Dotfiles

Commit Graph

Author	SHA1	Message	Date
Amir Alexander Abdelbaki	9289f01965	feat(ansipa): unify FreeIPA group naming with dev_* / usr_* prefixes All ansipa host/user group names now follow a consistent prefix scheme: dev_mod_<name> — dotfiles module install (was ansipa-module-) dev_fp_<app-id> — Flatpak install (was fp_install_) dev_pkg_<package> — native package install (was ansipa-install-) dev_daemon-enable-<u> — service enable policy (was policy-daemon-enable-) dev_daemon-disable-<u> — service disable policy (was policy-daemon-disable-) dev_timeshift-backup — backup policy (was policy-timeshift-backup) dev_security-scan — scan policy (was policy-security-scan) dev_no-local-users — auth lockdown (was no_local_users) dev_local-sudo-<user> — per-device sudo grant (was local_sudo_) usr_block-binary-<name> — per-user binary block (was policy-block-binary-) usr_scan-notify — per-user alert notification (was policy-scan-notify) Also adds a JSON state manifest (manifest.json) to ansipa-install-modules and tightens the FreeIPA enrollment guard to check /etc/ipa/default.conf. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01LcnnA1whUwQkDv1omsgh9Y	2026-06-26 11:48:24 +02:00
Amir Alexander Abdelbaki	c56c86d57b	fix(freeipa): harden container SMB setup and fetch-alerts script ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the setup service always runs at boot, not only when smb.service pulls it in docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE and nmb.service being enabled ansipa-smb-setup.sh: - use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so passwords with spaces or shell-special chars are correctly quoted - always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard) since /etc/cron.d is on the ephemeral container layer and is lost on container recreation; the service runs on every start anyway Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log to avoid set -e ambiguity with the 'false' builtin Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-20 13:13:53 +02:00
Amir Alexander Abdelbaki	11e66dbddd	feat(freeipa): scan result reporting, alert notifications, and SMB share Container (ansipa image): - Add samba + cronie to Dockerfile; expose ports 445/139 - ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user + /data/scan-results/{archive,alerts}/ on every container start - ansipa-smb.service: runs setup before smb.service on each boot - ansipa-check-scans.sh: hourly cron on server; analyses archive logs for ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files - docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings - .env.example: document SMB_SCAN_PASSWORD Client (policy-security-scan): - Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/ via smbclient after each run Client (policy-scan-notify — new policy group): - ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into ~/administration/<hostname>/ for each active login session; deletes server alert when user removes local file (acknowledgment) - ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh; sends notify-send every 10 min while *.alert files remain in ~/administration/ - deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file (/etc/ansipa-smb.creds, 0600), and deploys both notification scripts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-20 12:32:21 +02:00

Author

SHA1

Message

Date

Amir Alexander Abdelbaki

9289f01965

feat(ansipa): unify FreeIPA group naming with dev_* / usr_* prefixes

All ansipa host/user group names now follow a consistent prefix scheme:

  dev_mod_<name>          — dotfiles module install (was ansipa-module-)
  dev_fp_<app-id>         — Flatpak install (was fp_install_)
  dev_pkg_<package>       — native package install (was ansipa-install-)
  dev_daemon-enable-<u>   — service enable policy (was policy-daemon-enable-)
  dev_daemon-disable-<u>  — service disable policy (was policy-daemon-disable-)
  dev_timeshift-backup    — backup policy (was policy-timeshift-backup)
  dev_security-scan       — scan policy (was policy-security-scan)
  dev_no-local-users      — auth lockdown (was no_local_users)
  dev_local-sudo-<user>   — per-device sudo grant (was local_sudo_)
  usr_block-binary-<name> — per-user binary block (was policy-block-binary-)
  usr_scan-notify         — per-user alert notification (was policy-scan-notify)

Also adds a JSON state manifest (manifest.json) to ansipa-install-modules
and tightens the FreeIPA enrollment guard to check /etc/ipa/default.conf.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01LcnnA1whUwQkDv1omsgh9Y

2026-06-26 11:48:24 +02:00

Amir Alexander Abdelbaki

c56c86d57b

fix(freeipa): harden container SMB setup and fetch-alerts script

ansipa-smb.service: WantedBy=multi-user.target (was smb.service) so the
  setup service always runs at boot, not only when smb.service pulls it in

docker-compose.yml: add NetBIOS UDP ports 137/138 to match Dockerfile EXPOSE
  and nmb.service being enabled

ansipa-smb-setup.sh:
  - use printf '%q' when writing SMB_SCAN_PASSWORD to ansipa-smb.env so
    passwords with spaces or shell-special chars are correctly quoted
  - always write /etc/cron.d/ansipa-check-scans (remove the [[ ! -f ]] guard)
    since /etc/cron.d is on the ephemeral container layer and is lost on
    container recreation; the service runs on every start anyway

Dockerfile: add -e SMB_SCAN_PASSWORD and -p 445:445 to the quick-test comment

ansipa-fetch-alerts.sh: replace $NEW && log with [[ "$NEW" == true ]] && log
  to avoid set -e ambiguity with the 'false' builtin

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-20 13:13:53 +02:00

Amir Alexander Abdelbaki

11e66dbddd

feat(freeipa): scan result reporting, alert notifications, and SMB share

Container (ansipa image):
- Add samba + cronie to Dockerfile; expose ports 445/139
- ansipa-smb-setup.sh: idempotent setup of smbd + scanupload user +
  /data/scan-results/{archive,alerts}/ on every container start
- ansipa-smb.service: runs setup before smb.service on each boot
- ansipa-check-scans.sh: hourly cron on server; analyses archive logs for
  ClamAV/rkhunter/chkrootkit findings and writes <host>/<date>.alert files
- docker-compose.yml: add SMB_SCAN_PASSWORD env var + port mappings
- .env.example: document SMB_SCAN_PASSWORD

Client (policy-security-scan):
- Scan script now uploads log to //ipa-server/ansipa-scans/archive/<host>/
  via smbclient after each run

Client (policy-scan-notify — new policy group):
- ansipa-fetch-alerts.sh: root timer (10 min) downloads alerts from SMB into
  ~/administration/<hostname>/ for each active login session; deletes server
  alert when user removes local file (acknowledgment)
- ansipa-scan-notify.sh: user daemon started via /etc/profile.d/ansipa-notify.sh;
  sends notify-send every 10 min while *.alert files remain in ~/administration/
- deploy-ansipa-policies.yml: installs samba-client, deploys SMB creds file
  (/etc/ansipa-smb.creds, 0600), and deploys both notification scripts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-20 12:32:21 +02:00

3 Commits (9289f01965f539ce1dd4ee8867a04196cb328f63)