AniNIX/Wiki#21 -- effecting renames for policy

roles/Chappaai/README.md

@@ -0,0 +1,18 @@
+A Chappaai host is a gateway to accessing other hosts. It is a safeguard against admin error.
+
+## Etymology
+Chappaai hosts are named to follow the non-English naming of the Stargate network by the other denizens of the galaxy.
+
+They are the first line of defense against administrative error -- similar to the way that [Stargate Command](https://stargate.fandom.com/wiki/Stargate_Command) was for Earth. They prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This prevents infiltration by infections (similar to Goauld) and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
+
+## Capacity and Components
+A Chappaai host needs minimal CPU or memory.
+
+## Hosted Services and Entities
+Chappaai should host a Pihole installation and [SSH](../Services/SSH.md). It should be linked by NAT to an obscure port to the outside world.
+
+## Connections
+Any host should be able to connect to a Chappaai with SSH and X11, and it should be able to dial to any service provider.
+
+## Additional Reference
+Chappaai hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.

roles/Chappaai/tasks/main.yml

@@ -17,7 +17,7 @@
 
  - name: Ensure pihole web admin password
    become: yes
-   command: "pihole -a -p {{ passwords['Nazara'] }}"
+   command: "pihole -a -p {{ passwords['Chappaai'] }}"
      # when: pihole_install.changed
 
  - name: Generate DNS/DHCP from inventory
@@ -25,7 +25,7 @@
    run_once: true
    command: "python3 ../bin/generate-pihole-dns-dhcp.py {{ inventory_file }}"
 
- - name: Nazara DNS
+ - name: Chappaai DNS
    become: yes
    register: dns_updated
    copy:
@@ -35,7 +35,7 @@
      group: pihole
      mode: 0644
 
- - name: Nazara DHCP
+ - name: Chappaai DHCP
    become: yes
    register: dhcp_updated
    copy:
@@ -45,7 +45,7 @@
      group: root
      mode: 0644
 
- - name: Nazara Configuration
+ - name: Chappaai Configuration
    become: yes
    register: conf_updated
    copy:
@@ -56,7 +56,7 @@
      mode: 0644
 
 
- - name: Nazara DHCP Leases dir
+ - name: Chappaai DHCP Leases dir
    become: yes
    file:
      path: /var/lib/misc/
@@ -65,7 +65,7 @@
      group: root
      mode: 0777
 
- - name: Nazara DHCP Leases
+ - name: Chappaai DHCP Leases
    become: yes
    file:
      path: /var/lib/misc/dnsmasq.leases

roles/Nazara/README.md

@@ -1,16 +0,0 @@
-A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.
-
-## Etymology
-Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This is akin to the mastermind [Reaper AI](https://masseffect.fandom.com/wiki/Sovereign) from the Mass Effect franchise, and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
-
-## Capacity and Components
-A Nazara host needs minimal CPU or memory.
-
-## Hosted Services and Entities
-Nazara should host a Pihole installation and [SSH](../Services/SSH.md). It should be NAT'ed to an obscure port to the outside world.
-
-## Connections
-Any host should be able to connect to a Nazara with SSH and X11, and it should be able to dial to any service provider.
-
-## Additional Reference
-Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.

roles/SSL/tasks/main.yml

@@ -37,30 +37,20 @@
      group: http
      mode: 2755
 
- - name: Copy TLSA script
+ - name: Remove old TLSA script
+   become: yes
+   file:
+     path: /usr/local/sbin/tlsa-generation.bash
+     state: absent
+
+ - name: Copy record generator script
    become: yes
    template:
-     src: tlsa-generation.bash.j2
-     dest: /usr/local/sbin/tlsa-generation.bash
+     src: record-generation.bash.j2
+     dest: /usr/local/sbin/record-generation.bash
      owner: root
      group: root
      mode: 0700
 
