AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Compare commits

base: AniNIX:0.0
Branches Tags
AniNIX:main AniNIX:improved-ipam AniNIX:25u
AniNIX:0.0
..
compare: AniNIX:improved-ipam
Branches Tags
AniNIX:improved-ipam AniNIX:25u AniNIX:main
AniNIX:0.0

83 Commits
0.0 ... improved-i

Author SHA1 Message Date
DarkFeather
59b3181d61 Updates for packages 2024-09-02 23:54:57 -05:00
project2501
f139ea55b4 ++precommit-hooks/playbook-lint-check 2024-08-22 15:30:41 -05:00
project2501
2e154389de patching-verification.yml -- trailing whitespace 2024-08-22 10:39:18 -05:00
DarkFeather
f5ef18851c First round injecting news articles into homepages using serverside precompiled snippets 2024-08-20 00:17:09 -05:00
DarkFeather
8886b572b0 Rebuild Pacman keyring 2024-08-12 17:30:29 -05:00
DarkFeather
a17e2c6fe9 Updates for Raspberry Pi 12 Bookworm 2024-07-23 14:18:32 -05:00
DarkFeather
9366d8b6d7 Catch up for Foundation 2024-04-05 13:16:42 -05:00
DarkFeather
5c3eb7f358 Moving VMs to Host cpu emulation 2024-04-04 13:15:38 -05:00
DarkFeather
33cf371a0d Updating roles 2024-04-01 00:53:08 -05:00
DarkFeather
9aa0a89b79 Seeding Aether 2024-04-01 00:52:29 -05:00
DarkFeather
3a01543c8b Capturing APC automation 2024-04-01 00:49:36 -05:00
DarkFeather
87973dfb6e Simplifying group management 2024-04-01 00:49:02 -05:00
DarkFeather
85286b5412 Catching up with automation 2024-04-01 00:47:05 -05:00
DarkFeather
6f36d515e3 AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00
DarkFeather
323b4dd306 Pathing updates for Gitea 1.21.5 -- custom/public to custom/public/assets 2024-03-07 12:28:46 -06:00
DarkFeather
e75d03a313 Update for automated response around poorly behaving archlinux-keyring weekly timer; rename Sora role to Password 2024-03-07 12:27:21 -06:00
DarkFeather
930441ae9a Adding enforcement exit code 2024-01-18 12:04:30 -06:00
DarkFeather
f9a3bd789b Removing duplicate resource 2024-01-12 16:17:55 -06:00
DarkFeather
15dd844093 Correcting abandoned rename 2024-01-12 16:10:40 -06:00
DarkFeather
43d7375dae Updating AniNIX/Scratch for naming & persistence warning 2024-01-12 15:34:41 -06:00
DarkFeather
cd3210c5fb Adding minor webapps to WebServer tracking 2024-01-12 13:06:58 -06:00
DarkFeather
221ce69a80 Catching up wolfpack to reenable 2024-01-12 13:06:19 -06:00
DarkFeather
1ca0272031 Adding ucode & UPS definitions to IAC 2023-12-21 12:58:32 -06:00
DarkFeather
e244895552 Finalizing Cyberbrain role 2023-12-19 16:20:58 -06:00
DarkFeather
cea66f285a Finishing rename from Core to Yggdrasil 2023-12-19 16:16:35 -06:00
DarkFeather
50167c0f03 Virtualizing Core host as Yggdrasil VM 2023-12-07 13:28:54 -06:00
DarkFeather
7b98c953b1 Merging out nginx conversion 2023-11-30 02:48:50 -06:00
DarkFeather
69e2bcc966 Evolution of deployment 2023-11-30 02:47:16 -06:00
DarkFeather
8392a3fe46 Hooks catch-up 2023-11-30 02:44:01 -06:00
DarkFeather
63a43c6f0e Fixing PKGBUILD dependencies 2023-11-16 12:59:49 -06:00
DarkFeather
528af8b0f5 Fixing PKGBUILD dependencies 2023-11-16 12:58:52 -06:00
DarkFeather
9b317d1677 Dropping Stripe as a payment method (will replace with Venmo/USDCoin address) & Google Analytics for AniNIX/Sharingan -- some updates for CSP in line with https://observatory.mozilla.org/analyze/aninix.net 2023-11-16 12:50:26 -06:00
DarkFeather
5fa67890c2 Moving from openresty to nginx+modsec for HTTP/2 Rapid Reset reasons 2023-11-09 13:03:06 -06:00
DarkFeather
444b8171f5 Adding packaging 2023-10-20 19:08:32 -05:00
DarkFeather
ea75da1b41 catchup 2023-10-08 12:28:14 -05:00
DarkFeather
5ab88dc387 Updating some SSH config 2023-07-19 15:41:27 -05:00
DarkFeather
60f848b55d Extending check interval for warrant canary checks 2023-05-30 16:03:22 -05:00
DarkFeather
75bf57c131 Adding checks on AniNIX/Grimoire to Core 2023-05-30 15:51:36 -05:00
DarkFeather
921e45afda pacman hook was using wrong user 2023-05-05 05:16:48 -05:00
DarkFeather
633f231b26 Catching up config with known state 2023-05-02 17:32:11 -05:00
DarkFeather
be2908625d Adding org-wide packaging config to AniNIX/Maat 2023-05-01 22:01:30 -05:00
DarkFeather
49b67de7ec Removing large amounts of extra commenting and old/unused features; SASL support 2023-04-18 23:56:59 -05:00
DarkFeather
e9fde0d8c9 Removing storefront from /martialarts; decomming stagnant copy of our RSS feed 2023-04-07 20:14:26 -05:00
DarkFeather
6a4aabee01 OpenVPN now manages the tunnel device -- DarkNet does not need bridge/tap config 2023-03-29 23:31:04 -05:00
DarkFeather
5fef78f60e Catching up IRC -- MOTD colors; servicefile; logging; config 2023-03-22 17:44:57 -05:00
DarkFeather
2f93e03f3a Zeek currently fails to build and burns too many system resources -- dropping. 2023-02-27 23:45:58 -06:00
DarkFeather
638b4e8c6e Seeding Maat role 2023-02-22 22:33:58 -06:00
DarkFeather
956b00a06e Syncing scripts and hooks 2023-02-22 21:54:52 -06:00
DarkFeather
d92ab6acda Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing 2023-02-20 16:50:10 -06:00
DarkFeather
a2fecf9d64 Adding DHParam generation for IRC ssl_openssl 2023-01-20 08:49:56 -06:00
DarkFeather
bef53d5889 Placing mediawiki package on hold 2022-12-23 11:28:29 -06:00
DarkFeather
99b7b9026c Removing IRC-Bots as a separate role -- folding into IRC role as part of the service 2022-12-18 22:25:40 -06:00
DarkFeather
c589f5ac55 Updating DarkNet VPN setup 2022-12-18 22:24:44 -06:00
DarkFeather
36d0be5f88 Infrastructure cleanup 2022-12-18 22:23:17 -06:00
DarkFeather
890e20c64c Catching up Webserver config 2022-12-18 22:21:39 -06:00
DarkFeather
72a62b63eb Seeding IRC automation after a lot of work 2022-12-18 22:18:43 -06:00
DarkFeather
0626c66413 Removing large files; adding hook to watch for them 2022-12-18 22:14:25 -06:00
DarkFeather
a34c96df6b Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00
DarkFeather
a43cb4b6bb Updates to fix certbot.service issues reloading 2022-10-01 23:54:40 -05:00
DarkFeather
12d2ca9a1d Updating WebServer deployment 2022-09-15 14:23:34 -05:00
DarkFeather
81b9a0a190 Logic update in tmux-hosts 2022-09-15 13:16:39 -05:00
DarkFeather
b7d26b6aa7 Updating Foundation role 2022-09-15 13:16:08 -05:00
DarkFeather
94f546a7be Starting Foundation automation 2022-07-02 10:24:10 -05:00
DarkFeather
59b54619f7 Catching up Sharingan, Geth, and ShadowArch roles 2022-05-25 14:50:16 -05:00
DarkFeather
8b2b0be95b Ensuring we go through local networking for our VIPs 2022-05-23 21:30:24 -05:00
DarkFeather
9758b23193 Current state; https://archlinux.org/news/qemu-700-changes-split-package-setup/ 2022-05-11 17:20:57 -05:00
DarkFeather
51e2836378 Updating Sharingan for testing 2022-05-04 10:30:23 -05:00
DarkFeather
01dde4008d Got rkhunter working for HIDS; operational fixes for Sharingan 2022-05-03 16:57:52 -05:00
DarkFeather
d0146770a4 Current state of Sharingan role -- still need to add rkhunter 2022-05-02 15:00:29 -05:00
DarkFeather
1c2f4266ad Adding Nazara README.md 2022-04-29 11:15:20 -05:00
DarkFeather
d1140cf78b Catching up with current dev 2022-04-19 12:01:03 -05:00
DarkFeather
a881363b9b Fixing Nazara errors 2022-03-25 06:08:12 -05:00
DarkFeather
5d04f1b393 Updating Geth-Hub role for config options; moving sources.list to ShadowArch control with pacman.conf 2022-01-29 23:41:46 -06:00
DarkFeather
921d53c724 Catching up with current successes 2022-01-25 23:54:43 -06:00
DarkFeather
94a4736839 Syncing current state. 2021-12-19 21:32:19 -06:00
DarkFeather
eb39acaa06 Adding a role for TheRaven 2021-11-21 04:53:42 -06:00
DarkFeather
8f85acce78 Seeding the Cyberbrain role 2021-11-09 16:01:39 -06:00
DarkFeather
87775fe636 Updates for structure 2021-03-16 03:09:19 -05:00
DarkFeather
68ef34c3c6 Adding some SSL support scripts 2021-01-01 12:45:34 -06:00
DarkFeather
17a9e9ef7d Group controls, hostkey protection, and typo correction in SSH 2020-12-25 05:40:57 -06:00
DarkFeather
432cc36ef8 Updating DarkNet role 2020-11-02 16:15:47 -06:00
DarkFeather
ffbd7b7bd8 Adding better syslog 2020-10-18 23:49:25 -05:00
DarkFeather
e12c8ff0c6 Updating Ubiqtorate 2020-10-08 16:33:19 -05:00
357 changed files with 23202 additions and 2 deletions
Expand all files Collapse all files

16
.gitignore vendored
View File

@@ -1,3 +1,19 @@
# Generated files
roles/Node/files/*-vm.service
roles/Chappaai/files/dns
roles/Chappaai/files/dhcp
roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist
roles/Sharingan/files/monit/checks/availability
roles/Foundation/files/custom/public/img/**
roles/Maat/files/pacoloco.yaml
venv/**
wiki/**
**/pkg/**
**/src/**
**pkg.tar.zst
wiki/**
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/

31
Makefile Normal file
View File

@@ -0,0 +1,31 @@
pkgdirname != basename `git config remote.origin.url` | sed 's/.git$$//'
optlist = bin examples playbooks roles
compile:
@echo Nothing to do
install: clean compile
mkdir -p ${pkgdir}/opt/aninix/${pkgdirname}/
for opt in ${optlist}; do cp -pr $$opt ${pkgdir}/opt/aninix/${pkgdirname}/${opt}; done
make checkperm
clean:
git clean -fdX
uninstall:
rm -Rf ${pkgdir}/opt/aninix/${pkgdirname}/
test: compile
#python3 -m pytest
checkperm:
chown -R root: ${pkgdir}/opt/aninix/${pkgdirname}/
chmod 0755 ${pkgdir}/opt/aninix/${pkgdirname}/
chmod -R a+r ${pkgdir}/opt/aninix/${pkgdirname}/
diff:
@echo Nothing to do.
for opt in ${optlist}; do diff -r ${pkgdir}/opt/aninix/${pkgdirname}/${opt} $$opt; done
reverse:
for opt in ${optlist}; do rsync -avzlp ${pkgdir}/opt/aninix/${pkgdirname}/${opt}/ $$opt; done

46
PKGBUILD Normal file
View File

@@ -0,0 +1,46 @@
pkgname="$(git config remote.origin.url | rev | cut -f 1 -d '/' | rev | sed 's/.git$//')"
pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
pkgrel=1
pkgrel() {
git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit
}
epoch="$(git log | grep -c commit)"
pkgdesc="$(head -n 1 README.md)"
arch=("x86_64")
url="$(git config remote.origin.url | sed 's/.git$//')"
license=('custom')
groups=()
depends=('bash>=4.4' 'python>=3.11' 'ansible>=8.3' 'tmux' 'openssh')
makedepends=('make>=4.2')
checkdepends=()
optdepends=()
provides=("${pkgname}")
conflicts=()
replaces=("${pkgname,,}" "aninix-${pkgname,,}")
backup=()
options=()
install=
changelog=
source=()
noextract=()
md5sums=()
validpgpkeys=()
prepare() {
git pull
}
build() {
make -C ..
}
check() {
chmod -R u+r ../pkg
make -C .. test
}
package() {
export pkgdir="${pkgdir}"
make -C .. install
install -D -m644 ../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}

52
README.md
View File

@@ -1,3 +1,51 @@
# Tenebrous
This project is our Infrastructure-as-Code solution, detailing the deployment & some repeatable operational tasks of the AniNIX.
This project will discover and provide inventory intelligence to Sora, Shadowfeed, Geth, and Sharingan. It is named after the fictional Tenebrous from the SWTOR game.
# Etymology
It is named after flagship carrier Kapisi from the game [Homeworld: Deserts of Kharak](https://store.steampowered.com/app/281610?snr=5000_5100___primarylinks). The carrier was the command and production center of Operation Khadiim, an expedition to understand an anomaly on their world & escape the fanaticism of their Gaalsien rivals. The S'jet were able to succeed in this mission not only due to the military efficacy of their forces but also through the research and production capabilities available to the Kapisi.
This project seeks to give other admins and engineers to launch their own infrastructures and break out of any strangleholds that may have entangled them, whether that is tribalism, vendor lock, or stigma.
# Relevant Files and Software
This project expects that you use an Ansible vault for credentials. Create one and add this to your `.bashrc`.
```
export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/password-store/${organization}.vault.password
export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault
```
Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. The scripts here expect inventories to have layers of groups -- the top group under `all` must be managed vs. unmanaged. The rest of the scripts use YAMLPath to sort out the rest of the groups.
Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/).
Then, use the SSH key playbook to copy your key and the deploy playbook to set things up.
```
ansible-playbook -i your-inventory.yml playbooks/sshkey.yml
ansible-playbook -i your-inventory.yml playbooks/deploy.yml
```
We've also added two scripts in `./bin` to make your life easier:
* `full-deploy`: This is the general role. If you are creating an AniNIX replica, once you have your inventory and vault populated, then you can run this script to push everything. This is also optimal when rotating vault secrets or other global tasks. This is effectively standardizing invocation of our overall deployment playbook.
* `deploy-role`: When you are updating a specific role, use this script to push that role to your group. Ideally, this should only be used to push a role that you have been working on to a target group in your inventory that's already tagged for the role in the deployment playbook.
Happy hacking!
# Etymology
The [Ubiqtorate](https://starwars.fandom.com/wiki/Ubiqtorate/Legends) was a far-reaching security orchestration entity within Palpatine's Empire. It was mean to collect and act on intelligence to improve the security posture of the regime. We use this project similarly -- Ubiqtorate is the Infrastructure-as-Code behind the throne, making changes and ensuring services stay in line.
# Relevant Files and Software
This project is mostly built on [Ansible](https://docs.ansible.com/). You will need to understand inventories, playbooks, and vaults at the minimum.
# Available Clients
None -- this project is used to describe actions for other services to take.
# Equivalents or Competition
Similar tools include Puppet, chef, salty, Ansible Tower, Terraform, etc. We have chosen to go the raw Ansible route, so that we don't have to maintain the build infrastructure separately and to make our responses more agile.
# Exceptions
Some services, such as AniNIX/Sharingan and AniNIX/Geth, store their configuration in internal datastructures and databases such that we cannot easily export our build for others to use. We will document what we have done for each of these as best we can in the README.md files for others to replicate. Backups of these services into AniNIX/Aether are therefore dumps of these databases and not available to share.

51
bin/deploy-role Executable file
View File

@@ -0,0 +1,51 @@
#!/bin/bash
# Ensure we are in the source directory.
cd $(dirname $0)/..
# Role is first argument
role="$1"
if [ -z "$role" ]; then
echo Need a role as first argument.
exit 1
fi
# Handle verbosity
if [ "$1" == "-v" ]; then
set -x
shift
role="$1"
fi
# Handle usage
if [ "$role" == "-h" ] || [ "$role" == "--help" ]; then
echo "Usage: $0 -h"
echo " $0 \$role \$targetgroup [\$optional_inventory]"
exit 0
fi
# Find the root of the git clone
while [ ! -d .git ]; do
cd ..
if [ "$PWD" == '/' ]; then
echo "This needs to be run from the Ubiqtorate checkout"
exit 3
fi
done
# Get the targetgroup
targetgroup="$2"
if [ -z "$targetgroup" ]; then
targetgroup="$role" # Deploy a role to the server named for that function
fi
# Allow an inventory override
inventory="$3"
if [ -z "$inventory" ]; then
inventory=examples/msn0.yml
fi
# Invoke the one-role playbook for the role on the targetgroup
ansible-playbook -i "$inventory" -e "role=$role" -e "targets=$targetgroup" playbooks/one-role.yml
# and return the exit status
exit $?

27
bin/full-deploy Executable file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
# Ensure we are in the source directory.
cd $(dirname $0)/..
# Arguments
inventory="$1"
if [ "$inventory" == "-h" ] || [ "$inventory" == "--help" ]; then
echo "Usage: $0 -h # Usage"
echo " $0 # Run a complete deployment."
exit 0
elif [ -z "$inventory" ]; then
inventory="examples/msn0.yml"
fi
# Find the root of the git clone
while [ ! -d .git ]; do
cd ..
if [ "$PWD" == '/' ]; then
echo "This needs to be run from the Ubiqtorate checkout"
exit 3
fi
done
ansible-playbook -i examples/msn0.yml playbooks/deploy.yml

14
bin/generate-mirrorlist Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
curl -s https://raw.githubusercontent.com/archlinux/svntogit-packages/packages/pacman-mirrorlist/trunk/mirrorlist | awk '/^## United States$/{f=1; next}f==0{next}/^$/{exit}{print substr($0, 1);}' | sed 's/^#Server/Server/' > /tmp/candidates
cat <<EOM > ../roles/Maat/files/pacoloco.yaml
port: 9129
download_timeout: 3600 # download will timeout after 3600 seconds
cache_dir: /var/cache/pacoloco
purge_files_after: 360000 # 360000 seconds or 100 hours, 0 to disable
repos:
archlinux:
urls:
$(rankmirrors -n 6 /tmp/candidates | sed 's/^Server = / - /' | grep -v generated\ by | cut -f 1 -d \$)
user_agent: Pacoloco
EOM

84
bin/generate-monitoring.py Executable file
View File

@@ -0,0 +1,84 @@
#!/usr/bin/env python3
# File: generate-pihole-dns-dhcp.py
#
# Description: This file generates the DNS and DHCP files for pihole.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import subprocess
import sys
import re
import yaml
rolepath='../roles/Sharingan/files'
monfilepath=rolepath+"/monit/checks/availability"
def WriteMonitoringEntry(content,hosttype,hostclass):
### Create the ping-based monitoring entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global monfile
with open(monfilepath,'a') as monfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
hostname= host + '.' + content['all']['vars']['replica_domain']
monfile.write('check program ' + host + '_ping_mon with path "/usr/lib/monitoring-plugins/check_ping -H ' + hostname + ' -w 100,50% -c 1000,100% -p 3 -t 60 -4"\n')
monfile.write(' if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical ' + hostname + ' is not online."\n\n')
except:
print(host + ' is not complete for monitoring.')
def WriteSSHMonitoringEntry(content,hosttype,hostclass):
### Create the ping-based monitoring entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global monfile
with open(monfilepath,'a') as monfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
hostname= host + '.' + content['all']['vars']['replica_domain']
monfile.write('check program ' + host + '_ssh_mon with path "/usr/lib/monitoring-plugins/check_ssh -H ' + hostname + '"\n')
monfile.write(' if status != 0 for 3 times within 5 cycles then exec "/etc/monit.d/scripts/critical ' + hostname + ' is not responding to SSH."\n\n')
except:
print(host + ' is not complete for monitoring.')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global monfilepath
if not os.path.isdir(rolepath):
os.mkdir(rolepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
if os.path.isfile(monfilepath): os.remove(monfilepath)
# Add DNS entries for each host
hosttype = 'managed'
for hostclass in ['physical','virtual','geth_hubs']:
#WriteMonitoringEntry(content,hosttype,hostclass)
WriteSSHMonitoringEntry(content,hosttype,hostclass)
hosttype = 'unmanaged'
for hostclass in ['ovas','appliances']:
WriteMonitoringEntry(content,hosttype,hostclass)
if __name__ == '__main__':
if len(sys.argv) != 2:
print("You need to supply an inventory file.")
sys.exit(1)
GenerateFiles(sys.argv[1])
sys.exit(0)

82
bin/generate-pihole-dns-dhcp.py Executable file
View File

@@ -0,0 +1,82 @@
#!/usr/bin/env python3
# File: generate-pihole-dns-dhcp.py
#
# Description: This file generates the DNS and DHCP files for pihole.
# It expects that the inventory has two levels of grouping.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import re
import subprocess
import sys
from kapisi_lib import *
rolepath='../roles/Chappaai/files'
dnsfilepath=rolepath+"/dns"
dhcpfilepath=rolepath+"/dhcp"
entryset={}
def WriteDHCPEntries(replica_domain,dhcpfile):
### Create the DHCP entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global entryset
for host in entryset:
# Entries should be:
# dhcp-host=mac,ip,fqdn
dhcpfile.write('dhcp-host=' + entryset[host][1] + ',' + entryset[host][0] + ',' + host + '.' + replica_domain + '\n')
def WriteDNSEntries(replica_domain,dnsfile):
### Create the DNS entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global entryset
for host in entryset:
# Entries should be:
# ip host fqdn
dnsfile.write(entryset[host][0] + ' ' + host + '.' + replica_domain + ' ' + host + '\n')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global dnsfile
if not os.path.isdir(rolepath):
os.mkdir(rolepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
replica_domain = content['all']['vars']['replica_domain']
external_domain = content['all']['vars']['external_domain']
# Clear the DNS file
with open(dhcpfilepath,'w') as dhcpfile:
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
WriteDHCPEntries(replica_domain,dhcpfile)
with open(dnsfilepath,'w') as dnsfile:
dnsfile.write(content['all']['vars']['webfront']+' '+external_domain+' '+content['all']['vars']['external_subdomains'].replace(' ','.'+external_domain+' ')+'.'+external_domain+' '+content['all']['vars']['hosted_domains']+"\n")
WriteDNSEntries(replica_domain,dnsfile)
print('Files should be in '+rolepath);
### Main function
# param sys.argv: Input arguments
if __name__ == '__main__':
if len(sys.argv) < 2:
print("You need to supply an inventory file.")
sys.exit(1)
if len(sys.argv) == 3:
entryset = TrackIPEntries(sys.argv[1],sys.argv[2])
else:
entryset = TrackIPEntries(sys.argv[1])
GenerateFiles(sys.argv[1])
#dumper.dump(entryset)
sys.exit(0)

21
bin/generate-ssh-keyscan Executable file
View File

@@ -0,0 +1,21 @@
#!/bin/bash
# File: ./generate-ssh-keyscan
#
# Description: This file generates a known_host block for the inventory.
#
# Package: AniNIX/HelloWorld
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
inventory="$1"
replicadomain="$(grep replica_domain:\ "$inventory" | awk '{ print $2; }';)"
for short in `ansible -i "$inventory" --list-hosts managed | grep -v hosts | sed 's/^\s\+//'`; do
long="$short"'.'"$replicadomain"
ip="$(dig "$long" +short)"
ssh-keyscan -t ed25519 -f <(echo "$long" "$long","$short","$ip") 2>&1
ssh-keyscan -t rsa -f <(echo "$long" "$long","$short","$ip") 2>/dev/null
done

95
bin/generate-systemd-vms.py Executable file
View File

@@ -0,0 +1,95 @@
#!/usr/bin/env python3
# File: generate-systemd-vms.py
#
# Description: This file generates the systemd.service files that run our VM's
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <darkfeather@aninix.net>
import os
import shutil
import sys
import yaml
filepath="../roles/Node/files/vm-definitions/"
def WriteVMFile(content,hosttype,hostclass):
### Create the service files for the hosts
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global filepath
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
cores = 0
memory = 0
vnc = 0
disks = ''
mac = ''
bridge = ''
# Make sure the host definition has all the critera
try:
cores = str(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['cores'])
memory = str(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['memory'])
vnc = str(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['vnc'])
disks = ' '.join(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['disks'])
mac = content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac']
bridge = content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['bridge']
except Exception as e:
print('Host ' + host + " doesn't have the attributes needed to be a VM -- skipping.")
print(e)
1 == 1
# Write the file.
with open(filepath+host+'-vm.service','w') as vmfile:
vmfile.write('[Unit]\n')
vmfile.write('Description=AniNIX/' + host + '\n')
vmfile.write('After=network.target\n')
vmfile.write('\n')
vmfile.write('[Service]\n')
vmfile.write('ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/' + host + ' -machine type=pc,accel=kvm')
if 'uefi' in content['all']['children'][hosttype]['children'][hostclass]['hosts'][host].keys(): vmfile.write(' -bios /usr/share/edk2-ovmf/x64/OVMF.fd')
vmfile.write(' -cpu host -smp ' + cores + ' ' + disks + ' -net nic,macaddr=' + mac + ',model=virtio -net bridge,br=' + bridge + ' -vga std -nographic -vnc :' + str(vnc) + ' -m size=' + str(memory) + 'G -device virtio-rng-pci\n')
vmfile.write('ExecReload=/bin/kill -HUP $MAINPID\n')
vmfile.write('KillMode=process\n')
vmfile.write('Restart=always\n')
vmfile.write('User=root\n')
vmfile.write('Group=root\n')
vmfile.write('\n')
vmfile.write('[Install]\n')
vmfile.write('WantedBy=multi-user.target\n')
print(host+'-vm.service')
def GenerateFiles(file):
### Open the file and parse it
# param file: the file to work on
global filepath
try:
shutil.rmtree(filepath)
except:
1 == 1
finally:
os.mkdir(filepath)
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
# Add service files for each host
WriteVMFile(content,'managed','virtual')
WriteVMFile(content,'unmanaged','ovas')
WriteVMFile(content,'unmanaged','test_ovas')
if __name__ == '__main__':
if len(sys.argv) != 2:
print("You need to supply an inventory file.")
sys.exit(1)
GenerateFiles(sys.argv[1])
sys.exit(0)

63
bin/kapisi_lib.py Normal file
View File

@@ -0,0 +1,63 @@
import re
import yaml
from types import SimpleNamespace
from yamlpath.common import Parsers
from yamlpath.wrappers import ConsolePrinter
from yamlpath import Processor
from yamlpath import YAMLPath
from yamlpath.exceptions import YAMLPathException
def TrackIPEntries(yaml_file,searchstring='all.children.**.ip'):
### Try to parse an Ansible inventory for hosts with the 'ip' attribute.
# param file: the file to parse
# return: a populated entry set in form [{Host,[ip,mac]},...]
# Borrowing from upstream author's example at https://pypi.org/project/yamlpath/
entryset = {}
# The various classes of this library must be able to write messages somewhere
# when things go bad.
#logging_args = SimpleNamespace(quiet=True, verbose=False, debug=False)
logging_args = SimpleNamespace(quiet=True, verbose=True, debug=True)
log = ConsolePrinter(logging_args)
# Prep the YAML parser
yaml = Parsers.get_yaml_editor()
(yaml_data, doc_loaded) = Parsers.get_yaml_data(yaml, log, yaml_file)
if not doc_loaded:
exit(1)
processor = Processor(log, yaml_data)
yaml_path = YAMLPath(searchstring)
# Create a regex pattern to remove the end of the path
ippattern = re.compile('\.ip$')
try:
for node_coordinate in processor.get_nodes(yaml_path, mustexist=True):
# Strip the path to the host entry.
path = ippattern.sub("",str(node_coordinate.path))
# Pull the IP
ip = str(node_coordinate.node)
# Pull the hosname
splitpath = path.split('.')
hostname = splitpath[len(splitpath)-1]
#print("Got {} from '{}''.".format(ip,path))
# Path the MAC
mac_yaml_path = YAMLPath(path+".mac")
mac=""
try:
for node_coordinate in processor.get_nodes(mac_yaml_path, mustexist=True):
mac = str(node_coordinate.node)
except YAMLPathException as ex:
log.error(ex)
# Add the host to the entryset.
entryset.update({ hostname : [ip,mac] })
except YAMLPathException as ex:
log.error(ex)
finally:
return entryset

18
bin/reverse-copy Normal file
View File

@@ -0,0 +1,18 @@
#!/bin/bash
if [ "$USER" != root ]; then
sudo $0 $@
exit 0
fi
grep -A 2 copy: tasks/main.yml | tr '\n' ' ' | sed 's/--/\n/g' | while read copyline; do
dest="$(echo "$copyline" | sed 's/ /\n/g' | grep src: | awk '{ print $2; }' )"
src="$(echo "$copyline" | sed 's/ /\n/g' | grep dest: | awk '{ print $2; }' )"
if [ -d "$src" ]; then
cp -r "$src"/* files/"$dest"
else
cp -r "$src" files/"$dest"
fi
chown -R "$SUDO_USER": files/"$dest"
done

90
bin/tmux-hosts Executable file
View File

@@ -0,0 +1,90 @@
#!/bin/bash
# File: tmux-hosts
#
# Description: This script allows you to open groups of hosts in 2x2 tmux panes
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://irc.aninix.net:6697/DarkFeather>
# Sanity
set -Eo pipefail
# Defaults
group=all
offset=0
unset inventory
function usage() {
# Show helptext
# param retcode: what to exit
retcode="$1"
echo "Usage: $0 [ -o offset ] [-g group ] [-i inventory.yml]"
echo " $0 -h"
echo "Group is optional -- add it if you only want to look at a specific subset."
echo "Add -v for verbosity."
exit "$retcode"
}
function tmuxHosts() {
# Open hosts in Tmux -- ported from pnp/misc-scripts.git geotmux
# param host1: the first host
# param host2: the second host
# param host3: the third host
# param host4: the fourth host
host1="$1"
host2="$2"
host3="$3"
host4="$4"
name="$group-$offset"
# If no TMUX session started, then add one with four panes.
if [ -z "$TMUX" ]; then
tmux new-session -s "$name" -d "/bin/bash -l -c ssh\\ $host1"
tmux select-window -t "$name":0
tmux split-window "/bin/bash -l -c ssh\\ $host2"
tmux split-window -h -t 0 "/bin/bash -l -c ssh\\ $host3"
tmux select-window -t "$name":1
tmux split-window -h -t 2 "/bin/bash -l -c ssh\\ $host4"
tmux setw synchronize-panes
tmux a -d -t "$name"
# Otherwise, add a new window to the current session with all four sessions.
else
tmux new-window -n "$name" "/bin/bash -l -c ssh\\ $host1"
tmux select-window -t "$name"
tmux split-window "/bin/bash -l -c ssh\\ $host2"
tmux select-window -t "$name"
tmux split-window -h -t 0 "/bin/bash -l -c ssh\\ $host3"
tmux select-window -t "$name"
tmux split-window -h -t 2 "/bin/bash -l -c ssh\\ $host4"
tmux setw synchronize-panes
tmux select-window -t "$name"
fi
}
# main
if [ "$(basename $0)" == "tmux-hosts" ]; then
while getopts 'g:hi:o:v' OPTION; do
case "${OPTION}" in
g) group="${OPTARG}" ;;
h) echo Open Ansible hosts in TMUX panes.; usage 0 ;;
i) inventory="${OPTARG}" ;;
o) offset="${OPTARG}" ;;
v) set -x ;;
*) usage 1 ;;
esac
done
if [ -z "$inventory" ]; then
inventory=$(grep -E ^inventory ~/.ansible.cfg | cut -f 2 -d '=')
fi
tmuxHosts $(ansible -i "$inventory" --list-hosts "$group"\
| grep -v hosts\ \( \
| sed 's/\s\+//g' \
| if [ $offset -gt 0 ]; then tail -n +"${offset}"; else cat; fi \
| head -n 4 \
| tr '\n' ' ')
fi

325
examples/msn0.yml Normal file
View File

@@ -0,0 +1,325 @@
all:
vars:
# Environment-wide data
external_domain: "aninix.net"
external_subdomains: "cyberbrain foundation irc lykos maat password sharingan singularity superintendent www yggdrasil"
hosted_domains: "travelpawscvt.com"
replica_domain: "MSN0.AniNIX.net"
time_zone: "America/Chicago"
# Services used by all
router: 10.0.1.1
netmask: 24
dhcprange: '10.0.1.224,10.0.1.254,255.255.255.0,12h'
staticrange: '10.0.1.1,10.0.1.223,255.255.255.0,12h'
dns: "10.0.1.2"
logserver: "10.0.1.16"
webfront: "10.0.1.3"
mirroruri: "http://Maat.MSN0.AniNIX.net:9129/repo/archlinux/$repo/os/$arch"
# Standards
daemon_shell: /sbin/nologin
user_shell: /bin/bash
ansible_become_method: sudo
ansible_become_user: root
static: false
wireless_ssid: 'Shadownet'
ansible_python_interpreter: auto_silent
ldap:
server: "10.0.1.3"
orgdn: "dc=aninix,dc=net"
binduser: 'binduser'
userou: 'ou=People'
groupou: 'ou=Group'
filter: '(&(objectClass=person)(!(pwdReset=TRUE)))'
organization: # Information about the group
admin: 'DarkFeather'
email: 'ircs://irc.aninix.net:6697/DarkFeather'
displayname: 'AniNIX'
gpgkey: '904DE6275579CB589D85720C1CC1E3F4ED06F296'
ssl: # Standard SSL cryptographic standards
identity: 'aninix.net-0002' # The Let's Encrypt identity to use
ciphersuite: "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
children:
managed:
children:
physical: # 10.0.1.0/28
hosts:
Chappaai:
ipinterface: eth0
ip: 10.0.1.2
mac: B8:27:EB:B6:AA:0C
static: true
children:
Node:
hosts:
Node1:
ipinterface: enp1s0
ip: 10.0.1.5
mac: FA:EC:43:87:4D:2D
tap: true
ups: 'aps'
active_vms:
- Yggdrasil
Node2:
ipinterface: enp1s0
ip: 10.0.1.7
mac: 56:02:ef:2c:1f:7c
tap: true
active_vms:
- DarkNet
- Maat
- Sharingan
- Superintendent
Node3:
ipinterface: enp1s0
ip: 10.0.1.8
mac: B2:C6:2C:02:B2:6E
tap: true
active_vms:
- TDS-Jump
Geth:
hosts:
Geth0:
ipinterface: eth0
ip: 10.0.1.9
mac: 84:16:F9:14:15:C5
static: true
k3s_primary: true
Geth1:
ipinterface: eth0
ip: 10.0.1.10
mac: E4:5F:01:01:FF:9C
static: true
Geth2:
ipinterface: eth0
ip: 10.0.1.11
mac: E4:5F:01:01:FF:D5
static: true
Geth3:
ipinterface: eth0
ip: 10.0.1.12
mac: E4:5F:01:01:FF:96
static: true
Geth4:
ipinterface: eth0
ip: 10.0.1.13
mac: E4:5F:01:01:FF:E4
static: true
Geth5:
ipinterface: eth0
ip: 10.0.1.14
mac: B8:27:EB:B6:AA:0D
static: true
virtual: # 10.0.1.16/28
vars:
hosts:
Sharingan:
ip: 10.0.1.16
ipinterface: ens3
mac: 00:15:5D:01:02:10
cores: 4
memory: 4
vnc: 8
bridge: br0
uefi: true
siem: true
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdc'
# On hold because of https://aninix.net/DarkFeather/MSN0/issues/6
holdpkg: "elasticsearch graylog mongodb44-bin mongodb-tools-bin"
DarkNet:
ipinterface: ens3
ip: 10.0.1.17
mac: 00:15:5D:01:02:05
cores: 4
memory: 4
vnc: 9
bridge: br0
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
wolfpack_config: 'gitea@foundation.aninix.net:DarkFeather/WolfPack-Config.git'
Maat:
ip: 10.0.1.18
ipinterface: ens3
mac: 00:15:5d:01:02:07
cores: 2
memory: 2
bridge: br0
vscan_enabled: true
vnc: 7
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/Maat.qcow2'
Yggdrasil:
ipinterface: ens3
ip: 10.0.1.3
mac: 00:25:90:0d:6e:86
static: true
sslidentity: aninix.net-0001
secdetection: true
iptv_location: "Milwaukee|Madison"
aether_source: true
cores: 8
memory: 16
bridge: br0
vnc: 1
vscan_enabled: true
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sda'
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
- '-drive format=raw,index=0,media=disk,file=/dev/sdc'
- '-drive format=raw,index=0,media=disk,file=/dev/sdd'
Vergil: # 10.0.1.32/28
vars:
motion_enabled: yes
hosts:
Vergil1:
ip: 10.0.1.32
mac: b8:27:eb:9a:73:dd
rotate: 0
remote: NS-RC4NA-14
Vergil2:
ip: 10.0.1.33
mac: 84:16:F9:13:B6:E6
motion_enabled: no
rotate: 180
remote: NS-RC4NA-14
Vergil3:
ip: 10.0.1.34
mac: b8:27:eb:60:73:68
rotate: 90
remote: LG-AKB73715608
unmanaged:
children:
# Both OVA groups are in the same subnet -- test_ovas aren't monitored
ovas: # 10.0.1.48/28
hosts:
Superintendent:
ip: 10.0.1.49
mac: DE:8B:9E:19:55:1E
cores: 2
memory: 2
vnc: 6
bridge: br0
uefi: true
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/hassos_ova-5.13.qcow2'
test_ovas: # 10.0.1.48/28
hosts:
TDS-Jump:
ip: 10.0.1.48
mac: 00:15:5d:01:02:08
cores: 2
memory: 2
vnc: 4
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/node/vm/TDSJump.qcow2'
DedNet:
ip: 10.0.1.50
mac: 00:15:5d:01:02:09
cores: 2
memory: 2
vnc: 3
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/DedNet.qcow2'
- '-cdrom /srv/maat/iso/kali-linux.iso -boot order=d'
Aether:
ip: 10.0.1.51
mac: 00:15:5d:01:02:11
cores: 2
memory: 2
vnc: 5
bridge: br0
disks:
- '-drive if=none,id=disk0,cache=none,format=raw,aio=native,file=/dev/sdc'
- '-cdrom /srv/maat/iso/archlinux.iso -boot order=d'
test1:
ip: 10.0.1.52
ipinterface: ens3
mac: 00:15:5d:01:02:06
cores: 2
memory: 2
bridge: br0
vnc: 10
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/test1.qcow2'
test2:
ip: 10.0.1.53
ipinterface: ens3
mac: 00:15:5d:01:02:03
cores: 2
memory: 2
bridge: br0
vnc: 11
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/test2.qcow2'
test3:
ip: 10.0.1.54
ipinterface: ens3
mac: 00:15:5d:01:02:04
cores: 2
memory: 2
bridge: br0
vnc: 12
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/test3.qcow2'
# appliances are monitored -- adhoc_appliances are convenience only and not monitored.
appliances:
hosts: # 10.0.1.64/27
Shadownet: # Router must be at root
ip: 10.0.1.1
mac: 2c:30:33:64:f4:03
Print: # Print is excepted for legacy setup reasons before we laid out subnets.
ip: 10.0.1.6
mac: 00:80:92:77:CE:E4
Geth-Eyes:
ip: 10.0.1.68
mac: 9C:A3:AA:33:A3:99
# "Core-Console":
# ip: 10.0.1.74
# mac: 00:25:90:0D:82:5B
# "Node0-Console":
# ip: 10.0.1.75
# mac: 00:25:90:3E:C6:8C
adhoc_appliances:
hosts: # 10.0.1.64/27
DarkFeather:
ip: 10.0.1.64
mac: f4:2b:8c:10:31:44
Lykos:
ip: 10.0.1.65
mac: 70:74:14:4F:8E:42
Node0:
ip: 10.0.1.66
mac: E0:BE:03:77:0E:88
LivingRoomTV:
ip: 10.0.1.69
mac: 80:D2:1D:17:63:0E
BedRoomTV:
ip: 10.0.1.70
mac: 80:D2:1D:17:63:0F
TrainingRoomTV:
ip: 10.0.1.71
mac: 80:D2:1D:17:63:10
BT:
ip: 10.0.1.72
mac: 8A:00:AA:7F:DF:D1
DedSec:
ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F
# dhcp build space: 10.0.1.224/27
iot: # 10.0.2.0/24
hosts:
LivingRoomRegulator:
ip: 10.0.2.2
mac: 64:16:66:08:57:F5
Monitor:
ip: 10.0.2.3
mac: 18:B4:30:2F:F1:37
Gatekeeper:
ip: 10.0.2.4
mac: 64:52:99:14:28:2B
# CaretakerAlpha has no network
CaretakerBravo:
ip: 10.0.2.5
mac: 40:9F:38:95:06:34

83
playbooks/deploy.yml Normal file
View File

@@ -0,0 +1,83 @@
---
# deploy.yml
#
# This playbook details how an entire datacenter should be deployed
#
# Parameters:
# threads: Number of threads to use; default is 16.
#
- hosts: Nazara
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
vars:
- ansible_password: "{{ passwords[inventory_hostname] }}"
- ansible_become_password: "{{ passwords[inventory_hostname] }}"
roles:
- Nazara
- hosts: managed
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
vars: # This is the only segment that should need these variables, as the basics role should take care of sudo and the SSH key.
- ansible_password: "{{ passwords[inventory_hostname] }}"
- ansible_become_password: "{{ passwords[inventory_hostname] }}"
roles:
- ShadowArch
- SSH
- Sharingan
- hosts: Yggdrasil
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- hardware
- SSL
- WebServer
- IRC
- WolfPack
- Foundation
- Yggrasil
- hosts: geth_hubs
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- Geth-Hub
- hosts: Node1,Node2,Node3
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- hardware
- Node
- hosts: DarkNet
order: sorted
serial: "{{ threads | default('16') }}"
gather_facts: true
ignore_unreachable: true
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- DarkNet
- WolfPack

27
playbooks/disable-archlinux-keyring-wkd-sync.yml Normal file
View File

@@ -0,0 +1,27 @@
# This playbook disables the archlinux-keyring-wkd-sync.service and timer, because they tend to fail for bad reasons.
#
---
- hosts: managed
ignore_errors: true
gather_facts: true
become: yes
tasks:
- name: Disable services & timers
when: ansible_os_family == "Archlinux"
service:
name: "{{ item }}"
state: stopped
enabled: no
loop:
- archlinux-keyring-wkd-sync.timer
- archlinux-keyring-wkd-sync.service
- name: Reset failed
when: ansible_os_family == "Archlinux"
command: "systemctl reset-failed {{ item }}"
loop:
- archlinux-keyring-wkd-sync.timer
- archlinux-keyring-wkd-sync.service

61
playbooks/geth-major-patch.yml Normal file
View File

@@ -0,0 +1,61 @@
---
# patching.yml
#
# This playbook can be used to patch all the servers in an inventory to the latest on the repo servers
# Variables:
# - hosts: the host grouper in the inventory -- default: all
# - action: update or upgrade -- default: update
# - delay: minutes to wait after a reboot -- default 5
#
#
# Patch then restart a node
- hosts: "{{ targets | default('geth_hubs') }}"
order: sorted
ignore_unreachable: true
serial: 1
vars:
ansible_become: yes
ansible_become_method: sudo
oldmajor: stretch
newmajor: buster
tasks:
- name: Check /var free percentage
command: /bin/bash -c "df -m /var | tail -n 1 | awk '{ print $5; }' | sed 's/%//' "
become: no
register: df_output
- name: Verify /var space
assert:
that:
- 90 > {{ df_output.stdout }}
fail_msg: "Not enough free space"
- apt:
name: python-apt
state: present
- name: apt dist-upgrade
apt:
update_cache: yes
upgrade: dist
ignore_errors: yes
- name: Replace repo
command: "sed -i 's/{{ oldmajor }}/{{ newmajor }}/g' /etc/apt/sources.list"
become: yes
- name: Update packages
apt:
upgrade: full
update_cache: yes
autoremove: yes
autoclean: yes
ignore_errors: yes
# - name: Perform firmware-update
# command: rpi-update
# become: yes
- reboot:
- wait_for_connection:

29
playbooks/one-role.yml Normal file
View File

@@ -0,0 +1,29 @@
# ---
# one-role.yml
#
# Test a single role against a host or group of hosts.
#
# Parameters:
# targets: group in the inventory to use
# threads: number of simultaneous executions
# role: role to run
# sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
#
- hosts: "{{ targets | default('all') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true
ignore_unreachable: true
vars:
ansible_ssh_port: "{{ sshport | default('22') }}"
therole: "{{ role | default('Uptime') }}"
ansible_become_password: "{{ passwords[inventory_hostname] }}"
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- "{{ therole }}"

27
playbooks/patching-verification.yml Normal file
View File

@@ -0,0 +1,27 @@
---
# patching.yml
#
# Variables:
# - hosts: what hosts in the inventory to use
# - threads: how many to check in parallel
- hosts: "{{ hosts | default('managed') }}"
order: sorted
serial: "{{ threads | default('4') }}"
ignore_unreachable: true
vars:
ansible_become: no
tasks:
- name: Check updates
yum:
list=updates
update_cache=true
ignore_errors: true
register: yumupdates
- name: Patching succeeded
ignore_errors: true
assert:
that:
- yumupdates.results|length == 0
- df_output.stdout is search("rhel-7-server-rpms-nist")

31
playbooks/patching.yml Normal file
View File

@@ -0,0 +1,31 @@
---
# patching.yml
#
# This playbook can be used to patch all the servers in an inventory to the latest software available.
# Because we typically encrypt our disk storage, we don't wait for the connection to become available again.
# Variables:
# - target: the host grouper in the inventory -- default: all
#
# Patch then restart a node
#
#
- hosts: "{{ targets | default('virtual') }}"
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
roles:
- patching
- hosts: physical
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
tasks:
- include_role:
name: patching
when: targets is unset

33
playbooks/rebuild-pacman-keyring.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- hosts: "{{ targets | default('all') }}"
become: true
gather_facts: false
tasks:
- name: Clean
command: rm -Rf /etc/pacman.d/gnupg
- name: Initialize keyring
command: /usr/bin/pacman-key --init
- name: Add ArchLinux
command: /usr/bin/pacman-key --populate archlinux
- name: Add AniNIX
command: /usr/bin/pacman-key --populate aninix
- name: Locally sign AniNIX
command: /usr/bin/pacman-key --lsign 904DE6275579CB589D85720C1CC1E3F4ED06F296
- name: Update DB
command: /usr/bin/pacman-key --updatedb
- name: Update packages
pacman:
name:
- archlinux-keyring
- ShadowArch
state: latest
update_cache: true

1
playbooks/roles Symbolic link
View File

@@ -0,0 +1 @@
../roles/

39
playbooks/sshkey.yml Normal file
View File

@@ -0,0 +1,39 @@
# ---
# sshkey.yml
#
# ssh-keyscan and copy your SSH key to hosts
#
# Parameters:
# targets: group in the inventory to use
# threads: number of simultaneous executions
# pubkey: file to hand off
# sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
#
- hosts: "{{ targets | default('managed') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true
ignore_unreachable: true
vars:
ansible_ssh_password: "{{ passwords[inventory_hostname] }}"
ansible_ssh_port: "{{ sshport | default('22') }}"
keyfile: "{{ pubkey | default(lookup('env','HOME') + '/.ssh/id_ed25519.pub') }}"
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
tasks:
# Scanning SSH keys has been replaced with ../bin/generate-ssh-keyscan
- name: Get key
delegate_to: localhost
command: "cat {{ keyfile }}"
register: key
- authorized_key:
user: "{{ ansible_user_id }}"
key: "{{ key.stdout }}"
state: present
exclusive: true
name: "Pass authorized key"

28
playbooks/vars-debugging.yml Normal file
View File

@@ -0,0 +1,28 @@
# ---
# one-role.yml
#
# Test a single role against a host or group of hosts.
#
# Parameters:
# targets: group in the inventory to use
# threads: number of simultaneous executions
# variablename: the variable to print
# sshport (optional): override 22/tcp/ssh for Ansible control
#
# Expects ANSIBLE_VAULT_FILE to be set in the environment to path the vault
# Also set ANSIBLE_VAULT_PASSWORD_FILE to your password file location if you want it.
#
- hosts: "{{ targets | default('managed') }}"
order: sorted
serial: "{{ threads | default('8') }}"
gather_facts: true
ignore_unreachable: true
vars:
ansible_ssh_port: "{{ sshport | default('22') }}"
variablename: "{{ variable | default('ansible_os_family') }}"
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
tasks:
- debug:
msg: "{{ lookup('vars',variablename) | default('undefined') }}"

12
precommit-hooks/ensure-apps-are-short Executable file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
# Webserver apps directory should be short -- apps that fail this category should become their own.
retcode=0
for file in `find roles/WebServer/files/apps -type f`; do
if [[ $(wc -l "$file" | awk '{ print $1; }') -gt 10 ]]; then
echo "$file" is too long to be deployed as a mini-app under the WebServer role.
retcode=1
fi
done
exit $retcode

58
precommit-hooks/find-bad-ipam Executable file
View File

@@ -0,0 +1,58 @@
#!/usr/bin/bash
# File: find-bad-ipam
#
# Description: This file finds bad IPAM entries in an inventory.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
#
# Author: DarkFeather <ircs://aninix.net:6697/DarkFeather>
file="examples/msn0.yml"
function findBadTerm() {
### Check for a term to be duplicated.
# param file: the file
# param term: the term to search for duplicates
file="$1"
term="$2"
results="$(grep -i "$term:" "$file" | tr '[[:upper:]]' '[[:lower:]]' | sed 's/\s+'"$term"':\s*//' | sort | uniq -c | grep -vE '^\s+1\s+' )"
if [ -n "$results" ]; then
echo "Some ${term} entries are duplicated. Search for the above terms in your inventory and deduplicate."
echo "$results"
exit 2
fi
}
function Usage() {
### Helptext
# param retcode: what to return
retcode="$1"
echo "Usage: $0 -f SOMEFILE"
echo " $0 -h"
echo "Add -v for verbosity."
exit $retcode
}
while getopts 'f:hv' OPTION; do
### Parse arguments
case "$OPTION" in
f) file="$OPTARG" ;;
h) echo "Find bad IPAM entries in an inventory." ; Usage 0 ;;
v) set -x ;;
*) Usage 1 ;;
esac
done
# Sanity check
if [ -z "$file" ] || [ ! -f "$file" ]; then
echo Need an inventory to process.
Usage 3;
fi
# Check for the unique attributes.
for i in ip vnc mac; do
findBadTerm "$file" "$i"
done

9
precommit-hooks/find-data-files Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
result="$(find roles/*/{files,templates} -type f -exec file {} \; | grep -Ev ASCII\ text\|empty\|Unicode\ text | grep -v motd.txt.j2)"
if [ -n "$result" ]; then
echo "These files need to be evaluated -- generally, don't commit data files to Git."
echo "$result"
exit 1
fi
exit 0

0
precommit-hooks/find-incomplete-roles Normal file
View File

12
precommit-hooks/find-large-files Normal file
View File

@@ -0,0 +1,12 @@
#!/bin/bash
# Limit files in git to 1M.
IFS="
"
git ls-files | xargs -n1 du -k | grep -vE '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
if [ $? -ne 1 ]; then
echo
echo "These files are probably larger than you want to commit to Git. Please try to find an alternate delivery path, such as a CDN or Git-LFS."
exit 1;
fi

14
precommit-hooks/find-missing-customizations Normal file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
retcode=0
for host in `ansible -i "examples/msn0.yml" --list-hosts managed | grep -v ' hosts '`; do
if [ ! -f roles/ShadowArch/files/motd/"$host" ]; then
echo "Need MOTD for $host"
retcode=1;
fi
if [ ! -f roles/Sharingan/files/monit/hostdefs/"$host" ]; then
echo "Need Sharingan-Data file for $host"
retcode=1;
fi
done
exit $retcode

30
precommit-hooks/find-passwords-in-files Normal file
View File

@@ -0,0 +1,30 @@
#!/bin/bash
# Ignore Ansibilized templates.
saferegex='\{\{.+\}\}|secrets\['
# Ignore comments
saferegex="$saferegex"'|^[a-z,A-Z,0-9,_,-,/,.]+:\s*;|^[a-z,A-Z,0-9,_,-,/,.]+:\s*#|^[a-z,A-Z,0-9,_,-,/,.]+:\s*//|\s+[/]?[*][/]?\s+'
# AniNIX Constructs
saferegex="$saferegex"'|password.aninix.net|aur.list'
# Web constructs
saferegex="$saferegex"'|.css:|.html:|.md:|htdocs|htpasswd'
# Ignore template text to set policy
saferegex="$saferegex"'|_LENGTH|Set new|attempt|pwdchange'
# haveibeenpwned is referenced in comments
saferegex="$saferegex"'|haveibeenpwned'
# Unset variables.
saferegex="$saferegex"'|\s+=\s*$|\s+yes$|\s+no$'
# Ignore LDAP attributes
saferegex="$saferegex"'|pwpolicies|pwdLastSuccess|pwdAttribute|pwdMaxAge|pwdExpireWarning|pwdInHistory|pwdCheckQuality|pwdMaxFailure|pwdLockout|pwdLockoutDuration|pwdGraceAuthNLimit|pwdFailureCountInterval|pwdMustChange|pwdMinLength|pwdAllowUserChange|pwdSafeModify|pwdChangedTime|pwdPolicy|last changed their password on|/root/.ldappass'
# Ignore IRC Modules
saferegex="$saferegex"'|m_password_hash.so|/quote ns identify|SELECT|password_attribute|SET PASS|SASET PASS'
# Ignore SSH known hosts
saferegex="$saferegex""|ssh_known_hosts:|"
git ls-files roles/*/{files,templates} | xargs grep -irE 'secret|password|pw|passphrase|pass=' | grep -vE "$saferegex"
if [ $? -ne 1 ]; then
echo
echo If these are false positives, you need to add the signature to the whitelist in $0.
echo Otherwise, convert any files above to templates and encode the passphrase into your vault.
exit 1;
fi

7
precommit-hooks/playbook-lint-check Executable file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
# pre-commit hook to use ansible-lint to check our playbooks.
for file in `find ../playbooks/ -type f`; do
ansible-lint "$file"
done

4
requirements.txt Normal file
View File

@@ -0,0 +1,4 @@
pyaml
pytest
python3-nmap
simplejson

7
roles/Aether/README.md Normal file
View File

@@ -0,0 +1,7 @@
See [AniNIX/Aether](/AniNIX/Aether) for complete details of the tool.
Role requirements:
* `secrets['Aether']` in Vault
* A YAML list of nodes under the key `Aether_nodes` in Vault
* A host called 'Core' to act as the source
* 22/tcp/sftp access through firewalls to the Core host from any clients

3
roles/Aether/files/backup-entries/Yggdrasil/gitea.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### Gitea ###
tar cvzf "$BACKUPDIR"/gitea.tgz /var/lib/gitea/data

3
roles/Aether/files/backup-entries/Yggdrasil/grimoire.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### Grimoire ###
sudo -u postgres pg_dumpall > "$BACKUPDIR"/grimoire.sql

3
roles/Aether/files/backup-entries/Yggdrasil/irc.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### IRC Services ###
cp /opt/anope/data/anope.db "$BACKUPDIR"

9
roles/Aether/files/backup-entries/Yggdrasil/wiki.backup.script Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
### Wiki ###
mkdir "$BACKUPDIR"/wiki/
for i in `find /usr/share/webapps/ -maxdepth 1 -type d | grep mediawiki`; do
foldername="$(echo "$i" | rev | cut -f 1 -d '/' | rev)"
dbname="$(grep '^\$wgDBname' "$i"/LocalSettings.php | cut -f 2 -d \")"
$BACKUPCMD "${i}"/LocalSettings.php "$BACKUPDIR"/wiki/"$foldername"-localsettings.php
sudo -u postgres pg_dump "$dbname" > "$BACKUPDIR"/wiki/"$dbname".psql
done

3
roles/Aether/files/backup-entries/Yggdrasil/yggdrasil.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### Yggdrasil -- File & SHA list only for space reasons ###
cp /srv/yggdrasil/library.sha256 "$BACKUPDIR"/yggdrasil.library.sha256

146
roles/Aether/files/yggdrasil-check.conf Normal file
View File

@@ -0,0 +1,146 @@
# Example configuration file for AIDE.
# More information about configuration options available in the aide.conf manpage.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database_in=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
log_level=warning
report_level=changed_attributes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#
# Here are all the attributes we can check
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
###b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#ANF: allow new files
#ARF: allow removed files
#
# Here are all the digests we can use
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#gost: gost checksum
#whirlpool: whirlpool checksum
# These are the default rules
#R: p+i+l+n+u+g+s+m+c+md5
#L: p+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S
# You can create custom rules - my home made rule definition goes like this
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Ignore logs
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*

27
roles/Aether/tasks/client.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Copy the key
become: true
copy:
dest: /home/aether/.ssh/aether
content: "{{ aether_key.stdout }}"
- name: Copy the public key
become: true
copy:
dest: /home/aether/.ssh/aether.pub
content: "{{ aether_key.stdout }}"
- name: Enable the service
become: yes
service:
name: aether.timer
state: enabled
running: yes
- name: Enable the service - 2
become: yes
service:
name: aether-gen.timer
state: disabled
running: no

64
roles/Aether/tasks/main.yml Normal file
View File

@@ -0,0 +1,64 @@
---
- name: Install the package
become: true
ignore_errors: true
package:
name: Aether
state: present
- name: Validate the user
vars:
service_account: aether
include_tasks: ../roles/common/service_account.yml
- name: Ensure the Aether identity is protected.
become: true
file:
path: "{{ item }}"
state: directory
owner: aether
group: aether
mode: 0700
loop:
- /home/aether/.ssh
- /usr/local/etc/Aether
- /usr/local/etc/Aether/backup-entries
- /usr/local/backup
- name: Ensure the Aether identity exists
delegate_to: Core # Core will track the identity that will then be shared to everyone else.
become: true
command:
creates: /home/aether/.ssh/aether
chdir: /home/aether/.ssh/
cmd: ssh-keygen -t ed25519 -N "" -f ./aether
- name: Read the Aether identity
become: true
delegate_to: Core
command: cat /home/aether/.ssh/aether
register: aether_key
- name: Read the Aether public identity
become: true
delegate_to: Core
command: cat /home/aether/.ssh/aether.pub
register: aether_pubkey
- include_tasks: source.yml
when: "{{ inventory_hostname }} is 'Core'"
- include_tasks: client.yml
when: "{{ inventory_hostname }} is 'Core'"
- name: Ensure the Aether identity files are protected.
become: true
file:
path: "{{ item }}"
owner: aether
group: aether
mode: 0600
loop:
- /home/aether/.ssh/aether
- /home/aether/.ssh/aether.pub

42
roles/Aether/tasks/source.yml Normal file
View File

@@ -0,0 +1,42 @@
---
- name: Copy the backup scripts
become: yes
copy:
src: "backup-entries/{{ inventory_hostname }}"
dest: "/usr/local/etc/Aether/backup-entries"
owner: aether
group: aether
- name: Seed the backup passphrase
become: yes
copy:
content: "{{ passwords['Aether'] }}"
dest: "/usr/local/etc/Aether/pass.txt"
owner: aether
group: aether
mode: 0600
- name: Enable the generation service
become: yes
when: "{{ inventory_hostname }} == 'Core'"
service:
name: aether-gen.timer
state: enabled
running: yes
- name: Enable the generation service - 2
become: yes
when: "{{ inventory_hostname }} == 'Core'"
service:
name: aether.timer
state: disabled
running: no
- name: Set up the authorized_keys
template:
src: authorized_keys.j2
dest: /home/aether/.ssh/authorized_keys
mode: 0600
owner: aether
group: aether

18
roles/Chappaai/README.md Normal file
View File

@@ -0,0 +1,18 @@
A Chappaai host is a gateway to accessing other hosts. It is a safeguard against admin error.
## Etymology
Chappaai hosts are named to follow the non-English naming of the Stargate network by the other denizens of the galaxy.
They are the first line of defense against administrative error -- similar to the way that [Stargate Command](https://stargate.fandom.com/wiki/Stargate_Command) was for Earth. They prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This prevents infiltration by infections (similar to Goauld) and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
## Capacity and Components
A Chappaai host needs minimal CPU or memory.
## Hosted Services and Entities
Chappaai should host a Pihole installation and [SSH](../Services/SSH.md). It should be linked by NAT to an obscure port to the outside world.
## Connections
Any host should be able to connect to a Chappaai with SSH and X11, and it should be able to dial to any service provider.
## Additional Reference
Chappaai hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.

