diff --git a/.gitignore b/.gitignore
index 6c33b32..f497be5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,7 +3,9 @@ roles/Nazara/files/dns
 roles/Nazara/files/dhcp
 roles/Node/files/vm-definitions/**
 roles/ShadowArch/files/mirrorlist
-venv/
+roles/Foundation/files/custom/public/img/**
+venv/**
+**/pkg/**
 **pkg.tar.zst
 
 # ---> Python
diff --git a/examples/msn0.yml b/examples/msn0.yml
index c4273c5..07505b6 100644
--- a/examples/msn0.yml
+++ b/examples/msn0.yml
@@ -38,8 +38,8 @@ all:
                             static: true
                             sslidentity: aninix.net-0001
                             secdetection: true
-                            iptv_location: Milwaukee
-                        Node0: 
+                            iptv_location: "Milwaukee|Madison"
+                        Node0:
                             ipinterface: enp1s0f0
                             ip: 10.0.1.4
                             mac: DE:8B:9E:19:55:1D
@@ -67,7 +67,7 @@ all:
                             memory: 2
                             vnc: 9
                             bridge: br0
-                            disks: 
+                            disks:
                               - '-drive format=raw,index=0,media=disk,file=/dev/sdd'
                         Maat:
                             ip: 10.0.1.18
@@ -147,7 +147,7 @@ all:
                             cores: 2
                             memory: 2
                             bridge: br0
-                            vnc: 6
+                            vnc: 10
                             disks:
                               - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
                         test2:
@@ -157,7 +157,7 @@ all:
                             cores: 2
                             memory: 2
                             bridge: br0
-                            vnc: 5
+                            vnc: 11
                             disks:
                               - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
                         test3:
@@ -167,7 +167,7 @@ all:
                             cores: 2
                             memory: 2
                             bridge: br0
-                            vnc: 4
+                            vnc: 12
                             disks:
                               - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
                 appliances:
@@ -183,7 +183,7 @@ all:
                             mac: 70:74:14:4F:8E:42
                         Games:
                             ip: 10.0.1.66
-                            mac: 00:1F:BC:10:1C:F8
+                            mac: E0:BE:03:77:0E:88
                         Print:
                             ip: 10.0.1.67
                             mac: 00:80:92:77:CE:E4
@@ -201,7 +201,7 @@ all:
                             mac: 80:D2:1D:17:63:10
                         Tachikoma:
                             ip: 10.0.1.72
-                            mac: B8:76:3F:70:DB:C1
+                            mac: 90:0f:0c:1a:d3:23
                         Dedsec:
                             ip: 10.0.1.73
                             mac: 34:F6:4B:36:12:8F
diff --git a/playbooks/vars-debugging.yml b/playbooks/vars-debugging.yml
index 5207c3c..696587b 100644
--- a/playbooks/vars-debugging.yml
+++ b/playbooks/vars-debugging.yml
@@ -12,7 +12,7 @@
 # Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
 # Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
 #
-- hosts: "{{ targets | default('all') }}"
+- hosts: "{{ targets | default('managed') }}"
   order: sorted
   serial: "{{ threads | default('8') }}"
   gather_facts: true
diff --git a/precommit-hooks/find-incomplete-roles b/precommit-hooks/find-incomplete-roles
index ad84081..e69de29 100644
--- a/precommit-hooks/find-incomplete-roles
+++ b/precommit-hooks/find-incomplete-roles
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-cd ~/src/Ubiqtorate/roles
-
-if [ -n "$(git status | grep roles &>/dev/null)" ]; then
-    echo There are roles that are not committed yet.
-    exit 1;
-fi
-
-unset bad
-for i in `ls -1`; do
-    if ! grep "$i" ../playbooks/deploy.yml &>/dev/null; then
-        echo "$i is not used in playbooks/deploy.yml"
-        bad="1"
-    fi
-done
-if [ -n "$bad" ]; then
-    exit 1;
-fi
diff --git a/precommit-hooks/find-large-files b/precommit-hooks/find-large-files
new file mode 100644
index 0000000..a37c96b
--- /dev/null
+++ b/precommit-hooks/find-large-files
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# Limit files in git to 1M.
+find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|\s./.git/'
+
+if [ $? -ne 1 ]; then
+    echo
+    echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
+    exit 1;
+fi
diff --git a/precommit-hooks/find-missing-customizations b/precommit-hooks/find-missing-customizations
new file mode 100644
index 0000000..2c2921f
--- /dev/null
+++ b/precommit-hooks/find-missing-customizations
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+retcode=0
+for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
+    if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
+        echo "Need MOTD for $host"
+        retcode=1;
+    fi
+    if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
+        echo "Need Sharingan-Data file for $host"
+        retcode=1;
+    fi
+done
+exit $retcode
diff --git a/precommit-hooks/find-passwords-in-files b/precommit-hooks/find-passwords-in-files
new file mode 100644
index 0000000..c19204f
--- /dev/null
+++ b/precommit-hooks/find-passwords-in-files
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Ignore Ansibilized templates.
+saferegex='\s+}}"?\s*$'
+# Ignore comments
+saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//'
+# Ignore binary file matches.
+saferegex="$saferegex"'|binary\ file\ matches'
+# AniNIX Constructs
+saferegex="$saferegex"'|password.aninix.net|aur.list'
+# Web constructs
+saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
+# Ignore template text to set policy
+saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
+# haveibeenpwned is referenced in comments
+saferegex="$saferegex"'|haveibeenpwned'
+# Unset variables.
+saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
+# Ignore LDAP attributes
+saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
+
+egrep -ir 'secret|password|pw|passphrase' roles/*/{files,templates} 2>&1 | egrep -v "$saferegex"
+if [ $? -ne 1 ]; then
+    echo
+    echo If these are false positives, you need to add the signature to the whitelist in $0.
+    echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
+    exit 1;
+fi
diff --git a/roles/Cyberbrain/tasks/main.yml b/roles/Cyberbrain/tasks/main.yml
index 641e76a..0f09ae3 100644
--- a/roles/Cyberbrain/tasks/main.yml
+++ b/roles/Cyberbrain/tasks/main.yml
@@ -8,7 +8,7 @@
  - name: Standardize the servicefile
    become: yes
    register: servicefile
-   copy: 
+   copy:
      src: cyberbrain.service
      dest: /usr/lib/systemd/system/cyberbrain.service
      owner: root
@@ -20,7 +20,7 @@
    service:
      name: webssh
      state: stopped
-     enabled: no 
+     enabled: no
 
  - systemd:
      daemon_reload: true
diff --git a/roles/DarkNet/README.md b/roles/DarkNet/README.md
index d640890..376c285 100644
--- a/roles/DarkNet/README.md
+++ b/roles/DarkNet/README.md
@@ -11,8 +11,8 @@ A basic VM to provide DarkNet functionality in an AniNIX replica only needs the
 * Virtualized NIC
 * 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled
 
-# Hosted Services 
-The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that. 
+# Hosted Services
+The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
 
 We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN.
 ```
diff --git a/roles/DarkNet/tasks/main.yml b/roles/DarkNet/tasks/main.yml
index 111073c..2470e04 100644
--- a/roles/DarkNet/tasks/main.yml
+++ b/roles/DarkNet/tasks/main.yml
@@ -18,7 +18,7 @@
       name: "{{ item }}"
       state: started
       enabled: yes
-    loop: 
+    loop:
       - tor
       - nordvpnd
       - deluged
@@ -26,3 +26,9 @@
   - debug:
       msg: "Remember to use the nordvpn-bin command to set up your account."
 
+
+        # TODO Add yaml for OVPN file, user, pass to Vault
+        # TODO Enforce vpn.service on server instead of nordvpnd.
+        # TODO Add /etc/bashrc.d file for `alias torlynx='torsocks elinks https://check.torproject.org/'`
+        # TODO Add monit checks for tor and openvpn services
+        # TODO Shift deluged to WolfPack
diff --git a/roles/DedSec/tasks/main.yml b/roles/DedSec/tasks/main.yml
new file mode 100644
index 0000000..e4b3fe3
--- /dev/null
+++ b/roles/DedSec/tasks/main.yml
@@ -0,0 +1,8 @@
+---
+ # Consider https://blackarch.org/blackarch-guide-en.pdf
+ - name: Install DedSec packages
+   become: yes
+   package:
+     name:
+       - tcpdump
+       - wireshark
diff --git a/roles/Foundation/files/custom/bin/gen-aninix-custom b/roles/Foundation/files/custom/bin/gen-aninix-custom
index 5e5c607..300decb 100644
--- a/roles/Foundation/files/custom/bin/gen-aninix-custom
+++ b/roles/Foundation/files/custom/bin/gen-aninix-custom
@@ -1,7 +1,5 @@
 #!/bin/bash
 
-set -x
-
 URI=https://aninix.net/assets/css/theme-arc-green.css
 
 # Gitea arc-green palette
@@ -59,7 +57,7 @@ a {
 cd /var/lib/gitea/web-snippets
 head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
 foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
-for i in `find . -type f`; do 
+for i in `find . -type f`; do
     (echo "$head"
     cat "$i"
     echo "$foot") > /var/lib/gitea/custom/public/"$i".html
diff --git a/roles/Foundation/files/custom/bin/sitemap.php b/roles/Foundation/files/custom/bin/sitemap.php
index 1fed5c8..3b70e8f 100644
--- a/roles/Foundation/files/custom/bin/sitemap.php
+++ b/roles/Foundation/files/custom/bin/sitemap.php
@@ -1,6 +1,6 @@
-<?php 
+<?php
 
-/* 
+/*
  * Build a sitemap dynamically.
  * Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml`
  *
@@ -15,7 +15,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
 ';
 
 exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
-foreach ($output as &$file) { 
+foreach ($output as &$file) {
     echo '    <url>
 ';
 echo '        <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
@@ -23,10 +23,10 @@ echo '        <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
 echo '        <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod>
 ';
 echo '    </url>
-'; 
+';
 }
 
-/* Print footer */ 
+/* Print footer */
 echo '</urlset>
 ';
 ?>
diff --git a/roles/Foundation/files/custom/options/license/AniNIX-WTFPL b/roles/Foundation/files/custom/options/license/AniNIX-WTFPL
index bffb679..e15653d 100644
--- a/roles/Foundation/files/custom/options/license/AniNIX-WTFPL
+++ b/roles/Foundation/files/custom/options/license/AniNIX-WTFPL
@@ -1,31 +1,31 @@
-# http://www.wtfpl.net/about/
-
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-                    Version 2, December 2004
-
- Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
-
- Everyone is permitted to copy and distribute verbatim or modified
- copies of this license document, and changing it is allowed as long
- as the name is changed.
-
-            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. You just DO WHAT THE FUCK YOU WANT TO.
-
-                        ANINIX ADDENDUM
-
- Trademark 2017 (https://aninix.net/)
- 
- The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
- AniNIX materials may be reproduced and re-used (though you must
- contact the admins of the network to get written permission to use  
- the AniNIX name or logo) so long as such reproduction or re-use
- does not inhibit the original AniNIX use of the same.
-
- Attribution is appreciated for other materials but not legally
- required or necessary.
-
- "AniNIX" trademark serial: 87177883
- |> Logo trademark serial: 87177887 
+# http://www.wtfpl.net/about/
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+                    Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+            DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. You just DO WHAT THE FUCK YOU WANT TO.
+
+                        ANINIX ADDENDUM
+
+ Trademark 2017 (https://aninix.net/)
+
+ The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
+ AniNIX materials may be reproduced and re-used (though you must
+ contact the admins of the network to get written permission to use
+ the AniNIX name or logo) so long as such reproduction or re-use
+ does not inhibit the original AniNIX use of the same.
+
+ Attribution is appreciated for other materials but not legally
+ required or necessary.
+
+ "AniNIX" trademark serial: 87177883
+ |> Logo trademark serial: 87177887
diff --git a/roles/Foundation/files/custom/public/img/AniNIX.png b/roles/Foundation/files/custom/public/img/AniNIX.png
deleted file mode 100755
index 3b01845..0000000
Binary files a/roles/Foundation/files/custom/public/img/AniNIX.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/avatar_default.png b/roles/Foundation/files/custom/public/img/avatar_default.png
deleted file mode 100755
index 3b01845..0000000
Binary files a/roles/Foundation/files/custom/public/img/avatar_default.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/favicon.png b/roles/Foundation/files/custom/public/img/favicon.png
deleted file mode 120000
index 8b0f8d2..0000000
--- a/roles/Foundation/files/custom/public/img/favicon.png
+++ /dev/null
@@ -1 +0,0 @@
-AniNIX.png
\ No newline at end of file
diff --git a/roles/Foundation/files/custom/public/img/gitea-lg.png b/roles/Foundation/files/custom/public/img/gitea-lg.png
deleted file mode 120000
index 8b0f8d2..0000000
--- a/roles/Foundation/files/custom/public/img/gitea-lg.png
+++ /dev/null
@@ -1 +0,0 @@
-AniNIX.png
\ No newline at end of file
diff --git a/roles/Foundation/files/custom/public/img/gitea-safari.svg b/roles/Foundation/files/custom/public/img/gitea-safari.svg
deleted file mode 120000
index 8b0f8d2..0000000
--- a/roles/Foundation/files/custom/public/img/gitea-safari.svg
+++ /dev/null
@@ -1 +0,0 @@
-AniNIX.png
\ No newline at end of file
diff --git a/roles/Foundation/files/custom/public/img/gitea-sm.png b/roles/Foundation/files/custom/public/img/gitea-sm.png
deleted file mode 120000
index 8b0f8d2..0000000
--- a/roles/Foundation/files/custom/public/img/gitea-sm.png
+++ /dev/null
@@ -1 +0,0 @@
-AniNIX.png
\ No newline at end of file
diff --git a/roles/Foundation/files/custom/public/img/icons b/roles/Foundation/files/custom/public/img/icons
deleted file mode 120000
index 5aebaa4..0000000
--- a/roles/Foundation/files/custom/public/img/icons
+++ /dev/null
@@ -1 +0,0 @@
-/srv/yggdrasil/Pictures/AniNIX/Icons/
\ No newline at end of file
diff --git a/roles/Foundation/files/custom/public/img/qr.png b/roles/Foundation/files/custom/public/img/qr.png
deleted file mode 100755
index 3dbec4c..0000000
Binary files a/roles/Foundation/files/custom/public/img/qr.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/rss.png b/roles/Foundation/files/custom/public/img/rss.png
deleted file mode 100755
index 0925b26..0000000
Binary files a/roles/Foundation/files/custom/public/img/rss.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/discord.ico b/roles/Foundation/files/custom/public/img/social/discord.ico
deleted file mode 100755
index ac7417a..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/discord.ico and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/facebook.png b/roles/Foundation/files/custom/public/img/social/facebook.png
deleted file mode 100755
index b8770ee..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/facebook.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/github.png b/roles/Foundation/files/custom/public/img/social/github.png
deleted file mode 100755
index 17fe0e3..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/github.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/linkedin.png b/roles/Foundation/files/custom/public/img/social/linkedin.png
deleted file mode 100755
index 9aa6024..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/linkedin.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/nextdoor.png b/roles/Foundation/files/custom/public/img/social/nextdoor.png
deleted file mode 100755
index e94c029..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/nextdoor.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/rss.png b/roles/Foundation/files/custom/public/img/social/rss.png
deleted file mode 100755
index 0925b26..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/rss.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/strava.png b/roles/Foundation/files/custom/public/img/social/strava.png
deleted file mode 100755
index 5e918f0..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/strava.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/wtfpl.png b/roles/Foundation/files/custom/public/img/social/wtfpl.png
deleted file mode 100755
index 035f8ea..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/wtfpl.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/social/youtube.png b/roles/Foundation/files/custom/public/img/social/youtube.png
deleted file mode 100755
index 68dda67..0000000
Binary files a/roles/Foundation/files/custom/public/img/social/youtube.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/ushf.jpg b/roles/Foundation/files/custom/public/img/ushf.jpg
deleted file mode 100755
index 6520ea8..0000000
Binary files a/roles/Foundation/files/custom/public/img/ushf.jpg and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/img/wtfpl.png b/roles/Foundation/files/custom/public/img/wtfpl.png
deleted file mode 100755
index 035f8ea..0000000
Binary files a/roles/Foundation/files/custom/public/img/wtfpl.png and /dev/null differ
diff --git a/roles/Foundation/files/custom/public/martialarts/mil-gi.jpeg b/roles/Foundation/files/custom/public/martialarts/mil-gi.jpeg
deleted file mode 100755
index 40ebba2..0000000
Binary files a/roles/Foundation/files/custom/public/martialarts/mil-gi.jpeg and /dev/null differ
diff --git a/roles/Foundation/files/web-snippets/martialarts/index b/roles/Foundation/files/web-snippets/martialarts/index
index 4f372f8..ce5320d 100644
--- a/roles/Foundation/files/web-snippets/martialarts/index
+++ b/roles/Foundation/files/web-snippets/martialarts/index
@@ -17,7 +17,7 @@
                     <div class="eight wide center column">
                         <h1 class="hero ui icon header">
                             <img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
-                            <a href="/user/login?redirect_to=%2fAniNIX_Martial_Arts">Open-source</a>
+                            <a href="/mawiki">Open-source</a>
                         </h1>
                         <p class="large">
                         We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
@@ -116,13 +116,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTuhvI49P1uFPoXXoSjPm2w');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -148,7 +148,7 @@
                             });
                           });
                         })();
-                        </script> 
+                        </script>
                         <! -- END STRIPE CODE -->
                         </p>
                     </div>
@@ -170,13 +170,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HThmcI49P1uFPoXMDCRVXTl');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -202,8 +202,8 @@
                             });
                           });
                         })();
-                        </script> 
-                        <! -- END STRIPE CODE --> 
+                        </script>
+                        <! -- END STRIPE CODE -->
                         </p> </div>
                 </div>
                 <div class="ui stackable middle very relaxed page grid">
@@ -225,13 +225,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTucZI49P1uFPoXshtbIl8W');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -258,8 +258,8 @@
                           });
                         })();
                         </script>
-                        <! -- END STRIPE CODE -->                         
-                        </p> 
+                        <! -- END STRIPE CODE -->
+                        </p>
                     </div>
                     <div class="eight wide center column" style="border: 1px solid #FFF;">
                         <h1 class="hero ui icon header">
@@ -296,13 +296,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTuYII49P1uFPoXaIk9puyu');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
diff --git a/roles/Foundation/files/web-snippets/pay/index b/roles/Foundation/files/web-snippets/pay/index
index 1391148..499a241 100644
--- a/roles/Foundation/files/web-snippets/pay/index
+++ b/roles/Foundation/files/web-snippets/pay/index
@@ -13,7 +13,7 @@
                 <div class="ui stackable middle very relaxed page grid">
                     <div class="sixteen wide center column" >
                         <h1 class="hero ui icon header">
-                            <img width=20px height=20px src='/img/icons/CoreIcon.png'/>
+                            <img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
                             Cybersecurity Consulting
                         </h1>
                         <p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
@@ -45,7 +45,7 @@
                         <br/>
                         </form>
                         <!-- START STRIPE CODE -->
-                        
+
                         <!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
                         <button
                           style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
@@ -55,13 +55,13 @@
                         >
                           Checkout
                         </button>
-                        
+
                         <div id="error-message"></div>
-                        
+
                         <script>
                         (function() {
                           var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
-                        
+
                           var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
                           checkoutButton.addEventListener('click', function () {
                             // When the customer clicks on the button, redirect
@@ -91,5 +91,17 @@
                         <! -- END STRIPE CODE -->
                         </p>
                     </div>
-                <hr style="margin-top: 50px;" />
+                </div>
+                <div class="ui stackable middle very relaxed page grid">
+                <div class="sixteen wide center column" >
+                <hr style="margin-top: 50px;" />
+                <h2>Donate</h2>
+                <p>If you like what we do, you can also donate on one of these platforms:</p>
+                <ul style="width:500px;text-align: left;margin:auto;">
+                <li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
+                <li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
+                <li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
+                <li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
+                </ul>
+                </div>
                 </div>
diff --git a/roles/Foundation/files/web-snippets/pay/thank-you b/roles/Foundation/files/web-snippets/pay/thank-you
index 727953a..aaad36c 100644
--- a/roles/Foundation/files/web-snippets/pay/thank-you
+++ b/roles/Foundation/files/web-snippets/pay/thank-you
@@ -1,7 +1,7 @@
                 <div class="ui stackable middle very relaxed page grid">
                     <div class="sixteen wide center aligned centered column">
                         <div>
-                            <img class="logo" src="/img/icons/CoreIcon.png" />
+                            <img class="logo" src="/assets/img/icons/CoreIcon.png" />
                         </div>
                         <div class="hero">
                             <h2 class="ui icon header title">
diff --git a/roles/Foundation/templates/app.ini.j2 b/roles/Foundation/templates/app.ini.j2
index 771395f..de444f2 100644
--- a/roles/Foundation/templates/app.ini.j2
+++ b/roles/Foundation/templates/app.ini.j2
@@ -13,7 +13,7 @@ RUN_MODE = prod
 ROOT                                           = repos
 SCRIPT_TYPE                                    = bash
 ; Default ANSI charset
-ANSI_CHARSET                                   = 
+ANSI_CHARSET                                   =
 ; Force every new repository to be private
 FORCE_PRIVATE                                  = false
 ; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
@@ -31,7 +31,7 @@ PREFERRED_LICENSES                             = AniNIX-WTFPL
 DISABLE_HTTP_GIT                               = false
 ; Value for Access-Control-Allow-Origin header, default is not to present
 ; WARNING: This maybe harmful to you website if you do not give it a right value.
-ACCESS_CONTROL_ALLOW_ORIGIN                    = 
+ACCESS_CONTROL_ALLOW_ORIGIN                    =
 ; Force ssh:// clone url instead of scp-style uri when default SSH port is used
 USE_COMPAT_SSH_URI                             = false
 ; Close issues as long as a commit on any branch marks it as fixed
@@ -57,7 +57,7 @@ ENABLED       = true
 ; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
 TEMP_PATH     = data/tmp/uploads
 ; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
-ALLOWED_TYPES = 
+ALLOWED_TYPES =
 ; Max size of each file in megabytes. Defaults to 3MB
 FILE_MAX_SIZE = 3
 ; Max number of files per upload. Defaults to 5
@@ -138,7 +138,7 @@ KEYWORDS    = go,git,self-hosted,gitea,aninix,aninix::foundation
 ENABLE_HARD_LINE_BREAK = false
 ; List of custom URL-Schemes that are allowed as links when rendering Markdown
 ; for example git,magnet
-CUSTOM_URL_SCHEMES     = 
+CUSTOM_URL_SCHEMES     =
 ; List of file extensions that should be rendered/edited as Markdown
 ; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
 FILE_EXTENSIONS        = .md,.markdown,.mdown,.mkd
@@ -156,7 +156,7 @@ HTTP_PORT                       = 3000
 ; ROOT_URL.  Defaults are false for REDIRECT_OTHER_PORT and 80 for
 ; PORT_TO_REDIRECT.
