Updates for Raspberry Pi 12 Bookworm

bin/deploy-role

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# Ensure we are in the source directory.
+cd $(dirname $0)/..
+
 # Role is first argument
 role="$1"
 if [ -z "$role" ]; then

bin/full-deploy

@@ -1,5 +1,8 @@
 #!/bin/bash
 
+# Ensure we are in the source directory.
+cd $(dirname $0)/..
+
 # Arguments
 inventory="$1"
 if [ "$inventory" == "-h" ] || [ "$inventory" == "--help" ]; then

examples/msn0.yml

@@ -28,6 +28,8 @@ all:
           orgdn: "dc=aninix,dc=net"
           binduser: 'binduser'
           userou: 'ou=People'
+          groupou: 'ou=Group'
+          filter: '(&(objectClass=person)(!(pwdReset=TRUE)))'
         organization: # Information about the group
           admin: 'DarkFeather'
           email: 'ircs://irc.aninix.net:6697/DarkFeather'
@@ -46,11 +48,6 @@ all:
                             ip: 10.0.1.2
                             mac: B8:27:EB:B6:AA:0C
                             static: true
-                        Maker:
-                            ipinterface: eth0
-                            ip: 10.0.1.14
-                            mac: B8:27:EB:B6:AA:0D
-                            static: true
                     children:
                         Node:
                             hosts:
@@ -107,6 +104,11 @@ all:
                                     ip: 10.0.1.13
                                     mac: E4:5F:01:01:FF:E4
                                     static: true
+                                Geth5:
+                                    ipinterface: eth0
+                                    ip: 10.0.1.14
+                                    mac: B8:27:EB:B6:AA:0D
+                                    static: true
                 virtual: # 10.0.1.16/28
                     vars:
                     hosts:
@@ -165,7 +167,7 @@ all:
                               - '-drive format=raw,index=0,media=disk,file=/dev/sdb'
                               - '-drive format=raw,index=0,media=disk,file=/dev/sdc'
                               - '-drive format=raw,index=0,media=disk,file=/dev/sdd'
-                geth_hubs: # 10.0.1.32/28
+                Vergil: # 10.0.1.32/28
                     vars:
                         motion_enabled: yes
                     hosts:

roles/IRC/tasks/daemon.yml

@@ -38,8 +38,8 @@
    become: yes
    register: servicesfile
    copy:
-     src: services/irc.service
+     src: services/inspircd.service
-     dest: /usr/lib/systemd/system/irc.service
+     dest: /usr/lib/systemd/system/inspircd.service
      owner: root
      group: root
      mode: 0644
@@ -90,7 +90,7 @@
  - name: Ensure service running
    become: yes
    service:
-     name: irc
+     name: inspircd
      state: started
      enabled: yes
 
@@ -98,5 +98,5 @@
    become: yes
    when: templatefiles.changed or servicesfile.changed
    service:
-     name: irc
+     name: inspircd
      state: reloaded

roles/IRC/tasks/services.yml

@@ -38,8 +38,8 @@
    become: yes
    register: servicesfile
    copy:
-     src: services/ircservices.service
+     src: services/anope.service
-     dest: /usr/lib/systemd/system/ircservices.service
+     dest: /usr/lib/systemd/system/anope.service
      owner: root
      group: root
      mode: 0644
@@ -53,7 +53,7 @@
  - name: Ensure service running
    become: yes
    service:
-     name: ircservices
+     name: anope
      state: started
      enabled: yes
 
@@ -61,5 +61,5 @@
    become: yes
    when: templatefiles.changed or servicesfile.changed
    service:
-     name: ircservices
+     name: anope
      state: reloaded

roles/IRC/tasks/web.yml

@@ -31,8 +31,8 @@
    become: yes
    register: servicesfile
    copy:
-     src: services/ircweb.service
+     src: services/kiwiirc.service
-     dest: /usr/lib/systemd/system/ircweb.service
+     dest: /usr/lib/systemd/system/kiwiirc.service
      owner: root
      group: root
      mode: 0644
@@ -46,7 +46,7 @@
  - name: Ensure service running
    become: yes
    service:
-     name: ircweb
+     name: kiwiirc
      state: started
      enabled: yes
 
