Whitespace cleanup to get in sync with AniNIX/Uniglot hooks

.gitignore

@@ -3,7 +3,9 @@ roles/Nazara/files/dns
 roles/Nazara/files/dhcp
 roles/Node/files/vm-definitions/**
 roles/ShadowArch/files/mirrorlist
-venv/
+roles/Foundation/files/custom/public/img/**
+venv/**
+**/pkg/**
 **pkg.tar.zst
 
 # ---> Python

examples/msn0.yml

@@ -38,8 +38,8 @@ all:
                             static: true
                             sslidentity: aninix.net-0001
                             secdetection: true
-                            iptv_location: Milwaukee
-                        Node0: 
+                            iptv_location: "Milwaukee|Madison"
+                        Node0:
                             ipinterface: enp1s0f0
                             ip: 10.0.1.4
                             mac: DE:8B:9E:19:55:1D
@@ -67,7 +67,7 @@ all:
                             memory: 2
                             vnc: 9
                             bridge: br0
-                            disks: 
+                            disks:
                               - '-drive format=raw,index=0,media=disk,file=/dev/sdd'
                         Maat:
                             ip: 10.0.1.18
@@ -147,7 +147,7 @@ all:
                             cores: 2
                             memory: 2
                             bridge: br0
-                            vnc: 6
+                            vnc: 10
                             disks:
                               - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
                         test2:
@@ -157,7 +157,7 @@ all:
                             cores: 2
                             memory: 2
                             bridge: br0
-                            vnc: 5
+                            vnc: 11
                             disks:
                               - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
                         test3:
@@ -167,7 +167,7 @@ all:
                             cores: 2
                             memory: 2
                             bridge: br0
-                            vnc: 4
+                            vnc: 12
                             disks:
                               - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
                 appliances:
@@ -183,7 +183,7 @@ all:
                             mac: 70:74:14:4F:8E:42
                         Games:
                             ip: 10.0.1.66
-                            mac: 00:1F:BC:10:1C:F8
+                            mac: E0:BE:03:77:0E:88
                         Print:
                             ip: 10.0.1.67
                             mac: 00:80:92:77:CE:E4
@@ -201,7 +201,7 @@ all:
                             mac: 80:D2:1D:17:63:10
                         Tachikoma:
                             ip: 10.0.1.72
-                            mac: B8:76:3F:70:DB:C1
+                            mac: 90:0f:0c:1a:d3:23
                         Dedsec:
                             ip: 10.0.1.73
                             mac: 34:F6:4B:36:12:8F

playbooks/vars-debugging.yml

@@ -12,7 +12,7 @@
 # Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
 # Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
 #
-- hosts: "{{ targets | default('all') }}"
+- hosts: "{{ targets | default('managed') }}"
   order: sorted
   serial: "{{ threads | default('8') }}"
   gather_facts: true

precommit-hooks/find-incomplete-roles

@@ -1,19 +0,0 @@
-#!/bin/bash
-
-cd ~/src/Ubiqtorate/roles
-
-if [ -n "$(git status | grep roles &>/dev/null)" ]; then
-    echo There are roles that are not committed yet.
-    exit 1;
-fi
-
-unset bad
-for i in `ls -1`; do
-    if ! grep "$i" ../playbooks/deploy.yml &>/dev/null; then
-        echo "$i is not used in playbooks/deploy.yml"
-        bad="1"
-    fi
-done
-if [ -n "$bad" ]; then
-    exit 1;
-fi

precommit-hooks/find-large-files

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Limit files in git to 1M.
+find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|\s./.git/'
+
+if [ $? -ne 1 ]; then
+    echo
+    echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
+    exit 1;
+fi

precommit-hooks/find-missing-customizations

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+retcode=0
+for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
+    if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
+        echo "Need MOTD for $host"
+        retcode=1;
+    fi
+    if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
+        echo "Need Sharingan-Data file for $host"
+        retcode=1;
+    fi
+done
+exit $retcode

precommit-hooks/find-passwords-in-files

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Ignore Ansibilized templates.
+saferegex='\s+}}"?\s*$'
+# Ignore comments
+saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//'
+# Ignore binary file matches.
+saferegex="$saferegex"'|binary\ file\ matches'
+# AniNIX Constructs
+saferegex="$saferegex"'|password.aninix.net|aur.list'
+# Web constructs
+saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
+# Ignore template text to set policy
+saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
+# haveibeenpwned is referenced in comments
+saferegex="$saferegex"'|haveibeenpwned'
+# Unset variables.
+saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
+# Ignore LDAP attributes
+saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
+
+egrep -ir 'secret|password|pw|passphrase' roles/*/{files,templates} 2>&1 | egrep -v "$saferegex"
+if [ $? -ne 1 ]; then
+    echo
+    echo If these are false positives, you need to add the signature to the whitelist in $0.
+    echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
+    exit 1;
+fi

roles/Cyberbrain/tasks/main.yml

@@ -8,7 +8,7 @@
  - name: Standardize the servicefile
    become: yes
    register: servicefile
-   copy: 
+   copy:
      src: cyberbrain.service
      dest: /usr/lib/systemd/system/cyberbrain.service
      owner: root
@@ -20,7 +20,7 @@
    service:
      name: webssh
      state: stopped
-     enabled: no 
+     enabled: no
 
  - systemd:
      daemon_reload: true

roles/DarkNet/README.md

@@ -11,8 +11,8 @@ A basic VM to provide DarkNet functionality in an AniNIX replica only needs the
 * Virtualized NIC
 * 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled
 
-# Hosted Services 
-The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that. 
+# Hosted Services
+The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
 
 We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN.
 ```

roles/DarkNet/tasks/main.yml

@@ -18,7 +18,7 @@
       name: "{{ item }}"
       state: started
       enabled: yes
-    loop: 
+    loop:
       - tor
       - nordvpnd
       - deluged
@@ -26,3 +26,9 @@
   - debug:
       msg: "Remember to use the nordvpn-bin command to set up your account."
 
+
+        # TODO Add yaml for OVPN file, user, pass to Vault
+        # TODO Enforce vpn.service on server instead of nordvpnd.
+        # TODO Add /etc/bashrc.d file for `alias torlynx='torsocks elinks https://check.torproject.org/'`
+        # TODO Add monit checks for tor and openvpn services
+        # TODO Shift deluged to WolfPack

roles/DedSec/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+ # Consider https://blackarch.org/blackarch-guide-en.pdf
+ - name: Install DedSec packages
+   become: yes
+   package:
+     name:
+       - tcpdump
+       - wireshark

roles/Foundation/files/custom/bin/gen-aninix-custom

@@ -1,7 +1,5 @@
 #!/bin/bash
 
-set -x
-
 URI=https://aninix.net/assets/css/theme-arc-green.css
 
 # Gitea arc-green palette
@@ -59,7 +57,7 @@ a {
 cd /var/lib/gitea/web-snippets
 head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
 foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
-for i in `find . -type f`; do 
+for i in `find . -type f`; do
     (echo "$head"
     cat "$i"
     echo "$foot") > /var/lib/gitea/custom/public/"$i".html

roles/Foundation/files/custom/bin/sitemap.php

@@ -1,6 +1,6 @@
-<?php 
+<?php
 
-/* 
+/*
  * Build a sitemap dynamically.
  * Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml`
  *
@@ -15,7 +15,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
 ';
 
 exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
-foreach ($output as &$file) { 
+foreach ($output as &$file) {
     echo '    <url>
 ';
 echo '        <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
@@ -23,10 +23,10 @@ echo '        <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
 echo '        <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod>
 ';
 echo '    </url>
-'; 
+';
 }
 
-/* Print footer */ 
+/* Print footer */
 echo '</urlset>
 ';
 ?>

roles/Foundation/files/custom/options/license/AniNIX-WTFPL

@@ -1,31 +1,31 @@
-# http://www.wtfpl.net/about/
-
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-                    Version 2, December 2004
-
- Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
-
- Everyone is permitted to copy and distribute verbatim or modified
- copies of this license document, and changing it is allowed as long
- as the name is changed.
-
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. You just DO WHAT THE FUCK YOU WANT TO.
-
-                        ANINIX ADDENDUM
-
- Trademark 2017 (https://aninix.net/)
- 
- The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
- AniNIX materials may be reproduced and re-used (though you must
- contact the admins of the network to get written permission to use  
- the AniNIX name or logo) so long as such reproduction or re-use
- does not inhibit the original AniNIX use of the same.
-
- Attribution is appreciated for other materials but not legally
- required or necessary.
-
- "AniNIX" trademark serial: 87177883
- |> Logo trademark serial: 87177887 
+# http://www.wtfpl.net/about/
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.
+
+                        ANINIX ADDENDUM
+
+ Trademark 2017 (https://aninix.net/)
+
+ The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
+ AniNIX materials may be reproduced and re-used (though you must
+ contact the admins of the network to get written permission to use
+ the AniNIX name or logo) so long as such reproduction or re-use
+ does not inhibit the original AniNIX use of the same.
+
+ Attribution is appreciated for other materials but not legally
+ required or necessary.
+
+ "AniNIX" trademark serial: 87177883
+ |> Logo trademark serial: 87177887

roles/Foundation/files/custom/public/img/favicon.png

@@ -1 +0,0 @@
-AniNIX.png

roles/Foundation/files/custom/public/img/gitea-lg.png

@@ -1 +0,0 @@
-AniNIX.png

roles/Foundation/files/custom/public/img/gitea-safari.svg

@@ -1 +0,0 @@
-AniNIX.png

roles/Foundation/files/custom/public/img/gitea-sm.png

@@ -1 +0,0 @@
-AniNIX.png

roles/Foundation/files/custom/public/img/icons

@@ -1 +0,0 @@
-/srv/yggdrasil/Pictures/AniNIX/Icons/

roles/Foundation/files/web-snippets/martialarts/index

@@ -17,7 +17,7 @@
                     <div class="eight wide center column">
                         <h1 class="hero ui icon header">
                             <img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
-                            <a href="/user/login?redirect_to=%2fAniNIX_Martial_Arts">Open-source</a>
+                            <a href="/mawiki">Open-source</a>
                         </h1>
                         <p class="large">
                         We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
@@ -116,13 +116,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTuhvI49P1uFPoXXoSjPm2w');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -148,7 +148,7 @@
                             });
                           });
                         })();
-                        </script> 
+                        </script>
                         <! -- END STRIPE CODE -->
                         </p>
                     </div>
@@ -170,13 +170,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HThmcI49P1uFPoXMDCRVXTl');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -202,8 +202,8 @@
                             });
                           });
                         })();
-                        </script> 
-                        <! -- END STRIPE CODE --> 
+                        </script>
+                        <! -- END STRIPE CODE -->
                         </p> </div>
                 </div>
                 <div class="ui stackable middle very relaxed page grid">
@@ -225,13 +225,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTucZI49P1uFPoXshtbIl8W');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -258,8 +258,8 @@
                           });
                         })();
                         </script>
-                        <! -- END STRIPE CODE -->                         
-                        </p> 
+                        <! -- END STRIPE CODE -->
+                        </p>
                     </div>
                     <div class="eight wide center column" style="border: 1px solid #FFF;">
                         <h1 class="hero ui icon header">
@@ -296,13 +296,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTuYII49P1uFPoXaIk9puyu');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect

roles/Foundation/files/web-snippets/pay/index

@@ -13,7 +13,7 @@
                 <div class="ui stackable middle very relaxed page grid">
                     <div class="sixteen wide center column" >
                         <h1 class="hero ui icon header">
-                            <img width=20px height=20px src='/img/icons/CoreIcon.png'/>
+                            <img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
                             Cybersecurity Consulting
                         </h1>
                         <p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
@@ -45,7 +45,7 @@
                         <br/>
                         </form>
                         <!-- START STRIPE CODE -->
-                        
+
                         <!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
                         <button
                           style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
@@ -55,13 +55,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -91,5 +91,17 @@
                         <! -- END STRIPE CODE -->
                         </p>
                     </div>
-                <hr style="margin-top: 50px;" />
+                </div>
+                <div class="ui stackable middle very relaxed page grid">
+                <div class="sixteen wide center column" >
+                <hr style="margin-top: 50px;" />
+                <h2>Donate</h2>
+                <p>If you like what we do, you can also donate on one of these platforms:</p>
+                <ul style="width:500px;text-align: left;margin:auto;">
+                <li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
+                <li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
+                <li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
+                <li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
+                </ul>
+                </div>
                 </div>

roles/Foundation/files/web-snippets/pay/thank-you

@@ -1,7 +1,7 @@
                 <div class="ui stackable middle very relaxed page grid">
                     <div class="sixteen wide center aligned centered column">
                         <div>
-                            <img class="logo" src="/img/icons/CoreIcon.png" />
+                            <img class="logo" src="/assets/img/icons/CoreIcon.png" />
                         </div>
                         <div class="hero">
                             <h2 class="ui icon header title">

roles/Foundation/templates/app.ini.j2

@@ -13,7 +13,7 @@ RUN_MODE = prod
 ROOT                                           = repos
 SCRIPT_TYPE                                    = bash
 ; Default ANSI charset
-ANSI_CHARSET                                   = 
+ANSI_CHARSET                                   =
 ; Force every new repository to be private
 FORCE_PRIVATE                                  = false
 ; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
@@ -31,7 +31,7 @@ PREFERRED_LICENSES                             = AniNIX-WTFPL
 DISABLE_HTTP_GIT                               = false
 ; Value for Access-Control-Allow-Origin header, default is not to present
 ; WARNING: This maybe harmful to you website if you do not give it a right value.
-ACCESS_CONTROL_ALLOW_ORIGIN                    = 
+ACCESS_CONTROL_ALLOW_ORIGIN                    =
 ; Force ssh:// clone url instead of scp-style uri when default SSH port is used
 USE_COMPAT_SSH_URI                             = false
 ; Close issues as long as a commit on any branch marks it as fixed
@@ -57,7 +57,7 @@ ENABLED       = true
 ; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
 TEMP_PATH     = data/tmp/uploads
 ; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
-ALLOWED_TYPES = 
+ALLOWED_TYPES =
 ; Max size of each file in megabytes. Defaults to 3MB
 FILE_MAX_SIZE = 3
 ; Max number of files per upload. Defaults to 5
@@ -138,7 +138,7 @@ KEYWORDS    = go,git,self-hosted,gitea,aninix,aninix::foundation
 ENABLE_HARD_LINE_BREAK = false
 ; List of custom URL-Schemes that are allowed as links when rendering Markdown
 ; for example git,magnet
-CUSTOM_URL_SCHEMES     = 
+CUSTOM_URL_SCHEMES     =
 ; List of file extensions that should be rendered/edited as Markdown
 ; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
 FILE_EXTENSIONS        = .md,.markdown,.mdown,.mkd
@@ -156,7 +156,7 @@ HTTP_PORT                       = 3000
 ; ROOT_URL.  Defaults are false for REDIRECT_OTHER_PORT and 80 for
 ; PORT_TO_REDIRECT.
 REDIRECT_OTHER_PORT             = false
-PORT_TO_REDIRECT                = 3000 
+PORT_TO_REDIRECT                = 3000
 ; Permission for unix socket
 UNIX_SOCKET_PERMISSION          = 660
 ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
@@ -169,17 +169,17 @@ DISABLE_SSH                     = false
 ; Whether to use the builtin SSH server or not.
 START_SSH_SERVER                = false
 ; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
-BUILTIN_SSH_SERVER_USER         = 
+BUILTIN_SSH_SERVER_USER         =
 ; Domain name to be exposed in clone URL
 SSH_DOMAIN                      = foundation.aninix.net
 ; The network interface the builtin SSH server should listen on
-SSH_LISTEN_HOST                 = 
+SSH_LISTEN_HOST                 =
 ; Port number to be exposed in clone URL
 SSH_PORT                        = 22
 ; The port number the builtin SSH server should listen on
 SSH_LISTEN_PORT                 = %(SSH_PORT)s
 ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
-SSH_ROOT_PATH                   = 
+SSH_ROOT_PATH                   =
 ; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
 ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
 SSH_CREATE_AUTHORIZED_KEYS_FILE = true
@@ -194,7 +194,7 @@ SSH_SERVER_KEY_EXCHANGES        = diffie-hellman-group1-sha1, diffie-hellman-gro
 SSH_SERVER_MACS                 = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
 ; Directory to create temporary files in when testing public keys using ssh-keygen,
 ; default is the system temporary directory.
-SSH_KEY_TEST_PATH               = 
+SSH_KEY_TEST_PATH               =
 ; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
 SSH_KEYGEN_PATH                 = ssh-keygen
 ; Enable SSH Authorized Key Backup when rewriting all keys, default is true
@@ -208,7 +208,7 @@ OFFLINE_MODE                    = true
 DISABLE_ROUTER_LOG              = false
 ; Generate steps:
 ; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
-; 
+;
 ; Or from a .pfx file exported from the Windows certificate store (do
 ; not forget to export the private key):
 ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
@@ -301,7 +301,7 @@ DISABLE_REGULAR_ORG_CREATION = true
 ; Whether the installer is disabled
 INSTALL_LOCK                       = true
 ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
-SECRET_KEY                         = {{ secrets.Foundation.secret_key }} 
+SECRET_KEY                         = {{ secrets.Foundation.secret_key }}
 ; How long to remember that an user is logged in before requiring relogin (in days)
 LOGIN_REMEMBER_DAYS                = 7
 COOKIE_USERNAME                    = gitea_awesome
@@ -318,15 +318,15 @@ DISABLE_GIT_HOOKS                  = false
 INTERNAL_TOKEN                     = {{ secrets.Foundation.internal_token }}
 
 [openid]
-; 
+;
 ; OpenID is an open, standard and decentralized authentication protocol.
 ; Your identity is the address of a webpage you provide, which describes
 ; how to prove you are in control of that page.
-; 
+;
 ; For more info: https://en.wikipedia.org/wiki/OpenID
-; 
+;
 ; Current implementation supports OpenID-2.0
-; 
+;
 ; Tested to work providers at the time of writing:
 ; - Any GNUSocial node (your.hostname.tld/username)
 ; - Any SimpleID provider (http://simpleid.koinic.net)
@@ -334,7 +334,7 @@ INTERNAL_TOKEN                     = {{ secrets.Foundation.internal_token }}
 ; - openid.stackexchange.com
 ; - login.launchpad.net
 ; - <username>.livejournal.com
-; 
+;
 ; Whether to allow signin in via OpenID
 ENABLE_OPENID_SIGNIN = FALSE
 ; Whether to allow registering via OpenID
@@ -344,12 +344,12 @@ ENABLE_OPENID_SIGNIN = FALSE
 ; Space separated.
 ; Only these would be allowed if non-blank.
 ; Example value: trusted.domain.org trusted.domain.net
-WHITELISTED_URIS     = 
+WHITELISTED_URIS     =
 ; Forbidden URI patterns (POSIX regexp).
 ; Space separated.
 ; Only used if WHITELISTED_URIS is blank.
 ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
-BLACKLISTED_URIS     = 
+BLACKLISTED_URIS     =
 ENABLE_OPENID_SIGNUP = false
 
 [service]
@@ -361,7 +361,7 @@ RESET_PASSWD_CODE_LIVE_MINUTES                = 180
 REGISTER_EMAIL_CONFIRM                        = false
 ; List of domain names that are allowed to be used to register on a Gitea instance
 ; gitea.io,example.com
-EMAIL_DOMAIN_WHITELIST                        = 
+EMAIL_DOMAIN_WHITELIST                        =
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION                          = true
 ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
@@ -380,8 +380,8 @@ ENABLE_CAPTCHA                                = false
 CAPTCHA_TYPE                                  = image
 ; Enable recaptcha to use Google's recaptcha service
 ; Go to https://www.google.com/recaptcha/admin to sign up for a key
-RECAPTCHA_SECRET                              = 
-RECAPTCHA_SITEKEY                             = 
+RECAPTCHA_SECRET                              =
+RECAPTCHA_SITEKEY                             =
 ; Change this to use recaptcha.net or other recaptcha service
 RECAPTCHA_URL                                 = https://www.google.com/recaptcha/
 ; Default value for KeepEmailPrivate
@@ -435,18 +435,18 @@ ENABLED            = false
 ; Buffer length of channel, keep it as it is if you don't know what it is.
 SEND_BUFFER_LEN    = 100
 ; Prefix displayed before subject in mail
-SUBJECT_PREFIX     = 
+SUBJECT_PREFIX     =
 ; Mail server
 ; Gmail: smtp.gmail.com:587
 ; QQ: smtp.qq.com:465
 ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST               = 
+HOST               =
 ; Disable HELO operation when hostnames are different.
-DISABLE_HELO       = 
+DISABLE_HELO       =
 ; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
-HELO_HOSTNAME      = 
+HELO_HOSTNAME      =
 ; Do not verify the certificate of the server. Only use this for self-signed certificates
-SKIP_VERIFY        = 
+SKIP_VERIFY        =
 ; Use client certificate
 USE_CERTIFICATE    = false
 CERT_FILE          = custom/mailer/cert.pem
@@ -454,11 +454,11 @@ KEY_FILE           = custom/mailer/key.pem
 ; Should SMTP connection use TLS
 IS_TLS_ENABLED     = false
 ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
-FROM               = 
+FROM               =
 ; Mailer user name and password
-USER               = 
+USER               =
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD             = 
+PASSWD             =
 ; Send mails as plain text
 SEND_AS_PLAIN_TEXT = false
 ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
@@ -466,7 +466,7 @@ MAILER_TYPE        = smtp
 ; Specify an alternative sendmail binary
 SENDMAIL_PATH      = sendmail
 ; Specify any extra sendmail arguments
-SENDMAIL_ARGS      = 
+SENDMAIL_ARGS      =
 
 [cache]
 ; Either "memory", "redis", or "memcache", default is "memory"
@@ -476,7 +476,7 @@ INTERVAL = 60
 ; For "redis" and "memcache", connection host address
 ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
 ; memcache: `127.0.0.1:11211`
-HOST     = 
+HOST     =
 ; Time to keep items in cache if not used, default is 16 hours.
 ; Setting it to 0 disables caching
 ITEM_TTL = 16h
@@ -541,7 +541,7 @@ MAX_FILES     = 5
 ; Specifies the format for fully outputted dates. Defaults to RFC1123
 ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
 ; For more information about the format see http://golang.org/pkg/time/#pkg-constants
-FORMAT = 
+FORMAT =
 
 [log]
 ROOT_PATH            = /var/log/gitea/
@@ -564,22 +564,22 @@ STACKTRACE_LEVEL     = Critical
 ; Generic log modes
 [log.x]
 FLAGS      = stdflags
-EXPRESSION = 
-PREFIX     = 
+EXPRESSION =
+PREFIX     =
 COLORIZE   = false
 
 ; For "console" mode only
 [log.console]
-LEVEL  = 
+LEVEL  =
 COLORIZE   = false
 STDERR = false
 
 ; For "file" mode only
 [log.file]
-LEVEL             = 
+LEVEL             =
 ; Set the file_name for the logger. If this is a relative path this
 ; will be relative to ROOT_PATH
-FILE_NAME         = 
+FILE_NAME         =
 ; This enables automated log rotate(switch of following options), default is true
 LOG_ROTATE        = true
 ; Max number of lines in a single file, default is 1000000
@@ -597,7 +597,7 @@ COMPRESSION_LEVEL = -1
 
 ; For "conn" mode only
 [log.conn]
-LEVEL            = 
+LEVEL            =
