Feat: use ini_file module

Signed-off-by: Hadrien Patte <hadrien.patte@protonmail.com>

roles/baseconfig/tasks/apt-listchanges.yml

@@ -12,11 +12,20 @@
 
 # Send email when there is something new
 - name: Configure apt-listchanges
-  lineinfile:
+  ini_file:
-    dest: /etc/apt/listchanges.conf
+    path: /etc/apt/listchanges.conf
-    regexp: "^{{ item.key }}="
+    no_extra_spaces: true
-    line: "{{ item.value }}"
+    section: apt
-  with_dict:
+    option: "{{ item.option }}"
-    confirm: 'confirm=true'
+    value: "{{ item.value }}"
-    email_address: "email_address={{ monitoring_mail }}"
+    state: present
-    which: 'which=both'
+  loop:
+    - option: confirm
+      value: "true"
+
+    - option: email_address
+      value: "{{ monitoring_mail }}"
+
+    - option: which
+      value: both
+...

roles/basesecurity/tasks/main.yml

@@ -47,11 +47,33 @@
   until: apt_result is succeeded
 
 - name: Configure fail2ban
-  template:
+  ini_file:
-    src: fail2ban/jail.d/local.conf.j2
+    path: /etc/fail2ban/jail.d/local.conf
-    dest: /etc/fail2ban/jail.d/local.conf
+    section: "{{ item.section }}"
-    mode: 0644
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    state: present
   notify: Restart fail2ban service
+  loop:
+    - section: DEFAULT
+      option: ignoreip
+      value: 10.128.0.254  # Whitelist bastion
+
+    - section: sshd
+      option: enabled
+      value: "true"
+
+    - section: sshd
+      option: bantime
+      value: 600
+
+    - section: sshd
+      option: findtime
+      value: 600
+
+    - section: sshd
+      option: maxretry
+      value: 5
 
 # See altered packages and configurations with `debsums -ca`
 - name: Install debsums

roles/basesecurity/templates/fail2ban/jail.d/local.conf.j2

@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-# Ban a host for 10mn
-# if it has failed 5 times during the last 10mn
-[sshd]
-enabled = true
-bantime  = 600
-findtime  = 600
-maxretry = 5
-
-# Whitelist bastion
-ignoreip = 10.128.0.254