Wiki/Layouts/Entities.md

612 lines
37 KiB
Markdown

This is a high-level overview of the hosts used by the AniNIX. A truer source-of-truth is in [AniNIX/Ubiqtorate](/AniNIX/Ubiqtorate), but we include this for conversation and dialog.
# Core
The Core is the central VM on which the AniNIX's primary services are built. It is both a production platform and software repository location.
## Etymology
The Core is so named because all the rest of the AniNIX is built around it.
## Capacity and Components
The AniNIX is a [AniNIX/ShadowArch](/AniNIX/ShadowArch) installation. It receives the following resources from [[Forge2]]:
* 4 Cores
* 8GB RAM
* Virtualized GPU
* 2TB storage
* USB device assignment
* Virtual bridged network interface
* Bluetooth adapter passthrough
* CD/DVD drive
* BluRay drive
## Hosted Services and Entities
{{Reference|Aether}}{{Reference|Cerberus}}{{Reference|Foundation}}{{Reference|Grimoire}}{{Reference|Heartbeat}}{{Reference|IRC}}{{Reference|TheRaven}}{{Reference|Singularity}}{{Reference|Sora}}{{Reference|SSH}}{{Reference|WebServer}}{{Reference|Wiki}}{{Reference|WolfPack}}{{Reference|Yggdrasil}}
## Connections
{{Reference|Shadowfeed}}{{Reference|Eyes}}{{Reference|Windows}}{{Reference|DarkNet}}
## Additional Reference
### Storage stack
The AniNIX uses the following storage stack, from user-accessed files to bits on disk. Bootability is from an unencrypted [https://wiki.archlinux.org/index.php/EXT4 EXT4 boot sector] and MBR [https://wiki.archlinux.org/index.php/GRUB GRUB] bootloader.
* Files
* [https://wiki.archlinux.org/index.php/XFS XFS Filesystem]
* LUKS volume
* LVM physical volume
* 2TB Physical disk
The output of "lsblk -o NAME,KNAME,SIZE,FSTYPE,TYPE,MOUNTPOINT,LABEL,PARTLABEL" gives the following layout. Additional shares mounted to accomodate users are not shown.<pre>
NAME KNAME SIZE FSTYPE TYPE MOUNTPOINT LABEL PARTLABEL
sda sda 1.8T disk
├─sda1 sda1 500M ext4 part /boot COREBOOT
└─sda2 sda2 1.8T LVM2_member part
├─corestorage-coreswap dm-0 10G crypto_LUKS lvm
│ └─coreswap dm-3 10G swap crypt [SWAP]
└─corestorage-core dm-1 1.8T crypto_LUKS lvm
└─sysroot dm-2 1.8T xfs crypt /
sr0 sr0 1024M rom </pre>
}}
[[Category:LDAP]]The DarkNet VM is the privacy protection of the AniNIX. The AniNIX does not believe in security by obscurity or in censorship; as such, everyone should have a voice.
## Etymology
The DarkNet is named for an anonymous network whose access is controlled only by the admins and whose usage is known only to them. It's entirely closed and anonymous.
## Capacity and Components
* [[ShadowArch]]
* 1 core
* 1024M of RAM
* 150G of storage
* Virtualized NIC
## Hosted Services and Entities
The DarkNet uses a small package list but runs more than the standard ShadowArch install. Also included are the xfce4, xorg-server, tor-browser-en(AUR), transmission-gtk, transmission-cli, and openvpn packages.
### Abilities
* Encrypted storage by default to a passphrase known only to admins.
* Tor proxy service, integrated with both text lynx and GUI tor-browser-en browsers.
* Lynx is aliased to "torsocks lynx" globally
* Anonymous VPN via OpenVPN (details available on request)
<!-- we use cryptostorm[d0t]is with prepaid Visas purchased with cash -->
### Hosted
{{Reference|WolfPack}}{{Reference|VirusScan}}
## Connections
{{Reference|Core}}
}}The Forge2 is the primary hardware platform on which the AniNIX runs.
## Etymology
The Forge2 the second Forge build, the original having been two towers instead of one.
It is so named because the exterior is solid black with soft red LED's internally -- this creates an appearance similar to a furnace.
The Forge builds are also so named because projects are created, developed, and tested in these frames.
## Capacity and Components
* 6-core hyperthreaded core i7 at 3.4GHz, water-cooled by Corsair H100i two-fan cooler
* 24 GB RAM
* 13.2 TB onboard storage. One hotswap slot open.
* 60 GB solid state boot drive for Windows 10 Pro Hypervisor (Hyper-V)
* 1 1TB drive dedicated to additional user space and VM's
* 1 2TB drive dedicated to Windows data formatted as NTFS
* 1 2TB drive dedicated to Windows Backup formatted as NTFS
* 2 2TB drive dedicated to [[Core|AniNIX::Core]] -- see Core for the filesystem hierarchy there.
* One hotswap bay for [[Aether|AniNIX::Aether]] backups.
* 1 150GB drive for the [[DarkNet]] VM
* USB 2.0 & 3.0 and eSATA slots
* 2 10GB NIC's -- one for VM's and one for Windows
* Bluetooth Adapter
* Hyper-V virtualization under Windows 10 Pro[[Category:Microsoft]]
* 1200W Corsair power supply
* EVGA x79 Dark motherboard with PCI-e SATA extender
* SLI'ed GTX 760 GPU's with 4GB onboard cache each
* Corsair K70 Keyboard w/ red LED and Corsair M65 mouse.
* CyberPower UPS
[[Category:Corsair]]
[[Category:EVGA]]
[[Category:Intel]]
[[Category:Seagate]]
[[Category:Kingston]]
## Hosted Services and Entities
{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}
## Connections
{{Reference|Infrastructure}}{{Reference|Shadowfeed}}{{Reference|Core}}{{Reference|Windows}}
## Additional Reference
### Gallery
A gallery will be added. [[Category:TODO]]
}}
## Hypervisor Notes
Hyper-V integrates VM's with Windows, allowing VM's to be started at Windows boot, providing direct disk access, and managing assignment of cores, memory, and disk.
ShadowArch guests with a GUI should include xf86-video-fbdev and set GRUB_CMDLINE_LINUX_DEFAULT="quiet video=hyperv_fb:1920x1080" to get maximum screen resolution.
Hyper-V comes with a few limitations. PCI and USB devices can't be passed through without 3rd-party software, but this was considered acceptable.
Hyper-V guests require significant configuration to prevent performance problems. Dynamic memory should be disabled to prevent a guest from overrunning the host. Data Exchange, Backup, and Guest Services should all be disabled from integration services. Disable checkpoints. Automatic start action should either be on startup or disabled, and automatic stop action should always be poweroff.
Hyper-V itself also requires configuration of the Windows host. The default High Performance power profile turns off monitors when not in use but does not put the entire frame to sleep -- this is the desired behavior.
### Antivirus
Make sure Hyper-V, if using [[VirusScan|antivirus]] follows the [[VirusScan##Hyper-V|Hyper-V considerations]].
Presently, this still caused drops in virtual disks, crashing several VM's, so we are suspending antivirus on the hypervisor, along with most general-purpose browsing. Read the following for other user experiences.
1. https://www.cnet.com/how-to/i-dont-use-anti-virus-software-am-i-nuts/
1. https://www.reddit.com/r/windows/comments/41b0k0/is_antivirus_software_still_necessary_for_windows/
### Windows Update
The Windows Update service, if it deems the system too out of date or in need of critical fixes, may forcibly restart the system. We recommend keeping the Windows Update service disabled on hypervisors until patching is desired. This can be done in services.msc.
We recommend addtionally setting the "gpedit.msc > Computer Configuration \ Administrative Templates \ Windows Components \ Windows Update \ Configure Automatic Updates" option if you have a Pro or Enterprise license.
### Sleep Mode
Sleep mode, even immediately interrupted, has been observed to break network connectivity and VM uptime. When running as a Hypervisor, it is advisable to disable sleep and hibernate modes. Change these from Group Policy under Administrative Templates>System>Power Management>Sleep Settings. Enable "Turn Off Hybrid Sleep" and disable "Allow Standby States (S1-S3) when sleeping".
### Previous Hypervisors
#### VirtualBox
Oracle VirtualBox is a free hypervisor that can run on almost any OS. This makes deployment and device driver management entirely on the stock OS, which was Windows in our case thus alleviating driver problems. Management is also easy, particularly with an admin account, so it's easy to assign cores, memory, and such to a VM. VirtualBox can assign raw disk access with VBoxManage. Use Windows Disk Manager (diskmgmt.msc) to identify the disk. In the case below, 7 is the disk number.
<pre>"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" internalcommands createrawvmdk -filename "C:\Users\Admin\VirtualBox VMs\raw7.vmdk" -rawdisk \\.\PhysicalDrive7</pre>
VirtualBox was dropped due to buggy integration with the running OS and the inability to start VM's at OS Boot.
#### ArchLInux/KVM-enabled KVM
The Forge2 frame has a 60GB SSD installed for KVM-enabled QEMU virtualization inside a minimal ArchLinux host. This implementation allows passing any host resources to the guest, including USB and PCI devices which is an advantage over other Hypervisors.
