
feat: add redis server role, improve impacket handling, and update dev workflow #200

Merged
l50 merged 17 commits into main from feat/ansible-updates, Apr 16, 2026

Conversation

l50 (Contributor) commented Apr 16, 2026

Key Changes:

  • Introduced a new Ansible role for Redis server deployment and Ares worker service
  • Improved impacket and NetExec reliability for all tool roles and Kali support
  • Enhanced documentation, pre-commit, linting, and testing workflows
  • Updated dependency versions and fixed KrbRelayUp installation

Added:

  • Redis server Ansible role for Ares worker message broker, with systemd template,
    configuration, and verification tasks
  • GOAD attack box playbook now provisions Redis and logs via Alloy
  • Post-deploy playbook for GOAD attack box to configure log shipping ACLs and Alloy labels
  • Custom Ansible pre-commit hooks for documentation, linting, architecture diagrams,
    and formatting (.hooks/ansible/*, .hooks/prettier.sh)
  • Ansible-specific lint and formatting configs (.hooks/ansible/ansible-lint.yaml,
    .hooks/linters/markdownlint.json, .hooks/linters/yamllint.yaml)
  • Molecule CI workflow for per-role and full collection testing

Changed:

  • All tool roles (recon, credential_access, acl, coercion, privesc, lateral_movement)
    now ensure impacket 0.13.0+ is injected system-wide on Kali, fixing NetExec
    SMB support and regsecrets availability
  • Enhanced verification steps in Molecule to confirm regsecrets importability
    for all relevant roles and NetExec runtime
  • base role now installs AWS CLI v2 and includes acl package for POSIX ACLs
  • privesc_tools role fetches KrbRelayUp as a prebuilt binary for stability
  • Alloy roles and templates support optional namespace and app labels for
    Kubernetes dashboard compatibility
  • All relevant docs regenerated with improved docsible template and variable tables
  • Pre-commit workflow now runs all Ansible lint, doc, and format hooks with better
    dependency management and Python/Go version pinning
  • Rust and Python CI workflows updated for more robust cache keys and consistency

Removed:

  • Manual pipx ensurepath and path manipulations (now handled via profile.d)
  • Redundant or broken tasks for pipx and NetExec installation on some platforms
  • Unused or broken code paths in tool verification tasks

…nhance log shipping

**Added:**

- New `redis` Ansible role to provision and configure Redis server for Ares worker
  message brokering, including systemd template for worker services and verification
- Pre-commit hooks for ansible-lint, docsible docs generation, arch diagram
  auto-update, yamllint, markdownlint, and shell script linting/formatting
- `.hooks/requirements.txt` with standardized Python tooling dependencies for
  testing and linting
- Pre-commit configuration for Ansible, Markdown, YAML, and shell linting, plus
  documentation and architecture diagram automation
- `goad_attack_box_configure.yml` playbook for post-deploy Alloy log agent
  configuration on golden images

**Changed:**

- All roles that depend on impacket now inject source-built impacket into the
  system Python on Kali if the apt version is <0.13.0, ensuring regsecrets
  module is available for NetExec
- NetExec pipx venv: pipx inject now uses `--editable --force` and verification
  asserts regsecrets is importable, with clear failure output
- Role and molecule verification for all agent roles now assert regsecrets module
  is present in relevant venvs (and system Python on Kali)
- `base` role now installs AWS CLI v2 by default and exposes a flag to skip
- `base` role's pip install for Ares Python dependencies now pins `rigging>=3.0`
  and omits the deprecated `dreadnode` meta-package
- Added `acl` package to base system dependencies to support POSIX ACLs for
  log shipping and agent file permissions
- Playbooks and Alloy role/templates now support `namespace` and `app` labels for
  better Grafana dashboard compatibility with EC2 agents
- `privesc_tools` role now downloads prebuilt KrbRelayUp.exe from SharpCollection
  for stability, rather than cloning the repo
- All docsible-generated role READMEs updated to document new and changed
  installation, verification, and configuration steps
- `goad_attack_box.yml` now provisions redis, AWS agents, and Alloy by default,
  and sets ACLs on shell history files for log shipping

**Removed:**

- Redundant pipx path ensure logic from `base` role (now handled via profile.d)
- Legacy ensurepath step after pipx reinstall in `recon_tools` (now unnecessary)
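The check the description above relies on (apt impacket older than 0.13.0 is replaced by a source build in the system Python on Kali, and regsecrets must be importable in the NetExec venv) can be reproduced by hand with the script below. It is an added example written for this page, not code from the dreadnode repository or its Ansible roles. Assumptions: the impacket version is read through `importlib.metadata`; the module NetExec needs is taken to be `impacket.examples.regsecrets`; the NetExec venv interpreter is assumed at pipx's default path `~/.local/share/pipx/venvs/netexec/bin/python`; and a source build is assumed to report a `0.13.0.devN` version, which the comparison deliberately accepts as meeting the 0.13.0 floor.

```shell
#!/bin/sh
# impacket_check.sh (added example, not part of the repository).
# Verifies that a Python interpreter carries impacket >= MIN with the
# regsecrets example module importable, which is the condition the roles
# assert before NetExec SMB dumping is trusted.

# version_ge A B: true (0) when version A >= version B.
# Only the dotted numeric prefix is compared, so "0.12.0-1kali1" (dpkg
# revision) and "0.13.0.dev0" (PEP 440 dev build) compare as 0.12.0 and
# 0.13.0. Accepting a 0.13.0 dev build as 0.13.0 is deliberate: that is
# what a git source build of impacket is assumed to report (see lead-in).
version_ge() {
  a=${1%%[!0-9.]*}
  b=${2%%[!0-9.]*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}                         # leading component of each
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac     # drop it from the remainder
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}                           # missing component counts as 0
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# impacket_version PY: print the impacket version seen by interpreter PY,
# or nothing when impacket is not installed there.
impacket_version() {
  "$1" -c 'import importlib.metadata as m; print(m.version("impacket"))' 2>/dev/null
}

# regsecrets_importable PY: true when the module NetExec needs imports in PY.
# The module path is an assumption (see lead-in).
regsecrets_importable() {
  "$1" -c 'import impacket.examples.regsecrets' >/dev/null 2>&1
}

# check_interpreter PY [MIN]: one-line verdict on stdout.
# Returns 0 when PY is good, 1 when impacket must be (re)injected, and 2 when
# PY does not exist (for example the NetExec pipx venv was never created).
check_interpreter() {
  py=$1; min=${2:-0.13.0}
  if ! command -v "$py" >/dev/null 2>&1; then
    echo "$py: interpreter not found"; return 2
  fi
  ver=$(impacket_version "$py")
  if [ -z "$ver" ]; then
    echo "$py: impacket not installed -> inject"; return 1
  fi
  if ! version_ge "$ver" "$min"; then
    echo "$py: impacket $ver < $min -> inject"; return 1
  fi
  if ! regsecrets_importable "$py"; then
    echo "$py: impacket $ver but impacket.examples.regsecrets missing -> inject"; return 1
  fi
  echo "$py: impacket $ver, regsecrets importable"; return 0
}

# Check both places the roles care about: the system interpreter on Kali and
# the NetExec pipx venv (default pipx venv location assumed).
main() {
  rc=0
  check_interpreter python3 0.13.0 || rc=1
  check_interpreter "$HOME/.local/share/pipx/venvs/netexec/bin/python" 0.13.0 || rc=1
  return $rc
}

main "$@"
```

Exit status 0 means both interpreters satisfy the check; anything else means at least one of them needs the source-built impacket injected. Because only the numeric prefix is compared, a pre-release such as `0.13.0rc1` is also accepted as 0.13.0; that matches the intent of accepting a source build, but it is a looser rule than a strict PEP 440 comparison.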
dreadnode-renovate-bot (bot) added labels area/pre-commit (Changes made to pre-commit hooks) and area/github (Changes made to GitHub Actions workflows) Apr 16, 2026

l50 added 14 commits April 16, 2026 09:00

**Changed:**

- Updated the Python version used in the pre-commit GitHub Actions workflow
  from 3.12 to 3.14 to test compatibility with the latest Python release

**Added:**

- Introduced `.hooks/prettier.sh` for formatting files using Prettier

**Changed:**

- Moved all Ansible-related hooks and templates into `.hooks/ansible/` for better
  organization
- Updated references in `.pre-commit-config.yaml` and hook scripts to reflect new
  paths for Ansible lint, docsible, and architecture diagram hooks
- Modified `.github/workflows/pre-commit.yaml` to:
  - Update concurrency group naming for clarity
  - Set Python version via environment variable and bump to 3.14.3
  - Add pip caching and requirements install for Python dependencies
  - Update Task version to 3.49.1 and enable remote taskfiles
  - Simplify pre-commit run command, removing redundant env var

**Removed:**

- Eliminated the outdated `linters` and `templates` directories under `.hooks` in
  favor of consolidated structure under `.hooks/ansible`

…pre-commit workflow

**Added:**

- Introduced PYTHON_VERSION_ANSIBLE_LINT environment variable for ansible-lint,
  allowing use of Python 3.14.3 specifically for the ansible-lint pre-commit hook
- Added a dedicated Python setup step for ansible-lint using the new variable

**Changed:**

- Updated default PYTHON_VERSION from 3.14.3 to 3.13.5 to align with other tools
- Adjusted Python setup steps to use both general and ansible-lint-specific
  Python versions for better tool compatibility

**Added:**

- Introduced a `detect-changes` job using `dorny/paths-filter` to check for
  Rust-related file changes and output results for conditional job execution
- Implemented conditional logic in `check`, `fmt`, and `clippy` jobs to run
  only when relevant Rust files are changed
- Enhanced the `test` job to skip steps and output a message when no Rust
  changes are detected

**Changed:**

- Updated workflow dependencies: jobs now depend on `detect-changes` and use
  its output to determine execution, reducing unnecessary runs on unrelated
  changes
- Refined job triggers by removing the previous `paths` filters from workflow
  events, delegating change detection to the new job and centralizing logic

**Removed:**

- Eliminated inline `paths` filters from pull_request and push event triggers to
  avoid redundant workflow executions and rely on job-level change detection

**Changed:**

- Modified the `paths` filter in the rust GitHub Actions workflow to exclude
  `.github/workflows/rust.yaml` to prevent the workflow from triggering itself
  on changes to its own configuration file

ci: install ansible collections without dependencies in pre-commit workflow

**Changed:**

- Updated ansible-galaxy install command in pre-commit workflow to use
  --no-deps flag, preventing installation of dependent collections and reducing
  setup time in CI
chore: add ansible-related files to gitignore

**Added:**

- Ignore `.ansible/` directory to prevent Ansible-related files from being
  tracked by git

**Changed:**

- Updated `.hooks/requirements.txt` to require `ansible-core==2.19.8` instead of
  `2.20.4` to address compatibility or stability concerns with the newer version

**Added:**

- Added ansible.posix collection version 2.1.0 to Ansible requirements for
  extended support of POSIX-related modules and features

fix: set apt cache_valid_time to reduce unnecessary cache updates

**Changed:**

- Set `cache_valid_time: 3600` for apt cache updates to minimize redundant
  cache refreshes in Debian-based systems across base and mythic roles
- Standardized `update_cache` parameter to `true` (from `yes`) for clarity
  in mythic packages task

…rity reporting

**Added:**

- Security warning comment to meta-labeler workflow explaining risks of
  `pull_request_target` and referencing relevant CVEs
- Upload of Semgrep SARIF results to GitHub Security tab for improved
  vulnerability visibility
- Additional Semgrep rules for Python and GitHub Actions security checks

**Changed:**

- Expanded workflow trigger paths in molecule and rust workflows to include
  relevant workflow and requirements files for more complete test coverage
- Updated cache keys in molecule, rust, and clippy jobs to use `github.ref` for
  more accurate cache scoping
- Improved environment variable usage and consistency across molecule,
  pre-commit, and related workflows by setting variables explicitly and
  referencing them uniformly in shell scripts and steps
- Simplified and modernized event detection and changed files logic in molecule
  workflow, including use of explicit environment variables and more robust
  input handling
- Adjusted permissions in molecule and meta-labeler workflows to only request
  necessary access for increased security
- Improved error handling and validation messaging in molecule workflow when
  roles are missing or lack molecule tests
- Refactored rust workflow to remove the `detect-changes` job, simplifying job
  dependencies and always running check, test, fmt, and clippy jobs, relying on
  path filters for execution control

**Removed:**

- Deprecated or redundant steps for permissions and change detection in
  meta-labeler and rust workflows to streamline configuration and reduce
  maintenance burden

**Changed:**

- Replaced manual descending sort closures with `sort_by_key` and `std::cmp::Reverse`
  in multiple locations to improve readability and consistency:
    - Query results in coverage queries
    - Investigation and operation selection logic in blue_operations and operations modules
- Simplified match logic for extracting searchable values in lateral movement analyzer by
  using a match guard instead of an inner if statement

github-advanced-security (bot) commented
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

l50 changed the title from "feat: add redis role for ares worker message broker and improve agent provisioning" to "feat: add redis server role, improve impacket handling, and update dev workflow" Apr 16, 2026

l50 added 2 commits April 16, 2026 14:06

**Changed:**

- Replaced manual sort_by closures with sort_by_key using std::cmp::Reverse for
  descending order sorting of vectors in detection/markdown.rs and ops/list.rs.
  This improves code readability and consistency in sorting logic.

…nd task queue

**Changed:**

- Refined logic for dispatching the dump action after coercion by consolidating
  the pattern match and ensuring the delay check occurs only when all
  conditions are met in the unconstrained exploitation flow
- Updated task queue result batching to remove unnecessary `into_iter` on
  `raw`, iterating directly to improve clarity and efficiency
l50 merged commit 4c77da0 into main Apr 16, 2026
21 checks passed
l50 deleted the feat/ansible-updates branch April 16, 2026 20:38