Catching up with current successes

2022-01-25 23:54:43 -06:00
parent 94a4736839
commit 921d53c724
70 changed files with 2912 additions and 355 deletions


@@ -0,0 +1 @@
This role expands on the [AniNIX/ShadowArch](/AniNIX/ShadowArch) project for customizing ArchLinux to fit our needs. This role is intended to populate those settings driven from inventory data that can't be easily included in the package.


@@ -0,0 +1,16 @@
#!/bin/bash
# File: find-mirrors
#
# Description: This file generates a pacman mirrorlist to ensure hosts use the right mirrors for performance.
#
# Package: AniNIX::Foundation/HelloWorld
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
country="United States"
curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist
rankmirrors -n 6 /tmp/mirrorlist > files/mirrorlist
rm /tmp/mirrorlist
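Review bot: The pipeline on the curl line has no failure handling: `curl -s` without `-f` feeds an HTTP error body into the pipe, and an empty or truncated result still reaches rankmirrors and overwrites files/mirrorlist with an empty list that every Arch host then receives. The fixed `/tmp/mirrorlist` path on the shared control host is better replaced by mktemp, which also removes the need for the trailing rm. The sed enables every entry including the plain-http ones (the generated list in the next section is all http); pacman's SigLevel still protects package integrity, but with DatabaseOptional an on-path attacker on http can serve stale databases and withhold updates, so consider keeping only https servers, e.g. `| grep '^Server = https://'` before rankmirrors. The header names the file find-mirrors while main.yml invokes `../bin/generate-mirrorlist`; worth confirming the two refer to the same script.
```shell
# … unchanged: header comments …
set -eu
country="United States"
tmp="$(mktemp)"
trap 'rm -f "$tmp"' EXIT
curl -sSf https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist \
  | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' \
  | sed 's/^#Server/Server/' > "$tmp"
# rankmirrors on an empty list would silently replace the committed mirrorlist
[ -s "$tmp" ] || { echo "find-mirrors: no mirrors found for $country" >&2; exit 1; }
rankmirrors -n 6 "$tmp" > files/mirrorlist
```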


@@ -0,0 +1,7 @@
# Server list generated by rankmirrors on 2022-01-25
Server = http://mirrors.kernel.org/archlinux/$repo/os/$arch
Server = http://arch.hu.fo/archlinux/$repo/os/$arch
Server = http://il.us.mirror.archlinux-br.org/$repo/os/$arch
Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch
Server = http://mirror.pit.teraswitch.com/archlinux/$repo/os/$arch
Server = http://mirrors.gigenet.com/archlinux/$repo/os/$arch


@@ -0,0 +1,5 @@
################################################################################
# Welcome to the AniNIX #
# #
# This is the network core VM. Let us know if services are gone or down. #
################################################################################


@@ -0,0 +1,5 @@
################################################################################
# AniNIX/DarkNet #
# #
# This is the network anonymization platform. Make sure VPN and TOR are up. #
################################################################################


@@ -0,0 +1,3 @@
# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #


@@ -0,0 +1,3 @@
# AniNIX/Geth Hardware Platform (Raspbian Rpi 1 B+) #


@@ -0,0 +1,3 @@
# AniNIX/Geth Hardware Platform (Raspberry Pi 3 Model B Plus Rev 1.3) #


@@ -0,0 +1,5 @@
################################################################################
# AniNIX/Maat #
# #
# This is the network CI/CD platform. Check `systemctl status maat-builder` #
################################################################################


@@ -0,0 +1,5 @@
################################################################################
# AniNIX/Nazara #
# #
# This is the network DNS/DHCP service, using Raspberry Pi pihole, and bastion #
################################################################################


@@ -0,0 +1,6 @@
################################################################################
# AniNIX/Node0 #
# #
# This is the network virtualization platform. VMs can be found with this: #
# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status #
################################################################################


@@ -0,0 +1,5 @@
################################################################################
# AniNIX/Sharingan #
# #
# This is the network monitoring platform. It will send alarms to #sharingan #
################################################################################


@@ -0,0 +1,109 @@
#
# /etc/pacman.conf
#
# See the pacman.conf(5) manpage for option and repository directives
#
# GENERAL OPTIONS
#
[options]
# The following paths are commented out with their default values listed.
# If you wish to use different paths, uncomment and update the paths.
#RootDir = /
#DBPath = /var/lib/pacman/
#CacheDir = /var/cache/pacman/pkg/
#LogFile = /var/log/pacman.log
#GPGDir = /etc/pacman.d/gnupg/
#HookDir = /etc/pacman.d/hooks/
#HoldPkg = pacman glibc
#XferCommand = /usr/bin/curl -C - -f %u > %o
#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u
CleanMethod = KeepCurrent
#UseDelta = 0.7
Architecture = auto
# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
# IgnorePkg = postgresql postgresql-libs
# IgnoreGroup =
#NoUpgrade =
#NoExtract =
# Misc options
#UseSyslog
Color
ILoveCandy
#TotalDownload
CheckSpace
#VerbosePkgLists
# By default, pacman accepts packages signed by keys that its local keyring
# trusts (see pacman-key and its man page), as well as unsigned packages.
SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
#RemoteFileSigLevel = Required
# NOTE: You must run `pacman-key --init` before first using pacman; the local
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
#
# REPOSITORIES
# - can be defined here or included from another file
# - pacman will search repositories in the order defined here
# - local/custom mirrors can be added here or in separate files
# - repositories listed first will take precedence when packages
# have identical names, regardless of version number
# - URLs will have $repo replaced by the name of the current repo
# - URLs will have $arch replaced by the name of the architecture
#
# Repository entries are of the format:
# [repo-name]
# Server = ServerName
# Include = IncludePath
#
# The header [repo-name] is crucial - it must be present and
# uncommented to enable the repo.
#
# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.
#[testing]
#Include = /etc/pacman.d/mirrorlist
[core]
Include = /etc/pacman.d/mirrorlist.shadowarch
[extra]
Include = /etc/pacman.d/mirrorlist.shadowarch
#[community-testing]
#Include = /etc/pacman.d/mirrorlist
[community]
Include = /etc/pacman.d/mirrorlist.shadowarch
# If you want to run 32 bit applications on your x86_64 system,
# enable the multilib repositories as required here.
#[multilib-testing]
#Include = /etc/pacman.d/mirrorlist
[multilib]
Include = /etc/pacman.d/mirrorlist.shadowarch
# An example of a custom package repository. See the pacman manpage for
# tips on creating your own repositories.
#[custom]
#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
[AniNIX]
SigLevel = Required DatabaseOptional
Server = https://maat.aninix.net/
[aur]
SigLevel = Required DatabaseOptional
Server = https://maat.aninix.net/aur/
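Review bot: The upstream comment kept above `SigLevel` ("accepts packages signed by keys that its local keyring trusts ... as well as unsigned packages") describes the default, but the `SigLevel = Required DatabaseOptional` right under it rejects unsigned packages, so the comment now contradicts the effective policy; replace it with `# Packages must be signed by a trusted key; repository databases may be unsigned.` The `[AniNIX]` and `[aur]` repositories are served from a host under the project's control, so if their databases are produced with `repo-add --sign`, those two sections can use `SigLevel = Required DatabaseRequired` and close the unsigned-database gap that remains for the official mirrors. Whether maat signs its databases is not visible in this commit.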


@@ -0,0 +1,17 @@
# interfaces(5) file used by ifup(8) and ifdown(8)
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
iface eth0 inet manual
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant.conf
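Review bot: The two header comments carried over from the Raspbian default ("written to be used with dhcpcd", "For static IP, consult /etc/dhcpcd.conf") no longer describe this file: wlan0 is configured with ifupdown's `inet dhcp` and the static variant is a separate template in this commit, so the lines should be dropped or reworded to `# Static addressing is handled by the raspbian-static.j2 template`. `iface eth0 inet manual` with no `auto eth0` means a wired-only Pi gets no address from this file; worth confirming that is intended rather than an oversight.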


@@ -0,0 +1,3 @@
# interfaces(5) file used by ifup(8) and ifdown(8)
# Include files from /etc/network/interfaces.d:
source /etc/network/interfaces.d/*


@@ -0,0 +1,26 @@
---
- name: ArchLinux network packages
become: yes
package:
name:
- netctl
state: present
- name: Static ArchLinux network config
become: yes
when: static
template:
src: netctl-static.j2
dest: "/etc/netctl/{{ ipinterface }}"
- name: Dynamic ArchLinux network config
become: yes
when: static
template:
src: netctl-dhcp.j2
dest: "/etc/netctl/{{ ipinterface }}"
- name: Enable network config
become: yes
command: "netctl enable {{ ipinterface }}"
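Review bot: 'Dynamic ArchLinux network config' is gated on `when: static`, the same condition as the static task above it, so a static host has its profile overwritten by the DHCP template and a DHCP host gets no profile at all; it should read `when: not static`, matching the Raspbian counterpart in raspbian-network.yml. 'Enable network config' runs `netctl enable` on every play, so the task reports changed each run; a `creates:` guard on the unit netctl generates, or a `changed_when`, would make it idempotent. `{{ ipinterface }}` is word-split by the command module, so the `argv:` list form is the safer spelling if inventory values can ever contain whitespace.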


@@ -0,0 +1,29 @@
---
- name: Install DNS packages
become: yes
ignore_errors: yes
package:
name:
- bind
- net-tools
- iputils
state: present
- name: Set up /etc/resolv.conf
become: yes
copy:
dest: /etc/resolv.conf
content: "domain {{ replica_domain }}\nnameserver {{ dns }}\n"
owner: root
group: root
mode: 0644
- name: Set up /etc/hosts
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
lineinfile:
dest: /etc/hosts
regexp: '^127.0.0.1[ \t]+localhost'
line: "127.0.0.1 localhost localhost.localdomain {{ inventory_hostname }} {{ inventory_hostname }}.{{ replica_domain }}"
state: present
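Review bot: `ignore_errors: yes` on 'Install DNS packages' hides a failed install of bind/net-tools/iputils and lets the play continue without the tools the later tasks assume exist; if the intent is tolerating a package name that differs per distribution, choose the names by `ansible_os_family` and drop `ignore_errors`. 'Set up /etc/hosts' maps the host's FQDN to 127.0.0.1, which makes services that bind to their resolved hostname listen on loopback only — worth confirming that is intended for every host in inventory. The regexp `'^127.0.0.1[ \t]+localhost'` leaves the dots unescaped; `'^127\.0\.0\.1[ \t]+localhost'` is the precise form.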


@@ -0,0 +1,190 @@
---
###
# This role installs the basic package and host setup for AniNIX operations.
# This is an AniNIX convention to allow password management by Ansible.
- name: Base packages
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
package:
name:
- bash
- sudo
- git
- tmux
- vim
- sysstat
- iotop
- lsof
- rsync
state: present
update_cache: yes
- name: Ensure deploy user has sudo permissions.
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
copy:
dest: /etc/sudoers.d/basics
content: "{{ ansible_user_id }} ALL=(ALL) NOPASSWD: ALL\n"
- name: Ensure we include /etc/sudoers.d (Current)
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
when: ansible_architecture != "armv6l"
lineinfile:
path: /etc/sudoers
regexp: "includedir /etc/sudoers.d"
line: "@includedir /etc/sudoers.d"
- name: Ensure we include /etc/sudoers.d (Legacy)
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
when: ansible_architecture == "armv6l"
lineinfile:
path: /etc/sudoers
regexp: "includedir /etc/sudoers.d"
line: "#includedir /etc/sudoers.d"
- name: Test root password
ignore_errors: yes
register: root_password_test
vars:
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
command: id
- name: Define passwords
vars:
ansible_become_user: "root"
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
when: root_password_test.rc is not defined or root_password_test.rc != 0
command:
cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
loop:
- root
- "{{ ansible_user_id }}"
- name: Set up pacman.conf
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
copy:
src: pacman.conf
dest: /etc/pacman.conf
owner: root
group: root
mode: 0644
when: ansible_os_family == "Archlinux"
- name: Generate mirrorlist
delegate_to: localhost
run_once: yes
command: "bash ../bin/generate-mirrorlist"
- name: Copy mirrorlist
become: yes
when: ansible_os_family == "Archlinux"
copy:
src: mirrorlist
dest: /etc/pacman.d/mirrorlist.shadowarch
owner: root
group: root
mode: 0644
- name: Set up apt sources.list
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
copy:
content: |
deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
# deb-src http://archive.raspbian.org/raspbian/ stretch main contrib non-free rpi
dest: /etc/apt/sources.list
owner: root
group: root
mode: 0644
when: ansible_os_family == "Debian"
- name: Install ShadowArch (ArchLinux)
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
pacman:
name: ShadowArch
state: present
update_cache: yes
when: ansible_os_family == "Archlinux"
- name: Set up AniNIX-specific repository location (Other)
when: ansible_os_family != "Archlinux"
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
file:
path: /opt/aninix
state: directory
- name: Download ShadowArch (Other)
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
ignore_errors: yes
git:
repo: 'https://foundation.aninix.net/AniNIX/ShadowArch'
dest: '/opt/aninix/ShadowArch'
update: yes
when: ansible_os_family != "Archlinux"
- name: Install ShadowArch (Other)
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
command:
chdir: '/opt/aninix/ShadowArch'
cmd: '/bin/bash -c "make install; /usr/local/sbin/shadowarch-sync"'
when: ansible_os_family != "Archlinux"
- name: Set up hostname
vars:
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
hostname:
name: "{{ inventory_hostname }}.{{ replica_domain }}"
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- include: archlinux-network.yml
when: ansible_os_family == "Archlinux"
- include: raspbian-network.yml
when: ansible_os_family == "Debian"
- include: dns.yml
- include: ntp.yml
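Review bot: 'Define passwords' passes `{{ passwords[inventory_hostname] }}` on the command line of bash, so the plaintext password is visible in the process list on the target and is echoed into Ansible's task output and logs; at minimum add `no_log: true` to that task, and preferably replace the printf|passwd pipeline with the user module (`password: "{{ passwords[inventory_hostname] | password_hash('sha512') }}"`), which never puts the plaintext in argv. 'Ensure deploy user has sudo permissions.' writes a NOPASSWD rule to /etc/sudoers.d/basics with the copy module's default mode and no syntax check; add `mode: 0440` and `validate: 'visudo -cf %s'` so a malformed file cannot break sudo. 'Download ShadowArch (Other)' clones whatever HEAD is at play time and 'Install ShadowArch (Other)' then runs `make install` as root; pinning a `version:` (tag or commit) under `git:` makes that step reproducible and reviewable. The `- include:` directives at the end are the deprecated form; `import_tasks:` (or `include_tasks:` with the `when:`) is the current spelling.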


@@ -0,0 +1,40 @@
---
- name: Set up time zone
become: yes
register: localtime
file:
src: "/usr/share/zoneinfo/{{ time_zone }}"
dest: /etc/localtime
state: link
- name: Remove legacy NTP services
become: yes
ignore_errors: yes
service:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- ntpd
- openntpd
- name: Remove legacy NTP packages
become: yes
package:
name:
- ntp
- openntpd
state: absent
- name: Install NTP packages
become: yes
package:
name: chrony
state: present
- name: Start NTP service
become: yes
service:
name: chronyd
state: started
enabled: yes
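Review bot: 'Set up time zone' creates /etc/localtime as a symlink without `force: yes`, so on an image that ships /etc/localtime as a regular file the task fails instead of replacing it; add `force: yes` under `file:` if such images are in scope (not visible here). The `register: localtime` result is not referenced anywhere in this file, so either drop it or use it to condition a chrony restart after the zone changes.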


@@ -0,0 +1,43 @@
---
- name: Rasbian network packages
become: yes
package:
name:
- netbase
state: present
- name: Rasbian network config
become: yes
when: not static
copy:
src: raspbian-interfaces
dest: "/etc/network/interfaces"
owner: root
group: root
mode: 0644
- name: Rasbian network config (static)
become: yes
when: static
template:
src: raspbian-static.j2
dest: "/etc/network/interfaces"
owner: root
group: root
mode: 0644
- name: Raspbian wireless
become: yes
command:
cmd: /bin/bash -c "wpa_passphrase {{ wireless_ssid }} '{{ passwords['Shadowfeed'] }}' > /etc/wpa_supplicant.conf"
creates: '/etc/wpa_supplicant.conf'
- name: Raspbian wireless hardening
become: yes
file:
path: '/etc/wpa_supplicant.conf'
state: file
owner: root
group: root
mode: 0600
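Review bot: 'Raspbian wireless' puts the Wi-Fi passphrase from `passwords['Shadowfeed']` on the command line of bash, so it is visible in the process list and in the task's logged output; add `no_log: true` to that task. wpa_passphrase also writes the plaintext passphrase into the output as a `#psk="..."` comment line, so pipe through `grep -v '#psk='` before the redirect, and start the bash -c string with `umask 077;` so the file is never world-readable in the window before 'Raspbian wireless hardening' runs. With `creates:` the file is never regenerated when the SSID or passphrase changes; a single template task with `mode: 0600` and `no_log: true` writing `psk="{{ passwords['Shadowfeed'] }}"` would cover both tasks, at the cost of storing the plaintext rather than the derived key.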


@@ -0,0 +1,4 @@
Description='DHCP wired connection'
Interface={{ ipinterface }}
Connection=ethernet
IP=dhcp


@@ -0,0 +1,7 @@
Description='A basic static ethernet connection'
Interface={{ ipinterface }}
Connection=ethernet
IP=static
Address=('{{ ip }}/24')
Gateway='{{ router }}'
DNS=('{{ dns }}')
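Review bot: `Address=('{{ ip }}/24')` hard-codes a /24 prefix while the Raspbian static template derives it from `{{ netmask }}`, so an Arch host on any other subnet is configured with the wrong prefix; use `Address=('{{ ip }}/{{ netmask }}')`, assuming netmask is stored as a prefix length in inventory (not visible here). The two templates also name the address differently (`ip` here, `ansible_host` in raspbian-static.j2); settling on one variable keeps them from drifting apart.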


@@ -0,0 +1,20 @@
# interfaces(5) file used by ifup(8) and ifdown(8)
# Please note that this file is written to be used with dhcpcd
# For static IP, consult /etc/dhcpcd.conf and 'man dhcpcd.conf'
# Include files from /etc/network/interfaces.d:
source-directory /etc/network/interfaces.d
auto lo
iface lo inet loopback
iface {{ ipinterface }} inet static
address {{ ansible_host }}/{{ netmask }}
gateway {{ router }}
auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant.conf