Compare commits
24 Commits
main
...
improved-i
Author | SHA1 | Date |
---|---|---|
DarkFeather | 9366d8b6d7 | |
DarkFeather | 5c3eb7f358 | |
DarkFeather | 33cf371a0d | |
DarkFeather | 9aa0a89b79 | |
DarkFeather | 3a01543c8b | |
DarkFeather | 87973dfb6e | |
DarkFeather | 85286b5412 | |
DarkFeather | 6f36d515e3 | |
DarkFeather | 323b4dd306 | |
DarkFeather | e75d03a313 | |
DarkFeather | 930441ae9a | |
DarkFeather | f9a3bd789b | |
DarkFeather | 15dd844093 | |
DarkFeather | 43d7375dae | |
DarkFeather | cd3210c5fb | |
DarkFeather | 221ce69a80 | |
DarkFeather | 1ca0272031 | |
DarkFeather | e244895552 | |
DarkFeather | cea66f285a | |
DarkFeather | 50167c0f03 | |
DarkFeather | 7b98c953b1 | |
DarkFeather | 528af8b0f5 | |
DarkFeather | 9b317d1677 | |
DarkFeather | 5fa67890c2 |
|
@ -1,12 +1,14 @@
|
||||||
# Generated files
|
# Generated files
|
||||||
roles/Node/files/*-vm.service
|
roles/Node/files/*-vm.service
|
||||||
roles/Nazara/files/dns
|
roles/Chappaai/files/dns
|
||||||
roles/Nazara/files/dhcp
|
roles/Chappaai/files/dhcp
|
||||||
roles/Node/files/vm-definitions/**
|
roles/Node/files/vm-definitions/**
|
||||||
roles/ShadowArch/files/mirrorlist
|
roles/ShadowArch/files/mirrorlist
|
||||||
roles/Sharingan/files/monit/checks/availability
|
roles/Sharingan/files/monit/checks/availability
|
||||||
roles/Foundation/files/custom/public/img/**
|
roles/Foundation/files/custom/public/img/**
|
||||||
|
roles/Maat/files/pacoloco.yaml
|
||||||
venv/**
|
venv/**
|
||||||
|
wiki/**
|
||||||
**/pkg/**
|
**/pkg/**
|
||||||
**/src/**
|
**/src/**
|
||||||
**pkg.tar.zst
|
**pkg.tar.zst
|
||||||
|
|
4
PKGBUILD
4
PKGBUILD
|
@ -4,10 +4,10 @@ pkgrel=1
|
||||||
pkgrel() {
|
pkgrel() {
|
||||||
git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit
|
git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit
|
||||||
}
|
}
|
||||||
epoch=
|
epoch="$(git log | grep -c commit)"
|
||||||
pkgdesc="$(head -n 1 README.md)"
|
pkgdesc="$(head -n 1 README.md)"
|
||||||
arch=("x86_64")
|
arch=("x86_64")
|
||||||
url="https://aninix.net/foundation/${pkgname}"
|
url="$(git config remote.origin.url | sed 's/.git$//')"
|
||||||
license=('custom')
|
license=('custom')
|
||||||
groups=()
|
groups=()
|
||||||
depends=('bash>=4.4' 'python>=3.11' 'ansible>=8.3' 'tmux' 'openssh')
|
depends=('bash>=4.4' 'python>=3.11' 'ansible>=8.3' 'tmux' 'openssh')
|
||||||
|
|
26
README.md
26
README.md
|
@ -1,10 +1,10 @@
|
||||||
This project will discover and provide inventory intelligence to Sora, Shadowfeed, Geth, and Sharingan.
|
This project is our Infrastructure-as-Code solution, detailing the deployment & some repeatable operational tasks of the AniNIX.
|
||||||
|
|
||||||
*Note*: This project is in progress -- former Makefiles from [ConfigPackages](/AniNIX/ConfigPackages) are being upgraded into Ansible playbooks here.
|
|
||||||
|
|
||||||
# Etymology
|
# Etymology
|
||||||
|
|
||||||
It is named after the fictional Star Wars Imperial Intelligence organization that oversaw the various divisions of Intelligence and orchestrated their operations. Like its namesake, this project oversees the various tools within our ecosystem and enforces compliance with standards.
|
It is named after flagship carrier Kapisi from the game [Homeworld: Deserts of Kharak](https://store.steampowered.com/app/281610?snr=5000_5100___primarylinks). The carrier was the command and production center of Operation Khadiim, an expedition to understand an anomaly on their world & escape the fanaticism of their Gaalsien rivals. The S'jet were able to succeed in this mission not only due to the military efficacy of their forces but also through the research and production capabilities available to the Kapisi.
|
||||||
|
|
||||||
|
This project seeks to give other admins and engineers to launch their own infrastructures and break out of any strangleholds that may have entangled them, whether that is tribalism, vendor lock, or stigma.
|
||||||
|
|
||||||
# Relevant Files and Software
|
# Relevant Files and Software
|
||||||
|
|
||||||
|
@ -14,7 +14,7 @@ export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/password-store/${organization}.vault.pa
|
||||||
export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault
|
export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault
|
||||||
```
|
```
|
||||||
|
|
||||||
Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own.
|
Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. The scripts here expect inventories to have layers of groups -- the top group under `all` must be managed vs. unmanaged. The rest of the scripts use YAMLPath to sort out the rest of the groups.
|
||||||
|
|
||||||
Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/).
|
Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/).
|
||||||
|
|
||||||
|
@ -30,14 +30,22 @@ We've also added two scripts in `./bin` to make your life easier:
|
||||||
|
|
||||||
Happy hacking!
|
Happy hacking!
|
||||||
|
|
||||||
## Exceptions
|
# Etymology
|
||||||
|
|
||||||
Some services, such as AniNIX/Sharingan and AniNIX/Geth, store their configuration in internal datastructures and databases such that we cannot easily export our build for others to use. We will document what we have done for each of these as best we can in the README.md files for others to replicate. Backups of these services into AniNIX/Aether are therefore dumps of these databases and not available to share.
|
The [Ubiqtorate](https://starwars.fandom.com/wiki/Ubiqtorate/Legends) was a far-reaching security orchestration entity within Palpatine's Empire. It was mean to collect and act on intelligence to improve the security posture of the regime. We use this project similarly -- Ubiqtorate is the Infrastructure-as-Code behind the throne, making changes and ensuring services stay in line.
|
||||||
|
|
||||||
|
# Relevant Files and Software
|
||||||
|
|
||||||
|
This project is mostly built on [Ansible](https://docs.ansible.com/). You will need to understand inventories, playbooks, and vaults at the minimum.
|
||||||
|
|
||||||
# Available Clients
|
# Available Clients
|
||||||
|
|
||||||
This service is a management tool -- its files get used by the Ansible toolset. There are no clients to connect directly to this service, as we have chosen a serverless approach.
|
None -- this project is used to describe actions for other services to take.
|
||||||
|
|
||||||
# Equivalents or Competition
|
# Equivalents or Competition
|
||||||
|
|
||||||
This service is our elected Infrastructure-as-Code solution -- many professional tools like Ansible Tower, Terraform, etc. do the same thing. Some apps ship OVA's, or prebuilt images, of their software. Docker registries also serve as similar way to document the means by which services are built.
|
Similar tools include Puppet, chef, salty, Ansible Tower, Terraform, etc. We have chosen to go the raw Ansible route, so that we don't have to maintain the build infrastructure separately and to make our responses more agile.
|
||||||
|
|
||||||
|
# Exceptions
|
||||||
|
|
||||||
|
Some services, such as AniNIX/Sharingan and AniNIX/Geth, store their configuration in internal datastructures and databases such that we cannot easily export our build for others to use. We will document what we have done for each of these as best we can in the README.md files for others to replicate. Backups of these services into AniNIX/Aether are therefore dumps of these databases and not available to share.
|
||||||
|
|
|
@ -11,6 +11,7 @@
|
||||||
import os
|
import os
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
|
import re
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
rolepath='../roles/Sharingan/files'
|
rolepath='../roles/Sharingan/files'
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
# File: generate-pihole-dns-dhcp.py
|
# File: generate-pihole-dns-dhcp.py
|
||||||
#
|
#
|
||||||
# Description: This file generates the DNS and DHCP files for pihole.
|
# Description: This file generates the DNS and DHCP files for pihole.
|
||||||
|
# It expects that the inventory has two levels of grouping.
|
||||||
#
|
#
|
||||||
# Package: AniNIX/Ubiqtorate
|
# Package: AniNIX/Ubiqtorate
|
||||||
# Copyright: WTFPL
|
# Copyright: WTFPL
|
||||||
|
@ -9,43 +10,37 @@
|
||||||
# Author: DarkFeather <darkfeather@aninix.net>
|
# Author: DarkFeather <darkfeather@aninix.net>
|
||||||
|
|
||||||
import os
|
import os
|
||||||
|
import re
|
||||||
import subprocess
|
import subprocess
|
||||||
import sys
|
import sys
|
||||||
import yaml
|
from kapisi_lib import *
|
||||||
|
|
||||||
rolepath='../roles/Nazara/files'
|
rolepath='../roles/Chappaai/files'
|
||||||
dnsfilepath=rolepath+"/dns"
|
dnsfilepath=rolepath+"/dns"
|
||||||
dhcpfilepath=rolepath+"/dhcp"
|
dhcpfilepath=rolepath+"/dhcp"
|
||||||
|
entryset={}
|
||||||
|
|
||||||
def WriteDHCPEntry(content,hosttype,hostclass):
|
def WriteDHCPEntries(replica_domain,dhcpfile):
|
||||||
### Create the DHCP entry
|
### Create the DHCP entry
|
||||||
# param content: the yaml content to parse
|
# param content: the yaml content to parse
|
||||||
# param hosttype: managed or unmanaged
|
# param hosttype: managed or unmanaged
|
||||||
# param hostclass: the type of host as classified in the yaml
|
# param hostclass: the type of host as classified in the yaml
|
||||||
global dhcpfile
|
global entryset
|
||||||
|
for host in entryset:
|
||||||
|
# Entries should be:
|
||||||
|
# dhcp-host=mac,ip,fqdn
|
||||||
|
dhcpfile.write('dhcp-host=' + entryset[host][1] + ',' + entryset[host][0] + ',' + host + '.' + replica_domain + '\n')
|
||||||
|
|
||||||
with open(dhcpfilepath,'a') as dhcpfile:
|
def WriteDNSEntries(replica_domain,dnsfile):
|
||||||
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
|
|
||||||
try:
|
|
||||||
dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
|
|
||||||
except:
|
|
||||||
print(host + ' is not complete for DHCP.')
|
|
||||||
|
|
||||||
def WriteDNSEntry(content,hosttype,hostclass):
|
|
||||||
### Create the DNS entry
|
### Create the DNS entry
|
||||||
# param content: the yaml content to parse
|
# param content: the yaml content to parse
|
||||||
# param hosttype: managed or unmanaged
|
# param hosttype: managed or unmanaged
|
||||||
# param hostclass: the type of host as classified in the yaml
|
# param hostclass: the type of host as classified in the yaml
|
||||||
global dnsfile
|
global entryset
|
||||||
|
for host in entryset:
|
||||||
with open(dnsfilepath,'a') as dnsfile:
|
# Entries should be:
|
||||||
|
# ip host fqdn
|
||||||
# Write host entries
|
dnsfile.write(entryset[host][0] + ' ' + host + '.' + replica_domain + ' ' + host + '\n')
|
||||||
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
|
|
||||||
try:
|
|
||||||
dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n')
|
|
||||||
except:
|
|
||||||
print(host + ' is not complete for DNS.')
|
|
||||||
|
|
||||||
def GenerateFiles(file):
|
def GenerateFiles(file):
|
||||||
### Open the file and parse it
|
### Open the file and parse it
|
||||||
|
@ -58,29 +53,30 @@ def GenerateFiles(file):
|
||||||
# Parse the yaml
|
# Parse the yaml
|
||||||
with open(file, 'r') as stream:
|
with open(file, 'r') as stream:
|
||||||
content = yaml.safe_load(stream)
|
content = yaml.safe_load(stream)
|
||||||
|
replica_domain = content['all']['vars']['replica_domain']
|
||||||
|
external_domain = content['all']['vars']['external_domain']
|
||||||
|
|
||||||
# Clear the DNS file
|
# Clear the DNS file
|
||||||
with open(dhcpfilepath,'w') as dhcpfile:
|
with open(dhcpfilepath,'w') as dhcpfile:
|
||||||
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
|
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
|
||||||
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
|
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
|
||||||
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
|
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
|
||||||
|
WriteDHCPEntries(replica_domain,dhcpfile)
|
||||||
with open(dnsfilepath,'w') as dnsfile:
|
with open(dnsfilepath,'w') as dnsfile:
|
||||||
vips=subprocess.run(["/bin/bash", "-c", "echo | openssl s_client -connect "+content['all']['vars']['external_domain']+":443 | openssl x509 -text -noout | grep DNS: | tr ',' '\n' | sed 's/\s\+DNS://' | grep -ivE ^"+content['all']['vars']['external_domain']+" | tr '\n' ' '"], capture_output=True).stdout.decode("utf-8")
|
dnsfile.write(content['all']['vars']['webfront']+' '+external_domain+' '+content['all']['vars']['external_subdomains'].replace(' ','.'+external_domain+' ')+'.'+external_domain+' '+content['all']['vars']['hosted_domains']+"\n")
|
||||||
dnsfile.write(content['all']['vars']['webfront']+' '+content['all']['vars']['external_domain']+' '+vips+"\n")
|
WriteDNSEntries(replica_domain,dnsfile)
|
||||||
|
print('Files should be in '+rolepath);
|
||||||
# Add DNS entries for each host
|
|
||||||
hosttype = 'managed'
|
|
||||||
for hostclass in ['physical','virtual','geth_hubs']:
|
|
||||||
WriteDNSEntry(content,hosttype,hostclass)
|
|
||||||
WriteDHCPEntry(content,hosttype,hostclass)
|
|
||||||
hosttype = 'unmanaged'
|
|
||||||
for hostclass in ['ovas','test_ovas','appliances','adhoc_appliances','iot']:
|
|
||||||
WriteDNSEntry(content,hosttype,hostclass)
|
|
||||||
WriteDHCPEntry(content,hosttype,hostclass)
|
|
||||||
|
|
||||||
|
### Main function
|
||||||
|
# param sys.argv: Input arguments
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
if len(sys.argv) != 2:
|
if len(sys.argv) < 2:
|
||||||
print("You need to supply an inventory file.")
|
print("You need to supply an inventory file.")
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
if len(sys.argv) == 3:
|
||||||
|
entryset = TrackIPEntries(sys.argv[1],sys.argv[2])
|
||||||
|
else:
|
||||||
|
entryset = TrackIPEntries(sys.argv[1])
|
||||||
GenerateFiles(sys.argv[1])
|
GenerateFiles(sys.argv[1])
|
||||||
|
#dumper.dump(entryset)
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# File: gen-ssh-keyscan
|
# File: ./generate-ssh-keyscan
|
||||||
#
|
#
|
||||||
# Description: This file generates a known_host block for the inventory.
|
# Description: This file generates a known_host block for the inventory.
|
||||||
#
|
#
|
||||||
|
|
|
@ -13,7 +13,7 @@ import shutil
|
||||||
import sys
|
import sys
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
filepath="roles/Node/files/vm-definitions/"
|
filepath="../roles/Node/files/vm-definitions/"
|
||||||
|
|
||||||
def WriteVMFile(content,hosttype,hostclass):
|
def WriteVMFile(content,hosttype,hostclass):
|
||||||
### Create the service files for the hosts
|
### Create the service files for the hosts
|
||||||
|
@ -54,7 +54,7 @@ def WriteVMFile(content,hosttype,hostclass):
|
||||||
vmfile.write('[Service]\n')
|
vmfile.write('[Service]\n')
|
||||||
vmfile.write('ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/' + host + ' -machine type=pc,accel=kvm')
|
vmfile.write('ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/' + host + ' -machine type=pc,accel=kvm')
|
||||||
if 'uefi' in content['all']['children'][hosttype]['children'][hostclass]['hosts'][host].keys(): vmfile.write(' -bios /usr/share/edk2-ovmf/x64/OVMF.fd')
|
if 'uefi' in content['all']['children'][hosttype]['children'][hostclass]['hosts'][host].keys(): vmfile.write(' -bios /usr/share/edk2-ovmf/x64/OVMF.fd')
|
||||||
vmfile.write(' -cpu qemu64 -smp ' + cores + ' ' + disks + ' -net nic,macaddr=' + mac + ',model=virtio -net bridge,br=' + bridge + ' -vga std -nographic -vnc :' + str(vnc) + ' -m size=' + str(memory) + 'G -device virtio-rng-pci\n')
|
vmfile.write(' -cpu host -smp ' + cores + ' ' + disks + ' -net nic,macaddr=' + mac + ',model=virtio -net bridge,br=' + bridge + ' -vga std -nographic -vnc :' + str(vnc) + ' -m size=' + str(memory) + 'G -device virtio-rng-pci\n')
|
||||||
vmfile.write('ExecReload=/bin/kill -HUP $MAINPID\n')
|
vmfile.write('ExecReload=/bin/kill -HUP $MAINPID\n')
|
||||||
vmfile.write('KillMode=process\n')
|
vmfile.write('KillMode=process\n')
|
||||||
vmfile.write('Restart=always\n')
|
vmfile.write('Restart=always\n')
|
||||||
|
@ -84,7 +84,7 @@ def GenerateFiles(file):
|
||||||
|
|
||||||
# Add service files for each host
|
# Add service files for each host
|
||||||
WriteVMFile(content,'managed','virtual')
|
WriteVMFile(content,'managed','virtual')
|
||||||
WriteVMFile(content,'unmanaged','ovas',
|
WriteVMFile(content,'unmanaged','ovas')
|
||||||
WriteVMFile(content,'unmanaged','test_ovas')
|
WriteVMFile(content,'unmanaged','test_ovas')
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
import re
|
||||||
|
import yaml
|
||||||
|
from types import SimpleNamespace
|
||||||
|
from yamlpath.common import Parsers
|
||||||
|
from yamlpath.wrappers import ConsolePrinter
|
||||||
|
from yamlpath import Processor
|
||||||
|
from yamlpath import YAMLPath
|
||||||
|
from yamlpath.exceptions import YAMLPathException
|
||||||
|
|
||||||
|
def TrackIPEntries(yaml_file,searchstring='all.children.**.ip'):
|
||||||
|
### Try to parse an Ansible inventory for hosts with the 'ip' attribute.
|
||||||
|
# param file: the file to parse
|
||||||
|
# return: a populated entry set in form [{Host,[ip,mac]},...]
|
||||||
|
|
||||||
|
# Borrowing from upstream author's example at https://pypi.org/project/yamlpath/
|
||||||
|
|
||||||
|
entryset = {}
|
||||||
|
|
||||||
|
# The various classes of this library must be able to write messages somewhere
|
||||||
|
# when things go bad.
|
||||||
|
#logging_args = SimpleNamespace(quiet=True, verbose=False, debug=False)
|
||||||
|
logging_args = SimpleNamespace(quiet=True, verbose=True, debug=True)
|
||||||
|
log = ConsolePrinter(logging_args)
|
||||||
|
|
||||||
|
# Prep the YAML parser
|
||||||
|
yaml = Parsers.get_yaml_editor()
|
||||||
|
(yaml_data, doc_loaded) = Parsers.get_yaml_data(yaml, log, yaml_file)
|
||||||
|
if not doc_loaded:
|
||||||
|
exit(1)
|
||||||
|
processor = Processor(log, yaml_data)
|
||||||
|
|
||||||
|
yaml_path = YAMLPath(searchstring)
|
||||||
|
|
||||||
|
# Create a regex pattern to remove the end of the path
|
||||||
|
ippattern = re.compile('\.ip$')
|
||||||
|
try:
|
||||||
|
for node_coordinate in processor.get_nodes(yaml_path, mustexist=True):
|
||||||
|
# Strip the path to the host entry.
|
||||||
|
path = ippattern.sub("",str(node_coordinate.path))
|
||||||
|
# Pull the IP
|
||||||
|
ip = str(node_coordinate.node)
|
||||||
|
# Pull the hosname
|
||||||
|
splitpath = path.split('.')
