Fix review findings: offline assets, security, audit logging

- Bundle Bootstrap CSS/JS/icons locally for air-gapped operation
- Add path traversal validation on image import source
- Disable Flask debug mode in production
- Fix file handle leaks, remove unused import
- Add python3-pip, python3-venv, p7zip-full to offline packages
- Add pip wheel download/bundling for offline Flask install
- Change UFW default policy from allow to deny
- Fix wrong path displayed in unattend editor template
- Dynamic sidebar image lists from all_image_types
- Add audit logging for all write operations
- Audit log viewer page with activity history

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-02-06 16:50:20 -05:00
parent ef7583920b
commit 92c9b0f762
13 changed files with 187 additions and 37 deletions
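The second bullet of the commit message, path traversal validation on the image import source, is the change most worth seeing concretely. The following is an added example, not code from this repository: the helper name, the import root, and the constructed fixture (a temporary directory with an ISO, a file outside the root and a symlink pointing at it) are all assumptions, chosen to show which requested paths are accepted and which are rejected once the check is done on the resolved path rather than on the raw string.

```python
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a requested path would escape the allowed import root."""


def resolve_import_source(import_root, requested: str) -> Path:
    """Resolve a user-supplied image source path strictly inside import_root.

    Hypothetical helper (not the project's own code). Rejects empty or
    NUL-containing input, absolute paths, and anything whose *resolved*
    location (after '..' and symlinks are followed) lies outside the root.
    Returns the canonical path on success.
    """
    root = Path(import_root).resolve()
    if not requested or "\0" in requested:
        raise UnsafePathError("empty or NUL-containing path")
    candidate = Path(requested)
    if candidate.is_absolute():
        raise UnsafePathError("absolute paths are not allowed")
    # resolve() follows symlinks and collapses '..', so the containment
    # test below is made on where the path really points.
    resolved = (root / candidate).resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise UnsafePathError(f"{requested!r} escapes the import root") from None
    if resolved == root:
        raise UnsafePathError("path must name an entry inside the import root")
    return resolved


def demo() -> dict:
    """Build a constructed fixture in a temp dir and exercise the check.

    Returns a mapping of requested path -> accepted file name, or None when
    the request was rejected.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "images"            # constructed import root
        root.mkdir()
        (root / "win11.iso").write_bytes(b"constructed iso placeholder")
        outside = Path(tmp) / "secret.txt"     # constructed file outside root
        outside.write_text("constructed")
        (root / "link").symlink_to(outside)    # symlink escaping the root

        requests = [
            "win11.iso",          # plain file inside the root: accepted
            "../secret.txt",      # parent traversal: rejected
            "/etc/passwd",        # absolute path: rejected
            "link",               # symlink resolving outside: rejected
            "sub/../win11.iso",   # '..' that still lands inside: accepted
            "",                   # empty: rejected
        ]
        results = {}
        for req in requests:
            try:
                results[req] = resolve_import_source(root, req).name
            except UnsafePathError:
                results[req] = None
        return results


if __name__ == "__main__":
    for req, outcome in demo().items():
        print(f"{req!r:22} -> {'REJECT' if outcome is None else outcome}")
```

The `sub/../win11.iso` case is included deliberately: a substring check for `..` would reject it, while the resolved-path check correctly accepts it because it never leaves the root. The symlink case is the one a substring check misses entirely.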


@@ -336,7 +336,7 @@
- name: "Enable UFW firewall"
ufw:
state: enabled
policy: allow
policy: deny
- name: "Schedule dnsmasq restart 15s after reboot"
cron:
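Review bot: the switch to `policy: deny` is only safe if the allow rules for SSH and for the services this PXE host serves (DHCP/TFTP for booting, the web app, the Samba shares referenced in the service unit) are applied before this task runs with `state: enabled`; none appear in this hunk, so confirm they precede it, otherwise the first run on a remote host can cut off the management session mid-play. The `ufw` module applies `policy` to the incoming direction when no `direction` is given, so outbound traffic is unaffected.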
@@ -346,11 +346,6 @@
job: "/bin/sleep 15 && /usr/bin/systemctl restart dnsmasq.service"
# --- Web Management App (Flask) ---
- name: "Install pip for Python package management"
command: apt-get install -y python3-pip python3-venv
args:
creates: /usr/bin/pip3
- name: "Create webapp directory"
file:
path: /opt/pxe-webapp
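Review bot: removing the `apt-get install -y python3-pip python3-venv` task means the venv creation task that follows (`creates: /opt/pxe-webapp/venv/bin/python`) now depends on python3-venv arriving through the offline package set named in the commit message; that task is not in this diff, so check it is ordered before the venv task and that the offline bundle includes python3-venv's own dependencies for the target release. The removed task's `creates: /usr/bin/pip3` guard also only checked for pip, so it would have skipped installing python3-venv on a host where pip was already present; the replacement should not carry that over.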
@@ -369,10 +364,13 @@
args:
creates: /opt/pxe-webapp/venv/bin/python
- name: "Install webapp Python dependencies"
pip:
requirements: /opt/pxe-webapp/requirements.txt
virtualenv: /opt/pxe-webapp/venv
- name: "Install webapp Python dependencies (offline wheels)"
shell: >
/opt/pxe-webapp/venv/bin/pip install --no-index
--find-links="{{ usb_mount }}/../pip-wheels/"
--find-links="{{ usb_mount }}/pip-wheels/"
-r /opt/pxe-webapp/requirements.txt 2>/dev/null ||
/opt/pxe-webapp/venv/bin/pip install -r /opt/pxe-webapp/requirements.txt
- name: "Create systemd service for PXE webapp"
copy:
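Review bot: the `2>/dev/null ||` fallback in the offline wheels task discards pip's error output and then retries an online install, so on an air-gapped host a missing or mistyped `pip-wheels` directory surfaces as a network timeout instead of the real cause, and on a connected host it quietly bypasses the offline bundle. Suggest dropping the fallback (or gating it behind an explicit variable), keeping stderr, and adding `changed_when` or `creates`, since a `shell` task reports changed on every run. For the bundled wheels, pinning versions with hashes in requirements.txt and installing with `--require-hashes` makes the offline install verify what was copied to the USB rather than trusting whatever is in the directory.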
@@ -390,6 +388,7 @@
Environment=CLONEZILLA_SHARE=/srv/samba/clonezilla
Environment=WEB_ROOT={{ web_root }}
Environment=BLANCCO_REPORTS=/srv/samba/blancco-reports
Environment=AUDIT_LOG=/var/log/pxe-webapp-audit.log
ExecStart=/opt/pxe-webapp/venv/bin/python app.py
Restart=always
RestartSec=5
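Review bot: `Environment=AUDIT_LOG=/var/log/pxe-webapp-audit.log` points at a file under /var/log, but the visible lines do not show which user the unit runs as or any task that creates the file with suitable ownership; if the service runs unprivileged it cannot create the file there, and the audit path should fail closed (refuse the write operation or abort startup) rather than log to nowhere. Add a logrotate entry and keep the mode restrictive (for example 0640, root-owned), since the audit trail is meant to be tamper-evident. Separately, `ExecStart=... python app.py` still runs Flask's built-in server; with debug disabled per the commit message that is tolerable on an isolated LAN, but a WSGI server is the usual choice for a service unit.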