Cleaning up to fit AniNIX/Uniglot hooks; catching up with testing

.gitignore

@@ -6,6 +6,7 @@ roles/ShadowArch/files/mirrorlist
 roles/Foundation/files/custom/public/img/**
 venv/**
 **/pkg/**
+**/src/**
 **pkg.tar.zst
 
 # ---> Python

precommit-hooks/find-large-files

@@ -1,7 +1,9 @@
 #!/bin/bash
 
 # Limit files in git to 1M.
-find . -type f -exec du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
+IFS="
+"
+git ls-files | xargs -n1 du -k {} \; | egrep -v '^[[:digit:]]?[[:digit:]]?[[:digit:]][[:space:]]|venv|\s./.git/'
 
 if [ $? -ne 1 ]; then
     echo

roles/Foundation/files/custom/bin/gen-aninix-custom

@@ -55,8 +55,8 @@ a {
     | sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/css/theme-aninix.css
 
 cd /var/lib/gitea/web-snippets
-head="$(curl -ks https://aninix.net/ | egrep -B 99999 '^<div class="home"')"
-foot="$(curl -ks https://aninix.net/ | egrep -A 99999 '<footer>')"
+head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
+foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
 for i in `find . -type f`; do
     (echo "$head"
     cat "$i"

roles/Foundation/files/custom/bin/sitemap.php

@@ -14,7 +14,7 @@ echo '<?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 ';
 
-exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | egrep \.php\$ | egrep -v ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
+exec("(echo /srv/http/aninix.net/index.php; find /srv/http/aninix.net/pages -type f; find /srv/http/aninix.net/martialarts/ -type f) | grep -E \.php\$ | grep -vE ^./unlisted\|^./errors/\|head.php\|foot.php\|test\|Template\|darknet", $output);
 foreach ($output as &$file) {
     echo '    <url>
 ';

roles/IRC/templates/inspircd/inspircd.conf.j2

@@ -56,7 +56,7 @@
 <bind
       address=""
       port="6697"
-      ssl="openssl"
+      sslprofile="clients"
       type="clients">
 
 <bind address="" port="6667" type="clients">
@@ -66,7 +66,7 @@
 <openssl onrehash="yes">
 
 <sslprofile
-      name="Clients"
+      name="clients"
       provider="openssl"
       cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
       certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/cert.pem"
@@ -75,10 +75,11 @@
       hash="sha256"
       renegotiation="no"
       requestclientcert="no"
-      sslv3="false"
+      sslv3="no"
       tlsv1="no"
       tlsv11="no"
-      tlsv12="yes">
+      tlsv12="yes"
+      tlsv13="yes">
 
 
 

roles/IRC/templates/inspircd/modules.conf.j2

@@ -1453,7 +1453,7 @@
 #<module name="m_regex_stdlib.so">
 #
 # Specify the regular expression engine to use here. Valid settings are
-# bre, ere, awk, grep, egrep, ecmascript (default if not specified).
+# bre, ere, awk, grep, ecmascript (default if not specified).
 #<stdregex type="ecmascript">
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#

roles/IRC/templates/inspircd/opers.conf.j2

@@ -89,7 +89,7 @@
 #      type="NetAdmin">
 #
 {% for oper in secrets['IRC']['opers'] %}
-<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="Helper">
+<oper name="{{ oper }}" password="{{ secrets['IRC']['opers'][oper] }}" hash="sha256" host="*@127.0.0.1 *@10.0.1.* *@localhost *@aninix.net" type="NetAdmin">
 {% endfor %}
 
 #-#-#-#-#-#-#-#-#-#-  DIE/RESTART CONFIGURATION   -#-#-#-#-#-#-#-#-#-#-

roles/SSH/files/sshd_config

@@ -1,6 +1,6 @@
-### AniNIX::SSH \\ Basic configuration for listening daemon ###
+### AniNIX/SSH | Basic configuration for listening daemon ###
 
