roles/common: rework fail2ban again
Actually, we do want to run fail2ban on all hosts because the sshd monitoring via systemd is nice. At the very least it reduces spam from failed logins in our systemd journal.
parent
067adcd9f5
commit
7a9a24ef5d
@ -25,4 +25,3 @@
|
||||
ansible.builtin.systemd:
|
||||
name: fail2ban
|
||||
state: restarted
|
||||
when: webserver is defined and webserver == 'nginx'
|
||||
|
@ -2,7 +2,6 @@
|
||||
- name: Install fail2ban
|
||||
when:
|
||||
- ansible_distribution_major_version is version('11', '>=')
|
||||
- webserver is defined and webserver == 'nginx'
|
||||
ansible.builtin.package:
|
||||
name:
|
||||
- fail2ban
|
||||
@ -20,6 +19,7 @@
|
||||
|
||||
- name: Configure fail2ban nginx filter
|
||||
when:
|
||||
- webserver is defined and webserver == 'nginx'
|
||||
- extra_fail2ban_filters is defined
|
||||
- "'nginx' in extra_fail2ban_filters"
|
||||
ansible.builtin.template:
|
||||
|
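Review bot: Only the filter template in the second hunk carries the `webserver == 'nginx'` gate; any task that enables an nginx jail needs the same condition now that fail2ban is installed on every host. fail2ban normally aborts startup when an enabled jail's log path matches no file, so an nginx jail rendered on a host without nginx would also take the sshd jail down. The jail task is not visible in these hunks, so this needs checking against the rest of the file. As a smaller point, the two `extra_fail2ban_filters` tests could collapse into one: `- "'nginx' in (extra_fail2ban_filters | default([]))"`.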
@ -107,12 +107,9 @@
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
# We only install fail2ban on systems running nginx. If the host is running
|
||||
# Caddy then there are no logs for us to monitor.
|
||||
- ansible.builtin.include_tasks: fail2ban.yml
|
||||
when:
|
||||
- ansible_distribution_major_version is version('9', '>=')
|
||||
- webserver is defined and webserver == 'nginx'
|
||||
tags: firewall
|
||||
|
||||
# vim: set sw=2 ts=2:
|
||||
|
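Review bot: The include here is gated on `version('9', '>=')`, while the `Install fail2ban` task shown earlier (presumably in fail2ban.yml) is gated on `version('11', '>=')`, so hosts on major version 9 or 10 include the file but skip the package install. With the nginx condition apparently removed, this now affects every such host rather than only nginx ones. Whether the later tasks in that file cope with the package being absent is not visible here. If 11 is the real minimum, putting `- ansible_distribution_major_version is version('11', '>=')` on the include would make the skip explicit.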
@ -106,12 +106,9 @@
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
# We only install fail2ban on systems running nginx. If the host is running
|
||||
# Caddy then there are no logs for us to monitor.
|
||||
- ansible.builtin.include_tasks: fail2ban.yml
|
||||
when:
|
||||
- ansible_distribution_version is version('16.04', '>=')
|
||||
- webserver is defined and webserver == 'nginx'
|
||||
tags: firewall
|
||||
|
||||
# vim: set sw=2 ts=2:
|
||||
|
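Review bot: The two-line comment above the include appears to be dropped, here and in the previous file section, with nothing replacing it, so the file no longer says why fail2ban runs on every host. A short comment carrying the commit message's reasoning would help, for example `# Run fail2ban on all hosts: sshd is monitored via the systemd journal, so no web server logs are needed.` The +/- markers are lost on this page, so which lines were removed is inferred from the hunk counts and the commit description.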