diff --git a/ansible/inventory b/ansible/inventory
new file mode 100644
index 0000000..cee07a5
--- /dev/null
+++ b/ansible/inventory
@@ -0,0 +1,2 @@
+[all]
+doorlock ansible_host=10.109.250.15 ansible_user=root
diff --git a/ansible/main.yml b/ansible/main.yml
new file mode 100644
index 0000000..0987fb9
--- /dev/null
+++ b/ansible/main.yml
@@ -0,0 +1,6 @@
+---
+- hosts: all
+ gather_facts: no
+ become_method: su
+ roles:
+ - doorlock
diff --git a/ansible/roles/acme_sh/tasks/main.yml b/ansible/roles/acme_sh/tasks/main.yml
new file mode 100644
index 0000000..e705685
--- /dev/null
+++ b/ansible/roles/acme_sh/tasks/main.yml
@@ -0,0 +1,42 @@
+---
+
+- name: Install acme.sh
+ pacman:
+ name: acme.sh
+ state: present
+
+- name: Install dependencies
+ pacman:
+ name: ['cronie','bind-tools']
+ state: present
+
+- name: Enable and start cronie
+ service:
+ name: cronie
+ enabled: yes
+ state: started
+
+- name: Run acem.sh --install
+ command: ./acme.sh --install
+ args:
+ chdir: /usr/share/acme.sh
+
+- name: Create acme directory
+ file:
+ path: /etc/acme/
+ state: directory
+
+- name: Copy nsupdate key
+ copy:
+ decrypt: yes
+ src: nsupdate.key
+ dest: /etc/acme/nsupdate.key
+
+- name: Issue ssl certificate
+ command: acme.sh --issue --home "/etc/acme/" --test -d lock.binary.kitchen --dns dns_nsupdate
+ register: command_result
+ failed_when: command_result.stderr != ''
+ changed_when: command_result.rc == 0
+ environment:
+ NSUPDATE_SERVER: ns1.binary-kitchen.de
+ NSUPDATE_KEY: /etc/acme/nsupdate.key
diff --git a/ansible/roles/base/tasks/main.yml b/ansible/roles/base/tasks/main.yml
new file mode 100644
index 0000000..fcb0c4b
--- /dev/null
+++ b/ansible/roles/base/tasks/main.yml
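Review bot: The `Copy nsupdate key` task writes the TSIG key to /etc/acme/nsupdate.key without `owner`/`mode`, so it lands with the default (typically 0644) permissions and is readable by every local account, including the auto-logged-in kiosk user configured elsewhere in this commit; add `mode: "0600"` and `owner: root` to that task. The vaulted file is committed under roles/doorlockd/files in this diff while this role looks it up as `src: nsupdate.key`, which appears to resolve against the acme_sh role's own files directory — verify the lookup succeeds or move the file. `--issue ... --test` requests a certificate from the staging CA, yet the nginx vhost in this commit serves /etc/acme/lock.binary.kitchen/fullchain.cer to real clients, so browsers will reject it once this goes live; drop `--test` or make it a variable. `failed_when: command_result.stderr != ''` also fails the play on any warning acme.sh prints to stderr; `failed_when: command_result.rc != 0` is the usual check. The task name `Run acem.sh --install` has a typo.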
@@ -0,0 +1,25 @@
+---
+- name: Pacman key init
+ raw: pacman-key --init
+
+- name: Pacman key populate
+ raw: |
+ if [[ "`uname -m`" == "armv7l" ]]; then
+ pacman-key --populate archlinuxarm
+ else
+ pacman-key --populate archlinux
+ fi
+
+- name: Update System
+ raw: pacman -Syu --noconfirm
+
+- name: Install Python
+ raw: pacman -S python --noconfirm --
+
+- name: Gather facts
+ setup:
+
+- name: Add authorized keys
+ authorized_key:
+ user: root
+ key: "{{ pub_keys|map(attribute='key')|join('\n') }}"
diff --git a/ansible/roles/base/vars/main.yml b/ansible/roles/base/vars/main.yml
new file mode 100644
index 0000000..8c66fb5
--- /dev/null
+++ b/ansible/roles/base/vars/main.yml
@@ -0,0 +1,7 @@
+pub_keys:
+ - name: tom
+ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0Wq37DP89UO6MiJvvRbsXEcEV9d5/JJb7K2R0WHsHa sct39667@m-mob-062
+ - name: ralf1
+ key: ssh-rsa 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 /home/ralf/.ssh/id_rsa
+ - name: ralf2
+ key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUAsEgyHNq7iQpAltGVVHGdf/PIQH7sYuq1PbaFEJzj ralf@lefay
diff --git a/ansible/roles/desktop/handlers/main.yml b/ansible/roles/desktop/handlers/main.yml
new file mode 100644
index 0000000..d179761
--- /dev/null
+++ b/ansible/roles/desktop/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart lightdm
+ service:
+ name: lightdm
+ state: restarted
diff --git a/ansible/roles/desktop/tasks/main.yml b/ansible/roles/desktop/tasks/main.yml
new file mode 100644
index 0000000..9eeec6b
--- /dev/null
+++ b/ansible/roles/desktop/tasks/main.yml
@@ -0,0 +1,16 @@
+
+---
+- name: Install X-Server
+ pacman:
+ name: [xorg, xorg-xinit]
+ state: present
+
+- name: Install displaymanager
+ pacman:
+ name: [lightdm, lightdm-gtk-greeter]
+ state: present
+
+- name: Enable lightdm
+ service:
+ name: lightdm
+ enabled: yes
diff --git a/ansible/roles/doorlock/files/Doorlock.desktop b/ansible/roles/doorlock/files/Doorlock.desktop
new file mode 100644
index 0000000..06dee50
--- /dev/null
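Review bot: `raw: pacman -S python --noconfirm --` in the `Install Python` task carries a stray trailing `--`, and none of the four `raw` tasks declare `changed_when`, so every run of the play reports changes and re-executes a full `pacman -Syu`. Consider `raw: pacman -S --noconfirm --needed python` and `changed_when: false` on the key-init and key-populate tasks, which are bootstrap steps rather than state. `authorized_key` for root does not set `exclusive: yes`, so a key removed from `pub_keys` in vars/main.yml stays on the host; decide whether that is intended and record it in a comment above `pub_keys`.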
+++ b/ansible/roles/doorlock/files/Doorlock.desktop
@@ -0,0 +1,4 @@
+[Desktop Entry]
+Name=Doorlock
+Type=Application
+Exec=/usr/share/xsessions/launch_doorlock_session.sh
diff --git a/ansible/roles/doorlock/files/launch_doorlock_session.sh b/ansible/roles/doorlock/files/launch_doorlock_session.sh
new file mode 100644
index 0000000..f7f91c7
--- /dev/null
+++ b/ansible/roles/doorlock/files/launch_doorlock_session.sh
@@ -0,0 +1,7 @@
+#! /bin/bash
+
+xset -dpms
+xset -s off
+xset -b off
+unclutter &
+chromium --kiosk --fullscreen --app=https://localhost/display
diff --git a/ansible/roles/doorlock/meta/main.yml b/ansible/roles/doorlock/meta/main.yml
new file mode 100644
index 0000000..9836dfb
--- /dev/null
+++ b/ansible/roles/doorlock/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+- role: doorlockd
+- role: desktop
diff --git a/ansible/roles/doorlock/tasks/main.yml b/ansible/roles/doorlock/tasks/main.yml
new file mode 100644
index 0000000..f6b517c
--- /dev/null
+++ b/ansible/roles/doorlock/tasks/main.yml
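Review bot: `chromium --kiosk --fullscreen --app=https://localhost/display` points the kiosk at a hostname the TLS certificate does not cover — the nginx vhost in this commit serves a certificate for lock.binary.kitchen (and, per the acme_sh role, a staging-CA one), so Chromium is likely to show a certificate interstitial in kiosk mode rather than the display page. Use the certificate's hostname, e.g. `--app=https://lock.binary.kitchen/display` together with a matching /etc/hosts entry managed by the role, rather than working around certificate checks. A one-line comment above the chromium line stating which vhost and certificate it relies on would make that coupling visible.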
@@ -0,0 +1,52 @@
+---
+- name: Install unclutter
+ pacman:
+ name: unclutter
+ state: present
+
+- name: Copy doorlock xsession files
+ copy:
+ src: "{{ item.name }}"
+ dest: /usr/share/xsessions/{{ item.name }}
+ mode: "{{ item.mode }}"
+ with_items:
+ - { name: Doorlock.desktop, mode: preserve}
+ - { name: launch_doorlock_session.sh, mode: a+x}
+
+- name: Configure autologin
+ ini_file:
+ path: /etc/lightdm/lightdm.conf
+ section: Seat:*
+ option: "{{ item.option }}"
+ value: "{{ item.value }}"
+ with_items:
+ - { option: "autologin-user", value: "doorlock"}
+ - { option: "user-session", value: "Doorlock"}
+ - { option: "autologin-session", value: "Doorlock"}
+ notify: Restart lightdm
+
+- name: Install accountsservice
+ pacman:
+ name: accountsservice
+ state: present
+
+- name: Create group autologin
+ group:
+ name: autologin
+ state: present
+
+- name: Add user doorlock to group autologin
+ user:
+ append: yes
+ user: doorlock
+ groups: autologin
+
+- name: Disable root password login
+ user:
+ user: root
+ password: '*'
+
+- name: Delete alarm user
+ user:
+ user: alarm
+ state: absent
diff --git a/ansible/roles/doorlockd/files/doorlock_nginx_vhost b/ansible/roles/doorlockd/files/doorlock_nginx_vhost
new file mode 100644
index 0000000..2058ccf
--- /dev/null
+++ b/ansible/roles/doorlockd/files/doorlock_nginx_vhost
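Review bot: The `Configure autologin` task auto-logs `doorlock` into the X session, while the doorlockd tasks hunk in this commit puts the same account in `wheel` and grants `%wheel ALL=(ALL) NOPASSWD: ALL`, so anyone who escapes the Chromium kiosk — or compromises the doorlockd/doorstate services, which the systemd hunks now run as `doorlock` — has passwordless root. Drop `wheel` from the user's groups once the AUR builds are done, or use a separate build account and keep the kiosk/service user unprivileged; the same point applies to the doorlockd tasks hunk. `Delete alarm user` leaves /home/alarm in place because `remove: yes` is not set. A comment above `Add user doorlock to group autologin` such as `# doorlock is the unattended kiosk session; it must stay unprivileged` would state the intended trust boundary.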
@@ -0,0 +1,31 @@
+upstream doorlock{
+ server 127.0.0.1:8080 fail_timeout=2s;
+ server 127.0.0.1:8080 fail_timeout=2s;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name _default;
+
+ ssl_certificate /etc/acme/lock.binary.kitchen/fullchain.cer;
+ ssl_certificate_key /etc/acme/lock.binary.kitchen/lock.binary.kitchen.key;
+
+ location / {
+ rewrite /nomoretokens /;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_no_cache 1;
+ proxy_cache_bypass 1;
+ expires 1s;
+ proxy_pass http://doorlock;
+ }
+}
+
+server {
+ listen 80;
+ server_name _default;
+
+ location ~ (.*) {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+}
diff --git a/ansible/roles/doorlockd/files/nsupdate.key b/ansible/roles/doorlockd/files/nsupdate.key
new file mode 100644
index 0000000..f316a49
--- /dev/null
+++ b/ansible/roles/doorlockd/files/nsupdate.key
@@ -0,0 +1,14 @@
+$ANSIBLE_VAULT;1.1;AES256
+37653265613562656435643937303338626632383463303630643635363135373962323636646237
+3632313530333133623363326661373238623635656430320a383564383034613432346132333866
+30366661663166636563376366303037363237353164636130646161323464616132336233303437
+3461303036346333390a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
diff --git a/ansible/roles/doorlockd/handlers/main.yml b/ansible/roles/doorlockd/handlers/main.yml
new file mode 100644
index 0000000..8ac5ddf
--- /dev/null
+++ b/ansible/roles/doorlockd/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+- name: Restart doorlock services
+ service:
+ name: "{{ item }}"
+ state: restarted
+ with_items:
+ - doorlockd
+ - doorstate
+
+- name: Restart doorstate
+ service:
+ name: doorstate
+ state: restarted
diff --git a/ansible/roles/doorlockd/meta/main.yml b/ansible/roles/doorlockd/meta/main.yml
new file mode 100644
index 0000000..f93421a
--- /dev/null
+++ b/ansible/roles/doorlockd/meta/main.yml
@@ -0,0 +1,5 @@
+---
+dependencies:
+- role: base
+- role: nginx
+- role: acme_sh
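Review bot: The `upstream doorlock` block lists `server 127.0.0.1:8080 fail_timeout=2s;` twice, which reads as a copy-paste rather than two backends; one entry is enough. `server_name _default;` is a literal hostname, not the catch-all — nginx's catch-all name is `_`, and making this server the default for the address takes `listen 443 ssl http2 default_server;`. The TLS block sets no `ssl_protocols` and sends no `Strict-Transport-Security` header, so it inherits whatever the nginx build defaults to; `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` fit here since the port-80 block already forces HTTPS. `rewrite /nomoretokens /;` deserves a comment saying why that path is rewritten.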
diff --git a/ansible/roles/doorlockd/tasks/main.yml b/ansible/roles/doorlockd/tasks/main.yml
new file mode 100644
index 0000000..1bf8c11
--- /dev/null
+++ b/ansible/roles/doorlockd/tasks/main.yml
@@ -0,0 +1,77 @@
+---
+- name: Install some essential packages
+ pacman:
+ name: ['git','base-devel','sudo','vim']
+ state: present
+
+- name: Create doorlock user
+ user:
+ name: doorlock
+ append: yes
+ groups: wheel, uucp
+ state: present
+
+- name: Enable NOPASSWD for wheel
+ lineinfile:
+ path: /etc/sudoers
+ create: yes
+ regexp: '^%wheel\s'
+ line: '%wheel ALL=(ALL) NOPASSWD: ALL'
+
+- name: Clone pikaur
+ become: yes
+ become_user: doorlock
+ git:
+ repo: https://aur.archlinux.org/pikaur.git
+ dest: /tmp/pikaur
+
+- name: Install pikaur
+ command: makepkg -fsri --noconfirm
+ become_user: doorlock
+ become_method: su
+ become: yes
+ args:
+ chdir: /tmp/pikaur
+
+- name: Clone Doorlock repo
+ become_user: doorlock
+ become: yes
+ git:
+ repo: https://github.com/Binary-Kitchen/doorlockd
+ version: next
+ dest: /tmp/doorlockd
+
+- name: Remove doorlockd
+ pacman:
+ name: doorlockd
+ state: absent
+
+- name: Install doorlockd
+ command: makepkg -si --noconfirm
+ become: yes
+ become_user: doorlock
+ become_method: su
+ args:
+ chdir: /tmp/doorlockd/arch
+ environment:
+ PACMAN: pikaur
+
+- name: Enable doorlockd and doorstate
+ service:
+ enabled: yes
+ name: "{{ item }}"
+ with_items:
+ - doorlockd
+ - doorstate
+
+- name: Copy doorlockd configuration
+ template:
+ src: doorlockd.cfg
+ dest: /etc/doorlockd.cfg
+ notify: Restart doorlock services
+
+- name: Install nginx virtual host
+ copy:
+ src: doorlock_nginx_vhost
+ dest: /etc/nginx/sites-enabled/doorlock
+ notify: nginx restart
diff --git a/ansible/roles/doorlockd/templates/doorlockd.cfg b/ansible/roles/doorlockd/templates/doorlockd.cfg
new file mode 100644
index 0000000..1734599
--- /dev/null
+++ b/ansible/roles/doorlockd/templates/doorlockd.cfg
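Review bot: `Enable NOPASSWD for wheel` edits /etc/sudoers with `lineinfile` and `create: yes` but no `validate`, so a typo in `line` leaves sudo unusable on the host; add `validate: '/usr/bin/visudo -cf %s'` to that task. `Copy doorlockd configuration` renders SECRET_KEY and the MQTT password (see the doorlockd.cfg template hunk) into /etc/doorlockd.cfg without `owner`/`mode`, so the file is world-readable by default; add `owner: doorlock`, `group: doorlock`, `mode: "0640"`, which matches the systemd hunks that now run the daemons as `doorlock`. The pikaur and doorlockd installs build from unpinned checkouts (`pikaur.git` HEAD and `version: next`) via `makepkg -si`, so what gets installed is whatever those branches hold at run time; pin a commit or tag. Both `makepkg` tasks are plain `command` tasks and re-run on every play; a `creates:` guard would make them idempotent.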
@@ -0,0 +1,38 @@
+[doorlockd]
+
+DEBUG = False
+SIMULATE_SERIAL = True
+SIMULATE_AUTH = True
+RUN_HOOKS = False
+SOUNDS = True
+
+# LDAP
+LDAP_URI = ldaps://ldap1.binary.kitchen
+LDAP_BINDDN = cn=%%s,ou=people,dc=binary-kitchen,dc=de
+
+# Authentication Backends
+
+# Local
+# LOCAL_USER_DB = /etc/doorlockd.passwd
+
+TITLE = Binary Kitchen Doorlock
+ROOM = Hauptraum
+WELCOME = Willkommen in der Binary Kitchen
+
+SERIAL_PORT = /dev/ttyAMA0
+
+SECRET_KEY = foobar
+
+SIMULATE_SERIAL_PORT = 5000
+
+[dooralarm]
+
+GPIO_CHIP = /dev/gpiochip0
+GPIO_PIN = 22
+
+TOPIC_ALARM = kitchen/alarm
+TOPIC_DOORSTATE = kitchen/doorlock/frontdoor/doorstate
+
+MQTT_HOST = pizza.binary.kitchen
+MQTT_USERNAME = doorlock
+MQTT_PASSWORD = {{ mqtt_pub_pw }}
diff --git a/ansible/roles/doorlockd/vars/main.yml b/ansible/roles/doorlockd/vars/main.yml
new file mode 100644
index 0000000..f0525f3
--- /dev/null
+++ b/ansible/roles/doorlockd/vars/main.yml
@@ -0,0 +1,7 @@
+mqtt_pub_pw: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31363464306233653662393565336563383662653138653861643961643337343833313265663866
+ 6137353665616633326630383463303961623534626563310a336362393664343039306534613737
+ 62326330623662333661323734353862346264313734316132633065376632656436333763326361
+ 6363323038653265370a383031363564333065326332383865646562313761636462343536323663
+ 6263
diff --git a/ansible/roles/nginx/files/nginx.conf b/ansible/roles/nginx/files/nginx.conf
new file mode 100644
index 0000000..ef08261
--- /dev/null
+++ b/ansible/roles/nginx/files/nginx.conf
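Review bot: `SIMULATE_SERIAL = True` and `SIMULATE_AUTH = True` are shipped in the deployed template, and if SIMULATE_AUTH short-circuits authentication as its name suggests, the door controller will accept any login once this role runs against the real device; these should be `False` here and driven from a variable, e.g. `SIMULATE_AUTH = {{ doorlockd_simulate_auth | default(False) }}`, so a staging inventory can opt in. `SECRET_KEY = foobar` is a hard-coded secret committed in the same file that already pulls `MQTT_PASSWORD` from a vault variable; move it to a vaulted `doorlockd_secret_key` the same way. A comment above the SIMULATE_* keys such as `# development-only switches; must be False on the production lock` would keep the next reader from copying them.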
@@ -0,0 +1,35 @@
+#user html;
+worker_processes 1;
+
+#error_log logs/error.log;
+#error_log logs/error.log notice;
+#error_log logs/error.log info;
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log logs/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include sites-enabled/*; # See Server blocks
+}
diff --git a/ansible/roles/nginx/handlers/main.yml b/ansible/roles/nginx/handlers/main.yml
new file mode 100644
index 0000000..15aa32e
--- /dev/null
+++ b/ansible/roles/nginx/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: nginx restart
+ service:
+ name: nginx
+ state: restarted
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..d05c89b
--- /dev/null
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: Install nginx
+ pacman:
+ name: nginx
+
+- name: Create sites-available and sites-enabled
+ file:
+ path: "/etc/nginx/{{ item }}"
+ state: directory
+ with_items:
+ - sites-enabled
+ - sites-available
+
+- name: Copy nginx configuration
+ copy:
+ src: nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: Enable nginx
+ service:
+ name: nginx
+ enabled: yes
+ state: restarted
\ No newline at end of file
diff --git a/ansible/staging_pi b/ansible/staging_pi
new file mode 100644
index 0000000..83ffc2f
--- /dev/null
+++ b/ansible/staging_pi
@@ -0,0 +1,2 @@
+[all]
+doorlock ansible_host=172.23.3.243 ansible_user=root
diff --git a/arch/PKGBUILD b/arch/PKGBUILD
index f6b40f7..d96c9f2 100644
--- a/arch/PKGBUILD
+++ b/arch/PKGBUILD
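Review bot: `Enable nginx` uses `state: restarted`, which restarts nginx on every run of the play whether or not anything changed; use `state: started` there and add `notify: nginx restart` to `Copy nginx configuration`, which currently replaces /etc/nginx/nginx.conf without triggering the handler this commit defines. `Install nginx` omits `state: present` — it defaults to present, but spelling it out matches the other roles. The tasks file also lacks a trailing newline (`\ No newline at end of file`). In nginx.conf itself, `server_tokens off;` in the `http` block would stop the version string being advertised on the public 443 listener.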
@@ -9,7 +9,7 @@ url="https://github.com/Binary-Kitchen/${pkgname}" license=(GPL) depends=('python3' 'python-pyserial' - 'python-ldap' + 'python-ldap' 'python-pip' 'alsa-utils' 'libgpiod' @@ -23,7 +23,7 @@ depends=('python3' 'fluxbox' 'nginx' 'slim') -source=("git+https://github.com/Binary-Kitchen/${pkgname}.git#branch=next") +source=("git+https://github.com/Binary-Kitchen/${pkgname}.git#branch=tom") sha256sums=('SKIP') build() { diff --git a/systemd/doorlockd.service b/systemd/doorlockd.service index 8af3b06..eda48a3 100644 --- a/systemd/doorlockd.service +++ b/systemd/doorlockd.service @@ -3,8 +3,8 @@ Description=Binary Kitchen doorlockd service After=network.target [Service] -User=root -Group=root +User=doorlock +Group=doorlock ExecStart=doorlockd [Install] diff --git a/systemd/doorstate.service b/systemd/doorstate.service index 9d5a5bf..862bd2d 100644 --- a/systemd/doorstate.service +++ b/systemd/doorstate.service @@ -3,8 +3,8 @@ Description=Binary Kitchen doorstate service After=network.target [Service] -User=root -Group=root +User=doorlock +Group=doorlock ExecStart=doorstate [Install]
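Review bot: Moving doorlockd.service from root to `User=doorlock`/`Group=doorlock` is the right direction, but nothing in this commit grants that account the devices the shipped doorlockd.cfg names: `uucp` (from the doorlockd role) should cover `/dev/ttyAMA0`, while `/dev/gpiochip0` used by `[dooralarm]` is typically root-owned on Arch unless a udev rule or group assignment exists, so the service may fail at start — verify on the Pi and add the rule to the role if needed; the same applies to the doorstate.service hunk. A comment in the `[Service]` section such as `# runs unprivileged; device access comes from group membership set up in ansible/roles/doorlockd` would record that dependency. The PKGBUILD hunk switches the build source to `#branch=tom` with the existing `sha256sums=('SKIP')`, i.e. an unverified personal branch — presumably temporary, and worth saying so in the commit message.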