From 13b3a5066d7df34bd82b5b5b21a7d51a2d7feb6d Mon Sep 17 00:00:00 2001 From: Jose Date: Tue, 24 Feb 2026 19:18:48 +0100 Subject: [PATCH] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Refactor=20tas?= =?UTF-8?q?k=20to=20extract=20and=20process=20Corosync=20ring=20addresses,?= =?UTF-8?q?=20determine=20their=20CIDRs,=20and=20update=20ignoreip=20in=20?= =?UTF-8?q?fail2ban=20config?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This refactoring extracts the logic for processing Corosync ring addresses and determining their CIDRs. It then updates the `ignoreip` setting in the fail2ban configuration accordingly. This change improves modularity and maintainability of the code. --- tasks/fail2ban.yml | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index e832288..8381c45 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml @@ -21,9 +21,8 @@ ################################################# - name: fail2ban | Get Proxmox node name - ansible.builtin.command: hostname - register: pve_node - changed_when: false + ansible.builtin.set_fact: + pve_node: "{{ ansible_hostname }}" - name: fail2ban | Set firewall config path ansible.builtin.set_fact: @@ -89,7 +88,7 @@ ansible.builtin.command: pve-firewall compile register: compiled_fw changed_when: false - failed_when: false + failed_when: fw_compile_check.rc != 0 when: cluster_status.stat.exists - name: fail2ban | Fail if corosync ports are being dropped 
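Review bot: The new `pve_node: "{{ ansible_hostname }}"` in the "Get Proxmox node name" task only works when facts have been gathered; in a play with `gather_facts: false` (or a `gather_subset` that omits network/min facts) the set_fact fails on an undefined variable, whereas the removed `hostname` command had no such dependency. Either document the fact-gathering requirement in the role, or make it explicit with a preceding `ansible.builtin.setup` with `gather_subset: ['min']` and read `ansible_facts['hostname']`. If `pve_node` is later used to build a path under `/etc/pve/nodes/`, note that the Proxmox node name is normally but not necessarily the short hostname — worth confirming against what `pvecm` reports.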
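Review bot: In the `pve-firewall compile` hunk the new `failed_when: fw_compile_check.rc != 0` references a variable this task does not register — its own result is `register: compiled_fw` — so unless `fw_compile_check` is registered by an earlier task outside this view, the condition will error as undefined (or silently test a stale, unrelated result). The task's own result is available inside `failed_when`, so this should be `failed_when: compiled_fw.rc != 0`. Since the old `failed_when: false` deliberately let a compile error through to the following "Fail if corosync ports are being dropped" check, confirm that failing here does not pre-empt that more specific diagnostic.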
@@ -140,15 +139,33 @@ notify: Reload pve firewall # noqa risky-file-permissions -- name: fail2ban | Extract corosync ring0 address +- name: fail2ban | Extract all corosync ring addresses ansible.builtin.shell: | set -o pipefail - grep ring0_addr /etc/pve/corosync.conf | awk '{print $2}' + awk '/ring[0-9]+_addr/ {print $2}' /etc/pve/corosync.conf args: executable: /bin/bash - register: corosync_ip + register: corosync_ips changed_when: false - when: cluster_status.stat.exists + when: pve_clustered + +- name: fail2ban | Determine CIDR for each corosync IP + ansible.builtin.command: ip route get {{ item }} + register: corosync_routes + changed_when: false + loop: "{{ corosync_ips.stdout_lines }}" + when: pve_clustered + +- name: fail2ban | Extract network CIDRs + ansible.builtin.set_fact: + corosync_networks: >- + {{ + corosync_routes.results + | map(attribute='stdout') + | map('regex_search', 'src ([0-9.]+)/([0-9]+)', '\\1/\\2') + | list + }} + when: pve_clustered - name: fail2ban | Validate Proxmox firewall configuration ansible.builtin.command: pve-firewall compile @@ -200,7 +217,7 @@ bantime.max = {{ f2b_bantime_max }} backend = systemd banaction = proxmox-fw - ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_ip.stdout }}{% endif %} 192.168.2.0/24 + ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_networks | join(' ') }}{% endif %} 192.168.2.0/24 ################################################# # SSH
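Review bot: The regex in the "Extract network CIDRs" task, `src ([0-9.]+)/([0-9]+)`, cannot match `ip route get` output, which prints the source address without a prefix length (`... dev vmbr0 src 10.0.0.1 uid 0`), so every element of `corosync_networks` ends up empty or None and the rendered `ignoreip` loses the cluster peers entirely — the exact hosts this allow-list exists to protect from a ban. The `loop:` on the "Determine CIDR" task is also expanded before its `when:` is evaluated, so on an unclustered node the skipped `corosync_ips` has no `stdout_lines` and the play errors; use `loop: "{{ corosync_ips.stdout_lines | default([]) }}"`. Unless exempting the whole cluster subnet is really intended (it also exempts every other host on that VLAN from fail2ban), the narrower fix is to ignore the ring addresses themselves as the old ring0 logic did: replace the two route tasks with one `ansible.builtin.set_fact` of `corosync_networks: "{{ corosync_ips.stdout_lines | default([]) }}"`, which leaves the template untouched. Note that corosync.conf ring addresses may be hostnames rather than IPs; if they are, `ip route get` rejects them, so the awk extraction should be validated (or the names resolved) before use.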
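Review bot: The new `ignoreip` line joins `corosync_networks` verbatim, so any entry for which the CIDR lookup did not match is rendered literally — `None` with current ansible-core's `regex_search`, an empty token with older releases — producing an `ignoreip` value fail2ban will reject or warn about at reload. At minimum drop falsy entries before joining, `{{ corosync_networks | select | join(' ') }}`, and add a preceding `ansible.builtin.assert` that the list is non-empty when `pve_clustered` is true. The hard-coded `192.168.2.0/24` next to it is an unconditional fail2ban exemption baked into the role; exposing it as a role variable (for example `f2b_ignoreip_extra`) would make the exemption explicit per deployment.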