fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban

Two bugs caught by the live make check/deploy on askari:
- include_tasks with a tag selects the include but NOT its tasks, so --tags hardening
  ran nothing. Use apply: {tags:} to propagate (also fixed the firewall include).
- fail2ban service start + restart handler fail in a first-run --check (package not
  installed yet); guard both with when: not ansible_check_mode so check is clean.
Applied to askari: SSH hardened, fail2ban active, ping still works (no lockout).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
sjat 2026-06-14 16:54:23 +02:00
parent a111a20cc8
commit db1e5db138
3 changed files with 20 additions and 3 deletions

View file

@ -10,3 +10,4 @@
ansible.builtin.service:
name: fail2ban
state: restarted
when: not ansible_check_mode # fail2ban isn't installed during a first-run --check

View file

@ -19,3 +19,7 @@
name: fail2ban
enabled: true
state: started
# In --check on a host without fail2ban yet, the package isn't really installed, so the
# service lookup fails. Skip the start in check mode (the install + jail are still
# previewed); a real deploy installs then starts it.
when: not ansible_check_mode

View file

@ -1,12 +1,24 @@
---
# `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on
# a dynamic include_tasks only selects the include itself, not its contents, so
# `--tags <concern>` would run nothing (Ansible gotcha).
- name: Configure host firewall (nftables)
ansible.builtin.include_tasks: firewall.yml
ansible.builtin.include_tasks:
file: firewall.yml
apply:
tags: [firewall]
tags: [firewall]
- name: SSH hardening
ansible.builtin.include_tasks: ssh.yml
ansible.builtin.include_tasks:
file: ssh.yml
apply:
tags: [hardening]
tags: [hardening]
- name: Fail2ban intrusion deterrence
ansible.builtin.include_tasks: fail2ban.yml
ansible.builtin.include_tasks:
file: fail2ban.yml
apply:
tags: [hardening]
tags: [hardening]