While Intel VT-d provided by the motherboard ostensibly supports this passthrough, it had hardware caps on the x79 that the AniNIX could not afford (4 hard drives, 1 CD drive) without disabling KVM, and the network bridging created problems for VPN clients.
## Alternatives
You could in theory put the hardware for an AniNIX network clone in the Cloud. There are steps to set up ArchLinux in [http://codito.in/archlinux-on-azure/ Microsoft Azure] and [https://bbs.archlinux.org/viewtopic.php?id=186707 Google Cloud]. This may be advantageous for sites that have uptime concerns, low local resources, or physical security concerns.
From a cost perspective, power and network for a Forge2 and [[Shadowfeed|AniNIX::Shadowfeed]] costs roughly $100 per month with a $6000 buy-in. Equivalent cloud solutions would need to supply at least one full backup image with highly available power and network, along with [[Forge2##Capacity and Components|equivalent capacity]].
You should look at [[Aether|AniNIX::Aether]] notes on cloud computing if you consider this as an option.AniNIX::Forge3 will be a successor to [[Forge2|AniNIX::Forge2]] and [[Infrastructure|AniNIX::Infrastructure]]. [[AniNIX::Core]] will be turned into hardware rather than VM, and a new systemd+qemu [[ShadowArch]] install will take the role of [[Hypervisor]] from [[Windows]]. Options being evaluated are below.
**This is not yet live.**
## New Rack Layout
* Forge2 bottom shelf, relegated to Windows [[Games]] and typically powered off.
* Requires 27.2 x 9.9 x 25.5 inchs
* Middle shelf: 2 PSU's in lateral
* Next shelf: soundproof-wrapped 2 x [https://unixsurplus.com/collections/supermicro-servers/products/supermicro-1u-x8dtu-f-dual-intel-xeon-e5645-hex-core-2-4ghz-1u-server?variant=23868756487 SuperMicro X8DTU-F servers] -- one as [[Core]] and one as [[Hypervisor]]/Dev.
* Requires 32" x 19" x 4"
* Hypervisor will virtualize [[Darknet]], [[Sharingan]], [[Aether]], [[Maat]], [[Cerberus]], and [[DedSec]] VM's.
* Top shelf:
* [[Shadowfeed]]
* [[Geth/Nazara]]
* [[Print]]
* Dev switch
### Network
WAN link runs from modem to Shadowfeed WAN. Shadowfeed LAN are
1. Nazara
1. PRD ether
1. PRD IPMI
1. Switch WAN
Switch LAN are
1. Dev ether
1. Dev IPMI
1. Dev table ether
1. Windows
### USB
Each PSU has a USB that should be able to connect to Nazara. This will allow Nazara to monitor active power state into Nagios.
### Power
UPS 1 sockets are provided from one wall outlet, max load 1200W and average load 300W.
1. HA
1. PRD PSU (500W)
1. Dev PSU (500W)
1. Surge only
1. Dev table strip
1. Laptop charger (100W)
UPS 2 sockets are provided from a second wall outlet, max load 1300W and average load 100W, on a 25' 12-gauge outdoor extension cable.
1. HA
1. Shadowfeed
1. Nazara
1. Switch
1. Desk light (typically off)
1. Non-HA
1. Windows (1200W)The Games are a list of PC or emulated games available for users to play.
## Etymology
Let's not play games -- this service is self-named.
## Relevant Files and Software
<!-- This could be expanded. -->[[Category:TODO]]
### AAA Titles
* The [https://assassinscreed.wikia.com/ Assassin's Creed] series
* Dishonored
* Deus Ex: Human Revolution
### Indie games
* Hacknet_
### MMO's
* [http://swtor.com/ Star Wars: The Old Republic] -- AniNIX members are presently playing for the Empire faction and working with the [http://mandocabure.proboards.com/ Mando Cabure] guild. Ping an admin on IRC or Discord to join the gaming.
<pre>## This game can be installed on ShadowArch with the following:
pacman -S wine-staging wine-mono
winecfg
winetricks d3dx9 vcrun2008 msls31 winhttp
1. Download launcher from swtor.com
wine ./SWTOR_launcher.exe
timeout 60 wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.exe
vim ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.settings
1. Change bitraider_disable to true and download mode to SSN.
wine ~/.wine/drive_c/Program\ Files\ \(x86\)/Electronic\ Arts/BioWare/Star\ Wars\ -\ The\ Old\ Republic/launcher.exe
</pre>
* [http://www.crypticstudios.com/startrek Star Trek Online]
### Independent Games
: These are excellent for a [[Games/Team-building_Exercise|team-building exercise]].
* [http://artemis.eochu.net Artemis Bridge Simulator]
* [https://unvanquished.net Unvanquished]
### Emulators
* Desmune
* VisualBoy Advance
* ScummVM
## Available Clients
We are investigating NVidia SHIELD technology for the AAA titles.
The [[Games##Independent Titles|independent titles]] have game clients that can be downloaded and the AniNIX made to be the hosting server.
## Additional Reference
### Recovery
Recovering games used to be a tired process of maintaining product keys. Today, this is less an impact. Instead, one should buy games through services that allow reinstallation of the same. [https://steampowered.com Steam] and [https://uplay.ubi.com/ Uplay] both support this functionality. SWTOR and MMO's like it do not install unique content directly to the local machine, so they are easily reinstalled.
Independent games or freeware should be preserved through keeping copies of the installers.
### Streaming
Linux [[Tachikoma]] or [[DedSec]] hosts can stream from a Games install using Steam in-home streaming. Wireless AC connections are recommended, and [https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711 firewall rules] need to be made.
}}
[[Category:Internal_Service]]The Geth Armature is a robotic body that allows the Geth to interact with the real world.
## Uses
1. Physical patrolling
1. Lock inspection
1. Invalid care, for those unable to move on their own.
1. Hardware inspection, in the case of an [[Sharingan|AniNIX::Sharingan]] alert.
1. Potentially firing off other Geth-controlled units, such as carrying an IR module into range of a Roomba.
## Hardware
We're coding for [http://www.swiftstreamrc.com/product/robo-buddy/ RoboBuddy from SwiftStream], but the process to be documented will be very similar for any mobile IP camera. Key requirements:
* Articulation on the camera
* Onboard lights
* Durability of frame
* Self-recharging
* Good resolution
## Softare
In development! [[Category:TODO]]
## Etymology
While many Geth mobile units were modeled after their Quarian creators, larger security units were more utilitarian. The collapsible, giraffe-like Armature were the heavy armor that could be deployed into hostile territory to protect their holdings. Similarly, ours protects our locations.
[[Category:Entity]]<b>WARNING: Holocrons should not hold copies of sensitive information.</b><br />
The Holocron is a mobile USB designed to take over any computer hardware and run as an element of the AniNIX.
## Etymology
Named for the [http://starwars.wikia.com/wiki/Holocron_of_Heresies Sith Holocron] from the Star Wars universe, the Holocron is a method for AniNIX admins to craft and record all their personal code and knowledge, including [[Aether|AniNIX::Aether]] backups, [[Foundation|Git]] repo checkouts, etc. It should be secured and difficult to crack to protect the secrets within, just as its namesake -- the better the traps, the better the knowledge it can hold.
## Capacity and Components
Holocrons have no defined capacity since they are not bound to any set of hardware. The portable storage space is bound to the drive on which it's written.
## Hosted Services and Entities
No services or entities are hosted.
## Connections
Holocron can dial to any host desired. It should have VPN, SSH, remote-desktop, browser, code version control, and file transfer clients available.
## Additional Reference
Implementation details for Holocron are below.
### Host drive
We currently recommend a [https://www.pcnation.com/web/details/ZY1268/Corsair-Flash-Survivor-Stealth-64GB-USB-3-0-Flash-Drive-CMFSS3B-64GB-00843591066389?mkwid=s_dc&pcrid=64230955823&pkw=&pmt=&plc=&gclid=Cj0KEQjwo_y4BRD0nMnfoqqnxtEBEiQAWdA124R1SSj-sqFREK5wSAXJca5AVpUXJuKfbi3IuD_Sn2IaArOC8P8HAQ Corsair Survivor Stealth] for Holocrons. This offers 64GB of flash storage with the following layout, in a form that is both impact- and water-resistant, making it a resilient tool.[[Category:Corsair]]
<pre>
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
fd0 2:0 1 4K 0 disk
sda 8:0 0 1G 0 disk
sdb 8:16 1 59.6G 0 disk
|-sdb1 8:17 1 40G 0 part /mnt/xplatfrm
|-sdb2 8:18 1 9.3G 0 part /boot
`-sdb3 8:19 1 9.3G 0 part
`-spartacus 254:0 0 9.3G 0 crypt /
sr0 11:0 1 544K 0 rom
</pre>
<b>WARNING: Do not store sensitive information on Holocrons!</b><br/> Though a Holocron has its root encrypted, /boot is not and the device is portable. Physical access is death! The storage can be cloned and cracked with sufficient computing resources. The encryption is a delay but not a hard-stop protecting your information. If you have access to an encrypted machine like [[Core|AniNIX::Core]] there is no reason to keep sensitive information on this, a client device. If you have nothing else, this encryption is better than none.
The Israelis and such have been working out ways to listen with directional mics to crack encryption, and I have no guarantee they didn't use some similar hardware assault to crack the encryption. The algorithm might be smart enough, but the hardware may give rise to a more direct way. Moreover, with the hardware being mobile, the firmware and bootloader could be assaulted to broadcast key signatures from memory, or someone could record you entering the decryption password. Some example vectors are below:
* [http://www.tau.ac.il/~tromer/acoustic/ Accoustic attacks on RSA]
* [https://dx.eng.uiowa.edu/dave/lukstext.php A sample LUKS crack]
* [http://www.prnewswire.com/news-releases/passware-first-to-enable-computer-forensics-to-crack-linux-disk-encryption-luks-300004871.html Another potential LUKS crack]
### Installation
1. Install [[ShadowArch]] to the / partition. Remember to remove the first four lines so that your mount options are used with your storage layout.
1. Create a folder /boot/iso in the / partition.
1. Edit /etc/grub.d/40_custom:
1. See [https://wiki.archlinux.org/index.php/Multiboot_USB_drive Arch's multiboot] for individual GRUB entries.
1. Also see [https://releng.archlinux.org/pxeboot/ Arch's netboot] for a GRUB entry to use for netboot.
1. Load ISOs and pack for travel.
Example 40_custom file:
<pre>
1. !/bin/bash
exec tail -n +3 $0
probe -u $root --set=rootuuid
set imgdevpath="/dev/disk/by-uuid/$rootuuid"
menuentry 'ArchLinux ISO' {
set isofile='/iso/archlinux.iso'
loopback loop $isofile
linux (loop)/arch/boot/x86_64/vmlinuz archisodevice=/dev/loop0 img_dev=$imgdevpath img_loop=$isofile earlymodules=loop
initrd (loop)/arch/boot/x86_64/archiso.img
}
menuentry "Kali Linux ISO" {
set isofile='/iso/kali-linux.iso'
loopback loop $isofile
linux (loop)/live/vmlinuz boot=live findiso=$isofile noconfig=sudo username=root hostname=kali earlymodules=loop
initrd (loop)/live/initrd.img
}
menuentry "CentOS ISO" {
set isofile='/boot/iso/CentOS.iso'
loopback loop $isofile
linux (loop)/isolinux/vmlinuz noeject inst.stage2=hd:/dev/sdb2:/$isofile
initrd (loop)/isolinux/initrd.img
}
</pre>
### Recommended uses
* ArchLinux ISO: This ISO can be used to have a clean point from which to start -- its signature and size can be compared against [https://archlinux.org/download the ArchLinux page] for integrity.
* Kali Linux ISO: This ISO is a hack suite, porting the latest tools with the user.
* CentOS ISO: This allows a user to access an enterprise network using a trusted OS with a known signature.
* ArchLinux local install: This is a portable workspace for the carrier -- packages installed here will be persistent, and allow the user to boot their own toolset without any or much network traffic.
* Cross-platform storage: This allows Spartacus to perform as a usual flash-drive.
}}The Infrastructure is a conglomerate of machines with mostly proprietary firmware providing power and connectivity to the AniNIX.
## Etymology
This should be self-explanatory -- the Infrastructure describes the lowest-level connection between the digital world of the AniNIX and the physical world. The Infrastructure passes raw resources from the physical world for the AniNIX to manipulate.
## Capacity and Components
The capacity of the Infrastructure is limited by the following areas:
* Power: 1500VA / 900W with surge protection on all sockets and battery power on three sockets for roughly 20 minutes of operation under the usual AniNIX load. [[Category:HasBattery]] Power is provided by Madison Gas & Electric [[Category:MG&E]] via a CyberPower UPS [[Category:CyberPower]]
* Network: Charter Communications modem providing, ostensibly, a 500MB/s upload and 6Gb/s download speed. SpeedTest.com results fluctuate. [[Category:Charter]]
## Hosted Services and Entities
{{Reference|Shadowfeed}}{{Reference|Forge2}}
## Connections
{{Reference|Windows}}
## Additional Reference
For hosts seeking insight into the Infrastructure, they can install the PowerPanel software from CyberPower. ArchLinux contains a copy of it in the AUR: [https://aur.archlinux.org/packages/powerpanel/ linked here]
The following files are then critical for configuration, after the USB device is connected to the monitoring host:
* /etc/pwrstatd.conf
* /etc/powerpanel/pwrstatd-email.sh
* /etc/powerpanel/pwrstatd-lowbatt.sh
* /etc/powerpanel/pwrstatd-powerfail.sh
* /usr/lib/systemd/system/pwrstatd.service
}}A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.
## Etymology
Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.
## Capacity and Components
A Nazara host needs minimal CPU or memory.
## Hosted Services and Entities
Nothing is hosted by a Nazara.
## Connections
Any host should be able to connect to a Nazara with [SSH](../Services/SSH.md) and X11, and it should be able to dial to any service provider.
## Additional Reference
Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.
Print is the printer/scanner of the AniNIX, aimed at offering the option to convert materials from digital to physical and vice-versa.
## Etymology=This entity is self-named.
## Capacity and Components=A [[Category:Brother]]Brother MFC-J430W will fill this role nicely, with color printing, scanning, and (unused) faxing abilities. It can be easily installed from [https://aninix.net/foundation/ConfigPackages/ ConfigPackages].
## Hosted Services and Entities=There are no hosted aspects.
## Connections={{Reference|Core}}
}}[[Category:TODO]]Roomba is a cleaning bot for the AniNIXRufus is an overlay to make use of unused clock cycles on AniNIX hardware. It allows the AniNIX to take what would otherwise be wasted power and network presence and put it to either profit or charity.
## Etymology=Rufus is named after the naked mole rat from the Kim Possible TV series; a ubiquitious companion to the protagonists, Rufus' species is also capable of great feats of digging, given their traditionally subterranean habitat. The Rufus system is equally useful at mining resources for the AniNIX, keeping it online.
## Capacity and Components=Capacity depends on the number of rigs available. A "rig" may simply be a [[Geth/Hub|AniNIX::Geth hub]], a running VM, or a full-featured rig.
Our full-featured rigs are built from cheap consumer-grade parts.<ref name=motherboard>[https://www.youtube.com/watch?v=3YMxGGXme8g Motherboard Ethereum mining presentation], accessed 2/5/18]</ref>. We have a list of our current desired parts at [https://secure.newegg.com/Wishlist/SharedWishlistDetail?ID=vcB3403ONPRZhXHgzQNC%2fg%3d%3d Newegg].
## Hosted Services and Entities
### Ethereum
[https://ethereum.org Ethereum]<ref name=eth>https://wiki.archlinux.org/index.php/Ethereum</ref> is a decentralized currency and contract blockchain.
Install and upgrade python3. From that, we can install [http://raspnode.com/diyEthereumPyeth.html PyEthApp] to mine the currency.
<pre>
pip3 install pyethapp
</pre>
Multiple miners can be supported in a single network, but port 30303 must be forwarded to the first node. Other nodes in the cluster will connect their ethminer to that node.
Funds can be transferred to an Ethereum wallet by TODO.[[Category:TODO]][[Category:Coinbase]]
### Bitcoin
Bitcoin<ref name=btc>https://wiki.archlinux.org/index.php/Bitcoin</ref> is another decentralized blockchain currency -- in fact, it was the first and most popular.
Mining is done by connecting GPU's or [https://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=Raspberry+pi+ASIC+bitcoin ASIC miners] to your host. From there, install bfgminer and benchmark the attached ASIC's. This can be done by standalone block mining or pool mining, where a group of miners agree to mine for the same block through shared and decentralized work.
When satisfied with the operation of the benchmarking, bfgminer can be run with all hardware and a Coinbase address to receive the funds.
### Folding@Home
[https://foldingathome.org/ Folding@Home]<ref name=fah>https://wiki.archlinux.org/index.php/Folding@home</ref> is a Stanford project for protein folding research, helping researchers solve disease problems. This is our premiere project for our [https://aninix.net/pages/charity.php charity work].
Install the [https://aur.archlinux.org/packages/foldingathome/ Folding@Home package] from Stanford. This will allow you to receive units of work from Stanford and process them.
### BOINC
[http://boinc.berkeley.edu/ BOINC] is a Berkley project for supporting underfunded research projects by allowing open computing resources.
Install the [https://www.archlinux.org/packages/?name=boinc-nox boinc-nox]<ref name=boinc>https://wiki.archlinux.org/index.php/BOINC</ref> package from Berkley. Enabling the service will use your compute resources for the needy projects.
## Connections=Rufus runs on any available hardware.
## Additional Reference=[https://aninix.net/irc/ Contact an admin] for current ROI -- example math can be seen in [https://www.youtube.com/watch?v=8eXI_7O4Svc this presentation]. Also, [https://www.youtube.com/watch?v=U_LK0t_qaPo this presentation] offers an overview of how Ethereum the protocol works.}}
## ReferencesThe Shadowfeed is the networking gateway between the AniNIX and the outside world -- it broadcasts the AniNIX signal and allows the network to communicate.
## Etymology
The Shadowfeed is named after a resistance communications network in the Star Wars universe. The [http://starwars.wikia.com/wiki/CIS_Shadowfeed Shadowfeed] was a disseminated network routed through existing communications technology, allowing a separatist movement to broadcast its message.