- - name: Get proposed TLSA records
-   become: yes
-   command: /usr/local/sbin/tlsa-generation.bash
-   register: tlsa_records
-
- - name: Show proposed TLSA records
-   debug:
-     msg: "{{ tlsa_records.stdout_lines }}"
-
- - name: Get TLSA records
-   delegate_to: localhost
-   run_once: yes
-   command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
-   register: ext_tlsa_records
-
- - name: Show TLSA records
-   debug:
-     msg: "{{ ext_tlsa_records.stdout_lines }}"
+ - debug:
+     msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'

roles/SSL/templates/record-generation.bash.j2

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+ttl=86400
+
+externalip="$(curl -s ident.me)"
+
+for domain in {{ hosted_domains }} {{ external_domain }}; do
+
+    echo
+
+     # NS/MX/A -- basic orientation to the world for names, mail, and address
+     cat <<EOM
+\$ORIGIN ${domain}.
+@       $ttl   IN      SOA     ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
+@       $ttl   IN      NS      ns51.cloudns.net.
+@       $ttl   IN      NS      ns52.cloudns.net.
+@       $ttl   IN      NS      ns53.cloudns.net.
+@       $ttl   IN      NS      ns54.cloudns.net.
+@       $ttl   IN      MX      10 mailforward51.cloudns.net.
+@       $ttl   IN      MX      10 mailforward52.cloudns.net.
+@       $ttl   IN      A       ${externalip}
+EOM
+
+     # CAA -- who can issue certs for this domain
+     # https://letsencrypt.org/docs/caa/
+     echo 'CAA 128 issue "letsencrypt.org"'
+
+     # TLSA -- TLS fingerprints for certs & chain
+     for i in _443._tcp _6697._tcp; do
+         printf "$i   $ttl IN ";
+     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey  2>/dev/null | openssl rsa -pubin -outform DER  2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 2 1 1", $NF}'
+         printf "$i   $ttl IN ";
+     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null  | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 3 1 1", $NF}'
+     done
+
+     # SSHFP -- SFTP/SSH fingerprints
+     ssh-keygen -r '@ $ttl' | grep -E '4 2|1 2' # Only take RSA & Ed25519 keys
+
+done
+
+# CNAME -- Add CNAMES for various subdomains
+for i in {{ external_subdomains }}; do
+     printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.
+done

roles/SSL/templates/tlsa-generation.bash.j2

@@ -1,4 +0,0 @@
-#!/bin/bash
-openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
-openssl x509 -in /etc/letsencrypt/live/{{ sslidentity}}/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'
-

roles/ShadowArch/files/motd/Geth0

@@ -0,0 +1,6 @@
+################################################################################
+#                                 AniNIX/Node0                                 #
+#                                                                              #
+#   This is the network virtualization platform. VMs can be found with this:   #
+# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status  #
+################################################################################

roles/ShadowArch/files/motd/Geth1

@@ -0,0 +1,6 @@
+################################################################################
+#                                 AniNIX/Node0                                 #
+#                                                                              #
+#   This is the network virtualization platform. VMs can be found with this:   #
+# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status  #
+################################################################################

roles/ShadowArch/files/motd/Geth2

@@ -0,0 +1,6 @@
+################################################################################
+#                                 AniNIX/Node0                                 #
+#                                                                              #
+#   This is the network virtualization platform. VMs can be found with this:   #
+# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status  #
+################################################################################

roles/ShadowArch/files/motd/Geth3

@@ -0,0 +1,6 @@
+################################################################################
+#                                 AniNIX/Node0                                 #
+#                                                                              #
+#   This is the network virtualization platform. VMs can be found with this:   #
+# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status  #
+################################################################################

roles/ShadowArch/files/motd/Geth4

@@ -0,0 +1,6 @@
+################################################################################
+#                                 AniNIX/Node0                                 #
+#                                                                              #
+#   This is the network virtualization platform. VMs can be found with this:   #
+# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status  #
+################################################################################

roles/ShadowArch/files/motd/Maker

@@ -0,0 +1,5 @@
+################################################################################
+#                                AniNIX/Nazara                                 #
+#                                                                              #
+# This is the network DNS/DHCP service, using Raspberry Pi pihole, and bastion #
+################################################################################

roles/ShadowArch/files/motd/Vergil1

@@ -1,3 +1 @@
-
 # AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #
-

roles/ShadowArch/files/motd/Vergil2

@@ -1,3 +1 @@
-
 # AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #
-

roles/ShadowArch/files/motd/Vergil3

@@ -1,3 +1 @@
-
 # AniNIX/Geth Hardware Platform (Raspberry Pi 3 Model B Plus Rev 1.3) #
-

roles/ShadowArch/tasks/archlinux-network.yml

@@ -16,21 +16,21 @@
 
   - name: Tap ArchLinux network config
     become: yes
-      #when: tap is defined and not static is defined
+    when: tap is defined
     template:
         src: netctl-tap.j2
         dest: "/etc/netctl/{{ ipinterface }}"
 
   - name: Bridge ArchLinux network config
     become: yes
-      #when: tap is defined and not static is defined
+    when: tap is defined
     template:
         src: netctl-bond.j2
         dest: "/etc/netctl/br0"
 