 ; Reconnect host for every single message, default is false
 RECONNECT_ON_MSG = false
 ; Try to reconnect when connection is lost, default is false
@@ -605,21 +605,21 @@ RECONNECT        = false
 ; Either "tcp", "unix" or "udp", default is "tcp"
 PROTOCOL         = tcp
 ; Host address
-ADDR             = 
+ADDR             =
 
 ; For "smtp" mode only
 [log.smtp]
-LEVEL     = 
+LEVEL     =
 ; Name displayed in mail title, default is "Diagnostic message from server"
 SUBJECT   = Diagnostic message from server
 ; Mail server
-HOST      = 
+HOST      =
 ; Mailer user name and password
-USER      = 
+USER      =
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD    = 
+PASSWD    =
 ; Receivers, can be one or more, e.g. 1@example.com,2@example.com
-RECEIVERS = 
+RECEIVERS =
 
 [cron]
 ; Enable running cron tasks periodically.
@@ -637,7 +637,7 @@ SCHEDULE = @every 24h
 TIMEOUT  = 60s
 ; Arguments for command 'git fsck', e.g. "--unreachable --tags"
 ; see more on http://git-scm.com/docs/git-fsck
-ARGS     = 
+ARGS     =
 
 ; Check repository statistics
 [cron.check_repo_stats]
@@ -676,7 +676,7 @@ MAX_GIT_DIFF_LINE_CHARACTERS = 5000
 MAX_GIT_DIFF_FILES           = 100
 ; Arguments for command 'git gc', e.g. "--aggressive --auto"
 ; see more on http://git-scm.com/docs/git-gc/
-GC_ARGS                      = 
+GC_ARGS                      =
 ; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
 EnableAutoGitWireProtocol    = true
 
@@ -780,5 +780,5 @@ IS_INPUT_FILE   = false
 ; Enables metrics endpoint. True or false; default is false.
 ENABLED = false
 ; If you want to add authorization, specify a token here
-TOKEN   = 
+TOKEN   =
 

roles/Games/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+ - name: Install Games packages
+   become: yes
+   package:
+     name:
+       - mgba-qt
+       - steam
+       - steam-native-runtime
+       - discord

roles/Geth-Hub/files/hardware.conf

@@ -14,7 +14,7 @@ LOAD_MODULES=true
 
 # Run "lircd --driver=help" for a list of supported drivers.
 DRIVER="default"
-# usually /dev/lirc0 is the correct setting for systems using udev 
+# usually /dev/lirc0 is the correct setting for systems using udev
 DEVICE="/dev/lirc0"
 MODULES="lirc_rpi"
 

roles/Geth-Hub/files/lircd.conf/Geth-Hub-1

@@ -5,9 +5,9 @@
 # this config file was automatically generated
 # using lirc-0.9.0-pre1(default) on Thu Feb  9 18:06:50 2017
 #
-# contributed by 
+# contributed by
 #
-# brand:                       Insignia 
+# brand:                       Insignia
 # model no. of remote control: NS-RC4NA-14
 # devices being controlled by this remote: TV
 #

roles/Geth-Hub/files/lircd.conf/Geth-Hub-2

@@ -8,7 +8,7 @@
 # contributed by darkfeather@aninix.net
 #
 # brand:                       LG.conf
-# model no. of remote control: AKB73715608  
+# model no. of remote control: AKB73715608
 # devices being controlled by this remote: TV
 #
 
@@ -49,10 +49,10 @@ end remote
 # this config file was automatically generated
 # using lirc-0.9.0-pre1(default) on Tue May  1 06:40:29 2018
 #
-# contributed by 
+# contributed by
 #
 # brand:                       ./lasko.conf
-# model no. of remote control: 
+# model no. of remote control:
 # devices being controlled by this remote:
 #
 
@@ -118,9 +118,9 @@ end remote
 # this config file was automatically generated
 # using lirc-0.9.0-pre1(default) on Thu Feb  9 18:06:50 2017
 #
-# contributed by 
+# contributed by
 #
-# brand:                       Insignia 
+# brand:                       Insignia
 # model no. of remote control: NS-RC4NA-14
 # devices being controlled by this remote: TV
 #

roles/Geth-Hub/files/lircd.conf/Geth-Hub-3

@@ -8,7 +8,7 @@
 # contributed by darkfeather@aninix.net
 #
 # brand:                       LG.conf
-# model no. of remote control: AKB73715608  
+# model no. of remote control: AKB73715608
 # devices being controlled by this remote: TV
 #
 

roles/Geth-Hub/tasks/main.yml

@@ -16,7 +16,7 @@
      user: "{{ ansible_user_id }}"
      state: present
      key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}"
- 
+
  - name: Copy the motion config
    become: yes
    register: motion_config
@@ -32,13 +32,13 @@
      owner: motion
      group: motion
      mode: 0750
-   loop: 
+   loop:
      - "/var/log/motion"
      - "/var/run/motion"
 
  - name: Restart the motion service
    become: yes
-   when: motion_config.changed and motion_enabled 
+   when: motion_config.changed and motion_enabled
    service:
      name: motion
      state: started
@@ -119,7 +119,7 @@
  - name: Copy lircd remote config
    register: lircd_remote_config
    become: yes
-   copy: 
+   copy:
      src: "lircd.conf/{{ inventory_hostname }}"
      dest: /etc/lirc/lircd.conf
 

roles/Geth/tasks/main.yml

@@ -5,4 +5,4 @@
      name:
        - openhab2
 
- - name: 
+ - name:

roles/IRC-Bots/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+
+ - user:
+     name: "{{ item }}"
+     state: present
+     shell: "{{ daemon_shell | default('/sbin/nologin') }}"
+     local: yes
+     groups: ircd
+   loop:
+     - bitbot
+     - dsbridge
+     - theraven
+     - werewolf
+
+   # Install TheRaven package
+ - package:
+     name:
+       - TheRaven
+
+ - git:
+     repo: 'https://github.com/jesopo/bitbot.git'
+     dest: /usr/local/src/bitbot/
+     clone: yes
+     update: yes
+
+ - git:
+     repo:
+
+ -

roles/IRC/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 
- - name: IRC packages 
+ - name: IRC packages
    become: yes
    package:
      name:
@@ -10,7 +10,7 @@
 
  - name: KiwiIRC Web Front
    become: yes
-   git: 
+   git:
      repo: https://github.com/prawnsalad/KiwiIRC.git
      dest: /usr/local/src/KiwiIRC
 

roles/Maat/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+ - name: Sharingan packages
+   become: yes
+   package:
+     name:
+       - openvas
+       - greenbone-security-assistant
+       - elasticsearch6
+       - mongodb
+       - graylog

roles/Nazara/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
- 
+
  - name: Clone pi-hole
    become: yes
    git:
@@ -10,7 +10,7 @@
  - name: Install pi-hole if needed
    become: yes
    register: pihole_install
-   command: 
+   command:
        creates: /usr/bin/pihole-FTL
        cmd: false # bash basic-install.sh
        chdir: '/opt/pi-hole/automated install'
@@ -30,7 +30,7 @@
    register: dns_updated
    copy:
      dest: /etc/pihole/custom.list
-     src: dns 
+     src: dns
      owner: pihole
      group: pihole
      mode: 0644

roles/Node/tasks/main.yml

@@ -14,11 +14,11 @@
        - qemu-emulators-full
        - ddrescue
      state: present
-      
+
  - name: Copy VM definitions
    become: yes
    register: vmdefs
-   copy: 
+   copy:
      src: vm-definitions/
      dest: /usr/lib/systemd/system
      owner: root
@@ -28,7 +28,7 @@
  - name: Reload systemd daemon
    become: yes
    when: vmdefs.changed
-   systemd: 
+   systemd:
      daemon_reload: yes
 
  - name: QEMU Bridge Config

roles/SSH/tasks/main.yml

@@ -1,30 +1,28 @@
 ---
 
- - name: SSH
+ - name: SSH (ArchLinux)
    become: yes
+   when: ansible_os_family == "Archlinux"
    package:
+     state: present
      name:
-       - bash
-       - sudo
+       - openssh
 
- - name: SSH Config
+ - name: SSH (Raspbian)
    become: yes
-   copy: 
-       src: ssh_config
-       dest: /etc/ssh/ssh_config
-
- - name: SSHD Config
-   become: yes
-   copy: 
-       src: sshd_config
-       dest: /etc/ssh/sshd_config
+   when: ansible_os_family == "Debian"
+   package:
+     state: present
+     name:
+       - openssh-server
+       - openssh-client
 
  - name: Mark SSH keys as immutable
    become: yes
    file:
-       path: "{{ item }}" 
+       path: "{{ item }}"
        attributes: i
-   loop: 
+   loop:
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_rsa_key
@@ -32,17 +30,52 @@
 
  - name: Add SSH control groups
    become: yes
-   group: 
+   group:
        name: "{{ item }}"
        state: present
-   loop: 
+   loop:
        - ssh-allow
        - ssh-forward
        - sftp-home-jail
 
  - name: Add SSH user to ssh-allow
    become: yes
-   user: 
+   user:
        name: "{{ ansible_user_id }}"
        groups: ssh-allow
        append: yes
+
+ - name: Copy the SSH key
+   authorized_key:
+     user: "{{ ansible_user_id }}"
+     state: present
+     key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"
+
+ - name: SSH Config
+   become: yes
+   copy:
+       src: ssh_config
+       dest: /etc/ssh/ssh_config
+
+ - name: SSHD Config
+   become: yes
+   register: sshd_config
+   copy:
+       src: sshd_config
+       dest: /etc/ssh/sshd_config
+
+ - name: Restart SSHD (ArchLinux)
+   become: yes
+   when: ansible_os_family == "Archlinux" and sshd_config.changed
+   service:
+     name: sshd
+     state: restarted
+     enabled: yes
+
+ - name: Restart SSHD (Raspbian)
+   become: yes
+   when: ansible_os_family == "Debian" and sshd_config.changed
+   service:
+     name: ssh
+     state: restarted
+     enabled: yes

roles/SSL/tasks/main.yml

@@ -2,8 +2,8 @@
 
  - name: SSL packages
    become: yes
-   package: 
-     name: 
+   package:
+     name:
       - certbot
       - openssl
 
@@ -16,7 +16,7 @@
      owner: root
      group: root
      mode: 0644
-   loop: 
+   loop:
      - "certbot.service"
      - "certbot.timer"
 
@@ -28,7 +28,7 @@
      name: certbot.timer
      enabled: yes
      state: started
- 
+
  - name: Create letsencrypt folder
    become: yes
    file:
@@ -50,7 +50,7 @@
    become: yes
    command: /usr/local/sbin/tlsa-generation.bash
    register: tlsa_records
- 
+
  - name: Show proposed TLSA records
    debug:
      msg: "{{ tlsa_records.stdout_lines }}"
@@ -60,7 +60,7 @@
    run_once: yes
    command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
    register: ext_tlsa_records
- 
+
  - name: Show TLSA records
    debug:
      msg: "{{ ext_tlsa_records.stdout_lines }}"

roles/ShadowArch/bin/find-mirrors

@@ -1,9 +1,9 @@
 #!/bin/bash
 
 # File: find-mirrors
-# 
+#
 # Description: This file generates a pacman mirrorlist to ensure hosts use the right mirrors for performance.
-# 
+#
 # Package: AniNIX::Foundation/HelloWorld
 # Copyright: WTFPL
 #
@@ -11,6 +11,6 @@
 
 country="United States"
 
-curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist 
+curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist
 rankmirrors -n 6 /tmp/mirrorlist > files/mirrorlist
 rm /tmp/mirrorlist

roles/ShadowArch/files/bashrc

@@ -0,0 +1,10 @@
+#
+# /etc/bash.bashrc
+#
+
+# If not running interactively, don't do anything
+[[ $- != *i* ]] && return
+
+[[ $DISPLAY ]] && shopt -s checkwinsize
+
+[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion

roles/ShadowArch/files/pacman.conf

@@ -99,7 +99,7 @@ Include = /etc/pacman.d/mirrorlist.shadowarch
 #[custom]
 #SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
- 
+
 [AniNIX]
 SigLevel = Required DatabaseOptional
 Server = https://maat.aninix.net/

roles/ShadowArch/files/vimrc

@@ -0,0 +1,32 @@
+" All system-wide defaults are set in $VIMRUNTIME/archlinux.vim (usually just
+" /usr/share/vim/vimfiles/archlinux.vim) and sourced by the call to :runtime
+" you can find below.  If you wish to change any of those settings, you should
+" do it in this file (/etc/vimrc), since archlinux.vim will be overwritten
+" everytime an upgrade of the vim packages is performed.  It is recommended to
+" make changes after sourcing archlinux.vim since it alters the value of the
+" 'compatible' option.
+
+" This line should not be removed as it ensures that various options are
+" properly set to work with the Vim-related packages.
+runtime! archlinux.vim
+
+" If you prefer the old-style vim functionalty, add 'runtime! vimrc_example.vim'
+" Or better yet, read /usr/share/vim/vim74/vimrc_example.vim or the vim manual
+" and configure vim to your own liking!
+syntax on
+filetype on
+" Support CSharp files like Java
+au BufNewFile,BufRead *.csharp set filetype=java
+au BufNewFile,BufRead *.cs set filetype=java
+set number
+set mouse-=a
+colorscheme desert
+
+" This establishes the indenting policy.
+filetype plugin indent on
+" show existing tab with 4 spaces width
+set tabstop=4
+" when indenting with '>', use 4 spaces width
+set shiftwidth=4
+" On pressing tab, insert 4 spaces
+set expandtab

roles/ShadowArch/tasks/archlinux-network.yml

@@ -1,4 +1,4 @@
---- 
+---
 
   - name: ArchLinux network packages
     become: yes
@@ -30,4 +30,4 @@
 
   - name: Enable network config
     become: yes
-    command: "netctl enable {{ ipinterface }}" 
+    command: "netctl enable {{ ipinterface }}"

roles/ShadowArch/tasks/bash.yml

@@ -0,0 +1,37 @@
+
+
+   - name: Set Bash MOTD
+    become: yes
+    copy:
+      src: "motd/{{ inventory_hostname }}"
+      dest: /etc/bash.motd
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Nullify overall MOTD
+    become: yes
+    copy:
+      src: /dev/null
+      dest: /etc/motd
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Bashrc
+    become: yes
+    copy:
+      src: bashrc
+      dest: /etc/bashrc
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: vimrc
+    become: yes
+    copy:
+      src: vimrc
+      dest: /etc/vimrc
+      owner: root
+      group: root
+      mode: 0644

roles/ShadowArch/tasks/dns.yml

@@ -2,8 +2,8 @@
   - name: Install DNS packages
     become: yes
     ignore_errors: yes
-    package: 
-        name: 
+    package:
+        name:
           - bind
           - net-tools
           - iputils

roles/ShadowArch/tasks/main.yml

@@ -58,10 +58,14 @@
     ignore_errors: yes
     register: root_password_test
     vars:
+      ansible_become_user: "{{ item }}"
       ansible_become_method: su
       ansible_become_password: "{{ passwords[inventory_hostname] }}"
     become: yes
     command: id
+    loop:
+      - root
+      - "{{ ansible_user_id }}"
 
   - name: Define passwords
     vars:
@@ -70,7 +74,7 @@
     become: yes
     when: root_password_test.rc is not defined or root_password_test.rc != 0
     command:
-      cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
+      cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
     loop:
       - root
       - "{{ ansible_user_id }}"
@@ -163,24 +167,6 @@
     hostname:
       name: "{{ inventory_hostname }}.{{ replica_domain }}"
 
-  - name: Set Bash MOTD
-    become: yes
-    copy:
-      src: "motd/{{ inventory_hostname }}"
-      dest: /etc/bash.motd
-      owner: root
-      group: root
-      mode: 0644
-
-  - name: Nullify overall MOTD
-    become: yes
-    copy:
-      src: /dev/null
-      dest: /etc/motd
-      owner: root
-      group: root
-      mode: 0644
-
   - include: archlinux-network.yml
     when: ansible_os_family == "Archlinux"
 
@@ -190,3 +176,5 @@
   - include: dns.yml
 
   - include: ntp.yml
+
+  - include: bash.yml

roles/ShadowArch/tasks/ntp.yml

@@ -10,7 +10,7 @@
   - name: Remove legacy NTP services
     become: yes
     ignore_errors: yes
-    service: 
+    service:
         name: "{{ item }}"
         state: stopped
         enabled: no
@@ -20,15 +20,15 @@
 
   - name: Remove legacy NTP packages
     become: yes
-    package: 
-        name: 
+    package:
+        name:
             - ntp
             - openntpd
         state: absent
 
   - name: Install NTP packages
     become: yes
-    package: 
+    package:
         name: chrony
         state: present
 

roles/ShadowArch/tasks/raspbian-network.yml

@@ -1,4 +1,4 @@
---- 
+---
 
   - name: Rasbian network packages
     become: yes
@@ -17,7 +17,7 @@
         group: root
         mode: 0644
 
-  - name: Rasbian network config (static) 
+  - name: Rasbian network config (static)
     become: yes
     when: static
     template:

roles/Sharingan/README.md

@@ -5,7 +5,7 @@ Sharingan is named after the mythical technique from the Naruto anime series. Sh
 
 # Relevant Files and Software
 
-We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`. 
+We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`.
 
 ## Syslog-ng
 
@@ -13,7 +13,7 @@ We use a lot of services in the AniNIX ecosystem -- some create files, some pipe
 
 ## Journald
 
-ArchLinux and most systemd-based Linux distributions use journald to track system log files. 
+ArchLinux and most systemd-based Linux distributions use journald to track system log files.
 
 ## Suricata
 
@@ -32,12 +32,12 @@ TODO
 ## Graylog
 
 ## Elasticsearch
-Elasticsearch acts as graylog's data backend. 
+Elasticsearch acts as graylog's data backend.
 
-We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption. 
+We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
 
 1. Stop elasticsearch
-1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data. 
+1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
 1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*`
 1. Restart elasticsearch
 1. Retry shard allocation:

roles/Sharingan/files/monit/checks/system

@@ -7,7 +7,7 @@
 ## performed should a test fail.
 check system $HOST
   if loadavg (1min) per core > 2 for 25 times within 30 cycles then exec "/etc/monit.d/scripts/critical Load average is high"
-  if memory usage > 75% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
+  if memory usage > 90% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
   if swap usage > 25% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Swap is overused."
   group system
 #

roles/Sharingan/files/monit/checks/warrant-canary

@@ -0,0 +1,2 @@
+check program warrant_canary with path "/etc/monit.d/scripts/check-warrant-canary"
+    if status != 0 then exec "/etc/monit.d/scripts/critical Warrant Canary needs to be updated"

roles/Sharingan/files/monit/hostdefs/Core

@@ -1 +1,2 @@
 include "/etc/monit.d/checks/system"
+include "/etc/monit.d/checks/warrant-canary"

roles/Sharingan/files/monit/scripts/check-warrant-canary

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+daysinadvance=14
+url=https://aninix.net/AniNIX/WarrantCanary/raw/branch/main/canary
+
+# ID the update expected date
+canarydate="$(curl -s "$url" | grep -A 1 'next two updates' | tail -n 1 | sed 's/^..//' )"
+if [ -z "$canarydate" ]; then
+    echo "Cannot identify the canary's next time."
+    exit 2
+fi
+epochcanarydate="$(date -d "$canarydate" +%s)"
+
+# Remove a one-month padding
+updatecanarydate=$(( $epochcanarydate - 2592000 ))
+
+# ID today
+today="$(date +%s)"
+
+
+if [[ $today -gt $updatecanarydate ]]; then
+    echo Time to reseed the warrant canary.
+    exit 2
+else
+    echo Warrant canary seems to have the right time.
+    exit 0
+fi

roles/Sharingan/files/oinkmaster/oinkmaster.conf

@@ -1,11 +1,11 @@
 # $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
 
-# This file is pretty big by default, but don't worry. 
-# The only things required are "path" and "update_files". You must also 
-# set "url" to point to the correct rules archive for your version of 
+# This file is pretty big by default, but don't worry.
+# The only things required are "path" and "update_files". You must also
+# set "url" to point to the correct rules archive for your version of
 # Snort, unless you prefer to specify this on the command line.
 # The rest in here is just a few recommended defaults, and examples
-# how to use all the other optional features and give some ideas how they 
+# how to use all the other optional features and give some ideas how they
 # could be used.
 
 # Remember not to let untrusted users edit Oinkmaster configuration
@@ -14,15 +14,15 @@
 
 
 
-# Use "url = <url>" to specify the location of the rules archive to 
-# download. The url must begin with http://, https://, ftp://, file:// 
