2025-10-21 14:04:09 -05:00
parent 4df485af5d
commit 571455802b
11 changed files with 186 additions and 144 deletions


@@ -2,74 +2,39 @@
# deploy.yml
#
# This playbook details how an entire datacenter should be deployed
#
# Parameters:
#
# Parameters:
# threads: Number of threads to use; default is 16.
#
- hosts: Nazara
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
vars:
- ansible_password: "{{ passwords[inventory_hostname] }}"
- ansible_become_password: "{{ passwords[inventory_hostname] }}"
roles:
- Nazara
- hosts: managed
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
vars: # This is the only segment that should need these variables, as the basics role should take care of sudo and the SSH key.
- ansible_password: "{{ passwords[inventory_hostname] }}"
- ansible_become_password: "{{ passwords[inventory_hostname] }}"
roles:
- ShadowArch
- SSH
- Sharingan
- hosts: physical
gather_facts: true
ignore_unreachable: true
roles:
- hardware
- hosts: Yggdrasil
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- hardware
- SSL
- WebServer
- IRC
- WolfPack
roles:
- Aether
- Foundation
- Yggrasil
- hosts: geth_hubs
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- Geth-Hub
- hosts: Node1,Node2,Node3
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- hardware
- Node
- Grimoire
- IRC
- Password
- SSL
- TheRaven
- WebServer
- WolfPack
- Yggdrasil
- hosts: DarkNet
order: sorted
@@ -81,3 +46,23 @@
roles:
- DarkNet
- WolfPack
- hosts: "{{ item }}"
gather_facts: true
ignore_unreachable: true
roles:
- "{{ item }}"
loop:
- Chappaai
- Maat
- Geth
- Node
- Vergil
#- DedSec
#- BT
- hosts: Node3
gather_facts: true
ignore_unreachable: true
roles:
- Cyberbrain
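Review bot: `loop:` is not a play keyword, so the `- hosts: "{{ item }}"` play at the end of the second hunk will abort the whole playbook at parse time instead of iterating; Ansible loops tasks, never plays. Each entry needs its own play (or one play over those groups with a task-level `include_role` loop). Separately, the `Yggrasil` role name differs from the `Yggdrasil` group and role spelled elsewhere in this file; if that line is on the new side it fails with a role-not-found error. The `vars:` written as a list of one-key mappings in the Nazara and managed plays is, on recent ansible-core, deprecated in favour of a plain mapping.
```yaml
- hosts: Chappaai
  gather_facts: true
  ignore_unreachable: true
  roles:
    - Chappaai
- hosts: Maat
  gather_facts: true
  ignore_unreachable: true
  roles:
    - Maat
# … one play each for Geth, Node and Vergil; DedSec and BT stay commented out …
```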


@@ -36,21 +36,21 @@
- name: Read the Aether identity
become: true
delegate_to: Core
delegate_to: '{{ aether_primary }}'
command: cat /home/aether/.ssh/aether
register: aether_key
- name: Read the Aether public identity
become: true
delegate_to: Core
delegate_to: '{{ aether_primary }}'
command: cat /home/aether/.ssh/aether.pub
register: aether_pubkey
- include_tasks: source.yml
when: "{{ inventory_hostname }} is 'Core'"
when: "{{ inventory_hostname }} is {{ aether_primary }}"
- include_tasks: client.yml
when: "{{ inventory_hostname }} is 'Core'"
when: "{{ inventory_hostname }} is {{ aether_primary }}"
- name: Ensure the Aether identity files are protected.
become: true
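Review bot: The new conditionals `when: "{{ inventory_hostname }} is {{ aether_primary }}"` still wrap the `when` expression in Jinja delimiters; Ansible templates `when` on its own, so this renders to something like `Core is Core` and is evaluated as a Jinja `is` test, not a string comparison. Both `include_tasks` lines should read `when: inventory_hostname == aether_primary`. The `command: cat /home/aether/.ssh/aether` task also registers the private key into `aether_key`, which is echoed in verbose and diff output unless the task carries `no_log: true`; the `slurp` module with `no_log: true` reads the file without going through a shell command at all.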


@@ -30,23 +30,22 @@ To get a client to access the Foundation, use one of the following or visit
Each package will need to be checked out individually.
# Equivalents or Competition
The most famous equivalent is [https://github.com GitHub]. Other source code control systems exist, including some provided by employers or academic institutions -- GitLab provides an enterprise-style implementation. Other protocol implementations vary widely -- Mercurial, Bazaar, and SVN are other revision control systems others use. We appreciate the flexibility of Git.
The most famous equivalent is [https://github.com](GitHub). Other source code control systems exist, including some provided by employers or academic institutions -- GitLab provides an enterprise-style implementation. Other protocol implementations vary widely -- Mercurial, Bazaar, and SVN are other revision control systems others use. We appreciate the flexibility of Git.
# Additional Reference
Some core Git tools are leveraged in specific ways for the AniNIX.
## Config for Author
Even though the [[Talk:IRC#Why_Not_SMTP|AniNIX doesn't use SMTP]], we still use the @aninix.net suffix for the user.email config property on branches. All commits, therefore, should have the proper-case of the user's [[IRC|AniNIX::IRC]] handle as the user.name attribute, and the lower-cased username followed by @aninix.net for the user.email attribute.
[We don't use SMTP.](/AniNIX/Wiki/issues/8) We recommend GPG keys be created with your IRC address included, in the format `ircs://aninix.net:6697/$username`. This will throw some complaints if your project gets mirrored to GitHub, as GitHub wants your key to be verified through email, but within our ecosystem the commits will be verified.
## Tags for Semantic Versioning
We version our projects according to [https://semver.org/ Semantic Versioning] -- this versioning is established using the git tag as major and minor version, the git commit as the patch, and the number of commits since the tag as the ArchLinux release note.
To do this, see [our encryption article](https://aninix.net/AniNIX/Wiki/src/branch/main/Articles/Getting_Started_With_Encryption.md#GPG_Keys).
[https://aninix.net/cgit/cgit.cgi/HelloWorld/tree/PKGBUILD Our HelloWorld PKGBUILD] demonstrates this -- most of the metadata for the package is populated directly by git, and only dependencies are tracked in the PKGBUILD itself.
## Development Standards
If you are developing projects for the AniNIX organization or want to use our standards, ensure that the project is cloned with [AniNIX/Uniglot](/AniNIX/Uniglot)'s `uniglot-clone`. This will run pre-commit hooks to check your project.
## Branches for Functional Improvements
All major functional improvements being worked should be tracked in a branch. The branch name should be the same as the [[QANs|QAN]] for which the branch was started or the functional concept's shortname.
All major functional improvements being worked should be tracked in a branch. The branch name should be linked to the issue for which the branch was started or the functional concept's shortname.
## Filter-branch to Prune
Git maintains a history of all files. If you need to remove files permanently, GitHub maintains [https://help.github.com/articles/removing-sensitive-data-from-a-repository/ an article] on how to use "git filter-branch" to purge it.
}}
[[Category:Public_Service]]
Git maintains a history of all files. If you need to remove files permanently, GitHub maintains [an article](https://help.github.com/articles/removing-sensitive-data-from-a-repository/) on how to use `git filter-branch` to purge it.


@@ -1,5 +1,6 @@
#!/bin/bash
uid="$1"
if [ -z "$uid" ]; then
@@ -7,25 +8,33 @@ if [ -z "$uid" ]; then
exit 1
fi
# Get the bind password
read -sp 'cn=root,dc=aninix,dc=net Password: ' rootdnpw
printf "\n\n"
ldappasswd -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net" && \
ldapmodify -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f <(cat <<EOM
# Update the user password
tput setaf 1 1>&2; tput bold 1>&2;
/usr/bin/ldappasswd -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net"
tput sgr0
# Ensure pwdReset is present
/usr/bin/ldapmodify -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f <(cat <<EOM
dn: uid=$uid,ou=People,dc=aninix,dc=net
changetype: modify
add: pwdReset
pwdReset: TRUE
EOM
)
echo 'As cn=root,cn=config...' && ldapmodify -D 'cn=root,cn=config' -W -H ldap://127.0.0.1 -f <(cat <<EOM
# Remove pwdChangedTime for immediate update
/usr/bin/ldapmodify -e relax -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f <(cat <<EOM
dn: uid=$uid,ou=People,dc=aninix,dc=net
changetype: modify
delete: pwdChangedTime
EOM
)
# Exit
exit $?
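Review bot: The bind password is still passed as `-w "$rootdnpw"` on all three ldappasswd/ldapmodify invocations, which exposes it in the process table to every local user for the duration of each call; the OpenLDAP clients accept `-y <(printf '%s' "$rootdnpw")` to read it from a file descriptor instead. The old `&&` chain is also gone, so a failed `ldappasswd` no longer stops the script from adding `pwdReset` and deleting `pwdChangedTime` on an account whose password was not actually changed; `set -euo pipefail` after the shebang, or an explicit `|| exit 1` on the password change, restores that. The final `exit $?` only reflects the last ldapmodify. The script's header lines continue above the first hunk.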


@@ -44,6 +44,9 @@ GSSAPIAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
# Allow other packages to ship snippets
Include /etc/ssh/includes/*
## By default, only ssh-allow or ldapusers are allowed to sftp
AllowGroups ssh sftp ldapuser
Match Group ldapuser,sftp
@@ -58,6 +61,3 @@ Match Group wheel,ssh-allow
X11Forwarding yes
ForceCommand none
ChrootDirectory none
# Allow other packages to ship snippets
Include /etc/ssh/includes/*
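Review bot: With `Include /etc/ssh/includes/*` moved above `AllowGroups` and the `Match` blocks, sshd's first-value-wins rule means any global directive in a shipped snippet now silently overrides the access restrictions below it (a snippet setting `AllowGroups` or `PermitRootLogin` takes precedence). The move itself is right, since the old position sat inside the trailing `Match Group wheel,ssh-allow` block and made the includes conditional, but that precedence should be stated next to it: `# Allow other packages to ship snippets; sshd keeps the first value, so these override the restrictions below`. The bare `*` also picks up editor backups and `.bak`/`.rpmsave` copies in that directory; `Include /etc/ssh/includes/*.conf` limits it to intended files. `sshd -T` after a deploy confirms the effective values.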


@@ -1 +1,2 @@
include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/automated_response"


@@ -1,2 +1,3 @@
include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/automated_response"
include "/etc/monit.d/checks/cyberpower"


@@ -1 +1,2 @@
include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/automated_response"


@@ -10,6 +10,7 @@
- suricata
- oinkmaster
- rkhunter
- sharingan-scripts
state: present
# Network IPS


@@ -4,7 +4,7 @@
register: sharingan_packages
package:
name:
- elasticsearch
- opensearch
- mongodb-bin
- mongodb-tools-bin
- graylog
@@ -13,7 +13,7 @@
- name: Sharingan services
become: yes
loop:
- elasticsearch
- opensearch
- mongodb
- graylog
service:
@@ -24,11 +24,11 @@
- name: Sharingan backups directory
become: yes
file:
path: /usr/local/backups/elasticsearch
path: /usr/local/backups/opensearch
state: directory
owner: elasticsearch
group: elasticsearch
mode: 0770
- name: Set Sharingan backups
command: "curl -X PUT localhost:9200/_snapshot/my_backup?pretty -H 'Content-Type: application/json' -d '{ type: fs, settings: { location: /usr/local/backup/elasticsearch, compress: true } }'"
command: "curl -X PUT localhost:9200/_snapshot/my_backup?pretty -H 'Content-Type: application/json' -d '{ type: fs, settings: { location: /usr/local/backup/opensearch, compress: true } }'"
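Review bot: The changed snapshot registration points at `/usr/local/backup/opensearch`, but the `file` task above creates `/usr/local/backups/opensearch` (plural), so the repository location will not exist. That directory is also still `owner: elasticsearch` / `group: elasticsearch` while the service being started is now `opensearch`; if that account no longer exists the `file` task fails, and if it does the opensearch process presumably cannot write snapshots there. The `-d` body uses unquoted keys, which is not valid JSON and is likely rejected by the server; sending it through the `uri` module with `body_format: json` fixes both the quoting and the idempotence of a raw `curl` in `command`. `mode: 0770` should be quoted as `"0770"` so it is not read as an octal integer.
```yaml
- name: Set Sharingan backups
  uri:
    url: "http://localhost:9200/_snapshot/my_backup"
    method: PUT
    body_format: json
    body:
      type: fs
      settings:
        location: /usr/local/backups/opensearch
        compress: true
```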


@@ -1,23 +1,109 @@
#!/bin/bash
source /opt/aninix/Uniglot/Bash/header
function ygdl() {
### Download a file
# param path: path to make
# param newname (optional): output location
if [ "$newname" != "" ]; then
wget -O "$newname" "$path";
else
wget "$path";
fi
}
function ygyt() {
### Cache from YouTube
# param path: YouTube URI
# param newname: output location
if [ `echo "$path" | grep -c '/watch?v='` -eq 1 ]; then
path="$(echo "$path" | cut -f 1 -d '&')"
fi
if [ "$newname" != "" ]; then
yt-dlp -o "$newname" "$path";
else
yt-dlp "$path";
fi
}
function ygmp3() {
uri="$path"
if [ "$newname" != "" ]; then
ygmkdir "$newname"
cd "$newname"
fi
if [ `echo "$uri" | grep -c '/watch?v='` -eq 1 ]; then
uri="$(echo "$uri" | cut -f 1 -d '&')"
fi
youtube-mp3 "$uri";
yggdrasil-set-music-data *.mp3
}
function ygcache() {
### Cache files
# param path: path to move
# param newname (option): somewhere other than $PWD to move
# param exec: what to use
if [ -n "$1" ]; then
exec="$1"
fi
if [ "$newname" != "" ]; then
$exec "$path" ./"$newname"
else
$exec "$path" .
fi
}
function ygmkdir() {
### Make a directory
# path: directory to make
if [ -n "$1" ]; then
path="$1"
fi
if [ -d "$path" ]; then
infoheader "Directory '$path' already existed."
else
mkdir -p "$path"
chmod u+w "$path"
fi
}
function usage() {
### Usage
# param retcode: what to return
if [ -z "$1" ]; then
retcode=0;
else
retcode=$1;
fi
cat << EOM
AniNIX/Yggdrasil Bash API
Syntax: yggdrasil-get {dl|yt|mp3|cp|mv|mkdir} PATH [new file name in $PWD]
Option:
-- dl: Use wget
-- yt: Use yt-dlp
-- mp3: Use youtube-mp3
-- cp: Copy the file here.
-- mv: Move the file here.
-- mkdir: Make a folder
EOM
exit $retcode
}
### Main
export YGGDRASIL="/home/yggdrasil"
if [ "$1" == '-v' ]; then
set -x
shift
fi
option="$1"
path="$2"
newname="$3"
#Offer help
if [ "$option" == "" ] || [ "$option" == "-h" ] || [ "$option" == "--help" ] || [ "$path" == "" ] || [ $(echo $newname | grep -c '/') -ne 0 ]; then
echo "AniNIX::Yggdrasil Bash API"
echo 'Syntax: yggdrasil-get {dl|yt|mp3|sol|cp|mv} PATH [new file name in $PWD]'
echo "Option:"
echo "-- dl: Use wget"
echo "-- yt: Use yt-dlp"
echo "-- mp3: Use youtube-mp3"
echo "-- sol: Use solarmovie-vodlocker-dl"
echo "-- cp: Copy the file here."
echo "-- mv: Move the file here."
echo "-- mkdir: Make a folder"
exit;
if [ "$option" == "" ] || [ "$option" == "-h" ] || [ "$option" == "--help" ] || [ "$path" == "" ]; then
usage 0;
fi
#Make sure we're in the Yggdrasil project.
@@ -29,62 +115,21 @@ fi
#unlock this directory
chmod ug+w "$PWD"
#Appropriately source the file
if [ $? -ne 0 ]; then
echo Couldn\'t unlock $PWD
exit
exit 1
fi
if [ "$option" == "dl" ]; then
if [ "$newname" != "" ]; then
wget -O "$newname" "$path";
else
wget "$path";
fi
fi
if [ "$option" == "yt" ]; then
if [ `echo "$path" | grep -c '/watch?v='` -eq 1 ]; then
path="$(echo "$path" | cut -f 1 -d '&')"
fi
if [ "$newname" != "" ]; then
yt-dlp -o "$newname" "$path";
else
yt-dlp "$path";
fi
fi
if [ "$option" == "mp3" ]; then
if [ "$newname" != "" ]; then
echo "Renaming not available."
fi
if [ `echo "$path" | grep -c '/watch?v='` -eq 1 ]; then
path="$(echo "$path" | cut -f 1 -d '&')"
fi
youtube-mp3 "$path";
yggdrasil-set-music-data *.mp3
fi
if [ "$option" == "sol" ]; then
if [ "$newname" != "" ]; then
solarmovie-vodlocker-dl "$path" "$newname"
else
echo "Need a name."
fi
fi
if [ "$option" == "cp" ]; then
if [ "$newname" != "" ]; then
cp "$path" ./"$newname"
else
cp "$path" .
fi
fi
if [ "$option" == "mv" ]; then
if [ "$newname" != "" ]; then
mv "$path" ./"$newname"
else
mv "$path" .
fi
fi
if [[ "$option" == "mkdir" && "$path" != "" ]]; then
mkdir -p "$path"
fi
# Functional loop
case "$option" in
dl) ygdl ;;
yt) ygyt ;;
mp3) ygmp3 ;;
cp) ygcache cp ;;
mv) ygcache mv ;;
mkdir) ygmkdir ;;
*) usage 1 ;;
esac
#Lock
chmod -R ug-w "$PWD"
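Review bot: The rewritten help gate drops the old `grep -c '/'` test on `$newname`, so a third argument such as `../elsewhere` is now accepted and reaches `wget -O`, `cp`/`mv "$path" ./"$newname"` and `ygmkdir "$newname"`, letting a caller write outside the directory this script unlocks and re-locks; restore it in the condition as `|| [[ "$newname" == */* ]]`. In the `case` dispatch, `*) usage 1 ;;` exits before the closing `chmod -R ug-w "$PWD"`, so an unknown option leaves the directory writable — validating `$option` before the unlock, or `trap 'chmod -R ug-w "$PWD"' EXIT`, avoids that. Minor: `usage` uses an unquoted `<< EOM`, so `$PWD` in the syntax line is expanded where the old single-quoted `echo` printed it literally; `<< 'EOM'` keeps the original text. The lines between the two hunks are outside this view.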