11-25 update

tasks/gather_facts.yaml

@@ -16,12 +16,9 @@
     set_fact:
       cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
 
-###############################################
 # Install Prereq Packages
-###############################################
-
 - name: Install Prereq Packages  
-  when: not gather_only | bool
+  when: not init_light | bool
   apt:
     name:
       - "{{ gather_facts_packages_item }}"

tasks/main.yaml

@@ -4,45 +4,46 @@
 # Cosmos Initialization Tasks
 ###############################################
 
-- name: Subnet Security Check
-  when: '"Jenkins-Admin" not in jenkins_group'
-  include_tasks: user_check.yaml
+- name: show user vars
+  debug:
+    msg: 
+      - "User email............  {{ jenkins_user}}"
+      - "Jenkins Group.........  {{ jenkins_group}}"
+      - "SERVER_SUBNET_GROUP...  {{ SERVER_SUBNET_GROUP }}"
+      - "subnet_group_check....  {{ subnet_group_check }}"
+      - "Host IP...............  {{ ansible_ssh_host }}"
+      
+- name: Preboot Re-Initialize
+  include_tasks: preboot_fix.yaml
+  when: not gather_only | bool
+  
+- name: Set Hostname
+  include_tasks: set_hostname.yaml
+  when: rename_host | bool or not gather_only | bool
+   
+- name: Gather Facts
+  include_tasks: gather_facts.yaml
+  when: not init_light | bool or install_LDAP | bool
 
-- name: Run Everything Else
-  when: not security_check_only | bool
+- name: Skip when requested
+  when: not ( gather_only | bool or init_light | bool ) | bool
   block:
 
-  - name: Preboot Re-Initialize
-    include_tasks: preboot_fix.yaml
-    when: not gather_only | bool
-    
-  - name: Set Hostname
-    include_tasks: set_hostname.yaml
-    when: rename_host | bool and not gather_only | bool
-    
-  - name: Gather Facts
-    include_tasks: gather_facts.yaml
-    when: not init_light | bool
+  - name: Install Base Packages
+    include_tasks: install_base_packages.yaml
+    when: install_packages | bool
 
-  - name: Skip when requested
-    when: not ( gather_only | bool or init_light | bool ) | bool
-    block:
+  - name: Configure SMB
+    include_tasks: configure_smb.yaml
+    when: not smb_configured | bool
 
-    - name: Install Base Packages
-      include_tasks: install_base_packages.yaml
-      when: install_packages | bool
+  - name: Realtek Firmware
+    include_tasks: realtek.yaml
+    when: realtek_present | bool
 
-    - name: Configure SMB
-      include_tasks: configure_smb.yaml
-      when: not smb_configured | bool
-
-    - name: Realtek Firmware
-      include_tasks: realtek.yaml
-      when: realtek_present | bool
-
-  - name: Misc Tasks
-    include_tasks: misc.yaml
-    when: not gather_only | bool
+- name: Misc Tasks
+  include_tasks: misc.yaml
+  when: not gather_only | bool
 
 
 ...

tasks/misc.yaml

@@ -171,7 +171,52 @@
     systemctl daemon-reload
   when: is_hyperv | bool or no_vpn | bool
 
+# cosmostat script for all
+- name: create cosmostat
+  shell: "cp /root/stat.sh /usr/bin/cosmostat"
+
+- name: add cosmostat to skel .bash_aliases
+  copy:
+    dest: "/etc/skel/.bash_aliases"
+    mode: '0600'
+    content: |
+      cosmostat
+
+# log group for security issues
+- name: Ensure group 'log' exists
+  group:
+    name: log
+    state: present
+
+- name: Recursively change ownership of a directory
+  file:
+    path: /var/log
+    state: directory
+    group: log
+    mode: '0775'
+
 - name: mark cosmos-init complete
   shell: "touch /opt/cosmos/init-complete"
 
+# install cockpit if requested
+# ldap breaks it
+- name: install cockpit
+  when: intall_cockpit | bool and not install_LDAP | bool
+  block:
+
+  - name: Install cockpit
+    apt:
+      name:
+        - cockpit
+      state: present
+
+  - name: allow root login with cockpit
+    lineinfile:
+      path: "/etc/cockpit/disallowed-users"
+      regexp: '^root'
+      state: absent
+  
+
+
+
 ...

tasks/preboot_fix.yaml

@@ -143,13 +143,6 @@
             dest: /root/.config/htop/htoprc
             mode: 0644
 
-        - name: 00-update-issue.conf
-          when: not init_light | bool and not armcpu_check | bool
-          copy:
-            src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-update-issue.conf
-            dest: /etc/cron.d/update-issue
-            mode: 0644
-
         - name: 00-root-allow.conf
           copy:
             src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-root-allow.conf

tasks/user_check.yaml

@@ -1,65 +0,0 @@
----
-
-
-- name: show user vars
-  debug:
-    msg: 
-      - "User email:"
-      - "{{ jenkins_user}}"
-      - "Jenkins Group:"
-      - "{{ jenkins_group}}"
-      - "Host IP:"
-      - "{{ ansible_ssh_host }}"
-
-# Create venv Folder
-- name: create ip venv folder
-  file:
-    path: "{{ ip_check_folder }}"
-    state: directory
-    mode: '0700'
-
-# Copy venv files
-- name: copy ip venv files
-  copy:
-    src: subnet_check/
-    dest: "{{ ip_check_folder }}"
-    mode: 0600
-
-- name: extract venv
-  unarchive:
-    src: /var/jenkins_home/ansible-files/programs/ip_check_venv.tar.gz
-    dest: "{{ ip_check_folder }}"
-    mode: 0600
-
-## build venv
-## commenting and using pre-made archived env to save time
-#- name: build venv
-#  pip:
-#    virtualenv: "{{ ip_check_folder }}/venv"
-#    requirements: "{{ ip_check_folder }}/requirements.txt"
-#    virtualenv_command: python3 -m venv
-#    state: present
-
-# check if IP is restricted
-- name: check for restricted IP
-  shell: "{{ ip_check_folder }}/venv/bin/python {{ ip_check_folder }}/ip_check.py {{ ansible_ssh_host }}"
-  args:
-    chdir: "{{ ip_check_folder }}"
-  register: restricted_ip_check
-
-- name: display output of this 
-  debug:
-    msg: 
-      - "{{ restricted_ip_check.cmd }}"
-      - "{{ restricted_ip_check.stdout_lines }}"
-
-- name: end play if not admin
-  when: restricted_ip_check.stdout_lines[0] | bool
-  block:
-
-    - name: display warning
-      debug:
-        msg: "Warning: Your user account is not authorized to run playbooks on this subnet."
-    - meta: end_play
-
-...