summaryrefslogtreecommitdiffstats
path: root/roles/common/tasks
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 02:52:55 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 05:45:59 +0200
commitbac7811d2b35252b7a83a45d75bb344b4b1776a9 (patch)
tree02176a15d570cab6dbd55b52b6df5c7b7b0538b1 /roles/common/tasks
parentc4f24043baeccc95556fb9c3c032505ecadb5fbd (diff)
Upgrade baseline to Debian 10.
Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/bacula.yml8
-rw-r--r--roles/common/tasks/fail2ban.yml4
-rw-r--r--roles/common/tasks/ipsec.yml2
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/common/tasks/munin-node.yml26
5 files changed, 35 insertions, 6 deletions
diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 73a2fa1..fb37b5b 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -63,6 +63,14 @@
- systemctl daemon-reload
- Restart bacula-fd
+# We use RuntimeDirectory in our service unit to avoid permission issues
+# caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/bacula.conf
+ file: src=/dev/null
+ dest=/etc/tmpfiles.d/bacula.conf
+ owner=root group=root
+ state=link
+
- meta: flush_handlers
- name: Enable bacula-fd
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 89427ea..e56deaf 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -53,11 +53,11 @@
notify:
- Restart fail2ban
-- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf
+- name: Create directory /etc/systemd/system/fail2ban.service.d
file: path=/etc/systemd/system/fail2ban.service.d
state=directory
owner=root group=root
- mode=0750
+ mode=0755
- name: Harden fail2ban.service
copy: src=etc/systemd/system/fail2ban.service.d/override.conf
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 989541b..30bb481 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -14,8 +14,6 @@
dest=/etc/network/if-up.d/ipsec
owner=root group=root
mode=0755
- notify:
- - Reload networking
- name: Auto-deactivate the dedicated virtual subnet for IPsec
file: src=../if-up.d/ipsec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 02a745c..55c1489 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -82,7 +82,6 @@
- molly-guard
- rsync
- screen
- - telnet-ssl
- name: Disable resume device
# Cf. initramfs-tools(7) and initramfs.conf(5).
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index f43094a..a713f08 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -133,8 +133,32 @@
notify:
- Restart munin-node
+- name: Create directory /etc/systemd/system/munin-node.service.d
+ file: path=/etc/systemd/system/munin-node.service.d
+ state=directory
+ owner=root group=root
+ mode=0755
+
+- name: Copy munin-node.service override
+ copy: src=etc/systemd/system/munin-node.service.d/override.conf
+ dest=/etc/systemd/system/munin-node.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ register: r8
+ notify:
+ - systemctl daemon-reload
+ - Restart munin-node
+
+# We use RuntimeDirectory in our overrride unit to avoid permission
+# issues caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/munin-common.conf
+ file: src=/dev/null
+ dest=/etc/tmpfiles.d/munin-common.conf
+ owner=root group=root
+ state=link
+
- name: Start munin-node
service: name=munin-node state=started
- when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed or r8.changed)
- meta: flush_handlers