2
roles/Chappaai/files/pihole-FTL.conf Normal file
View File

@@ -0,0 +1,2 @@
PRIVACYLEVEL=0
RATE_LIMIT=1000/5

80
roles/Chappaai/tasks/main.yml Normal file
View File

@@ -0,0 +1,80 @@
---
- name: Clone pi-hole
become: yes
git:
accept_newhostkey: yes
dest: /opt/pi-hole
repo: https://github.com/pi-hole/pi-hole.git
- name: Install pi-hole if needed
become: yes
register: pihole_install
command:
creates: /usr/bin/pihole-FTL
cmd: false # bash basic-install.sh
chdir: '/opt/pi-hole/automated install'
- name: Ensure pihole web admin password
become: yes
command: "pihole -a -p {{ passwords['Chappaai'] }}"
# when: pihole_install.changed
- name: Generate DNS/DHCP from inventory
delegate_to: localhost
run_once: true
command: "python3 ../bin/generate-pihole-dns-dhcp.py {{ inventory_file }}"
- name: Chappaai DNS
become: yes
register: dns_updated
copy:
dest: /etc/pihole/custom.list
src: dns
owner: pihole
group: pihole
mode: 0644
- name: Chappaai DHCP
become: yes
register: dhcp_updated
copy:
src: dhcp
dest: /etc/dnsmasq.d/04-pihole-static-dhcp.conf
owner: root
group: root
mode: 0644
- name: Chappaai Configuration
become: yes
register: conf_updated
copy:
src: pihole-FTL.conf
dest: /etc/pihole/pihole-FTL.conf
owner: root
group: root
mode: 0644
- name: Chappaai DHCP Leases dir
become: yes
file:
path: /var/lib/misc/
state: directory
owner: root
group: root
mode: 0777
- name: Chappaai DHCP Leases
become: yes
file:
path: /var/lib/misc/dnsmasq.leases
state: touch
owner: pihole
group: pihole
mode: 0660
- name: Reload services
become: yes
command: pihole restartdns
when: dns_updated.changed or dhcp_updated.changed or conf_updated.changed

19
roles/Cyberbrain/README.md Normal file
View File

@@ -0,0 +1,19 @@
Cyberbrain is a way to ensure that so long as a person is connected to the Internet and authorized, they're able to connect to, use, and control the AniNIX.
It can serve as an alternative to using the [Terminal & SSH add-on](https://www.home-assistant.io/common-tasks/supervised/#installing-and-using-the-ssh-add-on-requires-enabling-advanced-mode-for-the-ha-user) for [AniNIX/Geth](../Geth/) in cases where a separate security posture is needed for each.
# Etymology
A [cyberbrain](https://ghostintheshell.fandom.com/wiki/Cyberbrain) is a concept from the series *Ghost in the Shell*. It's the integration of a normal brain with electronic, usually networked components. Similarly, this app serves as a core bridge between the shell environment of the AniNIX and any authorized user.
# Relevant Files and Software
This service is deployed as a Docker image from [FileStash](https://www.filestash.app/docs/install-and-upgrade/). This image is pointed back at the AniNIX/Yggdrasil's SFTP service.
Configuration is done in [the app](http://10.0.1.8:8334/admin/). A unique password should be configured, and then the only authorized backend is SFTP with passthrough authentication on the 'username_and_password' strategy. The SFTP host is then jailed as AniNIX/Yggdrasil's internal IP and port, with the `{{ .user }}` and `{{ .password }}` attributes populated.
This app can be proxied to the outside world and protected by encryption & a web-application firewall. This happens through [a WebServer configuration file](/AniNIX/Ubiqtorate/src/branch/main/roles/WebServer/files/conf.d/Core/adhan.conf).
## Backups
No backup is needed.
# Available Clients
This uses the same clients as [AniNIX/WebServer](../WebServer). Any browser will do.

27
roles/DarkNet/README.md Normal file
View File

@@ -0,0 +1,27 @@
The DarkNet VM is the privacy protection of the AniNIX. The AniNIX does not believe in security by obscurity or in censorship; as such, everyone should have a voice. VPN access is an assurance to content despite censorship and obfuscation for cases where free speech would normally come with some form of repercussions, despite the UN standards for human rights.
# Etymology
The DarkNet is named for an anonymous network whose access is controlled only by the admins and whose usage is known only to them. It's entirely closed and anonymous.
# Capacity and Components
A basic VM to provide DarkNet functionality in an AniNIX replica only needs the following resources:
* [ShadowArch](/AniNIX/ShadowArch)
* 1 core
* 1024M of RAM
* Virtualized NIC
* 150G of storage for any [AniNIX/WolfPack](/AniNIX/WolfPack) downloads, preferably on a unique physical harddrive that can be pulled and drilled
# Hosted Services
The DarkNet uses a small package list. It uses a couple services to achieve its goals. First, it uses [NordVPN](http://nordvpn.com/) to protect all traffic -- very simply, all one has to do to connect to the VPN is to run `nordvpn connect` and provide your login credentials to the service. We also use TOR for further anonymity -- torsocks and tor-browser-en provide functionality to cover that.
We recommend whitelisting your replica's subnet so that NordVPN doesn't see local traffic and services like log aggregation and administration can happen without exposing access across the VPN.
```
nordvpn whitelist add subnet $subnet/$cidr
```
## Abilities
* Encrypted storage by default to a passphrase known only to admins.
* Tor proxy service, integrated with both text lynx and GUI tor-browser-en browsers.
* Lynx is aliased to "torsocks lynx" globally
* Anonymous VPN via NordVPN

67
roles/DarkNet/tasks/main.yml Normal file
View File

@@ -0,0 +1,67 @@
---
- name: DarkNet packages
become: yes
package:
name:
- deluge
- deluge-gtk
- openvpn
- nordvpn-bin
- tor
- torsocks
- tor-browser-en
- name: OpenVPN config
become: yes
get_url:
url: "{{ secrets.DarkNet.vpnserver }}"
dest: /etc/openvpn/client/darknet.conf
mode: 0600
owner: openvpn
group: network
- name: OpenVPN Auth part 1
become: yes
lineinfile:
path: /etc/openvpn/client/darknet.conf
regexp: ^auth-user-pass
line: auth-user-pass /etc/openvpn/client/darknet.auth
- name: OpenVPN Auth part 2
become: yes
lineinfile:
path: /etc/openvpn/client/darknet.conf
regexp: ^dev
line: dev tun0
- name: OpenVPN Auth part 3
become: yes
copy:
dest: /etc/openvpn/client/darknet.auth
content: "{{ secrets.DarkNet.token }}"
mode: 0600
owner: openvpn
group: network
- name: "Enable daemons"
become: yes
service:
name: "{{ item }}"
state: started
enabled: yes
loop:
- tor.service
- nordvpnd.service
- deluged.service
- openvpn-client@darknet.service
- name: BashRC customization
become: yes
copy:
dest: /etc/profile.d/darknet
content: |
alias torlynx='torsocks elinks https://check.torproject.org/'
mode: 0644
owner: root
group: root

8
roles/DedSec/tasks/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
# Consider https://blackarch.org/blackarch-guide-en.pdf
- name: Install DedSec packages
become: yes
package:
name:
- tcpdump
- wireshark

65
roles/Foundation/README.md Normal file
View File

@@ -0,0 +1,65 @@
The Foundation is a one-stop shop for source code from AniNIX developers -- it's an open repository form which people can pull source code and recreate the entities being used by the AniNIX. You can view its web frontend from [https://aninix.net/foundation this webpage].
# Etymology
The etymology of the Foundation is twofold. First and foremost, the AniNIX attempts to automate any new package it is using as much as possible, and as such the Foundation holds the very basis on which the AniNIX is built.
Secondly, the Foundation is the third piece of the charity trinity for the AniNIX, along with the Wiki and the [https://aninix.net/pages/charity.php short-term charity projects]. The AniNIX puts a lot of time into designing its projects and making sure they work. Rather than forcing others to redo this work, we offer commented code and documentation so that the process is transparent but the work-by-hand is minimized.[[Category:Charity]]
# Relevant Files and Software
The Git system was created by the Linux project to manage changes to the kernel and has been on the rise for some time among Version Control Systems (VCS's) with projects like GitHub. The AniNIX self-hosts the repositories in [file:///srv/foundation/ the Foundation server folder] on [[Core]].
[[WebServer]] is configured to translate the repository to [https://aninix.net/foundation/ the Web-accessible format] via the ArchLinux cgit package. Review the package list at that link and identify the source packages you want to use. Then use the following to clone the source, generally best done to /usr/local/src/ on Linux. Please note that the AniNIX uses Webserver translation to eliminate the need for a .git suffix -- web requests will show in CGIT, while Git clone requests will pull the package all from the same URL. Right-click on your package of choice from the web interface's index page and then clone that address. <pre>
git clone https://aninix.net/foundation/<packagename>
</pre>
New packages should make sure to refer to the [[Development Best Practices]] to ensure they are compliant with standards; if you notice an issue with the Foundation's code, make sure to submit a [[QANs|QAN]]. [[TeamGreen|AniNIX::TeamGreen]] should be running regressions on these projects.
You can use [https://aur.archlinux.org/packages/hexedit-advanced-search/ Hexedit] to edit [file:///usr/share/webapps/cgit/cgit.cgi cgit.cgi] to have a different name, such as "AniNIX::Foundation Web".
## Dependencies
For CentOS, one needs to use the following steps to install Mono. Packages like Cryptoworkbench, Heartbeat, Cerberus, and others require this.
* yum install bison gettext glib2 freetype fontconfig libpng libpng-devel libX11 libX11-devel glib2-devel libgdi* libexif glibc-devel urw-fonts java unzip gcc gcc-c++ automake autoconf libtool make bzip2 wget
* [https://download.mono-project.com/sources/mono/ Download Mono source]
* tar xjvf the source package
* configure; make; make install
*Note:* We used to declare the INSTALLER variable at the top of Makefiles, but no longer do. Non-ShadowArch installs should double check dependencies against the PKGBUILD files manually. We will try to keep this list short.
# Available Clients
To get a client to access the Foundation, use one of the following or visit
* ArchLinux: pacman -S git
* Ubuntu: apt-get install git
* RHEL/CentOS: yum install git
* Windows: [https://git-scm.com/download/win Go here], but please be aware that file paths and such are coded for Linux. Windows users will need to conduct extensive code review to install these packages.
* Mac: [https://git-scm.com/download/mac Go here]
Each package will need to be checked out individually.
**Alternatively**: ArchLinux users can add the following segment to the bottom of pacman.conf to install the packages as bundled by the AniNIX. We're working on adding GPG signing -- in the meantime, security-conscious users should build from source anyway.
<pre>
[AniNIX::Foundation]
SigLevel = Optional TrustAll
Server = https://aninix.net/foundation/
</pre>
# Equivalents or Competition
The most famous equivalent is [https://github.com GitHub]. Other source code control systems exist, including some provided by employers or academic institutions -- GitLab provides an enterprise-style implementation. Other protocol implementations vary widely -- Mercurial, Bazaar, and SVN are other revision control systems others use. We appreciate the flexibility of Git.
# Additional Reference
Some core Git tools are leveraged in specific ways for the AniNIX.
## Config for Author
Even though the [[Talk:IRC#Why_Not_SMTP|AniNIX doesn't use SMTP]], we still use the @aninix.net suffix for the user.email config property on branches. All commits, therefore, should have the proper-case of the user's [[IRC|AniNIX::IRC]] handle as the user.name attribute, and the lower-cased username followed by @aninix.net for the user.email attribute.
## Tags for Semantic Versioning
We version our projects according to [https://semver.org/ Semantic Versioning] -- this versioning is established using the git tag as major and minor version, the git commit as the patch, and the number of commits since the tag as the ArchLinux release note.
[https://aninix.net/cgit/cgit.cgi/HelloWorld/tree/PKGBUILD Our HelloWorld PKGBUILD] demonstrates this -- most of the metadata for the package is populated directly by git, and only dependencies are tracked in the PKGBUILD itself.
## Branches for Functional Improvements
All major functional improvements being worked should be tracked in a branch. The branch name should be the same as the [[QANs|QAN]] for which the branch was started or the functional concept's shortname.
## Filter-branch to Prune
Git maintains a history of all files. If you need to remove files permanently, GitHub maintains [https://help.github.com/articles/removing-sensitive-data-from-a-repository/ an article] on how to use "git filter-branch" to purge it.
}}
[[Category:Public_Service]]

64
roles/Foundation/files/custom/bin/gen-aninix-custom Normal file
View File

@@ -0,0 +1,64 @@
#!/bin/bash
URI=https://aninix.net/assets/css/theme-arc-green.css
# Gitea arc-green palette
BOLDTEXT='#87ab63'
TEXT='#9e9e9e'
BGCOLOR='#383c4a'
ACCENTBG='#353945'
HEADERBG='#404552'
ROW='#2a2e3a'
HOVER='#a0cc75'
NAV='#2e323e'
# AniNIX palette
ANINIXBOLD='#df0000'
ANINIXTEXT='#ffffff'
ANINIXBG='#000000'
ANINIXACCENTBG='#303030'
ANINIXHEADERBG='#151515'
ANINIXROW='#2a2a2a'
ANINIXHOVER='#af0000'
ANINIXNAV='#000000'
(curl -ks "$URI"; echo; echo ".home a {
color: $ANINIXBOLD;
}
.bounding {
border: 1px solid #FFF;
border-radius: 15px;
margin: 0;
margin-top: 20px;
padding: 10px;
background-color: #000;
margin-bottom: 30px;
display: block;
}
body {
background-color: $ANINIXBG;
color: $ANINIXTEXT;
}
a {
color: $ANINIXBOLD;
}
") \
| sed "s/$BOLDTEXT/$ANINIXBOLD/gI" \
| sed "s/$TEXT/$ANINIXTEXT/gI" \
| sed "s/$ACCENTBG/$ANINIXACCENTBG/gI" \
| sed "s/$HEADERBG/$ANINIXHEADERBG/gI" \
| sed "s/$ROW/$ANINIXROW/gI" \
| sed "s/$NAV/$ANINIXNAV/gI" \
| sed "s/$HOVER/$ANINIXHOVER/gI" \
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/assets/css/theme-aninix.css
cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
for i in `find . -type f`; do
(echo "$head"
cat "$i"
echo "$foot") > /var/lib/gitea/custom/public/assets/"$i".html
done

32
roles/Foundation/files/custom/bin/sitemap.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
/*
* Build a sitemap dynamically.
* Update Gitea's sitemap with: `php ./sitemap.php > /var/lib/gitea/custom/sitemap.xml`
*
* Builds according to https://www.sitemaps.org/protocol.html
*/
/* Globals */
$path="/srv/http/aninix.net/";
echo '<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
';
exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | grep -E \.php\$ | grep -vE ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
foreach ($output as &$file) {
echo ' <url>
';
echo ' <loc>https://aninix.net/'.substr($file,strlen($path)).'</loc>
';
echo ' <lastmod>'.date('Y-m-d',filemtime($file)).'</lastmod>
';
echo ' </url>
';
}
/* Print footer */
echo '</urlset>
';
?>

7
roles/Foundation/files/custom/options/label/AniNIX Normal file
View File

@@ -0,0 +1,7 @@
#e11d21 Blocked ; There are functional or technical reasons this can't be implemented yet
#eb6420 Duplicate ; Another issue or PR already describes this issue
#bfd4f2 On-hold ; Evaluated but not enough resources to complete now
#009800 Peer-review ; Being reviewed for quality prior to merge
#207de5 RFC ; More information and feedback is needed
#fbca04 Wontfix ; Not a bug -- way it works
#9c4ac2 In-progress ; Being worked.

31
roles/Foundation/files/custom/options/license/AniNIX-WTFPL Normal file
View File

@@ -0,0 +1,31 @@
# http://www.wtfpl.net/about/
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. You just DO WHAT THE FUCK YOU WANT TO.
ANINIX ADDENDUM
Trademark 2017 (https://aninix.net/)
The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
AniNIX materials may be reproduced and re-used (though you must
contact the admins of the network to get written permission to use
the AniNIX name or logo) so long as such reproduction or re-use
does not inhibit the original AniNIX use of the same.
Attribution is appreciated for other materials but not legally
required or necessary.
"AniNIX" trademark serial: 87177883
|> Logo trademark serial: 87177887

0
roles/Foundation/files/custom/public/.well-known/acme-challenge/aninix-test Executable file
View File

26
roles/Foundation/files/custom/public/assets/js/aninix.js Normal file
View File

@@ -0,0 +1,26 @@
/* RSS Reading */
function insertNewsSnippet(snippet,tag) {
/* DOM XML handling has been too problematic, so we are now using git-hooks to pre-generate the snippet. This function injects that snippet.
* param snippet: URI for the snippet
* param tag: div tag to overwrite
*/
var http_request = false;
http_request = new XMLHttpRequest();
http_request.open("GET",snippet,true);
http_request.setRequestHeader("Cache-Control", "no-cache");
http_request.setRequestHeader("Pragma", "no-cache");
http_request.onreadystatechange = function() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
if (http_request.responseText != null) {
document.getElementById(tag).innerHTML = http_request.responseText;
} else {
alert("Failed to receive RSS file from the server - file not found.");
return false;
}
}
}
}
http_request.send(null);
}

55
roles/Foundation/files/custom/public/sitemap.xml Executable file
View File

@@ -0,0 +1,55 @@
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://aninix.net/martialarts/index.html</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://foundation.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://foundation.aninix.net/explore/repos</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://foundation.aninix.net/AniNIX/Wiki</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://irc.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://password.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://maat.aninix.net/index.html</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://singularity.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://wolfpack.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://yggdrasil.aninix.net/</loc>
<lastmod>2020-09-20</lastmod>
</url>
<url>
<loc>https://sharingan.aninix.net</loc>
<lastmod>2020-09-20</lastmod>
</url>
<!-- Unlisted:
lykos.aninix.net
adhan.aninix.net
-->
</urlset>

9
roles/Foundation/files/custom/robots.txt Normal file
View File

@@ -0,0 +1,9 @@
User-agent: *
Allow: /$
Allow: /issues
Allow: /pulls
Allow: /explore
Allow: /AniNIX/
Allow: /martialarts/
Allow: /sitemap.xml
Disallow: /

47
roles/Foundation/files/custom/sitemap.php Normal file
View File

@@ -0,0 +1,47 @@
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>https://aninix.net/index.php</loc>
<lastmod>2019-10-24</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/legal.php</loc>
<lastmod>2018-01-24</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/wiki.php</loc>
<lastmod>2017-05-09</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/martialarts.php</loc>
<lastmod>2018-09-18</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/qr.php</loc>
<lastmod>2016-11-01</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/social.php</loc>
<lastmod>2019-10-04</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/webapps.php</loc>
<lastmod>2018-10-11</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/downloads.php</loc>
<lastmod>2018-04-06</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/charity.php</loc>
<lastmod>2018-04-06</lastmod>
</url>
<url>
<loc>https://aninix.net/pages/chatroom.php</loc>
<lastmod>2017-05-09</lastmod>
</url>
<url>
<loc>https://aninix.net/martialarts/index.php</loc>
<lastmod>2019-08-26</lastmod>
</url>
</urlset>

3
roles/Foundation/files/custom/templates/custom/extra_links.tmpl Normal file
View File

@@ -0,0 +1,3 @@
<a class="item" target="_blank" id="chat" href="https://irc.aninix.net/">Chat</a>
<a class="item" target="_blank" id="pwdchange" href="https://password.aninix.net/">Change Password</a>
<a class="item" id="martialarts" href="{{AppSubUrl}}/martialarts/">Martial Arts</a>

9
roles/Foundation/files/custom/templates/custom/footer.tmpl Normal file
View File

@@ -0,0 +1,9 @@
<!-- Replace Gitea icon with AniNIX -->
<script type="text/javascript">
document.getElementById('navbar').children[0].children[0].children[0].src="/assets/img/AniNIX.png";
$('meta[property=og\\:image]').attr('content', '/assets/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('href', '/assets/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('color', '#000000');
document.getElementById("pwdchange").setAttribute("target","_blank");
document.getElementById("chat").setAttribute("target","_blank");
</script>

5
roles/Foundation/files/custom/templates/custom/header.tmpl Normal file
View File

@@ -0,0 +1,5 @@
<link rel="icon" type="image/png" href="/assets/img/AniNIX.png" />
<link rel="alternate" type="application/rss+xml" title="AniNIX/RSS" href="/aninix.xml" />
<link rel='apple-touch-icon' sizes='180x180' href='/assets/img/AniNIX.png' />
<meta name='apple-mobile-web-app-capable' content='yes' />
<script src="/assets/js/aninix.js"></script>

94
roles/Foundation/files/custom/templates/home.tmpl Normal file
View File

@@ -0,0 +1,94 @@
{{template "base/head" .}}
<!-- BEGIN CUSTOM HOME -->
<div class="home">
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="{{AppSubUrl}}/assets/img/avatar_default.png" />
</div>
<div class="hero">
<h1 class="ui icon header title">
AniNIX
</h1>
<h2>Welcome to the network</h2>
</div>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/Foundation.png'/>
<a href="https://foundation.aninix.net/explore/repos">Open source security</a>
</h1>
<p class="large">
The AniNIX's primary goal is to ensure everyone has access to the knowledge they need to build a low-cost, secure platform. We make all our source-code accessible and open-source.
</p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/IRC.png'/>
<a href='ircs://aninix.net:6697/#lobby'>Contact us anytime</a>
</h1>
<p class="large">
We run an open IRC network -- we'd love to connect with you there. Not familiar with IRC? No worries -- we have a <a href="https://irc.aninix.net/" target=_blank alt="AniNIX/IRC (Web)" id="webchat">webchat</a> available.
</p> </div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src="/assets/img/icons/Wiki.png"/>
<a href="/AniNIX/Wiki">Open documentation</a>
</h1>
<p class="large">
We maintain a Wiki to document how and why we do what we do. Hopefully, it can both help others to learn more about computing and spark discussion with the community at large.
</p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20x src="/assets/img/icons/Maat.png"/>
<a href="https://maat.aninix.net/">Downloads</a>
</h1>
<p class="large">
We offer downloads from our AniNIX/Maat continuous-deployment system, including static files and packages for <a href="https://archlinux.org/">ArchLinux-style distributions.</a>
</p>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2>Webapps</h2>
<p>We host a number of web apps to make our users' lives easier.
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="four wide center column"><a title="AniNIX/Singularity" href="https://singularity.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/icons/Singularity.png" /><p>AniNIX/Singularity (News powered by TT-RSS)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Yggdrasil" href="https://yggdrasil.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/icons/Yggdrasil.png" /><p>AniNIX/Yggdrasil (Media powered by Emby)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Sharingan" href="https://sharingan.aninix.net"><img src="/assets/img/icons/Sharingan.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Sharingan (Monitoring powered by Graylog)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Cyberbrain" href="https://cyberbrain.aninix.net"><img src="/assets/img/icons/Cyberbrain.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Cyberbrain (SFTP Dropbox)</p></a></div>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="sixteen wide center aligned centered column">
<div class="hero" id="latest-news"></div>
<script type="text/javascript">
insertNewsSnippet("https://aninix.net/assets/rss-snippets/aninix","latest-news");
</script>
</div>
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2>Follow us on social media</h2>
<p>We want to stay in touch with you, so we are present on the social media platforms we find applicable.<br/> Have one you want us on? Contact us and let us know!</p>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="two wide center column"><!--placeholder--><p>&nbsp;</p></div>
<div class="two wide center column"><a title=AniNIX/RSS href="/assets/aninix.xml"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/social/rss.png" /></a></div>
<div class="two wide center column"><a title=Discord href="https://discord.gg/2bmggfR"><img alt=Discord style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/discord.ico" /></a></div>
<div class="two wide center column"><a title=GitHub href="https://github.com/AniNIX"><img alt=GitHub src="/assets/img/social/github.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=YouTube href="https://www.youtube.com/channel/UCe-WNM2mbI51xoVZp3K_wFQ"><img src="/assets/img/social/youtube.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=LinkedIn href="https://www.linkedin.com/groups/13577720"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/linkedin.png" /></a></div>
<div class="two wide center column"><a title=Facebook href="https://facebook.com/aninixnetwork"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/facebook.png" /></a></div>
<div class="two wide center column"><!--placeholder--><p>&nbsp;</p></div>
</div>
</div>
</div>
<!-- END CUSTOM HOME -->
{{template "base/footer" .}}

51
roles/Foundation/files/foundation.service Normal file
View File

@@ -0,0 +1,51 @@
[Unit]
Description=Gitea (Git with a cup of tea)
After=syslog.target
After=network.target
After=mysqld.service
After=postgresql.service
After=memcached.service
After=redis.service
[Service]
User=gitea
Group=gitea
Type=simple
WorkingDirectory=~
RuntimeDirectory=gitea
LogsDirectory=gitea
StateDirectory=gitea
Environment=USER=gitea HOME=/var/lib/gitea GITEA_WORK_DIR=/var/lib/gitea GITEA_CUSTOM=/var/lib/gitea/custom/
ExecStart=/usr/bin/gitea web -c /var/lib/gitea/custom/conf/app.ini --custom-path=/var/lib/gitea/custom/
Restart=always
RestartSec=2s
ReadWritePaths=/var/lib/gitea/custom/conf/app.ini
AmbientCapabilities=
CapabilityBoundingSet=
LockPersonality=true
#Required by commit search
#MemoryDenyWriteExecute=true
NoNewPrivileges=True
#SecureBits=noroot-locked
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
[Install]
WantedBy=multi-user.target

10
roles/Foundation/files/gitea.hook Normal file
View File

@@ -0,0 +1,10 @@
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = gitea
[Action]
Description = Updating Gitea Custom Pages
When = PostTransaction
Exec = /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom

10
roles/Foundation/files/hooks/gitea.hook Normal file
View File

@@ -0,0 +1,10 @@
[Trigger]
Operation = Install
Operation = Upgrade
Type = Package
Target = gitea
[Action]
Description = Updating Gitea Custom Pages
When = PostTransaction
Exec = /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom

86
roles/Foundation/files/web-snippets/martialarts/index Normal file
View File

@@ -0,0 +1,86 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<!--<div class="ui negative message"><p>We are open despite COVID-19 -- those attending in person will need to sign a waiver of health and follow all state requirements, including wearing a mask.</p></div>-->
<div>
<img class="logo" src="/assets/img/icons/MartialArts.png" />
</div>
<div class="hero">
<h1 class="ui icon header title">
AniNIX Martial Arts
</h1>
<h2>Open-source, research-driven self-defense and personal health</h2>
<p>AniNIX Martial Arts is a small martial arts collective focusing on research-driven martial arts. Our core style is USHF HapKiDo, but we are influenced by HEMA, Razmafzar, Kali, Shaolin, Silat, JKD, BJJ, and many other systems. We are a research-driven group -- we encourage cross-training with other systems and will bring in new concepts regularly. The class is open to all experience levels, gender identity, gender expression, sexual orientation, religious or cultural identity, socioecomic status, or age (above 14), in Southcentral Wisconsin -- we will fit your training to your needs and goals.</p><p>Drop-ins are welcome, and registration is cheap. We hope you'll give us a chance to show you what we can do.</p>
</div>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/Foundation.png'/>
<a href="/mawiki">Open-source</a>
</h1>
<p class="large">
We want your training with our system to become a part of your life. This means that we provide access to a revision-controlled copy of our notes that all our students can download, keep, and contribute to. We're tired of the old era where how the system works is kept hidden from students and piecemealed out as a marketing ploy -- we want to be as trasparent as possible in how our program and our martial art function. Transparency keeps our instructors honest and our students engaged -- this means a better martial arts experience for everyone.
</p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/ushf.jpg'/>
<a href='https://ushapkidofederation.wordpress.com/'>Research-driven</a>
</h1>
<p class="large">
Our system is always growing. We are a United States HapKiDo Federation (USHF) school, and that gives us access to high-quality instructors and seminar material each year from across the US. We also maintain good relationships with other schools in our area -- we want our students to examine what they're learing and make sure that it works, and that means looking at different perspectives.
</p> </div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src="/assets/img/icons/MartialArts.png"/>
<a href="/martialarts/index.html#storefront">Low-cost</a>
</h1>
<p class="large">We are non-profit group -- we train because we feel like it makes life better, not to make money. As such, our costs are publicly documented and our rates match the same. Classes will be informed of potential changes to costs well in advance, and we use recurring payments. We want you thinking about your training, not how you're going to pay for it.</p>
<p class="large">
<ul style="text-align: left;">
<li><b>Cost:</b> Free</li>
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
<li><b>Location:</b> <a href="https://g.page/aninix-martial-arts?share">225 Blaser Drive, Belleville, WI</a></li>
<li><b>What to bring:</b> Exercise clothes and water</li>
</ul></p>
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20x src="/assets/img/icons/IRC.png"/>
<a href="/martialarts/index.html#social">Real-life First</a>
</h1>
<p class="large">
Everyone is welcome! Class attendance is not mandated and belt-testing is not required to train. As a courtesy, please inform the class of your absence or intended late arrival -- real-life comes first, and we're happy to work with your needs. As long as one person shows, we'll have class -- the smaller the class, the more tailored it is, but the bigger classes mean more partners and body types.</p>
<p class="large">
Our focus is also on what you will actually use. While we appreciate traditional and esoteric training for self-development, our weekly classes are focused on modern techniques and training methods so that you get the most out of your time. Our goal is to help create a community of prepared and healthy citizens, and we believe martial arts helps build that in a way no other activity can.
</p>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="ui stackable middle very relaxed page grid" id="latest-news"></div>
<script type="text/javascript">
insertNewsSnippet("https://aninix.net/assets/rss-snippets/maqotw","latest-news");
</script>
<div class="ui stackable middle very relaxed page grid" id="social">
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2 id=social>Follow us on social media</h2>
<p class=large>We want to stay in touch with you, so we are present on the social media platforms we find applicable.<br/> Have one you want us on? Contact us and let us know!</p>
</div>
<div class="ui stackable middle very relaxed page grid" id="social">
<div class="two wide center column"><p>&nbsp;</p></div>
<div class="two wide center column"><a title=RSS href="/martialarts/maqotw.xml"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/social/rss.png" /></a></div>
<div class="two wide center column"><a title=Discord href="https://discord.gg/2bmggfR"><img alt=Discord style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/discord.ico" /></a></div>
<div class="two wide center column"><a title=NextDoor href="https://nextdoor.com/news_feed/?post=112835813"><img alt=NextDoor src="/assets/img/social/nextdoor.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=YouTube href="https://www.youtube.com/channel/UCVAkee-WaInnZbPn16bqzrw/about?view_as=subscriber"><img src="/assets/img/social/youtube.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /></a></div>
<div class="two wide center column"><a title=Strava href="https://www.strava.com/clubs/aninixmartialarts"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/strava.png" /></a></div>
<div class="two wide center column"><a title=Facebook href="https://www.facebook.com/groups/aninixmartialarts/"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/social/facebook.png" /></a></div>
<div class="two wide center column"><p>&nbsp;</p></div>
</div>
</div>
</div>

73
roles/Foundation/tasks/main.yml Normal file
View File

@@ -0,0 +1,73 @@
---
- name: Base packages
become: yes
package:
name:
- gitea
- name: Make directories
become: yes
file:
path: "/var/lib/gitea/{{ item }}"
owner: gitea
group: gitea
mode: 0750
loop:
- "custom/bin"
- "web-snippets"
- name: Populate config
become: yes
register: config
template:
src: app.ini.j2
dest: /etc/gitea/app.ini
owner: gitea
group: gitea
mode: 0750
- name: Copy web-snippets
become: yes
copy:
src: web-snippets/
dest: /var/lib/gitea/web-snippets
owner: gitea
group: gitea
mode: 0640
- name: Copy scripts
become: yes
copy:
src: custom/
dest: /var/lib/gitea/custom/
owner: gitea
group: gitea
- name: Publish AniNIX/Yggdrasil CSS
become: yes
get_url:
url: https://github.com/BenZuser/Emby-Web-Dark-Themes-CSS/raw/master/RED/theme.css
dest: /var/lib/gitea/custom/public/assets/css/emby-web-dark-theme-BenZuser.css
owner: gitea
group: gitea
- name: Copy hook
become: yes
copy:
src: gitea.hook
dest: /etc/pacman.d/hooks/gitea.hook
owner: gitea
group: gitea
- name: Generate pages
become: yes
register: custompages
command: /usr/bin/runuser -u gitea -- /usr/bin/bash /var/lib/gitea/custom/bin/gen-aninix-custom
- name: Restart service
become: yes
when: config.changed or custompages.changed
service:
name: gitea
state: restarted
enabled: yes

739
roles/Foundation/templates/app.ini.j2 Normal file
View File

@@ -0,0 +1,739 @@
; This file lists the default values used by Gitea
; Copy required sections to your own app.ini (default is custom/conf/app.ini)
; and modify as needed.
; see https://docs.gitea.io/en-us/config-cheat-sheet/ for additional documentation.
; App name that shows in every page title
APP_NAME = AniNIX
; Change it if you run locally
RUN_USER = gitea
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
WORK_PATH = /var/lib/gitea
[repository]
ROOT = repos
SCRIPT_TYPE = bash
; Default ANSI charset
ANSI_CHARSET =
; Force every new repository to be private
FORCE_PRIVATE = false
; Default privacy setting when creating a new repository, allowed values: last, private, public. Default is last which means the last setting used.
DEFAULT_PRIVATE = last
; Global limit of repositories per user, applied at creation time. -1 means no limit
MAX_CREATION_LIMIT = -1
; Preferred Licenses to place at the top of the List
; The name here must match the filename in conf/license or custom/conf/license
PREFERRED_LICENSES = AniNIX-WTFPL
; Disable the ability to interact with repositories using the HTTP protocol
DISABLE_HTTP_GIT = false
; Value for Access-Control-Allow-Origin header, default is not to present
; WARNING: This maybe harmful to you website if you do not give it a right value.
ACCESS_CONTROL_ALLOW_ORIGIN =
; Force ssh:// clone url instead of scp-style uri when default SSH port is used
USE_COMPAT_SSH_URI = false
; Close issues as long as a commit on any branch marks it as fixed
DEFAULT_CLOSE_ISSUES_VIA_COMMITS_IN_ANY_BRANCH = false
[repository.editor]
; List of file extensions for which lines should be wrapped in the CodeMirror editor
; Separate extensions with a comma. To line wrap files without an extension, just put a comma
LINE_WRAP_EXTENSIONS = .txt,.md,.markdown,.mdown,.mkd,
; Valid file modes that have a preview API associated with them, such as api/v1/markdown
; Separate the values by commas. The preview tab in edit mode won't be displayed if the file extension doesn't match
PREVIEWABLE_FILE_MODES = markdown
[repository.local]
; Path for local repository copy. Defaults to `tmp/local-repo`
LOCAL_COPY_PATH = tmp/local-repo
; Path for local wiki copy. Defaults to `tmp/local-wiki`
LOCAL_WIKI_PATH = tmp/local-wiki
[repository.upload]
; Whether repository file uploads are enabled. Defaults to `true`
ENABLED = true
; Path for uploads. Defaults to `data/tmp/uploads` (tmp gets deleted on gitea restart)
TEMP_PATH = data/tmp/uploads
; One or more allowed types, e.g. image/jpeg|image/png. Nothing means any file type
ALLOWED_TYPES =
; Max size of each file in megabytes. Defaults to 3MB
FILE_MAX_SIZE = 3
; Max number of files per upload. Defaults to 5
MAX_FILES = 5
[repository.pull-request]
; List of prefixes used in Pull Request title to mark them as Work In Progress
WORK_IN_PROGRESS_PREFIXES = WIP:,[WIP]
[repository.issue]
; List of reasons why a Pull Request or Issue can be locked
LOCK_REASONS = Too heated,Off-topic,Resolved,Spam
[cors]
; More information about CORS can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#The_HTTP_response_headers
; enable cors headers (disabled by default)
ENABLED = false
; scheme of allowed requests
SCHEME = http
; list of requesting domains that are allowed
ALLOW_DOMAIN = *
; allow subdomains of headers listed above to request
ALLOW_SUBDOMAIN = false
; list of methods allowed to request
METHODS = GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
; max time to cache response
MAX_AGE = 10m
; allow request with credentials
ALLOW_CREDENTIALS = false
[ui]
; Number of repositories that are displayed on one explore page
EXPLORE_PAGING_NUM = 20
; Number of issues that are displayed on one page
ISSUE_PAGING_NUM = 10
; Number of maximum commits displayed in one activity feed
FEED_MAX_COMMIT_NUM = 5
; Number of maximum commits displayed in commit graph.
GRAPH_MAX_COMMIT_NUM = 100
; Number of line of codes shown for a code comment
CODE_COMMENT_LINES = 4
; Value of `theme-color` meta tag, used by Android >= 5.0
; An invalid color like "none" or "disable" will have the default style
; More info: https://developers.google.com/web/updates/2014/11/Support-for-theme-color-in-Chrome-39-for-Android
THEME_COLOR_META_TAG = `#ff0000`
; Max size of files to be displayed (default is 8MiB)
MAX_DISPLAY_FILE_SIZE = 8388608
; Whether the email of the user should be shown in the Explore Users page
SHOW_USER_EMAIL = true
; Set the default theme for the Gitea install
DEFAULT_THEME = aninix
; All available themes. Allow users select personalized themes regardless of the value of `DEFAULT_THEME`.
THEMES = gitea,arc-green,aninix
; Whether the full name of the users should be shown where possible. If the full name isn't set, the username will be used.
DEFAULT_SHOW_FULL_NAME = false
[ui.admin]
; Number of users that are displayed on one page
USER_PAGING_NUM = 50
; Number of repos that are displayed on one page
REPO_PAGING_NUM = 50
; Number of notices that are displayed on one page
NOTICE_PAGING_NUM = 25
; Number of organizations that are displayed on one page
ORG_PAGING_NUM = 50
[ui.user]
; Number of repos that are displayed on one page
REPO_PAGING_NUM = 15
[ui.meta]
AUTHOR = AniNIX/Foundation
DESCRIPTION = AniNIX/Foundation | Code, documentation, and information sharing powered by Gitea (git with a cup of tea)
KEYWORDS = go,git,self-hosted,gitea,aninix,aninix::foundation
[markdown]
; Enable hard line break extension
ENABLE_HARD_LINE_BREAK = false
; List of custom URL-Schemes that are allowed as links when rendering Markdown
; for example git,magnet
CUSTOM_URL_SCHEMES =
; List of file extensions that should be rendered/edited as Markdown
; Separate the extensions with a comma. To render files without any extension as markdown, just put a comma
FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
[server]
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
PROTOCOL = http
DOMAIN = {{ external_domain }}
ROOT_URL = https://{{ external_domain }}/
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000
; If REDIRECT_OTHER_PORT is true, and PROTOCOL is set to https an http server
; will be started on PORT_TO_REDIRECT and it will redirect plain, non-secure http requests to the main
; ROOT_URL. Defaults are false for REDIRECT_OTHER_PORT and 80 for
; PORT_TO_REDIRECT.
REDIRECT_OTHER_PORT = false
PORT_TO_REDIRECT = 3000
; Permission for unix socket
UNIX_SOCKET_PERMISSION = 660
; Local (DMZ) URL for Gitea workers (such as SSH update) accessing web service.
; In most cases you do not need to change the default value.
; Alter it only if your SSH server node is not the same as HTTP node.
; Do not set this variable if PROTOCOL is set to 'unix'.
LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
; Disable SSH feature when not available
DISABLE_SSH = false
; Whether to use the builtin SSH server or not.
START_SSH_SERVER = false
; Username to use for the builtin SSH server. If blank, then it is the value of RUN_USER.
BUILTIN_SSH_SERVER_USER =
; Domain name to be exposed in clone URL
SSH_DOMAIN = foundation.aninix.net
; The network interface the builtin SSH server should listen on
SSH_LISTEN_HOST =
; Port number to be exposed in clone URL
SSH_PORT = 22
; The port number the builtin SSH server should listen on
SSH_LISTEN_PORT = %(SSH_PORT)s
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH =
; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
SSH_CREATE_AUTHORIZED_KEYS_FILE = true
; For the built-in SSH server, choose the ciphers to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
; For the built-in SSH server, choose the key exchange algorithms to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org
; For the built-in SSH server, choose the MACs to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
; Directory to create temporary files in when testing public keys using ssh-keygen,
; default is the system temporary directory.
SSH_KEY_TEST_PATH =
; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
SSH_KEYGEN_PATH = ssh-keygen
; Enable SSH Authorized Key Backup when rewriting all keys, default is true
SSH_BACKUP_AUTHORIZED_KEYS = true
; Enable exposure of SSH clone URL to anonymous visitors, default is false
SSH_EXPOSE_ANONYMOUS = false
; Indicate whether to check minimum key size with corresponding type
MINIMUM_KEY_SIZE_CHECK = false
; Disable CDN even in "prod" mode
OFFLINE_MODE = true
DISABLE_ROUTER_LOG = false
; Generate steps:
; $ ./gitea cert -ca=true -duration=8760h0m0s -host=myhost.example.com
;
; Or from a .pfx file exported from the Windows certificate store (do
; not forget to export the private key):
; $ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
; $ openssl pkcs12 -in cert.pfx -out key.pem -nocerts -nodes
CERT_FILE = custom/https/cert.pem
KEY_FILE = custom/https/key.pem
; Root directory containing templates and static files.
; default is the path where Gitea is executed
STATIC_ROOT_PATH = /usr/share/gitea
; Default path for App data
APP_DATA_PATH = data
; Application level GZIP support
ENABLE_GZIP = false
; Application profiling (memory and cpu)
; For "web" command it listens on localhost:6060
; For "serve" command it dumps to disk at PPROF_DATA_PATH as (cpuprofile|memprofile)_<username>_<temporary id>
ENABLE_PPROF = false
; PPROF_DATA_PATH, use an absolute path when you start gitea as service
PPROF_DATA_PATH = data/tmp/pprof
; Landing page, can be "home", "explore", or "organizations"
LANDING_PAGE = home
; Enables git-lfs support. true or false, default is false.
LFS_START_SERVER = true
; Where your lfs files reside, default is data/lfs.
; LFS authentication secret, change this yourself
LFS_JWT_SECRET = {{ secrets.Foundation.lfs_jwt_secret }}
; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
LFS_HTTP_AUTH_EXPIRY = 20m
[lfs]
PATH = data/lfs
; Define allowed algorithms and their minimum key length (use -1 to disable a type)
[ssh.minimum_key_sizes]
ED25519 = 256
ECDSA = 256
RSA = 2048
DSA = 1024
[database]
; Either "mysql", "postgres", "mssql" or "sqlite3", it's your choice
DB_TYPE = postgres
HOST = 127.0.0.1:5432
NAME = gitea
USER = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD = {{ secrets.Foundation.database_password }}
; For Postgres, either "disable" (default), "require", or "verify-full"
; For MySQL, either "false" (default), "true", or "skip-verify"
SSL_MODE = disable
; For MySQL only, either "utf8" or "utf8mb4", default is "utf8".
; NOTICE: for "utf8mb4" you must use MySQL InnoDB > 5.6. Gitea is unable to check this.
CHARSET = utf8
; For "sqlite3" and "tidb", use an absolute path when you start gitea as service
PATH = data/gitea.db
; For "sqlite3" only. Query timeout
SQLITE_TIMEOUT = 500
; For iterate buffer, default is 50
ITERATE_BUFFER_SIZE = 50
; Show the database generated SQL
LOG_SQL = false
; Maximum number of DB Connect retries
DB_RETRIES = 10
; Backoff time per DB retry (time.Duration)
DB_RETRY_BACKOFF = 3s
[indexer]
; Issue indexer type, currently support: bleve or db, default is bleve
ISSUE_INDEXER_TYPE = bleve
; Issue indexer storage path, available when ISSUE_INDEXER_TYPE is bleve
ISSUE_INDEXER_PATH = indexers/issues.bleve
; When `ISSUE_INDEXER_QUEUE_TYPE` is `redis`, this will store the redis connection string.
; repo indexer by default disabled, since it uses a lot of disk space
REPO_INDEXER_ENABLED = false
REPO_INDEXER_PATH = indexers/repos.bleve
MAX_FILE_SIZE = 1048576
[admin]
; Disallow regular (non-admin) users from creating organizations.
DISABLE_REGULAR_ORG_CREATION = true
[security]
; Whether the installer is disabled
INSTALL_LOCK = true
; !!CHANGE THIS TO KEEP YOUR USER DATA SAFE!!
SECRET_KEY = {{ secrets.Foundation.secret_key }}
; How long to remember that an user is logged in before requiring relogin (in days)
LOGIN_REMEMBER_DAYS = 7
COOKIE_USERNAME = gitea_awesome
COOKIE_REMEMBER_NAME = gitea_incredible
; Reverse proxy authentication header name of user name
REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
; The minimum password length for new Users
MIN_PASSWORD_LENGTH = 6
; Set to true to allow users to import local server paths
IMPORT_LOCAL_PATHS = false
; Set to true to prevent all users (including admin) from creating custom git hooks
DISABLE_GIT_HOOKS = false
INTERNAL_TOKEN = {{ secrets.Foundation.internal_token }}
[openid]
;
; OpenID is an open, standard and decentralized authentication protocol.
; Your identity is the address of a webpage you provide, which describes
; how to prove you are in control of that page.
;
; For more info: https://en.wikipedia.org/wiki/OpenID
;
; Current implementation supports OpenID-2.0
;
; Tested to work providers at the time of writing:
; - Any GNUSocial node (your.hostname.tld/username)
; - Any SimpleID provider (http://simpleid.koinic.net)
; - http://openid.org.cn/
; - openid.stackexchange.com
; - login.launchpad.net
; - <username>.livejournal.com
;
; Whether to allow signin in via OpenID
ENABLE_OPENID_SIGNIN = FALSE
; Whether to allow registering via OpenID
; Do not include to rely on rhw DISABLE_REGISTRATION setting
; ENABLE_OPENID_SIGNUP = true
; Allowed URI patterns (POSIX regexp).
; Space separated.
; Only these would be allowed if non-blank.
; Example value: trusted.domain.org trusted.domain.net
WHITELISTED_URIS =
; Forbidden URI patterns (POSIX regexp).
; Space separated.
; Only used if WHITELISTED_URIS is blank.
; Example value: loadaverage.org/badguy stackexchange.com/.*spammer
BLACKLISTED_URIS =
ENABLE_OPENID_SIGNUP = false
[service]
; Time limit to confirm account/email registration
ACTIVE_CODE_LIVE_MINUTES = 180
; Time limit to perform the reset of a forgotten password
RESET_PASSWD_CODE_LIVE_MINUTES = 180
; Whether a new user needs to confirm their email when registering.
REGISTER_EMAIL_CONFIRM = false
; List of domain names that are allowed to be used to register on a Gitea instance
; gitea.io,example.com
EMAIL_DOMAIN_ALLOWLIST =
; Disallow registration, only allow admins to create accounts.
DISABLE_REGISTRATION = true
; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
ALLOW_ONLY_EXTERNAL_REGISTRATION = false
; User must sign in to view anything.
REQUIRE_SIGNIN_VIEW = false
; Mail notification
ENABLE_NOTIFY_MAIL = false
; More detail: https://github.com/gogits/gogs/issues/165
ENABLE_REVERSE_PROXY_AUTHENTICATION = false
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
ENABLE_REVERSE_PROXY_EMAIL = false
; Enable captcha validation for registration
ENABLE_CAPTCHA = false
; Type of captcha you want to use. Options: image, recaptcha
CAPTCHA_TYPE = image
; Enable recaptcha to use Google's recaptcha service
; Go to https://www.google.com/recaptcha/admin to sign up for a key
RECAPTCHA_SECRET =
RECAPTCHA_SITEKEY =
; Change this to use recaptcha.net or other recaptcha service
RECAPTCHA_URL = https://www.google.com/recaptcha/
; Default value for KeepEmailPrivate
; Each new user will get the value of this setting copied into their profile
DEFAULT_KEEP_EMAIL_PRIVATE = false
; Default value for AllowCreateOrganization
; Every new user will have rights set to create organizations depending on this setting
DEFAULT_ALLOW_CREATE_ORGANIZATION = false
; Either "public", "limited" or "private", default is "public"
; Limited is for signed user only
; Private is only for member of the organization
; Public is for everyone
DEFAULT_ORG_VISIBILITY = public
; Default value for EnableDependencies
; Repositories will use dependencies by default depending on this setting
DEFAULT_ENABLE_DEPENDENCIES = true
; Enable heatmap on users profiles.
ENABLE_USER_HEATMAP = true
; Enable Timetracking
ENABLE_TIMETRACKING = true
; Default value for EnableTimetracking
; Repositories will use timetracking by default depending on this setting
DEFAULT_ENABLE_TIMETRACKING = true
; Default value for AllowOnlyContributorsToTrackTime
; Only users with write permissions can track time if this is true
DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME = true
; Default value for the domain part of the user's email address in the git log
; if he has set KeepEmailPrivate to true. The user's email will be replaced with a
; concatenation of the user name in lower case, "@" and NO_REPLY_ADDRESS.
NO_REPLY_ADDRESS = noreply.aninix.net
; Show Registration button
SHOW_REGISTRATION_BUTTON = true
; Default value for AutoWatchNewRepos
; When adding a repo to a team or creating a new repo all team members will watch the
; repo automatically if enabled
AUTO_WATCH_NEW_REPOS = true
[webhook]
; Hook task queue length, increase if webhook shooting starts hanging
QUEUE_LENGTH = 1000
; Deliver timeout in seconds
DELIVER_TIMEOUT = 5
; Allow insecure certification
SKIP_TLS_VERIFY = false
; Number of history information in each page
PAGING_NUM = 10
ALLOWED_HOST_LIST = ::1/128, 127.0.0.1/32
; We don't use mail
[mailer]
ENABLED = false
[cache]
; Either "memory", "redis", or "memcache", default is "memory"
ADAPTER = memory
; For "memory" only, GC interval in seconds, default is 60
INTERVAL = 60
; For "redis" and "memcache", connection host address
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; memcache: `127.0.0.1:11211`
HOST =
; Time to keep items in cache if not used, default is 16 hours.
; Setting it to 0 disables caching
ITEM_TTL = 16h
[session]
; Either "memory", "file", or "redis", default is "memory"
PROVIDER = file
; Provider config options
; memory: doesn't have any config yet
; file: session file path, e.g. `data/sessions`
; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
PROVIDER_CONFIG = data/sessions
; Session cookie name
COOKIE_NAME = i_like_gitea
; If you use session in https only, default is false
COOKIE_SECURE = true
; Enable set cookie, default is true
ENABLE_SET_COOKIE = true
; Session GC time interval in seconds, default is 86400 (1 day)
GC_INTERVAL_TIME = 86400
; Session life time in seconds, default is 86400 (1 day)
SESSION_LIFE_TIME = 86400
[picture]
AVATAR_UPLOAD_PATH = avatars
REPOSITORY_AVATAR_UPLOAD_PATH = repo-avatars
; How Gitea deals with missing repository avatars
; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
REPOSITORY_AVATAR_FALLBACK = none
REPOSITORY_AVATAR_FALLBACK_IMAGE = /img/repo_default.png
; Max Width and Height of uploaded avatars.
; This is to limit the amount of RAM used when resizing the image.
AVATAR_MAX_WIDTH = 4096
AVATAR_MAX_HEIGHT = 3072
; Maximum alloved file size for uploaded avatars.
; This is to limit the amount of RAM used when resizing the image.
AVATAR_MAX_FILE_SIZE = 1048576
; Chinese users can choose "duoshuo"
; or a custom avatar source, like: http://cn.gravatar.com/avatar/
GRAVATAR_SOURCE = gravatar
; This value will always be true in offline mode.
DISABLE_GRAVATAR = true
; Federated avatar lookup uses DNS to discover avatar associated
; with emails, see https://www.libravatar.org
; This value will always be false in offline mode or when Gravatar is disabled.
ENABLE_FEDERATED_AVATAR = false
[attachment]
; Whether attachments are enabled. Defaults to `true`
ENABLED = true
; Path for attachments. Defaults to `data/attachments`
PATH = data/attachments
; One or more allowed types, e.g. image/jpeg|image/png
ALLOWED_TYPES = image/jpeg|image/png|application/zip|application/gzip
; Max size of each file. Defaults to 4MB
MAX_SIZE = 4
; Max number of files per upload. Defaults to 5
MAX_FILES = 5
[time]
; Specifies the format for fully outputted dates. Defaults to RFC1123
; Special supported values are ANSIC, UnixDate, RubyDate, RFC822, RFC822Z, RFC850, RFC1123, RFC1123Z, RFC3339, RFC3339Nano, Kitchen, Stamp, StampMilli, StampMicro and StampNano
; For more information about the format see http://golang.org/pkg/time/#pkg-constants
FORMAT =
[log]
ROOT_PATH = /var/log/gitea/
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
MODE = console
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Warn
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
STACKTRACE_LEVEL = None
logger.router.MODE = ,
logger.xorm.MODE = ,
logger.access.MODE = console
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info"
;ACCESS_LOG_TEMPLATE =
; Generic log modes
[log.x]
FLAGS = stdflags
EXPRESSION =
PREFIX =
COLORIZE = false
; For "console" mode only
[log.console]
MODE = console
FLAGS = stdflags
PREFIX =
COLORIZE = true
; For "file" mode only
[log.file]
LEVEL =
; Set the file_name for the logger. If this is a relative path this
; will be relative to ROOT_PATH
FILE_NAME =
; This enables automated log rotate(switch of following options), default is true
LOG_ROTATE = true
; Max number of lines in a single file, default is 1000000
MAX_LINES = 1000000
; Max size shift of a single file, default is 28 means 1 << 28, 256MB
MAX_SIZE_SHIFT = 28
; Segment log daily, default is true
DAILY_ROTATE = true
; delete the log file after n days, default is 7
MAX_DAYS = 7
; compress logs with gzip
COMPRESS = true
; compression level see godoc for compress/gzip
COMPRESSION_LEVEL = -1
; For "conn" mode only
[log.conn]
LEVEL =
; Reconnect host for every single message, default is false
RECONNECT_ON_MSG = false
; Try to reconnect when connection is lost, default is false
RECONNECT = false
; Either "tcp", "unix" or "udp", default is "tcp"
PROTOCOL = tcp
; Host address
ADDR =
; For "smtp" mode only
[log.smtp]
LEVEL =
; Name displayed in mail title, default is "Diagnostic message from server"
SUBJECT = Diagnostic message from server
; Mail server
HOST =
; Mailer user name and password
USER =
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD =
; Receivers, can be one or more, e.g. 1@example.com,2@example.com
RECEIVERS =
[cron]
; Enable running cron tasks periodically.
ENABLED = true
; Run cron tasks when Gitea starts.
RUN_AT_START = false
; Update mirrors
[cron.update_mirrors]
SCHEDULE = @every 10m
; Repository health check
[cron.repo_health_check]
SCHEDULE = @every 24h
TIMEOUT = 60s
; Arguments for command 'git fsck', e.g. "--unreachable --tags"
; see more on http://git-scm.com/docs/git-fsck
ARGS =
; Check repository statistics
[cron.check_repo_stats]
RUN_AT_START = true
SCHEDULE = @every 24h
; Clean up old repository archives
[cron.archive_cleanup]
; Whether to enable the job
ENABLED = true
; Whether to always run at least once at start up time (if ENABLED)
RUN_AT_START = true
; Time interval for job to run
SCHEDULE = @every 24h
; Archives created more than OLDER_THAN ago are subject to deletion
OLDER_THAN = 24h
; Synchronize external user data (only LDAP user synchronization is supported)
[cron.sync_external_users]
; Synchronize external user data when starting server (default false)
RUN_AT_START = false
; Interval as a duration between each synchronization (default every 24h)
SCHEDULE = @every 24h
; Create new users, update existing user data and disable users that are not in external source anymore (default)
; or only create new users if UPDATE_EXISTING is set to false
UPDATE_EXISTING = true
[git]
; Disables highlight of added and removed changes
DISABLE_DIFF_HIGHLIGHT = false
; Max number of lines allowed in a single file in diff view
MAX_GIT_DIFF_LINES = 1000
; Max number of allowed characters in a line in diff view
MAX_GIT_DIFF_LINE_CHARACTERS = 5000
; Max number of files shown in diff view
MAX_GIT_DIFF_FILES = 100
; Arguments for command 'git gc', e.g. "--aggressive --auto"
; see more on http://git-scm.com/docs/git-gc/
GC_ARGS =
; If use git wire protocol version 2 when git version >= 2.18, default is true, set to false when you always want git wire protocol version 1
EnableAutoGitWireProtocol = true
; Operation timeout in seconds
[git.timeout]
DEFAULT = 360
MIGRATE = 600
MIRROR = 300
CLONE = 300
PULL = 300
GC = 60
[mirror]
; Default interval as a duration between each check
DEFAULT_INTERVAL = 8h
; Min interval as a duration must be > 1m
MIN_INTERVAL = 10m
[api]
; Enables Swagger. True or false; default is true.
ENABLE_SWAGGER = true
; Max number of items in a page
MAX_RESPONSE_ITEMS = 50
; Default paging number of api
DEFAULT_PAGING_NUM = 30
; Default and maximum number of items per page for git trees api
DEFAULT_GIT_TREES_PER_PAGE = 1000
; Default size of a blob returned by the blobs API (default is 10MiB)
DEFAULT_MAX_BLOB_SIZE = 10485760
[oauth2]
; Enables OAuth2 provider
ENABLE = true
; Lifetime of an OAuth2 access token in seconds
ACCESS_TOKEN_EXPIRATION_TIME = 3600
; Lifetime of an OAuth2 access token in hours
REFRESH_TOKEN_EXPIRATION_TIME = 730
; Check if refresh token got already used
INVALIDATE_REFRESH_TOKENS = false
; OAuth2 authentication secret for access and refresh tokens, change this a unique string.
JWT_SECRET = {{ secrets.Foundation.jwt_secret }}
[i18n]
LANGS = en-US,zh-CN,zh-HK,zh-TW,de-DE,fr-FR,nl-NL,lv-LV,ru-RU,uk-UA,ja-JP,es-ES,pt-BR,pl-PL,bg-BG,it-IT,fi-FI,tr-TR,cs-CZ,sr-SP,sv-SE,ko-KR
NAMES = English,简体中文,繁體中文(香港),繁體中文(台灣),Deutsch,français,Nederlands,latviešu,русский,Українська,日本語,español,português do Brasil,polski,български,italiano,suomi,Türkçe,čeština,српски,svenska,한국어
; Used for datetimepicker
[i18n.datelang]
en-US = en
zh-CN = zh
zh-HK = zh-HK
zh-TW = zh-TW
de-DE = de
fr-FR = fr
nl-NL = nl
lv-LV = lv
ru-RU = ru
uk-UA = uk
ja-JP = ja
es-ES = es
pt-BR = pt-BR
pl-PL = pl
bg-BG = bg
it-IT = it
fi-FI = fi
tr-TR = tr
cs-CZ = cs-CZ
sr-SP = sr
sv-SE = sv
ko-KR = ko
[U2F]
; NOTE: THE DEFAULT VALUES HERE WILL NEED TO BE CHANGED
; Two Factor authentication with security keys
; https://developers.yubico.com/U2F/App_ID.html
; APP_ID = http://localhost:3000/
; Comma seperated list of trusted facets
; TRUSTED_FACETS = http://localhost:3000/
; Extension mapping to highlight class
; e.g. .toml=ini
[highlight.mapping]
[other]
SHOW_FOOTER_BRANDING = false
; Show version information about Gitea and Go in the footer
SHOW_FOOTER_VERSION = false
; Show template execution time in the footer
SHOW_FOOTER_TEMPLATE_LOAD_TIME = true
[markup.asciidoc]
ENABLED = false
; List of file extensions that should be rendered by an external command
FILE_EXTENSIONS = .adoc,.asciidoc
; External command to render all matching extensions
RENDER_COMMAND = asciidoc --out-file=- -
; Don't pass the file on STDIN, pass the filename as argument instead.
IS_INPUT_FILE = false
[metrics]
; Enables metrics endpoint. True or false; default is false.
ENABLED = false
; If you want to add authorization, specify a token here
TOKEN =