@@ -54,5 +54,5 @@
    become: yes
    when: config.changed or servicesfile.changed
    service:
-     name: ircweb
+     name: kiwiirc
      state: reloaded

roles/Password/files/nsswitch.conf

@@ -0,0 +1,19 @@
+# Begin /etc/nsswitch.conf
+
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+
+publickey: files
+
+hosts: files dns myhostname
+networks: files
+
+protocols: files
+services: files
+ethers: files
+rpc: files
+
+netgroup: files
+
+# End /etc/nsswitch.conf

roles/Password/files/pam.d/atd

@@ -0,0 +1,12 @@
+#%PAM-1.0
+
+auth		required	pam_unix.so
+auth		required	pam_env.so
+
+account		required	pam_access.so
+account		required	pam_unix.so
+account		required	pam_time.so
+
+session		required	pam_loginuid.so
+session		required	pam_limits.so
+session		required	pam_unix.so

roles/Password/files/pam.d/chfn

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_permit.so

roles/Password/files/pam.d/chpasswd

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth

roles/Password/files/pam.d/chsh

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session         required        pam_unix.so
+password        required        pam_permit.so

roles/Password/files/pam.d/crond

@@ -0,0 +1,11 @@
+#
+# The PAM configuration file for the cron daemon
+#
+#
+# Although no PAM authentication is called, auth modules
+# are used for credential setting
+auth       include    system-auth
+account    required   pam_access.so
+account    include    system-auth
+session    required   pam_loginuid.so
+session    include    system-auth

roles/Password/files/pam.d/cups

@@ -0,0 +1,3 @@
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so

roles/Password/files/pam.d/groupmems

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth

roles/Password/files/pam.d/login

@@ -0,0 +1,7 @@
+#%PAM-1.0
+
+auth       requisite    pam_nologin.so
+auth       include      system-local-login
+account    include      system-local-login
+session    include      system-local-login
+password   include      system-local-login

roles/Password/files/pam.d/newusers

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+account		required	pam_permit.so
+password	include		system-auth

roles/Password/files/pam.d/nslcd.conf

@@ -0,0 +1 @@
+UiqiKXIU

roles/Password/files/pam.d/other

@@ -0,0 +1,9 @@
+#%PAM-1.0
+auth      required   pam_deny.so
+auth      required   pam_warn.so
+account   required   pam_deny.so
+account   required   pam_warn.so
+password  required   pam_deny.so
+password  required   pam_warn.so
+session   required   pam_deny.so
+session   required   pam_warn.so

roles/Password/files/pam.d/passwd

@@ -0,0 +1,5 @@
+#%PAM-1.0
+#password	required	pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
+#password	required	pam_unix.so sha512 shadow use_authtok
+password    sufficient  pam_ldap.so
+password	required	pam_unix.so sha512 shadow nullok

roles/Password/files/pam.d/passwd.pacnew

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+password	include		system-auth

roles/Password/files/pam.d/postgresql

@@ -0,0 +1,3 @@
+auth		required	pam_unix.so
+account		required	pam_unix.so
+session		required	pam_unix.so

roles/Password/files/pam.d/remote

@@ -0,0 +1,8 @@
+#%PAM-1.0
+
+auth       required     pam_securetty.so
+auth       requisite    pam_nologin.so
+auth       include      system-remote-login
+account    include      system-remote-login
+session    include      system-remote-login
+password   include      system-remote-login

