roles/common: rework fail2ban again

Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.

roles/common/handlers/main.yml

@@ -25,4 +25,3 @@
   ansible.builtin.systemd:
     name: fail2ban
     state: restarted
-  when: webserver is defined and webserver == 'nginx'

roles/common/tasks/fail2ban.yml

@@ -2,7 +2,6 @@
 - name: Install fail2ban
   when:
     - ansible_distribution_major_version is version('11', '>=')
-    - webserver is defined and webserver == 'nginx'
   ansible.builtin.package:
     name:
       - fail2ban
@@ -20,6 +19,7 @@
 
 - name: Configure fail2ban nginx filter
   when:
+    - webserver is defined and webserver == 'nginx'
     - extra_fail2ban_filters is defined
     - "'nginx' in extra_fail2ban_filters"
   ansible.builtin.template:

roles/common/tasks/firewall_Debian.yml

@@ -107,12 +107,9 @@
         state: started
         enabled: true
 
-    # We only install fail2ban on systems running nginx. If the host is running
-    # Caddy then there are no logs for us to monitor.
     - ansible.builtin.include_tasks: fail2ban.yml
       when:
         - ansible_distribution_major_version is version('9', '>=')
-        - webserver is defined and webserver == 'nginx'
   tags: firewall
 
 # vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -106,12 +106,9 @@
         state: started
         enabled: true
 
-    # We only install fail2ban on systems running nginx. If the host is running
-    # Caddy then there are no logs for us to monitor.
     - ansible.builtin.include_tasks: fail2ban.yml
       when:
         - ansible_distribution_version is version('16.04', '>=')
-        - webserver is defined and webserver == 'nginx'
   tags: firewall
 
 # vim: set sw=2 ts=2: