Commit 2e3e5f76 authored by Nick Busey's avatar Nick Busey

Makefile improvements, adding toke role

parent 516f48fb
Pipeline #37426407 failed with stages
in 38 seconds
......@@ -7,3 +7,4 @@ tincserver
ubuntu-bionic-18.04-cloudimg-console.log
kibitzr.yml
kibitzr-creds.yml
config.yml
# 0.4 Release Candidate
# 0.4
* Vastly improved initial setup
* Upgraded Organizr to v2
* Automated Grafana Configuration
* Added Cloud Bastion Server via Tinc VPN option
* Added individual service toggling via host vars
* Added The Lounge - IRC Bouncer
* Added Radarr - DVR
* Added Sonarr - DVR
* Added Kibitzr - IFTTT replacement
* Added BulletNotes - Note taking application
* Added Emby - Personal Media Server
* Automated Grafana Configuration
* Added Cloud Bastion Server via Tinc VPN option
* Added individual service toggling via host vars
* Upgraded Organizr to v2 - Dashboard
* Removed Koel - Rarely worked
* Removed Convos - Rarely worked
......
.PHONY: logo deploy docs_build restore develop docs_deploy lint
# Deploy HomelabOS
deploy: logo get_roles
ansible-playbook --extra-vars="@config.yml" -i inventory homelabos.yml
deploy: logo
@ansible-playbook --extra-vars="@config.yml" -i inventory homelabos.yml
logo:
cat homelaboslogo.txt
get_roles:
ansible-galaxy --roles-path ./roles install toke.tor
@cat homelaboslogo.txt
# Initial configuration
config: logo
ansible-playbook --extra-vars="@config.yml" -i setup_inventory setup.yml
echo "========== Configuration completed! Now just run 'make' =========="
# If config.yml does not exist, populate it with a 'blank'
# yml file so the first attempt at parsing it succeeds
@[ -f config.yml ] || cp config.yml.blank config.yml
@ansible-playbook --extra-vars="@config.yml" -i setup_inventory setup.yml
@echo "========== Configuration completed! Now just run 'make' =========="
# Reset all local settings
config_reset: logo
cp config.yml.blank config.yml
@cp config.yml.blank config.yml
@echo "========== Configuration reset! Now just run 'make config' =========="
# Update just HomelabOS Services (skipping slower initial setup steps)
update: logo
ansible-playbook --extra-vars="@config.yml" -i inventory -t deploy homelabos.yml
@ansible-playbook --extra-vars="@config.yml" -i inventory -t deploy homelabos.yml
@echo "========== Update completed! =========="
# Build the HomelabOs Documentation - Requires mkdocs with the Material Theme
docs_build: logo
......@@ -36,7 +38,7 @@ restore: logo
ansible-playbook -i inventory restore.yml
# Spin up a development stack
develop: logo get_roles
develop: logo
vagrant plugin install vagrant-disksize
vagrant up
vagrant provision
......
[homelabos]
myserver
[tinc]
tincserver
......@@ -7,17 +7,15 @@
- apt_repository:
repo: "{{item}}"
register: multiverse_installed
update_cache: false # We will do ourselfs afterwards
with_items:
- 'deb http://archive.ubuntu.com/ubuntu bionic universe'
- 'deb-src http://archive.ubuntu.com/ubuntu bionic universe'
- 'deb http://archive.ubuntu.com/ubuntu bionic universe'
- 'deb-src http://archive.ubuntu.com/ubuntu bionic universe'
with_items:
- 'deb http://archive.ubuntu.com/ubuntu bionic universe'
- 'deb-src http://archive.ubuntu.com/ubuntu bionic universe'
- 'deb http://archive.ubuntu.com/ubuntu bionic universe'
- 'deb-src http://archive.ubuntu.com/ubuntu bionic universe'
- apt:
update_cache: true
when: multiverse_installed | changed
- name: Upgrade all dist packages
apt: upgrade=dist
......@@ -26,20 +24,20 @@
- dependencies
- name: Install necessities and nice-to-haves
apt: pkg={{ item }} state=present
with_items:
- apt-transport-https
- git
- htop
- iftop
- iotop
- mosh
- screen
- sudo
- unattended-upgrades
- vim
- zsh
- docker-compose
apt:
name:
- apt-transport-https
- git
- htop
- iftop
- iotop
- mosh
- screen
- sudo
- unattended-upgrades
- vim
- zsh
- docker-compose
tags:
- dependencies
......
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
.hypothesis/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# pyenv
.python-version
# celery beat schedule file
celerybeat-schedule
# SageMath parsed files
*.sage.py
# dotenv
.env
# virtualenv
.venv
venv/
ENV/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
# Contributor Covenant Code of Conduct
## Our Pledge
In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.
## Our Standards
Examples of behavior that contributes to creating a positive environment include:
* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting
## Our Responsibilities
Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.
## Scope
This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at toke@toke.de. The project team will review and investigate all complaints, and will respond in a way that it deems appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.
Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
MIT License
Copyright (c) 2017 Thomas Kerpe
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
# Tor Hidden Services
A role to configure tor hidden services.
Can be found on [ansible-galaxy](https://galaxy.ansible.com/toke/tor/).
## Requirements
_None._
## Role Variables
##### ***Mandatory***:
_None._
##### ***Optional***:
| Name | Description | Default Value |
| :--- | :---------- | :------------ |
| tor_user | User under which tor is running | debian-tor |
| tor_group | Group associated with the tor user | debian-tor |
| tor_become | whether to become root during the installation | true |
| tor_config_dir | Tor configuration file directory | /etc/tor |
| tor_control_port | If set use it as tor control port | _None_ |
| tor_data_directory | | /var/lib/tor |
| tor_password | Password for control port | _None_ |
| tor_root_group | Group of the root-User | root |
| hidden_services | List of services to be set up | _None_ |
##### ***Hidden service***
* **dir**: Directory to store the hidden service configuration.
* **port**: Port to expose to the TOR-Network
* **source**: The ip-address and port of the service to be exposed.
* *version*: When defined used as a hidden service version (usually not set or 3)
## Dependencies
_None._
## Example Playbook
```yaml
- hosts: tor
roles:
- role: toke.tor
hidden_services:
- dir: /var/lib/tor/ssh-onion
port: 22
source: 127.0.0.1:22
- dir: /var/lib/tor/ssh-onion_v3
port: 22
source: 127.0.0.1:22
version: 3
- dir: /var/lib/tor/https-onion
port: 443
source: 127.0.0.1:443
```
## License
MIT License
## Author Information
* [Toke](https://github.com/toke)
* [Madonius](https://github.com/madonius)
---
tor_user: debian-tor
tor_group: debian-tor
tor_become: true
tor_config_dir: /etc/tor
tor_data_directory: /var/lib/tor
tor_root_group: root
#!/usr/bin/env python2
# Make coding more python3-ish
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import binascii
import hashlib
import string
import random
import re
def check_pass(password, password_hash=None, **kwargs):
return _check_pw(password, password_hash)
def hash_pass(password, salt=None, how=96, **kwargs):
return _hash_pw(password, salt, how)
def update_pass(password, password_hash, salt='', how=96, **kwargs):
ret = {
'hash': None,
'changed': None
}
if (_check_pw(password, password_hash) == True):
ret['hash'] = password_hash
ret['changed'] = False
else:
ret['changed'] = True
ret['hash'] = _hash_pw(password, salt, how)
return ret
def _check_pw(password, password_hash=None):
if not re.match('^16:[0-9A-F]{58}$', password_hash):
raise AssertionError("Unexpected password hash: %s" % password_hash)
output_hex = binascii.a2b_hex(password_hash.strip()[3:])
salt, how, _ = output_hex[:8], ord(output_hex[8]), output_hex[9:]
if str(password_hash) == str(_hash_pw(password, salt, how=how)):
return True
else:
return False
def _hash_pw(password, salt=None, how=96):
#"S2K Algorithm, prefix 16:"
if not salt:
salt = ''.join(random.SystemRandom().choice(string.printable) for _ in range(8))
assert len(salt) == 8, "Salt needs to be 8 bytes long"
count = (16 + (how & 15)) << ((how >> 4) + 6)
stuff = salt + password.encode('UTF-8')
repetitions = count // len(stuff) + 1
inp = (stuff * repetitions)[:count]
pwhash = hashlib.sha1(inp).hexdigest()
hashed = ("16:%s%0x%s" % (binascii.b2a_hex(salt), how, pwhash)).upper()
return hashed
# ---- Ansible filters ----
class FilterModule(object):
filter_map = {
'tor_hash_pw': hash_pass,
'tor_check_pw': check_pass,
'tor_update_pw': update_pass
}
def filters(self):
return self.filter_map
---
- name: Reload Tor Service
service:
name: tor
state: reloaded
enabled: yes
when: ansible_distribution != "MaxOSX"
#!/usr/bin/env python2
# -*- coding: utf-8 -*-
import binascii
import hashlib
import string
import random
import re
def update_pass(password, password_hash, salt='', how=96, **kwargs):
ret = {
'hash': None,
'changed': None
}
if (_check_pw(password, password_hash) == True):
ret['hash'] = password_hash
ret['changed'] = False
else:
ret['changed'] = True
ret['hash'] = _hash_pw(password, salt, how)
return ret
def _check_pw(password, password_hash=None):
if not re.match('^16:[0-9A-F]{58}$', password_hash):
raise AssertionError("Unexpected password hash: %s" % password_hash)
output_hex = binascii.a2b_hex(password_hash.strip()[3:])
try:
salt, how, _ = output_hex[:8], ord(output_hex[8]), output_hex[9:]
except TypeError:
salt, how, _ = output_hex[:8], output_hex[8], output_hex[9:]
if str(password_hash) == str(_hash_pw(password, salt, how=how)):
return True
else:
return False
def _hash_pw(password, salt=None, how=96):
#"S2K Algorithm, prefix 16:"
if not salt:
salt = ''.join(random.SystemRandom().choice(string.printable) for _ in range(8)).encode('UTF-8')
assert len(salt) == 8, "Salt needs to be 8 bytes long"
count = (16 + (how & 15)) << ((how >> 4) + 6)
stuff = salt + bytes(password.encode('UTF-8'))
repetitions = count // len(stuff) + 1
inp = (stuff * repetitions)[:count]
pwhash_hex = hashlib.sha1(inp).hexdigest()
salt_hex = binascii.b2a_hex(salt).decode('UTF-8')
hashed = ("16:%s%0x%s" % (salt_hex, how, pwhash_hex)).upper()
return hashed
def enforce_state(module, params):
password = params['password']
password_hash = params['password_hash']
if password_hash:
params['changed'] = not _check_pw(password, password_hash)
params['match'] = _check_pw(password, password_hash)
if params['changed']:
params['password_hash'] = str(_hash_pw(password))
else:
params['changed'] = True
params['password_hash'] = str(_hash_pw(password))
params['msg'] = str(_hash_pw(password))
return params
def main():
module = AnsibleModule(
argument_spec = dict(
password = dict(required = True, no_log=True),
password_hash = dict(required = False, no_log=False)
)
)
results = enforce_state(module, module.params)
module.exit_json(**results)
# this is magic, see lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
main()
{install_date: 'Wed Nov 21 15:36:09 2018', version: master}
---
galaxy_info:
author: Thomas Kerpe <toke@toke.de>
description: Ansible tor hidden services role
license: "MIT"
min_ansible_version: 2.2
platforms:
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
- name: ArchLinux
versions:
- all
- name: Alpine
versions:
- all
galaxy_tags:
- tor
---
- name: Tor packages
package:
name: tor
state: present
become: "{{ tor_become }}"
- name: Manage Hidden Service directories
file:
path: "{{ item.dir }}"
owner: "{{ tor_user }}"
group: "{{ tor_group }}"
mode: 0700
state: directory
with_items:
"{{ hidden_services }}"
when: hidden_services is defined
- set_fact:
tor_stored_hash: "{{ ansible_local.tor.tor_hashed_password | default(omit)}}"
when: ansible_local is defined and ansible_local.tor is defined
- name: Manage the TOR password
include: password.yml
- name: Tor Configuration
template:
src: etc/tor/torrc.j2
dest: "{{ tor_config_dir }}/torrc"
owner: root
group: "{{ tor_root_group }}"
mode: 0644
notify: Reload Tor Service
- meta: flush_handlers
- block:
- name: Tor Service
service:
name: tor
state: started
enabled: yes
- name: wait for all tor hidden services hostname files
wait_for: state=present path="{{ item.dir }}/hostname" delay=5
with_items: "{{ hidden_services }}"
when: ansible_distribution != "MacOSX"
---
- name: Tor Password
tor_password:
password: "{{ tor_control_password }}"
password_hash: "{{ tor_stored_hash | default(omit)}}"
no_log: False
register: tor_password
when: tor_control_password is defined
- debug: msg={{ tor_password }}
## Store password
- set_fact:
tor_persistence:
tor_hashed_password: "{{ tor_password['password_hash'] }}"
when: tor_control_password is defined
## Hack as long We can't read torrc
- name: persist_password hash
template:
src: etc/ansible/facts.d/tor.json.j2
dest: /etc/ansible/facts.d/tor.fact
owner: root
group: root
mode: "0600"
when: tor_persistence is defined
{{ tor_persistence | default({}) | to_nice_json }}
#jinja2: lstrip_blocks: True
########################################
## {{ ansible_managed }}
## Tor configuration
########################################
{% if tor_control_port is defined %}
## The port on which Tor will listen for local connections from Tor
## controller applications, as documented in control-spec.txt.
## Usual Port Number:9051
ControlPort {{ tor_control_port }}
{% endif %}
{% if tor_password is defined and 'password_hash' in tor_password %}
HashedControlPassword {{ tor_password['password_hash'] }}
{% endif %}
## The directory for keeping all the keys/etc. By default, we store
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
DataDirectory {{ tor_data_directory }}
{% if hidden_services is defined %}
## Tor Hidden Service configuration
{% for service in hidden_services %}
HiddenServiceDir {{ service.dir }}
{% if service.version is defined %}
HiddenServiceVersion {{ service.version }}
{% endif %}
HiddenServicePort {{ service.port }} {{ service.source }}
{% endfor %}
{% endif %}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment