From 33586c7f961d0d600d9504d0f8bd122ef9ea431e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Xavi=20Lle=C3=B3=20Tom=C3=A1s?=
Date: Thu, 10 Oct 2024 13:21:32 +0200
Subject: [PATCH] Refs #8025 Rol debian-base. Task install, nrpe, fail2ban fix, refactor handlers

---
 inventories/group_vars/all.yml | 1 -
 roles/debian-base/defaults/main.yaml | 3 +++
 roles/debian-base/tasks/fail2ban.yml | 7 ++-----
 roles/debian-base/tasks/install.yml | 3 +--
 roles/debian-base/tasks/main.yml | 2 ++
 roles/debian-base/tasks/nrpe.yml | 6 +-----
 roles/debian-once/handlers/main.yml | 4 ++++
 roles/debian-once/tasks/ssh.yml | 20 +++++++++++++++++---
 8 files changed, 30 insertions(+), 16 deletions(-)
 create mode 100644 roles/debian-once/handlers/main.yml

diff --git a/inventories/group_vars/all.yml b/inventories/group_vars/all.yml
index fdadcd2..28f9649 100644
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@@ -26,7 +26,6 @@ base_packages:
 - bash-completion
 - screen
 - aptitude
- - vim
 - tree
 - btop
 - ncdu
diff --git a/roles/debian-base/defaults/main.yaml b/roles/debian-base/defaults/main.yaml
index 5b2dc17..92d106e 100644
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@@ -5,6 +5,9 @@ fail2ban:
 bantime: 600
 maxretry: 4
 ignore: "127.0.0.0/8 {{ dc_net }}"
+fail2ban_base_packages:
+ - fail2ban
+ - rsyslog
 vn_host:
 url: http://apt.verdnatura.es/pool/main/v/vn-host
 package: vn-host_2.0.2_all.deb
diff --git a/roles/debian-base/tasks/fail2ban.yml b/roles/debian-base/tasks/fail2ban.yml
index 709bafe..838e89e 100644
--- a/roles/debian-base/tasks/fail2ban.yml
+++ b/roles/debian-base/tasks/fail2ban.yml
@@ -1,10 +1,7 @@
-- name: Install fail2ban packages
+- name: Install fail2ban and rsyslog packages
 apt:
- name: fail2ban
+ name: "{{ fail2ban_base_packages }}"
 state: present
- loop:
- - fail2ban
- - rsyslog
 - name: Configure fail2ban service
 template:
 src: jail.local
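Review bot: The new `fail2ban_base_packages` list in roles/debian-base/defaults/main.yaml bundles rsyslog with fail2ban without saying why, so anyone overriding the variable cannot tell whether rsyslog is a hard requirement or incidental. If it is there so the jails have a `/var/log/auth.log` to read (presumably, given fail2ban's default log-file backend, but that is an inference), record it above the list, e.g. `# rsyslog is required: fail2ban's default jails read /var/log/auth.log, which only a syslog daemon produces`. The comment belongs in defaults rather than in the task, since defaults is where an override would be made.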
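Review bot: The task name at +1 of roles/debian-base/tasks/fail2ban.yml hard-codes "and rsyslog" while the package list at +4 now comes from the overridable `fail2ban_base_packages`, so the name will be wrong as soon as someone overrides the variable. A name that describes the intent rather than the current list, `- name: Install fail2ban base packages`, stays accurate under overrides. The rest of the file (the jail.local template task) continues outside the hunk.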
diff --git a/roles/debian-base/tasks/install.yml b/roles/debian-base/tasks/install.yml
index a43a71e..396832c 100644
--- a/roles/debian-base/tasks/install.yml
+++ b/roles/debian-base/tasks/install.yml
@@ -1,5 +1,4 @@
 - name: Install base packages
 apt:
- name: "{{ item }}"
+ name: "{{ base_packages }}"
 state: present
- loop: "{{ base_packages }}"
diff --git a/roles/debian-base/tasks/main.yml b/roles/debian-base/tasks/main.yml
index 665c208..74471b2 100644
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@@ -20,3 +20,5 @@
 tags: vim
 - import_tasks: nrpe.yml
 tags: nrpe
+- import_tasks: fail2ban.yml
+ tags: fail2ban
diff --git a/roles/debian-base/tasks/nrpe.yml b/roles/debian-base/tasks/nrpe.yml
index bf6aff3..d5e98a1 100644
--- a/roles/debian-base/tasks/nrpe.yml
+++ b/roles/debian-base/tasks/nrpe.yml
@@ -1,12 +1,8 @@
 - name: Install NRPE packages
 apt:
- name: "{{ item }}"
+ name: "{{ nagios_packages }}"
 state: present
 install_recommends: no
- loop:
- - nagios-nrpe-server
- - nagios-plugins-contrib
- - monitoring-plugins-basic
 - name: Set NRPE generic configuration
 template:
 src: nrpe.cfg
diff --git a/roles/debian-once/handlers/main.yml b/roles/debian-once/handlers/main.yml
new file mode 100644
index 0000000..18c505e
--- /dev/null
+++ b/roles/debian-once/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+ systemd:
+ name: sshd
+ state: restarted
diff --git a/roles/debian-once/tasks/ssh.yml b/roles/debian-once/tasks/ssh.yml
index 84877cc..26f7a8b 100644
--- a/roles/debian-once/tasks/ssh.yml
+++ b/roles/debian-once/tasks/ssh.yml
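Review bot: `nagios_packages` at +4 of roles/debian-base/tasks/nrpe.yml is not defined anywhere in this commit — the defaults hunk in roles/debian-base/defaults/main.yaml adds only `fail2ban_base_packages` — so unless it already exists in a vars file outside the diff, the task fails with an undefined-variable error on the first run. The three names dropped from the old loop (nagios-nrpe-server, nagios-plugins-contrib, monitoring-plugins-basic) should be restored as a `nagios_packages` list in the role's defaults, in the same shape as `fail2ban_base_packages`. The NRPE template task continues outside the hunk.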
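Review bot: The new handler in roles/debian-once/handlers/main.yml restarts the unit `sshd`, but on Debian the openssh-server unit is `ssh.service`; `sshd.service` is reachable only through its `Alias=`, which systemd installs when the unit is enabled, so the handler should work on a normally enabled service but is more robust as `name: ssh`. It would also help to say which task is expected to trigger it, e.g. `# notified by tasks/ssh.yml after host-key or sshd_config changes`, since a handler with no visible notifier reads as dead code.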
@@ -1,10 +1,24 @@
+- name: Generate a new SSH key pair
+ openssh_keypair:
+ path: /etc/ssh/ssh_host_rsa_key
+ type: rsa
+ size: 4096
+ register: new_pair
+- name: Configure sshd_config settings
+ lineinfile:
+ path: /etc/ssh/sshd_config
+ regexp: "{{ item.regexp }}"
+ line: "{{ item.line }}"
+ loop:
+ - { regexp: '^#ListenAddress 0.0.0.0', line: 'ListenAddress 0.0.0.0' }
+ - { regexp: '^#SyslogFacility AUTH', line: 'SyslogFacility AUTH' }
 - name: Delete old host SSH keys
 file:
 path: "{{ item }}"
 state: absent
 with_items:
 - /etc/ssh/ssh_host_ecdsa_key
+ - /etc/ssh/ssh_host_ecdsa_key.pub
 - /etc/ssh/ssh_host_ed25519_key
- - /etc/ssh/ssh_host_rsa_key
-- name: Regenerate host SSH keys
- command: dpkg-reconfigure openssh-server
+ - /etc/ssh/ssh_host_ed25519_key.pub
+ when: new_pair is succeeded
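Review bot: Neither the key-generation task at +1 nor the sshd_config task at +7 carries `notify: restart sshd`, so the handler added in roles/debian-once/handlers/main.yml in this same commit never fires and the running daemon keeps serving its old host keys and old configuration until something else restarts it. Two further problems on the new side: `openssh_keypair` without `force: true` leaves an existing /etc/ssh/ssh_host_rsa_key untouched now that the old `dpkg-reconfigure openssh-server` regeneration is gone, and because `new_pair is succeeded` is also true for an unchanged result (a failure would already have aborted the play), the ecdsa/ed25519 keys are deleted while a pre-existing RSA key is kept — the opposite of a rotation on a host whose RSA key predates this role. The `lineinfile` regexps `'^#ListenAddress 0.0.0.0'` and `'^#SyslogFacility AUTH'` match only the commented default, so on the second run they miss the now-uncommented line and append a duplicate each time; `'^#?ListenAddress 0\.0\.0\.0'` and `'^#?SyslogFacility AUTH'` keep the task idempotent. Removing the ed25519 host key also leaves RSA as the only host-key algorithm, which looks deliberate but deserves a comment, since current clients prefer ed25519 and the old version of this file kept it.

```yaml
- name: Generate a new SSH key pair
  openssh_keypair:
    # … unchanged: path / type / size …
    force: true
  register: new_pair
  notify: restart sshd
- name: Configure sshd_config settings
  # … unchanged: lineinfile path / regexp / line …
  loop:
    - { regexp: '^#?ListenAddress 0\.0\.0\.0', line: 'ListenAddress 0.0.0.0' }
    - { regexp: '^#?SyslogFacility AUTH', line: 'SyslogFacility AUTH' }
  notify: restart sshd
# … unchanged: Delete old host SSH keys task …
```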