diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml index 0b94520..5881d35 100644 --- a/roles/base/handlers/main.yml +++ b/roles/base/handlers/main.yml @@ -10,3 +10,4 @@ ansible.builtin.service: name: fail2ban state: restarted + when: not ansible_check_mode # fail2ban isn't installed during a first-run --check diff --git a/roles/base/tasks/fail2ban.yml b/roles/base/tasks/fail2ban.yml index 8a39f23..a957a8d 100644 --- a/roles/base/tasks/fail2ban.yml +++ b/roles/base/tasks/fail2ban.yml @@ -19,3 +19,7 @@ name: fail2ban enabled: true state: started + # In --check on a host without fail2ban yet, the package isn't really installed, so the + # service lookup fails. Skip the start in check mode (the install + jail are still + # previewed); a real deploy installs then starts it. + when: not ansible_check_mode diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 15b8e12..1b585ba 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -1,12 +1,24 @@ --- +# `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on +# a dynamic include_tasks only selects the include itself, not its contents, so +# `--tags ` would run nothing (Ansible gotcha). - name: Configure host firewall (nftables) - ansible.builtin.include_tasks: firewall.yml + ansible.builtin.include_tasks: + file: firewall.yml + apply: + tags: [firewall] tags: [firewall] - name: SSH hardening - ansible.builtin.include_tasks: ssh.yml + ansible.builtin.include_tasks: + file: ssh.yml + apply: + tags: [hardening] tags: [hardening] - name: Fail2ban intrusion deterrence - ansible.builtin.include_tasks: fail2ban.yml + ansible.builtin.include_tasks: + file: fail2ban.yml + apply: + tags: [hardening] tags: [hardening]