---
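- name: prepare systemd override
  # Both sub-tasks are gated by the block-level `when` below, so nothing in
  # /etc/systemd/system/fail2ban.service.d is touched unless
  # fail2ban_dummy_logs is truthy. The drop-in itself is rendered from
  # systemd-override.j2, which is not visible in this file.
  block:
    - name: create fail2ban.service.d directory
      file:
        path: /etc/systemd/system/fail2ban.service.d
        state: directory
        mode: '0755'

    - name: create fail2ban.service override
      template:
        src: systemd-override.j2
        dest: /etc/systemd/system/fail2ban.service.d/override.conf
        # Explicit, quoted mode: without it the file inherits whatever umask
        # the remote session has, and an unquoted 0644 is an octal integer to
        # YAML 1.1 parsers rather than a string.
        mode: '0644'
      # A changed drop-in needs both a daemon-reload and a daemon restart to
      # take effect; both handlers are defined outside this file.
      notify:
        - reload fail2ban unit
        - fail2ban restart
  when: fail2ban_dummy_logs
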
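- name: create jail.local
  # jail.local is fail2ban's supported override for jail.conf, so a package
  # upgrade does not clobber it. Rendered from jail.j2 (not visible here).
  template:
    src: jail.j2
    dest: /etc/fail2ban/jail.local
    # Quoted so YAML treats the mode as the string '0644' rather than the
    # octal integer 0644 (consistent with the '0755' used for the
    # systemd drop-in directory).
    mode: '0644'
  notify: fail2ban restart
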
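- name: create iptables-multiport-fw.conf
  # Ships a custom action definition under action.d; the action body lives in
  # action_iptables-multiport-fw.j2 and is not visible here. Using a new
  # file name (rather than editing a packaged action) keeps it upgrade-safe.
  template:
    src: action_iptables-multiport-fw.j2
    dest: /etc/fail2ban/action.d/iptables-multiport-fw.conf
    # Quoted: an unquoted 0644 is an octal integer to YAML 1.1 parsers.
    mode: '0644'
  notify: fail2ban restart
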
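- name: deploy custom filters
  # Renders one filter.d/<name>.conf per entry of fail2ban_filters from
  # custom-filter.j2. Each entry must carry at least `name`, which forms the
  # destination path. Assumes fail2ban_filters is a flat list of dicts
  # (`loop` does not flatten nested lists the way with_items did) — TODO
  # confirm against the role defaults.
  template:
    src: custom-filter.j2
    dest: "/etc/fail2ban/filter.d/{{ item.name }}.conf"
    # Explicit mode so the filter does not depend on the remote umask.
    mode: '0644'
  # `loop` is evaluated before the per-item `when`, so an undefined
  # fail2ban_filters would fail the task instead of skipping it; default([])
  # turns that into zero iterations. The `when` is kept so the task is
  # reported as skipped rather than run over an empty list.
  loop: "{{ fail2ban_filters | default([]) }}"
  loop_control:
    # Keep the filter body (regexes) out of the per-item output line.
    label: "{{ item.name }}"
  when: fail2ban_filters is defined
  notify: fail2ban restart
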
- name: adjust blocktype in iptables conf
  # Rewrites the `blocktype = ...` line of the packaged iptables action
  # config in place with fail2ban_blocktype.
  # NOTE(review): this edits a file owned by the fail2ban package, so a
  # package upgrade can silently undo it; fail2ban reads a sibling `.local`
  # file next to every `.conf`, which is the upgrade-safe place for such an
  # override. The release-name test pins the iptables-ipset.conf location to
  # Ubuntu noble only — every other release, including newer ones, falls
  # through to iptables-common.conf; confirm the correct file per release.
  vars:
    fail2ban_blocktype_conf: >-
      {{ '/etc/fail2ban/action.d/iptables-ipset.conf'
         if ansible_distribution_release == 'noble'
         else '/etc/fail2ban/action.d/iptables-common.conf' }}
  replace:
    path: "{{ fail2ban_blocktype_conf }}"
    regexp: '^blocktype =.+'
    replace: "blocktype = {{ fail2ban_blocktype }}"
  notify: fail2ban restart
  # Skipped in check mode — presumably because the packaged file does not
  # exist until fail2ban has actually been installed; confirm against the
  # install tasks.
  when: not ansible_check_mode

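- name: create scripts directory
  # Holds the config consumed by the custom.fail2ban-check-ip script below.
  # Only needed when the ignorecommand integration is switched on.
  file:
    # `path` rather than the `dest` alias, matching the other file task in
    # this file.
    path: /usr/local/etc/scripts
    state: directory
    # Explicit mode so the directory does not depend on the remote umask;
    # the script (run by fail2ban) only needs to read from it.
    mode: '0755'
  when: fail2ban_enable_ignorecommand
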
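- name: create custom.fail2ban-check-ip.conf
  # Config file read by custom.fail2ban-check-ip; rendered from
  # check-ip_conf.j2, which is not visible here.
  template:
    src: check-ip_conf.j2
    dest: /usr/local/etc/scripts/custom.fail2ban-check-ip.conf
    # Quoted: an unquoted 0644 is an octal integer to YAML 1.1 parsers.
    # NOTE(review): 0644 is world-readable. If the template carries any
    # credential (e.g. for an external IP lookup), tighten this to '0600' —
    # the script runs as root under fail2ban, so it does not need wider access.
    mode: '0644'
  # The check-mode guard presumably exists because the parent directory is
  # created by the previous task and will not exist in a dry run — confirm.
  when: fail2ban_enable_ignorecommand and not ansible_check_mode
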
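- name: create custom.fail2ban-check-ip
  # Installs the helper script rendered from fail2ban-check-ip.j2 (not
  # visible here). The variable name suggests it backs fail2ban's
  # `ignorecommand`, which the daemon executes for every candidate ban —
  # anything it reads or calls is on the ban-decision path; confirm against
  # the template.
  template:
    src: fail2ban-check-ip.j2
    dest: /usr/local/sbin/custom.fail2ban-check-ip
    # Quoted: an unquoted 0744 is an octal integer to YAML 1.1 parsers.
    # 0744 = owner-executable only; fail2ban runs as root, so that suffices.
    mode: '0744'
  when: fail2ban_enable_ignorecommand
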
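- name: adjust ignoreregex in recidive filter
  # Makes the recidive jail ignore bans issued by the listed jails by
  # rewriting the filter's `ignoreregex` line to `.*\[(jailA|jailB)\].*`.
  # NOTE(review): this edits the packaged recidive.conf in place; a package
  # upgrade can revert it. fail2ban honours a sibling recidive.local
  # ([Definition] section) which would be the upgrade-safe home for this.
  lineinfile:
    path: /etc/fail2ban/filter.d/recidive.conf
    regexp: '^ignoreregex'
    # regex_escape: jail names are spliced into a Python regex, so a name
    # containing `.`, `+`, etc. would otherwise widen what gets ignored.
    line: "ignoreregex = .*\\[({{ fail2ban_recidive_ignore_jails | map('regex_escape') | join('|') }})\\].*"
  # Every other config-changing task in this file restarts fail2ban; without
  # this the new ignoreregex is not loaded until the next unrelated restart.
  notify: fail2ban restart
  # default([]) keeps an undefined list from erroring the task (it is then
  # skipped). The check-mode guard presumably exists because recidive.conf
  # is not present until the package is installed — confirm.
  when: not ansible_check_mode and (fail2ban_recidive_ignore_jails | default([]) | length) > 0
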
- name: ensure fail2ban service is enabled and started
  # Unconditional: fail2ban is brought up even when every optional task above
  # was skipped. Handlers notified by the config tasks run at the end of the
  # play, after this, and restart the daemon if anything changed.
  service:
    name: fail2ban
    state: started
    enabled: true