Whitespace cleanup to get in sync with AniNIX/Uniglot hooks

This commit is contained in:
DarkFeather 2022-11-20 20:03:01 -06:00
parent a43cb4b6bb
commit a34c96df6b
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
96 changed files with 713 additions and 400 deletions

.gitignore vendored

@ -3,7 +3,9 @@ roles/Nazara/files/dns
roles/Nazara/files/dhcp roles/Nazara/files/dhcp
roles/Node/files/vm-definitions/** roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist roles/ShadowArch/files/mirrorlist
venv/ roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**
**pkg.tar.zst **pkg.tar.zst
# ---> Python # ---> Python


@ -38,8 +38,8 @@ all:
static: true static: true
sslidentity: aninix.net-0001 sslidentity: aninix.net-0001
secdetection: true secdetection: true
iptv_location: Milwaukee iptv_location: "Milwaukee|Madison"
Node0: Node0:
ipinterface: enp1s0f0 ipinterface: enp1s0f0
ip: 10.0.1.4 ip: 10.0.1.4
mac: DE:8B:9E:19:55:1D mac: DE:8B:9E:19:55:1D
@ -67,7 +67,7 @@ all:
memory: 2 memory: 2
vnc: 9 vnc: 9
bridge: br0 bridge: br0
disks: disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdd' - '-drive format=raw,index=0,media=disk,file=/dev/sdd'
Maat: Maat:
ip: 10.0.1.18 ip: 10.0.1.18
@ -147,7 +147,7 @@ all:
cores: 2 cores: 2
memory: 2 memory: 2
bridge: br0 bridge: br0
vnc: 6 vnc: 10
disks: disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2' - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test1.qcow2'
test2: test2:
@ -157,7 +157,7 @@ all:
cores: 2 cores: 2
memory: 2 memory: 2
bridge: br0 bridge: br0
vnc: 5 vnc: 11
disks: disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2' - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test2.qcow2'
test3: test3:
@ -167,7 +167,7 @@ all:
cores: 2 cores: 2
memory: 2 memory: 2
bridge: br0 bridge: br0
vnc: 4 vnc: 12
disks: disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2' - '-drive format=qcow2,l2-cache-size=8M,file=/srv/maat/vm/test3.qcow2'
appliances: appliances:
@ -183,7 +183,7 @@ all:
mac: 70:74:14:4F:8E:42 mac: 70:74:14:4F:8E:42
Games: Games:
ip: 10.0.1.66 ip: 10.0.1.66
mac: 00:1F:BC:10:1C:F8 mac: E0:BE:03:77:0E:88
Print: Print:
ip: 10.0.1.67 ip: 10.0.1.67
mac: 00:80:92:77:CE:E4 mac: 00:80:92:77:CE:E4
@ -201,7 +201,7 @@ all:
mac: 80:D2:1D:17:63:10 mac: 80:D2:1D:17:63:10
Tachikoma: Tachikoma:
ip: 10.0.1.72 ip: 10.0.1.72
mac: B8:76:3F:70:DB:C1 mac: 90:0f:0c:1a:d3:23
Dedsec: Dedsec:
ip: 10.0.1.73 ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F mac: 34:F6:4B:36:12:8F
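Review bot: The `mac:` values in this inventory are unquoted plain scalars, and the new `Tachikoma` entry mixes lowercase hex with the uppercase used everywhere else (`90:0f:0c:1a:d3:23` next to `DE:8B:9E:19:55:1D`). A MAC that happens to contain only decimal digits, e.g. `10:11:22:33:44:55`, is read by Ansible's YAML 1.1 loader as a sexagesimal integer rather than a string, so the hostvar silently becomes a number; quoting them, `mac: "90:0F:0C:1A:D3:23"`, removes that trap and the case inconsistency, which presumably matters if any template compares these values against DHCP leases. Nothing in the hunk explains why the three test VMs moved from VNC displays 4-6 to 10-12, so a one-line comment above the `test1` entry such as `# VNC displays 10+ are reserved for throwaway test VMs` would save the next reader a guess.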


@ -12,7 +12,7 @@
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault # Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it. # Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
# #
- hosts: "{{ targets | default('all') }}" - hosts: "{{ targets | default('managed') }}"
order: sorted order: sorted
serial: "{{ threads | default('8') }}" serial: "{{ threads | default('8') }}"
gather_facts: true gather_facts: true
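Review bot: The default target changed from `all` to `managed`, but the header comment above still documents only the vault environment variables, so a host that is not in the `managed` group is now silently skipped with nothing telling the operator why. Add a line to that header such as `# Runs against the 'managed' group unless overridden with -e targets=<pattern>; -e threads=<N> sets the batch size (default 8).` The `serial` default is a string (`'8'`), which Ansible accepts, though a bare integer `8` is the more conventional form for a batch size.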


@ -1,19 +0,0 @@
#!/bin/bash
cd ~/src/Ubiqtorate/roles
if [ -n "$(git status | grep roles &>/dev/null)" ]; then
echo There are roles that are not committed yet.
exit 1;
fi
unset bad
for i in `ls -1`; do
if ! grep "$i" ../playbooks/deploy.yml &>/dev/null; then
echo "$i is not used in playbooks/deploy.yml"
bad="1"
fi
done
if [ -n "$bad" ]; then
exit 1;
fi


@ -0,0 +1,10 @@
#!/bin/bash
# Limit files in git to 1M.
find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|\s./.git/'
if [ $? -ne 1 ]; then
echo
echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
exit 1;
fi
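Review bot: The check on line 3 walks the whole working tree and filters `du -k` output by the textual width of the size column, so it is neither scoped to what is being committed nor an actual 1M limit: any file of 1000K or more trips it, and large untracked content (the `venv/` this same commit adds to `.gitignore`, package build output) blocks every commit even though it will never enter the repository. Assuming these run as pre-commit hooks as the commit title suggests, the reliable approach is to iterate the staged paths from `git diff --cached --name-only --diff-filter=AM -z` and compare `git cat-file -s ":$path"` numerically against `1048576`; that also avoids the unescaped `.` in `\s./.git/` matching more than intended. The rewrite below keeps the user-facing message unchanged.
```shell
#!/bin/bash
# Limit files in git to 1M.
# Check only the blobs that are actually staged; the working tree may hold
# large untracked files (venv/, build output) that are never committed.
limit=$((1024 * 1024))
retcode=0
while IFS= read -r -d '' path; do
    size="$(git cat-file -s ":$path" 2>/dev/null)" || continue
    if [ "$size" -gt "$limit" ]; then
        echo "$path: $size bytes"
        retcode=1
    fi
done < <(git diff --cached --name-only --diff-filter=AM -z)
if [ "$retcode" -ne 0 ]; then
    echo
    echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
fi
exit "$retcode"
```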


@ -0,0 +1,14 @@
#!/bin/bash
retcode=0
for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
echo "Need MOTD for $host"
retcode=1;
fi
if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
echo "Need Sharingan-Data file for $host"
retcode=1;
fi
done
exit $retcode
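Review bot: If the `ansible --list-hosts` call on line 3 fails (binary missing, inventory parse error, the `managed` group absent), the command substitution is empty, the loop body never runs, and the hook exits 0 as if every host had its MOTD and monit definition. Capture the listing first and fail on error: `hosts="$(ansible -i examples/msn0.yml --list-hosts managed)" || { echo "Could not list managed hosts"; exit 1; }` followed by `for host in $(printf '%s\n' "$hosts" | grep -v ' hosts '); do`. The inventory path is relative, which is fine for a git hook since git runs hooks from the top of the working tree, but a comment stating that assumption would help anyone invoking the script by hand.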


@ -0,0 +1,28 @@
#!/bin/bash
# Ignore Ansibilized templates.
saferegex='\s+}}"?\s*$'
# Ignore comments
saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//'
# Ignore binary file matches.
saferegex="$saferegex"'|binary\ file\ matches'
# AniNIX Constructs
saferegex="$saferegex"'|password.aninix.net|aur.list'
# Web constructs
saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex="$saferegex"'|haveibeenpwned'
# Unset variables.
saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
egrep -ir 'secret|password|pw|passphrase' roles/*/{files,templates} 2>&1 | egrep -v "$saferegex"
if [ $? -ne 1 ]; then
echo
echo If these are false positives, you need to add the signature to the whitelist in $0.
echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
exit 1;
fi
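Review bot: The allowlist built on lines 9-11 exempts far more than the false positives it names: `.css:|.html:|.md:` has unescaped dots and no anchor, so any grep hit whose path or text contains e.g. `cmd:` is dropped, and every match inside an HTML or Markdown file is suppressed outright; `htpasswd` likewise mutes any line mentioning it, which includes the contents of a committed `.htpasswd` file, the one place credential hashes would actually live. Anchor the extension exemptions to the path prefix that `grep -r` prints, `saferegex="$saferegex"'|^[^:]*\.(css|html|md):|/htdocs/'`, and replace the bare `htpasswd` term with the directive that references it, e.g. `'|AuthUserFile\s'`, so the file itself is still scanned. The search term `pw` is what forces most of the LDAP `pwd*` exemptions on line 19; narrowing it to `\bpw\b` or `pw\s*[=:]` would shrink that list and reduce the chance a real secret hides behind one of the broad words like `attempt` on line 13.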


@ -8,7 +8,7 @@
- name: Standardize the servicefile - name: Standardize the servicefile
become: yes become: yes
register: servicefile register: servicefile
copy: copy:
src: cyberbrain.service src: cyberbrain.service
dest: /usr/lib/systemd/system/cyberbrain.service dest: /usr/lib/systemd/system/cyberbrain.service
owner: root owner: root
@ -20,7 +20,7 @@
service: service:
name: webssh name: webssh
state: stopped state: stopped
enabled: no enabled: no
- systemd: - systemd:
daemon_reload: true daemon_reload: true


@ -11,8 +11,8 @@ A basic VM to provide DarkNet functionality in an AniNIX replica only needs the
* Virtualized NIC * Virtualized NIC
* 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled * 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled
# Hosted Services # Hosted Services
The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that. The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN. We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN.
``` ```


@ -18,7 +18,7 @@
name: "{{ item }}" name: "{{ item }}"
state: started state: started
enabled: yes enabled: yes
loop: loop:
- tor - tor
- nordvpnd - nordvpnd
- deluged - deluged
@ -26,3 +26,9 @@
- debug: - debug:
msg: "Remember to use the nordvpn-bin command to set up your account." msg: "Remember to use the nordvpn-bin command to set up your account."
# TODO Add yaml for OVPN file, user, pass to Vault
# TODO Enforce vpn.service on server instead of nordvpnd.
# TODO Add /etc/bashrc.d file for `alias torlynx='torsocks elinks https://check.torproject.org/'`
# TODO Add monit checks for tor and openvpn services
# TODO Shift deluged to WolfPack


@ -0,0 +1,8 @@
---
# Consider https://blackarch.org/blackarch-guide-en.pdf
- name: Install DedSec packages
become: yes
package:
name:
- tcpdump
- wireshark
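Review bot: The `package` task has no `state:`, so it relies on the module default; spelling out `state: present` makes the intent of a tooling role explicit and matches the rest of the repo's task style. If this role targets Arch like the sibling ShadowArch role suggests, confirm the package name, since Arch ships Wireshark as `wireshark-cli` / `wireshark-qt` rather than a bare `wireshark`, and note in a comment that non-root capture additionally needs the operator in the `wireshark` group. Prefer `become: true` over `become: yes` so the boolean survives YAML 1.2 tooling.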


@ -1,7 +1,5 @@
#!/bin/bash #!/bin/bash
set -x
URI=https://aninix.net/assets/css/theme-arc-green.css URI=https://aninix.net/assets/css/theme-arc-green.css
# Gitea arc-green palette # Gitea arc-green palette
@ -59,7 +57,7 @@ a {
cd /var/lib/gitea/web-snippets cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')" head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')" foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
for i in `find . -type f`; do for i in `find . -type f`; do
(echo "$head" (echo "$head"
cat "$i" cat "$i"
echo "$foot") > /var/lib/gitea/custom/public/"$i".html echo "$foot") > /var/lib/gitea/custom/public/"$i".html
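Review bot: The two `curl -ks https://aninix.net/` fetches on lines 58-59 disable TLS certificate verification, and their output is written verbatim into `/var/lib/gitea/custom/public/` on line 63, so anyone able to interpose on that fetch gets persistent, site-wide HTML/JS injection into every snippet page Gitea serves. Drop `-k` and fail loudly on a bad fetch, `head="$(curl -s --fail https://aninix.net/ | egrep -B 99999 '^<div class="home"')" || exit 1`, since an empty `head` otherwise silently produces truncated pages. The `for i in \`find . -type f\`` loop also word-splits on whitespace in filenames; `find . -type f -print0 | while IFS= read -r -d '' i` is the safe form. The script continues past this hunk.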


@ -1,6 +1,6 @@
<?php <?php
/* /*
* Build a sitemap dynamically. * Build a sitemap dynamically.
* Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml` * Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml`
* *
@ -15,7 +15,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
'; ';
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output); exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
foreach ($output as &$file) { foreach ($output as &$file) {
echo ' <url> echo ' <url>
'; ';
echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc> echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
@ -23,10 +23,10 @@ echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
echo ' <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod> echo ' <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod>
'; ';
echo ' </url> echo ' </url>
'; ';
} }
/* Print footer */ /* Print footer */
echo '</urlset> echo '</urlset>
'; ';
?> ?>


@ -1,31 +1,31 @@
# http://www.wtfpl.net/about/ # http://www.wtfpl.net/about/
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004 Version 2, December 2004
Copyright (C) 2004 Sam Hocevar <sam@hocevar.net> Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
Everyone is permitted to copy and distribute verbatim or modified Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long copies of this license document, and changing it is allowed as long
as the name is changed. as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO. 0. You just DO WHAT THE FUCK YOU WANT TO.
ANINIX ADDENDUM ANINIX ADDENDUM
Trademark 2017 (https://aninix.net/) Trademark 2017 (https://aninix.net/)
The "AniNIX" name and |> logo are trademarked as of 2017/11/21. The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
AniNIX materials may be reproduced and re-used (though you must AniNIX materials may be reproduced and re-used (though you must
contact the admins of the network to get written permission to use contact the admins of the network to get written permission to use
the AniNIX name or logo) so long as such reproduction or re-use the AniNIX name or logo) so long as such reproduction or re-use
does not inhibit the original AniNIX use of the same. does not inhibit the original AniNIX use of the same.
Attribution is appreciated for other materials but not legally Attribution is appreciated for other materials but not legally
required or necessary. required or necessary.
"AniNIX" trademark serial: 87177883 "AniNIX" trademark serial: 87177883
|> Logo trademark serial: 87177887 |> Logo trademark serial: 87177887



@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
AniNIX.png


@ -1 +0,0 @@
/srv/yggdrasil/Pictures/AniNIX/Icons/


@ -17,7 +17,7 @@
<div class="eight wide center column"> <div class="eight wide center column">
<h1 class="hero ui icon header"> <h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/> <img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<a href="/user/login?redirect_to=%2fAniNIX_Martial_Arts">Open-source</a> <a href="/mawiki">Open-source</a>
</h1> </h1>
<p class="large"> <p class="large">
We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone. We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
@ -116,13 +116,13 @@
> >
Checkout Checkout
</button> </button>
<div id="error-message"></div> <div id="error-message"></div>
<script> <script>
(function() { (function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX'); var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuhvI49P1uFPoXXoSjPm2w'); var checkoutButton = document.getElementById('checkout-button-price_1HTuhvI49P1uFPoXXoSjPm2w');
checkoutButton.addEventListener('click', function () { checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect // When the customer clicks on the button, redirect
@ -148,7 +148,7 @@
}); });
}); });
})(); })();
</script> </script>
<! -- END STRIPE CODE --> <! -- END STRIPE CODE -->
</p> </p>
</div> </div>
@ -170,13 +170,13 @@
> >
Checkout Checkout
</button> </button>
<div id="error-message"></div> <div id="error-message"></div>
<script> <script>
(function() { (function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX'); var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HThmcI49P1uFPoXMDCRVXTl'); var checkoutButton = document.getElementById('checkout-button-price_1HThmcI49P1uFPoXMDCRVXTl');
checkoutButton.addEventListener('click', function () { checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect // When the customer clicks on the button, redirect
@ -202,8 +202,8 @@
}); });
}); });
})(); })();
</script> </script>
<! -- END STRIPE CODE --> <! -- END STRIPE CODE -->
</p> </div> </p> </div>
</div> </div>
<div class="ui stackable middle very relaxed page grid"> <div class="ui stackable middle very relaxed page grid">
@ -225,13 +225,13 @@
> >
Checkout Checkout
</button> </button>
<div id="error-message"></div> <div id="error-message"></div>
<script> <script>
(function() { (function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX'); var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTucZI49P1uFPoXshtbIl8W'); var checkoutButton = document.getElementById('checkout-button-price_1HTucZI49P1uFPoXshtbIl8W');
checkoutButton.addEventListener('click', function () { checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect // When the customer clicks on the button, redirect
@ -258,8 +258,8 @@
}); });
})(); })();
</script> </script>
<! -- END STRIPE CODE --> <! -- END STRIPE CODE -->
</p> </p>
</div> </div>
<div class="eight wide center column" style="border: 1px solid #FFF;"> <div class="eight wide center column" style="border: 1px solid #FFF;">
<h1 class="hero ui icon header"> <h1 class="hero ui icon header">
@ -296,13 +296,13 @@
> >
Checkout Checkout
</button> </button>
<div id="error-message"></div> <div id="error-message"></div>
<script> <script>
(function() { (function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX'); var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuYII49P1uFPoXaIk9puyu'); var checkoutButton = document.getElementById('checkout-button-price_1HTuYII49P1uFPoXaIk9puyu');
checkoutButton.addEventListener('click', function () { checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect // When the customer clicks on the button, redirect
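Review bot: The closing markers `<! -- END STRIPE CODE -->` on the new side of this section are malformed comments; browsers recover by treating `<!` as a bogus comment up to the next `>`, but the form is invalid and any tooling that parses the template strictly will choke on it, so write `<!-- END STRIPE CODE -->` as the opening marker already does. The same `Stripe('pk_live_…')` initialisation is repeated once per checkout button; a publishable key is designed to be client-side, so this is not a secret leak, but five copies mean a key rotation has to touch five places, and a single `var stripe = Stripe('…');` at the top of one script block with each button's handler below it would be easier to maintain. The hunks cut through the IIFEs, whose bodies continue outside this view.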


@ -13,7 +13,7 @@
<div class="ui stackable middle very relaxed page grid"> <div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" > <div class="sixteen wide center column" >
<h1 class="hero ui icon header"> <h1 class="hero ui icon header">
<img width=20px height=20px src='/img/icons/CoreIcon.png'/> <img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
Cybersecurity Consulting Cybersecurity Consulting
</h1> </h1>
<p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p> <p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
@ -45,7 +45,7 @@
<br/> <br/>
</form> </form>
<!-- START STRIPE CODE --> <!-- START STRIPE CODE -->
<!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. --> <!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
<button <button
style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em" style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
@ -55,13 +55,13 @@
> >
Checkout Checkout
</button> </button>
<div id="error-message"></div> <div id="error-message"></div>
<script> <script>
(function() { (function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX'); var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E'); var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
checkoutButton.addEventListener('click', function () { checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect // When the customer clicks on the button, redirect
@ -91,5 +91,17 @@
<! -- END STRIPE CODE --> <! -- END STRIPE CODE -->
</p> </p>
</div> </div>
<hr style="margin-top: 50px;" /> </div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<hr style="margin-top: 50px;" />
<h2>Donate</h2>
<p>If you like what we do, you can also donate on one of these platforms:</p>
<ul style="width:500px;text-align: left;margin:auto;">
<li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
<li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
<li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
<li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
</ul>
</div>
</div> </div>
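Review bot: The new donate list names an `0x…` address as "Coinbase USDC" without saying which network it belongs to; USDC is issued on several chains that all use that address format, and a transfer sent on the wrong one is unrecoverable, so label it explicitly, e.g. `<li>USDC (Ethereum mainnet) 0x21a0…3Bf3</li>`, presumably after confirming the network in Coinbase. Because these addresses live in a web-served HTML template, a tampered deploy would silently redirect funds; publishing the same addresses in a signed artefact (this commit is already GPG-signed) and linking it from the list gives donors something to verify against. The `<! -- END STRIPE CODE -->` marker just above the new section is a malformed comment and should read `<!-- END STRIPE CODE -->`.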


@ -1,7 +1,7 @@
<div class="ui stackable middle very relaxed page grid"> <div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column"> <div class="sixteen wide center aligned centered column">
<div> <div>
<img class="logo" src="/img/icons/CoreIcon.png" /> <img class="logo" src="/assets/img/icons/CoreIcon.png" />
</div> </div>
<div class="hero"> <div class="hero">
<h2 class="ui icon header title"> <h2 class="ui icon header title">


@ -13,7 +13,7 @@ RUN_MODE = prod
ROOT = repos ROOT = repos
SCRIPT_TYPE = bash SCRIPT_TYPE = bash
; Default ANSI charset ; Default ANSI charset
ANSI_CHARSET = ANSI_CHARSET =
; Force every new repository to be private ; Force every new repository to be private
FORCE_PRIVATE = false FORCE_PRIVATE = false
; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used. ; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
@ -31,7 +31,7 @@ PREFERRED_LICENSES = AniNIX-WTFPL
DISABLE_HTTP_GIT = false DISABLE_HTTP_GIT = false
; Value for Access-Control-Allow-Origin header, default is not to present ; Value for Access-Control-Allow-Origin header, default is not to present
; WARNING: This maybe harmful to you website if you do not give it a right value. ; WARNING: This maybe harmful to you website if you do not give it a right value.
ACCESS_CONTROL_ALLOW_ORIGIN = ACCESS_CONTROL_ALLOW_ORIGIN =
; Force ssh:// clone url instead of scp-style uri when default SSH port is used ; Force ssh:// clone url instead of scp-style uri when default SSH port is used
USE_COMPAT_SSH_URI = false USE_COMPAT_SSH_URI = false
; Close issues as long as a commit on any branch marks it as fixed ; Close issues as long as a commit on any branch marks it as fixed
@ -57,7 +57,7 @@ ENABLED = true
; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart) ; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
TEMP_PATH = data/tmp/uploads TEMP_PATH = data/tmp/uploads
; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type ; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
ALLOWED_TYPES = ALLOWED_TYPES =
; Max size of each file in megabytes. Defaults to 3MB ; Max size of each file in megabytes. Defaults to 3MB
FILE_MAX_SIZE = 3 FILE_MAX_SIZE = 3
; Max number of files per upload. Defaults to 5 ; Max number of files per upload. Defaults to 5
@ -138,7 +138,7 @@ KEYWORDS = go,git,self-hosted,gitea,aninix,aninix::foundation
ENABLE_HARD_LINE_BREAK = false ENABLE_HARD_LINE_BREAK = false
; List of custom URL-Schemes that are allowed as links when rendering Markdown ; List of custom URL-Schemes that are allowed as links when rendering Markdown
; for example git,magnet ; for example git,magnet
CUSTOM_URL_SCHEMES = CUSTOM_URL_SCHEMES =
; List of file extensions that should be rendered/edited as Markdown ; List of file extensions that should be rendered/edited as Markdown
; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma ; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
@ -156,7 +156,7 @@ HTTP_PORT = 3000
; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for ; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for
; PORT_TO_REDIRECT. ; PORT_TO_REDIRECT.
REDIRECT_OTHER_PORT = false REDIRECT_OTHER_PORT = false
PORT_TO_REDIRECT = 3000 PORT_TO_REDIRECT = 3000
; Permission for unix socket ; Permission for unix socket
UNIX_SOCKET_PERMISSION = 660 UNIX_SOCKET_PERMISSION = 660
; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service. ; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
@ -169,17 +169,17 @@ DISABLE_SSH = false
; Whether to use the builtin SSH server or not. ; Whether to use the builtin SSH server or not.
START_SSH_SERVER = false START_SSH_SERVER = false
; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER. ; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
BUILTIN_SSH_SERVER_USER = BUILTIN_SSH_SERVER_USER =
; Domain name to be exposed in clone URL ; Domain name to be exposed in clone URL
SSH_DOMAIN = foundation.aninix.net SSH_DOMAIN = foundation.aninix.net
; The network interface the builtin SSH server should listen on ; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST = SSH_LISTEN_HOST =
; Port number to be exposed in clone URL ; Port number to be exposed in clone URL
SSH_PORT = 22 SSH_PORT = 22
; The port number the builtin SSH server should listen on ; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s SSH_LISTEN_PORT = %(SSH_PORT)s
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH = SSH_ROOT_PATH =
; Gitea will create a authorized_keys file by default when it is not using the internal ssh server ; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off. ; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
SSH_CREATE_AUTHORIZED_KEYS_FILE = true SSH_CREATE_AUTHORIZED_KEYS_FILE = true
@ -194,7 +194,7 @@ SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-gro
SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96 SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
; Directory to create temporary files in when testing public keys using ssh-keygen, ; Directory to create temporary files in when testing public keys using ssh-keygen,
; default is the system temporary directory. ; default is the system temporary directory.
SSH_KEY_TEST_PATH = SSH_KEY_TEST_PATH =
; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call. ; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
SSH_KEYGEN_PATH = ssh-keygen SSH_KEYGEN_PATH = ssh-keygen
; Enable SSH Authorized Key Backup when rewriting all keys, default is true ; Enable SSH Authorized Key Backup when rewriting all keys, default is true
@ -208,7 +208,7 @@ OFFLINE_MODE = true
DISABLE_ROUTER_LOG = false DISABLE_ROUTER_LOG = false
; Generate steps: ; Generate steps:
; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com ; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
; ;
; Or from a .pfx file exported from the Windows certificate store (do ; Or from a .pfx file exported from the Windows certificate store (do
; not forget to export the private key): ; not forget to export the private key):
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys ; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
@ -301,7 +301,7 @@ DISABLE_REGULAR_ORG_CREATION = true
; Whether the installer is disabled ; Whether the installer is disabled
INSTALL_LOCK = true INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!! ; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ secrets.Foundation.secret_key }} SECRET_KEY = {{ secrets.Foundation.secret_key }}
; How long to remember that an user is logged in before requiring relogin (in days) ; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7 LOGIN_REMEMBER_DAYS = 7
COOKIE_USERNAME = gitea_awesome COOKIE_USERNAME = gitea_awesome
@ -318,15 +318,15 @@ DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }} INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }}
[openid] [openid]
; ;
; OpenID is an open, standard and decentralized authentication protocol. ; OpenID is an open, standard and decentralized authentication protocol.
; Your identity is the address of a webpage you provide, which describes ; Your identity is the address of a webpage you provide, which describes
; how to prove you are in control of that page. ; how to prove you are in control of that page.
; ;
; For more info: https://en.wikipedia.org/wiki/OpenID ; For more info: https://en.wikipedia.org/wiki/OpenID
; ;
; Current implementation supports OpenID-2.0 ; Current implementation supports OpenID-2.0
; ;
; Tested to work providers at the time of writing: ; Tested to work providers at the time of writing:
; - Any GNUSocial node (your.hostname.tld/username) ; - Any GNUSocial node (your.hostname.tld/username)
; - Any SimpleID provider (http://simpleid.koinic.net) ; - Any SimpleID provider (http://simpleid.koinic.net)
@ -334,7 +334,7 @@ INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }}
; - openid.stackexchange.com ; - openid.stackexchange.com
; - login.launchpad.net ; - login.launchpad.net
; - <username>.livejournal.com ; - <username>.livejournal.com
; ;
; Whether to allow signin in via OpenID ; Whether to allow signin in via OpenID
ENABLE_OPENID_SIGNIN = FALSE ENABLE_OPENID_SIGNIN = FALSE
; Whether to allow registering via OpenID ; Whether to allow registering via OpenID
@ -344,12 +344,12 @@ ENABLE_OPENID_SIGNIN = FALSE
; Space separated. ; Space separated.
; Only these would be allowed if non-blank. ; Only these would be allowed if non-blank.
; Example value: trusted.domain.org trusted.domain.net ; Example value: trusted.domain.org trusted.domain.net
WHITELISTED_URIS = WHITELISTED_URIS =
; Forbidden URI patterns (POSIX regexp). ; Forbidden URI patterns (POSIX regexp).
; Space separated. ; Space separated.
; Only used if WHITELISTED_URIS is blank. ; Only used if WHITELISTED_URIS is blank.
; Example value: loadaverage.org/badguy stackexchange.com/.*spammer ; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
BLACKLISTED_URIS = BLACKLISTED_URIS =
ENABLE_OPENID_SIGNUP = false ENABLE_OPENID_SIGNUP = false
[service] [service]
@ -361,7 +361,7 @@ RESET_PASSWD_CODE_LIVE_MINUTES = 180
REGISTER_EMAIL_CONFIRM = false REGISTER_EMAIL_CONFIRM = false
; List of domain names that are allowed to be used to register on a Gitea instance ; List of domain names that are allowed to be used to register on a Gitea instance
; gitea.io,example.com ; gitea.io,example.com
EMAIL_DOMAIN_WHITELIST = EMAIL_DOMAIN_WHITELIST =
; Disallow registration, only allow admins to create accounts. ; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = true DISABLE_REGISTRATION = true
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false ; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
@ -380,8 +380,8 @@ ENABLE_CAPTCHA = false
CAPTCHA_TYPE = image CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service ; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key ; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET = RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY = RECAPTCHA_SITEKEY =
; Change this to use recaptcha.net or other recaptcha service ; Change this to use recaptcha.net or other recaptcha service
RECAPTCHA_URL = https://www.google.com/recaptcha/ RECAPTCHA_URL = https://www.google.com/recaptcha/
; Default value for KeepEmailPrivate ; Default value for KeepEmailPrivate
@ -435,18 +435,18 @@ ENABLED = false
; Buffer length of channel, keep it as it is if you don't know what it is. ; Buffer length of channel, keep it as it is if you don't know what it is.
SEND_BUFFER_LEN = 100 SEND_BUFFER_LEN = 100
; Prefix displayed before subject in mail ; Prefix displayed before subject in mail
SUBJECT_PREFIX = SUBJECT_PREFIX =
; Mail server ; Mail server
; Gmail: smtp.gmail.com:587 ; Gmail: smtp.gmail.com:587
; QQ: smtp.qq.com:465 ; QQ: smtp.qq.com:465
; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used. ; Note, if the port ends with "465", SMTPS will be used. Using STARTTLS on port 587 is recommended per RFC 6409. If the server supports STARTTLS it will always be used.
HOST = HOST =
; Disable HELO operation when hostnames are different. ; Disable HELO operation when hostnames are different.
DISABLE_HELO = DISABLE_HELO =
; Custom hostname for HELO operation, if no value is provided, one is retrieved from system. ; Custom hostname for HELO operation, if no value is provided, one is retrieved from system.
HELO_HOSTNAME = HELO_HOSTNAME =
; Do not verify the certificate of the server. Only use this for self-signed certificates ; Do not verify the certificate of the server. Only use this for self-signed certificates
SKIP_VERIFY = SKIP_VERIFY =
; Use client certificate ; Use client certificate
USE_CERTIFICATE = false USE_CERTIFICATE = false
CERT_FILE = custom/mailer/cert.pem CERT_FILE = custom/mailer/cert.pem
@ -454,11 +454,11 @@ KEY_FILE = custom/mailer/key.pem
; Should SMTP connection use TLS ; Should SMTP connection use TLS
IS_TLS_ENABLED = false IS_TLS_ENABLED = false
; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
FROM = FROM =
; Mailer user name and password ; Mailer user name and password
USER = USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password. ; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = PASSWD =
; Send mails as plain text ; Send mails as plain text
SEND_AS_PLAIN_TEXT = false SEND_AS_PLAIN_TEXT = false
; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log) ; Set Mailer Type (either SMTP, sendmail or dummy to just send to the log)
@ -466,7 +466,7 @@ MAILER_TYPE = smtp
; Specify an alternative sendmail binary ; Specify an alternative sendmail binary
SENDMAIL_PATH = sendmail SENDMAIL_PATH = sendmail
; Specify any extra sendmail arguments ; Specify any extra sendmail arguments
SENDMAIL_ARGS = SENDMAIL_ARGS =
[cache] [cache]
; Either "memory", "redis", or "memcache", default is "memory" ; Either "memory", "redis", or "memcache", default is "memory"
@ -476,7 +476,7 @@ INTERVAL = 60
; For "redis" and "memcache", connection host address ; For "redis" and "memcache", connection host address
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180 ; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; memcache: `127.0.0.1:11211` ; memcache: `127.0.0.1:11211`
HOST = HOST =
; Time to keep items in cache if not used, default is 16 hours. ; Time to keep items in cache if not used, default is 16 hours.
; Setting it to 0 disables caching ; Setting it to 0 disables caching
ITEM_TTL = 16h ITEM_TTL = 16h
@ -541,7 +541,7 @@ MAX_FILES = 5
; Specifies the format for fully outputted dates. Defaults to RFC1123 ; Specifies the format for fully outputted dates. Defaults to RFC1123
; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano ; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
; For more information about the format see http://golang.org/pkg/time/#pkg-constants ; For more information about the format see http://golang.org/pkg/time/#pkg-constants
FORMAT = FORMAT =
[log] [log]
ROOT_PATH = /var/log/gitea/ ROOT_PATH = /var/log/gitea/
@ -564,22 +564,22 @@ STACKTRACE_LEVEL = Critical
; Generic log modes ; Generic log modes
[log.x] [log.x]
FLAGS = stdflags FLAGS = stdflags
EXPRESSION = EXPRESSION =
PREFIX = PREFIX =
COLORIZE = false COLORIZE = false
; For "console" mode only ; For "console" mode only
[log.console] [log.console]
LEVEL = LEVEL =
COLORIZE = false COLORIZE = false
STDERR = false STDERR = false
; For "file" mode only ; For "file" mode only
[log.file] [log.file]
LEVEL = LEVEL =
; Set the file_name for the logger. If this is a relative path this ; Set the file_name for the logger. If this is a relative path this
; will be relative to ROOT_PATH ; will be relative to ROOT_PATH
FILE_NAME = FILE_NAME =
; This enables automated log rotate(switch of following options), default is true ; This enables automated log rotate(switch of following options), default is true
LOG_ROTATE = true LOG_ROTATE = true
; Max number of lines in a single file, default is 1000000 ; Max number of lines in a single file, default is 1000000
@ -597,7 +597,7 @@ COMPRESSION_LEVEL = -1
; For "conn" mode only ; For "conn" mode only
[log.conn] [log.conn]
LEVEL = LEVEL =
; Reconnect host for every single message, default is false ; Reconnect host for every single message, default is false
RECONNECT_ON_MSG = false RECONNECT_ON_MSG = false
; Try to reconnect when connection is lost, default is false ; Try to reconnect when connection is lost, default is false
@ -605,21 +605,21 @@ RECONNECT = false
; Either "tcp", "unix" or "udp", default is "tcp" ; Either "tcp", "unix" or "udp", default is "tcp"
PROTOCOL = tcp PROTOCOL = tcp
; Host address ; Host address
ADDR = ADDR =
; For "smtp" mode only ; For "smtp" mode only
[log.smtp] [log.smtp]
LEVEL = LEVEL =
; Name displayed in mail title, default is "Diagnostic message from server" ; Name displayed in mail title, default is "Diagnostic message from server"
SUBJECT = Diagnostic message from server SUBJECT = Diagnostic message from server
; Mail server ; Mail server
HOST = HOST =
; Mailer user name and password ; Mailer user name and password
USER = USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password. ; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = PASSWD =
; Receivers, can be one or more, e.g. 1@example.com,2@example.com ; Receivers, can be one or more, e.g. 1@example.com,2@example.com
RECEIVERS = RECEIVERS =
[cron] [cron]
; Enable running cron tasks periodically. ; Enable running cron tasks periodically.
@ -637,7 +637,7 @@ SCHEDULE = @every 24h
TIMEOUT = 60s TIMEOUT = 60s
; Arguments for command 'git fsck', e.g. "--unreachable --tags" ; Arguments for command 'git fsck', e.g. "--unreachable --tags"
; see more on http://git-scm.com/docs/git-fsck ; see more on http://git-scm.com/docs/git-fsck
ARGS = ARGS =
; Check repository statistics ; Check repository statistics
[cron.check_repo_stats] [cron.check_repo_stats]
@ -676,7 +676,7 @@ MAX_GIT_DIFF_LINE_CHARACTERS = 5000
MAX_GIT_DIFF_FILES = 100 MAX_GIT_DIFF_FILES = 100
; Arguments for command 'git gc', e.g. "--aggressive --auto" ; Arguments for command 'git gc', e.g. "--aggressive --auto"
; see more on http://git-scm.com/docs/git-gc/ ; see more on http://git-scm.com/docs/git-gc/
GC_ARGS = GC_ARGS =
; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1 ; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
EnableAutoGitWireProtocol = true EnableAutoGitWireProtocol = true
@ -780,5 +780,5 @@ IS_INPUT_FILE = false
; Enables metrics endpoint. True or false; default is false. ; Enables metrics endpoint. True or false; default is false.
ENABLED = false ENABLED = false
; If you want to add authorization, specify a token here ; If you want to add authorization, specify a token here
TOKEN = TOKEN =


@ -0,0 +1,10 @@
---
- name: Install Games packages
become: yes
package:
name:
- mgba-qt
- steam
- steam-native-runtime
- discord


@ -14,7 +14,7 @@ LOAD_MODULES=true
# Run "lircd --driver=help" for a list of supported drivers. # Run "lircd --driver=help" for a list of supported drivers.
DRIVER="default" DRIVER="default"
# usually /dev/lirc0 is the correct setting for systems using udev # usually /dev/lirc0 is the correct setting for systems using udev
DEVICE="/dev/lirc0" DEVICE="/dev/lirc0"
MODULES="lirc_rpi" MODULES="lirc_rpi"


@ -5,9 +5,9 @@
# this config file was automatically generated # this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017 # using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017
# #
# contributed by # contributed by
# #
# brand: Insignia # brand: Insignia
# model no. of remote control: NS-RC4NA-14 # model no. of remote control: NS-RC4NA-14
# devices being controlled by this remote: TV # devices being controlled by this remote: TV
# #


@ -8,7 +8,7 @@
# contributed by darkfeather@aninix.net # contributed by darkfeather@aninix.net
# #
# brand: LG.conf # brand: LG.conf
# model no. of remote control: AKB73715608 # model no. of remote control: AKB73715608
# devices being controlled by this remote: TV # devices being controlled by this remote: TV
# #
@ -49,10 +49,10 @@ end remote
# this config file was automatically generated # this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Tue May 1 06:40:29 2018 # using lirc-0.9.0-pre1(default) on Tue May 1 06:40:29 2018
# #
# contributed by # contributed by
# #
# brand: ./lasko.conf # brand: ./lasko.conf
# model no. of remote control: # model no. of remote control:
# devices being controlled by this remote: # devices being controlled by this remote:
# #
@ -118,9 +118,9 @@ end remote
# this config file was automatically generated # this config file was automatically generated
# using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017 # using lirc-0.9.0-pre1(default) on Thu Feb 9 18:06:50 2017
# #
# contributed by # contributed by
# #
# brand: Insignia # brand: Insignia
# model no. of remote control: NS-RC4NA-14 # model no. of remote control: NS-RC4NA-14
# devices being controlled by this remote: TV # devices being controlled by this remote: TV
# #


@ -8,7 +8,7 @@
# contributed by darkfeather@aninix.net # contributed by darkfeather@aninix.net
# #
# brand: LG.conf # brand: LG.conf
# model no. of remote control: AKB73715608 # model no. of remote control: AKB73715608
# devices being controlled by this remote: TV # devices being controlled by this remote: TV
# #


@ -16,7 +16,7 @@
user: "{{ ansible_user_id }}" user: "{{ ansible_user_id }}"
state: present state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}" key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/geth.pub') }}"
- name: Copy the motion config - name: Copy the motion config
become: yes become: yes
register: motion_config register: motion_config
@ -32,13 +32,13 @@
owner: motion owner: motion
group: motion group: motion
mode: 0750 mode: 0750
loop: loop:
- "/var/log/motion" - "/var/log/motion"
- "/var/run/motion" - "/var/run/motion"
- name: Restart the motion service - name: Restart the motion service
become: yes become: yes
when: motion_config.changed and motion_enabled when: motion_config.changed and motion_enabled
service: service:
name: motion name: motion
state: started state: started
@ -119,7 +119,7 @@
- name: Copy lircd remote config - name: Copy lircd remote config
register: lircd_remote_config register: lircd_remote_config
become: yes become: yes
copy: copy:
src: "lircd.conf/{{ inventory_hostname }}" src: "lircd.conf/{{ inventory_hostname }}"
dest: /etc/lirc/lircd.conf dest: /etc/lirc/lircd.conf


@ -5,4 +5,4 @@
name: name:
- openhab2 - openhab2
- name: - name:


@ -0,0 +1,29 @@
---
- user:
name: "{{ item }}"
state: present
shell: "{{ daemon_shell | default('/sbin/nologin') }}"
local: yes
groups: ircd
loop:
- bitbot
- dsbridge
- theraven
- werewolf
# Install TheRaven package
- package:
name:
- TheRaven
- git:
repo: 'https://github.com/jesopo/bitbot.git'
dest: /usr/local/src/bitbot/
clone: yes
update: yes
- git:
repo:
-
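Review bot: The file as rendered ends with an unfinished task — `- git:` followed by `repo:` and a bare `-`, which YAML reads as `repo: [null]` and the `git` module will reject, so the play fails on this file as committed. The `git` tasks also clone upstream with `update: yes` and no `version:`, so every run pulls whatever is at the head of the remote branch into `/usr/local/src/bitbot/`; pinning `version:` to a tag or commit keeps the bot code reproducible. None of the tasks sets `become: yes`, unlike the neighbouring roles, yet `user:` and `package:` need root, and none has a `name:` to identify it in run output.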


@ -1,6 +1,6 @@
--- ---
- name: IRC packages - name: IRC packages
become: yes become: yes
package: package:
name: name:
@ -10,7 +10,7 @@
- name: KiwiIRC Web Front - name: KiwiIRC Web Front
become: yes become: yes
git: git:
repo: https://github.com/prawnsalad/KiwiIRC.git repo: https://github.com/prawnsalad/KiwiIRC.git
dest: /usr/local/src/KiwiIRC dest: /usr/local/src/KiwiIRC

10
roles/Maat/tasks/main.yml Normal file

@ -0,0 +1,10 @@
---
- name: Sharingan packages
become: yes
package:
name:
- openvas
- greenbone-security-assistant
- elasticsearch6
- mongodb
- graylog
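Review bot: `roles/Maat/tasks/main.yml` installs openvas, greenbone, elasticsearch, mongodb and graylog under the task name `Sharingan packages`, which matches the Sharingan README elsewhere in this commit (Graylog with Elasticsearch as its backend) rather than anything package-repository related. If the file landed in the wrong role this is worth a second look; if Maat really hosts these, a task name such as `Maat packages` and a one-line comment saying why would avoid the confusion.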


@ -1,5 +1,5 @@
--- ---
- name: Clone pi-hole - name: Clone pi-hole
become: yes become: yes
git: git:
@ -10,7 +10,7 @@
- name: Install pi-hole if needed - name: Install pi-hole if needed
become: yes become: yes
register: pihole_install register: pihole_install
command: command:
creates: /usr/bin/pihole-FTL creates: /usr/bin/pihole-FTL
cmd: false # bash basic-install.sh cmd: false # bash basic-install.sh
chdir: '/opt/pi-hole/automated install' chdir: '/opt/pi-hole/automated install'
@ -30,7 +30,7 @@
register: dns_updated register: dns_updated
copy: copy:
dest: /etc/pihole/custom.list dest: /etc/pihole/custom.list
src: dns src: dns
owner: pihole owner: pihole
group: pihole group: pihole
mode: 0644 mode: 0644


@ -14,11 +14,11 @@
- qemu-emulators-full - qemu-emulators-full
- ddrescue - ddrescue
state: present state: present
- name: Copy VM definitions - name: Copy VM definitions
become: yes become: yes
register: vmdefs register: vmdefs
copy: copy:
src: vm-definitions/ src: vm-definitions/
dest: /usr/lib/systemd/system dest: /usr/lib/systemd/system
owner: root owner: root
@ -28,7 +28,7 @@
- name: Reload systemd daemon - name: Reload systemd daemon
become: yes become: yes
when: vmdefs.changed when: vmdefs.changed
systemd: systemd:
daemon_reload: yes daemon_reload: yes
- name: QEMU Bridge Config - name: QEMU Bridge Config


@ -1,30 +1,28 @@
--- ---
- name: SSH - name: SSH (ArchLinux)
become: yes become: yes
when: ansible_os_family == "Archlinux"
package: package:
state: present
name: name:
- bash - openssh
- sudo
- name: SSH Config - name: SSH (Raspbian)
become: yes become: yes
copy: when: ansible_os_family == "Debian"
src: ssh_config package:
dest: /etc/ssh/ssh_config state: present
name:
- name: SSHD Config - openssh-server
become: yes - openssh-client
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
- name: Mark SSH keys as immutable - name: Mark SSH keys as immutable
become: yes become: yes
file: file:
path: "{{ item }}" path: "{{ item }}"
attributes: i attributes: i
loop: loop:
- /etc/ssh/ssh_host_ed25519_key - /etc/ssh/ssh_host_ed25519_key
- /etc/ssh/ssh_host_ed25519_key.pub - /etc/ssh/ssh_host_ed25519_key.pub
- /etc/ssh/ssh_host_rsa_key - /etc/ssh/ssh_host_rsa_key
@ -32,17 +30,52 @@
- name: Add SSH control groups - name: Add SSH control groups
become: yes become: yes
group: group:
name: "{{ item }}" name: "{{ item }}"
state: present state: present
loop: loop:
- ssh-allow - ssh-allow
- ssh-forward - ssh-forward
- sftp-home-jail - sftp-home-jail
- name: Add SSH user to ssh-allow - name: Add SSH user to ssh-allow
become: yes become: yes
user: user:
name: "{{ ansible_user_id }}" name: "{{ ansible_user_id }}"
groups: ssh-allow groups: ssh-allow
append: yes append: yes
- name: Copy the SSH key
authorized_key:
user: "{{ ansible_user_id }}"
state: present
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/deploy.pub') }}"
- name: SSH Config
become: yes
copy:
src: ssh_config
dest: /etc/ssh/ssh_config
- name: SSHD Config
become: yes
register: sshd_config
copy:
src: sshd_config
dest: /etc/ssh/sshd_config
- name: Restart SSHD (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux" and sshd_config.changed
service:
name: sshd
state: restarted
enabled: yes
- name: Restart SSHD (Raspbian)
become: yes
when: ansible_os_family == "Debian" and sshd_config.changed
service:
name: ssh
state: restarted
enabled: yes
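Review bot: The `SSHD Config` task in the second hunk copies `/etc/ssh/sshd_config` and the two new restart tasks bounce sshd whenever it changed, but nothing checks the file before it goes live, so a bad config locks every host out of the only management path. `copy` supports `validate: /usr/sbin/sshd -t -f %s`, which runs the check against the staged file and aborts the copy (and therefore the restart) on failure; the binary path may differ on Raspbian, so it may need a per-OS-family variable. The two restart tasks differ only in the service name and could collapse into one with `name: "{{ 'sshd' if ansible_os_family == 'Archlinux' else 'ssh' }}"`.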


@ -2,8 +2,8 @@
- name: SSL packages - name: SSL packages
become: yes become: yes
package: package:
name: name:
- certbot - certbot
- openssl - openssl
@ -16,7 +16,7 @@
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
loop: loop:
- "certbot.service" - "certbot.service"
- "certbot.timer" - "certbot.timer"
@ -28,7 +28,7 @@
name: certbot.timer name: certbot.timer
enabled: yes enabled: yes
state: started state: started
- name: Create letsencrypt folder - name: Create letsencrypt folder
become: yes become: yes
file: file:
@ -50,7 +50,7 @@
become: yes become: yes
command: /usr/local/sbin/tlsa-generation.bash command: /usr/local/sbin/tlsa-generation.bash
register: tlsa_records register: tlsa_records
- name: Show proposed TLSA records - name: Show proposed TLSA records
debug: debug:
msg: "{{ tlsa_records.stdout_lines }}" msg: "{{ tlsa_records.stdout_lines }}"
@ -60,7 +60,7 @@
run_once: yes run_once: yes
command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'" command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
register: ext_tlsa_records register: ext_tlsa_records
- name: Show TLSA records - name: Show TLSA records
debug: debug:
msg: "{{ ext_tlsa_records.stdout_lines }}" msg: "{{ ext_tlsa_records.stdout_lines }}"


@ -1,9 +1,9 @@
#!/bin/bash #!/bin/bash
# File: find-mirrors # File: find-mirrors
# #
# Description: This file generates a pacman mirrorlist to ensure hosts use the right mirrors for performance. # Description: This file generates a pacman mirrorlist to ensure hosts use the right mirrors for performance.
# #
# Package: AniNIX::Foundation/HelloWorld # Package: AniNIX::Foundation/HelloWorld
# Copyright: WTFPL # Copyright: WTFPL
# #
@ -11,6 +11,6 @@
country="United States" country="United States"
curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## '"$country"'$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/mirrorlist
rankmirrors -n 6 /tmp/mirrorlist > files/mirrorlist rankmirrors -n 6 /tmp/mirrorlist > files/mirrorlist
rm /tmp/mirrorlist rm /tmp/mirrorlist


@ -0,0 +1,10 @@
#
# /etc/bash.bashrc
#
# If not running interactively, don't do anything
[[ $- != *i* ]] && return
[[ $DISPLAY ]] && shopt -s checkwinsize
[ -r /usr/share/bash-completion/bash_completion ] && . /usr/share/bash-completion/bash_completion


@ -99,7 +99,7 @@ Include = /etc/pacman.d/mirrorlist.shadowarch
#[custom] #[custom]
#SigLevel = Optional TrustAll #SigLevel = Optional TrustAll
#Server = file:///home/custompkgs #Server = file:///home/custompkgs
[AniNIX] [AniNIX]
SigLevel = Required DatabaseOptional SigLevel = Required DatabaseOptional
Server = https://maat.aninix.net/ Server = https://maat.aninix.net/


@ -0,0 +1,32 @@
" All system-wide defaults are set in $VIMRUNTIME/archlinux.vim (usually just
" /usr/share/vim/vimfiles/archlinux.vim) and sourced by the call to :runtime
" you can find below. If you wish to change any of those settings, you should
" do it in this file (/etc/vimrc), since archlinux.vim will be overwritten
" everytime an upgrade of the vim packages is performed. It is recommended to
" make changes after sourcing archlinux.vim since it alters the value of the
" 'compatible' option.
" This line should not be removed as it ensures that various options are
" properly set to work with the Vim-related packages.
runtime! archlinux.vim
" If you prefer the old-style vim functionalty, add 'runtime! vimrc_example.vim'
" Or better yet, read /usr/share/vim/vim74/vimrc_example.vim or the vim manual
" and configure vim to your own liking!
syntax on
filetype on
" Support CSharp files like Java
au BufNewFile,BufRead *.csharp set filetype=java
au BufNewFile,BufRead *.cs set filetype=java
set number
set mouse-=a
colorscheme desert
" This establishes the indenting policy.
filetype plugin indent on
" show existing tab with 4 spaces width
set tabstop=4
" when indenting with '>', use 4 spaces width
set shiftwidth=4
" On pressing tab, insert 4 spaces
set expandtab


@ -1,4 +1,4 @@
--- ---
- name: ArchLinux network packages - name: ArchLinux network packages
become: yes become: yes
@ -30,4 +30,4 @@
- name: Enable network config - name: Enable network config
become: yes become: yes
command: "netctl enable {{ ipinterface }}" command: "netctl enable {{ ipinterface }}"


@ -0,0 +1,37 @@
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- name: Bashrc
become: yes
copy:
src: bashrc
dest: /etc/bashrc
owner: root
group: root
mode: 0644
- name: vimrc
become: yes
copy:
src: vimrc
dest: /etc/vimrc
owner: root
group: root
mode: 0644
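Review bot: The `Bashrc` task writes to `dest: /etc/bashrc`, while the file it copies (added in this commit) describes itself in its own header as `/etc/bash.bashrc`, which as far as I know is the system-wide rc that bash on Arch is built to read; if that is the intended target the line should be `dest: /etc/bash.bashrc`, otherwise the header comment is misleading. This new task file also lacks the `---` document start the other task files use. `mode: 0644` relies on YAML 1.1 octal parsing; `mode: "0644"` is unambiguous across parsers.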


@ -2,8 +2,8 @@
- name: Install DNS packages - name: Install DNS packages
become: yes become: yes
ignore_errors: yes ignore_errors: yes
package: package:
name: name:
- bind - bind
- net-tools - net-tools
- iputils - iputils


@ -58,10 +58,14 @@
ignore_errors: yes ignore_errors: yes
register: root_password_test register: root_password_test
vars: vars:
ansible_become_user: "{{ item }}"
ansible_become_method: su ansible_become_method: su
ansible_become_password: "{{ passwords[inventory_hostname] }}" ansible_become_password: "{{ passwords[inventory_hostname] }}"
become: yes become: yes
command: id command: id
loop:
- root
- "{{ ansible_user_id }}"
- name: Define passwords - name: Define passwords
vars: vars:
@ -70,7 +74,7 @@
become: yes become: yes
when: root_password_test.rc is not defined or root_password_test.rc != 0 when: root_password_test.rc is not defined or root_password_test.rc != 0
command: command:
cmd: /bin/bash -l -c "printf '%s\n%s\n' '{{ passwords[inventory_hostname] }}' '{{ passwords[inventory_hostname] }}' | passwd {{ item }}" cmd: /bin/bash -l -c "echo '{{item}}:{{ passwords[inventory_hostname] }}' | chpasswd {{ item }}"
loop: loop:
- root - root
- "{{ ansible_user_id }}" - "{{ ansible_user_id }}"
@ -163,24 +167,6 @@
hostname: hostname:
name: "{{ inventory_hostname }}.{{ replica_domain }}" name: "{{ inventory_hostname }}.{{ replica_domain }}"
- name: Set Bash MOTD
become: yes
copy:
src: "motd/{{ inventory_hostname }}"
dest: /etc/bash.motd
owner: root
group: root
mode: 0644
- name: Nullify overall MOTD
become: yes
copy:
src: /dev/null
dest: /etc/motd
owner: root
group: root
mode: 0644
- include: archlinux-network.yml - include: archlinux-network.yml
when: ansible_os_family == "Archlinux" when: ansible_os_family == "Archlinux"
@ -190,3 +176,5 @@
- include: dns.yml - include: dns.yml
- include: ntp.yml - include: ntp.yml
- include: bash.yml
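Review bot: The `when:` on the password-reset task in the second hunk (`root_password_test.rc is not defined or root_password_test.rc != 0`) no longer matches what it registers: once the test task in the first hunk is given a `loop:`, `root_password_test` holds a `results` list and has no top-level `rc`, so the guard is always true and both passwords are rewritten on every run. Something like `when: root_password_test.results | selectattr('rc', 'defined') | selectattr('rc', 'equalto', 0) | list | length < 2` skips the reset only when both users authenticated. Both tasks now carry the cleartext password in `ansible_become_password` and on the `chpasswd` command line, so `no_log: true` on each keeps it out of failure output and logs (with `ignore_errors: yes` a failed `id` is the expected path). As far as I can tell `chpasswd` reads `user:password` pairs from stdin and takes no username argument, so the trailing `{{ item }}` looks like a leftover from the `passwd` form.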


@ -10,7 +10,7 @@
- name: Remove legacy NTP services - name: Remove legacy NTP services
become: yes become: yes
ignore_errors: yes ignore_errors: yes
service: service:
name: "{{ item }}" name: "{{ item }}"
state: stopped state: stopped
enabled: no enabled: no
@ -20,15 +20,15 @@
- name: Remove legacy NTP packages - name: Remove legacy NTP packages
become: yes become: yes
package: package:
name: name:
- ntp - ntp
- openntpd - openntpd
state: absent state: absent
- name: Install NTP packages - name: Install NTP packages
become: yes become: yes
package: package:
name: chrony name: chrony
state: present state: present


@ -1,4 +1,4 @@
--- ---
- name: Rasbian network packages - name: Rasbian network packages
become: yes become: yes
@ -17,7 +17,7 @@
group: root group: root
mode: 0644 mode: 0644
- name: Rasbian network config (static) - name: Rasbian network config (static)
become: yes become: yes
when: static when: static
template: template:


@ -5,7 +5,7 @@ Sharingan is named after the mythical technique from the Naruto anime series. Sh
# Relevant Files and Software # Relevant Files and Software
We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`. We use Graylog on a dedicated VM to aggregate results. By default, all servers in a datacenter should send journald via syslog to `sharingan.$datacenter.aninix.net`.
## Syslog-ng ## Syslog-ng
@ -13,7 +13,7 @@ We use a lot of services in the AniNIX ecosystem -- some create files, some pipe
## Journald ## Journald
ArchLinux and most systemd-based Linux distributions use journald to track system log files. ArchLinux and most systemd-based Linux distributions use journald to track system log files.
## Suricata ## Suricata
@ -32,12 +32,12 @@ TODO
## Graylog ## Graylog
## Elasticsearch ## Elasticsearch
Elasticsearch acts as graylog's data backend. Elasticsearch acts as graylog's data backend.
We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption. We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
1. Stop elasticsearch 1. Stop elasticsearch
1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data. 1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*` 1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*`
1. Restart elasticsearch 1. Restart elasticsearch
1. Retry shard allocation: 1. Retry shard allocation:


@ -7,7 +7,7 @@
## performed should a test fail. ## performed should a test fail.
check system $HOST check system $HOST
if loadavg (1min) per core > 2 for 25 times within 30 cycles then exec "/etc/monit.d/scripts/critical Load average is high" if loadavg (1min) per core > 2 for 25 times within 30 cycles then exec "/etc/monit.d/scripts/critical Load average is high"
if memory usage > 75% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused." if memory usage > 90% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Memory is overused."
if swap usage > 25% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Swap is overused." if swap usage > 25% for 8 times within 10 cycles then exec "/etc/monit.d/scripts/critical Swap is overused."
group system group system
# #


@ -0,0 +1,2 @@
check program warrant_canary with path "/etc/monit.d/scripts/check-warrant-canary"
if status != 0 then exec "/etc/monit.d/scripts/critical Warrant Canary needs to be updated"


@ -1 +1,2 @@
include "/etc/monit.d/checks/system" include "/etc/monit.d/checks/system"
include "/etc/monit.d/checks/warrant-canary"


@ -0,0 +1,27 @@
#!/bin/bash
daysinadvance=14
url=https://aninix.net/AniNIX/WarrantCanary/raw/branch/main/canary
# ID the update expected date
canarydate="$(curl -s "$url" | grep -A 1 'next two updates' | tail -n 1 | sed 's/^..//' )"
if [ -z "$canarydate" ]; then
echo "Cannot identify the canary's next time."
exit 2
fi
epochcanarydate="$(date -d "$canarydate" +%s)"
# Remove a one-month padding
updatecanarydate=$(( $epochcanarydate - 2592000 ))
# ID today
today="$(date +%s)"
if [[ $today -gt $updatecanarydate ]]; then
echo Time to reseed the warrant canary.
exit 2
else
echo Warrant canary seems to have the right time.
exit 0
fi
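Review bot: `daysinadvance=14` on the second line is never used; the padding subtracted on the `updatecanarydate` line is a hard-coded `2592000` (30 days) while its comment says one month, so the variable, the comment and the arithmetic all disagree. `updatecanarydate=$(( epochcanarydate - daysinadvance * 86400 ))` makes the lead time the one place to change. `curl -s` without `-f` hands an HTTP error page to the grep pipeline; `curl -sf` lets the existing empty-`canarydate` check catch a failed fetch. A failing `date -d` yields an empty `epochcanarydate`, which the arithmetic treats as 0 and reports as time to reseed rather than as a parse error; checking `[ -z "$epochcanarydate" ]` with its own message would separate the two cases.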


@ -1,11 +1,11 @@
# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ # # $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
# This file is pretty big by default, but don't worry. # This file is pretty big by default, but don't worry.
# The only things required are "path" and "update_files". You must also # The only things required are "path" and "update_files". You must also
# set "url" to point to the correct rules archive for your version of # set "url" to point to the correct rules archive for your version of
# Snort, unless you prefer to specify this on the command line. # Snort, unless you prefer to specify this on the command line.
# The rest in here is just a few recommended defaults, and examples # The rest in here is just a few recommended defaults, and examples
# how to use all the other optional features and give some ideas how they # how to use all the other optional features and give some ideas how they
# could be used. # could be used.
# Remember not to let untrusted users edit Oinkmaster configuration # Remember not to let untrusted users edit Oinkmaster configuration
@ -14,15 +14,15 @@
# Use "url = <url>" to specify the location of the rules archive to # Use "url = <url>" to specify the location of the rules archive to
# download. The url must begin with http://, https://, ftp://, file:// # download. The url must begin with http://, https://, ftp://, file://
# or scp:// and end with .tar.gz or .tgz, and the file must be a # or scp:// and end with .tar.gz or .tgz, and the file must be a
# gzipped tarball what contains a directory named "rules". # gzipped tarball what contains a directory named "rules".
# You can also point to a local directory with dir://<directory>. # You can also point to a local directory with dir://<directory>.
# Multiple "url = <url>" lines can be specified to grab multiple rules # Multiple "url = <url>" lines can be specified to grab multiple rules
# archives from different locations. # archives from different locations.
# #
# Note: if URL is specified on the command line, it overrides all # Note: if URL is specified on the command line, it overrides all
# possible URLs specified in the configuration file(s). # possible URLs specified in the configuration file(s).
# #
# The location of the official Snort rules you should use depends # The location of the official Snort rules you should use depends
@ -30,10 +30,10 @@
# http://www.snort.org/rules/ and follow the instructions # http://www.snort.org/rules/ and follow the instructions
# there to pick the right URL for your version of Snort # there to pick the right URL for your version of Snort
# (and remember to update the URL when upgrading Snort in the # (and remember to update the URL when upgrading Snort in the
# future). You can of course also specify locations to third party # future). You can of course also specify locations to third party
# rules. # rules.
# #
# As of March 2005, you must register on the Snort site to get access # As of March 2005, you must register on the Snort site to get access
# to the official Snort rules. This will get you an "oinkcode". # to the official Snort rules. This will get you an "oinkcode".
# You then specify the URL as # You then specify the URL as
# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename> # http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
@ -45,7 +45,7 @@
# more information. # more information.
# URL examples follows. Replace <oinkcode> with the code you get on the # URL examples follows. Replace <oinkcode> with the code you get on the
# Snort site in your registered user profile. # Snort site in your registered user profile.
# Example for Snort # Example for Snort
@ -73,18 +73,18 @@
# Only OpenSSH is tested. See the FAQ for more information. # Only OpenSSH is tested. See the FAQ for more information.
# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz # url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
# If you use -u scp://... and need to specify a private ssh key (passed # If you use -u scp://... and need to specify a private ssh key (passed
# as -i <key> to the scp command) you can specify it here or add an # as -i <key> to the scp command) you can specify it here or add an
# entry in ~/.ssh/config for the Oinkmaster user as described in the # entry in ~/.ssh/config for the Oinkmaster user as described in the
# OpenSSH manual. # OpenSSH manual.
# scp_key = /home/oinkmaster/oinkmaster_privkey # scp_key = /home/oinkmaster/oinkmaster_privkey
# The PATH to use during execution. If you prefer to use external # The PATH to use during execution. If you prefer to use external
# binaries (i.e. use_external_bins=1, see below), tar and gzip must be # binaries (i.e. use_external_bins=1, see below), tar and gzip must be
# found, and also wget if downloading via ftp, http or https. All with # found, and also wget if downloading via ftp, http or https. All with
# optional .exe suffix. If you're on Cygwin, make sure that the path # optional .exe suffix. If you're on Cygwin, make sure that the path
# contains the Cygwin binaries and not the native Win32 binaries or # contains the Cygwin binaries and not the native Win32 binaries or
# you will get problems. # you will get problems.
# Assume UNIX style by default: # Assume UNIX style by default:
path = /bin:/usr/bin:/usr/local/bin path = /bin:/usr/bin:/usr/local/bin
@ -96,17 +96,17 @@ path = /bin:/usr/bin:/usr/local/bin
# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin # path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
# We normally use external binaries (wget, tar and gzip) since they're # We normally use external binaries (wget, tar and gzip) since they're
# already available on most systems and do a good job. If you have the # already available on most systems and do a good job. If you have the
# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use # Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
# those instead if you like. You can set use_external_bins below to # those instead if you like. You can set use_external_bins below to
# choose which method you prefer. It's set to 0 by default on Win32 # choose which method you prefer. It's set to 0 by default on Win32
# (i.e. use Perl modules), and 1 on other systems (i.e. use external # (i.e. use Perl modules), and 1 on other systems (i.e. use external
# binaries). The reason for that is that the required Perl modules # binaries). The reason for that is that the required Perl modules
# are included on Windows/ActivePerl 5.8.1+, so it's easier to use # are included on Windows/ActivePerl 5.8.1+, so it's easier to use
# those than to install the ported Unix tools. (Note that if you're # those than to install the ported Unix tools. (Note that if you're
# using scp to download the archive, external scp binary is still # using scp to download the archive, external scp binary is still
# used.) # used.)
# use_external_bins = 0 # use_external_bins = 0
@ -133,7 +133,7 @@ path = /bin:/usr/bin:/usr/local/bin
# umask = 0027 # umask = 0027
# Files in the archive(s) matching this regular expression will be # Files in the archive(s) matching this regular expression will be
# checked for changes, and then updated or added if needed. # checked for changes, and then updated or added if needed.
# All other files will be ignored. You can then choose to skip # All other files will be ignored. You can then choose to skip
# individual files by specifying the "skipfile" keyword below. # individual files by specifying the "skipfile" keyword below.
@ -159,10 +159,10 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# min_rules = 1 # min_rules = 1
# By default, a basic sanity check is performed on most paths/filenames # By default, a basic sanity check is performed on most paths/filenames
# to see if they contain illegal characters that may screw things up. # to see if they contain illegal characters that may screw things up.
# If this check is too strict for your system (e.g. you get bogus # If this check is too strict for your system (e.g. you get bogus
# "illegal characters in filename" errors because of your local language # "illegal characters in filename" errors because of your local language
# etc) and you're sure you want to disable the checks completely, # etc) and you're sure you want to disable the checks completely,
# set use_path_checks to 0. # set use_path_checks to 0.
# use_path_checks = 1 # use_path_checks = 1
@ -174,11 +174,11 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# You can include other files anywhere in here by using # You can include other files anywhere in here by using
# "include <file>". <file> will be parsed just like a regular # "include <file>". <file> will be parsed just like a regular
# oinkmaster.conf as soon as the include statement is seen, and then # oinkmaster.conf as soon as the include statement is seen, and then
# return and continue parsing the rest of the original file. If an # return and continue parsing the rest of the original file. If an
# option is redefined, it will override the previous value. You can use # option is redefined, it will override the previous value. You can use
# as many "include" statements as you wish, and also include even more # as many "include" statements as you wish, and also include even more
# files from included files. Example to load stuff from "/etc/foo.conf". # files from included files. Example to load stuff from "/etc/foo.conf".
# include /etc/foo.conf # include /etc/foo.conf
@ -191,34 +191,34 @@ update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
# or: skipfile filename1, filename2, filename3, ... # # or: skipfile filename1, filename2, filename3, ... #
####################################################################### #######################################################################
# Ignore local.rules from the rules archive by default since we might # Ignore local.rules from the rules archive by default since we might
# have put some local rules in our own local.rules and we don't want it # have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each # to get overwritten by the empty one from the archive after each
# update. # update.
skipfile local.rules skipfile local.rules
# The file deleted.rules contains rules that have been deleted from # The file deleted.rules contains rules that have been deleted from
# other files, so there is usually no point in updating it. # other files, so there is usually no point in updating it.
skipfile deleted.rules skipfile deleted.rules
# Also skip snort.conf by default since we don't want to overwrite our # Also skip snort.conf by default since we don't want to overwrite our
# own snort.conf if we have it in the same directory as the rules. If # own snort.conf if we have it in the same directory as the rules. If
# you have your own production copy of snort.conf in another directory, # you have your own production copy of snort.conf in another directory,
# it may be really nice to check for changes in this file though, # it may be really nice to check for changes in this file though,
# especially since variables are sometimes added or modified and # especially since variables are sometimes added or modified and
# new/old files are included/excluded. # new/old files are included/excluded.
skipfile snort.conf skipfile snort.conf
# You may want to consider ignoring threshold.conf for the same reasons # You may want to consider ignoring threshold.conf for the same reasons
# as for snort.conf, i.e. if you customize it locally and don't want it # as for snort.conf, i.e. if you customize it locally and don't want it
# to become overwritten by the default one. It may be better to put # to become overwritten by the default one. It may be better to put
# local thresholding/suppressing in some local file and still update # local thresholding/suppressing in some local file and still update
# and use the official one though, in case important stuff is added to # and use the official one though, in case important stuff is added to
# it some day. We do update it by default, but it's your call. # it some day. We do update it by default, but it's your call.
# skipfile threshold.conf # skipfile threshold.conf
# If you update from multiple URLs at the same time you may need to # If you update from multiple URLs at the same time you may need to
# ignore the sid-msg.map (and generate it yourself if you need one) as # ignore the sid-msg.map (and generate it yourself if you need one) as
# it's usually included in each rules tarball. See the FAQ for more info. # it's usually included in each rules tarball. See the FAQ for more info.
# skipfile sid-msg.map # skipfile sid-msg.map
@ -243,11 +243,11 @@ skipfile snort.conf
# situations. # # situations. #
# # # #
# Syntax: # # Syntax: #
# modifysid SID "replacethis" | "withthis" # # modifysid SID "replacethis" | "withthis" #
# or: # # or: #
# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" # # modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
# or: # # or: #
# modifysid file "replacethis" | "withthis" # # modifysid file "replacethis" | "withthis" #
# or: # # or: #
# modifysid * "replacethis" | "withthis" # # modifysid * "replacethis" | "withthis" #
# # # #
@ -289,11 +289,11 @@ skipfile snort.conf
# Example to add "tag" stuff to SID 1325. # Example to add "tag" stuff to SID 1325.
# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;" # modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
# Example to make SID 1378 a 'drop' rule (valid if you're running # Example to make SID 1378 a 'drop' rule (valid if you're running
# Snort_inline). # Snort_inline).
# modifysid 1378 "^alert" | "drop" # modifysid 1378 "^alert" | "drop"
# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET # Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
# in SID 302. # in SID 302.
# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET" # modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
@ -306,17 +306,17 @@ skipfile snort.conf
# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \ # modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
# "${1} replace:"\/foo\/sh";" # "${1} replace:"\/foo\/sh";"
# If you for some reason would like to add a comment inside the actual # If you for some reason would like to add a comment inside the actual
# rules file, like the reason why you disabled this rule, you can do # rules file, like the reason why you disabled this rule, you can do
# like this (you would normally add such comments in oinkmaster.conf # like this (you would normally add such comments in oinkmaster.conf
# though). # though).
# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}" # modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
# Here is an example that is actually useful. Let's say you don't care # Here is an example that is actually useful. Let's say you don't care
# about incoming welchia pings (detected by SID 483 at the time of # about incoming welchia pings (detected by SID 483 at the time of
# writing) but you want to know when infected hosts on your network # writing) but you want to know when infected hosts on your network
# scans hosts on the outside. (Remember that watching for outgoing # scans hosts on the outside. (Remember that watching for outgoing
# malicious packets is often just as important as watching for incoming # malicious packets is often just as important as watching for incoming
# ones, especially in this case.) The rule currently looks like # ones, especially in this case.) The rule currently looks like
# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..." # "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
# but we want to switch that so it becomes # but we want to switch that so it becomes
@ -326,34 +326,34 @@ skipfile snort.conf
# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \ # "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}" # "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
# The wildcard (modifysid * ...) can be used to do all kinds of # The wildcard (modifysid * ...) can be used to do all kinds of
# interesting things. The substitution expression will be applied on all # interesting things. The substitution expression will be applied on all
# matching rules. First, a silly example to replace "foo" with "bar" in # matching rules. First, a silly example to replace "foo" with "bar" in
# all rules (that have the string "foo" in them, that is.) # all rules (that have the string "foo" in them, that is.)
# modifysid * "foo" | "bar" # modifysid * "foo" | "bar"
# If you for some reason don't want to use the stream preprocessor to # If you for some reason don't want to use the stream preprocessor to
# match established streams, you may want to replace the 'flow' # match established streams, you may want to replace the 'flow'
# statement with 'flags:A+;' in all those rules. # statement with 'flags:A+;' in all those rules.
# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;" # modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
# Example to convert all rules of classtype attempted-admin to 'drop' # Example to convert all rules of classtype attempted-admin to 'drop'
# rules (for Snort_inline only, obviously). # rules (for Snort_inline only, obviously).
# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}" # modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
# This one will append some text to the 'msg' string for all rules that # This one will append some text to the 'msg' string for all rules that
# have the 'tag' keyword in them. # have the 'tag' keyword in them.
# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \ # modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
# "${1}, going to tag this baby"${2}" # "${1}, going to tag this baby"${2}"
# There may be times when you want to replace multiple occurrences of a # There may be times when you want to replace multiple occurrences of a
# certain keyword/string in a rule and not just the first one. To # certain keyword/string in a rule and not just the first one. To
# replace the first two occurrences of "foo" with "bar" in SID 100, # replace the first two occurrences of "foo" with "bar" in SID 100,
# simply repeat the modifysid statement: # simply repeat the modifysid statement:
# modifysid 100 "foo" | "bar" # modifysid 100 "foo" | "bar"
# modifysid 100 "foo" | "bar" # modifysid 100 "foo" | "bar"
# Or you can even specify a SID list but repeat the same SID as many # Or you can even specify a SID list but repeat the same SID as many
# times as required, like: # times as required, like:
# modifysid 100,100,100 "foo" | "bar" # modifysid 100,100,100 "foo" | "bar"


@ -90,7 +90,7 @@
# #
# If the mirrors file is read-only, then the '--versioncheck' command-line # If the mirrors file is read-only, then the '--versioncheck' command-line
# option can only be used if this option is set to '0'. # option can only be used if this option is set to '0'.
# #
# The default value is '1'. # The default value is '1'.
# #
#ROTATE_MIRRORS=1 #ROTATE_MIRRORS=1
@ -635,7 +635,7 @@ ALLOWHIDDENDIR=/dev/.udev
# This option may be specified more than once, and may use wildcard characters. # This option may be specified more than once, and may use wildcard characters.
# #
# The default value is the null string. # The default value is the null string.
# #
#ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz #ALLOWHIDDENFILE=/usr/share/man/man1/..1.gz
#ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac #ALLOWHIDDENFILE=/usr/bin/.fipscheck.hmac
#ALLOWHIDDENFILE=/usr/bin/.ssh.hmac #ALLOWHIDDENFILE=/usr/bin/.ssh.hmac
@ -907,7 +907,7 @@ ALLOWHIDDENDIR=/dev/.udev
# #
#APP_WHITELIST="" #APP_WHITELIST=""
# #
# Set this option to scan for suspicious files in directories which pose a # Set this option to scan for suspicious files in directories which pose a
# relatively higher risk due to user write access. # relatively higher risk due to user write access.
# #
@ -918,7 +918,7 @@ ALLOWHIDDENDIR=/dev/.udev
# #
# Please consider adding all directories the user the (web)server runs as, # Please consider adding all directories the user the (web)server runs as,
# and has write access to, including the document root (e.g: '/var/www') and # and has write access to, including the document root (e.g: '/var/www') and
# log directories (e.g: '/var/log/httpd'). # log directories (e.g: '/var/log/httpd').
# #
# This is a space-separated list of directory pathnames. The option may be # This is a space-separated list of directory pathnames. The option may be
# specified more than once. # specified more than once.
@ -968,7 +968,7 @@ ALLOWHIDDENDIR=/dev/.udev
# #
# The following options can be used to whitelist network ports which are known # The following options can be used to whitelist network ports which are known
# to have been used by malware. # to have been used by malware.
# #
# The PORT_WHITELIST option is a space-separated list of one or more of two # The PORT_WHITELIST option is a space-separated list of one or more of two
# types of whitelisting. These are: # types of whitelisting. These are:
@ -1233,10 +1233,10 @@ ALLOWHIDDENDIR=/dev/.udev
# #
# You should only activate this feature as part of a more thorough # You should only activate this feature as part of a more thorough
# investigation, which should be based on relevant best practices and # investigation, which should be based on relevant best practices and
# procedures. # procedures.
# #
# Enabling this feature implies you have the knowledge to interpret the # Enabling this feature implies you have the knowledge to interpret the
# results properly. # results properly.
# #
# The default value is the null string. # The default value is the null string.
# #


@ -134,7 +134,7 @@ outputs:
# Header name were the actual IP address will be reported, if more than # Header name were the actual IP address will be reported, if more than
# one IP address is present, the last IP address will be the one taken # one IP address is present, the last IP address will be the one taken
# into consideration. # into consideration.
header: X-Forwarded-For header: X-Forwarded-For
# a line based log of HTTP requests (no alerts) # a line based log of HTTP requests (no alerts)
- http-log: - http-log:


@ -1,10 +1,10 @@
--- ---
- name: Sharingan data packages - name: Sharingan data packages
become: yes become: yes
package: package:
state: present state: present
name: name:
- syslog-ng - syslog-ng
- monit - monit
- monitoring-plugins - monitoring-plugins
@ -18,13 +18,13 @@
- name: Sharingan-Data include apps dir - name: Sharingan-Data include apps dir
become: yes become: yes
register: base_config register: base_config
lineinfile: lineinfile:
path: /etc/syslog-ng/syslog-ng.conf path: /etc/syslog-ng/syslog-ng.conf
line: "{{ item }}" line: "{{ item }}"
loop: loop:
- '# Allow compartmentalization of config' - '# Allow compartmentalization of config'
- '@include "apps.d/*.conf"' - '@include "apps.d/*.conf"'
- name: Sharingan-Data conf - name: Sharingan-Data conf
become: yes become: yes
template: template:


@ -9,9 +9,9 @@
owner: root owner: root
group: root group: root
mode: 0750 mode: 0750
loop: loop:
- sharingan-heartbeat.timer - sharingan-heartbeat.timer
- sharingan-heartbeat.service - sharingan-heartbeat.service
- name: Sharingan-Data heartbeat timer - name: Sharingan-Data heartbeat timer
become: yes become: yes


@ -4,7 +4,7 @@
become: yes become: yes
register: package_install register: package_install
package: package:
name: name:
- sshguard - sshguard
- suricata - suricata
- oinkmaster - oinkmaster
@ -45,7 +45,7 @@
- name: Copy rkhunter service - name: Copy rkhunter service
register: rkhunter_service register: rkhunter_service
become: yes become: yes
loop: loop:
- rkhunter.service - rkhunter.service
- rkhunter.timer - rkhunter.timer
copy: copy:
@ -69,7 +69,7 @@
- name: Copy oinkmaster service - name: Copy oinkmaster service
register: oinkmaster_service register: oinkmaster_service
become: yes become: yes
loop: loop:
- oinkmaster.service - oinkmaster.service
- oinkmaster.timer - oinkmaster.timer
copy: copy:
@ -88,7 +88,7 @@
become: yes become: yes
when: package_install.changed or oinkmaster_conf.changed when: package_install.changed or oinkmaster_conf.changed
service: service:
name: oinkmaster.service name: oinkmaster.service
state: started state: started
- name: Update rkhunter DB - name: Update rkhunter DB
@ -98,12 +98,12 @@
- name: IDS services - name: IDS services
become: yes become: yes
loop: loop:
- suricata.service - suricata.service
- sshguard.service - sshguard.service
- oinkmaster.timer - oinkmaster.timer
- rkhunter.timer - rkhunter.timer
service: service:
name: "{{ item }}" name: "{{ item }}"
state: restarted state: restarted
enabled: yes enabled: yes


@ -1,5 +1,5 @@
--- ---
- import_tasks: ../roles/Sharingan/tasks/data.yml - import_tasks: ../roles/Sharingan/tasks/data.yml
- import_tasks: ../roles/Sharingan/tasks/eval.yml - import_tasks: ../roles/Sharingan/tasks/eval.yml
- import_tasks: ../roles/Sharingan/tasks/heartbeat.yml - import_tasks: ../roles/Sharingan/tasks/heartbeat.yml


@ -24,7 +24,7 @@
become: yes become: yes
register: lynis_svc register: lynis_svc
copy: copy:
src: "lynis/{{ item }}" src: "lynis/{{ item }}"
dest: /usr/lib/systemd/system/ dest: /usr/lib/systemd/system/
owner: root owner: root
group: root group: root
@ -37,7 +37,7 @@
become: yes become: yes
register: clam_svc register: clam_svc
copy: copy:
src: "clamav/{{ item }}" src: "clamav/{{ item }}"
dest: /usr/lib/systemd/system/ dest: /usr/lib/systemd/system/
owner: root owner: root
group: root group: root


@ -16,7 +16,7 @@
- mongodb - mongodb
- graylog - graylog
service: service:
name: "{{ item }}" name: "{{ item }}"
state: started state: started
enabled: yes enabled: yes


@ -153,7 +153,8 @@ set log syslog
set httpd port 2812 and set httpd port 2812 and
use address localhost # only accept connection from localhost (drop if you use M/Monit) use address localhost # only accept connection from localhost (drop if you use M/Monit)
allow localhost # allow localhost to connect to the server and allow localhost # allow localhost to connect to the server and
allow admin:"{{ monitcli | default('monit') }}" # require user 'admin' with password 'monit' # require user 'admin' with password
allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
#with ssl { # enable SSL/TLS and set path to server certificate #with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem # pemfile: /etc/ssl/certs/monit.pem
#} #}
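Review bot: `secrets[Sharingan][monit]` on the new `allow admin:` line indexes with the bare names `Sharingan` and `monit`, which Jinja treats as variable references rather than string keys; unless both happen to be defined as variables holding the key names, the lookup resolves to undefined and the `default('monit')` filter silently falls back to the well-known password `monit` for the admin user — as far as can be told from the template alone, no error surfaces. Quote the keys and make the lookup mandatory so a misconfigured inventory fails the play instead of shipping the default credential: `allow admin:"{{ secrets['Sharingan']['monit'] | mandatory }}"`. The `# require user 'admin' with password` comment moved onto its own line now ends mid-sentence; either finish it or drop it.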


@ -0,0 +1,47 @@
---
- name: Install Tachikoma packages
become: yes
package:
name:
- wifi-menu
- weechat
- elinks
- conky
- xfce4
- xfce4-goodies
- xfce4-screenshooter
- xscreensaver
- libreoffice-still
- hunspell
- hunspell-en_us
- google-chrome
- keepassxc
- sshfs
- vlc
- cups
- brother-mfc-j430w
- brscan4
- xsane
- mtpfs
- libmtp
- alsamixer
- name: Remove deprecated packages
become: yes
package:
name:
- chromium
- keepassx
- kpcli
- irssi
- lynx
- name: Enable services
become: yes
service:
name: "{{ item }}"
state: running
enabled: yes
with:
- cups.service
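Review bot: The `Remove deprecated packages` task has no `state: absent`, so with the package module's default state it installs chromium, keepassx, kpcli, irssi and lynx rather than removing them. In the `Enable services` task, `state: running` is not a value the service module accepts (`started` is the matching one), and `with:` is not a loop keyword — the Sharingan tasks earlier in this commit use `loop:`. The three lines to change are `state: absent` added under the second `package:`, `state: started`, and `loop:`; `become: yes` could also become `become: true` per yamllint's truthy rule, though the rest of the repository uses `yes`, so that is a repo-wide choice rather than a fix for this file.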


@ -1,4 +1,4 @@
--- ---
- command: ./scripts/generate-dhcp.py - command: ./scripts/generate-dhcp.py
delegate_to: localhost delegate_to: localhost


@ -6,7 +6,7 @@ The WebServer serves content on the Web -- its name is simple to match the funct
# Relevant Files and Software # Relevant Files and Software
Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi. Configuration files live in [/opt/openresty/nginx/](file:///opt/openresty/nginx), including ciphersuites, URI redirection, and pathing. It can be validated with the `openresty -t` command. Webserver isn't meant to hold files itself -- it generally proxies and SSL-terminates connections for other apps, using location-based hosting and fastcgi.
Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps. Of security note are the default.csp.conf and sec.conf files in [the conf folder](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf). These files include our security remediations, as we have been able to get them to work with our apps.
**Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now. **Please note:** We offer a redirect on www.aninix.net and http://aninix.net:80/ only as a legacy convenience as browsers do not yet support 443 by default -- no data is transmitted on these. When the webhosting community acknowledges the death of the empty www. subdomain and the necessity of encryption, we will drop these. However, for usability, we include them for now.


@ -1,25 +1,25 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name default_server; server_name default_server;
include sec.conf;
include letsencrypt.conf;
include default.csp.conf;
rewrite ^/(.*)$ https://aninix.net/$1 permanent;
}
server {
listen 443 ssl http2;
server_name aninix.net;
include sec.conf; include sec.conf;
include letsencrypt.conf;
include default.csp.conf; include default.csp.conf;
location / location / {
{
rewrite ^/martialarts(\/*)$ /assets/martialarts/index.html; rewrite ^/martialarts(\/)*(\/index.html)*$ /assets/martialarts/index.html;
rewrite /shadowarch /AniNIX/ShadowArch/raw/branch/main/EtcFiles/shadowarch
location /aninix.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
}
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
}
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
@ -27,8 +27,19 @@ server {
proxy_pass http://127.0.0.1:3000; proxy_pass http://127.0.0.1:3000;
} }
location /whatismyip location /aninix.xml {
{ proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /aninix.xml /AniNIX/Wiki/raw/branch/main/rss/aninix.xml;
}
location /martialarts/maqotw.xml {
proxy_hide_header Content-Type;
add_header content-type "application/atom+xml";
rewrite /martialarts/maqotw.xml /AniNIX/Wiki/raw/branch/main/rss/maqotw.xml;
}
location /whatismyip {
include ../conf.d/fastcgi.config; include ../conf.d/fastcgi.config;
root /usr/share/webapps/aninix/; root /usr/share/webapps/aninix/;
location ~* whatismyip { location ~* whatismyip {
@ -36,12 +47,10 @@ server {
expires max; expires max;
} }
} }
location /blackpage
{ location /blackpage {
root /usr/share/webapps/aninix/; root /usr/share/webapps/aninix/;
try_files $uri /blackpage.html; try_files $uri /blackpage.html;
} }
include letsencrypt.conf;
} }
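Review bot: In the new catch-all block, `server_name default_server;` declares a host literally named default_server; the `default_server` flag belongs on the `listen` directive, so as written nginx still picks whichever `listen 443` server block is loaded first as the default for unmatched SNI/Host values, which depends on include order rather than on this file. Write the block as `listen 443 ssl http2 default_server;`, `server_name _;`, and `return 301 https://aninix.net$request_uri;` — `return` is the idiomatic redirect and skips the per-request regex evaluation of `rewrite`. Separately, the `rewrite /shadowarch …` line inside `location /` is shown without a terminating `;`, which `openresty -t` would reject; worth confirming against the file, since the rendered page may have dropped it.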


@ -1,6 +1,6 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name adhan.aninix.net; server_name adhan.aninix.net;
include sec.conf; include sec.conf;
include default.csp.conf; include default.csp.conf;


@ -1,4 +1,4 @@
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
} }


@ -2,7 +2,7 @@ server {
listen 443 ssl; listen 443 ssl;
server_name lykos.aninix.net; server_name lykos.aninix.net;
include letsencrypt.conf; include letsencrypt.conf;
root /usr/share/webapps/; root /usr/share/webapps/;


@ -1,19 +1,19 @@
server { server {
listen 443 ssl http2; listen 443 ssl http2;
server_name password.aninix.net; server_name password.aninix.net;
include sec.conf; include sec.conf;
include default.csp.conf; include default.csp.conf;
include letsencrypt.conf; include letsencrypt.conf;
root /usr/share/webapps/self-service-password/htdocs/; root /usr/share/webapps/self-service-password/htdocs/;
# https://ltb-project.org/documentation/self-service-password/1.3/config_nginx # https://ltb-project.org/documentation/self-service-password/1.3/config_nginx
index index.php index.html index.htm; index index.php index.html index.htm;
# Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html # Disable sendfile as per https://docs.vagrantup.com/v2/synced-folders/virtualbox.html
sendfile off; sendfile off;
gzip on; gzip on;
gzip_comp_level 6; gzip_comp_level 6;
gzip_min_length 1000; gzip_min_length 1000;
@ -21,24 +21,24 @@ server {
gzip_vary on; gzip_vary on;
gzip_proxied any; gzip_proxied any;
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# Add stdout logging # Add stdout logging
#error_log /dev/stdout warn; #error_log /dev/stdout warn;
#access_log /dev/stdout info; #access_log /dev/stdout info;
include ../conf.d/fastcgi.config; include ../conf.d/fastcgi.config;
# deny access to . files, for security # deny access to . files, for security
# #
location ~ /\.\. { location ~ /\.\. {
log_not_found off; log_not_found off;
deny all; deny all;
} }
location ~ /scripts { location ~ /scripts {
log_not_found off; log_not_found off;
deny all; deny all;
} }
} }


@ -7,7 +7,7 @@ server {
# include default.csp.conf; # include default.csp.conf;
include local.conf; include local.conf;
include letsencrypt.conf; include letsencrypt.conf;
location / location /
{ {


@ -1,6 +1,6 @@
server { server {
listen 443 ssl; listen 443 ssl;
server_name singularity.aninix.net; server_name singularity.aninix.net;
include sec.conf; include sec.conf;
include default.csp.conf; include default.csp.conf;


@ -1,5 +1,5 @@
ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem; ssl_certificate /etc/letsencrypt/live/aninix.net-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/aninix.net-0001/privkey.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;


@ -58,13 +58,13 @@
service: service:
name: openresty name: openresty
state: stopped state: stopped
enabled: no enabled: no
- name: Ensure service is started - name: Ensure service is started
become: yes become: yes
when: conf.changed or confd.changed when: conf.changed or confd.changed
service: service:
name: "{{ item }}" name: "{{ item }}"
enabled: yes enabled: yes
state: restarted state: restarted
loop: loop:


@ -0,0 +1,25 @@
---
- name: Packages
become: yes
package:
name:
- wolfpack
- name: Config
become: yes
copy:
src: "{{ inventory_hostname }}"
dest: /usr/local/etc/WolfPack
- name: Timer
become: yes
systemd:
name: "{{ wolfpack_service | default('wolfpack.timer') }}"
state: started
enabled: yes
daemon_reload: yes
# TODO Add sshfs and mountpoint for Darknet
# TODO Add config folders and restart daemon on change
# TODO Deprecate offload-wolfpack for Deluge move to sshfs
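Review bot: The Config task's `copy:` (the `src`/`dest` pair above the Timer task) sets no `owner`, `group` or `mode`, so `/usr/local/etc/WolfPack` is written with whatever the target's umask default gives it; a per-host service configuration should have its permissions pinned to the least the wolfpack service needs, e.g. `owner: root`, `group: <service group — confirm>`, `mode: "0640"`, rather than inherited. Also, `src: "{{ inventory_hostname }}"` has no trailing slash, so if the per-host source is (or becomes) a directory it is nested under the destination as `/usr/local/etc/WolfPack/<hostname>/` instead of populating it; the TODO about config folders suggests that case is coming, so settling the trailing-slash form now avoids a silent layout change later.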


@ -3,12 +3,12 @@
- name: Yggdrasil packages - name: Yggdrasil packages
become: yes become: yes
package: package:
name: name:
- emby-server - emby-server
- name: Yggdrasil directories - name: Yggdrasil directories
become: yes become: yes
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
owner: http owner: http
@ -24,7 +24,7 @@
- /srv/yggdrasil/Software - /srv/yggdrasil/Software
- name: LiveTV channels - name: LiveTV channels
command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 {{ iptv_location }} 2>&1 | egrep -v '^--$'" command: /bin/bash -c "curl -s https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | egrep -A 1 '{{ iptv_location }}' 2>&1 | egrep -v '^--$'"
register: livetv_channels register: livetv_channels
- name: Write to file - name: Write to file
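Review bot: The `{{ iptv_location }}` on the LiveTV task's `command:` line is still spliced into a bash string even with the new single quotes, so a `'` in the inventory value ends the quoting; `{{ iptv_location | quote }}` is the robust form. The pipeline also reports success whenever the last `egrep` succeeds: with plain `curl -s` and no `pipefail`, a failed or non-200 download (its body, or its error text given `2>&1`) flows into `livetv_channels` as if it were channel data, and since the m3u is fetched unpinned from a third-party repository on every run, nothing checks it before it is consumed downstream. `command:` invoking `/bin/bash -c` is effectively `shell:`, and with no `changed_when` every run reports a change. The enclosing task list continues past the hunk (the Write to file task); a reworked task is below.
```yaml
- name: LiveTV channels
  shell: |
    set -o pipefail
    curl -sSf https://raw.githubusercontent.com/iptv-org/iptv/master/streams/us.m3u | grep -E -A 1 -- {{ iptv_location | quote }} | grep -E -v '^--$'
  args:
    executable: /bin/bash
  register: livetv_channels
  changed_when: false
# … unchanged: Write to file task …
```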


@ -0,0 +1,5 @@
---
- debug:
msg: Importing common handlers.
### DO NOT CHANGE THIS FILE
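Review bot: The `- debug:` task has no `name:`, so it appears as an anonymous task in play output and, if this file is loaded as a handlers list (its message says it is importing common handlers), it cannot be notified by anything; give it a name such as `- name: Import common handlers`. The trailing `### DO NOT CHANGE THIS FILE` would be more visible at the top, directly under `---`, where a reader meets it before the content.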


@ -24,7 +24,7 @@
group: root group: root
mode: 0700 mode: 0700
register: udev_iosched register: udev_iosched
- name: Reload udev - name: Reload udev
become: yes become: yes
command: /bin/bash -c 'udevadm control --reload; udevadm trigger' command: /bin/bash -c 'udevadm control --reload; udevadm trigger'


@ -4,8 +4,8 @@
register: df_output register: df_output
- name: Verify /var space - name: Verify /var space
assert: assert:
that: that:
- 90 > {{ df_output.stdout }} - 90 > {{ df_output.stdout }}
fail_msg: "Not enough free space" fail_msg: "Not enough free space"


@ -1,7 +0,0 @@
import os
import re
import pytest
from modules import netdetect
def test_netdetect_usage():
assert True