10
roles/Games/tasks/main.yml Normal file
View File

@@ -0,0 +1,10 @@
---
- name: Install Games packages
become: yes
package:
name:
- mgba-qt
- steam
- steam-native-runtime
- discord

20
roles/Geth/README.md Normal file
View File

@@ -0,0 +1,20 @@
Geth is a complete automation suite for homes and interaction with the physical world. However, it is not a automatic process, and as such you will need to install it manually.
# Etymology=The [http://masseffect.wikia.com/wiki/Geth Geth] are a fictional race in the Mass Effect universe. Geth are individual processes running on many platforms. The more devices, the smarter the collective or gestalt consciousness of the entity becomes.
# Relevant Files and Software
You can install Geth with [https://aninix.net/foundation/ConfigPackages ConfigPackages]'s Geth Makefile and configuration.
A number of devices can be controlled under the gestalt -- see [[Geth/Hardware]] for our experiments with Geth hardware platforms. The configuration.yaml format used by the underlying home-assistant package is very simple, and as such we don't prescriptively install one over the base version. Instead, we include snippets for you to define your own structure.
We are also considering features such as integrating smart lights with Shadowfeed presence detection and timeslots and requiring wireless presence for RFC door unlocks.
[file:///var/lib/hass/ Geth configuration] can be tested with the following: <pre> hass --script check_config -c /var/lib/hass</pre>
# Available Clients
See [[WebServer#Clients|this list of clients]] for tools to access this system. The Shadowfeed NAT rules will need to be updated to allow access outside the network, and make sure to follow [https://home-assistant.io/getting-started/securing/ the security checkpoints] before publishing.
# Equivalents or Competition
Most home-automation systems are DIY at the moment, though the [https://nest.com/ NEST] system is one commercial offering.
<!--|ref=REFERENCE-->}}
[[Category:SSL]]

8
roles/Geth/tasks/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Geth packages
become: yes
package:
name:
- openhab2
- name:

22
roles/Grimoire/README.md Normal file
View File

@@ -0,0 +1,22 @@
Grimoire is a PostgreSQL database underlying other systems on the AniNIX, including [AniNIX/Singularity](../Singularity)
# Etymology
A [grimoire](http://en.wikipedia.org/wiki/Grimoire) is historically a collection of magical knowledge and the ability summon spirits or daemons. Similarly, Singularity adds knowledge to be read from the Grimoire, and Wiki includes the methodology to start the daemon processes being run on the network.
# Relevant Files and Software
Grimoire has a user, postgres, with a home directory of `/var/lib/postgres/`. This user's bashrc contains some help text on how to reset passwords and backup databases in PostgreSQL.
## Backups
Backups are provided by [AniNIX/Aether](../Aether). They can be restored with the following:
```
psql -U dbuser -d db -f backup.sql
```
# Available Clients
There are no clients for the Grimoire -- Singularity and Wiki maintain their tables.
# Additional Reference
Make sure to read the [PostgreSQL page on ArchWiki](https://wiki.archlinux.org/index.php/PostgreSQL) to understand how to maintain this system.
# Tables
* Singularity controls the ttrss database.

8
roles/Grimoire/tasks/main.yml Normal file
View File

@@ -0,0 +1,8 @@
---
- name: Grimoire packages
become: yes
package:
name:
- postgresql

64
roles/IRC/README.md Normal file
View File

@@ -0,0 +1,64 @@
IRC is a chat system used by members of the AniNIX network.
# Etymology
[IRC](https://en.wikipedia.org/wiki/IRC) stands for Internet Relay Chat -- it is a method of text-based communication across the network via various servers. IRC has long been the self-hosted communication medium of choice for hackers, developers, and the fringe -- though overall adoption has dropped a bit with the rise of other social media, networks like [Libera](https://libera.chat/) are [still growing](https://royal.pingdom.com/2012/04/24/irc-is-dead-long-live-irc/). IRC is moving to the hacker niche, and we follow along.
# Relevant Files and Software
The configuration for the IRC service is divided into two parts -- the daemon and services.
## InspIRCd
The IRC daemon is powered by [InspIRCd](https://inspircd.org/). Relevant configuration is in `/etc/inspircd/` and it logs to journald.
## Anope
The services component is supplied by [Anope](https://www.anope.org/). Relevant configuration is in [the services.conf](file:///etc/anope/services.conf) and it logs to the [its own log](file:///var/log/anope/).
Anope also takes backups of [the anope database](file:///var/db/anope/anope.db) to the backups folder in the same location.
<b>Caution:</b> Anope with version 2.0.3 has some issues with gcc6. If you start encountering segmentation faults with Anope, sign in to `irc://anope.org#anope` (the Anope support IRC network). Script a run of "sudo -u ircd gdb /usr/bin/services core". Enter `r <your flags>` and when it crashes run `bt full`. Quit out of everything and pastebin the file. Provide this to the support staff.
<b>Caution:</b> Arch's packaged version of Anope may be missing critical LDAP modules. We still install the package, but you may need to use a localized install in /opt to get it working.
Anope Services' NickServ authentication can be linked to [[Sora|AniNIX::Sora]] for unified credentials.[[Category:LDAP]]
### Service entities
The following entities can be messaged personally (PM'ed) for help with `/msg <entity> help` from inside an IRC client.
* NickServ will manage IRC nicknames.
* HostServ will manage IRC virtual hosts, to mask IP's.
* ChanServ will manage IRC channels -- new channels can be registered on the network here.
* MemoServ will manage IRC memos (short text-message-like messages between users).
### Bots
#### Bitbot
BitBot is a webhook engine -- we tie it into AniNIX/Yggdrasil and AniNIX/Foundation.
### discord-irc
Discord-IRC acts as a bridge between our IRC network and Discord -- this lets us integrate with mobile push notifications & lowers the barrier to entry to the network.
# Available Clients
A [simple web client](https://irc.aninix.net) is hosted.
For more advanced options like logging, you will need to use your own client. All IRC clients will connect to the service by providing the following information:
* Host: aninix.net
* Port: 6697
* The client should accept only valid certificates.
* The client should automatically join the #lobby channel.
* The client should provide a nickname and NickServ password that the user intends to use.
### Clients by OS
Some example clients can be found here.
* Linux hosts are strongly recommended to use [weechat](https://wiki.archlinux.org/index.php/Weechat) inside [tmux](https://wiki.archlinux.org/index.php/Tmux).
* Windows hosts can connect to this service using [HexChat](https://hexchat.github.io/).
* Mac and iOS hosts can use [Colloquy](http://colloquy.info/downloads.html).
* Android hosts can use [AndChat](http://www.duckspike.net/andchat/).
# Equivalents or Competition
Rivals to IRC include other IRC networks like Libera, mail services like [Gmail](https://mail.google.com), and other chat systems like Slack, Microsoft Teams, Discord, Snapchat, WhatsApp, etc. We use Discord to provide new users with a Web-only bridge to the IRC network, but most features are only available within our own network.
# Additional Reference
* [IRCHelp.org for operators](https://www.irchelp.org/ircd/ircopguide.html)
* [InspIRCd modes reference](https://docs.inspircd.org/3/user-modes/)

16
roles/IRC/files/services/anope.service Normal file
View File

@@ -0,0 +1,16 @@
[Unit]
Description=AniNIX/IRC | Anope Services
Requires=network.target
After=network.target
[Service]
Type=simple
PIDFile=/run/anope/anope.pid
ExecStart=/opt/anope/bin/services --confdir=/etc/anope/ --dbdir=/opt/anope/data --localedir=/opt/anope/locale --logdir=/var/log/anope --modulesdir=/opt/anope/lib --nofork
ExecReload=/bin/kill -1 $MAINPID
Restart=always
User=ircd
Group=ircd
[Install]
WantedBy=multi-user.target

17
roles/IRC/files/services/inspircd.service Normal file
View File

@@ -0,0 +1,17 @@
[Unit]
Description=AniNIX/IRC daemon
Requires=network.target
After=network.target
[Service]
Type=forking
PIDFile=/var/lib/inspircd/inspircd.pid
ExecStart=/usr/bin/inspircd
ExecReload=kill -HUP $MAINPID
ExecStop=kill $MAINPID
Restart=always
User=ircd
Group=ircd
[Install]
WantedBy=multi-user.target

15
roles/IRC/files/services/kiwiirc.service Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=AniNIX/IRC Web Client
After=network.target irc.service ircservices.service
[Service]
WorkingDirectory=/usr/local/src/KiwiIRC/
ExecStart=/bin/sh ./kiwi -f
ExecReload=/bin/kill -HUP $MAINPID
KillMode=control-group
Restart=always
User=ircd
Group=ircd
[Install]
WantedBy=multi-user.target

29
roles/IRC/tasks/bots.yml Normal file
View File

@@ -0,0 +1,29 @@
---
- user:
name: "{{ item }}"
state: present
shell: "{{ daemon_shell | default('/sbin/nologin') }}"
local: yes
groups: ircd
loop:
- bitbot
- dsbridge
- theraven
- werewolf
# Install TheRaven package
- package:
name:
- TheRaven
- git:
repo: 'https://github.com/jesopo/bitbot.git'
dest: /usr/local/src/bitbot/
clone: yes
update: yes
- git:
repo:
-

102
roles/IRC/tasks/daemon.yml Normal file
View File

@@ -0,0 +1,102 @@
---
- name: Ensure directory permissions
become: yes
file:
state: directory
path: "{{ item }}"
owner: ircd
group: ircd
mode: 0750
loop:
- "/var/log/inspircd"
- "/etc/inspircd"
- name: Generate dhparam
become: yes
command:
cmd: openssl dhparam -out /etc/inspircd/dhparams.pem 2048
creates: /etc/inspircd/dhparams.pem
- name: Permissions on dhparam
become: yes
file:
state: file
path: /etc/inspircd/dhparams.pem
owner: ircd
group: ircd
mode: 0640
- name: Add ircd user to ssl
become: yes
user:
name: ircd
groups: ssl
append: yes
- name: Copy service file
become: yes
register: servicesfile
copy:
src: services/inspircd.service
dest: /usr/lib/systemd/system/inspircd.service
owner: root
group: root
mode: 0644
- name: Reload services
when: servicesfile.changed
become: yes
systemd:
daemon_reload: true
- name: Copy config and fill in attributes
register: templatefiles
become: yes
template:
src: "inspircd/{{ item }}.j2"
dest: "/etc/inspircd/{{ item }}"
owner: ircd
group: ircd
mode: 0600
loop:
- inspircd.conf
- modules.conf
- links.conf
- opers.conf
- rules.txt
- motd.txt
- name: Tracking directory
become: yes
file:
dest: "/etc/inspircd/data/"
owner: ircd
group: ircd
mode: 0750
state: directory
- name: Ensure tracking files
become: yes
file:
dest: "/etc/inspircd/{{ item }}"
owner: ircd
group: ircd
mode: 0600
loop:
- 'data/xline.db'
- 'data/permchannels.conf'
- name: Ensure service running
become: yes
service:
name: inspircd
state: started
enabled: yes
- name: Reload on config change
become: yes
when: templatefiles.changed or servicesfile.changed
service:
name: inspircd
state: reloaded

18
roles/IRC/tasks/main.yml Normal file
View File

@@ -0,0 +1,18 @@
---
- name: IRC packages
become: yes
package:
name:
- inspircd
- anope
- TheRaven
- include_tasks: daemon.yml
- include_tasks: services.yml
- include_tasks: web.yml
#- include_tasks: bots.yml

65
roles/IRC/tasks/services.yml Normal file
View File

@@ -0,0 +1,65 @@
---
- name: Ensure directory permissions
become: yes
file:
state: directory
path: "{{ item }}"
owner: ircd
group: ircd
mode: 0700
loop:
- "/etc/anope"
- "/opt/anope"
- "/opt/anope/data"
- "/var/log/anope"
- name: Copy config and fill in attributes
register: templatefiles
become: yes
template:
src: "anope/{{ item }}.j2"
dest: "/etc/anope/{{ item }}"
owner: ircd
group: ircd
mode: 0600
loop:
- botserv.conf
- chanserv.conf
- global.conf
- hostserv.conf
- memoserv.conf
- modules.conf
- nickserv.conf
- operserv.conf
- services.conf
- name: Copy service file
become: yes
register: servicesfile
copy:
src: services/anope.service
dest: /usr/lib/systemd/system/anope.service
owner: root
group: root
mode: 0644
- name: Reload services
when: servicesfile.changed
become: yes
systemd:
daemon_reload: true
- name: Ensure service running
become: yes
service:
name: anope
state: started
enabled: yes
- name: Reload on config change
become: yes
when: templatefiles.changed or servicesfile.changed
service:
name: anope
state: reloaded

58
roles/IRC/tasks/web.yml Normal file
View File

@@ -0,0 +1,58 @@
---
- name: Clone KiwiIRC
become: yes
git:
repo: https://github.com/prawnsalad/KiwiIRC.git
dest: /usr/local/src/KiwiIRC
update: no
# Need to capture AniNIX skinning of client as well as client build process.
- name: Update permissions
become: yes
file:
path: /usr/local/src/KiwiIRC
recurse: yes
owner: ircd
group: ircd
- name: Populate config
become: yes
register: config
template:
src: kiwiirc/config.js.j2
dest: /usr/local/src/KiwiIRC/config.js
owner: ircd
group: ircd
mode: 0600
- name: Copy service file
become: yes
register: servicesfile
copy:
src: services/kiwiirc.service
dest: /usr/lib/systemd/system/kiwiirc.service
owner: root
group: root
mode: 0644
- name: Reload services
when: servicesfile.changed
become: yes
systemd:
daemon_reload: true
- name: Ensure service running
become: yes
service:
name: kiwiirc
state: started
enabled: yes
- name: Reload on config change
become: yes
when: config.changed or servicesfile.changed
service:
name: kiwiirc
state: reloaded

404
roles/IRC/templates/anope/botserv.conf.j2 Normal file
View File

@@ -0,0 +1,404 @@
/*
* Example configuration file for BotServ.
*/
/*
* First, create the service. If you do not want to have a 'BotServ', but do want the ability to have
* ChanServ assigned to channels for the use of fantasy commands, you may delete the below 'service' block.
*
* Note that deleting a 'service' block for a pseudoclient that is already online will not remove the
* client, the client becomes no different from a normal service bot, so you will have to use botserv/bot
* to manually delete the client.
*
* You may then want to map some of the below commands to other services, like placing botserv/bot on
* OperServ so you can delete the below client, and mapping assign and unassign to ChanServ so users are
* able to control whether or not ChanServ is in the channel. You may also want to map botserv/set/nobot
* to OperServ so you can restrict who can assign the other core service clients.
*/
service
{
/*
* The name of the BotServ client.
* If you change this value, you probably want to change the client directive in the configuration for the botserv module too.
*/
nick = "BotServ"
/*
* The username of the BotServ client.
*/
user = "services"
/*
* The hostname of the BotServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the BotServ client.
*/
gecos = "Bot Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core BotServ module.
*
* Provides essential functionality for BotServ.
*/
module
{
name = "botserv"
/*
* The name of the client that should be BotServ.
*
* This directive is optional.
*/
client = "BotServ"
/*
* The default bot options for newly registered channels. Note that changing these options
* will have no effect on channels which are already registered. The list must be separated
* by spaces.
*
* The options are:
* - dontkickops: Channel operators will be protected against BotServ kicks
* - dontkickvoices: Voiced users will be protected against BotServ kicks
* - greet: The channel's BotServ bot will greet incoming users that have set a greet
* in their NickServ settings
* - fantasy: Enables the use of BotServ fantasy commands in the channel
*
* This directive is optional, if left blank, there will be no defaults.
*/
defaults = "greet fantasy"
/*
* The minimum number of users there must be in a channel before the bot joins it. The best
* value for this setting is 1 or 2. This can be 0, the service bots will not part unless
* specifically unassigned, and will keep the channel open.
*/
minusers = 1
/*
* The bots are currently not affected by any modes or bans when they try to join a channel.
* But some people may want to make it act like a real bot, that is, for example, remove all
* the bans affecting the bot before joining the channel, remove a ban that affects the bot
* set by a user when it is in the channel, and so on. Since it consumes a bit more CPU
* time, you should not enable this on larger networks.
*
* This directive is optional.
*/
#smartjoin = yes
/*
* Modes to set on service bots when they join channels, comment this out for no modes
*
* This directive is optional.
*/
botmodes = "ao"
/*
* User modes to set on service bots. Read the comment about the service:modes directive
* on why this can be a bad idea to set.
*/
#botumodes = "i"
}
/*
* Core BotServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "BotServ"; name = "HELP"; command = "generic/help"; }
/*
* bs_assign
*
* Provides the commands:
* botserv/assign - Used to assign BotServ bots to channels
* botserv/unassign - Used to unassign BotServ bots
* botserv/set/nobot - Used to prohibit channels from being assigned BotServ bots.
*
* Used for assigning and unassigning bots to channels.
*/
module { name = "bs_assign" }
command { service = "BotServ"; name = "ASSIGN"; command = "botserv/assign"; }
command { service = "BotServ"; name = "UNASSIGN"; command = "botserv/unassign"; }
command { service = "BotServ"; name = "SET NOBOT"; command = "botserv/set/nobot"; permission = "botserv/set/nobot"; }
/*
* bs_autoassign
*
* Allows service bots to be automatically assigned to channels upon registration.
*/
#module
{
name = "bs_autoassign"
/*
* Automatically assign ChanServ to channels upon registration.
*/
bot = "ChanServ"
}
/*
* bs_badwords
*
* Provides the command botserv/badwords.
*
* Used for controlling the channel badword list.
*/
module
{
name = "bs_badwords"
/*
* The maximum number of entries a single bad words list can have.
*/
badwordsmax = 32
/*
* If set, BotServ will use case sensitive checking for badwords.
*
* This directive is optional.
*/
#casesensitive = yes
}
command { service = "BotServ"; name = "BADWORDS"; command = "botserv/badwords"; }
/*
* bs_bot
*
* Provides the command botserv/bot.
*
* Used for administrating BotServ bots.
*/
module { name = "bs_bot" }
command { service = "BotServ"; name = "BOT"; command = "botserv/bot"; permission = "botserv/bot"; }
/*
* bs_botlist
*
* Provides the command botserv/botlist.
*
* Used for listing all available bots.
*/
module { name = "bs_botlist" }
command { service = "BotServ"; name = "BOTLIST"; command = "botserv/botlist"; }
/*
* bs_control
*
* Provides the commands botserv/act and botserv/say.
*
* Used for making the bot message a channel.
*/
module { name = "bs_control" }
command { service = "BotServ"; name = "ACT"; command = "botserv/act"; }
command { service = "BotServ"; name = "SAY"; command = "botserv/say"; }
/*
* bs_info
*
* Provides the command botserv/info.
*
* Used for getting information on bots or channels.
*/
module { name = "bs_info" }
command { service = "BotServ"; name = "INFO"; command = "botserv/info"; }
/*
* bs_kick
*
* Provides the commands:
* botserv/kick - Dummy help wrapper for the KICK command.
* botserv/kick/amsg - Configures BotServ's AMSG kicker.
* botserv/kick/badwords - Configures BotServ's badwords kicker.
* botserv/kick/bolds - Configures BotServ's bold text kiceker.
* botserv/kick/caps - Configures BotServ's capital letters kicker.
* botserv/kick/colors - Configures BotServ's color kicker.
* botserv/kick/flood - Configures BotServ's flood kicker.
* botserv/kick/italics - Configures BotServ's italics kicker.
* botserv/kick/repeat - Configures BotServ's repeat kicker.
* botserv/kick/reverses - Configures BotServ's reverse kicker.
* botserv/kick/underlines - Configures BotServ's reverse kicker.
* botserv/set/dontkickops - Used for preventing BotServ from kicking channel operators.
* botserv/set/dontkickvoices - Used for preventing BotServ from kicking voices.
*
* Used for configuring what bots should kick for.
*/
module
{
name = "bs_kick"
/*
* The amount of time that data for a user is valid in BotServ. If the data exceeds this time,
* it is reset or deleted depending on the case. Do not set it too high, otherwise your
* resources will be slightly affected.
*/
keepdata = 10m
/*
* If set, the bots will use a kick reason that does not state the word when it is kicking.
* This is especially useful if you have young people on your network.
*
* This directive is optional.
*/
gentlebadwordreason = yes
}
command { service = "BotServ"; name = "KICK"; command = "botserv/kick"; }
command { service = "BotServ"; name = "KICK AMSG"; command = "botserv/kick/amsg"; }
command { service = "BotServ"; name = "KICK BADWORDS"; command = "botserv/kick/badwords"; }
command { service = "BotServ"; name = "KICK BOLDS"; command = "botserv/kick/bolds"; }
command { service = "BotServ"; name = "KICK CAPS"; command = "botserv/kick/caps"; }
command { service = "BotServ"; name = "KICK COLORS"; command = "botserv/kick/colors"; }
command { service = "BotServ"; name = "KICK FLOOD"; command = "botserv/kick/flood"; }
command { service = "BotServ"; name = "KICK ITALICS"; command = "botserv/kick/italics"; }
command { service = "BotServ"; name = "KICK REPEAT"; command = "botserv/kick/repeat"; }
command { service = "BotServ"; name = "KICK REVERSES"; command = "botserv/kick/reverses"; }
command { service = "BotServ"; name = "KICK UNDERLINES"; command = "botserv/kick/underlines"; }
command { service = "BotServ"; name = "SET DONTKICKOPS"; command = "botserv/set/dontkickops"; }
command { service = "BotServ"; name = "SET DONTKICKVOICES"; command = "botserv/set/dontkickvoices"; }
/*
* bs_set
*
* Provides the commands:
* botserv/set/private - Used to prohibit specific BotServ bots from being assigned to channels.
*/
module { name = "bs_set" }
command { service = "BotServ"; name = "SET"; command = "botserv/set"; }
command { service = "BotServ"; name = "SET BANEXPIRE"; command = "botserv/set/banexpire"; }
command { service = "BotServ"; name = "SET PRIVATE"; command = "botserv/set/private"; permission = "botserv/set/private"; }
/*
* greet
*
* Provides the commands:
* botserv/set/greet - Used for enabling or disabling BotServ's greet messages in a channel.
* nickserv/set/greet, nickserv/saset/greet - Used for changing a users greet message, which is displayed when they enter channels.
*/
module { name = "greet" }
command { service = "BotServ"; name = "SET GREET"; command = "botserv/set/greet"; }
command { service = "NickServ"; name = "SET GREET"; command = "nickserv/set/greet"; }
command { service = "NickServ"; name = "SASET GREET"; command = "nickserv/saset/greet"; permission = "nickserv/saset/greet"; }
/*
* GREET privilege.
*
* Used by 'greet'.
*
* Users with this privilege have their greet shown when they join channels.
*/
privilege
{
name = "GREET"
rank = 40
level = 5
flag = "g"
xop = "AOP"
}
/*
* fantasy
*
* Allows 'fantaisist' commands to be used in channels.
*
* Provides the commands:
* botserv/set/fantasy - Used for enabling or disabling BotServ's fantasist commands.
*/
module
{
name = "fantasy"
/*
* Defines the prefixes for fantasy commands in channels. One of these characters will have to be prepended
* to all fantasy commands. If you choose "!", for example, fantasy commands will be "!kick",
* "!op", etc. This directive is optional, if left out, the default fantasy character is "!".
*/
#fantasycharacter = "!."
}
command { service = "BotServ"; name = "SET FANTASY"; command = "botserv/set/fantasy"; }
/*
* Fantasy commands
*
* Fantasy commands can be executed in channels that have a BotServ bot by prefixing the
* command with one of the fantasy characters configured in botserv's fantasycharacter
* directive.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
fantasy { name = "ACCESS"; command = "chanserv/access"; }
fantasy { name = "AKICK"; command = "chanserv/akick"; }
fantasy { name = "AOP"; command = "chanserv/xop"; }
fantasy { name = "BAN"; command = "chanserv/ban"; }
fantasy { name = "CLONE"; command = "chanserv/clone"; }
fantasy { name = "DEHALFOP"; command = "chanserv/modes"; }
fantasy { name = "DEOP"; command = "chanserv/modes"; }
fantasy { name = "DEOWNER"; command = "chanserv/modes"; }
fantasy { name = "DEPROTECT"; command = "chanserv/modes"; }
fantasy { name = "DEVOICE"; command = "chanserv/modes"; }
fantasy { name = "DOWN"; command = "chanserv/down"; }
fantasy { name = "ENFORCE"; command = "chanserv/enforce"; }
fantasy { name = "ENTRYMSG"; command = "chanserv/entrymsg"; }
fantasy { name = "FLAGS"; command = "chanserv/flags"; }
fantasy { name = "HALFOP"; command = "chanserv/modes"; }
fantasy { name = "HELP"; command = "generic/help"; prepend_channel = false; }
fantasy { name = "HOP"; command = "chanserv/xop"; }
fantasy { name = "INFO"; command = "chanserv/info"; prepend_channel = false; }
fantasy { name = "INVITE"; command = "chanserv/invite"; }
fantasy { name = "K"; command = "chanserv/kick"; }
fantasy { name = "KB"; command = "chanserv/ban"; }
fantasy { name = "KICK"; command = "chanserv/kick"; }
fantasy { name = "LEVELS"; command = "chanserv/levels"; }
fantasy { name = "LIST"; command = "chanserv/list"; prepend_channel = false; }
fantasy { name = "LOG"; command = "chanserv/log"; }
fantasy { name = "MODE"; command = "chanserv/mode"; }
fantasy { name = "MUTE"; command = "chanserv/ban"; kick = no; mode = "QUIET"; }
fantasy { name = "OP"; command = "chanserv/modes"; }
fantasy { name = "OWNER"; command = "chanserv/modes"; }
fantasy { name = "PROTECT"; command = "chanserv/modes"; }
fantasy { name = "QOP"; command = "chanserv/xop"; }
fantasy { name = "SEEN"; command = "chanserv/seen"; prepend_channel = false; }
fantasy { name = "SOP"; command = "chanserv/xop"; }
fantasy { name = "STATUS"; command = "chanserv/status"; }
fantasy { name = "SUSPEND"; command = "chanserv/suspend"; permission = "chanserv/suspend"; }
fantasy { name = "SYNC"; command = "chanserv/sync"; }
fantasy { name = "TOPIC"; command = "chanserv/topic"; }
fantasy { name = "UNBAN"; command = "chanserv/unban"; }
fantasy { name = "UNSUSPEND"; command = "chanserv/unsuspend"; permission = "chanserv/suspend"; }
fantasy { name = "UP"; command = "chanserv/up"; }
fantasy { name = "VOICE"; command = "chanserv/modes"; }
fantasy { name = "VOP"; command = "chanserv/xop"; }

1311
roles/IRC/templates/anope/chanserv.conf.j2 Executable file
View File

File diff suppressed because it is too large Load Diff

115
roles/IRC/templates/anope/global.conf.j2 Executable file
View File

@@ -0,0 +1,115 @@
/*
* Example configuration file for Global.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the Global client.
* If you change this value, you probably want to change the client directive in the configuration for the global module too.
*/
nick = "Global"
/*
* The username of the Global client.
*/
user = "services"
/*
* The hostname of the Global client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the Global client.
*/
gecos = "Global Noticer"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core Global module.
*
* Provides essential functionality for Global.
*/
module
{
name = "global"
/*
* The name of the client that should be Global.
*/
client = "Global"
/*
* This is the global message that will be sent when Services are being
* shutdown/restarted.
*
* This directive is optional.
*/
#globaloncycledown = "Services are restarting, they will be back shortly - please be good while we're gone"
/*
* This is the global message that will be sent when Services (re)join the
* network.
*
* This directive is optional.
*/
#globaloncycleup = "Services are now back online - have a nice day"
/*
* If set, Services will hide the IRC Operator's nick in a global
* message/notice.
*
* This directive is optional.
*/
#anonymousglobal = yes
}
/*
* Core Global commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "Global"; name = "HELP"; command = "generic/help"; }
/*
* gl_global
*
* Provides the command global/global.
*
* Used for sending a message to every online user.
*/
module { name = "gl_global" }
command { service = "Global"; name = "GLOBAL"; command = "global/global"; permission = "global/global"; }

188
roles/IRC/templates/anope/hostserv.conf.j2 Executable file
View File

@@ -0,0 +1,188 @@
/*
* Example configuration file for HostServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the HostServ client.
* If you change this value, you probably want to change the client directive in the configuration for the hostserv module too.
*/
nick = "HostServ"
/*
* The username of the HostServ client.
*/
user = "services"
/*
* The hostname of the HostServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the HostServ client.
*/
gecos = "vHost Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core HostServ module.
*
* Provides essential functionality for HostServ.
*/
module
{
name = "hostserv"
/*
* The name of the client that should be HostServ.
*/
client = "HostServ"
/*
* If enabled, vhosts are activated on users immediately when they are set.
*/
activate_on_set = false
}
/*
* Core HostServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "HostServ"; name = "HELP"; command = "generic/help"; }
/*
* hs_del
*
* Provides the commands hostserv/del and hostserv/delall.
*
* Used for removing users' vHosts.
*/
module { name = "hs_del" }
command { service = "HostServ"; name = "DEL"; command = "hostserv/del"; permission = "hostserv/del"; }
command { service = "HostServ"; name = "DELALL"; command = "hostserv/delall"; permission = "hostserv/del"; }
/*
* hs_group
*
* Provides the command hostserv/group.
*
* Used for grouping one vHost to many nicks.
*/
module
{
name = "hs_group"
/*
* Upon nickserv/group, this option syncs the nick's main vHost to the grouped nick.
*/
syncongroup = false
/*
* This makes vhosts act as if they are per account.
*/
synconset = false
}
command { service = "HostServ"; name = "GROUP"; command = "hostserv/group"; }
/*
* hs_list
*
* Provides the command hostserv/list.
*
* Used for listing actively set vHosts.
*/
module { name = "hs_list" }
command { service = "HostServ"; name = "LIST"; command = "hostserv/list"; permission = "hostserv/list"; }
/*
* hs_off
*
* Provides the command hostserv/off.
*
* Used for turning off your vHost.
*/
module { name = "hs_off" }
command { service = "HostServ"; name = "OFF"; command = "hostserv/off"; }
/*
* hs_on
*
* Provides the command hostserv/on.
*
* Used for turning on your vHost.
*/
module { name = "hs_on" }
command { service = "HostServ"; name = "ON"; command = "hostserv/on"; }
/*
* hs_request
*
* Provides the commands hostserv/request, hostserv/activate, hostserv/reject, and hostserv/waiting.
*
* Used to manage vHosts requested by users.
*/
module
{
name = "hs_request"
/*
* If set, Services will send a memo to the user requesting a vHost when it's been
* approved or rejected.
*/
memouser = yes
/*
* If set, Services will send a memo to all Services staff when a new vHost is requested.
*/
memooper = yes
}
command { service = "HostServ"; name = "REQUEST"; command = "hostserv/request"; }
command { service = "HostServ"; name = "ACTIVATE"; command = "hostserv/activate"; permission = "hostserv/set"; }
command { service = "HostServ"; name = "REJECT"; command = "hostserv/reject"; permission = "hostserv/set"; }
command { service = "HostServ"; name = "WAITING"; command = "hostserv/waiting"; permission = "hostserv/set"; }
/*
* hs_set
*
* Provides the commands hostserv/set and hostserv/setall.
*
* Used for setting users' vHosts.
*/
module { name = "hs_set" }
command { service = "HostServ"; name = "SET"; command = "hostserv/set"; permission = "hostserv/set"; }
command { service = "HostServ"; name = "SETALL"; command = "hostserv/setall"; permission = "hostserv/set"; }

243
roles/IRC/templates/anope/memoserv.conf.j2 Normal file
View File

@@ -0,0 +1,243 @@
/*
* Example configuration file for MemoServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the MemoServ client.
* If you change this value, you probably want to change the client directive in the configuration for the memoserv module too.
*/
nick = "MemoServ"
/*
* The username of the MemoServ client.
*/
user = "services"
/*
* The hostname of the MemoServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the MemoServ client.
*/
gecos = "Memo Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core MemoServ module.
*
* Provides essential functionality for MemoServ.
*/
module
{
name = "memoserv"
/*
* The name of the client that should be MemoServ. Clients are configured
* with the service blocks.
*/
client = "MemoServ"
/*
* The maximum number of memos a user is allowed to keep by default. Normal users may set the
* limit anywhere between 0 and this value. Services Admins can change it to any value or
* disable it.
*
* This directive is optional, but recommended. If not set, the limit is disabled
* by default, and normal users can set any limit they want.
*/
maxmemos = 20
/*
* The delay between consecutive uses of the MemoServ SEND command. This can help prevent spam
* as well as denial-of-service attacks from sending large numbers of memos and filling up disk
* space (and memory). The default 3-second wait means a maximum average of 150 bytes of memo
* per second per user under the current IRC protocol.
*
* This directive is optional, but recommended.
*/
senddelay = 3s
}
/*
* Core MemoServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "MemoServ"; name = "HELP"; command = "generic/help"; }
/*
* ms_cancel
*
* Provides the command memoserv/cancel.
*
* Used to cancel memos already sent but not yet read.
*/
module { name = "ms_cancel" }
command { service = "MemoServ"; name = "CANCEL"; command = "memoserv/cancel"; }
/*
* ms_check
*
* Provides the command memoserv/check.
*
* Used to check if a sent memo has been read.
*/
module { name = "ms_check" }
command { service = "MemoServ"; name = "CHECK"; command = "memoserv/check"; }
/*
* ms_del
*
* Provides the command memoserv/del.
*
* Used to delete your memos.
*/
module { name = "ms_del" }
command { service = "MemoServ"; name = "DEL"; command = "memoserv/del"; }
/*
* ms_ignore
*
* Provides the command memoserv/ignore.
*
* Used to ignore memos from specific users.
*/
module
{
name = "ms_ignore"
/*
* The maximum number of entries that may be on a memo ignore list.
*
* This directive is optional.
*/
max = 32
}
command { service = "MemoServ"; name = "IGNORE"; command = "memoserv/ignore"; }
/*
* ms_info
*
* Provides the command memoserv/info.
*
* Used to show memo related information about an account or a channel.
*/
module { name = "ms_info" }
command { service = "MemoServ"; name = "INFO"; command = "memoserv/info"; }
/*
* ms_list
*
* Provides the command memoserv/list.
*
* Used to list your current memos.
*/
module { name = "ms_list" }
command { service = "MemoServ"; name = "LIST"; command = "memoserv/list"; }
/*
* ms_read
*
* Provides the command memoserv/read.
*
* Used to read your memos.
*/
module { name = "ms_read" }
command { service = "MemoServ"; name = "READ"; command = "memoserv/read"; }
/*
* ms_rsend
*
* Provides the command memoserv/rsend.
*
* Used to send a memo requiring a receipt be sent back once it is read.
*
* Requires configuring memoserv:memoreceipt.
*/
#module
{
name = "ms_rsend"
/*
* Only allow Services Operators to use ms_rsend.
*
* This directive is optional.
*/
operonly = false
}
#command { service = "MemoServ"; name = "RSEND"; command = "memoserv/rsend"; }
/*
* ms_send
*
* Provides the command memoserv/send.
*
* Used to send memos.
*/
module { name = "ms_send" }
command { service = "MemoServ"; name = "SEND"; command = "memoserv/send"; }
/*
* ms_sendall
*
* Provides the command memoserv/sendall.
*
* Used to send a mass memo to every registered user.
*/
module { name = "ms_sendall" }
command { service = "MemoServ"; name = "SENDALL"; command = "memoserv/sendall"; permission = "memoserv/sendall"; }
/*
* ms_set
*
* Provides the command memoserv/set.
*
* Used to set settings such as how you are notified of new memos, and your memo limit.
*/
module { name = "ms_set" }
command { service = "MemoServ"; name = "SET"; command = "memoserv/set"; }
/*
* ms_staff
*
* Provides the command memoserv/staff.
*
* Used to send a memo to all registered staff members.
*/
module { name = "ms_staff" }
command { service = "MemoServ"; name = "STAFF"; command = "memoserv/staff"; permission = "memoserv/staff"; }

797
roles/IRC/templates/anope/modules.conf.j2 Normal file
View File

@@ -0,0 +1,797 @@
/*
* [OPTIONAL] Non-Core Modules
*
* The following blocks are used to load all non-core modules, including 3rd-party modules.
* Modules can be prevented from loading by commenting out the line, other modules can be added by
* adding a module block. These modules will be loaded prior to Services connecting to your network.
*
* Note that some of these modules are labeled EXTRA, and must be enabled prior to compiling by
* running the 'extras' script on Linux and UNIX.
*/
/*
* help
*
* Provides the command generic/help.
*
* This is a generic help command that can be used with any client.
*/
module { name = "help" }
/*
* m_ldap [EXTRA]
*
* This module allows other modules to use LDAP. By itself, this module does nothing useful.
*/
module
{
name = "m_ldap"
ldap
{
server = "ldap://127.0.0.1"
port = 389
/*
* Admin credentials used for performing searches and adding users.
*/
admin_binddn = "uid=binduser,{{ ldap['userou'] }},{{ ldap['orgdn'] }}"
admin_password = "{{ secrets['Sora']['bindpassword'] }}"
}
}
/*
* m_ldap_authentication [EXTRA]
*
* This module allows many commands such as IDENTIFY, RELEASE, RECOVER, GHOST, etc. use
* LDAP to authenticate users. Requires m_ldap.
*/
module
{
name = "m_ldap_authentication"
/*
* The distinguished name used for searching for users's accounts.
*/
basedn = "{{ ldap['userou'] }},{{ ldap['orgdn'] }}"
/*
* The search filter used to look up users's accounts.
* %account is replaced with the user's account.
* %object_class is replaced with the object_class configured below.
*/
search_filter = "uid=%account"
/*
* The object class used by LDAP to store user account information.
* This is used for adding new users to LDAP if registration is allowed.
*/
object_class = "organizationalPerson"
/*
* The attribute value used for account names.
*/
username_attribute = "uid"
/*
* The attribute value used for email addresses.
* This directive is optional.
*/
email_attribute = "email"
/*
* The attribute value used for passwords.
* Used when registering new accounts in LDAP.
*/
password_attribute = "userPassword"
/*
* If set, the reason to give the users who try to register with nickserv,
* including nick registration from grouping.
*
* If not set, then registration is not blocked.
*/
#disable_register_reason = "To register on this network, contact a netadmin in #lobby. They will need to add an AniNIX/Sora LDAP account for you."
/*
* If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
* If not set, then email changing is not blocked.
*/
disable_email_reason = "Not allowed -- this network does not use email for account management."
}
/*
* m_dns
*
* Adds support for the DNS protocol. By itself this module does nothing useful,
* but other modules such as m_dnsbl and os_dns require this.
*/
#module
{
name = "m_dns"
/*
* The nameserver to use for resolving hostnames, must be an IP or a resolver configuration file.
* The below should work fine on all unix like systems. Windows users will have to find their nameservers
* from ipconfig /all and put the IP here.
*/
nameserver = "/etc/resolv.conf"
#nameserver = "127.0.0.1"
/*
* How long to wait in seconds before a DNS query has timed out.
*/
timeout = 5
/* Only edit below if you are expecting to use os_dns or otherwise answer DNS queries. */
/*
* The IP and port services use to listen for DNS queries.
* Note that ports less than 1024 are privileged on UNIX/Linux systems, and
* require Anope to be started as root. If you do this, it is recommended you
* set options:user and options:group so Anope can change users after binding
* to this port.
*/
ip = "0.0.0.0"
port = 53
/*
* SOA record information.
*/
/* E-mail address of the DNS administrator. */
admin = "admin@example.com"
/* This should be the names of the public facing nameservers serving the records. */
nameservers = "ns1.example.com ns2.example.com"
/* The time slave servers are allowed to cache. This should be reasonably low
* if you want your records to be updated without much delay.
*/
refresh = 3600
/* A notify block. There should probably be one per nameserver listed in 'nameservers'.
*/
notify
{
ip = "192.0.2.0"
port = 53
}
}
/*
* m_dnsbl
*
* Allows configurable DNS blacklists to check connecting users against. If a user
* is found on the blacklist they will be immediately banned. This is a crucial module
* to prevent bot attacks.
*/
#module
{
name = "m_dnsbl"
/*
* If set, Services will check clients against the DNSBLs when services connect to its uplink.
* This is not recommended, and on large networks will open a very large amount of DNS queries.
* Whilst services are not drastically affected by this, your nameserver/DNSBL might care.
*/
check_on_connect = no
/*
* If set, Services will check clients when coming back from a netsplit. This can cause a large number
* of DNS queries open at once. Whilst services are not drastically affected by this, your nameserver/DNSBL
* might care.
*/
check_on_netburst = no
/*
* If set, OperServ will add clients found in the DNSBL to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being fill up by bots.
*/
add_to_akill = yes
blacklist
{
/* Name of the blacklist. */
name = "rbl.efnetrbl.org"
/* How long to set the ban for. */
time = 4h
/* Reason for akill.
* %n is the nick of the user
* %u is the ident/username of the user
* %g is the realname of the user
* %h is the hostname of the user
* %i is the IP of the user
* %r is the reply reason (configured below). Will be nothing if not configured.
* %N is the network name set in networkinfo:networkname
*/
reason = "You are listed in the efnet RBL, visit http://rbl.efnetrbl.org/?i=%i for info"
/* Replies to ban and their reason. If no relies are configured, all replies get banned. */
reply
{
code = 1
reason = "Open Proxy"
}
#reply
{
code = 2
reason = "spamtrap666"
}
#reply
{
code = 3
reason = "spamtrap50"
}
reply
{
code = 4
reason = "TOR"
/*
* If set, users identified to services at the time the result comes back
* will not be banned.
*/
#allow_account = yes
}
reply
{
code = 5
reason = "Drones / Flooding"
}
}
#blacklist
{
name = "dnsbl.dronebl.org"
time = 4h
reason = "You have a host listed in the DroneBL. For more information, visit http://dronebl.org/lookup_branded?ip=%i&network=%N"
}
/* Exempt localhost from DNSBL checks */
exempt { ip = "127.0.0.1" }
}
/*
* m_helpchan
*
* Gives users who are op in the specified help channel usermode +h (helpop).
*/
#module
{
name = "m_helpchan"
helpchannel = "#help"
}
/*
* m_httpd
*
* Allows services to serve web pages. By itself, this module does nothing useful.
*
* Note that using this will allow users to get the IP of your services.
* To prevent this we recommend using a reverse proxy or a tunnel.
*/
#module
{
name = "m_httpd"
httpd
{
/* Name of this service. */
name = "httpd/main"
/* IP to listen on. */
ip = "0.0.0.0"
/* Port to listen on. */
port = 8080
/* Time before connections to this server are timed out. */
timeout = 30
/* Listen using SSL. Requires an SSL module. */
#ssl = yes
/* If you are using a reverse proxy that sends one of the
* extforward_headers set below, set this to its IP.
* This allows services to obtain the real IP of users by
* reading the forwarded-for HTTP header.
*/
#extforward_ip = "192.168.0.255"
/* The header to look for. These probably work as is. */
extforward_header = "X-Forwarded-For Forwarded-For"
}
}
/*
* m_ldap_oper [EXTRA]
*
* This module dynamically ties users to Anope opertypes when they identify
* via LDAP group membership. Requires m_ldap.
*
* Note that this doesn't give the user privileges on the IRCd, only in Services.
*/
#module
{
name = "m_ldap_oper"
/*
* An optional binddn to use when searching for groups.
* %a is replaced with the account name of the user.
*/
#binddn = "cn=Manager,dc=anope,dc=org"
/*
* An optional password to bind with.
*/
#password = "secret"
/*
* The base DN where the groups are.
*/
basedn = "ou=groups,dc=anope,dc=org"
/*
* The filter to use when searching for users.
* %a is replaced with the account name of the user.
*/
filter = "(member=uid=%a,ou=users,dc=anope,dc=org)"
/*
* The attribute of the group that is the name of the opertype.
* The cn attribute should match a known opertype in the config.
*/
opertype_attribute = "cn"
}
/*
* m_mysql [EXTRA]
*
* This module allows other modules to use MySQL.
*/
#module
{
name = "m_mysql"
mysql
{
/* The name of this service. */
name = "mysql/main"
database = "anope"
server = "127.0.0.1"
username = "anope"
password =
port = 3306
}
}
/*
* m_redis
*
* This module allows other modules to use Redis.
*/
#module
{
name = "m_redis"
/* A redis database */
redis
{
/* The name of this service */
name = "redis/main"
/*
* The redis database to use. New connections default to 0.
*/
db = 0
ip = "127.0.0.1"
port = 6379
}
}
/*
* m_regex_pcre [EXTRA]
*
* Provides the regex engine regex/pcre, which uses the Perl Compatible Regular Expressions library.
*/
#module { name = "m_regex_pcre" }
/*
* m_regex_posix [EXTRA]
*
* Provides the regex engine regex/posix, which uses the POSIX compliant regular expressions.
* This is likely the only regex module you will not need extra libraries for.
*/
#module { name = "m_regex_posix" }
/*
* m_regex_tre [EXTRA]
*
* Provides the regex engine regex/tre, which uses the TRE regex library.
*/
#module { name = "m_regex_tre" }
/*
* m_rewrite
*
* Allows rewriting commands sent to/from clients.
*/
#module { name = "m_rewrite" }
#command
{
service = "ChanServ"; name = "CLEAR"; command = "rewrite"
/* Enable m_rewrite. */
rewrite = true
/* Source message to match. A $ can be used to match anything. */
rewrite_source = "CLEAR $ USERS"
/*
* Message to rewrite the source message to. A $ followed by a number, eg $0, gets
* replaced by the number-th word from the source_message, starting from 0.
*/
rewrite_target = "KICK $1 *"
/*
* The command description. This only shows up in HELP's output.
* Comment this option to prevent the command from showing in the
* HELP command.
*/
rewrite_description = "Clears all users from a channel"
}
/*
* m_proxyscan
*
* This module allows you to scan connecting clients for open proxies.
* Note that using this will allow users to get the IP of your services.
*
* Currently the two supported proxy types are HTTP and SOCKS5.
*
* The proxy scanner works by attempting to connect to clients when they
* connect to the network, and if they have a proxy running instruct it to connect
* back to services. If services are able to connect through the proxy to itself
* then it knows it is an insecure proxy, and will ban it.
*/
#module
{
name = "m_proxyscan"
/*
* The target IP services tells the proxy to connect back to. This must be a publicly
* available IP that remote proxies can connect to.
*/
#target_ip = "127.0.0.1"
/*
* The port services tells the proxy to connect to.
*/
target_port = 7226
/*
* The listen IP services listen on for incoming connections from suspected proxies.
* This probably will be the same as target_ip, but may not be if you are behind a firewall (NAT).
*/
#listen_ip = "127.0.0.1"
/*
* The port services should listen on for incoming connections from suspected proxies.
* This most likely will be the same as target_port.
*/
listen_port = 7226
/*
* An optional notice sent to clients upon connect.
*/
#connect_notice = "We will now scan your host for insecure proxies. If you do not consent to this scan please disconnect immediately."
/*
* Who the notice should be sent from.
*/
#connect_source = "OperServ"
/*
* If set, OperServ will add infected clients to the akill list. Without it, OperServ simply sends
* a timed G/K-line to the IRCd and forgets about it. Can be useful if your akill list is being filled up by bots.
*/
add_to_akill = yes
/*
* How long before connections should be timed out.
*/
timeout = 5
proxyscan
{
/* The type of proxy to check for. A comma separated list is allowed. */
type = "HTTP"
/* The ports to check. */
port = "80,8080"
/* How long to set the ban for. */
time = 4h
/*
* The reason to ban the user for.
* %h is replaced with the type of proxy found.
* %i is replaced with the IP of proxy found.
* %p is replaced with the port.
*/
reason = "You have an open proxy running on your host (%t:%i:%p)"
}
}
/*
* m_sasl
*
* Some IRCds allow "SASL" authentication to let users identify to Services
* during the IRCd user registration process. If this module is loaded, Services will allow
* authenticating users through this mechanism. Supported mechanisms are:
* PLAIN, EXTERNAL.
*/
module { name = "m_sasl" }
/*
* m_sasl_dh-aes [EXTRA]
*
* Add the DH-AES mechanism to SASL.
* Requires m_sasl to be loaded.
* Requires openssl.
*/
#module { name = "m_sasl_dh-aes" }
/*
* m_sasl_dh-blowfish [EXTRA]
*
* Add the DH-BLOWFISH mechanism to SASL.
* Requires m_sasl to be loaded.
* Requires openssl.
*/
#module { name = "m_sasl_dh-blowfish" }
/*
* m_ssl_gnutls [EXTRA]
*
* This module provides SSL services to Anope using GnuTLS, for example to
* connect to the uplink server(s) via SSL.
*
* You may only load either m_ssl_gnutls or m_ssl_openssl, bot not both.
*/
#module
{
name = "m_ssl_gnutls"
/*
* An optional certificate and key for m_ssl_gnutls to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* certtool --generate-privkey --bits 2048 --outfile anope.key
* certtool --generate-self-signed --load-privkey anope.key --outfile anope.crt
*
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* Diffie-Hellman parameters to use when acting as a server. This is only
* required for TLS servers that want to use ephemeral DH cipher suites.
*
* This is NOT required for Anope to connect to the uplink server(s) via SSL.
*
* You can generate DH parameters by using:
*
* certtool --generate-dh-params --bits 2048 --outfile dhparams.pem
*
*/
# dhparams = "data/dhparams.pem"
}
/*
* m_ssl_openssl [EXTRA]
*
* This module provides SSL services to Anope using OpenSSL, for example to
* connect to the uplink server(s) via SSL.
*
* You may only load either m_ssl_openssl or m_ssl_gnutls, bot not both.
*
*/
#module
{
name = "m_ssl_openssl"
/*
* An optional certificate and key for m_ssl_openssl to give to the uplink.
*
* You can generate your own certificate and key pair by using:
*
* openssl genrsa -out anope.key 2048
* openssl req -new -x509 -key anope.key -out anope.crt -days 1095
*/
cert = "data/anope.crt"
key = "data/anope.key"
/*
* As of 2014 SSL 3.0 is considered insecure, but it might be enabled
* on some systems by default for compatibility reasons.
* You can use the following option to enable or disable it explicitly.
* Leaving this option not set defaults to the default system behavior.
*/
sslv3 = no
}
/*
* m_sql_authentication [EXTRA]
*
* This module allows authenticating users against an external SQL database using a custom
* query.
*/
#module
{
name = "m_sql_authentication"
/* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
engine = "mysql/main"
/* Query to execute to authenticate. A non empty result from this query is considered a success,
* and the user will be authenticated.
*
* @a@ is replaced with the user's account name
* @p@ is replaced with the user's password
* @n@ is replaced with the user's nickname
* @i@ is replaced with the user's IP
*
* Note that @n@ and @i@ may not always exist in the case of a user identifying outside of the normal
* nickserv/identify command, such as through the web panel.
*
* Furthermore, if a field named email is returned from this query the user's email is
* set to its value.
*
*
* We've included some example queries for some popular website/forum systems.
*
* Drupal 6: "SELECT `mail` AS `email` FROM `users` WHERE `name` = @a@ AND `pass` = MD5(@p@) AND `status` = 1"
* e107 cms: "SELECT `user_email` AS `email` FROM `e107_user` WHERE `user_loginname` = @a@ AND `user_password` = MD5(@p@)"
* SMF Forum: "SELECT `email_address` AS `email` FROM `smf_members` WHERE `member_name` = @a@ AND `passwd` = SHA1(CONCAT(LOWER(@a@), @p@))"
* vBulletin: "SELECT `email` FROM `user` WHERE `username` = @a@ AND `password` = MD5(CONCAT(MD5(@p@), `salt`))"
* IP.Board: "SELECT `email` FROM `ibf_members` WHERE `name` = @a@ AND `members_pass_hash` = MD5(CONCAT(MD5(`members_pass_salt`), MD5(@p@)))"
*/
query = "SELECT `email_addr` AS `email` FROM `my_users` WHERE `username` = @a@ AND `password` = MD5(CONCAT('salt', @p@))"
/*
* If set, the reason to give the users who try to "/msg NickServ REGISTER".
* If not set, then registration is not blocked.
*/
#disable_reason = "To register on this network visit http://some.misconfigured.site/register"
/*
* If set, the reason to give the users who try to "/msg NickServ SET EMAIL".
* If not set, then email changing is not blocked.
*/
#disable_email_reason = "To change your email address visit http://some.misconfigured.site"
}
/*
* m_sql_log [EXTRA]
*
* This module adds an additional target option to log{} blocks
* that allows logging Service's logs to SQL. To log to SQL, add
* the SQL service name to log:targets prefixed by sql_log:. For
* example:
*
* log
* {
* targets = "services.log sql_log:mysql/main"
* ...
* }
*
* By default this module logs to the table `logs`, and will create
* it if it doesn't exist. This module does not create any indexes (keys)
* on the table and it is recommended you add them yourself as necessary.
*/
#module { name = "m_sql_log" }
/*
* m_sql_oper [EXTRA]
*
* This module allows granting users services operator privileges and possibly IRC Operator
* privileges based on an external SQL database using a custom query.
*/
#module
{
name = "m_sql_oper"
/* SQL engine to use. Should be configured elsewhere with m_mysql, m_sqlite, etc. */
engine = "mysql/main"
/* Query to execute to determine if a user should have operator privileges.
* A field named opertype must be returned in order to link the user to their oper type.
* The oper types must be configured earlier in services.conf.
*
* If a field named modes is returned from this query then those modes are set on the user.
* Without this, only a simple +o is sent.
*
* @a@ is replaced with the user's account name
* @i@ is replaced with the user's IP
*/
query = "SELECT `opertype` FROM `my_users` WHERE `user_name` = @a@"
}
/*
* m_sqlite [EXTRA]
*
* This module allows other modules to use SQLite.
*/
#module
{
name = "m_sqlite"
/* A SQLite database */
sqlite
{
/* The name of this service. */
name = "sqlite/main"
/* The database name, it will be created if it does not exist. */
database = "anope.db"
}
}
/*
* webcpanel
*
* This module creates a web configuration panel that allows users and operators to perform any task
* as they could over IRC. If you are using the default configuration you should be able to access
* this panel by visiting http://127.0.0.1:8080 in your web browser from the machine Anope is running on.
*
* This module requires m_httpd.
*/
#module
{
name = "webcpanel"
/* Web server to use. */
server = "httpd/main";
/* Template to use. */
template = "default";
/* Page title. */
title = "Anope IRC Services";
}
/*
* m_xmlrpc
*
* Allows remote applications (websites) to execute queries in real time to retrieve data from Anope.
* By itself this module does nothing, but allows other modules (m_xmlrpc_main) to receive and send XMLRPC queries.
*/
#module
{
name = "m_xmlrpc"
/* Web service to use. Requires m_httpd. */
server = "httpd/main"
}
/*
* m_xmlrpc_main
*
* Adds the main XMLRPC core functions.
* Requires m_xmlrpc.
*/
#module { name = "m_xmlrpc_main" }

