AniNIX/Kapisi
AniNIX/Kapisi
3
0
Fork 0
Code Issues 25 Pull Requests Projects 1 Releases Wiki Activity

Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing

Browse Source
This commit is contained in:
DarkFeather 2023-02-20 16:50:10 -06:00
parent a2fecf9d64
commit d92ab6acda
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
39 changed files with 310 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,6 +6,7 @@ roles/ShadowArch/files/mirrorlist
roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**
**/src/**
**pkg.tar.zst
# ---> Python

4
precommit-hooks/find-large-files
View File

@ -1,7 +1,9 @@
#!/bin/bash
# Limit files in git to 1M.
find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
IFS="
"
git ls-files | xargs -n1 du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
if [ $? -ne 1 ]; then
echo

4
roles/Foundation/files/custom/bin/gen-aninix-custom
View File

@ -55,8 +55,8 @@ a {
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/css/theme-aninix.css
cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
for i in `find . -type f`; do
(echo "$head"
cat "$i"

2
roles/Foundation/files/custom/bin/sitemap.php
View File

@ -14,7 +14,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
';
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | grep -E \.php\$ | grep -vE ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
foreach ($output as &$file) {
echo ' <url>
';

9
roles/IRC/templates/inspircd/inspircd.conf.j2
View File

@ -56,7 +56,7 @@
<bind
address=""
port="6697"
ssl="openssl"
sslprofile="clients"
type="clients">
<bind address="" port="6667" type="clients">
@ -66,7 +66,7 @@
<openssl onrehash="yes">
<sslprofile
name="Clients"
name="clients"
provider="openssl"
cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/cert.pem"
@ -75,10 +75,11 @@
hash="sha256"
renegotiation="no"
requestclientcert="no"
sslv3="false"
sslv3="no"
tlsv1="no"
tlsv11="no"
tlsv12="yes">
tlsv12="yes"
tlsv13="yes">

2
roles/IRC/templates/inspircd/modules.conf.j2
View File

@ -1453,7 +1453,7 @@
#<module name="m_regex_stdlib.so">
#
# Specify the regular expression engine to use here. Valid settings are
# bre, ere, awk, grep, egrep, ecmascript (default if not specified).
# bre, ere, awk, grep, ecmascript (default if not specified).
#<stdregex type="ecmascript">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#

2
roles/IRC/templates/inspircd/opers.conf.j2
View File

@ -89,7 +89,7 @@
# type="NetAdmin">
#
{% for oper in secrets['IRC']['opers'] %}
<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="Helper">
<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="NetAdmin">
{% endfor %}
#-#-#-#-#-#-#-#-#-#- DIE/RESTART CONFIGURATION -#-#-#-#-#-#-#-#-#-#-

25
roles/SSH/files/sshd_config
View File

@ -1,6 +1,6 @@
### AniNIX::SSH \\ Basic configuration for listening daemon ###
### AniNIX/SSH | Basic configuration for listening daemon ###
# Daemon spec #
# Daemon spec
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
@ -8,17 +8,18 @@ PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance #
# Network Performance
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options #
# Forwarding options
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
@ -27,10 +28,10 @@ X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP #
Subsystem sftp /usr/lib/ssh/sftp-server
# Override default of no subsystems to allow SFTP
Subsystem sftp internal-sftp
# Authentication #
# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
@ -44,7 +45,7 @@ AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no
## Access Controls ###
## Access Controls
Match Group ssh-forward
AllowTcpForwarding yes
PermitTunnel yes
@ -52,8 +53,8 @@ Match Group ssh-forward
X11Forwarding yes
Match Group sftp-home-jail
ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
ChrootDirectory /home # Lock the user in their home directory
ForceCommand internal-sftp
ChrootDirectory /home
Match User crypto
ForceCommand /usr/local/bin/captivecrypto
# Allow other packages to ship snippets
Include /etc/ssh/includes/*

9
roles/SSH/tasks/main.yml
View File

@ -64,6 +64,15 @@
src: sshd_config
dest: /etc/ssh/sshd_config
- name: Allow SSHD Includes
become: yes
file:
path: /etc/ssh/includes
state: directory
user: root
group: root
mode: 0755
- name: Restart SSHD (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux" and sshd_config.changed

