Add Proxmox ISO builder, CSRF protection, boot-files integration

- Add build-proxmox-iso.sh: remaster Ubuntu ISO with autoinstall config, offline packages, playbook, webapp, and boot files for zero-touch Proxmox VM deployment - Add boot-files/ directory for WinPE boot files (wimboot, boot.wim, BCD, ipxe.efi, etc.) sourced from WestJeff playbook - Update build-usb.sh and test-vm.sh to bundle boot-files automatically - Add usb_root variable to playbook, fix all file copy paths to use it - Unify Apache VirtualHost config (merge default site + webapp proxy) - Add CSRF token protection to all webapp POST forms and API endpoints - Update README with Proxmox deployment instructions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 20:01:19 -05:00
parent cb442f971b
commit f3a384fa1a
14 changed files with 492 additions and 32 deletions
--- a/playbook/pxe_server_setup.yml
+++ b/playbook/pxe_server_setup.yml
@@ -31,7 +31,8 @@
    tftp_dir: "/srv/tftp"
    web_root: "/var/www/html"
    samba_share: "/srv/samba/winpeapps"
-    usb_mount: "/mnt/usb/playbook"     # where your USB is mounted
+    usb_mount: "/mnt/usb/playbook"     # playbook location on USB
+    usb_root: "/mnt/usb"               # CIDATA partition root
    image_types:
      - gea-standard
      - gea-engineer
@@ -274,7 +275,7 @@

    - name: "Copy WinPE & boot files from USB (skipped if not present)"
      copy:
-        src: "{{ usb_mount }}/{{ item.src }}"
+        src: "{{ usb_root }}/{{ item.src }}"
        dest: "{{ web_root }}/win11/{{ item.dest }}"
        mode: '0644'
      loop:
@@ -288,7 +289,7 @@

    - name: "Copy iPXE binaries from USB (skipped if not present)"
      copy:
-        src: "{{ usb_mount }}/{{ item }}"
+        src: "{{ usb_root }}/{{ item }}"
        dest: "{{ tftp_dir }}/{{ item }}"
        mode: '0755'
      loop:
@@ -297,8 +298,7 @@

    - name: "Copy boot tool files from USB (Clonezilla, Blancco, Memtest)"
      shell: >
-        cp -r "{{ usb_mount }}/../boot-tools/{{ item }}/"* "{{ web_root }}/{{ item }}/" 2>/dev/null ||
-        cp -r "{{ usb_mount }}/boot-tools/{{ item }}/"* "{{ web_root }}/{{ item }}/" 2>/dev/null || true
+        cp -r "{{ usb_root }}/boot-tools/{{ item }}/"* "{{ web_root }}/{{ item }}/" 2>/dev/null || true
      loop:
        - clonezilla
        - blancco
@@ -306,12 +306,12 @@

    - name: "Check for WinPE deployment content on USB"
      stat:
-        path: "{{ usb_mount }}/images"
+        path: "{{ usb_root }}/images"
      register: usb_images_dir

    - name: "Import WinPE deployment content from USB (if present)"
      shell: >
-        cp -rn "{{ usb_mount }}/images/{{ item }}/"* "{{ samba_share }}/{{ item }}/" 2>/dev/null || true
+        cp -rn "{{ usb_root }}/images/{{ item }}/"* "{{ samba_share }}/{{ item }}/" 2>/dev/null || true
      loop: "{{ image_types }}"
      when: usb_images_dir.stat.exists

@@ -359,8 +359,7 @@

    - name: "Copy webapp from USB"
      shell: >
-        cp -r "{{ usb_mount }}/../webapp/"* /opt/pxe-webapp/ 2>/dev/null ||
-        cp -r "{{ usb_mount }}/webapp/"* /opt/pxe-webapp/ 2>/dev/null || true
+        cp -r "{{ usb_root }}/webapp/"* /opt/pxe-webapp/ 2>/dev/null || true
      args:
        creates: /opt/pxe-webapp/app.py

@@ -370,7 +369,7 @@
      shell: |
        # Find the pip-wheels directory on the CIDATA mount
        export WHEEL_DIR=""
-        for d in "{{ usb_mount }}/../pip-wheels" "{{ usb_mount }}/pip-wheels"; do
+        for d in "{{ usb_root }}/pip-wheels" "{{ usb_mount }}/pip-wheels"; do
          if [ -d "$d" ] && compgen -G "$d/*.whl" > /dev/null; then
            export WHEEL_DIR="$(cd "$d" && pwd)"
            break
@@ -427,11 +426,17 @@
        enabled: yes
        daemon_reload: yes

-    - name: "Configure Apache reverse proxy for webapp"
+    - name: "Configure unified Apache site (static files + webapp proxy)"
      copy:
-        dest: /etc/apache2/sites-available/pxe-webapp.conf
+        dest: /etc/apache2/sites-available/pxe-server.conf
        content: |
          <VirtualHost *:80>
+              DocumentRoot {{ web_root }}
+              <Directory "{{ web_root }}">
+                  Options Indexes FollowSymLinks
+                  AllowOverride None
+                  Require all granted
+              </Directory>
              ProxyPreserveHost On
              ProxyPass /manage http://127.0.0.1:9009/
              ProxyPassReverse /manage http://127.0.0.1:9009/
@@ -442,10 +447,20 @@
      args:
        creates: /etc/apache2/mods-enabled/proxy.load

-    - name: "Enable webapp Apache site"
-      command: a2ensite pxe-webapp.conf
+    - name: "Disable default Apache site"
+      command: a2dissite 000-default.conf
      args:
-        creates: /etc/apache2/sites-enabled/pxe-webapp.conf
+        removes: /etc/apache2/sites-enabled/000-default.conf
+
+    - name: "Enable unified PXE server site"
+      command: a2ensite pxe-server.conf
+      args:
+        creates: /etc/apache2/sites-enabled/pxe-server.conf
+
+    - name: "Reload Apache after site changes"
+      systemd:
+        name: apache2
+        state: reloaded

    - name: "Configure static IP for PXE interface"
      copy: