From: Christian Heller Date: Tue, 15 Apr 2025 11:33:10 +0000 (+0200) Subject: Add catgirl logss encryption. X-Git-Url: https://plomlompom.com/repos/%22https:/validator.w3.org/%7B%7Bprefix%7D%7D/condition?a=commitdiff_plain;h=9dadd5c30072166b51ff19d39eb0779f73bb8f80;p=config Add catgirl logss encryption.
---
diff --git a/bookworm/aptmark/catgirl b/bookworm/aptmark/catgirl
index ddab378..be0a8b4 100644
--- a/bookworm/aptmark/catgirl
+++ b/bookworm/aptmark/catgirl
@@ -1,4 +1,7 @@
 # IRC
-tmux
 catgirl
+# for detachable sessions
+tmux
+# for logs encryption
+age
 #
diff --git a/bookworm/etc/caddy/caddy/Caddyfile b/bookworm/etc/caddy/caddy/Caddyfile
index 788e8f7..1eddd83 100644
--- a/bookworm/etc/caddy/caddy/Caddyfile
+++ b/bookworm/etc/caddy/caddy/Caddyfile
@@ -1,6 +1,6 @@
 REPLACE_WITH_FQDN {
 root * /var/www/dump
- basic_auth /private/* {
+ basicauth /private/* {
 user REPLACE_WITH_HASH
 }
 file_server browse
diff --git a/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service
new file mode 100644
index 0000000..3529295
--- /dev/null
+++ b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Run script for encrypting catgirl logs.
+[Service]
+Type=oneshot
+User=plom
+ExecStart=/bin/sh -c 'encrypt_catgirl_logs'
diff --git a/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer
new file mode 100644
index 0000000..c650376
--- /dev/null
+++ b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run service for encrypting catgirl logs once every day.
+[Timer]
+OnCalendar=*-*-* 01:00:00
+[Install]
+WantedBy=timers.target
diff --git a/bookworm/home/catgirl/.config/catgirl/libera b/bookworm/home/catgirl/.config/catgirl/libera
index 5d04ff2..68c04eb 100644
--- a/bookworm/home/catgirl/.config/catgirl/libera
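Review bot: `basicauth` is the pre-2.8 spelling of the directive; Caddy 2.8 renamed it to `basic_auth` and treats `basicauth` as deprecated, so this hunk moves to the older name without saying why. If the motivation is that the Caddy packaged for bookworm does not yet know `basic_auth`, record that next to the directive, e.g. `# basicauth (not basic_auth): the packaged caddy predates the 2.8 rename`, so a later package upgrade does not silently regress the other way. The commit message mentions only log encryption, so this unrelated change is easy to miss in review.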
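Review bot: `ExecStart=/bin/sh -c 'encrypt_catgirl_logs'` relies on a PATH lookup, but systemd starts services with its own default PATH of the system bin directories, which does not include the user's `~/.local/bin` where this commit installs the script, so the unit would fail with exit status 127 every night. The script is installed executable with a shebang, so the shell wrapper is unnecessary: `ExecStart=/home/plom/.local/bin/encrypt_catgirl_logs` (adjust if the repo's `home/catgirl` tree is installed somewhere other than the `plom` home; the unit alone does not say). Since this unit is the only consumer of the plaintext logs, it is also a good candidate for `ProtectSystem=strict` with `ReadWritePaths=` limited to the log and archive directories.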
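Review bot: A run missed because the host is down or suspended at 01:00 is skipped until the next night, which leaves an extra day of plaintext on disk; adding `Persistent=true` under `[Timer]` makes systemd catch up the missed trigger at the next boot. If the 01:00 slot was chosen so that the previous day's log file is complete before it is encrypted, a one-line comment saying so would help whoever later changes the schedule.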
+++ b/bookworm/home/catgirl/.config/catgirl/libera
@@ -1,3 +1,4 @@
 host = irc.libera.chat
 join = #plomtest
-sasl-plain = plomlompom:REPLACE_WITH_SASL_PASSWORD
+sasl-plain = plomtest:REPLACE_WITH_SASL_PASSWORD
+log
diff --git a/bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs b/bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs
new file mode 100755
index 0000000..469f4eb
--- /dev/null
+++ b/bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+cd $(dirname "$0")
+. lib/expect_n_args
+. lib/constants_catgirl # PATH_USER_SHARE_CATGIRL
+expect_n_args 0
+PATH_LOGS="${PATH_USER_SHARE_CATGIRL}/log"
+PATH_ENCRYPTED_LOGS="${HOME}/logs_encrypted"
+PATH_ENCRYPTION_KEY="${HOME}/.plomlib/encrypt_with.pub"
+TODAY="$(date +'%Y-%m-%d')"
+for _PATH_LOG in $(ls -1 "${PATH_LOGS}/*/*/*.log"); do
+ _FILENAME=$(basename "${PATH_LOG})"
+ _DATE_OF_LOG=$(echo "${FILENAME}" | cut -d'.' -f1)
+ _DIRNAME=$(dirname "${PATH_LOG}"
+ _WINDOW_OF_LOG=$(basename "${_DIRNAME}"
+ _DIRNAME=$(dirname "${_DIRNAME}"
+ _NETWORK_OF_LOG=$(basename "${_DIRNAME}"
+ if [ "${_DATE_OF_LOG}" < "${TODAY}" ]; then
+ _PATH_TARGET="${PATH_ENCRYPTED_LOGS}/${_NETWORK_OF_LOG}/${_WINDOW_OF_LOG}"
+ mkdir -p "${_PATH_TARGET}"
+ age -R "${PATH_ENCRYPTION_KEY}" "${_PATH_LOG}" > "${_PATH_TARGET}/${_FILENAME}.age"
+ rm "${_PATH_LOG}"
+ fi
+done
diff --git a/bookworm/home/catgirl/.plomlib/constants_catgirl b/bookworm/home/catgirl/.plomlib/constants_catgirl
new file mode 100644
index 0000000..daa6b56
--- /dev/null
+++ b/bookworm/home/catgirl/.plomlib/constants_catgirl
@@ -0,0 +1,4 @@
+. lib/constants_user # PATH_USER_HOME
+PATH_USER_SHARE_CATGIRL="${PATH_USER_HOME}/.local/share/catgirl"
diff --git a/bookworm/home/catgirl/.plomlib/encrypt_with.pub b/bookworm/home/catgirl/.plomlib/encrypt_with.pub
new file mode 100644
index 0000000..ddd5ba1
--- /dev/null
+++ b/bookworm/home/catgirl/.plomlib/encrypt_with.pub
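Review bot: The new `sasl-plain` line keeps the placeholder `REPLACE_WITH_SASL_PASSWORD`, but setup_catgirl.sh in this same commit now substitutes `REPLACE_WITH_IRC_PASSWORD`, so the sed never matches and catgirl would try to authenticate with the literal placeholder string. Either rename it here, `sasl-plain = plomtest:REPLACE_WITH_IRC_PASSWORD`, or keep the old pattern in the setup script. The bare `log` directive turns on plaintext logging under catgirl's data directory, which is exactly what the new nightly job is meant to clean up, so a comment such as `# log: plaintext day files, encrypted nightly by encrypt_catgirl_logs` would tie the two together for the next reader.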
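Review bot: The loop never encrypts anything and the script as written does not even parse: the glob in `$(ls -1 "${PATH_LOGS}/*/*/*.log")` is quoted, so ls receives a literal `*` path and fails; `$(dirname "${PATH_LOG}"` and the three lines after it are missing their closing parenthesis; the loop variable is `_PATH_LOG` but the body reads `PATH_LOG` and `FILENAME`, which are unset; and in POSIX sh `[ "$a" < "$b" ]` is an input redirection from a file named after today's date, not a string comparison. Iterate the glob directly with a guard for the no-match case, use one consistent variable name, and compare against today with `!=` — the file name is already assumed to start with the date (that is what the original `cut -d'.' -f1` relied on), so "not today" is the same as "older than today" for files catgirl produced. The `rm` runs only after a successful `age` thanks to `set -e`, which is the right order and is kept. The rewrite below replaces the body from the `for` line through `done`.
```shell
# … unchanged: set -e, library sourcing, PATH_* constants and TODAY …
for _PATH_LOG in "${PATH_LOGS}"/*/*/*.log; do
    [ -f "${_PATH_LOG}" ] || continue  # unmatched glob stays literal: nothing to do
    _FILENAME=$(basename "${_PATH_LOG}")
    _DATE_OF_LOG="${_FILENAME%%.*}"    # file name is expected to start with YYYY-MM-DD
    _DIRNAME=$(dirname "${_PATH_LOG}")
    _WINDOW_OF_LOG=$(basename "${_DIRNAME}")
    _NETWORK_OF_LOG=$(basename "$(dirname "${_DIRNAME}")")
    # Today's file is still being appended to; everything else is final.
    if [ "${_DATE_OF_LOG}" != "${TODAY}" ]; then
        _PATH_TARGET="${PATH_ENCRYPTED_LOGS}/${_NETWORK_OF_LOG}/${_WINDOW_OF_LOG}"
        mkdir -p "${_PATH_TARGET}"
        # set -e: a failing age aborts the script before the plaintext is removed
        age -R "${PATH_ENCRYPTION_KEY}" "${_PATH_LOG}" > "${_PATH_TARGET}/${_FILENAME}.age"
        rm "${_PATH_LOG}"
    fi
done
```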
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoMa288S7iHnw8lEaSQTTK8pSJwBEWCCyPJF7zewbXrgGoHHXAYD88AJFrULBivTk6HIVpx+Dc0fdhheXr3yl8XGo57l7XTVd1xz2USxaPXfWHEz5mAtJVM4MJ7MjQ5eNkCgrJaOWZ1SLnSS/+dF3KGYs1BK7piIKFk/5AKQmX+0R3STxNlLlEOWG03224409VNliMKFhbfjszPJyaKDFKt4tnG12YgEZ0Zx2LbAfJZzFdkxb2qzcdb09vRHOEZgtFPszohVETaBtocl3mEPHRjwXzhE6fz/jzMHc+JZDViQONobvgJ7weVU7dnv8zmiobFuyOEb4uyAE1yugvBypPQ==
diff --git a/bookworm/scripts/setup_catgirl.sh b/bookworm/scripts/setup_catgirl.sh
index ee7db2c..a61d66a 100755
--- a/bookworm/scripts/setup_catgirl.sh
+++ b/bookworm/scripts/setup_catgirl.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 set -e
 cd $(dirname "$0")
+. lib/constants_catgirl # PATH_USER_SHARE_CATGIRL
 . lib/constants_repopaths # PATH_CONF
 . lib/constants_ssh # PATH_REL_SSH, PATH_USER_SSH
 . lib/constants_user # PATH_USER_HOME, USERNAME
@@ -12,17 +13,18 @@ cd $(dirname "$0")
 MIN_TAGS='all server catgirl caddy'
-expect_n_args 4 4 'HOSTNAME, FQDN, SASL_PASSWORD, CADDY_PASSWORD' $@
+expect_n_args 4 4 'HOSTNAME, FQDN, IRC_PASSWORD, WEB_PASSWORD' $@
 HOSTNAME="$1"
 FQDN="$2"
-SASL_PASSWORD="$3"
-CADDY_PASSWORD="$4"
+IRC_PASSWORD="$3"
+WEB_PASSWORD="$4"
 PATH_REL_ETC=etc
 PATH_CONF_ETC="${PATH_CONF}/${PATH_REL_ETC}"
 PATH_ETC="/${PATH_REL_ETC}"
 PATH_HOSTS="${PATH_ETC}/hosts"
 PATH_BORG_HOME=/home/borg
+PATH_CADDYFILE="${PATH_ETC}/caddy/Caddyfile"
 echo '\nPreparing caddy install.'
 apt -y install curl
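Review bot: The recipient is an `ssh-rsa` key whose blob appears to decode to public exponent 35 (the `AAAABIw` bytes right after the key type), which is what older OpenSSH releases generated; age accepts ssh-rsa recipients as a compatibility path, and a native age identity or an ssh-ed25519 key would be the more natural choice for a freshly set up purpose like this. Committing the public half is fine, but the repo should state somewhere near this file that the matching private key must never be present on the host, since otherwise the archived logs are no better protected than the plaintext, and that losing it makes every archived log unrecoverable.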
@@ -57,17 +59,18 @@ cp -a "${PATH_USER_SSH}" "${PATH_BORG_HOME}/"
 chown -R borg:nogroup "${PATH_BORG_HOME}/${PATH_REL_SSH}"
 echo '\nEnabling the firewall.'
-systemctl enable nftables.service
-systemctl start nftables.service
+systemctl enable --now nftables
-# echo '\nSetting up catgirl.'
-# sed -i "s/REPLACE_WITH_SASL_PASSWORD/${SASL_PASSWORD}/g" "${PATH_USER_HOME}/.config/catgirl/libera"
-# systemctl enable catgirl.service
-# systemctl start catgirl.service
+echo '\nSetting up catgirl.'
+sed -i "s/REPLACE_WITH_IRC_PASSWORD/${IRC_PASSWORD}/g" "${PATH_USER_HOME}/.config/catgirl/libera"
+mkdir -p "${PATH_USER_SHARE_CATGIRL}"
+chown -R "${PATH_USER_SHARE_CATGIRL}"
+systemctl enable --now catgirl
+systemctl enable --now encrypt_catgirl_logs
-# Reload caddy with new config.
-HASH=$(caddy hash-password --plaintext "${CADDY_PASSWORD}")
-sed -i "s/REPLACE_WITH_HASH/${HASH}/g" "${PATH_ETC}/caddy/Caddyfile"
-sed -i "s/REPLACE_WITH_FQDN/${FQDN}/g" "${PATH_ETC}/caddy/Caddyfile"
-mkdir -p /var/www/dump/{private,public}
+echo "Adapting caddy's config and reloading it …"
+HASH=$(caddy hash-password --plaintext "${WEB_PASSWORD}")
+sed -i "s/REPLACE_WITH_HASH/${HASH}/g" "${PATH_CADDYFILE}"
+sed -i "s/REPLACE_WITH_FQDN/${FQDN}/g" "${PATH_CADDYFILE}"
+mkdir -p /var/www/dump/private /var/www/dump/public
 systemctl reload caddy
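Review bot: `chown -R "${PATH_USER_SHARE_CATGIRL}"` names no owner, so chown exits with "missing operand" and `set -e` aborts the script before any unit is enabled; it should be `chown -R "${USERNAME}:" "${PATH_USER_SHARE_CATGIRL}"` (USERNAME is provided by lib/constants_user, sourced at the top of this script). `systemctl enable --now encrypt_catgirl_logs` resolves to the .service, which has no [Install] section and therefore enables nothing; the nightly schedule lives in the timer, so this should be `systemctl enable --now encrypt_catgirl_logs.timer`. Both sed calls use `/` as the delimiter while interpolating values that may contain it — `caddy hash-password` emits bcrypt, whose alphabet includes `/`, and the IRC password is arbitrary — so either use a delimiter such as `|` and reject `|`, `&` and `\` in the inputs up front, or patch the files with something that does not interpret the replacement text. Passing both passwords on argv also leaves them in shell history and in `ps` output for the duration of the run; reading them from stdin or a root-only file would be safer.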