roles/Password/files/pam.d/rlogin

@@ -0,0 +1,13 @@
+#%PAM-1.0
+# For root login to succeed here with pam_securetty, "rlogin" must be
+# listed in /etc/securetty.
+auth       required     pam_nologin.so
+auth       required     pam_securetty.so
+auth       required     pam_env.so
+auth       sufficient   pam_rhosts.so
+auth       include      system-auth
+account    include      system-auth
+password   include      system-auth
+session	   optional     pam_keyinit.so    force revoke
+session    required     pam_loginuid.so
+session    include      system-auth

roles/Password/files/pam.d/rsh

@@ -0,0 +1,11 @@
+#%PAM-1.0
+# For root login to succeed here with pam_securetty, "rsh" must be
+# listed in /etc/securetty.
+auth       required     pam_nologin.so
+auth       required     pam_securetty.so
+auth       required     pam_env.so
+auth       required     pam_rhosts.so
+account    include      system-auth
+session	   optional     pam_keyinit.so    force revoke
+session    required     pam_loginuid.so
+session    include      system-auth

roles/Password/files/pam.d/runuser

@@ -0,0 +1,4 @@
+#%PAM-1.0
+
+auth    sufficient      pam_rootok.so
+session include         system-login

roles/Password/files/pam.d/runuser-l

@@ -0,0 +1,4 @@
+#%PAM-1.0
+
+auth    sufficient      pam_rootok.so
+session include         system-login

roles/Password/files/pam.d/screen

@@ -0,0 +1 @@
+auth		required	pam_unix.so

roles/Password/files/pam.d/sshd

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-remote-login
+account   include   system-remote-login
+password  include   system-remote-login
+session   include   system-remote-login

roles/Password/files/pam.d/sssd-shadowutils

@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so
+account     required      pam_permit.so

roles/Password/files/pam.d/su

@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth        sufficient  pam_ldap.so
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth		required	pam_unix.so use_first_pass
+
+account     sufficient  pam_ldap.so
+account		required	pam_unix.so
+
+session     sufficient  pam_ldap.so
+session		required	pam_unix.so

roles/Password/files/pam.d/su-l

@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth		sufficient	pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth		sufficient	pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth		required	pam_wheel.so use_uid
+auth        sufficient  pam_ldap.so
+auth		required	pam_unix.so use_first_pass
+account     sufficient  pam_ldap.so
+account		required	pam_unix.so
+session     sufficient  pam_ldap.so
+session		required	pam_unix.so

roles/Password/files/pam.d/su-l.pacnew

@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session	        required        pam_unix.so
+password        include         system-auth

roles/Password/files/pam.d/su.pacnew

@@ -0,0 +1,10 @@
+#%PAM-1.0
+auth            sufficient      pam_rootok.so
+# Uncomment the following line to implicitly trust users in the "wheel" group.
+#auth           sufficient      pam_wheel.so trust use_uid
+# Uncomment the following line to require a user to be in the "wheel" group.
+#auth           required        pam_wheel.so use_uid
+auth            required        pam_unix.so
+account         required        pam_unix.so
+session	        required        pam_unix.so
+password        include         system-auth

roles/Password/files/pam.d/sudo

@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+session		include		system-auth

roles/Password/files/pam.d/system-auth

@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+auth      sufficient pam_ldap.so
+auth      required  pam_unix.so     try_first_pass nullok
+auth      optional  pam_permit.so
+auth      required  pam_env.so
+
+account   sufficient pam_ldap.so
+account   required  pam_unix.so
+account   optional  pam_permit.so
+account   required  pam_time.so
+
+password  sufficient pam_ldap.so
+password  required  pam_unix.so     try_first_pass nullok sha512 shadow
+password  optional  pam_permit.so
+
+session   required  pam_limits.so
+session   required  pam_unix.so
+session   optional  pam_ldap.so
+session   optional  pam_permit.so

