refactor ♻️: Refactor task to extract and process Corosync ring addresses, determine their CIDRs, and update ignoreip in fail2ban config
This refactoring extracts the logic for processing Corosync ring addresses and determining their CIDRs. It then updates the `ignoreip` setting in the fail2ban configuration accordingly. This change improves modularity and maintainability of the code.
@@ -21,9 +21,8 @@
|
||||
#################################################
|
||||
|
||||
- name: fail2ban | Get Proxmox node name
|
||||
ansible.builtin.command: hostname
|
||||
register: pve_node
|
||||
changed_when: false
|
||||
ansible.builtin.set_fact:
|
||||
pve_node: "{{ ansible_hostname }}"
|
||||
|
||||
- name: fail2ban | Set firewall config path
|
||||
ansible.builtin.set_fact:
|
||||
@@ -89,7 +88,7 @@
|
||||
ansible.builtin.command: pve-firewall compile
|
||||
register: compiled_fw
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
failed_when: fw_compile_check.rc != 0
|
||||
when: cluster_status.stat.exists
|
||||
|
||||
- name: fail2ban | Fail if corosync ports are being dropped
|
||||
@@ -140,15 +139,33 @@
|
||||
notify: Reload pve firewall
|
||||
# noqa risky-file-permissions
|
||||
|
||||
- name: fail2ban | Extract corosync ring0 address
|
||||
- name: fail2ban | Extract all corosync ring addresses
|
||||
ansible.builtin.shell: |
|
||||
set -o pipefail
|
||||
grep ring0_addr /etc/pve/corosync.conf | awk '{print $2}'
|
||||
awk '/ring[0-9]+_addr/ {print $2}' /etc/pve/corosync.conf
|
||||
args:
|
||||
executable: /bin/bash
|
||||
register: corosync_ip
|
||||
register: corosync_ips
|
||||
changed_when: false
|
||||
when: cluster_status.stat.exists
|
||||
when: pve_clustered
|
||||
|
||||
- name: fail2ban | Determine CIDR for each corosync IP
|
||||
ansible.builtin.command: ip route get {{ item }}
|
||||
register: corosync_routes
|
||||
changed_when: false
|
||||
loop: "{{ corosync_ips.stdout_lines }}"
|
||||
when: pve_clustered
|
||||
|
||||
- name: fail2ban | Extract network CIDRs
|
||||
ansible.builtin.set_fact:
|
||||
corosync_networks: >-
|
||||
{{
|
||||
corosync_routes.results
|
||||
| map(attribute='stdout')
|
||||
| map('regex_search', 'src ([0-9.]+)/([0-9]+)', '\\1/\\2')
|
||||
| list
|
||||
}}
|
||||
when: pve_clustered
|
||||
|
||||
- name: fail2ban | Validate Proxmox firewall configuration
|
||||
ansible.builtin.command: pve-firewall compile
|
||||
@@ -200,7 +217,7 @@
|
||||
bantime.max = {{ f2b_bantime_max }}
|
||||
backend = systemd
|
||||
banaction = proxmox-fw
|
||||
ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_ip.stdout }}{% endif %} 192.168.2.0/24
|
||||
ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_networks | join(' ') }}{% endif %} 192.168.2.0/24
|
||||
|
||||
#################################################
|
||||
# SSH
|
||||
|
||||
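Review bot: The regex in `Extract network CIDRs` (`src ([0-9.]+)/([0-9]+)`) cannot match `ip route get` output, which prints the `src` address without a prefix length (e.g. `10.0.0.2 dev vmbr0 src 10.0.0.1 uid 0`), so every element of `corosync_networks` is empty/None and the rendered `ignoreip` line loses the peer exemption the old `corosync_ip.stdout` provided while gaining a bogus token fail2ban will warn about. Either derive the connected subnet from `ip -o route show to match {{ item }} scope link` and take its first field, or drop the CIDR lookup and exempt only the ring addresses themselves with `{{ corosync_ips.stdout_lines | join(' ') }}` — the narrower allowlist, since exempting a whole /24 stops fail2ban from banning every host on that subnet, not just cluster peers. Independently, `loop: "{{ corosync_ips.stdout_lines }}"` is expanded before `when: pve_clustered` is evaluated, so on a non-clustered node where the shell task was skipped the loop fails on the undefined attribute; use `loop: "{{ corosync_ips.stdout_lines | default([]) }}"`. The awk/regex pair also assumes every `ringN_addr` is an IPv4 literal, whereas corosync.conf may carry hostnames or IPv6 addresses, which would fail the `ip route get` call or the IPv4-only regex. In the second hunk, `failed_when: fw_compile_check.rc != 0` references a variable this task does not register (`register: compiled_fw`); unless `fw_compile_check` is defined earlier in the play, the conditional itself errors on evaluation rather than checking the compile result.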