Compare commits

...

34 Commits

Author SHA1 Message Date
gashapwn
20c2dcbb6f README.md - updated install instructions 2021-03-08 03:19:27 +00:00
gashapwn
57f1085901 added bookdl.pl for downloading books from lainchan 2021-03-08 03:06:33 +00:00
gashapwn
87d1998186 added new .gitignore for json files 2021-03-07 23:23:53 +00:00
gashapwn
f6e1723d3d provision.pl - fixed an escape 2021-03-07 03:05:41 +00:00
gashapwn
d184c69bc4 provision.pl - forgot a file extension 2021-03-07 02:58:41 +00:00
gashapwn
4be664be38 provision.pl - fixing strange problem with relative directories when installing ngircd 2021-03-07 02:41:48 +00:00
gashapwn
821e0ab9d4 provision.pl -- added ngircd and configuration 2021-03-07 02:20:35 +00:00
gashapwn
2d9e582c00 added ngircd.conf 2021-03-07 02:07:23 +00:00
gashapwn
508bbee90b provision.pl - added flag to pull from non-prod branch 2021-03-06 23:48:20 +00:00
gashapwn
b0a547308f .gitignore - adding more test file patterns 2021-03-06 23:21:04 +00:00
gashapwn
1924d66f43 ngircd-ctl.pl - fixed status command 2021-03-06 22:47:30 +00:00
gashapwn
bd187d6964 added ngircd-ctl script 2021-03-06 20:50:09 +00:00
gashapwn
25123376b3 provision.pl - added bash 2021-03-02 20:16:44 +00:00
gashapwn
51e5753902 provision.pl - i think Flask install is working again 2021-03-02 19:47:38 +00:00
gashapwn
d6cc9c5673 provision.pl - komm susser todd 2021-03-02 19:31:29 +00:00
gashapwn
b54c33a442 provision.pl - garbage garbage garbage 2021-03-02 19:24:38 +00:00
gashapwn
a0d7006146 provision.pl - pip3 is garbade 2021-03-02 19:19:34 +00:00
gashapwn
bd9f37a5c7 requirements.txt - fsck fsck fsck fsck 2021-03-02 18:59:16 +00:00
gashapwn
e03153516c provision.pl - replacing pip package with OS package 2021-03-02 18:54:54 +00:00
gashapwn
2017145a4f provision.pl - changing depdendencies for py crypto 2021-03-02 18:48:22 +00:00
gashapwn
7e853ec18e provision.pl - added rust depdendency 2021-03-02 18:31:16 +00:00
gashapwn
983bb3b55e provision.pl - removed password login 2021-03-02 17:18:06 +00:00
gashapwn
8d93df3368 provision.pl - adjust root login regex 2021-03-02 16:53:54 +00:00
gashapwn
572d0ba0a7 provision.pl - disable root login... clean up comments... nopass doas.conf... clobber warning 2021-03-02 16:02:22 +00:00
gashapwn
656183e45b provision.pl - Add prompt for user creation 2021-03-02 15:35:53 +00:00
gashapwn
b1a69ac103 create_user.pl - fixing some newlines 2020-12-29 04:58:33 +00:00
gashapwn
de10cf77bc create_user.pl + provision.pl - updated usage info stuff 2020-12-29 04:51:33 +00:00
gashapwn
b30ebc7f23 create_user.pl - fixed filename test 2020-12-29 04:16:03 +00:00
gashapwn
00e09fd15e create_user.pl - fixed shell enum for STDIN use case 2020-12-29 04:11:50 +00:00
gashapwn
4f4217d4f8 provision.pl - hardcoding URLs to a testing branch like an idiot 2020-12-29 04:06:00 +00:00
gashapwn
37d034767a provision.pl - added JSON perl dependency 2020-12-29 03:58:55 +00:00
gashapwn
3bf739cbe7 create_user.pl - refactored create_user.pl so it can be run with STDIN instead of a file 2020-12-29 03:44:14 +00:00
gashapwn
e71775bf17 provision.pl - wget pulls in user create because vultr 2020-12-20 07:39:34 +00:00
gashapwn
8cfc3140cc provision.pl - added user creation prompt because vultr 2020-12-20 01:59:38 +00:00
8 changed files with 328 additions and 35 deletions

1
.gitignore vendored
View File

@ -3,6 +3,7 @@ test/*
*~ *~
test_*.txt test_*.txt
*/p[0-9].pl */p[0-9].pl
[0-9].pl
notes.txt notes.txt
user_list.txt user_list.txt
.#* .#*

View File

@ -9,13 +9,13 @@
Run the below command to automatically provision the tilde instance Run the below command to automatically provision the tilde instance
``` ```
pkg_add wget && wget 'https://git.lain.church/gashapwn/lyadmin/raw/branch/master/perl-script/provision.pl' -O - | perl pkg_add wget && wget 'https://git.lain.church/gashapwn/lyadmin/raw/branch/master/perl-script/provision.pl'; perl provision.pl
``` ```
or or
``` ```
pkg_add wget && wget 'https://s.lain.la/wrMJw' -O - | perl pkg_add wget && wget wget 'https://s.lain.la/wrMJw'; perl provision.pl
``` ```
After the scripts run, haproxy, the Flask app for user requests (lingyind) and apache will all be installed and started. After the scripts run, haproxy, the Flask app for user requests (lingyind) and apache will all be installed and started.

1
perl-script/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
*.json

92
perl-script/bookdl.pl Normal file
View File

@ -0,0 +1,92 @@
#!/usr/bin/perl
binmode STDOUT, ":utf8";
use warnings;
use strict;
use JSON;
my $THREAD_NO;
my $URL_PREFIX;
my $FN;
my $OUT_DIR;
my %jh;
my @a1;
$URL_PREFIX = "https://lainchan.org/lit/src/";
$THREAD_NO = 4953;
$FN = "$THREAD_NO.json";
$OUT_DIR = "./dl/";
# Read JSON with list of files
open FILE, "<", $FN or die "could not open file";
do{
my $json_str;
local $/=undef;
$json_str = <FILE>;
chomp $json_str;
%jh = %{JSON->new()->decode($json_str)};
};
close FILE;
# anonymous function that returns a list
# of tuples of the below form:
# (file_name, file_url)
@a1 = sub{
my @a0;
my @a2;
my $f1;
# filters for file types we
# dont want to downloads
sub f1 {
return $_[0]->{"ext"} && !($_[0]->{"ext"} =~ /jpe?g/);
}
sub f2 {
return !($_[0]->{"ext"} =~ /png/);
}
sub f3 {
return !($_[0]->{"ext"} =~ /gif/);
}
sub f4 {
return !($_[0]->{"ext"} =~ /webm/);
}
sub f0 {
return f1($_[0]) && f2($_[0]) && f3($_[0]) && f4($_[0])
}
# create an array of files
# that meet our file ext requirement
@a0 = grep {f0($_)} @{$jh{"posts"}};
# do the same filter on the
# extra_files attribute
@a2 = grep {
f0($_)
} map {
@{$_->{"extra_files"}}
} grep {
$_->{"extra_files"}
} @{$jh{"posts"}};
# Return our tuple
return map {
[
sprintf("%s%s", $_->{"filename"}, $_->{"ext"}), # file_name
sprintf("%s%s%s", $URL_PREFIX, $_->{"tim"}, $_->{"ext"}) # file_url
]
} (@a0, @a2);
}->();
# Print a list of wget commands from our tuples
for my $i1 (@a1){
printf("wget -N %s -O '%s%s'\n", scalar $i1->[1], $OUT_DIR, scalar $i1->[0]);
}

View File

@ -0,0 +1,45 @@
[Global]
Name = tildezero.xyz
AdminInfo1 = null
AdminInfo2 = null
AdminEMail = null@null.tld
Info = priv8 pls go away
# MotdFile = /etc/ngircd/ngircd.motd
ServerGID = irc
ServerUID = _ngircd
Ports = 6667
[Limits]
MaxConnections = 50
MaxJoins = 5
[Options]
PAM = no
PredefChannelsOnly = no
RequireAuthPing = no
SyslogFacility = local5
;WebircPassword = webpwd
# Security related settings, useful for running servers with high anonimity, disable if desired
Ident = no
# Global password for all users needed to connect to the server
# Password = abc
# Set this hostname for every client instead of the real one.
# Use %x to add the hashed value of the original hostname.
CloakHost = tildezero.xyz
# Set every clients' user name to their nickname
CloakUserToNick = yes
# Do dns lookup when a user connects
DNS = no
# Enhance user privacy slightly (useful for IRC server on TOR or I2P)
# by censoring some information like idle time, logon time, etc.
MorePrivacy = yes
# Silently drop all incoming CTCP requests
ScrubCTCP = yes
#[Operator]
# Name = someuser
# Password = somepassword

View File

@ -19,41 +19,61 @@ my @g;
# Given a username... prompts and creates that user # Given a username... prompts and creates that user
sub create($){ sub create($){
my $id = $_[0]; my $id;
my $fn1 = $account_dir.$id.".ident"; my $fn1;
my $username; my $username;
my $shell_pref; my $shell_pref;
my $user_email; my $user_email;
my $pub_key; my $pub_key;
my $p0;
# Prompts...
$p0 = [
"Enter username: ",
"Enter pubkey: "
];
$fn1 = "";
if($_[0]){
$id = $_[0];
$fn1 = $account_dir.$id.".ident";
open IN0, $fn1 or die "could not open file $fn1";
$p0 = [ map("", @{$p0}) ];
}else{
*IN0 = *STDIN;
}
# read in username and validate # read in username and validate
open FILE, $fn1 or die "could not open file $fn1"; printf($p0->[0]);
$username = <FILE>; $username = <IN0>;
chomp $username; chomp $username;
if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){ if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){
printf("%s has an INVALID username\n", $id); printf("%s is an INVALID username\n", $id);
die ("oh no"); die ("oh no");
} }
# read in email # read in email
$user_email = <FILE>; $user_email = $_[0] ? <IN0> : "";
chomp $user_email; chomp $user_email;
# read in shell and validate # read in shell and validate
{ {
my $s0 = <FILE>; my $s0;
$s0 = $_[0] ? <IN0> : "SHELL_KSH";
chomp $s0; chomp $s0;
unless($SHELL_ENUM->{$s0}){ unless($SHELL_ENUM->{$s0}){
die "invalid shell setting $s0 in file $id.ident"; die "invalid shell setting $s0";
} }
$shell_pref = $SHELL_ENUM->{$s0}; $shell_pref = $SHELL_ENUM->{$s0};
} }
# read in pub key # read in pub key
$pub_key = <FILE>; printf($p0->[1]);
$pub_key = <IN0>;
chomp $pub_key; chomp $pub_key;
{ {
@ -70,10 +90,10 @@ sub create($){
system($cmd); system($cmd);
system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys"); system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");
system("chmod 711 /home/$username"); system("chmod 711 /home/$username");
system("mv $fn1 $fn1.done"); system("test $fn1 && mv $fn1 $fn1.done");
system("echo $username >> $ul_path"); system("echo $username >> $ul_path");
} }
close FILE; close IN0;
} }
# MAIN starts here # MAIN starts here
@ -92,7 +112,12 @@ if( `pwd` =~ /perl-script\/?\s*$/){
$ul_path = $working_dir."user_list.txt"; $ul_path = $working_dir."user_list.txt";
printf("%s\n", $conf_path); printf("%s\n", $conf_path);
}elsif(!(join(" ", glob("./*")) =~ /perl-script/)){ }elsif(!(join(" ", glob("./*")) =~ /perl-script/)){
die "please run this script with ./perl-script/ as the present working directory"; $SHELL_ENUM = {"SHELL_KSH" => "/bin/ksh"};
create(0);
printf("admin user is now configured\n");
printf("run the below command to continue the install\n");
printf("pkg_add wget && wget 'https://git.lain.church/gashapwn/lyadmin/raw/branch/master/perl-script/provision.pl' -O - | perl");
die "\n\n";
} }
# Opens the conf file to read # Opens the conf file to read
@ -117,4 +142,3 @@ close FILE;
for my $fn (@g){ for my $fn (@g){
create($fn); create($fn);
} }

33
perl-script/ngircd-ctl.pl Normal file
View File

@ -0,0 +1,33 @@
#!/usr/bin/perl
use warnings;
use strict;
my @MY_ARGV = @ARGV;
my $MY_ACMD = shift || "";
my $NGIRCD='ngircd';
my $NGIRCD_UID = 703;
my $NGIRCD_UN = "_ngircd";
my $ERROR = 0;
my $USAGE = "Usage: ngircd-ctl (start|status|stop)";
my $PERM_ERR = "must run as $NGIRCD_UN\nplease run using: doas -u $NGIRCD_UN\n";
unless( getpwuid( $< ) =~ /$NGIRCD_UN/ ){
die $PERM_ERR;
}
if ($MY_ACMD eq "stop"){
$ERROR = system("pkill -u $NGIRCD_UID -x $NGIRCD");
}elsif($MY_ACMD eq "start"){
$ERROR = system("$NGIRCD");
}elsif($MY_ACMD eq "status"){
$ERROR = system("pgrep -u $NGIRCD_UID $NGIRCD");
printf("%s(ok)\n", $NGIRCD) if ($ERROR == 0);
}elsif($MY_ACMD eq "help"){
printf("$USAGE\n");
}else{
printf("$USAGE\n");
}

View File

@ -12,7 +12,10 @@ use strict;
# gashapwn # gashapwn
# Nov 2020 # Nov 2020
my $DEV_FLAG = shift || "";
my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git'; my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git';
my $GIT_BRANCH = length($DEV_FLAG) > 0 ? "-b gasha-branch " : "";
my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/; my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/;
my $INST_DIR = "/tilde"; my $INST_DIR = "/tilde";
@ -23,6 +26,54 @@ my $pwuid;
my $admin_un; my $admin_un;
my $admin_home_dir; my $admin_home_dir;
# Given a username... prompts and creates that user
sub create(){
my $id;
my $username;
my $user_email;
my $pub_key;
my $p0;
# Prompts...
$p0 = [
"Enter username: ",
"Enter pubkey: "
];
# read in username and validate
printf($p0->[0]);
$username = <STDIN>;
chomp $username;
if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){
printf("%s is an INVALID username\n", $id);
die ("oh no");
}
# read in pub key
printf($p0->[1]);
$pub_key = <STDIN>;
chomp $pub_key;
{
# Prompt to make sure the username looks OK
my $cmd;
$cmd = "useradd -m " . $username;
printf("Y/N is this command OK?: %s\n", $cmd);
if(!(<STDIN> =~ /^y/i)){
die "provision cancelled...";
}
# create the user
system($cmd);
system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");
system("chmod 711 /home/$username");
}
}
# Make sure we're running as root # Make sure we're running as root
$pwuid = getpwuid( $< ); $pwuid = getpwuid( $< );
@ -30,18 +81,20 @@ if($pwuid ne "root"){
die "script must be run as root"; die "script must be run as root";
} }
# Check /etc/passwd for the username created during # Make sure script is provisioning a fresh instance
# installation # and doesn't clobber users existing configs
if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){ printf("This script is meant to be run on a fresh install\n");
printf("admin user will be set to %s\n", $admin_un); printf("Y/N OK to proceed?");
}else{
die "create a non-root user & set user passsword before running this script." if(!(<STDIN> =~ /^y/i)){
die "provision cancelled...";
} }
$admin_home_dir = "/home/$admin_un"; unless( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
printf("to provision the instance there must be a non root user with an authorized_keys file");
# grant doas access to admin user printf("creating user...\n");
system("echo 'permit $admin_un' > /etc/doas.conf"); create();
}
# install git # install git
system("pkg_add git"); system("pkg_add git");
@ -53,22 +106,31 @@ system("chown $SVC_ACCT:$SVC_ACCT $INST_DIR");
chdir $INST_DIR; chdir $INST_DIR;
# clone repo # clone repo
system("su $SVC_ACCT -c 'git clone $GIT_REPO'"); system("su $SVC_ACCT -c 'git clone $GIT_BRANCH$GIT_REPO'");
chdir $REPO_DIR; chdir $REPO_DIR;
# Copy the skel directory # Copy the skel directory
system("mkdir ./skel/public_html/cgi"); system("mkdir ./skel/public_html/cgi");
system("cp -r ./skel/* /etc/skel/"); system("cp -r ./skel/* /etc/skel/");
# Check /etc/passwd for the username created during
# installation
if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
# grant doas access to admin user
system("echo 'permit nopass $admin_un' > /etc/doas.conf");
# setup admin user # setup admin user
system("cp -r ./skel/* /home/$admin_un/"); system("cp -r ./skel/* /home/$admin_un/");
system("chown -R $admin_un:$admin_un /home/$admin_un"); system("chown -R $admin_un:$admin_un /home/$admin_un");
system("echo $admin_un >> ./user_list.txt"); system("echo $admin_un >> ./user_list.txt");
}
# Setup the virtual environment # Setup the virtual environment
system("pkg_add python3"); system("pkg_add python3 openssl rust bash");
printf("generating virtual enviornment...\n"); printf("generating virtual enviornment...\n");
system("su $SVC_ACCT -c 'python3 -m venv venv'"); system("su $SVC_ACCT -c 'python3 -m venv venv'");
printf("running pip. can take up to 3 minutes due to slow compilation.\n");
system("su $SVC_ACCT -c '. ./venv/bin/activate && python3 -m pip install --upgrade pip'");
system("su $SVC_ACCT -c '. ./venv/bin/activate && pip3 install -r requirements.txt'"); system("su $SVC_ACCT -c '. ./venv/bin/activate && pip3 install -r requirements.txt'");
system("cp ./perl-script/conf/lingyin.rc /etc/rc.d/lingyind"); system("cp ./perl-script/conf/lingyin.rc /etc/rc.d/lingyind");
@ -111,5 +173,40 @@ system("cp ./perl-script/conf/haproxy.cfg /etc/haproxy/haproxy.cfg");
system("rcctl enable haproxy"); system("rcctl enable haproxy");
system("rcctl start haproxy"); system("rcctl start haproxy");
# Install and configure ngircd and delegation
system("pkg_add ngircd");
# irc group is used for granting permissions
# to irc admins
system("groupadd irc");
system("usermod -G irc _ngircd");
# allow doas for irc admins
system("echo 'permit nopass :irc as _ngircd' >> /etc/doas.conf");
# Copy over our conf file to /etc
# and set permissions
chdir "$INST_DIR/$REPO_DIR";
system("chmod 750 /etc/ngircd");
system("cp ./perl-script/conf/ngircd.conf /etc/ngircd/ngircd.conf");
system("chmod -R 660 /etc/ngircd/*");
system("chown -R _ngircd:irc /etc/ngircd/");
# copy over our admin script and set permissions
system("cp ./perl-script/ngircd-ctl.pl /usr/local/sbin/ngircd-ctl");
system("chown _ngircd:irc /usr/local/sbin/ngircd-ctl");
system("chmod 770 /usr/local/sbin/ngircd-ctl");
# Disable root login
system("sed -i -e 's/^[^#]*PermitRootLogin.*\$/PermitRootLogin no/' /etc/ssh/sshd_config");
system("sed -i -e 's/^PasswordAuthentication.*\$//' /etc/ssh/sshd_config");
system("echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config");
system("rcctl restart sshd");
printf("\n\nInstall complete\n");
printf("==================================================\n");
printf("Protip: use doas instead of sudo\n");
printf("root login and password login is now disabled, so dont forget\nto set a password\n");
printf("and test your pub key\n");
printf("dont forget to setup your ssh pub key at /home/$admin_un/.ssh/authorized_keys\n");