diff --git a/roles/fail2ban_exporter/defaults/main.yml b/roles/fail2ban_exporter/defaults/main.yml
index 2126d097..c735caad 100644
--- a/roles/fail2ban_exporter/defaults/main.yml
+++ b/roles/fail2ban_exporter/defaults/main.yml
@@ -1,11 +1,9 @@
 ---
 fail2ban_exporter_version: 0.10.1
-fail2ban_exporter_binary_local_dir: ""
 fail2ban_exporter_binary_url: "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter/-/releases/v{{ fail2ban_exporter_version }}/downloads/\
- fail2ban_exporter_{{ fail2ban_exporter_version }}_linux_{{ go_arch }}.tar.gz"
+ fail2ban_exporter_{{ fail2ban_exporter_version }}_{{ ansible_system | lower }}_{{ _fail2ban_exporter_go_ansible_arch }}.tar.gz"
 fail2ban_exporter_checksums_url: "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter/-/releases/v{{ fail2ban_exporter_version }}/downloads/\
 fail2ban_exporter_{{ fail2ban_exporter_version }}_checksums.txt"
-fail2ban_exporter_skip_install: false
 fail2ban_exporter_web_listen_address: "0.0.0.0:9191"
 fail2ban_exporter_socket: "/var/run/fail2ban/fail2ban.sock"
@@ -13,6 +11,9 @@ fail2ban_exporter_binary_install_dir: "/usr/local/bin"
 fail2ban_exporter_username: ""
 fail2ban_exporter_password: ""
+fail2ban_exporter_system_user: "root"
+fail2ban_exporter_system_group: "{{ fail2ban_exporter_system_user }}"
 # Local path to stash the archive and its extraction
-fail2ban_exporter_archive_path: /tmp
+fail2ban_exporter_local_cache_path: "/tmp/fail2ban_exporter-{{ ansible_system | lower }}-{{ _fail2ban_exporter_go_ansible_arch }}/\
+ {{ fail2ban_exporter_version }}"
diff --git a/roles/fail2ban_exporter/meta/argument_specs.yml b/roles/fail2ban_exporter/meta/argument_specs.yml
index 6f70e2f4..cc840d6d 100644
--- a/roles/fail2ban_exporter/meta/argument_specs.yml
+++ b/roles/fail2ban_exporter/meta/argument_specs.yml
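Review bot: `fail2ban_exporter_local_cache_path` now defaults to a predictable, per-arch/per-version directory under the shared, world-writable `/tmp`, and the comment kept above it no longer says where that directory lives once the download and unpack tasks move into `prometheus.prometheus._common`. If the common role keeps the `delegate_to: localhost` behaviour of the removed install.yml, this is a directory on the Ansible controller that every local user can pre-create or populate before the play runs, and the extracted `fail2ban_exporter` binary left there between runs is outside whatever archive checksum check the common role performs. The `/tmp` default is pre-existing, so the fix here is documentation: `# Path on the Ansible controller where the release archive is cached and unpacked; /tmp is shared, so point this at a private directory on multi-user controllers`. The new `fail2ban_exporter_system_user: "root"` default likewise deserves a one-line comment on why root is the default (presumably access to `fail2ban_exporter_socket`; confirm), since the unit template now honours a non-root value.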
@@ -11,18 +11,9 @@ argument_specs:
 fail2ban_exporter_version:
 description: "fail2ban_exporter package version. Also accepts latest as parameter."
 default: "0.10.1"
- fail2ban_exporter_skip_install:
- description: "fail2ban_exporter installation tasks gets skipped when set to true."
- type: bool
- default: false
- fail2ban_exporter_binary_local_dir:
- description:
- - "Enables the use of local packages instead of those distributed on gitlab."
- - "The parameter may be set to a directory where the C(fail2ban_exporter) binary is stored on the host where ansible is run."
- - "This overrides the I(fail2ban_exporter_version) parameter"
 fail2ban_exporter_binary_url:
 description: "URL of the fail2ban_exporter binaries .tar.gz file"
- default: "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter/-/releases/v{{ fail2ban_exporter_version }}/downloads/fail2ban_exporter_{{ fail2ban_exporter_version }}_linux_{{ go_arch }}.tar.gz"
+ default: "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter/-/releases/v{{ fail2ban_exporter_version }}/downloads/fail2ban_exporter_{{ fail2ban_exporter_version }}_{{ ansible_system | lower }}_{{ _fail2ban_exporter_go_ansible_arch }}.tar.gz"
 fail2ban_exporter_checksums_url:
 description: "URL of the fail2ban_exporter checksums file"
 default: "https://gitlab.com/hectorjsmith/fail2ban-prometheus-exporter/-/releases/v{{ fail2ban_exporter_version }}/downloads/fail2ban_exporter_{{ fail2ban_exporter_version }}_checksums.txt"
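Review bot: `fail2ban_exporter_skip_install` and `fail2ban_exporter_binary_local_dir` are removed from the argument spec with no replacement or deprecation path, and because role argument validation only checks the declared options, an inventory that still sets them keeps passing validation and silently gets the new download-from-gitlab behaviour. A guard in preflight would make the break explicit, e.g. an `ansible.builtin.assert` with `that: fail2ban_exporter_binary_local_dir is not defined and fail2ban_exporter_skip_install is not defined` and a `fail_msg` naming the removed options and what replaces them. If `prometheus.prometheus._common` offers an equivalent local-binary path (not visible in this diff), the `fail2ban_exporter_binary_url` description is the place to point users at it.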
@@ -46,6 +37,16 @@ argument_specs:
 description:
 - "I(Advanced)"
 - "Password to use to protect endpoints with basic auth"
- fail2ban_exporter_archive_path:
+ fail2ban_exporter_local_cache_path:
 description: 'Local path to stash the archive and its extraction'
- default: "/tmp"
+ default: "/tmp/fail2ban_exporter-{{ ansible_system | lower }}-{{ _fail2ban_exporter_go_ansible_arch }}/{{ fail2ban_exporter_version }}"
+ fail2ban_exporter_system_user:
+ description:
+ - "I(Advanced)"
+ - "fail2ban exporter system user"
+ default: root
+ fail2ban_exporter_system_group:
+ description:
+ - "I(Advanced)"
+ - "System group for fail2ban exporter"
+ default: root
diff --git a/roles/fail2ban_exporter/tasks/configure.yml b/roles/fail2ban_exporter/tasks/configure.yml
deleted file mode 100644
index 903b0e9b..00000000
--- a/roles/fail2ban_exporter/tasks/configure.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-- name: Copy the fail2ban_exporter systemd service file
- ansible.builtin.template:
- src: fail2ban_exporter.service.j2
- dest: /etc/systemd/system/fail2ban_exporter.service
- owner: root
- group: root
- mode: 0644
- notify: restart fail2ban_exporter
-
-- name: Allow fail2ban_exporter port in SELinux on RedHat OS family
- community.general.seport:
- ports: "{{ fail2ban_exporter_web_listen_address.split(':')[-1] }}"
- proto: tcp
- setype: http_port_t
- state: present
- when:
- - ansible_version.full is version_compare('2.4', '>=')
- - ansible_selinux.status == "enabled"
diff --git a/roles/fail2ban_exporter/tasks/install.yml b/roles/fail2ban_exporter/tasks/install.yml
deleted file mode 100644
index 0c7f6802..00000000
--- a/roles/fail2ban_exporter/tasks/install.yml
+++ /dev/null
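Review bot: the documented default for `fail2ban_exporter_system_group` is `root`, but defaults/main.yml derives it as `"{{ fail2ban_exporter_system_user }}"`, so the spec and the role disagree for anyone who overrides only the user; change the spec to `default: "{{ fail2ban_exporter_system_user }}"` to match. The two new descriptions should also state what a non-root value implies: the unit template now runs the exporter as this account, so it must exist on the target and be able to reach `fail2ban_exporter_socket` (the fail2ban socket is normally root-owned, which is presumably why root remains the default). Nothing in this diff creates the account; if the `prometheus.prometheus._common` install tasks do, a sentence saying so belongs in the description.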
@@ -1,51 +0,0 @@
----
-- name: Get binary
- when:
- - fail2ban_exporter_binary_local_dir | length == 0
- - not fail2ban_exporter_skip_install
- block:
-
- - name: Download fail2ban_exporter binary to local folder
- become: false
- ansible.builtin.get_url:
- url: "{{ fail2ban_exporter_binary_url }}"
- dest: "{{ fail2ban_exporter_archive_path }}/fail2ban_exporter_{{ fail2ban_exporter_version }}_linux_{{ go_arch }}.tar.gz"
- checksum: "sha256:{{ __fail2ban_exporter_checksum }}"
- mode: '0644'
- register: _download_binary
- until: _download_binary is succeeded
- retries: 5
- delay: 2
- delegate_to: localhost
- check_mode: false
-
- - name: Unpack fail2ban_exporter binary
- become: false
- ansible.builtin.unarchive:
- src: "{{ fail2ban_exporter_archive_path }}/fail2ban_exporter_{{ fail2ban_exporter_version }}_linux_{{ go_arch }}.tar.gz"
- dest: "{{ fail2ban_exporter_archive_path }}"
- creates: "{{ fail2ban_exporter_archive_path }}/fail2ban_exporter"
- delegate_to: localhost
- check_mode: false
-
- - name: Propagate fail2ban_exporter binaries
- ansible.builtin.copy:
- src: "{{ fail2ban_exporter_archive_path }}/fail2ban_exporter"
- dest: "{{ fail2ban_exporter_binary_install_dir }}/fail2ban_exporter"
- mode: 0755
- owner: root
- group: root
- notify: restart fail2ban_exporter
- when: not ansible_check_mode
-
-- name: Propagate locally distributed fail2ban_exporter binary
- ansible.builtin.copy:
- src: "{{ fail2ban_exporter_binary_local_dir }}/fail2ban_exporter"
- dest: "{{ fail2ban_exporter_binary_install_dir }}/fail2ban_exporter"
- mode: 0755
- owner: root
- group: root
- when:
- - fail2ban_exporter_binary_local_dir | length > 0
- - not fail2ban_exporter_skip_install
- notify: restart fail2ban_exporter
diff --git a/roles/fail2ban_exporter/tasks/main.yml b/roles/fail2ban_exporter/tasks/main.yml
index 43660fed..50047a55 100644
--- a/roles/fail2ban_exporter/tasks/main.yml
+++ b/roles/fail2ban_exporter/tasks/main.yml
@@ -2,51 +2,41 @@
 - name: Preflight
 ansible.builtin.include_tasks:
 file: preflight.yml
- apply:
- tags:
- - fail2ban_exporter_install
- - fail2ban_exporter_configure
- - fail2ban_exporter_run
 tags:
 - fail2ban_exporter_install
 - fail2ban_exporter_configure
 - fail2ban_exporter_run
 - name: Install
- ansible.builtin.include_tasks:
- file: install.yml
- apply:
- become: true
- tags:
- - fail2ban_exporter_install
- when:
- ( not __fail2ban_exporter_is_installed.stat.exists ) or
- ( (__fail2ban_exporter_current_version_output.stderr_lines | length > 0)
- and (__fail2ban_exporter_current_version_output.stderr_lines[0] != fail2ban_exporter_version) ) or
- ( (__fail2ban_exporter_current_version_output.stdout_lines | length > 0)
- and (__fail2ban_exporter_current_version_output.stdout_lines[0] != fail2ban_exporter_version) ) or
- ( fail2ban_exporter_binary_local_dir | length > 0 )
+ ansible.builtin.include_role:
+ name: prometheus.prometheus._common
+ tasks_from: install.yml
+ vars:
+ _common_local_cache_path: "{{ fail2ban_exporter_local_cache_path }}"
+ _common_binaries: "{{ _fail2ban_exporter_binaries }}"
+ _common_binary_install_dir: "{{ fail2ban_exporter_binary_install_dir }}"
+ _common_binary_url: "{{ fail2ban_exporter_binary_url }}"
+ _common_checksums_url: "{{ fail2ban_exporter_checksums_url }}"
+ _common_system_group: "{{ fail2ban_exporter_system_group }}"
+ _common_system_user: "{{ fail2ban_exporter_system_user }}"
+ _common_config_dir: "{{ fail2ban_exporter_config_dir }}"
 tags:
 - fail2ban_exporter_install
 - name: SELinux
- ansible.builtin.include_tasks:
- file: selinux.yml
- apply:
- become: true
- tags:
- - fail2ban_exporter_configure
+ ansible.builtin.include_role:
+ name: prometheus.prometheus._common
+ tasks_from: selinux.yml
+ vars:
+ _common_selinux_port: "{{ fail2ban_exporter_web_listen_address | urlsplit('port') }}"
 when: ansible_selinux.status == "enabled"
 tags:
 - fail2ban_exporter_configure
 - name: Configure
- ansible.builtin.include_tasks:
- file: configure.yml
- apply:
- become: true
- tags:
- - fail2ban_exporter_configure
+ ansible.builtin.include_role:
+ name: prometheus.prometheus._common
+ tasks_from: configure.yml
 tags:
 - fail2ban_exporter_configure
diff --git a/roles/fail2ban_exporter/tasks/preflight.yml b/roles/fail2ban_exporter/tasks/preflight.yml
index 714505ea..f98df975 100644
--- a/roles/fail2ban_exporter/tasks/preflight.yml
+++ b/roles/fail2ban_exporter/tasks/preflight.yml
@@ -1,24 +1,8 @@
 ---
-- name: Assert usage of systemd as an init system
- ansible.builtin.assert:
- that: ansible_service_mgr == 'systemd'
- msg: "This role only works with systemd"
-
-- name: Install package fact dependencies
- become: true
- ansible.builtin.package:
- name: "{{ _pkg_fact_req }}"
- state: present
- when: (_pkg_fact_req)
- vars:
- _pkg_fact_req: "{% if (ansible_pkg_mgr == 'apt') %}\
- {{ ('python-apt' if ansible_python_version is version('3', '<') else 'python3-apt') }}
- {% else %}\
- {% endif %}"
-
-- name: Gather package facts
- ansible.builtin.package_facts:
- when: "not 'packages' in ansible_facts"
+- name: Common preflight
+ ansible.builtin.include_role:
+ name: prometheus.prometheus._common
+ tasks_from: preflight.yml
 - name: Assert that used version supports listen address type
 ansible.builtin.assert:
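Review bot: `_common_config_dir: "{{ fail2ban_exporter_config_dir }}"` in the Install include references a variable that nothing in this diff defines — neither defaults/main.yml nor vars/main.yml declares `fail2ban_exporter_config_dir` — so unless it comes from elsewhere in the role, the include fails with an undefined-variable error the first time the common role evaluates `_common_config_dir`; add a default or drop the line if this exporter has no config directory. The three `include_role` calls also lose the `apply: become: true` that the replaced `include_tasks` carried, so unless `prometheus.prometheus._common` escalates internally, installing into `fail2ban_exporter_binary_install_dir` and writing the systemd unit now run as the connecting user. Lastly, `fail2ban_exporter_web_listen_address | urlsplit('port')` is fed a bare `host:port` with no scheme; Python's urlsplit treats such a value as a path and reports no port, so the rendered `_common_selinux_port` may come out empty where the removed configure.yml's `.split(':')[-1]` yielded `9191` — check it against the actual default before relying on it.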
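Review bot: the new `Common preflight` include_role carries no tags, while the corresponding change in tasks/main.yml removes the `apply: tags:` from the Preflight `include_tasks`; tags on a dynamic include do not propagate to the included tasks, so a run limited with `--tags fail2ban_exporter_install` would still enter preflight.yml but skip this include and the untagged listen-address assertion that follows it, even though the tagged `Discover latest version` task further down would run. If that reading holds, either restore `apply: tags:` with the three role tags on the Preflight include in main.yml or tag the tasks in this file the way the version-discovery task now is. The removed systemd and package-facts checks are presumably provided by the common preflight; that is not visible here and worth confirming.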
@@ -36,50 +20,18 @@ list | length == 0
-- name: Check if fail2ban_exporter is installed
- ansible.builtin.stat:
- path: "{{ fail2ban_exporter_binary_install_dir }}/fail2ban_exporter"
- register: __fail2ban_exporter_is_installed
- check_mode: false
- tags:
- - fail2ban_exporter_install
-
-- name: Gather currently installed fail2ban_exporter version (if any)
- ansible.builtin.command: "{{ fail2ban_exporter_binary_install_dir }}/fail2ban_exporter --version"
- changed_when: false
- register: __fail2ban_exporter_current_version_output
- check_mode: false
- when: __fail2ban_exporter_is_installed.stat.exists
- tags:
- - fail2ban_exporter_install
-
 - name: Discover latest version
 ansible.builtin.set_fact:
 fail2ban_exporter_version: "{{ (lookup('url', 'https://gitlab.com/api/v4/projects/{{ _fail2ban_exporter_repo }}/releases',
- split_lines=False) | from_json)[0].get('tag_name') | replace('v', '') }}"
+ split_lines=False) | from_json)[0].get('tag_name') | replace('v', '') }}"
 run_once: true
 until: fail2ban_exporter_version is version('0.0.0', '>=')
 retries: 10
 when:
 - fail2ban_exporter_version == "latest"
- - fail2ban_exporter_binary_local_dir | length == 0
- - not fail2ban_exporter_skip_install
-
-- name: Get fail2ban_exporter binary checksum
- when:
- - fail2ban_exporter_binary_local_dir | length == 0
- - not fail2ban_exporter_skip_install
- block:
- - name: Get checksum list from gitlab
- ansible.builtin.set_fact:
- __fail2ban_exporter_checksums: "{{ lookup('url', fail2ban_exporter_checksums_url, wantlist=True) | list }}"
- run_once: true
- until: __fail2ban_exporter_checksums is search('linux_' + go_arch + '.tar.gz')
- retries: 10
-
- - name: "Get checksum for {{ go_arch }}"
- ansible.builtin.set_fact:
- __fail2ban_exporter_checksum: "{{ item.split(' ')[0] }}"
- with_items: "{{ __fail2ban_exporter_checksums }}"
- when:
- - "item.endswith('fail2ban_exporter_' + fail2ban_exporter_version + '_linux_' + go_arch + '.tar.gz')"
+ tags:
+ - fail2ban_exporter
+ - install
+ - fail2ban_exporter_install
+ - download
+ - fail2ban_exporter_download
diff --git a/roles/fail2ban_exporter/tasks/selinux.yml b/roles/fail2ban_exporter/tasks/selinux.yml
deleted file mode 100644
index 754cbd0a..00000000
--- a/roles/fail2ban_exporter/tasks/selinux.yml
+++ /dev/null
@@ -1,23 +0,0 @@
----
-- name: Install selinux python packages [RedHat]
- ansible.builtin.package:
- name: "{{ ['libselinux-python', 'policycoreutils-python']
- if ansible_python_version is version('3', '<') else
- ['python3-libselinux', 'python3-policycoreutils'] }}"
- state: present
- register: _install_selinux_packages
- until: _install_selinux_packages is success
- retries: 5
- delay: 2
- when: ansible_os_family | lower == "redhat"
-
-- name: Install selinux python packages [clearlinux]
- ansible.builtin.package:
- name: sysadmin-basic
- state: present
- register: _install_selinux_packages
- until: _install_selinux_packages is success
- retries: 5
- delay: 2
- when:
- - ansible_distribution | lower == "clearlinux"
diff --git a/roles/fail2ban_exporter/templates/fail2ban_exporter.service.j2 b/roles/fail2ban_exporter/templates/fail2ban_exporter.service.j2
index 56c22270..3690504f 100644
--- a/roles/fail2ban_exporter/templates/fail2ban_exporter.service.j2
+++ b/roles/fail2ban_exporter/templates/fail2ban_exporter.service.j2
@@ -6,8 +6,8 @@ After=network-online.target
 [Service]
 Type=simple
-User=root
-Group=root
+User={{ fail2ban_exporter_system_user }}
+Group={{ fail2ban_exporter_system_group }}
 ExecStart={{ fail2ban_exporter_binary_install_dir }}/fail2ban_exporter \
 --web.listen-address={{ fail2ban_exporter_web_listen_address }} \
 {% if fail2ban_exporter_username | length > 0 -%}
diff --git a/roles/fail2ban_exporter/vars/main.yml b/roles/fail2ban_exporter/vars/main.yml
index 0807ef1f..f250a48f 100644
--- a/roles/fail2ban_exporter/vars/main.yml
+++ b/roles/fail2ban_exporter/vars/main.yml
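Review bot: the kept `lookup('url', 'https://gitlab.com/api/v4/projects/{{ _fail2ban_exporter_repo }}/releases', ...)` line nests `{{ }}` inside an expression that is already being templated; it only works through Ansible's recursive templating and the pattern is discouraged by linters, so `'https://gitlab.com/api/v4/projects/' ~ _fail2ban_exporter_repo ~ '/releases'` is the cleaner spelling (the commit only re-indents the continuation line beneath it). Since this controller-side lookup resolves `latest` to whatever the GitLab release feed currently reports, and the checksum list comes from the same release, a short comment above the task noting that `latest` trusts the upstream feed rather than a pinned version would help operators choose deliberately. The task's new tags also cover both `install` and `fail2ban_exporter_install`; the untagged `Common preflight` include earlier in this file does not, which is raised separately on that hunk.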
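Review bot: the unit now takes `User=`/`Group=` from `fail2ban_exporter_system_user` and `fail2ban_exporter_system_group`, but nothing in this diff creates that account or grants it access to `fail2ban_exporter_socket`, so a non-root value only works if the `prometheus.prometheus._common` install tasks provision the user (not visible here) and the fail2ban socket permissions allow it; a comment in the template, `{# User must exist and be able to read/write fail2ban_exporter_socket; root is the default for that reason #}`, would save a failed first start. With the service able to run unprivileged, `[Service]` is also a natural place to add `NoNewPrivileges=true`, which is harmless for the root default. The `{% if fail2ban_exporter_username ... %}` block continues past the end of the hunk.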
@@ -1,10 +1,8 @@
 ---
-go_arch_map:
- i386: '386'
- x86_64: 'amd64'
- aarch64: 'arm64'
- armv7l: 'armv7'
- armv6l: 'armv6'
-
-go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+_fail2ban_exporter_go_ansible_arch: "{{ {'i386': '386',
+ 'x86_64': 'amd64',
+ 'aarch64': 'arm64',
+ 'armv7l': 'armv7',
+ 'armv6l': 'armv6'}.get(ansible_architecture, ansible_architecture) }}"
 _fail2ban_exporter_repo: 24199687
+_fail2ban_exporter_binaries: ['fail2ban_exporter']