roles/common: Wire up fail2ban

The nftables support works easily and creates the table, chains, and sets on demand.
2021-07-26 22:07:31 +03:00 · 2021-07-26 22:07:31 +03:00 · 14814aa5d9
parent 3b053167b1
commit 14814aa5d9
2 changed files with 7 additions and 2 deletions
--- a/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
@ -2,8 +2,13 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter    = sshd
+{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=') %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
 # Integrate with firewalld and ipsets
 banaction = firewallcmd-ipset
+{% endif %}
 backend   = systemd
 maxretry  = {{ fail2ban_maxretry }}
 findtime  = {{ fail2ban_findtime }}
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@ -2,14 +2,14 @@
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log