---
- name: restart fail2ban
  systemd:
    name: fail2ban
    state: restarted
    enabled: yes

# Re-baselining is operator-driven, not automatic — see runbooks/aide.md.
# This handler drops a marker the next aide-check surfaces in the journal
# so the operator knows the config drifted and the DB is stale.
- name: rebuild aide database
  copy:
    dest: /var/lib/aide/.config-changed
    content: |
      AIDE config was modified by Ansible at {{ ansible_date_time.iso8601 }}.
      Operator must re-baseline before the next check produces meaningful
      diffs:
        sudo aideinit -y -f && \
        sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz && \
        sudo rm /var/lib/aide/.config-changed
      See docs/internal/runbooks/aide.md.
    mode: "0644"