   - name: Tunnel ArchLinux network config
     become: yes
-      #when: tap is defined and not static is defined
+    when: tap is defined
     copy:
         src: netctl-tun
         dest: "/etc/netctl/tun0"

roles/ShadowArch/tasks/authentication.yml

@@ -0,0 +1,57 @@
+---
+  - name: Test root password
+    ignore_errors: yes
+    register: root_password_test
+    vars:
+      ansible_become_user: "{{ item }}"
+      ansible_become_method: su
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    command: id
+    loop:
+      - root
+      - "{{ ansible_user_id }}"
+
+  - name: Define passwords
+    ignore_errors: yes
+    vars:
+      ansible_become_user: "root"
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    when: root_password_test.rc is not defined or root_password_test.rc != 0
+    command:
+      cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
+    loop:
+      - root
+      - "{{ ansible_user_id }}"
+
+  - name: Ensure deploy user has sudo permissions.
+    vars:
+      ansible_become_method: su
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    copy:
+      dest: /etc/sudoers.d/basics
+      content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
+
+  - name: Ensure we include /etc/sudoers.d (Current)
+    vars:
+      ansible_become_method: su
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    when: ansible_architecture != "armv6l"
+    lineinfile:
+      path: /etc/sudoers
+      regexp: "includedir /etc/sudoers.d"
+      line: "@includedir /etc/sudoers.d"
+
+  - name: Ensure we include /etc/sudoers.d (Legacy)
+    vars:
+      ansible_become_method: su
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    when: ansible_architecture == "armv6l"
+    lineinfile:
+      path: /etc/sudoers
+      regexp: "includedir /etc/sudoers.d"
+      line: "#includedir /etc/sudoers.d"

roles/ShadowArch/tasks/main.yml

@@ -4,169 +4,7 @@
 
   # This is an AniNIX convention to allow password management by Ansible.
 
-  - name: Test root password
-    ignore_errors: yes
-    register: root_password_test
-    vars:
-      ansible_become_user: "{{ item }}"
-      ansible_become_method: su
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    command: id
-    loop:
-      - root
-      - "{{ ansible_user_id }}"
-
-  - name: Define passwords
-    ignore_errors: yes
-    vars:
-      ansible_become_user: "root"
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    when: root_password_test.rc is not defined or root_password_test.rc != 0
-    command:
-      cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
-    loop:
-      - root
-      - "{{ ansible_user_id }}"
-
-  - name: Ensure deploy user has sudo permissions.
-    vars:
-      ansible_become_method: su
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    copy:
-      dest: /etc/sudoers.d/basics
-      content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
-
-  - name: Ensure we include /etc/sudoers.d (Current)
-    vars:
-      ansible_become_method: su
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    when: ansible_architecture != "armv6l"
-    lineinfile:
-      path: /etc/sudoers
-      regexp: "includedir /etc/sudoers.d"
-      line: "@includedir /etc/sudoers.d"
-
-  - name: Ensure we include /etc/sudoers.d (Legacy)
-    vars:
-      ansible_become_method: su
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    when: ansible_architecture == "armv6l"
-    lineinfile:
-      path: /etc/sudoers
-      regexp: "includedir /etc/sudoers.d"
-      line: "#includedir /etc/sudoers.d"
-
-  - name: Set up pacman.conf
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-      ignorepkg: "{{ holdpackages | default('') }}"
-    become: yes
-    template:
-      src: pacman.conf.j2
-      dest: /etc/pacman.conf
-      owner: root
-      group: root
-      mode: 0644
-    when: ansible_os_family == "Archlinux"
-
-  - name: Set mirror
-    become: yes
-    when: ansible_os_family == "Archlinux"
-    copy:
-      content: |
-        Server = {{ mirroruri }}
-      dest: /etc/pacman.d/mirrorlist.shadowarch
-      owner: root
-      group: root
-      mode: 0644
-
-  - name: Import AniNIX GPG key
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    command: /bin/bash -c 'if [ ! -f /usr/share/pacman/keyrings/aninix.gpg ]; then mkdir /tmp/aninix; curl -s https://aninix.net/AniNIX/ShadowArch/raw/branch/main/EtcFiles/aninix.gpg > /tmp/aninix/pubring.gpg; pacman-key --import /tmp/aninix; pacman-key --lsign 904DE6275579CB589D85720C1CC1E3F4ED06F296; fi'
-    when: ansible_os_family == "Archlinux"
-
-  - name: Set up apt sources.list
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    copy:
-      content: |
-        deb http://archive.raspberrypi.org/debian/ bullseye main
-        # Uncomment line below then 'apt-get update' to enable 'apt-get source'
-        #deb-src http://archive.raspberrypi.org/debian/ bullseye main
-      dest: /etc/apt/sources.list.d/raspi.list
-      owner: root
-      group: root
-      mode: 0644
-    when: ansible_os_family == "Debian"
-
-  - name: Base packages
-    vars:
-      ansible_become_method: su
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    package:
-      name:
-        - bash
-        - sudo
-        - git
-        - tmux
-        - vim
-        - sysstat
-        - iotop
-        - lsof
-        - rsync
-        - xfsprogs
-        - man-db
-        - man-pages
-      state: present
-      update_cache: yes
-
-  - name: Install ShadowArch (ArchLinux)
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    pacman:
-      name: ShadowArch
-      state: present
-      update_cache: yes
-    when: ansible_os_family == "Archlinux"
-
-  - name: Set up AniNIX-specific repository location (Other)
-    when: ansible_os_family != "Archlinux"
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    file:
-      path: /opt/aninix
-      state: directory
-
-  - name: Download ShadowArch (Other)
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    ignore_errors: yes
-    git:
-      repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
-      dest: '/opt/aninix/ShadowArch'
-      update: yes
-    when: ansible_os_family != "Archlinux"
-
-  - name: Install ShadowArch (Other)
-    vars:
-      ansible_become_password: "{{ passwords[inventory_hostname] }}"
-    become: yes
-    command:
-      chdir: '/opt/aninix/ShadowArch'
-      cmd: '/bin/bash -c "make install"'
-    when: ansible_os_family != "Archlinux"
+  - include_tasks: authentication.yml
 
   - name: Set up hostname
     vars:
@@ -175,14 +13,18 @@
     hostname:
       name: "{{ inventory_hostname }}.{{ replica_domain }}"
 
-  - include: archlinux-network.yml
+  - include_tasks: archlinux-network.yml
     when: ansible_os_family == "Archlinux"
 
-  - include: raspbian-network.yml
+  - include_tasks: raspbian-network.yml
     when: ansible_os_family == "Debian"
 
-  - include: dns.yml
+  - include_tasks: dns.yml
 
-  - include: ntp.yml
+  - include_tasks: ntp.yml
 
-  - include: bash.yml
+  - include_tasks: repositories.yml
+
+  - include_tasks: bash.yml
+
+  - include_tasks: shadowarch.yml

roles/ShadowArch/tasks/repositories.yml

@@ -0,0 +1,67 @@
+---
+  - name: Set up pacman.conf
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+      ignorepkg: "{{ holdpackages | default('') }}"
+    become: yes
+    template:
+      src: pacman.conf.j2
+      dest: /etc/pacman.conf
+      owner: root
+      group: root
+      mode: 0644
+    when: ansible_os_family == "Archlinux"
+
+  - name: Set mirror
+    become: yes
+    when: ansible_os_family == "Archlinux"
+    copy:
+      content: |
+        Server = {{ mirroruri }}
+      dest: /etc/pacman.d/mirrorlist.shadowarch
+      owner: root
+      group: root
+      mode: 0644
+
+  - name: Import AniNIX GPG key
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    command: /bin/bash -c 'if [ ! -f /usr/share/pacman/keyrings/aninix.gpg ]; then mkdir /tmp/aninix; curl -s https://aninix.net/AniNIX/ShadowArch/raw/branch/main/EtcFiles/aninix.gpg > /tmp/aninix/pubring.gpg; pacman-key --import /tmp/aninix; pacman-key --lsign 904DE6275579CB589D85720C1CC1E3F4ED06F296; fi'
+    when: ansible_os_family == "Archlinux"
+
+  - name: Set up apt sources.list
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    copy:
+      content: |
+        deb http://archive.raspberrypi.org/debian/ bullseye main
+        # Uncomment line below then 'apt-get update' to enable 'apt-get source'
+        #deb-src http://archive.raspberrypi.org/debian/ bullseye main
+      dest: /etc/apt/sources.list.d/raspi.list
+      owner: root
+      group: root
+      mode: 0644
+    when: ansible_os_family == "Debian"
+
+  - name: Base packages
+    vars:
+      ansible_become_method: su
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    package:
+      name:
+        - bash
+        - sudo
+        - git
+        - tmux
+        - vim
+        - sysstat
+        - iotop
+        - lsof
+        - rsync
+        - xfsprogs
+        - man
+      state: present
+      update_cache: yes

roles/ShadowArch/tasks/shadowarch.yml

@@ -0,0 +1,39 @@
+---
+  - name: Install ShadowArch (ArchLinux)
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    pacman:
+      name: ShadowArch
+      state: present
+      update_cache: yes
+    when: ansible_os_family == "Archlinux"
+
+  - name: Set up AniNIX-specific repository location (Other)
+    when: ansible_os_family != "Archlinux"
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    file:
+      path: /opt/aninix
+      state: directory
+
+  - name: Download ShadowArch (Other)
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    ignore_errors: yes
+    git:
+      repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
+      dest: '/opt/aninix/ShadowArch'
+      update: yes
+    when: ansible_os_family != "Archlinux"
+
+  - name: Install ShadowArch (Other)
+    vars:
+      ansible_become_password: "{{ passwords[inventory_hostname] }}"
+    become: yes
+    command:
+      chdir: '/opt/aninix/ShadowArch'
+      cmd: '/bin/bash -c "make install"'
+    when: ansible_os_family != "Archlinux"

roles/ShadowArch/templates/netctl-bond.j2

@@ -2,4 +2,7 @@ Description="Bridge connection"
 Interface=br0
 Connection=bridge
 BindsToInterfaces=({{ ipinterface }} tun0)
-IP=dhcp
+IP=static
+Address=('{{ ip }}/24')
+Gateway='{{ router }}'
+DNS=('{{ dns }}')

roles/ShadowArch/templates/pacman.conf.j2

@@ -102,8 +102,8 @@ Include = /etc/pacman.d/mirrorlist.shadowarch
 
 [AniNIX]
 SigLevel = Required DatabaseOptional
-Server = https://maat.aninix.net/
+Server = http://maat.msn0.aninix.net/
 
 [aur]
 SigLevel = Required DatabaseOptional
-Server = https://maat.aninix.net/aur/
+Server = http://maat.msn0.aninix.net/aur/

roles/ShadowArch/templates/raspbian-static.j2

@@ -10,7 +10,7 @@ auto lo
 iface lo inet loopback
 
 iface {{ ipinterface }} inet static
-     address {{ ansible_host }}/{{ netmask }}
+     address {{ ip }}/{{ netmask }}
      gateway {{ router }}
 
 auto wlan0

roles/Sharingan/files/monit/hostdefs/Vergil3

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/WebServer/files/conf.d/Yggdrasil/aaa_default.conf

@@ -10,6 +10,7 @@ server {
     location / {
 
       rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
+      rewrite ^/hire(\/)*(\/index.html)*$ /assets/hire/index.html;
 
       proxy_set_header Host $http_host;
       proxy_set_header X-Forwarded-Host $host;
@@ -34,6 +35,15 @@ server {
         rewrite /martialarts/maqotw.xml /MartialArts/Wiki/raw/branch/main/rss/maqotw.xml;
     }
 
+    location /25u {
+        include conf.d/fastcgi.config;
+        root /usr/share/webapps/aninix/;
+        location ~* 25u {
+            try_files $uri /25u_subnetting.php;
+            expires max;
+        }
+    }
+
     location /whatismyip {
         include conf.d/fastcgi.config;
         root /usr/share/webapps/aninix/;
@@ -52,8 +62,6 @@ server {
         root /usr/share/webapps/aninix/;
         try_files $uri /scratch.html;
     }
-
-
 }
 
 server {

roles/WebServer/files/conf.d/Yggdrasil/superintendent.conf

@@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
 server {
     #listen      443 ssl http2;
     listen      443 ssl;
-    server_name geth.aninix.net;
+    server_name superintendent.aninix.net;
 
     include conf/sec.conf;
     # include conf/default.csp.conf;
@@ -19,7 +19,7 @@ server {
         proxy_set_header X-Forwarded-Host $host;
         proxy_set_header X-Forwarded-Server $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass       http://geth.msn0.aninix.net:8123;
+        proxy_pass       http://superintendent.msn0.aninix.net:8123;
         proxy_redirect http:// https://;
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;

roles/WebServer/tasks/main.yml

@@ -22,6 +22,7 @@
      mode: 0750
    loop:
      - /usr/share/webapps/aninix
+     - /var/lib/letsencrypt
      - /etc/nginx/conf
      - /etc/nginx/conf.d
      - /etc/modsecurity