AniNIX/Kapisi
AniNIX/Kapisi
3
0
Fork 0
Code Issues 25 Pull Requests Projects 1 Releases Wiki Activity

Whitespace cleanup to get in sync with AniNIX/Uniglot hooks

Browse Source
This commit is contained in:
DarkFeather 2022-11-20 20:03:01 -06:00
parent a43cb4b6bb
commit a34c96df6b
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
96 changed files with 713 additions and 400 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -3,7 +3,9 @@ roles/Nazara/files/dns
roles/Nazara/files/dhcp
roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist
venv/
roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**
**pkg.tar.zst
# ---> Python

16
examples/msn0.yml
View File

@ -38,8 +38,8 @@ all:
static: true
sslidentity: aninix.net-0001
secdetection: true
iptv_location: Milwaukee
Node0:
iptv_location: "Milwaukee|Madison"
Node0:
ipinterface: enp1s0f0
ip: 10.0.1.4
mac: DE:8B:9E:19:55:1D
@ -67,7 +67,7 @@ all:
memory: 2
vnc: 9
bridge: br0
disks:
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdd'
Maat:
ip: 10.0.1.18
@ -147,7 +147,7 @@ all:
cores: 2
memory: 2
bridge: br0
vnc: 6
vnc: 10
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
test2:
@ -157,7 +157,7 @@ all:
cores: 2
memory: 2
bridge: br0
vnc: 5
vnc: 11
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
test3:
@ -167,7 +167,7 @@ all:
cores: 2
memory: 2
bridge: br0
vnc: 4
vnc: 12
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
appliances:
@ -183,7 +183,7 @@ all:
mac: 70:74:14:4F:8E:42
Games:
ip: 10.0.1.66
mac: 00:1F:BC:10:1C:F8
mac: E0:BE:03:77:0E:88
Print:
ip: 10.0.1.67
mac: 00:80:92:77:CE:E4
@ -201,7 +201,7 @@ all:
mac: 80:D2:1D:17:63:10
Tachikoma:
ip: 10.0.1.72
mac: B8:76:3F:70:DB:C1
mac: 90:0f:0c:1a:d3:23
Dedsec:
ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F

2
playbooks/vars-debugging.yml
View File

@ -12,7 +12,7 @@
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
#
- hosts: "{{ targets | default('all') }}"
- hosts: "{{ targets | default('managed') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true

19
precommit-hooks/find-incomplete-roles
View File

@ -1,19 +0,0 @@
#!/bin/bash
cd ~/src/Ubiqtorate/roles
if [ -n "$(git status | grep roles &>/dev/null)" ]; then
echo There are roles that are not committed yet.
exit 1;
fi
unset bad
for i in `ls -1`; do
if ! grep "$i" ../playbooks/deploy.yml &>/dev/null; then
echo "$i is not used in playbooks/deploy.yml"
bad="1"
fi
done
if [ -n "$bad" ]; then
exit 1;
fi

10
precommit-hooks/find-large-files Normal file
View File

@ -0,0 +1,10 @@
#!/bin/bash
# Limit files in git to 1M.
find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|\s./.git/'
if [ $? -ne 1 ]; then
echo
echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
exit 1;
fi

14
precommit-hooks/find-missing-customizations Normal file
View File

@ -0,0 +1,14 @@
#!/bin/bash
retcode=0
for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
echo "Need MOTD for $host"
retcode=1;
fi
if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
echo "Need Sharingan-Data file for $host"
retcode=1;
fi
done
exit $retcode

28
precommit-hooks/find-passwords-in-files Normal file
View File

@ -0,0 +1,28 @@
#!/bin/bash
# Ignore Ansibilized templates.
saferegex='\s+}}"?\s*$'
# Ignore comments
saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//'
# Ignore binary file matches.
saferegex="$saferegex"'|binary\ file\ matches'
# AniNIX Constructs
saferegex="$saferegex"'|password.aninix.net|aur.list'
# Web constructs
saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex="$saferegex"'|haveibeenpwned'
# Unset variables.
saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
egrep -ir 'secret|password|pw|passphrase' roles/*/{files,templates} 2>&1 | egrep -v "$saferegex"
if [ $? -ne 1 ]; then
echo
echo If these are false positives, you need to add the signature to the whitelist in $0.
echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
exit 1;
fi

4
roles/Cyberbrain/tasks/main.yml
View File

@ -8,7 +8,7 @@
- name: Standardize the servicefile
become: yes
register: servicefile
copy:
copy:
src: cyberbrain.service
dest: /usr/lib/systemd/system/cyberbrain.service
owner: root
@ -20,7 +20,7 @@
service:
name: webssh
state: stopped
enabled: no
enabled: no
- systemd:
daemon_reload: true

4
roles/DarkNet/README.md
View File

@ -11,8 +11,8 @@ A basic VM to provide DarkNet functionality in an AniNIX replica only needs the
* Virtualized NIC
* 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled
# Hosted Services
The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
# Hosted Services
The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN.
```

8
roles/DarkNet/tasks/main.yml
View File

@ -18,7 +18,7 @@
name: "{{ item }}"
state: started
enabled: yes
loop:
loop:
- tor
- nordvpnd
- deluged
@ -26,3 +26,9 @@
- debug:
msg: "Remember to use the nordvpn-bin command to set up your account."
# TODO Add yaml for OVPN file, user, pass to Vault
# TODO Enforce vpn.service on server instead of nordvpnd.
# TODO Add /etc/bashrc.d file for `alias torlynx='torsocks elinks https://check.torproject.org/'`
# TODO Add monit checks for tor and openvpn services
# TODO Shift deluged to WolfPack

8
roles/DedSec/tasks/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
# Consider https://blackarch.org/blackarch-guide-en.pdf
- name: Install DedSec packages
become: yes
package:
name:
- tcpdump
- wireshark

4
roles/Foundation/files/custom/bin/gen-aninix-custom
View File

@ -1,7 +1,5 @@
#!/bin/bash
set -x
URI=https://aninix.net/assets/css/theme-arc-green.css
# Gitea arc-green palette
@ -59,7 +57,7 @@ a {
cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
for i in `find . -type f`; do
for i in `find . -type f`; do
(echo "$head"
cat "$i"
echo "$foot") > /var/lib/gitea/custom/public/"$i".html

10
roles/Foundation/files/custom/bin/sitemap.php
View File

@ -1,6 +1,6 @@
<?php
<?php
/*
/*
* Build a sitemap dynamically.
* Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml`
*
@ -15,7 +15,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
';
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
foreach ($output as &$file) {
foreach ($output as &$file) {
echo ' <url>
';
echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
@ -23,10 +23,10 @@ echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
echo ' <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod>
';
echo ' </url>
';
';
}
/* Print footer */
/* Print footer */
echo '</urlset>
';
?>

62
roles/Foundation/files/custom/options/license/AniNIX-WTFPL
View File

@ -1,31 +1,31 @@
# http://www.wtfpl.net/about/
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.
ANINIX ADDENDUM
Trademark 2017 (https://aninix.net/)
The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
AniNIX materials may be reproduced and re-used (though you must
contact the admins of the network to get written permission to use
the AniNIX name or logo) so long as such reproduction or re-use
does not inhibit the original AniNIX use of the same.
Attribution is appreciated for other materials but not legally
required or necessary.
"AniNIX" trademark serial: 87177883
|> Logo trademark serial: 87177887
# http://www.wtfpl.net/about/
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.
ANINIX ADDENDUM
Trademark 2017 (https://aninix.net/)
The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
AniNIX materials may be reproduced and re-used (though you must
contact the admins of the network to get written permission to use
the AniNIX name or logo) so long as such reproduction or re-use
does not inhibit the original AniNIX use of the same.
Attribution is appreciated for other materials but not legally
required or necessary.
"AniNIX" trademark serial: 87177883
|> Logo trademark serial: 87177887

BIN
roles/Foundation/files/custom/public/img/AniNIX.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.2 KiB

BIN
roles/Foundation/files/custom/public/img/avatar_default.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 7.2 KiB

1
roles/Foundation/files/custom/public/img/favicon.png
View File

@ -1 +0,0 @@
AniNIX.png

1
roles/Foundation/files/custom/public/img/gitea-lg.png
View File

@ -1 +0,0 @@
AniNIX.png

1
roles/Foundation/files/custom/public/img/gitea-safari.svg
View File

@ -1 +0,0 @@
AniNIX.png

1
roles/Foundation/files/custom/public/img/gitea-sm.png
View File

@ -1 +0,0 @@
AniNIX.png

1
roles/Foundation/files/custom/public/img/icons
View File

@ -1 +0,0 @@
/srv/yggdrasil/Pictures/AniNIX/Icons/

BIN
roles/Foundation/files/custom/public/img/qr.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 113 KiB

BIN
roles/Foundation/files/custom/public/img/rss.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
roles/Foundation/files/custom/public/img/social/discord.ico
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 614 B

BIN
roles/Foundation/files/custom/public/img/social/facebook.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 170 KiB

BIN
roles/Foundation/files/custom/public/img/social/github.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 21 KiB

BIN
roles/Foundation/files/custom/public/img/social/linkedin.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 657 B

BIN
roles/Foundation/files/custom/public/img/social/nextdoor.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 439 B

BIN
roles/Foundation/files/custom/public/img/social/rss.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 24 KiB

BIN
roles/Foundation/files/custom/public/img/social/strava.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 44 KiB

BIN
roles/Foundation/files/custom/public/img/social/wtfpl.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
roles/Foundation/files/custom/public/img/social/youtube.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 64 KiB

BIN
roles/Foundation/files/custom/public/img/ushf.jpg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 9.7 KiB

BIN
roles/Foundation/files/custom/public/img/wtfpl.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 42 KiB

BIN
roles/Foundation/files/custom/public/martialarts/mil-gi.jpeg
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 342 KiB

36
roles/Foundation/files/web-snippets/martialarts/index
View File

@ -17,7 +17,7 @@
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<a href="/user/login?redirect_to=%2fAniNIX_Martial_Arts">Open-source</a>
<a href="/mawiki">Open-source</a>
</h1>
<p class="large">
We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
@ -116,13 +116,13 @@
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuhvI49P1uFPoXXoSjPm2w');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect
@ -148,7 +148,7 @@
});
});
})();
</script>
</script>
<! -- END STRIPE CODE -->
</p>
</div>
@ -170,13 +170,13 @@
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HThmcI49P1uFPoXMDCRVXTl');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect
@ -202,8 +202,8 @@
});
});
})();
</script>
<! -- END STRIPE CODE -->
</script>
<! -- END STRIPE CODE -->
</p> </div>
</div>
<div class="ui stackable middle very relaxed page grid">
@ -225,13 +225,13 @@
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTucZI49P1uFPoXshtbIl8W');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect
@ -258,8 +258,8 @@
});
})();
</script>
<! -- END STRIPE CODE -->
</p>
<! -- END STRIPE CODE -->
</p>
</div>
<div class="eight wide center column" style="border: 1px solid #FFF;">
<h1 class="hero ui icon header">
@ -296,13 +296,13 @@
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuYII49P1uFPoXaIk9puyu');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect

24
roles/Foundation/files/web-snippets/pay/index
View File

@ -13,7 +13,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<h1 class="hero ui icon header">
<img width=20px height=20px src='/img/icons/CoreIcon.png'/>
<img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
Cybersecurity Consulting
</h1>
<p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
@ -45,7 +45,7 @@
<br/>
</form>
<!-- START STRIPE CODE -->
<!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
<button
style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
@ -55,13 +55,13 @@
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect
@ -91,5 +91,17 @@
<! -- END STRIPE CODE -->
</p>
</div>
<hr style="margin-top: 50px;" />
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<hr style="margin-top: 50px;" />
<h2>Donate</h2>
<p>If you like what we do, you can also donate on one of these platforms:</p>
<ul style="width:500px;text-align: left;margin:auto;">
<li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
<li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
<li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
<li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
</ul>
</div>
</div>

2
roles/Foundation/files/web-snippets/pay/thank-you
View File

@ -1,7 +1,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="/img/icons/CoreIcon.png" />
<img class="logo" src="/assets/img/icons/CoreIcon.png" />
</div>
<div class="hero">
<h2 class="ui icon header title">

94
roles/Foundation/templates/app.ini.j2
View File

@ -13,7 +13,7 @@ RUN_MODE = prod
ROOT = repos
SCRIPT_TYPE = bash
; Default ANSI charset
ANSI_CHARSET =
ANSI_CHARSET =
; Force every new repository to be private
FORCE_PRIVATE = false
; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
@ -31,7 +31,7 @@ PREFERRED_LICENSES = AniNIX-WTFPL
DISABLE_HTTP_GIT = false
; Value for Access-Control-Allow-Origin header, default is not to present
; WARNING: This maybe harmful to you website if you do not give it a right value.
ACCESS_CONTROL_ALLOW_ORIGIN =
ACCESS_CONTROL_ALLOW_ORIGIN =
; Force ssh:// clone url instead of scp-style uri when default SSH port is used
USE_COMPAT_SSH_URI = false
; Close issues as long as a commit on any branch marks it as fixed
@ -57,7 +57,7 @@ ENABLED = true
; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
TEMP_PATH = data/tmp/uploads
; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
ALLOWED_TYPES =
ALLOWED_TYPES =
; Max size of each file in megabytes. Defaults to 3MB
FILE_MAX_SIZE = 3
; Max number of files per upload. Defaults to 5
@ -138,7 +138,7 @@ KEYWORDS = go,git,self-hosted,gitea,aninix,aninix::foundation
ENABLE_HARD_LINE_BREAK = false
; List of custom URL-Schemes that are allowed as links when rendering Markdown
; for example git,magnet
CUSTOM_URL_SCHEMES =
CUSTOM_URL_SCHEMES =
; List of file extensions that should be rendered/edited as Markdown
; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
@ -156,7 +156,7 @@ HTTP_PORT = 3000
; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for
; PORT_TO_REDIRECT.
REDIRECT_OTHER_PORT = false
PORT_TO_REDIRECT = 3000
PORT_TO_REDIRECT = 3000
; Permission for unix socket
UNIX_SOCKET_PERMISSION = 660
; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
@ -169,17 +169,17 @@ DISABLE_SSH = false
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = false
; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
BUILTIN_SSH_SERVER_USER =
BUILTIN_SSH_SERVER_USER =
; Domain name to be exposed in clone URL
SSH_DOMAIN = foundation.aninix.net
; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST =
SSH_LISTEN_HOST =
; Port number to be exposed in clone URL
SSH_PORT = 22
; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH =
SSH_ROOT_PATH =
; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
SSH_CREATE_AUTHORIZED_KEYS_FILE = true
@ -194,7 +194,7 @@ SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-gro
SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
; Directory to create temporary files in when testing public keys using ssh-keygen,
; default is the system temporary directory.
SSH_KEY_TEST_PATH =
SSH_KEY_TEST_PATH =
; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
SSH_KEYGEN_PATH = ssh-keygen
; Enable SSH Authorized Key Backup when rewriting all keys, default is true
@ -208,7 +208,7 @@ OFFLINE_MODE = true
DISABLE_ROUTER_LOG = false
; Generate steps:
; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
;
;
; Or from a .pfx file exported from the Windows certificate store (do
; not forget to export the private key):
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
@ -301,7 +301,7 @@ DISABLE_REGULAR_ORG_CREATION = true
; Whether the installer is disabled
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ secrets.Foundation.secret_key }}
SECRET_KEY = {{ secrets.Foundation.secret_key }}
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
COOKIE_USERNAME = gitea_awesome
@ -318,15 +318,15 @@ DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }}
[openid]
;
;
; OpenID is an open, standard and decentralized authentication protocol.
; Your identity is the address of a webpage you provide, which describes
; how to prove you are in control of that page.
;
;
; For more info: https://en.wikipedia.org/wiki/OpenID
;
;
; Current implementation supports OpenID-2.0
;
;
; Tested to work providers at the time of writing:
; - Any GNUSocial node (your.hostname.tld/username)
; - Any SimpleID provider (http://simpleid.koinic.net)
@ -334,7 +334,7 @@ INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }}
; - openid.stackexchange.com
; - login.launchpad.net
; - <username>.livejournal.com
;
;
; Whether to allow signin in via OpenID
ENABLE_OPENID_SIGNIN = FALSE
; Whether to allow registering via OpenID
@ -344,12 +344,12 @@ ENABLE_OPENID_SIGNIN = FALSE
; Space separated.
; Only these would be allowed if non-blank.
; Example value: trusted.domain.org trusted.domain.net
WHITELISTED_URIS =
WHITELISTED_URIS =
; Forbidden URI patterns (POSIX regexp).
; Space separated.
; Only used if WHITELISTED_URIS is blank.
; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
BLACKLISTED_URIS =
BLACKLISTED_URIS =
ENABLE_OPENID_SIGNUP = false
[service]
@ -361,7 +361,7 @@ RESET_PASSWD_CODE_LIVE_MINUTES = 180
REGISTER_EMAIL_CONFIRM = false
; List of domain names that are allowed to be used to register on a Gitea instance
; gitea.io,example.com
EMAIL_DOMAIN_WHITELIST =
EMAIL_DOMAIN_WHITELIST =
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = true
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
@ -380,8 +380,8 @@ ENABLE_CAPTCHA = false
CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
; Change this to use recaptcha.net or other recaptcha service
RECAPTCHA_URL = https://www.google.com/recaptcha/
; Default value for KeepEmailPrivate
@ -435,18 +435,18 @@ ENABLED = false
; Buffer length of channel, keep it as it is if you don't know what it is.
SEND_BUFFER_LEN = 100
; Prefix displayed before subject in mail
SUBJECT_PREFIX =
SUBJECT_PREFIX =
; Mail server
; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST =
HOST =
; Disable HELO operation when hostnames are different.
DISABLE_HELO =
DISABLE_HELO =
; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
HELO_HOSTNAME =
HELO_HOSTNAME =
; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY =
SKIP_VERIFY =
; Use client certificate
USE_CERTIFICATE = false
CERT_FILE = custom/mailer/cert.pem
@ -454,11 +454,11 @@ KEY_FILE = custom/mailer/key.pem
; Should SMTP connection use TLS
IS_TLS_ENABLED = false
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM =
FROM =
; Mailer user name and password
USER =
USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD =
PASSWD =
; Send mails as plain text
SEND_AS_PLAIN_TEXT = false
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
@ -466,7 +466,7 @@ MAILER_TYPE = smtp
; Specify an alternative sendmail binary
SENDMAIL_PATH = sendmail
; Specify any extra sendmail arguments
SENDMAIL_ARGS =
SENDMAIL_ARGS =
[cache]
; Either "memory", "redis", or "memcache", default is "memory"
@ -476,7 +476,7 @@ INTERVAL = 60
; For "redis" and "memcache", connection host address
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; memcache: `127.0.0.1:11211`
HOST =
HOST =
; Time to keep items in cache if not used, default is 16 hours.
; Setting it to 0 disables caching
ITEM_TTL = 16h
@ -541,7 +541,7 @@ MAX_FILES = 5
; Specifies the format for fully outputted dates. Defaults to RFC1123
; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
; For more information about the format see http://golang.org/pkg/time/#pkg-constants
FORMAT =
FORMAT =
[log]
ROOT_PATH = /var/log/gitea/
@ -564,22 +564,22 @@ STACKTRACE_LEVEL = Critical
; Generic log modes
[log.x]
FLAGS = stdflags
EXPRESSION =
PREFIX =
EXPRESSION =
PREFIX =
COLORIZE = false
; For "console" mode only
[log.console]
LEVEL =
LEVEL =
COLORIZE = false
STDERR = false
; For "file" mode only
[log.file]
LEVEL =
LEVEL =
; Set the file_name for the logger. If this is a relative path this
; will be relative to ROOT_PATH
FILE_NAME =
FILE_NAME =
; This enables automated log rotate(switch of following options), default is true
LOG_ROTATE = true
; Max number of lines in a single file, default is 1000000
@ -597,7 +597,7 @@ COMPRESSION_LEVEL = -1
; For "conn" mode only
[log.conn]
LEVEL =
LEVEL =
; Reconnect host for every single message, default is false
RECONNECT_ON_MSG = false
; Try to reconnect when connection is lost, default is false
@ -605,21 +605,21 @@ RECONNECT = false
; Either "tcp", "unix" or "udp", default is "tcp"
PROTOCOL = tcp
; Host address
ADDR =
ADDR =
; For "smtp" mode only
[log.smtp]
LEVEL =
LEVEL =
; Name displayed in mail title, default is "Diagnostic message from server"
SUBJECT = Diagnostic message from server
; Mail server
HOST =
HOST =
; Mailer user name and password
USER =
USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD =
PASSWD =
; Receivers, can be one or more, e.g. 1@example.com,2@example.com
RECEIVERS =
RECEIVERS =
[cron]
; Enable running cron tasks periodically.
@ -637,7 +637,7 @@ SCHEDULE = @every 24h
TIMEOUT = 60s
; Arguments for command 'git fsck', e.g. "--unreachable --tags"
; see more on http://git-scm.com/docs/git-fsck
ARGS =
ARGS =
; Check repository statistics
[cron.check_repo_stats]
@ -676,7 +676,7 @@ MAX_GIT_DIFF_LINE_CHARACTERS = 5000
MAX_GIT_DIFF_FILES = 100
; Arguments for command 'git gc', e.g. "--aggressive --auto"
; see more on http://git-scm.com/docs/git-gc/
GC_ARGS =
GC_ARGS =
; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
EnableAutoGitWireProtocol = true
@ -780,5 +780,5 @@ IS_INPUT_FILE = false
; Enables metrics endpoint. True or false; default is false.
ENABLED = false
; If you want to add authorization, specify a token here
TOKEN =
TOKEN =

10
roles/Games/tasks/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Install Games packages
become: yes
package:
name:
- mgba-qt
- steam
- steam-native-runtime
- discord

2
roles/Geth-Hub/files/hardware.conf
View File

@ -14,7 +14,7 @@ LOAD_MODULES=true
# Run "lircd --driver=help" for a list of supported drivers.
DRIVER="default"
# usually /dev/lirc0 is the correct setting for systems using udev
# usually /dev/lirc0 is the correct setting for systems using udev
DEVICE="/dev/lirc0"
MODULES="lirc_rpi"

4
roles/Geth-Hub/files/lircd.conf/Geth-Hub-1
View File

@ -5,9 +5,9 @@
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017
#
# contributed by
# contributed by
#
# brand: Insignia
# brand: Insignia
# model no. of remote control: NS-RC4NA-14
# devices being controlled by this remote: TV
#

10
roles/Geth-Hub/files/lircd.conf/Geth-Hub-2
View File

@ -8,7 +8,7 @@
# contributed by darkfeather@aninix.net
#
# brand: LG.conf
# model no. of remote control: AKB73715608
# model no. of remote control: AKB73715608
# devices being controlled by this remote: TV
#
@ -49,10 +49,10 @@ end remote
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Tue May 1 06:40:29 2018
#
# contributed by
# contributed by
#
# brand: ./lasko.conf
# model no. of remote control:
# model no. of remote control:
# devices being controlled by this remote:
#
@ -118,9 +118,9 @@ end remote
# this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017
#
# contributed by
# contributed by
#
# brand: Insignia
# brand: Insignia
# model no. of remote control: NS-RC4NA-14
# devices being controlled by this remote: TV
#

2
roles/Geth-Hub/files/lircd.conf/Geth-Hub-3
View File

@ -8,7 +8,7 @@
# contributed by darkfeather@aninix.net
#
# brand: LG.conf
# model no. of remote control: AKB73715608
# model no. of remote control: AKB73715608
# devices being controlled by this remote: TV
#

8
roles/Geth-Hub/tasks/main.yml
View File

@ -16,7 +16,7 @@
user: "{{ ansible_user_id }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}"
- name: Copy the motion config
become: yes
register: motion_config
@ -32,13 +32,13 @@
owner: motion
group: motion
mode: 0750
loop:
loop:
- "/var/log/motion"
- "/var/run/motion"
- name: Restart the motion service
become: yes
when: motion_config.changed and motion_enabled
when: motion_config.changed and motion_enabled
service:
name: motion
state: started
@ -119,7 +119,7 @@
- name: Copy lircd remote config
register: lircd_remote_config
become: yes
copy:
copy:
src: "lircd.conf/{{ inventory_hostname }}"
dest: /etc/lirc/lircd.conf

2
roles/Geth/tasks/main.yml
View File

@ -5,4 +5,4 @@
name:
- openhab2
- name:
- name:

29
roles/IRC-Bots/tasks/main.yml Normal file
View File

@ -0,0 +1,29 @@
---
- user:
name: "{{ item }}"
state: present
shell: "{{ daemon_shell | default('/sbin/nologin') }}"
local: yes
groups: ircd
loop:
- bitbot
- dsbridge
- theraven
- werewolf
# Install TheRaven package
- package:
name:
- TheRaven
- git:
repo: 'https://github.com/jesopo/bitbot.git'
dest: /usr/local/src/bitbot/
clone: yes
update: yes
- git:
repo:
-

4
roles/IRC/tasks/main.yml
View File

@ -1,6 +1,6 @@
---
- name: IRC packages
- name: IRC packages
become: yes
package:
name:
@ -10,7 +10,7 @@
- name: KiwiIRC Web Front
become: yes
git:
git:
repo: https://github.com/prawnsalad/KiwiIRC.git
dest: /usr/local/src/KiwiIRC

10
roles/Maat/tasks/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: Sharingan packages
become: yes
package:
name:
- openvas
- greenbone-security-assistant
- elasticsearch6
- mongodb
- graylog

6
roles/Nazara/tasks/main.yml
View File

@ -1,5 +1,5 @@
---
- name: Clone pi-hole
become: yes
git:
@ -10,7 +10,7 @@
- name: Install pi-hole if needed
become: yes
register: pihole_install
command:
command:
creates: /usr/bin/pihole-FTL
cmd: false # bash basic-install.sh
chdir: '/opt/pi-hole/automated install'
@ -30,7 +30,7 @@
register: dns_updated
copy:
dest: /etc/pihole/custom.list
src: dns
src: dns
owner: pihole
group: pihole
mode: 0644

6
roles/Node/tasks/main.yml
View File

@ -14,11 +14,11 @@
- qemu-emulators-full
- ddrescue
state: present
- name: Copy VM definitions
become: yes
register: vmdefs
copy:
copy:
src: vm-definitions/
dest: /usr/lib/systemd/system
owner: root
@ -28,7 +28,7 @@
- name: Reload systemd daemon
become: yes
when: vmdefs.changed
systemd:
systemd:
daemon_reload: yes
- name: QEMU Bridge Config

69
roles/SSH/tasks/main.yml
View File

@ -1,30 +1,28 @@
---
- name: SSH
- name: SSH (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux"
package:
state: present
name:
- bash
- sudo
- openssh
- name: SSH Config
- name: SSH (Raspbian)
become: yes
copy:
src: ssh_config
dest: /etc/ssh/ssh_config
- name: SSHD Config
become: yes
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
when: ansible_os_family == "Debian"
package:
state: present
name:
- openssh-server
- openssh-client
- name: Mark SSH keys as immutable
become: yes
file:
path: "{{ item }}"
path: "{{ item }}"
attributes: i
loop:
loop:
- /etc/ssh/ssh_host_ed25519_key
- /etc/ssh/ssh_host_ed25519_key.pub
- /etc/ssh/ssh_host_rsa_key
@ -32,17 +30,52 @@
- name: Add SSH control groups
become: yes
group:
group:
name: "{{ item }}"
state: present
loop:
loop:
- ssh-allow
- ssh-forward
- sftp-home-jail
- name: Add SSH user to ssh-allow
become: yes
user:
user:
name: "{{ ansible_user_id }}"
groups: ssh-allow
append: yes
- name: Copy the SSH key
authorized_key:
user: "{{ ansible_user_id }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"
- name: SSH Config
become: yes
copy:
src: ssh_config
dest: /etc/ssh/ssh_config
- name: SSHD Config
become: yes
register: sshd_config
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
- name: Restart SSHD (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux" and sshd_config.changed
service:
name: sshd
state: restarted
enabled: yes
- name: Restart SSHD (Raspbian)
become: yes
when: ansible_os_family == "Debian" and sshd_config.changed
service:
name: ssh
state: restarted
enabled: yes

12
roles/SSL/tasks/main.yml
View File

@ -2,8 +2,8 @@
- name: SSL packages
become: yes
package:
name:
package:
name:
- certbot
- openssl
@ -16,7 +16,7 @@
owner: root
group: root
mode: 0644
loop:
loop:
- "certbot.service"
- "certbot.timer"
@ -28,7 +28,7 @@
name: certbot.timer
enabled: yes
state: started
- name: Create letsencrypt folder
become: yes
file:
@ -50,7 +50,7 @@
become: yes
command: /usr/local/sbin/tlsa-generation.bash
register: tlsa_records
- name: Show proposed TLSA records
debug:
msg: "{{ tlsa_records.stdout_lines }}"
@ -60,7 +60,7 @@
run_once: yes
command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
register: ext_tlsa_records
- name: Show TLSA records
debug:
msg: "{{ ext_tlsa_records.stdout_lines }}"

6
roles/ShadowArch/bin/find-mirrors
View File

@ -1,9 +1,9 @@
#!/bin/bash
# File: find-mirrors
#
#
# Description: This file generates a pacman mirrorlist to ensure hosts use the right mirrors for performance.
#
#
# Package: AniNIX::Foundation/HelloWorld
# Copyright: WTFPL
#
@ -11,6 +11,6 @@
country="United States"
curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist
curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist
rankmirrors -n 6 /tmp/mirrorlist > files/mirrorlist
rm /tmp/mirrorlist

10
roles/ShadowArch/files/bashrc Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/bash.bashrc
#
# If not running interactively, don't do anything
[[ $- != *i* ]] && return
[[ $DISPLAY ]] && shopt -s checkwinsize
[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion

2
roles/ShadowArch/files/pacman.conf
View File

@ -99,7 +99,7 @@ Include = /etc/pacman.d/mirrorlist.shadowarch
#[custom]
#SigLevel = Optional TrustAll
#Server = file:///home/custompkgs
[AniNIX]
SigLevel = Required DatabaseOptional
Server = https://maat.aninix.net/

32
roles/ShadowArch/files/vimrc Normal file
View File

@ -0,0 +1,32 @@
" All system-wide defaults are set in $VIMRUNTIME/archlinux.vim (usually just
" /usr/share/vim/vimfiles/archlinux.vim) and sourced by the call to :runtime
" you can find below. If you wish to change any of those settings, you should
" do it in this file (/etc/vimrc), since archlinux.vim will be overwritten
" everytime an upgrade of the vim packages is performed. It is recommended to
" make changes after sourcing archlinux.vim since it alters the value of the
" 'compatible' option.
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages.
runtime! archlinux.vim
" If you prefer the old-style vim functionalty, add 'runtime! vimrc_example.vim'
" Or better yet, read /usr/share/vim/vim74/vimrc_example.vim or the vim manual
" and configure vim to your own liking!
syntax on
filetype on
" Support CSharp files like Java
au BufNewFile,BufRead *.csharp set filetype=java
au BufNewFile,BufRead *.cs set filetype=java
set number
set mouse-=a
colorscheme desert
" This establishes the indenting policy.
filetype plugin indent on
" show existing tab with 4 spaces width
set tabstop=4
" when indenting with '>', use 4 spaces width
set shiftwidth=4
" On pressing tab, insert 4 spaces
set expandtab

4
roles/ShadowArch/tasks/archlinux-network.yml
View File

@ -1,4 +1,4 @@
---
---
- name: ArchLinux network packages
become: yes
@ -30,4 +30,4 @@
- name: Enable network config
become: yes
command: "netctl enable {{ ipinterface }}"
command: "netctl enable {{ ipinterface }}"

37
roles/ShadowArch/tasks/bash.yml Normal file
View File

@ -0,0 +1,37 @@
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- name: Bashrc
become: yes
copy:
src: bashrc
dest: /etc/bashrc
owner: root
group: root
mode: 0644
- name: vimrc
become: yes
copy:
src: vimrc
dest: /etc/vimrc
owner: root
group: root
mode: 0644

4
roles/ShadowArch/tasks/dns.yml
View File

@ -2,8 +2,8 @@
- name: Install DNS packages
become: yes
ignore_errors: yes
package:
name:
package:
name:
- bind
- net-tools
- iputils

26
roles/ShadowArch/tasks/main.yml
View File

@ -58,10 +58,14 @@
ignore_errors: yes
register: root_password_test
vars:
ansible_become_user: "{{ item }}"
ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes
command: id
loop:
- root
- "{{ ansible_user_id }}"
- name: Define passwords
vars:
@ -70,7 +74,7 @@
become: yes
when: root_password_test.rc is not defined or root_password_test.rc != 0
command:
cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}"
cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
loop:
- root
- "{{ ansible_user_id }}"
@ -163,24 +167,6 @@
hostname:
name: "{{ inventory_hostname }}.{{ replica_domain }}"
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- include: archlinux-network.yml
when: ansible_os_family == "Archlinux"
@ -190,3 +176,5 @@
- include: dns.yml
- include: ntp.yml
- include: bash.yml

8
roles/ShadowArch/tasks/ntp.yml
View File

@ -10,7 +10,7 @@
- name: Remove legacy NTP services
become: yes
ignore_errors: yes
service:
service:
name: "{{ item }}"
state: stopped
enabled: no
@ -20,15 +20,15 @@
- name: Remove legacy NTP packages
become: yes
package:
name:
package:
name:
- ntp
- openntpd
state: absent
- name: Install NTP packages
become: yes
package:
package:
name: chrony
state: present

4
roles/ShadowArch/tasks/raspbian-network.yml
View File

@ -1,4 +1,4 @@
---
---
- name: Rasbian network packages
become: yes
@ -17,7 +17,7 @@
group: root
mode: 0644
- name: Rasbian network config (static)
- name: Rasbian network config (static)
become: yes
when: static
template:

10
roles/Sharingan/README.md
View File

@ -5,7 +5,7 @@ Sharingan is named after the mythical technique from the Naruto anime series. Sh
# Relevant Files and Software
We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`.
We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`.
## Syslog-ng
@ -13,7 +13,7 @@ We use a lot of services in the AniNIX ecosystem -- some create files, some pipe
## Journald
ArchLinux and most systemd-based Linux distributions use journald to track system log files.
ArchLinux and most systemd-based Linux distributions use journald to track system log files.
## Suricata
@ -32,12 +32,12 @@ TODO
## Graylog
## Elasticsearch
Elasticsearch acts as graylog's data backend.
Elasticsearch acts as graylog's data backend.
We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
1. Stop elasticsearch
1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*`
1. Restart elasticsearch
1. Retry shard allocation:

2
roles/Sharingan/files/monit/checks/system
View File

@ -7,7 +7,7 @@
## performed should a test fail.
check system $HOST
if loadavg (1min) per core > 2 for 25 times within 30 cycles then exec "/etc/monit.d/scripts/critical Load average is high"
if memory usage > 75% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
if memory usage > 90% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
if swap usage > 25% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Swap is overused."
group system
#

2
roles/Sharingan/files/monit/checks/warrant-canary Normal file
View File

@ -0,0 +1,2 @@
check program warrant_canary with path "/etc/monit.d/scripts/check-warrant-canary"
if status != 0 then exec "/etc/monit.d/scripts/critical Warrant Canary needs to be updated"

1
roles/Sharingan/files/monit/hostdefs/Core
View File

@ -1 +1,2 @@
include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/warrant-canary"

27
roles/Sharingan/files/monit/scripts/check-warrant-canary Executable file
View File

@ -0,0 +1,27 @@
#!/bin/bash
daysinadvance=14
url=https://aninix.net/AniNIX/WarrantCanary/raw/branch/main/canary
# ID the update expected date
canarydate="$(curl -s "$url" | grep -A 1 'next two updates' | tail -n 1 | sed 's/^..//' )"
if [ -z "$canarydate" ]; then
echo "Cannot identify the canary's next time."
exit 2
fi
epochcanarydate="$(date -d "$canarydate" +%s)"
# Remove a one-month padding
updatecanarydate=$(( $epochcanarydate - 2592000 ))
# ID today
today="$(date +%s)"
if [[ $today -gt $updatecanarydate ]]; then
echo Time to reseed the warrant canary.
exit 2
else
echo Warrant canary seems to have the right time.
exit 0
fi

160
roles/Sharingan/files/oinkmaster/oinkmaster.conf
View File

@ -1,11 +1,11 @@
# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
# This file is pretty big by default, but don't worry.
# The only things required are "path" and "update_files". You must also
# set "url" to point to the correct rules archive for your version of
# This file is pretty big by default, but don't worry.
# The only things required are "path" and "update_files". You must also
# set "url" to point to the correct rules archive for your version of
# Snort, unless you prefer to specify this on the command line.
# The rest in here is just a few recommended defaults, and examples
# how to use all the other optional features and give some ideas how they
# how to use all the other optional features and give some ideas how they
# could be used.
# Remember not to let untrusted users edit Oinkmaster configuration
@ -14,15 +14,15 @@
# Use "url = <url>" to specify the location of the rules archive to
# download. The url must begin with http://, https://, ftp://, file://
# or scp:// and end with .tar.gz or .tgz, and the file must be a
# Use "url = <url>" to specify the location of the rules archive to
# download. The url must begin with http://, https://, ftp://, file://
# or scp:// and end with .tar.gz or .tgz, and the file must be a
# gzipped tarball what contains a directory named "rules".
# You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations.
#
# Note: if URL is specified on the command line, it overrides all
# Note: if URL is specified on the command line, it overrides all
# possible URLs specified in the configuration file(s).
#
# The location of the official Snort rules you should use depends
@ -30,10 +30,10 @@
# http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the
# future). You can of course also specify locations to third party
# future). You can of course also specify locations to third party
# rules.
#
# As of March 2005, you must register on the Snort site to get access
# As of March 2005, you must register on the Snort site to get access
# to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
@ -45,7 +45,7 @@
# more information.
# URL examples follows. Replace <oinkcode> with the code you get on the
# URL examples follows. Replace <oinkcode> with the code you get on the
# Snort site in your registered user profile.
# Example for Snort
@ -73,18 +73,18 @@
# Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
# If you use -u scp://... and need to specify a private ssh key (passed
# as -i <key> to the scp command) you can specify it here or add an
# entry in ~/.ssh/config for the Oinkmaster user as described in the
# OpenSSH manual.
# If you use -u scp://... and need to specify a private ssh key (passed
# as -i <key> to the scp command) you can specify it here or add an
# entry in ~/.ssh/config for the Oinkmaster user as described in the
# OpenSSH manual.
# scp_key = /home/oinkmaster/oinkmaster_privkey
# The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or
# The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or
# you will get problems.
# Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin
@ -96,17 +96,17 @@ path = /bin:/usr/bin:/usr/local/bin
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
# We normally use external binaries (wget, tar and gzip) since they're
# already available on most systems and do a good job. If you have the
# We normally use external binaries (wget, tar and gzip) since they're
# already available on most systems and do a good job. If you have the
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to
# choose which method you prefer. It's set to 0 by default on Win32
# (i.e. use Perl modules), and 1 on other systems (i.e. use external
# those instead if you like. You can set use_external_bins below to
# choose which method you prefer. It's set to 0 by default on Win32
# (i.e. use Perl modules), and 1 on other systems (i.e. use external
# binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
# those than to install the ported Unix tools. (Note that if you're
# using scp to download the archive, external scp binary is still
# used.)
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
# those than to install the ported Unix tools. (Note that if you're
# using scp to download the archive, external scp binary is still
# used.)
# use_external_bins = 0
@ -133,7 +133,7 @@ path = /bin:/usr/bin:/usr/local/bin
# umask = 0027
# Files in the archive(s) matching this regular expression will be
# Files in the archive(s) matching this regular expression will be
# checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below.
@ -159,10 +159,10 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# min_rules = 1
# By default, a basic sanity check is performed on most paths/filenames
# to see if they contain illegal characters that may screw things up.
# If this check is too strict for your system (e.g. you get bogus
# "illegal characters in filename" errors because of your local language
# By default, a basic sanity check is performed on most paths/filenames
# to see if they contain illegal characters that may screw things up.
# If this check is too strict for your system (e.g. you get bogus
# "illegal characters in filename" errors because of your local language
# etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0.
# use_path_checks = 1
@ -174,11 +174,11 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular
# oinkmaster.conf as soon as the include statement is seen, and then
# return and continue parsing the rest of the original file. If an
# option is redefined, it will override the previous value. You can use
# as many "include" statements as you wish, and also include even more
# "include <file>". <file> will be parsed just like a regular
# oinkmaster.conf as soon as the include statement is seen, and then
# return and continue parsing the rest of the original file. If an
# option is redefined, it will override the previous value. You can use
# as many "include" statements as you wish, and also include even more
# files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf
@ -191,34 +191,34 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# or: skipfile filename1, filename2, filename3, ... #
#######################################################################
# Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# update.
skipfile local.rules
# The file deleted.rules contains rules that have been deleted from
# The file deleted.rules contains rules that have been deleted from
# other files, so there is usually no point in updating it.
skipfile deleted.rules
# Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and
# Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and
# new/old files are included/excluded.
skipfile snort.conf
# You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to
# You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to
# it some day. We do update it by default, but it's your call.
# skipfile threshold.conf
# If you update from multiple URLs at the same time you may need to
# ignore the sid-msg.map (and generate it yourself if you need one) as
# If you update from multiple URLs at the same time you may need to
# ignore the sid-msg.map (and generate it yourself if you need one) as
# it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map
@ -243,11 +243,11 @@ skipfile snort.conf
# situations. #
# #
# Syntax: #
# modifysid SID "replacethis" | "withthis" #
# modifysid SID "replacethis" | "withthis" #
# or: #
# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
# or: #
# modifysid file "replacethis" | "withthis" #
# modifysid file "replacethis" | "withthis" #
# or: #
# modifysid * "replacethis" | "withthis" #
# #
@ -289,11 +289,11 @@ skipfile snort.conf
# Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
# Example to make SID 1378 a 'drop' rule (valid if you're running
# Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline).
# modifysid 1378 "^alert" | "drop"
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
@ -306,17 +306,17 @@ skipfile snort.conf
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
# "${1} replace:"\/foo\/sh";"
# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf
# though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scans hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network
# scans hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes
@ -326,34 +326,34 @@ skipfile snort.conf
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar"
# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
# Example to convert all rules of classtype attempted-admin to 'drop'
# Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
# This one will append some text to the 'msg' string for all rules that
# This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
# "${1}, going to tag this baby"${2}"
# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar"
# Or you can even specify a SID list but repeat the same SID as many
# Or you can even specify a SID list but repeat the same SID as many
# times as required, like:
# modifysid 100,100,100 "foo" | "bar"

14
roles/Sharingan/files/rkhunter/rkhunter.conf
View File

@ -90,7 +90,7 @@
#
# If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to '0'.
#
#
# The default value is '1'.
#
#ROTATE_MIRRORS=1
@ -635,7 +635,7 @@ ALLOWHIDDENDIR=/dev/.udev
# This option may be specified more than once, and may use wildcard characters.
#
# The default value is the null string.
#
#
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
@ -907,7 +907,7 @@ ALLOWHIDDENDIR=/dev/.udev
#
#APP_WHITELIST=""
#
#
# Set this option to scan for suspicious files in directories which pose a
# relatively higher risk due to user write access.
#
@ -918,7 +918,7 @@ ALLOWHIDDENDIR=/dev/.udev
#
# Please consider adding all directories the user the (web)server runs as,
# and has write access to, including the document root (e.g: '/var/www') and
# log directories (e.g: '/var/log/httpd').
# log directories (e.g: '/var/log/httpd').
#
# This is a space-separated list of directory pathnames. The option may be
# specified more than once.
@ -968,7 +968,7 @@ ALLOWHIDDENDIR=/dev/.udev
#
# The following options can be used to whitelist network ports which are known
# to have been used by malware.
# to have been used by malware.
#
# The PORT_WHITELIST option is a space-separated list of one or more of two
# types of whitelisting. These are:
@ -1233,10 +1233,10 @@ ALLOWHIDDENDIR=/dev/.udev
#
# You should only activate this feature as part of a more thorough
# investigation, which should be based on relevant best practices and
# procedures.
# procedures.
#
# Enabling this feature implies you have the knowledge to interpret the
# results properly.
# results properly.
#
# The default value is the null string.
#

2
roles/Sharingan/files/suricata/suricata.yaml
View File

@ -134,7 +134,7 @@ outputs:
# Header name were the actual IP address will be reported, if more than
# one IP address is present, the last IP address will be the one taken
# into consideration.
header: X-Forwarded-For
header: X-Forwarded-For
# a line based log of HTTP requests (no alerts)
- http-log:

12
roles/Sharingan/tasks/data.yml
View File

@ -1,10 +1,10 @@
---
---
- name: Sharingan data packages
become: yes
package:
state: present
name:
name:
- syslog-ng
- monit
- monitoring-plugins
@ -18,13 +18,13 @@
- name: Sharingan-Data include apps dir
become: yes
register: base_config
lineinfile:
lineinfile:
path: /etc/syslog-ng/syslog-ng.conf
line: "{{ item }}"
loop:
loop:
- '# Allow compartmentalization of config'
- '@include "apps.d/*.conf"'
- name: Sharingan-Data conf
become: yes
template:

4
roles/Sharingan/tasks/heartbeat.yml
View File

@ -9,9 +9,9 @@
owner: root
group: root
mode: 0750
loop:
loop:
- sharingan-heartbeat.timer
- sharingan-heartbeat.service
- sharingan-heartbeat.service
- name: Sharingan-Data heartbeat timer
become: yes

12
roles/Sharingan/tasks/ids.yml
View File

@ -4,7 +4,7 @@
become: yes
register: package_install
package:
name:
name:
- sshguard
- suricata
- oinkmaster
@ -45,7 +45,7 @@
- name: Copy rkhunter service
register: rkhunter_service
become: yes
loop:
loop:
- rkhunter.service
- rkhunter.timer
copy:
@ -69,7 +69,7 @@
- name: Copy oinkmaster service
register: oinkmaster_service
become: yes
loop:
loop:
- oinkmaster.service
- oinkmaster.timer
copy:
@ -88,7 +88,7 @@
become: yes
when: package_install.changed or oinkmaster_conf.changed
service:
name: oinkmaster.service
name: oinkmaster.service
state: started
- name: Update rkhunter DB
@ -98,12 +98,12 @@
- name: IDS services
become: yes
loop:
loop:
- suricata.service
- sshguard.service
- oinkmaster.timer
- rkhunter.timer
service:
service:
name: "{{ item }}"
state: restarted
enabled: yes

4
roles/Sharingan/tasks/main.yml
View File

@ -1,5 +1,5 @@
---
---
- import_tasks: ../roles/Sharingan/tasks/data.yml
- import_tasks: ../roles/Sharingan/tasks/eval.yml
- import_tasks: ../roles/Sharingan/tasks/heartbeat.yml

4
roles/Sharingan/tasks/scans.yml
View File

@ -24,7 +24,7 @@
become: yes
register: lynis_svc
copy:
src: "lynis/{{ item }}"
src: "lynis/{{ item }}"
dest: /usr/lib/systemd/system/
owner: root
group: root
@ -37,7 +37,7 @@
become: yes
register: clam_svc
copy:
src: "clamav/{{ item }}"
src: "clamav/{{ item }}"
dest: /usr/lib/systemd/system/
owner: root
group: root

2
roles/Sharingan/tasks/siem.yml
View File

@ -16,7 +16,7 @@
- mongodb
- graylog
service:
name: "{{ item }}"
name: "{{ item }}"
state: started
enabled: yes

3
roles/Sharingan/templates/monitrc.j2
View File

@ -153,7 +153,8 @@ set log syslog
set httpd port 2812 and
use address localhost # only accept connection from localhost (drop if you use M/Monit)
allow localhost # allow localhost to connect to the server and
allow admin:"{{ monitcli | default('monit') }}" # require user 'admin' with password 'monit'
# require user 'admin' with password
allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
#with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem
#}

47
roles/Tachikoma/tasks/main.yml Normal file
View File

@ -0,0 +1,47 @@
---
- name: Install Tachikoma packages
become: yes
package:
name:
- wifi-menu
- weechat
- elinks
- conky
- xfce4
- xfce4-goodies
- xfce4-screenshooter
- xscreensaver
- libreoffice-still
- hunspell
- hunspell-en_us
- google-chrome
- keepassxc
- sshfs
- vlc
- cups
- brother-mfc-j430w
- brscan4
- xsane
- mtpfs
- libmtp
- alsamixer
- name: Remove deprecated packages
become: yes
package:
name:
- chromium
- keepassx
- kpcli
- irssi
- lynx
- name: Enable services
become: yes
service:
name: "{{ item }}"
state: running
enabled: yes
with:
- cups.service

2
roles/Vanik/tasks/main.yml
View File

@ -1,4 +1,4 @@
---
---
- command: ./scripts/generate-dhcp.py
delegate_to: localhost

2
roles/WebServer/README.md
View File

@ -6,7 +6,7 @@ The WebServer serves content on the Web -- its name is simple to match the funct
# Relevant Files and Software
Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
**Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.

49
roles/WebServer/files/conf.d/Core/aaa_default.conf
View File

@ -1,25 +1,25 @@
server {
listen 443 ssl http2;
server_name default_server;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
server {
listen 443 ssl http2;
server_name aninix.net;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
location /
{
rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html;
rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
location / {
rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
location /aninix.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
}
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
}
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
@ -27,8 +27,19 @@ server {
proxy_pass http://127.0.0.1:3000;
}
location /whatismyip
{
location /aninix.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
}
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
}
location /whatismyip {
include ../conf.d/fastcgi.config;
root /usr/share/webapps/aninix/;
location ~* whatismyip {
@ -36,12 +47,10 @@ server {
expires max;
}
}
location /blackpage
{
location /blackpage {
root /usr/share/webapps/aninix/;
try_files $uri /blackpage.html;
}
include letsencrypt.conf;
}

2
roles/WebServer/files/conf.d/Core/adhan.conf
View File

@ -1,6 +1,6 @@
server {
listen 443 ssl http2;
server_name adhan.aninix.net;
server_name adhan.aninix.net;
include sec.conf;
include default.csp.conf;

2
roles/WebServer/files/conf.d/Core/geth.conf
View File

@ -1,4 +1,4 @@
map $http_upgrade $connection_upgrade {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

2
roles/WebServer/files/conf.d/Core/lykos-wiki.conf
View File

@ -2,7 +2,7 @@ server {
listen 443 ssl;
server_name lykos.aninix.net;
include letsencrypt.conf;
include letsencrypt.conf;
root /usr/share/webapps/;

28
roles/WebServer/files/conf.d/Core/password.conf
View File

@ -1,19 +1,19 @@
server {
listen 443 ssl http2;
server_name password.aninix.net;
server_name password.aninix.net;
include sec.conf;
include default.csp.conf;
include letsencrypt.conf;
root /usr/share/webapps/self-service-password/htdocs/;
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
index index.php index.html index.htm;
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off;
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
@ -21,24 +21,24 @@ server {
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Add stdout logging
#error_log /dev/stdout warn;
#access_log /dev/stdout info;
include ../conf.d/fastcgi.config;
# deny access to . files, for security
#
location ~ /\.\. {
log_not_found off;
deny all;
log_not_found off;
deny all;
}
location ~ /scripts {
log_not_found off;
deny all;
log_not_found off;
deny all;
}
}

2
roles/WebServer/files/conf.d/Core/sharingan.conf
View File

@ -7,7 +7,7 @@ server {
# include default.csp.conf;
include local.conf;
include letsencrypt.conf;
location /
{

2
roles/WebServer/files/conf.d/Core/singularity.conf
View File

@ -1,6 +1,6 @@
server {
listen 443 ssl;
server_name singularity.aninix.net;
server_name singularity.aninix.net;
include sec.conf;
include default.csp.conf;

2
roles/WebServer/files/conf/sec.conf
View File

@ -1,5 +1,5 @@
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
ssl_session_cache shared:SSL:1m;

4
roles/WebServer/tasks/main.yml
View File

@ -58,13 +58,13 @@
service:
name: openresty
state: stopped
enabled: no
enabled: no
- name: Ensure service is started
become: yes
when: conf.changed or confd.changed
service:
name: "{{ item }}"
name: "{{ item }}"
enabled: yes
state: restarted
loop:

25
roles/WolfPack/tasks/main.yml Normal file
View File

@ -0,0 +1,25 @@
---
- name: Packages
become: yes
package:
name:
- wolfpack
- name: Config
become: yes
copy:
src: "{{ inventory_hostname }}"
dest: /usr/local/etc/WolfPack
- name: Timer
become: yes
systemd:
name: "{{ wolfpack_service | default('wolfpack.timer') }}"
state: started
enabled: yes
daemon_reload: yes
# TODO Add sshfs and mountpoint for Darknet
# TODO Add config folders and restart daemon on change
# TODO Deprecate offload-wolfpack for Deluge move to sshfs

6
roles/Yggdrasil/tasks/main.yml
View File

@ -3,12 +3,12 @@
- name: Yggdrasil packages
become: yes
package:
name:
name:
- emby-server
- name: Yggdrasil directories
become: yes
file:
file:
path: "{{ item }}"
state: directory
owner: http
@ -24,7 +24,7 @@
- /srv/yggdrasil/Software
- name: LiveTV channels
command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 {{ iptv_location }} 2>&1 | egrep -v '^--$'"
command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 '{{ iptv_location }}' 2>&1 | egrep -v '^--$'"
register: livetv_channels
- name: Write to file

5
roles/common/tasks/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- debug:
msg: Importing common handlers.
### DO NOT CHANGE THIS FILE

2
roles/hardware/tasks/main.yml
View File

@ -24,7 +24,7 @@
group: root
mode: 0700
register: udev_iosched
- name: Reload udev
become: yes
command: /bin/bash -c 'udevadm control --reload; udevadm trigger'

4
roles/patching/tasks/main.yml
View File

@ -4,8 +4,8 @@
register: df_output
- name: Verify /var space
assert:
that:
assert:
that:
- 90 > {{ df_output.stdout }}
fail_msg: "Not enough free space"

7
tests/test_net-detect.py
View File

@ -1,7 +0,0 @@
import os
import re
import pytest
from modules import netdetect
def test_netdetect_usage():
assert True