|
||||||
|
hostname = splitpath[len(splitpath)-1]
|
||||||
|
#print("Got {} from '{}''.".format(ip,path))
|
||||||
|
|
||||||
|
# Path the MAC
|
||||||
|
mac_yaml_path = YAMLPath(path+".mac")
|
||||||
|
mac=""
|
||||||
|
try:
|
||||||
|
for node_coordinate in processor.get_nodes(mac_yaml_path, mustexist=True):
|
||||||
|
mac = str(node_coordinate.node)
|
||||||
|
except YAMLPathException as ex:
|
||||||
|
log.error(ex)
|
||||||
|
|
||||||
|
# Add the host to the entryset.
|
||||||
|
entryset.update({ hostname : [ip,mac] })
|
||||||
|
|
||||||
|
except YAMLPathException as ex:
|
||||||
|
log.error(ex)
|
||||||
|
|
||||||
|
finally:
|
||||||
|
return entryset
|
|
@ -21,7 +21,7 @@ function usage() {
|
||||||
# Show helptext
|
# Show helptext
|
||||||
# param retcode: what to exit
|
# param retcode: what to exit
|
||||||
retcode="$1"
|
retcode="$1"
|
||||||
echo "Usage: $0 [ -o offset ] [-g group ] -i inventory.yml"
|
echo "Usage: $0 [ -o offset ] [-g group ] [-i inventory.yml]"
|
||||||
echo " $0 -h"
|
echo " $0 -h"
|
||||||
echo "Group is optional -- add it if you only want to look at a specific subset."
|
echo "Group is optional -- add it if you only want to look at a specific subset."
|
||||||
echo "Add -v for verbosity."
|
echo "Add -v for verbosity."
|
||||||
|
@ -78,8 +78,7 @@ if [ "$(basename $0)" == "tmux-hosts" ]; then
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -z "$inventory" ]; then
|
if [ -z "$inventory" ]; then
|
||||||
echo Need an inventory.
|
inventory=$(grep -E ^inventory ~/.ansible.cfg | cut -f 2 -d '=')
|
||||||
usage 2;
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
tmuxHosts $(ansible -i "$inventory" --list-hosts "$group"\
|
tmuxHosts $(ansible -i "$inventory" --list-hosts "$group"\
|
||||||
|
|
|
@ -1,7 +1,9 @@
|
||||||
all:
|
all:
|
||||||
vars:
|
vars:
|
||||||
# Environment-wide data
|
# Environment-wide data
|
||||||
external_domain: aninix.net
|
external_domain: "aninix.net"
|
||||||
|
external_subdomains: "cyberbrain foundation irc lykos maat password sharingan singularity superintendent www yggdrasil"
|
||||||
|
hosted_domains: "travelpawscvt.com"
|
||||||
replica_domain: "MSN0.AniNIX.net"
|
replica_domain: "MSN0.AniNIX.net"
|
||||||
time_zone: "America/Chicago"
|
time_zone: "America/Chicago"
|
||||||
# Services used by all
|
# Services used by all
|
||||||
|
@ -19,7 +21,7 @@ all:
|
||||||
ansible_become_method: sudo
|
ansible_become_method: sudo
|
||||||
ansible_become_user: root
|
ansible_become_user: root
|
||||||
static: false
|
static: false
|
||||||
wireless_ssid: 'Shadowfeed'
|
wireless_ssid: 'Shadownet'
|
||||||
ansible_python_interpreter: auto_silent
|
ansible_python_interpreter: auto_silent
|
||||||
ldap:
|
ldap:
|
||||||
server: "10.0.1.3"
|
server: "10.0.1.3"
|
||||||
|
@ -32,47 +34,79 @@ all:
|
||||||
displayname: 'AniNIX'
|
displayname: 'AniNIX'
|
||||||
gpgkey: '904DE6275579CB589D85720C1CC1E3F4ED06F296'
|
gpgkey: '904DE6275579CB589D85720C1CC1E3F4ED06F296'
|
||||||
ssl: # Standard SSL cryptographic standards
|
ssl: # Standard SSL cryptographic standards
|
||||||
identity: 'aninix.net-0001' # The Let's Encrypt identity to use
|
identity: 'aninix.net-0002' # The Let's Encrypt identity to use
|
||||||
ciphersuite: "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
|
ciphersuite: "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
|
||||||
children:
|
children:
|
||||||
managed:
|
managed:
|
||||||
children:
|
children:
|
||||||
physical: # 10.0.1.0/28
|
physical: # 10.0.1.0/28
|
||||||
hosts:
|
hosts:
|
||||||
Nazara:
|
Chappaai:
|
||||||
ipinterface: eth0
|
ipinterface: eth0
|
||||||
ip: 10.0.1.2
|
ip: 10.0.1.2
|
||||||
mac: B8:27:EB:B6:AA:0C
|
mac: B8:27:EB:B6:AA:0C
|
||||||
static: true
|
static: true
|
||||||
Core:
|
Maker:
|
||||||
ipinterface: enp1s0f0
|
ipinterface: eth0
|
||||||
ip: 10.0.1.3
|
ip: 10.0.1.14
|
||||||
mac: 00:25:90:0d:6e:86
|
mac: B8:27:EB:B6:AA:0D
|
||||||
static: true
|
static: true
|
||||||
sslidentity: aninix.net-0001
|
children:
|
||||||
secdetection: true
|
Node:
|
||||||
iptv_location: "Milwaukee|Madison"
|
hosts:
|
||||||
aether_source: true
|
Node1:
|
||||||
Node0:
|
ipinterface: enp1s0
|
||||||
ipinterface: enp1s0f0
|
ip: 10.0.1.5
|
||||||
ip: 10.0.1.4
|
mac: FA:EC:43:87:4D:2D
|
||||||
mac: DE:8B:9E:19:55:1D
|
tap: true
|
||||||
tap: true
|
ups: 'aps'
|
||||||
Node1:
|
active_vms:
|
||||||
ipinterface: enp1s0f0
|
- Yggdrasil
|
||||||
ip: 10.0.1.5
|
Node2:
|
||||||
mac: B0:41:6F:0D:47:E1
|
ipinterface: enp1s0
|
||||||
tap: true
|
ip: 10.0.1.7
|
||||||
Node2:
|
mac: 56:02:ef:2c:1f:7c
|
||||||
ipinterface: enp1s0f0
|
tap: true
|
||||||
ip: 10.0.1.7
|
active_vms:
|
||||||
mac: B0:41:6F:0D:41:D1
|
- DarkNet
|
||||||
tap: true
|
- Maat
|
||||||
Node3:
|
- Sharingan
|
||||||
ipinterface: enp1s0f0
|
- Superintendent
|
||||||
ip: 10.0.1.8
|
Node3:
|
||||||
mac: B0:41:6F:0D:51:0E
|
ipinterface: enp1s0
|
||||||
tap: true
|
ip: 10.0.1.8
|
||||||
|
mac: B2:C6:2C:02:B2:6E
|
||||||
|
tap: true
|
||||||
|
active_vms:
|
||||||
|
- TDS-Jump
|
||||||
|
Geth:
|
||||||
|
hosts:
|
||||||
|
Geth0:
|
||||||
|
ipinterface: eth0
|
||||||
|
ip: 10.0.1.9
|
||||||
|
mac: 84:16:F9:14:15:C5
|
||||||
|
static: true
|
||||||
|
k3s_primary: true
|
||||||
|
Geth1:
|
||||||
|
ipinterface: eth0
|
||||||
|
ip: 10.0.1.10
|
||||||
|
mac: E4:5F:01:01:FF:9C
|
||||||
|
static: true
|
||||||
|
Geth2:
|
||||||
|
ipinterface: eth0
|
||||||
|
ip: 10.0.1.11
|
||||||
|
mac: E4:5F:01:01:FF:D5
|
||||||
|
static: true
|
||||||
|
Geth3:
|
||||||
|
ipinterface: eth0
|
||||||
|
ip: 10.0.1.12
|
||||||
|
mac: E4:5F:01:01:FF:96
|
||||||
|
static: true
|
||||||
|
Geth4:
|
||||||
|
ipinterface: eth0
|
||||||
|
ip: 10.0.1.13
|
||||||
|
mac: E4:5F:01:01:FF:E4
|
||||||
|
static: true
|
||||||
virtual: # 10.0.1.16/28
|
virtual: # 10.0.1.16/28
|
||||||
vars:
|
vars:
|
||||||
hosts:
|
hosts:
|
||||||
|
@ -87,18 +121,20 @@ all:
|
||||||
uefi: true
|
uefi: true
|
||||||
siem: true
|
siem: true
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
|
- '-drive format=raw,index=0,media=disk,file=/dev/sdc'
|
||||||
# On hold because of https://aninix.net/DarkFeather/MSN0/issues/6
|
# On hold because of https://aninix.net/DarkFeather/MSN0/issues/6
|
||||||
holdpkg: "elasticsearch graylog mongodb44-bin mongodb-tools-bin"
|
holdpkg: "elasticsearch graylog mongodb44-bin mongodb-tools-bin"
|
||||||
DarkNet:
|
DarkNet:
|
||||||
ipinterface: ens3
|
ipinterface: ens3
|
||||||
ip: 10.0.1.17
|
ip: 10.0.1.17
|
||||||
mac: 00:15:5D:01:02:05
|
mac: 00:15:5D:01:02:05
|
||||||
cores: 2
|
cores: 4
|
||||||
memory: 2
|
memory: 4
|
||||||
vnc: 9
|
vnc: 9
|
||||||
|
bridge: br0
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=raw,index=0,media=disk,file=/dev/sdd'
|
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
|
||||||
|
wolfpack_config: 'gitea@foundation.aninix.net:DarkFeather/WolfPack-Config.git'
|
||||||
Maat:
|
Maat:
|
||||||
ip: 10.0.1.18
|
ip: 10.0.1.18
|
||||||
ipinterface: ens3
|
ipinterface: ens3
|
||||||
|
@ -106,26 +142,45 @@ all:
|
||||||
cores: 2
|
cores: 2
|
||||||
memory: 2
|
memory: 2
|
||||||
bridge: br0
|
bridge: br0
|
||||||
|
vscan_enabled: true
|
||||||
vnc: 7
|
vnc: 7
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/Maat.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/Maat.qcow2'
|
||||||
|
Yggdrasil:
|
||||||
|
ipinterface: ens3
|
||||||
|
ip: 10.0.1.3
|
||||||
|
mac: 00:25:90:0d:6e:86
|
||||||
|
static: true
|
||||||
|
sslidentity: aninix.net-0001
|
||||||
|
secdetection: true
|
||||||
|
iptv_location: "Milwaukee|Madison"
|
||||||
|
aether_source: true
|
||||||
|
cores: 8
|
||||||
|
memory: 16
|
||||||
|
bridge: br0
|
||||||
|
vnc: 1
|
||||||
|
vscan_enabled: true
|
||||||
|
disks:
|
||||||
|
- '-drive format=raw,index=0,media=disk,file=/dev/sda'
|
||||||
|
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
|
||||||
|
- '-drive format=raw,index=0,media=disk,file=/dev/sdc'
|
||||||
|
- '-drive format=raw,index=0,media=disk,file=/dev/sdd'
|
||||||
geth_hubs: # 10.0.1.32/28
|
geth_hubs: # 10.0.1.32/28
|
||||||
vars:
|
vars:
|
||||||
motion_enabled: yes
|
motion_enabled: yes
|
||||||
hosts:
|
hosts:
|
||||||
Geth-Hub-1:
|
Vergil1:
|
||||||
ip: 10.0.1.32
|
ip: 10.0.1.32
|
||||||
mac: 84:16:F9:14:15:C5
|
mac: b8:27:eb:9a:73:dd
|
||||||
rotate: 0
|
rotate: 0
|
||||||
remote: NS-RC4NA-14
|
remote: NS-RC4NA-14
|
||||||
Geth-Hub-2:
|
Vergil2:
|
||||||
ip: 10.0.1.33
|
ip: 10.0.1.33
|
||||||
mac: 84:16:F9:13:B6:E6
|
mac: 84:16:F9:13:B6:E6
|
||||||
motion_enabled: no
|
motion_enabled: no
|
||||||
rotate: 180
|
rotate: 180
|
||||||
remote: NS-RC4NA-14
|
remote: NS-RC4NA-14
|
||||||
Geth-Hub-3:
|
Vergil3:
|
||||||
ip: 10.0.1.34
|
ip: 10.0.1.34
|
||||||
mac: b8:27:eb:60:73:68
|
mac: b8:27:eb:60:73:68
|
||||||
rotate: 90
|
rotate: 90
|
||||||
|
@ -135,7 +190,7 @@ all:
|
||||||
# Both OVA groups are in the same subnet -- test_ovas aren't monitored
|
# Both OVA groups are in the same subnet -- test_ovas aren't monitored
|
||||||
ovas: # 10.0.1.48/28
|
ovas: # 10.0.1.48/28
|
||||||
hosts:
|
hosts:
|
||||||
Geth:
|
Superintendent:
|
||||||
ip: 10.0.1.49
|
ip: 10.0.1.49
|
||||||
mac: DE:8B:9E:19:55:1E
|
mac: DE:8B:9E:19:55:1E
|
||||||
cores: 2
|
cores: 2
|
||||||
|
@ -144,7 +199,7 @@ all:
|
||||||
bridge: br0
|
bridge: br0
|
||||||
uefi: true
|
uefi: true
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/hassos_ova-5.13.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/hassos_ova-5.13.qcow2'
|
||||||
test_ovas: # 10.0.1.48/28
|
test_ovas: # 10.0.1.48/28
|
||||||
hosts:
|
hosts:
|
||||||
TDS-Jump:
|
TDS-Jump:
|
||||||
|
@ -155,7 +210,7 @@ all:
|
||||||
vnc: 4
|
vnc: 4
|
||||||
bridge: br0
|
bridge: br0
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/TDSJump.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/node/vm/TDSJump.qcow2'
|
||||||
DedNet:
|
DedNet:
|
||||||
ip: 10.0.1.50
|
ip: 10.0.1.50
|
||||||
mac: 00:15:5d:01:02:09
|
mac: 00:15:5d:01:02:09
|
||||||
|
@ -164,7 +219,7 @@ all:
|
||||||
vnc: 3
|
vnc: 3
|
||||||
bridge: br0
|
bridge: br0
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/DedNet.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/DedNet.qcow2'
|
||||||
- '-cdrom /srv/maat/iso/kali-linux.iso -boot order=d'
|
- '-cdrom /srv/maat/iso/kali-linux.iso -boot order=d'
|
||||||
Aether:
|
Aether:
|
||||||
ip: 10.0.1.51
|
ip: 10.0.1.51
|
||||||
|
@ -185,7 +240,7 @@ all:
|
||||||
bridge: br0
|
bridge: br0
|
||||||
vnc: 10
|
vnc: 10
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/test1.qcow2'
|
||||||
test2:
|
test2:
|
||||||
ip: 10.0.1.53
|
ip: 10.0.1.53
|
||||||
ipinterface: ens3
|
ipinterface: ens3
|
||||||
|
@ -195,7 +250,7 @@ all:
|
||||||
bridge: br0
|
bridge: br0
|
||||||
vnc: 11
|
vnc: 11
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/test2.qcow2'
|
||||||
test3:
|
test3:
|
||||||
ip: 10.0.1.54
|
ip: 10.0.1.54
|
||||||
ipinterface: ens3
|
ipinterface: ens3
|
||||||
|
@ -205,11 +260,11 @@ all:
|
||||||
bridge: br0
|
bridge: br0
|
||||||
vnc: 12
|
vnc: 12
|
||||||
disks:
|
disks:
|
||||||
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
|
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/test3.qcow2'
|
||||||
# appliances are monitored -- adhoc_appliances are convenience only and not monitored.
|
# appliances are monitored -- adhoc_appliances are convenience only and not monitored.
|
||||||
appliances:
|
appliances:
|
||||||
hosts: # 10.0.1.64/27
|
hosts: # 10.0.1.64/27
|
||||||
Shadowfeed: # Router must be at root
|
Shadownet: # Router must be at root
|
||||||
ip: 10.0.1.1
|
ip: 10.0.1.1
|
||||||
mac: 2c:30:33:64:f4:03
|
mac: 2c:30:33:64:f4:03
|
||||||
Print: # Print is excepted for legacy setup reasons before we laid out subnets.
|
Print: # Print is excepted for legacy setup reasons before we laid out subnets.
