diff --git a/precommit-hooks/find-bad-ipam b/precommit-hooks/find-bad-ipam index 4266625..ee34a8c 100755 --- a/precommit-hooks/find-bad-ipam +++ b/precommit-hooks/find-bad-ipam @@ -1,12 +1,12 @@ #!/usr/bin/bash # File: find-bad-ipam -# +# # Description: This file finds bad IPAM entries in an inventory. -# +# # Package: AniNIX/Ubiqtorate # Copyright: WTFPL -# +# # Author: DarkFeather file="examples/msn0.yml" @@ -14,7 +14,7 @@ file="examples/msn0.yml" function findBadTerm() { ### Check for a term to be duplicated. # param file: the file - # param term: the term to search for duplicates + # param term: the term to search for duplicates file="$1" term="$2" results="$(grep -i "$term:" "$file" | tr '[[:upper:]]' '[[:lower:]]' | sed 's/\s+'"$term"':\s*//' | sort | uniq -c | grep -vE '^\s+1\s+' )" @@ -26,7 +26,7 @@ function findBadTerm() { fi } -function Usage() { +function Usage() { ### Helptext # param retcode: what to return retcode="$1" diff --git a/precommit-hooks/find-mismatched-macs b/precommit-hooks/find-mismatched-macs new file mode 100755 index 0000000..094c5cb --- /dev/null +++ b/precommit-hooks/find-mismatched-macs @@ -0,0 +1,17 @@ +#!/bin/bash + + +export IFS=" +" +retcode=0 + +for macline in `grep -E '^\s+mac: ' examples/*.yml`; do + if [ "${macline}" != "${macline,,}" ]; then + mac="$( echo "${macline}" | awk '{ print $2; }')" + retcode=1 + echo "${mac} has mismatched case -- should be lower." + sed -i "s/${mac}/${mac,,}/g" examples/*.yml + echo "Attempted replacement." + fi +done +exit $retcode diff --git a/precommit-hooks/find-passwords-in-files b/precommit-hooks/find-passwords-in-files index e6bf696..a2e8dd2 100644 --- a/precommit-hooks/find-passwords-in-files +++ b/precommit-hooks/find-passwords-in-files 
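Review bot: In find-mismatched-macs the value interpolated into `sed -i "s/${mac}/${mac,,}/g" examples/*.yml` comes straight from the file content, so a `mac:` value containing `/`, `&` or other regex metacharacters breaks the expression or rewrites unrelated text in every file the glob matches; a guard before the sed such as `[[ "$mac" =~ ^[0-9A-Fa-f:]+$ ]] || { echo "unexpected mac value: ${mac}" >&2; continue; }` limits the in-place edit to well-formed addresses. When more than one file matches `examples/*.yml`, `grep -E` prefixes each line with the filename, so `awk '{ print $2; }'` yields `mac:` instead of the address and the replacement silently does nothing; `grep -hE '^\s+mac: ' examples/*.yml` drops the prefix. The backtick `for macline in` loop only works because of the `export IFS` above it; a `while IFS= read -r macline; do … done < <(grep -hE '^\s+mac: ' examples/*.yml)` loop needs no global IFS change, and the `export` is unnecessary since no child process reads IFS.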
@@ -28,3 +28,12 @@ if [ $? -ne 1 ]; then
 echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
 exit 1;
 fi
+IFS="
+"
+for i in `ansible-vault decrypt --output - ${ANSIBLE_VAULT_FILE} | sed 's/\s\?-\?\s\?[A-Za-z0-9_]\+://' | grep -vE '\||password|^\s\?$|#|https://' | sed "s/^ \+['\"]\?//" | sed "s/[\"']\s\?//" | sort | uniq`; do
+ grep -rl "${i}" . 2>/dev/null
+ if [ $? -ne 1 ]; then
+ echo "A secret starting with $(echo "$i" | cut -c 1-7) was found in the files above."
+ exit 1;
+ fi
+done
diff --git a/precommit-hooks/make-sure-hooks-synced b/precommit-hooks/make-sure-hooks-synced
new file mode 100644
index 0000000..f11f8fe
--- /dev/null
+++ b/precommit-hooks/make-sure-hooks-synced
@@ -0,0 +1,4 @@
+if [ `git ls-files -m | grep precommit-hooks/ | wc -l` != '0' ]; then
+ echo 'Hooks have changed and need to be added. Run `git add precommit-hooks`'
+ exit 1
+fi
diff --git a/precommit-hooks/playbook-lint-check b/precommit-hooks/playbook-lint-check
index 9e33da0..e69de29 100755
--- a/precommit-hooks/playbook-lint-check
+++ b/precommit-hooks/playbook-lint-check
@@ -1,7 +0,0 @@
-#!/bin/bash
-
-# pre-commit hook to use ansible-lint to check our playbooks.
-
-for file in `find ../playbooks/ -type f`; do
- ansible-lint "$file"
-done
diff --git a/roles/IRC/files/services/anope.service b/roles/IRC/files/services/anope.service
index 044cae1..022bbad 100644
--- a/roles/IRC/files/services/anope.service
+++ b/roles/IRC/files/services/anope.service
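Review bot: Each decrypted vault value is placed on the command line of `grep -rl "${i}" .`, where it is visible to other local users through the process table for the duration of the search and is interpreted as a basic regular expression, so any metacharacter in a secret changes what is matched; `printf '%s\n' "$i" | grep -rlF -f - . 2>/dev/null` matches the value literally and keeps it off argv. The `echo "A secret starting with $(echo "$i" | cut -c 1-7) …"` line then writes the first seven characters of the secret to stdout, which lands in terminal scrollback and any CI log; the file list grep has already printed is enough to locate the leak, so the message can drop the prefix. Discarding stderr while testing `[ $? -ne 1 ]` also treats grep's error status 2 (an unreadable path, a bad pattern) the same as a hit, which fails closed but hides the reason. The `if` closed by `fi` at the top of the hunk begins outside it.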
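Review bot: `git ls-files -m` in make-sure-hooks-synced lists only tracked files that are modified in the working tree, so a new hook dropped into `precommit-hooks/` and never added passes the check unnoticed (this very commit introduces two such files); `if [ -n "$(git ls-files -m -o --exclude-standard -- precommit-hooks/)" ]; then` also catches untracked hooks and replaces the `grep | wc -l` pair. The file has no shebang and is committed as mode 100644, so it is presumably sourced or run as `bash path` by something outside this diff; a one-line header comment saying how it is invoked would spare the next reader that guess.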
@@ -6,10 +6,10 @@ After=network.target [Service] Type=simple PIDFile=/run/anope/anope.pid -ExecStart=/opt/anope/bin/services --confdir=/etc/anope/ --dbdir=/opt/anope/data --localedir=/opt/anope/locale --logdir=/var/log/anope --modulesdir=/opt/anope/lib --nofork +ExecStart=/usr/bin/services --confdir=/etc/anope/ --dbdir=/opt/anope/data --logdir=/var/log/anope --localedir=/usr/lib/anope/locale --modulesdir=/usr/lib/anope --nofork ExecReload=/bin/kill -1 $MAINPID Restart=always -User=ircd +User=anope Group=ircd [Install] diff --git a/roles/IRC/files/services/inspircd.service b/roles/IRC/files/services/inspircd.service index dd4c2ea..c96b360 100644 --- a/roles/IRC/files/services/inspircd.service +++ b/roles/IRC/files/services/inspircd.service @@ -5,12 +5,12 @@ After=network.target [Service] Type=forking -PIDFile=/var/lib/inspircd/inspircd.pid -ExecStart=/usr/bin/inspircd +PIDFile=/var/lib//inspircd.pid +ExecStart=/usr/bin/ ExecReload=kill -HUP $MAINPID ExecStop=kill $MAINPID Restart=always -User=ircd +User=inspircd Group=ircd [Install] diff --git a/roles/IRC/tasks/daemon.yml b/roles/IRC/tasks/daemon.yml index 48c0016..d906032 100644 --- a/roles/IRC/tasks/daemon.yml +++ b/roles/IRC/tasks/daemon.yml @@ -5,12 +5,13 @@ file: state: directory path: "{{ item }}" - owner: ircd + owner: inspircd group: ircd mode: 0750 loop: - "/var/log/inspircd" - "/etc/inspircd" + - "/etc/inspircd/data/" - name: Generate dhparam become: yes 
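Review bot: anope.service now runs as `User=anope` but `PIDFile=/run/anope/anope.pid` is unchanged, and nothing in this hunk creates `/run/anope` with ownership the new user can write to (the directory loop in services.yml is not visible here and `/run` is recreated on every boot); `RuntimeDirectory=anope` in `[Service]` makes systemd create it with the right owner at each start. With `Type=simple` and `--nofork` the daemon does not detach, so the `PIDFile=` line is generally not needed for systemd to track the main process and could be dropped once the directory question is settled.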
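Review bot: In inspircd.service the new `ExecStart=/usr/bin/` names a directory rather than a binary and `PIDFile=/var/lib//inspircd.pid` has an empty path component exactly where `inspircd` used to be, so as written the unit cannot start; this looks like a substitution that stripped the daemon name from both lines, and the intended lines are presumably `ExecStart=/usr/bin/inspircd` and `PIDFile=/var/lib/inspircd/inspircd.pid` (confirm against the repository in case the page rendering dropped the text). The unchanged `ExecReload=kill -HUP $MAINPID` and `ExecStop=kill $MAINPID` also use a bare `kill`, which older systemd rejects; `/bin/kill` as anope.service already uses keeps the two units consistent.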
@@ -23,40 +24,24 @@ file: state: file path: /etc/inspircd/dhparams.pem - owner: ircd + owner: inspircd group: ircd mode: 0640 - - name: Add ircd user to ssl + - name: Add inspircd user to ssl become: yes user: - name: ircd - groups: ssl + name: inspircd + groups: ssl,ircd append: yes - - name: Copy service file - become: yes - register: servicesfile - copy: - src: services/inspircd.service - dest: /usr/lib/systemd/system/inspircd.service - owner: root - group: root - mode: 0644 - - - name: Reload services - when: servicesfile.changed - become: yes - systemd: - daemon_reload: true - - name: Copy config and fill in attributes register: templatefiles become: yes template: src: "inspircd/{{ item }}.j2" dest: "/etc/inspircd/{{ item }}" - owner: ircd + owner: inspircd group: ircd mode: 0600 loop: @@ -67,20 +52,11 @@ - rules.txt - motd.txt - - name: Tracking directory - become: yes - file: - dest: "/etc/inspircd/data/" - owner: ircd - group: ircd - mode: 0750 - state: directory - - name: Ensure tracking files become: yes file: dest: "/etc/inspircd/{{ item }}" - owner: ircd + owner: inspircd group: ircd mode: 0600 loop: @@ -96,7 +72,7 @@ - name: Reload on config change become: yes - when: templatefiles.changed or servicesfile.changed + when: templatefiles.changed service: name: inspircd state: reloaded diff --git a/roles/IRC/tasks/services.yml b/roles/IRC/tasks/services.yml index c51772f..640b853 100644 --- a/roles/IRC/tasks/services.yml +++ b/roles/IRC/tasks/services.yml @@ -1,11 +1,18 @@ --- + - name: Add anope user to ircd + become: yes + user: + name: anope + groups: ircd + append: yes + - name: Ensure directory permissions become: yes file: state: directory path: "{{ item }}" - owner: ircd + owner: anope group: ircd mode: 0700 loop: @@ -20,7 +27,7 @@ template: src: "anope/{{ item }}.j2" dest: "/etc/anope/{{ item }}" - owner: ircd + owner: anope group: ircd mode: 0600 loop: 
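Review bot: The `Copy service file` task that installed `services/inspircd.service` into `/usr/lib/systemd/system` and the `daemon_reload` that followed are removed here, yet the same commit still edits `roles/IRC/files/services/inspircd.service` (`User=inspircd`); unless another task now installs that unit (none is visible in this diff), the edited file never reaches the host and the `when: templatefiles.changed` reload at the end of the file acts on whichever unit was installed earlier as `ircd`. If the unit is now shipped by the package, deleting the copy under `roles/IRC/files/services/` in the same change avoids the two drifting apart. The `Add inspircd user to ssl` task, like `Add anope user to ircd` in the services.yml hunk, creates the account when the package has not, and with the `user` module defaults that is a regular user with a home directory and login shell; `system: yes`, `create_home: no` and `shell: /usr/sbin/nologin` (or the distribution's equivalent) keep both service accounts non-interactive.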
diff --git a/roles/IRC/templates/anope/modules.conf.j2 b/roles/IRC/templates/anope/modules.conf.j2 index d457600..cd362ce 100644 --- a/roles/IRC/templates/anope/modules.conf.j2 +++ b/roles/IRC/templates/anope/modules.conf.j2 @@ -36,7 +36,7 @@ module * Admin credentials used for performing searches and adding users. */ admin_binddn = "uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}" - admin_password = "{{ secrets['Sora']['bindpassword'] }}" + admin_password = "{{ secrets['Password']['bindpassword'] }}" } } @@ -91,7 +91,7 @@ module * * If not set, then registration is not blocked. */ - #disable_register_reason = "To register on this network, contact a netadmin in #lobby. They will need to add an AniNIX/Sora LDAP account for you." + #disable_register_reason = "To register on this network, contact a netadmin in #lobby. They will need to add an AniNIX/Password LDAP account for you." /* * If set, the reason to give the users who try to "/msg NickServ SET EMAIL". diff --git a/roles/IRC/templates/anope/services.conf.j2 b/roles/IRC/templates/anope/services.conf.j2 index 7584968..2e5e6a6 100644 --- a/roles/IRC/templates/anope/services.conf.j2 +++ b/roles/IRC/templates/anope/services.conf.j2 @@ -135,7 +135,7 @@ uplink * * NOTE: On some shell providers, this will not be an option. */ - host = "10.0.1.3" + host = "127.0.0.1" /* * Enable if Services should connect using IPv6. @@ -221,19 +221,10 @@ serverinfo * * This directive tells Anope which IRCd Protocol to speak when connecting. * You MUST modify this to match the IRCd you run. - * - * Supported: - * - bahamut - * - inspircd11 - * - inspircd12 - * - inspircd20 - * - plexus - * - ratbox - * - unreal */ module { - name = "inspircd20" + name = "inspircd3" /* * Some protocol modules can enforce mode locks server-side. This reduces the spam caused by diff --git a/roles/IRC/templates/inspircd/inspircd.conf.j2 b/roles/IRC/templates/inspircd/inspircd.conf.j2 index 08736fc..a169626 100644 
--- a/roles/IRC/templates/inspircd/inspircd.conf.j2 +++ b/roles/IRC/templates/inspircd/inspircd.conf.j2 @@ -1,5 +1,4 @@ # Includes - @@ -54,6 +53,7 @@ limit="500" localmax="500" maxconnwarn="on" + maxchans="20" modes="+wx" pingfreq="120" port="6697" @@ -119,7 +119,7 @@ defaultmodes="not" - moronbanner="You're banned! Contact {{ organization['email'] }} with the ERROR line below for help." + xlinemessage="You're banned! Contact {{ organization['email'] }} with the ERROR line below for help." exemptchanops="nonick:v flood:o" invitebypassmodes="yes" nosnoticestack="no" @@ -134,7 +134,7 @@ hidemodes="eI" hideulines="no" flatlinks="no" - hidewhois="" + hideserver="" hidebans="no" hidekills="" hidesplits="yes" @@ -152,9 +152,8 @@ maxquit="255" maxtopic="307" maxkick="255" - maxgecos="128" + maxreal="128" maxaway="200"> - diff --git a/roles/IRC/templates/inspircd/modules.conf.j2 b/roles/IRC/templates/inspircd/modules.conf.j2 index b064dc6..945c0c5 100644 --- a/roles/IRC/templates/inspircd/modules.conf.j2 +++ b/roles/IRC/templates/inspircd/modules.conf.j2 @@ -54,8 +54,8 @@ #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Block CAPS module: Adds channel mode +B, blocks all-CAPS messages. - - + @@ -402,15 +402,15 @@ # integration with services packages. -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# -# Userip module: Adds the /USERIP command. -# Allows users to query their own IP, also allows opers to query the IP -# of anyone else. - - #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Spanning tree module: Allows linking of servers using the spanning # tree protocol (see the READ THIS BIT section above). # You will almost always want to load this. # + +#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# +# CBAN module: This module adds the /CBAN command which allows server +# operators to prevent channels matching a glob from being created. + + 
diff --git a/roles/IRC/templates/inspircd/motd.txt.j2 b/roles/IRC/templates/inspircd/motd.txt.j2 index 211243a..eb85478 100644 --- a/roles/IRC/templates/inspircd/motd.txt.j2 +++ b/roles/IRC/templates/inspircd/motd.txt.j2 @@ -31,7 +31,7 @@ You should check which channels you want to join. Type the following to get a list: /list -You will need to request an AniNIX/Sora LDAP +You will need to request an AniNIX/Password LDAP account from an op or founder in #lobby to be able to log in. If you already have an account, use the following to authenticate: diff --git a/roles/IRC/templates/inspircd/opers.conf.j2 b/roles/IRC/templates/inspircd/opers.conf.j2 index 31457df..b4884dd 100644 --- a/roles/IRC/templates/inspircd/opers.conf.j2 +++ b/roles/IRC/templates/inspircd/opers.conf.j2 @@ -8,5 +8,5 @@ # Operators are tracked in the vault. {% for oper in secrets['IRC']['opers'] %} - + {% endfor %}