From 07a14a5fbe07651d5816a6553afddb9269f1d37d Mon Sep 17 00:00:00 2001
From: Dawa Ometto
Date: Mon, 6 Jan 2025 10:14:27 +0100
Subject: [PATCH] playbook robot-server: restrict permissions on storage and activate fail2ban
---
 playbooks/robot-server.yml | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/playbooks/robot-server.yml b/playbooks/robot-server.yml
index ab9a6e5e..33bfa099 100644
--- a/playbooks/robot-server.yml
+++ b/playbooks/robot-server.yml
@@ -1,9 +1,26 @@
 ---
 - name: Prepare a robot server
 hosts: localhost
- gather_facts: true
+ gather_facts: false
 roles:
 - role: robotuser
 vars:
 robotuser_generate_ssh_key: true
+ - role: fact_workspace_info
+
+ tasks:
+
+ - name: Restrict permissions on data volumes
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: "0750"
+ with_items: "{{ fact_workspace_storage }}"
+
+ - name: Ensure fail2ban is active
+ ansible.builtin.service:
+ name: fail2ban
+ state: started
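Review bot: The `Ensure fail2ban is active` task sets only `state: started`, so fail2ban runs after this play but nothing here brings it back after a reboot; add `enabled: true` under `ansible.builtin.service`. The task also assumes the fail2ban package and its jail configuration are already on the host, which this playbook does not show, so a preceding install task or a comment naming where that happens would help. In `Restrict permissions on data volumes`, `state: directory` creates any path in `fact_workspace_storage` that does not yet exist, so a volume that is not mounted at run time would presumably become a root-owned directory on the root filesystem rather than fail. Both tasks need root and the play sets no `become`, so it would be worth a comment stating that the playbook is expected to run as root.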