roles/Password/files/pam.d/system-auth.pacnew

@@ -0,0 +1,27 @@
+#%PAM-1.0
+
+auth       required                    pam_faillock.so      preauth
+# Optionally use requisite above if you do not want to prompt for the password
+# on locked accounts.
+-auth      [success=2 default=ignore]  pam_systemd_home.so
+auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
+auth       [default=die]               pam_faillock.so      authfail
+auth       optional                    pam_permit.so
+auth       required                    pam_env.so
+auth       required                    pam_faillock.so      authsucc
+# If you drop the above call to pam_faillock.so the lock will be done also
+# on non-consecutive authentication failures.
+
+-account   [success=1 default=ignore]  pam_systemd_home.so
+account    required                    pam_unix.so
+account    optional                    pam_permit.so
+account    required                    pam_time.so
+
+-password  [success=1 default=ignore]  pam_systemd_home.so
+password   required                    pam_unix.so          try_first_pass nullok shadow
+password   optional                    pam_permit.so
+
+-session   optional                    pam_systemd_home.so
+session    required                    pam_limits.so
+session    required                    pam_unix.so
+session    optional                    pam_permit.so

roles/Password/files/pam.d/system-local-login

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login

roles/Password/files/pam.d/system-login

@@ -0,0 +1,19 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    include    system-auth
+session    optional   pam_motd.so          motd=/etc/motd
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+-session   optional   pam_systemd.so
+session    required   pam_env.so
+#session    required   pam_mkhomedir.so skel=/etc/skel umask=0027

roles/Password/files/pam.d/system-login.pacnew

@@ -0,0 +1,20 @@
+#%PAM-1.0
+
+auth       required   pam_shells.so
+auth       requisite  pam_nologin.so
+auth       include    system-auth
+
+account    required   pam_access.so
+account    required   pam_nologin.so
+account    include    system-auth
+
+password   include    system-auth
+
+session    optional   pam_loginuid.so
+session    optional   pam_keyinit.so       force revoke
+session    include    system-auth
+session    optional   pam_motd.so
+session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
+session    optional   pam_umask.so
+-session   optional   pam_systemd.so
+session    required   pam_env.so

roles/Password/files/pam.d/system-remote-login

@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth      include   system-login
+account   include   system-login
+password  include   system-login
+session   include   system-login

roles/Password/files/pam.d/system-services

@@ -0,0 +1,11 @@
+#%PAM-1.0
+
+auth      sufficient  pam_permit.so
+
+account   include     system-auth
+
+session   optional    pam_loginuid.so
+session   required    pam_limits.so
+session   required    pam_unix.so
+session   optional    pam_permit.so
+session   required    pam_env.so

roles/Password/files/pam.d/systemd-user

@@ -0,0 +1,5 @@
+# Used by systemd --user instances.
+
+account  include system-login
+session  required pam_loginuid.so
+session  include system-login

roles/Password/files/pam.d/vlock

@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth required pam_unix.so
+account required pam_unix.so
+password required pam_unix.so
+session required pam_unix.so

roles/Password/package/ldap-adduser

@@ -52,7 +52,6 @@ if [ "$?" -eq 0 ]; then
         line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
         ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
         ldap-resetpass "$username"
-        # Create default home
         cp -r /etc/skel "/home/$username"; chmod 0027 "/home/$username"; chown -R "$username": "/home/$username"
     fi
     rmdir "$lockfile"

roles/Password/package/ldap-resetpass

@@ -7,11 +7,8 @@ if [ -z "$uid" ]; then
     exit 1
 fi
 
-ldappasswd -D 'cn=root,dc=aninix,dc=net' -W "uid=$uid,ou=People,dc=aninix,dc=net"
+ldappasswd -D 'cn=root,dc=aninix,dc=net' -W -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net"
 
-if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
+#ldapmodify -D 'cn=root,dc=aninix,dc=net' -W -H ldap://127.0.0.1 -f <(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n")
-    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
-fi
-(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
 
 exit $?

