Alan Orth
067adcd9f5
We can only run fail2ban when we have logs to monitor. When a host is running Caddy we don't have logs, so fail2ban doesn't have anything to monitor out of the box. For now I will restrict the task to hosts running nginx.
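---
# fail2ban tasks.
#
# Every task below sits under one block-level `when` so that the jail
# templates, the systemd drop-in and the service start only run on hosts
# where the package install task itself is allowed to run. Previously only
# the install task carried the condition: on a host where it was skipped
# (no fail2ban package present), the template tasks would fail on the
# missing /etc/fail2ban/jail.d directory and the systemd task on the
# missing unit.
#
# NOTE(review): if this task file is already included from the role's main
# task list under the same condition, the block-level `when` is redundant
# but harmless.

- name: Install and configure fail2ban
  # Same condition the install task used on its own: distribution major
  # version 11 or newer, and the host explicitly marked as running nginx.
  when:
    - ansible_distribution_major_version is version('11', '>=')
    - webserver is defined and webserver == 'nginx'
  block:
    - name: Install fail2ban
      ansible.builtin.package:
        name:
          - fail2ban
          # journal backend used by the sshd jail — TODO confirm the
          # template sets backend=systemd
          - python3-systemd
        state: present
        # cache_valid_time is an apt option; ansible.builtin.package passes
        # unknown arguments through to the underlying package module, so
        # this presumably targets Debian-family hosts only — verify that no
        # non-apt host matches the version check above.
        cache_valid_time: 3600

    - name: Configure fail2ban sshd filter
      ansible.builtin.template:
        src: etc/fail2ban/jail.d/sshd.local.j2
        dest: /etc/fail2ban/jail.d/sshd.local
        owner: root
        mode: "0644"
      notify: restart fail2ban

    - name: Configure fail2ban nginx filter
      # Only on hosts that opted into the nginx jail via extra_fail2ban_filters.
      when:
        - extra_fail2ban_filters is defined
        - "'nginx' in extra_fail2ban_filters"
      ansible.builtin.template:
        src: etc/fail2ban/jail.d/nginx.local.j2
        dest: /etc/fail2ban/jail.d/nginx.local
        owner: root
        mode: "0644"
      notify: restart fail2ban

    - name: Create fail2ban service override directory
      ansible.builtin.file:
        path: /etc/systemd/system/fail2ban.service.d
        state: directory
        owner: root
        mode: "0755"

    # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
    - name: Configure fail2ban service override
      ansible.builtin.template:
        src: etc/systemd/system/fail2ban.service.d/override.conf.j2
        dest: /etc/systemd/system/fail2ban.service.d/override.conf
        owner: root
        mode: "0644"
      # The unit drop-in needs a daemon-reload before the restart picks it up.
      notify:
        - reload systemd
        - restart fail2ban

    - name: Start and enable fail2ban service
      ansible.builtin.systemd:
        name: fail2ban
        state: started
        enabled: true

# vim: set sw=2 ts=2: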