README.md - fixed wget typo

.gitignore

@@ -3,6 +3,7 @@ test/*
 *~
 test_*.txt
 */p[0-9].pl
+[0-9].pl
 notes.txt
 user_list.txt
-.#*
+.#*

README.md

@@ -0,0 +1,44 @@
+ # lyadmin #
+
+ ## install ##
+
+ Setup a clean instance of OpenBSD
+ 
+ Login as root
+ 
+ Run the below command to automatically provision the tilde instance
+
+ ```
+pkg_add wget && wget 'https://git.lain.church/gashapwn/lyadmin/raw/branch/master/perl-script/provision.pl'; perl provision.pl
+ ```
+
+ or
+
+ ```
+pkg_add wget && wget 'https://s.lain.la/wrMJw' -O provision.pl; perl provision.pl
+ ```
+
+ After the scripts run, haproxy, the Flask app for user requests (lingyind) and apache will all be installed and started.
+
+ lingyind listens on 127.0.0.1 port 5000
+ 
+ apache listens on 127.0.0.1 port 5001
+
+ haproxy listens on port 80 on all interfaces
+
+ You should be able to open your instance by IP address in your browser and see the home page
+
+ Make sure to setup HTTPS, setup authorized keys, disable password auth after install
+
+ ## video tutorial of install ##
+
+ The below video is about 5 minutes and walks through the install of the instance on Digital Ocean.
+
+ Please disregard the comment on total price. The cost is probably higher than $100 depending on instance size. I was slightly tired when making this...
+
+ https://youdieifyou.work/files/vqkiqquzluv.mp4
+
+ ## conf ##
+
+ in lyadmin.conf.json you can change the site name, set your email address and update the list of custom shells available
+

perl-script/.gitignore

@@ -0,0 +1 @@
+*.json

perl-script/bookdl.pl

@@ -0,0 +1,92 @@
+#!/usr/bin/perl
+
+binmode STDOUT, ":utf8";
+
+use warnings;
+use strict;
+
+use JSON;
+
+my $THREAD_NO;
+my $URL_PREFIX;
+
+my $FN;
+my $OUT_DIR;
+
+my %jh;
+
+my @a1;
+
+$URL_PREFIX = "https://lainchan.org/lit/src/";
+$THREAD_NO = 4953;
+$FN = "$THREAD_NO.json";
+$OUT_DIR = "./dl/";
+
+# Read JSON with list of files
+open FILE, "<", $FN or die "could not open file";
+do{
+    my $json_str;
+
+    local $/=undef;
+    
+    $json_str = <FILE>;
+    chomp $json_str;
+    
+    %jh = %{JSON->new()->decode($json_str)};
+};
+close FILE;
+
+# anonymous function that returns a list
+# of tuples of the below form:
+#     (file_name, file_url)
+@a1 = sub{
+    my @a0;
+    my @a2;
+
+    my $f1;
+
+    # filters for file types we
+    # dont want to downloads
+    sub f1 {
+	return $_[0]->{"ext"} && !($_[0]->{"ext"} =~ /jpe?g/);
+    }
+    sub f2 {
+	return !($_[0]->{"ext"} =~ /png/);
+    }
+    sub f3 {
+	return !($_[0]->{"ext"} =~ /gif/);
+    }
+    sub f4 {
+	return !($_[0]->{"ext"} =~ /webm/);
+    }
+    sub f0 {
+	return f1($_[0]) && f2($_[0]) && f3($_[0]) && f4($_[0])	
+    }
+
+    # create an array of files
+    # that meet our file ext requirement
+    @a0 = grep {f0($_)} @{$jh{"posts"}};
+
+    # do the same filter on the
+    # extra_files attribute
+    @a2 = grep {
+	f0($_)
+    } map {
+	@{$_->{"extra_files"}}
+    } grep {
+	$_->{"extra_files"}
+    } @{$jh{"posts"}};
+
+    # Return our tuple
+    return map {
+	[
+	 sprintf("%s%s", $_->{"filename"}, $_->{"ext"}),          # file_name
+	 sprintf("%s%s%s", $URL_PREFIX, $_->{"tim"}, $_->{"ext"}) # file_url
+	]
+    } (@a0, @a2);
+}->();
+
+# Print a list of wget commands from our tuples
+for my $i1 (@a1){
+    printf("wget -N %s -O '%s%s'\n", scalar $i1->[1], $OUT_DIR, scalar $i1->[0]);
+}

perl-script/conf/ngircd.conf

@@ -0,0 +1,45 @@
+[Global]
+    Name = tildezero.xyz
+    AdminInfo1 = null
+    AdminInfo2 = null
+    AdminEMail = null@null.tld
+    Info = priv8 pls go away
+#    MotdFile = /etc/ngircd/ngircd.motd
+    ServerGID = irc
+    ServerUID = _ngircd
+    Ports = 6667
+  
+
+[Limits]
+    MaxConnections = 50
+    MaxJoins = 5
+
+[Options]
+    PAM = no
+    PredefChannelsOnly = no
+    RequireAuthPing = no
+    SyslogFacility = local5
+    ;WebircPassword = webpwd
+
+    # Security related settings, useful for running servers with high anonimity, disable if desired
+
+    Ident = no
+    # Global password for all users needed to connect to the server
+#    Password = abc
+    # Set this hostname for every client instead of the real one.
+    # Use %x to add the hashed value of the original hostname.
+    CloakHost = tildezero.xyz
+    # Set every clients' user name to their nickname
+    CloakUserToNick = yes
+    # Do dns lookup when a user connects
+    DNS = no
+    # Enhance user privacy slightly (useful for IRC server on TOR or I2P)
+    # by censoring some information like idle time, logon time, etc.
+    MorePrivacy = yes
+    # Silently drop all incoming CTCP requests
+    ScrubCTCP = yes
+    
+
+#[Operator]
+#    Name = someuser
+#    Password = somepassword

perl-script/create_user.pl

@@ -19,41 +19,61 @@ my @g;
 
 # Given a username... prompts and creates that user
 sub create($){
-    my $id = $_[0];
+    my $id;
     
-    my $fn1 = $account_dir.$id.".ident";
+    my $fn1;
 
     my $username;
     my $shell_pref;
     my $user_email;
     my $pub_key;
 
+    my $p0;
+
+    # Prompts...
+    $p0 = [
+	"Enter username: ",
+	"Enter pubkey: "
+	];
+
+    $fn1 = "";
+    if($_[0]){
+	$id = $_[0];
+	$fn1 = $account_dir.$id.".ident";
+	open IN0, $fn1 or die "could not open file $fn1";
+	$p0 = [ map("", @{$p0}) ];
+    }else{
+	*IN0 = *STDIN;
+    }
+
     # read in username and validate
-    open FILE, $fn1 or die "could not open file $fn1";
-    $username = <FILE>;
+    printf($p0->[0]);
+    $username = <IN0>;
     chomp $username;
-    
+
     if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){
-	printf("%s has an INVALID username\n", $id);
+	printf("%s is an INVALID username\n", $id);
 	die ("oh no");
     }
 
     # read in email
-    $user_email = <FILE>;
+    $user_email = $_[0] ?  <IN0> : "";
     chomp $user_email;
 
     # read in shell and validate
     {
-	my $s0 = <FILE>;
+	my $s0;
+	$s0 = $_[0] ? <IN0> : "SHELL_KSH";
 	chomp $s0;
 	unless($SHELL_ENUM->{$s0}){
-	    die "invalid shell setting $s0 in file $id.ident";
+	    die "invalid shell setting $s0";
 	}
 	$shell_pref = $SHELL_ENUM->{$s0};
     }
 
     # read in pub key
-    $pub_key = <FILE>;
+    printf($p0->[1]);
+    $pub_key = <IN0>;
     chomp $pub_key;
 
     {
@@ -70,10 +90,10 @@ sub create($){
 	system($cmd);
 	system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");
 	system("chmod 711 /home/$username");
-	system("mv $fn1 $fn1.done");
+	system("test $fn1 && mv $fn1 $fn1.done");
 	system("echo $username >> $ul_path");
     }
-    close FILE;
+    close IN0;
 }
 
 # MAIN starts here
@@ -85,14 +105,19 @@ if(!(`id` =~ /uid=0/)){
 
 # Adjusts the relative file paths based on where
 # the script runs from
-if( `pwd` =~ /perl-script\/?\s*$/){
+if(`pwd` =~ /perl-script\/?\s*$/){
     $working_dir = "../";
     $account_dir = $working_dir."req/";
     $conf_path = $working_dir."lyadmin.conf.json";
     $ul_path = $working_dir."user_list.txt";
     printf("%s\n", $conf_path);
 }elsif(!(join(" ", glob("./*")) =~ /perl-script/)){
-    die "please run this script with ./perl-script/ as the present working directory";
+    $SHELL_ENUM = {"SHELL_KSH" => "/bin/ksh"};
+    create(0);
+    printf("admin user is now configured\n");
+    printf("run the below command to continue the install\n");
+    printf("pkg_add wget && wget 'https://git.lain.church/gashapwn/lyadmin/raw/branch/master/perl-script/provision.pl' -O - | perl");
+    die "\n\n";
 }
 
 # Opens the conf file to read
@@ -117,4 +142,3 @@ close FILE;
 for my $fn (@g){
     create($fn);
 }
-

perl-script/ngircd-ctl.pl

@@ -0,0 +1,33 @@
+#!/usr/bin/perl
+
+use warnings;
+use strict;
+
+my @MY_ARGV = @ARGV;
+my $MY_ACMD = shift || "";
+
+my $NGIRCD='ngircd';
+my $NGIRCD_UID = 703;
+my $NGIRCD_UN = "_ngircd";
+
+my $ERROR = 0;
+
+my $USAGE = "Usage: ngircd-ctl (start|status|stop)";
+my $PERM_ERR = "must run as $NGIRCD_UN\nplease run using: doas -u $NGIRCD_UN\n";
+    
+unless( getpwuid( $< ) =~ /$NGIRCD_UN/ ){
+    die $PERM_ERR;
+}
+
+if ($MY_ACMD eq "stop"){
+    $ERROR = system("pkill -u $NGIRCD_UID -x $NGIRCD");
+}elsif($MY_ACMD eq "start"){
+    $ERROR = system("$NGIRCD");
+}elsif($MY_ACMD eq "status"){
+    $ERROR = system("pgrep -u $NGIRCD_UID $NGIRCD");
+    printf("%s(ok)\n", $NGIRCD) if ($ERROR == 0);
+}elsif($MY_ACMD eq "help"){
+    printf("$USAGE\n");
+}else{
+    printf("$USAGE\n");
+}

perl-script/provision.pl

@@ -12,7 +12,10 @@ use strict;
 # gashapwn
 # Nov 2020
 
+my $DEV_FLAG = shift || "";
+
 my $GIT_REPO = 'https://git.lain.church/gashapwn/lyadmin.git';
+my $GIT_BRANCH = length($DEV_FLAG) > 0 ? "-b gasha-branch " : "";
 my ($REPO_DIR) = $GIT_REPO =~ /\/([^\/]*)\.git$/;
 my $INST_DIR = "/tilde";
 
@@ -23,6 +26,54 @@ my $pwuid;
 my $admin_un;
 my $admin_home_dir;
 
+# Given a username... prompts and creates that user
+sub create(){
+    my $id;
+    
+    my $username;
+    my $user_email;
+    my $pub_key;
+
+    my $p0;
+
+    # Prompts...
+    $p0 = [
+	"Enter username: ",
+	"Enter pubkey: "
+	];
+
+    # read in username and validate
+    printf($p0->[0]);
+    $username = <STDIN>;
+    chomp $username;
+
+    if(length($username) > 31 || !($username =~ /^[A-Za-z][A-Za-z0-9]+$/)){
+	printf("%s is an INVALID username\n", $id);
+	die ("oh no");
+    }
+
+    # read in pub key
+    printf($p0->[1]);
+    $pub_key = <STDIN>;
+    chomp $pub_key;
+    
+    {
+	# Prompt to make sure the username looks OK
+	my $cmd;
+	$cmd = "useradd -m " . $username; 
+	printf("Y/N is this command OK?: %s\n", $cmd);
+	
+	if(!(<STDIN> =~ /^y/i)){
+	    die "provision cancelled...";
+	}
+
+	# create the user
+	system($cmd);
+	system("echo '".$pub_key."' > /home/$username/.ssh/authorized_keys");
+	system("chmod 711 /home/$username");
+    }
+}
+
 # Make sure we're running as root
 $pwuid = getpwuid( $< );
 
@@ -30,18 +81,20 @@ if($pwuid ne "root"){
     die "script must be run as root";
 }
 
-# Check /etc/passwd for the username created during
-# installation
-if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
-    printf("admin user will be set to %s\n", $admin_un);
-}else{
-    die "create a non-root user & set user passsword before running this script."
+# Make sure script is provisioning a fresh instance
+# and doesn't clobber users existing configs
+printf("This script is meant to be run on a fresh install\n");
+printf("Y/N OK to proceed?");
+
+if(!(<STDIN> =~ /^y/i)){
+    die "provision cancelled...";
 }
 
-$admin_home_dir = "/home/$admin_un";
-
-# grant doas access to admin user
-system("echo 'permit $admin_un' > /etc/doas.conf");
+unless( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
+    printf("to provision the instance there must be a non root user with an authorized_keys file");
+    printf("creating user...\n");
+    create();
+}
 
 # install git
 system("pkg_add git");
@@ -53,22 +106,31 @@ system("chown $SVC_ACCT:$SVC_ACCT $INST_DIR");
 chdir $INST_DIR;
 
 # clone repo
-system("su $SVC_ACCT -c 'git clone $GIT_REPO'");
+system("su $SVC_ACCT -c 'git clone $GIT_BRANCH$GIT_REPO'");
 chdir $REPO_DIR;
 
 # Copy the skel directory
 system("mkdir ./skel/public_html/cgi");
 system("cp -r ./skel/* /etc/skel/");
 
-# setup admin user
-system("cp -r ./skel/* /home/$admin_un/");
-system("chown -R $admin_un:$admin_un /home/$admin_un");
-system("echo $admin_un >> ./user_list.txt");
+# Check /etc/passwd for the username created during
+# installation
+if( ($admin_un) = `tail /etc/passwd | grep -v "nobody:"` =~ /([^:\n]+):[^:]+:[0-9]{4,}/){
+    # grant doas access to admin user
+    system("echo 'permit nopass $admin_un' > /etc/doas.conf");
+    
+    # setup admin user
+    system("cp -r ./skel/* /home/$admin_un/");
+    system("chown -R $admin_un:$admin_un /home/$admin_un");
+    system("echo $admin_un >> ./user_list.txt");
+}
 
 # Setup the virtual environment
-system("pkg_add python3");
+system("pkg_add python3 openssl rust bash");
 printf("generating virtual enviornment...\n");
 system("su $SVC_ACCT -c 'python3 -m venv venv'");
+printf("running pip. can take up to 3 minutes due to slow compilation.\n");
+system("su $SVC_ACCT -c '. ./venv/bin/activate && python3 -m pip install --upgrade pip'");
 system("su $SVC_ACCT -c '. ./venv/bin/activate && pip3 install -r requirements.txt'");
 
 system("cp ./perl-script/conf/lingyin.rc /etc/rc.d/lingyind");
@@ -111,5 +173,40 @@ system("cp ./perl-script/conf/haproxy.cfg /etc/haproxy/haproxy.cfg");
 system("rcctl enable haproxy");
 system("rcctl start haproxy");
 
+# Install and configure ngircd and delegation
+system("pkg_add ngircd");
+
+# irc group is used for granting permissions
+# to irc admins
+system("groupadd irc");
+system("usermod -G irc _ngircd");
+# allow doas for irc admins
+system("echo 'permit nopass :irc as _ngircd' >> /etc/doas.conf");
+
+# Copy over our conf file to /etc
+# and set permissions
+chdir "$INST_DIR/$REPO_DIR";
+system("chmod 750 /etc/ngircd");
+system("cp ./perl-script/conf/ngircd.conf /etc/ngircd/ngircd.conf");
+system("chmod -R 660 /etc/ngircd/*");
+system("chown -R _ngircd:irc /etc/ngircd/");
+
+# copy over our admin script and set permissions
+system("cp ./perl-script/ngircd-ctl.pl /usr/local/sbin/ngircd-ctl");
+system("chown _ngircd:irc /usr/local/sbin/ngircd-ctl");
+system("chmod 770 /usr/local/sbin/ngircd-ctl");
+
+# Disable root login
+system("sed -i -e 's/^[^#]*PermitRootLogin.*\$/PermitRootLogin no/' /etc/ssh/sshd_config");
+system("sed -i -e 's/^PasswordAuthentication.*\$//' /etc/ssh/sshd_config");
+system("echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config");
+system("rcctl restart sshd");
+
+printf("\n\nInstall complete\n");
+printf("==================================================\n");
+
+printf("Protip: use doas instead of sudo\n");
+
+printf("root login and password login is now disabled, so dont forget\nto set a password\n");
+printf("and test your pub key\n");
 
-printf("dont forget to setup your ssh pub key at /home/$admin_un/.ssh/authorized_keys\n");