662
roles/IRC/templates/anope/nickserv.conf.j2 Executable file
View File

@@ -0,0 +1,662 @@
/*
* Example configuration file for NickServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the NickServ client.
* If you change this value, you probably want to change the client directive in the configuration for the nickserv module too.
*/
nick = "NickServ"
/*
* The username of the NickServ client.
*/
user = "services"
/*
* The hostname of the NickServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the NickServ client.
*/
gecos = "Nickname Registration Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core NickServ module.
*
* Provides essential functionality for NickServ.
*/
module
{
name = "nickserv"
/*
* The name of the client that should be NickServ.
*/
client = "NickServ"
/*
* Force users to give an e-mail address when they register a nick.
*
* This directive defaults to "yes" and is recommended to be enabled. This is required if e-mail registration is enabled.
*/
forceemail = no
/*
* Require users who change their email address to confirm they
* own their new email.
*/
confirmemailchanges = no
/*
* A message sent to users on connect if they use an unregistered nick.
*
* This directive is optional.
*/
unregistered_notice = "Your nickname is not registered. If you would like it registered, contact a netadmin (identified by ^) in #lobby to get it registered."
/*
* The default options for newly registered nicks. Note that changing these options
* will have no effect on nicks which are already registered. The list must be separated
* by spaces.
*
* The options are:
* - killprotect: Kill nick if not identified within 60 seconds
* - kill_quick: Kill nick if not identified within 20 seconds, this one overrides the above
* option and the above must be specified with this one
* - ns_secure: Enable nickname security, requiring the nick's password before any operations
* can be done on it
* - ns_private: Hide the nick from NickServ's LIST command
* - hide_email: Hide's the nick's e-mail address from NickServ's INFO command
* - hide_mask: Hide's the nick's last or current user@host from NickServ's INFO command
* - hide_quit: Hide's the nick's last quit message
* - memo_signon: Notify user if they have a new memo when they sign into the nick
* - memo_receive: Notify user if they have a new memo as soon as it's received
* - memo_mail: Notify user if they have a new memo by mail
* - autoop: User will be automatically opped in channels they enter and have access to
* - msg: Services messages will be sent as PRIVMSGs instead of NOTICEs, requires
* options:useprivmsg to be enabled as well
* - ns_keepmodes: Enables keepmodes, which retains user modes across sessions
*
* This directive is optional, if left blank, the options will default to ns_secure, memo_signon, and
* memo_receive. If you really want no defaults, use "none" by itself as the option.
*/
defaults = "ns_secure ns_private hide_email hide_mask memo_signon memo_receive autoop killprotect"
/*
* The minimum length of time between consecutive uses of NickServ's REGISTER command. This
* directive is optional, but recommended. If not set, this restriction will be disabled.
*/
regdelay = 30s
/*
* The length of time before a nick's registration expires.
*
* This directive is optional, but recommended. If not set, the default is 21 days.
*/
expire = 3650d
/*
* Prevents the use of the ACCESS and CERT (excluding their LIST subcommand), DROP, FORBID, SUSPEND,
* GETPASS and SET PASSWORD commands by services operators on other services operators.
*
* This directive is optional, but recommended.
*/
secureadmins = yes
/*
* If set, Services will set the channel modes a user has access to upon identifying, assuming
* they are not already set.
*
* This directive is optional.
*/
modeonid = yes
/*
* If set, Services will set these user modes on any user who identifies.
*
* This directive is optional.
*/
#modesonid = "+R"
/*
* If set, Services will not show netsplits in the last quit message field
* of NickServ's INFO command.
*/
hidenetsplitquit = no
/*
* If set, is the length of time NickServ's killquick and kill options wait before
* forcing users off of protected nicknames.
*/
killquick = 20s
kill = 60s
/*
* If set, forbids the registration of nicks that contain an existing
* nick with Services access. For example, if Tester is a Services Oper,
* you can't register NewTester or Tester123 unless you are an IRC
* Operator.
*
* NOTE: If you enable this, you will have to be logged in as an IRC
* operator in order to register a Services Root nick when setting up
* Anope for the first time.
*
* This directive is optional.
*/
restrictopernicks = yes
/*
* The username, and possibly hostname, used for fake users created when Services needs to
* hold a nickname.
*/
enforceruser = "enforcer"
enforcerhost = "ircservices.{{ external_domain }}"
/*
* The length of time Services hold nicknames.
*
* This directive is optional, but recommended. If not set it defaults to 1 minute.
*/
releasetimeout = 1m
/*
* When a user's nick is forcibly changed to enforce a "nick kill", their new nick will start
* with this value. The rest will be made up of 6 or 7 digits.
* Make sure this is a valid nick and Nicklen+7 is not longer than the allowed Nicklen on your ircd.
*
* This directive is optional. If not set it defaults to "Guest"
*/
guestnickprefix = "Guest"
/*
* If set, Services do not allow ownership of nick names, only ownership of accounts.
*/
nonicknameownership = no
/*
* The maximum length of passwords
*
* This directive is optional. If not set it defaults to 32.
*/
passlen = 32
}
/*
* Core NickServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Command group configuration for NickServ.
*
* Commands may optionally be placed into groups to make NickServ's HELP output easier to understand.
* Remove the following groups to use the old behavior of simply listing all NickServ commands from HELP.
*/
command_group
{
name = "nickserv/admin"
description = _("Services Operator commands")
}
/* Give it a help command. */
command { service = "NickServ"; name = "HELP"; command = "generic/help"; }
/*
* ns_access
*
* Provides the command nickserv/access.
*
* Used for configuring what hosts have access to your account.
*/
module
{
name = "ns_access"
/*
* The maximum number of entries allowed on a nickname's access list.
* If not set, the default is 32. This number cannot be set to 0.
*/
accessmax = 32
/*
* If set, Services will add the usermask of registering users to the access list of their
* newly created account. If not set, users will always have to identify to NickServ before
* being recognized, unless they manually add an address to the access list of their account.
* This directive is optional.
*/
addaccessonreg = yes
}
command { service = "NickServ"; name = "ACCESS"; command = "nickserv/access"; }
/*
* ns_ajoin
*
* Provides the command nickserv/ajoin.
*
* Used for configuring channels to join once you identify.
*/
module
{
name = "ns_ajoin"
/*
* The maximum number of channels a user can have on NickServ's AJOIN command.
*/
ajoinmax = 50
}
command { service = "NickServ"; name = "AJOIN"; command = "nickserv/ajoin"; }
/*
* ns_alist
*
* Provides the command nickserv/alist.
*
* Used for viewing what channels you have access to.
*/
module { name = "ns_alist" }
command { service = "NickServ"; name = "ALIST"; command = "nickserv/alist"; }
/*
* ns_cert
*
* Provides the command nickserv/cert.
*
* Used for configuring your SSL certificate list, which can be used to automatically identify you.
*
module
{
name = "ns_cert"
/*
* The maximum number of entries allowed on a nickname's certificate fingerprint list.
* The default is 5. This number cannot be set to 0.
*
max = 5
}
command { service = "NickServ"; name = "CERT"; command = "nickserv/cert"; }
*/
/*
* ns_drop
*
* Provides the command nickserv/drop.
*
* Used for unregistering names.
*/
module { name = "ns_drop" }
command { service = "NickServ"; name = "DROP"; command = "nickserv/drop"; }
/*
* ns_getemail
*
* Provides the command nickserv/getemail.
*
* Used for getting registered accounts by searching for emails.
*/
module { name = "ns_getemail" }
command { service = "NickServ"; name = "GETEMAIL"; command = "nickserv/getemail"; permission = "nickserv/getemail"; group = "nickserv/admin"; }
/*
* ns_getpass
*
* Provides the command nickserv/getpass.
*
* Used for getting users passwords.
*
* Requires no encryption is being used.
*/
#module { name = "ns_getpass" }
#command { service = "NickServ"; name = "GETPASS"; command = "nickserv/getpass"; permission = "nickserv/getpass"; }
/*
* ns_group
*
* Provides the commands nickserv/group, nickserv/glist, and nickserv/ungroup.
*
* Used for controlling nick groups.
*/
module
{
name = "ns_group"
/*
* The maximum number of nicks allowed in a group.
*
* This directive is optional, but recommended. If not set or set to 0, no limits will be applied.
*/
maxaliases = 16
/*
* If set, the NickServ GROUP command won't allow any group changes. This is recommended to
* prevent users from accidentally dropping their nicks, as it forces users to explicitly
* drop their nicks before adding it to another group.
*
* This directive is optional, but recommended.
*/
nogroupchange = yes
}
command { service = "NickServ"; name = "GLIST"; command = "nickserv/glist"; }
command { service = "NickServ"; name = "GROUP"; command = "nickserv/group"; }
command { service = "NickServ"; name = "UNGROUP"; command = "nickserv/ungroup"; }
/*
* ns_identify
*
* Provides the command nickserv/identify.
*
* Used for identifying to accounts.
*/
module { name = "ns_identify" }
command { service = "NickServ"; name = "ID"; command = "nickserv/identify"; hide = true; }
command { service = "NickServ"; name = "IDENTIFY"; command = "nickserv/identify"; }
/*
* ns_info
*
* Provides the commands:
* nickserv/info. - Used for gathering information about an account.
* nickserv/set/hide, nickserv/saset/hide - Used for configuring which options are publically shown in nickserv/info.
*
*/
module { name = "ns_info" }
command { service = "NickServ"; name = "INFO"; command = "nickserv/info"; }
command { service = "NickServ"; name = "SET HIDE"; command = "nickserv/set/hide"; }
command { service = "NickServ"; name = "SASET HIDE"; command = "nickserv/saset/hide"; permission = "nickserv/saset/hide"; }
/*
* ns_list
*
* Provides the commands:
* nickserv/list - Used for retrieving and searching the registered account list.
* nickserv/set/private, nickserv/saset/private - Used for configuring whether or a users account shows up in nickserv/list.
*
*/
module
{
name = "ns_list"
/*
* The maximum number of nicks to be returned for a NickServ LIST command.
*/
listmax = 50
}
command { service = "NickServ"; name = "LIST"; command = "nickserv/list"; }
command { service = "NickServ"; name = "SET PRIVATE"; command = "nickserv/set/private"; }
command { service = "NickServ"; name = "SASET PRIVATE"; command = "nickserv/saset/private"; permission = "nickserv/saset/private"; }
/*
* ns_logout
*
* Provides the command nickserv/logout.
*
* Used for logging out of your account.
*/
module { name = "ns_logout" }
command { service = "NickServ"; name = "LOGOUT"; command = "nickserv/logout"; }
/*
* ns_recover
*
* Provides the command nickserv/recover.
*
* Used for recovering your nick from services or another user.
*/
module
{
name = "ns_recover"
/*
* If set, Services will svsnick and svsjoin users who use the recover
* command on an identified user to the nick and channels of the recovered user.
*
* This directive is opional.
*/
restoreonrecover = yes
}
command { service = "NickServ"; name = "RECOVER"; command = "nickserv/recover"; }
# Uncomment below to emulate 1.8's behavior of ghost and release.
#command { service = "NickServ"; name = "GHOST"; command = "nickserv/recover"; }
#command { service = "NickServ"; name = "RELEASE"; command = "nickserv/recover"; }
/*
* ns_register
*
* Provides the commands nickserv/confirm, nickserv/register, and nickserv/resend.
*
* Used for registering accounts.
*/
module
{
name = "ns_register"
/*
* Registration confirmation setting. Set to "none" for no registration confirmation,
* "mail" for email confirmation, and "admin" to have services operators manually confirm
* every registration. Set to "disable" to completely disable all registrations.
*/
registration = "none"
/*
* The minimum length of time between consecutive uses of NickServ's RESEND command.
*
* This directive is optional, but recommended. If not set, this restriction will be disabled.
*/
resenddelay = 90s
/*
* Prevents users from registering their nick if they are not connected
* for at least the given number of seconds.
*
* This directive is optional.
*/
#nickregdelay = 30s
/*
* The length of time a user using an unconfirmed account has
* before the account will be released for general use again.
*/
#unconfirmedexpire = 1d
}
#command { service = "NickServ"; name = "CONFIRM"; command = "nickserv/confirm"; }
command { service = "NickServ"; name = "REGISTER"; command = "nickserv/register"; }
#command { service = "NickServ"; name = "RESEND"; command = "nickserv/resend"; }
/*
* ns_resetpass
*
* Provides the command nickserv/resetpass.
*
* Used for resetting passwords by emailing users a temporary one.
*/
/*module { name = "ns_resetpass" }
command { service = "NickServ"; name = "RESETPASS"; command = "nickserv/resetpass"; }
*/
/*
* ns_set
*
* Provides the commands:
* nickserv/set, nickserv/saset - Dummy help wrappers for the SET and SASET commands.
* nickserv/set/autoop, nickserv/saset/autoop - Determines whether or not modes are automatically set users when joining a channel.
* nickserv/set/display, nickserv/saset/display - Used for setting a users display name.
* nickserv/set/email, nickserv/saset/email - Used for setting a users email address.
* nickserv/set/keepmodes, nickserv/saset/keepmodes - Configure whether or not services should retain a user's modes across sessions.
* nickserv/set/kill, nickserv/saset/kill - Used for configuring nickname protection.
* nickserv/set/language, nickserv/saset/language - Used for configuring what language services use.
* nickserv/set/message, nickserv/saset/message - Used to configure how services send messages to you.
* nickserv/set/password, nickserv/saset/password - Used for changing a users password.
* nickserv/set/secure, nickserv/saset/secure - Used for configuring whether a user can identify by simply being recognized by nickserv/access.
* nickserv/saset/noexpire - Used for configuring noexpire, which prevents nicks from expiring.
*/
module
{
name = "ns_set"
/*
* Allow the use of the IMMED option in the NickServ SET KILL command.
*
* This directive is optional.
*/
#allowkillimmed = yes
}
command { service = "NickServ"; name = "SET"; command = "nickserv/set"; }
command { service = "NickServ"; name = "SASET"; command = "nickserv/saset"; permission = "nickserv/saset/"; group = "nickserv/admin"; }
command { service = "NickServ"; name = "SET AUTOOP"; command = "nickserv/set/autoop"; }
command { service = "NickServ"; name = "SASET AUTOOP"; command = "nickserv/saset/autoop"; permission = "nickserv/saset/autoop"; }
command { service = "NickServ"; name = "SET DISPLAY"; command = "nickserv/set/display"; }
command { service = "NickServ"; name = "SASET DISPLAY"; command = "nickserv/saset/display"; permission = "nickserv/saset/display"; }
command { service = "NickServ"; name = "SET EMAIL"; command = "nickserv/set/email"; }
command { service = "NickServ"; name = "SASET EMAIL"; command = "nickserv/saset/email"; permission = "nickserv/saset/email"; }
command { service = "NickServ"; name = "SET KEEPMODES"; command = "nickserv/set/keepmodes"; }
command { service = "NickServ"; name = "SASET KEEPMODES"; command = "nickserv/saset/keepmodes"; permission = "nickserv/saset/keepmodes"; }
command { service = "NickServ"; name = "SET KILL"; command = "nickserv/set/kill"; }
command { service = "NickServ"; name = "SASET KILL"; command = "nickserv/saset/kill"; permission = "nickserv/saset/kill"; }
command { service = "NickServ"; name = "SET LANGUAGE"; command = "nickserv/set/language"; }
command { service = "NickServ"; name = "SASET LANGUAGE"; command = "nickserv/saset/language"; permission = "nickserv/saset/language"; }
command { service = "NickServ"; name = "SET MESSAGE"; command = "nickserv/set/message"; }
command { service = "NickServ"; name = "SASET MESSAGE"; command = "nickserv/saset/message"; permission = "nickserv/saset/message"; }
/* command { service = "NickServ"; name = "SET PASSWORD"; command = "nickserv/set/password"; }
command { service = "NickServ"; name = "SASET PASSWORD"; command = "nickserv/saset/password"; permission = "nickserv/saset/password"; }
*/
command { service = "NickServ"; name = "SET SECURE"; command = "nickserv/set/secure"; }
command { service = "NickServ"; name = "SASET SECURE"; command = "nickserv/saset/secure"; permission = "nickserv/saset/secure"; }
command { service = "NickServ"; name = "SASET NOEXPIRE"; command = "nickserv/saset/noexpire"; permission = "nickserv/saset/noexpire"; }
/*
* ns_set_misc
*
* Provides the command nickserv/set/misc.
*
* Allows you to create arbitrary commands to set data, and have that data show up in nickserv/info.
* A field named misc_description may be given for use with help output.
*/
module { name = "ns_set_misc" }
command { service = "NickServ"; name = "SET URL"; command = "nickserv/set/misc"; misc_description = _("Associate a URL with your account"); }
command { service = "NickServ"; name = "SASET URL"; command = "nickserv/saset/misc"; misc_description = _("Associate a URL with this account"); permission = "nickserv/saset/url"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET ICQ"; command = "nickserv/set/misc"; misc_description = _("Associate an ICQ account with your account"); }
#command { service = "NickServ"; name = "SASET ICQ"; command = "nickserv/saset/misc"; misc_description = _("Associate an ICQ account with this account"); permission = "nickserv/saset/icq"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET TWITTER"; command = "nickserv/set/misc"; misc_description = _("Associate a Twitter account with your account"); }
#command { service = "NickServ"; name = "SASET TWITTER"; command = "nickserv/saset/misc"; misc_description = _("Associate a Twitter account with this account"); permission = "nickserv/saset/twitter"; group = "nickserv/admin"; }
#command { service = "NickServ"; name = "SET FACEBOOK"; command = "nickserv/set/misc"; misc_description = _("Associate a Facebook URL with your account"); }
#command { service = "NickServ"; name = "SASET FACEBOOK"; command = "nickserv/saset/misc"; misc_description = _("Associate a Facebook URL with this account"); permission = "nickserv/saset/facebook"; group = "nickserv/admin"; }
/*
* ns_status
*
* Provides the nickserv/status command.
*
* Used to determine if a user is recognized or identified by services.
*/
module { name = "ns_status" }
command { service = "NickServ"; name = "STATUS"; command = "nickserv/status"; }
/*
* ns_suspend
*
* Provides the commands nickserv/suspend and nickserv/unsuspend.
*
* Used to suspend and unsuspend nicknames. Suspended nicknames can not be used but their settings are preserved.
*/
module
{
name = "ns_suspend"
/*
* The length of time before a suspended nick becomes unsuspended.
*
* This directive is optional. If not set, the default is never.
*/
#suspendexpire = 90d
/*
* Settings to show to non-opers in NickServ's INFO output.
* Comment to completely disable showing any information about
* suspended nicknames to non-opers.
*/
show = "suspended, by, reason, on, expires"
}
command { service = "NickServ"; name = "SUSPEND"; command = "nickserv/suspend"; permission = "nickserv/suspend"; group = "nickserv/admin"; }
command { service = "NickServ"; name = "UNSUSPEND"; command = "nickserv/unsuspend"; permission = "nickserv/suspend"; group = "nickserv/admin"; }
/*
* ns_update
*
* Provides the command nickserv/update.
*
* Used to update your status on all channels, turn on your vHost, etc.
*/
module { name = "ns_update" }
command { service = "NickServ"; name = "UPDATE"; command = "nickserv/update"; }
/*
* Extra NickServ related modules.
*/
/*
* ns_maxemail
*
* Limits how many times the same email address may be used in Anope
* to register accounts.
*/
#module
{
name = "ns_maxemail"
/*
* The limit to how many registered nicks can use the same e-mail address. If set to 0 or left
* commented, there will be no limit enforced when registering new accounts or using
* /msg NickServ SET EMAIL.
*/
maxemails = 1
}

701
roles/IRC/templates/anope/operserv.conf.j2 Executable file
View File

@@ -0,0 +1,701 @@
/*
* Example configuration file for OperServ.
*/
/*
* First, create the service.
*/
service
{
/*
* The name of the OperServ client.
* If you change this value, you probably want to change the client directive in the configuration for the operserv module too.
*/
nick = "OperServ"
/*
* The username of the OperServ client.
*/
user = "services"
/*
* The hostname of the OperServ client.
*/
host = "ircservices.{{ external_domain }}"
/*
* The realname of the OperServ client.
*/
gecos = "Operator Service"
/*
* The modes this client should use.
* Do not modify this unless you know what you are doing.
*
* These modes are very IRCd specific. If left commented, sane defaults
* are used based on what protocol module you have loaded.
*
* Note that setting this option incorrectly could potentially BREAK some, if
* not all, usefulness of the client. We will not support you if this client is
* unable to do certain things if this option is enabled.
*/
#modes = "+o"
/*
* An optional comma separated list of channels this service should join. Outside
* of log channels this is not very useful, as the service will just idle in the
* specified channels, and will not accept any types of commands.
*
* Prefixes may be given to the channels in the form of mode characters or prefix symbols.
*/
#channels = "@#services,#mychan"
}
/*
* Core OperServ module.
*
* Provides essential functionality for OperServ.
*/
module
{
name = "operserv"
/*
* The name of the client that should be OperServ.
*/
client = "OperServ"
/*
* These define the default expiration times for, respectively, AKILLs, CHANKILLs, SNLINEs,
* and SQLINEs.
*/
autokillexpiry = 30d
chankillexpiry = 30d
snlineexpiry = 30d
sqlineexpiry = 30d
/*
* If set, this option will make Services send an AKILL command immediately after it has been
* added with AKILL ADD. This eliminates the need for killing the user after the AKILL has
* been added.
*
* This directive is optional, but recommended.
*/
akillonadd = yes
/*
* If set, this option will make Services send an (SVS)KILL command immediately after SNLINE ADD.
* This eliminates the need for killing the user after the SNLINE has been added.
*
* This directive is optional.
*/
killonsnline = yes
/*
* If set, this option will make Services send an (SVS)KILL command immediately after SQLINE ADD.
* This eliminates the need for killing the user after the SQLINE has been added.
*
* This directive is optional.
*/
killonsqline = yes
/*
* Adds the nickname of the IRC Operator issuing an AKILL to the kill reason.
*
* This directive is optional.
*/
addakiller = yes
/*
* Adds akill IDs to akills. Akill IDs are given to users in their ban reason and can be used to easily view,
* modify, or remove an akill from the ID.
*/
akillids = yes
/*
* If set, only IRC Operators will be permitted to use OperServ, regardless of command access restrictions.
*
* This directive is optional, but recommended.
*/
opersonly = yes
}
/*
* Core OperServ commands.
*
* In Anope modules can provide (multiple) commands, each of which has a unique command name. Once these modules
* are loaded you can then configure the commands to be added to any client you like with any name you like.
*
* Additionally, you may provide a permission name that must be in the opertype of users executing the command.
*
* Sane defaults are provided below that do not need to be edited unless you wish to change the default behavior.
*/
/* Give it a help command. */
command { service = "OperServ"; name = "HELP"; command = "generic/help"; }
/*
* os_akill
*
* Provides the command operserv/akill.
*
* Used to ban users from the network.
*/
module { name = "os_akill" }
command { service = "OperServ"; name = "AKILL"; command = "operserv/akill"; permission = "operserv/akill"; }
/*
* os_chankill
*
* Provides the command operserv/chankill.
*
* Used to akill users from an entire channel.
*/
module { name = "os_chankill" }
command { service = "OperServ"; name = "CHANKILL"; command = "operserv/chankill"; permission = "operserv/chankill"; }
/*
* os_session
*
* Provides the commands operserv/exception and operserv/session.
*
* This module enables session limiting. Session limiting prevents users from connecting more than a certain
* number of times from the same IP at the same time - thus preventing most types of cloning.
* Once a host reaches it's session limit, all clients attempting to connect from that host will
* be killed. Exceptions to the default session limit can be defined via the exception list.
*
* Used to manage the session limit exception list, and view currently active sessions.
*/
module
{
name = "os_session"
/*
* Default session limit per host. Once a host reaches its session limit, all clients attempting
* to connect from that host will be killed.
*
* This directive is required if os_session is loaded.
*/
defaultsessionlimit = 3
/*
* The maximum session limit that may be set for a host in an exception.
*
* This directive is required if os_session is loaded.
*/
maxsessionlimit = 100
/*
* Sets the default expiry time for session exceptions.
*
* This directive is required if os_session is loaded.
*/
exceptionexpiry = 1d
/*
* The message that will be NOTICE'd to a user just before they are removed from the network because
* their host's session limit has been exceeded. It may be used to give a slightly more descriptive
* reason for the impending kill as opposed to simply "Session limit exceeded".
*
* This directive is optional, if not set, nothing will be sent.
*/
sessionlimitexceeded = "The session limit for your IP %IP% has been exceeded."
/*
* Same as above, but should be used to provide a website address where users can find out more
* about session limits and how to go about applying for an exception.
*
* Note: This directive has been intentionally commented out in an effort to remind you to change
* the URL it contains. It is recommended that you supply an address/URL where people can get help
* regarding session limits.
*
* This directive is optional, if not set, nothing will be sent.
*/
#sessionlimitdetailsloc = "Please visit http://your.website.url/ for more information about session limits."
/*
* If set and is not 0, this directive tells Services to add an AKILL if the number of subsequent kills
* for the same host exceeds this value, preventing the network from experiencing KILL floods.
*
* This directive is optional.
*/
maxsessionkill = 15
/*
* Sets the expiry time for AKILLs set for hosts exceeding the maxsessionkill directive limit.
*
* This directive is optional, if not set, defaults to 30 minutes.
*/
sessionautokillexpiry = 30m
/*
* Sets the CIDR value used to determine which IP addresses represent the same person.
* By default this would limit 3 connections per IPv4 IP and 3 connections per IPv6 IP.
* If you are receiving IPv6 clone attacks it may be useful to set session_ipv6_cidr to
* 64 or 48.
*/
session_ipv4_cidr = 32
session_ipv6_cidr = 128
}
command { service = "OperServ"; name = "EXCEPTION"; command = "operserv/exception"; permission = "operserv/exception"; }
command { service = "OperServ"; name = "SESSION"; command = "operserv/session"; permission = "operserv/session"; }
/*
* os_defcon
*
* Provides the command operserv/defcon.
*
* Allows you to set services in defcon mode, which can be used to restrict services access
* during bot attacks.
*/
module
{
name = "os_defcon"
/*
* Default DefCon level (1-5) to use when starting Services up. Level 5 constitutes normal operation
* while level 1 constitutes the most restrictive operation. If this setting is left out or set to
* 0, DefCon will be disabled and the rest of this block will be ignored.
*/
defaultlevel = 5
/*
* The following 4 directives define what operations will take place when DefCon is set to levels
* 1 through 4. Each level is a list that must be separated by spaces.
*
* The following operations can be defined at each level:
* - nonewchannels: Disables registering new channels
* - nonewnicks: Disables registering new nicks
* - nomlockchanges: Disables changing MLOCK on registered channels
* - forcechanmodes: Forces all channels to have the modes given in the later chanmodes directive
* - reducedsessions: Reduces the session limit to the value given in the later sessionlimit directive
* - nonewclients: KILL any new clients trying to connect
* - operonly: Services will ignore all non-IRCops
* - silentoperonly: Services will silently ignore all non-IRCops
* - akillnewclients: AKILL any new clients trying to connect
* - nonewmemos: No new memos will be sent to block MemoServ attacks
*/
level4 = "nonewchannels nonewnicks nomlockchanges reducedsessions"
level3 = "nonewchannels nonewnicks nomlockchanges forcechanmodes reducedsessions"
level2 = "nonewchannels nonewnicks nomlockchanges forcechanmodes reducedsessions silentoperonly"
level1 = "nonewchannels nonewnicks nomlockchanges forcechanmodes reducedsessions silentoperonly akillnewclients"
/*
* New session limit to use when a DefCon level is using "reduced" session limiting.
*/
sessionlimit = 2
/*
* Length of time to add an AKILL for when DefCon is preventing new clients from connecting to the
* network.
*/
akillexpire = 5m
/*
* The channel modes to set on all channels when the DefCon channel mode system is in use.
*
* Note 1: Choose these modes carefully, because when DefCon switches to a level which does NOT have
* the mode setting selected, Services will set the reverse on all channels, e.g. if this setting
* is +RN when DefCon is used, all channels will be set to +RN, when DefCon is removed, all
* channels will be set to -RN. You don't want to set this to +k for example, because when DefCon
* is removed, all channels are set -k, removing the key from previously keyed channels.
*
* Note 2: MLOCKed modes will not be lost.
*/
chanmodes = "+Ri"
/*
* This value can be used to automatically return the network to DefCon level 5 after the specified
* time period, just in case any IRC Operator forgets to remove a DefCon setting.
*
* This directive is optional.
*/
timeout = 15m
/*
* If set, Services will send a global message on DefCon level changes.
*
* This directive is optional.
*/
globalondefcon = yes
/*
* If set, Services will send the global message defined in the message directive on DefCon level
* changes.
*
* This directive is optional.
*/
#globalondefconmore = yes
/*
* Defines the message that will be sent on DefCon level changes when globalondefconmore is set.
*
* This directive is required only when globalondefconmore is set.
*/
#message = "Put your message to send your users here. Don't forget to uncomment globalondefconmore"
/*
* Defines the message that will be sent when DefCon is returned to level 5. This directive is optional,
* and will also override globalondefcon and globalondefconmore when set.
*/
offmessage = "Services are now back to normal; sorry for any inconvenience"
/*
* Defines the reason to use when clients are KILLed or AKILLed from the network while the proper
* DefCon operation is in effect.
*/
akillreason = "This network is currently not accepting connections. We are working on diagnostics, so please try again later."
}
command { service = "OperServ"; name = "DEFCON"; command = "operserv/defcon"; }
/*
* os_dns
*
* Provides the command operserv/dns.
*
* This module requires that m_dns is loaded.
*
* This module allows controlling a DNS zone. This is useful for
* controlling what servers users are placed on for load balancing,
* and to automatically remove split servers.
*
* To use this module you must set a nameserver record for services
* so that DNS queries go to services.
*
* Alternatively, you may use a slave DNS server to hide service's IP,
* provide query caching, and provide better fault tolerance.
*
* To do this using BIND, configure similar to:
*
* options { max-refresh-time 60; };
* zone "irc.example.com" IN {
* type slave;
* masters { 127.0.0.1 port 5353; };
* };
*
* Where 127.0.0.1:5353 is the IP and port services are listening on.
* We recommend you externally firewall both UDP and TCP to the port
* Anope is listening on.
*
* Finally set a NS record for irc.example.com. to BIND or services.
*/
#module
{
name = "os_dns"
/* TTL for records. This should be very low if your records change often. */
ttl = 1m
/* If a server drops this many users the server is automatically removed from the DNS zone.
* This directive is optional.
*/
user_drop_mark = 50
/* The time used for user_drop_mark. */
user_drop_time = 1m
/* When a server is removed from the zone for dropping users, it is readded after this time.
* This directive is optional.
*/
user_drop_readd_time = 5m
/* If set, when a server splits, it is automatically removed from the zone. */
remove_split_servers = yes
/* If set, when a server connects to the network, it will be automatically added to
* the zone if it is a known server.
*/
readd_connected_servers = no
}
#command { service = "OperServ"; name = "DNS"; command = "operserv/dns"; permission = "operserv/dns"; }
/*
* os_config
*
* Provides the command operserv/config.
*
* Used to view and set configuration options while services are running.
*/
module { name = "os_config" }
command { service = "OperServ"; name = "CONFIG"; command = "operserv/config"; permission = "operserv/config"; }
/*
* os_forbid
*
* Provides the command operserv/forbid.
*
* Used to forbid specific nicks, channels, emails, etc. from being used.
*/
module { name = "os_forbid" }
command { service = "OperServ"; name = "FORBID"; command = "operserv/forbid"; permission = "operserv/forbid"; }
/*
* os_ignore
*
* Provides the command operserv/ignore.
*
* Used to make Services ignore users.
*/
module { name = "os_ignore" }
command { service = "OperServ"; name = "IGNORE"; command = "operserv/ignore"; permission = "operserv/ignore"; }
/*
* os_info
*
* Provides the command operserv/info.
*
* Used to add oper only notes to users and channels.
*/
module { name = "os_info" }
command { service = "OperServ"; name = "INFO"; command = "operserv/info"; permission = "operserv/info"; }
/*
* os_jupe
*
* Provides the command operserv/jupe.
*
* Used to disconnect servers from the network and prevent them from relinking.
*/
module { name = "os_jupe" }
command { service = "OperServ"; name = "JUPE"; command = "operserv/jupe"; permission = "operserv/jupe"; }
/*
* os_kick
*
* Provides the command operserv/kick.
*
* Used to kick users from channels.
*/
module { name = "os_kick" }
command { service = "OperServ"; name = "KICK"; command = "operserv/kick"; permission = "operserv/kick"; }
/*
* os_kill
*
* Provides the command operserv/kill.
*
* Used to forcibly disconnect users from the network.
*/
module { name = "os_kill" }
command { service = "OperServ"; name = "KILL"; command = "operserv/kill"; permission = "operserv/kill"; }
/*
* os_list
*
* Provides the commands operserv/chanlist and operserv/userlist.
*
* Used to list and search the channels and users currently on the network.
*/
module { name = "os_list" }
command { service = "OperServ"; name = "CHANLIST"; command = "operserv/chanlist"; permission = "operserv/chanlist"; }
command { service = "OperServ"; name = "USERLIST"; command = "operserv/userlist"; permission = "operserv/userlist"; }
/*
* os_login
*
* Provides the commands operserv/login and operserv/logout.
*
* Used to login to OperServ, only required if your oper block requires this.
*/
module { name = "os_login" }
command { service = "OperServ"; name = "LOGIN"; command = "operserv/login"; }
command { service = "OperServ"; name = "LOGOUT"; command = "operserv/logout"; }
/*
* os_logsearch
*
* Provides the command operserv/logsearch.
*
* Used to search services log files.
*/
module
{
name = "os_logsearch"
/* The log file name to search. There should be a log{} block configured to log
* to a file of this name.
*/
logname = "services.log"
}
command { service = "OperServ"; name = "LOGSEARCH"; command = "operserv/logsearch"; permission = "operserv/logsearch"; }
/*
* os_mode
*
* Provides the commands operserv/mode and operserv/umode.
*
* Used to change user and channel modes.
*/
module { name = "os_mode" }
command { service = "OperServ"; name = "UMODE"; command = "operserv/umode"; permission = "operserv/umode"; }
command { service = "OperServ"; name = "MODE"; command = "operserv/mode"; permission = "operserv/mode"; }
/*
* os_modinfo
*
* Provides the commands operserv/modinfo and operserv/modlist.
*
* Used to show information about loaded modules.
*/
module { name = "os_modinfo" }
command { service = "OperServ"; name = "MODINFO"; command = "operserv/modinfo"; permission = "operserv/modinfo"; }
command { service = "OperServ"; name = "MODLIST"; command = "operserv/modlist"; permission = "operserv/modinfo"; }
/*
* os_module
*
* Provides the commands operserv/modload, operserv/modreload, and operserv/modunload.
*
* Used to load, reload, and unload modules.
*/
module { name = "os_module" }
command { service = "OperServ"; name = "MODLOAD"; command = "operserv/modload"; permission = "operserv/modload"; }
command { service = "OperServ"; name = "MODRELOAD"; command = "operserv/modreload"; permission = "operserv/modload"; }
command { service = "OperServ"; name = "MODUNLOAD"; command = "operserv/modunload"; permission = "operserv/modload"; }
/*
* os_news
*
* Provides the commands operserv/logonnews, operserv/opernews, and operserv/randomnews.
*
* Used to configure news notices shown to users when they connect, and opers when they oper.
*/
module
{
name = "os_news"
/*
* The service bot names to use to send news to users on connection
* and to opers when they oper.
*/
announcer = "Global"
oper_announcer = "OperServ"
/*
* The number of LOGON/OPER news items to display when a user logs on.
*
* This directive is optional, if not set it will default to 3.
*/
#newscount = 3
}
command { service = "OperServ"; name = "LOGONNEWS"; command = "operserv/logonnews"; permission = "operserv/news"; }
command { service = "OperServ"; name = "OPERNEWS"; command = "operserv/opernews"; permission = "operserv/news"; }
command { service = "OperServ"; name = "RANDOMNEWS"; command = "operserv/randomnews"; permission = "operserv/news"; }
/*
* os_noop
*
* Provides the command operserv/noop.
*
* Used to NOOP a server, which prevents users from opering on that server.
*/
module { name = "os_noop" }
command { service = "OperServ"; name = "NOOP"; command = "operserv/noop"; permission = "operserv/noop"; }
/*
* os_oline
*
* Provides the command operserv/oline.
*
* Used to set oper flags on users, and is specific to UnrealIRCd.
* See /helpop ?svso on your IRCd for more information.
*
* module { name = "os_oline" }
* command { service = "OperServ"; name = "OLINE"; command = "operserv/oline"; permission = "operserv/oline"; }
*/
/*
* os_oper
*
* Provides the command operserv/oper.
*
* Used to configure opers and show information about opertypes.
*/
module { name = "os_oper" }
command { service = "OperServ"; name = "OPER"; command = "operserv/oper"; permission = "operserv/oper"; }
/*
* os_reload
*
* Provides the command operserv/reload.
*
* Used to reload the services.conf configuration file.
*/
module { name = "os_reload" }
command { service = "OperServ"; name = "RELOAD"; command = "operserv/reload"; permission = "operserv/reload"; }
/*
* os_set
*
* Provides the command operserv/set.
*
* Used to set various settings such as superadmin, debug mode, etc.
*/
module
{
name = "os_set"
/*
* If set, Services Admins will be able to use SUPERADMIN [ON|OFF] which will temporarily grant
* them extra privileges such as being a founder on ALL channels.
*
* This directive is optional.
*/
superadmin = yes
}
command { service = "OperServ"; name = "SET"; command = "operserv/set"; permission = "operserv/set"; }
/*
* os_shutdown
*
* Provides the commands operserv/quit, operserv/restart, and operserv/shutdown.
*
* Used to quit, restart, or shutdown services.
*/
module { name = "os_shutdown" }
command { service = "OperServ"; name = "QUIT"; command = "operserv/quit"; permission = "operserv/quit"; }
command { service = "OperServ"; name = "RESTART"; command = "operserv/restart"; permission = "operserv/restart"; }
command { service = "OperServ"; name = "SHUTDOWN"; command = "operserv/shutdown"; permission = "operserv/shutdown"; }
/*
* os_stats
*
* Provides the operserv/stats command.
*
* Used to show statistics about services.
*/
module { name = "os_stats" }
command { service = "OperServ"; name = "STATS"; command = "operserv/stats"; permission = "operserv/stats"; }
/*
* os_svs
*
* Provides the commands operserv/svsnick, operserv/svsjoin, and operserv/svspart.
*
* Used to force users to change nicks, join and part channels.
*/
module { name = "os_svs" }
command { service = "OperServ"; name = "SVSNICK"; command = "operserv/svsnick"; permission = "operserv/svs"; }
command { service = "OperServ"; name = "SVSJOIN"; command = "operserv/svsjoin"; permission = "operserv/svs"; }
command { service = "OperServ"; name = "SVSPART"; command = "operserv/svspart"; permission = "operserv/svs"; }
/*
* os_sxline
*
* Provides the operserv/snline and operserv/sqline commands.
*
* Used to ban real names, nick names, and possibly channels.
*/
module { name = "os_sxline" }
command { service = "OperServ"; name = "SNLINE"; command = "operserv/snline"; permission = "operserv/snline"; }
command { service = "OperServ"; name = "SQLINE"; command = "operserv/sqline"; permission = "operserv/sqline"; }
/*
* os_update
*
* Provides the operserv/update command.
*
* Use to immediately update the databases.
*/
module { name = "os_update" }
command { service = "OperServ"; name = "UPDATE"; command = "operserv/update"; permission = "operserv/update"; }

