From db1e5db1387f917979f0ddeebbf17165e702402b Mon Sep 17 00:00:00 2001 From: sjat Date: Sun, 14 Jun 2026 16:54:23 +0200 Subject: [PATCH] fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban Two bugs caught by the live make check/deploy on askari: - include_tasks with a tag selects the include but NOT its tasks, so --tags hardening ran nothing. Use apply: {tags:} to propagate (also fixed the firewall include). - fail2ban service start + restart handler fail in a first-run --check (package not installed yet); guard both with when: not ansible_check_mode so check is clean. Applied to askari: SSH hardened, fail2ban active, ping still works (no lockout). Co-Authored-By: Claude Opus 4.8 (1M context) --- roles/base/handlers/main.yml | 1 + roles/base/tasks/fail2ban.yml | 4 ++++ roles/base/tasks/main.yml | 18 +++++++++++++++--- 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml index 0b94520..5881d35 100644 --- a/roles/base/handlers/main.yml +++ b/roles/base/handlers/main.yml @@ -10,3 +10,4 @@ ansible.builtin.service: name: fail2ban state: restarted + when: not ansible_check_mode # fail2ban isn't installed during a first-run --check diff --git a/roles/base/tasks/fail2ban.yml b/roles/base/tasks/fail2ban.yml index 8a39f23..a957a8d 100644 --- a/roles/base/tasks/fail2ban.yml +++ b/roles/base/tasks/fail2ban.yml @@ -19,3 +19,7 @@ name: fail2ban enabled: true state: started + # In --check on a host without fail2ban yet, the package isn't really installed, so the + # service lookup fails. Skip the start in check mode (the install + jail are still + # previewed); a real deploy installs then starts it. + when: not ansible_check_mode diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 15b8e12..1b585ba 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -1,12 +1,24 @@ --- +# `apply: tags:` propagates the concern tag to the INCLUDED tasks — without it a tag on +# a dynamic include_tasks only selects the include itself, not its contents, so +# `--tags ` would run nothing (Ansible gotcha). - name: Configure host firewall (nftables) - ansible.builtin.include_tasks: firewall.yml + ansible.builtin.include_tasks: + file: firewall.yml + apply: + tags: [firewall] tags: [firewall] - name: SSH hardening - ansible.builtin.include_tasks: ssh.yml + ansible.builtin.include_tasks: + file: ssh.yml + apply: + tags: [hardening] tags: [hardening] - name: Fail2ban intrusion deterrence - ansible.builtin.include_tasks: fail2ban.yml + ansible.builtin.include_tasks: + file: fail2ban.yml + apply: + tags: [hardening] tags: [hardening]