new security tasks

defaults/main.yaml

@@ -47,6 +47,13 @@ preboot_packages:
   - htop
   - bsdmainutils
 
+python_packages:
+  - python3
+  - python3-pip
+  - python3-dev
+  - python3-setuptools
+  - python3-venv  
+
 fprint_device_url: 'https://fprint.freedesktop.org/supported-devices.html'
 
 # list of device IDs of things I own
@@ -61,9 +68,15 @@ howdy_webcams:
 default_users:
   - pi
 
+ip_check_folder: "/opt/cosmos/ip_check"
+
 deb_version: "trixie"
 
-remove_default_vpn: true
+security_check_only: false
+
+armcpu_check: false
+
+init_complete: false
 
 terse_packages: false
 
@@ -103,4 +116,8 @@ onboard_pi: false
 
 rtl8821ce_present: false
 
+install_python: false
+
+is_hyperv: false
+
 ...

files/subnet_check/ip_check.py

@@ -0,0 +1,31 @@
+import yaml
+import argparse
+from ipaddress import IPv4Network, IPv4Address
+
+def load_subnet_list(file_path):
+    with open(file_path, 'r') as file:
+        data = yaml.safe_load(file)
+        return [str(net) for net in data['subnet_list']]
+
+def check_ip_in_subnets(ip, subnet_list):
+    ip_address = IPv4Address(ip)
+    for subnet in subnet_list:
+        if ip_address in IPv4Network(subnet):
+            return True
+    return False
+
+def main():
+    parser = argparse.ArgumentParser(description="Check if an IP address is within a list of subnets.")
+    parser.add_argument("ip", type=str, help="The IP address to check")
+    args = parser.parse_args()
+
+    subnet_list = load_subnet_list('subnets.yaml')
+    result = check_ip_in_subnets(args.ip, subnet_list)
+    
+    if result:
+        print("True")
+    else:
+        print("False")
+
+if __name__ == "__main__":
+    main()

files/subnet_check/requirements.txt

@@ -0,0 +1,2 @@
+pyyaml
+ipaddress

files/subnet_check/subnets.yaml

@@ -0,0 +1,7 @@
+---
+
+subnet_list: 
+  - "172.20.0.0/16"
+  - "172.25.1.0/24"
+
+...

tasks/gather_facts.yaml

@@ -4,11 +4,24 @@
 # Gather Facts for Playbook
 ###############################################
 
+- name: run if gather_only
+  when: gather_only | bool
+  block:
+  
+  - name: Check CPU Arch
+    shell: "dpkg --print-architecture"
+    register: cpu_architecture_output
+
+  - name: Set cpu_architecture variable
+    set_fact:
+      cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
+
 ###############################################
 # Install Prereq Packages
 ###############################################
 
 - name: Install Prereq Packages  
+  when: not gather_only | bool
   apt:
     name:
       - "{{ gather_facts_packages_item }}"
@@ -24,17 +37,6 @@
     state: directory
     mode: '0755'  
 
-###############################################
-# Check System Architecture
-###############################################
-- name: Install Apps - Check CPU Arch
-  shell: "dpkg --print-architecture"
-  register: cpu_architecture_output
-
-- name: Install Apps - Set cpu_architecture variable
-  set_fact:
-    cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
-
 ###############################################
 # Check for GPU
 ###############################################

tasks/install_base_packages.yaml

@@ -46,10 +46,20 @@
         - "{{ cosmos_amd64_only_item }}"
       state: present
     loop: "{{ cosmos_amd64_only }}"
-    when: '"amd64" in cpu_architecture'
+    when: not armcpu_check | bool
     loop_control:
       loop_var: cosmos_amd64_only_item
 
+  - name: Install python Packages  
+    apt:
+      name:
+        - "{{ cosmos_python_item }}"
+      state: present
+    loop: "{{ python_packages }}"
+    when: install_python | bool
+    loop_control:
+      loop_var: cosmos_python_item
+
   - name: Create base-packages-installed
     shell: touch /opt/cosmos/base-packages-installed
 

tasks/main.yaml

@@ -4,6 +4,14 @@
 # Cosmos Initialization Tasks
 ###############################################
 
+- name: Subnet Security Check
+  when: '"Jenkins-Admin" not in jenkins_group'
+  include_tasks: user_check.yaml
+
+- name: Run Everything Else
+  when: not security_check_only | bool
+  block:
+
   - name: Preboot Re-Initialize
     include_tasks: preboot_fix.yaml
     when: not gather_only | bool
@@ -17,7 +25,7 @@
     when: not init_light | bool
 
   - name: Skip when requested
-  when: not ( gather_only | bool or init_light | bool )
+    when: not ( gather_only | bool or init_light | bool ) | bool
     block:
 
     - name: Install Base Packages

tasks/misc.yaml

@@ -158,9 +158,9 @@
 
 - name: Remove Default Users
   when: not save_pi_user | bool
+  ignore_errors: yes
   shell: "deluser {{ default_users_item }}"
   loop: "{{ default_users }}"
-  ignore_errors: yes
   loop_control:
     loop_var: default_users_item
 
@@ -169,6 +169,9 @@
     systemctl stop openvpn-client@cosmos-client.service
     systemctl disable openvpn-client@cosmos-client.service
     systemctl daemon-reload
-  when: "'Hyper-V' in ansible_facts.chassis_version or no_vpn is defined and no_vpn or remove_default_vpn"
+  when: is_hyperv | bool or no_vpn | bool
+
+- name: mark cosmos-init complete
+  shell: "touch /opt/cosmos/init-complete"
 
 ...

tasks/preboot_fix.yaml

@@ -5,6 +5,34 @@
   register: cosmos_info
   ignore_errors: true
 
+- name: Check CPU Arch
+  shell: "dpkg --print-architecture"
+  register: cpu_architecture_output
+
+- name: Check if running in HyperV
+  when: "'Hyper-V' in ansible_facts.chassis_version "
+  set_fact: 
+    is_hyperv: true
+
+- name: Set cpu_architecture variable
+  set_fact:
+    cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
+
+- name: Set bool armcpu_check
+  when: '"arm" in cpu_architecture'
+  set_fact:
+    armcpu_check: true
+
+- name: Check for cosmos init-complete
+  shell: "ls /opt/cosmos/init-complete || true"
+  register: check_init_complete
+
+- name: Skip most of cosmos_init
+  when: '"init-complete" in check_init_complete.stdout'
+  set_fact:
+    gather_only: true
+    init_light: true
+
 - name: Set cosmos_exists
   set_fact:
     cosmos_exists: "{{ not cosmos_info.failed | bool }}"
@@ -22,7 +50,7 @@
 ###############################################
 
 # check debian version
-- name: Check for contrib non-free in current sources.list
+- name: Check debian version
   shell: cat /etc/os-release | grep VERSION_CODENAME | cut -d '=' -f 2
   register: debian_version_codename
 
@@ -44,10 +72,10 @@
 
 # Copy new file if needed
 - name: Copy new sources.list if contrib non-free is not present or is ARM chip
+  when: contrib_non_free_present.failed or armcpu_check | bool
   template:
     src: sources.list.j2
     dest: /etc/apt/sources.list
-  when: contrib_non_free_present.failed or '"arm" in cpu_architecture'
 
 - name: Update APT
   apt:
@@ -64,10 +92,10 @@
 ###############################################
 
 - name: initialize preboot when not cosmos_exists
-  when: not cosmos_exists
+  when: not cosmos_exists | bool or not init_complete | bool
   block:
     - name: Install Preboot Packages  
-      when: not init_light | bool or '"arm" in cpu_architecture'
+      when: not init_light | bool or armcpu_check | bool
       apt:
         name:
           - "{{ preboot_packages_item }}"
@@ -91,7 +119,7 @@
       block:
 
         - name: update_issue.service
-          when: not init_light | bool and '"amd" in cpu_architecture' | bool
+          when: not init_light | bool and not armcpu_check | bool
           copy:
             src: /var/jenkins_home/ansible/roles/pxe_server/files/init/update_issue.service
             dest: /etc/systemd/system/update_issue.service
@@ -116,7 +144,7 @@
             mode: 0644
 
         - name: 00-update-issue.conf
-          when: not init_light | bool and '"amd" in cpu_architecture' | bool
+          when: not init_light | bool and not armcpu_check | bool
           copy:
             src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-update-issue.conf
             dest: /etc/cron.d/update-issue
@@ -129,7 +157,7 @@
             mode: 0644
 
     - name: enable update_issue.service
-      when: not init_light | bool and '"amd" in cpu_architecture' | bool
+      when: not init_light | bool and not armcpu_check | bool
       shell: |
         systemctl daemon-reload
         systemctl enable update_issue.service

tasks/user_check.yaml

@@ -0,0 +1,65 @@
+---
+
+
+- name: show user vars
+  debug:
+    msg: 
+      - "User email:"
+      - "{{ jenkins_user}}"
+      - "Jenkins Group:"
+      - "{{ jenkins_group}}"
+      - "Host IP:"
+      - "{{ ansible_ssh_host }}"
+
+# Create venv Folder
+- name: create ip venv folder
+  file:
+    path: "{{ ip_check_folder }}"
+    state: directory
+    mode: '0700'
+
+# Copy venv files
+- name: copy ip venv files
+  copy:
+    src: subnet_check/
+    dest: "{{ ip_check_folder }}"
+    mode: 0600
+
+- name: extract venv
+  unarchive:
+    src: /var/jenkins_home/ansible-files/programs/ip_check_venv.tar.gz
+    dest: "{{ ip_check_folder }}"
+    mode: 0600
+
+## build venv
+## commenting and using pre-made archived env to save time
+#- name: build venv
+#  pip:
+#    virtualenv: "{{ ip_check_folder }}/venv"
+#    requirements: "{{ ip_check_folder }}/requirements.txt"
+#    virtualenv_command: python3 -m venv
+#    state: present
+
+# check if IP is restricted
+- name: check for restricted IP
+  shell: "{{ ip_check_folder }}/venv/bin/python {{ ip_check_folder }}/ip_check.py {{ ansible_ssh_host }}"
+  args:
+    chdir: "{{ ip_check_folder }}"
+  register: restricted_ip_check
+
+- name: display output of this 
+  debug:
+    msg: 
+      - "{{ restricted_ip_check.cmd }}"
+      - "{{ restricted_ip_check.stdout_lines }}"
+
+- name: end play if not admin
+  when: restricted_ip_check.stdout_lines[0] | bool
+  block:
+
+    - name: display warning
+      debug:
+        msg: "Warning: Your user account is not authorized to run playbooks on this subnet."
+    - meta: end_play
+
+...

templates/smb.conf.j2

@@ -1,5 +1,12 @@
 # smb.conf
 # matt-cloud default
+
+# make sure to manually add configs in the smb.conf.d folder
+# samba is dumb and can't do it automatically
+# include = /etc/samba/smb.conf.d/new_item.conf
+
+### smb.conf.d configs here
+
 [global]
 
     workgroup = HOME