Compare commits

...

5 commits

15 changed files with 632 additions and 13 deletions

2
.gitignore vendored
View file

@ -159,3 +159,5 @@ cython_debug/
# and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/
ansible/credentials/
terraform/mcaptcha/mcaptcha

View file

@ -24,6 +24,12 @@ define configure_cache
ansible-playbook -i $(INVENTORY) -f 10 ./ansible/cache.yml
endef
define configure_mcaptcha
. ./venv/bin/activate && \
ansible-playbook -i $(INVENTORY) -f 10 ./ansible/mcaptcha.yml
endef
define test_base
. ./venv/bin/activate && \
@ -49,6 +55,19 @@ define test_cache
endef
define test_mcaptcha
. ./venv/bin/activate && \
cd tests/mcaptcha/ && \
ANSIBLE_REMOTE_USER=root \
py.test --hosts='ansible://mcaptcha_hosts' \
-n 10 \
--verbose \
--ansible-inventory="../../${INVENTORY}" \
base.py
endef
define test_locust
. ./venv/bin/activate && \
@ -88,6 +107,13 @@ conf.dos: ## Configure all DoS VMs
conf.cache: ## Configure all cache VMs
$(call configure_cache)
# ```bash
# INVENTORY=./terraform/dos/hosts.ini make conf.mcaptcha
# ```
conf.mcaptcha: ## Configure all mcaptcha VMs
$(call configure_mcaptcha)
# ```bash
# INVENTORY=./terraform/dos/hosts.ini make conf.ping
# ```
@ -105,7 +131,8 @@ test.base: ## Test base configuration on all VMs
test.cache: ## Test cache configuration
$(call test_cache)
test.mcaptcha: ## Test mcaptcha configuration
$(call test_mcaptcha)
help: ## Prints help for targets with comments
@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

View file

@ -0,0 +1,29 @@
[Unit]
Description=mCaptcha: PoW CAPTCHA system
After=syslog.target
After=network.target
###
# Don't forget to add the database service dependencies
###
#
#Wants=mariadb.service
#After=mariadb.service
#
Wants=postgresql.service
After=postgresql.service
#
#Wants=redis.service
#After=redis.service
[Service]
RestartSec=2s
Type=simple
User=mcaptcha
Group=mcaptcha
WorkingDirectory=/home/mcaptcha/
ExecStart=/usr/local/bin/mcaptcha
Restart=always
Environment=USER=mcaptcha HOME=/home/mcaptcha
[Install]
WantedBy=multi-user.target

98
ansible/mcaptcha.yml Normal file
View file

@ -0,0 +1,98 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#---
- name: Base configuration
ansible.builtin.import_playbook: base.yml
- name: Install and configure postgres
hosts: mcaptcha_hosts
become: yes
vars_files:
- vars/mcaptcha/vars.yml
- vars/mcaptcha/db-common.yml
- vars/mcaptcha/postgresql.yml
tasks:
- ansible.builtin.include_role:
name: geerlingguy.postgresql
when:
database_type == "postgres"
- name: Install and configure mariadb
hosts: mcaptcha_hosts
become: yes
vars_files:
- vars/mcaptcha/vars.yml
- vars/mcaptcha/db-common.yml
- vars/mcaptcha/mariadb.yml.yml
tasks:
- ansible.builtin.include_role:
name: geerlingguy.mysql
when:
database_type == "mariadb"
- name: Install and configure cache
hosts: mcaptcha_hosts
become: yes
vars_files:
- vars/mcaptcha/vars.yml
tasks:
- name: conditionally install redis cache
ansible.builtin.include_role:
name: cache
when: cache_type == "redis"
- name: Install mCaptcha binary
hosts: mcaptcha_hosts
remote_user: atm
vars_files:
- vars/mcaptcha/vars.yml
- vars/mcaptcha/db-common.yml
- vars/mcaptcha/mcaptcha.yml
roles:
- mcaptcha
tasks:
- name: restart mcaptcha
debug:
msg: "mCaptcha successfully deployed to {{ mcaptcha_server_hostname }}"
notify: restart mcaptcha
- name: Install git, zip, nginx, wget, curl & other utils
become: true
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
pkg:
- nginx
- ufw
- name: Copy nginx vhost
become: true
ansible.builtin.template:
src: ./templates/mcaptcha/nginx.vhost.j2
dest: "/etc/nginx/sites-available/{{ mcaptcha_server_hostname }}"
owner: root
group: root
force: true
mode: "0644"
- name: Copy nginx vhost
become: true
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ mcaptcha_server_hostname }}"
dest: "/etc/nginx/sites-enabled/{{ mcaptcha_server_hostname }}"
state: link
- name: Restart nginx
become: true
ansible.builtin.service:
name: nginx
state: restarted
- name: Allow port 80 and enable UFW
become: true
community.general.ufw:
state: enabled
rule: allow
proto: tcp
port: "80"

View file

@ -72,15 +72,7 @@
force: true
mode: "0755"
# - name: Delete download dir
# ansible.builtin.file:
# path: /tmp/cache-lib
# state: absent
- name: Allow port 6379 for redis
become: true
community.general.ufw:
state: enabled
rule: allow
proto: tcp
port: "6379"
- name: Delete download dir
ansible.builtin.file:
path: /tmp/cache-lib
state: absent

View file

@ -0,0 +1,7 @@
- name: restart mcaptcha
listen: restart mcaptcha
become: true
ansible.builtin.service:
name: mcaptcha
enabled: true
state: restarted

View file

@ -0,0 +1,82 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Create mCaptcha systemd user
become: true
ansible.builtin.user:
name: mcaptcha
state: present
system: true
comment: mCaptcha systemd user
- name: Create download dir
ansible.builtin.file:
path: /tmp/mcaptcha-dl
state: directory
mode: "0755"
- name: Download binary
ansible.builtin.get_url:
url: https://dl.mcaptcha.org/mcaptcha/mCaptcha/master/mcaptcha-master-linux-amd64.tar.gz
dest: /tmp/mcaptcha-dl
checksum: sha256:https://dl.mcaptcha.org/mcaptcha/mCaptcha/master/mcaptcha-master-linux-amd64.tar.gz.sha256
- name: Extract mcaptcha-master-linux-amd64.tar.gz into /var/lib/foo
ansible.builtin.unarchive:
src: /tmp/mcaptcha-dl/mcaptcha-master-linux-amd64.tar.gz
remote_src: true
dest: /tmp/mcaptcha-dl/
- name: Install binary
become: true
notify: restart mcaptcha
ansible.builtin.copy:
src: /tmp/mcaptcha-dl/mcaptcha-master-linux-amd64/mcaptcha
remote_src: true
dest: /usr/local/bin/mcaptcha
owner: root
group: root
force: true
mode: "0755"
- name: Copy mCaptcha systemd servicefile
become: true
ansible.builtin.copy:
src: ./artifacts/mcaptcha/mcaptcha.service
dest: /etc/systemd/system/
owner: root
group: root
force: true
mode: "0777"
- name: Create mCaptcha config dir
become: true
ansible.builtin.file:
path: /etc/mcaptcha
state: directory
mode: "0755"
- name: Copy mCaptcha systemd servicefile
become: true
notify: restart mcaptcha
ansible.builtin.template:
src: ./templates/mcaptcha/config.toml.j2
dest: /etc/mcaptcha/config.toml
owner: root
group: root
force: true
mode: "0644"
- name: Run mCaptcha as a systemd service
become: true
ansible.builtin.systemd_service:
name: mcaptcha
daemon_reload: true
state: started
enabled: true
- name: Delete download dir
ansible.builtin.file:
path: /tmp/mcaptcha-dl
state: absent

View file

@ -0,0 +1,81 @@
{% if database_type == 'postgres' %}
{% set mcaptcha_database_url = "postgres://" ~ database_owner ~ ":" ~ database_password ~ "@" ~ "localhost:5432/" ~ database_name %}
{% else %}
{% set mcaptcha_database_url = "mysql://" ~ database_owner ~ ":" ~ database_password ~ "@" ~ "localhost/" ~ database_name %}
{% endif %}
debug = "{{ mcaptcha_debug | default('false') }}"
source_code = "{{ mcaptcha_source_code | default('https://github.com/mCaptcha/mCaptcha') }}"
commercial = "{{ mcaptcha_commercial | default('false') }}"
allow_demo = "{{ mcaptcha_allow_demo | default('false') }}"
allow_registration = "{{ mcaptcha_allow_registration | default('true') }}"
[server]
# Please set a unique value, your mCaptcha instance's security depends on this being
# unique
cookie_secret = "{{ mcaptcha_server_cookie_secret }}"
# The port at which you want authentication to listen to
# takes a number, choose from 1000-10000 if you dont know what you are doing
port = "{{ mcaptcha_server_port | default(7000) }}"
#IP address. Enter 0.0.0.0 to listen on all available addresses
ip= "{{ mcaptcha_server_bind | default('127.0.0.1') }}"
# enter your hostname, eg: example.com
domain = "{{ mcaptcha_server_hostname }}"
# Set true if you have setup TLS with a reverse proxy like Nginx.
# Does HTTPS redirect and sends additional headers that can only be used if
# HTTPS available to improve security
proxy_has_tls = "{{ mcaptcha_proxy_has_tls | default('false') }}"
[captcha]
# Please set a unique value, your mCaptcha instance's security depends on this being
# unique
salt = "{{ mcaptcha_captcha_salt }}"
# garbage collection period to manage mCaptcha system
# leave untouched if you don't know what you are doing
gc = "{{ mcaptcha_captcha_gc | default(30) }}" #30
runners = "{{ mcaptcha_captcha_runners | default(4) }}" #4
queue_length = "{{ mcaptcha_captcha_queue_length | default(2000) }}" #2000
enable_stats = "{{ mcaptcha_captcha_enable_stats | default('true') }}" #true
[captcha.default_difficulty_strategy]
avg_traffic_difficulty = "{{ mcaptcha_captcha_default_difficulty_strategy_avg_traffic_difficulty | default(50000) }}" # 50000 # almost instant solution
peak_sustainable_traffic_difficulty = "{{ mcaptcha_captcha_default_difficulty_strategy_peak_sustainable_traffic_difficulty | default(3000000) }}" # 3000000 # roughly 1.5s
broke_my_site_traffic_difficulty = "{{ mcaptcha_captcha_default_difficulty_strategy_broke_my_site_traffic_difficulty | default(5000000) }}" # 5000000 # greater than 3.5s
# cooldown period in seconds
duration = "{{ mcaptcha_captcha_default_difficulty_strategy_avg_duration | default(30) }}" # 30
[database]
# This section deals with the database location and how to access it
# Please note that at the moment, we have support for only postgresqa.
# Example, if you are Batman, your config would be:
# url = "postgres://batman:password@batcave.org:5432/batcave"
# database_type = "postgres"
# pool = 4
url = "{{ mcaptcha_database_url }}" # "postgres://example.org" # hack for tests to run successfully
pool = "{{ mcaptcha_database_pool | default(4) }}" #4
{% if cache_type == 'redis' %}
[redis]
# This section deals with the database location and how to access it
# Please note that at the moment, we have support for only postgresqa.
# Example, if you are Batman, your config would be:
url = "{{ mcaptcha_redis_url }}" #"redis://127.0.0.1"
pool = "{{ mcaptcha_redis_pool | default(4) }}" #4
{% endif %}
[smtp]
from = "{{ mcaptcha_smtp_from }}" # "admin@localhost"
reply = "{{ mcaptcha_smtp_reply }}" #"admin@localhost"
url = "{{ mcaptcha_smtp_url }}" #"127.0.0.1"
port = "{{ mcaptcha_smtp_port }}" #10025
username = "{{ mcaptcha_smtp_username }}" #"admin"
password = "{{ mcaptcha_smtp_password }}" #"password"
#[survey]
#nodes = ["http://localhost:7001"]
#rate_limit = 10 # upload every hour
#instance_root_url = "http://localhost:7000"

View file

@ -0,0 +1,12 @@
server {
listen 80;
listen [::]:80;
server_name {{ mcaptcha_server_hostname }};
error_log /var/log/nginx/"{{ mcaptcha_server_hostname }}".error.log;
access_log /var/log/nginx/"{{ mcaptcha_server_hostname }}".access.log;
location / {
proxy_pass http://{{ mcaptcha_server_bind }}:{{ mcaptcha_server_port }};
proxy_set_header Host $host;
}
}

View file

@ -0,0 +1,3 @@
database_owner: "mcaptcha"
database_name: "mcaptcha"
database_password: "{{ lookup('ansible.builtin.password', 'credentials/database_password', chars=['ascii_leters', 'digits'], length=32) }}"

View file

@ -0,0 +1,136 @@
---
# Set this to the user ansible is logging in as - should have root
# or sudo access
mysql_user_home: /home/atm
mysql_user_name: atm
# The default root user installed by mysql - almost always root
mysql_root_home: /root
mysql_root_username: root
mysql_root_password: root
# Set this to `true` to forcibly update the root password.
mysql_root_password_update: true
mysql_user_password_update: true
mysql_enabled_on_startup: true
# Whether my.cnf should be updated on every run.
overwrite_global_mycnf: true
# The following variables have a default value depending on operating system.
# mysql_config_file: /etc/my.cnf
# mysql_config_include_dir: /etc/my.cnf.d
# Pass in a comma-separated list of repos to use (e.g. "remi,epel"). Used only
# for RedHat systems (and derivatives).
mysql_enablerepo: ""
# Define a custom list of packages to install; if none provided, the default
# package list from vars/[OS-family].yml will be used.
# mysql_packages:
# - mysql
# - mysql-server
# - MySQL-python
mysql_python_package_debian: python3-mysqldb
# MySQL connection settings.
mysql_port: "3306"
mysql_bind_address: '0.0.0.0'
mysql_skip_name_resolve: false
mysql_datadir: /var/lib/mysql
mysql_sql_mode: ~
# The following variables have a default value depending on operating system.
# mysql_pid_file: /var/run/mysqld/mysqld.pid
# mysql_socket: /var/lib/mysql/mysql.sock
# Log file settings.
mysql_log_file_group: mysql
# Slow query log settings.
mysql_slow_query_log_enabled: false
mysql_slow_query_time: "2"
# The following variable has a default value depending on operating system.
# mysql_slow_query_log_file: /var/log/mysql-slow.log
# Memory settings (default values optimized ~512MB RAM).
mysql_key_buffer_size: "256M"
mysql_max_allowed_packet: "64M"
mysql_table_open_cache: "256"
mysql_sort_buffer_size: "1M"
mysql_read_buffer_size: "1M"
mysql_read_rnd_buffer_size: "4M"
mysql_myisam_sort_buffer_size: "64M"
mysql_thread_cache_size: "8"
mysql_query_cache_type: "0"
mysql_query_cache_size: "16M"
mysql_query_cache_limit: "1M"
mysql_max_connections: "151"
mysql_tmp_table_size: "16M"
mysql_max_heap_table_size: "16M"
mysql_group_concat_max_len: "1024"
mysql_join_buffer_size: "262144"
# Other settings.
mysql_lower_case_table_names: "0"
mysql_wait_timeout: "28800"
mysql_event_scheduler_state: "OFF"
# InnoDB settings.
mysql_innodb_file_per_table: "1"
# Set .._buffer_pool_size up to 80% of RAM but beware of setting too high.
mysql_innodb_buffer_pool_size: "256M"
# Set .._log_file_size to 25% of buffer pool size.
mysql_innodb_log_file_size: "64M"
mysql_innodb_log_buffer_size: "8M"
mysql_innodb_flush_log_at_trx_commit: "1"
mysql_innodb_lock_wait_timeout: "50"
# These settings require MySQL > 5.5.
mysql_innodb_large_prefix: "1"
mysql_innodb_file_format: "barracuda"
# mysqldump settings.
mysql_mysqldump_max_allowed_packet: "64M"
# Logging settings.
mysql_log: ""
# The following variables have a default value depending on operating system.
# mysql_log_error: /var/log/mysql/mysql.err
# mysql_syslog_tag: mysql
mysql_config_include_files: []
# - src: path/relative/to/playbook/file.cnf
# - { src: path/relative/to/playbook/anotherfile.cnf, force: yes }
# Databases.
mysql_databases:
- name: mcaptcha
collation: utf8_general_ci
encoding: utf8
replicate: 1
# Users.
mysql_users:
- name: mcaptcha
priv: "mcaptcha.*:ALL"
password: "{{ database_password }}"
mysql_disable_log_bin: false
# Replication settings (replication is only enabled if master/user have values).
mysql_server_id: "1"
mysql_max_binlog_size: "100M"
mysql_binlog_format: "ROW"
mysql_expire_logs_days: "10"
mysql_replication_role: ''
mysql_replication_master: ''
mysql_replication_master_inventory_host: "{{ mysql_replication_master }}"
# Same keys as `mysql_users` above.
mysql_replication_user:
- name: mcaptcha
host: 127.0.0.1
mysql_hide_passwords: false

View file

@ -0,0 +1,61 @@
mcaptcha_debug: false
# mcaptcha_source_code: 'https://github.com/mCaptcha/mCaptcha'
mcaptcha_commercial: false
mcaptcha_allow_demo: false
mcaptcha_allow_registration: false
# Please set a unique value, your mCaptcha instance's security depends on this being
# unique
mcaptcha_server_cookie_secret: "{{ lookup('ansible.builtin.password', 'credentials/mcaptcha_server_cookie_secret', chars=['ascii_leters', 'digits'], length=32) }}"
mcaptcha_server_port: 7000
mcaptcha_server_bind: "127.0.0.1"
mcaptcha_server_hostname: "mcaptcha.local"
# Set true if you have setup TLS with a reverse proxy like Nginx.
# Does HTTPS redirect and sends additional headers that can only be used if
# HTTPS available to improve security
#mcaptcha_proxy_has_tls: false
# Please set a unique value, your mCaptcha instance's security depends on this being
# unique
mcaptcha_captcha_salt: "{{ lookup('ansible.builtin.password', 'credentials/mcaptcha_captha_salt', chars=['ascii_leters', 'digits'], length=32) }}"
# garbage collection period to manage mCaptcha system
# leave untouched if you don't know what you are doing
# mcaptcha_captcha_gc: 30
# mcaptcha_captcha_runners: 4
# mcaptcha_captcha_queue_length: 2000
mcaptcha_captcha_enable_stats: true
#mcaptcha_captcha_default_difficulty_strategy_avg_traffic_difficulty: 50000 # almost instant solution
#mcaptcha_captcha_default_difficulty_strategy_peak_sustainable_traffic_difficulty: 3000000 # roughly 1.5s
#mcaptcha_captcha_default_difficulty_strategy_broke_my_site_traffic_difficulty: 5000000 # greater than 3.5s
# cooldown period in seconds
mcaptcha_captcha_default_difficulty_strategy_avg_duration: 30
#{% if database_type == 'postgres' %}
# {% set mcaptcha_database_url = "postgres://{{ database_owner }}:{{ database_password }}@localhost:5432/{{ database_name }}" %}
#{% else %}
# {% set mcaptcha_database_url = "mysql://{{ database_owner }}:{{ database_password }}@localhost/{{ database_name }}" %}
#{% endif %}
#mcaptcha_database_url: "mysql://{{ database_owner }}:{{ database_password }}@localhost/{{ database_name }}"
#mcaptcha_database_url: "postgres://{{ database_owner }}:{{ database_password }}@localhost:5432/{{ database_name }}"
# mysql://mcaptcha:password@localhost/mcaptcha"
mcaptcha_database_pool: 4
#mcaptcha_database_url: "{{ mcaptcha_database_url }}"
mcaptcha_redis_url: "redis://127.0.0.1"
mcaptcha_redis_pool: 4
mcaptcha_redis_url: "redis://127.0.0.1"
mcaptcha_redis_pool: 4
mcaptcha_smtp_from: "admin@localhost"
mcaptcha_smtp_reply: "admin@localhost"
mcaptcha_smtp_url: "127.0.0.1"
mcaptcha_smtp_port: 10025
mcaptcha_smtp_username: "admin"
mcaptcha_smtp_password: "password"
#[survey]
#nodes = ["http://localhost:7001"]
#rate_limit = 10 # upload every hour
#instance_root_url = "http://localhost:7000"

View file

@ -0,0 +1,48 @@
# Set postgresql state when configuration changes are made. Recommended values:
# `restarted` or `reloaded`
postgresql_restarted_state: "restarted"
postgresql_python_library: python-psycopg2
postgresql_user: postgres
postgresql_group: postgres
# `md5` or `scram-sha-256` (https://www.postgresql.org/docs/10/auth-methods.html)
postgresql_auth_method: "md5"
postgresql_unix_socket_directories:
- /var/run/postgresql
postgresql_service_state: started
postgresql_service_enabled: true
# Global configuration options that will be set in postgresql.conf.
postgresql_global_config_options:
- option: unix_socket_directories
value: '{{ postgresql_unix_socket_directories | join(",") }}'
- option: log_directory
value: 'log'
# Host based authentication (hba) entries to be added to the pg_hba.conf. This
# variable's defaults reflect the defaults that come with a fresh installation.
postgresql_hba_entries:
- {type: local, database: all, user: postgres, auth_method: peer}
- {type: local, database: all, user: all, auth_method: peer}
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: "{{ postgresql_auth_method }}"}
- {type: host, database: all, user: all, address: '::1/128', auth_method: "{{ postgresql_auth_method }}"}
# Debian only. Used to generate the locales used by PostgreSQL databases.
postgresql_locales:
- 'en_US.UTF-8'
# Users to ensure exist.
postgresql_users:
- name: "{{ database_owner }}" #required; the rest are optional
password: "{{ database_password }}"
# Databases to ensure exist.
postgresql_databases:
- name: "{{ database_name }}" # required; the rest are optional
owner: "{{ database_owner }}"
# Whether to output user data when managing users.
postgres_users_no_log: true

View file

@ -0,0 +1,2 @@
database_type: "postgres" # options: "mariadb", "postgres"
cache_type: "redis" # options: "embedded", "redis"

39
tests/mcaptcha/base.py Normal file
View file

@ -0,0 +1,39 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
import os
import requests
def test_mcaptcha_nginx_is_listening(host):
socket = host.socket(f"tcp://127.0.0.1:80")
assert socket.is_listening
def test_mcaptcha_config_exists(host):
config = host.file("/etc/mcaptcha/config.toml")
assert config.exists
assert config.is_file
def test_mcaptcha_health(host):
url = f"http://{host.interface.default().addresses[0]}/api/v1/meta/health"
resp = requests.get(url, headers={"Host": "mcaptcha.local"})
assert resp.status_code == 200
data = resp.json()
if "redis" in data:
assert data["redis"] is True
assert data["db"] is True
def test_nginx_service_running_and_enabled(host):
service = host.service("nginx")
assert service.is_running
assert service.is_enabled
def test_mcaptcha_service_running_and_enabled(host):
service = host.service("mcaptcha")
assert service.is_running
assert service.is_enabled