updated preflight and deployment checks

ansible/group_vars/all.yml

@@ -3,6 +3,8 @@
 default_user: cmmcadmin
 default_shell: /bin/bash
 ssh_authorized_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+organization_name: Acme Defense Systems  # Used in banners and audit messages
+
 
 # 🌐 Network & Proxy Settings
 nextcloud_port: 8080

ansible/roles/preflight/tasks/log_results.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Write DNS resolution log
+  copy:
+    content: "{{ dns_log }}"
+    dest: "{{ evidence_dir }}/08_preflight_checks/dns_check.log"
+
+- name: Write email validation log
+  copy:
+    content: "{{ email_log }}"
+    dest: "{{ evidence_dir }}/08_preflight_checks/email_check.log"
+
+- name: Write SSH key validation log
+  copy:
+    content: "{{ ssh_log }}"
+    dest: "{{ evidence_dir }}/08_preflight_checks/ssh_key_check.log"
+
+- name: Write validation summary
+  template:
+    src: summary.md.j2
+    dest: "{{ evidence_dir }}/08_preflight_checks/summary.md"

ansible/roles/preflight/templates/summary.md.j2

@@ -0,0 +1,13 @@
+# 🧪 Preflight Validation Summary
+
+This summary documents all major checks executed before the OpenCMMC Stack deployment.
+
+## Results
+
+- DNS Check: {{ dns_result }}
+- Email Format: {{ email_result }}
+- SSH Key: {{ ssh_result }}
+
+---
+
+Generated: {{ ansible_date_time.date }} at {{ ansible_date_time.time }}

ansible/roles/secure_ubuntu/templates/banner.txt.j2

@@ -1,10 +1 @@
-*** WARNING ***
+{{ login_banner_text }}
-
-This computer system is the property of {{ organization_name | default('Your Organization') }}. It is for authorized use only.
-
-By accessing this system, you acknowledge and consent to the following:
-- All information is subject to monitoring by authorized personnel.
-- Unauthorized use may result in disciplinary action, civil penalties, or criminal prosecution.
-- You agree to comply with all security and data handling policies.
-
-This system is protected under CMMC Level 2 compliance controls.

ansible/roles/secure_ubuntu/vars/main.yml

@@ -0,0 +1,16 @@
+---
+login_banner_text: |
+  *** WARNING ***
+
+  This computer system is the property of {{ organization_name | default("Your Organization") }}.
+  It is for authorized use only.
+
+  By accessing this system, you acknowledge and consent to the following:
+
+  - All information transmitted, received, or stored on this system is subject to monitoring, interception, and review by authorized personnel.
+  - Unauthorized use, access, or modification of this system or its data is strictly prohibited and may result in disciplinary action, civil penalties, or criminal prosecution.
+  - Use of this system indicates your understanding and acceptance of company policies regarding information security, acceptable use, and data protection.
+
+  This system is protected under CMMC Level 2 guidelines to safeguard Controlled Unclassified Information (CUI), Federal Contract Information (FCI), proprietary company data, financial records, and Personally Identifiable Information (PII).
+
+  If you do not have explicit authorization, log off immediately.

deployment_config.yml

@@ -0,0 +1,75 @@
+---
+# 🛠️ One-Click Deployment Configuration for OpenCMMC Stack
+
+# 👤 Global Administrator Details
+global_admin_username: cmmcadmin
+global_admin_email: admin@example.com
+admin_ssh_public_key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
+
+# 🌐 Domain and Host Settings
+domain_name: example.cmmc.local
+hostname: open-cmmc-gateway
+timezone: America/New_York
+dns_resolver_ip: 1.1.1.1
+
+# 🖥️ Infrastructure Provider
+provider: digitalocean         # Options: digitalocean, aws, gcp, azure, proxmox, baremetal
+provisioner_api_token: changeme-provider-token
+region: nyc3
+vm_size: s-2vcpu-4gb
+
+# 🔐 Security Parameters
+banner_text: |
+  *** WARNING ***
+
+  This system is the property of {{ domain_name }}. It is for authorized use only.
+  
+  - All information is subject to monitoring and disclosure.
+  - Unauthorized use may result in prosecution or administrative action.
+  - Use implies acceptance of all company security and use policies.
+
+# 🔑 SSH Configuration
+ssh_port: 22
+disable_root_ssh: true
+enforce_key_authentication: true
+
+# 📬 Mailcow Configuration
+mailcow_hostname: mail
+mailcow_admin_user: admin
+mailcow_admin_password: change_me_securely
+mailcow_letsencrypt_email: it@example.com
+mailcow_use_letsencrypt: "n"
+
+# 🔐 Tailscale
+tailscale_auth_key: tskey-abc123
+
+# 📜 Keycloak Identity Settings
+keycloak_realm: OpenCMMC
+
+# 🛡️ Ports Used by Services
+nextcloud_port: 8080
+mailcow_port: 443
+keycloak_port: 8081
+stepca_port: 9000
+wazuh_port: 55000
+
+# 📦 Container Images
+nextcloud_aio_image: nextcloud/all-in-one:latest
+keycloak_image: quay.io/keycloak/keycloak:24.0.2
+mailcow_image: mailcow/mailcow-dockerized:latest
+
+# 📁 Directories
+nextcloud_data_dir: /srv/nextcloud
+mailcow_data_dir: /opt/mailcow
+backup_base_dir: /srv/backups
+logs_dir: /var/log/open-cmmc
+
+# 📂 Backup Configuration
+restic_password: changeme-securely
+restic_repo: /srv/backups/restic-repo
+
+# ⚙️ System Users
+svc_keycloak: svc_keycloak
+svc_mailcow: svc_mailcow
+svc_wazuh: svc_wazuh
+svc_stepca: svc_stepca

evidence/07_policies/login_banner_policy.md

@@ -0,0 +1,17 @@
+# System Login Banner Policy
+
+## Organization: {{ organization_name }}
+
+All OpenCMMC Stack systems must display the following login banner on all remote or interactive login attempts (TTY, SSH, GUI):
+
+---
+
+{{ login_banner_text }}
+
+---
+
+## Applicability
+This policy applies to all systems governed under the OpenCMMC Stack deployment in production or pre-production use.
+
+## CMMC Mapping
+- AC.3.017 – Display system use notification before granting access.

evidence/99_preflight/summary.md

@@ -0,0 +1,13 @@
+# 🧪 Preflight Validation Summary
+
+This file summarizes the results of pre-deployment environment validation checks performed by the `preflight` role.
+
+## Checks Included:
+- ✅ DNS resolver reachability
+- ✅ Domain and hostname resolution
+- ✅ Valid administrator email format
+- ✅ SSH key presence and format
+- ✅ Port conflict scan
+
+## Last Run:
+_Not yet executed_

evidence/evidence_index.md

@@ -0,0 +1,15 @@
+# 📁 Evidence Index
+
+This directory contains autogenerated audit artifacts from the OpenCMMC Stack deployment process. Each subfolder corresponds to a control area or implementation phase.
+
+## Index of Evidence
+
+- [00_scoping](00_scoping/)
+- [01_identity_access](01_identity_access/)
+- [02_system_hardening](02_system_hardening/)
+- [03_file_sharing](03_file_sharing/)
+- [04_email](04_email/)
+- [05_monitoring](05_monitoring/)
+- [06_backups](06_backups/)
+- [07_policies](07_policies/)
+- [99_preflight_checks](99_preflight_checks/)

tools/README.md

@@ -0,0 +1,20 @@
+# 🛠️ OpenCMMC Stack Tools
+
+This directory contains helper scripts to streamline and automate deployment configurations.
+
+## Files
+
+- `generate_group_vars.py`: Converts the master `deployment_config.yml` into the Ansible `group_vars/all.yml`.
+
+## Usage
+
+```bash
+python3 tools/generate_group_vars.py
+```
+
+Ensure `deployment_config.yml` is located in the project root.
+
+### Prerequisites
+
+- Python 3.x
+- PyYAML (`pip install pyyaml`)

tools/generate_group_vars.py

@@ -0,0 +1,50 @@
+import yaml
+
+# Load deployment_config.yml
+with open('deployment_config.yml', 'r') as f:
+    deployment_config = yaml.safe_load(f)
+
+# Flattened structure for group_vars/all.yml
+group_vars = {
+    'default_user': deployment_config['global_admin_username'],
+    'default_shell': '/bin/bash',
+    'ssh_authorized_key': deployment_config['admin_ssh_public_key'],
+    'global_admin_email': deployment_config['global_admin_email'],
+    'domain_name': deployment_config['domain_name'],
+    'hostname': deployment_config['hostname'],
+    'timezone': deployment_config['timezone'],
+    'dns_resolver_ip': deployment_config['dns_resolver_ip'],
+    'ssh_port': deployment_config['ssh_port'],
+    'disable_root_ssh': deployment_config['disable_root_ssh'],
+    'enforce_key_authentication': deployment_config['enforce_key_authentication'],
+    'nextcloud_port': deployment_config['nextcloud_port'],
+    'mailcow_port': deployment_config['mailcow_port'],
+    'keycloak_port': deployment_config['keycloak_port'],
+    'stepca_port': deployment_config['stepca_port'],
+    'wazuh_port': deployment_config['wazuh_port'],
+    'tailscale_auth_key': deployment_config['tailscale_auth_key'],
+    'mailcow_hostname': deployment_config['mailcow_hostname'],
+    'mailcow_admin_user': deployment_config['mailcow_admin_user'],
+    'mailcow_admin_password': deployment_config['mailcow_admin_password'],
+    'mailcow_letsencrypt_email': deployment_config['mailcow_letsencrypt_email'],
+    'mailcow_use_letsencrypt': deployment_config['mailcow_use_letsencrypt'],
+    'keycloak_realm': deployment_config['keycloak_realm'],
+    'nextcloud_aio_image': deployment_config['nextcloud_aio_image'],
+    'keycloak_image': deployment_config['keycloak_image'],
+    'mailcow_image': deployment_config['mailcow_image'],
+    'nextcloud_data_dir': deployment_config['nextcloud_data_dir'],
+    'mailcow_data_dir': deployment_config['mailcow_data_dir'],
+    'backup_base_dir': deployment_config['backup_base_dir'],
+    'logs_dir': deployment_config['logs_dir'],
+    'restic_password': deployment_config['restic_password'],
+    'restic_repo': deployment_config['restic_repo'],
+    'svc_keycloak': deployment_config['svc_keycloak'],
+    'svc_mailcow': deployment_config['svc_mailcow'],
+    'svc_wazuh': deployment_config['svc_wazuh'],
+    'svc_stepca': deployment_config['svc_stepca'],
+    'banner_text': deployment_config['banner_text']
+}
+
+# Save to group_vars/all.yml
+with open('group_vars/all.yml', 'w') as f:
+    yaml.dump(group_vars, f, sort_keys=False, default_flow_style=False)