2
roles/Sharingan/files/rkhunter/rkhunter.conf
View File

@ -1333,8 +1333,6 @@ DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/lib/rkhunter/scripts
TMPDIR=/var/lib/rkhunter/tmp
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
BINDIR=/bin /usr/bin /sbin /usr/sbin

18
roles/Sharingan/tasks/ids.yml
View File

@ -31,6 +31,24 @@
group: root
mode: 0600
- name: suricata config files
become: yes
copy:
src: suricata/
dest: /etc/suricata/
owner: root
group: root
mode: 0600
- name: suricata config template
become: yes
template:
src: suricata.yaml.j2
dest: /etc/suricata/suricata.yaml
owner: root
group: root
mode: 0600
# Host IDS
- name: Copy rkhunter service
register: rkhunter_conf

2
roles/Sharingan/templates/monitrc.j2
View File

@ -154,7 +154,7 @@ set httpd port 2812 and
use address localhost # only accept connection from localhost (drop if you use M/Monit)
allow localhost # allow localhost to connect to the server and
# require user 'admin' with password
allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
allow admin:"{{ secrets['Sharingan']['monit'] | default('monit') }}"
#with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem
#}

14
roles/Sharingan/templates/suricata.yaml.j2
View File

@ -16,7 +16,7 @@
#max-pending-packets: 1024
# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition menp1s0fod. Defaults to "autofp" (auto flow pinned
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
#runmode: autofp
@ -143,7 +143,7 @@ outputs:
append: yes
#extended: yes # enable this for extended logging information
#custom: yes # enabled the custom logging format (defined by customformat)
#customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
#customformat:
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# a line based log of TLS handshake parameters (no alerts)
@ -310,7 +310,7 @@ nflog:
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet:
- interface: enp1s0f0
- interface: {{ ipinterface }}
# Number of receive threads (>1 will enable experimental flow pinned
# runmode)
threads: 1
@ -363,10 +363,10 @@ af-packet:
# will not be copied.
#copy-mode: ips
#copy-iface: enp1s0f1
- interface: enp1s0f1
threads: 1
cluster-id: 98
cluster-type: cluster_flow
# - interface: enp1s0f1
# threads: 1
# cluster-id: 98
# cluster-type: cluster_flow
defrag: yes
# buffer-size: 32768
# disable-promisc: no

62
roles/Sora/files/ldap-adduser Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
nameRegEx='^[A-Z,a-z,0-9,\.,-]+$'
lockfile="/tmp/""$(echo $0 | rev | cut -f 1 -d '/' | rev)"
function helptext {
echo "$0 username [ userid ]"
}
# match email against regex and create shortname from email ID.
if [ ! -z "$1" ] && [[ "$1" =~ $nameRegEx ]]; then
username="$(echo $1)"
if getent passwd "$username"; then
echo User already exists!
exit 1;
fi
elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
helptext;
exit 0;
else
echo Need an username.
helptext
exit 1;
fi
# Create a new user ID.
if [ -z "$2" ]; then
newuserid="$(($(getent passwd | sort -k 3 -n -t ':' | tail -n 1 | cut -f 3 -d ':') + 1))"
else
if id "$newuserid" &>/dev/null; then
echo "User id $newuserid already exist!"
exit 2
else
newuserid="$2"
fi
fi
printf "Username: %s\nID: %s\n\nReady to add? [YES/no] " "$username" "$newuserid"
mkdir "$lockfile" 2>/dev/null
if [ "$?" -eq 0 ]; then
read answer
if [ "$answer" == "YES" ]; then
file="/etc/openldap/users.d/$username.ldif"
cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
ldap-resetpass "$username"
# usermod -a -G ssh-allow,passwdchange "$username"
fi
rmdir "$lockfile"
exit 0;
else
echo "Cannot add -- locked."
exit 1;
fi

17
roles/Sora/files/ldap-resetpass Executable file
View File

@ -0,0 +1,17 @@
#!/bin/bash
uid="$1"
if [ -z "$uid" ]; then
echo "Need a user ID (uid)!"
exit 1
fi
ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net"
if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
fi
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
exit $?

67
roles/Sora/files/ldap-userreport Executable file
View File

@ -0,0 +1,67 @@
#!/bin/bash
hostname=`hostname`
errortext="ERROR:NEVER"
arg="$1"
function shortshow() {
echo ${user}": "$email
}
function queryLDAPAttribute() {
ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //"
}
basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\ | sed 's/dn: cn=root,//'`
maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)"
changeAge=$(( $maxAge - 2592000 ))
deleteAge=$(( 2 * $maxAge ))
for user in `queryLDAPAttribute '(uid=*)' uid`; do
# Pull changed stats
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
if [ -z "$lastChanged" ]; then
lastChanged="$errortext";
else
delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8) +%s`))"
fi
lastlog=`lastlog -u $user | tail -n 1`
if [ `echo $lastlog | grep -c 'Never logged in'` -gt 0 ]; then
lastlog=$errortext
else
lastlog=`echo $lastlog | awk '{$1="";$2="";$3="";print $0 }'`
fi
printf "User $user (email: $email, created: $created) last changed their password on $lastChanged. They last logged in to SSH on $hostname on $lastlog\n" | (
case "$arg" in
"--inactive")
if grep -E $errortext'$' &> /dev/null; then shortshow; fi
;;
"--needschange")
if [ "$lastChanged" == "$errortext" ]; then
shortshow
else
if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi
fi
;;
"--expired")
if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge 31536000 ]; then
shortshow;
fi
;;
"--removeable")
if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then
shortshow;
fi
;;
*)
cat
;;
esac
)
done

2
roles/TheRaven/templates/raven.conf.j2
View File

@ -29,6 +29,8 @@ martialarts
maworkouts
dromundkaas
inn
cic
masignups
[ Searches ]
r.google|http://google.com/search?q=|+|Google

3
roles/WolfPack/files/Core/aninix-searches.pup Normal file
View File

@ -0,0 +1,3 @@
search
/srv/wolfpack/search-results
aninix.net

4
roles/WolfPack/files/Core/archlinux.pup Normal file
View File

@ -0,0 +1,4 @@
download
/usr/local/src/isos/
wget -q -O - 'https://www.archlinux.org/download/' | grep rackspace | cut -f 2 -d \" | head -n 1
echo PREVRESULT/$(wget -q -O - PREVRESULT | grep x86_64.iso | head -n 1 | cut -f 2 -d \")

3
roles/WolfPack/files/Core/centos.pup Normal file
View File

@ -0,0 +1,3 @@
download
/usr/local/src/isos
curl -s https://centos.org/download/ | grep Minimal | grep 'a href' | cut -f 2 -d '"'

5
roles/WolfPack/files/Core/chrome.pup Normal file
View File

@ -0,0 +1,5 @@
download
/srv/wolfpack/
curl -s https://portableapps.com/apps/internet/google_chrome_portable | tr '<' '\n' | tr '>' '\n' | tr \" '\n' | grep online.paf.exe | sed 's/ /\%20/g' | sed 's/\&/\\\&/g'
curl -s https://portableapps.comPREVRESULT | tr '"' '\n' | grep redirect | tail -n 1
echo https://portableapps.comPREVRESULT

3
roles/WolfPack/files/Core/cnews.pup Normal file
View File

@ -0,0 +1,3 @@
search
/srv/wolfpack/
Riffle

11
roles/WolfPack/files/Core/cshows.DarkNet Normal file
View File

@ -0,0 +1,11 @@
shows
/srv/yggdrasil/new_acquisition
S06E11#Game of Thrones
S04E21#Vikings#
S02E13#Mr Robot#HDTV
S02E12#Marco Polo
S02E12#Criminal Minds Beyond Borders#
S02E14#Dark Matter#ettv
S03E22#Star Wars Rebels#
S02E11#Shadowhunters#
S03E18#Gotham#