-# Daemon spec #
+# Daemon spec
 Port 22
 ListenAddress 0.0.0.0
 PrintMotd yes
@@ -8,17 +8,18 @@ PrintLastLog yes
 StrictModes yes
 Protocol 2
 ChrootDirectory none
+
 # DSA and ECDSA are untrusted for vulnerabilites and backdoors. https://wiki.archlinux.org/index.php/SSH_keys
 # RSA and ED25519 are stable.
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
-# Network Performance #
+# Network Performance
 Compression yes
 ClientAliveInterval 5
 ClientAliveCountMax 3
 
-# Forwarding options # 
+# Forwarding options
 AllowTcpForwarding no
 PermitTunnel no
 AllowAgentForwarding no
@@ -27,10 +28,10 @@ X11DisplayOffset 10
 X11UseLocalhost no
 GatewayPorts no
 
-# Override default of no subsystems to allow SFTP #
-Subsystem	sftp	/usr/lib/ssh/sftp-server
+# Override default of no subsystems to allow SFTP
+Subsystem	sftp	internal-sftp
 
-# Authentication #
+# Authentication
 PubkeyAuthentication yes
 AuthorizedKeysFile	.ssh/authorized_keys
 PasswordAuthentication yes
@@ -44,7 +45,7 @@ AllowGroups ssh-allow
 PermitRootLogin no
 PermitEmptyPasswords no
 
-## Access Controls ###
+## Access Controls
 Match Group ssh-forward
     AllowTcpForwarding yes
     PermitTunnel yes
@@ -52,8 +53,8 @@ Match Group ssh-forward
     X11Forwarding yes
 
 Match Group sftp-home-jail
-    ForceCommand internal-sftp #/usr/lib/ssh/sftp-server
-    ChrootDirectory /home # Lock the user in their home directory
+    ForceCommand internal-sftp
+    ChrootDirectory /home
 
-Match User crypto
-    ForceCommand /usr/local/bin/captivecrypto
+# Allow other packages to ship snippets
+Include /etc/ssh/includes/*

roles/SSH/tasks/main.yml

@@ -64,6 +64,15 @@
        src: sshd_config
        dest: /etc/ssh/sshd_config
 
+ - name: Allow SSHD Includes
+   become: yes
+   file:
+     path: /etc/ssh/includes
+     state: directory
+     user: root
+     group: root
+     mode: 0755
+
  - name: Restart SSHD (ArchLinux)
    become: yes
    when: ansible_os_family == "Archlinux" and sshd_config.changed

roles/Sharingan/files/rkhunter/rkhunter.conf

@@ -1333,8 +1333,6 @@ DBDIR=/var/lib/rkhunter/db
 SCRIPTDIR=/usr/lib/rkhunter/scripts
 TMPDIR=/var/lib/rkhunter/tmp
 USER_FILEPROP_FILES_DIRS=/etc/rkhunter.conf
-SCRIPTWHITELIST=/usr/bin/egrep
-SCRIPTWHITELIST=/usr/bin/fgrep
 SCRIPTWHITELIST=/usr/bin/ldd
 SCRIPTWHITELIST=/usr/bin/vendor_perl/GET
 BINDIR=/bin /usr/bin /sbin /usr/sbin

roles/Sharingan/tasks/ids.yml

@@ -31,6 +31,24 @@
      group: root
      mode: 0600
 
+ - name: suricata config files
+   become: yes
+   copy:
+     src: suricata/
+     dest: /etc/suricata/
+     owner: root
+     group: root
+     mode: 0600
+
+ - name: suricata config template
+   become: yes
+   template:
+     src: suricata.yaml.j2
+     dest: /etc/suricata/suricata.yaml
+     owner: root
+     group: root
+     mode: 0600
+
  # Host IDS
  - name: Copy rkhunter service
    register: rkhunter_conf

roles/Sharingan/templates/monitrc.j2

@@ -154,7 +154,7 @@ set httpd port 2812 and
     use address localhost  # only accept connection from localhost (drop if you use M/Monit)
     allow localhost        # allow localhost to connect to the server and
     # require user 'admin' with password
-    allow admin:"{{ secrets[Sharingan][monit] | default('monit') }}"
+    allow admin:"{{ secrets['Sharingan']['monit'] | default('monit') }}"
     #with ssl {            # enable SSL/TLS and set path to server certificate
     #    pemfile: /etc/ssl/certs/monit.pem
     #}

roles/Sharingan/templates/suricata.yaml.j2

@@ -16,7 +16,7 @@
 #max-pending-packets: 1024
 
 # Runmode the engine should use. Please check --list-runmodes to get the available
-# runmodes for each packet acquisition menp1s0fod. Defaults to "autofp" (auto flow pinned
+# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
 # load balancing).
 #runmode: autofp
 
@@ -143,7 +143,7 @@ outputs:
       append: yes
       #extended: yes     # enable this for extended logging information
       #custom: yes       # enabled the custom logging format (defined by customformat)
-      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
+      #customformat:
       #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
 
   # a line based log of TLS handshake parameters (no alerts)
@@ -310,7 +310,7 @@ nflog:
 # af-packet support
 # Set threads to > 1 to use PACKET_FANOUT support
 af-packet:
-  - interface: enp1s0f0
+  - interface: {{ ipinterface }}
     # Number of receive threads (>1 will enable experimental flow pinned
     # runmode)
     threads: 1
@@ -363,10 +363,10 @@ af-packet:
     # will not be copied.
     #copy-mode: ips
     #copy-iface: enp1s0f1
-  - interface: enp1s0f1
-    threads: 1
-    cluster-id: 98
-    cluster-type: cluster_flow
+    #   - interface: enp1s0f1
+    #     threads: 1
+    #     cluster-id: 98
+    #     cluster-type: cluster_flow
     defrag: yes
     # buffer-size: 32768
     # disable-promisc: no

roles/Sora/files/ldap-adduser

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+nameRegEx='^[A-Z,a-z,0-9,\.,-]+$'
+lockfile="/tmp/""$(echo $0 | rev | cut -f 1 -d '/' | rev)"
+
+function helptext {
+    echo "$0 username [ userid ]"
+}
+
+# match email against regex and create shortname from email ID.
+if [ ! -z "$1" ] && [[ "$1" =~ $nameRegEx ]]; then
+    username="$(echo $1)"
+    if getent passwd "$username"; then
+        echo User already exists!
+        exit 1;
+    fi
+elif [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+    helptext;
+    exit 0;
+else
+    echo Need an username.
+    helptext
+    exit 1;
+fi
+
+# Create a new user ID.
+if [ -z "$2" ]; then
+    newuserid="$(($(getent passwd | sort -k 3 -n -t ':' | tail -n 1 | cut -f 3 -d ':') + 1))"
+else
+    if id "$newuserid" &>/dev/null; then
+        echo "User id $newuserid already exist!"
+        exit 2
+    else
+        newuserid="$2"
+    fi
+fi
+
+printf "Username: %s\nID: %s\n\nReady to add? [YES/no]   " "$username" "$newuserid"
+
+
+mkdir "$lockfile" 2>/dev/null
+if [ "$?" -eq 0 ]; then
+    read answer
+    if [ "$answer" == "YES" ]; then
+        file="/etc/openldap/users.d/$username.ldif"
+        cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
+        line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
+        line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
+        line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
+        line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
+        line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
+        line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
+        ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
+        ldap-resetpass "$username"
+        # usermod -a -G ssh-allow,passwdchange "$username"
+    fi
+    rmdir "$lockfile"
+    exit 0;
+else
+    echo "Cannot add -- locked."
+    exit 1;
+fi

roles/Sora/files/ldap-resetpass

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+uid="$1"
+
+if [ -z "$uid" ]; then
+    echo "Need a user ID (uid)!"
+    exit 1
+fi
+
+ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net"
+
+if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
+    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
+fi
+(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
+
+exit $?