 REDIRECT_OTHER_PORT             = false
-PORT_TO_REDIRECT                = 3000 
+PORT_TO_REDIRECT                = 3000
 ; Permission for unix socket
 UNIX_SOCKET_PERMISSION          = 660
 ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
@@ -169,17 +169,17 @@ DISABLE_SSH                     = false
 ; Whether to use the builtin SSH server or not.
 START_SSH_SERVER                = false
 ; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
-BUILTIN_SSH_SERVER_USER         = 
+BUILTIN_SSH_SERVER_USER         =
 ; Domain name to be exposed in clone URL
 SSH_DOMAIN                      = foundation.aninix.net
 ; The network interface the builtin SSH server should listen on
-SSH_LISTEN_HOST                 = 
+SSH_LISTEN_HOST                 =
 ; Port number to be exposed in clone URL
 SSH_PORT                        = 22
 ; The port number the builtin SSH server should listen on
 SSH_LISTEN_PORT                 = %(SSH_PORT)s
 ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
-SSH_ROOT_PATH                   = 
+SSH_ROOT_PATH                   =
 ; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
 ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
 SSH_CREATE_AUTHORIZED_KEYS_FILE = true
@@ -194,7 +194,7 @@ SSH_SERVER_KEY_EXCHANGES        = diffie-hellman-group1-sha1, diffie-hellman-gro
 SSH_SERVER_MACS                 = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
 ; Directory to create temporary files in when testing public keys using ssh-keygen,
 ; default is the system temporary directory.
-SSH_KEY_TEST_PATH               = 
+SSH_KEY_TEST_PATH               =
 ; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
 SSH_KEYGEN_PATH                 = ssh-keygen
 ; Enable SSH Authorized Key Backup when rewriting all keys, default is true
@@ -208,7 +208,7 @@ OFFLINE_MODE                    = true
 DISABLE_ROUTER_LOG              = false
 ; Generate steps:
 ; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
-; 
+;
 ; Or from a .pfx file exported from the Windows certificate store (do
 ; not forget to export the private key):
 ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
@@ -301,7 +301,7 @@ DISABLE_REGULAR_ORG_CREATION = true
 ; Whether the installer is disabled
 INSTALL_LOCK                       = true
 ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
-SECRET_KEY                         = {{ secrets.Foundation.secret_key }} 
+SECRET_KEY                         = {{ secrets.Foundation.secret_key }}
 ; How long to remember that an user is logged in before requiring relogin (in days)
 LOGIN_REMEMBER_DAYS                = 7
 COOKIE_USERNAME                    = gitea_awesome
@@ -318,15 +318,15 @@ DISABLE_GIT_HOOKS                  = false
 INTERNAL_TOKEN                     = {{ secrets.Foundation.internal_token }}
 
 [openid]
-; 
+;
 ; OpenID is an open, standard and decentralized authentication protocol.
 ; Your identity is the address of a webpage you provide, which describes
 ; how to prove you are in control of that page.
-; 
+;
 ; For more info: https://en.wikipedia.org/wiki/OpenID
-; 
+;
 ; Current implementation supports OpenID-2.0
-; 
+;
 ; Tested to work providers at the time of writing:
 ; - Any GNUSocial node (your.hostname.tld/username)
 ; - Any SimpleID provider (http://simpleid.koinic.net)
@@ -334,7 +334,7 @@ INTERNAL_TOKEN                     = {{ secrets.Foundation.internal_token }}
 ; - openid.stackexchange.com
 ; - login.launchpad.net
 ; - <username>.livejournal.com
-; 
+;
 ; Whether to allow signin in via OpenID
 ENABLE_OPENID_SIGNIN = FALSE
 ; Whether to allow registering via OpenID
@@ -344,12 +344,12 @@ ENABLE_OPENID_SIGNIN = FALSE
 ; Space separated.
 ; Only these would be allowed if non-blank.
 ; Example value: trusted.domain.org trusted.domain.net
-WHITELISTED_URIS     = 
+WHITELISTED_URIS     =
 ; Forbidden URI patterns (POSIX regexp).
 ; Space separated.
 ; Only used if WHITELISTED_URIS is blank.
 ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
-BLACKLISTED_URIS     = 
+BLACKLISTED_URIS     =
 ENABLE_OPENID_SIGNUP = false
 
 [service]
@@ -361,7 +361,7 @@ RESET_PASSWD_CODE_LIVE_MINUTES                = 180
 REGISTER_EMAIL_CONFIRM                        = false
 ; List of domain names that are allowed to be used to register on a Gitea instance
 ; gitea.io,example.com
-EMAIL_DOMAIN_WHITELIST                        = 
+EMAIL_DOMAIN_WHITELIST                        =
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION                          = true
 ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
@@ -380,8 +380,8 @@ ENABLE_CAPTCHA                                = false
 CAPTCHA_TYPE                                  = image
 ; Enable recaptcha to use Google's recaptcha service
 ; Go to https://www.google.com/recaptcha/admin to sign up for a key
-RECAPTCHA_SECRET                              = 
-RECAPTCHA_SITEKEY                             = 
+RECAPTCHA_SECRET                              =
+RECAPTCHA_SITEKEY                             =
 ; Change this to use recaptcha.net or other recaptcha service
 RECAPTCHA_URL                                 = https://www.google.com/recaptcha/
 ; Default value for KeepEmailPrivate
@@ -435,18 +435,18 @@ ENABLED            = false
 ; Buffer length of channel, keep it as it is if you don't know what it is.
 SEND_BUFFER_LEN    = 100
 ; Prefix displayed before subject in mail
-SUBJECT_PREFIX     = 
+SUBJECT_PREFIX     =
 ; Mail server
 ; Gmail: smtp.gmail.com:587
 ; QQ: smtp.qq.com:465
 ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
-HOST               = 
+HOST               =
 ; Disable HELO operation when hostnames are different.
-DISABLE_HELO       = 
+DISABLE_HELO       =
 ; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
-HELO_HOSTNAME      = 
+HELO_HOSTNAME      =
 ; Do not verify the certificate of the server. Only use this for self-signed certificates
-SKIP_VERIFY        = 
+SKIP_VERIFY        =
 ; Use client certificate
 USE_CERTIFICATE    = false
 CERT_FILE          = custom/mailer/cert.pem
@@ -454,11 +454,11 @@ KEY_FILE           = custom/mailer/key.pem
 ; Should SMTP connection use TLS
 IS_TLS_ENABLED     = false
 ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
-FROM               = 
+FROM               =
 ; Mailer user name and password
-USER               = 
+USER               =
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD             = 
+PASSWD             =
 ; Send mails as plain text
 SEND_AS_PLAIN_TEXT = false
 ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
@@ -466,7 +466,7 @@ MAILER_TYPE        = smtp
 ; Specify an alternative sendmail binary
 SENDMAIL_PATH      = sendmail
 ; Specify any extra sendmail arguments
-SENDMAIL_ARGS      = 
+SENDMAIL_ARGS      =
 
 [cache]
 ; Either "memory", "redis", or "memcache", default is "memory"
@@ -476,7 +476,7 @@ INTERVAL = 60
 ; For "redis" and "memcache", connection host address
 ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
 ; memcache: `127.0.0.1:11211`
-HOST     = 
+HOST     =
 ; Time to keep items in cache if not used, default is 16 hours.
 ; Setting it to 0 disables caching
 ITEM_TTL = 16h
@@ -541,7 +541,7 @@ MAX_FILES     = 5
 ; Specifies the format for fully outputted dates. Defaults to RFC1123
 ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
 ; For more information about the format see http://golang.org/pkg/time/#pkg-constants
-FORMAT = 
+FORMAT =
 
 [log]
 ROOT_PATH            = /var/log/gitea/
@@ -564,22 +564,22 @@ STACKTRACE_LEVEL     = Critical
 ; Generic log modes
 [log.x]
 FLAGS      = stdflags
-EXPRESSION = 
-PREFIX     = 
+EXPRESSION =
+PREFIX     =
 COLORIZE   = false
 
 ; For "console" mode only
 [log.console]
-LEVEL  = 
+LEVEL  =
 COLORIZE   = false
 STDERR = false
 
 ; For "file" mode only
 [log.file]
-LEVEL             = 
+LEVEL             =
 ; Set the file_name for the logger. If this is a relative path this
 ; will be relative to ROOT_PATH
-FILE_NAME         = 
+FILE_NAME         =
 ; This enables automated log rotate(switch of following options), default is true
 LOG_ROTATE        = true
 ; Max number of lines in a single file, default is 1000000
@@ -597,7 +597,7 @@ COMPRESSION_LEVEL = -1
 
 ; For "conn" mode only
 [log.conn]
-LEVEL            = 
+LEVEL            =
 ; Reconnect host for every single message, default is false
 RECONNECT_ON_MSG = false
 ; Try to reconnect when connection is lost, default is false
@@ -605,21 +605,21 @@ RECONNECT        = false
 ; Either "tcp", "unix" or "udp", default is "tcp"
 PROTOCOL         = tcp
 ; Host address
-ADDR             = 
+ADDR             =
 
 ; For "smtp" mode only
 [log.smtp]
-LEVEL     = 
+LEVEL     =
 ; Name displayed in mail title, default is "Diagnostic message from server"
 SUBJECT   = Diagnostic message from server
 ; Mail server
-HOST      = 
+HOST      =
 ; Mailer user name and password
-USER      = 
+USER      =
 ; Use PASSWD = `your password` for quoting if you use special characters in the password.
-PASSWD    = 
+PASSWD    =
 ; Receivers, can be one or more, e.g. 1@example.com,2@example.com
-RECEIVERS = 
+RECEIVERS =
 
 [cron]
 ; Enable running cron tasks periodically.
@@ -637,7 +637,7 @@ SCHEDULE = @every 24h
 TIMEOUT  = 60s
 ; Arguments for command 'git fsck', e.g. "--unreachable --tags"
 ; see more on http://git-scm.com/docs/git-fsck
-ARGS     = 
+ARGS     =
 
 ; Check repository statistics
 [cron.check_repo_stats]
@@ -676,7 +676,7 @@ MAX_GIT_DIFF_LINE_CHARACTERS = 5000
 MAX_GIT_DIFF_FILES           = 100
 ; Arguments for command 'git gc', e.g. "--aggressive --auto"
 ; see more on http://git-scm.com/docs/git-gc/
-GC_ARGS                      = 
+GC_ARGS                      =
 ; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
 EnableAutoGitWireProtocol    = true
 
@@ -780,5 +780,5 @@ IS_INPUT_FILE   = false
 ; Enables metrics endpoint. True or false; default is false.
 ENABLED = false
 ; If you want to add authorization, specify a token here
-TOKEN   = 
+TOKEN   =
 
diff --git a/roles/Games/tasks/main.yml b/roles/Games/tasks/main.yml
new file mode 100644
index 0000000..5081f83
--- /dev/null
+++ b/roles/Games/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+ - name: Install Games packages
+   become: yes
+   package:
+     name:
+       - mgba-qt
+       - steam
+       - steam-native-runtime
+       - discord
diff --git a/roles/Geth-Hub/files/hardware.conf b/roles/Geth-Hub/files/hardware.conf
index 0594e8c..52940e6 100644
--- a/roles/Geth-Hub/files/hardware.conf
+++ b/roles/Geth-Hub/files/hardware.conf
@@ -14,7 +14,7 @@ LOAD_MODULES=true
 
 # Run "lircd --driver=help" for a list of supported drivers.
 DRIVER="default"
-# usually /dev/lirc0 is the correct setting for systems using udev 
+# usually /dev/lirc0 is the correct setting for systems using udev
 DEVICE="/dev/lirc0"
 MODULES="lirc_rpi"
 
diff --git a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-1 b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-1
index c5179d7..1eb5479 100644
--- a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-1
+++ b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-1
@@ -5,9 +5,9 @@
 # this config file was automatically generated
 # using lirc-0.9.0-pre1(default) on Thu Feb  9 18:06:50 2017
 #
-# contributed by 
+# contributed by
 #
-# brand:                       Insignia 
+# brand:                       Insignia
 # model no. of remote control: NS-RC4NA-14
 # devices being controlled by this remote: TV
 #
diff --git a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-2 b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-2
index 167166b..3f05b04 100644
--- a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-2
+++ b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-2
@@ -8,7 +8,7 @@
 # contributed by darkfeather@aninix.net
 #
 # brand:                       LG.conf
-# model no. of remote control: AKB73715608  
+# model no. of remote control: AKB73715608
 # devices being controlled by this remote: TV
 #
 
@@ -49,10 +49,10 @@ end remote
 # this config file was automatically generated
 # using lirc-0.9.0-pre1(default) on Tue May  1 06:40:29 2018
 #
-# contributed by 
+# contributed by
 #
 # brand:                       ./lasko.conf
-# model no. of remote control: 
+# model no. of remote control:
 # devices being controlled by this remote:
 #
 
@@ -118,9 +118,9 @@ end remote
 # this config file was automatically generated
 # using lirc-0.9.0-pre1(default) on Thu Feb  9 18:06:50 2017
 #
-# contributed by 
+# contributed by
 #
-# brand:                       Insignia 
+# brand:                       Insignia
 # model no. of remote control: NS-RC4NA-14
 # devices being controlled by this remote: TV
 #
diff --git a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3 b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3
index 2499ade..2ed829e 100644
--- a/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3
+++ b/roles/Geth-Hub/files/lircd.conf/Geth-Hub-3
@@ -8,7 +8,7 @@
 # contributed by darkfeather@aninix.net
 #
 # brand:                       LG.conf
-# model no. of remote control: AKB73715608  
+# model no. of remote control: AKB73715608
 # devices being controlled by this remote: TV
 #
 
diff --git a/roles/Geth-Hub/tasks/main.yml b/roles/Geth-Hub/tasks/main.yml
index 92fd201..8fdadb6 100644
--- a/roles/Geth-Hub/tasks/main.yml
+++ b/roles/Geth-Hub/tasks/main.yml
@@ -16,7 +16,7 @@
      user: "{{ ansible_user_id }}"
      state: present
      key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}"
- 
+
  - name: Copy the motion config
    become: yes
    register: motion_config
@@ -32,13 +32,13 @@
      owner: motion
      group: motion
      mode: 0750
-   loop: 
+   loop:
      - "/var/log/motion"
      - "/var/run/motion"
 
  - name: Restart the motion service
    become: yes
-   when: motion_config.changed and motion_enabled 
+   when: motion_config.changed and motion_enabled
    service:
      name: motion
      state: started
@@ -119,7 +119,7 @@
  - name: Copy lircd remote config
    register: lircd_remote_config
    become: yes
-   copy: 
+   copy:
      src: "lircd.conf/{{ inventory_hostname }}"
      dest: /etc/lirc/lircd.conf
 
diff --git a/roles/Geth/tasks/main.yml b/roles/Geth/tasks/main.yml
index a6b36c0..5c10bcb 100644
--- a/roles/Geth/tasks/main.yml
+++ b/roles/Geth/tasks/main.yml
@@ -5,4 +5,4 @@
      name:
        - openhab2
 
- - name: 
+ - name:
diff --git a/roles/IRC-Bots/tasks/main.yml b/roles/IRC-Bots/tasks/main.yml
new file mode 100644
index 0000000..630f731
--- /dev/null
+++ b/roles/IRC-Bots/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+
+ - user:
+     name: "{{ item }}"
+     state: present
+     shell: "{{ daemon_shell | default('/sbin/nologin') }}"
+     local: yes
+     groups: ircd
+   loop:
+     - bitbot
+     - dsbridge
+     - theraven
+     - werewolf
+
+   # Install TheRaven package
+ - package:
+     name:
+       - TheRaven
+
+ - git:
+     repo: 'https://github.com/jesopo/bitbot.git'
+     dest: /usr/local/src/bitbot/
+     clone: yes
+     update: yes
+
+ - git:
+     repo:
+
+ -
diff --git a/roles/IRC/tasks/main.yml b/roles/IRC/tasks/main.yml
index 28728aa..0107254 100644
--- a/roles/IRC/tasks/main.yml
+++ b/roles/IRC/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 
- - name: IRC packages 
+ - name: IRC packages
    become: yes
    package:
      name:
@@ -10,7 +10,7 @@
 
  - name: KiwiIRC Web Front
    become: yes
-   git: 
+   git:
      repo: https://github.com/prawnsalad/KiwiIRC.git
      dest: /usr/local/src/KiwiIRC
 
diff --git a/roles/Maat/tasks/main.yml b/roles/Maat/tasks/main.yml
new file mode 100644
index 0000000..a2f56ed
--- /dev/null
+++ b/roles/Maat/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+ - name: Sharingan packages
+   become: yes
+   package:
+     name:
+       - openvas
+       - greenbone-security-assistant
+       - elasticsearch6
+       - mongodb
+       - graylog
diff --git a/roles/Nazara/tasks/main.yml b/roles/Nazara/tasks/main.yml
index 2a871d4..23d34c6 100644
--- a/roles/Nazara/tasks/main.yml
+++ b/roles/Nazara/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
- 
+
  - name: Clone pi-hole
    become: yes
    git:
@@ -10,7 +10,7 @@
  - name: Install pi-hole if needed
    become: yes
    register: pihole_install
-   command: 
+   command:
        creates: /usr/bin/pihole-FTL
        cmd: false # bash basic-install.sh
        chdir: '/opt/pi-hole/automated install'
@@ -30,7 +30,7 @@
    register: dns_updated
    copy:
      dest: /etc/pihole/custom.list
-     src: dns 
+     src: dns
      owner: pihole
      group: pihole
      mode: 0644
diff --git a/roles/Node/tasks/main.yml b/roles/Node/tasks/main.yml
index 86dc935..d266b9c 100644
--- a/roles/Node/tasks/main.yml
+++ b/roles/Node/tasks/main.yml
@@ -14,11 +14,11 @@
        - qemu-emulators-full
        - ddrescue
      state: present
-      
+
  - name: Copy VM definitions
    become: yes
    register: vmdefs
-   copy: 
+   copy:
      src: vm-definitions/
      dest: /usr/lib/systemd/system
      owner: root
@@ -28,7 +28,7 @@
  - name: Reload systemd daemon
    become: yes
    when: vmdefs.changed
-   systemd: 
+   systemd:
      daemon_reload: yes
 
  - name: QEMU Bridge Config
diff --git a/roles/SSH/tasks/main.yml b/roles/SSH/tasks/main.yml
index 0626ac6..eceb152 100644
--- a/roles/SSH/tasks/main.yml
+++ b/roles/SSH/tasks/main.yml
@@ -1,30 +1,28 @@
 ---
 
- - name: SSH
+ - name: SSH (ArchLinux)
    become: yes
+   when: ansible_os_family == "Archlinux"
    package:
+     state: present
      name:
-       - bash
-       - sudo
+       - openssh
 
- - name: SSH Config
+ - name: SSH (Raspbian)
    become: yes
-   copy: 
-       src: ssh_config
-       dest: /etc/ssh/ssh_config
-
- - name: SSHD Config
-   become: yes
-   copy: 
-       src: sshd_config
-       dest: /etc/ssh/sshd_config
+   when: ansible_os_family == "Debian"
+   package:
+     state: present
+     name:
+       - openssh-server
+       - openssh-client
 
  - name: Mark SSH keys as immutable
    become: yes
    file:
-       path: "{{ item }}" 
+       path: "{{ item }}"
        attributes: i
-   loop: 
+   loop:
        - /etc/ssh/ssh_host_ed25519_key
        - /etc/ssh/ssh_host_ed25519_key.pub
        - /etc/ssh/ssh_host_rsa_key
@@ -32,17 +30,52 @@
 
  - name: Add SSH control groups
    become: yes
-   group: 
+   group:
        name: "{{ item }}"
        state: present
-   loop: 
+   loop:
        - ssh-allow
        - ssh-forward
        - sftp-home-jail
 
  - name: Add SSH user to ssh-allow
    become: yes
-   user: 
+   user:
        name: "{{ ansible_user_id }}"
        groups: ssh-allow
        append: yes
+
+ - name: Copy the SSH key
+   authorized_key:
+     user: "{{ ansible_user_id }}"
+     state: present
+     key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"
+
+ - name: SSH Config
+   become: yes
+   copy:
+       src: ssh_config
+       dest: /etc/ssh/ssh_config
+
+ - name: SSHD Config
+   become: yes
+   register: sshd_config
+   copy:
+       src: sshd_config
+       dest: /etc/ssh/sshd_config
+
+ - name: Restart SSHD (ArchLinux)
+   become: yes
+   when: ansible_os_family == "Archlinux" and sshd_config.changed
+   service:
+     name: sshd
+     state: restarted
+     enabled: yes
+
+ - name: Restart SSHD (Raspbian)
+   become: yes
+   when: ansible_os_family == "Debian" and sshd_config.changed
+   service:
+     name: ssh
+     state: restarted
+     enabled: yes
diff --git a/roles/SSL/tasks/main.yml b/roles/SSL/tasks/main.yml
index 97e11a1..4b4fc2c 100644
--- a/roles/SSL/tasks/main.yml
+++ b/roles/SSL/tasks/main.yml
@@ -2,8 +2,8 @@
 
  - name: SSL packages
    become: yes
-   package: 
-     name: 
+   package:
+     name:
       - certbot
       - openssl
 
@@ -16,7 +16,7 @@
      owner: root
      group: root
      mode: 0644
-   loop: 
+   loop:
      - "certbot.service"
      - "certbot.timer"
 
@@ -28,7 +28,7 @@
      name: certbot.timer
      enabled: yes
      state: started
- 
+
  - name: Create letsencrypt folder
    become: yes
    file:
@@ -50,7 +50,7 @@
    become: yes
    command: /usr/local/sbin/tlsa-generation.bash
    register: tlsa_records
- 
+
  - name: Show proposed TLSA records
    debug:
      msg: "{{ tlsa_records.stdout_lines }}"
@@ -60,7 +60,7 @@
    run_once: yes
    command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
    register: ext_tlsa_records
- 
+
  - name: Show TLSA records
    debug:
      msg: "{{ ext_tlsa_records.stdout_lines }}"
diff --git a/roles/ShadowArch/bin/find-mirrors b/roles/ShadowArch/bin/find-mirrors
index fc1e31e..efb1e4c 100755
--- a/roles/ShadowArch/bin/find-mirrors
+++ b/roles/ShadowArch/bin/find-mirrors
@@ -1,9 +1,9 @@
 #!/bin/bash
 
