Two bugs caught by the live make check/deploy on askari:
- include_tasks with a tag selects the include but NOT its tasks, so --tags hardening
ran nothing. Use apply: {tags:} to propagate (also fixed the firewall include).
- fail2ban service start + restart handler fail in a first-run --check (package not
installed yet); guard both with when: not ansible_check_mode so check is clean.
Applied to askari: SSH hardened, fail2ban active, ping still works (no lockout).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
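The two fixes the message describes, side by side with the broken form, as an added example that is not part of this commit: the file name hardening.yml, the task names and the use of the apt module are assumptions; the handler name matches the `listen:` entry in the handlers file below.

```yaml
# Added example, not code from this commit. hardening.yml, the task names and
# the apt module are assumed; `restart fail2ban` matches the handlers file.

# Fix 1: tag propagation through include_tasks.
#
# Broken (kept here only for comparison): `tags` on an include_tasks selects
# the include itself. With `--tags hardening` the include runs, but every task
# inside hardening.yml is untagged and is skipped, so nothing is applied.
- name: SSH hardening (broken form, for comparison)
  ansible.builtin.include_tasks: hardening.yml
  tags: [hardening]

# Fixed: `apply` stamps the tag onto each task the include pulls in, and the
# include keeps its own tag so the tag filter still selects it at all.
- name: SSH hardening
  ansible.builtin.include_tasks:
    file: hardening.yml
    apply:
      tags: [hardening]
  tags: [hardening]

# Fix 2: a first-run --check must not touch a service whose package is not
# installed yet. The package task is a no-op under --check, so the unit does
# not exist and a service start (or the restart handler) would fail.
- name: Install fail2ban
  ansible.builtin.apt:
    name: fail2ban
    state: present
  notify: restart fail2ban

- name: Ensure fail2ban is enabled and running
  ansible.builtin.service:
    name: fail2ban
    state: started
    enabled: true
  when: not ansible_check_mode   # skipped under --check; normal runs unaffected
```

With the fixed include, a `--tags hardening` run shows the tasks from hardening.yml executing instead of only the include. The `not ansible_check_mode` guard also skips the service task on later `--check` runs where fail2ban is already installed; that is the trade-off the commit accepts so a first-run check comes out clean.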
13 lines
314 B
YAML
---
- name: Reload sshd
  listen: reload sshd
  ansible.builtin.service:
    name: ssh
    state: reloaded

- name: Restart fail2ban
  listen: restart fail2ban
  ansible.builtin.service:
    name: fail2ban
    state: restarted
  when: not ansible_check_mode  # fail2ban isn't installed during a first-run --check