Upgrade baseline to Debian 10.

5 files changed, 35 insertions, 6 deletions

diff --git a/roles/common/tasks/bacula.yml b/roles/common/tasks/bacula.yml
index 73a2fa1..fb37b5b 100644
--- a/roles/common/tasks/bacula.yml
+++ b/roles/common/tasks/bacula.yml
@@ -63,6 +63,14 @@
     - systemctl daemon-reload
     - Restart bacula-fd
 
+# We use RuntimeDirectory in our service unit to avoid permission issues
+# caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/bacula.conf
+  file: src=/dev/null
+        dest=/etc/tmpfiles.d/bacula.conf
+        owner=root group=root
+        state=link
+
 - meta: flush_handlers
 
 - name: Enable bacula-fd
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 89427ea..e56deaf 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -53,11 +53,11 @@
   notify:
     - Restart fail2ban
 
-- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf
+- name: Create directory /etc/systemd/system/fail2ban.service.d
   file: path=/etc/systemd/system/fail2ban.service.d
         state=directory
         owner=root group=root
-        mode=0750
+        mode=0755
 
 - name: Harden fail2ban.service
   copy: src=etc/systemd/system/fail2ban.service.d/override.conf
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 989541b..30bb481 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -14,8 +14,6 @@
             dest=/etc/network/if-up.d/ipsec
             owner=root group=root
             mode=0755
-  notify:
-    - Reload networking
 
 - name: Auto-deactivate the dedicated virtual subnet for IPsec
   file: src=../if-up.d/ipsec
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 02a745c..55c1489 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -82,7 +82,6 @@
     - molly-guard
     - rsync
     - screen
-    - telnet-ssl
 
 - name: Disable resume device
   # Cf. initramfs-tools(7) and initramfs.conf(5).
diff --git a/roles/common/tasks/munin-node.yml b/roles/common/tasks/munin-node.yml
index f43094a..a713f08 100644
--- a/roles/common/tasks/munin-node.yml
+++ b/roles/common/tasks/munin-node.yml
@@ -133,8 +133,32 @@
   notify:
     - Restart munin-node
 
+- name: Create directory /etc/systemd/system/munin-node.service.d
+  file: path=/etc/systemd/system/munin-node.service.d
+        state=directory
+        owner=root group=root
+        mode=0755
+
+- name: Copy munin-node.service override
+  copy: src=etc/systemd/system/munin-node.service.d/override.conf
+        dest=/etc/systemd/system/munin-node.service.d/override.conf
+        owner=root group=root
+        mode=0644
+  register: r8
+  notify:
+    - systemctl daemon-reload
+    - Restart munin-node
+
+# We use RuntimeDirectory in our overrride unit to avoid permission
+# issues caused by the restrictive Capability Bounding Set
+- name: Mask /usr/lib/tmpfiles.d/munin-common.conf
+  file: src=/dev/null
+        dest=/etc/tmpfiles.d/munin-common.conf
+        owner=root group=root
+        state=link
+
 - name: Start munin-node
   service: name=munin-node state=started
-  when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed)
+  when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed or r6.changed or r7.changed or r8.changed)
 
 - meta: flush_handlers