From 9dadd5c30072166b51ff19d39eb0779f73bb8f80 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Tue, 15 Apr 2025 13:33:10 +0200
Subject: [PATCH] Add catgirl logss encryption.

---
 bookworm/aptmark/catgirl                      |  5 ++-
 bookworm/etc/caddy/caddy/Caddyfile            |  2 +-
 .../system/encrypt_catgirl_logs.service       |  8 +++++
 .../systemd/system/encrypt_catgirl_logs.timer |  9 ++++++
 bookworm/home/catgirl/.config/catgirl/libera  |  3 +-
 .../catgirl/.local/bin/encrypt_catgirl_logs   | 26 ++++++++++++++++
 .../home/catgirl/.plomlib/constants_catgirl   |  4 +++
 .../home/catgirl/.plomlib/encrypt_with.pub    |  1 +
 bookworm/scripts/setup_catgirl.sh             | 31 ++++++++++---------
 9 files changed, 72 insertions(+), 17 deletions(-)
 create mode 100644 bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service
 create mode 100644 bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer
 create mode 100755 bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs
 create mode 100644 bookworm/home/catgirl/.plomlib/constants_catgirl
 create mode 100644 bookworm/home/catgirl/.plomlib/encrypt_with.pub

diff --git a/bookworm/aptmark/catgirl b/bookworm/aptmark/catgirl
index ddab378..be0a8b4 100644
--- a/bookworm/aptmark/catgirl
+++ b/bookworm/aptmark/catgirl
@@ -1,4 +1,7 @@
 # IRC
-tmux
 catgirl
+# for detachable sessions
+tmux
+# for logs encryption
+age
 #
diff --git a/bookworm/etc/caddy/caddy/Caddyfile b/bookworm/etc/caddy/caddy/Caddyfile
index 788e8f7..1eddd83 100644
--- a/bookworm/etc/caddy/caddy/Caddyfile
+++ b/bookworm/etc/caddy/caddy/Caddyfile
@@ -1,6 +1,6 @@
 REPLACE_WITH_FQDN {
     root * /var/www/dump
-    basic_auth /private/* {
+    basicauth /private/* {
         user REPLACE_WITH_HASH
     }
     file_server browse
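Review bot: The directive spelling on the `+` line is version-bound: as far as I recall `basicauth` is the name Caddy up to 2.7 accepts, while 2.8 renamed it to `basic_auth` and kept the old spelling only as a deprecated alias, so this edit tracks whatever Caddy version bookworm's package ships and should say so. A comment above the block, `# 'basicauth' is the spelling of the Caddy packaged in bookworm; 2.8+ calls it basic_auth`, keeps the next upgrade from silently breaking authentication on /private/*. This line is also unrelated to the log-encryption subject of the commit; a separate commit would make the history easier to bisect.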
diff --git a/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service
new file mode 100644
index 0000000..3529295
--- /dev/null
+++ b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Run script for encrypting catgirl logs.
+
+[Service]
+Type=oneshot
+User=plom
+ExecStart=/bin/sh -c 'encrypt_catgirl_logs'
+
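Review bot: `ExecStart=/bin/sh -c 'encrypt_catgirl_logs'` relies on the script being found on the service's `PATH`, but a system unit does not get the user's `~/.local/bin` there (systemd's service environment uses a fixed system PATH), so the unit will most likely fail with command-not-found. Use the absolute path, e.g. `ExecStart=<PATH_USER_HOME>/.local/bin/encrypt_catgirl_logs` (placeholder for the home of the account in `User=`), at which point the `/bin/sh -c` wrapper is unnecessary because the script carries its own shebang. `User=plom` is also hard-coded while setup_catgirl.sh derives the account from `USERNAME` in lib/constants_user; if those can ever differ, the setup's `chown` and this unit will disagree about whose home holds the logs, which is worth confirming.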
diff --git a/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer
new file mode 100644
index 0000000..c650376
--- /dev/null
+++ b/bookworm/etc/catgirl/systemd/system/encrypt_catgirl_logs.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run service for encrypting catgirl logs once every day.
+
+[Timer]
+OnCalendar=*-*-* 01:00:00
+
+[Install]
+WantedBy=timers.target
+
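Review bot: The timer has no `Persistent=true`, so a 01:00 trigger missed while the host is down or suspended is skipped rather than caught up, and the plaintext logs of those days stay unencrypted until the next successful 01:00 run. Adding `Persistent=true` under `[Timer]` makes systemd run the service at the next boot when the last trigger was missed, which is the behaviour a "seal yesterday's logs" job wants.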
diff --git a/bookworm/home/catgirl/.config/catgirl/libera b/bookworm/home/catgirl/.config/catgirl/libera
index 5d04ff2..68c04eb 100644
--- a/bookworm/home/catgirl/.config/catgirl/libera
+++ b/bookworm/home/catgirl/.config/catgirl/libera
@@ -1,3 +1,4 @@
 host = irc.libera.chat
 join = #plomtest
-sasl-plain = plomlompom:REPLACE_WITH_SASL_PASSWORD
+sasl-plain = plomtest:REPLACE_WITH_SASL_PASSWORD
+log
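Review bot: The placeholder on the `+sasl-plain` line is still `REPLACE_WITH_SASL_PASSWORD`, but the `sed` in bookworm/scripts/setup_catgirl.sh further down in this patch now substitutes `REPLACE_WITH_IRC_PASSWORD`, so after setup the config keeps the literal placeholder and SASL authentication will fail. Either rename the token here to `sasl-plain = plomtest:REPLACE_WITH_IRC_PASSWORD` or leave the sed pattern as it was; the two files must agree on one token. The bare `log` directive is what produces the on-disk logs the new encrypt script consumes; a comment such as `# logs land under ~/.local/share/catgirl/log and are encrypted daily by encrypt_catgirl_logs` would tie the two together for the next reader.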
diff --git a/bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs b/bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs
new file mode 100755
index 0000000..469f4eb
--- /dev/null
+++ b/bookworm/home/catgirl/.local/bin/encrypt_catgirl_logs
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -e
+cd $(dirname "$0")
+. lib/expect_n_args
+. lib/constants_catgirl  # PATH_USER_SHARE_CATGIRL
+
+expect_n_args 0
+
+PATH_LOGS="${PATH_USER_SHARE_CATGIRL}/log"
+PATH_ENCRYPTED_LOGS="${HOME}/logs_encrypted"
+PATH_ENCRYPTION_KEY="${HOME}/.plomlib/encrypt_with.pub"
+TODAY="$(date +'%Y-%m-%d')"
+for _PATH_LOG in $(ls -1 "${PATH_LOGS}/*/*/*.log"); do
+    _FILENAME=$(basename "${PATH_LOG})"
+    _DATE_OF_LOG=$(echo "${FILENAME}" | cut -d'.' -f1)
+    _DIRNAME=$(dirname "${PATH_LOG}"
+    _WINDOW_OF_LOG=$(basename "${_DIRNAME}"
+    _DIRNAME=$(dirname "${_DIRNAME}"
+    _NETWORK_OF_LOG=$(basename "${_DIRNAME}"
+    if [ "${_DATE_OF_LOG}" < "${TODAY}" ]; then 
+        _PATH_TARGET="${PATH_ENCRYPTED_LOGS}/${_NETWORK_OF_LOG}/${_WINDOW_OF_LOG}"
+        mkdir -p "${_PATH_TARGET}" 
+        age -R "${PATH_ENCRYPTION_KEY}" "${_PATH_LOG}" > "${_PATH_TARGET}/${_FILENAME}.age"
+        rm "${_PATH_LOG}" 
+    fi
+done
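Review bot: The loop at `for _PATH_LOG in $(ls -1 "${PATH_LOGS}/*/*/*.log")` cannot work as written: the glob sits inside double quotes so `ls` receives the literal pattern, and even where it matched, the body would not parse — the closing `)` is missing on four `$(…)` substitutions and on the `basename` line it sits inside the quotes — while `${PATH_LOG}` and `${FILENAME}` name variables that are never set (the loop variable is `_PATH_LOG`). Under `/bin/sh`, `[ "${_DATE_OF_LOG}" < "${TODAY}" ]` is not a string comparison either but a redirection from a file named after today's date. Assuming log files are never dated in the future, `!=` expresses "not today's still-open log" without a string-order test. The rewrite below keeps the target layout and deletes the plaintext only after `age` succeeded, which `set -e` guarantees since a failed encryption aborts before the `rm`; note that `rm` alone does not wipe the plaintext blocks from disk, so if that matters the storage should be encrypted at rest anyway.
```sh
TODAY="$(date +'%Y-%m-%d')"
for _PATH_LOG in "${PATH_LOGS}"/*/*/*.log; do
    # an unmatched glob stays literal in sh; skip it instead of failing on it
    [ -e "${_PATH_LOG}" ] || continue
    _FILENAME=$(basename "${_PATH_LOG}")
    _DATE_OF_LOG="${_FILENAME%%.*}"
    _DIRNAME=$(dirname "${_PATH_LOG}")
    _WINDOW_OF_LOG=$(basename "${_DIRNAME}")
    _NETWORK_OF_LOG=$(basename "$(dirname "${_DIRNAME}")")
    # today's log is still being written to; only older days are sealed
    if [ "${_DATE_OF_LOG}" != "${TODAY}" ]; then
        _PATH_TARGET="${PATH_ENCRYPTED_LOGS}/${_NETWORK_OF_LOG}/${_WINDOW_OF_LOG}"
        mkdir -p "${_PATH_TARGET}"
        age -R "${PATH_ENCRYPTION_KEY}" -o "${_PATH_TARGET}/${_FILENAME}.age" "${_PATH_LOG}"
        rm "${_PATH_LOG}"
    fi
done
```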
diff --git a/bookworm/home/catgirl/.plomlib/constants_catgirl b/bookworm/home/catgirl/.plomlib/constants_catgirl
new file mode 100644
index 0000000..daa6b56
--- /dev/null
+++ b/bookworm/home/catgirl/.plomlib/constants_catgirl
@@ -0,0 +1,4 @@
+. lib/constants_user  # PATH_USER_HOME
+
+PATH_USER_SHARE_CATGIRL="${PATH_USER_HOME}/.local/share/catgirl"
+
diff --git a/bookworm/home/catgirl/.plomlib/encrypt_with.pub b/bookworm/home/catgirl/.plomlib/encrypt_with.pub
new file mode 100644
index 0000000..ddd5ba1
--- /dev/null
+++ b/bookworm/home/catgirl/.plomlib/encrypt_with.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoMa288S7iHnw8lEaSQTTK8pSJwBEWCCyPJF7zewbXrgGoHHXAYD88AJFrULBivTk6HIVpx+Dc0fdhheXr3yl8XGo57l7XTVd1xz2USxaPXfWHEz5mAtJVM4MJ7MjQ5eNkCgrJaOWZ1SLnSS/+dF3KGYs1BK7piIKFk/5AKQmX+0R3STxNlLlEOWG03224409VNliMKFhbfjszPJyaKDFKt4tnG12YgEZ0Zx2LbAfJZzFdkxb2qzcdb09vRHOEZgtFPszohVETaBtocl3mEPHRjwXzhE6fz/jzMHc+JZDViQONobvgJ7weVU7dnv8zmiobFuyOEb4uyAE1yugvBypPQ==
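Review bot: The recipient committed here is a 2048-bit `ssh-rsa` key whose encoding prefix (`…AAAABIwAAAQEA…`, public exponent 35) marks it as generated by an older OpenSSH, which suggests an existing login key is being reused for encryption. age documents SSH recipients as a compatibility path and recommends a native X25519 identity from `age-keygen`; that would also keep the log-decryption secret separate from any SSH authentication key, so compromise of one does not expose the other. Since this file cannot carry a comment, the provenance of the key (which key it is, where the private half is kept, and that an old key was checked against known weak-key lists) belongs in the setup script or README.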
diff --git a/bookworm/scripts/setup_catgirl.sh b/bookworm/scripts/setup_catgirl.sh
index ee7db2c..a61d66a 100755
--- a/bookworm/scripts/setup_catgirl.sh
+++ b/bookworm/scripts/setup_catgirl.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 set -e
 cd $(dirname "$0")
+. lib/constants_catgirl  # PATH_USER_SHARE_CATGIRL
 . lib/constants_repopaths # PATH_CONF
 . lib/constants_ssh  # PATH_REL_SSH, PATH_USER_SSH
 . lib/constants_user  # PATH_USER_HOME, USERNAME
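Review bot: The new `. lib/constants_catgirl` line is sourced before `. lib/constants_user` although it expands `${PATH_USER_HOME}`; it only works because constants_catgirl sources constants_user itself, which then runs twice. Placing it after the user constants, `. lib/constants_user  # PATH_USER_HOME, USERNAME` followed by `. lib/constants_catgirl  # PATH_USER_SHARE_CATGIRL`, makes the dependency visible instead of hiding it behind alphabetical order.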
@@ -12,17 +13,18 @@ cd $(dirname "$0")
 
 MIN_TAGS='all server catgirl caddy'
 
-expect_n_args 4 4 'HOSTNAME, FQDN, SASL_PASSWORD, CADDY_PASSWORD' $@
+expect_n_args 4 4 'HOSTNAME, FQDN, IRC_PASSWORD, WEB_PASSWORD' $@
 HOSTNAME="$1"
 FQDN="$2"
-SASL_PASSWORD="$3"
-CADDY_PASSWORD="$4"
+IRC_PASSWORD="$3"
+WEB_PASSWORD="$4"
 
 PATH_REL_ETC=etc
 PATH_CONF_ETC="${PATH_CONF}/${PATH_REL_ETC}"
 PATH_ETC="/${PATH_REL_ETC}"
 PATH_HOSTS="${PATH_ETC}/hosts"
 PATH_BORG_HOME=/home/borg
+PATH_CADDYFILE="${PATH_ETC}/caddy/Caddyfile"
 
 echo '\nPreparing caddy install.'
 apt -y install curl
@@ -57,17 +59,18 @@ cp -a "${PATH_USER_SSH}" "${PATH_BORG_HOME}/"
 chown -R borg:nogroup "${PATH_BORG_HOME}/${PATH_REL_SSH}"
 
 echo '\nEnabling the firewall.'
-systemctl enable nftables.service
-systemctl start nftables.service
+systemctl enable --now nftables
 
-# echo '\nSetting up catgirl.'
-# sed -i "s/REPLACE_WITH_SASL_PASSWORD/${SASL_PASSWORD}/g" "${PATH_USER_HOME}/.config/catgirl/libera"
-# systemctl enable catgirl.service
-# systemctl start catgirl.service
+echo '\nSetting up catgirl.'
+sed -i "s/REPLACE_WITH_IRC_PASSWORD/${IRC_PASSWORD}/g" "${PATH_USER_HOME}/.config/catgirl/libera"
+mkdir -p "${PATH_USER_SHARE_CATGIRL}"
+chown -R "${PATH_USER_SHARE_CATGIRL}"
+systemctl enable --now catgirl
+systemctl enable --now encrypt_catgirl_logs
 
-# Reload caddy with new config.
-HASH=$(caddy hash-password --plaintext "${CADDY_PASSWORD}")
-sed -i "s/REPLACE_WITH_HASH/${HASH}/g" "${PATH_ETC}/caddy/Caddyfile"
-sed -i "s/REPLACE_WITH_FQDN/${FQDN}/g" "${PATH_ETC}/caddy/Caddyfile"
-mkdir -p /var/www/dump/{private,public}
+echo "Adapting caddy's config and reloading it …"
+HASH=$(caddy hash-password --plaintext "${WEB_PASSWORD}")
+sed -i "s/REPLACE_WITH_HASH/${HASH}/g" "${PATH_CADDYFILE}"
+sed -i "s/REPLACE_WITH_FQDN/${FQDN}/g" "${PATH_CADDYFILE}"
+mkdir -p /var/www/dump/private /var/www/dump/public
 systemctl reload caddy
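Review bot: `chown -R "${PATH_USER_SHARE_CATGIRL}"` has no owner operand, so chown exits with a usage error and `set -e` aborts the setup at that point; it should read `chown -R "${USERNAME}:" "${PATH_USER_SHARE_CATGIRL}"` (USERNAME comes from lib/constants_user). Two lines later `systemctl enable --now encrypt_catgirl_logs` targets the .service, which has no `[Install]` section, so at best the script runs once and the daily schedule is never enabled; the timer is the unit carrying `WantedBy=timers.target`: `systemctl enable --now encrypt_catgirl_logs.timer`. The `sed` on `${HASH}` uses `/` as delimiter while caddy's bcrypt output draws from an alphabet that includes `/`, so the substitution will usually fail with an unknown-option error; `sed -i "s|REPLACE_WITH_HASH|${HASH}|g" "${PATH_CADDYFILE}"` avoids that since `|` is outside that alphabet. The same fragility applies to `${IRC_PASSWORD}`, which may contain `/`, `&` or `\` and is additionally visible to every local user in the `sed` argv; if the password cannot be constrained, substituting from a file or an environment variable rather than the command line is safer. The placeholder mismatch with the libera config is noted on that hunk.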
-- 
2.30.2