Moving Services to Ubiqtorate

Updates for Operation
Cleanup on README
Added table of counters for tracking technology selection
Naming cleanup
Renamed Bastion to Nazara
DarkFeather 4 months ago
Signed by: DarkFeather GPG Key ID: 1CC1E3F4ED06F296
29 changed files with 107 additions and 1057 deletions

+ 0
- 25
Entities/

@@ -1,25 +0,0 @@
A Bastion host is a gateway to accessing other hosts. It is a safeguard against admin error.

# Etymology
Bastion hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.

# Capacity and Components
A Bastion host needs minimal CPU or memory.

# Hosted Services and Entities
Nothing is hosted by a Bastion.

# Connections
See [[:Category:Entity|the entity list]] -- any host should be able to connect to a Bastion with [[SSH]] and X11, and it should be able to dial to any service provider.

# Additional Reference
Bastion hosts should be deployed alongside any Hypervisor and set to start on boot. The encrypted credentials volume should be encrypted per [[ShadowArch]]'s recommendations, and it should not be added to /etc/fstab or /etc/crypttab.

To create a Bastion:
1. Create a new VM in the Hypervisor and mark it to start on boot. For an example Hypervisor, see [[Forge2]].
1. Install ShadowArch with the Spartacus layout and without encryption or GUI -- encryption complicates boot and GUI is unnecessary. Applications with GUI will be X11-forwarded.
1. Log in as root and convert the exfat partition from the Spartacus layout to an encrypted ext4 or xfs one.
1. "make -C /usr/local/src/ConfigPackages/Bastion install"
1. Log in as the bastion user on the new VM and run new-ssh-key for each [[SSH]]-capable host.
1. Set a NAT rule in the router to allow access to the Bastion host on a non-22 port.
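
Review bot: The deletion drops the credentials-volume guidance under Additional Reference ("should not be added to /etc/fstab or /etc/crypttab") and the whole "To create a Bastion" procedure, and the replacement Nazara page added in this commit carries neither. Since the procedure has the host generating an SSH key for each SSH-capable host, keep the volume-encryption and per-host key steps in the new page, or link to the Ubiqtorate role that now performs them, so the rename does not silently remove the build procedure.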

+ 17
- 0
Entities/

@@ -0,0 +1,17 @@
A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.

# Etymology

Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.

# Capacity and Components
A Nazara host needs minimal CPU or memory.

# Hosted Services and Entities
Nothing is hosted by a Nazara.

# Connections
Any host should be able to connect to a Nazara with [SSH](../Services/ and X11, and it should be able to dial to any service provider.

# Additional Reference
Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
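
Review bot: The Etymology section is a search-and-replace leftover: "Nazara hosts are named because they are the first line of defense" explained the word Bastion and says nothing about where Nazara comes from. The Services/Geth.d/ page deleted later in this commit has the actual origin (the Mass Effect Reaper also known as Sovereign or Nazara); move that sentence here. In Additional Reference, "receive SSH connections from a non-tcp/22/ssh port" reads as a source-port restriction, while the removed page said "allow access to the Bastion host on a non-22 port", so "on" looks like the intended word. The "[SSH](../Services/" link under Connections should also be checked, since this commit moves service pages out of Services/.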

+ 19
- 14
Operation/

@@ -2,20 +2,25 @@ These are cybersecurity incidents that the AniNIX has had to remedy due to some

**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.

{{Incident Report|Attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.
|title=January 2018 Spambot Detection
|date=11-29-2017 through 1-4-2018
|who=IRL identity unknown; last source IP (Netherlands residential)
|vector=Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).
|detect=Detection was provided by the ISP and [ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder.
|impact=This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.
# January 2018 Spambot Detection
An attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.

* When: 11-29-2017 through 1-4-2018
* Who: IRL identity unknown; last source IP (Netherlands residential)
* What: Spambot
* * Vector: Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).

Detection was provided by the ISP and [ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder and tmux session capture.

# Impact
This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.

Current forensic investigation does not indicate a compromise to any AniNIX privileged information.
|actions=* Monitoring user password has been rotated on all systems.
* Automatic password rotation for service accounts added to the ConfigPackages and other repos in [[Foundation|AniNIX::Foundation]]
|plan=[[Cerberus|AniNIX::Cerberus]] needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
|logs=[file:///home/cxford/Desktop/Incident Response - 1-4-2018|Contact an admin for access.]}}

## Our Response
* Monitoring user password has been rotated on all systems.
* Automatic password rotation for service accounts will be added to the service deploy automation.
* Sharingan needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.

Contact an admin for access to incident files.
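
Review bot: Heading levels are inconsistent in the converted report: "# Impact" sits at the same level as the incident title "# January 2018 Spambot Detection" while "## Our Response" is one level down, so Impact renders as its own top-level section instead of part of the incident. Make it "## Impact", and consider a matching "## Detection" heading over the detection paragraph. The "* * Vector:" bullet looks like a stray double marker; indent it as a nested item under "What" or make it a single bullet.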

Operation/ → Operation/

+ 0
- 62
Operation/

@@ -1,62 +0,0 @@
This is a list of active quality-assurance notes (QANs) being worked on by AniNIX staff. Lists are sorted in order of priority.[[Category:Operation]][[Category:TODO]]

If you see a problem with our code, go to [ IRC] and send a memo to the #tech channel with what you've found. These will be parsed into the ideas list or assigned-QANs lists below by admins.
/ms send #tech <some note>

Alternatively, you can make a new page as a child of this one, using [[:Template:QAN]], and assign it to yourself to work on the project. These will appear in [[Category:Open QANs]] automatically for assignment.

# Ideas

## GDPR WebApp
Add /gdpr WebApp to Webserver to download user content. Look at Sharingan source.

## Foundation
* Finish PKGBUILDs
* Identify why CGIT is suppressing "Receiving objects" and other typical git-clone messages.

## Maat
* Look into either using [ GPG keyserver] or adding key fingerprint to [ PKGbuilds]
* Test Jenkins for E2E, but require Lighttpd auth before proxying app, like Sharingan.

## Sora
* ldap-adduser.bash should make use of 'sed -i "s/^term: /c\term: Newething/" file' to simplify
* Improve regexes to handle names like TJ or emails like
* Add MemberOf overlay

<!-- ==ExploitChecks
* Add BEAST, BIND, DirtyCOW, CVE-2016-4484, [ VENOM], [ StackGuard] -->

## CryptoWorkbench
* Update to include flag for suppressing color usage
* Update to improve helptext and error checking
* Consider ncurses for line recall and better capture of input. [ Curses Sharp] could do this. MARKING FOR FUTURE -->

## TheRaven
* Add suppress functionality for printing URL headers in conf.
* function to remind users/channel in X amount of time with a given message.
* r.translate function that acts on the last message and translates with Google translate.
* Add PostGres integration
* Implement karma system -- nospaces-- or (with spaces)-- should update key
* Implement counter system -- r.counter keyword sets timestamp, r.counterdiff keyword returns time delta.
* Update searches to allow returning top result if possible. Use searches script folder?
* Add random copypasta linker/quoter via URL
* Discord support
* Set attributtes on lists so that r.whitelist/r.blacklist/etc. can be generalized. Steal from CryptoWorkbench subscription model.
* Add IQ/word notification so that TheRaven can notify admins of useful conversations via Djinni

## CSS/.Xresources
Because CSS.
* Spacing between white borders is inconsistent.
* Standardize color requirements between CSS and .Xresource files.
* Consider []'s layout
* [[Template:Reference]] has odd spacing of icons in some browsers.
* [ Repo tables] need to include tabulating borders.

## SSH
Consider offering certificate authentication. [ See Facebook's example.]

## IRC
Write MailServ daemon to proxy emails to MemoServ and allow outbound?

Operation/ → Operation/

+ 39
- 0
Operation/

@@ -0,0 +1,39 @@
| Attack vector | Defensive tool | AniNIX Selection |
| ------------- | -------------- | ----------------- |
| Worms, virus | AV | Sharingan(ClamAV) |
| Ransomware | Backups | Aether |
| Trojan/Shims | code signing | GPG |
| Rootkits | rkhunter/ASLR | |
| keylogger | HIDS | Sharingan(ossec) |
| Adware/spyware| DNS Blackhole | Pihole |
| Shodan IoT | dedicated VLAN | |
| RATs | NIDS | Sharingan(zeek) |
| Logic bomb | HA/Peer review |Inquisitorius(Git) |
| Backdoors | Vuln scanners | OpenVAS |
| SOCENG, phish | DLP (weak), edu| Markdown |
| Nmap | Firewall | nftables |
| DDoS | Cloudflare | Offline Git/DL |
| DPI / MITM | Encryption | OpenSSH |
| Buf overflow | ASLR | SAST/DAST |
| XSS/XSRF | WAF / CSP | ??? |
| ARP poison/amp| Managed switch | |
| DNS hijack | DNS over HTTPS | Pihole |
| MitM | SSL | Let's Encrypt |
| Zero day | Pentesting | Kali |
| Spoofing | Physsec | |
|Wireless replay| Strong creds | WPA2/AES, radiusd |
| IV | Strong creds | WPA2/AES, radiusd |
| Evil twin, etc| Wifi scanning | monitored Rpi NIC |
| WPS | Don't. | |
| Bluejacking | Don't Bluetooth| |
| De-auth | 802.11x | |
| B-day/rainbow | large hash | |
| Dict., BF | 8x4 | Sora pwdPolicy |
| Online BF | IPS |Sharingan(sshguard)|
| PTH / replay | nonce salting | OpenSSH/SSL conf |
| Weak implement|VCS config audit| Foundation(Gitea) |
| Hacktivist/APT| SIGINT, OSINT | Singularity(TTRSS)|
| Insiders | Role/work RNG | N/A |
| Tailgating | Trained guards | Martial Arts |
| Asset sprawl | IPAM w/ audits | Inventories |
| 1.6 | Patching |Ubiqtorate(Ansible)|
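
Review bot: The last row, "| 1.6 | Patching |Ubiqtorate(Ansible)|", has "1.6" in the Attack vector column, which is not a vector and reads like a leftover section number; name the threat that patching is meant to counter. In the De-auth row the defensive tool is given as "802.11x"; protection against forged de-authentication frames is 802.11w (protected management frames), while 802.1X is port-based authentication, so the entry should say which is meant. A one-line note above the table stating what an empty or "???" selection cell means would let readers tell "not yet chosen" from "not applicable".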

+ 30
- 0
Providers/

@@ -0,0 +1,30 @@
[ Homepage]
[[Category:Provider]][ Homepage]
[[Category:Provider]][Https:// Homepage]

[[Category:Provider]][ Homepage]
[[Category:Provider]][ Homepage]
[[Category:Provider]][Http:// Homepage]
[[Category:Provider]][ Homepage]
[[Category:Provider]][ DAREBEE] is a free site that offers body-weight and little-equipment workouts -- this is an excellent application of the open-source principle in a non-computing format. Feel free to watch this site for new workouts, either for one-offs or 30-day programs.
[[Category:Provider]]DD-WRT is a partially open-source firmware for routers -- it contains both open-source components and proprietary drivers for hardware.

[ Homepage] and [ a Wiki] are available to help users configure their own hardware.

[ Provider homepage][Https:// Homepage]
[[Category:Provider]][ Home page]
[[Category:Provider]]Google is a provider with which the AniNIX has a love-hate relationship. It provides convenient, Linux-friendly devices in their Androids and Chromecasts, and they provide a number of highly useful Web services. However, they have been caught with [ privacy violations], and their reach is so extensive as to be a risk to any privacy-minded operation. Users should make choose carefully before using this provider and understand the risks.

[ Homepage]
[[Category:Provider]][Http:// Homepage]
[[Category:Provider]][[Http:// Homepage]
[[Category:Provider]][ Homepage]
[[Category:Provider]]Nagios is a monitoring software company.

[ Nagios homepage] [[Category:Provider]]Netgear is a wireless hardware provider.

[ Homepage] is here.
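
Review bot: The new file mixes MediaWiki markup into what the rest of this commit writes as Markdown: "[[Category:Provider]]" prefixes nearly every line and will render literally, and several lines are nothing but "[ Homepage]" with no provider name beside them, so a reader cannot tell which provider each link belongs to. Split the entries under one heading per provider and drop the category tags. In the Google entry, "Users should make choose carefully" needs "make" removed.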


+ 2
- 1

@@ -8,7 +8,8 @@ This wiki is divided into sections.
* Entities: a list of hosts, VM's, and hardware used by the network
* Operation: a list of policies and procedures for contributing to the AniNIX.
* Providers: a list of software, hardware, and service providers
* Services: a list of services provided for the network

Information on individual services will be under `roles` in [AniNIX/Ubiqtorate](../Ubiqtorate).

# Etymology
Wiki, in an [interesting article](, is cited to mean "quick". This Wiki and many like it are a quick, easily editable and Web-accessible database for presenting information to a wider audience.

+ 0
- 102
Services/

@@ -1,102 +0,0 @@
The Cerberus project is a physical monitoring solution created to watch through the Eyes and alert the admins.

# Etymology
[ Cerberus] was the guardian of the underworld in the Greek mythos. Similarly, this project guards the [[Forge2]] and the daemons on which the AniNIX runs.

# Relevant Files and Software
Cerberus configuration is intensive and manual -- we don't believe automating security installs will be beneficial. The one exception is the [[VirusScan]] package.

We provide a Makefile in [ the Cerberus Foundation package] to install all of these.

## Cerberus Monitors
### Command Monitors
[ Filesystem IDS ]
command=aide -C | tee /var/log/aide.log
Command monitors check for change in command output on a given interval. Each interval, the command will be re-run and checked against the prior output.

<b>Note:</b> This is not cron-like operation -- the command runs to completion and then we wait the interval. If you need more regular execution, use a File monitor instead, and check for changes in the output file. This may generate more false positives.

### File Monitors
[ Network IDS ]

File monitors use C# API's to watch files for changes. On file change, they will send a notification. FYI, VI'ing a file will cause this to completely re-read the file.

### Directory Monitors
[ Physical IDS ]

Directory monitors watch a directory for changes. The optional filter argument in the configuration allows watching for only specific filetypes.

## Example Areas to Watch
### Vulnerabilities
* **System configuration:** The [ lynis] package offers good monitoring of vulnerabilities, similar to the popular Nessus service.
* **Network encryption:** The [ Qualsys SSL Labs] test suite provides a dashboard for [[:Category:SSL|SSL certificate and ciphersuite]] health. The AniNIX's scorecard is publicly available at [ this link].
* **PCI compliance:** Any site handling payment needs to have PCI compliance, primarily for the [ Self-Asessment Questionnaire]. The AniNIX attests itself as a PCI SAQ-A site -- all our payment functions are outsourced to PayPal presently or its Venmo subsidiary. We use the [ Pentest-Tools Website Vulnerability Scanning] as our external scan vendor at the moment as a best practice.
* **World search availability:** Site domain admins that expect to be found by search engines should maintain a Google Analytics account and watch the [ Search Console] for issues to remedy on their [[WebServer|webserver]].

This may be best run as a manual check on a regular basis, rather than as a monitor. We run this battery quarterly to check for posture degradation.

### Network
We recommend and include installation of the [ suricata] package for monitoring network input. Some notes:
1. Make sure to get HOME_NET configured correctly.
1. Some rulesets need to be dropped.
1. tor.rules needs to be removed if you're deploying a [[DarkNet]] machine.
1. If you are using IRC, comment out emerging-chat.rules in [file:///etc/suricata/suricata.yaml suricata.yaml].
1. I've had some problems with tracking ICMP and UDP, sadly, without millions of false positives. I comment out emerging-icmp.rules and decoder-events.rules
1. Streaming services like [[Yggdrasil|AniNIX::Yggdrasil]] sometimes cause stream-events.rules to generate false positives.
1. Any other local events should be configured by [file:///etc/suricata/rules/local.rules local.rules]
1. You will need to edit suricata.yaml and enable the suricata service yourself -- manual intervention is necessary to make sure the HOME_NET subnet masking is accurate for your deployment.

To remedy actual assaults, we recommend a response by iptables. At your network edge, use the following commands to add a new drop chain to the firewall.
iptables -N severe
iptables -I INPUT -j severe
iptables -I FORWARD -j severe

When this is done, the following command can be used to block offending IPs.
iptables -A severe -s <SOURCE IP>/32 -j DROP

[[Shadowfeed|AniNIX::Shadowfeed]] uses some special iptables syntax -- check [ the DD-WRT wiki] for any special considerations.

Also, we install the [ oinkmaster] package to pull rules from Suricata. Update root's crontab to reschedule this job.
### Filesystem
We recommend using the AIDE package to watch for changes. While the output is complex, we have not found a better system. Please submit a [[QANs|QAN]] if you have recommendations, but we have not had good luck with OSSEC's stability.
### Remote Intrusions
Presently, we include, configure, and enable the [ sshguard] service to prevent intrusions via iptables. The -s and -p flags on the service file for sshguard control intervals -- see "man sshguard" for details.
### Physical Intrusion
We recommend adding an eyes user and folders. This user should be SFTP/FTP jailed to their home folder. IP cameras from [[Geth|AniNIX::Geth]] can be configured to upload images to the folders on detecting motion.

Alternately, Geth units with other sensing equipment can write to files that a File monitor can watch.
## Other protections
These can be added with "make bonusinstall".
### ccrypt
Any protected data can be encrypted with ccrypt, a replacement of the popular TrueCrypt software.
### pass
pass is a Git-aware password storage client using GPG encryption. This is an excellently secure way to store passwords and can integrate directly into the clipboard to never show the password, and it can randomly generate passwords for you. pwgen is an alternative, but you will then need your own password storage system. <b>DO NOT USE TEXT FILES!</b>

# Available Clients
There are no clients for Cerberus -- it will notify any necessary address by email through [[Djinni|AniNIX::Djinni]].[[Category:Djinni]]

# Equivalents or Competition
Professional tools like Nessus, Tripwire, and Check Point provide vulnerability, filesystem, and network scanning. Alternative packages can be browsed from the [ ArchLinux security tool index].

+ 0
- 58
Services/Foundation.d/

@@ -1,58 +0,0 @@
The same concepts used for [[Foundation|AniNIX::Foundation]]'s revision control of code can be used for user home folders.

# Setup
To create this tracking, use the following steps to create a read-write bare Git repo.
mkdir .gitbare
cd .gitbare
git init --bare
git clone .gitbare test && mv test/.git . && rmdir test

You will need to set up the file tracking below -- `git status` at this point will report lots of files that you probably won't want to track, like browser cache, temporary files, and large document files that are better backed up outside revision control.

# File tracking
You will need the following .gitignore added to your repo. This will track SSH keys and config, PGP keys, Weechat config, bash config, git config, TMUX config, rclone config, scripts, Vim config, and a .password-store folder for [[Cerberus|KeePass]] or like password databases.

Other files are excluded for keeping the repo small enough to be cloned to a [[Tricorder|smartphone]], but they can easily be added if so chosen.

1. Ignore normal files

# Value of Local Branches
Some elements, like Git, use default identities for their operation. A local branch can be created at that site to update configurations that need to be site-specific -- if this data shouldn't be moved offsite, the branch needn't be pushed to the remote and can instead be cloned from a backup system directly.

# Caveats
There are some caveats to consider when using this policy.

## Cloud and Keys
Because this system captures SSH keys, PGP keys, and password databases, it is best [[Design_Principles#Physical_Access|not stored in the cloud]]. If you have to store it in the cloud, such as in Google Drive, GitHub, or AWS, you should look at [ AniNIX::Aether]'s source code for how to do strong encryption of a tarball of the repo, rather than committing directly to the cloud storage provider. This does, however, carry the intrinsic risk that flaws in the cryptography used can expose the keys to your identity! Don't use the cloud if you can avoid it.

## Large Files
Large files are difficult for revision control systems like this to handle -- they result in large differences for the revision control, which will lengthen clone times, branching, and such.

## SSH-Only Clones
For security, don't put these files onto a Webserver. SSH cloning is mandatory for security, and some ISP's may block residential IP's from getting SSH access.

+ 0
- 65
Services/

@@ -1,65 +0,0 @@
The Foundation is a one-stop shop for source code from AniNIX developers -- it's an open repository form which people can pull source code and recreate the entities being used by the AniNIX. You can view its web frontend from [ this webpage].

# Etymology
The etymology of the Foundation is twofold. First and foremost, the AniNIX attempts to automate any new package it is using as much as possible, and as such the Foundation holds the very basis on which the AniNIX is built.

Secondly, the Foundation is the third piece of the charity trinity for the AniNIX, along with the Wiki and the [ short-term charity projects]. The AniNIX puts a lot of time into designing its projects and making sure they work. Rather than forcing others to redo this work, we offer commented code and documentation so that the process is transparent but the work-by-hand is minimized.[[Category:Charity]]

# Relevant Files and Software
The Git system was created by the Linux project to manage changes to the kernel and has been on the rise for some time among Version Control Systems (VCS's) with projects like GitHub. The AniNIX self-hosts the repositories in [file:///srv/foundation/ the Foundation server folder] on [[Core]].

[[WebServer]] is configured to translate the repository to [ the Web-accessible format] via the ArchLinux cgit package. Review the package list at that link and identify the source packages you want to use. Then use the following to clone the source, generally best done to /usr/local/src/ on Linux. Please note that the AniNIX uses Webserver translation to eliminate the need for a .git suffix -- web requests will show in CGIT, while Git clone requests will pull the package all from the same URL. Right-click on your package of choice from the web interface's index page and then clone that address. <pre>
git clone<packagename>

New packages should make sure to refer to the [[Development Best Practices]] to ensure they are compliant with standards; if you notice an issue with the Foundation's code, make sure to submit a [[QANs|QAN]]. [[TeamGreen|AniNIX::TeamGreen]] should be running regressions on these projects.

You can use [ Hexedit] to edit [file:///usr/share/webapps/cgit/cgit.cgi cgit.cgi] to have a different name, such as "AniNIX::Foundation Web".

## Dependencies
For CentOS, one needs to use the following steps to install Mono. Packages like Cryptoworkbench, Heartbeat, Cerberus, and others require this.
* yum install bison gettext glib2 freetype fontconfig libpng libpng-devel libX11 libX11-devel glib2-devel libgdi* libexif glibc-devel urw-fonts java unzip gcc gcc-c++ automake autoconf libtool make bzip2 wget
* [ Download Mono source]
* tar xjvf the source package
* configure; make; make install

*Note:* We used to declare the INSTALLER variable at the top of Makefiles, but no longer do. Non-ShadowArch installs should double check dependencies against the PKGBUILD files manually. We will try to keep this list short.

# Available Clients
To get a client to access the Foundation, use one of the following or visit
* ArchLinux: pacman -S git
* Ubuntu: apt-get install git
* RHEL/CentOS: yum install git
* Windows: [ Go here], but please be aware that file paths and such are coded for Linux. Windows users will need to conduct extensive code review to install these packages.
* Mac: [ Go here]

Each package will need to be checked out individually.

**Alternatively**: ArchLinux users can add the following segment to the bottom of pacman.conf to install the packages as bundled by the AniNIX. We're working on adding GPG signing -- in the meantime, security-conscious users should build from source anyway.
SigLevel = Optional TrustAll
Server =

# Equivalents or Competition
The most famous equivalent is [ GitHub]. Other source code control systems exist, including some provided by employers or academic institutions -- GitLab provides an enterprise-style implementation. Other protocol implementations vary widely -- Mercurial, Bazaar, and SVN are other revision control systems others use. We appreciate the flexibility of Git.

# Additional Reference
Some core Git tools are leveraged in specific ways for the AniNIX.

## Config for Author
Even though the [[Talk:IRC#Why_Not_SMTP|AniNIX doesn't use SMTP]], we still use the suffix for the config property on branches. All commits, therefore, should have the proper-case of the user's [[IRC|AniNIX::IRC]] handle as the attribute, and the lower-cased username followed by for the attribute.

## Tags for Semantic Versioning
We version our projects according to [ Semantic Versioning] -- this versioning is established using the git tag as major and minor version, the git commit as the patch, and the number of commits since the tag as the ArchLinux release note.

[ Our HelloWorld PKGBUILD] demonstrates this -- most of the metadata for the package is populated directly by git, and only dependencies are tracked in the PKGBUILD itself.

## Branches for Functional Improvements
All major functional improvements being worked should be tracked in a branch. The branch name should be the same as the [[QANs|QAN]] for which the branch was started or the functional concept's shortname.

## Filter-branch to Prune
Git maintains a history of all files. If you need to remove files permanently, GitHub maintains [ an article] on how to use "git filter-branch" to purge it.

+ 0
- 28
Services/Geth.d/

@@ -1,28 +0,0 @@
# Hardware
* Exacto knife
* Superglue
* Screwdriver
* [ Maker case]
* [ SainSmart Tumbling Two-wheels R/C Car]
* [ Motor controller]
* [ 5V stepper]
* [ Raspberry Pi 3]
* 3 red LEDs
* [ RPi camera]
* 2 [ IR rangefinders]

# Construction

## Body

## Wiring
* See [ this article for wiring schematics].
* We are also considering [ wireless self-recharging].

## Code

# Operation

# Gallery

# References

+ 0
- 30
Services/Geth.d/

@@ -1,30 +0,0 @@
These are some purpose-built hardware we are using with the Geth gestalt. Please keep in mind that we are also tracking code projects for [[Geth/Hub|Geth Hub]], [[Geth/Nazara|Nazara]], and [[Geth/Armature|Armature]] units as well.

# Chromecast Displays
Chromecasts are very easy to set up -- connect the Chromecast to the HDMI and power-over-USB slots in some TV. Use the Chromecast app native to [[Tricorder|Android]] devices to set it up to connect to a [[Shadowfeed|AniNIX::Shadowfeed]]. The Geth [ discovery] module will pick up the display's presence, and devices can then cast over WiFi.

[[ShadowArch]] hosts will need the following firewall rules:
iptables -A INPUT -s ${CHROMECAST_IP} -p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000 -m comment --comment "Allow Chromecast UDP data (inbound)" -j ACCEPT
iptables -A OUTPUT -d ${CHROMECAST_IP} -p udp -m multiport --sports 32768:61000 -m multiport --dports 32768:61000 -m comment --comment "Allow Chromecast UDP data (outbound)" -j ACCEPT
iptables -A OUTPUT -d ${CHROMECAST_IP} -p tcp -m multiport --dports 8008:8009 -m comment --comment "Allow Chromecast TCP data (outbound)" -j ACCEPT
iptables -A OUTPUT -d -p udp --dport 1900 -m comment --comment "Allow Chromecast SSDP" -j ACCEPT

Hubs can also be implemented to replace IR remotes.

# Ring Cameras

# Nest Smoke Detectors

# Chamberlain Garage Door Openers

# Wink Door Switches

# TPLink Power Sockets

# iRobot Roomba
Register the unit with [ the care center] for warranty support, tips and tricks, and parts availability.

# Lasko Heater (CAUTION)

+ 0
- 51
Services/Geth.d/

@@ -1,51 +0,0 @@
Geth hubs are the most prototypical unit. They are basic control and data providers to the Geth gestalt.

# Typical Install
* [ Download the latest image.] [[Category:Raspberry Pi]]
* Buy a Raspberry Pi, microUSB 5V/4A power supply, and micro SD card 8GB or more in capacity.
* Attach the SD card to some Linux system.
* dd bs=4M if=*raspbian*.img of=/dev/<SD Card>
* Mount the /dev/sda2 partition to /mnt and /dev/sda1 partition to /mnt/boot
* "scp /usr/local/src/ConfigPackages /mnt/usr/local/src/"
* "chroot /mnt"
* "cd /usr/local/src/ConfigPackages/Geth"
* "make rpi-base"

## Remotes
* Purchase an [ IR shield] and attach it to your GPIO pins.
* "make remote" from /usr/local/src/ConfigPackages/Geth on the Pi.
* [ Set up LIRC to read and write from the shield.] This [ article] may have more troubleshooting help.
* Use [ irrecord] to capture the sequences from the current remote.
* At a minimum, capture power, input, enter, mute, volume up and volume down from your TV.
* DVD players and such devices may need more captures.
* Roombas only need launch, dock, and spot-clean commands. [ These are already captured].
* Use irsend to test sending commands.
* Set up the proper SSH keys and ~/.ssh/config options to allow the hass user to SSH to the Pi without a password.

The following snippet added to your configuration.yaml to allow remote-like activity.
- platform: command_line
command_on: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_POWER"
command_state: 'ping -c 1 | grep -c "1 received"'
command_off: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_POWER"
- platform: command_line
command_open: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_VOLUMEUP"
command_stop: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_MUTE"
command_close: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_VOLUMEDOWN"
#icon: mdi:volume-medium
command_open: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_CONFIG"
command_stop: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_ENTER"
command_close: "ssh -o StrictHostKeyChecking=no -q pi@geth-host-1 irsend SEND_ONCE NS-RC4NA-14 KEY_CONFIG"
#icon: mdi:animation

## Cameras
A package, motion, provided by Raspbian allows use of [ cameras], which are more secure than oft-compromised off-the-shelf IP cameras.

+ 0
- 13
Services/Geth.d/

@@ -1,13 +0,0 @@
# Installation

Nazara hosts should follow the [[Geth/Hub|typical hub base installation]], but they don't need any hardware besides a [[:Category:Raspberry_Pi|Raspberry Pi 3]][[Category:Raspberry_Pi]] and 5V/4A power supply.

The deprivileged user on the Nazara host should set up the [[SSH|/home/pi/.ssh]] folder with configs and keys for each critical and service host in the ecosystem.

1. Create the key:<pre>ssh-keygen -t rsa -b 4096 -N PASSPHRASE -f USER-HOST</pre>
1. Install the key to a new host:<pre> ssh-copy-id -i /home/pi/.ssh/USER-HOST USER@HOST</pre>
1. Regularly rotate all the key passphrases:<pre>for i in `ls -1 /home/pi/.ssh | egrep -v 'known_hosts|config|authorized_keys|.pub$'`; do ssh-keygen -p -P OLDPASS -N NEWPASS -f "$i"; done</pre>

# Etymology

In the Mass Effect universe, the Geth were secretly puppeted by an ancient AI, a Reaper also known as Sovereign or Nazara. A Nazara Geth node similarly manipulates all the nodes in the ecosystem.
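Review bot: the key steps put passphrases on the command line (`-N PASSPHRASE` in step 1, `-P OLDPASS -N NEWPASS` in step 3), where they end up in shell history and are visible in the process list while ssh-keygen runs. Omitting -N and -P makes ssh-keygen prompt for them instead. In the step 3 loop, `ls -1 /home/pi/.ssh` yields bare file names, so `-f "$i"` only resolves when the loop is run from inside /home/pi/.ssh, and the unescaped dot in `.pub$` matches any character. It is also worth stating that this step changes only the passphrase protecting each private key; the key pairs installed on the remote hosts stay the same.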

+ 0
- 20
Services/ View File

@@ -1,20 +0,0 @@
Geth is a complete automation suite for homes and interaction with the physical world. However, it is not a automatic process, and as such you will need to install it manually.

# Etymology=The [ Geth] are a fictional race in the Mass Effect universe. Geth are individual processes running on many platforms. The more devices, the smarter the collective or gestalt consciousness of the entity becomes.

# Relevant Files and Software
You can install Geth with [ ConfigPackages]'s Geth Makefile and configuration.

A number of devices can be controlled under the gestalt -- see [[Geth/Hardware]] for our experiments with Geth hardware platforms. The configuration.yaml format used by the underlying home-assistant package is very simple, and as such we don't prescriptively install one over the base version. Instead, we include snippets for you to define your own structure.

We are also considering features such as integrating smart lights with Shadowfeed presence detection and timeslots and requiring wireless presence for RFC door unlocks.

[file:///var/lib/hass/ Geth configuration] can be tested with the following: <pre> hass --script check_config -c /var/lib/hass</pre>

# Available Clients
See [[WebServer#Clients|this list of clients]] for tools to access this system. The Shadowfeed NAT rules will need to be updated to allow access outside the network, and make sure to follow [ the security checkpoints] before publishing.

# Equivalents or Competition
Most home-automation systems are DIY at the moment, though the [ NEST] system is one commercial offering.

+ 0
- 27
Services/ View File

@@ -1,27 +0,0 @@
Grimoire is a PostgreSQL[[Category:PostgreSQL]] database underlying other systems on the AniNIX, including [[Singularity]] and [[Wiki]].

# Etymology
A [ grimoire] is historically a collection of magical knowledge and the ability summon spirits or daemons. Similarly, Singularity adds knowledge to be read from the Grimoire, and Wiki includes the methodology to start the daemon processes being run on the network.

# Relevant Files and Software
Grimoire has a user, postgres, with a home directory of [file:///var/lib/postgres/ /var/lib/postgres/]. This user's bashrc contains some help text on how to reset passwords and backup databases in PostgreSQL.
## Backups
Backups are provided by [[Aether|AniNIX::Aether]]. They can be restored with the following:
psql -U dbuser -d db -f backup.sql

# Available Clients
There are no clients for the Grimoire -- Singularity and Wiki maintain their tables.

# Additional Reference
Make sure to read the [ PostgreSQL page on ArchWiki] to understand how to maintain this system.
# Tables
* Singularity controls the ttrss database.
* Wiki controls the wiki database.
* WikiGB controls the wiki-gb database. This database is internal-only.
* ACWiki-Archive controls the acwiki-archive database.

+ 0
- 152
Services/IRC.d/ View File

@@ -1,152 +0,0 @@

## Basic Commands
: Borrowed from [ the Wikipedia tutorial]

Users should also type "/msg NickServ help" into their client for help with nickname questions or user preferences, or use "/msg ChanServ help" for help with registering and administering channels.

{| class="wikitable"
!Command || What it does || Example
|/attach <br/> /server || Sign on to a server || **/attach** <br/> **/server**
|/nick || Set your nickname || **/nick** YourName
|/join || Join a channel || **/join** #en.wikibooks
|/part || Leave a channel || **/part** #en.wikibooks
|/msg || Sends a message (can either be private or to the entire channel) || Message the channel: **/msg** #en.wikibooks Hello, World! <br/> Send a private message: **/msg** JohnDoe Hi, John.
|/whois || Display information about a user on the server || **/whois** JohnDoe
|/clear <br/> /clear all || Clears a channel's text. <br/> Clears all open channel's text. || **/clear** <br/> **/clear all**
|/away || Sets an away message. **Note: Type /away again to return from away.** || **/away** I'm away because...
|/me || Sends an action to the channel. See example. || The following: <br/> **/me** loves pie. <br/> would output to the chat in the case of JohnDoe: <br/> **JohnDoe** loves pie.
|/quit || Disconnects you from the IRC network. You can also quit with a quit message. || **/quit** Off to bed.
What happens: JohnDoe has quit (Off to bed)

## Channel Modes
<p>Channel modes allow you to change the way the channel reacts to certain events. All channels have modes +nt set on them by default. To change a channel mode, simply enter:</p>
<pre>/mode #channel +m</pre>
<p>Keep in mind that Channel Modes are case sensitive, +b and +B are NOT the same thing. All the time codes do not have to be in seconds, if you want to do a 10 minute ban, rather than using "600" for your time, you can do "10m". Supported time codes are:<br> 1y2m3w4d5h6m<br>Below is a list of Channel Modes supported by InspIRCd:</p>

### Core Modes
|b [n!u@h]||Bans matching [n!u@h] from joining the channel. Also, be sure to check out the <strong>extbans</strong>.
|i||Sets the channel as Invite-Only
|k [key]||Sets a key on the channel.
|l [number]||Sets the channel limit to [number]. Once the limit is reached, no more users can join.
|m||Makes a channel "moderated". Only +qaohv can talk. (You must have at least a voice to talk)
|n||Forces a user to be in the channel to PRIVMSG it. You probably want to keep this mode.
|o [nick]||Makes [nick] a channel Operator.
|p||Sets the channel as 'private'. Will not show up in /LIST, but WILL still show up in your WHOIS.
|s||Sets the channel as 'secret'. Will not show up in /LIST or /WHOIS, generally preferred over +p
|t||Forces a user to have +o or +h to change the topic. You probably want to keep this mode.
|v [nick]||Gives voice to [nick]. Voiced users have no real power, the only thing special about being voiced is being able to speak when mode +m is set.

### Modular Modes
These modes are available through modules. Once the module is unloaded, modes will be removed, and their effects gone.
|A||allowinvite||Allows all users in the channel to use /INVITE, even if they don't have half-op or above.
|a||chanprotect||Gives protected status to [nick]. This protects them from channel ops (+o); as of 2.0, this now implies +o.
|B||blockcaps||Blocks messages with too many CAPITAL LETTERS. The amount of capital letters that is decided to be too many is set by the network configuration.
|C||noctcp||Blocks CTCPs to the channel.
|c||blockcolor||<strong>Blocks</strong> messages and notices with colour or formatting codes. Also see chanmode +S.
|D||delayjoin||Users are not shown as joined until they speak.
|d [sec]||delaymsg||Disallows a user from talking in the channel unless they've been joined for [num] seconds.
|e [n!u@h]||banexception||Allows users matching [n!u@h] to bypass +b
|F [num]:[sec]||nickflood||Allows only [num] nick changes every [sec] seconds in a channel.
|f {*}[num]:[sec]||messageflood||Allows only [num] messages from a user every [sec] seconds. Exceeding this will enact a KICK on the offending user (or ban if the * is included.)
|G||censor||Censors bad words from the channel based on network configuration.
|g [keyword]||chanfilter||Blocks messages matching [keyword]. Wild cards are usable here; however, must be done with wildcards surrounding the keyword as well. For example, if you wanted to filter [key*word], you would type: <strong>/mode +g *key*word*</strong>
|H [num:sec]||chanhistory||Displays the last [num] lines of chat to a user joining a channel; [sec] is the maximum time to keep lines in the history buffer. Designed so that the new user knows what the current topic of conversation is when joining the channel.
|h [nick]||halfop||Makes [nick] a channel Half-Operator
|I [n!u@h]||inviteexception||Allows users matching [n!u@h] to bypass +i
|J [sec]||kicknorejoin||Disallows a user from joining [sec] seconds after being /KICK'd
|j [num]:[sec]||joinflood||Allows only [num] users to join the channel in [sec] seconds.
|K||knock||Disallows usage of /KNOCK on the channel.
|L [channel]||redirect||When the channel is "full" (from channel mode "l"), forwards the user to [channel].
|M||services_account||Users must be registered with services to speak in the channel.
|N||nonicks||Disallows nick changes for users on the channel.
|O||operchans||Marks a channel as an oper-only channel; only users who are oper'ed will be able to join these channels. As well, only opers may set channel mode +O.
|P||permchannels||Marks the channel as "permanent". Will not disappear when there are no users. Note that only opers can set this mode.
|Q||nokicks||Disallows channel kicks, except Services / U-Lined clients.
|q||chanprotect||Makes [nick] a channel owner. Protects from +a and +o; as of 2.0, this now implies +o.
|R||services_account||Users must be registered with services to join the channel.
|r||services_account||Marks a channel as registered. While some services still use this (namely Anope), this mode is mostly depreciated.
|S||stripcolor||<strong>Strips</strong> colour or formatting codes from messages and notices to the channel. Note that the user sending the message will still see the colour and/or formatting. Also see chanmode +c.
|T||nonotice||Blocks /NOTICEs to the channel.
|u||auditorium||Creates an "Auditorium" channel.
|w [flag]:[banmask]||autoop||Adds basic channel access controls of [flag] to [banmask], via the +w listmode. For example, +w o:R:Brain will op anyone identified to the account "Brain" on join.
|X [flag]:[restriction]||exemptchanops||Allows the level of channel access required to bypass a given permission to be set. For example, setting +NX v:nonick will prevent people from changing nicks unless they are voiced (or opped/halfopped).
|Y||ojoin||Marks a user as an oper in-channel with a definable prefix in front of their nick, when an oper issues the <strong>/ojoin #channel</strong> command. An oper with +Y cannot be kicked or deoped. Note that this mode is oper only.
|y||operprefix||Marks a user as an oper in-channel with a definable prefix in front of their nick. If this module is loaded, all opers will permanently be prefixed with the character, as opposed to +Y, which only prefixes during an /ojoin. Note that this mode is oper only.
|Z||namedmodes||This module allows for the display and manipulation of channel modes via long-form mode names. For example, to set a channel ban with named modes: <pre>/MODE #channel +Z ban=foo!bar@baz</pre>
|z||sslmodes||All users must be connected to the network via SSL to join the channel.

### Recommended Mode Settings
ChanServ will by default set modes "keeptopic peace cs_secure securefounder secureops topiclock persist cs_keep_modes signkick topiclock" on any registered channel. NickServ adds +r to any registered user, and first user to join a channel will be founder. Here are some other recommendations.
1. Private channels should receive mode +Rs or +Ris to prevent unwanted visitors.
1. Network-maintained channels should get the ChanServ no-expire setting -- user-defined channels should not.
1. Hierarchy in the channel should be laid out according to the following:
1. Channel founders (and successors if any) should be in the ChanServ qop list and have mode +q. Network-maintained channels should have an IRC NetAdmin as channel founder.
1. Channel bots should receive mode +s and be in the Chanserv sop list.
1. Channel moderators should receive mode +o and be in the ChanServ aop list.
1. Channel moderators in training should receive mode +h and be in the ChanServ hop list.
1. Channels should receive descriptive topics, URLs, and descriptions in their ChanServ settings so that users can learn more about the project.

## IRC Operation
IRC Operation is a complicated issue for even small networks. Various sites offer some assistance <ref name=irchelp>[, accessed 2019/04/24]</ref> but all IRC operators or "IRCops" should be familiar with the KILL, REHASH, RELOAD, DIE, TRACE, STATS, LINKS, and HTM commands, as well as their individual module config. Refer to your IRCd's documentation for the syntax on these.
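Review bot: under Recommended Mode Settings, "Channel bots should receive mode +s and be in the Chanserv sop list" conflicts with the mode tables earlier in this same file, where s is only the channel-level 'secret' mode and the protected status is a (chanprotect). Please confirm which mode the bots are meant to hold. The ChanServ default list also names topiclock twice, the four hierarchy items have lost their nesting under "Hierarchy in the channel should be laid out according to the following", and the irchelp reference in IRC Operation has an access date but no URL.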

+ 0
- 19
Services/IRC.d/ View File

@@ -1,19 +0,0 @@
We maintain some [ Discord] services for users that are less tech-savvy or want to work primarily with Web front-ends.

# Bridge
We bridge some specific IRC channels to Discord for convenience. We will not create arbitrary channel mirroring -- we encourage users to focus on IRC for user-driven channels.
1. lobby mirrors to IRC #lobby and is where all new users are connected.
1. tech mirrors to IRC #tech for projects.
1. martialart mirrors to IRC #martialarts in support of our [[Martial Arts]] class.

We use the [ reactiflux discord-irc bridge] to set this up.

# Werewolf
We run an instance of [ belugawhale's Discord-Werewolf bot] for playing text games in the #textgames channel.

# Voice Channels
We do have a couple voice channels set up.
1. General is for anyone and everyone to talk.
1. Table Talk is for folks playing remote games to chat together.
1. Raids is dedicated to our Raid Team role, primarily for our [[Games#MMO.27s|SWTOR]] raids on the Empire faction.
1. There is also a voice channel for admins to deal with critical network decisions and incidents.

+ 0
- 53
Services/ View File

@@ -1,53 +0,0 @@
IRC is a chat system used by members of the AniNIX network. See [[IRC#Available Clients|Available Clients]] for access methods.

# Etymology
[ IRC] stands for Internet Relay Chat -- it is a method of text-based communication across the network via various servers. IRC has long been the self-hosted communication medium of choice for hackers, developers, and the fringe -- though overall adoption has dropped a bit with the rise of other social media, networks like [ Freenode] are growing. IRC<ref name=ircgrow></ref> is moving to the hacker niche, and we follow along.

# Relevant Files and Software
The configuration for the IRC service is divided into two parts -- the daemon and services.
## InspIRCd
The IRC daemon is powered by [ InspIRCd 2][[Category:InspIRCd]]. Relevant configuration is in [file:///etc/inspircd/inspircd.conf the conf file] and it logs to [file:///var/log/inspircd/startup.log startup.log].
## Anope
The services component is supplied by [ Anope 2][[Category:Anope]]. Relevant configuration is in [file:///etc/anope/services.conf the services.conf] and it logs to the [file:///var/log/anope/ the anope log].

Anope also takes backups of [file:///var/db/anope/anope.db the anope database] to the backups folder in the same location. [[Category:TODO]]<!--This should be backed up with Wiki-->

<b>Caution:</b> Anope with version 2.0.3 has some issues with gcc6. If you start encountering segmentation faults with Anope, sign in to [[irc:// The Anope support IRC]]. Script a run of "sudo -u ircd gdb /usr/bin/services core". Enter "r <your flags>" and when it crashes run "bt full". Quit out of everything and pastebin the file. Provide this to the support staff.

Anope Services' NickServ authentication can be linked to [[Sora|AniNIX::Sora]] for unified credentials.[[Category:LDAP]]

### Service entities
The following entities can be messaged personally (PM'ed) for help with "/msg <entity> help

* NickServ will manage IRC nicknames.
* HostServ will manage IRC virtual hosts, to mask IP's.
* ChanServ will manage IRC channels -- new channels can be registered on the network here.
* MemoServ will manage IRC memos (short text-message-like messages between users).

# Available Clients
You will need to use your own client. All IRC clients will connect to the service by providing the following information:
* Host:
* Port: 6697
* The client should accept invalid certificates.
* The client should automatically join the #lobby channel.
* The client should provide a nickname and NickServ password that the user intends to use.

### Clients by OS
Some example clients can be found here.
* Linux hosts are strongly recommended to use [ weechat] inside [ tmux] with the [ crym theme], though a Hexchat version is also available.
* Windows hosts can connect to this service using [ HexChat].
* Mac hosts can use [ Colloquy].
* Android hosts can use [ Andchat].
* iOS devices should use [ Colloquy's mobile version].

# Equivalents or Competition
Rivals to IRC include other IRC networks like [ Freenode], mail services like [ Google Inbox], and other chat systems like Slack, Microsoft Teams, Discord, Snapchat, WhatsApp, etc. We use Discord to provide new users with a Web-only bridge to the IRC network at -- [[IRC/Discord Bridge|documentation for our Discord hosting]] is also available..

# Additional Reference
{{:IRC/Commands and Modes}}

### Helpful Reading

# Additional Reference
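Review bot: in Available Clients, "The client should accept invalid certificates" tells every user to turn off certificate validation for the TLS listener on port 6697, which leaves the NickServ password exposed to anyone who can intercept the connection. Either serve a certificate that clients can validate or publish the server certificate's fingerprint for users to pin, and reword the bullet accordingly. Smaller points: the Host bullet is empty, the "/msg <entity> help" quote under Service entities is never closed, and the file ends with an empty "Helpful Reading" section followed by a second "# Additional Reference" heading.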

+ 0
- 18
Services/ View File

@@ -1,18 +0,0 @@
Remote access is important in the AniNIX, and so we support the use of the [ OpenSSH] protocol via [[ShadowArch]] to supporting hosts.

# Etymology
SSH is named for the protocol on which it's built.

# Relevant Files and Software
Most of this service's configuration lives in [file:///etc/ssh/sshd_config sshd_config]. This includes match statements on what groups are allowed to connect, allowed protocols, and somewhat importantly the ForceCommand directives that hold certain users captive to specific operations.

VNC and X11 forwarding can be used over SSH to allow graphical clients. X11 forwarding without SSH compression is generally slower. To allow VNC, log in over SSH and forward remote port 5901 to localhost port 5901. Start the VNC server on the remote, and use a VNC viewer like tightVNC portable to view the remote desktop.

# Available Clients
* Windows users should use [ PuTTY]. The AniNIX considers this important enough that a copy of PuTTY is mirrored in [ WolfPack].[[Category:CachedClient]]
* Mac has a native client in their Terminal application.
* Linux users can install [ openssh].
* Android users can use [ Server Auditor].

+ 0
- 17
Services/ View File

@@ -1,17 +0,0 @@
Sharingan is the monitoring solution for the AniNIX, replacing legacy, homebrew Heartbeat.

# Etymology
Sharingan is named after the mythical technique from the Naruto anime series. Sharingan confers deep insight abilities to its user, and our implementation of it will do the same for our administrators' domains.

We are considering a Greylog or rsyslog service alongside Nagios[[Category:Nagios]] to implement a security best-practice.[[Category:TODO]]

# Relevant Files and Software
Sharingan maintains all of its configuration in [file:///etc/nagios/ one directory]. You can validate the configuration there with the following.
<pre> nagios -t /etc/nagios/nagios.cfg</pre>

Sharingan can be installed from the [ ConfigPackages]' Sharingan Makefile. Clients will communicate over SSH, so there is a statement to make a nagios user ("make nagiosuser").

# Available Clients=See [[WebServer#Available Clients|AniNIX::Webserver's client list]].

# Equivalents or Competition=Various monitoring SaaS vendors are available, including one that Nagios sells.
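Review bot: the sentence about `make nagiosuser` says clients communicate over SSH but not how that account is constrained on the monitored hosts. Since this user exists on every client, document whether it is key-only and limited to the check commands. On formatting, "# Available Clients=See" and "# Equivalents or Competition=Various" have the heading fused to the body text with "=", and "Greylog" should read Graylog.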

+ 0
- 22
Services/ View File

@@ -1,22 +0,0 @@
Singularity is the AniNIX's news aggregator -- you can access its [ main page here].

# Etymology
The Singularity is named for [ gravitational singularities]. As it is a pull service, it pulls news into itself.

<b>Note:</b> It's not to be confused with the [ technological singularity]. This service has no AI presently.

# Relevant Files and Software
Most files will be installed with the [ tt-rss] package from ArchLinux. You can then link /usr/share/webapps/tt-rss to your [[WebServer]] root.

# Available Clients
Singularity has a [[WebServer#Available Clients|web interface]] available, and there is an app in the [ Google Play Store] for [[Tricorder|Android devices]] and one in the iOS store as well.

# Equivalents or Competition
Equivalents are included in some browers, like Firefox and Seamonkey. Online, [ Feedly] and other RSS aggregators allow subscribing to feeds.

# Additional Reference
Singularity can be joined to the [[Sora|AniNIX::Sora]] domain for unified authentication.


+ 0
- 134
Services/ View File

@@ -1,134 +0,0 @@
Sora is the [ LDAP]-enabled central crendential store of the AniNIX -- end users will have accounts here.

# Etymology=Sora was the name of a pivotal character in the Kingdom of Hearts series. As Sora holds the "keys to the kingdom", the name fit.<!-- I've considered renaming this, but I'm kind of happy with it, even though I didn't follow the Kingdom of Hearts series. -->

# Relevant Files and Software
Most of the configuration initially is handled by the [ ConfigPackages'] Sora Makefile.

We use [file:///etc/openldap/users.d a users.d] folder to hold the default user definitions. uidNumber should generally start from 10000 and the .ldif files should never be deleted to track the maximum uidNumber.

# Available Clients
See [[:Category:LDAP]] for more information on the services that are clients of Sora.

# Equivalents or Competition
Both [[:Category:Google|Google]] and Facebook offer distributed authentication systems. Google in particular is a good equivalent, as some of the services used by this network rely on its authentication for various products it provides internally.

The AniNIX is not presently set up or planning to do distributed authentication.
# Authorizing Other Services by Sora
## [[ShadowArch]] OS Authentication
You will need nss-pam-ldap as package installed. You will need to edit /etc/pam.d/su, /etc/pam.d/su-l, /etc/pam.d/system-auth, and /etc/nslcd.conf to match [ this link] and [ the Arch Wiki].
## [[Windows]] OS Authentication
We recommend the [ pGina] package -- this is a very smooth client.
## [[SSH]]
Edit /etc/ssh/sshd_config to allow PasswordAuthentication and PAM. This assumes the OS authentication is set up.

We recommend adding a passwdchange OS group on the external-facing SSH host and set up a ForceCommand around /usr/bin/passwd for users in that group. This allows you to enable centralized password changes from outside the command line for subscribing clients and then disable password changes in individual services.
## [[IRC|IRCServices]]
You will need to enable m_ldap and m_ldap_authentication in [file:///etc/anope/modules.aninix.conf the modules conf file]. The modules conf has the necessary parameters waiting to be filled in. We recommend updating the search_filter to "(&(!(shadowLastChange=0))(&(uid=%account)(objectClass=%object_class)))". This will prevent users from using a password reset by an administrator.

When you enable LDAP for IRCServices, we would recommend disabling email changes in m_ldap_authentication and disabling account creation in the NickServ configuration. Do not disable registration in m_ldap_authentication. This ensures that account provisioning is done by LDAP and users can group as necessary. Moreover, disable password changes by removing the NickServ set/*pass directives.
## [[Singularity]]
You'll need to update your plugins line in [file:///usr/share/webapps/tt-rss/config.php the config file] and add some parameters. Note: you'll be removing the auth_internal module, but you'll have to add it at least once to promote an LDAP user to admin.

define('PLUGINS', 'auth_remote, note, updater, auth_ldap');
define('LDAP_AUTH_SERVER_URI', 'ldap://localhost:389/');
define('LDAP_AUTH_USETLS', FALSE); // Enable TLS Support for ldaps://
define('LDAP_AUTH_ALLOW_UNTRUSTED_CERT', TRUE); // Allows untrusted certificate
define('LDAP_AUTH_BINDDN', 'uid=binduser,ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_BINDPW', 'secret');
define('LDAP_AUTH_BASEDN', 'ou=People,dc=aninix,dc=net');
define('LDAP_AUTH_SEARCHFILTER', 'uid=???');
## [[Wiki]]
Wiki is the most complicated to add with its multiple domain support, but the following snippet can be modified for a single domain. You'll need to comment out the fourth line at least once after logging in an LDAP user to promote that user to administrator.

1. LDAP Modules
require_once( "extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php");
$wgAuth = new LdapAuthenticationPlugin();

1. LDAP Debugging
$wgLDAPDebug = 0;
$wgDebugLogGroups["ldap"] = "$IP/debug.log" ;

1. LDAP Connection info
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array( '', );
$wgLDAPServerNames = array( '' => 'localhost', );
$wgLDAPEncryptionType = array( '' => 'clear',
#'' => 'tls',
1. $wgLDAPOptions = array( '' => array( LDAP_OPT_DEREF, 0 ), );
$wgLDAPPort = array( '' => 389, );
$wgLDAPProxyAgent = array( '' => 'uid=binduser,ou=People,dc=aninix,dc=net', );
$wgLDAPProxyAgentPassword = array( '' => 'secret', );
$wgLDAPSearchAttributes = array( '' => 'uid', );
$wgLDAPBaseDNs = array( '' => 'dc=aninix,dc=net', );
$wgLDAPGroupBaseDNs = array( '' => 'ou=Group,dc=aninix,dc=net', );
$wgLDAPUserBaseDNs = array( '' => 'ou=People,dc=aninix,dc=net', );
$wgLDAPAddLDAPUsers = array( '' => false, );
$wgLDAPUpdateLDAP = array( '' => false, );
$wgLDAPPreferences = array( '' => array( 'email' => 'mail','realname' => 'cn','nickname' => 'uid'), );

1. LDAP Access Only by Group Membership -- requires the memberOf overlay in Sora
1. $wgLDAPGroupUseFullDN = array( ""=>false );
1. $wgLDAPGroupObjectclass = array( ""=>"posixgroup" );
1. $wgLDAPGroupAttribute = array( ""=>"memberuid" );
1. $wgLDAPGroupSearchNestedGroups = array( ""=>false );
1. $wgLDAPGroupNameAttribute = array( ""=>"cn" );
1. $wgLDAPRequiredGroups = array( ""=>array("cn=wiki,ou=Group,dc=aninix,dc=net"));

1. Disable password changes.
$wgHooks['UserLoginForm'][] = 'lfChangeLoginPage';
function lfChangeLoginPage( &$template ) {
$template->set('canreset',false); // removes default reset password link
// Use the following line to show your own 'reset password' link above the login fields
$template->set('link',"<a href=''>Forgot your password?</a>");
return true;
// Disallow password reset on password reset page
$wgHooks['UserLoginMailPassword'][] = 'MailPasswordIsAllowed';
function MailPasswordIsAllowed ( $username, $error ) {
$error = wfMsg( 'resetpass_forbidden' );

return false;
$wgHooks['PrefsPasswordAudit'][] = 'ChangePasswordIsAllowed';
function ChangePasswordIsAllowed ( $user ) {
throw new PasswordError( wfMsg( 'resetpass_forbidden' ));
return true;
$wgHooks['GetPreferences'][] = 'RemovePasswordChangeLink';
function RemovePasswordChangeLink ( $user, &$preferences ) {
return true;
# Making Changes
Ldapmodify will allow admins to change parts of Sora. Most user attributes can be updated like below.
dn: uid=testuser,ou=People,dc=aninix,dc=net
changetype: modify
replace: mail
mail: blar@test.local


Some properties are more intrinsic to the user object and require special handling.
dn: uid=testuser1,ou=People,dc=aninix,dc=net
changetype: modrdn
newrdn: uid=testuser2
deleteoldrdn: 1
modifying rdn of entry "uid=testuser2,ou=People,dc=aninix,dc=net"
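Review bot: both client snippets bind to Sora without transport protection: the Singularity block sets LDAP_AUTH_USETLS to FALSE and LDAP_AUTH_ALLOW_UNTRUSTED_CERT to TRUE, and the Wiki block sets `$wgLDAPEncryptionType` to 'clear' with the 'tls' line commented out. That is only tolerable because the server is localhost; the page should say so, since anyone copying these values to a separate host sends the bind password and user passwords in cleartext. The Wiki block is also not pasteable as shown: its `#` comment lines appear as `1.` list items (including the commented-out `$wgLDAPOptions` and group-restriction lines), the `$wgLDAPEncryptionType` array is never closed, and the four hook functions are missing their closing braces. In Making Changes, "modifying rdn of entry ..." is ldapmodify output, not LDIF input, and should be separated from the example.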



+ 0
- 32
Services/ View File

@@ -1,32 +0,0 @@
The AniNIX is not a complete solution -- the network recognizes that others do some projects in a superior manner with superior resources than are available directly to us. We subscribe to the following, at a total cost of $200 per year.

# Freehostia
The [ Freehostia] web hosting service also offers DNS services -- the AniNIX purchases public DNS listing and whois protection from this organization for $20 a year.

# Google
Google provides a number of features to individual users for free. [[Category:Google]]
* [ Google Keep] provides an easy interface for nonpublic (as opposed to private) notes. It is browser- and mobile-accessible.
* [ Google Maps] provides a browser- and mobile accessible means of accessing maps and charts of the Earth's surface including semistatic satellite and 3D imagery.
* [ Google Inbox] provides a browser- and mobile accessible email service.
* [ Google Drive] provides a browser- and mobile-accessible file upload and collaboration service.
* [ Google Calendar] provides a browser- and mobile-accessible calendar.
* [ YouTube] provides a subscription mechanism for user-uploaded content from around the world.
* [[:Category:Mobile|Android]] devices in the AniNIX also benefit from being able to be tracked, locked, and remotely erased by their owning user via the [ Device Manager] service.

# Gutenberg Project
The [ Gutenberg project] is a free reading library that augments Yggdrasil's digital library.

# Netflix
[[Yggdrasil|AniNIX::Yggdrasil]] cannot store all material available. Netflix offers a quick and accessible streaming service for content that has not been archived in our own storage, at low cost of $10 a month for two screens.

# Emby
> See [[:Category:Emby]] for subscription details.

# Pushbullet
The [[Tricorder|AniNIX::Tricorder]] uses a Pushbullet service for $40 a year, offering remote access to SMS messages and notifications on mobile devices.

The AniNIX monitors [[ TED]] for new lectures on technology, entertainment, and design.


+ 0
- 25
Services/ View File

@@ -1,25 +0,0 @@
Malware is everywhere -- deployed by email, botcrawlers, script injection, physical intrusion, and many other vectors. Hosts in the AniNIX deploy the VirusScan service to protect themselves.

# Etymology
The name comes from the function. [[Category:TODO]]

# Relevant Files and Software
### Linux
Linux hosts use the [ ClamAV] package to scan for viruses. The AniNIX has a [file:///root/bin/vscan script] to execute the clamscan executable across all files, logging to [file:///var/log/clamscan.log log file] and reported via email to admins.

Crontab entries regularly execute the vscan and freshclam executables to scan the system and update the virus definitions daily.
### Windows and Android
Windows and Android hosts will use the [ Avast] software package to conduct scans. There are no configuration files to be manipulated directly.

# Available Clients
There are no clients for this service.

# Additional Reference
## Hyper-V
Hyper-V hosts that must run antivirus should make sure to [ exclude these locations] to prevent guest disk errors as described in [[RCAs#Windows_Virtual_Disk_Failure]]. This includes both the host and any fileshares in use by other systems.


+ 0
- 31
Services/ View File

@@ -1,31 +0,0 @@
Having some information be publicly accessible is useful to the network -- it's how we can be available to new people. Because HTTPS is the protocol of choice today, the WebServer is our vector.

# Etymology
The WebServer serves content on the Web -- its name is simple to match the function.

# Relevant Files and Software
Configuration files live in [file:///etc/lighttpd/lighttpd.conf lighttpd.conf], including ciphersuites, URI redirection, and pathing. It can be validated with the following.
<pre>lighttpd -t -f /etc/lighttpd/lighttpd.conf</pre>

Most notably, our lighttpd.conf is set to set specific headers to prevent XSS vulnerabilities. We allow the plaintext listener for a better user experience, but we restrict scripts and style resources from loading from plaintext links via Content-Security-Policy. Our X-Frame options are also set to be restrictive against XSS vulnerabilities. We pin the [[Category:SSL|Let's Encrypt]] sha-256 public key signature, and require strict transport security.

Data files live in [file:///srv/http/ the http directory]. Each domain is virtually hosted by the AniNIX and pathing is set up in configuration. Sites in the WebServer are designed to be as sparse and lightweight as possible for rapidly disseminating information; this comes at a cost of beauty.

The WebServer uses six PHP child processes to handle the processing of pages. Both the WebServer and [[Wiki]] are built on PHP engines to reduce code sprawl and edit times. We will install a custom php.ini to handle things like disabling expose_php and configuring open_basedir.

**Please note:** We offer a redirect on and only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.

# Available Clients
* Windows users should use [ Chrome] or Firefox. A copy of Chrome is stored in [ WolfPack].
* Privacy-conscious users may be interested in [ Seamonkey], also stored in WolfPack. This browser includes mail and IRC clients and can be installed on a [[Holocron|flash drive]]. It can be set to silently purge privacy information on closing, and it is lighter on the OS.
* [[ShadowArch]] users should use Seamonkey; chromium can be used to support custom Chrome extensions and bleeding-edge services, like Pushbullet or Netflix.
* Mac users should use Safari or Chrome.
* Mobile users should use the built-in browser.

# Equivalents or Competition
Hosting services like [ GoDaddy] and [ FreeHostia] will provide hosting services for web pages. Content management can be done with systems like WordPress.


+ 0
- 58
Services/ View File

@@ -1,58 +0,0 @@
The AniNIX aims to share information. Yggdrasil holds the many worlds of information available. See [[Yggdrasil#Available Clients|Available Clients]] below for ways to access the system.

# Etymology
The most commonly accepted etymology of the name is ygg "terrible" + drasil "steed". While the name means the "terrible steed", it is usually taken to mean the "steed of the terrible one", with Yggr the epithet of the god Odin. In other words, Odin's horse, referring to the nine nights he is said to have spent hanging from the tree, or "riding the gallows", in order to acquire knowledge of the runic alphabet.

The gallows are sometimes described in Old Norse poetry as the "horse of the hanged." In the case of "terrible steed", the association with Odin may be secondary, and any number of riders possible. A third interpretation, with etymological difficulties, is "yew-column", associating the tree with the Eihwaz rune.

Fjölsvinnsmál, a poem in the Poetic Edda, refers to the World Tree as Mimameid (Old Norse: Mímameiðr, "Mímir's tree" ). The tree is also probably identical to Laerad (Old Norse: Læraðr) a tree whose leaves and branches reach down to the roof of Valhalla and provide food for the goat Heidrun (Old Norse: Heiðrún) and the stag Eikthyrnir (Old Norse: Eikþyrnir).

## The Nine Worlds
The Yggdrasil tree is home to the Nine Worlds in Norse Cosmology. The worlds are:
In the north: Niflheim
In the east: Jotunheim
In the south: Musspelheim
In the west: Vanaheim
In the center: Midgard
Above: Alfheim and Asgard
Below: Svartalfheim and Helheim

## Residents
The World Tree is inhabited by several animals, the Nίðhӧggr, pet dragon of the goddess Hel which chews the roots of the tree which bind it, Veðrfӧlnir the rooster, who will crow when Ragnarok occurs, Ratatӧsk the squirrel, who carries messages of hate between the eagle and the Nίðhӧggr. This eagle, who is not named, is said to have knowledge of many things, and on its head sits Veðrfӧlnir. The significance of Veðrfӧlnir is unclear but John Lindow suggests that it may represent a higher faculty of wisdom, possibly sent out to acquire knowledge in a similar manner as Odin's ravens Hugin and Munin.

The original Norn was undoubtedly Urd, a word which can be translated to mean "Fate". The Well of Urd, which was situated at the base of the great cosmic tree Yggdrasil, is named after this Norn. The two additional Norns that are known by name are Verdandi ("Present" [or "Necessity" in some versions]) and Skuld ("Future" [or "Being" in some versions]). All three Norns live at the Well of Urd in Asgard. According to Norse mythology, nothing lasts forever, and even the great Yggdrasil has been said to decay one day. The Norns try to stop or slow this process by pouring mud and water from the Well of Urd over its branches. The magical liquid stops the decaying process for a short time.

## Relevance to the Service

Yggdrasil is a knowledge repository for the AniNIX -- it literally "holds the worlds" for the network's data content.

# Relevant Files and Software
All configuration is cached inside the service -- we log to [file:///var/lib/emby/logs Emby's logs directory] and data lives in [file:///var/lib/emby /var/lib/emby]. You can build it using the [ ConfigPackages], which will handle the initial directory installation along with an emby-server service.

To keep a consistent color scheme, we add the following under the Emby Server Dashboard > Advanced > Branding. This does not help mobile, but it does make a significant help to computer use.
/* */
@import url('');

LDAP in Emby world is controlled by a dotnet plugin. Bind DN, search filters, and initial user setup are controlled within the plugin from the server admin panel; the plugin can be pulled from the plugin catalog inside Emby. Usage of it is dependent on an Emby premiere membership -- failure to have such will result in "System.Exception: Emby Premiere required for LDAP" messages in the logs. However, this can sometimes be a false positive if preceded by lines of "Error Plugin: Error checking registration status of ldapfeature" -- the latter will be caused by a [ documented issue with dotnet core] that can be resolved by "sudo chmod a+r /etc/ssl/certs/*".

# Available Clients
### Music, Pictures, and Video
* You can go to [ the web-app] for a web-accessible view of the service.
* Android users can use a specific [ app].
### Books and Other Media
* Windows users can use [ WinSCP]. The AniNIX contains a cached copy of this in [ WolfPack].[[Category:CachedClient]]
* Mac users have a native client.
* Linux users should install the openssh client -- see [[SSH#Available clients]] for details.
* Android should use [ Turbo Client].

# Equivalents or Competition
Rivals include [ Pinterest], [ Soundcloud], [ NetFlix], [ Amazon Kindle], [ Google Play], and [ Hulu].
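Review bot: the LDAP paragraph holds troubleshooting knowledge that disappears with this -1,58 +0,0 deletion, namely the two log strings that separate a real "Emby Premiere required for LDAP" failure from the dotnet certificate-read problem, and the fix "sudo chmod a+r /etc/ssl/certs/*". Confirm both are carried into Ubiqtorate. In the new copy, scope the chmod: the glob touches every file in that directory, so either state that it holds only public certificates or name the files the plugin needs. The Branding snippet is already reduced to an empty comment and an @import url(''), so the stylesheet source has to be recovered from the running server. Because that CSS is loaded into the Emby dashboard, record the URL and keep it on a host you control.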