Systemd python bindings

I believe that currently the only way to get the systemd python bindings installed on Clear Linux is to bundle-add ansible. Could you just add this to the base distro or add a separate bundle for it?

Adding it to the base (os-core) would make every ClearLinux OS system install python whether they needed it or not, so that is not an option.

So, this should be a separate bundle. May I ask what this is actually needed for?

One package that uses it is fail2ban. But any python application that wants access to the systemd libraries needs it. By the way, it would be nice to also have a bundle for fail2ban (GitHub - fail2ban/fail2ban: Daemon to ban hosts that cause multiple authentication errors).

ClearLinux ships by default with tallow - a light-weight alternative to fail2ban that doesn’t require python. It’s extensible and uses the journal API without the need for python bindings. Try and see if that fits your needs, since you already have it installed and running on your system.

Can tallow be configured to monitor logs from services other than sshd? That’s what fail2ban offers that tallow appears to be missing.

tallow follows the journal. Everything that logs to the journal can therefore be monitored.

We have added configurations for sshd because that’s the obvious use case. But we also add one for dovecot here: tallow/dovecot.json at 3ffb46e8e7abfdc6032cb7ff7ddc26eb5a1f7a48 · clearlinux/tallow · GitHub

I’ve actually made an nginx tallow rule for my personal stuff at some point. These can be added to servers at runtime (they’re JSON formatted). The docs aren’t up to date to reflect this feature yet, since it’s relatively (few months) new.

If you have any good ideas about new rulesets, please propose them or post them to the GitHub project - GitHub - clearlinux/tallow: Block hosts that attempt to bruteforce SSH using the journald API.

@puneetse was so kind to write out this man page explaining the pattern format: