From e244895552889b6ea344113761edfdbb1e1b7b43 Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Tue, 19 Dec 2023 16:20:58 -0600
Subject: [PATCH] Finalizing Cyberbrain role
---
 roles/Cyberbrain/README.md | 10 ++-
 roles/Cyberbrain/files/cyberbrain.conf | 22 ------
 roles/Cyberbrain/files/cyberbrain.service | 10 ---
 roles/Cyberbrain/tasks/main.yml | 71 ------------------
 .../templates/cyberbrain.htpasswd.j2 | 1 -
 .../files/conf.d/Yggdrasil/cyberbrain.conf | 43 ++---------
 6 files changed, 12 insertions(+), 145 deletions(-)
 delete mode 100644 roles/Cyberbrain/files/cyberbrain.conf
 delete mode 100644 roles/Cyberbrain/files/cyberbrain.service
 delete mode 100644 roles/Cyberbrain/tasks/main.yml
 delete mode 100644 roles/Cyberbrain/templates/cyberbrain.htpasswd.j2
 mode change 100755 => 100644 roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
diff --git a/roles/Cyberbrain/README.md b/roles/Cyberbrain/README.md
index 7f186d1..1890c55 100644
--- a/roles/Cyberbrain/README.md
+++ b/roles/Cyberbrain/README.md
@@ -1,12 +1,16 @@ -Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each. +Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. -**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html). +It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each. # Etymology A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user. # Relevant Files and Software -This service uses a file, [/etc/conf.d/webssh](file:///etc/conf.d/webssh), to control the service. Additionally, there's a password file [/opt/openresty/nginx/passwords/cyberbrain.htpasswd](file:///opt/openresty/nginx/passwords/cyberbrain.htpasswd) that controls an initial authentication to the webserver socket. +This service is deployed as a Docker image from [FileStash](https://www.filestash.app/docs/install-and-upgrade/). 
This image is pointed back at the AniNIX/Yggdrasil's SFTP service.
+
+Configuration is done in [the app](http://10.0.1.8:8334/admin/). A unique password should be configured, and then the only authorized backend is SFTP with passthrough authentication on the 'username_and_password' strategy. The SFTP host is then jailed as AniNIX/Yggdrasil's internal IP and port, with the `{{ .user }}` and `{{ .password }}` attributes populated.
+
+This app can be proxied to the outside world and protected by encryption & a web-application firewall. This happens through [a WebServer configuration file](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf.d/Core/adhan.conf).
 ## Backups
 No backup is needed.
diff --git a/roles/Cyberbrain/files/cyberbrain.conf b/roles/Cyberbrain/files/cyberbrain.conf
deleted file mode 100644
index 271828b..0000000
--- a/roles/Cyberbrain/files/cyberbrain.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-server {
- listen 443 ssl http2;
- server_name cyberbrain.aninix.net;
-
- include sec.conf;
- include default.csp.conf;
- include letsencrypt.conf;
-
- location /
- {
- auth_basic "Cyberbrain";
- auth_basic_user_file ../passwords/cyberbrain.htpasswd;
- proxy_pass http://127.0.0.1:8822;
- proxy_http_version 1.1;
- proxy_read_timeout 300;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $http_host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Real-PORT $remote_port;
- }
-}
diff --git a/roles/Cyberbrain/files/cyberbrain.service b/roles/Cyberbrain/files/cyberbrain.service
deleted file mode 100644
index 4be714d..0000000
--- a/roles/Cyberbrain/files/cyberbrain.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=AniNIX/Cyberbrain | SSH Web Front End, powered by python-webssh
-
-[Service]
-User=webssh
-EnvironmentFile=/etc/conf.d/webssh
-ExecStart=/usr/bin/wssh $WEBSSH_ARGS
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/Cyberbrain/tasks/main.yml b/roles/Cyberbrain/tasks/main.yml
deleted file mode 100644
index 0f09ae3..0000000
--- a/roles/Cyberbrain/tasks/main.yml
+++ /dev/null
@@ -1,71 +0,0 @@
----
- - name: Install python-webssh
- become: yes
- package:
- name: python-webssh
- state: present
-
- - name: Standardize the servicefile
- become: yes
- register: servicefile
- copy:
- src: cyberbrain.service
- dest: /usr/lib/systemd/system/cyberbrain.service
- owner: root
- group: root
- mode: 0644
-
- - name: Ensure default webssh service file is off.
- become: yes
- service:
- name: webssh
- state: stopped
- enabled: no
-
- - systemd:
- daemon_reload: true
- when: servicefile.changed
- become: yes
-
- - name: Ensure service is restarted
- when: servicefile.changed
- become: yes
- service:
- name: cyberbrain.service
- enabled: yes
- state: started
-
- - name: Ensure service is started
- when: not servicefile.changed
- become: yes
- service:
- name: cyberbrain.service
- enabled: yes
- state: started
-
- - name: Add the webserver conf file
- become: yes
- register: webserver_conf
- copy:
- src: cyberbrain.conf
- dest: /opt/openresty/nginx/conf.d/cyberbrain.conf
- owner: root
- group: http
- mode: 0750
-
- - name: Ensure the password file is seeded
- become: yes
- template:
- src: cyberbrain.htpasswd.j2
- dest: /opt/openresty/nginx/passwords/cyberbrain.htpasswd
- owner: root
- group: http
- mode: 0750
-
- - name: Reload openresty
- become: yes
- when: webserver_conf.changed
- service:
- name: openresty.service
- state: reloaded
-
diff --git a/roles/Cyberbrain/templates/cyberbrain.htpasswd.j2 b/roles/Cyberbrain/templates/cyberbrain.htpasswd.j2
deleted file mode 100644
index fcf0315..0000000
--- a/roles/Cyberbrain/templates/cyberbrain.htpasswd.j2
+++ /dev/null
@@ -1 +0,0 @@
-cyberbrain:{PLAIN}{{ passwords.Cyberbrain }}
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf b/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
old mode 100755
new mode 100644
index f68b9d5..3ba5855
--- a/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
@@ -2,47 +2,14 @@ server {
 listen 443 ssl;
 server_name cyberbrain.aninix.net;
- include conf/local.conf;
-
- root /usr/share/webapps/;
-
- client_max_body_size 5m;
- client_body_timeout 60;
-
- include conf.d/fastcgi.config;
-
- location /mediawiki-gb/ {
- try_files $uri $uri/ @rewrite;
- rewrite ^/mediawiki-gb/(.*)$ /mediawiki/index.php?title=$1&$args;
- rewrite ^$ /mediawiki-gb/Main_Page;
- rewrite ^/$ /mediawiki-gb/Main_Page;
- rewrite ^mediawiki-gb$ /mediawiki-gb/Main_Page;
- rewrite ^mediawiki-gb/$ /mediawiki-gb/Main_Page;
- }
-
- location /mediawiki-ma/ {
- try_files $uri $uri/ @rewrite;
- rewrite ^/mediawiki-ma/(.*)$ /mediawiki/index.php?title=$1&$args;
- rewrite ^$ /mediawiki-ma/Main_Page;
- rewrite ^/$ /mediawiki-ma/Main_Page;
- rewrite ^mediawiki-ma$ /mediawiki-ma/Main_Page;
- rewrite ^mediawiki-ma/$ /mediawiki-ma/Main_Page;
- }
-
- location ^~ /maintenance/ {
- return 403;
- }
-
- location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
- try_files $uri /mediawiki/index.php;
- expires max;
- log_not_found off;
- }
-
- location ^~ /cache/ {
+ location ^~ /admin {
 deny all;
 }
+ location / {
+ proxy_pass http://10.0.1.8:8334;
+ }
+
 include conf/letsencrypt.conf;
 }
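Review bot: The new `location /` relays to FileStash with a bare `proxy_pass` and no `proxy_set_header` lines, so the backend sees neither the original `Host`/scheme nor the client address (`X-Real-IP`/`X-Forwarded-For`) that the deleted `roles/Cyberbrain/files/cyberbrain.conf` block used to pass; since this endpoint now hands the submitted username and password straight to the Yggdrasil SFTP service, backend logs and any per-IP lockout cannot tell attackers apart, and nothing in the hunk (no `limit_req`) throttles credential guessing at the edge. Dropping `client_max_body_size 5m;` also leaves nginx's 1m default in force for uploads through the file manager, unless an include outside this hunk sets it. The `^~ /admin` deny is the right shape for keeping the console off the Internet, but the `server {` line and anything it includes are outside the hunk, so whether the hardening the old role pulled in via `sec.conf`/`default.csp.conf` still applies to this vhost cannot be checked here. Something like the following, with the `limit_req_zone` declared at `http` level and the `Upgrade`/`Connection` pair kept only if the app actually needs WebSockets:
```nginx
    location / {
        limit_req zone=cyberbrain burst=10 nodelay;   # zone declared in the http {} context
        client_max_body_size 5m;
        proxy_pass http://10.0.1.8:8334;
        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # … unchanged: /admin deny block and letsencrypt include …
```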