roles/Sora/files/ldap-userreport

@@ -0,0 +1,67 @@
+#!/bin/bash
+
+hostname=`hostname`
+errortext="ERROR:NEVER"
+arg="$1"
+
+function shortshow() {
+    echo ${user}": "$email
+}
+
+function queryLDAPAttribute() {
+    ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //"
+}
+
+basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\  | sed 's/dn: cn=root,//'`
+
+maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)"
+changeAge=$(( $maxAge - 2592000 ))
+deleteAge=$(( 2 * $maxAge ))
+
+for user in `queryLDAPAttribute '(uid=*)' uid`; do
+
+    # Pull changed stats
+    lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
+    created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
+    email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
+
+    if [ -z "$lastChanged" ]; then
+        lastChanged="$errortext";
+    else
+        delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8)  +%s`))"
+    fi
+    lastlog=`lastlog -u $user | tail -n 1`
+    if [ `echo $lastlog | grep -c 'Never logged in'` -gt 0 ]; then
+        lastlog=$errortext
+    else
+        lastlog=`echo $lastlog | awk '{$1="";$2="";$3="";print $0 }'`
+    fi
+    printf "User $user (email: $email, created: $created) last changed their password on $lastChanged. They last logged in to SSH on $hostname on $lastlog\n" | (
+    case "$arg" in
+        "--inactive")
+            if grep -E $errortext'$' &> /dev/null; then shortshow; fi
+            ;;
+        "--needschange")
+            if [ "$lastChanged" == "$errortext" ]; then
+                shortshow
+            else
+                if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi
+            fi
+            ;;
+        "--expired")
+            if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge 31536000 ]; then
+                shortshow;
+            fi
+            ;;
+        "--removeable")
+            if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then
+                shortshow;
+            fi
+            ;;
+        *)
+            cat
+            ;;
+    esac
+    )
+
+done

roles/TheRaven/templates/raven.conf.j2

@@ -29,6 +29,8 @@ martialarts
 maworkouts
 dromundkaas
 inn
+cic
+masignups
 
 [ Searches ]
 r.google|http://google.com/search?q=|+|Google

roles/WolfPack/files/Core/aninix-searches.pup

@@ -0,0 +1,3 @@
+search
+/srv/wolfpack/search-results
+aninix.net

roles/WolfPack/files/Core/archlinux.pup

@@ -0,0 +1,4 @@
+download
+/usr/local/src/isos/
+wget -q -O - 'https://www.archlinux.org/download/' | grep rackspace | cut -f 2 -d \" | head -n 1
+echo PREVRESULT/$(wget -q -O - PREVRESULT | grep x86_64.iso | head -n 1 | cut -f 2 -d \")

roles/WolfPack/files/Core/centos.pup

@@ -0,0 +1,3 @@
+download
+/usr/local/src/isos
+curl -s https://centos.org/download/ | grep Minimal | grep 'a href' | cut -f 2 -d '"'

roles/WolfPack/files/Core/chrome.pup

@@ -0,0 +1,5 @@
+download
+/srv/wolfpack/
+curl -s https://portableapps.com/apps/internet/google_chrome_portable | tr '<' '\n' | tr '>' '\n' | tr \" '\n' | grep online.paf.exe | sed 's/ /\%20/g' | sed 's/\&/\\\&/g'
+curl -s https://portableapps.comPREVRESULT | tr '"' '\n' | grep redirect | tail -n 1
+echo https://portableapps.comPREVRESULT

roles/WolfPack/files/Core/cnews.pup

@@ -0,0 +1,3 @@
+search
+/srv/wolfpack/
+Riffle

roles/WolfPack/files/Core/cshows.DarkNet

@@ -0,0 +1,11 @@
+shows
+/srv/yggdrasil/new_acquisition
+S06E11#Game of Thrones
+S04E21#Vikings#
+S02E13#Mr Robot#HDTV
+S02E12#Marco Polo
+S02E12#Criminal Minds Beyond Borders#
+S02E14#Dark Matter#ettv
+S03E22#Star Wars Rebels#
+S02E11#Shadowhunters#
+S03E18#Gotham#

roles/WolfPack/files/Core/eminem.pup

@@ -0,0 +1,4 @@
+search
+/srv/wolfpack/search-results
+Eminem Shows
+Eminem Concerts

