added suricata and its things

deploy.yml

@@ -3,26 +3,45 @@
 - name: common roles
   hosts:
     - caladan
-    - narwhal
     - fugu
+    - narwhal
     - snitch
+    - suricata
   become: true
   roles:
     - basic
     - users
+    - repos
     - sshd
   vars:
     users:
       - rilla
       - ansible
+      - builder
       - gopass
       - woodpecker
 
+- name: mounts
+  hosts:
+    - suricata
+  become: true
+  roles:
+    - mounts
+
+- name: pi_fan_hwpwm
+  hosts:
+    - suricata
+  become: true
+  roles:
+    - pi_fan_hwpwm
+  tags: fan
+
 - name: quality of life tools
   hosts:
     - caladan
-    - narwhal
     - fugu
+    - narwhal
+    - suricata
   become: true
   roles:
     - quality_of_life
@@ -47,12 +66,6 @@
   roles:
     - wireguard
 
-- name: lbu commit
-  hosts: snitch
-  become: true
-  roles:
-    - lbu_commit
-
 - name: setup gopass
   become: true
   hosts:
@@ -62,3 +75,12 @@
   roles:
     - gopass
   tags: gopass
+
+- name: lbu commit
+  hosts:
+    - snitch
+    - suricata
+  become: true
+  roles:
+    - lbu_commit
+

host_files/ssh/suricata/ssh_host_ed25519_key

@@ -0,0 +1,25 @@
+$ANSIBLE_VAULT;1.1;AES256
+65653865383936396434356638353138363731333763643435626165323463663666306161336235
+6133646231336666643665623962376430333038613465660a333062343239643735633661643838
+64333137643932353632613864366262326264316434626437313736623037633537383139623966
+3366373335343263330a393330646236316164646230616535373036653564653034373333316337
+36313036643138623231626166646465613662383936306263313537363538333634323332336463
+32383933656535656232333365663835363735333030396434663230333935633538623365356531
+65316336663863393366383661396337663166306166393539366661386465636431663330653633
+65346666353034363463326233383531316565346663343462303565663138333261653730373764
+38306137636533393161323535393930663465313362343634373262353336303638396361623733
+66396463383361616535336136613136343136303934353164653765336637383035313037363763
+36363633663664633730656264616261616636626561616531393434353738316363653763626463
+61306333346532353839646365323463316437303761363561383637333336653635353637396337
+31336337613563343739323233383232303636323564306231623839653761623737356632333636
+61326138616237313764386637623834653765333161356437626338643436666262663337366438
+61376466346236353566393332313237343936346639613033623938323639323936663837323736
+35396638336137323636306361383864313235353234323832363235636333343039653062363063
+65643032313564383638616438646339303637656264656233313166333931363231373138396130
+33376530323336623466663463356635373965613561613831326461343432346465633239393461
+31313038663663633336343134323733616661336537383032636139643831363461396439666531
+36333764363331316232623435323434653864343636316333356239636237303762323331323034
+62613538396331653232633138633263313265303532333437366139356164353263643264383764
+38653366313638316539323565306665653836623765626637663139613438613635623362653863
+31653031666535666531623265383438656563316164393534613466333735663538613862623232
+66303736333362633131

host_files/ssh/suricata/ssh_host_ed25519_key-cert.pub

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+37626161353234313036383265393338616331666331633361363930383931386364643435616534
+3233666639313662616261656430656538623634353037620a363664316538613665626232386331
+31366664393931333030653333336266663833663561386361653039613163663635356131623564
+6438373362336439390a346539313566646335613035336265316666343262326338333261333734
+35646233626666613639313238636463383838333335343136663832303463356632656561326461
+64626465303066323339306232373864313137303935353139383761363833663637633234313663
+65316666623734353863646463386262316566663839353734636665616630633162356238376538
+31643539326334666238613761373165653663626363353734383761383433313662343337356438
+62356366316564396361393536353861386635333764323931316566363535303434386332373262
+32663635376464643639636531653739663035613037306262663639363863343063613736396166
+64323663393461373862373233616166383130323363333630363962333433333862353163653837
+64643633663233303632373662616137396563626332623862383439363231636633363366653561
+64323165663139623139393431666539323238303731313832393662343465623966653531393333
+34643266373366613237363261303633376163353430653337366239623066656232333862373831
+38313932363533363133363132666562646539353731313965333233386533363332333063353163
+37356464633631316239383835333639376461363834643566636137623230333061646136666239
+30636532306531386130626135346166613133323534643561656634613834333861363864653762
+35313461353864316138303863663431323865616338343533643964356462313136356231373033
+37333831623738303565626665333635346266623530646338393764346466323434386237353361
+37336336373235376638393861343663663433613238343361313561306330653833336262386465
+30373561346366383465356362336665393638393237303563623862353831663939653266346432
+65356637383831396630356261373338386339313361653434653262303831313366316335333636
+32316466366631663639616361633766653435636232306165656361376537303633316364343537
+61633363646663313061636531643266316633633937313134386263643336613064353936373538
+33656566363365613662396234336462353765363430383737353566356264646163343836316431
+65383366373932363830656231623061343566303734663233346339616638633333663961356661
+61386134326431336330343236373636303234626263623362646534356535653537323066386630
+39303262643064623636373630303831396130366230303832383561646332343961666334316431
+34313433383135376136396462386365613133363832626339386461383562393433373232326363
+65373666383063313432666132613061643833383265376637336539633339333866353135313066
+316630383231306432316561663434303435

host_files/ssh/suricata/ssh_host_ed25519_key.pub

@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+62333135383063633034623932393339386632623365333565336362353964346464303465633236
+3763333833386239336539613166326231636465613864360a363662356230383338353732343337
+62616563316362633964346336636363373131353838316162636561366162316365633936303931
+3663346537356562300a366564623435623462633438393735363830333463363239636465643962
+64653761386533323864313464393134643734653138663734366132666162653831393730363566
+39656261366464636439626566623938303935643531663736353132346262613563346231353635
+61656663616432333132366639616535366365333733623634303330333935376433313536623463
+31643037303866623832653666613938356664383063383633663062663834613963323030666634
+6430

hosts.yml

@@ -9,6 +9,37 @@ all:
       ansible_python_interpreter: /usr/bin/python3
       ansible_become_method: doas
       use_lbu: true
+      alpine_version: v3.16
+      alpine_repos:
+        - main
+
+    suricata:
+      ansible_host: suricata
+      ansible_user: ansible
+      ansible_port: 22
+      ansible_python_interpreter: /usr/bin/python3
+      ansible_become_method: doas
+      use_lbu: true
+      alpine_version: v3.16
+      alpine_repos:
+        - main
+        - community
+      mounts:
+        - path: "/media/mmcblk0p1"
+          src: "0EB4-4BBF"
+          fstype: "vfat"
+          opts: "noauto,defaults"
+          passno: "0"
+        - path: "/media/mmcblk0p2"
+          src: "UUID=75d4943d-2a1a-4f76-9f60-cff99b4d2e1f"
+          fstype: "ext4"
+          opts: "noauto,defaults"
+          passno: "0"
+        - path: "/var/lib/builder/src"
+          src: "/media/mmcblk0p2/src"
+          fstype: "none"
+          opts: "bind"
+          passno: "0"
 
     caladan:
       ansible_host: caladan
@@ -17,6 +48,10 @@ all:
       ansible_python_interpreter: /usr/bin/python3
       ansible_become_method: doas
       use_lbu: false
+      alpine_version: v3.16
+      alpine_repos:
+        - main
+        - community
 
     narwhal:
       ansible_host: narwhal

roles/mounts/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: setup mountpoints
+  include_tasks: mountpoint.yml
+  loop: "{{ mounts }}"

roles/mounts/tasks/mountpoint.yml

@@ -0,0 +1,15 @@
+---
+
+- name: create mountpoint directory
+  file:
+    path: "{{ item.path }}"
+    state: directory
+
+- name: create mountpoint
+  mount:
+    path: "{{ item.path }}"
+    src: "{{ item.src }}"
+    fstype: "{{ item.fstype }}"
+    opts: "{{ item.opts }}"
+    passno: "{{ item.passno }}"
+    state: mounted

roles/pi_fan_hwpwm/files/init.d/pi_fan_hwpwm

@@ -0,0 +1,12 @@
+#!/sbin/openrc-run
+
+name="pi_fan_hwpwm"
+description="Hardware PWM control for Raspberry Pi 4 Case Fan"
+supervisor="supervise-daemon"
+command="/usr/local/sbin/pi_fan_hwpwm"
+supervise_daemon_args=" -d /run"
+command_user="root"
+
+depend() {
+    after syslog
+}

roles/pi_fan_hwpwm/tasks/alpine.yml

@@ -0,0 +1,58 @@
+---
+
+- name: install necessary packages
+  apk:
+    name:
+      - gcc
+      - git
+      - make
+      - musl-dev
+      - tar
+    state: present
+
+- name: let builder own the src directory
+  file:
+    state: directory
+    path: /var/lib/builder/src
+    owner: builder
+    group: builder
+
+- name: clone git repo
+  git:
+    repo: https://github.com/kubesail/pibox-os.git
+    dest: /var/lib/builder/src/pibox-os
+    clone: true
+  become_user: builder
+
+- name: build and install bcm2835-1.68
+  include_tasks: bcm2835.yml
+
+- name: build and install pi_fan_hwpwm
+  include_tasks: pi_fan_hwpwm.yml
+
+- name: copy init script
+  copy:
+    src: init.d/pi_fan_hwpwm
+    dest: /etc/init.d/pi_fan_hwpwm
+    owner: root
+    mode: '0755'
+
+- name: enable pi_fan_hwpwm
+  service:
+    name: pi_fan_hwpwm
+    state: started
+    enabled: true
+    runlevel: default
+
+- name: add files to lbu
+  lbu:
+    include:
+      - /usr/local/sbin/pi_fan_hwpwm
+      - /etc/init.d/pi_fan_hwpwm
+  when: ansible_distribution == "Alpine" and use_lbu
+
+- name: add iomem=relaxed to cmdline.txt
+  replace:
+    path: /media/mmcblk0p1/cmdline.txt
+    regexp: '^([\w](?!.*\biomem=relaxed\b).*)$'
+    replace: '\1 iomem=relaxed'

roles/pi_fan_hwpwm/tasks/bcm2835.yml

@@ -0,0 +1,27 @@
+---
+
+- name: uncompress bcm2835-1.68
+  unarchive:
+    src: /var/lib/builder/src/pibox-os/pwm-fan/bcm2835-1.68.tar.gz
+    dest: /var/lib/builder/src/pibox-os/pwm-fan
+    remote_src: true
+    creates: /var/lib/builder/src/pibox-os/pwm-fan/bcm2835-1.68/configure
+  become_user: builder
+
+- name: ./configure bcm2835-1.68
+  shell:
+    chdir: /var/lib/builder/src/pibox-os/pwm-fan/bcm2835-1.68
+    cmd: ./configure
+    creates: /var/lib/builder/src/pibox-os/pwm-fan/bcm2835-1.68/Makefile
+  become_user: builder
+
+- name: build bcm2835-1.68
+  make:
+    chdir: /var/lib/builder/src/pibox-os/pwm-fan/bcm2835-1.68
+    target: all
+  become_user: builder
+
+- name: install bcm2835-1.68
+  make:
+    chdir: /var/lib/builder/src/pibox-os/pwm-fan/bcm2835-1.68
+    target: install

roles/pi_fan_hwpwm/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+- name: pi_fan_hwpwm on alpine
+  include_tasks: alpine.yml
+  when: ansible_distribution == "Alpine"

roles/pi_fan_hwpwm/tasks/pi_fan_hwpwm.yml

@@ -0,0 +1,20 @@
+---
+
+- name: build pi_fan_hwpwm
+  make:
+    chdir: /var/lib/builder/src/pibox-os/pwm-fan
+    target: all
+  become_user: builder
+
+- name: make sure /usr/local/sbin exists
+  file:
+    state: directory
+    path: /usr/local/sbin
+
+- name: install pi_fan_hwpwm
+  copy:
+    src: /var/lib/builder/src/pibox-os/pwm-fan/pi_fan_hwpwm
+    dest: /usr/local/sbin/pi_fan_hwpwm
+    remote_src: true
+    owner: root
+    mode: '0755'

roles/pi_fan_hwpwm/todo

@@ -0,0 +1,12 @@
+install
+- git
+- make
+- gcc
+- musl-dev
+
+config
+- iomem relaxed
+
+steps
+- build and compile
+- setup openrc service

roles/quality_of_life/files/mkshrc

@@ -0,0 +1,9 @@
+#PS1="$(echo -e "\033[36m$PWD\033[00m") ❯ "
+#PS1=$PWD ❯
+bind '^L=clear-screen'
+bind -m ^U='^[0^K'
+# PS1="${USER}@${HOSTNAME}:\${PWD/} ❯ "
+PS1=$'\n\e[34m${USER}@${HOSTNAME}\e[36m:\${PWD/}\e[00m\n❯ '
+
+alias vi=nvim
+alias vim=nvim

roles/quality_of_life/tasks/main.yml

@@ -30,16 +30,65 @@
       # OpenBSD already ships with tmux
   when: ansible_distribution == "OpenBSD"
 
-- name: make tmux config directory
-  file:
-    path: /home/rilla/.config/tmux
-    state: directory
-    owner: rilla
-    group: rilla
+- name: set up tmux
+  block:
 
-- name: copy tmux config
-  copy:
-    src: tmux.conf
-    dest: /home/rilla/.config/tmux/tmux.conf
-    owner: rilla
-    group: rilla
+    - name: make tmux config directory
+      file:
+        path: /home/rilla/.config/tmux
+        state: directory
+        owner: rilla
+        group: rilla
+
+    - name: copy tmux config
+      copy:
+        src: tmux.conf
+        dest: /home/rilla/.config/tmux/tmux.conf
+        owner: rilla
+        group: rilla
+
+    - name: make sure .profile file exists
+      file:
+        name: /home/rilla/.profile
+        state: touch
+        owner: rilla
+        group: rilla
+        modification_time: preserve
+        access_time: preserve
+        mode: '0644'
+
+    - name: start tmux session on ssh connection
+      lineinfile:
+        path: /home/rilla/.profile
+        line: '[ -n "$PS1" ] && [ -z "$TMUX"  ] && [ -n "$SSH_CONNECTION" ] && exec tmux -u'
+        insertafter: EOF
+        state: present
+
+- name: set Alpine shell to mksh
+  block:
+
+    - name: install mksh
+      apk:
+        name: mksh
+
+    - name: change user default shell
+      user:
+        name: rilla
+        shell: /bin/mksh
+
+    - name: copy mkshrc
+      copy:
+        src: mkshrc
+        dest: /home/rilla/.mkshrc
+        owner: rilla
+        group: rilla
+
+  when: ansible_distribution == "Alpine"
+
+- name: include to lbu config files
+  lbu:
+    include:
+      - /home/rilla/.config/tmux/tmux.conf
+      - /home/rilla/.mkshrc
+      - /home/rilla/.profile
+  when: ansible_distribution == "Alpine" and use_lbu

roles/repos/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- name: setup apk repos
+  block:
+
+    - name: render /etc/apk/repositories
+      template:
+        src: apk/repositories.j2
+        dest: /etc/apk/repositories
+        mode: '0644'
+
+    - name: apk update
+      apk:
+        update_cache: true
+
+  when: ansible_distribution == "Alpine"

roles/repos/templates/apk/repositories.j2

@@ -0,0 +1,9 @@
+#http://dl-cdn.alpinelinux.org/alpine/v3.16/main
+#http://dl-cdn.alpinelinux.org/alpine/v3.16/community
+#http://dl-cdn.alpinelinux.org/alpine/edge/main
+#http://dl-cdn.alpinelinux.org/alpine/edge/community
+#http://dl-cdn.alpinelinux.org/alpine/edge/testing
+
+{% for repo in alpine_repos %}
+http://dl-cdn.alpinelinux.org/alpine/{{ alpine_version }}/{{ repo }}
+{% endfor %}

roles/sshd/files/ssh_known_hosts

@@ -1,14 +1,15 @@
 $ANSIBLE_VAULT;1.1;AES256
-30663736636237313364336337326635386534643066313331663938343963303834653861396135
-6539333062323635633434363131383131353964363038650a636639383033396266396633356364
-33613537306665643265336539323965363331646263343532656238313266613965383736313162
-6332333035356537610a333035613730666138303533643134316332303039636235303233663232
-32333237646234333638616265623930333561313236326263313639323563643536613966303431
-64616438366261663865366632303633353333326436646531616365343066626134323534323436
-32373665303033346132663264343231656134623930303866383731623132313063356334376134
-66383263393164333461356339356434323666376331366331613932663834346333366538616532
-31373230353265373163646261326235613934653533663134666263643463663135313230616265
-35306632343132623237333437343165393238356132326639323933353437613962333263383434
-31623265306333623366373339396630373837343937663239333535653863343665353935336237
-62636632386336383233306566326663363363323132306564363934346439633665636463623163
-36326362383263303834316234643530633166636630646565623962373235343339
+36353339353134333434643436623333336164626237333933626364353932333435376637323865
+3338306465393764393463626238343033646166376533300a396465613731393362356265623761
+62386539613961316564666161613536303934373336393861613566323364353438396634373934
+3537326237386436630a376333623766376437666561363236326337333563373030643239336164
+65363936346531313034363334313361643462313364353130366639383565343837616135336165
+31393539643035633963386430383133646161393332643039316366306630336633636565653466
+62393834393633663465393233653866313239323539623565653862643531323461613830666639
+63653939363264616139333361383561656238626139313735613632663733653561643266666632
+38306332306539366539643866653762646236383534393866373137383961353161353938633963
+37306264376134336538356164393831346530333662333531663931653135613663323161393066
+32636230633364346639313237373736333562643337616564303861396131363335623564643739
+61613138373865616635313530363166333762393933373238383264646233333961393866393464
+38343833336563323034393034653433633033366533643535616334396336326330313166373361
+3035643134653035306431373834386464373731356332633630

roles/users/tasks/builder.yml

@@ -0,0 +1,37 @@
+---
+- name: create group 'builder'
+  group:
+    name: builder
+    gid: 504
+
+- name: create user 'builder'
+  user:
+    name: builder
+    uid: 504
+    group: builder
+    home: /var/lib/builder
+    password: "!"
+
+- name: make sure builder owns its home
+  file:
+    state: directory
+    path: /var/lib/builder
+    owner: builder
+    group: builder
+    mode: '2755'
+
+- name: let builder own the src directory
+  file:
+    state: directory
+    path: /var/lib/builder/src
+    owner: builder
+    group: builder
+
+- name: commit builder's home to lbu
+  lbu:
+    include:
+      - /var/lib/builder
+    exclude:
+      - /var/lib/builder/.ash_history
+      - /var/lib/builder/src
+  when: ansible_distribution == "Alpine" and use_lbu