4
roles/WolfPack/files/Core/eminem.pup Normal file
View File

@ -0,0 +1,4 @@
search
/srv/wolfpack/search-results
Eminem Shows
Eminem Concerts

8
roles/WolfPack/files/Core/ftor.DarkNet Normal file
View File

@ -0,0 +1,8 @@
torrent
/srv/yggdrasil/new_acquisition
King Arthur 2017 BRrip
The Great Wall 2017 BRrip
Edge of 17 2016 BRrip
Bilal: A New Breed of Hero 2015
John Wick Chapter 2 2017 HDrip
Fast 8 HDRip 2017

3
roles/WolfPack/files/Core/kali-arm.pup Normal file
View File

@ -0,0 +1,3 @@
download
/usr/local/src/isos/
elinks --dump https://www.offensive-security.com/kali-linux-arm-images/ | grep rpi | head -n 1 | sed 's/^\s\+//'

4
roles/WolfPack/files/Core/kali-linux.pup Normal file
View File

@ -0,0 +1,4 @@
download
/usr/local/src/isos/
wget -q -O - http://cdimage.kali.org/current/ | grep amd64.iso | head -n 1 | cut -f 8 -d '"'
echo http://cdimage.kali.org/current/PREVRESULT

12
roles/WolfPack/files/Core/lshows.DarkNet Normal file
View File

@ -0,0 +1,12 @@
shows
/srv/yggdrasil/new_acquisition
S06E23#2 Broke Girls#
S10E25#Big Bang Theory#
S04E21#The Fosters#
S18E19#Law Order SVU#
S08E23#The Middle#
S08E22#Modern Family#
S07E13#Shameless US
S07E17#The Walking Dead#
S03E25#Scorpion#
S05E05#Prison Break#ettv

4
roles/WolfPack/files/Core/mediawiki.pup Normal file
View File

@ -0,0 +1,4 @@
download
/var/cache/localpkg/
wget -q -O - https://www.mediawiki.org/wiki/Download | grep 'Download MediaWiki' | cut -f 6 -d \"
echo https:PREVRESULT

3
roles/WolfPack/files/Core/plpbt.pup Normal file
View File

@ -0,0 +1,3 @@
download
/usr/local/src/isos/
wget -q -O - https://www.plop.at/en/bootmanager/download.html | grep 'plpbt-' | head -n 2 | tail -n 1 | cut -f 3 -d '=' | cut -f 1 -d ' '

3
roles/WolfPack/files/Core/putty.pup Normal file
View File

@ -0,0 +1,3 @@
download
/srv/wolfpack/
echo http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

4
roles/WolfPack/files/Core/raspbian.pup Normal file
View File

@ -0,0 +1,4 @@
download
/usr/local/src/isos/
wget -q -O - 'https://www.raspberrypi.org/downloads/raspbian/' | grep 'btn dl-zip' | grep -i lite | cut -f 2 -d \"
curl -sI PREVRESULT | grep Location: | cut -f 2 -d ' ' | sed 's/\r//g'

6
roles/WolfPack/files/Core/torrentengine Executable file
View File

@ -0,0 +1,6 @@
torrentengine="https://1337x.to/search/%s/1/"
torrentterms='printf https://1337x.to; grep "/torrent/" | head -n 1 | cut -f 2 -d \"'
magnetposition='4'
torrentdebugging='true'
searchunifier='+'
magnetseparator=\"

3
roles/WolfPack/files/Core/winscp.pup Normal file
View File

@ -0,0 +1,3 @@
download
/srv/wolfpack/
wget -q -O - http://portableapps.com/apps/internet/winscp_portable | grep 'sf-download' | cut -f 4 -d \" | head -n 1

10
roles/patching/tasks/main.yml
View File

@ -9,8 +9,17 @@
- 90 > {{ df_output.stdout }}
fail_msg: "Not enough free space"
- name: Update Archlinux Keyring
when: ansible_os_family == "Archlinux"
become: yes
package:
name: archlinux-keyring
state: latest
update_cache: yes
- name: Patching all packages
ignore_errors: yes
become: yes
register: updates
package:
upgrade: yes
@ -18,6 +27,7 @@
- name: Reboot
ignore_errors: yes
become: yes
when: '"linux" in updates.stdout or "kernel" in updates.stdout'
reboot:
reboot_timeout: 2