roles/WolfPack/files/Core/ftor.DarkNet

@@ -0,0 +1,8 @@
+torrent
+/srv/yggdrasil/new_acquisition
+King Arthur 2017 BRrip
+The Great Wall 2017 BRrip
+Edge of 17 2016 BRrip
+Bilal: A New Breed of Hero 2015
+John Wick Chapter 2 2017 HDrip
+Fast 8 HDRip 2017

roles/WolfPack/files/Core/kali-arm.pup

@@ -0,0 +1,3 @@
+download
+/usr/local/src/isos/
+elinks --dump https://www.offensive-security.com/kali-linux-arm-images/ | grep rpi | head -n 1 | sed 's/^\s\+//'

roles/WolfPack/files/Core/kali-linux.pup

@@ -0,0 +1,4 @@
+download
+/usr/local/src/isos/
+wget -q -O - http://cdimage.kali.org/current/ | grep amd64.iso | head -n 1 | cut -f 8 -d '"'
+echo http://cdimage.kali.org/current/PREVRESULT

roles/WolfPack/files/Core/lshows.DarkNet

@@ -0,0 +1,12 @@
+shows
+/srv/yggdrasil/new_acquisition
+S06E23#2 Broke Girls#
+S10E25#Big Bang Theory#
+S04E21#The Fosters#
+S18E19#Law Order SVU#
+S08E23#The Middle#
+S08E22#Modern Family#
+S07E13#Shameless US
+S07E17#The Walking Dead#
+S03E25#Scorpion#
+S05E05#Prison Break#ettv

roles/WolfPack/files/Core/mediawiki.pup

@@ -0,0 +1,4 @@
+download
+/var/cache/localpkg/
+wget -q -O - https://www.mediawiki.org/wiki/Download | grep 'Download MediaWiki' | cut -f 6 -d \"
+echo https:PREVRESULT

roles/WolfPack/files/Core/plpbt.pup

@@ -0,0 +1,3 @@
+download
+/usr/local/src/isos/
+wget -q -O - https://www.plop.at/en/bootmanager/download.html | grep 'plpbt-' | head -n 2 | tail -n 1 | cut -f 3 -d '=' | cut -f 1 -d ' '

roles/WolfPack/files/Core/putty.pup

@@ -0,0 +1,3 @@
+download
+/srv/wolfpack/
+echo http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

roles/WolfPack/files/Core/raspbian.pup

@@ -0,0 +1,4 @@
+download
+/usr/local/src/isos/
+wget -q -O - 'https://www.raspberrypi.org/downloads/raspbian/' | grep 'btn dl-zip' | grep -i lite | cut -f 2 -d \"
+curl -sI PREVRESULT | grep Location: | cut -f 2 -d ' ' | sed 's/\r//g'

roles/WolfPack/files/Core/torrentengine

@@ -0,0 +1,6 @@
+torrentengine="https://1337x.to/search/%s/1/"
+torrentterms='printf https://1337x.to; grep "/torrent/" | head -n 1 | cut -f 2 -d \"'
+magnetposition='4'
+torrentdebugging='true'
+searchunifier='+'
+magnetseparator=\"

roles/WolfPack/files/Core/winscp.pup

@@ -0,0 +1,3 @@
+download
+/srv/wolfpack/
+wget -q -O - http://portableapps.com/apps/internet/winscp_portable | grep 'sf-download' | cut -f 4 -d \" | head -n 1

roles/patching/tasks/main.yml

@@ -9,8 +9,17 @@
           - 90 > {{ df_output.stdout }}
         fail_msg: "Not enough free space"
 
+    - name: Update Archlinux Keyring
+      when: ansible_os_family == "Archlinux"
+      become: yes
+      package:
+        name: archlinux-keyring
+        state: latest
+        update_cache: yes
+
     - name: Patching all packages
       ignore_errors: yes
+      become: yes
       register: updates
       package:
         upgrade: yes
@@ -18,6 +27,7 @@
 
     - name: Reboot
       ignore_errors: yes
+      become: yes
       when: '"linux" in updates.stdout or "kernel" in updates.stdout'
       reboot:
           reboot_timeout: 2