-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/fail2ban.yml2
-rw-r--r--roles/common/tasks/ipsec.yml3
-rw-r--r--roles/common/tasks/samhain.yml2
4 files changed, 10 insertions, 0 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 9cae8bf..56b37e7 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,20 +1,23 @@
+# 'service: name=... state=started' tasks should NOT run if there is a
+# corresponding state=restarted handler. (Register the task notifying
+# the handler, and add a conditional.)
---
- name: Refresh hostname
service: name=hostname.sh state=restarted
- name: apt-get update
apt: update_cache=yes
- name: Reload samhain
service: name=samhain state=reloaded
- name: Update rkhunter's data file
command: /usr/bin/rkhunter --propupd
- name: Restart fail2ban
service: name=fail2ban state=restarted
- name: Missing IPSec certificate
fail: msg="strongswan IPsec is lacking public or private keys on '{{ ansible_fqdn }}'."
- name: Restart IPSec
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 3c13d8c..d5007b9 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,15 +1,17 @@
- name: Install fail2ban
apt: pkg=fail2ban
- name: Configure fail2ban
template: src=etc/fail2ban/jail.local.j2
dest=/etc/fail2ban/jail.local
owner=root group=root
mode=0644
+ register: r
notify:
- Restart fail2ban
- name: Start fail2ban
service: name=fail2ban state=started
+ when: not r.changed
- meta: flush_handlers
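Review bot: The registered name `r` on "Configure fail2ban" is too generic for a variable that stays defined for the host after the task runs. A descriptive name, e.g. `register: fail2ban_conf` with `when: not fail2ban_conf.changed` on "Start fail2ban", makes the guard readable on its own and keeps another task file from reusing the same name by accident. The same applies to `r1`/`r2` in roles/common/tasks/ipsec.yml. Because fail2ban is a protective service, a short comment on the `when:` would also help, such as `# skipped only because "Restart fail2ban" is flushed right below`.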
diff --git a/roles/common/tasks/ipsec.yml b/roles/common/tasks/ipsec.yml
index 1f33946..619c093 100644
--- a/roles/common/tasks/ipsec.yml
+++ b/roles/common/tasks/ipsec.yml
@@ -10,51 +10,54 @@
- name: Ensure we have our public key
file: path=/etc/ipsec.d/certs/{{ inventory_hostname }}.pem
owner=root group=root
mode=0644
notify:
- Missing IPSec certificate
- name: Ensure we have the CA's public key
file: path=/etc/ipsec.d/cacerts/cacert.pem
owner=root group=root
mode=0644
notify:
- Missing IPSec certificate
- name: Configure IPSec's secrets
template: src=etc/ipsec.secrets.j2
dest=/etc/ipsec.secrets
owner=root group=root
mode=0600
+ register: r1
notify:
- Restart IPSec
- name: Configure IPSec
template: src=etc/ipsec.conf.j2
dest=/etc/ipsec.conf
owner=root group=root
mode=0644
+ register: r2
notify:
- Restart IPSec
- name: Start IPSec
service: name=ipsec state=started
+ when: not (r1.changed or r2.changed)
- name: Auto-create a dedicated interface for IPSec
copy: src=etc/network/if-up.d/ipsec
dest=/etc/network/if-up.d/ipsec
owner=root group=root
mode=0755
notify:
- Reload networking
# XXX: As of 1.3.1 ansible doesn't accept relative src.
# See https://github.com/ansible/ansible/issues/4459
- name: Auto-deactivate the dedicated interface for IPSec
file: #src=../if-up.d/ipsec
src=/etc/network/if-up.d/ipsec
dest=/etc/network/if-down.d/ipsec
owner=root group=root state=link
- meta: flush_handlers
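Review bot: When `r1` or `r2` reports a change, "Start IPSec" is now skipped and the service is brought up only by the "Restart IPSec" handler, which is not flushed until the `- meta: flush_handlers` at the end of this hunk, after the if-up.d copy and the if-down.d link tasks. If one of those later tasks fails, the play normally stops for that host before handlers run, so on that run IPsec can be left stopped or still using the old secrets and configuration. On the next run the templates would report no change, so nothing notifies the restart again. Consider adding a `- meta: flush_handlers` directly after "Start IPSec" and keeping the final one for "Reload networking". The task list starts before this hunk, so earlier notifications are not visible here.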
diff --git a/roles/common/tasks/samhain.yml b/roles/common/tasks/samhain.yml
index cbc0b5e..768ceb6 100644
--- a/roles/common/tasks/samhain.yml
+++ b/roles/common/tasks/samhain.yml
@@ -1,22 +1,24 @@
- name: Install samhain
apt: pkg=samhain
# XXX: Doesn't work out of the box, see #660197.
# If this is the first installation, you may want to start with a fresh database
# sudo service samhain stop
# sudo rm /var/state/samhain/samhain_file
# sudo samhain -t init -p warn
# sudo service samhain start
# sudo samhain -t update -l none
- name: Configure samhain
copy: src=etc/samhain/samhainrc
dest=/etc/samhain/samhainrc
owner=root group=root
mode=0644
notify:
- Reload samhain
- name: Start samhain
+ # This task is inconditional because samhain is reloaded not
+ # restarted.
service: name=samhain state=started
- meta: flush_handlers
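Review bot: The comment added to "Start samhain" misspells "unconditional" as `inconditional` and does not name the handler it depends on. Suggested wording: `# Unconditional: the "Reload samhain" handler reloads rather than restarts,` followed by `# so this task is what ensures the service is running.` The second half is inferred from the `state=reloaded` handler in roles/common/handlers/main.yml; adjust it if the intent was different.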