|
||||||
|
@ -218,21 +273,21 @@ all:
|
||||||
Geth-Eyes:
|
Geth-Eyes:
|
||||||
ip: 10.0.1.68
|
ip: 10.0.1.68
|
||||||
mac: 9C:A3:AA:33:A3:99
|
mac: 9C:A3:AA:33:A3:99
|
||||||
"Core-Console":
|
# "Core-Console":
|
||||||
ip: 10.0.1.74
|
# ip: 10.0.1.74
|
||||||
mac: 00:25:90:0D:82:5B
|
# mac: 00:25:90:0D:82:5B
|
||||||
"Node0-Console":
|
# "Node0-Console":
|
||||||
ip: 10.0.1.75
|
# ip: 10.0.1.75
|
||||||
mac: 00:25:90:3E:C6:8C
|
# mac: 00:25:90:3E:C6:8C
|
||||||
adhoc_appliances:
|
adhoc_appliances:
|
||||||
hosts: # 10.0.1.64/27
|
hosts: # 10.0.1.64/27
|
||||||
DarkFeather:
|
DarkFeather:
|
||||||
ip: 10.0.1.64
|
ip: 10.0.1.64
|
||||||
mac: D0:40:EF:D4:14:CF
|
mac: f4:2b:8c:10:31:44
|
||||||
Lykos:
|
Lykos:
|
||||||
ip: 10.0.1.65
|
ip: 10.0.1.65
|
||||||
mac: 70:74:14:4F:8E:42
|
mac: 70:74:14:4F:8E:42
|
||||||
Games:
|
Node0:
|
||||||
ip: 10.0.1.66
|
ip: 10.0.1.66
|
||||||
mac: E0:BE:03:77:0E:88
|
mac: E0:BE:03:77:0E:88
|
||||||
LivingRoomTV:
|
LivingRoomTV:
|
||||||
|
@ -244,24 +299,25 @@ all:
|
||||||
TrainingRoomTV:
|
TrainingRoomTV:
|
||||||
ip: 10.0.1.71
|
ip: 10.0.1.71
|
||||||
mac: 80:D2:1D:17:63:10
|
mac: 80:D2:1D:17:63:10
|
||||||
Tachikoma:
|
BT:
|
||||||
ip: 10.0.1.72
|
ip: 10.0.1.72
|
||||||
mac: 90:0f:0c:1a:d3:23
|
mac: 8A:00:AA:7F:DF:D1
|
||||||
Dedsec:
|
DedSec:
|
||||||
ip: 10.0.1.73
|
ip: 10.0.1.73
|
||||||
mac: 34:F6:4B:36:12:8F
|
mac: 34:F6:4B:36:12:8F
|
||||||
# dhcp build space: 10.0.1.224/27
|
# dhcp build space: 10.0.1.224/27
|
||||||
iot: # 10.0.2.0/24
|
iot: # 10.0.2.0/24
|
||||||
hosts:
|
hosts:
|
||||||
LinKeuei:
|
LivingRoomRegulator:
|
||||||
ip: 10.0.2.2
|
ip: 10.0.2.2
|
||||||
mac: 64:16:66:08:57:F5
|
mac: 64:16:66:08:57:F5
|
||||||
Canary:
|
Monitor:
|
||||||
ip: 10.0.2.3
|
ip: 10.0.2.3
|
||||||
mac: 18:B4:30:2F:F1:37
|
mac: 18:B4:30:2F:F1:37
|
||||||
Charon:
|
Gatekeeper:
|
||||||
ip: 10.0.2.4
|
ip: 10.0.2.4
|
||||||
mac: 64:52:99:14:28:2B
|
mac: 64:52:99:14:28:2B
|
||||||
Skitarii-1:
|
# CaretakerAlpha has no network
|
||||||
|
CaretakerBravo:
|
||||||
ip: 10.0.2.5
|
ip: 10.0.2.5
|
||||||
mac: 40:9F:38:95:06:34
|
mac: 40:9F:38:95:06:34
|
||||||
|
|
|
@ -34,7 +34,7 @@
|
||||||
- SSH
|
- SSH
|
||||||
- Sharingan
|
- Sharingan
|
||||||
|
|
||||||
- hosts: Core
|
- hosts: Yggdrasil
|
||||||
order: sorted
|
order: sorted
|
||||||
serial: "{{ threads | default('16') }}"
|
serial: "{{ threads | default('16') }}"
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
|
@ -46,6 +46,9 @@
|
||||||
- SSL
|
- SSL
|
||||||
- WebServer
|
- WebServer
|
||||||
- IRC
|
- IRC
|
||||||
|
- WolfPack
|
||||||
|
- Foundation
|
||||||
|
- Yggrasil
|
||||||
|
|
||||||
- hosts: geth_hubs
|
- hosts: geth_hubs
|
||||||
order: sorted
|
order: sorted
|
||||||
|
@ -57,7 +60,7 @@
|
||||||
roles:
|
roles:
|
||||||
- Geth-Hub
|
- Geth-Hub
|
||||||
|
|
||||||
- hosts: Node0
|
- hosts: Node1,Node2,Node3
|
||||||
order: sorted
|
order: sorted
|
||||||
serial: "{{ threads | default('16') }}"
|
serial: "{{ threads | default('16') }}"
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
|
@ -77,3 +80,4 @@
|
||||||
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
|
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
|
||||||
roles:
|
roles:
|
||||||
- DarkNet
|
- DarkNet
|
||||||
|
- WolfPack
|
||||||
|
|
|
@ -9,36 +9,23 @@
|
||||||
# Patch then restart a node
|
# Patch then restart a node
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
- hosts: physical,virtual
|
- hosts: "{{ targets | default('virtual') }}"
|
||||||
|
order: sorted
|
||||||
|
serial: 4
|
||||||
|
vars:
|
||||||
|
ansible_become: yes
|
||||||
|
ansible_become_method: sudo
|
||||||
|
roles:
|
||||||
|
- patching
|
||||||
|
|
||||||
|
- hosts: physical
|
||||||
order: sorted
|
order: sorted
|
||||||
serial: 4
|
serial: 4
|
||||||
vars:
|
vars:
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: sudo
|
ansible_become_method: sudo
|
||||||
tasks:
|
tasks:
|
||||||
- package:
|
|
||||||
name: archlinux-keyring
|
|
||||||
state: latest
|
|
||||||
|
|
||||||
- hosts: virtual,geth-hubs
|
- include_role:
|
||||||
order: sorted
|
name: patching
|
||||||
serial: 4
|
when: targets is unset
|
||||||
vars:
|
|
||||||
ansible_become: yes
|
|
||||||
ansible_become_method: sudo
|
|
||||||
vars_files:
|
|
||||||
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
|
|
||||||
roles:
|
|
||||||
- patching
|
|
||||||
|
|
||||||
- hosts: physical
|
|
||||||
order: sorted
|
|
||||||
ignore_unreachable: true
|
|
||||||
serial: 4
|
|
||||||
vars:
|
|
||||||
ansible_become: yes
|
|
||||||
ansible_become_method: sudo
|
|
||||||
vars_files:
|
|
||||||
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
|
|
||||||
roles:
|
|
||||||
- patching
|
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Webserver apps directory should be short -- apps that fail this category should become their own.
|
||||||
|
|
||||||
|
retcode=0
|
||||||
|
for file in `find roles/WebServer/files/apps -type f`; do
|
||||||
|
if [[ $(wc -l "$file" | awk '{ print $1; }') -gt 10 ]]; then
|
||||||
|
echo "$file" is too long to be deployed as a mini-app under the WebServer role.
|
||||||
|
retcode=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
exit $retcode
|
|
@ -0,0 +1,7 @@
|
||||||
|
See [AniNIX/Aether](/AniNIX/Aether) for complete details of the tool.
|
||||||
|
|
||||||
|
Role requirements:
|
||||||
|
* `secrets['Aether']` in Vault
|
||||||
|
* A YAML list of nodes under the key `Aether_nodes` in Vault
|
||||||
|
* A host called 'Core' to act as the source
|
||||||
|
* 22/tcp/sftp access through firewalls to the Core host from any clients
|
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/bash
|
||||||
|
### Gitea ###
|
||||||
|
tar cvzf "$BACKUPDIR"/gitea.tgz /var/lib/gitea/data
|
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/bash
|
||||||
|
### Grimoire ###
|
||||||
|
sudo -u postgres pg_dumpall > "$BACKUPDIR"/grimoire.sql
|
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/bash
|
||||||
|
### IRC Services ###
|
||||||
|
cp /opt/anope/data/anope.db "$BACKUPDIR"
|
|
@ -0,0 +1,9 @@
|
||||||
|
#!/bin/bash
|
||||||
|
### Wiki ###
|
||||||
|
mkdir "$BACKUPDIR"/wiki/
|
||||||
|
for i in `find /usr/share/webapps/ -maxdepth 1 -type d | grep mediawiki`; do
|
||||||
|
foldername="$(echo "$i" | rev | cut -f 1 -d '/' | rev)"
|
||||||
|
dbname="$(grep '^\$wgDBname' "$i"/LocalSettings.php | cut -f 2 -d \")"
|
||||||
|
$BACKUPCMD "${i}"/LocalSettings.php "$BACKUPDIR"/wiki/"$foldername"-localsettings.php
|
||||||
|
sudo -u postgres pg_dump "$dbname" > "$BACKUPDIR"/wiki/"$dbname".psql
|
||||||
|
done
|
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/bash
|
||||||
|
### Yggdrasil -- File & SHA list only for space reasons ###
|
||||||
|
cp /srv/yggdrasil/library.sha256 "$BACKUPDIR"/yggdrasil.library.sha256
|
|
@ -0,0 +1,146 @@
|
||||||
|
# Example configuration file for AIDE.
|
||||||
|
# More information about configuration options available in the aide.conf manpage.
|
||||||
|
@@define DBDIR /var/lib/aide
|
||||||
|
@@define LOGDIR /var/log/aide
|
||||||
|
|
||||||
|
# The location of the database to be read.
|
||||||
|
database_in=file:@@{DBDIR}/aide.db.gz
|
||||||
|
|
||||||
|
# The location of the database to be written.
|
||||||
|
#database_out=sql:host:port:database:login_name:passwd:table
|
||||||
|
#database_out=file:aide.db.new
|
||||||
|
database_out=file:@@{DBDIR}/aide.db.new.gz
|
||||||
|
|
||||||
|
# Whether to gzip the output to database
|
||||||
|
gzip_dbout=yes
|
||||||
|
|
||||||
|
# Default.
|
||||||
|
log_level=warning
|
||||||
|
report_level=changed_attributes
|
||||||
|
|
||||||
|
report_url=file:@@{LOGDIR}/aide.log
|
||||||
|
report_url=stdout
|
||||||
|
#report_url=stderr
|
||||||
|
#
|
||||||
|
# Here are all the attributes we can check
|
||||||
|
#p: permissions
|
||||||
|
#i: inode
|
||||||
|
#n: number of links
|
||||||
|
#l: link name
|
||||||
|
#u: user
|
||||||
|
#g: group
|
||||||
|
#s: size
|
||||||
|
###b: block count
|
||||||
|
#m: mtime
|
||||||
|
#a: atime
|
||||||
|
#c: ctime
|
||||||
|
#S: check for growing size
|
||||||
|
#I: ignore changed filename
|
||||||
|
#ANF: allow new files
|
||||||
|
#ARF: allow removed files
|
||||||
|
#
|
||||||
|
|
||||||
|
# Here are all the digests we can use
|
||||||
|
#md5: md5 checksum
|
||||||
|
#sha1: sha1 checksum
|
||||||
|
#sha256: sha256 checksum
|
||||||
|
#sha512: sha512 checksum
|
||||||
|
#rmd160: rmd160 checksum
|
||||||
|
#tiger: tiger checksum
|
||||||
|
#haval: haval checksum
|
||||||
|
#crc32: crc32 checksum
|
||||||
|
#gost: gost checksum
|
||||||
|
#whirlpool: whirlpool checksum
|
||||||
|
|
||||||
|
# These are the default rules
|
||||||
|
#R: p+i+l+n+u+g+s+m+c+md5
|
||||||
|
#L: p+i+l+n+u+g
|
||||||
|
#E: Empty group
|
||||||
|
#>: Growing logfile p+l+u+g+i+n+S
|
||||||
|
|
||||||
|
# You can create custom rules - my home made rule definition goes like this
|
||||||
|
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
|
||||||
|
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
|
||||||
|
# Everything but access time (Ie. all changes)
|
||||||
|
EVERYTHING = R+ALLXTRAHASHES
|
||||||
|
|
||||||
|
# Sane, with multiple hashes
|
||||||
|
# NORMAL = R+rmd160+sha256+whirlpool
|
||||||
|
NORMAL = R+rmd160+sha256
|
||||||
|
|
||||||
|
# For directories, don't bother doing hashes
|
||||||
|
DIR = p+i+n+u+g+acl+xattrs
|
||||||
|
|
||||||
|
# Access control only
|
||||||
|
PERMS = p+i+u+g+acl
|
||||||
|
|
||||||
|
# Logfile are special, in that they often change
|
||||||
|
LOG = >
|
||||||
|
|
||||||
|
# Just do md5 and sha256 hashes
|
||||||
|
LSPP = R+sha256
|
||||||
|
|
||||||
|
# Some files get updated automatically, so the inode/ctime/mtime change
|
||||||
|
# but we want to know when the data inside them changes
|
||||||
|
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
|
||||||
|
|
||||||
|
|
||||||
|
# Next decide what directories/files you want in the database.
|
||||||
|
|
||||||
|
/boot NORMAL
|
||||||
|
/bin NORMAL
|
||||||
|
/sbin NORMAL
|
||||||
|
/lib NORMAL
|
||||||
|
/lib64 NORMAL
|
||||||
|
/opt NORMAL
|
||||||
|
/usr NORMAL
|
||||||
|
/root NORMAL
|
||||||
|
# These are too volatile
|
||||||
|
!/usr/src
|
||||||
|
!/usr/tmp
|
||||||
|
|
||||||
|
# Check only permissions, inode, user and group for /etc, but
|
||||||
|
# cover some important files closely.
|
||||||
|
/etc PERMS
|
||||||
|
!/etc/mtab
|
||||||
|
# Ignore backup files
|
||||||
|
!/etc/.*~
|
||||||
|
/etc/exports NORMAL
|
||||||
|
/etc/fstab NORMAL
|
||||||
|
/etc/passwd NORMAL
|
||||||
|
/etc/group NORMAL
|
||||||
|
/etc/gshadow NORMAL
|
||||||
|
/etc/shadow NORMAL
|
||||||
|
/etc/security/opasswd NORMAL
|
||||||
|
|
||||||
|
/etc/hosts.allow NORMAL
|
||||||
|
/etc/hosts.deny NORMAL
|
||||||
|
|
||||||
|
/etc/sudoers NORMAL
|
||||||
|
/etc/skel NORMAL
|
||||||
|
|
||||||
|
/etc/logrotate.d NORMAL
|
||||||
|
|
||||||
|
/etc/resolv.conf DATAONLY
|
||||||
|
|
||||||
|
/etc/nscd.conf NORMAL
|
||||||
|
/etc/securetty NORMAL
|
||||||
|
|
||||||
|
# Shell/X starting files
|
||||||
|
/etc/profile NORMAL
|
||||||
|
/etc/bashrc NORMAL
|
||||||
|
/etc/bash_completion.d/ NORMAL
|
||||||
|
/etc/login.defs NORMAL
|
||||||
|
/etc/zprofile NORMAL
|
||||||
|
/etc/zshrc NORMAL
|
||||||
|
/etc/zlogin NORMAL
|
||||||
|
/etc/zlogout NORMAL
|
||||||
|
/etc/profile.d/ NORMAL
|
||||||
|
/etc/X11/ NORMAL
|
||||||
|
|
||||||
|
# Ignore logs
|
||||||
|
!/var/lib/pacman/.*
|
||||||
|
!/var/cache/.*
|
||||||
|
!/var/log/.*
|
||||||
|
!/var/run/.*
|
||||||
|
!/var/spool/.*
|
|
@ -0,0 +1,27 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Copy the key
|
||||||
|
become: true
|
||||||
|
copy:
|
||||||
|
dest: /home/aether/.ssh/aether
|
||||||
|
content: "{{ aether_key.stdout }}"
|
||||||
|
|
||||||
|
- name: Copy the public key
|
||||||
|
become: true
|
||||||
|
copy:
|
||||||
|
dest: /home/aether/.ssh/aether.pub
|
||||||
|
content: "{{ aether_key.stdout }}"
|
||||||
|
|
||||||
|
- name: Enable the service
|
||||||
|
become: yes
|
||||||
|
service:
|
||||||
|
name: aether.timer
|
||||||
|
state: enabled
|
||||||
|
running: yes
|
||||||
|
|
||||||
|
- name: Enable the service - 2
|
||||||
|
become: yes
|
||||||
|
service:
|
||||||
|
name: aether-gen.timer
|
||||||
|
state: disabled
|
||||||
|
running: no
|
|
@ -0,0 +1,64 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install the package
|
||||||
|
become: true
|
||||||
|
ignore_errors: true
|
||||||
|
package:
|
||||||
|
name: Aether
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Validate the user
|
||||||
|
vars:
|
||||||
|
service_account: aether
|
||||||
|
include_tasks: ../roles/common/service_account.yml
|
||||||
|
|
||||||
|
- name: Ensure the Aether identity is protected.
|
||||||
|
become: true
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: aether
|
||||||
|
group: aether
|
||||||
|
mode: 0700
|
||||||
|
loop:
|
||||||
|
- /home/aether/.ssh
|
||||||
|
- /usr/local/etc/Aether
|
||||||
|
- /usr/local/etc/Aether/backup-entries
|
||||||
|
- /usr/local/backup
|
||||||
|
|
||||||
|
- name: Ensure the Aether identity exists
|
||||||
|
delegate_to: Core # Core will track the identity that will then be shared to everyone else.
