Finalizing Cyberbrain role

2023-12-19 16:20:58 -06:00 · 2023-12-19 16:20:58 -06:00 · e244895552
commit e244895552
parent cea66f285a
6 changed files with 12 additions and 145 deletions
--- a/roles/Cyberbrain/README.md
+++ b/roles/Cyberbrain/README.md
@ -1,12 +1,16 @@
-Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX. It's a web-based shell emulator for connecting to the system. It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
+Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX.
-**Warning**: This is a fallback measure -- browsers are still inherently less secure than hard clients like [Git Bash](https://git-scm.com/download/win) or [OpenSSH](https://www.openssh.com/portable.html).
+It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
 # Etymology
 A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user.
 # Relevant Files and Software
-This service uses a file, [/etc/conf.d/webssh](file:///etc/conf.d/webssh), to control the service. Additionally, there's a password file [/opt/openresty/nginx/passwords/cyberbrain.htpasswd](file:///opt/openresty/nginx/passwords/cyberbrain.htpasswd) that controls an initial authentication to the webserver socket.
+This service is deployed as a Docker image from [FileStash](https://www.filestash.app/docs/install-and-upgrade/). This image is pointed back at the AniNIX/Yggdrasil's SFTP service.
 Configuration is done in [the app](http://10.0.1.8:8334/admin/). A unique password should be configured, and then the only authorized backend is SFTP with passthrough authentication on the 'username_and_password' strategy. The SFTP host is then jailed as AniNIX/Yggdrasil's internal IP and port, with the `{{ .user }}` and `{{ .password }}` attributes populated.
 This app can be proxied to the outside world and protected by encryption & a web-application firewall. This happens through [a WebServer configuration file](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf.d/Core/adhan.conf).
 ## Backups
 No backup is needed.
--- a/roles/Cyberbrain/files/cyberbrain.conf
+++ b/roles/Cyberbrain/files/cyberbrain.conf
@ -1,22 +0,0 @@
 server {
    listen      443 ssl http2;
    server_name cyberbrain.aninix.net;
    include sec.conf;
    include default.csp.conf;
    include letsencrypt.conf;
    location /
    {
      auth_basic "Cyberbrain";
      auth_basic_user_file ../passwords/cyberbrain.htpasswd;
      proxy_pass       http://127.0.0.1:8822;
      proxy_http_version 1.1;
      proxy_read_timeout 300;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Real-PORT $remote_port;
    }
 }
--- a/roles/Cyberbrain/files/cyberbrain.service
+++ b/roles/Cyberbrain/files/cyberbrain.service
@ -1,10 +0,0 @@
 [Unit]
 Description=AniNIX/Cyberbrain | SSH Web Front End, powered by python-webssh
 [Service]
 User=webssh
 EnvironmentFile=/etc/conf.d/webssh
 ExecStart=/usr/bin/wssh $WEBSSH_ARGS
 [Install]
 WantedBy=multi-user.target
--- a/roles/Cyberbrain/tasks/main.yml
+++ b/roles/Cyberbrain/tasks/main.yml
@ -1,71 +0,0 @@
 ---
 - name: Install python-webssh
   become: yes
   package:
     name: python-webssh
     state: present
 - name: Standardize the servicefile
   become: yes
   register: servicefile
   copy:
     src: cyberbrain.service
     dest: /usr/lib/systemd/system/cyberbrain.service
     owner: root
     group: root
     mode: 0644
 - name: Ensure default webssh service file is off.
   become: yes
   service:
     name: webssh
     state: stopped
     enabled: no
 - systemd:
     daemon_reload: true
   when: servicefile.changed
   become: yes
 - name: Ensure service is restarted
   when: servicefile.changed
   become: yes
   service:
     name: cyberbrain.service
     enabled: yes
     state: started
 - name: Ensure service is started
   when: not servicefile.changed
   become: yes
   service:
     name: cyberbrain.service
     enabled: yes
     state: started
 - name: Add the webserver conf file
   become: yes
   register: webserver_conf
   copy:
     src: cyberbrain.conf
     dest: /opt/openresty/nginx/conf.d/cyberbrain.conf
     owner: root
     group: http
     mode: 0750
 - name: Ensure the password file is seeded
   become: yes
   template:
     src: cyberbrain.htpasswd.j2
     dest: /opt/openresty/nginx/passwords/cyberbrain.htpasswd
     owner: root
     group: http
     mode: 0750
 - name: Reload openresty
   become: yes
   when: webserver_conf.changed
   service:
     name: openresty.service
     state: reloaded
--- a/roles/Cyberbrain/templates/cyberbrain.htpasswd.j2
+++ b/roles/Cyberbrain/templates/cyberbrain.htpasswd.j2
@ -1 +0,0 @@
 cyberbrain:{PLAIN}{{ passwords.Cyberbrain }}
--- a/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/cyberbrain.conf
@ -2,47 +2,14 @@ server {
    listen      443 ssl;
    server_name cyberbrain.aninix.net;
-    include conf/local.conf;
+    location ^~ /admin {
    root /usr/share/webapps/;
    client_max_body_size 5m;
    client_body_timeout 60;
    include conf.d/fastcgi.config;
    location /mediawiki-gb/ {
        try_files $uri $uri/ @rewrite;
        rewrite ^/mediawiki-gb/(.*)$ /mediawiki/index.php?title=$1&$args;
        rewrite ^$ /mediawiki-gb/Main_Page;
        rewrite ^/$ /mediawiki-gb/Main_Page;
        rewrite ^mediawiki-gb$ /mediawiki-gb/Main_Page;
        rewrite ^mediawiki-gb/$ /mediawiki-gb/Main_Page;
    }
    location /mediawiki-ma/ {
        try_files $uri $uri/ @rewrite;
        rewrite ^/mediawiki-ma/(.*)$ /mediawiki/index.php?title=$1&$args;
        rewrite ^$ /mediawiki-ma/Main_Page;
        rewrite ^/$ /mediawiki-ma/Main_Page;
        rewrite ^mediawiki-ma$ /mediawiki-ma/Main_Page;
        rewrite ^mediawiki-ma/$ /mediawiki-ma/Main_Page;
    }
    location ^~ /maintenance/ {
        return 403;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        try_files $uri /mediawiki/index.php;
        expires max;
        log_not_found off;
    }
    location ^~ /cache/ {
        deny all;
    }
    location / {
        proxy_pass       http://10.0.1.8:8334;
    }
    include conf/letsencrypt.conf;
 }
		`@ -1 +0,0 @@`
			`cyberbrain:{PLAIN}{{ passwords.Cyberbrain }}`