AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Compare commits

base: AniNIX:25u
Branches Tags
AniNIX:main AniNIX:improved-ipam AniNIX:25u
AniNIX:0.0
..
compare: AniNIX:improved-ipam
Branches Tags
AniNIX:main AniNIX:improved-ipam AniNIX:25u
AniNIX:0.0

17 Commits
25u ... improved-i

Author SHA1 Message Date
DarkFeather
59b3181d61 Updates for packages 2024-09-02 23:54:57 -05:00
project2501
f139ea55b4 ++precommit-hooks/playbook-lint-check 2024-08-22 15:30:41 -05:00
project2501
2e154389de patching-verification.yml -- trailing whitespace 2024-08-22 10:39:18 -05:00
DarkFeather
f5ef18851c First round injecting news articles into homepages using serverside precompiled snippets 2024-08-20 00:17:09 -05:00
DarkFeather
8886b572b0 Rebuild Pacman keyring 2024-08-12 17:30:29 -05:00
DarkFeather
a17e2c6fe9 Updates for Raspberry Pi 12 Bookworm 2024-07-23 14:18:32 -05:00
DarkFeather
9366d8b6d7 Catch up for Foundation 2024-04-05 13:16:42 -05:00
DarkFeather
5c3eb7f358 Moving VMs to Host cpu emulation 2024-04-04 13:15:38 -05:00
DarkFeather
33cf371a0d Updating roles 2024-04-01 00:53:08 -05:00
DarkFeather
9aa0a89b79 Seeding Aether 2024-04-01 00:52:29 -05:00
DarkFeather
3a01543c8b Capturing APC automation 2024-04-01 00:49:36 -05:00
DarkFeather
87973dfb6e Simplifying group management 2024-04-01 00:49:02 -05:00
DarkFeather
85286b5412 Catching up with automation 2024-04-01 00:47:05 -05:00
DarkFeather
6f36d515e3 AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00
DarkFeather
323b4dd306 Pathing updates for Gitea 1.21.5 -- custom/public to custom/public/assets 2024-03-07 12:28:46 -06:00
DarkFeather
e75d03a313 Update for automated response around poorly behaving archlinux-keyring weekly timer; rename Sora role to Password 2024-03-07 12:27:21 -06:00
DarkFeather
930441ae9a Adding enforcement exit code 2024-01-18 12:04:30 -06:00
191 changed files with 2523 additions and 1896 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@@ -1,11 +1,12 @@
# Generated files
roles/Node/files/*-vm.service
roles/Nazara/files/dns
roles/Nazara/files/dhcp
roles/Chappaai/files/dns
roles/Chappaai/files/dhcp
roles/Node/files/vm-definitions/**
roles/ShadowArch/files/mirrorlist
roles/Sharingan/files/monit/checks/availability
roles/Foundation/files/custom/public/img/**
roles/Maat/files/pacoloco.yaml
venv/**
wiki/**
**/pkg/**

6
README.md
View File

@@ -2,7 +2,9 @@ This project is our Infrastructure-as-Code solution, detailing the deployment &
# Etymology
It is named after the fictional Star Wars Imperial Intelligence organization that oversaw the various divisions of Intelligence and orchestrated their operations. Like its namesake, this project oversees the various tools within our ecosystem and enforces compliance with standards.
It is named after flagship carrier Kapisi from the game [Homeworld: Deserts of Kharak](https://store.steampowered.com/app/281610?snr=5000_5100___primarylinks). The carrier was the command and production center of Operation Khadiim, an expedition to understand an anomaly on their world & escape the fanaticism of their Gaalsien rivals. The S'jet were able to succeed in this mission not only due to the military efficacy of their forces but also through the research and production capabilities available to the Kapisi.
This project seeks to give other admins and engineers to launch their own infrastructures and break out of any strangleholds that may have entangled them, whether that is tribalism, vendor lock, or stigma.
# Relevant Files and Software
@@ -12,7 +14,7 @@ export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/password-store/${organization}.vault.pa
export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault
```
Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own.
Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. The scripts here expect inventories to have layers of groups -- the top group under `all` must be managed vs. unmanaged. The rest of the scripts use YAMLPath to sort out the rest of the groups.
Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/).

3
bin/deploy-role
View File

@@ -1,5 +1,8 @@
#!/bin/bash
# Ensure we are in the source directory.
cd $(dirname $0)/..
# Role is first argument
role="$1"
if [ -z "$role" ]; then

3
bin/full-deploy
View File

@@ -1,5 +1,8 @@
#!/bin/bash
# Ensure we are in the source directory.
cd $(dirname $0)/..
# Arguments
inventory="$1"
if [ "$inventory" == "-h" ] || [ "$inventory" == "--help" ]; then

1
bin/generate-monitoring.py
View File

@@ -11,6 +11,7 @@
import os
import subprocess
import sys
import re
import yaml
rolepath='../roles/Sharingan/files'

66
bin/generate-pihole-dns-dhcp.py
View File

@@ -2,6 +2,7 @@
# File: generate-pihole-dns-dhcp.py
#
# Description: This file generates the DNS and DHCP files for pihole.
# It expects that the inventory has two levels of grouping.
#
# Package: AniNIX/Ubiqtorate
# Copyright: WTFPL
@@ -9,43 +10,37 @@
# Author: DarkFeather <darkfeather@aninix.net>
import os
import re
import subprocess
import sys
import yaml
from kapisi_lib import *
rolepath='../roles/Nazara/files'
rolepath='../roles/Chappaai/files'
dnsfilepath=rolepath+"/dns"
dhcpfilepath=rolepath+"/dhcp"
entryset={}
def WriteDHCPEntry(content,hosttype,hostclass):
def WriteDHCPEntries(replica_domain,dhcpfile):
### Create the DHCP entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global dhcpfile
global entryset
for host in entryset:
# Entries should be:
# dhcp-host=mac,ip,fqdn
dhcpfile.write('dhcp-host=' + entryset[host][1] + ',' + entryset[host][0] + ',' + host + '.' + replica_domain + '\n')
with open(dhcpfilepath,'a') as dhcpfile:
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
dhcpfile.write('dhcp-host=' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['mac'] + ',' + content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ',' + host + '.' + content['all']['vars']['replica_domain'] + '\n')
except:
print(host + ' is not complete for DHCP.')
def WriteDNSEntry(content,hosttype,hostclass):
def WriteDNSEntries(replica_domain,dnsfile):
### Create the DNS entry
# param content: the yaml content to parse
# param hosttype: managed or unmanaged
# param hostclass: the type of host as classified in the yaml
global dnsfile
with open(dnsfilepath,'a') as dnsfile:
# Write host entries
for host in content['all']['children'][hosttype]['children'][hostclass]['hosts']:
try:
dnsfile.write(content['all']['children'][hosttype]['children'][hostclass]['hosts'][host]['ip'] + ' ' + host + '.' + content['all']['vars']['replica_domain'] + ' ' + host + '\n')
except:
print(host + ' is not complete for DNS.')
global entryset
for host in entryset:
# Entries should be:
# ip host fqdn
dnsfile.write(entryset[host][0] + ' ' + host + '.' + replica_domain + ' ' + host + '\n')
def GenerateFiles(file):
### Open the file and parse it
@@ -58,29 +53,30 @@ def GenerateFiles(file):
# Parse the yaml
with open(file, 'r') as stream:
content = yaml.safe_load(stream)
replica_domain = content['all']['vars']['replica_domain']
external_domain = content['all']['vars']['external_domain']
# Clear the DNS file
with open(dhcpfilepath,'w') as dhcpfile:
dhcpfile.write('dhcp-range='+content['all']['vars']['dhcprange']+'\n')
dhcpfile.write('dhcp-option=option:dns-server,'+content['all']['vars']['dns']+'\n\n')
dhcpfile.write('dhcp-range='+content['all']['vars']['staticrange']+'\n')
WriteDHCPEntries(replica_domain,dhcpfile)
with open(dnsfilepath,'w') as dnsfile:
vips=subprocess.run(["/bin/bash", "-c", "echo | openssl s_client -connect "+content['all']['vars']['external_domain']+":443 | openssl x509 -text -noout | grep DNS: | tr ',' '\n' | sed 's/\s\+DNS://' | grep -ivE ^"+content['all']['vars']['external_domain']+" | tr '\n' ' '"], capture_output=True).stdout.decode("utf-8")
dnsfile.write(content['all']['vars']['webfront']+' '+content['all']['vars']['external_domain']+' '+vips+"\n")
# Add DNS entries for each host
hosttype = 'managed'
for hostclass in ['physical','virtual','geth_hubs']:
WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass)
hosttype = 'unmanaged'
for hostclass in ['ovas','test_ovas','appliances','adhoc_appliances','iot']:
WriteDNSEntry(content,hosttype,hostclass)
WriteDHCPEntry(content,hosttype,hostclass)
dnsfile.write(content['all']['vars']['webfront']+' '+external_domain+' '+content['all']['vars']['external_subdomains'].replace(' ','.'+external_domain+' ')+'.'+external_domain+' '+content['all']['vars']['hosted_domains']+"\n")
WriteDNSEntries(replica_domain,dnsfile)
print('Files should be in '+rolepath);
### Main function
# param sys.argv: Input arguments
if __name__ == '__main__':
if len(sys.argv) != 2:
if len(sys.argv) < 2:
print("You need to supply an inventory file.")
sys.exit(1)
if len(sys.argv) == 3:
entryset = TrackIPEntries(sys.argv[1],sys.argv[2])
else:
entryset = TrackIPEntries(sys.argv[1])
GenerateFiles(sys.argv[1])
#dumper.dump(entryset)
sys.exit(0)

2
bin/generate-ssh-keyscan
View File

@@ -1,6 +1,6 @@
#!/bin/bash
# File: gen-ssh-keyscan
# File: ./generate-ssh-keyscan
#
# Description: This file generates a known_host block for the inventory.
#

2
bin/generate-systemd-vms.py
View File

@@ -54,7 +54,7 @@ def WriteVMFile(content,hosttype,hostclass):
vmfile.write('[Service]\n')
vmfile.write('ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/' + host + ' -machine type=pc,accel=kvm')
if 'uefi' in content['all']['children'][hosttype]['children'][hostclass]['hosts'][host].keys(): vmfile.write(' -bios /usr/share/edk2-ovmf/x64/OVMF.fd')
vmfile.write(' -cpu qemu64 -smp ' + cores + ' ' + disks + ' -net nic,macaddr=' + mac + ',model=virtio -net bridge,br=' + bridge + ' -vga std -nographic -vnc :' + str(vnc) + ' -m size=' + str(memory) + 'G -device virtio-rng-pci\n')
vmfile.write(' -cpu host -smp ' + cores + ' ' + disks + ' -net nic,macaddr=' + mac + ',model=virtio -net bridge,br=' + bridge + ' -vga std -nographic -vnc :' + str(vnc) + ' -m size=' + str(memory) + 'G -device virtio-rng-pci\n')
vmfile.write('ExecReload=/bin/kill -HUP $MAINPID\n')
vmfile.write('KillMode=process\n')
vmfile.write('Restart=always\n')

63
bin/kapisi_lib.py Normal file
View File

@@ -0,0 +1,63 @@
import re
import yaml
from types import SimpleNamespace
from yamlpath.common import Parsers
from yamlpath.wrappers import ConsolePrinter
from yamlpath import Processor
from yamlpath import YAMLPath
from yamlpath.exceptions import YAMLPathException
def TrackIPEntries(yaml_file,searchstring='all.children.**.ip'):
### Try to parse an Ansible inventory for hosts with the 'ip' attribute.
# param file: the file to parse
# return: a populated entry set in form [{Host,[ip,mac]},...]
# Borrowing from upstream author's example at https://pypi.org/project/yamlpath/
entryset = {}
# The various classes of this library must be able to write messages somewhere
# when things go bad.
#logging_args = SimpleNamespace(quiet=True, verbose=False, debug=False)
logging_args = SimpleNamespace(quiet=True, verbose=True, debug=True)
log = ConsolePrinter(logging_args)
# Prep the YAML parser
yaml = Parsers.get_yaml_editor()
(yaml_data, doc_loaded) = Parsers.get_yaml_data(yaml, log, yaml_file)
if not doc_loaded:
exit(1)
processor = Processor(log, yaml_data)
yaml_path = YAMLPath(searchstring)
# Create a regex pattern to remove the end of the path
ippattern = re.compile('\.ip$')
try:
for node_coordinate in processor.get_nodes(yaml_path, mustexist=True):
# Strip the path to the host entry.
path = ippattern.sub("",str(node_coordinate.path))
# Pull the IP
ip = str(node_coordinate.node)
# Pull the hosname
splitpath = path.split('.')
hostname = splitpath[len(splitpath)-1]
#print("Got {} from '{}''.".format(ip,path))
# Path the MAC
mac_yaml_path = YAMLPath(path+".mac")
mac=""
try:
for node_coordinate in processor.get_nodes(mac_yaml_path, mustexist=True):
mac = str(node_coordinate.node)
except YAMLPathException as ex:
log.error(ex)
# Add the host to the entryset.
entryset.update({ hostname : [ip,mac] })
except YAMLPathException as ex:
log.error(ex)
finally:
return entryset

5
bin/tmux-hosts
View File

@@ -21,7 +21,7 @@ function usage() {
# Show helptext
# param retcode: what to exit
retcode="$1"
echo "Usage: $0 [ -o offset ] [-g group ] -i inventory.yml"
echo "Usage: $0 [ -o offset ] [-g group ] [-i inventory.yml]"
echo " $0 -h"
echo "Group is optional -- add it if you only want to look at a specific subset."
echo "Add -v for verbosity."
@@ -78,8 +78,7 @@ if [ "$(basename $0)" == "tmux-hosts" ]; then
done
if [ -z "$inventory" ]; then
echo Need an inventory.
usage 2;
inventory=$(grep -E ^inventory ~/.ansible.cfg | cut -f 2 -d '=')
fi
tmuxHosts $(ansible -i "$inventory" --list-hosts "$group"\

88
examples/msn0.yml
View File

@@ -1,7 +1,9 @@
all:
vars:
# Environment-wide data
external_domain: aninix.net
external_domain: "aninix.net"
external_subdomains: "cyberbrain foundation irc lykos maat password sharingan singularity superintendent www yggdrasil"
hosted_domains: "travelpawscvt.com"
replica_domain: "MSN0.AniNIX.net"
time_zone: "America/Chicago"
# Services used by all
@@ -19,79 +21,98 @@ all:
ansible_become_method: sudo
ansible_become_user: root
static: false
wireless_ssid: 'Shadowfeed'
wireless_ssid: 'Shadownet'
ansible_python_interpreter: auto_silent
ldap:
server: "10.0.1.3"
orgdn: "dc=aninix,dc=net"
binduser: 'binduser'
userou: 'ou=People'
groupou: 'ou=Group'
filter: '(&(objectClass=person)(!(pwdReset=TRUE)))'
organization: # Information about the group
admin: 'DarkFeather'
email: 'ircs://irc.aninix.net:6697/DarkFeather'
displayname: 'AniNIX'
gpgkey: '904DE6275579CB589D85720C1CC1E3F4ED06F296'
ssl: # Standard SSL cryptographic standards
identity: 'aninix.net-0001' # The Let's Encrypt identity to use
identity: 'aninix.net-0002' # The Let's Encrypt identity to use
ciphersuite: "!NULL:!SSLv2:!SSLv3:!TLSv1:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
children:
managed:
children:
physical: # 10.0.1.0/28
hosts:
Nazara:
Chappaai:
ipinterface: eth0
ip: 10.0.1.2
mac: B8:27:EB:B6:AA:0C
static: true
children:
Node:
hosts:
Node1:
ipinterface: enp1s0
ip: 10.0.1.5
mac: FA:EC:43:87:4D:2D
tap: true
ups: 'aps'
active_vms:
- Yggdrasil
Node2:
ipinterface: enp1s0
ip: 10.0.1.7
mac: 56:02:ef:2c:1f:7c
tap: true
ups: 'cyberpower'
active_vms:
- DarkNet
- Maat
- Sharingan
- Superintendent
Node3:
ipinterface: enp1s0
ip: 10.0.1.8
mac: B2:C6:2C:02:B2:6E
tap: true
Nodelet0:
active_vms:
- TDS-Jump
Geth:
hosts:
Geth0:
ipinterface: eth0
ip: 10.0.1.9
mac: b8:27:eb:9a:73:dd
mac: 84:16:F9:14:15:C5
static: true
k3s_primary: true
Nodelet1:
Geth1:
ipinterface: eth0
ip: 10.0.1.10
mac: E4:5F:01:01:FF:9C
static: true
Nodelet2:
Geth2:
ipinterface: eth0
ip: 10.0.1.11
mac: E4:5F:01:01:FF:D5
static: true
Nodelet3:
Geth3:
ipinterface: eth0
ip: 10.0.1.12
mac: E4:5F:01:01:FF:96
static: true
Nodelet4:
Geth4:
ipinterface: eth0
ip: 10.0.1.13
mac: E4:5F:01:01:FF:E4
static: true
Geth5:
ipinterface: eth0
ip: 10.0.1.14
mac: B8:27:EB:B6:AA:0D
static: true
virtual: # 10.0.1.16/28
vars:
hosts:
Sharingan:
node: Node2
ip: 10.0.1.16
ipinterface: ens3
mac: 00:15:5D:01:02:10
@@ -106,7 +127,6 @@ all:
# On hold because of https://aninix.net/DarkFeather/MSN0/issues/6
holdpkg: "elasticsearch graylog mongodb44-bin mongodb-tools-bin"
DarkNet:
node: Node2
ipinterface: ens3
ip: 10.0.1.17
mac: 00:15:5D:01:02:05
@@ -118,19 +138,18 @@ all:
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
wolfpack_config: 'gitea@foundation.aninix.net:DarkFeather/WolfPack-Config.git'
Maat:
node: Node2
ip: 10.0.1.18
ipinterface: ens3
mac: 00:15:5d:01:02:07
cores: 2
memory: 2
bridge: br0
vscan_enabled: true
vnc: 7
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/Maat.qcow2'
Yggdrasil:
node: Node1
ipinterface: enp1s0f0
ipinterface: ens3
ip: 10.0.1.3
mac: 00:25:90:0d:6e:86
static: true
@@ -142,27 +161,28 @@ all:
memory: 16
bridge: br0
vnc: 1
vscan_enabled: true
disks:
- '-drive format=raw,index=0,media=disk,file=/dev/sda'
- '-drive format=raw,index=0,media=disk,file=/dev/sdb'
- '-drive format=raw,index=0,media=disk,file=/dev/sdc'
- '-drive format=raw,index=0,media=disk,file=/dev/sdd'
geth_hubs: # 10.0.1.32/28
Vergil: # 10.0.1.32/28
vars:
motion_enabled: yes
hosts:
Geth-Hub-1:
Vergil1:
ip: 10.0.1.32
mac: 84:16:F9:14:15:C5
mac: b8:27:eb:9a:73:dd
rotate: 0
remote: NS-RC4NA-14
Geth-Hub-2:
Vergil2:
ip: 10.0.1.33
mac: 84:16:F9:13:B6:E6
motion_enabled: no
rotate: 180
remote: NS-RC4NA-14
Geth-Hub-3:
Vergil3:
ip: 10.0.1.34
mac: b8:27:eb:60:73:68
rotate: 90
@@ -172,8 +192,7 @@ all:
# Both OVA groups are in the same subnet -- test_ovas aren't monitored
ovas: # 10.0.1.48/28
hosts:
Geth:
node: Node2
Superintendent:
ip: 10.0.1.49
mac: DE:8B:9E:19:55:1E
cores: 2
@@ -186,7 +205,6 @@ all:
test_ovas: # 10.0.1.48/28
hosts:
TDS-Jump:
node: Node2
ip: 10.0.1.48
mac: 00:15:5d:01:02:08
cores: 2
@@ -194,7 +212,7 @@ all:
vnc: 4
bridge: br0
disks:
- '-drive format=qcow2,l2-cache-size=8M,file=/mnt/cage2/vm/TDSJump.qcow2'
- '-drive format=qcow2,l2-cache-size=8M,file=/srv/node/vm/TDSJump.qcow2'
DedNet:
ip: 10.0.1.50
mac: 00:15:5d:01:02:09
@@ -248,7 +266,7 @@ all:
# appliances are monitored -- adhoc_appliances are convenience only and not monitored.
appliances:
hosts: # 10.0.1.64/27
Shadowfeed: # Router must be at root
Shadownet: # Router must be at root
ip: 10.0.1.1
mac: 2c:30:33:64:f4:03
Print: # Print is excepted for legacy setup reasons before we laid out subnets.
@@ -267,11 +285,11 @@ all:
hosts: # 10.0.1.64/27
DarkFeather:
ip: 10.0.1.64
mac: D0:40:EF:D4:14:CF
mac: f4:2b:8c:10:31:44
Lykos:
ip: 10.0.1.65
mac: 70:74:14:4F:8E:42
Games:
Node0:
ip: 10.0.1.66
mac: E0:BE:03:77:0E:88
LivingRoomTV:
@@ -283,25 +301,25 @@ all:
TrainingRoomTV:
ip: 10.0.1.71
mac: 80:D2:1D:17:63:10
Tachikoma:
BT:
ip: 10.0.1.72
mac: 90:0f:0c:1a:d3:23
mac: 8A:00:AA:7F:DF:D1
DedSec:
ip: 10.0.1.73
mac: 34:F6:4B:36:12:8F
# dhcp build space: 10.0.1.224/27
iot: # 10.0.2.0/24
hosts:
LinKeuei:
LivingRoomRegulator:
ip: 10.0.2.2
mac: 64:16:66:08:57:F5
Canary:
Monitor:
ip: 10.0.2.3
mac: 18:B4:30:2F:F1:37
Charon:
Gatekeeper:
ip: 10.0.2.4
mac: 64:52:99:14:28:2B
# CanoptekAleph: physical, no network
CanoptekBek:
# CaretakerAlpha has no network
CaretakerBravo:
ip: 10.0.2.5
mac: 40:9F:38:95:06:34

39
playbooks/patching.yml
View File

@@ -9,36 +9,23 @@
# Patch then restart a node
#
#
- hosts: physical,virtual
- hosts: "{{ targets | default('virtual') }}"
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
roles:
- patching
- hosts: physical
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
tasks:
- package:
name: archlinux-keyring
state: latest
- hosts: virtual,geth-hubs
order: sorted
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- patching
- hosts: physical
order: sorted
ignore_unreachable: true
serial: 4
vars:
ansible_become: yes
ansible_become_method: sudo
vars_files:
- "{{ lookup('env', 'ANSIBLE_VAULT_FILE') }}"
roles:
- patching
- include_role:
name: patching
when: targets is unset

33
playbooks/rebuild-pacman-keyring.yml Normal file
View File

@@ -0,0 +1,33 @@
---
- hosts: "{{ targets | default('all') }}"
become: true
gather_facts: false
tasks:
- name: Clean
command: rm -Rf /etc/pacman.d/gnupg
- name: Initialize keyring
command: /usr/bin/pacman-key --init
- name: Add ArchLinux
command: /usr/bin/pacman-key --populate archlinux
- name: Add AniNIX
command: /usr/bin/pacman-key --populate aninix
- name: Locally sign AniNIX
command: /usr/bin/pacman-key --lsign 904DE6275579CB589D85720C1CC1E3F4ED06F296
- name: Update DB
command: /usr/bin/pacman-key --updatedb
- name: Update packages
pacman:
name:
- archlinux-keyring
- ShadowArch
state: latest
update_cache: true

7
precommit-hooks/playbook-lint-check Executable file
View File

@@ -0,0 +1,7 @@
#!/bin/bash
# pre-commit hook to use ansible-lint to check our playbooks.
for file in `find ../playbooks/ -type f`; do
ansible-lint "$file"
done

7
roles/Aether/README.md Normal file
View File

@@ -0,0 +1,7 @@
See [AniNIX/Aether](/AniNIX/Aether) for complete details of the tool.
Role requirements:
* `secrets['Aether']` in Vault
* A YAML list of nodes under the key `Aether_nodes` in Vault
* A host called 'Core' to act as the source
* 22/tcp/sftp access through firewalls to the Core host from any clients

3
roles/Aether/files/backup-entries/Yggdrasil/gitea.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### Gitea ###
tar cvzf "$BACKUPDIR"/gitea.tgz /var/lib/gitea/data

3
roles/Aether/files/backup-entries/Yggdrasil/grimoire.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### Grimoire ###
sudo -u postgres pg_dumpall > "$BACKUPDIR"/grimoire.sql

3
roles/Aether/files/backup-entries/Yggdrasil/irc.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### IRC Services ###
cp /opt/anope/data/anope.db "$BACKUPDIR"

9
roles/Aether/files/backup-entries/Yggdrasil/wiki.backup.script Normal file
View File

@@ -0,0 +1,9 @@
#!/bin/bash
### Wiki ###
mkdir "$BACKUPDIR"/wiki/
for i in `find /usr/share/webapps/ -maxdepth 1 -type d | grep mediawiki`; do
foldername="$(echo "$i" | rev | cut -f 1 -d '/' | rev)"
dbname="$(grep '^\$wgDBname' "$i"/LocalSettings.php | cut -f 2 -d \")"
$BACKUPCMD "${i}"/LocalSettings.php "$BACKUPDIR"/wiki/"$foldername"-localsettings.php
sudo -u postgres pg_dump "$dbname" > "$BACKUPDIR"/wiki/"$dbname".psql
done

3
roles/Aether/files/backup-entries/Yggdrasil/yggdrasil.backup.script Normal file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
### Yggdrasil -- File & SHA list only for space reasons ###
cp /srv/yggdrasil/library.sha256 "$BACKUPDIR"/yggdrasil.library.sha256

146
roles/Aether/files/yggdrasil-check.conf Normal file
View File

@@ -0,0 +1,146 @@
# Example configuration file for AIDE.
# More information about configuration options available in the aide.conf manpage.
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database_in=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
log_level=warning
report_level=changed_attributes
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#
# Here are all the attributes we can check
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
###b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#ANF: allow new files
#ARF: allow removed files
#
# Here are all the digests we can use
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#gost: gost checksum
#whirlpool: whirlpool checksum
# These are the default rules
#R: p+i+l+n+u+g+s+m+c+md5
#L: p+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S
# You can create custom rules - my home made rule definition goes like this
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (Ie. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfile are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Ignore logs
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*

27
roles/Aether/tasks/client.yml Normal file
View File

@@ -0,0 +1,27 @@
---
- name: Copy the key
become: true
copy:
dest: /home/aether/.ssh/aether
content: "{{ aether_key.stdout }}"
- name: Copy the public key
become: true
copy:
dest: /home/aether/.ssh/aether.pub
content: "{{ aether_key.stdout }}"
- name: Enable the service
become: yes
service:
name: aether.timer
state: enabled
running: yes
- name: Enable the service - 2
become: yes
service:
name: aether-gen.timer
state: disabled
running: no

64
roles/Aether/tasks/main.yml Normal file
View File

@@ -0,0 +1,64 @@
---
- name: Install the package
become: true
ignore_errors: true
package:
name: Aether
state: present
- name: Validate the user
vars:
service_account: aether
include_tasks: ../roles/common/service_account.yml
- name: Ensure the Aether identity is protected.
become: true
file:
path: "{{ item }}"
state: directory
owner: aether
group: aether
mode: 0700
loop:
- /home/aether/.ssh
- /usr/local/etc/Aether
- /usr/local/etc/Aether/backup-entries
- /usr/local/backup
- name: Ensure the Aether identity exists
delegate_to: Core # Core will track the identity that will then be shared to everyone else.
become: true
command:
creates: /home/aether/.ssh/aether
chdir: /home/aether/.ssh/
cmd: ssh-keygen -t ed25519 -N "" -f ./aether
- name: Read the Aether identity
become: true
delegate_to: Core
command: cat /home/aether/.ssh/aether
register: aether_key
- name: Read the Aether public identity
become: true
delegate_to: Core
command: cat /home/aether/.ssh/aether.pub
register: aether_pubkey
- include_tasks: source.yml
when: "{{ inventory_hostname }} is 'Core'"
- include_tasks: client.yml
when: "{{ inventory_hostname }} is 'Core'"
- name: Ensure the Aether identity files are protected.
become: true
file:
path: "{{ item }}"
owner: aether
group: aether
mode: 0600
loop:
- /home/aether/.ssh/aether
- /home/aether/.ssh/aether.pub

42
roles/Aether/tasks/source.yml Normal file
View File

@@ -0,0 +1,42 @@
---
- name: Copy the backup scripts
become: yes
copy:
src: "backup-entries/{{ inventory_hostname }}"
dest: "/usr/local/etc/Aether/backup-entries"
owner: aether
group: aether
- name: Seed the backup passphrase
become: yes
copy:
content: "{{ passwords['Aether'] }}"
dest: "/usr/local/etc/Aether/pass.txt"
owner: aether
group: aether
mode: 0600
- name: Enable the generation service
become: yes
when: "{{ inventory_hostname }} == 'Core'"
service:
name: aether-gen.timer
state: enabled
running: yes
- name: Enable the generation service - 2
become: yes
when: "{{ inventory_hostname }} == 'Core'"
service:
name: aether.timer
state: disabled
running: no
- name: Set up the authorized_keys
template:
src: authorized_keys.j2
dest: /home/aether/.ssh/authorized_keys
mode: 0600
owner: aether
group: aether

18
roles/Chappaai/README.md Normal file
View File

@@ -0,0 +1,18 @@
A Chappaai host is a gateway to accessing other hosts. It is a safeguard against admin error.
## Etymology
Chappaai hosts are named to follow the non-English naming of the Stargate network by the other denizens of the galaxy.
They are the first line of defense against administrative error -- similar to the way that [Stargate Command](https://stargate.fandom.com/wiki/Stargate_Command) was for Earth. They prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This prevents infiltration by infections (similar to Goauld) and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
## Capacity and Components
A Chappaai host needs minimal CPU or memory.
## Hosted Services and Entities
Chappaai should host a Pihole installation and [SSH](../Services/SSH.md). It should be linked by NAT to an obscure port to the outside world.
## Connections
Any host should be able to connect to a Chappaai with SSH and X11, and it should be able to dial to any service provider.
## Additional Reference
Chappaai hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.

0
roles/Nazara/files/pihole-FTL.conf → roles/Chappaai/files/pihole-FTL.conf
View File

12
roles/Nazara/tasks/main.yml → roles/Chappaai/tasks/main.yml
View File

@@ -17,7 +17,7 @@
- name: Ensure pihole web admin password
become: yes
command: "pihole -a -p {{ passwords['Nazara'] }}"
command: "pihole -a -p {{ passwords['Chappaai'] }}"
# when: pihole_install.changed
- name: Generate DNS/DHCP from inventory
@@ -25,7 +25,7 @@
run_once: true
command: "python3 ../bin/generate-pihole-dns-dhcp.py {{ inventory_file }}"
- name: Nazara DNS
- name: Chappaai DNS
become: yes
register: dns_updated
copy:
@@ -35,7 +35,7 @@
group: pihole
mode: 0644
- name: Nazara DHCP
- name: Chappaai DHCP
become: yes
register: dhcp_updated
copy:
@@ -45,7 +45,7 @@
group: root
mode: 0644
- name: Nazara Configuration
- name: Chappaai Configuration
become: yes
register: conf_updated
copy:
@@ -56,7 +56,7 @@
mode: 0644
- name: Nazara DHCP Leases dir
- name: Chappaai DHCP Leases dir
become: yes
file:
path: /var/lib/misc/
@@ -65,7 +65,7 @@
group: root
mode: 0777
- name: Nazara DHCP Leases
- name: Chappaai DHCP Leases
become: yes
file:
path: /var/lib/misc/dnsmasq.leases

4
roles/Foundation/files/custom/bin/gen-aninix-custom
View File

@@ -52,7 +52,7 @@ a {
| sed "s/$ROW/$ANINIXROW/gI" \
| sed "s/$NAV/$ANINIXNAV/gI" \
| sed "s/$HOVER/$ANINIXHOVER/gI" \
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/css/theme-aninix.css
| sed "s/$BGCOLOR/$ANINIXBG/gI" > /var/lib/gitea/custom/public/assets/css/theme-aninix.css
cd /var/lib/gitea/web-snippets
head="$(curl -ks https://aninix.net/ | grep -B 99999 -E '^<div class="home"')"
@@ -60,5 +60,5 @@ foot="$(curl -ks https://aninix.net/ | grep -A 99999 -E '<footer>')"
for i in `find . -type f`; do
(echo "$head"
cat "$i"
echo "$foot") > /var/lib/gitea/custom/public/"$i".html
echo "$foot") > /var/lib/gitea/custom/public/assets/"$i".html
done

26
roles/Foundation/files/custom/public/assets/js/aninix.js Normal file
View File

@@ -0,0 +1,26 @@
/* RSS Reading */
function insertNewsSnippet(snippet,tag) {
/* DOM XML handling has been too problematic, so we are now using git-hooks to pre-generate the snippet. This function injects that snippet.
* param snippet: URI for the snippet
* param tag: div tag to overwrite
*/
var http_request = false;
http_request = new XMLHttpRequest();
http_request.open("GET",snippet,true);
http_request.setRequestHeader("Cache-Control", "no-cache");
http_request.setRequestHeader("Pragma", "no-cache");
http_request.onreadystatechange = function() {
if (http_request.readyState == 4) {
if (http_request.status == 200) {
if (http_request.responseText != null) {
document.getElementById(tag).innerHTML = http_request.responseText;
} else {
alert("Failed to receive RSS file from the server - file not found.");
return false;
}
}
}
}
http_request.send(null);
}

472
roles/Foundation/files/custom/public/css/emby-web-dark-theme-BenZuser.css
View File

@@ -1,472 +0,0 @@
/* Borrowed from https://rawgit.com/BenZuser/Emby-Web-Dark-Themes-CSS/master/RED/theme.css */
/*
_________________________________________________________________________
------------------------- COLOR HEX & RGB CODES -------------------------
RED : #E81123 & (232, 17, 35)
DARK COLOR : #94131E
ORANGE : #FF8000 & (255, 128, 0)
DARK COLOR : #BF6000
ORANGE PLEX : #CC7B19 & (204, 123, 25)
DARK COLOR : #B35A00
YELLOW : #BDBD00 & (189, 189, 0)
DARK COLOR : #757500
GREEN : #52B54B & (82, 181, 75)
DARK COLOR : #3E8437
BLUE : #4285F4 & (66, 133, 244)
DARK COLOR : #0C57D6
BLUE DARK : #3367d6 & (51,103,214)
BLUE DARK (DARK) : #1f4698
PURPLE : #673AB7 & (103, 58, 183)
DARK COLOR : #3F2471
GRAY : #7F7F7F & (127, 127, 127)
DARK COLOR : #535353
PINK : #F707DF & (247, 7, 223)
DARK COLOR : #C604B3
*/
/*
_________________________________________________________________________
----------------------- EMBY THEME : ACCENT COLORS ----------------------
---------- Table of Contents ----------
1. ACCENT COLORS
1.1 Buttons
1.1.1 Checkboxes
1.1.2 Rectangles
1.1.3 Links & Text buttons
1.1.4 Others
1.2 Details
1.2.1 Circles
1.2.2 Indicators
1.2.3 Fonts
1.2.4 Icons
1.2.5 Dialogs & Action Sheets
1.2.6 Others
1.3 Fixes
2. MISCELLANEOUS MODIFICATIONS
2.1 Buttons
2.2 Details
2.2.1 Scrollbars
2.2.2 Logos
2.2.3 Others
2.3 Fixes
2.3.1 Dark Colors
*/
/* ------------------------ 1. ACCENT COLORS ------------------------- */
/* ----- 1.1 Buttons ----- */
/* 1.1.1 Checkboxes */
.emby-checkbox:checked + span + span + .checkboxOutline > .checkboxOutlineTick {
background-color: #E81123 !important; }
.emby-checkbox:checked + span + span + .checkboxOutline,
.progressring-spiner {
border-color: #E81123 !important; }
.emby-checkbox:focus + span + .emby-checkbox-focushelper {
background-color: #E81123 !important;
opacity: 0.26 !important; }
/* 1.1.2 Rectangles */
.raised {
background: #404040 !important;
color: #fff !important; }
.button-submit, .button-accent {
background: #E81123 !important;
color: #fff; }
.raised-mini.emby-button {
background: #E81123 !important;
color: #ffffff !important; }
/* Restart */
.btnRestartContainer.emby-button {
background: #E81123 !important;
color: #fff; }
/* Play & Resume */
.btnPlaySimple.emby-button {
background: #E81123 !important;
color: #fff; }
.btnResume.emby-button {
background: #94131E !important;
color: #fff; }
/* 1.1.3 Links & Text buttons */
.button-link, .button-flat-accent, .button-accent-flat,
.textlink {
color: #E81123 !important; }
.button-link:hover, .button-flat-accent:hover,
.button-accent-flat:hover, .textlink:hover {
color: #9b9b9b !important; }
.button-link:active, .button-flat-accent:active,
.button-accent-flat:active, .textlink:active {
color: #94131E !important; }
/* Top Header */
.emby-tab-button-active {
color: #E81123 !important; }
/* 1.1.4 Others */
/* Alpha Picker */
.alphaPickerButton-selected, .alphaPickerButton-tv:focus {
background-color: #E81123 !important;
color: #fff !important; }
/* Radio Buttons */
.mdl-radio__inner-circle {
background: #E81123 !important; }
.mdl-radio__button:checked + .mdl-radio__label + .mdl-radio__outer-circle {
border: 2px solid #E81123 !important; }
.mdl-radio__button:checked:focus + .mdl-radio__label + .mdl-radio__outer-circle + .mdl-radio__inner-circle {
-webkit-box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important;
box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important; }
/* Control Group Buttons */
div[data-role="controlgroup"] a.ui-btn-active[data-role='button'] {
background: #E81123 !important;
color: #ffffff !important; }
/* ----- 1.2 Details ----- */
/* 1.2.1 Circles */
/*.listItemIcon:not(.listItemIcon-transparent) {
background-color: $accent-color !important; }*/
.dashboardSection i.listItemIcon.md-icon {
background-color: #E81123 !important; }
.scheduledTaskPaperIconItem[data-status="Running"] i.listItemIcon.md-icon {
background-color: #94131E !important; }
/* Focus Helper circles */
.paper-icon-button-light:focus {
color: #E81123 !important; }
/* 1.2.2 Indicators */
.countIndicator, .playedIndicator {
background: #E81123 !important; }
.levelNormal {
background-color: #E81123 !important; }
.fullSyncIndicator {
background: #E81123 !important;
color: #fff; }
.playstatebutton-played i, .ratingbutton-withrating i {
color: #E81123 !important; }
p#pUpToDate i.md-icon {
background-color: #E81123 !important; }
/* Loading Spinners */
.mdl-spinner__layer-1, .mdl-spinner__layer-2, .mdl-spinner__layer-3,
.mdl-spinner__layer-4 {
border-color: #E81123 !important; }
.progressring-spiner {
border: 0.25em solid #E81123 !important; }
/* 1.2.3 Fonts */
.selectLabelFocused, .textareaLabelFocused, .inputLabelFocused {
color: #E81123 !important; }
.secondary.listItemBodyText span, div#divRunningTasks span {
color: #E81123 !important; }
/* 1.2.4 Icons */
.starIcon, .mediaInfoTimerIcon {
color: #E81123 !important; }
/* Top Header */
.btnActiveCast {
color: #E81123 !important; }
/* Now Playing Bar & Now Playing Page */
.repeatActive,
button.btnCommand.repeatToggleButton.autoSize.nowPlayingPageRepeatActive {
color: #E81123 !important; }
/* 1.2.5 Dialogs & Action Sheets */
/* 1.2.6 Others */
/* General Accent Color Modifications */
:focus {
outline: #E81123 auto 5px; }
select:focus {
border-color: #E81123 !important; }
::selection {
background-color: #94131E !important; }
.emby-input:focus, .emby-textarea:focus {
border-color: #E81123 !important; }
/* Google Now Playing Bar & Now Playing Page */
.iconOsdProgressInner, .mdl-slider__background-lower, .sliderBubble,
.mdl-slider::-webkit-slider-thumb {
background: #E81123 !important; }
.mdl-slider:focus::-webkit-slider-thumb {
-webkit-box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26);
box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important; }
/* Firefox Now Playing Bar & Now Playing Page */
.mdl-slider::-moz-range-thumb, .mdl-slider::-moz-range-progress {
background: #E81123 !important; }
.mdl-slider:focus::-moz-range-thumb {
box-shadow: 0 0 0 10px rgba(232, 17, 35, 0.26) !important; }
/* Progress Bars */
.itemProgressBarForeground {
background-color: #E81123 !important; }
.taskProgressInner {
background: #E81123 !important; }
/* Google Progress Bars */
progress::-webkit-progress-value {
background: #E81123 !important; }
/* Firefox Progress Bars */
progress::-moz-progress-bar {
background: #E81123 !important; }
/* Edge Progress Bars */
progress {
background: #E81123 !important; }
/* Main Drawers */
.navMenuDivider {
background: #262626 !important; }
.adminDrawerLogo {
border-bottom: 1px solid #262626 !important; }
.mainDrawer {
background: #181818 !important; }
.sidebarHeader {
color: #bbbbbb !important; }
.navMenuOption {
color: #ffffff !important; }
.navMenuOption.navMenuOption-selected {
background: #252528 !important;
color: #E81123 !important; }
.navMenuOption:hover {
background: #252528 !important;
color: #9b9b9b !important; }
/* Metadata Editor */
div.jstree-wholerow.jstree-wholerow-clicked:hover,
div.jstree-wholerow.jstree-wholerow-clicked,
div.jstree-wholerow.jstree-wholerow-hovered {
background: #252528 !important; }
.jstree-anchor.jstree-clicked,
.jstree-anchor.jstree-clicked.jstree-hovered {
background: #252528 !important;
color: #E81123 !important; }
/* Multi-select */
.itemSelectionPanel {
border: 1px solid #E81123 !important; }
.selectionCommandsPanel {
background: #E81123 !important;
color: #fff; }
/* upNextDialog */
.upNextDialog-countdownText {
color: #E81123 !important; }
/* Selection Bars */
.emby-select-selectionbar, .emby-textarea-selectionbar,
.emby-input-selectionbar {
background-color: #E81123 !important; }
/* Media Info Detail Image */
.itemDetailImage.loaded:hover {
border: 1px solid #E81123 !important; }
/* 1.3 Fixes */
/* ------------------ 2. MISCELLANEOUS MODIFICATIONS ----------------- */
/* ----- 2.1 Buttons ----- */
/* Circles */
.fab {
background-color: transparent !important;
-webkit-box-shadow: none !important;
box-shadow: none !important;
-webkit-transition: none !important;
-o-transition: none !important;
transition: none !important; }
/* ----- 2.2 Details ----- */
/* 2.2.1 Scrollbars */
/* Google Chrome */
::-webkit-scrollbar-corner {
background-color: #3B3B3B; }
::-webkit-scrollbar {
width: 10px;
height: 10px;
background-color: #3B3B3B; }
::-webkit-scrollbar-thumb {
-webkit-border-radius: 2px;
border-radius: 2px;
background: #888888; }
/* Google Chrome - Dashboard Drawer */
div.scrollContainer.smoothScrollY::-webkit-scrollbar-corner {
background-color: transparent !important; }
div.scrollContainer.smoothScrollY::-webkit-scrollbar {
width: 2px;
height: 2px;
background-color: transparent !important; }
div.scrollContainer.smoothScrollY::-webkit-scrollbar-thumb {
-webkit-border-radius: 2px;
border-radius: 2px;
background: #888888; }
/* Google Chrome - Filter Dialog */
.dynamicFilterDialog::-webkit-scrollbar-corner {
background-color: transparent !important; }
.dynamicFilterDialog::-webkit-scrollbar {
width: 2px;
height: 2px;
background-color: transparent !important; }
.dynamicFilterDialog::-webkit-scrollbar-thumb {
-webkit-border-radius: 2px;
border-radius: 2px;
background: #888888; }
/* 2.2.2 Logos */
/* Login Page */
.imgLogoIcon {
content: url(https://cdn.rawgit.com/BenZuser/Emby-Dark-Themes-Resources/master/images/logos-and-icons/RED/logo.png) !important; }
/* Main Drawer Mobile */
.adminDrawerLogo img {
content: url(https://cdn.rawgit.com/BenZuser/Emby-Dark-Themes-Resources/master/images/logos-and-icons/RED/logo.png) !important; }
/* Home Page */
.pageTitleWithLogo {
background-image: url(https://cdn.rawgit.com/BenZuser/Emby-Dark-Themes-Resources/master/images/logos-and-icons/RED/logo.png) !important; }
/* 2.2.3 Others */
/* CSS Box */
#txtCustomCss {
height: 300px !important;
overflow-y: scroll !important; }
/* Select Box */
select option {
background-color: #2b2b2b !important;
color: #ffffff !important; }
/* Dialogs */
.formDialogHeader:not(.formDialogHeader-clear),
.formDialogFooter:not(.formDialogFooter-clear) {
background-color: #121212 !important;
color: #fff; }
/* Headers */
.skinHeader {
background-color: #080808 !important;
color: #fff !important; }
.skinHeader-withBackground {
background-color: #080808 !important; }
@supports (backdrop-filter: blur(1.5em)) or (-webkit-backdrop-filter: blur(1.5em)) {
.skinHeader-blurred {
background: rgba(20, 20, 20, 0.7) !important;
-webkit-backdrop-filter: blur(1.5em) !important;
backdrop-filter: blur(1.5em) !important; } }
.skinHeader.semiTransparent {
-webkit-backdrop-filter: none !important;
backdrop-filter: none !important;
background-color: rgba(0, 0, 0, 0.4) !important;
background-image: -webkit-gradient(linear, left top, left bottom, color-stop(10%, rgba(0, 0, 0, 0.7)), color-stop(10%, transparent)) !important;
background-image: -webkit-linear-gradient(top, rgba(0, 0, 0, 0.7) 10%, transparent) !important;
background-image: -moz-linear-gradient(top, rgba(0, 0, 0, 0.7) 10%, transparent) !important;
background-image: -o-linear-gradient(top, rgba(0, 0, 0, 0.7) 10%, transparent) !important;
background-image: linear-gradient(to bottom, rgba(0, 0, 0, 0.7) 10%, transparent) !important; }
.appfooter {
background: #080808 !important;
color: #fff !important; }
@supports (backdrop-filter: blur(10px)) or (-webkit-backdrop-filter: blur(10px)) {
.appfooter-blurred {
background: rgba(24, 24, 24, 0.7) !important;
-webkit-backdrop-filter: blur(20px) !important;
backdrop-filter: blur(20px) !important; } }
/* TV Global Modifications */
.emby-tab-button-active.emby-button-tv {
color: #fff !important; }
.guide-channelHeaderCell, .guide-channelTimeslotHeader {
background: #2e2e2e !important; }
.guide-programTextIcon {
color: #1e1e1e !important;
background: #555 !important; }
.guide-headerTimeslots {
color: #ccc !important; }
/* ----- 2.3 Fixes ----- */
/* 2.3.1 Dark Colors */
.autoorganizetable tbody tr:nth-child(odd) td, .autoorganizetable tbody tr:nth-child(odd) th {
background-color: #222326 !important; }
.autoorganizetable > .table > tbody > tr {
border: 1px solid #222326 !important; }
/*
_____________________________________________________________________
Emby Dark Themes is maintained by Ben Z (BenZuser)
with the contribution of Happy2Play.
_____________________________________________________________________
*/
/* TEMPORARY FIXES */
/* Links */
.searchSuggestionsList a, .noItemsMessage a, a.lnkPremiere {
color: #E81123 !important; }
.searchSuggestionsList a:hover, .noItemsMessage a:hover,
a.lnkPremiere:hover {
color: #9b9b9b !important; }
.searchSuggestionsList a:active, .noItemsMessage a:active,
a.lnkPremiere:active {
color: #94131E !important; }

16
roles/Foundation/files/custom/public/css/theme-aninix.css
View File

File diff suppressed because one or more lines are too long

271
roles/Foundation/files/custom/public/thank-you.html
View File

@@ -1,271 +0,0 @@
<!DOCTYPE html>
<html lang="en-US" class="theme-">
<head data-suburl="">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title> AniNIX </title>
<link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
<meta name="theme-color" content="#ff0000">
<meta name="author" content="AniNIX::Foundation" />
<meta name="description" content="AniNIX::Foundation \\ Code, documentation, and information sharing powered by Gitea (git with a cup of tea)" />
<meta name="keywords" content="go,git,self-hosted,gitea,aninix,aninix::foundation">
<meta name="referrer" content="no-referrer" />
<meta name="_csrf" content="iI1Kkrppem-yCnHGCll-UshSK6A6MTYwMDcwNjM3MTUxOTU5NzYxNg" />
<script>
/*
@licstart The following is the entire license notice for the
JavaScript code in this page.
Copyright (c) 2016 The Gitea Authors
Copyright (c) 2015 The Gogs Authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
---
Licensing information for additional javascript libraries can be found at:
{{StaticUrlPrefix}}/vendor/librejs.html
@licend The above is the entire license notice
for the JavaScript code in this page.
*/
</script>
<script>
window.config = {
AppVer: '1.12.4',
AppSubUrl: '',
StaticUrlPrefix: '',
UseServiceWorker: true ,
csrf: 'iI1Kkrppem-yCnHGCll-UshSK6A6MTYwMDcwNjM3MTUxOTU5NzYxNg',
HighlightJS: false,
Minicolors: false,
SimpleMDE: false,
Tribute: false,
U2F: false,
Heatmap: false,
heatmapUser: null,
NotificationSettings: {
MinTimeout: 10000 ,
TimeoutStep: 10000 ,
MaxTimeout: 60000 ,
EventSourceUpdateTime: 10000 ,
},
};
</script>
<link rel="shortcut icon" href="/img/favicon.png">
<link rel="mask-icon" href="/img/gitea-safari.svg" color="#609926">
<link rel="fluid-icon" href="/img/gitea-lg.png" title="AniNIX">
<link rel="stylesheet" href="/vendor/assets/font-awesome/css/font-awesome.min.css">
<link rel="stylesheet" href="/fomantic/semantic.min.css?v=d8d448774563cec3783c3b65d4e914b6">
<link rel="stylesheet" href="/css/index.css?v=d8d448774563cec3783c3b65d4e914b6">
<noscript>
<style>
.dropdown:hover > .menu { display: block; }
.ui.secondary.menu .dropdown.item > .menu { margin-top: 0; }
</style>
</noscript>
<style class="list-search-style"></style>
<meta property="og:title" content="AniNIX">
<meta property="og:type" content="website" />
<meta property="og:image" content="/img/gitea-lg.png" />
<meta property="og:url" content="https://foundation.aninix.net/" />
<meta property="og:description" content="AniNIX::Foundation \\ Code, documentation, and information sharing powered by Gitea (git with a cup of tea)">
<meta property="og:site_name" content="AniNIX" />
<link rel="stylesheet" href="/css/theme-aninix.css?v=d8d448774563cec3783c3b65d4e914b6">
<link rel="icon" type="image/png" href="/img/AniNIX.png" />
<link rel="alternate" type="application/rss+xml" title="AniNIX::RSS" href="/aninix.xml" />
<link rel='apple-touch-icon' sizes='180x180' href='/img/AniNIX.png' />
<meta name='apple-mobile-web-app-capable' content='yes' />
</head>
<body>
<div class="full height">
<noscript>This website works better with JavaScript.</noscript>
<div class="ui top secondary stackable main menu following bar light">
<div class="ui container" id="navbar">
<div class="item brand" style="justify-content: space-between;">
<a href="/">
<img class="ui mini image" src="/img/gitea-sm.png">
</a>
<div class="ui basic icon button mobile-only" id="navbar-expand-toggle">
<i class="sidebar icon"></i>
</div>
</div>
<a class="item active" href="/">Home</a>
<a class="item " href="/explore/repos">Explore</a>
<a class="item" target="_blank" id="chat" href="https://irc.aninix.net/">Chat</a>
<a class="item" target="_blank" id="pwdchange" href="https://password.aninix.net/">Change Password</a>
<a class="item" id="martialarts" href="/martialarts/">Martial Arts</a>
<a class="item" target="_blank" rel="noopener noreferrer" href="https://docs.gitea.io">Help</a>
<div class="right stackable menu">
<a class="item" href="/user/sign_up">
<svg class="svg octicon-person" width="16" height="16" aria-hidden="true"><use xlink:href="#octicon-person" /></svg> Register
</a>
<a class="item" rel="nofollow" href="/user/login?redirect_to=">
<svg class="svg octicon-sign-in" width="16" height="16" aria-hidden="true"><use xlink:href="#octicon-sign-in" /></svg> Sign In
</a>
</div>
</div>
</div>
<div class="home">
<h2>Thank you for your purchase!</h2>
<footer>
<div class="ui container">
<div class="ui left">
Powered by Gitea Page: <strong>0ms</strong> Template: <strong>0ms</strong>
</div>
<div class="ui right links">
<div class="ui language bottom floating slide up dropdown link item">
<i class="world icon"></i>
<div class="text">English</div>
<div class="menu">
<a lang="en-US" class="item active selected" href="#">English</a>
<a lang="zh-CN" class="item " href="?lang=zh-CN">简体中文</a>
<a lang="zh-HK" class="item " href="?lang=zh-HK">繁體中文(香港)</a>
<a lang="zh-TW" class="item " href="?lang=zh-TW">繁體中文(台灣)</a>
<a lang="de-DE" class="item " href="?lang=de-DE">Deutsch</a>
<a lang="fr-FR" class="item " href="?lang=fr-FR">français</a>
<a lang="nl-NL" class="item " href="?lang=nl-NL">Nederlands</a>
<a lang="lv-LV" class="item " href="?lang=lv-LV">latviešu</a>
<a lang="ru-RU" class="item " href="?lang=ru-RU">русский</a>
<a lang="uk-UA" class="item " href="?lang=uk-UA">Українська</a>
<a lang="ja-JP" class="item " href="?lang=ja-JP">日本語</a>
<a lang="es-ES" class="item " href="?lang=es-ES">español</a>
<a lang="pt-BR" class="item " href="?lang=pt-BR">português do Brasil</a>
<a lang="pl-PL" class="item " href="?lang=pl-PL">polski</a>
<a lang="bg-BG" class="item " href="?lang=bg-BG">български</a>
<a lang="it-IT" class="item " href="?lang=it-IT">italiano</a>
<a lang="fi-FI" class="item " href="?lang=fi-FI">suomi</a>
<a lang="tr-TR" class="item " href="?lang=tr-TR">Türkçe</a>
<a lang="cs-CZ" class="item " href="?lang=cs-CZ">čeština</a>
<a lang="sr-SP" class="item " href="?lang=sr-SP">српски</a>
<a lang="sv-SE" class="item " href="?lang=sv-SE">svenska</a>
<a lang="ko-KR" class="item " href="?lang=ko-KR">한국어</a>
</div>
</div>
<a href="/vendor/librejs.html" data-jslicense="1">JavaScript licenses</a>
<a href="/api/swagger">API</a>
<a target="_blank" rel="noopener noreferrer" href="https://gitea.io">Website</a>
</div>
</div>
</footer>
<script src="/js/jquery.js?v=d8d448774563cec3783c3b65d4e914b6"></script>
<script src="/fomantic/semantic.min.js?v=d8d448774563cec3783c3b65d4e914b6"></script>
<script src="/js/index.js?v=d8d448774563cec3783c3b65d4e914b6"></script>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-18148792-3']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<script src="https://redalert.battleforthenet.com/widget.js" async></script>
<script type="text/javascript">
document.getElementsByClassName('brand')[0].children[0].children[0].src="/img/AniNIX.png";
$('meta[property=og\\:image]').attr('content', '/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('href', '/img/AniNIX.png');
$('link[rel="mask-icon"]').attr('color', '#000000');
document.getElementsById("pwdchange").setAttribute("target","_blank");
document.getElementsById("chat").setAttribute("target","_blank");
</script>
</body>
</html>

1
roles/Foundation/files/custom/templates/custom/header.tmpl
View File

@@ -2,3 +2,4 @@
<link rel="alternate" type="application/rss+xml" title="AniNIX/RSS" href="/aninix.xml" />
<link rel='apple-touch-icon' sizes='180x180' href='/assets/img/AniNIX.png' />
<meta name='apple-mobile-web-app-capable' content='yes' />
<script src="/assets/js/aninix.js"></script>

24
roles/Foundation/files/custom/templates/home.tmpl
View File

@@ -17,7 +17,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<img width=20px height=20px src='/assets/img/icons/Foundation.png'/>
<a href="https://foundation.aninix.net/explore/repos">Open source security</a>
</h1>
<p class="large">
@@ -26,7 +26,7 @@
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/IRCIcon.png'/>
<img width=20px height=20px src='/assets/img/icons/IRC.png'/>
<a href='ircs://aninix.net:6697/#lobby'>Contact us anytime</a>
</h1>
<p class="large">
@@ -36,7 +36,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src="/assets/img/icons/WikiIcon.png"/>
<img width=20px height=20px src="/assets/img/icons/Wiki.png"/>
<a href="/AniNIX/Wiki">Open documentation</a>
</h1>
<p class="large">
@@ -45,11 +45,11 @@
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20x src="/assets/img/icons/MaatIcon.png"/>
<img width=20px height=20x src="/assets/img/icons/Maat.png"/>
<a href="https://maat.aninix.net/">Downloads</a>
</h1>
<p class="large">
We offer downloads from our AniNIX::Maat continuous-deployment system, including static files and packages for <a href="https://archlinux.org/">ArchLinux-style distributions.</a>
We offer downloads from our AniNIX/Maat continuous-deployment system, including static files and packages for <a href="https://archlinux.org/">ArchLinux-style distributions.</a>
</p>
</div>
</div>
@@ -60,13 +60,19 @@
<p>We host a number of web apps to make our users' lives easier.
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="four wide center column"><a title="AniNIX/Singularity" href="https://singularity.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/icons/SingularityIcon.png" /><p>AniNIX/Singularity (News powered by TT-RSS)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Yggdrasil" href="https://yggdrasil.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/icons/YggdrasilIcon.png" /><p>AniNIX/Yggdrasil (Media powered by Emby)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Sharingan" href="https://sharingan.aninix.net"><img src="/assets/img/icons/SharinganIcon.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Sharingan (Monitoring powered by Nagios)</p></a></div>
<div class="four wide center column"><a title="AniNIX/WolfPack" href="https://wolfpack.aninix.net"><img src="/assets/img/icons/WolfPackIcon.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/WolfPack (Botnet download results)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Singularity" href="https://singularity.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" alt=RSS src="/assets/img/icons/Singularity.png" /><p>AniNIX/Singularity (News powered by TT-RSS)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Yggdrasil" href="https://yggdrasil.aninix.net"><img style="width: 50px; height:auto; margin: 0; padding: 0 auto;" src="/assets/img/icons/Yggdrasil.png" /><p>AniNIX/Yggdrasil (Media powered by Emby)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Sharingan" href="https://sharingan.aninix.net"><img src="/assets/img/icons/Sharingan.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Sharingan (Monitoring powered by Graylog)</p></a></div>
<div class="four wide center column"><a title="AniNIX/Cyberbrain" href="https://cyberbrain.aninix.net"><img src="/assets/img/icons/Cyberbrain.png" style="width: 50px; height:auto; margin: 0; padding: 0 auto;" /><p>AniNIX/Cyberbrain (SFTP Dropbox)</p></a></div>
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="sixteen wide center aligned centered column">
<div class="hero" id="latest-news"></div>
<script type="text/javascript">
insertNewsSnippet("https://aninix.net/assets/rss-snippets/aninix","latest-news");
</script>
</div>
<div class="sixteen wide center aligned centered column">
<div class="hero">
<h2>Follow us on social media</h2>

14
roles/Foundation/files/web-snippets/martialarts/index
View File

@@ -2,7 +2,7 @@
<div class="sixteen wide center aligned centered column">
<!--<div class="ui negative message"><p>We are open despite COVID-19 -- those attending in person will need to sign a waiver of health and follow all state requirements, including wearing a mask.</p></div>-->
<div>
<img class="logo" src="/assets/img/icons/MartialArtsIcon.png" />
<img class="logo" src="/assets/img/icons/MartialArts.png" />
</div>
<div class="hero">
<h1 class="ui icon header title">
@@ -16,7 +16,7 @@
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/FoundationIcon.png'/>
<img width=20px height=20px src='/assets/img/icons/Foundation.png'/>
<a href="/mawiki">Open-source</a>
</h1>
<p class="large">
@@ -35,13 +35,13 @@
<div class="ui stackable middle very relaxed page grid">
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20px src="/assets/img/icons/MartialArtsIcon.png"/>
<img width=20px height=20px src="/assets/img/icons/MartialArts.png"/>
<a href="/martialarts/index.html#storefront">Low-cost</a>
</h1>
<p class="large">We are non-profit group -- we train because we feel like it makes life better, not to make money. As such, our costs are publicly documented and our rates match the same. Classes will be informed of potential changes to costs well in advance, and we use recurring payments. We want you thinking about your training, not how you're going to pay for it.</p>
<p class="large">
<ul style="text-align: left;">
<li><b>Cost:</b> $10 per month in-person; $5 per month livestream -- pay below.</li>
<li><b>Cost:</b> Free</li>
<li><b>Lessons:</b>Tuesdays 7-8:30 p.m.</li>
<li><b>Sparring:</b>Tuesdays 6-7 p.m.</li>
<li><b>Shaolin Workouts:</b> Saturday mornings at 8 a.m. </li>
@@ -51,7 +51,7 @@
</div>
<div class="eight wide center column">
<h1 class="hero ui icon header">
<img width=20px height=20x src="/assets/img/icons/IRCIcon.png"/>
<img width=20px height=20x src="/assets/img/icons/IRC.png"/>
<a href="/martialarts/index.html#social">Real-life First</a>
</h1>
<p class="large">
@@ -62,6 +62,10 @@
</div>
</div>
<hr style="margin-top: 50px;" />
<div class="ui stackable middle very relaxed page grid" id="latest-news"></div>
<script type="text/javascript">
insertNewsSnippet("https://aninix.net/assets/rss-snippets/maqotw","latest-news");
</script>
<div class="ui stackable middle very relaxed page grid" id="social">
<div class="sixteen wide center aligned centered column">
<div class="hero">

107
roles/Foundation/files/web-snippets/pay/index
View File

@@ -1,107 +0,0 @@
<div class="ui stackable middle very relaxed page grid">
<script src="https://js.stripe.com/v3"></script>
<div class="sixteen wide center aligned centered column">
<h1 class="ui icon header title">
AniNIX
</h1>
<h2>Our Storefront</h2>
<p>We have limited service offerings available. Please contact an admin on IRC first to arrange the contract, then use the item below to pay the invoice.</p>
</div>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<h1 class="hero ui icon header">
<img width=20px height=20px src='/assets/img/icons/CoreIcon.png'/>
Cybersecurity Consulting
</h1>
<p class="large">The AniNIX offers cybersecurity consulting and advice services on a limited basis. We bill at $20 an hour -- please select your need below after negotiating with an admin.</p>
<p class="large">
<form action="./storefront.html" id="hours">
<label for="hourcount">Hours required</label>
<select name="hourcount" id="hourscount">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
<option value="7">7</option>
<option value="8">8</option>
<option value="9">9</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12">12</option>
<option value="13">13</option>
<option value="14">14</option>
<option value="15">15</option>
<option value="16">16</option>
<option value="17">17</option>
<option value="18">18</option>
<option value="19">19</option>
<option value="20">20</option>
</select>
<br/>
</form>
<!-- START STRIPE CODE -->
<!-- Create a button that your customers click to complete their purchase. Customize the styling to suit your branding. -->
<button
style="background-color:#6772E5;color:#FFF;padding:8px 12px;border:0;border-radius:4px;font-size:1em"
id="checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E"
role="link"
type="button"
>
Checkout
</button>
<div id="error-message"></div>
<script>
(function() {
var stripe = Stripe('pk_live_51HThYnI49P1uFPoX5ARnHSpT9D08Gbfux6O25waFLpPBsnZoLDuqopFAZeLfu0CbbICxEnPZOOLkDLTlcNjkazs100ElKcF2QX');
var checkoutButton = document.getElementById('checkout-button-price_1HTuehI49P1uFPoXCW9pJg5E');
checkoutButton.addEventListener('click', function () {
// When the customer clicks on the button, redirect
// them to Checkout.
