roles/common: minor configuration of Debian 13 SSH

Tweak some of the new OpenSSH per-source penalty settings on Debian 13. For now only adjusting the source network masks and reusing the list of IPs to exempt from fail2ban. These being built in makes them easier to use, but I think I will end up sticking with fail2ban for the heavy lifting because it per- sists across restarts of the daemon, whereas OpenSSH's doesn't. I will monitor OpenSSH on Debian 13 to see how to best use it along side fail2ban.
roles/common: use 127.0.0.0/8 for fail2ban ignoreip
2025-09-22 22:26:09 +03:00 · 2025-09-22 22:19:37 +03:00 · 2025-09-21 23:27:28 +03:00
12 changed files with 17 additions and 17 deletions
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -3,7 +3,7 @@
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: caddy
    state: reloaded
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -2,7 +2,7 @@
 # ansible.builtin.file: roles/common/handlers/main.yml
 - name: Reload sshd
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: "{{ sshd_service_name }}"
    state: reloaded
@@ -10,11 +10,11 @@
  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 - name: Reload systemd
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    daemon_reload: true
 - name: Restart nftables
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nftables
    state: restarted
@@ -22,6 +22,6 @@
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: Restart fail2ban
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: fail2ban
    state: restarted
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -47,7 +47,7 @@
    - Restart fail2ban
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true
--- a/roles/common/tasks/nftables.yml
+++ b/roles/common/tasks/nftables.yml
@@ -76,11 +76,11 @@
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
  when: nftables_systemd_units is changed
-  ansible.builtin.systemd_service: # noqa no-handler
+  ansible.builtin.systemd: # noqa no-handler
    daemon_reload: true
 - name: Start and enable nftables update timers
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
@@ -88,7 +88,7 @@
    - update-firehol-nftables.timer
 - name: Start and enable nftables
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -22,7 +22,7 @@
 - name: Start and enable systemd's NTP client
  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: systemd-timesyncd
    state: started
    enabled: true
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: mariadb
    state: restarted
--- a/roles/munin/handlers/main.yml
+++ b/roles/munin/handlers/main.yml
@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd_service: name=munin-node state=restarted
+  ansible.builtin.systemd: name=munin-node state=restarted
--- a/roles/munin/tasks/munin-node.yml
+++ b/roles/munin/tasks/munin-node.yml
@@ -26,7 +26,7 @@
    - restart munin-node
 - name: Start munin-node
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: munin-node
    state: started
    enabled: true
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Reload nginx
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nginx
    state: reloaded
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -82,7 +82,7 @@
    # always issues daemon-reload just in case the service/timer changed
    - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd_service:
+      ansible.builtin.systemd:
        name: renew-letsencrypt.timer
        state: started
        enabled: true
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -119,7 +119,7 @@
  tags: nginx
 - name: Start and enable nginx service
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: nginx
    state: started
    enabled: true
--- a/roles/php_fpm/handlers/main.yml
+++ b/roles/php_fpm/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 # For Debian 12
 - name: Reload php8.2-fpm
-  ansible.builtin.systemd_service:
+  ansible.builtin.systemd:
    name: php8.2-fpm
    state: reloaded