Fixing Nazara errors

This commit is contained in:
DarkFeather 2022-03-25 06:08:12 -05:00
parent 5d04f1b393
commit a881363b9b
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
10 changed files with 102 additions and 26 deletions

View File

@ -12,8 +12,9 @@ import os
import sys import sys
import yaml import yaml
dnsfilepath="roles/Nazara/files/dns" rolepath='../roles/Nazara/files'
dhcpfilepath="roles/Nazara/files/dhcp" dnsfilepath=rolepath+"/dns"
dhcpfilepath=rolepath+"/dhcp"
def WriteDHCPEntry(content,hosttype,hostclass): def WriteDHCPEntry(content,hosttype,hostclass):
### Create the DHCP entry ### Create the DHCP entry
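Review bot: `rolepath='../roles/Nazara/files'` is relative to the process's current working directory, so the script only finds the role when it is launched from one particular directory (the old `roles/Nazara/files` value assumed the repository root instead). Anchoring it on the script's own location, e.g. `rolepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', 'roles', 'Nazara', 'files')`, removes that dependency; `os` is already imported at the top of the file.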
@ -25,7 +26,7 @@ def WriteDHCPEntry(content,hosttype,hostclass):
with open(dhcpfilepath,'a') as dhcpfile: with open(dhcpfilepath,'a') as dhcpfile:
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']: for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try: try:
dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n') dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
except: except:
print(host + ' is not complete for DHCP.') print(host + ' is not complete for DHCP.')
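Review bot: the bare `except:` around the `dhcpfile.write(...)` call hides more than a missing `mac` or `ip` key: it also swallows I/O errors and `KeyboardInterrupt`, and the message does not say which field was absent. Catch `KeyError as e` and include `e` in the message so an inventory entry that is silently left out of the DHCP file is easy to spot. Since this hunk moves `mac` and `ip` from `['vars']` to directly under the host, any host still in the old layout will now be dropped from the file with only a print to show for it, so the inventory should be checked for stragglers.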
@ -39,7 +40,7 @@ def WriteDNSEntry(content,hosttype,hostclass):
with open(dnsfilepath,'a') as dnsfile: with open(dnsfilepath,'a') as dnsfile:
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']: for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try: try:
dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vars']['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n') dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n')
except: except:
print(host + ' is not complete for DNS.') print(host + ' is not complete for DNS.')
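Review bot: same point as the DHCP writer above: the bare `except:` around `dnsfile.write(...)` should be `except KeyError as e` so that only the expected missing-field case is skipped and the error text names the field. Because a host missing `ip` is excluded from both the DNS and the DHCP file, consider validating the inventory once up front and failing the run; a silently incomplete `dns` file is much harder to notice than a failed playbook.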
@ -48,6 +49,9 @@ def GenerateFiles(file):
# param file: the file to work on # param file: the file to work on
global dnsfile global dnsfile
if not os.path.isdir(rolepath):
os.mkdir(rolepath)
# Parse the yaml # Parse the yaml
with open(file, 'r') as stream: with open(file, 'r') as stream:
content = yaml.safe_load(stream) content = yaml.safe_load(stream)
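Review bot: `os.mkdir(rolepath)` creates only the last path component, so it raises `FileNotFoundError` when `../roles/Nazara` itself is missing, and the `isdir` check followed by `mkdir` is a check-then-act race. `os.makedirs(rolepath, exist_ok=True)` covers both. The `global dnsfile` in the context line above is also unneeded: `dnsfile` is only ever bound inside `with` blocks and the helper functions open the path themselves.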
@ -55,7 +59,6 @@ def GenerateFiles(file):
# Clear the DNS file # Clear the DNS file
with open(dhcpfilepath,'w') as dhcpfile: with open(dhcpfilepath,'w') as dhcpfile:
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n') dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
dhcpfile.write('dhcp-option=option:router,'+content['all']['vars']['router']+'\n')
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n') dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n') dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
with open(dnsfilepath,'w') as dnsfile: with open(dnsfilepath,'w') as dnsfile:
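Review bot: dropping the `dhcp-option=option:router,...` line means dnsmasq falls back to its default of advertising its own address as the router, so this is only correct when the Nazara host is also the network's gateway; if it is not, clients will get a lease but no usable default route. If the intent is to stop depending on the `router` inventory variable, say so in the commit message or a comment. Separately, the `# Clear the DNS file` comment sits above the block that (re)writes the DHCP file.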
@ -63,7 +66,7 @@ def GenerateFiles(file):
# Add DNS entries for each host # Add DNS entries for each host
hosttype = 'managed' hosttype = 'managed'
for hostclass in ['physical','virtual','geth_hubs']: for hostclass in ['physical','virtual','geth_hubs']:
WriteDNSEntry(content,hosttype,hostclass) WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass) WriteDHCPEntry(content,hosttype,hostclass)
hosttype = 'unmanaged' hosttype = 'unmanaged'
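Review bot: no textual change is visible in this hunk, so it is presumably whitespace-only; keeping whitespace cleanups out of a functional fix commit keeps the diff reviewable.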

View File

@ -1,4 +1,4 @@
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html). **Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
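Review bot: the added sentence says Cyberbrain can stand in for the Terminal & SSH add-on "in cases where a separate security posture is needed for each" but does not say what differs: who is authorized, how a session is authenticated, or whether it is reachable beyond the LAN. One sentence on where authorization is enforced would make the Warning paragraph that follows actionable.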

View File

@ -8,9 +8,9 @@ Grimoire has a user, postgres, with a home directory of `/var/lib/postgres/`. Th
## Backups ## Backups
Backups are provided by [AniNIX/Aether](../Aether). They can be restored with the following: Backups are provided by [AniNIX/Aether](../Aether). They can be restored with the following:
<pre> ```
psql -U dbuser -d db -f backup.sql psql -U dbuser -d db -f backup.sql
</pre> ```
# Available Clients # Available Clients
There are no clients for the Grimoire -- Singularity and Wiki maintain their tables. There are no clients for the Grimoire -- Singularity and Wiki maintain their tables.
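Review bot: the new fence has no language tag; tagging it `shell` gives highlighting and makes clear it is a command, not output. `dbuser` and `db` in `psql -U dbuser -d db -f backup.sql` read as placeholders, so say so, and note that `-f` executes the dump as a script and therefore needs to be run as a role that owns the target objects.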

View File

@ -0,0 +1,2 @@
PRIVACYLEVEL=0
RATE_LIMIT=1000/5
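Review bot: `RATE_LIMIT=1000/5` uses FTL's `queries/seconds` format, so this allows 1000 queries per 5 seconds per client (the FTL default is 1000/60); if the goal was 1000 per 5 minutes, the value should be `1000/300`. Either way, a comment explaining which client needed the higher ceiling would help, since the rate limit is what keeps a single misbehaving host from flooding the resolver. `PRIVACYLEVEL=0` keeps full client address and domain in the query log; that is already the default, so state whether it is set deliberately.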

View File

@ -9,11 +9,17 @@
- name: Install pi-hole if needed - name: Install pi-hole if needed
become: yes become: yes
register: pihole_install
command: command:
creates: /usr/bin/pihole-FTL creates: /usr/bin/pihole-FTL
cmd: bash basic-install.sh cmd: false # bash basic-install.sh
chdir: '/opt/pi-hole/automated install' chdir: '/opt/pi-hole/automated install'
- name: Ensure pihole web admin password
become: yes
command: "pihole -a -p {{ passwords['Nazara'] }}"
# when: pihole_install.changed
- name: Generate DNS/DHCP from inventory - name: Generate DNS/DHCP from inventory
delegate_to: localhost delegate_to: localhost
run_once: true run_once: true
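Review bot: `cmd: false # bash basic-install.sh` is not a comment: with the `command` module the whole string is the argv, so on any host where `/usr/bin/pihole-FTL` does not yet exist the task runs `false` and fails the play. If the automated installer is being disabled on purpose, drop the task or add `when: false` and keep the original `cmd`. In the new password task the secret is passed on the command line of `pihole -a -p`, so it shows up in `ps` output and in Ansible's task output; add `no_log: true`. With `when: pihole_install.changed` commented out the task also runs and reports `changed` on every play, so add a `changed_when` or restore the condition.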
@ -29,11 +35,6 @@
group: pihole group: pihole
mode: 0644 mode: 0644
- name: Reload dns
become: yes
command: "pihole restartdns"
when: dns_updated.changed
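Review bot: folding the separate `Reload dns` task into the `Reload services` task at the end of the role is fine since that task still keys on `dns_updated.changed`; just note that the restart now happens later, so any task placed between the DNS copy and the reload will see the old resolver state.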
- name: Nazara DHCP - name: Nazara DHCP
become: yes become: yes
register: dhcp_updated register: dhcp_updated
@ -44,8 +45,36 @@
group: root group: root
mode: 0644 mode: 0644
- name: Nazara Configuration
become: yes
register: conf_updated
copy:
src: pihole-FTL.conf
dest: /etc/pihole/pihole-FTL.conf
owner: root
group: root
mode: 0644
- name: Nazara DHCP Leases dir
become: yes
file:
path: /var/lib/misc/
state: directory
owner: root
group: root
mode: 0777
- name: Nazara DHCP Leases
become: yes
file:
path: /var/lib/misc/dnsmasq.leases
state: touch
owner: pihole
group: pihole
mode: 0660
- name: Reload services - name: Reload services
become: yes become: yes
command: pihole restartdns command: pihole restartdns
when: dns_updated.changed or dhcp_updated.changed when: dns_updated.changed or dhcp_updated.changed or conf_updated.changed
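Review bot: `mode: 0777` on `/var/lib/misc/` makes the leases directory world-writable with no sticky bit, so any local user can create, replace or unlink files there, including a `dnsmasq.leases` that FTL then reads as trusted lease state. dnsmasq only needs write access to the leases file, which the next task already hands to `pihole:pihole` at 0660, so the directory can stay `root:root` 0755 (the distribution default for `/var/lib/misc`). Smaller point: `state: touch` updates the timestamps on every run, so that task always reports `changed` unless `access_time: preserve` and `modification_time: preserve` are set.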

View File

@ -1,18 +1,17 @@
Remote access is important in the AniNIX, and so we support the use of the [https://wiki.archlinux.org/index.php/Secure_Shell OpenSSH] protocol via [[ShadowArch]] to supporting hosts. Remote access is important in the AniNIX, and so we support the use of the [OpenSSH](https://wiki.archlinux.org/index.php/Secure_Shell) protocol to supporting hosts.
# Etymology # Etymology
SSH is named for the protocol on which it's built. SSH is named for the protocol on which it's built. It's so ubiquitous that we don't rename it.
# Relevant Files and Software # Relevant Files and Software
Most of this service's configuration lives in [file:///etc/ssh/sshd_config sshd_config]. This includes match statements on what groups are allowed to connect, allowed protocols, and somewhat importantly the ForceCommand directives that hold certain users captive to specific operations. Most of this service's configuration lives in [sshd_config](files/sshd_config) as specified in [sshd_config(5)](https://man.archlinux.org/man/core/openssh/sshd_config.5.en). This includes match statements on what groups are allowed to connect, allowed protocols, and somewhat importantly the ForceCommand directives that hold certain users captive to specific operations.
VNC and X11 forwarding can be used over SSH to allow graphical clients. X11 forwarding without SSH compression is generally slower. To allow VNC, log in over SSH and forward remote port 5901 to localhost port 5901. Start the VNC server on the remote, and use a VNC viewer like tightVNC portable to view the remote desktop. VNC and X11 forwarding can be used over SSH to allow graphical clients. X11 forwarding without SSH compression is generally slower. To allow VNC, log in over SSH and forward remote port 5901 to localhost port 5901. Start the VNC server on the remote, and use a VNC viewer like tightVNC portable to view the remote desktop.
This role does expect that you have a public key in your `.ssh` folder named `deploy.pub`. This public key will be put on all servers, and as such it is intrinsically necessary that there be a passphrase on the private key to protect it from compromise. [AniNIX/ShadowArch](/AniNIX/ShadowArch) will provide a convenient [service file](/AniNIX/ShadowArch/src/branch/main/EtcFiles/ssh-agent@.service) to wrap the ssh-agent service for you to make working with this key easier.
# Available Clients # Available Clients
* Windows users should use [http://www.putty.org/ PuTTY]. The AniNIX considers this important enough that a copy of PuTTY is mirrored in [https://aninix.net/wolfpack/ WolfPack].[[Category:CachedClient]]
* Mac has a native client in their Terminal application. * Mac has a native client in their Terminal application.
* Linux users can install [https://wiki.archlinux.org/index.php/Secure_Shell openssh]. * Windows users should use [Git Bash](https://git-scm.com/download/win).
* Android users can use [https://serverauditor.com/ Server Auditor]. * Linux users can install [openssh](https://archlinux.org/packages/core/x86_64/openssh/).
}} * Android users can use [AdminHands](https://play.google.com/store/apps/details?id=com.arpaplus.adminhands).
[[Category:Public_Service]]
[[Category:LDAP]]
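Review bot: the new paragraph says `deploy.pub` is put on all servers but not which account's `authorized_keys` it lands in or whether a `Match` block in sshd_config restricts it; naming the user here ties the requirement to the ForceCommand text above. The VNC instructions would also benefit from the actual command, e.g. `ssh -L 5901:localhost:5901 host`, since "forward remote port 5901 to localhost port 5901" reads ambiguously between `-L` and `-R`.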

View File

@ -29,6 +29,26 @@ TODO
## Monit ## Monit
## Graylog
## Elasticsearch
Elasticsearch acts as graylog's data backend.
We have seen issues where poor disk i/o or unplanned shutdown can cause Elasticsearch to have index corruption.
1. Stop elasticsearch
1. From `/usr/share/elasticsearch/lib`, you can use `java -cp lucene-core*.jar -ea:org.apache.lucene... org.apache.lucene.index.CheckIndex /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index -verbose -exorcise` (on the right index) to exorcise the corrupted data.
1. Remove corruption flags: `rm /usr/share/elasticsearch/data/nodes/0/indices/1nJc43t7TGuHmVR3Q5w9PA/1/index/corrupted_*`
1. Restart elasticsearch
1. Retry shard allocation:
```
curl -X POST http://127.0.0.1:9200/_cluster/reroute?retry_failed=true
curl -XGET localhost:9200/_cluster/allocation/explain?pretty
```
## Mongodb
MongoDB holds the graylog config for us.
# Available Clients # Available Clients
See [[WebServer#Available Clients|AniNIX::Webserver's client list]]. See [[WebServer#Available Clients|AniNIX::Webserver's client list]].
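Review bot: `CheckIndex -exorcise` deletes any segment it cannot repair, so the procedure as written loses data with no warning; add a step before step 2 to snapshot or copy the index directory, and note that the index UUID in the path (`1nJc43t7TGuHmVR3Q5w9PA/1`) is an example to be replaced with the affected shard. `-ea:org.apache.lucene...` is real JVM syntax (enable assertions for that package and its subpackages), not an elision, so a short parenthetical would stop readers from "filling in" the dots. The fenced block should also be tagged `shell`.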

roles/WolfPack/README.md Normal file
View File

@ -0,0 +1,14 @@
WolfPack is a webcrawler for the AniNIX. Public results from Core's instance will be available from [https://wolfpack.aninix.net/wolfpack the WebServer] -- this may be locked to admins, for reproducibility reasons.
Note: Code for this service is encoded in [the WolfPack repo](/AniNIX/WolfPack) rather than here -- we just include the package.
# Etymology
WolfPack is named for its operation. "Pups" live on disk as .pup files -- these will grow up and retrieve the results that feed the system. An alpha sends pack members to raise a pup and collect the results for the pack. This role will update configuration to [the configuration directory](file:///usr/local/etc/WolfPack).
## VPN protection and Offloading.
Some countries and areas take issue with some searches and downloads. As such, the offload-wolfpack executable will allow a [DarkNet](../DarkNet) service, deployed on a unique host, to merge results. In your Ansible inventory, set the wolfpack_service YAML variable for the host to `offload-wolfpack@somehost.timer` to enable that service instead of the normal wolfpack.timer.
This requires SSH keys to be set up between the offloading hosts and the target location, but this will run some version of wolfpack and send the results to the target. This is helpful for a server like Core that requires network uptime and stable external accessibility but needs VPN functionality for anonymity. This requires significant user intervention and customization -- this option is provided as a stub.
## Alternatives
Google Alerts can provide an alternative to the Wolfpack's search pup type. Downloads can be done manually, and some torrent clients will have search and queuing options.
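Review bot: the offloading section says SSH keys must be set up between the offloading host and the target but not how tightly: since results are pushed to a host like Core that "requires network uptime and stable external accessibility", the key held on the DarkNet host should be a dedicated one restricted in `authorized_keys` (`restrict`, `command=`) to the single transfer operation, in line with the ForceCommand practice described in the SSH role's README. Also say whether `somehost` in `offload-wolfpack@somehost.timer` is the DarkNet host or the target.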

View File

@ -0,0 +1,8 @@
This is a collection of scripts we use for managing yggdrasil data.
1. yggdrasil-get: API for pulling data into Yggdrasil.
1. yggdrasil-lock: API for setting permissions safely.
1. yggdrasil-set-music-data: API for updating a music file with the new detected metadata from the path. Assumes `/srv/yggdrasil/Music/$genre/$artist/$album`.
1. yggdrasil-sha256: Get a SHA-256 hash of the current library. This is good for checking media changes over time in conjunction with [AniNIX/Aether](/AniNIX/Aether).
1. yggdrasil-sort-shows: Look at `/srv/yggdrasil/new_acquisition` and try to find the right folder in `/srv/yggdrasil/Videos/Shows` to stash it in. Will try to put it under the show name and the season.
1. yggdrasil-unlock: API for allowing writes to media.
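Review bot: the list says `yggdrasil-lock` sets permissions "safely" and `yggdrasil-unlock` allows writes, but not which owner, group and mode the locked and unlocked states use; one line stating the intended pair would let a reviewer check the scripts against it. For `yggdrasil-sort-shows`, state what happens when no matching folder under `/srv/yggdrasil/Videos/Shows` is found (left in `new_acquisition`, or an error), since silent misfiling is hard to spot.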

roles/common/README.md Normal file
View File

@ -0,0 +1 @@
This role is only intended as a library of handlers to be shared between roles in this project.