Refs #8025 Rol debian-base. Task install, nrpe, fail2ban fix, refactor handlers

2024-10-10 13:21:32 +02:00 · 2024-10-10 13:21:32 +02:00 · 33586c7f96
parent d14b123219
commit 33586c7f96
8 changed files with 30 additions and 16 deletions
--- a/inventories/group_vars/all.yml
+++ b/inventories/group_vars/all.yml
@ -26,7 +26,6 @@ base_packages:
  - bash-completion
  - screen
  - aptitude
-  - vim
  - tree
  - btop
  - ncdu
--- a/roles/debian-base/defaults/main.yaml
+++ b/roles/debian-base/defaults/main.yaml
@ -5,6 +5,9 @@ fail2ban:
  bantime: 600
  maxretry: 4
  ignore: "127.0.0.0/8 {{ dc_net }}"
+fail2ban_base_packages:
+  - fail2ban
+  - rsyslog
 vn_host:
  url: http://apt.verdnatura.es/pool/main/v/vn-host
  package: vn-host_2.0.2_all.deb
--- a/roles/debian-base/tasks/fail2ban.yml
+++ b/roles/debian-base/tasks/fail2ban.yml
@ -1,10 +1,7 @@
- name: Install fail2ban packages
+- name: Install fail2ban and rsyslog packages
  apt:
-    name: fail2ban
+    name: "{{ fail2ban_base_packages }}"
    state: present
-  loop:
-    - fail2ban
-    - rsyslog
 - name: Configure fail2ban service
  template:
    src: jail.local
--- a/roles/debian-base/tasks/install.yml
+++ b/roles/debian-base/tasks/install.yml
@ -1,5 +1,4 @@
 - name: Install base packages
  apt:
-    name: "{{ item }}"
+    name: "{{ base_packages }}"
    state: present
-  loop: "{{ base_packages }}"
--- a/roles/debian-base/tasks/main.yml
+++ b/roles/debian-base/tasks/main.yml
@ -20,3 +20,5 @@
  tags: vim
 - import_tasks: nrpe.yml
  tags: nrpe
+- import_tasks: fail2ban.yml
+  tags: fail2ban
--- a/roles/debian-base/tasks/nrpe.yml
+++ b/roles/debian-base/tasks/nrpe.yml
@ -1,12 +1,8 @@
 - name: Install NRPE packages
  apt:
-    name: "{{ item }}"
+    name: "{{ nagios_packages }}"
    state: present
    install_recommends: no
-  loop:
-    - nagios-nrpe-server
-    - nagios-plugins-contrib
-    - monitoring-plugins-basic
 - name: Set NRPE generic configuration
  template:
    src: nrpe.cfg
--- a/roles/debian-once/handlers/main.yml
+++ b/roles/debian-once/handlers/main.yml
@ -0,0 +1,4 @@
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
--- a/roles/debian-once/tasks/ssh.yml
+++ b/roles/debian-once/tasks/ssh.yml
@ -1,10 +1,24 @@
+- name: Generate a new SSH key pair
+  openssh_keypair:
+    path: /etc/ssh/ssh_host_rsa_key
+    type: rsa                        
+    size: 4096
+  register: new_pair                                   
+- name: Configure sshd_config settings
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+  loop:
+    - { regexp: '^#ListenAddress 0.0.0.0', line: 'ListenAddress 0.0.0.0' }
+    - { regexp: '^#SyslogFacility AUTH', line: 'SyslogFacility AUTH' }
 - name: Delete old host SSH keys
  file:
    path: "{{ item }}"
    state: absent
  with_items:
    - /etc/ssh/ssh_host_ecdsa_key
+    - /etc/ssh/ssh_host_ecdsa_key.pub
    - /etc/ssh/ssh_host_ed25519_key
-    - /etc/ssh/ssh_host_rsa_key
- name: Regenerate host SSH keys
-  command: dpkg-reconfigure openssh-server
+    - /etc/ssh/ssh_host_ed25519_key.pub
+  when: new_pair is succeeded