Use block in fail2ban role

2021-01-06 00:13:13 +01:00 · 2021-01-06 00:13:13 +01:00 · 7283ac291f
parent ffe73e5568
commit 7283ac291f
3 changed files with 37 additions and 29 deletions
--- a/roles/fail2ban/defaults/main.yml
+++ b/roles/fail2ban/defaults/main.yml
@ -0,0 +1,3 @@
+---
+fail2ban_become: true
+fail2ban_become_user: root
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@ -1,24 +1,29 @@
 ---
- name: install fail2ban
-  apt:
-    name: fail2ban
-    state: present
-    update_cache: true
-    cache_valid_time: 3600
-  become: true
+- block:

- name: set customization.local config file
-  template:
-    src: templates/customization.local.j2
-    dest: /etc/fail2ban/jail.d/customization.local
-    mode: 0640
-  become: true
-  notify: restart fail2ban
+  - name: install fail2ban
+    apt:
+      name: fail2ban
+      state: present
+      update_cache: true
+      cache_valid_time: 3600
+    become: true

- name: set custom sshd filter config file
-  template:
-    src: templates/sshd-custom-filter.conf.j2
-    dest: /etc/fail2ban/filter.d/sshd-custom.conf
-    mode: 0640
-  become: true
-  notify: restart fail2ban
+  - name: set customization.local config file
+    template:
+      src: templates/customization.local.j2
+      dest: /etc/fail2ban/jail.d/customization.local
+      mode: 0640
+    become: true
+    notify: restart fail2ban
+
+  - name: set custom sshd filter config file
+    template:
+      src: templates/sshd-custom-filter.conf.j2
+      dest: /etc/fail2ban/filter.d/sshd-custom.conf
+      mode: 0640
+    become: true
+    notify: restart fail2ban
+
+  become: "{{ fail2ban_become }}"
+  become_user: "{{ fail2ban_become_user }}"
--- a/tests/test.yml
+++ b/tests/test.yml
@ -17,15 +17,12 @@
    # - ../roles/apt_dist_upgrade
    - ../roles/common
    - ../roles/hostname
-    # The easy ports sequece is just for test. Also don't disable strict IP
-    # filtering on production.
-    # - {role: ../roles/knockd, ports: [3333, 4444, 5555], network_interface: eth1, filter_ip: ""}
    - ../roles/nftables
    - ../roles/sshd
-    - {role: ../roles/fail2ban}
-    - {role: ../roles/snake_oil_dehydrated, become: true}
-    - {role: ../roles/mailserver}
-    - {role: ../roles/weechat}
+    - ../roles/fail2ban
+    # - {role: ../roles/snake_oil_dehydrated, become: true}
+    # - {role: ../roles/mailserver}
+    # - {role: ../roles/weechat}
    # Uncomment to test wikijs role: it's commented since the tarball that we
    # have to download is more than 60MB.
    # - {role: ../roles/wikijs, become: true, wikijs_db_type: sqlite}
@ -41,4 +38,7 @@
    # - {role: ../roles/generate_certificate, become: true}
    # - {role: ../roles/gitea, become: true}
    # - ../roles/docker
-    - ../roles/dokku
+    # - ../roles/dokku
+    # The easy ports sequece is just for test. Also don't disable strict IP
+    # filtering on production.
+    # - {role: ../roles/knockd, ports: [3333, 4444, 5555], network_interface: eth1, filter_ip: ""}