3 files changed, 151 insertions, 0 deletions

diff --git a/roles/base/templates/newsyslog.conf.j2 b/roles/base/templates/newsyslog.conf.j2
new file mode 100644
index 00000000..a8f348d6
--- /dev/null
+++ b/roles/base/templates/newsyslog.conf.j2
@@ -0,0 +1,31 @@
+# $OpenBSD: newsyslog.conf - fsa generated
+#
+# NOTE: SIGHUP has to be sent to syslogd for services whose logs are being written by syslogd
+#
+# logfile_name		owner:group     mode count size when  flags
+/var/cron/log		root:wheel	600  3     10   *     Z
+/var/log/authlog	root:wheel	640  7     *    168   Z
+/var/log/daemon				640  5     300  *     Z
+/var/log/lpd-errs			640  7     10   *     Z
+/var/log/maillog			640  7     *    24    Z
+/var/log/messages			644  5     300  *     Z
+/var/log/secure				600  7     *    168   Z
+/var/log/wtmp				644  7     *    $M1D4 B ""
+/var/log/xferlog			640  7     250  *     Z
+/var/log/pflog				600  3     250  *     ZB "pkill -HUP -u root -U root -t - -x pflogd"
+/var/www/logs/access.log	644  4     *    $W0   Z "pkill -USR1 -u root -U root -x httpd"
+/var/www/logs/error.log		644  7     250  *     Z "pkill -USR1 -u root -U root -x httpd"
+{# for services whose logs are written by syslogd, we need to restart syslogd instead #}
+{% if inventory_hostname in (groups['xray']|default([])) + (groups['all_vpns']|default([])) %}
+/var/reactance/xray/logs/xray-access.log	640  4     512    *   Z "pkill -HUP -u root -U root -x xray"
+/var/reactance/xray/logs/xray-error.log	640  4     512    *   Z "pkill -HUP -u root -U root -x xray"
+{% endif %}
+{% if not disable_dns|default(true) %}
+/var/log/unbound.log		600  5     *    $W0   Z "pkill -HUP -u root -U root -x syslogd"
+{% endif %}
+{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}
+/var/log/ocserv.log			600  5     128000    *   Z "pkill -HUP -u root -U root -x syslogd"
+{% endif %}
+{% if inventory_hostname in (groups['trojan']|default([]))  + (groups['vless']|default([])) + (groups['vmess']|default([])) + (groups['all_vpns']|default([])) %}
+/var/log/relayd.log         600  5     512    *   Z "pkill -HUP -u root -U root -x syslogd"
+{% endif %}
diff --git a/roles/base/templates/syslog.conf.j2 b/roles/base/templates/syslog.conf.j2
new file mode 100644
index 00000000..261b6d88
--- /dev/null
+++ b/roles/base/templates/syslog.conf.j2
@@ -0,0 +1,21 @@
+#	$OpenBSD: syslog.conf,v 1.20 2016/12/27 13:38:14 jca Exp $
+
+*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none	/var/log/messages
+kern.debug;syslog,user.info				/var/log/messages
+auth.info						/var/log/authlog
+authpriv.debug						/var/log/secure
+cron.info						/var/cron/log
+{% if inventory_hostname in (groups['ocserv']|default([])) + (groups['all_vpns']|default([])) %}
+!!ocserv
+daemon.*                        /var/log/ocserv.log
+!*
+{% endif %}
+{% if inventory_hostname in (groups['hysteria']|default([])) + (groups['all_vpns']|default([])) %}
+!!hysteria
+daemon.*                        /var/log/hysteria.log
+!*
+{% endif %}
+daemon.info						/var/log/daemon
+ftp.info						/var/log/xferlog
+lpr.debug						/var/log/lpd-errs
+mail.info						/var/log/maillog
diff --git a/roles/base/templates/user_expiration_control.py.j2 b/roles/base/templates/user_expiration_control.py.j2
new file mode 100644
index 00000000..36551617
--- /dev/null
+++ b/roles/base/templates/user_expiration_control.py.j2
@@ -0,0 +1,99 @@
+#!/usr/local/bin/python3
+
+import json, os, subprocess, shutil
+from datetime import datetime
+
+EXPIRE_USER_JSON_PATH = "/var/reactance/.user_expiration.json"
+EXPIRE_WEB_JSON_PATH = "/var/reactance/.web_expiration.json"
+OCSERV_CONFIG_PATH = "/var/reactance/ocserv/etc/ocserv.passwd"
+HYSTERIA_CONFIG_FILE = "/var/reactance/hysteria/etc/config.json"
+XRAY_CONFIG_PATH = "/var/reactance/xray/etc/config.json"
+SSH_ROOT = "/var/reactance/sshvpn/.ssh"
+AUTHORIZED_KEYS = os.path.join(SSH_ROOT, "authorized_keys")
+
+def ocserv_get_users():
+    ocserv_config_dict = {}
+    if os.path.isfile(OCSERV_CONFIG_PATH):
+        with open(OCSERV_CONFIG_PATH, "r") as f:
+            ocserv_content = f.read()
+            ocserv_config_dict = dict(map(lambda x: x.split(':*:'), list(filter(lambda x: x != '', ocserv_content.split("\n")))))
+    return ocserv_config_dict
+
+def xray_get_users():
+    with open(XRAY_CONFIG_PATH, "r") as f:
+        xray_config_dict = json.loads(f.read())
+    return xray_config_dict
+
+def hysteria_get_users():
+    with open(HYSTERIA_CONFIG_FILE, "r") as f:
+        hysteria_config_dict = json.loads(f.read())
+    return hysteria_config_dict
+
+def sshvpn_get_users():
+    previous_users = [".".join(i.split('.')[:-1]) for i in os.listdir(SSH_ROOT) if i.endswith(".pub")]
+    return previous_users
+
+def ocserv_user_purge(users_to_remove):
+    for user in users_to_remove:
+        subprocess.run(f"ocpasswd -d {user} -c {OCSERV_CONFIG_PATH}", shell=True)
+ 
+def xray_user_purge(users_to_remove):
+    xray_config_dict = xray_get_users()
+    for i, inbound in enumerate(xray_config_dict['inbounds']):
+        previous_users_list = inbound['settings']['clients']
+        new_users_list = previous_users_list.copy()
+        for user in previous_users_list:
+            if user['email'] in users_to_remove:
+                new_users_list.remove(user)
+        xray_config_dict['inbounds'][i]['settings']['clients'] = new_users_list
+    with open(XRAY_CONFIG_PATH, "w") as f:
+        f.write(json.dumps(xray_config_dict, indent=1))
+
+def hysteria_user_purge(users_to_remove):
+    hysteria_config_dict = hysteria_get_users()
+    previous_users_dict = hysteria_config_dict["auth"]["userpass"]
+    new_users_dict = {}
+    for user in previous_users_dict.keys():
+        if user not in users_to_remove:
+            new_users_dict[user] = previous_users_dict[user]
+    hysteria_config_dict["auth"]["userpass"] = new_users_dict
+    with open(HYSTERIA_CONFIG_FILE, "w") as f:
+        f.write(json.dumps(hysteria_config_dict, indent=1))
+
+def sshvpn_user_purge(users_to_remove):
+    previous_users_list = sshvpn_get_users()
+    for user in previous_users_list:
+        if user in users_to_remove:
+            os.remove(f"{SSH_ROOT}/{user}.pub")
+            os.remove(f"{SSH_ROOT}/{user}")
+
+    # Overwrite existing authorized_key file
+    users_pubkey_files = [os.path.join(SSH_ROOT, i) for i in os.listdir(SSH_ROOT) if i.endswith(".pub")]
+    with open(AUTHORIZED_KEYS, "w") as f:
+        for pubkey_file in users_pubkey_files:
+            with open(pubkey_file, "r") as pkey:
+                f.write(pkey.read())
+
+def main():
+    current_unix_time = datetime.now().timestamp()
+
+    with open(EXPIRE_USER_JSON_PATH, "r") as f:
+        expire_user_dict = json.loads(f.read())
+    for exp in expire_user_dict.keys():
+        if float(exp) <= current_unix_time:
+            users = expire_user_dict[exp]
+
+            xray_user_purge(users)
+            sshvpn_user_purge(users)
+            ocserv_user_purge(users)
+            hysteria_user_purge(users)
+    with open(EXPIRE_USER_JSON_PATH, "w") as f:
+        f.write(json.dumps(expire_user_dict, indent=1))
+
+    with open(EXPIRE_WEB_JSON_PATH, "r") as f:
+        expire_web_dict = json.loads(f.read())
+    for exp in expire_web_dict.keys():
+        shutil.rmtree(f"/var/www/reactance/{exp}")
+
+if __name__ == "__main__":
+    main()