Seeding Aether

This commit is contained in:
DarkFeather 2024-04-01 00:52:29 -05:00
parent 3a01543c8b
commit 9aa0a89b79
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
10 changed files with 307 additions and 0 deletions

7
roles/Aether/README.md Normal file
View File

@ -0,0 +1,7 @@
See [AniNIX/Aether](/AniNIX/Aether) for complete details of the tool.
Role requirements:
* `secrets['Aether']` in Vault
* A YAML list of nodes under the key `Aether_nodes` in Vault
* A host called 'Core' to act as the source
* 22/tcp/sftp access through firewalls to the Core host from any clients

View File

@ -0,0 +1,3 @@
#!/bin/bash
### Gitea ###
tar cvzf "$BACKUPDIR"/gitea.tgz /var/lib/gitea/data

View File

@ -0,0 +1,3 @@
#!/bin/bash
### Grimoire ###
sudo -u postgres pg_dumpall > "$BACKUPDIR"/grimoire.sql

View File

@ -0,0 +1,3 @@
#!/bin/bash
### IRC Services ###
cp /opt/anope/data/anope.db "$BACKUPDIR"

View File

@ -0,0 +1,9 @@
#!/bin/bash
### Wiki ###
mkdir "$BACKUPDIR"/wiki/
for i in `find /usr/share/webapps/ -maxdepth 1 -type d | grep mediawiki`; do
foldername="$(echo "$i" | rev | cut -f 1 -d '/' | rev)"
dbname="$(grep '^\$wgDBname' "$i"/LocalSettings.php | cut -f 2 -d \")"
$BACKUPCMD "${i}"/LocalSettings.php "$BACKUPDIR"/wiki/"$foldername"-localsettings.php
sudo -u postgres pg_dump "$dbname" > "$BACKUPDIR"/wiki/"$dbname".psql
done

View File

@ -0,0 +1,3 @@
#!/bin/bash
### Yggdrasil -- File & SHA list only for space reasons ###
cp /srv/yggdrasil/library.sha256 "$BACKUPDIR"/yggdrasil.library.sha256

View File

@ -0,0 +1,146 @@
# Example configuration file for AIDE.
# More information about configuration options available in the aide.conf manpage.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database_in=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
log_level=warning
report_level=changed_attributes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#
# Here are all the attributes we can check
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
###b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#ANF: allow new files
#ARF: allow removed files
#
# Here are all the digests we can use
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#gost: gost checksum
#whirlpool: whirlpool checksum
# These are the default rules
#R: p+i+l+n+u+g+s+m+c+md5
#L: p+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S
# You can create custom rules - my home made rule definition goes like this
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Ignore logs
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*

View File

@ -0,0 +1,27 @@
---
- name: Copy the key
become: true
copy:
dest: /home/aether/.ssh/aether
content: "{{ aether_key.stdout }}"
- name: Copy the public key
become: true
copy:
dest: /home/aether/.ssh/aether.pub
content: "{{ aether_key.stdout }}"
- name: Enable the service
become: yes
service:
name: aether.timer
state: enabled
running: yes
- name: Enable the service - 2
become: yes
service:
name: aether-gen.timer
state: disabled
running: no

View File

@ -0,0 +1,64 @@
---
- name: Install the package
become: true
ignore_errors: true
package:
name: Aether
state: present
- name: Validate the user
vars:
service_account: aether
include_tasks: ../roles/common/service_account.yml
- name: Ensure the Aether identity is protected.
become: true
file:
path: "{{ item }}"
state: directory
owner: aether
group: aether
mode: 0700
loop:
- /home/aether/.ssh
- /usr/local/etc/Aether
- /usr/local/etc/Aether/backup-entries
- /usr/local/backup
- name: Ensure the Aether identity exists
delegate_to: Core # Core will track the identity that will then be shared to everyone else.
become: true
command:
creates: /home/aether/.ssh/aether
chdir: /home/aether/.ssh/
cmd: ssh-keygen -t ed25519 -N "" -f ./aether
- name: Read the Aether identity
become: true
delegate_to: Core
command: cat /home/aether/.ssh/aether
register: aether_key
- name: Read the Aether public identity
become: true
delegate_to: Core
command: cat /home/aether/.ssh/aether.pub
register: aether_pubkey
- include_tasks: source.yml
when: "{{ inventory_hostname }} is 'Core'"
- include_tasks: client.yml
when: "{{ inventory_hostname }} is 'Core'"
- name: Ensure the Aether identity files are protected.
become: true
file:
path: "{{ item }}"
owner: aether
group: aether
mode: 0600
loop:
- /home/aether/.ssh/aether
- /home/aether/.ssh/aether.pub

View File

@ -0,0 +1,42 @@
---
- name: Copy the backup scripts
become: yes
copy:
src: "backup-entries/{{ inventory_hostname }}"
dest: "/usr/local/etc/Aether/backup-entries"
owner: aether
group: aether
- name: Seed the backup passphrase
become: yes
copy:
content: "{{ passwords['Aether'] }}"
dest: "/usr/local/etc/Aether/pass.txt"
owner: aether
group: aether
mode: 0600
- name: Enable the generation service
become: yes
when: "{{ inventory_hostname }} == 'Core'"
service:
name: aether-gen.timer
state: enabled
running: yes
- name: Enable the generation service - 2
become: yes
when: "{{ inventory_hostname }} == 'Core'"
service:
name: aether.timer
state: disabled
running: no
- name: Set up the authorized_keys
template:
src: authorized_keys.j2
dest: /home/aether/.ssh/authorized_keys
mode: 0600
owner: aether
group: aether