1183
roles/IRC/templates/anope/services.conf.j2 Normal file
View File

File diff suppressed because it is too large Load Diff

176
roles/IRC/templates/inspircd/inspircd.conf.j2 Normal file
View File

@@ -0,0 +1,176 @@
# Includes
<config format="xml">
<include file="/etc/inspircd/opers.conf">
<include file="/etc/inspircd/links.conf">
<include file="/etc/inspircd/modules.conf">
<files motd="/etc/inspircd/motd.txt" rules="/etc/inspircd/rules.txt">
# Server Definition
<server
name="{{ external_domain }}"
description="{{ organization['displayname'] }}/IRC"
network="{{ organization['displayname'] }}/IRC">
<admin
name="{{ organization['admin'] }}"
nick="{{ organization['admin'] }}"
email="{{ organization['email'] }}">
# Connection Information
<define name="subnetips" value="10.0.1.0/24">
<define name="localhost" value="127.0.0.1/32">
<cidr
ipv4clone="32"
ipv6clone="128">
# Plaintext on local only for bots and servers
<bind address="" port="8067" type="servers">
<bind address="" port="6667" type="clients">
<connect
name="local"
parent="main"
allow="127.0.0.1"
localmax="20"
globalmax="20"
limit="20"
requiressl="off"
modes="+Bwx"
threshold="200"
port="6667">
# SSL for external connections
<bind
address=""
port="6697"
sslprofile="clients"
type="clients">
<connect
name="main"
allow="*"
commandrate="1000"
fakelag="on"
globalmax="500"
hardsendq="1M"
limit="500"
localmax="500"
maxconnwarn="on"
modes="+wx"
pingfreq="120"
port="6697"
recvq="8192"
requiressl="off"
resolvehostnames="on"
softsendq="8192"
threshold="25"
timeout="10"
useident="no">
<sslprofile
name="clients"
provider="openssl"
cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/chain.pem"
certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
keyfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/privkey.pem"
ciphers="{{ ssl['ciphersuite'] }}"
hash="sha256"
renegotiation="no"
requestclientcert="no"
sslv3="no"
tlsv1="no"
tlsv11="no"
tlsv12="yes"
tlsv13="yes">
<openssl onrehash="yes">
# Performance
<performance
netbuffersize="10240"
somaxconn="128"
limitsomaxconn="true"
softlimit="1024"
quietbursts="yes">
<log method="file" type="* -USERINPUT -USEROUTPUT" level="default" target="/var/log/inspircd/inspircd.log" flush="1">
<pid file="/var/lib/inspircd/inspircd.pid">
<options
prefixquit="Quit: "
suffixquit=""
prefixpart="&quot;"
suffixpart="&quot;"
syntaxhints="no"
cyclehosts="no"
cyclehostsfromuser="no"
ircumsgprefix="no"
announcets="yes"
allowmismatch="no"
defaultbind="auto"
hostintopic="yes"
pingwarning="15"
serverpingfreq="60"
defaultmodes="not"
moronbanner="You're banned! Contact {{ organization['email'] }} with the ERROR line below for help."
exemptchanops="nonick:v flood:o"
invitebypassmodes="yes"
nosnoticestack="no"
welcomenotice="yes">
# Security and Controls
<security
announceinvites="dynamic"
hidemodes="eI"
hideulines="no"
flatlinks="no"
hidewhois=""
hidebans="no"
hidekills=""
hidesplits="yes"
maxtargets="20"
customversion=""
operspywhois="yes"
restrictbannedusers="yes"
genericoper="no"
userstats="Pu">
<limits
maxnick="12"
maxchan="20"
maxmodes="20"
maxident="64"
maxquit="255"
maxtopic="307"
maxkick="255"
maxgecos="128"
maxaway="200">
<channels users="20" opers="60">
<maxlist chan="*" limit="60">
<whowas
groupsize="10"
maxgroups="100000"
maxkeep="1d">
# Ban options
<badnick nick="*Serv" reason="Reserved for Services">
<badhost host="*@*malware*" reason="Malware">
<badhost host="root@*" reason="Don't IRC as root!">
<exception host="{{ organization['admin'] }}@localhost" reason="localhost">
<exception host="{{ organization['admin'] }}@127.0.0.1" reason="localhost">
<exception host="{{ organization['admin'] }}@{{ external_domain }}" reason="localhost">
<exception host="{{ organization['admin'] }}@*.{{ external_domain }}" reason="localhost">
<insane
hostmasks="no"
ipmasks="no"
nickmasks="no"
trigger="99">

10
roles/IRC/templates/inspircd/links.conf.j2 Normal file
View File

@@ -0,0 +1,10 @@
{{ secrets['IRC']['links'] }}
<link name="ircservices.{{ external_domain }}"
ipaddr="core.{{ replica_domain }}"
port="8067"
allowmask="10.0.1.3/32"
sendpass="{{ secrets['IRC']['servicespass'] }}"
recvpass="{{ secrets['IRC']['servicespass'] }}">
<uline server="ircservices.{{ external_domain }}" silent="no">

416
roles/IRC/templates/inspircd/modules.conf.j2 Normal file
View File

@@ -0,0 +1,416 @@
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Generate hashes using the /MKPASSWD command on the server.
# Don't run it on a server you don't trust with your password.
<module name="m_password_hash.so">
# MD5 module: Allows other modules to generate MD5 hashes, usually for
# cryptographic uses and security.
<module name="m_md5.so">
# SHA256 module: Allows other modules to generate SHA256 hashes,
# usually for cryptographic uses and security.
<module name="m_sha256.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Abbreviation module: Provides the ability to abbreviate commands a-la
# BBC BASIC keywords.
<module name="m_abbreviation.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Alias module: Allows you to define server-side command aliases.
<module name="m_alias.so">
<alias text="NICKSERV" format=":IDENTIFY *" replace="PRIVMSG NickServ :IDENTIFY $3-" requires="NickServ" uline="yes">
<alias text="ID" replace="PRIVMSG NickServ :IDENTIFY $2" requires="NickServ" uline="yes">
<alias text="NICKSERV" replace="PRIVMSG NickServ :$2-" requires="NickServ" uline="yes">
<alias text="NS" replace="PRIVMSG NickServ :$2-" requires="NickServ" uline="yes">
<alias text="CHANSERV" replace="PRIVMSG ChanServ :$2-" requires="ChanServ" uline="yes">
<alias text="CS" replace="PRIVMSG ChanServ :$2-" requires="ChanServ" uline="yes">
<alias text="OPERSERV" replace="PRIVMSG OperServ :$2-" requires="OperServ" uline="yes" operonly="yes">
<alias text="OS" replace="PRIVMSG OperServ :$2-" requires="OperServ" uline="yes" operonly="yes">
<alias text="HOSTSERV" replace="PRIVMSG HostServ :$2-" requires="HostServ" uline="yes">
<alias text="HS" replace="PRIVMSG HostServ :$2-" requires="HostServ" uline="yes">
<alias text="MEMOSERV" replace="PRIVMSG MemoServ :$2-" requires="MemoServ" uline="yes">
<alias text="MS" replace="PRIVMSG MemoServ :$2-" requires="MemoServ" uline="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Allowinvite module: Gives channel mode +A to allow all users to use
# /INVITE, and extban A to deny invite from specific masks.
<module name="m_allowinvite.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# # Auditorium module: Adds channel mode +u which makes everyone else
# except you in the channel invisible, used for large meetings etc.
<module name="m_auditorium.so">
<auditorium opvisible="no" opcansee="no" opercansee="yes">
#-#-#-#-#-#-#-#-#-#-#- BLOCKAMSG CONFIGURATION -#-#-#-#-#-#-#-#-#-#-#
# #
# If you have the m_blockamsg.so module loaded, you can configure it #
# with the <blockamsg> tag: #
# #
# delay - How many seconds between two messages to force #
# them to be recognised as unrelated. #
# action - Any of 'notice', 'noticeopers', 'silent', 'kill' #
# or 'killopers'. Define how to take action when #
# a user uses /amsg or /ame. #
#
#<blockamsg delay="3" action="killopers">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Block CAPS module: Adds channel mode +B, blocks all-CAPS messages.
<module name="m_blockcaps.so">
<blockcaps percent="50"
minlen="5"
capsmap="ABCDEFGHIJKLMNOPQRSTUVWXYZ! ">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Block color module: Blocking color-coded messages with chan mode +c.
<module name="m_blockcolor.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Botmode module: Adds the user mode +B. If set on a user, it will
# show that the user is a bot in /WHOIS.
<module name="m_botmode.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# CAP module: Provides the CAP negotiation mechanism required by the
# m_sasl, m_namesx, m_uhnames, and m_ircv3 modules.
# It is also recommended for the STARTTLS support in m_ssl_gnutls.
<module name="m_cap.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SASL authentication module: Provides support for IRC Authentication
# Layer via AUTHENTICATE. Note: You also need to have m_cap.so loaded
# for SASL to work.
<module name="m_sasl.so">
<sasl target="ircservices.{{ external_domain }}">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# IRCv3 module: Provides the following IRCv3.1 extensions:
# extended-join, away-notify and account-notify. These are optional
# enhancements to the client-to-server protocol. An extension is only
# active for a client when the client specifically requests it, so this
# module needs m_cap to work.
# http://ircv3.org/extensions/
<module name="m_ircv3.so">
<ircv3 accountnotify="on" awaynotify="on" extendedjoin="on">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# CGI:IRC module: Adds support for automatic host changing in CGI:IRC
# (http://cgiirc.sourceforge.net).
<module name="m_cgiirc.so">
<cgihost type="webirc" password="{{ secrets['IRC']['webirc'] }}" mask="127.0.0.1">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Channel create module: Adds snomask +j, which will notify opers of
# any new channels that are created.
# This module is oper-only.
<module name="m_chancreate.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Channel history module: Displays the last 'X' lines of chat to a user
# joining a channel with +H 'X:T' set; 'T' is the maximum time to keep
# lines in the history buffer. Designed so that the new user knows what
# the current topic of conversation is when joining the channel.
#<module name="m_chanhistory.so">
#
# Set the maximum number of lines allowed to be stored per channel below.
# This is the hard limit for 'X'.
# If notice is set to yes, joining users will get a NOTICE before playback
# telling them about the following lines being the pre-join history.
#<chanhistory maxlines="20" notice="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Channel logging module: Used to send snotice output to channels, to
# allow staff to centrally monitor and discuss network activity.
#
# The "channel" field is where you want the messages to go, "snomasks"
# is what snomasks you want to be sent to that channel. Multiple tags
# are allowed.
<module name="m_chanlog.so">
<chanlog snomasks="AOcC" channel="#private">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Custom prefixes: Allows for channel prefixes to be configured.
<module name="customprefix">
<customprefix name="founder" letter="q" prefix="~" rank="50000" ranktoset="50000">
<customprefix name="admin" letter="a" prefix="&amp;" rank="40000" ranktoset="50000">
#<customprefix name="op" letter="o" prefix="@" rank="30000" ranktoset="30000">
<customprefix name="halfop" letter="h" prefix="%" rank="20000" ranktoset="30000">
#<customprefix name="voice" letter="o" prefix="@" rank="10000" ranktoset="20000">
<module name="m_operprefix.so">
<operprefix prefix="^">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Check module: Adds the /CHECK command.
# This module is oper-only.
<module name="m_check.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# CHGHOST module: Adds the /CHGHOST command.
# This module is oper-only.
<module name="m_chghost.so">
<hostname charmap="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-_/0123456789">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# CHGIDENT module: Adds the /CHGIDENT command.
# This module is oper-only.
<module name="m_chgident.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# CHGNAME module: Adds the /CHGNAME command.
# This module is oper-only.
<module name="m_chgname.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Cloaking module: Adds usermode +x and cloaking support.
# Relies on the module m_md5.so being loaded.
<module name="m_cloaking.so">
<cloak mode="half"
key="{{ secrets['IRC']['cloakpass'] }}"
prefix="aninix-">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Auto join on connect module: Allows you to force users to join one
# or more channels automatically upon connecting to the server.
<module name="m_conn_join.so">
<autojoin channel="#lobby">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Set modes on connect module: When this module is loaded <connect>
# blocks may have an optional modes="" value, which contains modes to
# add or remove from users when they connect to the server.
<module name="m_conn_umodes.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Wait for PONG on connect module: Send a PING to all connecting users
# and don't let them connect until they reply with a PONG.
# This is useful to stop certain kinds of bots and proxies.
<module name="m_conn_waitpong.so">
<waitpong sendsnotice="yes" killonbadreply="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Connection throttle module.
<module name="m_connflood.so">
<connflood seconds="15" maxconns="5" timeout="30"
quitmsg="Throttled" bootwait="10">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# DCCALLOW module: Adds the /DCCALLOW command.
#<module name="m_dccallow.so">
#<dccallow blockchat="yes" length="5m" action="block" maxentries="20">
#<banfile pattern="*.exe" action="block">
#<banfile pattern="*.txt" action="allow">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Deny channels module: Deny channels from being used by users.
<module name="m_denychans.so">
<badchan name="#private*" redirect="#lobby" allowopers="yes" reason="Bots and opers only">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# DNS blacklist module: Provides support for looking up IPs on one or #
# more blacklists. #
#<module name="m_dnsbl.so"> #
# #
# For configuration options please see the wiki page for m_dnsbl at #
# http://wiki.inspircd.org/Modules/dnsbl #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# GeoIP module: Allows the server admin to match users by country code.
# This module is in extras. Re-run configure with:
# ./configure --enable-extras=m_geoip.cpp
# and run make install, then uncomment this module to enable it.
# This module requires GeoIP to be installed on your system,
# use your package manager to find the appropriate packages
# or check the InspIRCd wiki page for this module.
#<module name="m_geoip.so">
#
# The actual allow/ban actions are done by connect classes, not by the
# GeoIP module. An example connect class to ban people from russia or
# turkey:
#
# <connect deny="*" geoip="TR,RU">
#
# The country code must be in capitals and should be an ISO country
# code such as TR, GB, or US. Unknown IPs (localhost, LAN IPs, etc)
# will be assigned the country code "UNK". Since connect classes are
# matched from top down, your deny classes must be above your allow
# classes for them to match.
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Globops module: Provides the /GLOBOPS command and snomask +g.
# This module is oper-only.
# To use, GLOBOPS must be in one of your oper class blocks.
<module name="m_globops.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Hide chans module: Allows users to hide their channels list from non-
# opers by setting user mode +I on themselves.
<module name="m_hidechans.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Ident: Provides RFC 1413 ident lookup support.
<module name="m_ident.so">
<ident timeout="20">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Knock module: Adds the /KNOCK command and channel mode +K.
<module name="m_knock.so">
<knock notify="notice">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Message flood module: Adds message/notice flood protection via
# channel mode +f.
<module name="m_messageflood.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# NAMESX module: Provides support for the NAMESX extension which allows
# clients to see all the prefixes set on a user without getting confused.
# This is supported by mIRC, x-chat, klient, and maybe more.
<module name="m_namesx.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# No CTCP module: Adds the channel mode +C to block CTCPs and extban
# 'C' to block CTCPs sent by specific users.
<module name="m_noctcp.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Network business join module:
# Allows an oper to join a channel using /OJOIN, giving them +Y on the
# channel which makes them immune to kick/deop/etc.
<module name="m_ojoin.so">
<ojoin prefix="!" notice="yes" op="yes">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Oper join module: Auto-joins opers to a channel upon oper-up.
# This module is oper-only. For the user equivalent, see m_conn_join.
<module name="m_operjoin.so">
<operjoin channel="#private" override="no">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Oper log module: Logs all oper commands to the server log (with log
# type "m_operlog" at default loglevel), and optionally to the 'r'
# snomask.
# This module is oper-only.
<module name="m_operlog.so">
<operlog tosnomask="on">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Oper modes module: Allows you to specify modes to add/remove on oper.
# Specify the modes as the 'modes' parameter of the <type> tag
# and/or as the 'modes' parameter of the <oper> tag.
# This module is oper-only. For the user equivalent, see m_conn_umodes.
<module name="m_opermodes.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Password forwarding module: Forwards a password users can send on
# connect to the specified client below. The client is usually NickServ
# and this module is usually used to authenticate users with NickServ
# using their connect password.
<module name="m_passforward.so">
<passforward
nick="NickServ"
forwardmsg="NOTICE $nick :*** Forwarding PASS to $nickrequired"
cmd="PRIVMSG $nickrequired :IDENTIFY $pass">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Permanent channels module: Channels with the permanent channel mode
# will remain open even after everyone else has left the channel, and
# therefore keep things like modes, ban lists and topic. Permanent
# channels -may- need support from your Services package to function
# properly with them. This adds channel mode +P.
# This module is oper-only.
<module name="m_permchannels.so">
<permchanneldb filename="/etc/inspircd/data/permchannels.conf" listmodes="true">
<include file="/etc/inspircd/data/permchannels.conf">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Muteban: Implements extended ban 'm', which stops anyone matching
# a mask like +b m:nick!user@host from speaking on channel.
<module name="m_muteban.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Regular expression provider for glob or wildcard (?/*) matching.
<module name="m_regex_glob.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SAJOIN module: Adds the /SAJOIN command which forcibly joins a user
# to the given channel.
# This module is oper-only.
# To use these, the option must be in one of your oper class blocks.
<module name="m_sajoin.so">
<module name="m_sakick.so">
<module name="m_samode.so">
<module name="m_sanick.so">
<module name="m_sapart.so">
<module name="m_saquit.so">
<module name="m_satopic.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Secure list module: Prevent /LIST in the first minute of connection,
# crippling most spambots and trojan spreader bots.
<module name="m_securelist.so">
<securelist waittime="60"> #
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Services support module: Adds several usermodes such as +R and +M.
# This module implements the 'identified' state via account names,
# and is similar in operation to the way asuka and ircu handle services.
<module name="m_services_account.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Sethost module: Adds the /SETHOST command.
# This module is oper-only.
# To use, SETHOST must be in one of your oper class blocks.
# See m_chghost for how to customise valid chars for hostnames.
<module name="m_sethost.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Setident module: Adds the /SETIDENT command.
# This module is oper-only.
# To use, SETIDENT must be in one of your oper class blocks.
<module name="m_setident.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# SETNAME module: Adds the /SETNAME command.
<module name="m_setname.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# OpenSSL SSL module: Adds support for SSL connections using OpenSSL,
# if enabled. You must answer 'yes' in ./configure when asked or symlink
# the source for this module from the directory src/modules/extra, if
# you want to enable this, or it will not load.
<module name="m_ssl_openssl.so">
# SSL info module: Allows users to retrieve information about other
# users' peer SSL certificates and keys.
<module name="m_sslinfo.so">
# SSL channel mode module: Adds support for SSL-only channels via
# channel mode +z and the 'z' extban which matches SSL client
# certificate fingerprints.
<module name="m_sslmodes.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Strip color module: Adds channel mode +S that strips mIRC color
# codes from all messages sent to the channel.
<module name="m_stripcolor.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Test line module: Adds the /TLINE command, used to test how many
# users a /GLINE or /ZLINE etc. would match.
# This module is oper-only.
# To use, TLINE must be in one of your oper class blocks.
<module name="m_tline.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Topiclock module: implements server-side topic locking to achieve deeper
# integration with services packages.
<module name="m_topiclock.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Userip module: Adds the /USERIP command.
# Allows users to query their own IP, also allows opers to query the IP
# of anyone else.
<module name="m_userip.so">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# Spanning tree module: Allows linking of servers using the spanning
# tree protocol (see the READ THIS BIT section above).
# You will almost always want to load this.
#
<module name="m_spanningtree.so">

44
roles/IRC/templates/inspircd/motd.txt.j2 Normal file
View File

@@ -0,0 +1,44 @@
...........................................
...........................................
.....................4HHH...................
..................4HHHHHHHHH................
...............4HHHHHHHHHHHHHH..............
...........4HHHHHHHH.....4HHHHHHHH...........
........4HHHHHHHH...........4HHHHHHHH........
.......4HHHHHH.................4HHHHHH.......
.......4HHHH.....................4HHHH.......
.......4HHHH....4HHH....#.........4HHHH.......
.......4HHHH....4HHH.....###......4HHHH.......
.......4HHHH....4HHH........##....4HHHH.......
.......4HHHH....4HHH........##....4HHHH.......
.......4HHHH....4HHH.....###......4HHHH.......
.......4HHHH....4HHH....#.........4HHHH.......
.......4HHHH.....................4HHHH.......
.......4HHHHHH.................4HHHHHH.......
........4HHHHHHHH...........4HHHHHHHH........
...........4HHHHHHHH......4HHHHHHHH..........
.............4HHHHHHHH.4HHHHHHHH.............
.................4HHHHHHHHHH................
....................4HHHH...................
...........................................
...........................................
Welcome to the AniNIX/IRC secure chat system!
Reach out to ops and founders in #lobby if you
need any help.
You should check which channels you want to join.
Type the following to get a list:
/list
You will need to request an AniNIX/Sora LDAP
account from an op or founder in #lobby to be
able to log in. If you already have an account,
use the following to authenticate:
"/quote ns identify <password>"
For reference, check out the Wiki:
4https://{{ external_domain }}/AniNIX/Wiki
User code of conduct is recorded below:
4https://{{ external_domain }}/AniNIX/Wiki/src/branch/main/Policies/User_Ethics.md

12
roles/IRC/templates/inspircd/opers.conf.j2 Normal file
View File

@@ -0,0 +1,12 @@
# We are not yet deeply using the class system -- only NetAdmins should be managing the network. Most management will be through services.
<class name="NetAdmin" commands="*" usermodes="*" chanmodes="*" privs="*">
<type
name="NetAdmin"
classes="NetAdmin"
vhost="{{ external_domain }}"
modes="+s +aAcCjkKlLoOqQr">
# Operators are tracked in the vault.
{% for oper in secrets['IRC']['opers'] %}
<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="NetAdmin">
{% endfor %}

4
roles/IRC/templates/inspircd/rules.txt.j2 Normal file
View File

@@ -0,0 +1,4 @@
1) Be respectful and do not use the AniNIX for malicious actions.
2) Follow the Hacker Ethic.
3) Contribute, rather than detract, from any community.
Reach out to DarkFeather if you have questions.

Some files were not shown because too many files have changed in this diff Show More