## Capacity and Components
The Shadowfeed is an Netgear R7000 Nighthawk router hardware flashed with DD-WRT firmware.[[Category:DD-WRT]][[Category:Netgear]] It can hold numerous clients wirelessly, and it supports wired USB 2.0 and 3.0 hard-drives to create simple NAS storage. There are five physical slots, one occupied by wired connection to the Forge2 frame, one by a connection to the Verizon wireless tower, and one to the Infrastructure. One remaining slot is free with a 100ft Cat5e cable and the other reserved for hotswap in case of port failure or LAN need.
<b>Note:</b> the best place we've found to grab firmware updates is [https://ddwrt-kong.clonevince.fr/ this upload site for Kong's builds]. Ensure that you are on build 33525 or later to avoid being vulnerable to [https://aircrack-ng.blogspot.com/2017/10/krack-wpa-vulnerability-key.html KRACK]. Follow the instructions [https://dd-wrt.com/wiki/index.php/Installation from the DD-WRT Wiki] to flash your router with new firmware or to patch. Make sure to watch for the peacocking notes! Use the dork "kong dd-wrt build <buildnumber>" -- if you use Chromecasts for [[Geth|AniNIX::Geth]], make sure to look for explicit validation of the devices, or run your own extensive regressions.
## Hosted Services and Entities
Nothing is hosted by the Shadowfeed, but it is manageable by either SSH or an onboard webserver.[[Category:Lighttpd]]
## Connections
The Shadowfeed has a number of hosts and entities that connect to it -- unknown entities are routed to a guest network, while known hosts are allowed inside the DMZ where they can access internal services. Direct AniNIX network members are listed below.
{{Reference|Core}}{{Reference|Windows}}{{Reference|DarkNet}}{{Reference|Print}}{{Reference|Bastion}}{{Reference|Tricorder}}{{Reference|Geth}}{{Reference|Forge2}}{{Reference|Infrastructure}}
## Additional Reference
### Add NAT Rule
<pre>
iptables -t nat -I PREROUTING -p tcp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.0.1.2 [ -s SourceIP ]
iptables -I FORWARD -p tcp -d 10.0.1.2 --dport 3389 -j ACCEPT
iptables -t nat -I PREROUTING -p udp -d $(nvram get wan_ipaddr) --dport 3389 -j DNAT --to 10.0.1.2 [ -s SourceIP ]
iptables -I FORWARD -p udp -d 10.0.1.2 --dport 3389 -j ACCEPT
</pre>
### Direct config alteration
nvram show will get all the current options, whereas nvram get variable will return a variable.
nvram set or unset change variables.
nvram commit pushes the change.
### Guest Wifi
[https://dd-wrt.com/wiki/index.php/Guest_Network See here.]
### Sample Startup Script
The following will insert firewall lines into your sample startup script to harden your network edge. This allows [[WebServer|web]], [[SSH]], [[IRC]], [[Geth|AniNIX::Geth]], and [[Nazara|bastion]] access through the firewall, dropping all others. It also sets up the block chain for [[Cerberus|AniNIX::Cerberus]].
<pre>
iptables -N severe
iptables -I INPUT 2 -i vlan2 -j DROP
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6641 -j ACCEPT
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 6697 -j ACCEPT
iptables -I INPUT 2 -i vlan2 -p tcp -m tcp --dport 9022 -j ACCEPT
iptables -I INPUT 2 -j severe
iptables -I FORWARD -j severe
</pre>
}}|Tachikoma|Tachikoma are individual user or service machines.|
word
These are named after [https://www.youtube.com/watch?v=lNY53tZ2geg Tachikoma from Ghost in the Shell]. These AI-powered tanks offered personal transportation, concealment,
## Capacity and Components
Capacity is indeterminate -- depends on the hardware being used.
## Hosted Services and Entities=No services should be hosted for Tachikoma, despite [[SSH|an SSH server for remote access]].
## Connections=Varies by purpose}}Omnitool is a mobile smartphone client of the network.
## Etymology
The Tricorder is named after the fictional and ubiquitous devices from the Star Trek universe. Because the Tricorder is useful in a number of situations, hand-held in the same way, and is almost always handled by an Admin save during sleep, the name was apt.
Besides, we like the subtlety, craftiness, and paranoia of the Romulans.
## Capacity and Components
This is a Verizon Wireless Droid Turbo smartphone running the Android OS. [[Category:USCellular]][[Category:Google]]
* 48 hours of usability
* 5.2" Gorilla Glass 4 Display with 1920x1080 resolution
* 32 GB of onboard storage, encrypted with Android PIN
* Microphone
* 16MP Camera
* CDMA, GSM, WCDMA, UMTS, LTE Network-capable with US Cellular SIM
## Hosted Services and Entities
The Tricorder can host a couple remote-management tools.
* Apps can be remotely installed with [https://play.google.com/ Google Play Store].
* Location identification, remote locking, and remote wiping can be achieved with [https://google.com/android/devicemanager Google Device Manager].
* SMS, notifications, and call response can be remotely controlled with a vivoactive HR or [https://aninix.net/wiki/Subscriptions##Pushbullet Pushbullet].
## Connections
This device has clients for the following entities.
{{Reference|Singularity}}{{Reference|Yggdrasil}}{{Reference|Eyes}}{{Reference|SSH}}
This device physically can connect to the following.
{{Reference|Infrastructure}}{{Reference|Shadowfeed}}{{Reference|Forge2}}
This device can also extend Bluetooth and WiFi technology to the following devices, to extend the AniNIX's reach.
* Drones, such as the Parrot AR.Drone 2.0, over WiFi
* Smart devices, like the Garmin vivoactive HR smartwatch or smart scales, over bluetooth
* Car and other stereos over Bluetooth (this is particularly useful for playing back audio from Yggdrasil)
* Bluetooth-capable devices for file transfer
* WiFi-capable devices via ad-hoc WiFi network
## Additional Reference
* [https://www.lg.com/us/cell-phones/lg-US701-Black-us-cellular Reference page]
* [https://memory-alpha.wikia.com/wiki/Romulan_tricorder Star Trek Wiki page]
### Recovery Path
Please encrypt your Tricorder for privacy reasons. For those concerned, here is your recovery path, should the device be rendered inoperable or inaccessible.
* The Google Play Store records all applications installed on the phone.
* Music, pictures, and video should be replicated from [[Yggdrasil|AniNIX::Yggdrasil]]. Please use an [[SSH|SFTP]] client to regularly store your necessary files on your AniNIX account, or upload your files to a trusted storage service. For insecure files, [https://drive.google.com Google Drive] is sufficient and free.
* Customizations will be lost but should be easily recreated.
* SSH Keys should be recreated. Remove any existing public keys from servers the device had access to.
* Android devices can be remotely wiped, locked, or pinged from Android Device Manager.
Most severe problems with an Android device can be fixed with a factory reset, patching, app re-installation from the Play Store, and pulling down any desired files. While this is a cumbersome process, for non-rooted, encrypted devices, this is often the easiest route.
}}
{{Mobile}}: <b>Warning: Windows may reformat non-Windows partitions with no warning during boot. We recommend keeping strong backups and controlling when Windows Update runs. See [http://www.omgubuntu.co.uk/2016/08/windows-10-anniversary-update-delete-partition OMGUbuntu's article] for end user experiences.</b>
Windows is a ubiquitous desktop environment for home computing, still compromising the majority of the market. The AniNIX hosts a virtualized Windows host to access the tools and software developed for that OS.
## Etymology
The Windows host is named for the OS it runs.
## Capacity and Components
Windows' components are provided by Microsoft. [[Category:Microsoft]] The Windows host is granted networking, USB assignments, the GTX 760 pair, 2TB of storage, 8 GB RAM, and 4 cores from [[Forge2]].
## Hosted Services and Entities
{{Reference|Games}}{{Reference|VirusScan}}
### Customization
There is a desktop theme available to skin the Windows desktop environment in the same fashion as [[ShadowArch]], the WebServer and the Wiki. Download it from [https://aninix.net/aninix.deskthemepack this link].
### Standard Packages
Available from [https://aninix.net/wolfpack WolfPack's repo]:
* SeaMonkey Browser
* Chrome Browser can be used in place of SeaMonkey or in addition to support Chromecasts.
* PuTTY Terminal Emulator
* WinSCP File Transfer
* Launchy to emulate Linux Alt+F2 running
* VNC viewer
* Xming X11 server
* DaemonTools Lite for mounting ISO's.
### Hypervisor Role
A Hypervisor should also be deployed.
* A Windows 10 Pro license offers Hyper-V, which allows enterprise-style VM availability
* VMWare Workstation or VirtualBox are also alternatives.
### Work Role Packages
* WebEx
* AnyConnect
* One productivity suite from:
* LibreOffice
* Microsoft Office
* Notepad++
## Connections
{{Reference|Forge2}}{{Reference|Shadowfeed}}{{Reference|Infrastructure}}
## Additional Reference
Remember the following things when dealing with Windows:
* Windows updates and upgrades stand a very good chance of being destructive to other systems and itself. Never upgrade without a backup, and everything installed on Windows should have an independent recovery plan. See [[Games##Recovery]] for an example.
* Windows tries to send data to Microsoft. Check account settings to opt out.
* Always disable autorun to help slow malware.
### Unified Credentials
Install [https://pgina.org/ pGina] for LDAP authentication, including with [[Sora|AniNIX::Sora]].[[Category:LDAP]]
}}