|
||||||
|
become: true
|
||||||
|
command:
|
||||||
|
creates: /home/aether/.ssh/aether
|
||||||
|
chdir: /home/aether/.ssh/
|
||||||
|
cmd: ssh-keygen -t ed25519 -N "" -f ./aether
|
||||||
|
|
||||||
|
- name: Read the Aether identity
|
||||||
|
become: true
|
||||||
|
delegate_to: Core
|
||||||
|
command: cat /home/aether/.ssh/aether
|
||||||
|
register: aether_key
|
||||||
|
|
||||||
|
- name: Read the Aether public identity
|
||||||
|
become: true
|
||||||
|
delegate_to: Core
|
||||||
|
command: cat /home/aether/.ssh/aether.pub
|
||||||
|
register: aether_pubkey
|
||||||
|
|
||||||
|
- include_tasks: source.yml
|
||||||
|
when: "{{ inventory_hostname }} is 'Core'"
|
||||||
|
|
||||||
|
- include_tasks: client.yml
|
||||||
|
when: "{{ inventory_hostname }} is 'Core'"
|
||||||
|
|
||||||
|
- name: Ensure the Aether identity files are protected.
|
||||||
|
become: true
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
owner: aether
|
||||||
|
group: aether
|
||||||
|
mode: 0600
|
||||||
|
loop:
|
||||||
|
- /home/aether/.ssh/aether
|
||||||
|
- /home/aether/.ssh/aether.pub
|
|
@ -0,0 +1,42 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Copy the backup scripts
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
src: "backup-entries/{{ inventory_hostname }}"
|
||||||
|
dest: "/usr/local/etc/Aether/backup-entries"
|
||||||
|
owner: aether
|
||||||
|
group: aether
|
||||||
|
|
||||||
|
- name: Seed the backup passphrase
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
content: "{{ passwords['Aether'] }}"
|
||||||
|
dest: "/usr/local/etc/Aether/pass.txt"
|
||||||
|
owner: aether
|
||||||
|
group: aether
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: Enable the generation service
|
||||||
|
become: yes
|
||||||
|
when: "{{ inventory_hostname }} == 'Core'"
|
||||||
|
service:
|
||||||
|
name: aether-gen.timer
|
||||||
|
state: enabled
|
||||||
|
running: yes
|
||||||
|
|
||||||
|
- name: Enable the generation service - 2
|
||||||
|
become: yes
|
||||||
|
when: "{{ inventory_hostname }} == 'Core'"
|
||||||
|
service:
|
||||||
|
name: aether.timer
|
||||||
|
state: disabled
|
||||||
|
running: no
|
||||||
|
|
||||||
|
- name: Set up the authorized_keys
|
||||||
|
template:
|
||||||
|
src: authorized_keys.j2
|
||||||
|
dest: /home/aether/.ssh/authorized_keys
|
||||||
|
mode: 0600
|
||||||
|
owner: aether
|
||||||
|
group: aether
|
|
@ -0,0 +1,18 @@
|
||||||
|
A Chappaai host is a gateway to accessing other hosts. It is a safeguard against admin error.
|
||||||
|
|
||||||
|
## Etymology
|
||||||
|
Chappaai hosts are named to follow the non-English naming of the Stargate network by the other denizens of the galaxy.
|
||||||
|
|
||||||
|
They are the first line of defense against administrative error -- similar to the way that [Stargate Command](https://stargate.fandom.com/wiki/Stargate_Command) was for Earth. They prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This prevents infiltration by infections (similar to Goauld) and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
|
||||||
|
|
||||||
|
## Capacity and Components
|
||||||
|
A Chappaai host needs minimal CPU or memory.
|
||||||
|
|
||||||
|
## Hosted Services and Entities
|
||||||
|
Chappaai should host a Pihole installation and [SSH](../Services/SSH.md). It should be linked by NAT to an obscure port to the outside world.
|
||||||
|
|
||||||
|
## Connections
|
||||||
|
Any host should be able to connect to a Chappaai with SSH and X11, and it should be able to dial to any service provider.
|
||||||
|
|
||||||
|
## Additional Reference
|
||||||
|
Chappaai hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
|
|
@ -17,7 +17,7 @@
|
||||||
|
|
||||||
- name: Ensure pihole web admin password
|
- name: Ensure pihole web admin password
|
||||||
become: yes
|
become: yes
|
||||||
command: "pihole -a -p {{ passwords['Nazara'] }}"
|
command: "pihole -a -p {{ passwords['Chappaai'] }}"
|
||||||
# when: pihole_install.changed
|
# when: pihole_install.changed
|
||||||
|
|
||||||
- name: Generate DNS/DHCP from inventory
|
- name: Generate DNS/DHCP from inventory
|
||||||
|
@ -25,7 +25,7 @@
|
||||||
run_once: true
|
run_once: true
|
||||||
command: "python3 ../bin/generate-pihole-dns-dhcp.py {{ inventory_file }}"
|
command: "python3 ../bin/generate-pihole-dns-dhcp.py {{ inventory_file }}"
|
||||||
|
|
||||||
- name: Nazara DNS
|
- name: Chappaai DNS
|
||||||
become: yes
|
become: yes
|
||||||
register: dns_updated
|
register: dns_updated
|
||||||
copy:
|
copy:
|
||||||
|
@ -35,7 +35,7 @@
|
||||||
group: pihole
|
group: pihole
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Nazara DHCP
|
- name: Chappaai DHCP
|
||||||
become: yes
|
become: yes
|
||||||
register: dhcp_updated
|
register: dhcp_updated
|
||||||
copy:
|
copy:
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Nazara Configuration
|
- name: Chappaai Configuration
|
||||||
become: yes
|
become: yes
|
||||||
register: conf_updated
|
register: conf_updated
|
||||||
copy:
|
copy:
|
||||||
|
@ -56,7 +56,7 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
|
|
||||||
- name: Nazara DHCP Leases dir
|
- name: Chappaai DHCP Leases dir
|
||||||
become: yes
|
become: yes
|
||||||
file:
|
file:
|
||||||
path: /var/lib/misc/
|
path: /var/lib/misc/
|
||||||
|
@ -65,7 +65,7 @@
|
||||||
group: root
|
group: root
|
||||||
mode: 0777
|
mode: 0777
|
||||||
|
|
||||||
- name: Nazara DHCP Leases
|
- name: Chappaai DHCP Leases
|
||||||
become: yes
|
become: yes
|
||||||
file:
|
file:
|
||||||
path: /var/lib/misc/dnsmasq.leases
|
path: /var/lib/misc/dnsmasq.leases
|
|
@ -1,12 +1,16 @@
|
||||||
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
|
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX.
|
||||||
|
|
||||||
**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
|
It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
|
||||||
|
|
||||||
# Etymology
|
# Etymology
|
||||||
A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user.
|
A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user.
|
||||||
|
|
||||||
# Relevant Files and Software
|
# Relevant Files and Software
|
||||||
This service uses a file, [/etc/conf.d/webssh](file:///etc/conf.d/webssh), to control the service. Additionally, there's a password file [/opt/openresty/nginx/passwords/cyberbrain.htpasswd](file:///opt/openresty/nginx/passwords/cyberbrain.htpasswd) that controls an initial authentication to the webserver socket.
|
This service is deployed as a Docker image from [FileStash](https://www.filestash.app/docs/install-and-upgrade/). This image is pointed back at the AniNIX/Yggdrasil's SFTP service.
|
||||||
|
|
||||||
|
Configuration is done in [the app](http://10.0.1.8:8334/admin/). A unique password should be configured, and then the only authorized backend is SFTP with passthrough authentication on the 'username_and_password' strategy. The SFTP host is then jailed as AniNIX/Yggdrasil's internal IP and port, with the `{{ .user }}` and `{{ .password }}` attributes populated.
|
||||||
|
|
||||||
|
This app can be proxied to the outside world and protected by encryption & a web-application firewall. This happens through [a WebServer configuration file](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf.d/Core/adhan.conf).
|
||||||
|
|
||||||
## Backups
|
## Backups
|
||||||
No backup is needed.
|
No backup is needed.
|
||||||
|
|
|
@ -1,22 +0,0 @@
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name cyberbrain.aninix.net;
|
|
||||||
|
|
||||||
include sec.conf;
|
|
||||||
include default.csp.conf;
|
|
||||||
include letsencrypt.conf;
|
|
||||||
|
|
||||||
location /
|
|
||||||
{
|
|
||||||
auth_basic "Cyberbrain";
|
|
||||||
auth_basic_user_file ../passwords/cyberbrain.htpasswd;
|
|
||||||
proxy_pass http://127.0.0.1:8822;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_read_timeout 300;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "upgrade";
|
|
||||||
proxy_set_header Host $http_host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Real-PORT $remote_port;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,10 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=AniNIX/Cyberbrain | SSH Web Front End, powered by python-webssh
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
User=webssh
|
|
||||||
EnvironmentFile=/etc/conf.d/webssh
|
|
||||||
ExecStart=/usr/bin/wssh $WEBSSH_ARGS
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,71 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install python-webssh
|
|
||||||
become: yes
|
|
||||||
package:
|
|
||||||
name: python-webssh
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Standardize the servicefile
|
|
||||||
become: yes
|
|
||||||
register: servicefile
|
|
||||||
copy:
|
|
||||||
src: cyberbrain.service
|
|
||||||
dest: /usr/lib/systemd/system/cyberbrain.service
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Ensure default webssh service file is off.
|
|
||||||
become: yes
|
|
||||||
service:
|
|
||||||
name: webssh
|
|
||||||
state: stopped
|
|
||||||
enabled: no
|
|
||||||
|
|
||||||
- systemd:
|
|
||||||
daemon_reload: true
|
|
||||||
when: servicefile.changed
|
|
||||||
become: yes
|
|
||||||
|
|
||||||
- name: Ensure service is restarted
|
|
||||||
when: servicefile.changed
|
|
||||||
become: yes
|
|
||||||
service:
|
|
||||||
name: cyberbrain.service
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
|
|
||||||
- name: Ensure service is started
|
|
||||||
when: not servicefile.changed
|
|
||||||
become: yes
|
|
||||||
service:
|
|
||||||
name: cyberbrain.service
|
|
||||||
enabled: yes
|
|
||||||
state: started
|
|
||||||
|
|
||||||
- name: Add the webserver conf file
|
|
||||||
become: yes
|
|
||||||
register: webserver_conf
|
|
||||||
copy:
|
|
||||||
src: cyberbrain.conf
|
|
||||||
dest: /opt/openresty/nginx/conf.d/cyberbrain.conf
|
|
||||||
owner: root
|
|
||||||
group: http
|
|
||||||
mode: 0750
|
|
||||||
|
|
||||||
- name: Ensure the password file is seeded
|
|
||||||
become: yes
|
|
||||||
template:
|
|
||||||
src: cyberbrain.htpasswd.j2
|
|
||||||
dest: /opt/openresty/nginx/passwords/cyberbrain.htpasswd
|
|
||||||
owner: root
|
|
||||||
group: http
|
|
||||||
mode: 0750
|
|
||||||
|
|
||||||
- name: Reload openresty
|
|
||||||
become: yes
|
|
||||||
when: webserver_conf.changed
|
|
||||||
service:
|
|
||||||
name: openresty.service
|
|
||||||
state: reloaded
|
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
cyberbrain:{PLAIN}{{ passwords.Cyberbrain }}
|
|
|
@ -52,7 +52,7 @@ a {
|
||||||
| sed "s/$ROW/$ANINIXROW/gI" \
|
| sed "s/$ROW/$ANINIXROW/gI" \
|
||||||
| sed "s/$NAV/$ANINIXNAV/gI" \
|
| sed "s/$NAV/$ANINIXNAV/gI" \
|
||||||
| sed "s/$HOVER/$ANINIXHOVER/gI" \
|
| sed "s/$HOVER/$ANINIXHOVER/gI" \
|
||||||
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/css/theme-aninix.css
|
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/assets/css/theme-aninix.css
|
||||||
|
|
||||||
cd /var/lib/gitea/web-snippets
|
cd /var/lib/gitea/web-snippets
|
||||||
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
|
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
|
||||||
|
@ -60,5 +60,5 @@ foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
|
||||||
for i in `find . -type f`; do
|
for i in `find . -type f`; do
|
||||||
(echo "$head"
|
(echo "$head"
|
||||||
cat "$i"
|
cat "$i"
|
||||||
echo "$foot") > /var/lib/gitea/custom/public/"$i".html
|
echo "$foot") > /var/lib/gitea/custom/public/assets/"$i".html
|
||||||
done
|
done
|
||||||
|
|
|
@ -1,16 +1,3 @@
|
||||||
<!-- Google Analytics -->
|
|
||||||
<script type="text/javascript">
|
|
||||||
var _gaq = _gaq || [];
|
|
||||||
_gaq.push(['_setAccount', 'UA-18148792-3']);
|
|
||||||
_gaq.push(['_trackPageview']);
|
|
||||||
|
|
||||||
(function() {
|
|
||||||
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
|
|
||||||
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
|
|
||||||
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
|
|
||||||
})();
|
|
||||||
|
|
||||||
</script>
|
|
||||||
<!-- Replace Gitea icon with AniNIX -->
|
<!-- Replace Gitea icon with AniNIX -->
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
document.getElementById('navbar').children[0].children[0].children[0].src="/assets/img/AniNIX.png";
|
document.getElementById('navbar').children[0].children[0].children[0].src="/assets/img/AniNIX.png";
|
||||||
|
@ -20,5 +7,3 @@ _gaq.push(['_trackPageview']);
|
||||||
document.getElementById("pwdchange").setAttribute("target","_blank");
|
document.getElementById("pwdchange").setAttribute("target","_blank");
|
||||||
document.getElementById("chat").setAttribute("target","_blank");
|
document.getElementById("chat").setAttribute("target","_blank");
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
|
<img width=20px height=20px src='/assets/img/icons/Foundation.png'/>
|
||||||
<a href="https://foundation.aninix.net/explore/repos">Open source security</a>
|
<a href="https://foundation.aninix.net/explore/repos">Open source security</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
|
@ -26,7 +26,7 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20px src='/assets/img/icons/IRCIcon.png'/>
|
<img width=20px height=20px src='/assets/img/icons/IRC.png'/>
|
||||||
<a href='ircs://aninix.net:6697/#lobby'>Contact us anytime</a>
|
<a href='ircs://aninix.net:6697/#lobby'>Contact us anytime</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
|
@ -36,7 +36,7 @@
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20px src="/assets/img/icons/WikiIcon.png"/>
|
<img width=20px height=20px src="/assets/img/icons/Wiki.png"/>
|
||||||
<a href="/AniNIX/Wiki">Open documentation</a>
|
<a href="/AniNIX/Wiki">Open documentation</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
|
@ -45,7 +45,7 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20x src="/assets/img/icons/MaatIcon.png"/>
|
<img width=20px height=20x src="/assets/img/icons/Maat.png"/>
|
||||||
<a href="https://maat.aninix.net/">Downloads</a>
|
<a href="https://maat.aninix.net/">Downloads</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
|
@ -60,10 +60,10 @@
|
||||||
<p>We host a number of web apps to make our users' lives easier.
|
<p>We host a number of web apps to make our users' lives easier.
