Refs #8025 Rol debian-base. Task install, nrpe, fail2ban fix, refactor handlers

inventories/group_vars/all.yml

@@ -26,7 +26,6 @@ base_packages:
   - bash-completion
   - screen
   - aptitude
-  - vim
   - tree
   - btop
   - ncdu

roles/debian-base/defaults/main.yaml

@@ -5,6 +5,9 @@ fail2ban:
   bantime: 600
   maxretry: 4
   ignore: "127.0.0.0/8 {{ dc_net }}"
+fail2ban_base_packages:
+  - fail2ban
+  - rsyslog
 vn_host:
   url: http://apt.verdnatura.es/pool/main/v/vn-host
   package: vn-host_2.0.2_all.deb

roles/debian-base/tasks/fail2ban.yml

@@ -1,10 +1,7 @@
-- name: Install fail2ban packages
+- name: Install fail2ban and rsyslog packages
   apt:
-    name: fail2ban
+    name: "{{ fail2ban_base_packages }}"
     state: present
-  loop:
-    - fail2ban
-    - rsyslog
 - name: Configure fail2ban service
   template:
     src: jail.local

roles/debian-base/tasks/install.yml

@@ -1,5 +1,4 @@
 - name: Install base packages
   apt:
-    name: "{{ item }}"
+    name: "{{ base_packages }}"
     state: present
-  loop: "{{ base_packages }}"

roles/debian-base/tasks/main.yml

@@ -20,3 +20,5 @@
   tags: vim
 - import_tasks: nrpe.yml
   tags: nrpe
+- import_tasks: fail2ban.yml
+  tags: fail2ban

roles/debian-base/tasks/nrpe.yml

@@ -1,12 +1,8 @@
 - name: Install NRPE packages
   apt:
-    name: "{{ item }}"
+    name: "{{ nagios_packages }}"
     state: present
     install_recommends: no
-  loop:
-    - nagios-nrpe-server
-    - nagios-plugins-contrib
-    - monitoring-plugins-basic
 - name: Set NRPE generic configuration
   template:
     src: nrpe.cfg

roles/debian-once/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted

roles/debian-once/tasks/ssh.yml

@@ -1,10 +1,24 @@
+- name: Generate a new SSH key pair
+  openssh_keypair:
+    path: /etc/ssh/ssh_host_rsa_key
+    type: rsa                        
+    size: 4096
+  register: new_pair                                   
+- name: Configure sshd_config settings
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+    - { regexp: '^#ListenAddress 0.0.0.0', line: 'ListenAddress 0.0.0.0' }
+    - { regexp: '^#SyslogFacility AUTH', line: 'SyslogFacility AUTH' }
 - name: Delete old host SSH keys
   file:
     path: "{{ item }}"
     state: absent
   with_items:
     - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ecdsa_key.pub
     - /etc/ssh/ssh_host_ed25519_key
-    - /etc/ssh/ssh_host_rsa_key
+    - /etc/ssh/ssh_host_ed25519_key.pub
-- name: Regenerate host SSH keys
+  when: new_pair is succeeded
-  command: dpkg-reconfigure openssh-server