Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing

This commit is contained in:
DarkFeather 2023-02-20 16:50:10 -06:00
parent a2fecf9d64
commit d92ab6acda
Signed by: DarkFeather
GPG Key ID: 1CC1E3F4ED06F296
39 changed files with 310 additions and 39 deletions

1
.gitignore vendored
View File

@ -6,6 +6,7 @@ roles/ShadowArch/files/mirrorlist
roles/Foundation/files/custom/public/img/**
venv/**
**/pkg/**
**/src/**
**pkg.tar.zst
# ---> Python

View File

@ -1,7 +1,9 @@
#!/bin/bash
# Limit files in git to 1M.
find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
IFS="
"
git ls-files | xargs -n1 du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
if [ $? -ne 1 ]; then
echo

View File

@ -55,8 +55,8 @@ a {
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/css/theme-aninix.css
cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
for i in `find . -type f`; do
(echo "$head"
cat "$i"

View File

@ -14,7 +14,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
';
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | grep -E \.php\$ | grep -vE ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
foreach ($output as &$file) {
echo ' <url>
';

View File

@ -56,7 +56,7 @@
<bind
address=""
port="6697"
ssl="openssl"
sslprofile="clients"
type="clients">
<bind address="" port="6667" type="clients">
@ -66,7 +66,7 @@
<openssl onrehash="yes">
<sslprofile
name="Clients"
name="clients"
provider="openssl"
cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/cert.pem"
@ -75,10 +75,11 @@
hash="sha256"
renegotiation="no"
requestclientcert="no"
sslv3="false"
sslv3="no"
tlsv1="no"
tlsv11="no"
tlsv12="yes">
tlsv12="yes"
tlsv13="yes">

View File

@ -1453,7 +1453,7 @@
#<module name="m_regex_stdlib.so">
#
# Specify the regular expression engine to use here. Valid settings are
# bre, ere, awk, grep, egrep, ecmascript (default if not specified).
# bre, ere, awk, grep, ecmascript (default if not specified).
#<stdregex type="ecmascript">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#

View File

@ -89,7 +89,7 @@
# type="NetAdmin">
#
{% for oper in secrets['IRC']['opers'] %}
<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="Helper">
<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="NetAdmin">
{% endfor %}
#-#-#-#-#-#-#-#-#-#- DIE/RESTART CONFIGURATION -#-#-#-#-#-#-#-#-#-#-

View File

@ -13,4 +13,4 @@ Nazara should host a Pihole installation and [SSH](../Services/SSH.md). It shoul
Any host should be able to connect to a Nazara with SSH and X11, and it should be able to dial to any service provider.
## Additional Reference
Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.

View File

@ -19,7 +19,7 @@
# Host *
# ForwardAgent no
ForwardX11 yes
ForwardX11 yes
ForwardX11Trusted yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
@ -46,5 +46,5 @@ ForwardX11Trusted yes
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
UseRoaming no
UseRoaming no
# fix for CVE-2016-0777

View File

@ -1,6 +1,6 @@
### AniNIX::SSH \\ Basic configuration for listening daemon ###
### AniNIX/SSH | Basic configuration for listening daemon ###
# Daemon spec #
# Daemon spec
Port 22
ListenAddress 0.0.0.0
PrintMotd yes
@ -8,17 +8,18 @@ PrintLastLog yes
StrictModes yes
Protocol 2
ChrootDirectory none
# DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
# RSA and ED25519 are stable.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Network Performance #
# Network Performance
Compression yes
ClientAliveInterval 5
ClientAliveCountMax 3
# Forwarding options #
# Forwarding options
AllowTcpForwarding no
PermitTunnel no
AllowAgentForwarding no
@ -27,10 +28,10 @@ X11DisplayOffset 10
X11UseLocalhost no
GatewayPorts no
# Override default of no subsystems to allow SFTP #
Subsystem sftp /usr/lib/ssh/sftp-server
# Override default of no subsystems to allow SFTP
Subsystem sftp internal-sftp
# Authentication #
# Authentication
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
@ -44,16 +45,16 @@ AllowGroups ssh-allow
PermitRootLogin no
PermitEmptyPasswords no
## Access Controls ###
## Access Controls
Match Group ssh-forward
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
X11Forwarding yes
Match Group sftp-home-jail
ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
ChrootDirectory /home # Lock the user in their home directory
Match User crypto
ForceCommand /usr/local/bin/captivecrypto
Match Group sftp-home-jail
ForceCommand internal-sftp
ChrootDirectory /home
# Allow other packages to ship snippets
Include /etc/ssh/includes/*

View File

@ -64,6 +64,15 @@
src: sshd_config
dest: /etc/ssh/sshd_config
- name: Allow SSHD Includes
become: yes
file:
path: /etc/ssh/includes
state: directory
user: root
group: root
mode: 0755
- name: Restart SSHD (ArchLinux)
become: yes
when: ansible_os_family == "Archlinux" and sshd_config.changed

View File

@ -1333,8 +1333,6 @@ DBDIR=/var/lib/rkhunter/db
SCRIPTDIR=/usr/lib/rkhunter/scripts
TMPDIR=/var/lib/rkhunter/tmp
USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
SCRIPTWHITELIST=/usr/bin/egrep
SCRIPTWHITELIST=/usr/bin/fgrep
SCRIPTWHITELIST=/usr/bin/ldd
SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
BINDIR=/bin /usr/bin /sbin /usr/sbin

View File

@ -31,6 +31,24 @@
group: root
mode: 0600
- name: suricata config files
become: yes
copy:
src: suricata/
dest: /etc/suricata/
owner: root
group: root
mode: 0600
- name: suricata config template
become: yes
template:
src: suricata.yaml.j2
dest: /etc/suricata/suricata.yaml
owner: root
group: root
mode: 0600
# Host IDS
- name: Copy rkhunter service
register: rkhunter_conf

View File

@ -154,7 +154,7 @@ set httpd port 2812 and
use address localhost # only accept connection from localhost (drop if you use M/Monit)
allow localhost # allow localhost to connect to the server and
# require user 'admin' with password
allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
allow admin:"{{ secrets['Sharingan']['monit'] | default('monit') }}"
#with ssl { # enable SSL/TLS and set path to server certificate
# pemfile: /etc/ssl/certs/monit.pem
#}

View File

@ -16,7 +16,7 @@
#max-pending-packets: 1024
# Runmode the engine should use. Please check --list-runmodes to get the available
# runmodes for each packet acquisition menp1s0fod. Defaults to "autofp" (auto flow pinned
# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
# load balancing).
#runmode: autofp
@ -143,7 +143,7 @@ outputs:
append: yes
#extended: yes # enable this for extended logging information
#custom: yes # enabled the custom logging format (defined by customformat)
#customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
#customformat:
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
# a line based log of TLS handshake parameters (no alerts)
@ -310,7 +310,7 @@ nflog:
# af-packet support
# Set threads to > 1 to use PACKET_FANOUT support
af-packet:
- interface: enp1s0f0
- interface: {{ ipinterface }}
# Number of receive threads (>1 will enable experimental flow pinned
# runmode)
threads: 1
@ -363,10 +363,10 @@ af-packet:
# will not be copied.
#copy-mode: ips
#copy-iface: enp1s0f1
- interface: enp1s0f1
threads: 1
cluster-id: 98
cluster-type: cluster_flow
# - interface: enp1s0f1
# threads: 1
# cluster-id: 98
# cluster-type: cluster_flow
defrag: yes
# buffer-size: 32768
# disable-promisc: no

62
roles/Sora/files/ldap-adduser Executable file
View File

@ -0,0 +1,62 @@
#!/bin/bash
nameRegEx='^[A-Z,a-z,0-9,\.,-]+$'
lockfile="/tmp/""$(echo $0 | rev | cut -f 1 -d '/' | rev)"
function helptext {
echo "$0 username [ userid ]"
}
# match email against regex and create shortname from email ID.
if [ ! -z "$1" ] && [[ "$1" =~ $nameRegEx ]]; then
username="$(echo $1)"
if getent passwd "$username"; then
echo User already exists!
exit 1;
fi
elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
helptext;
exit 0;
else
echo Need an username.
helptext
exit 1;
fi
# Create a new user ID.
if [ -z "$2" ]; then
newuserid="$(($(getent passwd | sort -k 3 -n -t ':' | tail -n 1 | cut -f 3 -d ':') + 1))"
else
if id "$newuserid" &>/dev/null; then
echo "User id $newuserid already exist!"
exit 2
else
newuserid="$2"
fi
fi
printf "Username: %s\nID: %s\n\nReady to add? [YES/no] " "$username" "$newuserid"
mkdir "$lockfile" 2>/dev/null
if [ "$?" -eq 0 ]; then
read answer
if [ "$answer" == "YES" ]; then
file="/etc/openldap/users.d/$username.ldif"
cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
ldap-resetpass "$username"
# usermod -a -G ssh-allow,passwdchange "$username"
fi
rmdir "$lockfile"
exit 0;
else
echo "Cannot add -- locked."
exit 1;
fi

17
roles/Sora/files/ldap-resetpass Executable file
View File

@ -0,0 +1,17 @@
#!/bin/bash
uid="$1"
if [ -z "$uid" ]; then
echo "Need a user ID (uid)!"
exit 1
fi
ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net"
if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
fi
(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
exit $?

View File

@ -0,0 +1,67 @@
#!/bin/bash
hostname=`hostname`
errortext="ERROR:NEVER"
arg="$1"
function shortshow() {
echo ${user}": "$email
}
function queryLDAPAttribute() {
ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //"
}
basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\ | sed 's/dn: cn=root,//'`
maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)"
changeAge=$(( $maxAge - 2592000 ))
deleteAge=$(( 2 * $maxAge ))
for user in `queryLDAPAttribute '(uid=*)' uid`; do
# Pull changed stats
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
if [ -z "$lastChanged" ]; then
lastChanged="$errortext";
else
delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8) +%s`))"
fi
lastlog=`lastlog -u $user | tail -n 1`
if [ `echo $lastlog | grep -c 'Never logged in'` -gt 0 ]; then
lastlog=$errortext
else
lastlog=`echo $lastlog | awk '{$1="";$2="";$3="";print $0 }'`
fi
printf "User $user (email: $email, created: $created) last changed their password on $lastChanged. They last logged in to SSH on $hostname on $lastlog\n" | (
case "$arg" in
"--inactive")
if grep -E $errortext'$' &> /dev/null; then shortshow; fi
;;
"--needschange")
if [ "$lastChanged" == "$errortext" ]; then
shortshow
else
if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi
fi
;;
"--expired")
if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge 31536000 ]; then
shortshow;
fi
;;
"--removeable")
if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then
shortshow;
fi
;;
*)
cat
;;
esac
)
done

View File

@ -14,7 +14,7 @@ ansible-playbook -i Core, -e 'role=TheRaven' playbooks/one-role.yml
# Configuration
Most of the configuration is controlled through the [configuration files](https://foundation.aninix.net/AniNIX/TheRaven/src/branch/main/sample-confs) provided by the package.
Most of the configuration is controlled through the [configuration files](https://foundation.aninix.net/AniNIX/TheRaven/src/branch/main/sample-confs) provided by the package.
Some configuration comes from [the local template](./templates/raven.conf.j2) -- it expects the vault to have a `password.TheRaven` value. The rest of the variables are provided in the -e flag above. These can be set at the host or site level in the inventory.

View File

@ -29,6 +29,8 @@ martialarts
maworkouts
dromundkaas
inn
cic
masignups
[ Searches ]
r.google|http://google.com/search?q=|+|Google

View File

@ -8,7 +8,7 @@ WolfPack is named for its operation. "Pups" live on disk as .pup files -- these
## VPN protection and Offloading.
Some countries and areas take issue with some searches and downloads. As such, the offload-wolfpack executable will allow a [DarkNet](../DarkNet) service, deployed on a unique host, to merge results. In your Ansible inventory, set the wolfpack_service YAML variable for the host to `offload-wolfpack@somehost.timer` to enable that service instead of the normal wolfpack.timer.
This requires SSH keys to be set up between the offloading hosts and the target location, but this will run some version of wolfpack and send the results to the target. This is helpful for a server like Core that requires network uptime and stable external accessibility but needs VPN functionality for anonymity. This requires significant user intervention and customization -- this option is provided as a stub.
This requires SSH keys to be set up between the offloading hosts and the target location, but this will run some version of wolfpack and send the results to the target. This is helpful for a server like Core that requires network uptime and stable external accessibility but needs VPN functionality for anonymity. This requires significant user intervention and customization -- this option is provided as a stub.
## Alternatives
Google Alerts can provide an alternative to the Wolfpack's search pup type. Downloads can be done manually, and some torrent clients will have search and queuing options.

View File

@ -0,0 +1,3 @@
search
/srv/wolfpack/search-results
aninix.net

View File

@ -0,0 +1,4 @@
download
/usr/local/src/isos/
wget -q -O - 'https://www.archlinux.org/download/' | grep rackspace | cut -f 2 -d \" | head -n 1
echo PREVRESULT/$(wget -q -O - PREVRESULT | grep x86_64.iso | head -n 1 | cut -f 2 -d \")

View File

@ -0,0 +1,3 @@
download
/usr/local/src/isos
curl -s https://centos.org/download/ | grep Minimal | grep 'a href' | cut -f 2 -d '"'

View File

@ -0,0 +1,5 @@
download
/srv/wolfpack/
curl -s https://portableapps.com/apps/internet/google_chrome_portable | tr '<' '\n' | tr '>' '\n' | tr \" '\n' | grep online.paf.exe | sed 's/ /\%20/g' | sed 's/\&/\\\&/g'
curl -s https://portableapps.comPREVRESULT | tr '"' '\n' | grep redirect | tail -n 1
echo https://portableapps.comPREVRESULT

View File

@ -0,0 +1,3 @@
search
/srv/wolfpack/
Riffle

View File

@ -0,0 +1,11 @@
shows
/srv/yggdrasil/new_acquisition
S06E11#Game of Thrones
S04E21#Vikings#
S02E13#Mr Robot#HDTV
S02E12#Marco Polo
S02E12#Criminal Minds Beyond Borders#
S02E14#Dark Matter#ettv
S03E22#Star Wars Rebels#
S02E11#Shadowhunters#
S03E18#Gotham#

View File

@ -0,0 +1,4 @@
search
/srv/wolfpack/search-results
Eminem Shows
Eminem Concerts

View File

@ -0,0 +1,8 @@
torrent
/srv/yggdrasil/new_acquisition
King Arthur 2017 BRrip
The Great Wall 2017 BRrip
Edge of 17 2016 BRrip
Bilal: A New Breed of Hero 2015
John Wick Chapter 2 2017 HDrip
Fast 8 HDRip 2017

View File

@ -0,0 +1,3 @@
download
/usr/local/src/isos/
elinks --dump https://www.offensive-security.com/kali-linux-arm-images/ | grep rpi | head -n 1 | sed 's/^\s\+//'

View File

@ -0,0 +1,4 @@
download
/usr/local/src/isos/
wget -q -O - http://cdimage.kali.org/current/ | grep amd64.iso | head -n 1 | cut -f 8 -d '"'
echo http://cdimage.kali.org/current/PREVRESULT

View File

@ -0,0 +1,12 @@
shows
/srv/yggdrasil/new_acquisition
S06E23#2 Broke Girls#
S10E25#Big Bang Theory#
S04E21#The Fosters#
S18E19#Law Order SVU#
S08E23#The Middle#
S08E22#Modern Family#
S07E13#Shameless US
S07E17#The Walking Dead#
S03E25#Scorpion#
S05E05#Prison Break#ettv

View File

@ -0,0 +1,4 @@
download
/var/cache/localpkg/
wget -q -O - https://www.mediawiki.org/wiki/Download | grep 'Download MediaWiki' | cut -f 6 -d \"
echo https:PREVRESULT

View File

@ -0,0 +1,3 @@
download
/usr/local/src/isos/
wget -q -O - https://www.plop.at/en/bootmanager/download.html | grep 'plpbt-' | head -n 2 | tail -n 1 | cut -f 3 -d '=' | cut -f 1 -d ' '

View File

@ -0,0 +1,3 @@
download
/srv/wolfpack/
echo http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

View File

@ -0,0 +1,4 @@
download
/usr/local/src/isos/
wget -q -O - 'https://www.raspberrypi.org/downloads/raspbian/' | grep 'btn dl-zip' | grep -i lite | cut -f 2 -d \"
curl -sI PREVRESULT | grep Location: | cut -f 2 -d ' ' | sed 's/\r//g'

View File

@ -0,0 +1,6 @@
torrentengine="https://1337x.to/search/%s/1/"
torrentterms='printf https://1337x.to; grep "/torrent/" | head -n 1 | cut -f 2 -d \"'
magnetposition='4'
torrentdebugging='true'
searchunifier='+'
magnetseparator=\"

View File

@ -0,0 +1,3 @@
download
/srv/wolfpack/
wget -q -O - http://portableapps.com/apps/internet/winscp_portable | grep 'sf-download' | cut -f 4 -d \" | head -n 1

View File

@ -9,8 +9,17 @@
- 90 > {{ df_output.stdout }}
fail_msg: "Not enough free space"
- name: Update Archlinux Keyring
when: ansible_os_family == "Archlinux"
become: yes
package:
name: archlinux-keyring
state: latest
update_cache: yes
- name: Patching all packages
ignore_errors: yes
become: yes
register: updates
package:
upgrade: yes
@ -18,6 +27,7 @@
- name: Reboot
ignore_errors: yes
become: yes
when: '"linux" in updates.stdout or "kernel" in updates.stdout'
reboot:
reboot_timeout: 2