Compare commits

...

46 commits
dos ... master

Author SHA1 Message Date
15775ddd8c Merge pull request 'chore: Configure Renovate' (#7) from renovate/configure into master
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending approval
Reviewed-on: #7
2024-06-04 13:05:23 +05:30
Renovate Bot
d491f26e49 Add renovate.json
Some checks are pending
ci/woodpecker/push/woodpecker Pipeline is pending approval
ci/woodpecker/pr/woodpecker Pipeline is pending approval
ci/woodpecker/pull_request_closed/woodpecker Pipeline is pending approval
2024-06-04 07:35:06 +00:00
74cd88322d Merge pull request 'feat-test-playbooks' (#5) from feat-test-playbooks into master
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Reviewed-on: #5
2023-12-13 00:49:03 +05:30
152fb05cb6
feat: test mariadb+embedded combination
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2023-12-13 00:17:49 +05:30
06d3da8019
feat: install python deps from requirements.txt
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2023-12-12 23:53:25 +05:30
165b2d24f7
fix: typo 2023-12-12 23:52:58 +05:30
1c17a3f3d9
feat: make mcaptcha systemd service wait on deps 2023-12-12 23:52:43 +05:30
7e9f0a3633
feat: test for support DB and cache combinations
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-12 23:08:01 +05:30
713ec1dd18
feat: cleanup ci config and use tofu-generated hostfile in ansible
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-12 22:07:20 +05:30
bf87080e33
feat: use macvtap to make VM accessible to CI machine 2023-12-12 19:34:05 +05:30
0306798bad
feat: generalize ssh key and install qemu agent for macvtap IP retrival 2023-12-12 19:33:04 +05:30
9833f7fd98
debug: use pool dir in home
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 20:43:33 +05:30
58cb71dab3
feat: CI: use local image mirror
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 20:15:37 +05:30
418c792e83
feat: load SSH key
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 19:47:09 +05:30
3da25ea1c3
feat: provision test domain in hellbat hypervisor
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 19:26:00 +05:30
64302fed4c
feat: install opentofu and check network access
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 15:11:09 +05:30
b6b58b6156
fix: rm ufw from ci
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 14:38:03 +05:30
66f3979930
debug: become root
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
2023-12-11 14:37:23 +05:30
2c02ae4b95
fix: document roles 2023-12-11 14:37:23 +05:30
b74731476d
fix: testinfra install command 2023-12-11 14:37:23 +05:30
69fb946f3f
hotfix: run mcaptcha playbook on all hosts 2023-12-11 14:37:23 +05:30
dcc821782e
feat: init CI 2023-12-11 14:37:23 +05:30
9922989d5d
Merge branch 'disable-ufw' 2023-12-11 14:37:05 +05:30
c469878daf
feat: rm ufw
configuring a firewall is external to installing mCaptcha, since we use
standard HTTP ports only. Should also make testing with woodpecker CI
easy.
2023-12-11 14:36:14 +05:30
bbff7f41a5 Merge pull request 'feat: rm ufw' (#6) from disable-ufw into master
Reviewed-on: #6
2023-12-11 14:33:07 +05:30
4a81e7d591
feat: rm ufw
configuring a firewall is external to installing mCaptcha, since we use
standard HTTP ports only. Should also make testing with woodpecker CI
easy.
2023-12-11 14:30:54 +05:30
50569c8a32 Merge pull request 'wip-mcaptcha-mcaptcha' (#4) from wip-mcaptcha-mcaptcha into master
Reviewed-on: #4
2023-12-09 03:40:48 +05:30
a0a2e915af
doc: mcaptcha vars 2023-12-09 03:39:55 +05:30
800a6b6ebc
fix: dont use atm user 2023-12-09 03:30:10 +05:30
4e7f4b6be6
chore: consolidate vars file 2023-12-09 03:21:26 +05:30
60f730153e Merge pull request 'wip-mcaptcha-mcaptcha' (#3) from wip-mcaptcha-mcaptcha into master
Reviewed-on: #3
2023-12-09 03:03:07 +05:30
6457176823 Merge pull request 'wip-cache' (#2) from wip-cache into master
Reviewed-on: #2
2023-12-09 02:58:16 +05:30
da087a74c7
feat: helper make commands to install and test mcaptcha 2023-12-09 02:58:01 +05:30
f7206d721c
feat: test mCaptcha installation for firewall, services and health endpoint 2023-12-09 02:57:32 +05:30
3002808f92
feat: optionally redis, mariadb and postgres and proxy mcaptcha w nginx 2023-12-09 02:56:13 +05:30
c8a34a6e7b
feat: ansible role to download and install mcaptcha 2023-12-09 02:55:18 +05:30
eb586633ec
fix: dont expose redis and cleanup downloads 2023-12-09 02:52:24 +05:30
908f96b51a
feat: cache apt updates 2023-12-08 00:26:37 +05:30
beeef3c7bd
feat: make helpers to configure and test cache install 2023-12-08 00:26:10 +05:30
aced3188b2
feat: write custom redis config using inline mod 2023-12-08 00:25:30 +05:30
e3054d1297
feat: provision libvirt domain for mCaptcha guard 2023-12-08 00:20:06 +05:30
fe0c02dd09
feat: refactor cache into a role 2023-11-13 21:32:40 +05:30
2b23534250
feat: install and test mCaptcha/cache 2023-10-13 19:19:46 +05:30
4186f1eb47
chore: refactor playbooks 2023-10-13 16:28:38 +05:30
1158590b7f
feat: update to debian bookworm 2023-10-12 20:47:07 +05:30
458d774f99 Merge pull request 'feat: provision VMs for mCaptcha/dos/demo-server, mCaptcha/dos/locust, mCaptcha/mCaptcha' (#1) from dos into master
Reviewed-on: #1
2023-08-17 05:15:22 +05:30
43 changed files with 1309 additions and 307 deletions

3
.gitignore vendored
View file

@ -159,3 +159,6 @@ cython_debug/
# and can be added to the global gitignore or merged into this file. For a more nuclear # and can be added to the global gitignore or merged into this file. For a more nuclear
# option (not recommended) you can uncomment the following to ignore the entire idea folder. # option (not recommended) you can uncomment the following to ignore the entire idea folder.
#.idea/ #.idea/
ansible/credentials/
terraform/mcaptcha/mcaptcha
sec/

27
.woodpecker.yml Normal file
View file

@ -0,0 +1,27 @@
steps:
backend:
image: python:3-bookworm
environment:
- ANSIBLE_HOST_KEY_CHECKING=False
commands:
- export PATH=$PATH:/root/.local/bin
- eval "$(ssh-agent -s)"
- make ci.init
- cat terraform/mcaptcha/hosts.ini
# db: mariadb cache: redis
- . venv/bin/activate && ansible-playbook --become -i terraform/mcaptcha/hosts.ini --extra-vars "database_type=mariadb cache_type=redis" ./ansible/mcaptcha.yml
- INVENTORY=terraform/mcaptcha/hosts.ini make test.cache
- INVENTORY=terraform/mcaptcha/hosts.ini make test.mcaptcha
# db: postgres cache: redis
- . venv/bin/activate && ansible-playbook --become -i terraform/mcaptcha/hosts.ini --extra-vars "database_type=postgres cache_type=redis" ./ansible/mcaptcha.yml
- INVENTORY=terraform/mcaptcha/hosts.ini make test.cache
- INVENTORY=terraform/mcaptcha/hosts.ini make test.mcaptcha
# embedded cache
- . venv/bin/activate && ansible-playbook --become -i terraform/mcaptcha/hosts.ini --extra-vars "database_type=postgres cache_type=embedded" ./ansible/mcaptcha.yml
- INVENTORY=terraform/mcaptcha/hosts.ini make test.mcaptcha
# embedded cache
- . venv/bin/activate && ansible-playbook --become -i terraform/mcaptcha/hosts.ini --extra-vars "database_type=mariadb cache_type=embedded" ./ansible/mcaptcha.yml
- INVENTORY=terraform/mcaptcha/hosts.ini make test.mcaptcha
- make ci.clean
secrets: [TEST_NODE_SSH_KEY]

View file

@ -16,9 +16,21 @@ endef
define configure_locust define configure_locust
. ./venv/bin/activate && \ . ./venv/bin/activate && \
ansible-playbook -i $(INVENTORY) -f 10 ./ansible/locust/main.yml ansible-playbook -i $(INVENTORY) -f 10 ./ansible/locust.yml
endef endef
define configure_cache
. ./venv/bin/activate && \
ansible-playbook -i $(INVENTORY) -f 10 ./ansible/cache.yml
endef
define configure_mcaptcha
. ./venv/bin/activate && \
ansible-playbook -i $(INVENTORY) -f 10 ./ansible/mcaptcha.yml
endef
define test_base define test_base
. ./venv/bin/activate && \ . ./venv/bin/activate && \
cd tests/ && \ cd tests/ && \
@ -31,6 +43,32 @@ define test_base
endef endef
define test_cache
. ./venv/bin/activate && \
cd tests/cache/ && \
ANSIBLE_REMOTE_USER=root \
py.test --hosts='ansible://mcaptcha_hosts' \
-n 10 \
--verbose \
--ansible-inventory="../../${INVENTORY}" \
base.py
endef
define test_mcaptcha
. ./venv/bin/activate && \
cd tests/mcaptcha/ && \
ANSIBLE_REMOTE_USER=root \
py.test --hosts='ansible://mcaptcha_hosts' \
-n 10 \
--verbose \
--ansible-inventory="../../${INVENTORY}" \
base.py
endef
define test_locust define test_locust
. ./venv/bin/activate && \ . ./venv/bin/activate && \
cd tests/locust/ && \ cd tests/locust/ && \
@ -46,9 +84,9 @@ endef
# ```bash # ```bash
# INVENTORY=./terraform/dos/hosts.ini make conf.base # INVENTORY=./terraform/dos/hosts.ini make conf.base
# ``` # ```
conf.base: ## Get all VMs to base level configuration #conf.base: ## Get all VMs to base level configuration
$(call configure_base) # $(call configure_base)
#
lint: ## Lint source code lint: ## Lint source code
terraform fmt terraform fmt
@ -60,9 +98,22 @@ lint: ## Lint source code
# INVENTORY=./terraform/dos/hosts.ini make conf.base # INVENTORY=./terraform/dos/hosts.ini make conf.base
# ``` # ```
conf.dos: ## Configure all DoS VMs conf.dos: ## Configure all DoS VMs
$(call configure_base)
$(call configure_locust) $(call configure_locust)
# ```bash
# INVENTORY=./terraform/dos/hosts.ini make conf.cache
# ```
conf.cache: ## Configure all cache VMs
$(call configure_cache)
# ```bash
# INVENTORY=./terraform/dos/hosts.ini make conf.mcaptcha
# ```
conf.mcaptcha: ## Configure all mcaptcha VMs
$(call configure_mcaptcha)
# ```bash # ```bash
# INVENTORY=./terraform/dos/hosts.ini make conf.ping # INVENTORY=./terraform/dos/hosts.ini make conf.ping
# ``` # ```
@ -77,5 +128,35 @@ test: ## Run all tests
test.base: ## Test base configuration on all VMs test.base: ## Test base configuration on all VMs
$(call test_base) $(call test_base)
test.cache: ## Test cache configuration
$(call test_cache)
test.mcaptcha: ## Test mcaptcha configuration
$(call test_mcaptcha)
ci.init:
apt-get update
apt-get install -y ca-certificates curl gnupg tar wget libssl-dev python3-pip cython3 pipx apt-transport-https coreutils iputils-ping openssh-client libvirt-clients genisoimage
./scripts/ci.sh --init "$$TEST_NODE_SSH_KEY"
ssh-add /tmp/ci-ssh-id
ssh -o StrictHostKeyChecking=accept-new mcaptcha-ci@192.168.0.102 "echo f"
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://packages.opentofu.org/opentofu/tofu/gpgkey | gpg --no-tty --batch --dearmor -o /etc/apt/keyrings/opentofu.gpg
chmod a+r /etc/apt/keyrings/opentofu.gpg
echo "deb [signed-by=/etc/apt/keyrings/opentofu.gpg] https://packages.opentofu.org/opentofu/tofu/any/ any main" > /etc/apt/sources.list.d/opentofu.list
echo "deb-src [signed-by=/etc/apt/keyrings/opentofu.gpg] https://packages.opentofu.org/opentofu/tofu/any/ any main" >> /etc/apt/sources.list.d/opentofu.list
apt-get update
apt-get install -y tofu
tofu -chdir=terraform/mcaptcha/ init
tofu -chdir=terraform/mcaptcha/ plan -var-file="ci.tfvars" -out="mcaptcha"
tofu -chdir=terraform/mcaptcha/ apply "mcaptcha"
pip install virtualenv && virtualenv venv
. venv/bin/activate && pip install -r requirements.txt
. venv/bin/activate && ansible-galaxy install -r ./ansible/requirements.yml
ci.clean:
echo yes | tofu -chdir=terraform/mcaptcha/ destroy -var-file="ci.tfvars"
./scripts/ci.sh --clean
help: ## Prints help for targets with comments help: ## Prints help for targets with comments
@cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' @cat $(MAKEFILE_LIST) | grep -E '^[a-zA-Z_-].+:.*?## .*$$' | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

View file

@ -4,19 +4,17 @@
--- ---
- name: Install and enable firewall - name: Install and enable firewall
hosts: [mcaptcha_dos, mcaptcha_demo_server, mcaptcha_mcaptcha] hosts: all
remote_user: atm
pre_tasks: pre_tasks:
- name: Ensure all VMs are reachable - name: Ensure all VMs are reachable
ansible.builtin.ping: ansible.builtin.ping:
roles:
- ufw
tasks: tasks:
- name: Install git, zip, nginx, wget, curl & other utils - name: Install git, zip, nginx, wget, curl & other utils
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
cache_valid_time: 3600
pkg: pkg:
- git - git
- wget - wget
@ -27,10 +25,3 @@
- python3-pip - python3-pip
- virtualenv - virtualenv
- python3-setuptools - python3-setuptools
- ufw
- name: Install Docker
hosts: mcaptcha_dos
remote_user: atm
roles:
- docker

14
ansible/cache.yml Normal file
View file

@ -0,0 +1,14 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Base configuration
ansible.builtin.import_playbook: base.yml
- name: Install redis cache
hosts: all
pre_tasks:
- name: Ensure all VMs are reachable
ansible.builtin.ping:
roles:
- cache

View file

@ -1,16 +1,20 @@
---
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net> # SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
- name: Base configuration
ansible.builtin.import_playbook: base.yml
roles:
- ufw
---
- name: Configure Locust instances - name: Configure Locust instances
hosts: [mcaptcha_dos] hosts: [mcaptcha_dos]
remote_user: atm
pre_tasks: pre_tasks:
- name: Ensure all VMs are reachable - name: Ensure all VMs are reachable
ansible.builtin.ping: ansible.builtin.ping:
roles: roles:
- docker-compose - docker
- docker_compose
tasks: tasks:
- name: Allow port 8089 for locust - name: Allow port 8089 for locust
@ -31,7 +35,7 @@
- name: Copy docker-compose.yml file - name: Copy docker-compose.yml file
become: true become: true
ansible.builtin.copy: ansible.builtin.copy:
src: ./artifacts/docker-compose.yml src: ./artifacts/locust/docker-compose.yml
dest: /etc/locust/ dest: /etc/locust/
- name: Start locust services - name: Start locust services

84
ansible/mcaptcha.yml Normal file
View file

@ -0,0 +1,84 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
#---
- name: Base configuration
ansible.builtin.import_playbook: base.yml
- name: Install and configure postgres
hosts: all
become: yes
vars_files:
- vars/mcaptcha/vars.yml
- vars/mcaptcha/postgresql.yml
tasks:
- ansible.builtin.include_role:
name: geerlingguy.postgresql
when:
database_type == "postgres"
- name: Install and configure mariadb
hosts: all
become: yes
vars_files:
- vars/mcaptcha/vars.yml
- vars/mcaptcha/mariadb.yml
tasks:
- ansible.builtin.include_role:
name: geerlingguy.mysql
when:
database_type == "mariadb"
- name: Install and configure cache
hosts: all
become: yes
vars_files:
- vars/mcaptcha/vars.yml
tasks:
- name: conditionally install redis cache
ansible.builtin.include_role:
name: cache
when: cache_type == "redis"
- name: Install mCaptcha binary
hosts: all
vars_files:
- vars/mcaptcha/vars.yml
roles:
- mcaptcha
tasks:
- name: restart mcaptcha
debug:
msg: "mCaptcha successfully deployed to {{ mcaptcha_server_hostname }}"
notify: restart mcaptcha
- name: Install git, zip, nginx, wget, curl & other utils
become: true
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
pkg:
- nginx
- name: Copy nginx vhost
become: true
ansible.builtin.template:
src: ./templates/mcaptcha/nginx.vhost.j2
dest: "/etc/nginx/sites-available/{{ mcaptcha_server_hostname }}"
owner: root
group: root
force: true
mode: "0644"
- name: Copy nginx vhost
become: true
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ mcaptcha_server_hostname }}"
dest: "/etc/nginx/sites-enabled/{{ mcaptcha_server_hostname }}"
state: link
- name: Restart nginx
become: true
ansible.builtin.service:
name: nginx
state: restarted

View file

@ -5,7 +5,6 @@
--- ---
- name: Ping all servers - name: Ping all servers
hosts: all hosts: all
remote_user: atm
tasks: tasks:
- name: Ensure all VMs are reachable - name: Ensure all VMs are reachable

3
ansible/requirements.yml Normal file
View file

@ -0,0 +1,3 @@
- src: geerlingguy.mysql
- src: geerlingguy.postgresql

7
ansible/roles/cache/handlers/main.yml vendored Normal file
View file

@ -0,0 +1,7 @@
- name: Restart redis
listen: restart redis
become: true
ansible.builtin.service:
name: redis
enabled: true
state: restarted

78
ansible/roles/cache/tasks/main.yml vendored Normal file
View file

@ -0,0 +1,78 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Install redis-server
become: true
ansible.builtin.apt:
update_cache: true
cache_valid_time: 3600
pkg:
- redis-server
- name: Create Redis plugins dir
become: true
notify: restart redis
ansible.builtin.file:
path: /usr/lib/redis/modules
owner: redis
group: redis
state: directory
mode: "0755"
- name: Load mCaptcha module
become: true
notify: restart redis
ansible.builtin.lineinfile:
dest: /etc/redis/redis.conf
line: "{{ item }}"
loop:
- "loadmodule /usr/lib/redis/modules/libcache.so"
- "bind 0.0.0.0"
- name: Copy custom Redis configuration
become: true
notify: restart redis
ansible.builtin.file:
path: "{{ item }}"
owner: redis
group: redis
force: true
loop:
- /etc/redis/redis.conf
- /etc/redis/
- name: Create download dir
ansible.builtin.file:
path: /tmp/cache-lib
state: directory
mode: "0755"
- name: Download plugin
ansible.builtin.get_url:
url: https://dl.mcaptcha.org/mcaptcha/cache/master/cache-master-linux-amd64.tar.gz
dest: /tmp/cache-lib/
checksum: sha256:https://dl.mcaptcha.org/mcaptcha/cache/master/cache-master-linux-amd64.tar.gz.sha256
- name: Extract cache-master-linux-amd64.tar.gz into /var/lib/foo
ansible.builtin.unarchive:
src: /tmp/cache-lib/cache-master-linux-amd64.tar.gz
remote_src: true
dest: /tmp/cache-lib/
- name: Copy custom Redis configuration
become: true
notify: restart redis
ansible.builtin.copy:
src: /tmp/cache-lib/cache-master-linux-amd64/libcache.so
remote_src: true
dest: /usr/lib/redis/modules/
owner: redis
group: redis
force: true
mode: "0755"
- name: Delete download dir
ansible.builtin.file:
path: /tmp/cache-lib
state: absent

View file

@ -1,5 +1,4 @@
--- ---
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net> # SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
# #
# SPDX-License-Identifier: AGPL-3.0-or-later # SPDX-License-Identifier: AGPL-3.0-or-later
@ -29,10 +28,10 @@
name: docker-ce name: docker-ce
update_cache: true update_cache: true
- name: Install Docker Module for Python #- name: Install Docker Module for Python
become: true # become: true
ansible.builtin.pip: # community.general.pipx:
name: docker # name: docker
- name: Ensure docker group is present - name: Ensure docker group is present
become: true become: true
@ -40,8 +39,8 @@
name: docker name: docker
state: present state: present
- name: Add user atm to docker group - name: Add user to docker group
become: true become: true
ansible.builtin.user: ansible.builtin.user:
name: atm # TODO: add admin user to docker group name: "{{ ansible_user_id }}"
groups: docker,users,admin groups: docker,users,admin

View file

@ -7,5 +7,6 @@
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
cache_valid_time: 3600
pkg: pkg:
- docker-compose - docker-compose

View file

@ -0,0 +1,7 @@
- name: restart mcaptcha
listen: restart mcaptcha
become: true
ansible.builtin.service:
name: mcaptcha
enabled: true
state: restarted

View file

@ -0,0 +1,82 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
---
- name: Create mCaptcha systemd user
become: true
ansible.builtin.user:
name: mcaptcha
state: present
system: true
comment: mCaptcha systemd user
- name: Create download dir
ansible.builtin.file:
path: /tmp/mcaptcha-dl
state: directory
mode: "0755"
- name: Download binary
ansible.builtin.get_url:
url: https://dl.mcaptcha.org/mcaptcha/mCaptcha/master/mcaptcha-master-linux-amd64.tar.gz
dest: /tmp/mcaptcha-dl
checksum: sha256:https://dl.mcaptcha.org/mcaptcha/mCaptcha/master/mcaptcha-master-linux-amd64.tar.gz.sha256
- name: Extract mcaptcha-master-linux-amd64.tar.gz into /var/lib/foo
ansible.builtin.unarchive:
src: /tmp/mcaptcha-dl/mcaptcha-master-linux-amd64.tar.gz
remote_src: true
dest: /tmp/mcaptcha-dl/
- name: Install binary
become: true
notify: restart mcaptcha
ansible.builtin.copy:
src: /tmp/mcaptcha-dl/mcaptcha-master-linux-amd64/mcaptcha
remote_src: true
dest: /usr/local/bin/mcaptcha
owner: root
group: root
force: true
mode: "0755"
- name: Copy mCaptcha systemd servicefile
become: true
ansible.builtin.template:
src: ./templates/mcaptcha/mcaptcha.service.j2
dest: /etc/systemd/system/mcaptcha.service
owner: root
group: root
force: true
mode: "0777"
- name: Create mCaptcha config dir
become: true
ansible.builtin.file:
path: /etc/mcaptcha
state: directory
mode: "0755"
- name: Copy mCaptcha config file
become: true
notify: restart mcaptcha
ansible.builtin.template:
src: ./templates/mcaptcha/config.toml.j2
dest: /etc/mcaptcha/config.toml
owner: root
group: root
force: true
mode: "0644"
- name: Run mCaptcha as a systemd service
become: true
ansible.builtin.systemd_service:
name: mcaptcha
daemon_reload: true
state: started
enabled: true
- name: Delete download dir
ansible.builtin.file:
path: /tmp/mcaptcha-dl
state: absent

View file

@ -7,6 +7,7 @@
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
cache_valid_time: 3600
pkg: pkg:
- ntp - ntp

View file

@ -7,6 +7,7 @@
become: true become: true
ansible.builtin.apt: ansible.builtin.apt:
update_cache: true update_cache: true
cache_valid_time: 3600
pkg: pkg:
- ufw - ufw

View file

@ -0,0 +1,81 @@
{% if database_type == 'postgres' %}
{% set mcaptcha_database_url = "postgres://" ~ database_owner ~ ":" ~ database_password ~ "@" ~ "localhost:5432/" ~ database_name %}
{% else %}
{% set mcaptcha_database_url = "mysql://" ~ database_owner ~ ":" ~ database_password ~ "@" ~ "localhost/" ~ database_name %}
{% endif %}
debug = "{{ mcaptcha_debug | default('false') }}"
source_code = "{{ mcaptcha_source_code | default('https://github.com/mCaptcha/mCaptcha') }}"
commercial = "{{ mcaptcha_commercial | default('false') }}"
allow_demo = "{{ mcaptcha_allow_demo | default('false') }}"
allow_registration = "{{ mcaptcha_allow_registration | default('true') }}"
[server]
# Please set a unique value, your mCaptcha instance's security depends on this being
# unique
cookie_secret = "{{ mcaptcha_server_cookie_secret }}"
# The port at which you want authentication to listen to
# takes a number, choose from 1000-10000 if you dont know what you are doing
port = "{{ mcaptcha_server_port | default(7000) }}"
#IP address. Enter 0.0.0.0 to listen on all available addresses
ip= "{{ mcaptcha_server_bind | default('127.0.0.1') }}"
# enter your hostname, eg: example.com
domain = "{{ mcaptcha_server_hostname }}"
# Set true if you have setup TLS with a reverse proxy like Nginx.
# Does HTTPS redirect and sends additional headers that can only be used if
# HTTPS available to improve security
proxy_has_tls = "{{ mcaptcha_proxy_has_tls | default('false') }}"
[captcha]
# Please set a unique value, your mCaptcha instance's security depends on this being
# unique
salt = "{{ mcaptcha_captcha_salt }}"
# garbage collection period to manage mCaptcha system
# leave untouched if you don't know what you are doing
gc = "{{ mcaptcha_captcha_gc | default(30) }}" #30
runners = "{{ mcaptcha_captcha_runners | default(4) }}" #4
queue_length = "{{ mcaptcha_captcha_queue_length | default(2000) }}" #2000
enable_stats = "{{ mcaptcha_captcha_enable_stats | default('true') }}" #true
[captcha.default_difficulty_strategy]
avg_traffic_difficulty = "{{ mcaptcha_captcha_default_difficulty_strategy_avg_traffic_difficulty | default(50000) }}" # 50000 # almost instant solution
peak_sustainable_traffic_difficulty = "{{ mcaptcha_captcha_default_difficulty_strategy_peak_sustainable_traffic_difficulty | default(3000000) }}" # 3000000 # roughly 1.5s
broke_my_site_traffic_difficulty = "{{ mcaptcha_captcha_default_difficulty_strategy_broke_my_site_traffic_difficulty | default(5000000) }}" # 5000000 # greater than 3.5s
# cooldown period in seconds
duration = "{{ mcaptcha_captcha_default_difficulty_strategy_avg_duration | default(30) }}" # 30
[database]
# This section deals with the database location and how to access it
# Please note that at the moment, we have support for only postgresqa.
# Example, if you are Batman, your config would be:
# url = "postgres://batman:password@batcave.org:5432/batcave"
# database_type = "postgres"
# pool = 4
url = "{{ mcaptcha_database_url }}" # "postgres://example.org" # hack for tests to run successfully
pool = "{{ mcaptcha_database_pool | default(4) }}" #4
{% if cache_type == 'redis' %}
[redis]
# This section deals with the database location and how to access it
# Please note that at the moment, we have support for only postgresqa.
# Example, if you are Batman, your config would be:
url = "{{ mcaptcha_redis_url }}" #"redis://127.0.0.1"
pool = "{{ mcaptcha_redis_pool | default(4) }}" #4
{% endif %}
[smtp]
from = "{{ mcaptcha_smtp_from }}" # "admin@localhost"
reply = "{{ mcaptcha_smtp_reply }}" #"admin@localhost"
url = "{{ mcaptcha_smtp_url }}" #"127.0.0.1"
port = "{{ mcaptcha_smtp_port }}" #10025
username = "{{ mcaptcha_smtp_username }}" #"admin"
password = "{{ mcaptcha_smtp_password }}" #"password"
#[survey]
#nodes = ["http://localhost:7001"]
#rate_limit = 10 # upload every hour
#instance_root_url = "http://localhost:7000"

View file

@ -0,0 +1,34 @@
[Unit]
Description=mCaptcha: PoW CAPTCHA system
After=syslog.target
After=network.target
{% if cache_type == 'redis' %}
Wants=redis.service
After=redis.service
{% endif %}
{% if database_type == 'postgres' %}
Wants=postgresql.service
After=postgresql.service
{% endif %}
{% if database_type == 'mariadb' %}
Wants=mariadb.service
After=mariadb.service
{% endif %}
[Service]
RestartSec=2s
Type=simple
User=mcaptcha
Group=mcaptcha
WorkingDirectory=/home/mcaptcha/
ExecStart=/usr/local/bin/mcaptcha
Restart=always
Environment=USER=mcaptcha HOME=/home/mcaptcha
[Install]
WantedBy=multi-user.target

View file

@ -0,0 +1,12 @@
server {
listen 80;
listen [::]:80;
server_name {{ mcaptcha_server_hostname }};
error_log /var/log/nginx/"{{ mcaptcha_server_hostname }}".error.log;
access_log /var/log/nginx/"{{ mcaptcha_server_hostname }}".access.log;
location / {
proxy_pass http://{{ mcaptcha_server_bind }}:{{ mcaptcha_server_port }};
proxy_set_header Host $host;
}
}

View file

@ -0,0 +1,136 @@
---
# Set this to the user ansible is logging in as - should have root
# or sudo access
mysql_user_home: "/home/{{ ansible_user_id }}"
mysql_user_name: "{{ ansible_user_id }}"
# The default root user installed by mysql - almost always root
mysql_root_home: /root
mysql_root_username: root
mysql_root_password: root
# Set this to `true` to forcibly update the root password.
mysql_root_password_update: true
mysql_user_password_update: true
mysql_enabled_on_startup: true
# Whether my.cnf should be updated on every run.
overwrite_global_mycnf: true
# The following variables have a default value depending on operating system.
# mysql_config_file: /etc/my.cnf
# mysql_config_include_dir: /etc/my.cnf.d
# Pass in a comma-separated list of repos to use (e.g. "remi,epel"). Used only
# for RedHat systems (and derivatives).
mysql_enablerepo: ""
# Define a custom list of packages to install; if none provided, the default
# package list from vars/[OS-family].yml will be used.
# mysql_packages:
# - mysql
# - mysql-server
# - MySQL-python
mysql_python_package_debian: python3-mysqldb
# MySQL connection settings.
mysql_port: "3306"
mysql_bind_address: '0.0.0.0'
mysql_skip_name_resolve: false
mysql_datadir: /var/lib/mysql
mysql_sql_mode: ~
# The following variables have a default value depending on operating system.
# mysql_pid_file: /var/run/mysqld/mysqld.pid
# mysql_socket: /var/lib/mysql/mysql.sock
# Log file settings.
mysql_log_file_group: mysql
# Slow query log settings.
mysql_slow_query_log_enabled: false
mysql_slow_query_time: "2"
# The following variable has a default value depending on operating system.
# mysql_slow_query_log_file: /var/log/mysql-slow.log
# Memory settings (default values optimized ~512MB RAM).
mysql_key_buffer_size: "256M"
mysql_max_allowed_packet: "64M"
mysql_table_open_cache: "256"
mysql_sort_buffer_size: "1M"
mysql_read_buffer_size: "1M"
mysql_read_rnd_buffer_size: "4M"
mysql_myisam_sort_buffer_size: "64M"
mysql_thread_cache_size: "8"
mysql_query_cache_type: "0"
mysql_query_cache_size: "16M"
mysql_query_cache_limit: "1M"
mysql_max_connections: "151"
mysql_tmp_table_size: "16M"
mysql_max_heap_table_size: "16M"
mysql_group_concat_max_len: "1024"
mysql_join_buffer_size: "262144"
# Other settings.
mysql_lower_case_table_names: "0"
mysql_wait_timeout: "28800"
mysql_event_scheduler_state: "OFF"
# InnoDB settings.
mysql_innodb_file_per_table: "1"
# Set .._buffer_pool_size up to 80% of RAM but beware of setting too high.
mysql_innodb_buffer_pool_size: "256M"
# Set .._log_file_size to 25% of buffer pool size.
mysql_innodb_log_file_size: "64M"
mysql_innodb_log_buffer_size: "8M"
mysql_innodb_flush_log_at_trx_commit: "1"
mysql_innodb_lock_wait_timeout: "50"
# These settings require MySQL > 5.5.
mysql_innodb_large_prefix: "1"
mysql_innodb_file_format: "barracuda"
# mysqldump settings.
mysql_mysqldump_max_allowed_packet: "64M"
# Logging settings.
mysql_log: ""
# The following variables have a default value depending on operating system.
# mysql_log_error: /var/log/mysql/mysql.err
# mysql_syslog_tag: mysql
mysql_config_include_files: []
# - src: path/relative/to/playbook/file.cnf
# - { src: path/relative/to/playbook/anotherfile.cnf, force: yes }
# Databases.
mysql_databases:
- name: mcaptcha
collation: utf8_general_ci
encoding: utf8
replicate: 1
# Users.
mysql_users:
- name: mcaptcha
priv: "mcaptcha.*:ALL"
password: "{{ database_password }}"
mysql_disable_log_bin: false
# Replication settings (replication is only enabled if master/user have values).
mysql_server_id: "1"
mysql_max_binlog_size: "100M"
mysql_binlog_format: "ROW"
mysql_expire_logs_days: "10"
mysql_replication_role: ''
mysql_replication_master: ''
mysql_replication_master_inventory_host: "{{ mysql_replication_master }}"
# Same keys as `mysql_users` above.
mysql_replication_user:
- name: mcaptcha
host: 127.0.0.1
mysql_hide_passwords: false

View file

@ -0,0 +1,48 @@
# Set postgresql state when configuration changes are made. Recommended values:
# `restarted` or `reloaded`
postgresql_restarted_state: "restarted"
postgresql_python_library: python-psycopg2
postgresql_user: postgres
postgresql_group: postgres
# `md5` or `scram-sha-256` (https://www.postgresql.org/docs/10/auth-methods.html)
postgresql_auth_method: "md5"
postgresql_unix_socket_directories:
- /var/run/postgresql
postgresql_service_state: started
postgresql_service_enabled: true
# Global configuration options that will be set in postgresql.conf.
postgresql_global_config_options:
- option: unix_socket_directories
value: '{{ postgresql_unix_socket_directories | join(",") }}'
- option: log_directory
value: 'log'
# Host based authentication (hba) entries to be added to the pg_hba.conf. This
# variable's defaults reflect the defaults that come with a fresh installation.
postgresql_hba_entries:
- {type: local, database: all, user: postgres, auth_method: peer}
- {type: local, database: all, user: all, auth_method: peer}
- {type: host, database: all, user: all, address: '127.0.0.1/32', auth_method: "{{ postgresql_auth_method }}"}
- {type: host, database: all, user: all, address: '::1/128', auth_method: "{{ postgresql_auth_method }}"}
# Debian only. Used to generate the locales used by PostgreSQL databases.
postgresql_locales:
- 'en_US.UTF-8'
# Users to ensure exist.
postgresql_users:
- name: "{{ database_owner }}" #required; the rest are optional
password: "{{ database_password }}"
# Databases to ensure exist.
postgresql_databases:
- name: "{{ database_name }}" # required; the rest are optional
owner: "{{ database_owner }}"
# Whether to output user data when managing users.
postgres_users_no_log: true

View file

@ -0,0 +1,70 @@
database_type: "postgres" # REQUIRED. options: "mariadb", "postgres"
cache_type: "redis" # REQUIRED. options: "embedded", "redis"
# database user
database_owner: "mcaptcha"
database_name: "mcaptcha"
# AUTO-GENERATED. database password
database_password: "{{ lookup('ansible.builtin.password', 'credentials/database_password', chars=['ascii_leters', 'digits'], length=32) }}"
# Database connection pool
mcaptcha_database_pool: 4
# debug logging
mcaptcha_debug: false
# doens't do anything at the moment
mcaptcha_commercial: false
# create demo user and allow demo login
mcaptcha_allow_demo: false
# allow registration of new accounts. Required for the first user account.
# Please edit to set to "false" and re-rerun playbook if registration is
# undesirable.
mcaptcha_allow_registration: true
# AUTO-GENERATED. Randomly generated unique value for signing cookies.
mcaptcha_server_cookie_secret: "{{ lookup('ansible.builtin.password', 'credentials/mcaptcha_server_cookie_secret', chars=['ascii_leters', 'digits'], length=32) }}"
# REQUIRED. mcaptcha server port. Won't be exposed to internet, change if something else
# is listening on binding IP and port combination.
mcaptcha_server_port: 7000
# REQUIRED. bind to IP. If using reverse proxy (playbook installs and configures nginx), set to 127.0.0.1.
mcaptcha_server_bind: "127.0.0.1"
# REQUIRED. hostname of the mcaptcha installation. Incorrect hostname will cause login failures.
mcaptcha_server_hostname: "mcaptcha.local"
# AUTO-GENERATED. IGNORE if unfamiliar.
mcaptcha_captcha_salt: "{{ lookup('ansible.builtin.password', 'credentials/mcaptcha_captha_salt', chars=['ascii_leters', 'digits'], length=32) }}"
# IGNORE if unfamiliar. # garbage collection period to manage mCaptcha system
# mcaptcha_captcha_gc: 30
# IGNORE if unfamiliar. Number of threads used to validate Proof-of-Work (PoW)
# mcaptcha_captcha_runners: 4
# IGNORE if unfamiliar. Maximum pending jobs in queue for PoW validation
# mcaptcha_captcha_queue_length: 2000
# Store PoW compute time statistics
mcaptcha_captcha_enable_stats: true
# IGNORE if unfamiliar. Difficulty factor for average traffic. Used in "easy mode" CAPTCHA configuration generation.
#mcaptcha_captcha_default_difficulty_strategy_avg_traffic_difficulty: 50000 # almost instant solution
# IGNORE if unfamiliar. Difficulty factor for peak traffic levels. Used in "easy mode" CAPTCHA configuration generation.
#mcaptcha_captcha_default_difficulty_strategy_peak_sustainable_traffic_difficulty: 3000000 # roughly 1.5s
# IGNORE if unfamiliar. Difficulty factor for maximum traffic levels. Used in "easy mode" CAPTCHA configuration generation.
#mcaptcha_captcha_default_difficulty_strategy_broke_my_site_traffic_difficulty: 5000000 # greater than 3.5s
# IGNORE if unfamiliar. Default cooldown period in seconds for "easy mode".
mcaptcha_captcha_default_difficulty_strategy_avg_duration: 30
# Redis instance URL
mcaptcha_redis_url: "redis://127.0.0.1"
# Redis connection pool
mcaptcha_redis_pool: 4
# smtp configuration
mcaptcha_smtp_from: "admin@localhost"
mcaptcha_smtp_reply: "admin@localhost"
mcaptcha_smtp_url: "127.0.0.1"
mcaptcha_smtp_port: 10025
mcaptcha_smtp_username: "admin"
mcaptcha_smtp_password: "password"
#[survey]
#nodes = ["http://localhost:7001"]
#rate_limit = 10 # upload every hour
#instance_root_url = "http://localhost:7000"

21
renovate.json Normal file
View file

@ -0,0 +1,21 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": [
"config:recommended",
":dependencyDashboard"
],
"labels": [
"renovate-bot"
],
"prHourlyLimit": 0,
"timezone": "Asia/kolkata",
"prCreation": "immediate",
"vulnerabilityAlerts": {
"enabled": true,
"labels": [
"renovate-bot",
"renovate-security",
"security"
]
}
}

View file

@ -1,289 +1,31 @@
ansible==8.1.0 ansible==9.1.0
ansible-core==2.15.1 ansible-core==2.16.2
certifi==2023.5.7 certifi==2023.11.17
cffi==1.15.1 cffi==1.16.0
charset-normalizer==3.2.0 charset-normalizer==3.3.2
contextvars==2.4 contextvars==2.4
cryptography==41.0.2 cryptography==41.0.7
distro==1.8.0 distro==1.8.0
execnet==2.0.2 execnet==2.0.2
idna==3.4 idna==3.6
immutables==0.19 immutables==0.20
iniconfig==2.0.0 iniconfig==2.0.0
Jinja2==3.1.2 Jinja2==3.1.2
jmespath==1.0.1 jmespath==1.0.1
looseversion==1.3.0 looseversion==1.3.0
MarkupSafe==2.1.3 MarkupSafe==2.1.3
msgpack==1.0.5 msgpack==1.0.7
packaging==23.1 packaging==23.2
pluggy==1.2.0 pluggy==1.3.0
psutil==5.9.5 psutil==5.9.6
pycparser==2.21 pycparser==2.21
pycryptodomex==3.18.0 pycryptodomex==3.19.0
pytest==7.4.0 pytest==7.4.3
pytest-testinfra==8.1.0 pytest-testinfra==10.0.0
pytest-xdist==3.3.1 pytest-xdist==3.5.0
PyYAML==6.0
pyzmq==25.0.2
requests==2.31.0
resolvelib==1.0.1
salt==3006.1
urllib3==2.0.3
airdrop-ng==1.1
airgraph-ng==1.1
apparmor==3.1.6
appdirs==1.4.4
argcomplete==2.0.0
asttokens==2.2.1
async-timeout==4.0.2
attrs==22.2.0
autocommand==2.2.2
autopage==0.5.1
Babel==2.12.1
beautifulsoup4==4.12.2
binwalk==2.3.3
black==23.7.0
borgbackup==1.2.4
Brlapi==0.8.5
btrfsutil==6.3.3
certifi==2023.7.22
cffi==1.15.1
chardet==5.2.0
charset-normalizer==3.2.0
click==8.1.6
cliff==4.3.0
cmd2==2.4.3
codespell==2.2.5
colorama==0.4.6
ConfigArgParse==1.5.3
contourpy==1.1.0
crit==3.18
cryptography==41.0.3
cupshelpers==1.0
cycler==0.11.0
Cython==3.0.0
dbus-python==1.3.2
debtcollector==2.5.0
decorator==5.1.1
defusedxml==0.7.1
deprecation==2.1.0
devtools==0.11.0
distlib==0.3.7
distro==1.8.0
dnspython==2.3.0
dogpile.cache==1.1.8
executing==1.2.0
fastjsonschema==2.18.0
filelock==3.12.2
fonttools==4.42.0
gevent==22.10.2
git-filter-repo==2.38.0
gpg==1.21.0
greenlet==2.0.2
html5lib==1.1
httpie==3.2.1
idna==3.4
importlib-metadata==5.0.0
inflect==7.0.0
iotop==0.6
iso8601==2.0.0
jaraco.context==4.3.0
jaraco.functools==3.8.1
jaraco.text==3.11.1
jedi==0.18.2
jmespath==1.0.1
jsonpatch==1.33
jsonpointer==2.4
jsonschema==4.19.0
jsonschema-specifications==2023.7.1
keystoneauth1==5.2.1
kiwisolver==1.4.4
lensfun==0.3.4
LibAppArmor==3.1.6
libfdt==1.7.0
libtorrent==2.0.9
libvirt-python==9.6.0
lit==15.0.7.dev0
louis==3.26.0
lxml==4.9.2
Mako==1.2.4
mallard-ducktype==1.0.2
Markdown==3.4.4
markdown-it-py==2.2.0
MarkupSafe==2.1.3
matplotlib==3.7.2
mdurl==0.1.2
MemoizeDB==2021.11.20.2.41.2
meson==1.2.1
more-itertools==10.1.0
msgpack==1.0.5
multidict==6.0.4
mypy-extensions==1.0.0
netaddr==0.8.0
netifaces==0.11.0
nftables==0.1
numpy==1.25.1
openshot-qt==3.1.1
openstacksdk==1.0.1
ordered-set==4.1.0
os-service-types==1.7.0
osc-lib==2.8.0
oslo.config==9.1.1
oslo.i18n==6.0.0
oslo.serialization==5.1.1
oslo.utils==6.1.0
packaging==23.1
parso==0.8.3
pathspec==0.11.2
pbr==5.11.1
perf==0.1
Pillow==10.0.0
pipenv==2023.7.23
pipx==1.2.0
platformdirs==3.10.0
ply==3.11
pm2ml==2021.11.20.2.41.2
pooch==1.7.0
Powerpill==2021.11.20.2.41.2
prettytable==3.6.0
protobuf==4.23.4
psutil==5.9.5
pwquality==1.4.5
pyalpm==0.10.6
pyasn1==0.4.8
pybind11==2.11.1
pycairo==1.24.0
pycparser==2.21
pycups==2.0.1
pycurl==7.45.2
pydantic==1.10.9
Pygments==2.16.1
PyGObject==3.44.1
pynvim==0.4.3
pyOpenSSL==23.2.0
pyparsing==3.0.9
pyperclip==1.8.2
PyQt5==5.15.9
PyQt5-sip==12.12.2
PyQtWebEngine==5.15.6
pyrsistent==0.19.3
pysequoia==0.1.20
PySocks==1.7.1
python-cinderclient==9.3.0
python-dateutil==2.8.2
python-glanceclient==4.1.0
python-keystoneclient==5.1.0
python-novaclient==18.3.0
python-openstackclient==6.2.0
pytz==2023.3
pyxdg==0.28
PyYAML==6.0.1 PyYAML==6.0.1
pyzmq==25.1.1 pyzmq==25.1.2
redis==4.6.0
referencing==0.30.2
Reflector==2023.6.28.0.36.1
requests==2.28.2
requests-toolbelt==1.0.0
requestsexceptions==1.4.0
rfc3986==2.0.0
rich==13.5.2
rpds-py==0.9.2
rpm==4.18.1
scipy==1.11.1
simplejson==3.19.1
six==1.16.0
soupsieve==2.4.1
stevedore==5.1.0
TBB==0.2
tomli==2.0.1
torbrowser-launcher==0.3.6
tqdm==4.65.0
trash-cli==0.23.2.13.2
trimage==1.0.6
trove-classifiers==2023.8.8
typing_extensions==4.7.1
uc-micro-py==1.0.2
ufw==0.36.2
urllib3==1.26.15
userpath==1.8.0
validate-pyproject==0.13.post1.dev0+gb752273.d20230520
vboxapi==1.0
virtualenv==20.24.3
virtualenv-clone==0.5.7
warlock==2.0.1
wcwidth==0.2.6
webencodings==0.5.1
wrapt==1.14.1
XCGF==2021.11.20.2.41.3
XCPF==2021.12.24.10.22.41
youtube-dl==2021.12.17
yt-dlp==2023.7.6
zipp==3.16.2
zope.event==5.0
zope.interface==6.0
ansible==8.1.0
ansible-compat==4.1.6
ansible-core==2.15.1
ansible-lint==6.17.2
astroid==2.15.6
attrs==23.1.0
black==23.7.0
bracex==2.3.post1
certifi==2023.5.7
cffi==1.15.1
charset-normalizer==3.2.0
click==8.1.6
contextvars==2.4
cryptography==41.0.2
dill==0.3.7
distro==1.8.0
execnet==2.0.2
filelock==3.12.2
gitdb==4.0.10
GitPython==3.1.32
idna==3.4
immutables==0.19
iniconfig==2.0.0
isort==5.12.0
Jinja2==3.1.2
jmespath==1.0.1
jsonschema==4.19.0
jsonschema-specifications==2023.7.1
lazy-object-proxy==1.9.0
lint==1.2.1
looseversion==1.3.0
markdown-it-py==3.0.0
MarkupSafe==2.1.3
mccabe==0.7.0
mdurl==0.1.2
msgpack==1.0.5
mypy-extensions==1.0.0
packaging==23.1
pathspec==0.11.2
platformdirs==3.10.0
pluggy==1.2.0
psutil==5.9.5
pycparser==2.21
pycryptodomex==3.18.0
Pygments==2.16.1
pylint==2.17.5
pytest==7.4.0
pytest-testinfra==8.1.0
pytest-xdist==3.3.1
PyYAML==6.0
pyzmq==25.0.2
referencing==0.30.2
requests==2.31.0 requests==2.31.0
resolvelib==1.0.1 resolvelib==1.0.1
rich==13.5.2 salt==3006.4
rpds-py==0.9.2 urllib3==2.1.0
ruamel.yaml==0.17.32
ruamel.yaml.clib==0.2.7
salt==3006.1
smmap==5.0.0
subprocess-tee==0.4.1
tomlkit==0.12.1
urllib3==2.0.3
wcmatch==8.4.1
wrapt==1.15.0
yamllint==1.32.0

84
scripts/ci.sh Executable file
View file

@ -0,0 +1,84 @@
#!/bin/bash
# ci.sh: Helper script to automate deployment operations on CI/CD
# Copyright © 2022 Aravinth Manivannan <realaravinth@batsense.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
set -xEeuo pipefail
#source $(pwd)/scripts/lib.sh
readonly SSH_ID_FILE=/tmp/ci-ssh-id
match_arg() {
if [ $1 == $2 ] || [ $1 == $3 ]
then
return 0
else
return 1
fi
}
help() {
cat << EOF
USAGE: ci.sh [SUBCOMMAND]
Helper script to automate deployment operations on CI/CD
Subcommands
-c --clean cleanup secrets, SSH key and other runtime data
-i --init <SSH_PRIVATE_KEY> initialize environment, write SSH private to file
-h --help print this help menu
EOF
}
# $1: SSH private key
write_ssh(){
truncate --size 0 $SSH_ID_FILE
echo "$1" > $SSH_ID_FILE
chmod 600 $SSH_ID_FILE
}
clean() {
if [ -f $SSH_ID_FILE ]
then
shred $SSH_ID_FILE
rm $SSH_ID_FILE
fi
}
if (( "$#" < 1 ))
then
help
exit -1
fi
if match_arg $1 '-i' '--init'
then
if (( "$#" < 2 ))
then
help
exit -1
fi
write_ssh "$2"
elif match_arg $1 '-c' '--clean'
then
clean
elif match_arg $1 '-h' '--help'
then
help
else
help
fi

View file

@ -17,7 +17,7 @@ variable "libvirt_pool_path" {
variable "libvirt_debian_src" { variable "libvirt_debian_src" {
description = "Location of Debian 11 qcow2 image" description = "Location of Debian 11 qcow2 image"
type = string type = string
default = "/home/atm/disk-images/debian/11/cloud/debian-11-genericcloud-amd64.qcow2" default = "/home/atm/disk-images/debian/12/clould/debian-12-generic-amd64.qcow2"
} }
/* demo server */ /* demo server */

45
terraform/mcaptcha/.gitignore vendored Normal file
View file

@ -0,0 +1,45 @@
# Compiled files
*.tfstate
*.tfstate.backup
*.tfstate.lock.info
# logs
*.log
# Directories
.terraform/
.vagrant/
# SSH Keys
*.pem
# Backup files
*.bak
# Ignored Terraform files
*gitignore*.tf
# Ignore Mac .DS_Store files
.DS_Store
# Ignored vscode files
.vscode/
# Ignore Any Generated JSON Files
operations/automation-script/apply.json
operations/automation-script/configversion.json
operations/automation-script/run.template.json
operations/automation-script/run.json
operations/automation-script/variable.template.json
operations/automation-script/variable.json
operations/automation-script/workspace.template.json
operations/automation-script/workspace.json
operations/sentinel-policies-scripts/create-policy.template.json
operations/sentinel-policies-scripts/create-policy.json
operations/variable-scripts/variable.template.json
operations/variable-scripts/variable.json
# Sentinel runtime directory
.sentinel
dos
hosts.ini

View file

@ -0,0 +1,53 @@
# This file is maintained automatically by "tofu init".
# Manual edits may be lost in future updates.
provider "registry.opentofu.org/dmacvicar/libvirt" {
version = "0.7.6"
constraints = "~> 0.7.0"
hashes = [
"h1:mmbm4vTyC/DCGO4Ed/vbp5AKvy1gmVn/94fzB9VmR08=",
"zh:0bde54f6f658b20b620b875daf106b5b25b1bae4d15408d6c5f06d58360e254d",
"zh:0c97c6930015918b8a34b6d7a2b0c3d17a649c226fcd1874fcba5bbbc0f35972",
"zh:1bdd7aa0011c5f024a09a124836ee9bc8e71b05a6ece810c61824275fd3f695f",
"zh:2b0cc7c794e4caf395d84ffff0b380d17e4b3219a4696264271bfe5059450efe",
"zh:2f8633f7fe07f76c188836ed6f93321ec5fbf5c004bc7699e1741d9b21ed5f37",
"zh:5bf47eed286ce55ed10a5cf657de49a34ab21cc8677c56fef3aab69cdde41a27",
"zh:7dca790fc5fd1d42bc4bc7170be003a7093602026d0f95c8aab84ad551fdf2a4",
"zh:80476b68bc84e3d661d1390025f83879b88f9cdc836de9751af09bd5716089cb",
"zh:82f3e2f3f50176cd6041c8ba36e295cbda1b289ef52ab75b5eceb0f921f64f7b",
"zh:a179b165f3b9bb9a67ebbbf9d73157ded33f02d476b2f58906389dca03b653c9",
"zh:acae54a5d0616f22b3180ddd8e8aad39af664e604394fdacf1f7b337bca2d5b4",
"zh:da4406a2428a9a7e98272c032cb93431c3919253af2fe9934b532d26c0deab09",
"zh:f63dbd8e579ab5268d01ffab4503b8a8e736b70d1a04e4f271559ba8dd133dcd",
"zh:f85c1d9e51a94ecde137435c9d6b0fb7be590437ea8a725334d1577eebbc550c",
]
}
provider "registry.opentofu.org/hashicorp/local" {
version = "2.4.0"
hashes = [
"h1:pWJMQ+uRtVtHg97vU2zSCuYcZTuDQ7FJz+QanfSGMXM=",
"zh:184d6ec1f0e77713b37f0d9cf943b1371f2aa2f44c2c5a618978e897ce3dccab",
"zh:2205a7955a4051c2c25e69646a60746d9416b73001491808ae5d10620f7b7ac1",
"zh:256ddc56457f725819dc6be62f2d0bb3b9fee40a61771317bb32353df5b5c1a0",
"zh:70146e603f540523f6fa2251dd52c225db5a92bda8c07fd198ed51ae2b50176b",
"zh:8c3f9fe12ab8843e25ff7edabc26e01df4a0e8db204e432600a4c77a95ec0535",
"zh:b003e421f643d14247d31dcb7f0f6470c46f772d0e15a175a555a525ce344bf2",
"zh:b4c8ad7c5696aeb2a52adf6047d1e01943fafa57dc123d5192542527406ffd72",
"zh:c3b6fbfa431f3c085621c74596ee63681a278fd433a4758f33c627e8936d5cb3",
"zh:d2e57b19295b326d84ca5f39b797849d901170d5509aa7558f2a6545c9ce72a9",
"zh:e2307421b0b380eb0e8fcee008e0af98ae30fccbfc9e9a1d24d952489e9b0df9",
]
}
provider "registry.opentofu.org/hashicorp/template" {
version = "2.2.0"
hashes = [
"h1:tdS0otiAtvUV8uLJWJNfcqOPo3llj7FyRzExw6X1srY=",
"zh:374c28bafc43cd65e578cb209efc9eee4c1cec7618f451528e928db98059e8c8",
"zh:6a2982e70fbc2ab2668d624c648ef2eb32243c1a1185246b03991a7a21326db9",
"zh:af83169c21bb13f141510a349e1f70cf7d893247a269bd71cad74dd22f1df0f5",
"zh:b81a5bedc91a1a81b938c393247248d6c3d1bd8ea685541f9c858908c0afb6b3",
"zh:de15486244af2d29d44d510d647cd6e0b1408e89952261013c572b7c9bfd744b",
]
}

View file

@ -0,0 +1,5 @@
libvirt_uri = "qemu+ssh://mcaptcha-ci@192.168.0.102/system?keyfile=/tmp/ci-ssh-id&sshauth=privkey&no_verify=1"
libvirt_pool_path = "/home/mcaptcha-ci/libvirt/pool/mcaptcha_basic"
libvirt_debian_src = "http://192.168.0.102/debian-12-generic-amd64.qcow2"
macvtap_ethernet_interface = "enp2s0"
ssh_public_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCYagT9/PXoeaUae7Z3BKOPKBiEvJsCTUIhPCcRp5fb mcaptcha-ci@hellbat.batsense.net"

View file

@ -0,0 +1,30 @@
#cloud-config
# vim: syntax=yaml
packages:
- sudo
- qemu-guest-agent
runcmd:
- [ systemctl, daemon-reload ]
- [ systemctl, enable, qemu-guest-agent.service ]
- [ systemctl, start, --wait, qemu-guest-agent.service ]
users:
- name: root
ssh_authorized_keys:
- ${ssh_public_key}
- name: atm
gecos: Aravinth Manivannan
groups: users, admin
sudo: ALL=(ALL) NOPASSWD:ALL
shell: /bin/bash
lock_passwd: true
plain_text_passwd: fooabr12
ssh_authorized_keys:
- ${ssh_public_key}
ssh_pwauth: true
chpasswd:
list: |
root:foobar12
atm:foobar12
expire: False

View file

@ -0,0 +1,49 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
terraform {
required_version = ">= 0.13"
required_providers {
libvirt = {
source = "dmacvicar/libvirt"
version = "~> 0.7.0"
}
}
}
provider "libvirt" {
uri = var.libvirt_uri
}
resource "libvirt_pool" "mcaptcha_basic" {
name = "mcaptcha_basic"
type = "dir"
path = var.libvirt_pool_path
}
resource "libvirt_volume" "debian-mcaptcha-qcow2" {
name = "debian-mcaptcha-qcow2"
pool = libvirt_pool.mcaptcha_basic.name
source = var.libvirt_debian_src
format = "qcow2"
}
data "template_file" "user_data" {
template = file("${path.module}/cloud_init.cfg")
vars = {
ssh_public_key = var.ssh_public_key
}
}
data "template_file" "network_config" {
template = file("${path.module}/network_config.cfg")
}
resource "libvirt_cloudinit_disk" "commoninit" {
name = "commoninit.iso"
user_data = data.template_file.user_data.rendered
network_config = data.template_file.network_config.rendered
pool = libvirt_pool.mcaptcha_basic.name
}

BIN
terraform/mcaptcha/mcaptcha Normal file

Binary file not shown.

View file

@ -0,0 +1,56 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
resource "libvirt_volume" "mcaptcha_volume" {
name = "mcaptcha_volume-${count.index}"
base_volume_id = libvirt_volume.debian-mcaptcha-qcow2.id
count = var.mcaptcha_vm_count
pool = libvirt_pool.mcaptcha_basic.name
size = var.mcaptcha_vm_disk_size
}
resource "libvirt_domain" "mcaptcha_mcaptcha" {
count = var.mcaptcha_vm_count
name = "mcaptcha_mcaptcha_${count.index}"
memory = var.mcaptcha_vm_memory
vcpu = var.mcaptcha_vm_vcpu
qemu_agent = true
cloudinit = libvirt_cloudinit_disk.commoninit.id
console {
type = "pty"
target_port = "0"
target_type = "serial"
}
console {
type = "pty"
target_type = "virtio"
target_port = "1"
}
network_interface {
macvtap = var.macvtap_ethernet_interface
wait_for_lease = true
}
disk {
volume_id = element(libvirt_volume.mcaptcha_volume.*.id, count.index)
}
}
locals {
mcaptcha_vm_ips = [for i in libvirt_domain.mcaptcha_mcaptcha : i.network_interface.0.addresses[0]]
mcaptcha_vm_names = [for i in libvirt_domain.mcaptcha_mcaptcha : i.name]
mcaptcha_vm_map = [for i in libvirt_domain.mcaptcha_mcaptcha : {
ip = i.network_interface.0.addresses[0],
name = i.name
}]
}

View file

@ -0,0 +1,5 @@
version: 2
ethernets:
ens3:
dhcp4: true
# ip: 192.168.0.115

View file

@ -0,0 +1,20 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
output "mcaptcha_mcaptcha_ip" {
value = local.mcaptcha_vm_map
}
resource "local_file" "hosts_yml" {
content = templatefile("./templates/hosts.yml.tftpl",
{
mcaptcha_vms_ips = local.mcaptcha_vm_ips,
mcaptcha_vms_names = local.mcaptcha_vm_names,
mcaptcha_vms = local.mcaptcha_vm_map
})
filename = "hosts.ini"
}

View file

@ -0,0 +1,7 @@
#!/bin/bash
for vm in $(virsh list --all --name --state-shutoff); do \
echo "[*] Starting vm: $vm"; \
virsh start $vm; \
done

View file

@ -0,0 +1,4 @@
[mcaptcha_hosts]
%{ for vm in mcaptcha_vms ~}
${vm.name} ansible_host=${vm.ip} ansible_user=atm
%{ endfor ~}

View file

@ -0,0 +1,58 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
/* main.tf */
variable "libvirt_uri" {
description = "URI of libvert socket"
type = string
default = "qemu:///system"
}
variable "libvirt_pool_path" {
description = "Path of libvirt storage pool"
type = string
default = "/home/atm/code/libvirt/pool/mcaptcha_basic"
}
variable "libvirt_debian_src" {
description = "Location of Debian 11 qcow2 image"
type = string
default = "/home/atm/disk-images/debian/12/clould/debian-12-generic-amd64.qcow2"
}
/* mcaptcha/mcaptcha server server */
variable "mcaptcha_vm_count" {
description = "Number of VMs to be deployed to run mcaptcha/mcaptcha"
type = number
default = 1
}
variable "mcaptcha_vm_disk_size" {
description = "Size of disk of VMs running mcaptcha/mcaptcha in bytes"
type = number
default = 8000000000 # 8GB
}
variable "mcaptcha_vm_memory" {
description = "Memory of VMs running mcaptcha/mcaptcha in MB"
type = number
default = 2000 # 2GB
}
variable "mcaptcha_vm_vcpu" {
description = "Number of CPUs of VMs running mcaptcha/mcaptcha"
type = number
default = 4
}
variable "macvtap_ethernet_interface" {
description = "Ethernet interface on the host machine that can be used as macvtap"
type = string
default = "enp2s0"
}
variable "ssh_public_key" {
description = "Set up SSH login for this public key"
type = string
default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/wXdHpwpY/4ubhYTmuNdGepQpj1kchvTUTApxMZyfyVW4uzrPRTYsle1y9QbTBV35qLkNajRC/wmC5/xPchdXpsJpuD9st1HMhLeR8qwaPyptiYJYT+z/WisWw2k6oWhG3QKvPoRtBdW9nhZnkG+O6zkuGXiRHpS7j2VVboDPpWEe1UdELQFVCwfraRal2g3ENFZ/9V1UrW/4ahRnQnSxERplZUm/fgSxQtmXubTkW68ut7yasBsrKFffMm8JztW0tWgTlTKONd3LCjv4juM0t5+cJDotNDnUR86Tq2PG8io7no/h8BWtazmjdpfGgn02ibX26BkdU0LDEYbJt5q9/Fh9TGk2ZwcMQeyepO1AWQgkmHXZWZELqu6MLQpqdtsOjHp9k0MeSpuIbdwzgf10Ydy7vK1z8irS24tVNNnJaMBwOlVOPwfyztHRADPkFcv2lKSjS1uyKR0FIkV8Kvs4txaIjmwv2LfMg6lF5W6j3ZPLyeE4cplJP0DDjzorSanu31xVnqVb3A8V9awsJ/4H7d59bI99c7QHL4K3fBVP3O0gqd31xAVRsdGs5Tj2P+RpiI6o5JJiOa1+DuBdWzrVIXYchQ30ZjaJp1wTNsYLmAsjeYuQZE2tf1xvywdzD4MB4avugDEWikzRWN9V5PHDZr1bamTCCjOrb2PRCd7eSQ== aravinth7820@gmail.com"
}

22
tests/cache/base.py vendored Normal file
View file

@ -0,0 +1,22 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
import os
def test_redis_is_listening(host):
socket = host.socket(f"tcp://0.0.0.0:6379")
assert socket.is_listening
def test_redis_config_exists(host):
config = host.file("/etc/redis/redis.conf")
assert config.exists
assert config.is_file
def test_redis_service_running_and_enabled(host):
service = host.service("redis")
assert service.is_running
assert service.is_enabled

39
tests/mcaptcha/base.py Normal file
View file

@ -0,0 +1,39 @@
# SPDX-FileCopyrightText: 2023 Aravinth Manivannan <realaravinth@batsense.net>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
import os
import requests
def test_mcaptcha_nginx_is_listening(host):
socket = host.socket(f"tcp://127.0.0.1:80")
assert socket.is_listening
def test_mcaptcha_config_exists(host):
config = host.file("/etc/mcaptcha/config.toml")
assert config.exists
assert config.is_file
def test_mcaptcha_health(host):
url = f"http://{host.interface.default().addresses[0]}/api/v1/meta/health"
resp = requests.get(url, headers={"Host": "mcaptcha.local"})
assert resp.status_code == 200
data = resp.json()
if "redis" in data:
assert data["redis"] is True
assert data["db"] is True
def test_nginx_service_running_and_enabled(host):
service = host.service("nginx")
assert service.is_running
assert service.is_enabled
def test_mcaptcha_service_running_and_enabled(host):
service = host.service("mcaptcha")
assert service.is_running
assert service.is_enabled

View file

@ -38,7 +38,6 @@ def test_pkgis_installed(host):
"python3-pip", "python3-pip",
"virtualenv", "virtualenv",
"python3-setuptools", "python3-setuptools",
"ntp",
"ufw", "ufw",
]: ]:
assert host.package(pkg).is_installed assert host.package(pkg).is_installed