first commit

tasks/configure.yml

@@ -0,0 +1,81 @@
+---
+
+- name: prepare systemd override
+  block:
+    - name: create fail2ban.service.d directory
+      file:
+        path: /etc/systemd/system/fail2ban.service.d
+        state: directory
+        mode: '0755'
+
+    - name: create fail2ban.service override
+      template:
+        src: systemd-override.j2
+        dest: /etc/systemd/system/fail2ban.service.d/override.conf
+      notify:
+        - reload fail2ban unit
+        - fail2ban restart
+  when: fail2ban_dummy_logs
+
+- name: create jail.local
+  template:
+    src: jail.j2
+    dest: /etc/fail2ban/jail.local
+    mode: 0644
+  notify: fail2ban restart
+
+- name: create iptables-multiport-fw.conf
+  template:
+    src: action_iptables-multiport-fw.j2
+    dest: /etc/fail2ban/action.d/iptables-multiport-fw.conf
+    mode: 0644
+  notify: fail2ban restart
+
+- name: deploy custom filters
+  template:
+    src: custom-filter.j2
+    dest: "/etc/fail2ban/filter.d/{{ item.name }}.conf"
+  with_items: "{{ fail2ban_filters }}"
+  when: fail2ban_filters is defined
+  notify: fail2ban restart
+
+- name: adjust blocktype in iptables conf
+  replace:
+    path: "{{ '/etc/fail2ban/action.d/iptables-ipset.conf' if ansible_distribution_release == 'noble' else '/etc/fail2ban/action.d/iptables-common.conf' }}"
+    regexp: '^blocktype =.+'
+    replace: "blocktype = {{ fail2ban_blocktype }}"
+  notify: fail2ban restart
+  when: not ansible_check_mode
+
+- name: create scripts directory
+  file:
+    dest: /usr/local/etc/scripts
+    state: directory
+  when: fail2ban_enable_ignorecommand
+
+- name: create custom.fail2ban-check-ip.conf
+  template:
+    src: check-ip_conf.j2
+    dest: /usr/local/etc/scripts/custom.fail2ban-check-ip.conf
+    mode: 0644
+  when: fail2ban_enable_ignorecommand and not ansible_check_mode
+
+- name: create custom.fail2ban-check-ip
+  template:
+    src: fail2ban-check-ip.j2
+    dest: /usr/local/sbin/custom.fail2ban-check-ip
+    mode: 0744
+  when: fail2ban_enable_ignorecommand
+
+- name: adjust ignoreregex in recidive filter
+  lineinfile:
+    path: /etc/fail2ban/filter.d/recidive.conf
+    regexp: '^ignoreregex'
+    line: "ignoreregex = .*\\[({{ fail2ban_recidive_ignore_jails | join('|') }})\\].*"
+  when: not ansible_check_mode and fail2ban_recidive_ignore_jails | length > 0
+
+- name: ensure fail2ban service is enabled and started
+  service:
+    name: fail2ban
+    enabled: true
+    state: started

tasks/install.yml

@@ -0,0 +1,9 @@
+---
+- name: install fail2ban
+  apt:
+    name: fail2ban
+    update_cache: true
+
+- name: gather installed packages
+  package_facts:
+    manager: apt

tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include_tasks: prepare.yml
+
+- include_tasks: install.yml
+  when: fail2ban_setup == "full"
+
+- include_tasks: configure.yml

tasks/prepare.yml

@@ -0,0 +1,45 @@
+---
+
+- name: create test dirs
+  file:
+    path: "{{ item }}"
+    state: directory
+  when: fail2ban_role_test_mode is defined
+  with_items:
+    - /var/log/nginx
+
+- name: create test log files
+  template:
+    src: testfile.j2
+    dest: "{{ item }}"
+  when: fail2ban_role_test_mode is defined
+  with_items:
+    - /var/log/nginx/test-error.log
+    - /tmp/web-prod.log
+    - /tmp/backend-prod.log
+
+- name: ensure syslog group is present
+  group:
+    name: syslog
+    system: true
+    state: present
+
+- name: ensure syslog user is present
+  user:
+    name: syslog
+    group: syslog
+    groups: adm
+    home: "{{ '/nonexistent' if ansible_distribution_release == 'noble' else '/home/syslog' }}"
+    create_home: no
+    shell: "{{ '/usr/sbin/nologin' if ansible_distribution_release == 'bionic' else '/bin/false' }}"
+    system: true
+    state: present
+
+- name: prepare auth.log
+  copy:
+    content: ""
+    dest: /var/log/auth.log
+    force: false
+    group: adm
+    owner: syslog
+    mode: 0640