Fixing Nazara errors
This commit is contained in:
parent
5d04f1b393
commit
a881363b9b
@ -12,8 +12,9 @@ import os
|
|||||||
import sys
|
import sys
|
||||||
import yaml
|
import yaml
|
||||||
|
|
||||||
dnsfilepath="roles/Nazara/files/dns"
|
rolepath='../roles/Nazara/files'
|
||||||
dhcpfilepath="roles/Nazara/files/dhcp"
|
dnsfilepath=rolepath+"/dns"
|
||||||
|
dhcpfilepath=rolepath+"/dhcp"
|
||||||
|
|
||||||
def WriteDHCPEntry(content,hosttype,hostclass):
|
def WriteDHCPEntry(content,hosttype,hostclass):
|
||||||
### Create the DHCP entry
|
### Create the DHCP entry
|
||||||
@ -25,7 +26,7 @@ def WriteDHCPEntry(content,hosttype,hostclass):
|
|||||||
with open(dhcpfilepath,'a') as dhcpfile:
|
with open(dhcpfilepath,'a') as dhcpfile:
|
||||||
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
|
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
|
||||||
try:
|
try:
|
||||||
dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
|
dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
|
||||||
except:
|
except:
|
||||||
print(host + ' is not complete for DHCP.')
|
print(host + ' is not complete for DHCP.')
|
||||||
|
|
||||||
@ -39,7 +40,7 @@ def WriteDNSEntry(content,hosttype,hostclass):
|
|||||||
with open(dnsfilepath,'a') as dnsfile:
|
with open(dnsfilepath,'a') as dnsfile:
|
||||||
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
|
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
|
||||||
try:
|
try:
|
||||||
dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n')
|
dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n')
|
||||||
except:
|
except:
|
||||||
print(host + ' is not complete for DNS.')
|
print(host + ' is not complete for DNS.')
|
||||||
|
|
||||||
@ -48,6 +49,9 @@ def GenerateFiles(file):
|
|||||||
# param file: the file to work on
|
# param file: the file to work on
|
||||||
global dnsfile
|
global dnsfile
|
||||||
|
|
||||||
|
if not os.path.isdir(rolepath):
|
||||||
|
os.mkdir(rolepath)
|
||||||
|
|
||||||
# Parse the yaml
|
# Parse the yaml
|
||||||
with open(file, 'r') as stream:
|
with open(file, 'r') as stream:
|
||||||
content = yaml.safe_load(stream)
|
content = yaml.safe_load(stream)
|
||||||
@ -55,7 +59,6 @@ def GenerateFiles(file):
|
|||||||
# Clear the DNS file
|
# Clear the DNS file
|
||||||
with open(dhcpfilepath,'w') as dhcpfile:
|
with open(dhcpfilepath,'w') as dhcpfile:
|
||||||
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
|
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
|
||||||
dhcpfile.write('dhcp-option=option:router,'+content['all']['vars']['router']+'\n')
|
|
||||||
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
|
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
|
||||||
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
|
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
|
||||||
with open(dnsfilepath,'w') as dnsfile:
|
with open(dnsfilepath,'w') as dnsfile:
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system.
|
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
|
||||||
|
|
||||||
**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
|
**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
|
||||||
|
|
||||||
|
@ -8,9 +8,9 @@ Grimoire has a user, postgres, with a home directory of `/var/lib/postgres/`. Th
|
|||||||
|
|
||||||
## Backups
|
## Backups
|
||||||
Backups are provided by [AniNIX/Aether](../Aether). They can be restored with the following:
|
Backups are provided by [AniNIX/Aether](../Aether). They can be restored with the following:
|
||||||
<pre>
|
```
|
||||||
psql -U dbuser -d db -f backup.sql
|
psql -U dbuser -d db -f backup.sql
|
||||||
</pre>
|
```
|
||||||
|
|
||||||
# Available Clients
|
# Available Clients
|
||||||
There are no clients for the Grimoire -- Singularity and Wiki maintain their tables.
|
There are no clients for the Grimoire -- Singularity and Wiki maintain their tables.
|
||||||
|
2
roles/Nazara/files/pihole-FTL.conf
Normal file
2
roles/Nazara/files/pihole-FTL.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
PRIVACYLEVEL=0
|
||||||
|
RATE_LIMIT=1000/5
|
@ -9,11 +9,17 @@
|
|||||||
|
|
||||||
- name: Install pi-hole if needed
|
- name: Install pi-hole if needed
|
||||||
become: yes
|
become: yes
|
||||||
|
register: pihole_install
|
||||||
command:
|
command:
|
||||||
creates: /usr/bin/pihole-FTL
|
creates: /usr/bin/pihole-FTL
|
||||||
cmd: bash basic-install.sh
|
cmd: false # bash basic-install.sh
|
||||||
chdir: '/opt/pi-hole/automated install'
|
chdir: '/opt/pi-hole/automated install'
|
||||||
|
|
||||||
|
- name: Ensure pihole web admin password
|
||||||
|
become: yes
|
||||||
|
command: "pihole -a -p {{ passwords['Nazara'] }}"
|
||||||
|
# when: pihole_install.changed
|
||||||
|
|
||||||
- name: Generate DNS/DHCP from inventory
|
- name: Generate DNS/DHCP from inventory
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
run_once: true
|
run_once: true
|
||||||
@ -29,11 +35,6 @@
|
|||||||
group: pihole
|
group: pihole
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Reload dns
|
|
||||||
become: yes
|
|
||||||
command: "pihole restartdns"
|
|
||||||
when: dns_updated.changed
|
|
||||||
|
|
||||||
- name: Nazara DHCP
|
- name: Nazara DHCP
|
||||||
become: yes
|
become: yes
|
||||||
register: dhcp_updated
|
register: dhcp_updated
|
||||||
@ -44,8 +45,36 @@
|
|||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
|
- name: Nazara Configuration
|
||||||
|
become: yes
|
||||||
|
register: conf_updated
|
||||||
|
copy:
|
||||||
|
src: pihole-FTL.conf
|
||||||
|
dest: /etc/pihole/pihole-FTL.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
|
||||||
|
|
||||||
|
- name: Nazara DHCP Leases dir
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /var/lib/misc/
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0777
|
||||||
|
|
||||||
|
- name: Nazara DHCP Leases
|
||||||
|
become: yes
|
||||||
|
file:
|
||||||
|
path: /var/lib/misc/dnsmasq.leases
|
||||||
|
state: touch
|
||||||
|
owner: pihole
|
||||||
|
group: pihole
|
||||||
|
mode: 0660
|
||||||
|
|
||||||
- name: Reload services
|
- name: Reload services
|
||||||
become: yes
|
become: yes
|
||||||
command: pihole restartdns
|
command: pihole restartdns
|
||||||
when: dns_updated.changed or dhcp_updated.changed
|
when: dns_updated.changed or dhcp_updated.changed or conf_updated.changed
|
||||||
|
|
||||||
|
@ -1,18 +1,17 @@
|
|||||||
Remote access is important in the AniNIX, and so we support the use of the [https://wiki.archlinux.org/index.php/Secure_Shell OpenSSH] protocol via [[ShadowArch]] to supporting hosts.
|
Remote access is important in the AniNIX, and so we support the use of the [OpenSSH](https://wiki.archlinux.org/index.php/Secure_Shell) protocol to supporting hosts.
|
||||||
|
|
||||||
# Etymology
|
# Etymology
|
||||||
SSH is named for the protocol on which it's built.
|
SSH is named for the protocol on which it's built. It's so ubiquitous that we don't rename it.
|
||||||
|
|
||||||
# Relevant Files and Software
|
# Relevant Files and Software
|
||||||
Most of this service's configuration lives in [file:///etc/ssh/sshd_config sshd_config]. This includes match statements on what groups are allowed to connect, allowed protocols, and somewhat importantly the ForceCommand directives that hold certain users captive to specific operations.
|
Most of this service's configuration lives in [sshd_config](files/sshd_config) as specified in [sshd_config(5)](https://man.archlinux.org/man/core/openssh/sshd_config.5.en). This includes match statements on what groups are allowed to connect, allowed protocols, and somewhat importantly the ForceCommand directives that hold certain users captive to specific operations.
|
||||||
|
|
||||||
VNC and X11 forwarding can be used over SSH to allow graphical clients. X11 forwarding without SSH compression is generally slower. To allow VNC, log in over SSH and forward remote port 5901 to localhost port 5901. Start the VNC server on the remote, and use a VNC viewer like tightVNC portable to view the remote desktop.
|
VNC and X11 forwarding can be used over SSH to allow graphical clients. X11 forwarding without SSH compression is generally slower. To allow VNC, log in over SSH and forward remote port 5901 to localhost port 5901. Start the VNC server on the remote, and use a VNC viewer like tightVNC portable to view the remote desktop.
|
||||||
|
|
||||||
|
This role does expect that you have a public key in your `.ssh` folder named `deploy.pub`. This public key will be put on all servers, and as such it is intrinsically necessary that there be a passphrase on the private key to protect it from compromise. [AniNIX/ShadowArch](/AniNIX/ShadowArch) will provide a convenient [service file](/AniNIX/ShadowArch/src/branch/main/EtcFiles/ssh-agent@.service) to wrap the ssh-agent service for you to make working with this key easier.
|
||||||
|
|
||||||
# Available Clients
|
# Available Clients
|
||||||
* Windows users should use [http://www.putty.org/ PuTTY]. The AniNIX considers this important enough that a copy of PuTTY is mirrored in [https://aninix.net/wolfpack/ WolfPack].[[Category:CachedClient]]
|
|
||||||
* Mac has a native client in their Terminal application.
|
* Mac has a native client in their Terminal application.
|
||||||
* Linux users can install [https://wiki.archlinux.org/index.php/Secure_Shell openssh].
|
* Windows users should use [Git Bash](https://git-scm.com/download/win).
|
||||||
* Android users can use [https://serverauditor.com/ Server Auditor].
|
* Linux users can install [openssh](https://archlinux.org/packages/core/x86_64/openssh/).
|
||||||
}}
|
* Android users can use [AdminHands](https://play.google.com/store/apps/details?id=com.arpaplus.adminhands).
|
||||||
[[Category:Public_Service]]
|
|
||||||
[[Category:LDAP]]
|
|
||||||
|
@ -29,6 +29,26 @@ TODO
|
|||||||
|
|
||||||
## Monit
|
## Monit
|
||||||
|
|
||||||
|
## Graylog
|
||||||
|
|
||||||
|
## Elasticsearch
|
||||||
|
Elasticsearch acts as graylog's data backend.
|
||||||
|
|
||||||
|
We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
|
||||||
|
|
||||||
|
1. Stop elasticsearch
|
||||||
|
1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
|
||||||
|
1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*`
|
||||||
|
1. Restart elasticsearch
|
||||||
|
1. Retry shard allocation:
|
||||||
|
```
|
||||||
|
curl -X POST http://127.0.0.1:9200/_cluster/reroute?retry_failed=true
|
||||||
|
curl -XGET localhost:9200/_cluster/allocation/explain?pretty
|
||||||
|
```
|
||||||
|
|
||||||
|
## Mongodb
|
||||||
|
MongoDB holds the graylog config for us.
|
||||||
|
|
||||||
# Available Clients
|
# Available Clients
|
||||||
See [[WebServer#Available Clients|AniNIX::Webserver's client list]].
|
See [[WebServer#Available Clients|AniNIX::Webserver's client list]].
|
||||||
|
|
||||||
|
14
roles/WolfPack/README.md
Normal file
14
roles/WolfPack/README.md
Normal file
@ -0,0 +1,14 @@
|
|||||||
|
WolfPack is a webcrawler for the AniNIX. Public results from Core's instance will be available from [https://wolfpack.aninix.net/wolfpack the WebServer] -- this may be locked to admins, for reproducibility reasons.
|
||||||
|
|
||||||
|
Note: Code for this service is encoded in [the WolfPack repo](/AniNIX/WolfPack) rather than here -- we just include the package.
|
||||||
|
|
||||||
|
# Etymology
|
||||||
|
WolfPack is named for its operation. "Pups" live on disk as .pup files -- these will grow up and retrieve the results that feed the system. An alpha sends pack members to raise a pup and collect the results for the pack. This role will update configuration to [the configuration directory](file:///usr/local/etc/WolfPack).
|
||||||
|
|
||||||
|
## VPN protection and Offloading.
|
||||||
|
Some countries and areas take issue with some searches and downloads. As such, the offload-wolfpack executable will allow a [DarkNet](../DarkNet) service, deployed on a unique host, to merge results. In your Ansible inventory, set the wolfpack_service YAML variable for the host to `offload-wolfpack@somehost.timer` to enable that service instead of the normal wolfpack.timer.
|
||||||
|
|
||||||
|
This requires SSH keys to be set up between the offloading hosts and the target location, but this will run some version of wolfpack and send the results to the target. This is helpful for a server like Core that requires network uptime and stable external accessibility but needs VPN functionality for anonymity. This requires significant user intervention and customization -- this option is provided as a stub.
|
||||||
|
|
||||||
|
## Alternatives
|
||||||
|
Google Alerts can provide an alternative to the Wolfpack's search pup type. Downloads can be done manually, and some torrent clients will have search and queuing options.
|
8
roles/Yggdrasil/package/README.md
Normal file
8
roles/Yggdrasil/package/README.md
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
This is a collection of scripts we use for managing yggdrasil data.
|
||||||
|
|
||||||
|
1. yggdrasil-get: API for pulling data into Yggdrasil.
|
||||||
|
1. yggdrasil-lock: API for setting permissions safely.
|
||||||
|
1. yggdrasil-set-music-data: API for updating a music file with the new detected metadata from the path. Assumes `/srv/yggdrasil/Music/$genre/$artist/$album`.
|
||||||
|
1. yggdrasil-sha256: Get a SHA-256 hash of the current library. This is good for checking media changes over time in conjunction with [AniNIX/Aether](/AniNIX/Aether).
|
||||||
|
1. yggdrasil-sort-shows: Look at `/srv/yggdrasil/new_acquisition` and try to find the right folder in `/srv/yggdrasil/Videos/Shows` to stash it in. Will try to put it under the show name and the season.
|
||||||
|
1. yggdrasil-unlock: API for allowing writes to media.
|
1
roles/common/README.md
Normal file
1
roles/common/README.md
Normal file
@ -0,0 +1 @@
|
|||||||
|
This role is only intended as a library of handlers to be shared between roles in this project.
|
Loading…
Reference in New Issue
Block a user