Whitespace cleanup to get in sync with AniNIX/Uniglot hooks

This commit is contained in:
DarkFeather 2022-11-20 20:03:01 -06:00
parent a43cb4b6bb
commit a34c96df6b
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
96 changed files with 713 additions and 400 deletions

.gitignore vendored

@ -3,7 +3,9 @@ roles/Nazara/files/dns
roles/Nazara/files/dhcp
roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist
venv/
roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**
**pkg.tar.zst
# ---> Python


@ -38,7 +38,7 @@ all:
static: true
sslidentity: aninix.net-0001
secdetection: true
iptv_location: Milwaukee
iptv_location: "Milwaukee|Madison"
Node0:
ipinterface: enp1s0f0
ip: 10.0.1.4
@ -147,7 +147,7 @@ all:
cores: 2
memory: 2
bridge: br0
vnc: 6
vnc: 10
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
test2:
@ -157,7 +157,7 @@ all:
cores: 2
memory: 2
bridge: br0
vnc: 5
vnc: 11
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
test3:
@ -167,7 +167,7 @@ all:
cores: 2
memory: 2
bridge: br0
vnc: 4
vnc: 12
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
appliances:
@ -183,7 +183,7 @@ all:
mac: 70:74:14:4F:8E:42
Games:
ip: 10.0.1.66
mac: 00:1F:BC:10:1C:F8
mac: E0:BE:03:77:0E:88
Print:
ip: 10.0.1.67
mac: 00:80:92:77:CE:E4
@ -201,7 +201,7 @@ all:
mac: 80:D2:1D:17:63:10
Tachikoma:
ip: 10.0.1.72
mac: B8:76:3F:70:DB:C1
mac: 90:0f:0c:1a:d3:23
Dedsec:
ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F


@ -12,7 +12,7 @@
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
#
- hosts: "{{ targets | default('all') }}"
- hosts: "{{ targets | default('managed') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true


@ -1,19 +0,0 @@
#!/bin/bash
cd ~/src/Ubiqtorate/roles
if [ -n "$(git status | grep roles &>/dev/null)" ]; then
echo There are roles that are not committed yet.
exit 1;
fi
unset bad
for i in `ls -1`; do
if ! grep "$i" ../playbooks/deploy.yml &>/dev/null; then
echo "$i is not used in playbooks/deploy.yml"
bad="1"
fi
done
if [ -n "$bad" ]; then
exit 1;
fi


@ -0,0 +1,10 @@
#!/bin/bash
# Limit files in git to 1M.
find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|\s./.git/'
if [ $? -ne 1 ]; then
echo
echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
exit 1;
fi
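Review bot: The size pattern on the `find | egrep -v` line admits only one- to three-digit `du -k` values, so everything from 1000 KiB upward is flagged, a slightly lower cut-off than the 1M the comment states, and the `.` in `\s./.git/` is an unescaped wildcard rather than a literal dot. Both go away if find does the filtering itself: `find . -path ./.git -prune -o -type f -size +1024k -print | grep .`, which also avoids spawning one `du` per file; the following `if [ $? -ne 1 ]` keeps working because `grep .` exits 1 exactly when nothing was printed. If the pattern is kept instead, `egrep` is deprecated in favour of `grep -E`.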


@ -0,0 +1,14 @@
#!/bin/bash
retcode=0
for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
echo "Need MOTD for $host"
retcode=1;
fi
if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
echo "Need Sharingan-Data file for $host"
retcode=1;
fi
done
exit $retcode
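Review bot: If `ansible --list-hosts` fails (an unreadable inventory path, for example), the backtick substitution on the `for` line expands to nothing, the loop body never runs and the hook exits 0, so a broken inventory passes the check silently. Capture the listing first and fail on error: `hosts=$(ansible -i examples/msn0.yml --list-hosts managed) || exit 1` followed by `for host in $(printf '%s\n' "$hosts" | grep -v ' hosts '); do`. The `$(...)` form also replaces the backticks, which shellcheck flags.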


@ -0,0 +1,28 @@
#!/bin/bash
# Ignore Ansibilized templates.
saferegex='\s+}}"?\s*$'
# Ignore comments
saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//'
# Ignore binary file matches.
saferegex="$saferegex"'|binary\ file\ matches'
# AniNIX Constructs
saferegex="$saferegex"'|password.aninix.net|aur.list'
# Web constructs
saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex="$saferegex"'|haveibeenpwned'
# Unset variables.
saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
egrep -ir 'secret|password|pw|passphrase' roles/*/{files,templates} 2>&1 | egrep -v "$saferegex"
if [ $? -ne 1 ]; then
echo
echo If these are false positives, you need to add the signature to the whitelist in $0.
echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
exit 1;
fi
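Review bot: The bracket expression `[a-z,A-Z,0-9,_,-,/,.]` in the comment-line whitelist contains no literal hyphen: `,-,` is parsed as a range from comma to comma, so a comment line in any file whose path contains `-` is reported as a hit instead of being skipped. The unescaped dots in `.css:|.html:|.md:` have the opposite effect: `.md:` matches any text ending in `md:` (a `cmd:` key, for instance), silently whitelisting lines that may carry a real secret. Suggest `[A-Za-z0-9_/.-]` for the class and `\.css:|\.html:|\.md:` for the suffixes. With `2>&1` on the first egrep an error message is pushed through the filter and fails the hook, which is conservative but worth a one-line comment so nobody "fixes" it.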


@ -26,3 +26,9 @@
- debug:
msg: "Remember to use the nordvpn-bin command to set up your account."
# TODO Add yaml for OVPN file, user, pass to Vault
# TODO Enforce vpn.service on server instead of nordvpnd.
# TODO Add /etc/bashrc.d file for `alias torlynx='torsocks elinks https://check.torproject.org/'`
# TODO Add monit checks for tor and openvpn services
# TODO Shift deluged to WolfPack


@ -0,0 +1,8 @@
---
# Consider https://blackarch.org/blackarch-guide-en.pdf
- name: Install DedSec packages
become: yes
package:
name:
- tcpdump
- wireshark


@ -1,7 +1,5 @@
#!/bin/bash
set -x
URI=https://aninix.net/assets/css/theme-arc-green.css
# Gitea arc-green palette



@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
/srv/yggdrasil/Pictures/AniNIX/Icons/



@ -17,7 +17,7 @@
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<a href="/user/login?redirect_to=%2fAniNIX_Martial_Arts">Open-source</a>
<a href="/mawiki">Open-source</a>
</h1>
<p class="large">
We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.


@ -13,7 +13,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<h1 class="hero ui icon header">
<img width=20px height=20px src='/img/icons/CoreIcon.png'/>
<img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
Cybersecurity Consulting
</h1>
<p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
@ -91,5 +91,17 @@
<! -- END STRIPE CODE -->
</p>
</div>
<hr style="margin-top: 50px;" />
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<hr style="margin-top: 50px;" />
<h2>Donate</h2>
<p>If you like what we do, you can also donate on one of these platforms:</p>
<ul style="width:500px;text-align: left;margin:auto;">
<li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
<li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
<li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
<li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
</ul>
</div>
</div>


@ -1,7 +1,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="/img/icons/CoreIcon.png" />
<img class="logo" src="/assets/img/icons/CoreIcon.png" />
</div>
<div class="hero">
<h2 class="ui icon header title">


@ -0,0 +1,10 @@
---
- name: Install Games packages
become: yes
package:
name:
- mgba-qt
- steam
- steam-native-runtime
- discord


@ -0,0 +1,29 @@
---
- user:
name: "{{ item }}"
state: present
shell: "{{ daemon_shell | default('/sbin/nologin') }}"
local: yes
groups: ircd
loop:
- bitbot
- dsbridge
- theraven
- werewolf
# Install TheRaven package
- package:
name:
- TheRaven
- git:
repo: 'https://github.com/jesopo/bitbot.git'
dest: /usr/local/src/bitbot/
clone: yes
update: yes
- git:
repo:
-

roles/Maat/tasks/main.yml Normal file

@ -0,0 +1,10 @@
---
- name: Sharingan packages
become: yes
package:
name:
- openvas
- greenbone-security-assistant
- elasticsearch6
- mongodb
- graylog
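Review bot: The single task in the new `roles/Maat/tasks/main.yml` is named `Sharingan packages`, while the other role files added in this commit follow the `Install <Role> packages` pattern (`Install DedSec packages`, `Install Games packages`, `Install Tachikoma packages`); rename it `- name: Install Maat packages` so play output attributes the install to the right role. If the list really belongs to Sharingan, it should live in that role's tasks instead.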


@ -1,23 +1,21 @@
---
- name: SSH
- name: SSH (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux"
package:
state: present
name:
- bash
- sudo
- openssh
- name: SSH Config
- name: SSH (Raspbian)
become: yes
copy:
src: ssh_config
dest: /etc/ssh/ssh_config
- name: SSHD Config
become: yes
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
when: ansible_os_family == "Debian"
package:
state: present
name:
- openssh-server
- openssh-client
- name: Mark SSH keys as immutable
become: yes
@ -46,3 +44,38 @@
name: "{{ ansible_user_id }}"
groups: ssh-allow
append: yes
- name: Copy the SSH key
authorized_key:
user: "{{ ansible_user_id }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"
- name: SSH Config
become: yes
copy:
src: ssh_config
dest: /etc/ssh/ssh_config
- name: SSHD Config
become: yes
register: sshd_config
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
- name: Restart SSHD (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux" and sshd_config.changed
service:
name: sshd
state: restarted
enabled: yes
- name: Restart SSHD (Raspbian)
become: yes
when: ansible_os_family == "Debian" and sshd_config.changed
service:
name: ssh
state: restarted
enabled: yes
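Review bot: The `SSHD Config` copy task in the second hunk replaces `/etc/ssh/sshd_config` and the two restart tasks then bounce sshd whenever it changed, so a config with a typo locks every remote session out of the host; the copy module's `validate` option guards this, `validate: /usr/sbin/sshd -t -f %s` under `dest: /etc/ssh/sshd_config`. Neither copy task sets `owner`, `group` or `mode`, unlike the copies in the new `bash.yml`, so add `owner: root` and `mode: 0644` to both. The pair of conditional restart tasks could collapse into one `notify`-driven handler with `name: "{{ 'sshd' if ansible_os_family == 'Archlinux' else 'ssh' }}"`, but that is style only.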


@ -0,0 +1,10 @@
#
# /etc/bash.bashrc
#
# If not running interactively, don't do anything
[[ $- != *i* ]] && return
[[ $DISPLAY ]] && shopt -s checkwinsize
[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion


@ -0,0 +1,32 @@
" All system-wide defaults are set in $VIMRUNTIME/archlinux.vim (usually just
" /usr/share/vim/vimfiles/archlinux.vim) and sourced by the call to :runtime
" you can find below. If you wish to change any of those settings, you should
" do it in this file (/etc/vimrc), since archlinux.vim will be overwritten
" everytime an upgrade of the vim packages is performed. It is recommended to
" make changes after sourcing archlinux.vim since it alters the value of the
" 'compatible' option.
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages.
runtime! archlinux.vim
" If you prefer the old-style vim functionalty, add 'runtime! vimrc_example.vim'
" Or better yet, read /usr/share/vim/vim74/vimrc_example.vim or the vim manual
" and configure vim to your own liking!
syntax on
filetype on
" Support CSharp files like Java
au BufNewFile,BufRead *.csharp set filetype=java
au BufNewFile,BufRead *.cs set filetype=java
set number
set mouse-=a
colorscheme desert
" This establishes the indenting policy.
filetype plugin indent on
" show existing tab with 4 spaces width
set tabstop=4
" when indenting with '>', use 4 spaces width
set shiftwidth=4
" On pressing tab, insert 4 spaces
set expandtab


@ -0,0 +1,37 @@
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- name: Bashrc
become: yes
copy:
src: bashrc
dest: /etc/bashrc
owner: root
group: root
mode: 0644
- name: vimrc
become: yes
copy:
src: vimrc
dest: /etc/vimrc
owner: root
group: root
mode: 0644


@ -58,10 +58,14 @@
ignore_errors: yes
register: root_password_test
vars:
ansible_become_user: "{{ item }}"
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
command: id
loop:
- root
- "{{ ansible_user_id }}"
- name: Define passwords
vars:
@ -70,7 +74,7 @@
become: yes
when: root_password_test.rc is not defined or root_password_test.rc != 0
command:
cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
loop:
- root
- "{{ ansible_user_id }}"
@ -163,24 +167,6 @@
hostname:
name: "{{ inventory_hostname }}.{{ replica_domain }}"
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- include: archlinux-network.yml
when: ansible_os_family == "Archlinux"
@ -190,3 +176,5 @@
- include: dns.yml
- include: ntp.yml
- include: bash.yml
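Review bot: The new `chpasswd` line in the second hunk (`@ -70,7 +74,7`) embeds the password in a shell command line: a password containing `'` breaks the single quotes, the `echo` argument is visible in `ps` on the target while the command runs, and without `no_log: true` the full command, password included, is printed in the Ansible output on failure or under `-v`. `chpasswd` reads `user:password` pairs from stdin and, in the shadow implementation, takes no positional user name, so the trailing `{{ item }}` is at best ignored and may be rejected as a usage error. The `command` module's `stdin` option delivers the pair without any shell, as below; the same `no_log: true` belongs on the `id` test in the first hunk, whose `ansible_become_password` is the same secret.
```yaml
      command:
        cmd: chpasswd
        stdin: "{{ item }}:{{ passwords[inventory_hostname] }}"
      no_log: true
      # … unchanged: loop over root and ansible_user_id …
```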


@ -7,7 +7,7 @@
## performed should a test fail.
check system $HOST
if loadavg (1min) per core > 2 for 25 times within 30 cycles then exec "/etc/monit.d/scripts/critical Load average is high"
if memory usage > 75% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
if memory usage > 90% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
if swap usage > 25% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Swap is overused."
group system
#


@ -0,0 +1,2 @@
check program warrant_canary with path "/etc/monit.d/scripts/check-warrant-canary"
if status != 0 then exec "/etc/monit.d/scripts/critical Warrant Canary needs to be updated"


@ -1 +1,2 @@
include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/warrant-canary"


@ -0,0 +1,27 @@
#!/bin/bash
daysinadvance=14
url=https://aninix.net/AniNIX/WarrantCanary/raw/branch/main/canary
# ID the update expected date
canarydate="$(curl -s "$url" | grep -A 1 'next two updates' | tail -n 1 | sed 's/^..//' )"
if [ -z "$canarydate" ]; then
echo "Cannot identify the canary's next time."
exit 2
fi
epochcanarydate="$(date -d "$canarydate" +%s)"
# Remove a one-month padding
updatecanarydate=$(( $epochcanarydate - 2592000 ))
# ID today
today="$(date +%s)"
if [[ $today -gt $updatecanarydate ]]; then
echo Time to reseed the warrant canary.
exit 2
else
echo Warrant canary seems to have the right time.
exit 0
fi
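Review bot: `daysinadvance=14` on the second line is never read; the padding is hard-coded as `2592000` seconds (30 days) and the comment calls it one month, so the variable, the constant and the comment disagree. Use the variable, `updatecanarydate=$(( epochcanarydate - daysinadvance * 86400 ))`, and reword the comment to `# Warn daysinadvance days before the canary's next update is due`. `curl -s "$url"` has no `--fail` or `--max-time`, so a hung fetch hangs the monit check; `curl -sf --max-time 30 "$url"` bounds it, and an HTTP error then yields the empty result the next line already turns into exit 2.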


@ -153,7 +153,8 @@ set log syslog
set httpd port 2812 and
use address localhost # only accept connection from localhost (drop if you use M/Monit)
allow localhost # allow localhost to connect to the server and
allow admin:"{{ monitcli | default('monit') }}" # require user 'admin' with password 'monit'
# require user 'admin' with password
allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
#with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem
#}
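Review bot: `secrets[Sharingan][monit]` on the new `allow admin:` line subscripts with the bare names `Sharingan` and `monit`, which Jinja2 reads as variables rather than string keys; unless both happen to be defined the lookup is undefined and `| default('monit')` quietly supplies the fallback, so the generated monitrc carries the admin password `monit` even when the vault holds a real one. Write the keys as strings: `allow admin:"{{ secrets['Sharingan']['monit'] | default('monit') }}"`. Consider dropping the default altogether here: a template that fails to render on a missing secret is easier to notice than a known password on the httpd port, even with the listener bound to localhost.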


@ -0,0 +1,47 @@
---
- name: Install Tachikoma packages
become: yes
package:
name:
- wifi-menu
- weechat
- elinks
- conky
- xfce4
- xfce4-goodies
- xfce4-screenshooter
- xscreensaver
- libreoffice-still
- hunspell
- hunspell-en_us
- google-chrome
- keepassxc
- sshfs
- vlc
- cups
- brother-mfc-j430w
- brscan4
- xsane
- mtpfs
- libmtp
- alsamixer
- name: Remove deprecated packages
become: yes
package:
name:
- chromium
- keepassx
- kpcli
- irssi
- lynx
- name: Enable services
become: yes
service:
name: "{{ item }}"
state: running
enabled: yes
with:
- cups.service
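Review bot: The `Remove deprecated packages` task has no `state: absent`, so with the `package` module's default of `present` it installs chromium, keepassx, kpcli, irssi and lynx instead of removing them; add `state: absent` next to `name:`. On the `Enable services` task, `with:` is not a loop keyword (`loop:` or `with_items:`), so the play should fail to parse that task, and `state: running` is not one of the `service` module's documented states (`started`, `stopped`, `restarted`, `reloaded`) — `state: started` is what is meant.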


@ -1,25 +1,25 @@
server {
listen 443 ssl http2;
server_name default_server;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
server {
listen 443 ssl http2;
server_name aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
location /
{
rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
location / {
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
location /aninix.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
}
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
}
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
@ -27,8 +27,19 @@ server {
proxy_pass http://127.0.0.1:3000;
}
location /whatismyip
{
location /aninix.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
}
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
}
location /whatismyip {
include ../conf.d/fastcgi.config;
root /usr/share/webapps/aninix/;
location ~* whatismyip {
@ -36,12 +47,10 @@ server {
expires max;
}
}
location /blackpage
{
location /blackpage {
root /usr/share/webapps/aninix/;
try_files $uri /blackpage.html;
}
include letsencrypt.conf;
}
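Review bot: `server_name default_server;` near the top of the first hunk makes `default_server` a literal host name; the catch-all flag belongs on the listen directive, `listen 443 ssl http2 default_server;`, so the redirect-to-aninix.net block is only the catch-all because it happens to be first in the file. The line reads as context rather than part of this change, but the hunk rewrites the block around it. The `rewrite /shadowarch …` line in the same hunk ends without `;`: if it survives on the new side nginx rejects the config, and if it was removed the `/shadowarch` path silently stops working, so either way it deserves a look.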


@ -32,13 +32,13 @@ server {
# deny access to . files, for security
#
location ~ /\.\. {
log_not_found off;
deny all;
log_not_found off;
deny all;
}
location ~ /scripts {
log_not_found off;
deny all;
log_not_found off;
deny all;
}
}


@ -0,0 +1,25 @@
---
- name: Packages
become: yes
package:
name:
- wolfpack
- name: Config
become: yes
copy:
src: "{{ inventory_hostname }}"
dest: /usr/local/etc/WolfPack
- name: Timer
become: yes
systemd:
name: "{{ wolfpack_service | default('wolfpack.timer') }}"
state: started
enabled: yes
daemon_reload: yes
# TODO Add sshfs and mountpoint for Darknet
# TODO Add config folders and restart daemon on change
# TODO Deprecate offload-wolfpack for Deluge move to sshfs


@ -24,7 +24,7 @@
- /srv/yggdrasil/Software
- name: LiveTV channels
command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 {{ iptv_location }} 2>&1 | egrep -v '^--$'"
command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 '{{ iptv_location }}' 2>&1 | egrep -v '^--$'"
register: livetv_channels
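Review bot: Quoting `{{ iptv_location }}` fixes the `|` in the new `Milwaukee|Madison` inventory value, but the value is still spliced into a `bash -c` string, so a value containing `'` would escape the quotes and the shell would run whatever follows; use the `quote` filter, `egrep -A 1 {{ iptv_location | quote }}`, and prefer `shell:` over `command: /bin/bash -c`, which bypasses the no-shell guarantee the `command` module exists for. The `2>&1` on the pipeline folds curl and egrep errors into the registered `livetv_channels`, which the following `Write to file` task appears to persist; that task is outside the hunk, so this is inferred.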
- name: Write to file


@ -0,0 +1,5 @@
---
- debug:
msg: Importing common handlers.
### DO NOT CHANGE THIS FILE


@ -1,7 +0,0 @@
import os
import re
import pytest
from modules import netdetect
def test_netdetect_usage():
assert True