11-25 update

defaults/main.yaml

@@ -20,8 +20,6 @@ cosmos_base_packages:
   - gnupg
   - pwgen
   - unzip
-  - iw
-  - lshw
   - firmware-iwlwifi
   - dnsutils
   - git
@@ -120,4 +118,8 @@ install_python: false
 
 is_hyperv: false
 
+intall_cockpit: false
+
+install_LDAP: false
+
 ...

files/subnet_check/ip_check.py

@@ -1,31 +0,0 @@
-import yaml
-import argparse
-from ipaddress import IPv4Network, IPv4Address
-
-def load_subnet_list(file_path):
-    with open(file_path, 'r') as file:
-        data = yaml.safe_load(file)
-        return [str(net) for net in data['subnet_list']]
-
-def check_ip_in_subnets(ip, subnet_list):
-    ip_address = IPv4Address(ip)
-    for subnet in subnet_list:
-        if ip_address in IPv4Network(subnet):
-            return True
-    return False
-
-def main():
-    parser = argparse.ArgumentParser(description="Check if an IP address is within a list of subnets.")
-    parser.add_argument("ip", type=str, help="The IP address to check")
-    args = parser.parse_args()
-
-    subnet_list = load_subnet_list('subnets.yaml')
-    result = check_ip_in_subnets(args.ip, subnet_list)
-    
-    if result:
-        print("True")
-    else:
-        print("False")
-
-if __name__ == "__main__":
-    main()

files/subnet_check/requirements.txt

@@ -1,2 +0,0 @@
-pyyaml
-ipaddress

files/subnet_check/subnets.yaml

@@ -1,7 +0,0 @@
----
-
-subnet_list: 
-  - "172.20.0.0/16"
-  - "172.25.1.0/24"
-
-...

tasks/gather_facts.yaml

@@ -16,12 +16,9 @@
     set_fact:
       cpu_architecture: "{{ cpu_architecture_output.stdout_lines[0] }}"
 
-###############################################
 # Install Prereq Packages
-###############################################
-
 - name: Install Prereq Packages  
-  when: not gather_only | bool
+  when: not init_light | bool
   apt:
     name:
       - "{{ gather_facts_packages_item }}"

tasks/main.yaml

@@ -4,13 +4,14 @@
 # Cosmos Initialization Tasks
 ###############################################
 
-- name: Subnet Security Check
+- name: show user vars
-  when: '"Jenkins-Admin" not in jenkins_group'
+  debug:
-  include_tasks: user_check.yaml
+    msg: 
-
+      - "User email............  {{ jenkins_user}}"
-- name: Run Everything Else
+      - "Jenkins Group.........  {{ jenkins_group}}"
-  when: not security_check_only | bool
+      - "SERVER_SUBNET_GROUP...  {{ SERVER_SUBNET_GROUP }}"
-  block:
+      - "subnet_group_check....  {{ subnet_group_check }}"
+      - "Host IP...............  {{ ansible_ssh_host }}"
       
 - name: Preboot Re-Initialize
   include_tasks: preboot_fix.yaml
@@ -18,11 +19,11 @@
   
 - name: Set Hostname
   include_tasks: set_hostname.yaml
-    when: rename_host | bool and not gather_only | bool
+  when: rename_host | bool or not gather_only | bool
    
 - name: Gather Facts
   include_tasks: gather_facts.yaml
-    when: not init_light | bool
+  when: not init_light | bool or install_LDAP | bool
 
 - name: Skip when requested
   when: not ( gather_only | bool or init_light | bool ) | bool

tasks/misc.yaml

@@ -171,7 +171,52 @@
     systemctl daemon-reload
   when: is_hyperv | bool or no_vpn | bool
 
+# cosmostat script for all
+- name: create cosmostat
+  shell: "cp /root/stat.sh /usr/bin/cosmostat"
+
+- name: add cosmostat to skel .bash_aliases
+  copy:
+    dest: "/etc/skel/.bash_aliases"
+    mode: '0600'
+    content: |
+      cosmostat
+
+# log group for security issues
+- name: Ensure group 'log' exists
+  group:
+    name: log
+    state: present
+
+- name: Recursively change ownership of a directory
+  file:
+    path: /var/log
+    state: directory
+    group: log
+    mode: '0775'
+
 - name: mark cosmos-init complete
   shell: "touch /opt/cosmos/init-complete"
 
+# install cockpit if requested
+# ldap breaks it
+- name: install cockpit
+  when: intall_cockpit | bool and not install_LDAP | bool
+  block:
+
+  - name: Install cockpit
+    apt:
+      name:
+        - cockpit
+      state: present
+
+  - name: allow root login with cockpit
+    lineinfile:
+      path: "/etc/cockpit/disallowed-users"
+      regexp: '^root'
+      state: absent
+  
+
+
+
 ...

tasks/preboot_fix.yaml

@@ -143,13 +143,6 @@
             dest: /root/.config/htop/htoprc
             mode: 0644
 
-        - name: 00-update-issue.conf
-          when: not init_light | bool and not armcpu_check | bool
-          copy:
-            src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-update-issue.conf
-            dest: /etc/cron.d/update-issue
-            mode: 0644
-
         - name: 00-root-allow.conf
           copy:
             src: /var/jenkins_home/ansible/roles/pxe_server/files/init/00-root-allow.conf

tasks/user_check.yaml

@@ -1,65 +0,0 @@
----
-
-
-- name: show user vars
-  debug:
-    msg: 
-      - "User email:"
-      - "{{ jenkins_user}}"
-      - "Jenkins Group:"
-      - "{{ jenkins_group}}"
-      - "Host IP:"
-      - "{{ ansible_ssh_host }}"
-
-# Create venv Folder
-- name: create ip venv folder
-  file:
-    path: "{{ ip_check_folder }}"
-    state: directory
-    mode: '0700'
-
-# Copy venv files
-- name: copy ip venv files
-  copy:
-    src: subnet_check/
-    dest: "{{ ip_check_folder }}"
-    mode: 0600
-
-- name: extract venv
-  unarchive:
-    src: /var/jenkins_home/ansible-files/programs/ip_check_venv.tar.gz
-    dest: "{{ ip_check_folder }}"
-    mode: 0600
-
-## build venv
-## commenting and using pre-made archived env to save time
-#- name: build venv
-#  pip:
-#    virtualenv: "{{ ip_check_folder }}/venv"
-#    requirements: "{{ ip_check_folder }}/requirements.txt"
-#    virtualenv_command: python3 -m venv
-#    state: present
-
-# check if IP is restricted
-- name: check for restricted IP
-  shell: "{{ ip_check_folder }}/venv/bin/python {{ ip_check_folder }}/ip_check.py {{ ansible_ssh_host }}"
-  args:
-    chdir: "{{ ip_check_folder }}"
-  register: restricted_ip_check
-
-- name: display output of this 
-  debug:
-    msg: 
-      - "{{ restricted_ip_check.cmd }}"
-      - "{{ restricted_ip_check.stdout_lines }}"
-
-- name: end play if not admin
-  when: restricted_ip_check.stdout_lines[0] | bool
-  block:
-
-    - name: display warning
-      debug:
-        msg: "Warning: Your user account is not authorized to run playbooks on this subnet."
-    - meta: end_play
-
-...