roles/Password/templates/nscld.conf.j2

@@ -0,0 +1,80 @@
+# This is the configuration file for the LDAP nameservice
+# switch library's nslcd daemon. It configures the mapping
+# between NSS names (see /etc/nsswitch.conf) and LDAP
+# information in the directory.
+# See the manual page nslcd.conf(5) for more information.
+
+# The user and group nslcd should run as.
+uid nslcd
+gid nslcd
+
+# The uri pointing to the LDAP server to use for name lookups.
+# Multiple entries may be specified. The address that is used
+# here should be resolvable without using LDAP (obviously).
+#uri ldap://127.0.0.1/
+#uri ldaps://127.0.0.1/
+#uri ldapi://%2fvar%2frun%2fldapi_sock/
+# Note: %2f encodes the '/' used as directory separator
+uri ldap://{{ ldap['server'] }}/
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+#ldap_version 3
+
+# The distinguished name of the search base.
+base {{ ldap['orgdn'] }}
+
+# The distinguished name to bind to the server with.
+# Optional: default is to bind anonymously.
+binddn {{ ldap['binduser'] }},{{ ldap['userou'] }},{{ ldap['orgdn'] }}
+
+# The credentials to bind with.
+# Optional: default is no credentials.
+# Note that if you set a bindpw you should check the permissions of this file.
+bindpw {{ secrets['Sora']['bindpassword'] }}
+
+# The distinguished name to perform password modifications by root by.
+rootpwmoddn cn=root,{{ ldap['orgdn'] }}
+
+# The default search scope.
+scope sub
+#filter (&(!(pwdReset=TRUE))(objectClass=person))
+#scope one
+#scope base
+
+# Customize certain database lookups.
+base   group  {{ ldap['groupou'] }},{{ ldap['orgdn'] }}
+base   passwd {{ ldap['userou'] }},{{ ldap['orgdn'] }}
+base   shadow {{ ldap['userou'] }},{{ ldap['orgdn'] }}
+#scope  group  onelevel
+scope  hosts  sub
+
+# Bind/connect timelimit.
+#bind_timelimit 30
+
+# Search timelimit.
+#timelimit 30
+
+# Idle timelimit. nslcd will close connections if the
+# server has not been contacted for the number of seconds.
+#idle_timelimit 3600
+
+# Use StartTLS without verifying the server certificate.
+#ssl start_tls
+#tls_reqcert never
+
+# CA certificates for server certificate verification
+#tls_cacertdir /etc/ssl/certs
+#tls_cacertfile /etc/ssl/ca.cert
+
+# Seed the PRNG if /dev/urandom is not provided
+#tls_randfile /var/run/egd-pool
+
+# SSL cipher suite
+# See man ciphers for syntax
+#tls_ciphers TLSv1
+
+# Client certificate and key
+# Use these, if your server requires client authentication.
+#tls_cert
+#tls_key

roles/SSL/files/certbot.service

@@ -3,8 +3,8 @@ Description=Certbot
 
 [Service]
 ExecStart=certbot renew -w /var/lib/letsencrypt/ --preferred-chain "ISRG Root X1"
-ExecStartPost=-/usr/bin/systemctl reload webserver
+ExecStartPost=-/usr/bin/systemctl reload nginx
-ExecStartPost=-/usr/bin/systemctl reload irc
+ExecStartPost=-/usr/bin/systemctl reload inspircd
 KillMode=process
 Type=oneshot
 RemainAfterExit=no

roles/SSL/tasks/main.yml

@@ -7,6 +7,14 @@
       - certbot
       - openssl
 
+ - name: LetsEncrypt directory
+   become: yes
+   file:
+     path: /etc/letsencrypt
+     owner: root
+     group: ssl
+     mode: 0750
+
  - name: Services
    become: yes
    register: services

roles/ShadowArch/files/motd/Geth5

@@ -0,0 +1,6 @@
+################################################################################
+#                                 AniNIX/Node0                                 #
+#                                                                              #
+#   This is the network virtualization platform. VMs can be found with this:   #
+# cd /usr/lib/systemd/system; ls -1 *vm.service | xargs -n 1 systemctl status  #
+################################################################################

roles/ShadowArch/tasks/raspbian-network.yml

@@ -30,7 +30,7 @@
   - name: Raspbian wireless
     become: yes
     command:
-        cmd: /bin/bash -c "wpa_passphrase {{ wireless_ssid }} '{{ passwords['Shadowfeed'] }}' > /etc/wpa_supplicant.conf"
+        cmd: /bin/bash -c "wpa_passphrase {{ wireless_ssid }} '{{ secrets['Shadownet']['ssid_passphrase'] }}' > /etc/wpa_supplicant.conf"
         creates: '/etc/wpa_supplicant.conf'
 
   - name: Raspbian wireless hardening

roles/Sharingan/files/monit/checks/vips

@@ -4,8 +4,8 @@ check program https_aninix with path "/usr/lib/monitoring-plugins/check_http --s
 check program https_foundation with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H foundation.aninix.net"
     if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical foundation.aninix.net not reporting OK"
 
-check program https_geth with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H geth.aninix.net"
+check program https_superintendent with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H superintendent.aninix.net"
-    if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical geth.aninix.net not reporting OK"
+    if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical superintendent.aninix.net not reporting OK"
 
 check program https_lykos with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H lykos.aninix.net"
     if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical lykos.aninix.net not reporting OK"
@@ -22,9 +22,6 @@ check program https_sharingan with path "/usr/lib/monitoring-plugins/check_http
 check program https_singularity with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H singularity.aninix.net"
     if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical singularity.aninix.net not reporting OK"
 
-check program https_wolfpack with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -H wolfpack.aninix.net"
-    if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical wolfpack.aninix.net not reporting OK"
-
 check program https_yggdrasil with path "/usr/lib/monitoring-plugins/check_http --ssl -w 10 -c 10 -u /web/index.html -H yggdrasil.aninix.net"
     every "* 6-23 * * *"
     if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical yggdrasil.aninix.net not reporting OK"
@@ -32,5 +29,5 @@ check program https_yggdrasil with path "/usr/lib/monitoring-plugins/check_http
 check program http_eyes with path "/usr/lib/monitoring-plugins/check_http -w 10 -c 10 -u / -H geth-eyes.msn0.aninix.net"
     if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical geth-eyes HTTP not reporting OK"
 
-check program http_shadowfeed with path "/usr/lib/monitoring-plugins/check_http -w 10 -c 10 -u / -H shadowfeed.msn0.aninix.net"
+check program http_shadownet with path "/usr/lib/monitoring-plugins/check_http -w 10 -c 10 -u / -H shadownet.msn0.aninix.net"
-    if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical shadowfeed HTTP not reporting OK"
+    if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical shadownet HTTP not reporting OK"

roles/Sharingan/files/monit/hostdefs/Geth5

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Vergil/README.md

@@ -9,6 +9,14 @@ For the IR control we use an [IR shield](https://www.amazon.com/s?k=Raspberry+pi
 We also set up an SNMPv3 daemon service on the hubs, to work with their IR control. This snmpd requires the Geth OVA to add snmpget using `apk update && apk add net-snmp-tools` from the `Terminal & SSH` add-on. Covers can then be added from the [command-line integration](https://www.home-assistant.io/integrations/command_line/). They'll look something like this:
 
 ```
-
+  - cover:
+        command_open: bash /config/snmp.sh 10.0.1.32 .1.3.6.1.4.1.8072.1.3.2.4.1.2.5.112.111.119.101.114.1 # NET-SNMP-EXTEND-MIB::nsExtendOutLine."power".1
+        command_close: bash /config/snmp.sh 10.0.1.32 .1.3.6.1.4.1.8072.1.3.2.4.1.2.6.99.111.110.102.105.103.1 # NET-SNMP-EXTEND-MIB::nsExtendOutLine."config".1
+        command_stop: bash /config/snmp.sh 10.0.1.32 .1.3.6.1.4.1.8072.1.3.2.4.1.2.5.101.110.116.101.114.1 # NET-SNMP-EXTEND-MIB::nsExtendOutLine."enter".1
+        name: livingroom_power
+  - cover:
+        command_open: bash /config/snmp.sh 10.0.1.32 .1.3.6.1.4.1.8072.1.3.2.4.1.2.8.118.111.108.117.109.101.117.112.1 # NET-SNMP-EXTEND-MIB::nsExtendOutLine."volumeup".1
+        command_close: bash /config/snmp.sh 10.0.1.32 .1.3.6.1.4.1.8072.1.3.2.4.1.2.10.118.111.108.117.109.101.100.111.119.110.1 # NET-SNMP-EXTEND-MIB::nsExtendOutLine."volumedown".1
+        command_stop: bash /config/snmp.sh 10.0.1.32 .1.3.6.1.4.1.8072.1.3.2.4.1.2.4.109.117.116.101.1 # NET-SNMP-EXTEND-MIB::nsExtendOutLine."mute".1
+        name: livingroom_volume
 ```
-

roles/Vergil/files/lircd.conf/Geth-Hub-2

@@ -153,5 +153,3 @@ begin remote
       end codes
 
 end remote
-
-

roles/Vergil/tasks/main.yml

@@ -58,6 +58,7 @@
  - name: Set the dtoverlay
    become: yes
    register: dtoverlay
+   when: ansible_distribution_major_version == 11
    blockinfile:
      path: "/boot/config.txt"
      insertafter: EOF
@@ -70,15 +71,40 @@
  - name: Unset camera autodetect
    become: yes
    register: camera_autodetect
+   when: ansible_distribution_major_version == 11
    lineinfile:
      path: "/boot/config.txt"
      regexp: "camera_auto_detect"
      line: "# camera_auto_detect=1"
 
+# Thanks to https://wiki.geekworm.com/Raspberry_Pi_IR_Control_Expansion_Board for instructions setting up lirc
+ - name: Set the dtoverlay
+   become: yes
+   register: dtoverlay
+   when: ansible_distribution_major_version == 12
+   blockinfile:
+     path: "/boot/firmware/config.txt"
+     insertafter: EOF
+     marker: "# {mark} Ubiqtorate Managed Block"
+     block: |
+         dtoverlay=gpio-ir,gpio_pin={{ gpio_in_pin | default('18') }}
+         dtoverlay=gpio-ir-tx,gpio_pin={{ gpio_out_pin | default('17') }}
+         start_x=1
+
+ - name: Unset camera autodetect
+   become: yes
+   register: camera_autodetect
+   when: ansible_distribution_major_version == 12
+   lineinfile:
+     path: "/boot/firmware/config.txt"
+     regexp: "camera_auto_detect"
+     line: "# camera_auto_detect=1"
+
  - name: Set the dtparam
    become: yes
    register: dtparam
    lineinfile:
+     path: "/boot/firmware/config.txt"
      path: "/boot/config.txt"
      regexp: "^dtparam="
      line: "dtparam=gpio_in_pull={{ gpio_in_pull | default('down') }}"
@@ -113,6 +139,8 @@
    copy:
      src: "{{ item }}"
      dest: "/etc/lirc/{{ item }}"
+     force: no
+     # TODO: -- need a switch on the version of the RPi image
    loop:
      - hardware.conf
      - lirc_options.conf

roles/Vergil/templates/modules.j2

@@ -7,4 +7,3 @@
 # lirc_rpi gpio_in_pin={{ gpio_in_pin | default('18') }} gpio_out_pin={{ gpio_out_pin | default('17') }}
 bcm2835-v4l2
 r8188eu
-