From 7a9a24ef5d93cd014300d08ce1035f626ddd9b8e Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Wed, 23 Aug 2023 22:14:16 +0300
Subject: [PATCH] roles/common: rework fail2ban again

Actually, we do want to run fail2ban on all hosts because the sshd monitoring via systemd is nice. At the very least it reduces spam from failed logins in our systemd journal.
---
 roles/common/handlers/main.yml | 1 -
 roles/common/tasks/fail2ban.yml | 2 +-
 roles/common/tasks/firewall_Debian.yml | 3 ---
 roles/common/tasks/firewall_Ubuntu.yml | 3 ---
 4 files changed, 1 insertion(+), 8 deletions(-)

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 25034bc..4d8d07e 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -25,4 +25,3 @@
 ansible.builtin.systemd:
 name: fail2ban
 state: restarted
- when: webserver is defined and webserver == 'nginx'
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 9d47270..580b0a7 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -2,7 +2,6 @@
 - name: Install fail2ban
 when:
 - ansible_distribution_major_version is version('11', '>=')
- - webserver is defined and webserver == 'nginx'
 ansible.builtin.package:
 name:
 - fail2ban
@@ -20,6 +19,7 @@ - name: Configure fail2ban nginx filter when: + - webserver is defined and webserver == 'nginx' - extra_fail2ban_filters is defined - "'nginx' in extra_fail2ban_filters" ansible.builtin.template:
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 4a436d2..594497c 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
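Review bot: The Install task's remaining guard, `ansible_distribution_major_version is version('11', '>=')`, no longer lines up with the include guard in the firewall_Debian.yml hunk, which still pulls in fail2ban.yml for Debian 9 and newer, so on a Debian 9 or 10 host the package install is skipped while the rest of fail2ban.yml still runs, and the fail2ban restart handler in handlers/main.yml now has no condition to stop it from firing on such a host if one of those later tasks notifies it. Either raise the include guard in firewall_Debian.yml to `- ansible_distribution_major_version is version('11', '>=')`, or gate the remaining tasks in fail2ban.yml on the same condition as the install. The Ubuntu include is not affected, since Ubuntu major versions from 16 onwards satisfy the 11 check. The tasks between this hunk and the nginx-filter hunk are outside the diff, so whether they notify the handler is inferred rather than seen.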
@@ -107,12 +107,9 @@ state: started enabled: true - # We only install fail2ban on systems running nginx. If the host is running - # Caddy then there are no logs for us to monitor. - ansible.builtin.include_tasks: fail2ban.yml when: - ansible_distribution_major_version is version('9', '>=') - - webserver is defined and webserver == 'nginx' tags: firewall # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index aa7f5bb..4895e65 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -106,12 +106,9 @@ state: started enabled: true - # We only install fail2ban on systems running nginx. If the host is running - # Caddy then there are no logs for us to monitor. - ansible.builtin.include_tasks: fail2ban.yml when: - ansible_distribution_version is version('16.04', '>=') - - webserver is defined and webserver == 'nginx' tags: firewall # vim: set sw=2 ts=2:
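Review bot: The comment that explained why fail2ban was limited to nginx hosts is deleted, but the new reasoning (an sshd jail fed from the systemd journal is worth having on every host) exists only in the commit message, so the next reader of the include sees an unconditional include with no rationale. A two-line comment above the include would keep that intent in the file: `# fail2ban runs on every host: the sshd jail reads the systemd journal, so it is` / `# useful even where there are no nginx logs to watch.` The same applies to the firewall_Ubuntu.yml hunk below, which drops the identical comment. Whether the sshd jail is actually enabled in the shipped fail2ban configuration is not visible in this diff, so the comment should only claim what that configuration does.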