ansible-personal/roles/common/handlers/main.yml

---
# ansible.builtin.file: roles/common/handlers/main.yml

- name: reload sshd
  ansible.builtin.systemd:
    name: "{{ sshd_service_name }}"
    state: reloaded

- name: reload sysctl
  command: sysctl -p /etc/sysctl.conf

- name: reload systemd
  ansible.builtin.systemd:
    daemon_reload: true

- name: restart nftables
  ansible.builtin.systemd:
    name: nftables
    state: restarted

# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
  ansible.builtin.systemd:
    name: fail2ban
    state: restarted
  when: webserver is defined and webserver == 'nginx'
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00			`---`
roles: use fully qualified module names 2022-09-10 17:09:12 +02:00			`# ansible.builtin.file: roles/common/handlers/main.yml`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
roles/common: Reload sshd instead of restarting No need to restart for a config change. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-08-22 23:01:17 +02:00			`- name: reload sshd`
roles/common: re-format handlers Use the newer Ansible format. 2023-08-23 20:35:28 +02:00			`ansible.builtin.systemd:`
			`name: "{{ sshd_service_name }}"`
			`state: reloaded`
Initial commit Signed-off-by: Alan Orth <alan.orth@gmail.com> 2014-08-16 23:35:57 +02:00
			`- name: reload sysctl`
			`command: sysctl -p /etc/sysctl.conf`
roles/common: Add firewalld support Needed in Ubuntu 15.04 where iptables-persistent is going away. I have added translations of the current IPv4 and IPv6 iptables rules. Signed-off-by: Alan Orth <alan.orth@gmail.com> 2015-06-07 11:42:03 +02:00
roles/common: Add support for fail2ban This is active banning of IPs that are brute forcing login attempts to SSH, versus the passive banning of 10,000 abusive IPs from the abuseipdb.com blacklist. For now I am banning IPs that fail to log in successfully more than twelve times in a one-hour period, but these settings might change, and I can override them at the group and host level if needed. Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04, with minor differences in the systemd configuration due to older versions on some distributions. You can see the status of the jail like this: # fail2ban-client status sshd Status for the jail: sshd \|- Filter \| \|- Currently failed: 0 \| \|- Total failed: 0 \| `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd `- Actions \|- Currently banned: 1 \|- Total banned: 1 `- Banned IP list: 106.13.112.20 You can unban IPs like this: # fail2ban-client set sshd unbanip 106.13.112.20 2019-10-26 16:36:07 +02:00			`- name: reload systemd`
roles/common: re-format handlers Use the newer Ansible format. 2023-08-23 20:35:28 +02:00			`ansible.builtin.systemd:`
			`daemon_reload: true`
roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support. 2021-07-26 12:09:41 +02:00
roles/common: Fix typo in handlers 2021-09-05 15:19:31 +02:00			`- name: restart nftables`
roles/common: re-format handlers Use the newer Ansible format. 2023-08-23 20:35:28 +02:00			`ansible.builtin.systemd:`
			`name: nftables`
			`state: restarted`
roles/common: notify fail2ban after updating firewall We should always restart fail2ban after updating the firewall. Also note that the order of execution of handlers depends on how they are defined in the handler config, not on the order they are listed in the task's notify statement. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html 2021-09-28 09:45:51 +02:00
			`# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed`
			`# in the order they are defined, not in the order they are listed in the task's`
			`# notify statement and we must restart fail2ban after updating the firewall.`
			`- name: restart fail2ban`
roles/common: re-format handlers Use the newer Ansible format. 2023-08-23 20:35:28 +02:00			`ansible.builtin.systemd:`
			`name: fail2ban`
			`state: restarted`
roles/common: rework fail2ban tasks We can only run fail2ban when we have logs to monitor. When a host is running Caddy we don't have logs, so fail2ban doesn't have any- thing to monitor out of the box. For now I will restrict the task to hosts running nginx. 2023-08-23 20:59:28 +02:00			`when: webserver is defined and webserver == 'nginx'`