stripe.redirectToCheckout({
lineItems: [{price: 'price_1HTuehI49P1uFPoXCW9pJg5E', quantity: parseInt(document.getElementById('hourscount').value)}],
mode: 'payment',
// Do not rely on the redirect to the successUrl for fulfilling
// purchases, customers may not always reach the success_url after
// a successful payment.
// Instead use one of the strategies described in
// https://stripe.com/docs/payments/checkout/fulfill-orders
successUrl: window.location.protocol + '//aninix.net/pay/thank-you.html',
cancelUrl: window.location.protocol + '//aninix.net/pay/storefront.html',
})
.then(function (result) {
if (result.error) {
// If `redirectToCheckout` fails due to a browser or network
// error, display the localized error message to your customer.
var displayError = document.getElementById('error-message');
displayError.textContent = result.error.message;
}
});
});
})();
</script>
<! -- END STRIPE CODE -->
</p>
</div>
</div>
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center column" >
<hr style="margin-top: 50px;" />
<h2>Donate</h2>
<p>If you like what we do, you can also donate on one of these platforms:</p>
<ul style="width:500px;text-align: left;margin:auto;">
<li><a href="https://store.steampowered.com/wishlist/id/darkfeather664/#sort=order">Steam (games)</a></li>
<li><a href="https://www.amazon.com/hz/wishlist/ls/3CORZU03RNWST?ref_=wl_share">Amazon (hardware)</a></li>
<li>BTC 38Nd3SgytdvSmcX3gfHeNAE2B6aPyYbS7s</li>
<li>Coinbase USDC 0x21a05e628Ed622F7594f62Ea3C764bAEF7fE3Bf3</li>
</ul>
</div>
</div>

12
roles/Foundation/files/web-snippets/pay/thank-you
View File

@@ -1,12 +0,0 @@
<div class="ui stackable middle very relaxed page grid">
<div class="sixteen wide center aligned centered column">
<div>
<img class="logo" src="/assets/img/icons/CoreIcon.png" />
</div>
<div class="hero">
<h2 class="ui icon header title">
Thank you for your purchase!
</h2>
</div>
</div>
</div>

31
roles/Foundation/tasks/main.yml
View File

@@ -5,12 +5,6 @@
name:
- gitea
- name: BitBot
become: yes
git:
repo: https://github.com/jesopo/bitbot.git
dest: /opt/bitbot
- name: Make directories
become: yes
file:
@@ -27,7 +21,7 @@
register: config
template:
src: app.ini.j2
dest: /var/lib/gitea/custom/conf/app.ini
dest: /etc/gitea/app.ini
owner: gitea
group: gitea
mode: 0750
@@ -53,7 +47,7 @@
become: yes
get_url:
url: https://github.com/BenZuser/Emby-Web-Dark-Themes-CSS/raw/master/RED/theme.css
dest: /var/lib/gitea/custom/public/css/emby-web-dark-theme-BenZuser.css
dest: /var/lib/gitea/custom/public/assets/css/emby-web-dark-theme-BenZuser.css
owner: gitea
group: gitea
@@ -65,23 +59,6 @@
owner: gitea
group: gitea
- name: Service file
become: yes
register: servicefile
copy:
src: foundation.service
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0755
- name: Ensure default service disabled
become: yes
service:
name: gitea
state: stopped
enabled: no
- name: Generate pages
become: yes
register: custompages
@@ -89,8 +66,8 @@
- name: Restart service
become: yes
when: config.changed or servicefile.changed or custompages.changed
when: config.changed or custompages.changed
service:
name: foundation
name: gitea
state: restarted
enabled: yes

31
roles/Foundation/templates/app.ini.j2
View File

@@ -8,6 +8,7 @@ APP_NAME = AniNIX
RUN_USER = gitea
; Either "dev", "prod" or "test", default is "dev"
RUN_MODE = prod
WORK_PATH = /var/lib/gitea
[repository]
ROOT = repos
@@ -125,8 +126,8 @@ ORG_PAGING_NUM = 50
REPO_PAGING_NUM = 15
[ui.meta]
AUTHOR = AniNIX::Foundation
DESCRIPTION = AniNIX::Foundation \\ Code, documentation, and information sharing powered by Gitea (git with a cup of tea)
AUTHOR = AniNIX/Foundation
DESCRIPTION = AniNIX/Foundation | Code, documentation, and information sharing powered by Gitea (git with a cup of tea)
KEYWORDS = go,git,self-hosted,gitea,aninix,aninix::foundation
[markdown]
@@ -457,8 +458,8 @@ GC_INTERVAL_TIME = 86400
SESSION_LIFE_TIME = 86400
[picture]
AVATAR_UPLOAD_PATH = data/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = data/repo-avatars
AVATAR_UPLOAD_PATH = avatars
REPOSITORY_AVATAR_UPLOAD_PATH = repo-avatars
; How Gitea deals with missing repository avatars
; none = no avatar will be displayed; random = random avatar will be displayed; image = default image will be used
REPOSITORY_AVATAR_FALLBACK = none
@@ -499,26 +500,21 @@ MAX_FILES = 5
FORMAT =
[log]
ROOT_PATH = %(GITEA_WORK_DIR)/log
MODE = console
LEVEL = Info
STACKTRACE_LEVEL = None
logger.router.MODE = ,
logger.xorm.MODE = ,
logger.access.MODE =
ROOT_PATH = /var/log/gitea/
; Either "console", "file", "conn", "smtp" or "database", default is "console"
; Use comma to separate multiple modes, e.g. "console, file"
MODE = console
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Warn
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
STACKTRACE_LEVEL = None
logger.router.MODE = ,
logger.xorm.MODE = ,
logger.access.MODE = console
; Buffer length of the channel, keep it as it is if you don't know what it is.
BUFFER_LEN = 10000
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Info"
ACCESS_LOG_TEMPLATE = {{ '{{' }}.Ctx.RemoteAddr{{ '}}' }} - {{ '{{' }}.Identity{{ '}}' }} {{ '{{' }}.Start.Format "[02/Jan/2006:15:04:05 -0700]" {{ '}}' }} "{{ '{{' }}.Ctx.Req.Method{{ '}}' }} {{ '{{' }}.Ctx.Req.RequestURI{{ '}}' }} {{ '{{' }}.Ctx.Req.Proto{{ '}}' }}" {{ '{{' }}.ResponseWriter.Status{{ '}}' }} {{ '{{' }}.ResponseWriter.Size{{ '}}' }} "{{ '{{' }}.Ctx.Req.Referer{{ '}}' }}\" \"{{ '{{' }}.Ctx.Req.UserAgent{{ '}}' }}"
logger.access.MODE = console
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "Trace"
LEVEL = Info
; Either "Trace", "Debug", "Info", "Warn", "Error", "Critical", default is "None"
STACKTRACE_LEVEL = Critical
;ACCESS_LOG_TEMPLATE =
; Generic log modes
[log.x]
@@ -741,4 +737,3 @@ IS_INPUT_FILE = false
ENABLED = false
; If you want to add authorization, specify a token here
TOKEN =

0
roles/IRC/files/services/ircservices.service → roles/IRC/files/services/anope.service
View File

0
roles/IRC/files/services/irc.service → roles/IRC/files/services/inspircd.service
View File

0
roles/IRC/files/services/ircweb.service → roles/IRC/files/services/kiwiirc.service
View File

8
roles/IRC/tasks/daemon.yml
View File

@@ -38,8 +38,8 @@
become: yes
register: servicesfile
copy:
src: services/irc.service
dest: /usr/lib/systemd/system/irc.service
src: services/inspircd.service
dest: /usr/lib/systemd/system/inspircd.service
owner: root
group: root
mode: 0644
@@ -90,7 +90,7 @@
- name: Ensure service running
become: yes
service:
name: irc
name: inspircd
state: started
enabled: yes
@@ -98,5 +98,5 @@
become: yes
when: templatefiles.changed or servicesfile.changed
service:
name: irc
name: inspircd
state: reloaded

8
roles/IRC/tasks/services.yml
View File

@@ -38,8 +38,8 @@
become: yes
register: servicesfile
copy:
src: services/ircservices.service
dest: /usr/lib/systemd/system/ircservices.service
src: services/anope.service
dest: /usr/lib/systemd/system/anope.service
owner: root
group: root
mode: 0644
@@ -53,7 +53,7 @@
- name: Ensure service running
become: yes
service:
name: ircservices
name: anope
state: started
enabled: yes
@@ -61,5 +61,5 @@
become: yes
when: templatefiles.changed or servicesfile.changed
service:
name: ircservices
name: anope
state: reloaded

8
roles/IRC/tasks/web.yml
View File

@@ -31,8 +31,8 @@
become: yes
register: servicesfile
copy:
src: services/ircweb.service
dest: /usr/lib/systemd/system/ircweb.service
src: services/kiwiirc.service
dest: /usr/lib/systemd/system/kiwiirc.service
owner: root
group: root
mode: 0644
@@ -46,7 +46,7 @@
- name: Ensure service running
become: yes
service:
name: ircweb
name: kiwiirc
state: started
enabled: yes
@@ -54,5 +54,5 @@
become: yes
when: config.changed or servicesfile.changed
service:
name: ircweb
name: kiwiirc
state: reloaded

26
roles/Maat/files/aur.list
View File

@@ -9,35 +9,23 @@ https://aur.archlinux.org/brscan4.git
https://aur.archlinux.org/carbonyl-bin.git
https://aur.archlinux.org/castnow-git.git
https://aur.archlinux.org/ccrypt.git
https://aur.archlinux.org/chromium-pepper-flash.git
https://aur.archlinux.org/defcon.git
https://aur.archlinux.org/discord-cli-git.git
https://aur.archlinux.org/discord-irc.git
https://aur.archlinux.org/downgrader.git
https://aur.archlinux.org/dotnet-core-bin.git
https://aur.archlinux.org/dotnet-runtime-bin.git
https://aur.archlinux.org/freeme2.git
https://aur.archlinux.org/genymotion.git
https://aur.archlinux.org/gnome-alsamixer.git
https://aur.archlinux.org/google-chrome.git
https://aur.archlinux.org/google-earth.git
https://aur.archlinux.org/googlecl.git
https://aur.archlinux.org/googler.git
https://aur.archlinux.org/graylog.git
https://aur.archlinux.org/graylog-collector-sidecar.git
https://aur.archlinux.org/gsa.git
https://aur.archlinux.org/gstreamer0.10-ffmpeg.git
https://aur.archlinux.org/gtk-xfce-engine.git
https://aur.archlinux.org/gvmd.git
https://aur.archlinux.org/gyazo.git
https://aur.archlinux.org/helloworld.git
https://aur.archlinux.org/injection.git
https://aur.archlinux.org/inspircd.git
https://aur.archlinux.org/irker.git
https://aur.archlinux.org/jmtpfs.git
https://aur.archlinux.org/jpcsp.git
https://aur.archlinux.org/js.git
https://aur.archlinux.org/kpcli.git
https://aur.archlinux.org/lib32-glib.git
https://aur.archlinux.org/libdaq.git
https://aur.archlinux.org/libdwarf-20140413.git
@@ -50,28 +38,22 @@ https://aur.archlinux.org/mkinitcpio-utils.git
https://aur.archlinux.org/mpir.git
https://aur.archlinux.org/mongodb-bin.git
https://aur.archlinux.org/mongodb-tools-bin.git
https://aur.archlinux.org/mongosh-bin.git
https://aur.archlinux.org/nordvpn-bin.git
https://aur.archlinux.org/oinkmaster.git
https://aur.archlinux.org/openresty.git
https://aur.archlinux.org/openvas-scanner.git
https://aur.archlinux.org/openvisualtraceroute.git
https://aur.archlinux.org/ospd.git
https://aur.archlinux.org/ospd-openvas.git
https://aur.archlinux.org/ossec-local.git
https://aur.archlinux.org/pwm.git
https://aur.archlinux.org/pcmciautils.git
https://aur.archlinux.org/pdfshuffler.git
https://aur.archlinux.org/pear-net-ldap2.git
https://aur.archlinux.org/perl-clipboard.git
https://aur.archlinux.org/perl-crypt-rijndael.git
https://aur.archlinux.org/perl-expect.git
https://aur.archlinux.org/perl-file-keepass.git
https://aur.archlinux.org/perl-net-sftp-foreign.git
https://aur.archlinux.org/perl-php-serialization.git
https://aur.archlinux.org/perl-sys-mmap.git
https://aur.archlinux.org/perl-term-shellui.git
https://aur.archlinux.org/php-pear.git
https://aur.archlinux.org/php-zts.git
https://aur.archlinux.org/pm-utils.git
https://aur.archlinux.org/powerpanel.git
https://aur.archlinux.org/python-aiohttp.git
@@ -92,16 +74,14 @@ https://aur.archlinux.org/savage.git
https://aur.archlinux.org/self-service-password.git
https://aur.archlinux.org/smarty3.git
https://aur.archlinux.org/suricata.git
https://aur.archlinux.org/swfdec.git
https://aur.archlinux.org/swfdec-gnome.git
https://aur.archlinux.org/systemdjournal2gelf.git
https://aur.archlinux.org/tor-browser-en.git
https://aur.archlinux.org/tor-browser-bin.git
https://aur.archlinux.org/trid.git
https://aur.archlinux.org/tt-rss-auth-ldap-git.git
https://aur.archlinux.org/udisks.git
https://aur.archlinux.org/undvd.git
https://aur.archlinux.org/uniglot.git
https://aur.archlinux.org/unvanquished.git
https://aur.archlinux.org/unvanquished-data.git
https://aur.archlinux.org/vbam-gtk.git
https://aur.archlinux.org/xfce4-mixer.git
https://aur.archlinux.org/xorg-server-utils.git

14
roles/Maat/files/pacoloco.yaml
View File

@@ -1,14 +0,0 @@
port: 9129
download_timeout: 3600 # download will timeout after 3600 seconds
cache_dir: /var/cache/pacoloco
purge_files_after: 360000 # 360000 seconds or 100 hours, 0 to disable
repos:
archlinux:
urls:
- http://mirrors.gigenet.com/archlinux/
- http://mnvoip.mm.fcix.net/archlinux/
- http://mirrors.kernel.org/archlinux/
- http://ftp.osuosl.org/pub/archlinux/
- https://mnvoip.mm.fcix.net/archlinux/
- http://southfront.mm.fcix.net/archlinux/
user_agent: Pacoloco

8
roles/Maat/tasks/main.yml
View File

@@ -17,6 +17,7 @@
- name: Maat configuration
become: yes
register: aurlist
copy:
src: aur.list
dest: /usr/local/etc/Maat/aur.list
@@ -28,6 +29,13 @@
state: restarted
enabled: yes
- name: Start Maat build cycle
become: yes
when: aurlist.changed
service:
name: maat.service
state: started
- name: Generate mirrorlist
delegate_to: localhost
run_once: yes

16
roles/Nazara/README.md
View File

@@ -1,16 +0,0 @@
A Nazara host is a gateway to accessing other hosts. It is a safeguard against admin error.
## Etymology
Nazara hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes and are connected to everything in the ecosystem. They also control DNS, which allows a sort of subliminal control of the entire ecosystem. This is akin to the mastermind [Reaper AI](https://masseffect.fandom.com/wiki/Sovereign) from the Mass Effect franchise, and in fact can be the extinction of any DNS-enabled malware in the ecosystem by sinkholing the Command-and-Control.
## Capacity and Components
A Nazara host needs minimal CPU or memory.
## Hosted Services and Entities
Nazara should host a Pihole installation and [SSH](../Services/SSH.md). It should be NAT'ed to an obscure port to the outside world.
## Connections
Any host should be able to connect to a Nazara with SSH and X11, and it should be able to dial to any service provider.
## Additional Reference
Nazara hosts should be deployed alongside any Hypervisor. They can be as simple as a Pi-hole with SSH access, and they should be allowed to receive SSH connections from a non-tcp/22/ssh port.

8
roles/Node/tasks/main.yml
View File

@@ -61,3 +61,11 @@
when: qemubr.changed or br0.changed
debug:
msg: You may need to restart VMs on the Node.
- name: Enable VMs
become: yes
with_items: "{{ active_vms }}"
service:
name: "{{ item }}-vm.service"
state: started
enabled: yes

14
roles/Node/templates/vm.service.j2
View File

@@ -1,14 +0,0 @@
[Unit]
Description=AniNIX/{{ inventory_hostname }}
After=network.target
[Service]
ExecStart=/usr/sbin/qemu-system-x86_64 -name AniNIX/{{ inventory_hostname }} -machine type=pc,accel=kvm -bios /usr/share/edk2-ovmf/x64/OVMF.fd -cpu host -smp {{ cores }} {{ disks }} -net nic,macaddr={{ mac }},model=virtio -net bridge,br={{ bridge }} -vga std -nographic -vnc :{{ vnc }} -m size={{ memory }}G -device virtio-rng-pci
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=always
User=root
Group=root
[Install]
WantedBy=multi-user.target

0
roles/Sora/README.md → roles/Password/README.md
View File

3
roles/Password/bin/sora-dump-config Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
slapcat -a "(!(entryDN:dnSubtreeMatch:=ou=People,dc=aninix,dc=net))"

19
roles/Password/files/nsswitch.conf Normal file
View File

@@ -0,0 +1,19 @@
# Begin /etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
publickey: files
hosts: files dns myhostname
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: files
# End /etc/nsswitch.conf

12
roles/Password/files/pam.d/atd Normal file
View File

@@ -0,0 +1,12 @@
#%PAM-1.0
auth required pam_unix.so
auth required pam_env.so
account required pam_access.so
account required pam_unix.so
account required pam_time.so
session required pam_loginuid.so
session required pam_limits.so
session required pam_unix.so

6
roles/Password/files/pam.d/chfn Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

4
roles/Password/files/pam.d/chpasswd Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

6
roles/Password/files/pam.d/chsh Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so

11
roles/Password/files/pam.d/crond Normal file
View File

@@ -0,0 +1,11 @@
#
# The PAM configuration file for the cron daemon
#
#
# Although no PAM authentication is called, auth modules
# are used for credential setting
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so
session include system-auth

3
roles/Password/files/pam.d/cups Normal file
View File

@@ -0,0 +1,3 @@
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

4
roles/Password/files/pam.d/groupmems Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

7
roles/Password/files/pam.d/login Normal file
View File

@@ -0,0 +1,7 @@
#%PAM-1.0
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login
password include system-local-login

4
roles/Password/files/pam.d/newusers Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

1
roles/Password/files/pam.d/nslcd.conf Normal file
View File

@@ -0,0 +1 @@
UiqiKXIU

9
roles/Password/files/pam.d/other Normal file
View File

@@ -0,0 +1,9 @@
#%PAM-1.0
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so

5
roles/Password/files/pam.d/passwd Normal file
View File

@@ -0,0 +1,5 @@
#%PAM-1.0
#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password required pam_unix.so sha512 shadow use_authtok
password sufficient pam_ldap.so
password required pam_unix.so sha512 shadow nullok

4
roles/Password/files/pam.d/passwd.pacnew Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth

3
roles/Password/files/pam.d/postgresql Normal file
View File

@@ -0,0 +1,3 @@
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so

8
roles/Password/files/pam.d/remote Normal file
View File

@@ -0,0 +1,8 @@
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-remote-login
account include system-remote-login
session include system-remote-login
password include system-remote-login

13
roles/Password/files/pam.d/rlogin Normal file
View File

@@ -0,0 +1,13 @@
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rlogin" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth sufficient pam_rhosts.so
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include system-auth

11
roles/Password/files/pam.d/rsh Normal file
View File

@@ -0,0 +1,11 @@
#%PAM-1.0
# For root login to succeed here with pam_securetty, "rsh" must be
# listed in /etc/securetty.
auth required pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_rhosts.so
account include system-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
session include system-auth

4
roles/Password/files/pam.d/runuser Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth sufficient pam_rootok.so
session include system-login

4
roles/Password/files/pam.d/runuser-l Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth sufficient pam_rootok.so
session include system-login

1
roles/Password/files/pam.d/screen Normal file
View File

@@ -0,0 +1 @@
auth required pam_unix.so

6
roles/Password/files/pam.d/sshd Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login

6
roles/Password/files/pam.d/sssd-shadowutils Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
account required pam_permit.so

14
roles/Password/files/pam.d/su Normal file
View File

@@ -0,0 +1,14 @@
#%PAM-1.0
auth sufficient pam_ldap.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so

12
roles/Password/files/pam.d/su-l Normal file
View File

@@ -0,0 +1,12 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
session sufficient pam_ldap.so
session required pam_unix.so

10
roles/Password/files/pam.d/su-l.pacnew Normal file
View File

@@ -0,0 +1,10 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password include system-auth

10
roles/Password/files/pam.d/su.pacnew Normal file
View File

@@ -0,0 +1,10 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password include system-auth

4
roles/Password/files/pam.d/sudo Normal file
View File

@@ -0,0 +1,4 @@
#%PAM-1.0
auth include system-auth
account include system-auth
session include system-auth

20
roles/Password/files/pam.d/system-auth Normal file
View File

@@ -0,0 +1,20 @@
#%PAM-1.0
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so

27
roles/Password/files/pam.d/system-auth.pacnew Normal file
View File

@@ -0,0 +1,27 @@
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so

6
roles/Password/files/pam.d/system-local-login Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth include system-login
account include system-login
password include system-login
session include system-login

19
roles/Password/files/pam.d/system-login Normal file
View File

@@ -0,0 +1,19 @@
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_systemd.so
session required pam_env.so
#session required pam_mkhomedir.so skel=/etc/skel umask=0027

20
roles/Password/files/pam.d/system-login.pacnew Normal file
View File

@@ -0,0 +1,20 @@
#%PAM-1.0
auth required pam_shells.so
auth requisite pam_nologin.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_motd.so
session optional pam_mail.so dir=/var/spool/mail standard quiet
session optional pam_umask.so
-session optional pam_systemd.so
session required pam_env.so

6
roles/Password/files/pam.d/system-remote-login Normal file
View File

@@ -0,0 +1,6 @@
#%PAM-1.0
auth include system-login
account include system-login
password include system-login
session include system-login

11
roles/Password/files/pam.d/system-services Normal file
View File

@@ -0,0 +1,11 @@
#%PAM-1.0
auth sufficient pam_permit.so
account include system-auth
session optional pam_loginuid.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
session required pam_env.so

5
roles/Password/files/pam.d/systemd-user Normal file
View File

@@ -0,0 +1,5 @@
# Used by systemd --user instances.
account include system-login
session required pam_loginuid.so
session include system-login

5
roles/Password/files/pam.d/vlock Normal file
View File

@@ -0,0 +1,5 @@
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so

119
roles/Password/files/sora-base-config Normal file
View File

@@ -0,0 +1,119 @@
dn: dc=aninix,dc=net
objectClass: dcObject
objectClass: organization
dc: aninix
o: AniNIXUsers
description: AniNIX::LDAP Crediential Directory
structuralObjectClass: organization
entryUUID: a521b05a-3532-4042-bf8f-3631a1e51b94
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20160901205333Z
entryCSN: 20160901205333.449191Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20160901205333Z
dn: cn=root,dc=aninix,dc=net
objectClass: organizationalRole
cn: root
description: Directory Manager
structuralObjectClass: organizationalRole
entryUUID: 9e4273d9-d002-4015-a774-bed02afd6cc9
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20160901205333Z
pwdLastSuccess: 20220918222625Z
entryCSN: 20220918222625.132392Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20220918222625Z
dn: ou=Group,dc=aninix,dc=net
ou: Group
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 475e1ae1-d992-4a9a-85de-e7f71974ac03
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20160901214257Z
entryCSN: 20160901214257.941445Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20160901214257Z
dn: cn=ldapuser,ou=Group,dc=aninix,dc=net
cn: ldapuser
gidNumber: 10000
objectClass: posixGroup
objectClass: top
structuralObjectClass: posixGroup
entryUUID: dc17d42d-fae9-496d-b362-82f27679476c
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20160903051753Z
entryCSN: 20160903051753.156600Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20160903051753Z
dn: cn=hypervisorauth,ou=Group,dc=aninix,dc=net
cn: hypervisorauth
gidNumber: 10001
objectClass: posixGroup
objectClass: top
structuralObjectClass: posixGroup
entryUUID: 88cb5e2c-ee93-4d62-a83a-63ceff9ceba0
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20160903061147Z
memberUid: lurso3
entryCSN: 20160903061653.689826Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20160903061653Z
dn: ou=pwpolicies,dc=aninix,dc=net
ou: pwpolicies
objectClass: top
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: ee2c6fc6-a40a-4d6f-992e-c1a04439f022
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20161029155416Z
entryCSN: 20161029155416.247439Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20161029155416Z
dn: cn=default,ou=pwpolicies,dc=aninix,dc=net
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: default
sn: Default
pwdAttribute: userPassword
pwdMaxAge: 31536000
pwdExpireWarning: 604800
pwdInHistory: 12
pwdCheckQuality: 1
pwdMaxFailure: 5
pwdLockout: TRUE
pwdLockoutDuration: 86400
pwdGraceAuthNLimit: 3
pwdFailureCountInterval: 3600
pwdMustChange: TRUE
pwdMinLength: 8
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
structuralObjectClass: person
entryUUID: f983ea45-deca-4b8f-8e55-cebbacf392ba
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20161029171109Z
entryCSN: 20161029171109.930559Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20161029171109Z
dn: cn=DarkFeather,ou=Group,dc=aninix,dc=net
cn: DarkFeather
gidNumber: 10002
objectClass: posixGroup
objectClass: top
memberUid: DarkFeather
structuralObjectClass: posixGroup
entryUUID: 1f333fb2-0611-4235-ba07-aa9fa0edb439
creatorsName: cn=root,dc=aninix,dc=net
createTimestamp: 20201018201805Z
entryCSN: 20201018201805.104347Z#000000#000#000000
modifiersName: cn=root,dc=aninix,dc=net
modifyTimestamp: 20201018201805Z

26
roles/Password/package/Makefile Normal file
View File

@@ -0,0 +1,26 @@
binlist = ldap-adduser ldap-userreport ldap-resetpass ldap-recreateuser
filelist = sample-user.ldif
compile:
@echo Nothing to do
install: clean ${binlist} ${filelist}
mkdir -p ${pkgdir}/opt/aninix/Password/
for i in ${filelist}; do install -m 0640 -o ldap -g ldap $$i ${pkgdir}/opt/aninix/Password/; done
mkdir -p ${pkgdir}/usr/local/sbin/
for i in ${binlist}; do install -m 0750 -o root -g root $$i ${pkgdir}/usr/local/sbin; done
test: compile
@echo Nothing to do
clean:
@echo Nothing to do.
diff:
@echo Nothing to do.
reverse:
@echo Nothing to do.
checkperm:
@echo Nothing to do.

46
roles/Password/package/PKGBUILD Normal file
View File

@@ -0,0 +1,46 @@
depends=('bash>=4.4' 'openldap')
makedepends=('make>=4.2')
checkdepends=()
optdepends=()
pkgname="Password-Scripts"
pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
pkgrel=1
pkgrel() {
echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 ))
}
epoch="$(git log | grep -c commit)"
pkgdesc="AniNIX/Password Scripts"
arch=("x86_64")
url="$(git config remote.origin.url | sed 's/.git$//')"
license=('custom')
groups=()
provides=("${pkgname}")
conflicts=()
replaces=("${pkgname,,}" "aninix-${pkgname,,}")
backup=()
options=()
install=
changelog=
source=()
noextract=()
md5sums=()
validpgpkeys=()
prepare() {
git pull || true
}
build() {
make -C ..
}
check() {
chmod -R u+r ../pkg
make -C .. test
}
package() {
export pkgdir="${pkgdir}"
make -C .. install
install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
}

8
roles/Sora/files/ldap-adduser → roles/Password/package/ldap-adduser
View File

@@ -43,16 +43,16 @@ if [ "$?" -eq 0 ]; then
read answer
if [ "$answer" == "YES" ]; then
file="/etc/openldap/users.d/$username.ldif"
cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
cp /opt/aninix/Password/sample-user.ldif "$file"
line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /$username/#" "$file"
line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
ldap-resetpass "$username"
# usermod -a -G ssh-allow,passwdchange "$username"
cp -r /etc/skel "/home/$username"; chmod 0027 "/home/$username"; chown -R "$username": "/home/$username"
fi
rmdir "$lockfile"
exit 0;

22
roles/Password/package/ldap-recreateuser Executable file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
uid="$1"
userfile="/etc/openldap/users.d/$uid.ldif"
if [ -z "$uid" ]; then
echo "Need a user ID (uid)!"
exit 1
fi
if [ ! -f "$userfile" ]; then
ldapsearch -x "uid=${uid}" > "$userfile"
echo "$userfile" had to be created -- please validate before re-running this script.
exit 2
fi
read -sp 'cn=root,dc=aninix,dc=net Password: ' rootdnpw
ldapdelete -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net" && \
ldapadd -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f "$userfile"
exit $?

31
roles/Password/package/ldap-resetpass Executable file
View File

@@ -0,0 +1,31 @@
#!/bin/bash
uid="$1"
if [ -z "$uid" ]; then
echo "Need a user ID (uid)!"
exit 1
fi
read -sp 'cn=root,dc=aninix,dc=net Password: ' rootdnpw
ldappasswd -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 "uid=$uid,ou=People,dc=aninix,dc=net" && \
ldapmodify -D 'cn=root,dc=aninix,dc=net' -w "$rootdnpw" -H ldap://127.0.0.1 -f <(cat <<EOM
dn: uid=$uid,ou=People,dc=aninix,dc=net
changetype: modify
add: pwdReset
pwdReset: TRUE
EOM
)
echo 'As cn=root,cn=config...' && ldapmodify -D 'cn=root,cn=config' -W -H ldap://127.0.0.1 -f <(cat <<EOM
dn: uid=$uid,ou=People,dc=aninix,dc=net
changetype: modify
delete: pwdChangedTime
EOM
)
exit $?

95
roles/Password/package/ldap-userreport Executable file
View File

@@ -0,0 +1,95 @@
#!/bin/bash
function getLDAPAttr() {
### Get an LDAP attribute
# param: filter
# param attribute
filter="${1}"
attribute="${2}"
ldapsearch -x "${filter}" "${attribute}" | grep -E "^${attribute}: " | sed "s/${attribute}: //"
}
# Clear cleanup files
ldif="/root/cleanup.ldif"
>"${ldif}"
bash="/root/cleanup.bash"
echo "#!/bin/bash" > "${bash}"
# Attributes
basedn=`getLDAPAttr '(cn=root)' dn | sed 's/cn=root,//'`
pwdMaxAge=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdMaxAge`
warning=`getLDAPAttr '(&(cn=default)(objectClass=pwdPolicy))' pwdExpireWarning`
pwdWarnAge=$(( $pwdMaxAge - $warning ))
unset EXPIRED EXPIRING OK PENDING
### Check all users
for user in `ldapsearch -x -b "ou=People,$basedn" uid | grep -E ^uid:\ | sed 's/^uid: //'`; do
# Pull changed stats
lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
# created=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep createTimestamp | cut -f 2 -d ' '`
# email=`/usr/sbin/ldapsearch -x "(uid=$user)" | grep mail | cut -f 2 -d ' '`
# If user has PENDING changed, report
if [ -z "$lastChanged" ]; then
if [ -z "${PENDING}" ]; then
PENDING="${user}"
else
PENDING="${PENDING},${user}"
fi
else
delta="$(( `date +%s` - `date -d $(echo $lastChanged | head -c 8) +%s`))"
# Report if user is expired
if [ $delta -gt $pwdMaxAge ]; then
if [ -z "${EXPIRED}" ]; then
EXPIRED="${user}"
else
EXPIRED="${EXPIRED},${user}"
fi
printf "dn: uid=${user},ou=People,${basedn}\nchangetype: delete\n\n" >> "${ldif}"
printf "rm -Rf `getent passwd "${user}" | cut -f 6 -d ':'`\n" >> "${bash}"
# Report if the user is expiring and needs to update their password.
elif [ $delta -gt $pwdWarnAge ] && [ $delta -le $pwdMaxAge ]; then
if [ -z "${EXPIRING}" ]; then
EXPIRING="${user}"
else
EXPIRING="${EXPIRING},${user}"
fi
# Record the user account is OK.
else
if [ -z "${OK}" ]; then
OK="${user}"
else
OK="${OK},${user}"
fi
fi
fi
done
### Results
# Should always have OK users in the tree.
echo "OK: ${OK}"
# Report when there are users that have not changed their password.
# This may be normal, such as for new user accounts, and may not drive action.
if [ -n "$PENDING" ]; then
echo "PENDING: ${PENDING}"
fi
# Report when users are expiring -- give them several notices to fix it.
if [ -n "${EXPIRING}" ]; then
echo "EXPIRING: ${EXPIRING}"
ravensend -c "#tech" -m "The following users are expiring: ${EXPIRING}"
fi
# Report users that have expired. These users should be contacted or removed.
if [ -n "${EXPIRED}" ]; then
echo "EXPIRED: ${EXPIRED}"
echo "Expired users can be cleaned up with ${ldif} and ${bash}"
ravensend -c "#sharingan" -m 'Users have expired and need attention.'
fi

21
roles/Password/package/sample-user.ldif Normal file
View File

@@ -0,0 +1,21 @@
dn: uid=testuser,ou=People,dc=aninix,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
cn: Test User
sn: User
givenName: Test
title: User
telephoneNumber: +0 000 000 0000
mobile: +0 000 000 0000
postalAddress: AddressLine1$AddressLine2$AddressLine3
loginShell: /bin/bash
uidNumber: 10006
gidNumber: 10000
homeDirectory: /home/testuser
description: Work contact
mail: testuser@aninix.net

35
roles/Password/tasks/daemon.yml Normal file
View File

@@ -0,0 +1,35 @@
---
- name: Create the base config
become: yes
template:
src: slapd.ldif
dest: /etc/openldap/slapd.ldif
owner: ldap
group: ldap
mode: 0640
- name: Create the directories
file:
path: "{{ item }}"
owner: ldap
group: ldap
mode: 0700
loop:
- /var/lib/openldap/openldap-data/
- /etc/openldap
- /etc/openldap/users.d
- /etc/openldap/groups.d
- /etc/openldap/slapd.d
- name: Initialize the instance
become: yes
command:
cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap
creates: /etc/openldap/slapd.d/cn=config
- name: Ensure the service
become: yes
service:
name: slapd
state: restarted
enabled: yes

17
roles/Password/tasks/login.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: Set login config
become: yes
template:
src: nslcd.conf.j2
dest: /etc/nslcd.conf
owner: nslcd
group: nslcd
mode: 0600
- name: Ensure login service
become: yes
service:
name: nslcd
state: restarted
enabled: yes

Some files were not shown because too many files have changed in this diff Show More