new security tasks

2025-10-12 16:52:25 -07:00
parent d2c9c31105
commit 7049c2288c
11 changed files with 227 additions and 47 deletions


@ -47,6 +47,13 @@ preboot_packages:
- htop - htop
- bsdmainutils - bsdmainutils
python_packages:
- python3
- python3-pip
- python3-dev
- python3-setuptools
- python3-venv
fprint_device_url: 'https://fprint.freedesktop.org/supported-devices.html' fprint_device_url: 'https://fprint.freedesktop.org/supported-devices.html'
# list of device IDs of things I own # list of device IDs of things I own
@ -61,9 +68,15 @@ howdy_webcams:
default_users: default_users:
- pi - pi
ip_check_folder: "/opt/cosmos/ip_check"
deb_version: "trixie" deb_version: "trixie"
remove_default_vpn: true security_check_only: false
armcpu_check: false
init_complete: false
terse_packages: false terse_packages: false
@ -103,4 +116,8 @@ onboard_pi: false
rtl8821ce_present: false rtl8821ce_present: false
install_python: false
is_hyperv: false
... ...
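Review bot: The new flags `security_check_only`, `armcpu_check`, `init_complete`, `install_python` and `is_hyperv` are added with no comment saying which are operator inputs and which are runtime facts, and the two kinds sit next to each other. `armcpu_check` and `is_hyperv` are overwritten by `set_fact` in gather.yaml in this same commit, while `security_check_only` and `install_python` are only read; a comment above the derived ones such as `# set by gather.yaml at runtime; an inventory value is overwritten` would stop someone setting `armcpu_check` in inventory and expecting it to hold. As far as the diff shows nothing sets `init_complete` to true, so a comment on what is meant to set it is worth adding as well. The defaults mapping starts and ends outside the hunk.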


@ -0,0 +1,31 @@
import yaml
import argparse
from ipaddress import IPv4Network, IPv4Address
def load_subnet_list(file_path):
with open(file_path, 'r') as file:
data = yaml.safe_load(file)
return [str(net) for net in data['subnet_list']]
def check_ip_in_subnets(ip, subnet_list):
ip_address = IPv4Address(ip)
for subnet in subnet_list:
if ip_address in IPv4Network(subnet):
return True
return False
def main():
parser = argparse.ArgumentParser(description="Check if an IP address is within a list of subnets.")
parser.add_argument("ip", type=str, help="The IP address to check")
args = parser.parse_args()
subnet_list = load_subnet_list('subnets.yaml')
result = check_ip_in_subnets(args.ip, subnet_list)
if result:
print("True")
else:
print("False")
if __name__ == "__main__":
main()
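Review bot: `IPv4Address(ip)` in `check_ip_in_subnets` raises `ValueError` for anything that is not an IPv4 literal (a hostname or IPv6 address in `ansible_ssh_host`), and the exception escapes `main()` as a traceback with nothing on stdout, so the calling play fails on the shell task without saying why. That is fail-closed, which is right, but the reason should be readable: catch the error in `main()` and exit non-zero with a message on stderr. `load_subnet_list('subnets.yaml')` also resolves the policy file against the current working directory, so the outcome depends on the caller passing `chdir`; resolving it relative to `__file__` removes that dependency (the rewrite below needs `import os` and `import sys`). A missing `subnet_list` key or unparsable YAML deserves the same handling.
```python
def main():
    parser = argparse.ArgumentParser(description="Check if an IP address is within a list of subnets.")
    parser.add_argument("ip", type=str, help="The IP address to check")
    args = parser.parse_args()
    # policy file lives next to the script, not in the caller's cwd
    subnet_file = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'subnets.yaml')
    try:
        subnet_list = load_subnet_list(subnet_file)
        result = check_ip_in_subnets(args.ip, subnet_list)
    except (ValueError, KeyError, OSError, yaml.YAMLError) as exc:
        # fail closed with a readable reason instead of a traceback
        print(f"ip_check: cannot evaluate {args.ip!r}: {exc}", file=sys.stderr)
        sys.exit(2)
    print("True" if result else "False")
```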


@ -0,0 +1,2 @@
pyyaml
ipaddress
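Review bot: `ipaddress` on the second line is the PyPI backport for Python 2; on Python 3, which the venv comments in user_check.yaml indicate is used, the module is in the standard library and ip_check.py imports it from there, so this entry pulls an extra third-party package into the venv for nothing and should be removed. `pyyaml` is unpinned; since the venv ships as a pre-built archive and this file is the only record of its contents, pinning it to the version actually in the archive (e.g. `pyyaml==<version in ip_check_venv.tar.gz>`) keeps the two in step.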


@ -0,0 +1,7 @@
---
subnet_list:
- "172.20.0.0/16"
- "172.25.1.0/24"
...
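Review bot: Nothing in the file says what membership in `subnet_list` means; the consumers (ip_check.py printing `True` on a match, user_check.yaml ending the play on `True`) treat these as subnets that non-admin users may not target, which the bare name does not convey. A header comment such as `# Subnets restricted to Jenkins-Admin users; a target host in any of these ends the play for other users` lets the policy be reviewed on its own.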


@ -4,11 +4,24 @@
# Gather Facts for Playbook # Gather Facts for Playbook
############################################### ###############################################
- name: run if gather_only
when: gather_only | bool
block:
- name: Check CPU Arch
shell: "dpkg --print-architecture"
register: cpu_architecture_output
- name: Set cpu_architecture variable
set_fact:
cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
############################################### ###############################################
# Install Prereq Packages # Install Prereq Packages
############################################### ###############################################
- name: Install Prereq Packages - name: Install Prereq Packages
when: not gather_only | bool
apt: apt:
name: name:
- "{{ gather_facts_packages_item }}" - "{{ gather_facts_packages_item }}"
@ -24,17 +37,6 @@
state: directory state: directory
mode: '0755' mode: '0755'
###############################################
# Check System Architecture
###############################################
- name: Install Apps - Check CPU Arch
shell: "dpkg --print-architecture"
register: cpu_architecture_output
- name: Install Apps - Set cpu_architecture variable
set_fact:
cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
############################################### ###############################################
# Check for GPU # Check for GPU
############################################### ###############################################
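Review bot: The `run if gather_only` block re-runs `dpkg --print-architecture` and re-sets `cpu_architecture`, which this same commit also adds to gather.yaml where the two tasks run unconditionally; if gather.yaml runs first (the include order is not visible here) this block is redundant, and two copies of the detection can drift. Keeping the single copy in gather.yaml and dropping this block looks safest. In either place `shell: "dpkg --print-architecture"` uses no shell features and would be better as `command: dpkg --print-architecture`.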


@ -46,10 +46,20 @@
- "{{ cosmos_amd64_only_item }}" - "{{ cosmos_amd64_only_item }}"
state: present state: present
loop: "{{ cosmos_amd64_only }}" loop: "{{ cosmos_amd64_only }}"
when: '"amd64" in cpu_architecture' when: not armcpu_check | bool
loop_control: loop_control:
loop_var: cosmos_amd64_only_item loop_var: cosmos_amd64_only_item
- name: Install python Packages
apt:
name:
- "{{ cosmos_python_item }}"
state: present
loop: "{{ python_packages }}"
when: install_python | bool
loop_control:
loop_var: cosmos_python_item
- name: Create base-packages-installed - name: Create base-packages-installed
shell: touch /opt/cosmos/base-packages-installed shell: touch /opt/cosmos/base-packages-installed


@ -4,37 +4,45 @@
# Cosmos Initialization Tasks # Cosmos Initialization Tasks
############################################### ###############################################
- name: Preboot Re-Initialize - name: Subnet Security Check
include_tasks: preboot_fix.yaml when: '"Jenkins-Admin" not in jenkins_group'
when: not gather_only | bool include_tasks: user_check.yaml
- name: Set Hostname
include_tasks: set_hostname.yaml
when: rename_host | bool and not gather_only | bool
- name: Gather Facts
include_tasks: gather_facts.yaml
when: not init_light | bool
- name: Skip when requested - name: Run Everything Else
when: not ( gather_only | bool or init_light | bool ) when: not security_check_only | bool
block: block:
- name: Install Base Packages - name: Preboot Re-Initialize
include_tasks: install_base_packages.yaml include_tasks: preboot_fix.yaml
when: install_packages | bool when: not gather_only | bool
- name: Set Hostname
include_tasks: set_hostname.yaml
when: rename_host | bool and not gather_only | bool
- name: Gather Facts
include_tasks: gather_facts.yaml
when: not init_light | bool
- name: Configure SMB - name: Skip when requested
include_tasks: configure_smb.yaml when: not ( gather_only | bool or init_light | bool ) | bool
when: not smb_configured | bool block:
- name: Realtek Firmware - name: Install Base Packages
include_tasks: realtek.yaml include_tasks: install_base_packages.yaml
when: realtek_present | bool when: install_packages | bool
- name: Misc Tasks - name: Configure SMB
include_tasks: misc.yaml include_tasks: configure_smb.yaml
when: not gather_only | bool when: not smb_configured | bool
- name: Realtek Firmware
include_tasks: realtek.yaml
when: realtek_present | bool
- name: Misc Tasks
include_tasks: misc.yaml
when: not gather_only | bool
... ...
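Review bot: The gate `when: '"Jenkins-Admin" not in jenkins_group'` is what decides whether the subnet check runs at all, and if `jenkins_group` is a comma-separated string rather than a list (user_check.yaml prints it as one scalar), `in` is a substring test, so any group name that merely contains `Jenkins-Admin` would also skip the check. If it is a string, `when: '"Jenkins-Admin" not in jenkins_group.split(",")'` tests whole names; if it is already a list the current form is exact and a comment saying so would settle it. An undefined `jenkins_group` makes the condition error out, which fails closed and is acceptable. The trailing `| bool` in `when: not ( gather_only | bool or init_light | bool ) | bool` is redundant and can go.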


@ -158,9 +158,9 @@
- name: Remove Default Users - name: Remove Default Users
when: not save_pi_user | bool when: not save_pi_user | bool
ignore_errors: yes
shell: "deluser {{ default_users_item }}" shell: "deluser {{ default_users_item }}"
loop: "{{ default_users }}" loop: "{{ default_users }}"
ignore_errors: yes
loop_control: loop_control:
loop_var: default_users_item loop_var: default_users_item
@ -169,6 +169,9 @@
systemctl stop openvpn-client@cosmos-client.service systemctl stop openvpn-client@cosmos-client.service
systemctl disable openvpn-client@cosmos-client.service systemctl disable openvpn-client@cosmos-client.service
systemctl daemon-reload systemctl daemon-reload
when: "'Hyper-V' in ansible_facts.chassis_version or no_vpn is defined and no_vpn or remove_default_vpn" when: is_hyperv | bool or no_vpn | bool
- name: mark cosmos-init complete
shell: "touch /opt/cosmos/init-complete"
... ...
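Review bot: `when: is_hyperv | bool or no_vpn | bool` drops the `no_vpn is defined` guard the old condition carried; the defaults hunk in this commit adds `is_hyperv` but not `no_vpn`, so unless `no_vpn` has a default somewhere else, hosts that never set it will fail this task with an undefined-variable error. `when: is_hyperv | bool or no_vpn | default(false) | bool` keeps the old behaviour. The `mark cosmos-init complete` task could use `file:` with `path: /opt/cosmos/init-complete` and `state: touch` rather than `shell: touch`, matching the module-based tasks around it.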


@ -5,6 +5,34 @@
register: cosmos_info register: cosmos_info
ignore_errors: true ignore_errors: true
- name: Check CPU Arch
shell: "dpkg --print-architecture"
register: cpu_architecture_output
- name: Check if running in HyperV
when: "'Hyper-V' in ansible_facts.chassis_version "
set_fact:
is_hyperv: true
- name: Set cpu_architecture variable
set_fact:
cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
- name: Set bool armcpu_check
when: '"arm" in cpu_architecture'
set_fact:
armcpu_check: true
- name: Check for cosmos init-complete
shell: "ls /opt/cosmos/init-complete || true"
register: check_init_complete
- name: Skip most of cosmos_init
when: '"init-complete" in check_init_complete.stdout'
set_fact:
gather_only: true
init_light: true
- name: Set cosmos_exists - name: Set cosmos_exists
set_fact: set_fact:
cosmos_exists: "{{ not cosmos_info.failed | bool }}" cosmos_exists: "{{ not cosmos_info.failed | bool }}"
@ -22,7 +50,7 @@
############################################### ###############################################
# check debian version # check debian version
- name: Check for contrib non-free in current sources.list - name: Check debian version
shell: cat /etc/os-release | grep VERSION_CODENAME | cut -d '=' -f 2 shell: cat /etc/os-release | grep VERSION_CODENAME | cut -d '=' -f 2
register: debian_version_codename register: debian_version_codename
@ -44,10 +72,10 @@
# Copy new file if needed # Copy new file if needed
- name: Copy new sources.list if contrib non-free is not present or is ARM chip - name: Copy new sources.list if contrib non-free is not present or is ARM chip
when: contrib_non_free_present.failed or armcpu_check | bool
template: template:
src: sources.list.j2 src: sources.list.j2
dest: /etc/apt/sources.list dest: /etc/apt/sources.list
when: contrib_non_free_present.failed or '"arm" in cpu_architecture'
- name: Update APT - name: Update APT
apt: apt:
@ -64,10 +92,10 @@
############################################### ###############################################
- name: initialize preboot when not cosmos_exists - name: initialize preboot when not cosmos_exists
when: not cosmos_exists when: not cosmos_exists | bool or not init_complete | bool
block: block:
- name: Install Preboot Packages - name: Install Preboot Packages
when: not init_light | bool or '"arm" in cpu_architecture' when: not init_light | bool or armcpu_check | bool
apt: apt:
name: name:
- "{{ preboot_packages_item }}" - "{{ preboot_packages_item }}"
@ -91,7 +119,7 @@
block: block:
- name: update_issue.service - name: update_issue.service
when: not init_light | bool and '"amd" in cpu_architecture' | bool when: not init_light | bool and not armcpu_check | bool
copy: copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/update_issue.service src: /var/jenkins_home/ansible/roles/pxe_server/files/init/update_issue.service
dest: /etc/systemd/system/update_issue.service dest: /etc/systemd/system/update_issue.service
@ -116,7 +144,7 @@
mode: 0644 mode: 0644
- name: 00-update-issue.conf - name: 00-update-issue.conf
when: not init_light | bool and '"amd" in cpu_architecture' | bool when: not init_light | bool and not armcpu_check | bool
copy: copy:
src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-update-issue.conf src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-update-issue.conf
dest: /etc/cron.d/update-issue dest: /etc/cron.d/update-issue
@ -129,7 +157,7 @@
mode: 0644 mode: 0644
- name: enable update_issue.service - name: enable update_issue.service
when: not init_light | bool and '"amd" in cpu_architecture' | bool when: not init_light | bool and not armcpu_check | bool
shell: | shell: |
systemctl daemon-reload systemctl daemon-reload
systemctl enable update_issue.service systemctl enable update_issue.service
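Review bot: `when: not cosmos_exists | bool or not init_complete | bool` on `initialize preboot when not cosmos_exists` looks always true as far as this commit shows: `init_complete` defaults to false and the new `Skip most of cosmos_init` task sets `gather_only` and `init_light` but not `init_complete`, so the preboot block now runs even when cosmos exists. Either add `init_complete: true` to that `set_fact` or drop the second clause. The marker test `shell: "ls /opt/cosmos/init-complete || true"` with a substring match on stdout would be more robust as `stat: path: /opt/cosmos/init-complete` registered and checked via `.stat.exists`. `when: "'Hyper-V' in ansible_facts.chassis_version "` will error on hosts whose facts lack `chassis_version`; `ansible_facts.chassis_version | default('')` guards that.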

tasks/user_check.yaml Normal file

@ -0,0 +1,65 @@
---
- name: show user vars
debug:
msg:
- "User email:"
- "{{ jenkins_user}}"
- "Jenkins Group:"
- "{{ jenkins_group}}"
- "Host IP:"
- "{{ ansible_ssh_host }}"
# Create venv Folder
- name: create ip venv folder
file:
path: "{{ ip_check_folder }}"
state: directory
mode: '0700'
# Copy venv files
- name: copy ip venv files
copy:
src: subnet_check/
dest: "{{ ip_check_folder }}"
mode: 0600
- name: extract venv
unarchive:
src: /var/jenkins_home/ansible-files/programs/ip_check_venv.tar.gz
dest: "{{ ip_check_folder }}"
mode: 0600
## build venv
## commenting and using pre-made archived env to save time
#- name: build venv
# pip:
# virtualenv: "{{ ip_check_folder }}/venv"
# requirements: "{{ ip_check_folder }}/requirements.txt"
# virtualenv_command: python3 -m venv
# state: present
# check if IP is restricted
- name: check for restricted IP
shell: "{{ ip_check_folder }}/venv/bin/python {{ ip_check_folder }}/ip_check.py {{ ansible_ssh_host }}"
args:
chdir: "{{ ip_check_folder }}"
register: restricted_ip_check
- name: display output of this
debug:
msg:
- "{{ restricted_ip_check.cmd }}"
- "{{ restricted_ip_check.stdout_lines }}"
- name: end play if not admin
when: restricted_ip_check.stdout_lines[0] | bool
block:
- name: display warning
debug:
msg: "Warning: Your user account is not authorized to run playbooks on this subnet."
- meta: end_play
...
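Review bot: The denial path `- meta: end_play` ends the play with a successful status, so a non-admin run against a restricted subnet leaves no failed task for Jenkins to surface; `- fail: msg: "Your user account is not authorized to run playbooks on this subnet."` in place of the debug-plus-end_play block makes the denial visible in the job result and the log. The decision itself is computed on the managed node (`shell: "{{ ip_check_folder }}/venv/bin/python …"` after the script, policy file and venv are copied there); running that task with `delegate_to: localhost` against the controller's copy keeps the policy check off the host being gated and removes the copy and unarchive steps. `mode: 0600` on the `unarchive` task should be confirmed: if it is applied to the extracted files, `venv/bin/python` loses its execute bit and the check task fails before any decision is made. Quoting is also inconsistent between `mode: '0700'` and the two unquoted `mode: 0600`; settle on the quoted form.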


@ -1,5 +1,12 @@
# smb.conf # smb.conf
# matt-cloud default # matt-cloud default
# make sure to manually add configs in the smb.conf.d folder
# samba is dumb and can't do it automatically
# include = /etc/samba/smb.conf.d/new_item.conf
### smb.conf.d configs here
[global] [global]
workgroup = HOME workgroup = HOME