 # File: find-mirrors
-# 
+#
 # Description: This file generates a pacman mirrorlist to ensure hosts use the right mirrors for performance.
-# 
+#
 # Package: AniNIX::Foundation/HelloWorld
 # Copyright: WTFPL
 #
@@ -11,6 +11,6 @@
 
 country="United States"
 
-curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist 
+curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist
 rankmirrors -n 6 /tmp/mirrorlist > files/mirrorlist
 rm /tmp/mirrorlist
diff --git a/roles/ShadowArch/files/bashrc b/roles/ShadowArch/files/bashrc
new file mode 100644
index 0000000..efb0b9b
--- /dev/null
+++ b/roles/ShadowArch/files/bashrc
@@ -0,0 +1,10 @@
+#
+# /etc/bash.bashrc
+#
+
+# If not running interactively, don't do anything
+[[ $- != *i* ]] && return
+
+[[ $DISPLAY ]] && shopt -s checkwinsize
+
+[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion
diff --git a/roles/ShadowArch/files/pacman.conf b/roles/ShadowArch/files/pacman.conf
index c91ef6f..de3df99 100644
--- a/roles/ShadowArch/files/pacman.conf
+++ b/roles/ShadowArch/files/pacman.conf
@@ -99,7 +99,7 @@ Include = /etc/pacman.d/mirrorlist.shadowarch
 #[custom]
 #SigLevel = Optional TrustAll
 #Server = file:///home/custompkgs
- 
+
 [AniNIX]
 SigLevel = Required DatabaseOptional
 Server = https://maat.aninix.net/
diff --git a/roles/ShadowArch/files/vimrc b/roles/ShadowArch/files/vimrc
new file mode 100644
index 0000000..5e61be8
--- /dev/null
+++ b/roles/ShadowArch/files/vimrc
@@ -0,0 +1,32 @@
+" All system-wide defaults are set in $VIMRUNTIME/archlinux.vim (usually just
+" /usr/share/vim/vimfiles/archlinux.vim) and sourced by the call to :runtime
+" you can find below.  If you wish to change any of those settings, you should
+" do it in this file (/etc/vimrc), since archlinux.vim will be overwritten
+" everytime an upgrade of the vim packages is performed.  It is recommended to
+" make changes after sourcing archlinux.vim since it alters the value of the
+" 'compatible' option.
+
+" This line should not be removed as it ensures that various options are
+" properly set to work with the Vim-related packages.
+runtime! archlinux.vim
+
+" If you prefer the old-style vim functionalty, add 'runtime! vimrc_example.vim'
+" Or better yet, read /usr/share/vim/vim74/vimrc_example.vim or the vim manual
+" and configure vim to your own liking!
+syntax on
+filetype on
+" Support CSharp files like Java
+au BufNewFile,BufRead *.csharp set filetype=java
+au BufNewFile,BufRead *.cs set filetype=java
+set number
+set mouse-=a
+colorscheme desert
+
+" This establishes the indenting policy.
+filetype plugin indent on
+" show existing tab with 4 spaces width
+set tabstop=4
+" when indenting with '>', use 4 spaces width
+set shiftwidth=4
+" On pressing tab, insert 4 spaces
+set expandtab
diff --git a/roles/ShadowArch/tasks/archlinux-network.yml b/roles/ShadowArch/tasks/archlinux-network.yml
index dea47f7..cbf3630 100644
--- a/roles/ShadowArch/tasks/archlinux-network.yml
+++ b/roles/ShadowArch/tasks/archlinux-network.yml
@@ -1,4 +1,4 @@
---- 
+---
 
   - name: ArchLinux network packages
     become: yes
@@ -30,4 +30,4 @@
 
   - name: Enable network config
     become: yes
-    command: "netctl enable {{ ipinterface }}" 
+    command: "netctl enable {{ ipinterface }}"
diff --git a/roles/ShadowArch/tasks/bash.yml b/roles/ShadowArch/tasks/bash.yml
new file mode 100644
index 0000000..a4b9913
--- /dev/null
+++ b/roles/ShadowArch/tasks/bash.yml
@@ -0,0 +1,37 @@
+
+
+   - name: Set Bash MOTD
+    become: yes
+    copy:
+      src: "motd/{{ inventory_hostname }}"
+      dest: /etc/bash.motd
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Nullify overall MOTD
+    become: yes
+    copy:
+      src: /dev/null
+      dest: /etc/motd
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Bashrc
+    become: yes
+    copy:
+      src: bashrc
+      dest: /etc/bashrc
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: vimrc
+    become: yes
+    copy:
+      src: vimrc
+      dest: /etc/vimrc
+      owner: root
+      group: root
+      mode: 0644
diff --git a/roles/ShadowArch/tasks/dns.yml b/roles/ShadowArch/tasks/dns.yml
index 8d5802b..dbc141e 100644
--- a/roles/ShadowArch/tasks/dns.yml
+++ b/roles/ShadowArch/tasks/dns.yml
@@ -2,8 +2,8 @@
   - name: Install DNS packages
     become: yes
     ignore_errors: yes
-    package: 
-        name: 
+    package:
+        name:
           - bind
           - net-tools
           - iputils
diff --git a/roles/ShadowArch/tasks/main.yml b/roles/ShadowArch/tasks/main.yml
index 09c85c6..1761b76 100644
--- a/roles/ShadowArch/tasks/main.yml
+++ b/roles/ShadowArch/tasks/main.yml
@@ -58,10 +58,14 @@
     ignore_errors: yes
     register: root_password_test
     vars:
+      ansible_become_user: "{{ item }}"
       ansible_become_method: su
       ansible_become_password: "{{ passwords[inventory_hostname] }}"
     become: yes
     command: id
+    loop:
+      - root
+      - "{{ ansible_user_id }}"
 
   - name: Define passwords
     vars:
@@ -70,7 +74,7 @@
     become: yes
     when: root_password_test.rc is not defined or root_password_test.rc != 0
     command:
-      cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
+      cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
     loop:
       - root
       - "{{ ansible_user_id }}"
@@ -163,24 +167,6 @@
     hostname:
       name: "{{ inventory_hostname }}.{{ replica_domain }}"
 
-  - name: Set Bash MOTD
-    become: yes
-    copy:
-      src: "motd/{{ inventory_hostname }}"
-      dest: /etc/bash.motd
-      owner: root
-      group: root
-      mode: 0644
-
-  - name: Nullify overall MOTD
-    become: yes
-    copy:
-      src: /dev/null
-      dest: /etc/motd
-      owner: root
-      group: root
-      mode: 0644
-
   - include: archlinux-network.yml
     when: ansible_os_family == "Archlinux"
 
@@ -190,3 +176,5 @@
   - include: dns.yml
 
   - include: ntp.yml
+
+  - include: bash.yml
diff --git a/roles/ShadowArch/tasks/ntp.yml b/roles/ShadowArch/tasks/ntp.yml
index e95450d..7a32e9a 100644
--- a/roles/ShadowArch/tasks/ntp.yml
+++ b/roles/ShadowArch/tasks/ntp.yml
@@ -10,7 +10,7 @@
   - name: Remove legacy NTP services
     become: yes
     ignore_errors: yes
-    service: 
+    service:
         name: "{{ item }}"
         state: stopped
         enabled: no
@@ -20,15 +20,15 @@
 
   - name: Remove legacy NTP packages
     become: yes
-    package: 
-        name: 
+    package:
+        name:
             - ntp
             - openntpd
         state: absent
 
   - name: Install NTP packages
     become: yes
-    package: 
+    package:
         name: chrony
         state: present
 
diff --git a/roles/ShadowArch/tasks/raspbian-network.yml b/roles/ShadowArch/tasks/raspbian-network.yml
index e8b697c..fd1cfb8 100644
--- a/roles/ShadowArch/tasks/raspbian-network.yml
+++ b/roles/ShadowArch/tasks/raspbian-network.yml
@@ -1,4 +1,4 @@
---- 
+---
 
   - name: Rasbian network packages
     become: yes
@@ -17,7 +17,7 @@
         group: root
         mode: 0644
 
-  - name: Rasbian network config (static) 
+  - name: Rasbian network config (static)
     become: yes
     when: static
     template:
diff --git a/roles/Sharingan/README.md b/roles/Sharingan/README.md
index c40c709..bebb322 100644
--- a/roles/Sharingan/README.md
+++ b/roles/Sharingan/README.md
@@ -5,7 +5,7 @@ Sharingan is named after the mythical technique from the Naruto anime series. Sh
 
 # Relevant Files and Software
 
-We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`. 
+We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`.
 
 ## Syslog-ng
 
@@ -13,7 +13,7 @@ We use a lot of services in the AniNIX ecosystem -- some create files, some pipe
 
 ## Journald
 
-ArchLinux and most systemd-based Linux distributions use journald to track system log files. 
+ArchLinux and most systemd-based Linux distributions use journald to track system log files.
 
 ## Suricata
 
@@ -32,12 +32,12 @@ TODO
 ## Graylog
 
 ## Elasticsearch
-Elasticsearch acts as graylog's data backend. 
+Elasticsearch acts as graylog's data backend.
 
-We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption. 
+We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
 
 1. Stop elasticsearch
-1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data. 
+1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
 1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*`
 1. Restart elasticsearch
 1. Retry shard allocation:
diff --git a/roles/Sharingan/files/monit/checks/system b/roles/Sharingan/files/monit/checks/system
index 967b4be..cf55d92 100644
--- a/roles/Sharingan/files/monit/checks/system
+++ b/roles/Sharingan/files/monit/checks/system
@@ -7,7 +7,7 @@
 ## performed should a test fail.
 check system $HOST
   if loadavg (1min) per core > 2 for 25 times within 30 cycles then exec "/etc/monit.d/scripts/critical Load average is high"
-  if memory usage > 75% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
+  if memory usage > 90% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
   if swap usage > 25% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Swap is overused."
   group system
 #
diff --git a/roles/Sharingan/files/monit/checks/warrant-canary b/roles/Sharingan/files/monit/checks/warrant-canary
new file mode 100644
index 0000000..f02cced
--- /dev/null
+++ b/roles/Sharingan/files/monit/checks/warrant-canary
@@ -0,0 +1,2 @@
+check program warrant_canary with path "/etc/monit.d/scripts/check-warrant-canary"
+    if status != 0 then exec "/etc/monit.d/scripts/critical Warrant Canary needs to be updated"
diff --git a/roles/Sharingan/files/monit/hostdefs/Core b/roles/Sharingan/files/monit/hostdefs/Core
index 4229188..f1cde60 100644
--- a/roles/Sharingan/files/monit/hostdefs/Core
+++ b/roles/Sharingan/files/monit/hostdefs/Core
@@ -1 +1,2 @@
 include "/etc/monit.d/checks/system"
+include "/etc/monit.d/checks/warrant-canary"
diff --git a/roles/Sharingan/files/monit/scripts/check-warrant-canary b/roles/Sharingan/files/monit/scripts/check-warrant-canary
new file mode 100755
index 0000000..154b136
--- /dev/null
+++ b/roles/Sharingan/files/monit/scripts/check-warrant-canary
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+daysinadvance=14
+url=https://aninix.net/AniNIX/WarrantCanary/raw/branch/main/canary
+
+# ID the update expected date
+canarydate="$(curl -s "$url" | grep -A 1 'next two updates' | tail -n 1 | sed 's/^..//' )"
+if [ -z "$canarydate" ]; then
+    echo "Cannot identify the canary's next time."
+    exit 2
+fi
+epochcanarydate="$(date -d "$canarydate" +%s)"
+
+# Remove a one-month padding
+updatecanarydate=$(( $epochcanarydate - 2592000 ))
+
+# ID today
+today="$(date +%s)"
+
+
+if [[ $today -gt $updatecanarydate ]]; then
+    echo Time to reseed the warrant canary.
+    exit 2
+else
+    echo Warrant canary seems to have the right time.
+    exit 0
+fi
diff --git a/roles/Sharingan/files/oinkmaster/oinkmaster.conf b/roles/Sharingan/files/oinkmaster/oinkmaster.conf
index 743a247..4b88eae 100644
--- a/roles/Sharingan/files/oinkmaster/oinkmaster.conf
+++ b/roles/Sharingan/files/oinkmaster/oinkmaster.conf
@@ -1,11 +1,11 @@
 # $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
 
-# This file is pretty big by default, but don't worry. 
-# The only things required are "path" and "update_files". You must also 
-# set "url" to point to the correct rules archive for your version of 
+# This file is pretty big by default, but don't worry.
+# The only things required are "path" and "update_files". You must also
+# set "url" to point to the correct rules archive for your version of
 # Snort, unless you prefer to specify this on the command line.
 # The rest in here is just a few recommended defaults, and examples
-# how to use all the other optional features and give some ideas how they 
+# how to use all the other optional features and give some ideas how they
 # could be used.
 
 # Remember not to let untrusted users edit Oinkmaster configuration
@@ -14,15 +14,15 @@
 
 
 
-# Use "url = <url>" to specify the location of the rules archive to 
-# download. The url must begin with http://, https://, ftp://, file:// 
-# or scp:// and end with .tar.gz or .tgz, and the file must be a 
+# Use "url = <url>" to specify the location of the rules archive to
+# download. The url must begin with http://, https://, ftp://, file://
+# or scp:// and end with .tar.gz or .tgz, and the file must be a
 # gzipped tarball what contains a directory named "rules".
 # You can also point to a local directory with dir://<directory>.
 # Multiple "url = <url>" lines can be specified to grab multiple rules
 # archives from different locations.
 #
-# Note: if URL is specified on the command line, it overrides all 
+# Note: if URL is specified on the command line, it overrides all
 #       possible URLs specified in the configuration file(s).
 #
 # The location of the official Snort rules you should use depends
@@ -30,10 +30,10 @@
 # http://www.snort.org/rules/ and follow the instructions
 # there to pick the right URL for your version of Snort
 # (and remember to update the URL when upgrading Snort in the
-# future). You can of course also specify locations to third party 
+# future). You can of course also specify locations to third party
 # rules.
 #
-# As of March 2005, you must register on the Snort site to get access 
+# As of March 2005, you must register on the Snort site to get access
 # to the official Snort rules. This will get you an "oinkcode".
 # You then specify the URL as
 # http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
@@ -45,7 +45,7 @@
 # more information.
 
 
-# URL examples follows. Replace <oinkcode> with the code you get on the 
+# URL examples follows. Replace <oinkcode> with the code you get on the
 # Snort site in your registered user profile.
 
 # Example for Snort
@@ -73,18 +73,18 @@
 # Only OpenSSH is tested. See the FAQ for more information.
 # url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
 
-# If you use -u scp://... and need to specify a private ssh key (passed 
-# as -i <key> to the scp command) you can specify it here or add an 
-# entry in ~/.ssh/config for the Oinkmaster user as described in the 
-# OpenSSH manual. 
+# If you use -u scp://... and need to specify a private ssh key (passed
+# as -i <key> to the scp command) you can specify it here or add an
+# entry in ~/.ssh/config for the Oinkmaster user as described in the
+# OpenSSH manual.
 # scp_key = /home/oinkmaster/oinkmaster_privkey
 
 
-# The PATH to use during execution. If you prefer to use external 
-# binaries (i.e. use_external_bins=1, see below), tar and gzip must be 
-# found, and also wget if downloading via ftp, http or https. All with 
-# optional .exe suffix. If you're on Cygwin, make sure that the path 
-# contains the Cygwin binaries and not the native Win32 binaries or 
+# The PATH to use during execution. If you prefer to use external
+# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
+# found, and also wget if downloading via ftp, http or https. All with
+# optional .exe suffix. If you're on Cygwin, make sure that the path
+# contains the Cygwin binaries and not the native Win32 binaries or
 # you will get problems.
 # Assume UNIX style by default:
 path = /bin:/usr/bin:/usr/local/bin
@@ -96,17 +96,17 @@ path = /bin:/usr/bin:/usr/local/bin
 # path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
 
 
-# We normally use external binaries (wget, tar and gzip) since they're 
-# already available on most systems and do a good job. If you have the 
+# We normally use external binaries (wget, tar and gzip) since they're
+# already available on most systems and do a good job. If you have the
 # Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
-# those instead if you like. You can set use_external_bins below to 
-# choose which method you prefer. It's set to 0 by default on Win32 
-# (i.e. use Perl modules), and 1 on other systems (i.e. use external 
+# those instead if you like. You can set use_external_bins below to
+# choose which method you prefer. It's set to 0 by default on Win32
+# (i.e. use Perl modules), and 1 on other systems (i.e. use external
 # binaries). The reason for that is that the required Perl modules
-# are included on Windows/ActivePerl 5.8.1+, so it's easier to use 
-# those than to install the ported Unix tools. (Note that if you're 
-# using scp to download the archive, external scp  binary is still 
-# used.) 
+# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
+# those than to install the ported Unix tools. (Note that if you're
+# using scp to download the archive, external scp  binary is still
+# used.)
 # use_external_bins = 0
 
 
@@ -133,7 +133,7 @@ path = /bin:/usr/bin:/usr/local/bin
 # umask = 0027
 
 
-# Files in the archive(s) matching this regular expression will be 
+# Files in the archive(s) matching this regular expression will be
 # checked for changes, and then updated or added if needed.
 # All other files will be ignored. You can then choose to skip
 # individual files by specifying the "skipfile" keyword below.
@@ -159,10 +159,10 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # min_rules = 1
 
 
-# By default, a basic sanity check is performed on most paths/filenames 
-# to see if they contain illegal characters that may screw things up. 
-# If this check is too strict for your system (e.g. you get bogus 
-# "illegal characters in filename" errors because of your local language 
+# By default, a basic sanity check is performed on most paths/filenames
+# to see if they contain illegal characters that may screw things up.
+# If this check is too strict for your system (e.g. you get bogus
+# "illegal characters in filename" errors because of your local language
 # etc) and you're sure you want to disable the checks completely,
 # set use_path_checks to 0.
 # use_path_checks = 1
@@ -174,11 +174,11 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 
 
 # You can include other files anywhere in here by using
-# "include <file>". <file> will be parsed just like a regular 
-# oinkmaster.conf as soon as the include statement is seen, and then 
-# return and continue parsing the rest of the original file. If an 
-# option is redefined, it will override the previous value. You can use 
-# as many "include" statements as you wish, and also include even more 
+# "include <file>". <file> will be parsed just like a regular
+# oinkmaster.conf as soon as the include statement is seen, and then
+# return and continue parsing the rest of the original file. If an
+# option is redefined, it will override the previous value. You can use
+# as many "include" statements as you wish, and also include even more
 # files from included files. Example to load stuff from "/etc/foo.conf".
 # include /etc/foo.conf
 
@@ -191,34 +191,34 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
 # or:     skipfile filename1, filename2, filename3, ...               #
 #######################################################################
 
-# Ignore local.rules from the rules archive by default since we might 
-# have put some local rules in our own local.rules and we don't want it 
-# to get overwritten by the empty one from the archive after each 
+# Ignore local.rules from the rules archive by default since we might
+# have put some local rules in our own local.rules and we don't want it
+# to get overwritten by the empty one from the archive after each
 # update.
 skipfile local.rules
 
-# The file deleted.rules contains rules that have been deleted from 
+# The file deleted.rules contains rules that have been deleted from
 # other files, so there is usually no point in updating it.
 skipfile deleted.rules
 
-# Also skip snort.conf by default since we don't want to overwrite our 
-# own snort.conf if we have it in the same directory as the rules. If 
-# you have your own production copy of snort.conf in another directory, 
-# it may be really nice to check for changes in this file though, 
-# especially since variables are sometimes added or modified and 
+# Also skip snort.conf by default since we don't want to overwrite our
+# own snort.conf if we have it in the same directory as the rules. If
+# you have your own production copy of snort.conf in another directory,
+# it may be really nice to check for changes in this file though,
+# especially since variables are sometimes added or modified and
 # new/old files are included/excluded.
 skipfile snort.conf
 
-# You may want to consider ignoring threshold.conf for the same reasons 
-# as for snort.conf, i.e. if you customize it locally and don't want it 
-# to become overwritten by the default one. It may be better to put 
-# local thresholding/suppressing in some local file and still update 
-# and use the official one though, in case important stuff is added to 
+# You may want to consider ignoring threshold.conf for the same reasons
+# as for snort.conf, i.e. if you customize it locally and don't want it
+# to become overwritten by the default one. It may be better to put
+# local thresholding/suppressing in some local file and still update
+# and use the official one though, in case important stuff is added to
 # it some day. We do update it by default, but it's your call.
 # skipfile threshold.conf
 
-# If you update from multiple URLs at the same time you may need to 
-# ignore the sid-msg.map (and generate it yourself if you need one) as 
+# If you update from multiple URLs at the same time you may need to
+# ignore the sid-msg.map (and generate it yourself if you need one) as
 # it's usually included in each rules tarball. See the FAQ for more info.
 # skipfile sid-msg.map
 
@@ -243,11 +243,11 @@ skipfile snort.conf
 # situations.                                                            #
 #                                                                        #
 # Syntax:                                                                #
-#   modifysid SID "replacethis" | "withthis"                             #    
+#   modifysid SID "replacethis" | "withthis"                             #
 # or:                                                                    #
 #   modifysid SID1, SID2, SID3, ... "replacethis" | "withthis"           #
 # or:                                                                    #
-#   modifysid file "replacethis" | "withthis"                            #    
+#   modifysid file "replacethis" | "withthis"                            #
 # or:                                                                    #
 #   modifysid * "replacethis" | "withthis"                               #
 #                                                                        #
@@ -289,11 +289,11 @@ skipfile snort.conf
 # Example to add "tag" stuff to SID 1325.
 # modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
 
-# Example to make SID 1378 a 'drop' rule (valid if you're running 
+# Example to make SID 1378 a 'drop' rule (valid if you're running
 # Snort_inline).
 # modifysid 1378 "^alert" | "drop"
 
-# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET 
+# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
 # in SID 302.
 # modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
 
@@ -306,17 +306,17 @@ skipfile snort.conf
 # modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
 #                "${1} replace:"\/foo\/sh";"
 
-# If you for some reason would like to add a comment inside the actual 
-# rules file, like the reason why you disabled this rule, you can do 
-# like this (you would normally add such comments in oinkmaster.conf 
+# If you for some reason would like to add a comment inside the actual
+# rules file, like the reason why you disabled this rule, you can do
+# like this (you would normally add such comments in oinkmaster.conf
 # though).
 # modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
 
-# Here is an example that is actually useful. Let's say you don't care 
-# about incoming welchia pings (detected by SID 483 at the time of 
-# writing) but you want to know when infected hosts on your network 
-# scans hosts on the outside. (Remember that watching for outgoing 
-# malicious packets is often just as important as watching for incoming 
+# Here is an example that is actually useful. Let's say you don't care
+# about incoming welchia pings (detected by SID 483 at the time of
+# writing) but you want to know when infected hosts on your network
+# scans hosts on the outside. (Remember that watching for outgoing
+# malicious packets is often just as important as watching for incoming
 # ones, especially in this case.) The rule currently looks like
 # "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
 # but we want to switch that so it becomes
@@ -326,34 +326,34 @@ skipfile snort.conf
 # "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
 # "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
 
-# The wildcard (modifysid * ...) can be used to do all kinds of 
-# interesting things. The substitution expression will be applied on all 
-# matching rules. First, a silly example to replace "foo" with "bar" in 
-# all rules (that have the string "foo" in them, that is.) 
+# The wildcard (modifysid * ...) can be used to do all kinds of
+# interesting things. The substitution expression will be applied on all
+# matching rules. First, a silly example to replace "foo" with "bar" in
+# all rules (that have the string "foo" in them, that is.)
 # modifysid * "foo" | "bar"
 
-# If you for some reason don't want to use the stream preprocessor to 
-# match established streams, you may want to replace the 'flow' 
+# If you for some reason don't want to use the stream preprocessor to
+# match established streams, you may want to replace the 'flow'
 # statement with 'flags:A+;' in all those rules.
 # modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
 
-# Example to convert all rules of classtype attempted-admin to 'drop' 
+# Example to convert all rules of classtype attempted-admin to 'drop'
 # rules (for Snort_inline only, obviously).
 # modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
 
-# This one will append some text to the 'msg' string for all rules that 
+# This one will append some text to the 'msg' string for all rules that
 # have the 'tag' keyword in them.
 # modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
 #             "${1}, going to tag this baby"${2}"
 
-# There may be times when you want to replace multiple occurrences of a 
-# certain keyword/string in a rule and not just the first one. To 
-# replace the first two occurrences of "foo" with "bar" in SID 100, 
+# There may be times when you want to replace multiple occurrences of a
+# certain keyword/string in a rule and not just the first one. To
+# replace the first two occurrences of "foo" with "bar" in SID 100,
 # simply repeat the modifysid statement:
 # modifysid 100 "foo" | "bar"
 # modifysid 100 "foo" | "bar"
- 
-# Or you can even specify a SID list but repeat the same SID as many 
+
+# Or you can even specify a SID list but repeat the same SID as many
 # times as required, like:
 # modifysid 100,100,100 "foo" | "bar"
 
diff --git a/roles/Sharingan/files/rkhunter/rkhunter.conf b/roles/Sharingan/files/rkhunter/rkhunter.conf
index c291594..864d83a 100644
--- a/roles/Sharingan/files/rkhunter/rkhunter.conf
+++ b/roles/Sharingan/files/rkhunter/rkhunter.conf
@@ -90,7 +90,7 @@
 #
 # If the mirrors file is read-only, then the '--versioncheck' command-line
 # option can only be used if this option is set to '0'.
-# 
+#
 # The default value is '1'.
 #
 #ROTATE_MIRRORS=1
@@ -635,7 +635,7 @@ ALLOWHIDDENDIR=/dev/.udev
 # This option may be specified more than once, and may use wildcard characters.
 #
 # The default value is the null string.
-# 
+#
 #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
 #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
 #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
@@ -907,7 +907,7 @@ ALLOWHIDDENDIR=/dev/.udev
 #
 #APP_WHITELIST=""
 
-# 
+#
 # Set this option to scan for suspicious files in directories which pose a
 # relatively higher risk due to user write access.
 #
@@ -918,7 +918,7 @@ ALLOWHIDDENDIR=/dev/.udev
 #
 # Please consider adding all directories the user the (web)server runs as,
 # and has write access to, including the document root (e.g: '/var/www') and
-# log directories (e.g: '/var/log/httpd'). 
+# log directories (e.g: '/var/log/httpd').
 #
 # This is a space-separated list of directory pathnames. The option may be
 # specified more than once.
@@ -968,7 +968,7 @@ ALLOWHIDDENDIR=/dev/.udev
 
 #
 # The following options can be used to whitelist network ports which are known
-# to have been used by malware. 
+# to have been used by malware.
 #
 # The PORT_WHITELIST option is a space-separated list of one or more of two
 # types of whitelisting. These are:
@@ -1233,10 +1233,10 @@ ALLOWHIDDENDIR=/dev/.udev
 #
 # You should only activate this feature as part of a more thorough
 # investigation, which should be based on relevant best practices and
-# procedures. 
+# procedures.
 #
 # Enabling this feature implies you have the knowledge to interpret the
-# results properly. 
+# results properly.
 #
 # The default value is the null string.
 #
diff --git a/roles/Sharingan/files/suricata/suricata.yaml b/roles/Sharingan/files/suricata/suricata.yaml
index 62b9b1b..af93a76 100644
--- a/roles/Sharingan/files/suricata/suricata.yaml
+++ b/roles/Sharingan/files/suricata/suricata.yaml
@@ -134,7 +134,7 @@ outputs:
         # Header name were the actual IP address will be reported, if more than
         # one IP address is present, the last IP address will be the one taken
         # into consideration.
-        header: X-Forwarded-For 
+        header: X-Forwarded-For
 
   # a line based log of HTTP requests (no alerts)
   - http-log:
diff --git a/roles/Sharingan/tasks/data.yml b/roles/Sharingan/tasks/data.yml
index fc71599..eaec90e 100644
--- a/roles/Sharingan/tasks/data.yml
+++ b/roles/Sharingan/tasks/data.yml
@@ -1,10 +1,10 @@
---- 
- 
+---
+
  - name: Sharingan data packages
    become: yes
    package:
      state: present
-     name: 
+     name:
        - syslog-ng
        - monit
        - monitoring-plugins
@@ -18,13 +18,13 @@
  - name: Sharingan-Data include apps dir
    become: yes
    register: base_config
-   lineinfile: 
+   lineinfile:
      path: /etc/syslog-ng/syslog-ng.conf
      line: "{{ item }}"
-   loop: 
+   loop:
      - '# Allow compartmentalization of config'
      - '@include "apps.d/*.conf"'
- 
+
  - name: Sharingan-Data conf
    become: yes
    template:
diff --git a/roles/Sharingan/tasks/heartbeat.yml b/roles/Sharingan/tasks/heartbeat.yml
index 006ac43..cac92b1 100644
--- a/roles/Sharingan/tasks/heartbeat.yml
+++ b/roles/Sharingan/tasks/heartbeat.yml
@@ -9,9 +9,9 @@
      owner: root
      group: root
      mode: 0750
-   loop: 
+   loop:
      - sharingan-heartbeat.timer
-     - sharingan-heartbeat.service 
+     - sharingan-heartbeat.service
 
  - name: Sharingan-Data heartbeat timer
    become: yes
diff --git a/roles/Sharingan/tasks/ids.yml b/roles/Sharingan/tasks/ids.yml
index 498256d..d7f0224 100644
--- a/roles/Sharingan/tasks/ids.yml
+++ b/roles/Sharingan/tasks/ids.yml
@@ -4,7 +4,7 @@
    become: yes
    register: package_install
    package:
-     name: 
+     name:
        - sshguard
        - suricata
        - oinkmaster
@@ -45,7 +45,7 @@
  - name: Copy rkhunter service
    register: rkhunter_service
    become: yes
-   loop: 
+   loop:
      - rkhunter.service
      - rkhunter.timer
    copy:
@@ -69,7 +69,7 @@
  - name: Copy oinkmaster service
    register: oinkmaster_service
    become: yes
-   loop: 
+   loop:
      - oinkmaster.service
      - oinkmaster.timer
    copy:
@@ -88,7 +88,7 @@
    become: yes
    when: package_install.changed or oinkmaster_conf.changed
    service:
-     name: oinkmaster.service 
+     name: oinkmaster.service
      state: started
 
  - name: Update rkhunter DB
@@ -98,12 +98,12 @@
 
  - name: IDS services
    become: yes
-   loop: 
+   loop:
      - suricata.service
      - sshguard.service
      - oinkmaster.timer
      - rkhunter.timer
-   service: 
+   service:
      name: "{{ item }}"
      state: restarted
      enabled: yes
diff --git a/roles/Sharingan/tasks/main.yml b/roles/Sharingan/tasks/main.yml
index 2982405..2f9319b 100644
--- a/roles/Sharingan/tasks/main.yml
+++ b/roles/Sharingan/tasks/main.yml
@@ -1,5 +1,5 @@
---- 
- 
+---
+
  - import_tasks: ../roles/Sharingan/tasks/data.yml
  - import_tasks: ../roles/Sharingan/tasks/eval.yml
  - import_tasks: ../roles/Sharingan/tasks/heartbeat.yml
diff --git a/roles/Sharingan/tasks/scans.yml b/roles/Sharingan/tasks/scans.yml
index 970e9ff..2a5a079 100644
--- a/roles/Sharingan/tasks/scans.yml
+++ b/roles/Sharingan/tasks/scans.yml
@@ -24,7 +24,7 @@
    become: yes
    register: lynis_svc
    copy:
-     src: "lynis/{{ item }}" 
+     src: "lynis/{{ item }}"
      dest: /usr/lib/systemd/system/
      owner: root
      group: root
@@ -37,7 +37,7 @@
    become: yes
    register: clam_svc
    copy:
-     src: "clamav/{{ item }}" 
+     src: "clamav/{{ item }}"
      dest: /usr/lib/systemd/system/
      owner: root
      group: root
diff --git a/roles/Sharingan/tasks/siem.yml b/roles/Sharingan/tasks/siem.yml
index c21105c..462b539 100644
--- a/roles/Sharingan/tasks/siem.yml
+++ b/roles/Sharingan/tasks/siem.yml
@@ -16,7 +16,7 @@
        - mongodb
        - graylog
    service:
-     name: "{{ item }}" 
+     name: "{{ item }}"
      state: started
      enabled: yes
 
diff --git a/roles/Sharingan/templates/monitrc.j2 b/roles/Sharingan/templates/monitrc.j2
index 4464bcb..cb17ccd 100755
--- a/roles/Sharingan/templates/monitrc.j2
+++ b/roles/Sharingan/templates/monitrc.j2
@@ -153,7 +153,8 @@ set log syslog
 set httpd port 2812 and
     use address localhost  # only accept connection from localhost (drop if you use M/Monit)
     allow localhost        # allow localhost to connect to the server and
-    allow admin:"{{ monitcli | default('monit') }}"      # require user 'admin' with password 'monit'
+    # require user 'admin' with password
+    allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
     #with ssl {            # enable SSL/TLS and set path to server certificate
     #    pemfile: /etc/ssl/certs/monit.pem
     #}
diff --git a/roles/Tachikoma/tasks/main.yml b/roles/Tachikoma/tasks/main.yml
new file mode 100644
index 0000000..a448865
--- /dev/null
+++ b/roles/Tachikoma/tasks/main.yml
@@ -0,0 +1,47 @@
+---
+
+ - name: Install Tachikoma packages
+   become: yes
+   package:
+     name:
+       - wifi-menu
+       - weechat
+       - elinks
+       - conky
+       - xfce4
+       - xfce4-goodies
+       - xfce4-screenshooter
+       - xscreensaver
+       - libreoffice-still
+       - hunspell
+       - hunspell-en_us
+       - google-chrome
+       - keepassxc
+       - sshfs
+       - vlc
+       - cups
+       - brother-mfc-j430w
+       - brscan4
+       - xsane
+       - mtpfs
+       - libmtp
+       - alsamixer
+
+ - name: Remove deprecated packages
+   become: yes
+   package:
+     name:
+       - chromium
+       - keepassx
+       - kpcli
+       - irssi
+       - lynx
+
+ - name: Enable services
+   become: yes
+   service:
+     name: "{{ item }}"
+     state: running
+     enabled: yes
+   with:
+     - cups.service
diff --git a/roles/Vanik/tasks/main.yml b/roles/Vanik/tasks/main.yml
index 0d7e6cf..0d6a860 100644
--- a/roles/Vanik/tasks/main.yml
+++ b/roles/Vanik/tasks/main.yml
@@ -1,4 +1,4 @@
---- 
+---
 
  - command: ./scripts/generate-dhcp.py
    delegate_to: localhost
diff --git a/roles/WebServer/README.md b/roles/WebServer/README.md
index 89cd31c..337dff6 100644
--- a/roles/WebServer/README.md
+++ b/roles/WebServer/README.md
@@ -6,7 +6,7 @@ The WebServer serves content on the Web -- its name is simple to match the funct
 # Relevant Files and Software
 Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
 
-Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps. 
+Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
 
 **Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.
 
diff --git a/roles/WebServer/files/conf.d/Core/aaa_default.conf b/roles/WebServer/files/conf.d/Core/aaa_default.conf
index 4adaa6d..b60868d 100644
--- a/roles/WebServer/files/conf.d/Core/aaa_default.conf
+++ b/roles/WebServer/files/conf.d/Core/aaa_default.conf
@@ -1,25 +1,25 @@
 server {
     listen      443 ssl http2;
     server_name default_server;
+    include sec.conf;
+    include letsencrypt.conf;
+    include default.csp.conf;
+    rewrite ^/(.*)$ https://aninix.net/$1 permanent;
+
+}
+
+server {
+    listen      443 ssl http2;
+    server_name aninix.net;
 
     include sec.conf;
+    include letsencrypt.conf;
     include default.csp.conf;
 
-    location /
-    {
-      rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
-      rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
+    location / {
+
+      rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
 
-      location /aninix.xml { 
-          proxy_hide_header Content-Type;
-          add_header content-type "application/atom+xml";
-          rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
-      }
-      location /martialarts/maqotw.xml { 
-          proxy_hide_header Content-Type;
-          add_header content-type "application/atom+xml";
-          rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
-      }
       proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
@@ -27,8 +27,19 @@ server {
       proxy_pass       http://127.0.0.1:3000;
     }
 
-    location /whatismyip
-    {
+    location /aninix.xml {
+        proxy_hide_header Content-Type;
+        add_header content-type "application/atom+xml";
+        rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
+    }
+
+    location /martialarts/maqotw.xml {
+        proxy_hide_header Content-Type;
+        add_header content-type "application/atom+xml";
+        rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
+    }
+
+    location /whatismyip {
         include ../conf.d/fastcgi.config;
         root /usr/share/webapps/aninix/;
         location ~* whatismyip {
@@ -36,12 +47,10 @@ server {
             expires max;
         }
     }
-    location /blackpage
-    {
+
+    location /blackpage {
         root /usr/share/webapps/aninix/;
         try_files $uri /blackpage.html;
     }
 
-    include letsencrypt.conf;
-
 }
diff --git a/roles/WebServer/files/conf.d/Core/adhan.conf b/roles/WebServer/files/conf.d/Core/adhan.conf
index 08bad48..a5edfd8 100644
--- a/roles/WebServer/files/conf.d/Core/adhan.conf
+++ b/roles/WebServer/files/conf.d/Core/adhan.conf
@@ -1,6 +1,6 @@
 server {
     listen      443 ssl http2;
-    server_name adhan.aninix.net; 
+    server_name adhan.aninix.net;
 
     include sec.conf;
     include default.csp.conf;
diff --git a/roles/WebServer/files/conf.d/Core/geth.conf b/roles/WebServer/files/conf.d/Core/geth.conf
index 1109928..fbb1b9e 100644
--- a/roles/WebServer/files/conf.d/Core/geth.conf
+++ b/roles/WebServer/files/conf.d/Core/geth.conf
@@ -1,4 +1,4 @@
-map $http_upgrade $connection_upgrade { 
+map $http_upgrade $connection_upgrade {
     default upgrade;
     ''      close;
 }
diff --git a/roles/WebServer/files/conf.d/Core/lykos-wiki.conf b/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
index 5dafe2d..de1855a 100644
--- a/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
+++ b/roles/WebServer/files/conf.d/Core/lykos-wiki.conf
@@ -2,7 +2,7 @@ server {
     listen      443 ssl;
     server_name lykos.aninix.net;
 
-    include letsencrypt.conf;    
+    include letsencrypt.conf;
 
     root /usr/share/webapps/;
 
diff --git a/roles/WebServer/files/conf.d/Core/password.conf b/roles/WebServer/files/conf.d/Core/password.conf
index 80256b8..0ec73e1 100644
--- a/roles/WebServer/files/conf.d/Core/password.conf
+++ b/roles/WebServer/files/conf.d/Core/password.conf
@@ -1,19 +1,19 @@
 server {
     listen      443 ssl http2;
-    server_name password.aninix.net; 
+    server_name password.aninix.net;
 
     include sec.conf;
     include default.csp.conf;
     include letsencrypt.conf;
 
     root /usr/share/webapps/self-service-password/htdocs/;
-    
+
     # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
     index index.php index.html index.htm;
- 
+
     # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
     sendfile off;
-     
+
     gzip on;
     gzip_comp_level 6;
     gzip_min_length 1000;
@@ -21,24 +21,24 @@ server {
     gzip_vary on;
     gzip_proxied any;
     gzip_disable "MSIE [1-6]\.(?!.*SV1)";
- 
+
     # Add stdout logging
-     
+
     #error_log /dev/stdout warn;
     #access_log /dev/stdout info;
-     
+
     include ../conf.d/fastcgi.config;
-     
+
     # deny access to . files, for security
     #
     location ~ /\.\. {
-    		log_not_found off; 
-    		deny all;
+        log_not_found off;
+        deny all;
     }
-     
+
     location ~ /scripts {
-    		log_not_found off; 
-    		deny all;
+        log_not_found off;
+        deny all;
     }
- 
+
 }
diff --git a/roles/WebServer/files/conf.d/Core/sharingan.conf b/roles/WebServer/files/conf.d/Core/sharingan.conf
index d3c3522..dacce8d 100644
--- a/roles/WebServer/files/conf.d/Core/sharingan.conf
+++ b/roles/WebServer/files/conf.d/Core/sharingan.conf
@@ -7,7 +7,7 @@ server {
     # include default.csp.conf;
     include local.conf;
     include letsencrypt.conf;
-    
+
 
     location /
     {
diff --git a/roles/WebServer/files/conf.d/Core/singularity.conf b/roles/WebServer/files/conf.d/Core/singularity.conf
index b3fe577..fcf57fc 100644
--- a/roles/WebServer/files/conf.d/Core/singularity.conf
+++ b/roles/WebServer/files/conf.d/Core/singularity.conf
@@ -1,6 +1,6 @@
 server {
     listen      443 ssl;
-    server_name singularity.aninix.net; 
+    server_name singularity.aninix.net;
 
     include sec.conf;
     include default.csp.conf;
diff --git a/roles/WebServer/files/conf/sec.conf b/roles/WebServer/files/conf/sec.conf
index f663cb3..85724fb 100644
--- a/roles/WebServer/files/conf/sec.conf
+++ b/roles/WebServer/files/conf/sec.conf
@@ -1,5 +1,5 @@
 ssl_dhparam          /etc/ssl/certs/dhparam.pem;
-ssl_certificate      /etc/letsencrypt/live/aninix.net-0001/fullchain.pem; 
+ssl_certificate      /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
 ssl_certificate_key  /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
 
 ssl_session_cache    shared:SSL:1m;
diff --git a/roles/WebServer/tasks/main.yml b/roles/WebServer/tasks/main.yml
index bcdc971..898fd19 100644
--- a/roles/WebServer/tasks/main.yml
+++ b/roles/WebServer/tasks/main.yml
@@ -58,13 +58,13 @@
    service:
      name: openresty
      state: stopped
-     enabled: no 
+     enabled: no
 
  - name: Ensure service is started
    become: yes
    when: conf.changed or confd.changed
    service:
-     name: "{{ item }}" 
+     name: "{{ item }}"
      enabled: yes
      state: restarted
    loop:
diff --git a/roles/WolfPack/tasks/main.yml b/roles/WolfPack/tasks/main.yml
new file mode 100644
index 0000000..23f1987
--- /dev/null
+++ b/roles/WolfPack/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+ - name: Packages
+   become: yes
+   package:
+     name:
+       - wolfpack
+
+ - name: Config
+   become: yes
+   copy:
+       src: "{{ inventory_hostname }}"
+       dest: /usr/local/etc/WolfPack
+
+ - name: Timer
+   become: yes
+   systemd:
+     name: "{{ wolfpack_service | default('wolfpack.timer') }}"
+     state: started
+     enabled: yes
+     daemon_reload: yes
+
+       # TODO Add sshfs and mountpoint for Darknet
+       # TODO Add config folders and restart daemon on change
+       # TODO Deprecate offload-wolfpack for Deluge move to sshfs
diff --git a/roles/Yggdrasil/tasks/main.yml b/roles/Yggdrasil/tasks/main.yml
index 9b9679f..fc16df8 100644
--- a/roles/Yggdrasil/tasks/main.yml
+++ b/roles/Yggdrasil/tasks/main.yml
@@ -3,12 +3,12 @@
  - name: Yggdrasil packages
    become: yes
    package:
-     name: 
+     name:
        - emby-server
 
  - name: Yggdrasil directories
    become: yes
-   file: 
+   file:
      path: "{{ item }}"
      state: directory
      owner: http
@@ -24,7 +24,7 @@
      - /srv/yggdrasil/Software
 
  - name: LiveTV channels
-   command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 {{ iptv_location }} 2>&1 | egrep -v '^--$'"
+   command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 '{{ iptv_location }}' 2>&1 | egrep -v '^--$'"
    register: livetv_channels
 
  - name: Write to file
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..2c336fd
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+ - debug:
+      msg: Importing common handlers.
+
+        ### DO NOT CHANGE THIS FILE
diff --git a/roles/hardware/tasks/main.yml b/roles/hardware/tasks/main.yml
index 5697181..b8cec13 100644
--- a/roles/hardware/tasks/main.yml
+++ b/roles/hardware/tasks/main.yml
@@ -24,7 +24,7 @@
      group: root
      mode: 0700
    register: udev_iosched
-     
+
  - name: Reload udev
    become: yes
    command: /bin/bash -c 'udevadm control --reload; udevadm trigger'
diff --git a/roles/patching/tasks/main.yml b/roles/patching/tasks/main.yml
index 046b0f8..1772ea4 100644
--- a/roles/patching/tasks/main.yml
+++ b/roles/patching/tasks/main.yml
@@ -4,8 +4,8 @@
       register: df_output
 
     - name: Verify /var space
-      assert: 
-        that: 
+      assert:
+        that:
           - 90 > {{ df_output.stdout }}
         fail_msg: "Not enough free space"
 
diff --git a/tests/test_net-detect.py b/tests/test_net-detect.py
deleted file mode 100644
index 2b250dc..0000000
--- a/tests/test_net-detect.py
+++ /dev/null
@@ -1,7 +0,0 @@
-import os
-import re
-import pytest
-from modules import netdetect
-
-def test_netdetect_usage():
-    assert True