boma/roles/base/tasks
sjat db1e5db138 fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban
Two bugs caught by the live make check/deploy on askari:
- include_tasks with a tag selects the include but NOT its tasks, so --tags hardening
  ran nothing. Use apply: {tags:} to propagate (also fixed the firewall include).
- fail2ban service start + restart handler fail in a first-run --check (package not
  installed yet); guard both with when: not ansible_check_mode so check is clean.
Applied to askari: SSH hardened, fail2ban active, ping still works (no lockout).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 16:54:23 +02:00
..
fail2ban.yml fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban 2026-06-14 16:54:23 +02:00
firewall.yml fix(base): make rollback snapshot restorable (flush-prefixed) 2026-06-06 19:15:38 +02:00
main.yml fix(base): propagate hardening tag to included tasks; check-mode-safe fail2ban 2026-06-14 16:54:23 +02:00
ssh.yml test(base): Molecule coverage for ssh hardening + fail2ban 2026-06-14 16:47:42 +02:00