Finalizing Cyberbrain role
This commit is contained in:
parent
cea66f285a
commit
e244895552
GPG Key ID:
1CC1E3F4ED06F296
|
|
@ -1,12 +1,16 @@
|
|||
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
|
||||
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX.
|
||||
|
||||
**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
|
||||
It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
|
||||
|
||||
# Etymology
|
||||
A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user.
|
||||
|
||||
# Relevant Files and Software
|
||||
This service uses a file, [/etc/conf.d/webssh](file:///etc/conf.d/webssh), to control the service. Additionally, there's a password file [/opt/openresty/nginx/passwords/cyberbrain.htpasswd](file:///opt/openresty/nginx/passwords/cyberbrain.htpasswd) that controls an initial authentication to the webserver socket.
|
||||
This service is deployed as a Docker image from [FileStash](https://www.filestash.app/docs/install-and-upgrade/). This image is pointed back at the AniNIX/Yggdrasil's SFTP service.
|
||||
|
||||
Configuration is done in [the app](http://10.0.1.8:8334/admin/). A unique password should be configured, and then the only authorized backend is SFTP with passthrough authentication on the 'username_and_password' strategy. The SFTP host is then jailed as AniNIX/Yggdrasil's internal IP and port, with the `{{ .user }}` and `{{ .password }}` attributes populated.
|
||||
|
||||
This app can be proxied to the outside world and protected by encryption & a web-application firewall. This happens through [a WebServer configuration file](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf.d/Core/adhan.conf).
|
||||
|
||||
## Backups
|
||||
No backup is needed.
|
||||
|
|
|
|||
|
|
@ -1,22 +0,0 @@
|
|||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name cyberbrain.aninix.net;
|
||||
|
||||
include sec.conf;
|
||||
include default.csp.conf;
|
||||
include letsencrypt.conf;
|
||||
|
||||
location /
|
||||
{
|
||||
auth_basic "Cyberbrain";
|
||||
auth_basic_user_file ../passwords/cyberbrain.htpasswd;
|
||||
proxy_pass http://127.0.0.1:8822;
|
||||
proxy_http_version 1.1;
|
||||
proxy_read_timeout 300;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Real-PORT $remote_port;
|
||||
}
|
||||
}
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
[Unit]
|
||||
Description=AniNIX/Cyberbrain | SSH Web Front End, powered by python-webssh
|
||||
|
||||
[Service]
|
||||
User=webssh
|
||||
EnvironmentFile=/etc/conf.d/webssh
|
||||
ExecStart=/usr/bin/wssh $WEBSSH_ARGS
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -1,71 +0,0 @@
|
|||
---
|
||||
- name: Install python-webssh
|
||||
become: yes
|
||||
package:
|
||||
name: python-webssh
|
||||
state: present
|
||||
|
||||
- name: Standardize the servicefile
|
||||
become: yes
|
||||
register: servicefile
|
||||
copy:
|
||||
src: cyberbrain.service
|
||||
dest: /usr/lib/systemd/system/cyberbrain.service
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Ensure default webssh service file is off.
|
||||
become: yes
|
||||
service:
|
||||
name: webssh
|
||||
state: stopped
|
||||
enabled: no
|
||||
|
||||
- systemd:
|
||||
daemon_reload: true
|
||||
when: servicefile.changed
|
||||
become: yes
|
||||
|
||||
- name: Ensure service is restarted
|
||||
when: servicefile.changed
|
||||
become: yes
|
||||
service:
|
||||
name: cyberbrain.service
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: Ensure service is started
|
||||
when: not servicefile.changed
|
||||
become: yes
|
||||
service:
|
||||
name: cyberbrain.service
|
||||
enabled: yes
|
||||
state: started
|
||||
|
||||
- name: Add the webserver conf file
|
||||
become: yes
|
||||
register: webserver_conf
|
||||
copy:
|
||||
src: cyberbrain.conf
|
||||
dest: /opt/openresty/nginx/conf.d/cyberbrain.conf
|
||||
owner: root
|
||||
group: http
|
||||
mode: 0750
|
||||
|
||||
- name: Ensure the password file is seeded
|
||||
become: yes
|
||||
template:
|
||||
src: cyberbrain.htpasswd.j2
|
||||
dest: /opt/openresty/nginx/passwords/cyberbrain.htpasswd
|
||||
owner: root
|
||||
group: http
|
||||
mode: 0750
|
||||
|
||||
- name: Reload openresty
|
||||
become: yes
|
||||
when: webserver_conf.changed
|
||||
service:
|
||||
name: openresty.service
|
||||
state: reloaded
|
||||
|
||||
|
|
@ -1 +0,0 @@
|
|||
cyberbrain:{PLAIN}{{ passwords.Cyberbrain }}
|
||||
|
|
@ -2,47 +2,14 @@ server {
|
|||
listen 443 ssl;
|
||||
server_name cyberbrain.aninix.net;
|
||||
|
||||
include conf/local.conf;
|
||||
|
||||
root /usr/share/webapps/;
|
||||
|
||||
client_max_body_size 5m;
|
||||
client_body_timeout 60;
|
||||
|
||||
include conf.d/fastcgi.config;
|
||||
|
||||
location /mediawiki-gb/ {
|
||||
try_files $uri $uri/ @rewrite;
|
||||
rewrite ^/mediawiki-gb/(.*)$ /mediawiki/index.php?title=$1&$args;
|
||||
rewrite ^$ /mediawiki-gb/Main_Page;
|
||||
rewrite ^/$ /mediawiki-gb/Main_Page;
|
||||
rewrite ^mediawiki-gb$ /mediawiki-gb/Main_Page;
|
||||
rewrite ^mediawiki-gb/$ /mediawiki-gb/Main_Page;
|
||||
}
|
||||
|
||||
location /mediawiki-ma/ {
|
||||
try_files $uri $uri/ @rewrite;
|
||||
rewrite ^/mediawiki-ma/(.*)$ /mediawiki/index.php?title=$1&$args;
|
||||
rewrite ^$ /mediawiki-ma/Main_Page;
|
||||
rewrite ^/$ /mediawiki-ma/Main_Page;
|
||||
rewrite ^mediawiki-ma$ /mediawiki-ma/Main_Page;
|
||||
rewrite ^mediawiki-ma/$ /mediawiki-ma/Main_Page;
|
||||
}
|
||||
|
||||
location ^~ /maintenance/ {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
|
||||
try_files $uri /mediawiki/index.php;
|
||||
expires max;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
location ^~ /cache/ {
|
||||
location ^~ /admin {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://10.0.1.8:8334;
|
||||
}
|
||||
|
||||
include conf/letsencrypt.conf;
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue