub/templates/lirc_rpi.conf.j2
new file mode 100644
index 0000000..43957b7
--- /dev/null
+++ b/roles/Geth-Hub/templates/lirc_rpi.conf.j2
@@ -0,0 +1 @@
+options gpio_ir_recv gpio_in_pin={{ gpio_in_pin | default('18') }} gpio_out_pin={{ gpio_out_pin | default('17') }}
diff --git a/roles/Nazara/files/dhcp b/roles/Nazara/files/dhcp
deleted file mode 100644
index 496ce73..0000000
--- a/roles/Nazara/files/dhcp
+++ /dev/null
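Review bot: The "Wait if needed" task is redundant with the one before it: Ansible's `reboot:` module already blocks until the host is reachable again (it has its own `reboot_timeout` and `test_command`), so a separate `wait_for_connection:` gated on the same condition only adds a second round-trip. The four-way `when:` expression is duplicated verbatim on both tasks; if the wait is kept, factor the condition into one variable so the two cannot drift.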
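Review bot: `options gpio_ir_recv gpio_in_pin=... gpio_out_pin=...` carries over lirc_rpi's module parameters, but the `gpio-ir` / `gpio-ir-tx` overlays added to `/boot/config.txt` in this commit pass the pins through the device tree, and as far as I know the gpio_ir_recv driver accepts neither parameter — modprobe would log an unknown-parameter warning and the file would configure nothing. If that is the case the template (and the task that installs it, plus its `modules_config_2.changed` reboot trigger) can be dropped; worth confirming on one hub with `modinfo -p gpio_ir_recv`.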
@@ -1,34 +0,0 @@
-dhcp-range=10.0.1.224,10.0.1.254,255.255.255.0,12h
-dhcp-option=option:router,10.0.1.1
-dhcp-option=option:dns-server,10.0.1.7
-
-dhcp-range=10.0.1.1,10.0.1.223,255.255.255.0,12h
-dhcp-host=B8:27:EB:B6:AA:0C,10.0.1.2
-dhcp-host=B8:27:EB:B6:AA:0C,10.0.1.3
-dhcp-host=B8:27:EB:B6:AA:0C,10.0.1.4
-dhcp-host=B8:27:EB:B6:AA:0C,10.0.1.5
-dhcp-host=B8:27:EB:B6:AA:0C,10.0.1.6
-dhcp-host=B8:27:EB:B6:AA:0C,10.0.1.7
-dhcp-host=00:15:5D:01:02:05,10.0.1.8
-dhcp-host=00:15:5D:01:02:04,10.0.1.9
-dhcp-host=00:15:5d:01:02:06,10.0.1.10
-dhcp-host=00:15:5d:01:02:07,10.0.1.11
-dhcp-host=00:25:90:0d:6e:86,10.0.1.12
-dhcp-host=84:16:F9:14:15:C5,10.0.1.16
-dhcp-host=84:16:F9:13:B6:E6,10.0.1.17
-dhcp-host=00:15:5d:01:02:08,10.0.1.24
-dhcp-host=00:15:5d:01:02:09,10.0.1.25
-dhcp-host=aa:aa:aa:aa:aa:aa,10.0.1.32
-dhcp-host=34:f6:4b:36:12:8f,10.0.1.33
-dhcp-host=64:C2:DE:78:BB:40,10.0.1.34
-dhcp-host=64:C2:DE:0C:AB:0D,10.0.1.35
-dhcp-host=00:1F:BC:10:1C:F7,10.0.1.36
-dhcp-host=2c:30:33:64:f4:03,10.0.1.1
-dhcp-host=00:80:92:77:CE:E4,10.0.1.37
-dhcp-host=00:25:90:0D:82:5B,10.0.1.38
-dhcp-host=00:25:90:3E:C6:8C,10.0.1.39
-dhcp-host=9c:a3:aa:33:a3:99,10.0.1.40
-dhcp-host=64:16:66:08:57:F5,10.0.2.2
-dhcp-host=18:B4:30:2F:F1:37,10.0.2.3
-dhcp-host=64:52:99:14:28:2B,10.0.2.4
-dhcp-host=40:9F:38:95:06:34,10.0.2.5
diff --git a/roles/Nazara/files/dns b/roles/Nazara/files/dns
deleted file mode 100644
index 1a4bcfc..0000000
--- a/roles/Nazara/files/dns
+++ /dev/null
@@ -1,29 +0,0 @@
-10.0.1.2 Nazara.MSN0.AniNIX.net Nazara
-10.0.1.3 Node-1.MSN0.AniNIX.net Node-1
-10.0.1.4 Node-2.MSN0.AniNIX.net Node-2
-10.0.1.5 Node-3.MSN0.AniNIX.net Node-3
-10.0.1.6 Node-4.MSN0.AniNIX.net Node-4
-10.0.1.7 Node-5.MSN0.AniNIX.net Node-5
-10.0.1.8 Sharingan.MSN0.AniNIX.net Sharingan
-10.0.1.9 DarkNet.MSN0.AniNIX.net DarkNet
-10.0.1.10 Maat.MSN0.AniNIX.net Maat
-10.0.1.11 Aether.MSN0.AniNIX.net Aether
-10.0.1.12 Core.MSN0.AniNIX.net Core
-10.0.1.16 Geth-Hub-1.MSN0.AniNIX.net Geth-Hub-1
-10.0.1.17 Geth-Hub-2.MSN0.AniNIX.net Geth-Hub-2
-10.0.1.24 DedNet.MSN0.AniNIX.net DedNet
-10.0.1.25 Geth.MSN0.AniNIX.net Geth
-10.0.1.32 Tachikoma.MSN0.AniNIX.net Tachikoma
-10.0.1.33 Dedsec.MSN0.AniNIX.net Dedsec
-10.0.1.34 DarkFeather.MSN0.AniNIX.net DarkFeather
-10.0.1.35 Lykos.MSN0.AniNIX.net Lykos
-10.0.1.36 Games.MSN0.AniNIX.net Games
-10.0.1.1 Shadowfeed.MSN0.AniNIX.net Shadowfeed
-10.0.1.37 Print.MSN0.AniNIX.net Print
-10.0.1.38 Core-Console.MSN0.AniNIX.net Core-Console
-10.0.1.39 Maat-Console.MSN0.AniNIX.net Maat-Console
-10.0.1.40 Geth-Eyes.MSN0.AniNIX.net Geth-Eyes
-10.0.2.2 LinKeuei.MSN0.AniNIX.net LinKeuei
-10.0.2.3 Canary.MSN0.AniNIX.net Canary
-10.0.2.4 Charon.MSN0.AniNIX.net Charon
-10.0.2.5 Skitarii-1.MSN0.AniNIX.net Skitarii-1
diff --git a/roles/Node/tasks/main.yml b/roles/Node/tasks/main.yml
new file mode 100644
index 0000000..301f39d
--- /dev/null
+++ b/roles/Node/tasks/main.yml
@@ -0,0 +1,55 @@
+---
+ - name: Generate VM service files from inventory
+ delegate_to: localhost
+ register: systemd_files
+ run_once: true
+ command: "python3 ../bin/generate-systemd-vms.py {{ inventory_file }}"
+
+ - name: Install virtualization packages
+ become: yes
+ package:
+ name:
+ - edk2-ovmf
+ - qemu-headless
+ - ddrescue
+ state: present
+
+ - name: Copy VM definitions
+ become: yes
+ register: vmdefs
+ copy:
+ src: vm-definitions/
+ dest: /usr/lib/systemd/system
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Reload systemd daemon
+ become: yes
+ when: vmdefs.changed
+ systemd:
+ daemon_reload: yes
+
+ - name: QEMU Bridge Config
+ become: yes
+ copy:
+ src: bridge.conf
+ dest: /etc/qemu/bridge.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: System bridge interface
+ become: yes
+ register: br0
+ copy:
+ src: br0
+ dest: /etc/netctl/br0
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Enable bridge
+ become: yes
+ when: br0.changed
+ command: "/bin/bash -l -c 'netctl enable br0 && netctl restart br0'"
diff --git a/roles/Node/templates/vm.service.j2 b/roles/Node/templates/vm.service.j2
new file mode 100644
index 0000000..dabb51d
--- /dev/null
+++ b/roles/Node/templates/vm.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=AniNIX/{{ inventory_hostname }}
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/{{ inventory_hostname }} -machine type=pc,accel=kvm -bios /usr/share/edk2-ovmf/x64/OVMF.fd -cpu host -smp {{ cores }} {{ disks }} -net nic,macaddr={{ mac }},model=virtio -net bridge,br={{ bridge }} -vga std -nographic -vnc :{{ vnc }} -m size={{ memory }}G -device virtio-rng-pci
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=always
+User=root
+Group=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/SSL/files/certbot.service b/roles/SSL/files/certbot.service
new file mode 100755
index 0000000..3117aa2
--- /dev/null
+++ b/roles/SSL/files/certbot.service
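Review bot: The "Generate VM service files from inventory" task is not idempotent: a bare `command:` always reports changed, and its `register: systemd_files` result is never used, so every run shows a change even when the copy task that follows finds nothing to update; `changed_when: false` is appropriate here since "Copy VM definitions" already tracks the real change. The relative `../bin/generate-systemd-vms.py` also depends on the directory `ansible-playbook` was started from rather than on the playbook location — `{{ playbook_dir }}/../bin/generate-systemd-vms.py` is stable. The `mode: 0644` values should be quoted (`'0644'`) so they are not read as decimal integers by a stricter YAML parser.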
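Review bot: `-vnc :{{ vnc }}` starts an unauthenticated VNC console listening on every interface (display `:N` is TCP 5900+N), which hands guest console access to anything on the bridge; `-vnc 127.0.0.1:{{ vnc }}` keeps it on the host for use over SSH, or `-vnc :{{ vnc }},password` plus a monitor-set password. With `User=root`/`Group=root` each guest runs as root on the node, so a QEMU escape is a full host compromise — a dedicated unit user in the `kvm` group, with bridge access through the setuid bridge helper and the `/etc/qemu/bridge.conf` ACL this commit installs, confines that. Given `-nographic` the `-vga std` argument is presumably unused and can go.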
@@ -0,0 +1,11 @@
+[Unit]
+Description=Certbot
+
+[Service]
+ExecStart=certbot renew -w /var/lib/letsencrypt/ --preferred-chain "ISRG Root X1"
+ExecStartPost=/usr/bin/systemctl reload openresty
+KillMode=process
+Type=oneshot
+RemainAfterExit=no
+User=root
+Group=root
diff --git a/roles/SSL/files/certbot.timer b/roles/SSL/files/certbot.timer
new file mode 100755
index 0000000..b1888bd
--- /dev/null
+++ b/roles/SSL/files/certbot.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Certbot
+
+[Timer]
+OnCalendar=Sat *-*-* 00:00
+AccuracySec=1us
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/SSL/files/manual-ssl-renew b/roles/SSL/files/manual-ssl-renew
deleted file mode 100755
index a4dff94..0000000
--- a/roles/SSL/files/manual-ssl-renew
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/bash
-
-if [ `whoami` != 'root' ]; then
- sudo $0 $@
- exit
-fi
-
-domain="$1"
-
-certbot certonly -d ${domain} -d "*.${domain}" --manual --force-interactive --reuse-key
-cat /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/privkey.pem > /etc/letsencrypt/live/${domain}/certkey.pem
-
-# PKCS12 for Emby
-echo | openssl pkcs12 -password stdin -export -out /etc/letsencrypt/live/${domain}/ssl.pfx -inkey /etc/letsencrypt/live/${domain}/privkey.pem -in /etc/letsencrypt/live/${domain}/cert.pem -certfile /etc/letsencrypt/live/${domain}/fullchain.pem
-cat /etc/letsencrypt/live/${domain}/ssl.pfx > /var/lib/emby/ssl/yggdrasil.pfx
-
-systemctl restart webserver
-systemctl restart yggdrasil
-
-echo
-echo "Don't forget to send \`/raw reloadmodule m_ssl_openssl.so\` to a NetAdmin session on AniNIX/IRC"
-echo Add these to the TLSA records for the domain
-
-bash ./tlsa-generation.bash
diff --git a/roles/SSL/files/tlsa-generation.bash b/roles/SSL/files/tlsa-generation.bash
deleted file mode 100644
index 3bed2ee..0000000
--- a/roles/SSL/files/tlsa-generation.bash
+++ /dev/null
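Review bot: `ExecStart=certbot renew ...` uses a bare command name; only recent systemd versions resolve an unprefixed `ExecStart` against a fixed search path, older ones refuse to load the unit, so the absolute path (`/usr/bin/certbot` on the Arch hosts this role targets, verify with `command -v certbot`) is the safe form. `ExecStartPost=/usr/bin/systemctl reload openresty` reloads the proxy on every weekly run whether or not a certificate was actually renewed; certbot's `--deploy-hook "/usr/bin/systemctl reload openresty"` runs only when new material was written and also fires on a manual `certbot renew`. `KillMode=process` has no effect worth keeping on a `Type=oneshot` unit and can go.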
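Review bot: `OnCalendar=Sat *-*-* 00:00` together with `AccuracySec=1us` makes every host renew at the same instant each week; a `RandomizedDelaySec=` of an hour or more spreads the load, which is what Let's Encrypt's client guidance asks for, and is cheap to add. A weekly cadence also leaves only a handful of retries inside the renewal window if the ACME endpoint is unreachable one Saturday — the distribution-packaged certbot timers run more often for that reason, so consider `OnCalendar=daily` with the same randomized delay.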
@@ -1,4 +0,0 @@
-#!/bin/bash
-openssl x509 -in /etc/letsencrypt/live/aninix.net/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
-openssl x509 -in /etc/letsencrypt/live/aninix.net/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
-
diff --git a/roles/SSL/tasks/main.yml b/roles/SSL/tasks/main.yml
index 1e78c34..7be4202 100644
--- a/roles/SSL/tasks/main.yml
+++ b/roles/SSL/tasks/main.yml
@@ -6,3 +6,60 @@
name:
- certbot
- openssl
+
+ - name: Services
+ become: yes
+ register: services
+ copy:
+ src: "{{ item }}"
+ dest: /usr/lib/systemd/system
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - "certbot.service"
+ - "certbot.timer"
+
+ - name: Enable timer
+ when: services.changed
+ systemd:
+ daemon_reload: yes
+ name: certbot.timer
+ enabled: yes
+ state: started
+
+ - name: Create letsencrypt folder
+ become: yes
+ file:
+ path: /var/lib/letsencrypt
+ owner: root
+ group: http
+ mode: 2755
+
+ - name: Copy TLSA script
+ become: yes
+ template:
+ src: tlsa-generation.bash.j2
+ dest: /usr/local/sbin/tlsa-generation.bash
+ owner: root
+ group: root
+ mode: 0700
+
+ - name: Get proposed TLSA records
+ become: yes
+ command: /usr/local/sbin/tlsa-generation.bash
+ register: tlsa_records
+
+ - name: Show proposed TLSA records
+ debug:
+ msg: "{{ tlsa_records.stdout_lines }}"
+
+ - name: Get TLSA records
+ delegate_to: localhost
+ run_once: yes
+ command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
+ register: ext_tlsa_records
+
+ - name: Show TLSA records
+ debug:
+ msg: "{{ ext_tlsa_records.stdout_lines }}"
diff --git a/roles/SSL/templates/tlsa-generation.bash.j2 b/roles/SSL/templates/tlsa-generation.bash.j2
new file mode 100644
index 0000000..ad056ee
--- /dev/null
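Review bot: "Enable timer" is the only task in this hunk without `become: yes`, so `systemctl enable`/`daemon-reload` run as the unprivileged deploy user and fail on the first host where the units changed; add `become: yes` to match its siblings. "Create letsencrypt folder" has no `state: directory`, and the `file` module's default `state: file` errors out when `/var/lib/letsencrypt` does not yet exist, which is exactly the case this task is meant to handle. Its `mode: 2755` is also parsed as the decimal integer 2755 rather than octal, so the setgid bit is not what gets applied — write it as `mode: '2755'`. "Get proposed TLSA records" and "Get TLSA records" are read-only commands and should carry `changed_when: false` so the play does not report a change on every run.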
+++ b/roles/SSL/templates/tlsa-generation.bash.j2
@@ -0,0 +1,4 @@
+#!/bin/bash
+openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
+openssl x509 -in /etc/letsencrypt/live/{{ sslidentity}}/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
+
diff --git a/roles/ShadowArch/README.md b/roles/ShadowArch/README.md
new file mode 100644
index 0000000..37960b7
--- /dev/null
+++ b/roles/ShadowArch/README.md
@@ -0,0 +1 @@
+This role expands on the [AniNIX/ShadowArch](/AniNIX/ShadowArch) project for customizing ArchLinux to fit our needs. This role is intended to populate those settings driven from inventory data that can't be easily included in the package.
diff --git a/roles/basics/bin/find-mirrors b/roles/ShadowArch/bin/find-mirrors
similarity index 100%
rename from roles/basics/bin/find-mirrors
rename to roles/ShadowArch/bin/find-mirrors
diff --git a/roles/ShadowArch/files/mirrorlist b/roles/ShadowArch/files/mirrorlist
new file mode 100644
index 0000000..54258b7
--- /dev/null
+++ b/roles/ShadowArch/files/mirrorlist
@@ -0,0 +1,7 @@
+# Server list generated by rankmirrors on 2022-01-25
+Server = http://mirrors.kernel.org/archlinux/$repo/os/$arch
+Server = http://arch.hu.fo/archlinux/$repo/os/$arch
+Server = http://il.us.mirror.archlinux-br.org/$repo/os/$arch
+Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
+Server = http://mirror.pit.teraswitch.com/archlinux/$repo/os/$arch
+Server = http://mirrors.gigenet.com/archlinux/$repo/os/$arch
diff --git a/roles/ShadowArch/files/motd/Core b/roles/ShadowArch/files/motd/Core
new file mode 100644
index 0000000..d7702e4
--- /dev/null
+++ b/roles/ShadowArch/files/motd/Core
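Review bot: `openssl rsa -pubin` in both pipelines only parses RSA public keys; if the certificate under `{{ sslidentity }}` is ever issued with an ECDSA key (recent certbot releases default to it) the second stage fails and the script prints an empty digest, and the TLSA record published from it would break DANE validation. `openssl pkey -pubin -outform DER` handles both key types with no other change. The first line also hashes whichever certificate comes first in `chain.pem` — the issuing intermediate, not the root named in `--preferred-chain` — so the `2 1 1` record has to be regenerated whenever Let's Encrypt rotates intermediates; a comment saying so next to the `le-ca` line would save the next operator a debugging session. `{{ sslidentity}}` on the second line is missing the space before `}}`.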
@@ -0,0 +1,5 @@ +################################################################################ +# Welcome to the AniNIX # +# # +# This is the network core VM. Let us know if services are gone or down. # +################################################################################ diff --git a/roles/ShadowArch/files/motd/DarkNet b/roles/ShadowArch/files/motd/DarkNet new file mode 100644 index 0000000..fb1bed0 --- /dev/null +++ b/roles/ShadowArch/files/motd/DarkNet @@ -0,0 +1,5 @@ +################################################################################ +# AniNIX/DarkNet # +# # +# This is the network anonymization platform. Make sure VPN and TOR are up. # +################################################################################ diff --git a/roles/ShadowArch/files/motd/Geth-Hub-1 b/roles/ShadowArch/files/motd/Geth-Hub-1 new file mode 100644 index 0000000..668bcbc --- /dev/null +++ b/roles/ShadowArch/files/motd/Geth-Hub-1 @@ -0,0 +1,3 @@ + +# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) # + diff --git a/roles/ShadowArch/files/motd/Geth-Hub-2 b/roles/ShadowArch/files/motd/Geth-Hub-2 new file mode 100644 index 0000000..668bcbc --- /dev/null +++ b/roles/ShadowArch/files/motd/Geth-Hub-2 @@ -0,0 +1,3 @@ + +# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) # + diff --git a/roles/ShadowArch/files/motd/Geth-Hub-3 b/roles/ShadowArch/files/motd/Geth-Hub-3 new file mode 100644 index 0000000..df08880 --- /dev/null +++ b/roles/ShadowArch/files/motd/Geth-Hub-3 @@ -0,0 +1,3 @@ + +# AniNIX/Geth Hardware Platform (Raspberry Pi 3 Model B Plus Rev 1.3) # + diff --git a/roles/ShadowArch/files/motd/Maat b/roles/ShadowArch/files/motd/Maat new file mode 100644 index 0000000..e7b92ba --- /dev/null +++ b/roles/ShadowArch/files/motd/Maat 
@@ -0,0 +1,5 @@ +################################################################################ +# AniNIX/Maat # +# # +# This is the network CI/CD platform. Check `systemctl status maat-builder` # +################################################################################ diff --git a/roles/ShadowArch/files/motd/Nazara b/roles/ShadowArch/files/motd/Nazara new file mode 100644 index 0000000..b1e7ac9 --- /dev/null +++ b/roles/ShadowArch/files/motd/Nazara @@ -0,0 +1,5 @@ +################################################################################ +# AniNIX/Nazara # +# # +# This is the network DNS/DHCP service, using Raspberry Pi pihole, and bastion # +################################################################################ diff --git a/roles/ShadowArch/files/motd/Node0 b/roles/ShadowArch/files/motd/Node0 new file mode 100644 index 0000000..d1ffe7a --- /dev/null +++ b/roles/ShadowArch/files/motd/Node0 @@ -0,0 +1,6 @@ +################################################################################ +# AniNIX/Node0 # +# # +# This is the network virtualization platform. VMs can be found with this: # +# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status # +################################################################################ diff --git a/roles/ShadowArch/files/motd/Sharingan b/roles/ShadowArch/files/motd/Sharingan new file mode 100644 index 0000000..18de2ae --- /dev/null +++ b/roles/ShadowArch/files/motd/Sharingan @@ -0,0 +1,5 @@ +################################################################################ +# AniNIX/Sharingan # +# # +# This is the network monitoring platform. It will send alarms to #sharingan # +################################################################################ diff --git a/roles/basics/files/pacman.conf b/roles/ShadowArch/files/pacman.conf similarity index 94% rename from roles/basics/files/pacman.conf rename to roles/ShadowArch/files/pacman.conf index 6b5642a..c91ef6f 100644 
--- a/roles/basics/files/pacman.conf +++ b/roles/ShadowArch/files/pacman.conf @@ -74,16 +74,16 @@ LocalFileSigLevel = Optional #Include = /etc/pacman.d/mirrorlist [core] -Include = /etc/pacman.d/mirrorlist +Include = /etc/pacman.d/mirrorlist.shadowarch [extra] -Include = /etc/pacman.d/mirrorlist +Include = /etc/pacman.d/mirrorlist.shadowarch #[community-testing] #Include = /etc/pacman.d/mirrorlist [community] -Include = /etc/pacman.d/mirrorlist +Include = /etc/pacman.d/mirrorlist.shadowarch # If you want to run 32 bit applications on your x86_64 system, # enable the multilib repositories as required here. @@ -92,7 +92,7 @@ Include = /etc/pacman.d/mirrorlist #Include = /etc/pacman.d/mirrorlist [multilib] -Include = /etc/pacman.d/mirrorlist +Include = /etc/pacman.d/mirrorlist.shadowarch # An example of a custom package repository. See the pacman manpage for # tips on creating your own repositories. diff --git a/roles/ShadowArch/files/raspbian-interfaces b/roles/ShadowArch/files/raspbian-interfaces new file mode 100644 index 0000000..57f133a --- /dev/null +++ b/roles/ShadowArch/files/raspbian-interfaces @@ -0,0 +1,17 @@ +# interfaces(5) file used by ifup(8) and ifdown(8) + +# Please note that this file is written to be used with dhcpcd +# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf' + +# Include files from /etc/network/interfaces.d: +source-directory /etc/network/interfaces.d + +auto lo +iface lo inet loopback + +iface eth0 inet manual + +auto wlan0 +allow-hotplug wlan0 +iface wlan0 inet dhcp + wpa-conf /etc/wpa_supplicant.conf diff --git a/roles/ShadowArch/files/raspbian-interfaces.static b/roles/ShadowArch/files/raspbian-interfaces.static new file mode 100644 index 0000000..830d585 --- /dev/null +++ b/roles/ShadowArch/files/raspbian-interfaces.static @@ -0,0 +1,3 @@ +# interfaces(5) file used by ifup(8) and ifdown(8) +# Include files from /etc/network/interfaces.d: +source /etc/network/interfaces.d/* 
diff --git a/roles/ShadowArch/tasks/archlinux-network.yml b/roles/ShadowArch/tasks/archlinux-network.yml
new file mode 100644
index 0000000..5213e1c
--- /dev/null
+++ b/roles/ShadowArch/tasks/archlinux-network.yml
@@ -0,0 +1,26 @@
+---
+
+ - name: ArchLinux network packages
+ become: yes
+ package:
+ name:
+ - netctl
+ state: present
+
+ - name: Static ArchLinux network config
+ become: yes
+ when: static
+ template:
+ src: netctl-static.j2
+ dest: "/etc/netctl/{{ ipinterface }}"
+
+ - name: Dynamic ArchLinux network config
+ become: yes
+ when: static
+ template:
+ src: netctl-dhcp.j2
+ dest: "/etc/netctl/{{ ipinterface }}"
+
+ - name: Enable network config
+ become: yes
+ command: "netctl enable {{ ipinterface }}"
diff --git a/roles/ShadowArch/tasks/dns.yml b/roles/ShadowArch/tasks/dns.yml
new file mode 100644
index 0000000..8d5802b
--- /dev/null
+++ b/roles/ShadowArch/tasks/dns.yml
@@ -0,0 +1,29 @@
+---
+ - name: Install DNS packages
+ become: yes
+ ignore_errors: yes
+ package:
+ name:
+ - bind
+ - net-tools
+ - iputils
+ state: present
+
+ - name: Set up /etc/resolv.conf
+ become: yes
+ copy:
+ dest: /etc/resolv.conf
+ content: "domain {{ replica_domain }}\nnameserver {{ dns }}\n"
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Set up /etc/hosts
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^127.0.0.1[ \t]+localhost'
+ line: "127.0.0.1 localhost localhost.localdomain {{ inventory_hostname }} {{ inventory_hostname }}.{{ replica_domain }}"
+ state: present
diff --git a/roles/ShadowArch/tasks/main.yml b/roles/ShadowArch/tasks/main.yml
new file mode 100644
index 0000000..f721281
--- /dev/null
+++ b/roles/ShadowArch/tasks/main.yml
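Review bot: "Dynamic ArchLinux network config" carries `when: static`, the same condition as the static task above it, and both write `/etc/netctl/{{ ipinterface }}`; on a static host the DHCP template therefore overwrites the static profile, and on a DHCP host nothing is written at all. The condition should be `when: not static`. "Enable network config" runs `netctl enable` unconditionally and reports changed every time; `changed_when: false` or a `creates:` on the generated unit keeps the play honest, and the profile is never re-enabled after the template changes, so a `register:` on the template tasks with a restart gated on it would complete the flow.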
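Review bot: `ignore_errors: yes` on "Install DNS packages" hides any install failure, not only the package-name mismatch it is presumably there for — the `bind` name fits Arch, while the Debian package is `bind9` — so a broken apt on a Pi sails through; splitting the list per `ansible_os_family` (the pattern this role already uses for `pacman.conf` and `sources.list`) removes the need to ignore errors. "Set up /etc/resolv.conf" replaces the file with static content, and on the Raspbian hosts dhcpcd will presumably rewrite it on the next lease unless resolv.conf is protected or `nohook resolv.conf` is set, so confirm which one owns it. `regexp: '^127.0.0.1[ \t]+localhost'` leaves the dots unescaped, which is harmless here but `'^127\.0\.0\.1[ \t]+localhost'` is the exact match intended.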
@@ -0,0 +1,190 @@
+---
+ ###
+ # This role installs the basic package and host setup for AniNIX operations.
+
+ # This is an AniNIX convention to allow password management by Ansible.
+ - name: Base packages
+ vars:
+ ansible_become_method: su
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ package:
+ name:
+ - bash
+ - sudo
+ - git
+ - tmux
+ - vim
+ - sysstat
+ - iotop
+ - lsof
+ - rsync
+ state: present
+ update_cache: yes
+
+ - name: Ensure deploy user has sudo permissions.
+ vars:
+ ansible_become_method: su
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ copy:
+ dest: /etc/sudoers.d/basics
+ content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
+
+ - name: Ensure we include /etc/sudoers.d (Current)
+ vars:
+ ansible_become_method: su
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ when: ansible_architecture != "armv6l"
+ lineinfile:
+ path: /etc/sudoers
+ regexp: "includedir /etc/sudoers.d"
+ line: "@includedir /etc/sudoers.d"
+
+ - name: Ensure we include /etc/sudoers.d (Legacy)
+ vars:
+ ansible_become_method: su
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ when: ansible_architecture == "armv6l"
+ lineinfile:
+ path: /etc/sudoers
+ regexp: "includedir /etc/sudoers.d"
+ line: "#includedir /etc/sudoers.d"
+
+ - name: Test root password
+ ignore_errors: yes
+ register: root_password_test
+ vars:
+ ansible_become_method: su
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ command: id
+
+ - name: Define passwords
+ vars:
+ ansible_become_user: "root"
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ when: root_password_test.rc is not defined or root_password_test.rc != 0
+ command:
+ cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
+ loop:
+ - root
+ - "{{ ansible_user_id }}"
+
+ - name: Set up pacman.conf
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ copy:
+ src: pacman.conf
+ dest: /etc/pacman.conf
+ owner: root
+ group: root
+ mode: 0644
+ when: ansible_os_family == "Archlinux"
+
+ - name: Generate mirrorlist
+ delegate_to: localhost
+ run_once: yes
+ command: "bash ../bin/generate-mirrorlist"
+
+ - name: Copy mirrorlist
+ become: yes
+ when: ansible_os_family == "Archlinux"
+ copy:
+ src: mirrorlist
+ dest: /etc/pacman.d/mirrorlist.shadowarch
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Set up apt sources.list
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ copy:
+ content: |
+ deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
+ # deb-src http://archive.raspbian.org/raspbian/ stretch main contrib non-free rpi
+ dest: /etc/apt/sources.list
+ owner: root
+ group: root
+ mode: 0644
+ when: ansible_os_family == "Debian"
+
+ - name: Install ShadowArch (ArchLinux)
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ pacman:
+ name: ShadowArch
+ state: present
+ update_cache: yes
+ when: ansible_os_family == "Archlinux"
+
+ - name: Set up AniNIX-specific repository location (Other)
+ when: ansible_os_family != "Archlinux"
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ file:
+ path: /opt/aninix
+ state: directory
+
+ - name: Download ShadowArch (Other)
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ ignore_errors: yes
+ git:
+ repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
+ dest: '/opt/aninix/ShadowArch'
+ update: yes
+ when: ansible_os_family != "Archlinux"
+
+ - name: Install ShadowArch (Other)
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ command:
+ chdir: '/opt/aninix/ShadowArch'
+ cmd: '/bin/bash -c "make install; 
/usr/local/sbin/shadowarch-sync"'
+ when: ansible_os_family != "Archlinux"
+
+ - name: Set up hostname
+ vars:
+ ansible_become_password: "{{ passwords[inventory_hostname] }}"
+ become: yes
+ hostname:
+ name: "{{ inventory_hostname }}.{{ replica_domain }}"
+
+ - name: Set Bash MOTD
+ become: yes
+ copy:
+ src: "motd/{{ inventory_hostname }}"
+ dest: /etc/bash.motd
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Nullify overall MOTD
+ become: yes
+ copy:
+ src: /dev/null
+ dest: /etc/motd
+ owner: root
+ group: root
+ mode: 0644
+
+ - include: archlinux-network.yml
+ when: ansible_os_family == "Archlinux"
+
+ - include: raspbian-network.yml
+ when: ansible_os_family == "Debian"
+
+ - include: dns.yml
+
+ - include: ntp.yml
diff --git a/roles/ShadowArch/tasks/ntp.yml b/roles/ShadowArch/tasks/ntp.yml
new file mode 100644
index 0000000..e95450d
--- /dev/null
+++ b/roles/ShadowArch/tasks/ntp.yml
@@ -0,0 +1,40 @@
+---
+ - name: Set up time zone
+ become: yes
+ register: localtime
+ file:
+ src: "/usr/share/zoneinfo/{{ time_zone }}"
+ dest: /etc/localtime
+ state: link
+
+ - name: Remove legacy NTP services
+ become: yes
+ ignore_errors: yes
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ loop:
+ - ntpd
+ - openntpd
+
+ - name: Remove legacy NTP packages
+ become: yes
+ package:
+ name:
+ - ntp
+ - openntpd
+ state: absent
+
+ - name: Install NTP packages
+ become: yes
+ package:
+ name: chrony
+ state: present
+
+ - name: Start NTP service
+ become: yes
+ service:
+ name: chronyd
+ state: started
+ enabled: yes
diff --git a/roles/ShadowArch/tasks/raspbian-network.yml b/roles/ShadowArch/tasks/raspbian-network.yml
new file mode 100644
index 0000000..e8b697c
--- /dev/null
+++ b/roles/ShadowArch/tasks/raspbian-network.yml
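Review bot: "Define passwords" puts `{{ passwords[inventory_hostname] }}` on the argv of `/bin/bash -l -c "printf ... | passwd ..."`, so the host's root password is visible to every local user via `ps`, lands in process accounting and auditd logs, and — because the task has no `no_log: true` — is echoed in Ansible's own output and any log file; the same applies to the "Test root password" and sudoers tasks that interpolate it into `vars`. The `user` module with `password: "{{ passwords[inventory_hostname] | password_hash('sha512') }}"` and `no_log: true` on the task sets the hash directly without ever putting the cleartext on a command line. "Ensure deploy user has sudo permissions." writes `/etc/sudoers.d/basics` with no `mode: '0440'` and no `validate: '/usr/sbin/visudo -cf %s'`, so a typo in the `content:` line would leave every host without working sudo on the next run — and the `(Current)`/`(Legacy)` include-line tasks should get the same `validate`. "Download ShadowArch (Other)" clones whatever `HEAD` currently is and "Install ShadowArch (Other)" runs `make install` from it as root; pinning `version:` to a tag or commit makes the build reproducible and keeps an upstream push from changing what gets installed on the Pis. `ignore_errors: yes` on that `git:` task also means a failed clone is followed by `make install` in a missing or stale checkout.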
@@ -0,0 +1,43 @@ +--- + + - name: Rasbian network packages + become: yes + package: + name: + - netbase + state: present + + - name: Rasbian network config + become: yes + when: not static + copy: + src: raspbian-interfaces + dest: "/etc/network/interfaces" + owner: root + group: root + mode: 0644 + + - name: Rasbian network config (static) + become: yes + when: static + template: + src: raspbian-static.j2 + dest: "/etc/network/interfaces" + owner: root + group: root + mode: 0644 + + - name: Raspbian wireless + become: yes + command: + cmd: /bin/bash -c "wpa_passphrase {{ wireless_ssid }} '{{ passwords['Shadowfeed'] }}' > /etc/wpa_supplicant.conf" + creates: '/etc/wpa_supplicant.conf' + + - name: Raspbian wireless hardening + become: yes + file: + path: '/etc/wpa_supplicant.conf' + state: file + owner: root + group: root + mode: 0600 diff --git a/roles/ShadowArch/templates/netctl-dhcp.j2 b/roles/ShadowArch/templates/netctl-dhcp.j2 new file mode 100644 index 0000000..40084db --- /dev/null +++ b/roles/ShadowArch/templates/netctl-dhcp.j2 @@ -0,0 +1,4 @@ +Description='DHCP wired connection' +Interface={{ ipinterface }} +Connection=ethernet +IP=dhcp diff --git a/roles/ShadowArch/templates/netctl-static.j2 b/roles/ShadowArch/templates/netctl-static.j2 new file mode 100644 index 0000000..9978114 --- /dev/null +++ b/roles/ShadowArch/templates/netctl-static.j2 @@ -0,0 +1,7 @@ +Description='A basic static ethernet connection' +Interface={{ ipinterface }} +Connection=ethernet +IP=static +Address=('{{ ip }}/24') +Gateway='{{ router }}' +DNS=('{{ dns }}') diff --git a/roles/ShadowArch/templates/raspbian-static.j2 b/roles/ShadowArch/templates/raspbian-static.j2 new file mode 100644 index 0000000..e5cbb38 --- /dev/null +++ b/roles/ShadowArch/templates/raspbian-static.j2 
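Review bot: The `Raspbian wireless` task passes the Wi-Fi passphrase on a command line, `wpa_passphrase {{ wireless_ssid }} '{{ passwords['Shadowfeed'] }}'`, so it is visible to every local process on the target via the process list while it runs and is recorded verbatim in Ansible's task output and any callback or log plugin; add `no_log: true` and feed the passphrase on stdin, which `wpa_passphrase` reads when the second argument is omitted. The `> /etc/wpa_supplicant.conf` redirection also creates the file under the shell's default umask before the separate hardening task tightens it to 0600, leaving the PSK readable in between; writing the registered output through `copy` with `mode: 0600` closes that window and makes the hardening task redundant. Note too that `creates:` means a changed SSID or passphrase never regenerates the file, and the unquoted `{{ wireless_ssid }}` breaks on SSIDs containing spaces.
```yaml
  # … unchanged: netbase package and interfaces tasks …

  - name: Raspbian wireless
    become: yes
    no_log: true
    register: wpa_psk
    changed_when: false
    command:
      cmd: wpa_passphrase "{{ wireless_ssid }}"
      stdin: "{{ passwords['Shadowfeed'] }}"

  - name: Raspbian wireless config
    become: yes
    no_log: true
    copy:
      content: "{{ wpa_psk.stdout }}\n"
      dest: /etc/wpa_supplicant.conf
      owner: root
      group: root
      mode: 0600
```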
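Review bot: `Address=('{{ ip }}/24')` in netctl-static.j2 hard-codes the prefix length, while the Raspbian static template in this same commit derives it from the inventory with `{{ ansible_host }}/{{ netmask }}`; use `Address=('{{ ip }}/{{ netmask }}')` so both static templates follow the same variable. The two templates also read different variables for the host address (`ip` here, `ansible_host` there) — confirm that is deliberate, because an inventory entry that sets only one of them renders one template empty.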
@@ -0,0 +1,20 @@ +# interfaces(5) file used by ifup(8) and ifdown(8) + +# Please note that this file is written to be used with dhcpcd +# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf' + +# Include files from /etc/network/interfaces.d: +source-directory /etc/network/interfaces.d + +auto lo +iface lo inet loopback + +iface {{ ipinterface }} inet static + address {{ ansible_host }}/{{ netmask }} + gateway {{ router }} + +auto wlan0 +allow-hotplug wlan0 +iface wlan0 inet dhcp + wpa-conf /etc/wpa_supplicant.conf + diff --git a/roles/Sharingan-Data/files/Core b/roles/Sharingan-Data/files/Core new file mode 100644 index 0000000..cd5ac5f --- /dev/null +++ b/roles/Sharingan-Data/files/Core @@ -0,0 +1,9 @@ +check program anixix-HTTP with path "/usr/lib/monitoring-plugins/check_http -H aninix.net -e 301" + if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTP is CRITICAL" + +check program anixix-HTTPS with path "/usr/lib/monitoring-plugins/check_http -S -H aninix.net -e 200" + if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTPS is CRITICAL" + +check program foundation-HTTPS with path "/usr/lib/monitoring-plugins/check_http -S -H foundation.aninix.net -e 200" + if status == 1 then exec "/usr/bin/bash /etc/monit.d/scripts/notify aninix.net HTTPS is CRITICAL" + diff --git a/roles/Sharingan-Data/files/DarkNet b/roles/Sharingan-Data/files/DarkNet new file mode 100644 index 0000000..e69de29 diff --git a/roles/Sharingan-Data/files/Geth-Hub-1 b/roles/Sharingan-Data/files/Geth-Hub-1 new file mode 100644 index 0000000..e69de29 diff --git a/roles/Sharingan-Data/files/Geth-Hub-2 b/roles/Sharingan-Data/files/Geth-Hub-2 new file mode 100644 index 0000000..e69de29 diff --git a/roles/Sharingan-Data/files/Geth-Hub-3 b/roles/Sharingan-Data/files/Geth-Hub-3 new file mode 100644 index 0000000..e69de29 
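Review bot: `iface {{ ipinterface }} inet static` has no matching `auto {{ ipinterface }}` (or `allow-hotplug`) line, unlike `lo` and `wlan0`, so `ifup -a` at boot will not configure the wired interface at all; add `auto {{ ipinterface }}` directly above the stanza. The header comment copied from the stock Raspbian file still says the file "is written to be used with dhcpcd" and that static addresses belong in `/etc/dhcpcd.conf`, which contradicts the static block below and, if dhcpcd remains enabled on the host, leaves two services configuring the same interface; rewrite the comment and make sure the role disables dhcpcd for this interface (nothing in this hunk does). Unlike netctl-static.j2 on this page, no nameserver is set here, so confirm the `dns.yml` include covers resolver configuration on Raspbian.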
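Review bot: `if status == 1 then exec ...` fires only on a WARNING exit; the monitoring-plugins convention is 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN, so a real outage (`check_http` exiting 2 on a refused connection or an unexpected status) or a resolution failure (3) never reaches the notify script even though the message says CRITICAL. Use `if status != 0 then exec ...` on all three checks, as the commented example in the shipped monitrc template does. The third check's message still reads `aninix.net HTTPS is CRITICAL` rather than naming `foundation.aninix.net`, and `anixix` in the first two service names is a typo that will show up in `monit status` output.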
diff --git a/roles/Sharingan-Data/files/Maat b/roles/Sharingan-Data/files/Maat
new file mode 100644
index 0000000..e69de29
diff --git a/roles/Sharingan-Data/files/Nazara b/roles/Sharingan-Data/files/Nazara
new file mode 100644
index 0000000..e69de29
diff --git a/roles/Sharingan-Data/files/Node0 b/roles/Sharingan-Data/files/Node0
new file mode 100644
index 0000000..e69de29
diff --git a/roles/Sharingan-Data/files/Sharingan b/roles/Sharingan-Data/files/Sharingan
new file mode 100644
index 0000000..e69de29
diff --git a/roles/Sharingan-Data/files/scripts/empty-dir b/roles/Sharingan-Data/files/scripts/empty-dir
new file mode 100644
index 0000000..e69de29
diff --git a/roles/Sharingan-Data/files/scripts/notify b/roles/Sharingan-Data/files/scripts/notify
new file mode 100644
index 0000000..10a547c
--- /dev/null
+++ b/roles/Sharingan-Data/files/scripts/notify
@@ -0,0 +1,2 @@
+#!/bin/bash
+systemd-cat -t sharingan-eval "$@"
diff --git a/roles/Sharingan-Data/files/sharingan-data.service/Archlinux b/roles/Sharingan-Data/files/sharingan-data.service/Archlinux
new file mode 100755
index 0000000..7391604
--- /dev/null
+++ b/roles/Sharingan-Data/files/sharingan-data.service/Archlinux
@@ -0,0 +1,19 @@
+[Unit]
+Description=AniNIX/Sharingan | Data filer
+Documentation=man:syslog-ng(8)
+Conflicts=emergency.service emergency.target
+Wants=network.target network-online.target
+After=network.target network-online.target
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/default/syslog-ng@sharingan-data
+EnvironmentFile=-/etc/sysconfig/syslog-ng@sharingan-data
+ExecStart=/usr/bin/syslog-ng -F $OTHER_OPTIONS --cfgfile $CONFIG_FILE --control $CONTROL_FILE --persist-file $PERSIST_FILE --pidfile $PID_FILE
+ExecReload=/usr/bin/kill -HUP $MAINPID
+StandardOutput=journal
+StandardError=journal
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
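Review bot: `EnvironmentFile=-/etc/default/syslog-ng@sharingan-data` uses the optional `-` prefix, so if the env file the role copies is missing or unreadable the unit still starts with `$CONFIG_FILE`, `$CONTROL_FILE`, `$PERSIST_FILE` and `$PID_FILE` expanding to nothing, leaving `--cfgfile` and the other options without values; because ExecStart depends on those variables, drop the `-` on the `/etc/default` line (keeping it on the `/etc/sysconfig` fallback) so a broken deployment fails loudly instead of running the log collector with unintended settings. The Debian unit in the next hunk has the same line and differs only in the syslog-ng path, so the fix applies there too. For a daemon that runs as root and accepts log input from the network, consider adding the usual sandboxing directives (`ProtectSystem=`, `PrivateTmp=`, `NoNewPrivileges=`) now that the stock template unit is no longer used.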
diff --git a/roles/Sharingan-Data/files/sharingan-data.service/Debian b/roles/Sharingan-Data/files/sharingan-data.service/Debian
new file mode 100755
index 0000000..7a8dda2
--- /dev/null
+++ b/roles/Sharingan-Data/files/sharingan-data.service/Debian
@@ -0,0 +1,19 @@
+[Unit]
+Description=AniNIX/Sharingan | Data filer
+Documentation=man:syslog-ng(8)
+Conflicts=emergency.service emergency.target
+Wants=network.target network-online.target
+After=network.target network-online.target
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/default/syslog-ng@sharingan-data
+EnvironmentFile=-/etc/sysconfig/syslog-ng@sharingan-data
+ExecStart=/usr/sbin/syslog-ng -F $OTHER_OPTIONS --cfgfile $CONFIG_FILE --control $CONTROL_FILE --persist-file $PERSIST_FILE --pidfile $PID_FILE
+ExecReload=/usr/bin/kill -HUP $MAINPID
+StandardOutput=journal
+StandardError=journal
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/Sharingan-Data/files/sharingan-eval.service b/roles/Sharingan-Data/files/sharingan-eval.service
new file mode 100755
index 0000000..910c2f5
--- /dev/null
+++ b/roles/Sharingan-Data/files/sharingan-eval.service
@@ -0,0 +1,33 @@
+# This file is systemd template for monit service. To
+# register monit with systemd, place the monit.service file
+# to the /lib/systemd/system/ directory and then start it
+# using systemctl (see bellow).
+#
+# Enable monit to start on boot:
+# systemctl enable monit.service
+#
+# Start monit immediately:
+# systemctl start monit.service
+#
+# Stop monit:
+# systemctl stop monit.service
+#
+# Status:
+# systemctl status monit.service
+
+[Unit]
+Description=AniNIX/Sharingan | Evaluation service, powered by monit
+After=network-online.target
+Documentation=man:monit(1) https://mmonit.com/wiki/Monit/HowTo
+
+[Service]
+Type=simple
+KillMode=process
+ExecStart=/usr/bin/monit -I
+ExecStop=/usr/bin/monit quit
+ExecReload=/usr/bin/monit reload
+Restart=on-abnormal
+StandardOutput=null
+
+[Install]
+WantedBy=multi-user.target
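Review bot: `StandardOutput=null` in sharingan-eval.service discards monit's stdout, and because `StandardError=` is not set it inherits the same sink, so a monitrc syntax error or a failing `check program` at startup leaves nothing in the journal explaining why the evaluation service died — a poor property for the component whose job is to raise alerts. Set `StandardOutput=journal` (or at minimum `StandardError=journal`) so failures land next to the `sharingan-eval` messages the notify script emits through systemd-cat. The comment header is copied from upstream's monit.service and still instructs the reader to `systemctl enable monit.service`; update it to name sharingan-eval.service or drop it.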
diff --git a/roles/Sharingan-Data/files/syslog-ng@sharingan-data b/roles/Sharingan-Data/files/syslog-ng@sharingan-data new file mode 100644 index 0000000..48316a1 --- /dev/null +++ b/roles/Sharingan-Data/files/syslog-ng@sharingan-data @@ -0,0 +1,5 @@ +CONFIG_FILE=/etc/syslog-ng/syslog-ng.conf +PERSIST_FILE=/var/lib/syslog-ng/syslog-ng.persist +CONTROL_FILE=/run/syslog-ng.ctl +PID_FILE=/run/syslog-ng.pid +OTHER_OPTIONS="--enable-core" diff --git a/roles/Sharingan-Data/files/templates/empty-dir b/roles/Sharingan-Data/files/templates/empty-dir new file mode 100644 index 0000000..e69de29 diff --git a/roles/Sharingan-Data/tasks/main.yml b/roles/Sharingan-Data/tasks/main.yml index 636b475..073daa1 100644 --- a/roles/Sharingan-Data/tasks/main.yml +++ b/roles/Sharingan-Data/tasks/main.yml @@ -5,6 +5,8 @@ state: present name: - syslog-ng + - monit + - monitoring-plugins - name: Sharingan-Data apps dir become: yes @@ -14,6 +16,7 @@ - name: Sharingan-Data include apps dir become: yes + register: base_config lineinfile: path: /etc/syslog-ng/syslog-ng.conf line: "{{ item }}" 
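Review bot: `OTHER_OPTIONS="--enable-core"` asks syslog-ng to write a core file on a fatal error, and such a core contains whatever log messages were buffered at the time, dumped wherever the host's core_pattern points; this looks like a copy of the distribution default rather than a deliberate choice, so unless crash debugging is the goal set `OTHER_OPTIONS=""` for the collector, or confirm core files on these hosts are root-only. A one-line comment at the top of the file noting that it is read by `sharingan-data.service` via `EnvironmentFile=` would help the next maintainer, since the filename alone does not say so.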
@@ -29,31 +32,75 @@ owner: root group: root mode: 0750 + - name: Sharingan-Data service conf + become: yes + copy: + src: syslog-ng@sharingan-data + dest: /etc/default/syslog-ng@sharingan-data + owner: root + group: root + mode: 0655 - name: Sharingan-Data filer service become: yes copy: - remote_src: yes - src: /usr/lib/systemd/system/syslog-ng@.service + src: "sharingan-data.service/{{ ansible_os_family }}" dest: /usr/lib/systemd/system/sharingan-data.service owner: root group: root mode: 0750 - - name: Sharingan-Data replace content + - name: Sharingan-Eval service become: yes - replace: - path: /usr/lib/systemd/system/sharingan-data.service - regexp: '%i' - replace: 'default' + copy: + src: sharingan-eval.service + dest: /usr/lib/systemd/system/sharingan-eval.service + owner: root + group: root + mode: 0750 - - name: Sharingan-Data set vanity description + - name: Sharingan-Eval monitrc become: yes - lineinfile: - path: /usr/lib/systemd/system/sharingan-data.service - regexp: 'Description=' - line: 'Description=AniNIX/Sharingan | Data filer' + template: + src: monitrc.j2 + dest: /etc/monitrc + owner: root + group: root + mode: 0700 + - name: Sharingan-Eval includes dir + become: yes + file: + path: /etc/monit.d + state: directory + + - name: Sharingan-Eval monit templates + become: yes + copy: + src: templates + dest: /etc/monit.d/templates + owner: root + group: root + mode: 0700 + + - name: Sharingan-Eval monit scripts + become: yes + copy: + src: templates + dest: /etc/monit.d/scripts + owner: root + group: root + mode: 0700 + + + - name: Sharingan-Eval monit host config + become: yes + copy: + src: "{{ inventory_hostname }}" + dest: "/etc/monit.d/{{ inventory_hostname }}" + owner: root + group: root + mode: 0700 - name: Sharingan-Data heartbeat service become: yes 
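Review bot: The `Sharingan-Eval monit scripts` task copies `src: templates` to `/etc/monit.d/scripts`, a copy-paste of the task above it, so the `scripts/notify` helper that the per-host monit checks `exec` never reaches the target and every alert action fails; change it to `src: scripts`. `mode: 0655` on the `syslog-ng@sharingan-data` env file is almost certainly a typo for `0644` (it grants group/other execute but not write on a file systemd only reads), and the two unit-file copies use `mode: 0750` where units are conventionally `0644`; neither is exploitable as written, but both will look like tampering to an integrity checker and are inconsistent with the rest of the commit. The `mode: 0700` on `/etc/monitrc` is correct — monit refuses a control file with looser permissions.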
@@ -81,14 +128,16 @@ become: yes service: name: "{{ item }}" - state: started + state: restarted enabled: yes loop: - - sharingan-heartbeat.timer - sharingan-data.service + - sharingan-heartbeat.timer + - sharingan-eval.service - name: Disable default service become: yes + ignore_errors: yes service: name: syslog-ng@default.service state: stopped diff --git a/roles/Sharingan-Data/templates/monitrc.j2 b/roles/Sharingan-Data/templates/monitrc.j2 new file mode 100755 index 0000000..4464bcb --- /dev/null +++ b/roles/Sharingan-Data/templates/monitrc.j2 
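Review bot: `state: restarted` on the service loop at the top of this hunk (its task name is outside the hunk) restarts syslog-ng, the heartbeat timer and monit on every play run whether or not anything changed, so each run drops in-flight UDP syslog and briefly blinds the evaluation service; keep `state: started` here and restart from a handler notified by the config-copy tasks — the `register: base_config` added earlier in this file is never referenced and looks like it was meant for exactly that. `ignore_errors: yes` on `Disable default service` also hides a real failure to stop `syslog-ng@default.service`, which would leave two collectors competing for the same pid and control files; if the intent is only to tolerate the unit not existing, register the result and use a `failed_when` that matches the not-found case.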
@@ -0,0 +1,300 @@ +############################################################################### +## Monit control file +############################################################################### +## +## Comments begin with a '#' and extend through the end of the line. Keywords +## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'. +## +## Below you will find examples of some frequently used statements. For +## information about the control file and a complete list of statements and +## options, please have a look in the Monit manual. +## +## +############################################################################### +## Global section +############################################################################### +set daemon 30 # check services at 30 seconds intervals + with start delay 240 # optional: delay the first check by 4-minutes (by + # default Monit check immediately after Monit start) +# +## Set syslog logging. If you want to log to a standalone log file instead, +## specify the full path to the log file +# +set log syslog + +# +# +## Set the location of the Monit lock file which stores the process id of the +## running Monit instance. By default this file is stored in $HOME/.monit.pid +# +# set pidfile /var/run/monit.pid +# +## Set the location of the Monit id file which stores the unique id for the +## Monit instance. The id is generated and stored on first Monit start. By +## default the file is placed in $HOME/.monit.id. +# +# set idfile /var/.monit.id +# +## Set the location of the Monit state file which saves monitoring states +## on each cycle. By default the file is placed in $HOME/.monit.state. If +## the state file is stored on a persistent filesystem, Monit will recover +## the monitoring state across reboots. If it is on temporary filesystem, the +## state will be lost on reboot which may be convenient in some situations. +# +# set statefile /var/.monit.state +# +# + +## Set limits for various tests. 
The following example shows the default values: +## +# set limits { +# programOutput: 512 B, # check program's output truncate limit +# sendExpectBuffer: 256 B, # limit for send/expect protocol test +# fileContentBuffer: 512 B, # limit for file content test +# httpContentBuffer: 1 MB, # limit for HTTP content test +# networkTimeout: 5 seconds # timeout for network I/O +# programTimeout: 300 seconds # timeout for check program +# stopTimeout: 30 seconds # timeout for service stop +# startTimeout: 30 seconds # timeout for service start +# restartTimeout: 30 seconds # timeout for service restart +# } + +## Set global SSL options (just most common options showed, see manual for +## full list). +# +# set ssl { +# verify : enable, # verify SSL certificates (disabled by default but STRONGLY RECOMMENDED) +# selfsigned : allow # allow self signed SSL certificates (reject by default) +#} +# +# +## Set the list of mail servers for alert delivery. Multiple servers may be +## specified using a comma separator. If the first mail server fails, Monit +# will use the second mail server in the list and so on. By default Monit uses +# port 25 - it is possible to override this with the PORT option. +# +# set mailserver mail.bar.baz, # primary mailserver +# backup.bar.baz port 10025, # backup mailserver on port 10025 +# localhost # fallback relay +# +# +## By default Monit will drop alert events if no mail servers are available. +## If you want to keep the alerts for later delivery retry, you can use the +## EVENTQUEUE statement. The base directory where undelivered alerts will be +## stored is specified by the BASEDIR option. You can limit the queue size +## by using the SLOTS option (if omitted, the queue is limited by space +## available in the back end filesystem). 
+# +# set eventqueue +# basedir /var/monit # set the base directory where events will be stored +# slots 100 # optionally limit the queue size +# +# +## Send status and events to M/Monit (for more information about M/Monit +## see https://mmonit.com/). By default Monit registers credentials with +## M/Monit so M/Monit can smoothly communicate back to Monit and you don't +## have to register Monit credentials manually in M/Monit. It is possible to +## disable credential registration using the commented out option below. +## Though, if safety is a concern we recommend instead using https when +## communicating with M/Monit and send credentials encrypted. The password +## should be URL encoded if it contains URL-significant characters like +## ":", "?", "@". Default timeout is 5 seconds, you can customize it by +## adding the timeout option. +# +# set mmonit http://monit:monit@192.168.1.10:8080/collector +# # with timeout 30 seconds # Default timeout is 5 seconds +# # and register without credentials # Don't register credentials +# +# +## Monit by default uses the following format for alerts if the mail-format +## statement is missing:: +## --8<-- +## set mail-format { +## from: Monit +## subject: monit alert -- $EVENT $SERVICE +## message: $EVENT Service $SERVICE +## Date: $DATE +## Action: $ACTION +## Host: $HOST +## Description: $DESCRIPTION +## +## Your faithful employee, +## Monit +## } +## --8<-- +## +## You can override this message format or parts of it, such as subject +## or sender using the MAIL-FORMAT statement. Macros such as $DATE, etc. +## are expanded at runtime. For example, to override the sender, use: +# +# set mail-format { from: monit@foo.bar } +# +# +## You can set alert recipients whom will receive alerts if/when a +## service defined in this file has errors. Alerts may be restricted on +## events by using a filter as in the second example below. 
+# +# set alert sysadm@foo.bar # receive all alerts +# +## Do not alert when Monit starts, stops or performs a user initiated action. +## This filter is recommended to avoid getting alerts for trivial cases. +# +# set alert your-name@your.domain not on { instance, action } +# +# +## Monit has an embedded HTTP interface which can be used to view status of +## services monitored and manage services from a web interface. The HTTP +## interface is also required if you want to issue Monit commands from the +## command line, such as 'monit status' or 'monit restart service' The reason +## for this is that the Monit client uses the HTTP interface to send these +## commands to a running Monit daemon. See the Monit Wiki if you want to +## enable SSL for the HTTP interface. +# +set httpd port 2812 and + use address localhost # only accept connection from localhost (drop if you use M/Monit) + allow localhost # allow localhost to connect to the server and + allow admin:"{{ monitcli | default('monit') }}" # require user 'admin' with password 'monit' + #with ssl { # enable SSL/TLS and set path to server certificate + # pemfile: /etc/ssl/certs/monit.pem + #} + +############################################################################### +## Services +############################################################################### +## +## Check general system resources such as load average, cpu and memory +## usage. Each test specifies a resource, conditions and the action to be +## performed should a test fail. +# +# check system $HOST +# if loadavg (1min) per core > 2 for 5 cycles then alert +# if loadavg (5min) per core > 1.5 for 10 cycles then alert +# if cpu usage > 95% for 10 cycles then alert +# if memory usage > 75% then alert +# if swap usage > 25% then alert +# +# +## Check if a file exists, checksum, permissions, uid and gid. 
In addition +## to alert recipients in the global section, customized alert can be sent to +## additional recipients by specifying a local alert handler. The service may +## be grouped using the GROUP option. More than one group can be specified by +## repeating the 'group name' statement. +# +# check file apache_bin with path /usr/local/apache/bin/httpd +# if failed checksum and +# expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor +# if failed permission 755 then unmonitor +# if failed uid "root" then unmonitor +# if failed gid "root" then unmonitor +# alert security@foo.bar on { +# checksum, permission, uid, gid, unmonitor +# } with the mail-format { subject: Alarm! } +# group server +# +# +## Check that a process is running, in this case Apache, and that it respond +## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory, +## and number of children. If the process is not running, Monit will restart +## it by default. In case the service is restarted very often and the +## problem remains, it is possible to disable monitoring using the TIMEOUT +## statement. This service depends on another service (apache_bin) which +## is defined above. 
+# +# check process apache with pidfile /usr/local/apache/logs/httpd.pid +# start program = "/etc/init.d/httpd start" with timeout 60 seconds +# stop program = "/etc/init.d/httpd stop" +# if cpu > 60% for 2 cycles then alert +# if cpu > 80% for 5 cycles then restart +# if totalmem > 200.0 MB for 5 cycles then restart +# if children > 250 then restart +# if disk read > 500 kb/s for 10 cycles then alert +# if disk write > 500 kb/s for 10 cycles then alert +# if failed host www.tildeslash.com port 80 protocol http and request "/somefile.html" then restart +# if failed port 443 protocol https with timeout 15 seconds then restart +# if 3 restarts within 5 cycles then unmonitor +# depends on apache_bin +# group server +# +# +## Check filesystem permissions, uid, gid, space usage, inode usage and disk I/O. +## Other services, such as databases, may depend on this resource and an automatically +## graceful stop may be cascaded to them before the filesystem will become full and data +## lost. +# +# check filesystem datafs with path /dev/sdb1 +# start program = "/bin/mount /data" +# stop program = "/bin/umount /data" +# if failed permission 660 then unmonitor +# if failed uid "root" then unmonitor +# if failed gid "disk" then unmonitor +# if space usage > 80% for 5 times within 15 cycles then alert +# if space usage > 99% then stop +# if inode usage > 30000 then alert +# if inode usage > 99% then stop +# if read rate > 1 MB/s for 5 cycles then alert +# if read rate > 500 operations/s for 5 cycles then alert +# if write rate > 1 MB/s for 5 cycles then alert +# if write rate > 500 operations/s for 5 cycles then alert +# if service time > 10 milliseconds for 3 times within 5 cycles then alert +# group server +# +# +## Check a file's timestamp. In this example, we test if a file is older +## than 15 minutes and assume something is wrong if its not updated. 
Also, +## if the file size exceed a given limit, execute a script +# +# check file database with path /data/mydatabase.db +# if failed permission 700 then alert +# if failed uid "data" then alert +# if failed gid "data" then alert +# if timestamp > 15 minutes then alert +# if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba +# +# +## Check directory permission, uid and gid. An event is triggered if the +## directory does not belong to the user with uid 0 and gid 0. In addition, +## the permissions have to match the octal description of 755 (see chmod(1)). +# +# check directory bin with path /bin +# if failed permission 755 then unmonitor +# if failed uid 0 then unmonitor +# if failed gid 0 then unmonitor +# +# +## Check a remote host availability by issuing a ping test and check the +## content of a response from a web server. Up to three pings are sent and +## connection to a port and an application level network check is performed. +# +# check host myserver with address 192.168.1.1 +# if failed ping then alert +# if failed port 3306 protocol mysql with timeout 15 seconds then alert +# if failed port 80 protocol http +# and request /some/path with content = "a string" +# then alert +# +# +## Check a network link status (up/down), link capacity changes, saturation +## and bandwidth usage. +# +# check network public with interface eth0 +# if failed link then alert +# if changed link then alert +# if saturation > 90% then alert +# if download > 10 MB/s then alert +# if total uploaded > 1 GB in last hour then alert +# +# +## Check custom program status output. +# +# check program myscript with path /usr/local/bin/myscript.sh +# if status != 0 then alert +# +# +############################################################################### +## Includes +############################################################################### +## +## It is possible to include additional configuration parts from other files or +## directories. 
+# +include /etc/monit.d/{{ inventory_hostname }} diff --git a/roles/basics/README.md b/roles/basics/README.md deleted file mode 100644 index 9cc1890..0000000 --- a/roles/basics/README.md +++ /dev/null @@ -1,7 +0,0 @@ -This role is defined to handle basic system setup tasks. - -# Scope -* Setting the hostname -* Installing [/AniNIX/ShadowArch] customizations -* Managing passwords -* Setting initial sudo permissions. diff --git a/roles/basics/tasks/main.yml b/roles/basics/tasks/main.yml deleted file mode 100644 index 7da5bbe..0000000 --- a/roles/basics/tasks/main.yml +++ /dev/null 
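Review bot: `allow admin:"{{ monitcli | default('monit') }}"` falls back to the upstream example credential `admin:monit` for any host where `monitcli` is unset, and since the `include /etc/monit.d/{{ inventory_hostname }}` line pulls in checks with `exec` actions, whoever can reach the httpd socket can start, stop or unmonitor services with that password; `use address localhost` and `allow localhost` keep it off the network, but any local account on the host can still talk to port 2812. Replace the default with `allow admin:"{{ monitcli | mandatory }}"` so a missing secret fails the template render instead of deploying a well-known password. The remainder of the template is the upstream sample with nearly every statement commented out; trimming it to the active lines (`set daemon`, `set log`, `set httpd`, `include`) would make the effective policy readable at a glance.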
@@ -1,105 +0,0 @@ ---- -### -# This role installs the basic package and host setup for AniNIX operations. - - - name: Set up AniNIX-specific repository - become: yes - file: - path: /opt/aninix - state: directory - - - name: Set up pacman.conf - become: yes - blockinfile: - path: /etc/pacman.conf - insertafter: EOF - marker: "# {mark} Ubiqtorate Managed Block" - block: | - [AniNIX] - SigLevel = Required DatabaseOptional - Server = https://maat.aninix.net/ - - [aur] - SigLevel = Required DatabaseOptional - Server = https://maat.aninix.net/aur/ - when: ansible_os_family == "Archlinux" - - - name: Install ShadowArch (ArchLinux) - become: yes - pacman: - name: ShadowArch - state: present - update_cache: yes - when: ansible_os_family == "Archlinux" - - - name: Download ShadowArch (Other) - become: yes - git: - repo: 'https://foundation.aninix.net/AniNIX/ShadowArch' - dest: '/opt/aninix/ShadowArch' - update: yes - when: ansible_os_family != "Archlinux" - - - name: Install ShadowArch (Other) - become: yes - command: - chdir: '/opt/aninix/ShadowArch' - cmd: 'make install' - when: ansible_os_family != "Archlinux" - - - name: Base packages - become: yes - package: - name: - - bash - - sudo - - - name: Set up hostname - become: yes - hostname: - name: "{{ inventory_hostname }}.{{ replica_domain }}" - - - name: Set up /etc/hosts - become: yes - lineinfile: - dest: /etc/hosts - regexp: '^127.0.0.1[ \t]+localhost' - line: "127.0.0.1 localhost localhost.localdomain {{ inventory_hostname }} {{ inventory_hostname }}.{{ replica_domain }}" - state: present - - # This is an AniNIX convention to allow password management by Ansible. - - name: Ensure SSH user has sudo permissions. 
- become: yes - copy: - dest: /etc/sudoers.d/basics - content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n" - - - name: Ensure we include /etc/sudoers.d - become: yes - lineinfile: - path: /etc/sudoers - regexp: "includedir /etc/sudoers.d" - line: "includedir /etc/sudoers.d" - - - name: Test root password - ignore_errors: yes - register: root_password_test - become: yes - command: id - vars: - ansible_become_method: su - ansible_become_user: root - ansible_become_password: "{{ lookup('vars',inventory_hostname+'_password') }}" - - - name: Define root password - become: yes - when: root_password_test.rc is not defined or root_password_test.rc != 0 - command: - cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ lookup('vars',inventory_hostname+'_password') }}' '{{ lookup('vars',inventory_hostname+'_password') }}' | passwd" - - - name: Define depriv password - become: yes - when: root_password_test.rc is not defined or root_password_test.rc != 0 - command: - cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ lookup('vars',inventory_hostname+'_password') }}' '{{ lookup('vars',inventory_hostname+'_password') }}' | passwd {{ depriv_user.stdout }}" - diff --git a/roles/hardware/tasks/main.yml b/roles/hardware/tasks/main.yml new file mode 100644 index 0000000..5697181 --- /dev/null +++ b/roles/hardware/tasks/main.yml 
@@ -0,0 +1,34 @@ +--- + + - name: Install packages + become: yes + package: + name: + - smartmontools + - hdparm + - apcupsd + state: present + + - name: Set udev settings for drives + become: yes + copy: + dest: /etc/udev/rules.d/60-ioschedulers.rules + content: | + # set scheduler for NVMe + ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/scheduler}="none" + # set scheduler for SSD and eMMC + ACTION=="add|change", KERNEL=="sd[a-z]*|mmcblk[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline" + # set scheduler for rotating disks + ACTION=="add|change", KERNEL=="sd[a-z]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq" + owner: root + group: root + mode: 0700 + register: udev_iosched + + - name: Reload udev + become: yes + command: /bin/bash -c 'udevadm control --reload; udevadm trigger' + when: udev_iosched.changed + + +
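Review bot: `mode: 0700` on `/etc/udev/rules.d/60-ioschedulers.rules` gives a data file an execute bit and hides it from non-root readers for no benefit; udev rules are conventionally `0644`, which is also what the other `copy` tasks in this commit use. `command: /bin/bash -c 'udevadm control --reload; udevadm trigger'` re-triggers every device on the system and the `;` lets a failed reload be masked by a successful trigger — `udevadm control --reload && udevadm trigger --subsystem-match=block` (or two tasks) limits the replay to what these rules touch and surfaces errors; the `shell` module is also the idiomatic way to express this rather than wrapping `command` in `bash -c`. `when: udev_iosched.changed` works, but `when: udev_iosched is changed` is the current idiom. `apcupsd` is installed here yet nothing in the hunk configures or enables it, so confirm that is intended.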