From 9aa0a89b7939293c8c3d8d55d6c1c994d3bc252d Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Mon, 1 Apr 2024 00:52:29 -0500
Subject: [PATCH] Seeding Aether

---
 roles/Aether/README.md | 7 +
 .../Yggdrasil/gitea.backup.script | 3 +
 .../Yggdrasil/grimoire.backup.script | 3 +
 .../Yggdrasil/irc.backup.script | 3 +
 .../Yggdrasil/wiki.backup.script | 9 ++
 .../Yggdrasil/yggdrasil.backup.script | 3 +
 roles/Aether/files/yggdrasil-check.conf | 146 ++++++++++++++++++
 roles/Aether/tasks/client.yml | 27 ++++
 roles/Aether/tasks/main.yml | 64 ++++++++
 roles/Aether/tasks/source.yml | 42 +++++
 10 files changed, 307 insertions(+)
 create mode 100644 roles/Aether/README.md
 create mode 100644 roles/Aether/files/backup-entries/Yggdrasil/gitea.backup.script
 create mode 100644 roles/Aether/files/backup-entries/Yggdrasil/grimoire.backup.script
 create mode 100644 roles/Aether/files/backup-entries/Yggdrasil/irc.backup.script
 create mode 100644 roles/Aether/files/backup-entries/Yggdrasil/wiki.backup.script
 create mode 100644 roles/Aether/files/backup-entries/Yggdrasil/yggdrasil.backup.script
 create mode 100644 roles/Aether/files/yggdrasil-check.conf
 create mode 100644 roles/Aether/tasks/client.yml
 create mode 100644 roles/Aether/tasks/main.yml
 create mode 100644 roles/Aether/tasks/source.yml

diff --git a/roles/Aether/README.md b/roles/Aether/README.md
new file mode 100644
index 0000000..6ea88ac
--- /dev/null
+++ b/roles/Aether/README.md
@@ -0,0 +1,7 @@
+See [AniNIX/Aether](/AniNIX/Aether) for complete details of the tool.
+
+Role requirements:
+ * `secrets['Aether']` in Vault
+ * A YAML list of nodes under the key `Aether_nodes` in Vault
+ * A host called 'Core' to act as the source
+ * 22/tcp/sftp access through firewalls to the Core host from any clients
diff --git a/roles/Aether/files/backup-entries/Yggdrasil/gitea.backup.script b/roles/Aether/files/backup-entries/Yggdrasil/gitea.backup.script
new file mode 100644
index 0000000..f0b14fa
--- /dev/null
+++ b/roles/Aether/files/backup-entries/Yggdrasil/gitea.backup.script
@@ -0,0 +1,3 @@
+#!/bin/bash
+### Gitea ###
+tar cvzf "$BACKUPDIR"/gitea.tgz /var/lib/gitea/data
diff --git a/roles/Aether/files/backup-entries/Yggdrasil/grimoire.backup.script b/roles/Aether/files/backup-entries/Yggdrasil/grimoire.backup.script
new file mode 100644
index 0000000..9cd98d5
--- /dev/null
+++ b/roles/Aether/files/backup-entries/Yggdrasil/grimoire.backup.script
@@ -0,0 +1,3 @@
+#!/bin/bash
+### Grimoire ###
+sudo -u postgres pg_dumpall > "$BACKUPDIR"/grimoire.sql
diff --git a/roles/Aether/files/backup-entries/Yggdrasil/irc.backup.script b/roles/Aether/files/backup-entries/Yggdrasil/irc.backup.script
new file mode 100644
index 0000000..9604f66
--- /dev/null
+++ b/roles/Aether/files/backup-entries/Yggdrasil/irc.backup.script
@@ -0,0 +1,3 @@
+#!/bin/bash
+### IRC Services ###
+cp /opt/anope/data/anope.db "$BACKUPDIR"
diff --git a/roles/Aether/files/backup-entries/Yggdrasil/wiki.backup.script b/roles/Aether/files/backup-entries/Yggdrasil/wiki.backup.script
new file mode 100644
index 0000000..1a5a7dd
--- /dev/null
+++ b/roles/Aether/files/backup-entries/Yggdrasil/wiki.backup.script
@@ -0,0 +1,9 @@
+#!/bin/bash
+### Wiki ###
+mkdir "$BACKUPDIR"/wiki/
+for i in `find /usr/share/webapps/ -maxdepth 1 -type d | grep mediawiki`; do
+ foldername="$(echo "$i" | rev | cut -f 1 -d '/' | rev)"
+ dbname="$(grep '^\$wgDBname' "$i"/LocalSettings.php | cut -f 2 -d \")"
+ $BACKUPCMD "${i}"/LocalSettings.php "$BACKUPDIR"/wiki/"$foldername"-localsettings.php
+ sudo -u postgres pg_dump "$dbname" > "$BACKUPDIR"/wiki/"$dbname".psql
+done
diff --git a/roles/Aether/files/backup-entries/Yggdrasil/yggdrasil.backup.script b/roles/Aether/files/backup-entries/Yggdrasil/yggdrasil.backup.script
new file mode 100644
index 0000000..432af6f
--- /dev/null
+++ b/roles/Aether/files/backup-entries/Yggdrasil/yggdrasil.backup.script
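Review bot: The redirect on the last line of grimoire.backup.script creates `grimoire.sql` before `pg_dumpall` has produced anything, so a failed `sudo` or dump leaves an empty or truncated file in `$BACKUPDIR` that is indistinguishable from a good dump unless whatever runs these entries checks the exit status. Writing to a temporary name and renaming only on success avoids that: `sudo -u postgres pg_dumpall > "$BACKUPDIR"/grimoire.sql.tmp && mv "$BACKUPDIR"/grimoire.sql.tmp "$BACKUPDIR"/grimoire.sql`. Note also that `pg_dumpall` emits role definitions including password hashes, so the resulting file should be treated as sensitive within the backup set; a comment such as `# pg_dumpall output includes role password hashes -- keep under the encrypted backup only` would make that explicit for the next maintainer.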
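Review bot: `mkdir "$BACKUPDIR"/wiki/` on the third line of wiki.backup.script fails when the directory already exists and, with no `set -e`, the loop runs regardless; `mkdir -p "$BACKUPDIR"/wiki/` is the intended behaviour. The unquoted backtick `find | grep` expansion in the `for` header word-splits any path containing whitespace, `$BACKUPCMD` is expanded unquoted and is not defined anywhere in this patch (presumably supplied by Aether's environment like `BACKUPDIR`; a comment at the top of the script naming the expected variables would help), and `dbname` is empty when `$wgDBname` is set with single quotes in LocalSettings.php, so `pg_dump ""` runs against whatever libpq defaults to. Opening the script with `set -euo pipefail` and iterating with `while IFS= read -r i; do ... done < <(find ... | grep mediawiki)` would turn these silent misses into visible failures. LocalSettings.php also carries the wiki's database credentials and secret keys, so the copied file is a secret within the backup set and the comment above should say so.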
@@ -0,0 +1,3 @@
+#!/bin/bash
+### Yggdrasil -- File & SHA list only for space reasons ###
+cp /srv/yggdrasil/library.sha256 "$BACKUPDIR"/yggdrasil.library.sha256
diff --git a/roles/Aether/files/yggdrasil-check.conf b/roles/Aether/files/yggdrasil-check.conf
new file mode 100644
index 0000000..e82ea55
--- /dev/null
+++ b/roles/Aether/files/yggdrasil-check.conf
@@ -0,0 +1,146 @@
+# Example configuration file for AIDE.
+# More information about configuration options available in the aide.conf manpage.
+@@define DBDIR /var/lib/aide
+@@define LOGDIR /var/log/aide
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.new.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+report_level=changed_attributes
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#
+# Here are all the attributes we can check
+#p: permissions
+#i: inode
+#n: number of links
+#l: link name
+#u: user
+#g: group
+#s: size
+###b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#I: ignore changed filename
+#ANF: allow new files
+#ARF: allow removed files
+#
+
+# Here are all the digests we can use
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+#haval: haval checksum
+#crc32: crc32 checksum
+#gost: gost checksum
+#whirlpool: whirlpool checksum
+
+# These are the default rules
+#R: p+i+l+n+u+g+s+m+c+md5
+#L: p+i+l+n+u+g
+#E: Empty group
+#>: Growing logfile p+l+u+g+i+n+S
+
+# You can create custom rules - my home made rule definition goes like this
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie. all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+rmd160+sha256
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do md5 and sha256 hashes
+LSPP = R+sha256
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
+
+
+# Next decide what directories/files you want in the database.
+
+/boot NORMAL
+/bin NORMAL
+/sbin NORMAL
+/lib NORMAL
+/lib64 NORMAL
+/opt NORMAL
+/usr NORMAL
+/root NORMAL
+# These are too volatile
+!/usr/src
+!/usr/tmp
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/etc PERMS
+!/etc/mtab
+# Ignore backup files
+!/etc/.*~
+/etc/exports NORMAL
+/etc/fstab NORMAL
+/etc/passwd NORMAL
+/etc/group NORMAL
+/etc/gshadow NORMAL
+/etc/shadow NORMAL
+/etc/security/opasswd NORMAL
+
+/etc/hosts.allow NORMAL
+/etc/hosts.deny NORMAL
+
+/etc/sudoers NORMAL
+/etc/skel NORMAL
+
+/etc/logrotate.d NORMAL
+
+/etc/resolv.conf DATAONLY
+
+/etc/nscd.conf NORMAL
+/etc/securetty NORMAL
+
+# Shell/X starting files
+/etc/profile NORMAL
+/etc/bashrc NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/login.defs NORMAL
+/etc/zprofile NORMAL
+/etc/zshrc NORMAL
+/etc/zlogin NORMAL
+/etc/zlogout NORMAL
+/etc/profile.d/ NORMAL
+/etc/X11/ NORMAL
+
+# Ignore logs
+!/var/lib/pacman/.*
+!/var/cache/.*
+!/var/log/.*
+!/var/run/.*
+!/var/spool/.*
diff --git a/roles/Aether/tasks/client.yml b/roles/Aether/tasks/client.yml
new file mode 100644
index 0000000..beea04f
--- /dev/null
+++ b/roles/Aether/tasks/client.yml
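Review bot: `ALLXTRAHASHES` is assigned twice in consecutive lines and the second assignment (`sha1+rmd160+sha256+sha512+tiger`) silently wins, so the whirlpool/haval/gost/crc32 line is dead text; keep only the definition that is intended. The `/etc PERMS` rule records ownership, inode and ACLs but no content digest, so changes inside `/etc/ssh`, `/etc/pam.d` and `/etc/systemd` — common integrity-monitoring targets that this config leaves at metadata-only — would go unreported; adding `/etc/ssh NORMAL`, `/etc/pam.d NORMAL` and `/etc/systemd NORMAL` next to the existing `/etc/sudoers NORMAL` entry closes that gap. `LOG = >` is defined but never referenced by any path rule, and the opening comment still reads "Example configuration file for AIDE" although this file is the role's deployed configuration; a first line such as `# AIDE configuration deployed by the Aether role (yggdrasil-check.conf)` would be more accurate.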
@@ -0,0 +1,27 @@
+---
+
+ - name: Copy the key
+ become: true
+ copy:
+ dest: /home/aether/.ssh/aether
+ content: "{{ aether_key.stdout }}"
+
+ - name: Copy the public key
+ become: true
+ copy:
+ dest: /home/aether/.ssh/aether.pub
+ content: "{{ aether_key.stdout }}"
+
+ - name: Enable the service
+ become: yes
+ service:
+ name: aether.timer
+ state: enabled
+ running: yes
+
+ - name: Enable the service - 2
+ become: yes
+ service:
+ name: aether-gen.timer
+ state: disabled
+ running: no
diff --git a/roles/Aether/tasks/main.yml b/roles/Aether/tasks/main.yml
new file mode 100644
index 0000000..9e3590c
--- /dev/null
+++ b/roles/Aether/tasks/main.yml
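Review bot: The `Copy the public key` task writes `aether_key.stdout` — the private key — into `/home/aether/.ssh/aether.pub`; main.yml registers the public half as `aether_pubkey`, so this line should be `content: "{{ aether_pubkey.stdout }}"`. Both copy tasks also land key material with `copy`'s default mode (typically the umask, so 0644) and root ownership because they run under `become`, and nothing tightens it until the later `Ensure the Aether identity files are protected` task in main.yml; set `owner: aether`, `group: aether` and `mode: "0600"` on the copy itself and add `no_log: true` so the private key is not echoed in play output. Separately, `state: enabled` and `running:` are not options of the `service` module — it takes `enabled: true`/`false` and `state: started`/`stopped` — so the two timer tasks here, and the two in source.yml, will fail argument validation as written.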
@@ -0,0 +1,64 @@
+---
+
+ - name: Install the package
+ become: true
+ ignore_errors: true
+ package:
+ name: Aether
+ state: present
+
+ - name: Validate the user
+ vars:
+ service_account: aether
+ include_tasks: ../roles/common/service_account.yml
+
+ - name: Ensure the Aether identity is protected.
+ become: true
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: aether
+ group: aether
+ mode: 0700
+ loop:
+ - /home/aether/.ssh
+ - /usr/local/etc/Aether
+ - /usr/local/etc/Aether/backup-entries
+ - /usr/local/backup
+
+ - name: Ensure the Aether identity exists
+ delegate_to: Core # Core will track the identity that will then be shared to everyone else.
+ become: true
+ command:
+ creates: /home/aether/.ssh/aether
+ chdir: /home/aether/.ssh/
+ cmd: ssh-keygen -t ed25519 -N "" -f ./aether
+
+ - name: Read the Aether identity
+ become: true
+ delegate_to: Core
+ command: cat /home/aether/.ssh/aether
+ register: aether_key
+
+ - name: Read the Aether public identity
+ become: true
+ delegate_to: Core
+ command: cat /home/aether/.ssh/aether.pub
+ register: aether_pubkey
+
+ - include_tasks: source.yml
+ when: "{{ inventory_hostname }} is 'Core'"
+
+ - include_tasks: client.yml
+ when: "{{ inventory_hostname }} is 'Core'"
+
+ - name: Ensure the Aether identity files are protected.
+ become: true
+ file:
+ path: "{{ item }}"
+ owner: aether
+ group: aether
+ mode: 0600
+ loop:
+ - /home/aether/.ssh/aether
+ - /home/aether/.ssh/aether.pub
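Review bot: The two `include_tasks` conditions are identical — `when: "{{ inventory_hostname }} is 'Core'"` — so client.yml is never applied to the non-Core hosts it is written for and Core would receive both files; `is` is Jinja's test keyword rather than a comparison and `{{ }}` does not belong inside `when`, so these should read `when: inventory_hostname == 'Core'` for source.yml and `when: inventory_hostname != 'Core'` for client.yml. The `Read the Aether identity` task registers the private key via `cat` with no `no_log: true`, so the key material is printed in verbose runs and retained in the task result; add `no_log: true` there and on every task that renders `aether_key`. The unquoted `mode: 0700` and `mode: 0600` depend on the YAML parser's octal handling and should be quoted (`mode: "0700"`, `mode: "0600"`) as Ansible recommends. `ignore_errors: true` on the package install also hides a failed install, after which the `aether.timer`/`aether-gen.timer` units enabled later do not exist; if the intent is to tolerate hosts without the package, a `when` on the condition that makes it optional would be clearer than swallowing every error.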
@@ -0,0 +1,42 @@
+---
+
+ - name: Copy the backup scripts
+ become: yes
+ copy:
+ src: "backup-entries/{{ inventory_hostname }}"
+ dest: "/usr/local/etc/Aether/backup-entries"
+ owner: aether
+ group: aether
+
+ - name: Seed the backup passphrase
+ become: yes
+ copy:
+ content: "{{ passwords['Aether'] }}"
+ dest: "/usr/local/etc/Aether/pass.txt"
+ owner: aether
+ group: aether
+ mode: 0600
+
+ - name: Enable the generation service
+ become: yes
+ when: "{{ inventory_hostname }} == 'Core'"
+ service:
+ name: aether-gen.timer
+ state: enabled
+ running: yes
+
+ - name: Enable the generation service - 2
+ become: yes
+ when: "{{ inventory_hostname }} == 'Core'"
+ service:
+ name: aether.timer
+ state: disabled
+ running: no
+
+ - name: Set up the authorized_keys
+ template:
+ src: authorized_keys.j2
+ dest: /home/aether/.ssh/authorized_keys
+ mode: 0600
+ owner: aether
+ group: aether
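Review bot: `Seed the backup passphrase` reads `passwords['Aether']` while README.md documents the requirement as `secrets['Aether']`; one of the two names is wrong and the task fails with an undefined variable on the documented Vault layout, so align them and add `no_log: true` so the passphrase is not shown in `--diff` or verbose output. The `when: "{{ inventory_hostname }} == 'Core'"` guards on the two timer tasks are redundant, since main.yml only includes this file for Core, and templating inside `when` is discouraged — drop them, or write `when: inventory_hostname == 'Core'` if they are meant to stay. `Set up the authorized_keys` is the only task in the file without `become: yes`, so writing `/home/aether/.ssh/authorized_keys` with `owner: aether` will fail unless the connection user is already root or aether; the `authorized_keys.j2` template it references is also not part of this patch and should be added or its source documented.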