-# or scp:// and end with .tar.gz or .tgz, and the file must be a 
+# Use "url = <url>" to specify the location of the rules archive to
+# download. The url must begin with http://, https://, ftp://, file://
+# or scp:// and end with .tar.gz or .tgz, and the file must be a
 # gzipped tarball what contains a directory named "rules".
 # You can also point to a local directory with dir://<directory>.
 # Multiple "url = <url>" lines can be specified to grab multiple rules
 # archives from different locations.
 #
-# Note: if URL is specified on the command line, it overrides all 
+# Note: if URL is specified on the command line, it overrides all
 #       possible URLs specified in the configuration file(s).
 #
 # The location of the official Snort rules you should use depends
@@ -30,10 +30,10 @@
 # http://www.snort.org/rules/ and follow the instructions
 # there to pick the right URL for your version of Snort
 # (and remember to update the URL when upgrading Snort in the
-# future). You can of course also specify locations to third party 
+# future). You can of course also specify locations to third party
 # rules.
 #
-# As of March 2005, you must register on the Snort site to get access 
+# As of March 2005, you must register on the Snort site to get access
 # to the official Snort rules. This will get you an "oinkcode".
 # You then specify the URL as
 # http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
@@ -45,7 +45,7 @@
 # more information.
 
 
-# URL examples follows. Replace <oinkcode> with the code you get on the 
+# URL examples follows. Replace <oinkcode> with the code you get on the
 # Snort site in your registered user profile.
 
 # Example for Snort
@@ -73,18 +73,18 @@
 # Only OpenSSH is tested. See the FAQ for more information.
 # url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
 
-# If you use -u scp://... and need to specify a private ssh key (passed 
-# as -i <key> to the scp command) you can specify it here or add an 
-# entry in ~/.ssh/config for the Oinkmaster user as described in the 
-# OpenSSH manual. 
+# If you use -u scp://... and need to specify a private ssh key (passed
+# as -i <key> to the scp command) you can specify it here or add an
+# entry in ~/.ssh/config for the Oinkmaster user as described in the
+# OpenSSH manual.
 # scp_key = /home/oinkmaster/oinkmaster_privkey
 
 
-# The PATH to use during execution. If you prefer to use external 
-# binaries (i.e. use_external_bins=1, see below), tar and gzip must be 
-# found, and also wget if downloading via ftp, http or https. All with 
-# optional .exe suffix. If you're on Cygwin, make sure that the path 
-# contains the Cygwin binaries and not the native Win32 binaries or 
+# The PATH to use during execution. If you prefer to use external
+# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
+# found, and also wget if downloading via ftp, http or https. All with
+# optional .exe suffix. If you're on Cygwin, make sure that the path
+# contains the Cygwin binaries and not the native Win32 binaries or
 # you will get problems.
 # Assume UNIX style by default:
 path = /bin:/usr/bin:/usr/local/bin
@@ -96,17 +96,17 @@ path = /bin:/usr/bin:/usr/local/bin
 # path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
 
 
-# We normally use external binaries (wget, tar and gzip) since they're 
-# already available on most systems and do a good job. If you have the 
+# We normally use external binaries (wget, tar and gzip) since they're
+# already available on most systems and do a good job. If you have the
 # Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
-# those instead if you like. You can set use_external_bins below to 
-# choose which method you prefer. It's set to 0 by default on Win32 
-# (i.e. use Perl modules), and 1 on other systems (i.e. use external 
+# those instead if you like. You can set use_external_bins below to
+# choose which method you prefer. It's set to 0 by default on Win32
+# (i.e. use Perl modules), and 1 on other systems (i.e. use external
 # binaries). The reason for that is that the required Perl modules
-# are included on Windows/ActivePerl 5.8.1+, so it's easier to use 
-# those than to install the ported Unix tools. (Note that if you're 
-# using scp to download the archive, external scp  binary is still 
-# used.) 
+# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
+# those than to install the ported Unix tools. (Note that if you're
+# using scp to download the archive, external scp  binary is still
+# used.)
 # use_external_bins = 0
 
 
@@ -133,7 +133,7 @@ path = /bin:/usr/bin:/usr/local/bin
 # umask = 0027
 
 
-# Files in the archive(s) matching this regular expression will be 
+# Files in the archive(s) matching this regular expression will be
 # checked for changes, and then updated or added if needed.
 # All other files will be ignored. You can then choose to skip
 # individual files by specifying the "skipfile" keyword below.
@@ -159,10 +159,10 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # min_rules = 1
 
 
-# By default, a basic sanity check is performed on most paths/filenames 
-# to see if they contain illegal characters that may screw things up. 
-# If this check is too strict for your system (e.g. you get bogus 
-# "illegal characters in filename" errors because of your local language 
+# By default, a basic sanity check is performed on most paths/filenames
+# to see if they contain illegal characters that may screw things up.
+# If this check is too strict for your system (e.g. you get bogus
+# "illegal characters in filename" errors because of your local language
 # etc) and you're sure you want to disable the checks completely,
 # set use_path_checks to 0.
 # use_path_checks = 1
@@ -174,11 +174,11 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 
 
 # You can include other files anywhere in here by using
-# "include <file>". <file> will be parsed just like a regular 
-# oinkmaster.conf as soon as the include statement is seen, and then 
-# return and continue parsing the rest of the original file. If an 
-# option is redefined, it will override the previous value. You can use 
-# as many "include" statements as you wish, and also include even more 
+# "include <file>". <file> will be parsed just like a regular
+# oinkmaster.conf as soon as the include statement is seen, and then
+# return and continue parsing the rest of the original file. If an
+# option is redefined, it will override the previous value. You can use
+# as many "include" statements as you wish, and also include even more
 # files from included files. Example to load stuff from "/etc/foo.conf".
 # include /etc/foo.conf
 
@@ -191,34 +191,34 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # or:     skipfile filename1, filename2, filename3, ...               #
 #######################################################################
 
-# Ignore local.rules from the rules archive by default since we might 
-# have put some local rules in our own local.rules and we don't want it 
-# to get overwritten by the empty one from the archive after each 
+# Ignore local.rules from the rules archive by default since we might
+# have put some local rules in our own local.rules and we don't want it
+# to get overwritten by the empty one from the archive after each
 # update.
 skipfile local.rules
 
-# The file deleted.rules contains rules that have been deleted from 
+# The file deleted.rules contains rules that have been deleted from
 # other files, so there is usually no point in updating it.
 skipfile deleted.rules
 
-# Also skip snort.conf by default since we don't want to overwrite our 
-# own snort.conf if we have it in the same directory as the rules. If 
-# you have your own production copy of snort.conf in another directory, 
-# it may be really nice to check for changes in this file though, 
-# especially since variables are sometimes added or modified and 
+# Also skip snort.conf by default since we don't want to overwrite our
+# own snort.conf if we have it in the same directory as the rules. If
+# you have your own production copy of snort.conf in another directory,
+# it may be really nice to check for changes in this file though,
+# especially since variables are sometimes added or modified and
 # new/old files are included/excluded.
 skipfile snort.conf
 
-# You may want to consider ignoring threshold.conf for the same reasons 
-# as for snort.conf, i.e. if you customize it locally and don't want it 
-# to become overwritten by the default one. It may be better to put 
-# local thresholding/suppressing in some local file and still update 
-# and use the official one though, in case important stuff is added to 
+# You may want to consider ignoring threshold.conf for the same reasons
+# as for snort.conf, i.e. if you customize it locally and don't want it
+# to become overwritten by the default one. It may be better to put
+# local thresholding/suppressing in some local file and still update
+# and use the official one though, in case important stuff is added to
 # it some day. We do update it by default, but it's your call.
 # skipfile threshold.conf
 
-# If you update from multiple URLs at the same time you may need to 
-# ignore the sid-msg.map (and generate it yourself if you need one) as 
+# If you update from multiple URLs at the same time you may need to
+# ignore the sid-msg.map (and generate it yourself if you need one) as
 # it's usually included in each rules tarball. See the FAQ for more info.
 # skipfile sid-msg.map
 
@@ -243,11 +243,11 @@ skipfile snort.conf
 # situations.                                                            #
 #                                                                        #
 # Syntax:                                                                #
-#   modifysid SID "replacethis" | "withthis"                             #    
+#   modifysid SID "replacethis" | "withthis"                             #
 # or:                                                                    #
 #   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
 # or:                                                                    #
-#   modifysid file "replacethis" | "withthis"                            #    
+#   modifysid file "replacethis" | "withthis"                            #
 # or:                                                                    #
 #   modifysid * "replacethis" | "withthis"                               #
 #                                                                        #
@@ -289,11 +289,11 @@ skipfile snort.conf
 # Example to add "tag" stuff to SID 1325.
 # modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
 
-# Example to make SID 1378 a 'drop' rule (valid if you're running 
+# Example to make SID 1378 a 'drop' rule (valid if you're running
 # Snort_inline).
 # modifysid 1378 "^alert" | "drop"
 
-# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET 
+# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
 # in SID 302.
 # modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
 
@@ -306,17 +306,17 @@ skipfile snort.conf
 # modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
 #                "${1} replace:"\/foo\/sh";"
 
-# If you for some reason would like to add a comment inside the actual 
-# rules file, like the reason why you disabled this rule, you can do 
-# like this (you would normally add such comments in oinkmaster.conf 
+# If you for some reason would like to add a comment inside the actual
+# rules file, like the reason why you disabled this rule, you can do
+# like this (you would normally add such comments in oinkmaster.conf
 # though).
 # modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
 
-# Here is an example that is actually useful. Let's say you don't care 
-# about incoming welchia pings (detected by SID 483 at the time of 
-# writing) but you want to know when infected hosts on your network 
-# scans hosts on the outside. (Remember that watching for outgoing 
-# malicious packets is often just as important as watching for incoming 
+# Here is an example that is actually useful. Let's say you don't care
+# about incoming welchia pings (detected by SID 483 at the time of
+# writing) but you want to know when infected hosts on your network
+# scans hosts on the outside. (Remember that watching for outgoing
+# malicious packets is often just as important as watching for incoming
 # ones, especially in this case.) The rule currently looks like
 # "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
 # but we want to switch that so it becomes
@@ -326,34 +326,34 @@ skipfile snort.conf
 # "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
 # "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
 
-# The wildcard (modifysid * ...) can be used to do all kinds of 
-# interesting things. The substitution expression will be applied on all 
-# matching rules. First, a silly example to replace "foo" with "bar" in 
-# all rules (that have the string "foo" in them, that is.) 
+# The wildcard (modifysid * ...) can be used to do all kinds of
+# interesting things. The substitution expression will be applied on all
+# matching rules. First, a silly example to replace "foo" with "bar" in
+# all rules (that have the string "foo" in them, that is.)
 # modifysid * "foo" | "bar"
 
-# If you for some reason don't want to use the stream preprocessor to 
-# match established streams, you may want to replace the 'flow' 
+# If you for some reason don't want to use the stream preprocessor to
+# match established streams, you may want to replace the 'flow'
 # statement with 'flags:A+;' in all those rules.
 # modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
 
-# Example to convert all rules of classtype attempted-admin to 'drop' 
+# Example to convert all rules of classtype attempted-admin to 'drop'
 # rules (for Snort_inline only, obviously).
 # modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
 
-# This one will append some text to the 'msg' string for all rules that 
+# This one will append some text to the 'msg' string for all rules that
 # have the 'tag' keyword in them.
 # modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
 #             "${1}, going to tag this baby"${2}"
 
-# There may be times when you want to replace multiple occurrences of a 
-# certain keyword/string in a rule and not just the first one. To 
-# replace the first two occurrences of "foo" with "bar" in SID 100, 
+# There may be times when you want to replace multiple occurrences of a
+# certain keyword/string in a rule and not just the first one. To
+# replace the first two occurrences of "foo" with "bar" in SID 100,
 # simply repeat the modifysid statement:
 # modifysid 100 "foo" | "bar"
 # modifysid 100 "foo" | "bar"
- 
-# Or you can even specify a SID list but repeat the same SID as many 
+
+# Or you can even specify a SID list but repeat the same SID as many
 # times as required, like:
 # modifysid 100,100,100 "foo" | "bar"
 

roles/Sharingan/files/rkhunter/rkhunter.conf

@@ -90,7 +90,7 @@
 #
 # If the mirrors file is read-only, then the '--versioncheck' command-line
 # option can only be used if this option is set to '0'.
-# 
+#
 # The default value is '1'.
 #
 #ROTATE_MIRRORS=1
@@ -635,7 +635,7 @@ ALLOWHIDDENDIR=/dev/.udev
 # This option may be specified more than once, and may use wildcard characters.
 #
 # The default value is the null string.
-# 
+#
 #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
 #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
 #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
@@ -907,7 +907,7 @@ ALLOWHIDDENDIR=/dev/.udev
 #
 #APP_WHITELIST=""
 
-# 
+#
 # Set this option to scan for suspicious files in directories which pose a
 # relatively higher risk due to user write access.
 #
@@ -918,7 +918,7 @@ ALLOWHIDDENDIR=/dev/.udev
 #
 # Please consider adding all directories the user the (web)server runs as,
 # and has write access to, including the document root (e.g: '/var/www') and
-# log directories (e.g: '/var/log/httpd'). 
+# log directories (e.g: '/var/log/httpd').
 #
 # This is a space-separated list of directory pathnames. The option may be
 # specified more than once.
@@ -968,7 +968,7 @@ ALLOWHIDDENDIR=/dev/.udev
 
 #
 # The following options can be used to whitelist network ports which are known
-# to have been used by malware. 
+# to have been used by malware.
 #
 # The PORT_WHITELIST option is a space-separated list of one or more of two
 # types of whitelisting. These are:
@@ -1233,10 +1233,10 @@ ALLOWHIDDENDIR=/dev/.udev
 #
 # You should only activate this feature as part of a more thorough
 # investigation, which should be based on relevant best practices and
-# procedures. 
+# procedures.
 #
 # Enabling this feature implies you have the knowledge to interpret the
-# results properly. 
+# results properly.
 #
 # The default value is the null string.
 #

roles/Sharingan/files/suricata/suricata.yaml

@@ -134,7 +134,7 @@ outputs:
         # Header name were the actual IP address will be reported, if more than
         # one IP address is present, the last IP address will be the one taken
         # into consideration.
-        header: X-Forwarded-For 
+        header: X-Forwarded-For
 
   # a line based log of HTTP requests (no alerts)
   - http-log:

roles/Sharingan/tasks/data.yml

@@ -1,10 +1,10 @@
---- 
- 
+---
+
  - name: Sharingan data packages
    become: yes
    package:
      state: present
-     name: 
+     name:
        - syslog-ng
        - monit
        - monitoring-plugins
@@ -18,13 +18,13 @@
  - name: Sharingan-Data include apps dir
    become: yes
    register: base_config
-   lineinfile: 
+   lineinfile:
      path: /etc/syslog-ng/syslog-ng.conf
      line: "{{ item }}"
-   loop: 
+   loop:
      - '# Allow compartmentalization of config'
      - '@include "apps.d/*.conf"'
- 
+
  - name: Sharingan-Data conf
    become: yes
    template:

roles/Sharingan/tasks/heartbeat.yml

@@ -9,9 +9,9 @@
      owner: root
      group: root
      mode: 0750
-   loop: 
+   loop:
      - sharingan-heartbeat.timer
-     - sharingan-heartbeat.service 
+     - sharingan-heartbeat.service
 
  - name: Sharingan-Data heartbeat timer
    become: yes

roles/Sharingan/tasks/ids.yml

@@ -4,7 +4,7 @@
    become: yes
    register: package_install
    package:
-     name: 
+     name:
        - sshguard
        - suricata
        - oinkmaster
@@ -45,7 +45,7 @@
  - name: Copy rkhunter service
    register: rkhunter_service
    become: yes
-   loop: 
+   loop:
      - rkhunter.service
      - rkhunter.timer
    copy:
@@ -69,7 +69,7 @@
  - name: Copy oinkmaster service
    register: oinkmaster_service
    become: yes
-   loop: 
+   loop:
      - oinkmaster.service
      - oinkmaster.timer
    copy:
@@ -88,7 +88,7 @@
    become: yes
    when: package_install.changed or oinkmaster_conf.changed
    service:
-     name: oinkmaster.service 
+     name: oinkmaster.service
      state: started
 
  - name: Update rkhunter DB
@@ -98,12 +98,12 @@
 
  - name: IDS services
    become: yes
-   loop: 
+   loop:
      - suricata.service
      - sshguard.service
      - oinkmaster.timer
      - rkhunter.timer
-   service: 
+   service:
      name: "{{ item }}"
      state: restarted
      enabled: yes

roles/Sharingan/tasks/main.yml

@@ -1,5 +1,5 @@
---- 
- 
+---
+
  - import_tasks: ../roles/Sharingan/tasks/data.yml
  - import_tasks: ../roles/Sharingan/tasks/eval.yml
  - import_tasks: ../roles/Sharingan/tasks/heartbeat.yml

roles/Sharingan/tasks/scans.yml

@@ -24,7 +24,7 @@
    become: yes
    register: lynis_svc
    copy:
-     src: "lynis/{{ item }}" 
+     src: "lynis/{{ item }}"
      dest: /usr/lib/systemd/system/
      owner: root
      group: root
@@ -37,7 +37,7 @@
    become: yes
    register: clam_svc
    copy:
-     src: "clamav/{{ item }}" 
+     src: "clamav/{{ item }}"
      dest: /usr/lib/systemd/system/
      owner: root
      group: root

roles/Sharingan/tasks/siem.yml

@@ -16,7 +16,7 @@
        - mongodb
        - graylog
    service:
-     name: "{{ item }}" 
+     name: "{{ item }}"
      state: started
      enabled: yes
 

roles/Sharingan/templates/monitrc.j2

@@ -153,7 +153,8 @@ set log syslog
 set httpd port 2812 and
     use address localhost  # only accept connection from localhost (drop if you use M/Monit)
     allow localhost        # allow localhost to connect to the server and
-    allow admin:"{{ monitcli | default('monit') }}"      # require user 'admin' with password 'monit'
+    # require user 'admin' with password
+    allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
     #with ssl {            # enable SSL/TLS and set path to server certificate
     #    pemfile: /etc/ssl/certs/monit.pem
     #}

roles/Tachikoma/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+ - name: Install Tachikoma packages
+   become: yes
+   package:
+     name:
+       - wifi-menu
+       - weechat
+       - elinks
+       - conky
+       - xfce4
+       - xfce4-goodies
+       - xfce4-screenshooter
+       - xscreensaver
+       - libreoffice-still
+       - hunspell
+       - hunspell-en_us
+       - google-chrome
+       - keepassxc
+       - sshfs
+       - vlc
+       - cups
+       - brother-mfc-j430w
+       - brscan4
+       - xsane
+       - mtpfs
+       - libmtp
+       - alsamixer
+
+ - name: Remove deprecated packages
+   become: yes
+   package:
+     name:
+       - chromium
+       - keepassx
+       - kpcli
+       - irssi
+       - lynx
+
+ - name: Enable services
+   become: yes
+   service:
+     name: "{{ item }}"
+     state: running
+     enabled: yes
+   with:
+     - cups.service

roles/Vanik/tasks/main.yml

@@ -1,4 +1,4 @@
---- 
+---
 
  - command: ./scripts/generate-dhcp.py
    delegate_to: localhost

roles/WebServer/README.md

@@ -6,7 +6,7 @@ The WebServer serves content on the Web -- its name is simple to match the funct
 # Relevant Files and Software
 Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
 
-Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps. 
+Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
 
 **Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.
 

roles/WebServer/files/conf.d/Core/aaa_default.conf

@@ -1,25 +1,25 @@
 server {
     listen      443 ssl http2;
     server_name default_server;
+    include sec.conf;
+    include letsencrypt.conf;
+    include default.csp.conf;
+    rewrite ^/(.*)$ https://aninix.net/$1 permanent;
+
+}
+
+server {
+    listen      443 ssl http2;
+    server_name aninix.net;
 
     include sec.conf;
+    include letsencrypt.conf;
     include default.csp.conf;
 
-    location /
-    {
-      rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
-      rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
+    location / {
+
+      rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
 
-      location /aninix.xml { 
-          proxy_hide_header Content-Type;
-          add_header content-type "application/atom+xml";
-          rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
-      }
-      location /martialarts/maqotw.xml { 
-          proxy_hide_header Content-Type;
-          add_header content-type "application/atom+xml";
-          rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
-      }
       proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
@@ -27,8 +27,19 @@ server {
       proxy_pass       http://127.0.0.1:3000;
     }
 
-    location /whatismyip
-    {
+    location /aninix.xml {
+        proxy_hide_header Content-Type;
+        add_header content-type "application/atom+xml";
+        rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
+    }
+
+    location /martialarts/maqotw.xml {
+        proxy_hide_header Content-Type;
+        add_header content-type "application/atom+xml";
+        rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
+    }
+
+    location /whatismyip {
         include ../conf.d/fastcgi.config;
         root /usr/share/webapps/aninix/;
         location ~* whatismyip {
@@ -36,12 +47,10 @@ server {
             expires max;
         }
     }
-    location /blackpage
-    {
+
+    location /blackpage {
         root /usr/share/webapps/aninix/;
         try_files $uri /blackpage.html;
     }
 
-    include letsencrypt.conf;
-
 }

roles/WebServer/files/conf.d/Core/adhan.conf

@@ -1,6 +1,6 @@
 server {
     listen      443 ssl http2;
-    server_name adhan.aninix.net; 
+    server_name adhan.aninix.net;
 
     include sec.conf;
     include default.csp.conf;

roles/WebServer/files/conf.d/Core/geth.conf

@@ -1,4 +1,4 @@
-map $http_upgrade $connection_upgrade { 
+map $http_upgrade $connection_upgrade {
     default upgrade;
     ''      close;
 }

roles/WebServer/files/conf.d/Core/lykos-wiki.conf

@@ -2,7 +2,7 @@ server {
     listen      443 ssl;
     server_name lykos.aninix.net;
 
-    include letsencrypt.conf;    
+    include letsencrypt.conf;
 
     root /usr/share/webapps/;
 

roles/WebServer/files/conf.d/Core/password.conf

@@ -1,19 +1,19 @@
 server {
     listen      443 ssl http2;
-    server_name password.aninix.net; 
+    server_name password.aninix.net;
 
     include sec.conf;
     include default.csp.conf;
     include letsencrypt.conf;
 
     root /usr/share/webapps/self-service-password/htdocs/;
-    
+
     # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
     index index.php index.html index.htm;
- 
+
     # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
     sendfile off;
-     
+
     gzip on;
     gzip_comp_level 6;
     gzip_min_length 1000;
@@ -21,24 +21,24 @@ server {
     gzip_vary on;
     gzip_proxied any;
     gzip_disable "MSIE [1-6]\.(?!.*SV1)";
- 
+
     # Add stdout logging
-     
+
     #error_log /dev/stdout warn;
     #access_log /dev/stdout info;
-     
+
     include ../conf.d/fastcgi.config;
-     
+
     # deny access to . files, for security
     #
     location ~ /\.\. {
-    		log_not_found off; 
-    		deny all;
+        log_not_found off;
+        deny all;
     }
-     
+
     location ~ /scripts {
-    		log_not_found off; 
-    		deny all;
+        log_not_found off;
+        deny all;
     }
- 
+
 }

roles/WebServer/files/conf.d/Core/sharingan.conf

@@ -7,7 +7,7 @@ server {
     # include default.csp.conf;
     include local.conf;
     include letsencrypt.conf;
-    
+
 
     location /
     {

roles/WebServer/files/conf.d/Core/singularity.conf

@@ -1,6 +1,6 @@
 server {
     listen      443 ssl;
-    server_name singularity.aninix.net; 
+    server_name singularity.aninix.net;
 
     include sec.conf;
     include default.csp.conf;

roles/WebServer/files/conf/sec.conf

@@ -1,5 +1,5 @@
 ssl_dhparam          /etc/ssl/certs/dhparam.pem;
-ssl_certificate      /etc/letsencrypt/live/aninix.net-0001/fullchain.pem; 
+ssl_certificate      /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
 ssl_certificate_key  /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
 
 ssl_session_cache    shared:SSL:1m;

roles/WebServer/tasks/main.yml

@@ -58,13 +58,13 @@
    service:
      name: openresty
      state: stopped
-     enabled: no 
+     enabled: no
 
  - name: Ensure service is started
    become: yes
    when: conf.changed or confd.changed
    service:
-     name: "{{ item }}" 
+     name: "{{ item }}"
      enabled: yes
      state: restarted
    loop:

roles/WolfPack/tasks/main.yml

@@ -0,0 +1,25 @@
+---
+
+ - name: Packages
+   become: yes
+   package:
+     name:
+       - wolfpack
+
+ - name: Config
+   become: yes
+   copy:
+       src: "{{ inventory_hostname }}"
+       dest: /usr/local/etc/WolfPack
+
+ - name: Timer
+   become: yes
+   systemd:
+     name: "{{ wolfpack_service | default('wolfpack.timer') }}"
+     state: started
+     enabled: yes
+     daemon_reload: yes
+
+       # TODO Add sshfs and mountpoint for Darknet
+       # TODO Add config folders and restart daemon on change
+       # TODO Deprecate offload-wolfpack for Deluge move to sshfs

roles/Yggdrasil/tasks/main.yml

@@ -3,12 +3,12 @@
  - name: Yggdrasil packages
    become: yes
    package:
-     name: 
+     name:
        - emby-server
 
  - name: Yggdrasil directories
    become: yes
-   file: 
+   file:
      path: "{{ item }}"
      state: directory
      owner: http
@@ -24,7 +24,7 @@
      - /srv/yggdrasil/Software
 
  - name: LiveTV channels
-   command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 {{ iptv_location }} 2>&1 | egrep -v '^--$'"
+   command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 '{{ iptv_location }}' 2>&1 | egrep -v '^--$'"
    register: livetv_channels
 
  - name: Write to file

roles/common/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+ - debug:
+      msg: Importing common handlers.
+
+        ### DO NOT CHANGE THIS FILE

roles/hardware/tasks/main.yml

@@ -24,7 +24,7 @@
      group: root
      mode: 0700
    register: udev_iosched
-     
+
  - name: Reload udev
    become: yes
    command: /bin/bash -c 'udevadm control --reload; udevadm trigger'

roles/patching/tasks/main.yml

@@ -4,8 +4,8 @@
       register: df_output
 
     - name: Verify /var space
-      assert: 
-        that: 
+      assert:
+        that:
           - 90 > {{ df_output.stdout }}
         fail_msg: "Not enough free space"
 

tests/test_net-detect.py

@@ -1,7 +0,0 @@
-import os
-import re
-import pytest
-from modules import netdetect
-
-def test_netdetect_usage():
-    assert True