Merge branch 'ClarifiedSecurity:main' into main

.github/workflows/docker-image.yml

@@ -23,20 +23,20 @@ jobs:
 
     steps:
       - name: Pulling Catapult repository...
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Preparing image build...
         run: make customizations
 
       - name: Logging into to GitHub Container Registry...
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Installing QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Getting current version...
         run: |

.github/workflows/release.yml → .github/workflows/version.yml

@@ -1,4 +1,5 @@
-name: Adding new git tag and release
+---
+name: Adding a new version, tag & release
 
 on:
   push:
@@ -9,41 +10,42 @@ on:
   workflow_dispatch:
 
 jobs:
-  version_collection_and_tag:
+  version_tag_and_release:
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Configuring collection & tag versions
         run: |
-          target_file="version.yml"
+          # Setting variables
+          version_file="${{ vars.PROJECT_VERSION_FILE }}"
 
           # Configuring git
-          git config --global user.name "Catapult CI"
-          git config --global user.email "[email protected]"
+          git config --global user.name "${{ vars.PROJECT_CI_USERNAME }}"
+          git config --global user.email "${{ vars.PROJECT_CI_EMAIL }}"
 
-          # Updating the version in the galaxy.yml file
-          version_row_old=$(grep "version: " $target_file)
+          # Updating the version
+          version_row_old=$(grep "version: " $version_file)
           version=$(echo $version_row_old | cut -d: -f2)
           major=$(echo $version | cut -d. -f1)
           minor=$(echo $version | cut -d. -f2)
           patch=$(echo $version | cut -d. -f3)
           patch_new=$(( $patch+1 ))
           version_row_new="version: $major.$minor.$patch_new"
-          sed -i "s/$version_row_old/$version_row_new/" $target_file
+          sed -i "s/$version_row_old/$version_row_new/" $version_file
 
           TAG_NAME="v$major.$minor.$patch_new"
           echo "LATEST_TAG=$TAG_NAME" >> $GITHUB_ENV
 
           # Adding the changed file to git
-          git add $target_file
+          git add $version_file
 
           # Committing the change
-          git commit -m "Set Catapult version to $major.$minor.$patch_new"
+          git commit -m "Set ${{ vars.PROJECT_NAME }} version to $major.$minor.$patch_new"
           git push
 
           # Tagging and pushing the change

.gitignore

@@ -1,9 +1,14 @@
+.DS_Store
+.githooks
+.vscode
 .yarnrc.yml
 *.log
 *.retry
 *.swp
-*.swp
 **/__pycache__/**
+/.idea/deployment.xml
+/.idea/sshConfigs.xml
+/.idea/webServers.xml
 /.makerc-custom
 /.makerc-personal
 /.makerc-vars
@@ -12,32 +17,28 @@
 /container/home/builder/.ssh/config.d/
 /container/home/builder/.ssh/known_hosts
 /custom/**
-ansible/**
-container/home/builder/.*_history
 /docker/docker-compose-extra.yml
+/docker/docker-compose-network.yml
 /docker/docker-compose-personal.yml
+/roles
+/roles_core
+ansible/**
+archives/
+container/home/builder/.*_history
+creds.kdbx
+creds.key
+download/
 exported_templates/**
 node_modules
 poetry/**
 requirements/**
+sync-to-shared-roles.sh
+upload/
 # Since this list is parsed in order, the deny (!) needs to be after allow for the same folder
 /inventories/*
 !/inventories/_TEMPLATE_PROJECT
 !/inventories/_operating_systems
-sync-to-shared-roles.sh
-/roles
-/roles_core
-/.idea/webServers.xml
-/.idea/sshConfigs.xml
-/.idea/deployment.xml
-upload/
-download/
-archives/
-.vscode
-.DS_Store
-.githooks
-creds.kdbx
-creds.key
+
 
 # Yarn
 .yarn/*

Dockerfile

@@ -1,5 +1,5 @@
-# Matches the Python version in pyproject.toml
-FROM python:3.11.6-slim-bullseye
+# Must match the Python version in pyproject.toml
+FROM python:3.11.7-slim-bookworm
 
 # Timezone configuration from .makerc-vars
 ARG TZ
@@ -17,7 +17,7 @@ RUN apt update \
  # Adding nodejs & yarn repo
  && mkdir -p /etc/apt/keyrings \
  && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
- && NODE_MAJOR=18 \
+ && NODE_MAJOR=20 \
  && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_$NODE_MAJOR.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list \
  && apt update \
  # Required tools
@@ -45,7 +45,7 @@ ADD --chown=builder:builder poetry/poetry.lock /srv/poetry/poetry.lock
 RUN cd /srv \
  && curl -sSL https://install.python-poetry.org | python3 - \
  && $HOME/.local/bin/poetry config installer.max-workers 10 \
- && $HOME/.local/bin/poetry install --directory=/srv/poetry \
+ && $HOME/.local/bin/poetry install --directory=/srv/poetry --no-root \
  && cd $HOME \
 # Oh My Zsh
  && sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended \

Makefile

@@ -48,8 +48,8 @@ start-tasks: checks
 ## build: Run checks and then build container image
 .PHONY: build
 build: customizations checks
-	@${MAKEVAR_SUDO_COMMAND} docker buildx create --use
-	@${MAKEVAR_SUDO_COMMAND} docker buildx build ${BUILD_ARGS} -t ${IMAGE_FULL} . --load
+	@${MAKEVAR_SUDO_COMMAND} docker buildx create --use --driver-opt network=host
+	@${MAKEVAR_SUDO_COMMAND} docker buildx build ${BUILD_ARGS} --network host --tag ${IMAGE_FULL} . --load
 
 ## run: Run the container
 .PHONY: run

README.md

@@ -1,7 +1,5 @@
 # Catapult
 
-## What is Catapult?
-
 Catapult is a easy-to-use framework built around Ansible to develop, deploy and (re)configure different types of environments, such as Cyber Exercises, Trainings, Labs or even Production environments. It is designed to be used by people with some experience with Ansible, but it's a force multiplier for experienced Ansible users. Catapult does the heavy lifting in dependency installation and management, virtual machine creation or remote/cloud service configuration so the developer can focus on the actual content of the machine or service.
 
 This is the core version of Catapult that supports VM creation and configuration on vSphere, AWS, Linode and even VMware Workstation running on the developers own machine (VMware Workstation only tested on Linux). It is also possible to use Catapult to configure an already existing virtual or physical machines.

ansible-lint.yml

@@ -1,8 +1,7 @@
 ---
 # You can use this file to run ansible-lint inside the container against roles with:
-# ansible-lint --write -c /srv/ansible-lint.yml /path/to/role
+# ansible-lint --fix -c /srv/ansible-lint.yml /path/to/role
 skip_list: # https://ansible-lint.readthedocs.io/rules/
-  - yaml[line-length]
   - name[template]
   - meta-no-info
   - role-name[path]

ansible.cfg

@@ -1,6 +1,6 @@
 [defaults]
-collections_paths = ansible:~/ansible
-forks = 500
+collections_path = ansible:~/ansible
+forks = 50
 host_key_checking = false
 interpreter_python = auto_silent
 inventory = inventories/_operating_systems/os.ini,$PWD/inventory.yml,$PWD/inventory.ini
@@ -21,8 +21,6 @@ retries=30
 # ServerAliveInterval=10 required for ssh to be stable on windows
 ssh_args =-C -o ControlMaster=auto -o ControlPersist=3600s -o ControlPath=/tmp/%r@%h-%p -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=10 -o ForwardAgent=yes
 pipelining = True
-# scp_if_ssh will fix errors coming from SFTP
-scp_if_ssh = True
 
 [paramiko_connection]
 # For connections to RouterOS, Cisco IOS, VyOS etc.
@@ -36,3 +34,5 @@ display_progress = True
 [hashi_vault_collection]
 # Increased timeout to allow LDAP server failover
 timeout = 60
+retries = 5
+backoff_factor = 3

container/docker-entrypoint.sh

@@ -40,7 +40,7 @@ fi
 if [ "$(ls -A /tmp/ca-certificates)" ]; then
 
   sudo rsync -ar /tmp/ca-certificates/ /usr/local/share/ca-certificates/ --ignore-existing --delete
-  sudo update-ca-certificates > /dev/null
+  sudo update-ca-certificates > /dev/null 2>/dev/null # To avoid false positive error rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
 
 fi
 

container/home/builder/.zshrc

@@ -1,104 +1,19 @@
-# If you come from bash you might have to change your $PATH.
-# export PATH=$HOME/bin:/usr/local/bin:$PATH
-
 # Path to your oh-my-zsh installation.
 export ZSH="/home/builder/.oh-my-zsh"
 
-# Set name of the theme to load --- if set to "random", it will
-# load a random theme each time oh-my-zsh is loaded, in which case,
-# to know which specific one was loaded, run: echo $RANDOM_THEME
-# See https://github.com/ohmyzsh/ohmyzsh/wiki/Themes
+# Theme
 ZSH_THEME="spaceship"
 
-# Set list of themes to pick from when loading at random
-# Setting this variable when ZSH_THEME=random will cause zsh to load
-# a theme from this variable instead of looking in $ZSH/themes/
-# If set to an empty array, this variable will have no effect.
-# ZSH_THEME_RANDOM_CANDIDATES=( "robbyrussell" "agnoster" )
-
-# Uncomment the following line to use case-sensitive completion.
-# CASE_SENSITIVE="true"
-
-# Uncomment the following line to use hyphen-insensitive completion.
-# Case-sensitive completion must be off. _ and - will be interchangeable.
-# HYPHEN_INSENSITIVE="true"
-
-# Uncomment the following line to disable bi-weekly auto-update checks.
-# DISABLE_AUTO_UPDATE="true"
-
-# Uncomment the following line to automatically update without prompting.
-# DISABLE_UPDATE_PROMPT="true"
-
-# Uncomment the following line to change how often to auto-update (in days).
-# export UPDATE_ZSH_DAYS=13
-
-# Uncomment the following line if pasting URLs and other text is messed up.
-# DISABLE_MAGIC_FUNCTIONS="true"
-
-# Uncomment the following line to disable colors in ls.
-# DISABLE_LS_COLORS="true"
-
-# Uncomment the following line to disable auto-setting terminal title.
-# DISABLE_AUTO_TITLE="true"
-
-# Uncomment the following line to enable command auto-correction.
-# ENABLE_CORRECTION="true"
-
-# Uncomment the following line to display red dots whilst waiting for completion.
-# COMPLETION_WAITING_DOTS="true"
-
-# Uncomment the following line if you want to disable marking untracked files
-# under VCS as dirty. This makes repository status check for large repositories
-# much, much faster.
-# DISABLE_UNTRACKED_FILES_DIRTY="true"
-
-# Uncomment the following line if you want to change the command execution time
-# stamp shown in the history command output.
-# You can set one of the optional three formats:
-# "mm/dd/yyyy"|"dd.mm.yyyy"|"yyyy-mm-dd"
-# or set a custom format using the strftime function format specifications,
-# see 'man strftime' for details.
-# HIST_STAMPS="mm/dd/yyyy"
-
-# Would you like to use another custom folder than $ZSH/custom?
-# ZSH_CUSTOM=/path/to/new-custom-folder
-
-# Which plugins would you like to load?
-# Standard plugins can be found in $ZSH/plugins/
-# Custom plugins may be added to $ZSH_CUSTOM/plugins/
-# Example format: plugins=(rails git textmate ruby lighthouse)
-# Add wisely, as too many plugins slow down shell startup.
+# Plugins
 plugins=(git poetry)
 
+# Sourcing oh-my-zsh
 source $ZSH/oh-my-zsh.sh
 
-# User configuration
-
-# export MANPATH="/usr/local/man:$MANPATH"
-
-# You may need to manually set your language environment
-# export LANG=en_US.UTF-8
-
-# Preferred editor for local and remote sessions
-# if [[ -n $SSH_CONNECTION ]]; then
-#   export EDITOR='vim'
-# else
-#   export EDITOR='mvim'
-# fi
-
-# Compilation flags
-# export ARCHFLAGS="-arch x86_64"
-
-# Set personal aliases, overriding those provided by oh-my-zsh libs,
-# plugins, and themes. Aliases can be placed here, though oh-my-zsh
-# users are encouraged to define aliases within the ZSH_CUSTOM folder.
-# For a full list of active aliases, run `alias`.
-#
-# Example aliases
-# alias zshconfig="mate ~/.zshrc"
-# alias ohmyzsh="mate ~/.oh-my-zsh"
-
-# Loading fzf extension if it exists
+# Including better history
 if [ -f ~/.fzf.zsh ]; then
     . ~/.fzf.zsh
-fi
+fi
+
+# Disabling globbing
+unsetopt glob

defaults/docker-compose-bridge.yml

@@ -0,0 +1,11 @@
+---
+name: ${CONTAINER_PROJECT_NAME}
+services:
+  catapult:
+    environment:
+      CATAPULT_NETWORK: bridge
+
+networks:
+  default:
+    name: ${CONTAINER_NETWORK}
+    external: true # External becuase when compose creates the network the container does not have an IPv6 address

defaults/docker-compose-host.yml

@@ -0,0 +1,7 @@
+---
+name: ${CONTAINER_PROJECT_NAME}
+services:
+  catapult:
+    network_mode: host
+    environment:
+      CATAPULT_NETWORK: host

defaults/docker-compose-network.yml

@@ -0,0 +1,7 @@
+---
+# This is a place holder for until everyone has ran ./install.sh
+name: ${CONTAINER_PROJECT_NAME}
+services:
+  catapult:
+    environment:
+      CATAPULT_PLACEHOLDER: CATAPULT_PLACEHOLDER