|
||||||
</div>
|
</div>
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<div class="four wide center column"><a title="AniNIX/Singularity" href="https://singularity.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/icons/SingularityIcon.png" /><p>AniNIX/Singularity (News powered by TT-RSS)</p></a></div>
|
<div class="four wide center column"><a title="AniNIX/Singularity" href="https://singularity.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/icons/Singularity.png" /><p>AniNIX/Singularity (News powered by TT-RSS)</p></a></div>
|
||||||
<div class="four wide center column"><a title="AniNIX/Yggdrasil" href="https://yggdrasil.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/icons/YggdrasilIcon.png" /><p>AniNIX/Yggdrasil (Media powered by Emby)</p></a></div>
|
<div class="four wide center column"><a title="AniNIX/Yggdrasil" href="https://yggdrasil.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/icons/Yggdrasil.png" /><p>AniNIX/Yggdrasil (Media powered by Emby)</p></a></div>
|
||||||
<div class="four wide center column"><a title="AniNIX/Sharingan" href="https://sharingan.aninix.net"><img src="/assets/img/icons/SharinganIcon.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Sharingan (Monitoring powered by Nagios)</p></a></div>
|
<div class="four wide center column"><a title="AniNIX/Sharingan" href="https://sharingan.aninix.net"><img src="/assets/img/icons/Sharingan.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Sharingan (Monitoring powered by Graylog)</p></a></div>
|
||||||
<div class="four wide center column"><a title="AniNIX/WolfPack" href="https://wolfpack.aninix.net"><img src="/assets/img/icons/WolfPackIcon.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/WolfPack (Botnet download results)</p></a></div>
|
<div class="four wide center column"><a title="AniNIX/Cyberbrain" href="https://cyberbrain.aninix.net"><img src="/assets/img/icons/Cyberbrain.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Cyberbrain (SFTP Dropbox)</p></a></div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<hr style="margin-top: 50px;" />
|
<hr style="margin-top: 50px;" />
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
<div class="sixteen wide center aligned centered column">
|
<div class="sixteen wide center aligned centered column">
|
||||||
<!--<div class="ui negative message"><p>We are open despite COVID-19 -- those attending in person will need to sign a waiver of health and follow all state requirements, including wearing a mask.</p></div>-->
|
<!--<div class="ui negative message"><p>We are open despite COVID-19 -- those attending in person will need to sign a waiver of health and follow all state requirements, including wearing a mask.</p></div>-->
|
||||||
<div>
|
<div>
|
||||||
<img class="logo" src="/assets/img/icons/MartialArtsIcon.png" />
|
<img class="logo" src="/assets/img/icons/MartialArts.png" />
|
||||||
</div>
|
</div>
|
||||||
<div class="hero">
|
<div class="hero">
|
||||||
<h1 class="ui icon header title">
|
<h1 class="ui icon header title">
|
||||||
|
@ -16,7 +16,7 @@
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
|
<img width=20px height=20px src='/assets/img/icons/Foundation.png'/>
|
||||||
<a href="/mawiki">Open-source</a>
|
<a href="/mawiki">Open-source</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
|
@ -35,13 +35,13 @@
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20px src="/assets/img/icons/MartialArtsIcon.png"/>
|
<img width=20px height=20px src="/assets/img/icons/MartialArts.png"/>
|
||||||
<a href="/martialarts/index.html#storefront">Low-cost</a>
|
<a href="/martialarts/index.html#storefront">Low-cost</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">We are non-profit group -- we train because we feel like it makes life better, not to make money. As such, our costs are publicly documented and our rates match the same. Classes will be informed of potential changes to costs well in advance, and we use recurring payments. We want you thinking about your training, not how you're going to pay for it.</p>
|
<p class="large">We are non-profit group -- we train because we feel like it makes life better, not to make money. As such, our costs are publicly documented and our rates match the same. Classes will be informed of potential changes to costs well in advance, and we use recurring payments. We want you thinking about your training, not how you're going to pay for it.</p>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
<ul style="text-align: left;">
|
<ul style="text-align: left;">
|
||||||
<li><b>Cost:</b> $10 per month in-person; $5 per month livestream -- pay below.</li>
|
<li><b>Cost:</b> Free</li>
|
||||||
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
|
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
|
||||||
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
|
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
|
||||||
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
|
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
|
||||||
|
@ -51,7 +51,7 @@
|
||||||
</div>
|
</div>
|
||||||
<div class="eight wide center column">
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20x src="/assets/img/icons/IRCIcon.png"/>
|
<img width=20px height=20x src="/assets/img/icons/IRC.png"/>
|
||||||
<a href="/martialarts/index.html#social">Real-life First</a>
|
<a href="/martialarts/index.html#social">Real-life First</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">
|
<p class="large">
|
||||||
|
|
|
@ -1,107 +1,82 @@
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<script src="https://js.stripe.com/v3"></script>
|
|
||||||
<div class="sixteen wide center aligned centered column">
|
<div class="sixteen wide center aligned centered column">
|
||||||
|
<!--<div class="ui negative message"><p>We are open despite COVID-19 -- those attending in person will need to sign a waiver of health and follow all state requirements, including wearing a mask.</p></div>-->
|
||||||
|
<div>
|
||||||
|
<img class="logo" src="/assets/img/icons/MartialArtsIcon.png" />
|
||||||
|
</div>
|
||||||
|
<div class="hero">
|
||||||
<h1 class="ui icon header title">
|
<h1 class="ui icon header title">
|
||||||
AniNIX
|
AniNIX Martial Arts
|
||||||
</h1>
|
</h1>
|
||||||
<h2>Our Storefront</h2>
|
<h2>Open-source, research-driven self-defense and personal health</h2>
|
||||||
<p>We have limited service offerings available. Please contact an admin on IRC first to arrange the contract, then use the item below to pay the invoice.</p>
|
<p>AniNIX Martial Arts is a small martial arts collective focusing on research-driven martial arts. Our core style is USHF HapKiDo, but we are influenced by HEMA, Razmafzar, Kali, Shaolin, Silat, JKD, BJJ, and many other systems. We are a research-driven group -- we encourage cross-training with other systems and will bring in new concepts regularly. The class is open to all experience levels, gender identity, gender expression, sexual orientation, religious or cultural identity, socioecomic status, or age (above 14), in Southcentral Wisconsin -- we will fit your training to your needs and goals.</p><p>Drop-ins are welcome, and registration is cheap. We hope you'll give us a chance to show you what we can do.</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<div class="sixteen wide center column" >
|
<div class="eight wide center column">
|
||||||
<h1 class="hero ui icon header">
|
<h1 class="hero ui icon header">
|
||||||
<img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
|
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
|
||||||
Cybersecurity Consulting
|
<a href="/mawiki">Open-source</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
|
|
||||||
<p class="large">
|
<p class="large">
|
||||||
<form action="./storefront.html" id="hours">
|
We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
|
||||||
<label for="hourcount">Hours required</label>
|
</p>
|
||||||
<select name="hourcount" id="hourscount">
|
</div>
|
||||||
<option value="1">1</option>
|
<div class="eight wide center column">
|
||||||
<option value="2">2</option>
|
<h1 class="hero ui icon header">
|
||||||
<option value="3">3</option>
|
<img width=20px height=20px src='/assets/img/ushf.jpg'/>
|
||||||
<option value="4">4</option>
|
<a href='https://ushapkidofederation.wordpress.com/'>Research-driven</a>
|
||||||
<option value="5">5</option>
|
</h1>
|
||||||
<option value="6">6</option>
|
<p class="large">
|
||||||
<option value="7">7</option>
|
Our system is always growing. We are a United States HapKiDo Federation (USHF) school, and that gives us access to high-quality instructors and seminar material each year from across the US. We also maintain good relationships with other schools in our area -- we want our students to examine what they're learing and make sure that it works, and that means looking at different perspectives.
|
||||||
<option value="8">8</option>
|
</p> </div>
|
||||||
<option value="9">9</option>
|
</div>
|
||||||
<option value="10">10</option>
|
<div class="ui stackable middle very relaxed page grid">
|
||||||
<option value="11">11</option>
|
<div class="eight wide center column">
|
||||||
<option value="12">12</option>
|
<h1 class="hero ui icon header">
|
||||||
<option value="13">13</option>
|
<img width=20px height=20px src="/assets/img/icons/MartialArtsIcon.png"/>
|
||||||
<option value="14">14</option>
|
<a href="/martialarts/index.html#storefront">Low-cost</a>
|
||||||
<option value="15">15</option>
|
</h1>
|
||||||
<option value="16">16</option>
|
<p class="large">We are non-profit group -- we train because we feel like it makes life better, not to make money. As such, our costs are publicly documented and our rates match the same. Classes will be informed of potential changes to costs well in advance, and we use recurring payments. We want you thinking about your training, not how you're going to pay for it.</p>
|
||||||
<option value="17">17</option>
|
<p class="large">
|
||||||
<option value="18">18</option>
|
<ul style="text-align: left;">
|
||||||
<option value="19">19</option>
|
<li><b>Cost:</b> $10 per month in-person; $5 per month livestream -- pay below.</li>
|
||||||
<option value="20">20</option>
|
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
|
||||||
</select>
|
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
|
||||||
<br/>
|
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
|
||||||
</form>
|
<li><b>Location:</b> <a href="https://g.page/aninix-martial-arts?share">225 Blaser Drive, Belleville, WI</a></li>
|
||||||
<!-- START STRIPE CODE -->
|
<li><b>What to bring:</b> Exercise clothes and water</li>
|
||||||
|
</ul></p>
|
||||||
<!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
|
</div>
|
||||||
<button
|
<div class="eight wide center column">
|
||||||
style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
|
<h1 class="hero ui icon header">
|
||||||
id="checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E"
|
<img width=20px height=20x src="/assets/img/icons/IRCIcon.png"/>
|
||||||
role="link"
|
<a href="/martialarts/index.html#social">Real-life First</a>
|
||||||
type="button"
|
</h1>
|
||||||
>
|
<p class="large">
|
||||||
Checkout
|
Everyone is welcome! Class attendance is not mandated and belt-testing is not required to train. As a courtesy, please inform the class of your absence or intended late arrival -- real-life comes first, and we're happy to work with your needs. As long as one person shows, we'll have class -- the smaller the class, the more tailored it is, but the bigger classes mean more partners and body types.</p>
|
||||||
</button>
|
<p class="large">
|
||||||
|
Our focus is also on what you will actually use. While we appreciate traditional and esoteric training for self-development, our weekly classes are focused on modern techniques and training methods so that you get the most out of your time. Our goal is to help create a community of prepared and healthy citizens, and we believe martial arts helps build that in a way no other activity can.
|
||||||
<div id="error-message"></div>
|
|
||||||
|
|
||||||
<script>
|
|
||||||
(function() {
|
|
||||||
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
|
|
||||||
|
|
||||||
var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
|
|
||||||
checkoutButton.addEventListener('click', function () {
|
|
||||||
// When the customer clicks on the button, redirect
|
|
||||||
// them to Checkout.
|
|
||||||
stripe.redirectToCheckout({
|
|
||||||
lineItems: [{price: 'price_1HTuehI49P1uFPoXCW9pJg5E', quantity: parseInt(document.getElementById('hourscount').value)}],
|
|
||||||
mode: 'payment',
|
|
||||||
// Do not rely on the redirect to the successUrl for fulfilling
|
|
||||||
// purchases, customers may not always reach the success_url after
|
|
||||||
// a successful payment.
|
|
||||||
// Instead use one of the strategies described in
|
|
||||||
// https://stripe.com/docs/payments/checkout/fulfill-orders
|
|
||||||
successUrl: window.location.protocol + '//aninix.net/pay/thank-you.html',
|
|
||||||
cancelUrl: window.location.protocol + '//aninix.net/pay/storefront.html',
|
|
||||||
})
|
|
||||||
.then(function (result) {
|
|
||||||
if (result.error) {
|
|
||||||
// If `redirectToCheckout` fails due to a browser or network
|
|
||||||
// error, display the localized error message to your customer.
|
|
||||||
var displayError = document.getElementById('error-message');
|
|
||||||
displayError.textContent = result.error.message;
|
|
||||||
}
|
|
||||||
});
|
|
||||||
});
|
|
||||||
})();
|
|
||||||
</script>
|
|
||||||
<! -- END STRIPE CODE -->
|
|
||||||
</p>
|
</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
|
||||||
<div class="sixteen wide center column" >
|
|
||||||
<hr style="margin-top: 50px;" />
|
<hr style="margin-top: 50px;" />
|
||||||
<h2>Donate</h2>
|
<div class="ui stackable middle very relaxed page grid" id="social">
|
||||||
<p>If you like what we do, you can also donate on one of these platforms:</p>
|
<div class="sixteen wide center aligned centered column">
|
||||||
<ul style="width:500px;text-align: left;margin:auto;">
|
<div class="hero">
|
||||||
<li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
|
<h2 id=social>Follow us on social media</h2>
|
||||||
<li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
|
<p class=large>We want to stay in touch with you, so we are present on the social media platforms we find applicable.<br/> Have one you want us on? Contact us and let us know!</p>
|
||||||
<li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
|
</div>
|
||||||
<li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
|
<div class="ui stackable middle very relaxed page grid" id="social">
|
||||||
</ul>
|
<div class="two wide center column"><p> </p></div>
|
||||||
</div>
|
<div class="two wide center column"><a title=RSS href="/martialarts/maqotw.xml"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/social/rss.png" /></a></div>
|
||||||
|
<div class="two wide center column"><a title=Discord href="https://discord.gg/2bmggfR"><img alt=Discord style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/discord.ico" /></a></div>
|
||||||
|
<div class="two wide center column"><a title=NextDoor href="https://nextdoor.com/news_feed/?post=112835813"><img alt=NextDoor src="/assets/img/social/nextdoor.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
|
||||||
|
<div class="two wide center column"><a title=YouTube href="https://www.youtube.com/channel/UCVAkee-WaInnZbPn16bqzrw/about?view_as=subscriber"><img src="/assets/img/social/youtube.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
|
||||||
|
<div class="two wide center column"><a title=Strava href="https://www.strava.com/clubs/aninixmartialarts"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/strava.png" /></a></div>
|
||||||
|
<div class="two wide center column"><a title=Facebook href="https://www.facebook.com/groups/aninixmartialarts/"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/facebook.png" /></a></div>
|
||||||
|
<div class="two wide center column"><p> </p></div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
@ -1,12 +0,0 @@
|
||||||
<div class="ui stackable middle very relaxed page grid">
|
|
||||||
<div class="sixteen wide center aligned centered column">
|
|
||||||
<div>
|
|
||||||
<img class="logo" src="/assets/img/icons/CoreIcon.png" />
|
|
||||||
</div>
|
|
||||||
<div class="hero">
|
|
||||||
<h2 class="ui icon header title">
|
|
||||||
Thank you for your purchase!
|
|
||||||
</h2>
|
|
||||||
</div>
|
|
||||||
</div>
|
|
||||||
</div>
|
|
|
@ -5,12 +5,6 @@
|
||||||
name:
|
name:
|
||||||
- gitea
|
- gitea
|
||||||
|
|
||||||
- name: BitBot
|
|
||||||
become: yes
|
|
||||||
git:
|
|
||||||
repo: https://github.com/jesopo/bitbot.git
|
|
||||||
dest: /opt/bitbot
|
|
||||||
|
|
||||||
- name: Make directories
|
- name: Make directories
|
||||||
become: yes
|
become: yes
|
||||||
file:
|
file:
|
||||||
|
@ -27,7 +21,7 @@
|
||||||
register: config
|
register: config
|
||||||
template:
|
template:
|
||||||
src: app.ini.j2
|
src: app.ini.j2
|
||||||
dest: /var/lib/gitea/custom/conf/app.ini
|
dest: /etc/gitea/app.ini
|
||||||
owner: gitea
|
owner: gitea
|
||||||
group: gitea
|
group: gitea
|
||||||
mode: 0750
|
mode: 0750
|
||||||
|
@ -53,7 +47,7 @@
|
||||||
become: yes
|
become: yes
|
||||||
get_url:
|
get_url:
|
||||||
url: https://github.com/BenZuser/Emby-Web-Dark-Themes-CSS/raw/master/RED/theme.css
|
url: https://github.com/BenZuser/Emby-Web-Dark-Themes-CSS/raw/master/RED/theme.css
|
||||||
dest: /var/lib/gitea/custom/public/css/emby-web-dark-theme-BenZuser.css
|
dest: /var/lib/gitea/custom/public/assets/css/emby-web-dark-theme-BenZuser.css
|
||||||
owner: gitea
|
owner: gitea
|
||||||
group: gitea
|
group: gitea
|
||||||
|
|
||||||
|
@ -65,23 +59,20 @@
|
||||||
owner: gitea
|
owner: gitea
|
||||||
group: gitea
|
group: gitea
|
||||||
|
|
||||||
- name: Service file
|
- name: Ensure internal service disabled
|
||||||
become: yes
|
|
||||||
register: servicefile
|
|
||||||
copy:
|
|
||||||
src: foundation.service
|
|
||||||
dest: /usr/lib/systemd/system
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: Ensure default service disabled
|
|
||||||
become: yes
|
become: yes
|
||||||
|
ignore_errors: yes
|
||||||
service:
|
service:
|
||||||
name: gitea
|
name: foundation
|
||||||
state: stopped
|
state: stopped
|
||||||
enabled: no
|
enabled: no
|
||||||
|
|
||||||
|
- name: Ensure internal service is absent
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /usr/lib/systemd/system/foundation.service
|
||||||
|
state: absent
|
||||||
|
|
||||||
- name: Generate pages
|
- name: Generate pages
|
||||||
become: yes
|
become: yes
|
||||||
register: custompages
|
register: custompages
|
||||||
|
@ -89,8 +80,8 @@
|
||||||
|
|
||||||
- name: Restart service
|
- name: Restart service
|
||||||
become: yes
|
become: yes
|
||||||
when: config.changed or servicefile.changed or custompages.changed
|
when: config.changed or custompages.changed
|
||||||
service:
|
service:
|
||||||
name: foundation
|
name: gitea
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
|
@ -448,7 +448,7 @@ PROVIDER_CONFIG = data/sessions
|
||||||
; Session cookie name
|
; Session cookie name
|
||||||
COOKIE_NAME = i_like_gitea
|
COOKIE_NAME = i_like_gitea
|
||||||
; If you use session in https only, default is false
|
; If you use session in https only, default is false
|
||||||
COOKIE_SECURE = false
|
COOKIE_SECURE = true
|
||||||
; Enable set cookie, default is true
|
; Enable set cookie, default is true
|
||||||
ENABLE_SET_COOKIE = true
|
ENABLE_SET_COOKIE = true
|
||||||
; Session GC time interval in seconds, default is 86400 (1 day)
|
; Session GC time interval in seconds, default is 86400 (1 day)
|
||||||
|
@ -457,8 +457,8 @@ GC_INTERVAL_TIME = 86400
|
||||||
SESSION_LIFE_TIME = 86400
|
SESSION_LIFE_TIME = 86400
|
||||||
|
|
||||||
[picture]
|
[picture]
|
||||||
AVATAR_UPLOAD_PATH = data/avatars
|
AVATAR_UPLOAD_PATH = avatars
|
||||||
REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
|
REPOSITORY_AVATAR_UPLOAD_PATH = repo-avatars
|
||||||
; How Gitea deals with missing repository avatars
|
; How Gitea deals with missing repository avatars
|
||||||
; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
|
; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
|
||||||
REPOSITORY_AVATAR_FALLBACK = none
|
REPOSITORY_AVATAR_FALLBACK = none
|
||||||
|
@ -501,7 +501,7 @@ FORMAT =
|
||||||
[log]
|
[log]
|
||||||
ROOT_PATH = %(GITEA_WORK_DIR)/log
|
ROOT_PATH = %(GITEA_WORK_DIR)/log
|
||||||
MODE = console
|
MODE = console
|
||||||
LEVEL = Info
|
LEVEL = Warn
|
||||||
STACKTRACE_LEVEL = None
|
STACKTRACE_LEVEL = None
|
||||||
logger.router.MODE = ,
|
logger.router.MODE = ,
|
||||||
logger.xorm.MODE = ,
|
logger.xorm.MODE = ,
|
||||||
|
@ -516,9 +516,9 @@ BUFFER_LEN = 10000
|
||||||
ACCESS_LOG_TEMPLATE = {{ '{{' }}.Ctx.RemoteAddr{{ '}}' }} - {{ '{{' }}.Identity{{ '}}' }} {{ '{{' }}.Start.Format "[02/Jan/2006:15:04:05 -0700]" {{ '}}' }} "{{ '{{' }}.Ctx.Req.Method{{ '}}' }} {{ '{{' }}.Ctx.Req.RequestURI{{ '}}' }} {{ '{{' }}.Ctx.Req.Proto{{ '}}' }}" {{ '{{' }}.ResponseWriter.Status{{ '}}' }} {{ '{{' }}.ResponseWriter.Size{{ '}}' }} "{{ '{{' }}.Ctx.Req.Referer{{ '}}' }}\" \"{{ '{{' }}.Ctx.Req.UserAgent{{ '}}' }}"
|
ACCESS_LOG_TEMPLATE = {{ '{{' }}.Ctx.RemoteAddr{{ '}}' }} - {{ '{{' }}.Identity{{ '}}' }} {{ '{{' }}.Start.Format "[02/Jan/2006:15:04:05 -0700]" {{ '}}' }} "{{ '{{' }}.Ctx.Req.Method{{ '}}' }} {{ '{{' }}.Ctx.Req.RequestURI{{ '}}' }} {{ '{{' }}.Ctx.Req.Proto{{ '}}' }}" {{ '{{' }}.ResponseWriter.Status{{ '}}' }} {{ '{{' }}.ResponseWriter.Size{{ '}}' }} "{{ '{{' }}.Ctx.Req.Referer{{ '}}' }}\" \"{{ '{{' }}.Ctx.Req.UserAgent{{ '}}' }}"
|
||||||
logger.access.MODE = console
|
logger.access.MODE = console
|
||||||
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
|
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
|
||||||
LEVEL = Info
|
LEVEL = Warn
|
||||||
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
|
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
|
||||||
STACKTRACE_LEVEL = Critical
|
STACKTRACE_LEVEL = None
|
||||||
|
|
||||||
; Generic log modes
|
; Generic log modes
|
||||||
[log.x]
|
[log.x]
|
||||||
|
|
|
@ -9,35 +9,23 @@ https://aur.archlinux.org/brscan4.git
|
||||||
https://aur.archlinux.org/carbonyl-bin.git
|
https://aur.archlinux.org/carbonyl-bin.git
|
||||||
https://aur.archlinux.org/castnow-git.git
|
https://aur.archlinux.org/castnow-git.git
|
||||||
https://aur.archlinux.org/ccrypt.git
|
https://aur.archlinux.org/ccrypt.git
|
||||||
https://aur.archlinux.org/chromium-pepper-flash.git
|
|
||||||
https://aur.archlinux.org/defcon.git
|
|
||||||
https://aur.archlinux.org/discord-cli-git.git
|
|
||||||
https://aur.archlinux.org/discord-irc.git
|
https://aur.archlinux.org/discord-irc.git
|
||||||
https://aur.archlinux.org/downgrader.git
|
|
||||||
https://aur.archlinux.org/dotnet-core-bin.git
|
https://aur.archlinux.org/dotnet-core-bin.git
|
||||||
https://aur.archlinux.org/dotnet-runtime-bin.git
|
|
||||||
https://aur.archlinux.org/freeme2.git
|
https://aur.archlinux.org/freeme2.git
|
||||||
https://aur.archlinux.org/genymotion.git
|
https://aur.archlinux.org/genymotion.git
|
||||||
https://aur.archlinux.org/gnome-alsamixer.git
|
https://aur.archlinux.org/gnome-alsamixer.git
|
||||||
https://aur.archlinux.org/google-chrome.git
|
https://aur.archlinux.org/google-chrome.git
|
||||||
https://aur.archlinux.org/google-earth.git
|
|
||||||
https://aur.archlinux.org/googlecl.git
|
https://aur.archlinux.org/googlecl.git
|
||||||
https://aur.archlinux.org/googler.git
|
https://aur.archlinux.org/googler.git
|
||||||
https://aur.archlinux.org/graylog.git
|
https://aur.archlinux.org/graylog.git
|
||||||
https://aur.archlinux.org/graylog-collector-sidecar.git
|
https://aur.archlinux.org/graylog-collector-sidecar.git
|
||||||
https://aur.archlinux.org/gsa.git
|
|
||||||
https://aur.archlinux.org/gstreamer0.10-ffmpeg.git
|
|
||||||
https://aur.archlinux.org/gtk-xfce-engine.git
|
https://aur.archlinux.org/gtk-xfce-engine.git
|
||||||
https://aur.archlinux.org/gvmd.git
|
|
||||||
https://aur.archlinux.org/gyazo.git
|
https://aur.archlinux.org/gyazo.git
|
||||||
https://aur.archlinux.org/helloworld.git
|
|
||||||
https://aur.archlinux.org/injection.git
|
https://aur.archlinux.org/injection.git
|
||||||
https://aur.archlinux.org/inspircd.git
|
https://aur.archlinux.org/inspircd.git
|
||||||
https://aur.archlinux.org/irker.git
|
https://aur.archlinux.org/irker.git
|
||||||
https://aur.archlinux.org/jmtpfs.git
|
https://aur.archlinux.org/jmtpfs.git
|
||||||
https://aur.archlinux.org/jpcsp.git
|
|
||||||
https://aur.archlinux.org/js.git
|
https://aur.archlinux.org/js.git
|
||||||
https://aur.archlinux.org/kpcli.git
|
|
||||||
https://aur.archlinux.org/lib32-glib.git
|
https://aur.archlinux.org/lib32-glib.git
|
||||||
https://aur.archlinux.org/libdaq.git
|
https://aur.archlinux.org/libdaq.git
|
||||||
https://aur.archlinux.org/libdwarf-20140413.git
|
https://aur.archlinux.org/libdwarf-20140413.git
|
||||||
|
@ -50,28 +38,22 @@ https://aur.archlinux.org/mkinitcpio-utils.git
|
||||||
https://aur.archlinux.org/mpir.git
|
https://aur.archlinux.org/mpir.git
|
||||||
https://aur.archlinux.org/mongodb-bin.git
|
https://aur.archlinux.org/mongodb-bin.git
|
||||||
https://aur.archlinux.org/mongodb-tools-bin.git
|
https://aur.archlinux.org/mongodb-tools-bin.git
|
||||||
|
https://aur.archlinux.org/mongosh-bin.git
|
||||||
https://aur.archlinux.org/nordvpn-bin.git
|
https://aur.archlinux.org/nordvpn-bin.git
|
||||||
https://aur.archlinux.org/oinkmaster.git
|
https://aur.archlinux.org/oinkmaster.git
|
||||||
https://aur.archlinux.org/openresty.git
|
https://aur.archlinux.org/openresty.git
|
||||||
https://aur.archlinux.org/openvas-scanner.git
|
|
||||||
https://aur.archlinux.org/openvisualtraceroute.git
|
https://aur.archlinux.org/openvisualtraceroute.git
|
||||||
https://aur.archlinux.org/ospd.git
|
https://aur.archlinux.org/ospd.git
|
||||||
https://aur.archlinux.org/ospd-openvas.git
|
|
||||||
https://aur.archlinux.org/ossec-local.git
|
|
||||||
https://aur.archlinux.org/pwm.git
|
|
||||||
https://aur.archlinux.org/pcmciautils.git
|
https://aur.archlinux.org/pcmciautils.git
|
||||||
https://aur.archlinux.org/pdfshuffler.git
|
|
||||||
https://aur.archlinux.org/pear-net-ldap2.git
|
https://aur.archlinux.org/pear-net-ldap2.git
|
||||||
https://aur.archlinux.org/perl-clipboard.git
|
https://aur.archlinux.org/perl-clipboard.git
|
||||||
https://aur.archlinux.org/perl-crypt-rijndael.git
|
https://aur.archlinux.org/perl-crypt-rijndael.git
|
||||||
https://aur.archlinux.org/perl-expect.git
|
https://aur.archlinux.org/perl-expect.git
|
||||||
https://aur.archlinux.org/perl-file-keepass.git
|
|
||||||
https://aur.archlinux.org/perl-net-sftp-foreign.git
|
https://aur.archlinux.org/perl-net-sftp-foreign.git
|
||||||
https://aur.archlinux.org/perl-php-serialization.git
|
https://aur.archlinux.org/perl-php-serialization.git
|
||||||
https://aur.archlinux.org/perl-sys-mmap.git
|
https://aur.archlinux.org/perl-sys-mmap.git
|
||||||
https://aur.archlinux.org/perl-term-shellui.git
|
https://aur.archlinux.org/perl-term-shellui.git
|
||||||
https://aur.archlinux.org/php-pear.git
|
https://aur.archlinux.org/php-pear.git
|
||||||
https://aur.archlinux.org/php-zts.git
|
|
||||||
https://aur.archlinux.org/pm-utils.git
|
https://aur.archlinux.org/pm-utils.git
|
||||||
https://aur.archlinux.org/powerpanel.git
|
https://aur.archlinux.org/powerpanel.git
|
||||||
https://aur.archlinux.org/python-aiohttp.git
|
https://aur.archlinux.org/python-aiohttp.git
|
||||||
|
@ -92,16 +74,14 @@ https://aur.archlinux.org/savage.git
|
||||||
https://aur.archlinux.org/self-service-password.git
|
https://aur.archlinux.org/self-service-password.git
|
||||||
https://aur.archlinux.org/smarty3.git
|
https://aur.archlinux.org/smarty3.git
|
||||||
https://aur.archlinux.org/suricata.git
|
https://aur.archlinux.org/suricata.git
|
||||||
https://aur.archlinux.org/swfdec.git
|
https://aur.archlinux.org/tor-browser-bin.git
|
||||||
https://aur.archlinux.org/swfdec-gnome.git
|
|
||||||
https://aur.archlinux.org/systemdjournal2gelf.git
|
|
||||||
https://aur.archlinux.org/tor-browser-en.git
|
|
||||||
https://aur.archlinux.org/trid.git
|
https://aur.archlinux.org/trid.git
|
||||||
https://aur.archlinux.org/tt-rss-auth-ldap-git.git
|
https://aur.archlinux.org/tt-rss-auth-ldap-git.git
|
||||||
https://aur.archlinux.org/udisks.git
|
https://aur.archlinux.org/udisks.git
|
||||||
https://aur.archlinux.org/undvd.git
|
https://aur.archlinux.org/undvd.git
|
||||||
https://aur.archlinux.org/uniglot.git
|
https://aur.archlinux.org/uniglot.git
|
||||||
https://aur.archlinux.org/unvanquished.git
|
https://aur.archlinux.org/unvanquished.git
|
||||||
|
https://aur.archlinux.org/unvanquished-data.git
|
||||||
https://aur.archlinux.org/vbam-gtk.git
|
https://aur.archlinux.org/vbam-gtk.git
|
||||||
https://aur.archlinux.org/xfce4-mixer.git
|
https://aur.archlinux.org/xfce4-mixer.git
|
||||||
https://aur.archlinux.org/xorg-server-utils.git
|
https://aur.archlinux.org/xorg-server-utils.git
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
port: 9129
|
|
||||||
download_timeout: 3600 # download will timeout after 3600 seconds
|
|
||||||
cache_dir: /var/cache/pacoloco
|
|
||||||
purge_files_after: 360000 # 360000 seconds or 100 hours, 0 to disable
|
|
||||||
repos:
|
|
||||||
archlinux:
|
|
||||||
urls:
|
|
||||||
- http://mirrors.gigenet.com/archlinux/
|
|
||||||
- http://mnvoip.mm.fcix.net/archlinux/
|
|
||||||
- http://mirrors.kernel.org/archlinux/
|
|
||||||
- http://ftp.osuosl.org/pub/archlinux/
|
|
||||||
- https://mnvoip.mm.fcix.net/archlinux/
|
|
||||||
- http://southfront.mm.fcix.net/archlinux/
|
|
||||||
user_agent: Pacoloco
|
|
|
@ -17,6 +17,7 @@
|
||||||
|
|
||||||
- name: Maat configuration
|
- name: Maat configuration
|
||||||
become: yes
|
become: yes
|
||||||
|
register: aurlist
|
||||||
copy:
|
copy:
|
||||||
src: aur.list
|
src: aur.list
|
||||||
dest: /usr/local/etc/Maat/aur.list
|
dest: /usr/local/etc/Maat/aur.list
|
||||||
|
@ -28,6 +29,13 @@
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: yes
|
enabled: yes
|
||||||
|
|
||||||
|
- name: Start Maat build cycle
|
||||||
|
become: yes
|
||||||
|
when: aurlist.changed
|
||||||
|
service:
|
||||||
|
name: maat.service
|
||||||
|
state: started
|
||||||
|
|
||||||
- name: Generate mirrorlist
|
- name: Generate mirrorlist
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
run_once: yes
|
run_once: yes
|
||||||
|
|
|
@ -1,16 +0,0 @@
|
||||||
A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.
|
|
||||||
|
|
||||||
## Etymology
|
|
||||||
Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This is akin to the mastermind [Reaper AI](https://masseffect.fandom.com/wiki/Sovereign) from the Mass Effect franchise, and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
|
|
||||||
|
|
||||||
## Capacity and Components
|
|
||||||
A Nazara host needs minimal CPU or memory.
|
|
||||||
|
|
||||||
## Hosted Services and Entities
|
|
||||||
Nazara should host a Pihole installation and [SSH](../Services/SSH.md). It should be NAT'ed to an obscure port to the outside world.
|
|
||||||
|
|
||||||
## Connections
|
|
||||||
Any host should be able to connect to a Nazara with SSH and X11, and it should be able to dial to any service provider.
|
|
||||||
|
|
||||||
## Additional Reference
|
|
||||||
Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
|
|
|
@ -61,3 +61,11 @@
|
||||||
when: qemubr.changed or br0.changed
|
when: qemubr.changed or br0.changed
|
||||||
debug:
|
debug:
|
||||||
msg: You may need to restart VMs on the Node.
|
msg: You may need to restart VMs on the Node.
|
||||||
|
|
||||||
|
- name: Enable VMs
|
||||||
|
become: yes
|
||||||
|
with_items: "{{ active_vms }}"
|
||||||
|
service:
|
||||||
|
name: "{{ item }}-vm.service"
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
|
|
@ -1,14 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=AniNIX/{{ inventory_hostname }}
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/{{ inventory_hostname }} -machine type=pc,accel=kvm -bios /usr/share/edk2-ovmf/x64/OVMF.fd -cpu host -smp {{ cores }} {{ disks }} -net nic,macaddr={{ mac }},model=virtio -net bridge,br={{ bridge }} -vga std -nographic -vnc :{{ vnc }} -m size={{ memory }}G -device virtio-rng-pci
|
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
KillMode=process
|
|
||||||
Restart=always
|
|
||||||
User=root
|
|
||||||
Group=root
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
slapcat -a "(!(entryDN:dnSubtreeMatch:=ou=People,dc=aninix,dc=net))"
|
|
@ -0,0 +1,119 @@
|
||||||
|
dn: dc=aninix,dc=net
|
||||||
|
objectClass: dcObject
|
||||||
|
objectClass: organization
|
||||||
|
dc: aninix
|
||||||
|
o: AniNIXUsers
|
||||||
|
description: AniNIX::LDAP Crediential Directory
|
||||||
|
structuralObjectClass: organization
|
||||||
|
entryUUID: a521b05a-3532-4042-bf8f-3631a1e51b94
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20160901205333Z
|
||||||
|
entryCSN: 20160901205333.449191Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20160901205333Z
|
||||||
|
|
||||||
|
dn: cn=root,dc=aninix,dc=net
|
||||||
|
objectClass: organizationalRole
|
||||||
|
cn: root
|
||||||
|
description: Directory Manager
|
||||||
|
structuralObjectClass: organizationalRole
|
||||||
|
entryUUID: 9e4273d9-d002-4015-a774-bed02afd6cc9
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20160901205333Z
|
||||||
|
pwdLastSuccess: 20220918222625Z
|
||||||
|
entryCSN: 20220918222625.132392Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20220918222625Z
|
||||||
|
|
||||||
|
dn: ou=Group,dc=aninix,dc=net
|
||||||
|
ou: Group
|
||||||
|
objectClass: top
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
structuralObjectClass: organizationalUnit
|
||||||
|
entryUUID: 475e1ae1-d992-4a9a-85de-e7f71974ac03
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20160901214257Z
|
||||||
|
entryCSN: 20160901214257.941445Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20160901214257Z
|
||||||
|
|
||||||
|
dn: cn=ldapuser,ou=Group,dc=aninix,dc=net
|
||||||
|
cn: ldapuser
|
||||||
|
gidNumber: 10000
|
||||||
|
objectClass: posixGroup
|
||||||
|
objectClass: top
|
||||||
|
structuralObjectClass: posixGroup
|
||||||
|
entryUUID: dc17d42d-fae9-496d-b362-82f27679476c
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20160903051753Z
|
||||||
|
entryCSN: 20160903051753.156600Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20160903051753Z
|
||||||
|
|
||||||
|
dn: cn=hypervisorauth,ou=Group,dc=aninix,dc=net
|
||||||
|
cn: hypervisorauth
|
||||||
|
gidNumber: 10001
|
||||||
|
objectClass: posixGroup
|
||||||
|
objectClass: top
|
||||||
|
structuralObjectClass: posixGroup
|
||||||
|
entryUUID: 88cb5e2c-ee93-4d62-a83a-63ceff9ceba0
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20160903061147Z
|
||||||
|
memberUid: lurso3
|
||||||
|
entryCSN: 20160903061653.689826Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20160903061653Z
|
||||||
|
|
||||||
|
dn: ou=pwpolicies,dc=aninix,dc=net
|
||||||
|
ou: pwpolicies
|
||||||
|
objectClass: top
|
||||||
|
objectClass: organizationalUnit
|
||||||
|
structuralObjectClass: organizationalUnit
|
||||||
|
entryUUID: ee2c6fc6-a40a-4d6f-992e-c1a04439f022
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20161029155416Z
|
||||||
|
entryCSN: 20161029155416.247439Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20161029155416Z
|
||||||
|
|
||||||
|
dn: cn=default,ou=pwpolicies,dc=aninix,dc=net
|
||||||
|
objectClass: pwdPolicy
|
||||||
|
objectClass: person
|
||||||
|
objectClass: top
|
||||||
|
cn: default
|
||||||
|
sn: Default
|
||||||
|
pwdAttribute: userPassword
|
||||||
|
pwdMaxAge: 31536000
|
||||||
|
pwdExpireWarning: 604800
|
||||||
|
pwdInHistory: 12
|
||||||
|
pwdCheckQuality: 1
|
||||||
|
pwdMaxFailure: 5
|
||||||
|
pwdLockout: TRUE
|
||||||
|
pwdLockoutDuration: 86400
|
||||||
|
pwdGraceAuthNLimit: 3
|
||||||
|
pwdFailureCountInterval: 3600
|
||||||
|
pwdMustChange: TRUE
|
||||||
|
pwdMinLength: 8
|
||||||
|
pwdAllowUserChange: TRUE
|
||||||
|
pwdSafeModify: FALSE
|
||||||
|
structuralObjectClass: person
|
||||||
|
entryUUID: f983ea45-deca-4b8f-8e55-cebbacf392ba
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20161029171109Z
|
||||||
|
entryCSN: 20161029171109.930559Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20161029171109Z
|
||||||
|
|
||||||
|
dn: cn=DarkFeather,ou=Group,dc=aninix,dc=net
|
||||||
|
cn: DarkFeather
|
||||||
|
gidNumber: 10002
|
||||||
|
objectClass: posixGroup
|
||||||
|
objectClass: top
|
||||||
|
memberUid: DarkFeather
|
||||||
|
structuralObjectClass: posixGroup
|
||||||
|
entryUUID: 1f333fb2-0611-4235-ba07-aa9fa0edb439
|
||||||
|
creatorsName: cn=root,dc=aninix,dc=net
|
||||||
|
createTimestamp: 20201018201805Z
|
||||||
|
entryCSN: 20201018201805.104347Z#000000#000#000000
|
||||||
|
modifiersName: cn=root,dc=aninix,dc=net
|
||||||
|
modifyTimestamp: 20201018201805Z
|
|
@ -0,0 +1,26 @@
|
||||||
|
binlist = ldap-adduser ldap-userreport ldap-resetpass
|
||||||
|
filelist = sample-user.ldif
|
||||||
|
|
||||||
|
compile:
|
||||||
|
@echo Nothing to do
|
||||||
|
|
||||||
|
install: clean ${binlist} ${filelist}
|
||||||
|
mkdir -p ${pkgdir}/opt/aninix/Password/
|
||||||
|
for i in ${filelist}; do install -m 0640 -o ldap -g ldap $$i ${pkgdir}/opt/aninix/Password/; done
|
||||||
|
mkdir -p ${pkgdir}/usr/local/sbin/
|
||||||
|
for i in ${binlist}; do install -m 0750 -o root -g root $$i ${pkgdir}/usr/local/sbin; done
|
||||||
|
|
||||||
|
test: compile
|
||||||
|
@echo Nothing to do
|
||||||
|
|
||||||
|
clean:
|
||||||
|
@echo Nothing to do.
|
||||||
|
|
||||||
|
diff:
|
||||||
|
@echo Nothing to do.
|
||||||
|
|
||||||
|
reverse:
|
||||||
|
@echo Nothing to do.
|
||||||
|
|
||||||
|
checkperm:
|
||||||
|
@echo Nothing to do.
|
|
@ -0,0 +1,46 @@
|
||||||
|
depends=('bash>=4.4' 'openldap')
|
||||||
|
makedepends=('make>=4.2')
|
||||||
|
checkdepends=()
|
||||||
|
optdepends=()
|
||||||
|
pkgname="Password-Scripts"
|
||||||
|
pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
|
||||||
|
pkgrel=1
|
||||||
|
pkgrel() {
|
||||||
|
echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 ))
|
||||||
|
}
|
||||||
|
epoch="$(git log | grep -c commit)"
|
||||||
|
pkgdesc="AniNIX/Password Scripts"
|
||||||
|
arch=("x86_64")
|
||||||
|
url="$(git config remote.origin.url | sed 's/.git$//')"
|
||||||
|
license=('custom')
|
||||||
|
groups=()
|
||||||
|
provides=("${pkgname}")
|
||||||
|
conflicts=()
|
||||||
|
replaces=("${pkgname,,}" "aninix-${pkgname,,}")
|
||||||
|
backup=()
|
||||||
|
options=()
|
||||||
|
install=
|
||||||
|
changelog=
|
||||||
|
source=()
|
||||||
|
noextract=()
|
||||||
|
md5sums=()
|
||||||
|
validpgpkeys=()
|
||||||
|
|
||||||
|
prepare() {
|
||||||
|
git pull || true
|
||||||
|
}
|
||||||
|
|
||||||
|
build() {
|
||||||
|
make -C ..
|
||||||
|
}
|
||||||
|
|
||||||
|
check() {
|
||||||
|
chmod -R u+r ../pkg
|
||||||
|
make -C .. test
|
||||||
|
}
|
||||||
|
|
||||||
|
package() {
|
||||||
|
export pkgdir="${pkgdir}"
|
||||||
|
make -C .. install
|
||||||
|
install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
|
||||||
|
}
|
|
@ -43,16 +43,17 @@ if [ "$?" -eq 0 ]; then
|
||||||
read answer
|
read answer
|
||||||
if [ "$answer" == "YES" ]; then
|
if [ "$answer" == "YES" ]; then
|
||||||
file="/etc/openldap/users.d/$username.ldif"
|
file="/etc/openldap/users.d/$username.ldif"
|
||||||
cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
|
cp /opt/aninix/Password/sample-user.ldif "$file"
|
||||||
line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
|
line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
|
||||||
line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
|
line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
|
||||||
line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
|
line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /$username/#" "$file"
|
||||||
line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
|
line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
|
||||||
line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
|
line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
|
||||||
line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
|
line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
|
||||||
ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
|
ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
|
||||||
ldap-resetpass "$username"
|
ldap-resetpass "$username"
|
||||||
# usermod -a -G ssh-allow,passwdchange "$username"
|
# Create default home
|
||||||
|
cp -r /etc/skel "/home/$username"; chmod 0027 "/home/$username"; chown -R "$username": "/home/$username"
|
||||||
fi
|
fi
|
||||||
rmdir "$lockfile"
|
rmdir "$lockfile"
|
||||||
exit 0;
|
exit 0;
|
|
@ -7,11 +7,11 @@ if [ -z "$uid" ]; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net"
|
ldappasswd -D 'cn=root,dc=aninix,dc=net' -W "uid=$uid,ou=People,dc=aninix,dc=net"
|
||||||
|
|
||||||
if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
|
if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
|
||||||
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
|
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
|
||||||
fi
|
fi
|
||||||
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
|
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
|
||||||
|
|
||||||
exit $?
|
exit $?
|
|
@ -8,17 +8,9 @@ function shortshow() {
|
||||||
echo ${user}": "$email
|
echo ${user}": "$email
|
||||||
}
|
}
|
||||||
|
|
||||||
function queryLDAPAttribute() {
|
|
||||||
ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //"
|
|
||||||
}
|
|
||||||
|
|
||||||
basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\ | sed 's/dn: cn=root,//'`
|
basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\ | sed 's/dn: cn=root,//'`
|
||||||
|
|
||||||
maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)"
|
for user in `ldapsearch -x -b "ou=People,$basedn" '(uid=*)' uid | grep -E ^uid:\ | sed 's/^uid: //'`; do
|
||||||
changeAge=$(( $maxAge - 2592000 ))
|
|
||||||
deleteAge=$(( 2 * $maxAge ))
|
|
||||||
|
|
||||||
for user in `queryLDAPAttribute '(uid=*)' uid`; do
|
|
||||||
|
|
||||||
# Pull changed stats
|
# Pull changed stats
|
||||||
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
|
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
|
||||||
|
@ -45,7 +37,7 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do
|
||||||
if [ "$lastChanged" == "$errortext" ]; then
|
if [ "$lastChanged" == "$errortext" ]; then
|
||||||
shortshow
|
shortshow
|
||||||
else
|
else
|
||||||
if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi
|
if [ $delta -gt 28512000 ] && [ $delta -lt 31536000 ]; then shortshow; fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
"--expired")
|
"--expired")
|
||||||
|
@ -53,11 +45,6 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do
|
||||||
shortshow;
|
shortshow;
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
"--removeable")
|
|
||||||
if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then
|
|
||||||
shortshow;
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
*)
|
||||||
cat
|
cat
|
||||||
;;
|
;;
|
|
@ -0,0 +1,21 @@
|
||||||
|
dn: uid=testuser,ou=People,dc=aninix,dc=net
|
||||||
|
objectClass: top
|
||||||
|
objectClass: person
|
||||||
|
objectClass: organizationalPerson
|
||||||
|
objectClass: inetOrgPerson
|
||||||
|
objectClass: posixAccount
|
||||||
|
objectClass: shadowAccount
|
||||||
|
uid: testuser
|
||||||
|
cn: Test User
|
||||||
|
sn: User
|
||||||
|
givenName: Test
|
||||||
|
title: User
|
||||||
|
telephoneNumber: +0 000 000 0000
|
||||||
|
mobile: +0 000 000 0000
|
||||||
|
postalAddress: AddressLine1$AddressLine2$AddressLine3
|
||||||
|
loginShell: /bin/bash
|
||||||
|
uidNumber: 10006
|
||||||
|
gidNumber: 10000
|
||||||
|
homeDirectory: /home/testuser
|
||||||
|
description: Work contact
|
||||||
|
mail: testuser@aninix.net
|
|
@ -0,0 +1,35 @@
|
||||||
|
---
|
||||||
|
- name: Create the base config
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: slapd.ldif
|
||||||
|
dest: /etc/openldap/slapd.ldif
|
||||||
|
owner: ldap
|
||||||
|
group: ldap
|
||||||
|
mode: 0640
|
||||||
|
|
||||||
|
- name: Create the directories
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
owner: ldap
|
||||||
|
group: ldap
|
||||||
|
mode: 0700
|
||||||
|
loop:
|
||||||
|
- /var/lib/openldap/openldap-data/
|
||||||
|
- /etc/openldap
|
||||||
|
- /etc/openldap/users.d
|
||||||
|
- /etc/openldap/groups.d
|
||||||
|
- /etc/openldap/slapd.d
|
||||||
|
|
||||||
|
- name: Initialize the instance
|
||||||
|
become: yes
|
||||||
|
command:
|
||||||
|
cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap
|
||||||
|
creates: /etc/openldap/slapd.d/cn=config
|
||||||
|
|
||||||
|
- name: Ensure the service
|
||||||
|
become: yes
|
||||||
|
service:
|
||||||
|
name: slapd
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Set login config
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: nslcd.conf.j2
|
||||||
|
dest: /etc/nslcd.conf
|
||||||
|
owner: nslcd
|
||||||
|
group: nslcd
|
||||||
|
mode: 0600
|
||||||
|
|
||||||
|
- name: Ensure login service
|
||||||
|
become: yes
|
||||||
|
service:
|
||||||
|
name: nslcd
|
||||||
|
state: restarted
|
||||||
|
enabled: yes
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
- name: Sora packages
|
||||||
|
become: yes
|
||||||
|
package:
|
||||||
|
name:
|
||||||
|
- openldap
|
||||||
|
- Password-Scripts
|
||||||
|
|
||||||
|
- include_tasks: daemon.yml
|
||||||
|
|
||||||
|
- include_tasks: login.yml
|
||||||
|
|
||||||
|
- include_tasks: web.yml
|
|
@ -0,0 +1,24 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Clone the web portal
|
||||||
|
become: yes
|
||||||
|
git:
|
||||||
|
repo: https://github.com/ltb-project/self-service-password
|
||||||
|
dest: /usr/share/webapps/self-service-password
|
||||||
|
|
||||||
|
- name: Ensure web portal ownership
|
||||||
|
file:
|
||||||
|
state: directory
|
||||||
|
owner: http
|
||||||
|
group: http
|
||||||
|
path: /usr/share/webapps/self-service-password
|
||||||
|
recurse: true
|
||||||
|
|
||||||
|
- name: Web portal config
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: config.inc.php.j2
|
||||||
|
dest: /usr/share/webapps/self-service-password/conf/config.inc.php
|
||||||
|
owner: http
|
||||||
|
group: http
|
||||||
|
mode: 0600
|
|
@ -41,21 +41,23 @@ ChallengeResponseAuthentication no
|
||||||
HostbasedAuthentication no
|
HostbasedAuthentication no
|
||||||
KerberosAuthentication no
|
KerberosAuthentication no
|
||||||
GSSAPIAuthentication no
|
GSSAPIAuthentication no
|
||||||
DenyGroups [^ssh-allow]
|
|
||||||
AllowGroups ssh-allow
|
|
||||||
PermitRootLogin no
|
PermitRootLogin no
|
||||||
PermitEmptyPasswords no
|
PermitEmptyPasswords no
|
||||||
|
|
||||||
## Access Controls
|
## By default, only ssh-allow or ldapusers are allowed to sftp
|
||||||
Match Group ssh-forward
|
AllowGroups ssh sftp ldapuser
|
||||||
|
Match Group ldapuser,sftp
|
||||||
|
ForceCommand internal-sftp
|
||||||
|
ChrootDirectory /home
|
||||||
|
|
||||||
|
## Special groups are allowed shell
|
||||||
|
Match Group wheel,ssh-allow
|
||||||
AllowTcpForwarding yes
|
AllowTcpForwarding yes
|
||||||
PermitTunnel yes
|
PermitTunnel yes
|
||||||
AllowAgentForwarding yes
|
AllowAgentForwarding yes
|
||||||
X11Forwarding yes
|
X11Forwarding yes
|
||||||
|
ForceCommand none
|
||||||
Match Group sftp-home-jail
|
ChrootDirectory none
|
||||||
ForceCommand internal-sftp
|
|
||||||
ChrootDirectory /home
|
|
||||||
|
|
||||||
# Allow other packages to ship snippets
|
# Allow other packages to ship snippets
|
||||||
Include /etc/ssh/includes/*
|
Include /etc/ssh/includes/*
|
||||||
|
|
|
@ -34,15 +34,14 @@
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
loop:
|
loop:
|
||||||
- ssh-allow
|
- ssh
|
||||||
- ssh-forward
|
- sftp
|
||||||
- sftp-home-jail
|
|
||||||
|
|
||||||
- name: Add SSH user to ssh-allow
|
- name: Add SSH user to ssh group
|
||||||
become: yes
|
become: yes
|
||||||
user:
|
user:
|
||||||
name: "{{ ansible_user_id }}"
|
name: "{{ ansible_user_id }}"
|
||||||
groups: ssh-allow
|
groups: ssh
|
||||||
append: yes
|
append: yes
|
||||||
|
|
||||||
- name: Copy the SSH key
|
- name: Copy the SSH key
|
||||||
|
@ -75,7 +74,7 @@
|
||||||
file:
|
file:
|
||||||
path: /etc/ssh/includes
|
path: /etc/ssh/includes
|
||||||
state: directory
|
state: directory
|
||||||
user: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
|
|
|
@ -37,30 +37,20 @@
|
||||||
group: http
|
group: http
|
||||||
mode: 2755
|
mode: 2755
|
||||||
|
|
||||||
- name: Copy TLSA script
|
- name: Remove old TLSA script
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /usr/local/sbin/tlsa-generation.bash
|
||||||
|
state: absent
|
||||||
|
|
||||||
|
- name: Copy record generator script
|
||||||
become: yes
|
become: yes
|
||||||
template:
|
template:
|
||||||
src: tlsa-generation.bash.j2
|
src: record-generation.bash.j2
|
||||||
dest: /usr/local/sbin/tlsa-generation.bash
|
dest: /usr/local/sbin/record-generation.bash
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0700
|
mode: 0700
|
||||||
|
|
||||||
- name: Get proposed TLSA records
|
- debug:
|
||||||
become: yes
|
msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'
|
||||||
command: /usr/local/sbin/tlsa-generation.bash
|
|
||||||
register: tlsa_records
|
|
||||||
|
|
||||||
- name: Show proposed TLSA records
|
|
||||||
debug:
|
|
||||||
msg: "{{ tlsa_records.stdout_lines }}"
|
|
||||||
|
|
||||||
- name: Get TLSA records
|
|
||||||
delegate_to: localhost
|
|
||||||
run_once: yes
|
|
||||||
command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
|
|
||||||
register: ext_tlsa_records
|
|
||||||
|
|
||||||
- name: Show TLSA records
|
|
||||||
debug:
|
|
||||||
msg: "{{ ext_tlsa_records.stdout_lines }}"
|
|
||||||
|
|
|
@ -0,0 +1,44 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
ttl=86400
|
||||||
|
|
||||||
|
externalip="$(curl -s ident.me)"
|
||||||
|
|
||||||
|
for domain in {{ hosted_domains }} {{ external_domain }}; do
|
||||||
|
|
||||||
|
echo
|
||||||
|
|
||||||
|
# NS/MX/A -- basic orientation to the world for names, mail, and address
|
||||||
|
cat <<EOM
|
||||||
|
\$ORIGIN ${domain}.
|
||||||
|
@ $ttl IN SOA ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
|
||||||
|
@ $ttl IN NS ns51.cloudns.net.
|
||||||
|
@ $ttl IN NS ns52.cloudns.net.
|
||||||
|
@ $ttl IN NS ns53.cloudns.net.
|
||||||
|
@ $ttl IN NS ns54.cloudns.net.
|
||||||
|
@ $ttl IN MX 10 mailforward51.cloudns.net.
|
||||||
|
@ $ttl IN MX 10 mailforward52.cloudns.net.
|
||||||
|
@ $ttl IN A ${externalip}
|
||||||
|
EOM
|
||||||
|
|
||||||
|
# CAA -- who can issue certs for this domain
|
||||||
|
# https://letsencrypt.org/docs/caa/
|
||||||
|
echo 'CAA 128 issue "letsencrypt.org"'
|
||||||
|
|
||||||
|
# TLSA -- TLS fingerprints for certs & chain
|
||||||
|
for i in _443._tcp _6697._tcp; do
|
||||||
|
printf "$i $ttl IN ";
|
||||||
|
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 2 1 1", $NF}'
|
||||||
|
printf "$i $ttl IN ";
|
||||||
|
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 3 1 1", $NF}'
|
||||||
|
done
|
||||||
|
|
||||||
|
# SSHFP -- SFTP/SSH fingerprints
|
||||||
|
ssh-keygen -r '@ $ttl' | grep -E '4 2|1 2' # Only take RSA & Ed25519 keys
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
# CNAME -- Add CNAMES for various subdomains
|
||||||
|
for i in {{ external_subdomains }}; do
|
||||||
|
printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.
|
||||||
|
done
|
|
@ -1,4 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
|
|
||||||
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity}}/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
|
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
################################################################################
|
||||||
|
# AniNIX/Node0 #
|
||||||
|
# #
|
||||||
|
# This is the network virtualization platform. VMs can be found with this: #
|
||||||
|
# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status #
|
||||||
|
################################################################################
|
|
@ -0,0 +1,6 @@
|
||||||
|
################################################################################
|
||||||
|
# AniNIX/Node0 #
|
||||||
|
# #
|
||||||
|
# This is the network virtualization platform. VMs can be found with this: #
|
||||||
|
# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status #
|
||||||
|
################################################################################
|
|
@ -0,0 +1,6 @@
|
||||||
|
################################################################################
|
||||||
|
# AniNIX/Node0 #
|
||||||
|
# #
|
||||||
|
# This is the network virtualization platform. VMs can be found with this: #
|
||||||
|
# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status #
|
||||||
|
################################################################################
|
|
@ -0,0 +1,6 @@
|
||||||
|
################################################################################
|
||||||
|
# AniNIX/Node0 #
|
||||||
|
# #
|
||||||
|
# This is the network virtualization platform. VMs can be found with this: #
|
||||||
|
# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status #
|
||||||
|
################################################################################
|
|
@ -0,0 +1,6 @@
|
||||||
|
################################################################################
|
||||||
|
# AniNIX/Node0 #
|
||||||
|
# #
|
||||||
|
# This is the network virtualization platform. VMs can be found with this: #
|
||||||
|
# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status #
|
||||||
|
################################################################################
|
|
@ -0,0 +1,5 @@
|
||||||
|
################################################################################
|
||||||
|
# AniNIX/Nazara #
|
||||||
|
# #
|
||||||
|
# This is the network DNS/DHCP service, using Raspberry Pi pihole, and bastion #
|
||||||
|
################################################################################
|
|
@ -1,3 +1 @@
|
||||||
|
|
||||||
# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #
|
# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #
|
||||||
|
|
|
@ -1,3 +1 @@
|
||||||
|
|
||||||
# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #
|
# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #
|
||||||
|
|
|
@ -1,3 +1 @@
|
||||||
|
|
||||||
# AniNIX/Geth Hardware Platform (Raspberry Pi 3 Model B Plus Rev 1.3) #
|
# AniNIX/Geth Hardware Platform (Raspberry Pi 3 Model B Plus Rev 1.3) #
|
||||||
|
|
|
@ -16,21 +16,21 @@
|
||||||
|
|
||||||
- name: Tap ArchLinux network config
|
- name: Tap ArchLinux network config
|
||||||
become: yes
|
become: yes
|
||||||
when: tap is defined and not static is defined
|
when: tap is defined
|
||||||
template:
|
template:
|
||||||
src: netctl-tap is defined.j2
|
src: netctl-tap.j2
|
||||||
dest: "/etc/netctl/{{ ipinterface }}"
|
dest: "/etc/netctl/{{ ipinterface }}"
|
||||||
|
|
||||||
- name: Bridge ArchLinux network config
|
- name: Bridge ArchLinux network config
|
||||||
become: yes
|
become: yes
|
||||||
when: tap is defined and not static is defined
|
when: tap is defined
|
||||||
template:
|
template:
|
||||||
src: netctl-bond.j2
|
src: netctl-bond.j2
|
||||||
dest: "/etc/netctl/br0"
|
dest: "/etc/netctl/br0"
|
||||||
|
|
||||||
- name: Tunnel ArchLinux network config
|
- name: Tunnel ArchLinux network config
|
||||||
become: yes
|
become: yes
|
||||||
when: tap is defined and not static is defined
|
when: tap is defined
|
||||||
copy:
|
copy:
|
||||||
src: netctl-tun
|
src: netctl-tun
|
||||||
dest: "/etc/netctl/tun0"
|
dest: "/etc/netctl/tun0"
|
||||||
|
|
|
@ -0,0 +1,57 @@
|
||||||
|
---
|
||||||
|
- name: Test root password
|
||||||
|
ignore_errors: yes
|
||||||
|
register: root_password_test
|
||||||
|
vars:
|
||||||
|
ansible_become_user: "{{ item }}"
|
||||||
|
ansible_become_method: su
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
command: id
|
||||||
|
loop:
|
||||||
|
- root
|
||||||
|
- "{{ ansible_user_id }}"
|
||||||
|
|
||||||
|
- name: Define passwords
|
||||||
|
ignore_errors: yes
|
||||||
|
vars:
|
||||||
|
ansible_become_user: "root"
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
when: root_password_test.rc is not defined or root_password_test.rc != 0
|
||||||
|
command:
|
||||||
|
cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
|
||||||
|
loop:
|
||||||
|
- root
|
||||||
|
- "{{ ansible_user_id }}"
|
||||||
|
|
||||||
|
- name: Ensure deploy user has sudo permissions.
|
||||||
|
vars:
|
||||||
|
ansible_become_method: su
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
dest: /etc/sudoers.d/basics
|
||||||
|
content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
|
||||||
|
|
||||||
|
- name: Ensure we include /etc/sudoers.d (Current)
|
||||||
|
vars:
|
||||||
|
ansible_become_method: su
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
when: ansible_architecture != "armv6l"
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/sudoers
|
||||||
|
regexp: "includedir /etc/sudoers.d"
|
||||||
|
line: "@includedir /etc/sudoers.d"
|
||||||
|
|
||||||
|
- name: Ensure we include /etc/sudoers.d (Legacy)
|
||||||
|
vars:
|
||||||
|
ansible_become_method: su
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
when: ansible_architecture == "armv6l"
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/sudoers
|
||||||
|
regexp: "includedir /etc/sudoers.d"
|
||||||
|
line: "#includedir /etc/sudoers.d"
|
|
@ -4,160 +4,7 @@
|
||||||
|
|
||||||
# This is an AniNIX convention to allow password management by Ansible.
|
# This is an AniNIX convention to allow password management by Ansible.
|
||||||
|
|
||||||
- name: Test root password
|
- include_tasks: authentication.yml
|
||||||
ignore_errors: yes
|
|
||||||
register: root_password_test
|
|
||||||
vars:
|
|
||||||
ansible_become_user: "{{ item }}"
|
|
||||||
ansible_become_method: su
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
command: id
|
|
||||||
loop:
|
|
||||||
- root
|
|
||||||
- "{{ ansible_user_id }}"
|
|
||||||
|
|
||||||
- name: Define passwords
|
|
||||||
ignore_errors: yes
|
|
||||||
vars:
|
|
||||||
ansible_become_user: "root"
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
when: root_password_test.rc is not defined or root_password_test.rc != 0
|
|
||||||
command:
|
|
||||||
cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
|
|
||||||
loop:
|
|
||||||
- root
|
|
||||||
- "{{ ansible_user_id }}"
|
|
||||||
|
|
||||||
- name: Base packages
|
|
||||||
vars:
|
|
||||||
ansible_become_method: su
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
package:
|
|
||||||
name:
|
|
||||||
- bash
|
|
||||||
- sudo
|
|
||||||
- git
|
|
||||||
- tmux
|
|
||||||
- vim
|
|
||||||
- sysstat
|
|
||||||
- iotop
|
|
||||||
- lsof
|
|
||||||
- rsync
|
|
||||||
- xfsprogs
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
|
|
||||||
- name: Ensure deploy user has sudo permissions.
|
|
||||||
vars:
|
|
||||||
ansible_become_method: su
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
dest: /etc/sudoers.d/basics
|
|
||||||
content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
|
|
||||||
|
|
||||||
- name: Ensure we include /etc/sudoers.d (Current)
|
|
||||||
vars:
|
|
||||||
ansible_become_method: su
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
when: ansible_architecture != "armv6l"
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/sudoers
|
|
||||||
regexp: "includedir /etc/sudoers.d"
|
|
||||||
line: "@includedir /etc/sudoers.d"
|
|
||||||
|
|
||||||
- name: Ensure we include /etc/sudoers.d (Legacy)
|
|
||||||
vars:
|
|
||||||
ansible_become_method: su
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
when: ansible_architecture == "armv6l"
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/sudoers
|
|
||||||
regexp: "includedir /etc/sudoers.d"
|
|
||||||
line: "#includedir /etc/sudoers.d"
|
|
||||||
|
|
||||||
- name: Set up pacman.conf
|
|
||||||
vars:
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
ignorepkg: "{{ holdpackages | default('') }}"
|
|
||||||
become: yes
|
|
||||||
template:
|
|
||||||
src: pacman.conf.j2
|
|
||||||
dest: /etc/pacman.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
when: ansible_os_family == "Archlinux"
|
|
||||||
|
|
||||||
- name: Set mirror
|
|
||||||
become: yes
|
|
||||||
when: ansible_os_family == "Archlinux"
|
|
||||||
copy:
|
|
||||||
content: |
|
|
||||||
Server = {{ mirroruri }}
|
|
||||||
dest: /etc/pacman.d/mirrorlist.shadowarch
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Set up apt sources.list
|
|
||||||
vars:
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
content: |
|
|
||||||
deb http://archive.raspberrypi.org/debian/ bullseye main
|
|
||||||
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
|
|
||||||
#deb-src http://archive.raspberrypi.org/debian/ bullseye main
|
|
||||||
dest: /etc/apt/sources.list.d/raspi.list
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
when: ansible_os_family == "Debian"
|
|
||||||
|
|
||||||
- name: Install ShadowArch (ArchLinux)
|
|
||||||
vars:
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
pacman:
|
|
||||||
name: ShadowArch
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
when: ansible_os_family == "Archlinux"
|
|
||||||
|
|
||||||
- name: Set up AniNIX-specific repository location (Other)
|
|
||||||
when: ansible_os_family != "Archlinux"
|
|
||||||
vars:
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
file:
|
|
||||||
path: /opt/aninix
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Download ShadowArch (Other)
|
|
||||||
vars:
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
ignore_errors: yes
|
|
||||||
git:
|
|
||||||
repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
|
|
||||||
dest: '/opt/aninix/ShadowArch'
|
|
||||||
update: yes
|
|
||||||
when: ansible_os_family != "Archlinux"
|
|
||||||
|
|
||||||
- name: Install ShadowArch (Other)
|
|
||||||
vars:
|
|
||||||
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
|
||||||
become: yes
|
|
||||||
command:
|
|
||||||
chdir: '/opt/aninix/ShadowArch'
|
|
||||||
cmd: '/bin/bash -c "make install"'
|
|
||||||
when: ansible_os_family != "Archlinux"
|
|
||||||
|
|
||||||
- name: Set up hostname
|
- name: Set up hostname
|
||||||
vars:
|
vars:
|
||||||
|
@ -166,14 +13,18 @@
|
||||||
hostname:
|
hostname:
|
||||||
name: "{{ inventory_hostname }}.{{ replica_domain }}"
|
name: "{{ inventory_hostname }}.{{ replica_domain }}"
|
||||||
|
|
||||||
- include: archlinux-network.yml
|
- include_tasks: archlinux-network.yml
|
||||||
when: ansible_os_family == "Archlinux"
|
when: ansible_os_family == "Archlinux"
|
||||||
|
|
||||||
- include: raspbian-network.yml
|
- include_tasks: raspbian-network.yml
|
||||||
when: ansible_os_family == "Debian"
|
when: ansible_os_family == "Debian"
|
||||||
|
|
||||||
- include: dns.yml
|
- include_tasks: dns.yml
|
||||||
|
|
||||||
- include: ntp.yml
|
- include_tasks: ntp.yml
|
||||||
|
|
||||||
- include: bash.yml
|
- include_tasks: repositories.yml
|
||||||
|
|
||||||
|
- include_tasks: bash.yml
|
||||||
|
|
||||||
|
- include_tasks: shadowarch.yml
|
||||||
|
|
|
@ -0,0 +1,67 @@
|
||||||
|
---
|
||||||
|
- name: Set up pacman.conf
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
ignorepkg: "{{ holdpackages | default('') }}"
|
||||||
|
become: yes
|
||||||
|
template:
|
||||||
|
src: pacman.conf.j2
|
||||||
|
dest: /etc/pacman.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
when: ansible_os_family == "Archlinux"
|
||||||
|
|
||||||
|
- name: Set mirror
|
||||||
|
become: yes
|
||||||
|
when: ansible_os_family == "Archlinux"
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
Server = {{ mirroruri }}
|
||||||
|
dest: /etc/pacman.d/mirrorlist.shadowarch
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Import AniNIX GPG key
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
command: /bin/bash -c 'if [ ! -f /usr/share/pacman/keyrings/aninix.gpg ]; then mkdir /tmp/aninix; curl -s https://aninix.net/AniNIX/ShadowArch/raw/branch/main/EtcFiles/aninix.gpg > /tmp/aninix/pubring.gpg; pacman-key --import /tmp/aninix; pacman-key --lsign 904DE6275579CB589D85720C1CC1E3F4ED06F296; fi'
|
||||||
|
when: ansible_os_family == "Archlinux"
|
||||||
|
|
||||||
|
- name: Set up apt sources.list
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
copy:
|
||||||
|
content: |
|
||||||
|
deb http://archive.raspberrypi.org/debian/ bullseye main
|
||||||
|
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
|
||||||
|
#deb-src http://archive.raspberrypi.org/debian/ bullseye main
|
||||||
|
dest: /etc/apt/sources.list.d/raspi.list
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
when: ansible_os_family == "Debian"
|
||||||
|
|
||||||
|
- name: Base packages
|
||||||
|
vars:
|
||||||
|
ansible_become_method: su
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
package:
|
||||||
|
name:
|
||||||
|
- bash
|
||||||
|
- sudo
|
||||||
|
- git
|
||||||
|
- tmux
|
||||||
|
- vim
|
||||||
|
- sysstat
|
||||||
|
- iotop
|
||||||
|
- lsof
|
||||||
|
- rsync
|
||||||
|
- xfsprogs
|
||||||
|
- man
|
||||||
|
state: present
|
||||||
|
update_cache: yes
|
|
@ -0,0 +1,39 @@
|
||||||
|
---
|
||||||
|
- name: Install ShadowArch (ArchLinux)
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
pacman:
|
||||||
|
name: ShadowArch
|
||||||
|
state: present
|
||||||
|
update_cache: yes
|
||||||
|
when: ansible_os_family == "Archlinux"
|
||||||
|
|
||||||
|
- name: Set up AniNIX-specific repository location (Other)
|
||||||
|
when: ansible_os_family != "Archlinux"
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /opt/aninix
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Download ShadowArch (Other)
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
ignore_errors: yes
|
||||||
|
git:
|
||||||
|
repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
|
||||||
|
dest: '/opt/aninix/ShadowArch'
|
||||||
|
update: yes
|
||||||
|
when: ansible_os_family != "Archlinux"
|
||||||
|
|
||||||
|
- name: Install ShadowArch (Other)
|
||||||
|
vars:
|
||||||
|
ansible_become_password: "{{ passwords[inventory_hostname] }}"
|
||||||
|
become: yes
|
||||||
|
command:
|
||||||
|
chdir: '/opt/aninix/ShadowArch'
|
||||||
|
cmd: '/bin/bash -c "make install"'
|
||||||
|
when: ansible_os_family != "Archlinux"
|
|
@ -2,4 +2,7 @@ Description="Bridge connection"
|
||||||
Interface=br0
|
Interface=br0
|
||||||
Connection=bridge
|
Connection=bridge
|
||||||
BindsToInterfaces=({{ ipinterface }} tun0)
|
BindsToInterfaces=({{ ipinterface }} tun0)
|
||||||
IP=dhcp
|
IP=static
|
||||||
|
Address=('{{ ip }}/24')
|
||||||
|
Gateway='{{ router }}'
|
||||||
|
DNS=('{{ dns }}')
|
||||||
|
|
|
@ -102,8 +102,8 @@ Include = /etc/pacman.d/mirrorlist.shadowarch
|
||||||
|
|
||||||
[AniNIX]
|
[AniNIX]
|
||||||
SigLevel = Required DatabaseOptional
|
SigLevel = Required DatabaseOptional
|
||||||
Server = https://maat.aninix.net/
|
Server = http://maat.msn0.aninix.net/
|
||||||
|
|
||||||
[aur]
|
[aur]
|
||||||
SigLevel = Required DatabaseOptional
|
SigLevel = Required DatabaseOptional
|
||||||
Server = https://maat.aninix.net/aur/
|
Server = http://maat.msn0.aninix.net/aur/
|
||||||
|
|
|
@ -10,7 +10,7 @@ auto lo
|
||||||
iface lo inet loopback
|
iface lo inet loopback
|
||||||
|
|
||||||
iface {{ ipinterface }} inet static
|
iface {{ ipinterface }} inet static
|
||||||
address {{ ansible_host }}/{{ netmask }}
|
address {{ ip }}/{{ netmask }}
|
||||||
gateway {{ router }}
|
gateway {{ router }}
|
||||||
|
|
||||||
auto wlan0
|
auto wlan0
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
check program check_archlinux_wkd with path "/usr/bin/systemctl is-failed archlinux-keyring-wkd-sync.service"
|
||||||
|
if status == 0 for 1 times within 5 cycles then exec "/usr/bin/systemctl reset-failed archlinux-keyring-wkd-sync.service"
|
||||||
|
if status == 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CRITICAL: Archlinux Keyring WKD Sync has failed and automated remediation has not solved it."
|
|
@ -0,0 +1,2 @@
|
||||||
|
check program cyberpower with path "/etc/monit.d/scripts/check-cyberpower"
|
||||||
|
if status != 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical Host is on UPS power!"
|
|
@ -1 +1,2 @@
|
||||||
include "/etc/monit.d/checks/system"
|
include "/etc/monit.d/checks/system"
|
||||||
|
include "/etc/monit.d/checks/automated_response"
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
include "/etc/monit.d/checks/system"
|
|
@ -0,0 +1 @@
|
||||||
|
include "/etc/monit.d/checks/system"
|
|
@ -1 +1,2 @@
|
||||||
include "/etc/monit.d/checks/system"
|
include "/etc/monit.d/checks/system"
|
||||||
|
include "/etc/monit.d/checks/automated_response"
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
include "/etc/monit.d/checks/system"
|
|
@ -1 +1,2 @@
|
||||||
include "/etc/monit.d/checks/system"
|
include "/etc/monit.d/checks/system"
|
||||||
|
include "/etc/monit.d/checks/cyberpower"
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
include "/etc/monit.d/checks/system"
|
include "/etc/monit.d/checks/system"
|
||||||
include "/etc/monit.d/checks/vips"
|
include "/etc/monit.d/checks/vips"
|
||||||
include "/etc/monit.d/checks/availability"
|
include "/etc/monit.d/checks/availability"
|
||||||
|
include "/etc/monit.d/checks/automated_response"
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
include "/etc/monit.d/checks/system"
|
|
@ -0,0 +1 @@
|
||||||
|
include "/etc/monit.d/checks/system"
|
|
@ -0,0 +1 @@
|
||||||
|
include "/etc/monit.d/checks/system"
|
|
@ -2,3 +2,4 @@ include "/etc/monit.d/checks/system"
|
||||||
include "/etc/monit.d/checks/watcher-of-watchers"
|
include "/etc/monit.d/checks/watcher-of-watchers"
|
||||||
include "/etc/monit.d/checks/warrant-canary"
|
include "/etc/monit.d/checks/warrant-canary"
|
||||||
include "/etc/monit.d/checks/grimoire"
|
include "/etc/monit.d/checks/grimoire"
|
||||||
|
include "/etc/monit.d/checks/automated_response"
|
|
@ -0,0 +1,6 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
if [ `pwrstat -status | sed 's/^\s\+//' | grep -E ^State | awk '{ print $2; }'` != 'Normal' ]; then
|
||||||
|
exit 2;
|
||||||
|
fi
|
||||||
|
exit 0
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue