Merge branch 'master' of git.awful.club:jowj/agares

applicationConfiguration/.emacs/init.el

@@ -36,7 +36,7 @@
  '(global-hl-line-mode t)
  '(package-selected-packages
    (quote
-    (jedi znc yaml-mode which-key use-package twittering-mode try smex racer python-mode pylint py-autopep8 powershell pdf-tools outline-magic org2blog multiple-cursors magit helm flycheck-rust eyebrowse exec-path-from-shell emojify elpy ein doom-themes dockerfile-mode docker csharp-mode ansible anaconda-mode ace-window)))
+    (lsp-ui lsp-mode jedi znc yaml-mode which-key use-package twittering-mode try smex racer python-mode pylint py-autopep8 powershell pdf-tools outline-magic org2blog multiple-cursors magit helm flycheck-rust eyebrowse exec-path-from-shell emojify elpy ein doom-themes dockerfile-mode docker csharp-mode ansible anaconda-mode ace-window)))
  '(znc-servers
    (\`
     (("bouncer.awful.club" 5000 t

applicationConfiguration/.emacs/jlj-golang.el

@@ -1,44 +1,6 @@
-;; this is an intermediary golang config. my goals are to:
-;; - have gofmt run on save
-;; - have good syntax highlighting
-;; - compile, test, run gocode through emacs:
-
-(use-package go-eldoc
-  :ensure)
-
-(use-package gotest
-  :ensure)
-
-(use-package company-go
-  :ensure)
-
-(use-package go-guru
-  :ensure)
-
-(use-package go-mode
-  :init
+(use-package eglot
   :ensure t
   :config
-  (add-hook 'before-save-hook #'gofmt-before-save)
-
-  ;; stolen from luipan.pl/dotemacs/
-  (defun jlj-go-mode-hook ()
-    (go-eldoc-setup)
-    (set (make-local-variable 'company-backends) '(company-go))
-    (company-mode)
-    ;; Customize compile command to run go build
-
-    (let ((goimports (executable-find "goimports")))
-      (when goimports
-	(setq gofmt-command goimports)))
-    
-    (smartparens-mode 1)
-    (flycheck-mode 1)
-    (setq imenu-generic-expression
-          '(("type" "^type *\\([^ \t\n\r\f]*\\)" 1)
-            ("func" "^func *\\(.*\\) {" 1))))
-
-    (setq compile-command "echo Building... && go build -v && go test -v && go vet")
-  (add-hook 'go-mode-hook 'jlj-go-mode-hook))
-
-(with-eval-after-load "go-mode" (define-key go-mode-map (kbd "C-c C-c") 'compile))
+  (add-hook 'go-mode-hook 'eglot-ensure)
+  (local-set-key "\C-x\C-m" 'compile)
+  (setq compile-command "go test -v && go vet && golint"))

deployments/awful-1/deploy.yml

@@ -16,7 +16,7 @@
 - name: Deploy mojo webclient
   hosts: prod
   vars_files:
-    - vault-vars-mojo.yml
+    - mojo-vars-vault.yml
   tasks:
   - name: Build from the latest version
     shell: cd /home/josiah/mojojojo-bot/mojo-web && docker build -t mojo-web -f dockerfile .
@@ -30,7 +30,7 @@
 - name: Deploy mojo rtmclient
   hosts: prod
   vars_files:
-    - vault-vars-mojo.yml
+    - mojo-vars-vault.yml
   tasks:
   - name: Build from the latest version
     shell: cd /home/josiah/mojojojo-bot/mojo-rtm && docker build -t mojo-rtm -f dockerfile .
@@ -70,7 +70,7 @@
       shell: docker container rm znc
       when: result is succeeded
     - name: run the container (assumes the volume is already set up)
-      command: docker run -d -p 5000:5000 --mount type="bind",source="/mnt/volume_sfo2_znc/",target=/znc-data znc
+      command: docker run --restart "always" -d -p 5000:5000 --mount type="bind",source="/mnt/volume_sfo2_znc/",target=/znc-data znc
 
 - name: Deploy Arke
   hosts: dockerhosts

deployments/mediaServer/docker-compose.yml

@@ -11,9 +11,9 @@ services:
       PGID: 1000
       TZ: America/Chicago
     volumes:
-      - "/Users/josiah/Documents/apps/sonarr:/config"
-      - "/Users/josiah/Downloads/usenet-complete/:/downloads"
-      - "/Volumes/usenet/tv/:/tv"
+      - "/home/josiah/apps/sonarr:/config"
+      - "/home/josiah/Downloads/usenet-complete/:/downloads"
+      - "/media/usenet/tv/:/tv"
   lidarr:
     image: "linuxserver/lidarr"
     ports:
@@ -24,9 +24,9 @@ services:
       PGID: 1000
       TZ: America/Chicago
     volumes:
-      - "/Users/josiah/Documents/apps/lidarr:/config"
-      - "/Users/josiah/Downloads/usenet-complete/:/downloads"
-      - "/Volumes/usenet/audio/:/music"
+      - "/home/josiah/apps/lidarr:/config"
+      - "/home/josiah/Downloads/usenet-complete/:/downloads"
+      - "/media/usenet/audio/:/music"
  # headphones:
  #   image: "linuxserver/headphones"
  #   ports:
@@ -37,9 +37,9 @@ services:
  #     PGID: 1000
  #     TZ: America/Chicago
  #   volumes:
- #     - "/Users/josiah/Documents/apps/headphones:/config"
- #     - "/Users/josiah/Downloads/usenet-complete/:/downloads"
- #     - "/Volumes/usenet/audio/:/music"
+ #     - "/home/josiah/Documents/apps/headphones:/config"
+ #     - "/home/josiah/Downloads/usenet-complete/:/downloads"
+ #     - "/media/usenet/audio/:/music"
   radarr:
     image: "linuxserver/radarr"
     ports:
@@ -50,9 +50,9 @@ services:
       PGID: 1000
       TZ: America/Chicago
     volumes:
-      - "/Users/josiah/Documents/apps/radarr:/config"
-      - "/Users/josiah/Downloads/usenet-complete/:/downloads"
-      - "/Volumes/usenet/movies/:/movies"
+      - "/home/josiah/apps/radarr:/config"
+      - "/home/josiah/Downloads/usenet-complete/:/downloads"
+      - "/media/usenet/movies/:/movies"
   sabnzb:
     image: "funkypenguin/sabnzbd"
     ports:
@@ -64,11 +64,43 @@ services:
       PGID: 1000
       TZ: America/Chicago
     volumes:
-      - "/Users/josiah/Documents/apps/sabnzbd:/config"
-      - "/Users/josiah/Downloads/usenet-complete/:/downloads"
-      - "/Users/josiah/Downloads/usenet-incomplete/:/incomplete-downloads"
-      - "/Users/josiah/Downloads/usenet-watched/:/watched-folder"      
-      - "/Volumes/usenet/tv:/tv"
-      - "/Volumes/usenet/audio/:/music"
-      - "/Volumes/usenet/movies/:/movies"
-      - "/Volumes/usenet/itunes-synology/iTunes Media/Automatically Add to iTunes.localized/:/itunes"
+      - "/home/josiah/apps/sabnzbd:/config"
+      - "/home/josiah/Downloads/usenet-complete/:/downloads"
+      - "/home/josiah/Downloads/usenet-incomplete/:/incomplete-downloads"
+      - "/home/josiah/Downloads/usenet-watched/:/watched-folder"      
+      - "/media/usenet/tv:/tv"
+      - "/media/usenet/audio/:/music"
+      - "/media/usenet/movies/:/movies"
+      - "/media/usenet/itunes-synology/iTunes Media/Automatically Add to iTunes.localized/:/itunes"
+      - "/media/usenet/book-library/books/:/books"
+  lazylibrarian:
+    image: "thraxis/lazylibrarian-calibre"
+    ports:
+      - "5299:5299"
+    restart: unless-stopped
+    environment:
+      PUID: 1000
+      PGID: 1000
+      TZ: America/Chicago
+    volumes:
+      - "/home/josiah/apps/lazylibrarian:/config"
+      - "/home/josiah/Downloads/usenet-complete/:/downloads"
+      - "/media/usenet/book-library/calibre-library/:/calibre-library"
+      - "/media/usenet/book-library/books/:/books"
+      - "/media/usenet/book-library/audiobooks:/audiobooks"
+  # calibre:
+  #   image: "linuxserver/calibre"
+  #   container_name: calibre
+  #   ports:
+  #     - "8219:8080"
+  #     - "8081:8081"
+  #   restart: unless-stopped
+  #   environment:
+  #     PUID: 1000
+  #     PGID: 1000
+  #     TZ: America/Chicago
+  #   volumes:
+  #     - "/home/josiah/apps/calibre:/config"
+  #     - "/home/josiah/Downloads/usenet-complete/:/downloads"
+  #     - "/media/usenet/book-library/calibre-library/:/calibre-library"
+  #     - "/media/usenet/book-library/temp/:/import"

deployments/serverBuild/hosts.yml

@@ -9,3 +9,6 @@ all:
     dev:
       hosts:
         localhost:
+    onprem:
+      hosts:
+        hatchery:

deployments/serverBuild/ipsec.conf

@@ -1,27 +1,23 @@
-
+# basic configuration
 config setup
-    charondebug="ike 1, knl 1, cfg 0"
-    uniqueids=no
+        charondebug="all"
+        uniqueids=yes
+        strictcrlpolicy=no
 
-conn ikev2-vpn
-    auto=add
-    compress=no
-    type=tunnel
-    keyexchange=ikev2
-    fragmentation=yes
-    forceencaps=yes
-    dpdaction=clear
-    dpddelay=300s
-    rekey=no
-    left=%any
-    leftid=@vpn.awful.club
-    leftcert=awful-server-cert.pem
-    leftsendcert=always
-    leftsubnet=0.0.0.0/0
-    right=%any
-    rightid=%any
-    rightauth=eap-mschapv2
-    rightsourceip=10.10.10.0/24
-    rightdns=1.1.1.1,1.0.0.1
-    rightsendcert=never
-    eap_identity=%identity
+# connection to amsterdam datacenter
+conn home-to-digitalocean
+  authby=secret
+  left=%defaultroute
+  leftid=165.22.156.25
+  leftsubnet=10.138.0.0/16
+  right=0.0.0.0
+  rightsubnet=192.168.1.0/24
+  ike=aes256-sha2_256-modp1024!
+  esp=aes256-sha2_256!
+  keyingtries=0
+  ikelifetime=1h
+  lifetime=8h
+  dpddelay=30
+  dpdtimeout=120
+  dpdaction=restart
+  auto=start

deployments/serverBuild/ipsec.secrets

@@ -1,9 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA "awful-server-key.pem"
-
-jowj : EAP "fake-password" 
-
-# get secrets from other files
-include ipsec.*.secrets
-

deployments/serverBuild/onprem.yml

@@ -0,0 +1,38 @@
+- hosts: onprem
+  remote_user: josiah
+  gather_facts: false
+  become: yes
+  vars:
+    create_user: josiah
+    sys_packages: [ 'curl', 'vim', 'git', '', 'emacs', 'build-essential' ]
+
+  tasks:
+    - name: Install aptitude using apt
+      apt: name=aptitude state=latest update_cache=yes force_apt_get=yes
+
+    - name: Install required system packages for docker install
+      apt: name={{ item }} state=latest update_cache=yes
+      loop: [ 'apt-transport-https', 'ca-certificates', 'software-properties-common' ]
+
+    - name: Add Docker GPG apt Key
+      apt_key:
+        url: https://download.docker.com/linux/debian/gpg
+        state: present
+
+    - name: Add Docker Repository
+      apt_repository:
+        repo: deb https://download.docker.com/linux/ubuntu bionic stable
+        state: present
+
+    - name: Update apt
+      apt: update_cache=yes
+
+    - name: Install required system packages
+      apt: name={{ sys_packages }} state=latest
+
+    - name: add 'josiah' to docker group
+        user:
+          name='josiah'
+          groups=docker
+          append=yes
+      

deployments/serverBuild/vpnBuild.yml

@@ -6,6 +6,8 @@
   become: yes
   vars:
     vpn_packages: [ 'strongswan','strongswan-pki','ufw' ]
+    remote_host: 165.22.156.25
+    local_host:  0.0.0.0
 
   tasks:
     - name: Update apt
@@ -14,31 +16,23 @@
     - name: Install required system packages
       apt: name={{ vpn_packages }} state=latest
 
-    - name: Build temp pki dir structure - cacerts
-      shell: mkdir -p ~/pki/cacerts
-    - name: Build temp pki dir structure - certs
-      shell: mkdir -p ~/pki/certs
-    - name: Build temp pki dir structure - private and set perms
-      shell: mkdir -p ~/pki/private && chmod 700 ~/pki
+    - name: set kernel params
+      shell: |
+        cat >> /etc/sysctl.conf << EOF
+        net.ipv4.ip_forward = 1 
+        net.ipv4.conf.all.accept_redirects = 0 
+        net.ipv4.conf.all.send_redirects = 0
+        EOF
 
-    - name: Generate root key 4096 bit RSA
-      shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-ca-key.pem
-
-    - name: Create root cert authority & sign with root key
-      become_method: sudo
-      shell:    ipsec pki --self --ca --lifetime 3650 --in ~/pki/private/awful-ca-key.pem --type rsa --dn "CN=vpn.awful.club" --outform pem > ~/pki/cacerts/awful-ca-cert.pem
-
-    - name: Generate cert for the VPN host
-      shell: ipsec pki --gen --type rsa --size 4096 --outform pem > ~/pki/private/awful-server-key.pem
-
-    - name: Create & sign VPN server cert with CA cert.
-      shell: ipsec pki --pub --in ~/pki/private/awful-server-key.pem --type rsa | ipsec pki --issue --lifetime 1825 --cacert ~/pki/cacerts/awful-ca-cert.pem --cakey ~/pki/private/awful-ca-key.pem --dn "CN=vpn.awful.club" --san "vpn.awful.club" --flag serverAuth --flag ikeIntermediate --outform pem >  ~/pki/certs/awful-server-cert.pem
-
-    - name: move temp pki dir structure to proper /etc/ipsec.d/ dir
-      shell: sudo cp -r ~/pki/* /etc/ipsec.d/
+    - name: save kernel params
+      shell: sysctl -p /etc/sysctl.conf
+      
+    - name: Generate preshared key
+      shell: openssl rand -hex 32
+      register: awful_psk
 
-    - name: make backup of  default sswan conf file
-      shell: sudo mv /etc/ipsec.conf /etc/ipsec.conf.original
+    - debug:
+        msg: got this key {{ awful_psk }}
 
     - name: Copy my ipsec.conf file to the VPN host
       # this file does a lot. view more info in the readme.md
@@ -48,81 +42,17 @@
         owner: root
         group: root
 
-    - name: Copy my ipsec.secrets file to the VPN host
-      # this file does a lot. view more info in the readme.md
-      copy:
-        src: ipsec.secrets
-        dest: /etc/ipsec.secrets
-        owner: root
-        group: root
-
-    - name: restart strongswan
-      shell: systemctl restart strongswan
-
-    - name: allow SSH connections
-      ufw:
-        rule: allow
-        name: OpenSSH
-        
-    - name: Deny everything and enable UFW
-      ufw:
-        state: enabled
-        policy: deny
-
-    - name: rate limit ssh connections
-      ufw:
-        rule: limit
-        port: ssh
-        proto: tcp
+    - name: remove existing ipsec.secerts
+      shell: rm /etc/ipsec.secrets
 
-    - name: Allow all access from RFC1918 networks to this host
-      ufw:
-        rule: allow
-        src: '{{ item }}'
-      loop:
-        - 10.0.0.0/8
-        - 172.16.0.0/12
-        - 192.168.0.0/16
-
-
-    - name: Allow tcp ipsec ports
-      ufw:
-        rule: allow
-        port: 500
-        port: 4500
-        proto: tcp
-          
-    - name: Allow udp ipsec ports
-      ufw:
-        rule: allow
-        port: 4500
-        port: 500
-        proto: udp
-
-    - name: copy local before.rules to vpn host
-      copy:
-        src: before.rules
-        dest: /etc/ufw/before.rules
-        owner: root
-        group: root
+    - name: create ipsec.secrets with psk info
+      shell: |
+        cat >> /etc/ipsec.secrets << EOF
+        {{ remote_host }} {{local_host}}: PSK "{{awful_psk.stdout}}"
+        EOF
       
-    - name: copy local sysctl.conf to vpn host
-      copy:
-        src: sysctl.conf
-        dest: /etc/ufw/sysctl.conf
-        owner: root
-        group: root
-
-    - name: disable ufw to save config
-      ufw:
-        state: disabled
-
-    - name: reload ufw to activate changes
-      ufw:
-        state: enabled
+    - name: update route rules
+      shell: iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.138.0.0/16 -j MASQUERADE
 
-    - name: Copy ca-cert down to local machine
-      fetch:
-        src: /etc/ipsec.d/cacerts/awful-ca-cert.pem
-        dest: awful-ca-cert.pem
-        flat: yes
+    # - name: copy psk down to local machine
+    #   local_action: copy_content={{ awful_psk }} dest=psk.txt