From 450683895e58ff619e300d56dba2134145c9cb68 Mon Sep 17 00:00:00 2001
From: staffadmin
Date: Mon, 15 Apr 2024 01:38:55 +0200
Subject: [PATCH] Add backup bind and prom
---
 backup.yml | 16 ++++++++++++----
 hardening.yml | 28 ++++++++++++++--------------
 host_vars/ovh01.yml | 1 +
 3 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/backup.yml b/backup.yml
index a43bba7..74ff1ec 100644
--- a/backup.yml
+++ b/backup.yml
@@ -29,6 +29,12 @@
 6137356332636431643830666461333862613835336631333037
 tasks:
+
+ # - name: Return all secrets from a path # delegate_to: localhost # ansible.builtin.debug: # msg: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=apps/data/postgres token=prout url=https://hash.jingoh.fr') }}"
+
 - ansible.builtin.git:
 repo: https://{{ user }}:{{ token }}@gitea.jingoh.fr/staffadmin/backup.git
 dest: "{{ playbook_dir }}/backup"
@@ -64,10 +70,12 @@
 - /opt/dockerapps/appdata/grafana/etc/grafana.ini
 #! prometheus
 - /opt/dockerapps/appdata/prometheus/prometheus/prometheus.yml
- - /opt/dockerapps/appdata/prometheus/prometheus/alerts_iowait.yml
- - /opt/dockerapps/appdata/prometheus/prometheus/alerts_memory.yml
- - /opt/dockerapps/appdata/prometheus/prometheus/alerts_space.yml
- - /opt/dockerapps/appdata/prometheus/prometheus/alerts_load.yml
+ - /opt/dockerapps/appdata/prometheus/prometheus/alerts_system.yml
+ - /opt/dockerapps/appdata/prometheus/prometheus/alerts_network.yml
+ - /opt/dockerapps/appdata/prometheus/prometheus/alerts_exporter.yml
+ #! bind
+ - /opt/dockerapps/appdata/bind/config/named.conf
+ - /opt/dockerapps/appdata/bind/records/example.com.zone
 - name: Push backup to git
 ansible.builtin.shell: |
diff --git a/hardening.yml b/hardening.yml
index 970a793..43ed2c2 100644
--- a/hardening.yml
+++ b/hardening.yml
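Review bot: The commented-out debug task in the first hunk embeds a literal Vault token (`token=prout`) together with the Vault URL, so even as a comment it places a credential-shaped value under version control, in a playbook whose git task a few lines below already interpolates `{{ user }}:{{ token }}` into the clone URL. If `prout` is a placeholder, say so in the comment; if the task is ever uncommented, `ansible.builtin.debug` will print the whole secret payload into the play output and any CI log. Drop the `token=` argument and let the lookup take it from the `VAULT_TOKEN` environment variable (community.hashi_vault falls back to it), and give the task `no_log: true`. Three of the added comment lines show no `+` marker in this rendering, so confirm they all belong to the new side.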
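Review bot: `example.com.zone` in the new bind entry of the second hunk reads like a placeholder (example.com is the reserved documentation domain), so unless that really is the zone file name the backup will silently omit the live zone data; the list this extends starts above the hunk, so I cannot see whether a missing path fails the task or is skipped. If the task that consumes this list accepts directories, `- /opt/dockerapps/appdata/bind/records` would cover every zone without enumerating them here. Also check whether `named.conf` pulls in further files under `config/` via `include` (options, key files) that would need listing too — and if any of those hold rndc/TSIG key material, be aware it now lands in the git-pushed backup.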
@@ -81,19 +81,19 @@
 #||-----> GPG error: https://pkgs.netbird.io/debian stable InRelease: The following signatures couldn't be verified because the public key is not available
 roles:
- - robertdebock.update
- - devsec.hardening.os_hardening
- - devsec.hardening.ssh_hardening
- - maxlareo.rkhunter
- - maxlareo.chkrootkit
- - robertdebock.auditd
- - geerlingguy.firewall
- - grog.management-user
- - GROG.user
- - GROG.authorized-key
- - GROG.sudo
- - ansible_unattended_upgrades
- - buluma.lynis
+ # - robertdebock.update
+ # - devsec.hardening.os_hardening
+ # - devsec.hardening.ssh_hardening
+ # - maxlareo.rkhunter
+ # - maxlareo.chkrootkit
+ # - robertdebock.auditd
+ - { role: geerlingguy.firewall, tags: firewall }
+ # - grog.management-user
+ # - GROG.user
+ # - GROG.authorized-key
+ # - GROG.sudo
+ # - ansible_unattended_upgrades
+ # - buluma.lynis
 # roles:
 # - role: netways.elasticstack.elasticsearch
@@ -122,7 +122,7 @@
 line: '#!Enable-HMAC-ETM'
 - name: Reload service httpd, in all cases
- ansible.builtin.systemd_service:
+ ansible.builtin.service:
 name: sshd.service
 state: reloaded
diff --git a/host_vars/ovh01.yml b/host_vars/ovh01.yml
index 8c24397..1b65aa4 100644
--- a/host_vars/ovh01.yml
+++ b/host_vars/ovh01.yml
@@ -34,6 +34,7 @@ firewall_allowed_tcp_ports:
 - "9100"
 - "9090"
 - "3000"
+ - "9323" #* NETBIRD
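Review bot: The first hunk comments out every hardening role except the firewall — os_hardening, ssh_hardening, rkhunter, chkrootkit, auditd, unattended upgrades, lynis and the user/sudo roles — which the commit message "Add backup bind and prom" does not mention and which leaves the host's hardening baseline unmanaged on the next run. If this is a workaround for the apt GPG error recorded in the context line above, scope the run instead of disabling the roles: the hunk already adds `tags: firewall` to the firewall entry, so tagging the others the same way (`- { role: devsec.hardening.ssh_hardening, tags: hardening }`) and running with `--tags firewall` gives the same effect without editing the play. At minimum put the reason and the intent to restore in a comment on the `roles:` line and in the commit message, so the disabled state is not mistaken for the intended one.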
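Review bot: In the second hunk the task name `Reload service httpd, in all cases` does not match what the task does (`name: sshd.service`); rename it to `Reload sshd, in all cases` so play output and `--list-tasks` are not misleading. Swapping `ansible.builtin.systemd_service` for `ansible.builtin.service` keeps `state: reloaded` working on a systemd host, but `service` defers to whatever service manager it detects, and the `.service` suffix in the unit name presumably only makes sense under systemd — if the targets are always systemd the original module was the more precise choice, so the motivation for the change is worth a comment. The "in all cases" wording also suggests this should be a handler notified by the preceding sshd_config edits rather than an unconditional reload; that task starts outside the hunk.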