refactor ♻️: Refactor task to extract and process Corosync ring addresses, determine their CIDRs, and update ignoreip in fail2ban config

This refactoring extracts the logic for processing Corosync ring addresses and determining their CIDRs. It then updates the `ignoreip` setting in the fail2ban configuration accordingly. This change improves modularity and maintainability of the code.
This commit is contained in:
2026-02-24 19:18:48 +01:00
parent 79e14e7120
commit 13b3a5066d


@@ -21,9 +21,8 @@
################################################# #################################################
- name: fail2ban | Get Proxmox node name - name: fail2ban | Get Proxmox node name
ansible.builtin.command: hostname ansible.builtin.set_fact:
register: pve_node pve_node: "{{ ansible_hostname }}"
changed_when: false
- name: fail2ban | Set firewall config path - name: fail2ban | Set firewall config path
ansible.builtin.set_fact: ansible.builtin.set_fact:
@@ -89,7 +88,7 @@
ansible.builtin.command: pve-firewall compile ansible.builtin.command: pve-firewall compile
register: compiled_fw register: compiled_fw
changed_when: false changed_when: false
failed_when: false failed_when: fw_compile_check.rc != 0
when: cluster_status.stat.exists when: cluster_status.stat.exists
- name: fail2ban | Fail if corosync ports are being dropped - name: fail2ban | Fail if corosync ports are being dropped
@@ -140,15 +139,33 @@
notify: Reload pve firewall notify: Reload pve firewall
# noqa risky-file-permissions # noqa risky-file-permissions
- name: fail2ban | Extract corosync ring0 address - name: fail2ban | Extract all corosync ring addresses
ansible.builtin.shell: | ansible.builtin.shell: |
set -o pipefail set -o pipefail
grep ring0_addr /etc/pve/corosync.conf | awk '{print $2}' awk '/ring[0-9]+_addr/ {print $2}' /etc/pve/corosync.conf
args: args:
executable: /bin/bash executable: /bin/bash
register: corosync_ip register: corosync_ips
changed_when: false changed_when: false
when: cluster_status.stat.exists when: pve_clustered
- name: fail2ban | Determine CIDR for each corosync IP
ansible.builtin.command: ip route get {{ item }}
register: corosync_routes
changed_when: false
loop: "{{ corosync_ips.stdout_lines }}"
when: pve_clustered
- name: fail2ban | Extract network CIDRs
ansible.builtin.set_fact:
corosync_networks: >-
{{
corosync_routes.results
| map(attribute='stdout')
| map('regex_search', 'src ([0-9.]+)/([0-9]+)', '\\1/\\2')
| list
}}
when: pve_clustered
- name: fail2ban | Validate Proxmox firewall configuration - name: fail2ban | Validate Proxmox firewall configuration
ansible.builtin.command: pve-firewall compile ansible.builtin.command: pve-firewall compile
@@ -200,7 +217,7 @@
bantime.max = {{ f2b_bantime_max }} bantime.max = {{ f2b_bantime_max }}
backend = systemd backend = systemd
banaction = proxmox-fw banaction = proxmox-fw
ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_ip.stdout }}{% endif %} 192.168.2.0/24 ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_networks | join(' ') }}{% endif %} 192.168.2.0/24
################################################# #################################################
# SSH # SSH