ansible-personal/roles/common/tasks/fail2ban.yml

---
- name: Install fail2ban
  when:
    - ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.package:
    name:
      - fail2ban
      - python3-systemd
    state: present
    cache_valid_time: 3600

- name: Configure fail2ban sshd filter
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/sshd.local.j2
    dest: /etc/fail2ban/jail.d/sshd.local
    owner: root
    mode: "0644"
  notify: restart fail2ban

- name: Configure fail2ban nginx filter
  when:
    - webserver is defined and webserver == 'nginx'
    - extra_fail2ban_filters is defined
    - "'nginx' in extra_fail2ban_filters"
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/nginx.local.j2
    dest: /etc/fail2ban/jail.d/nginx.local
    owner: root
    mode: "0644"
  notify: restart fail2ban

- name: Create fail2ban service override directory
  ansible.builtin.file:
    path: /etc/systemd/system/fail2ban.service.d
    state: directory
    owner: root
    mode: "0755"

# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
  ansible.builtin.template:
    src: etc/systemd/system/fail2ban.service.d/override.conf.j2
    dest: /etc/systemd/system/fail2ban.service.d/override.conf
    owner: root
    mode: "0644"
  notify:
    - reload systemd
    - restart fail2ban

- name: Start and enable fail2ban service
  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true

# vim: set sw=2 ts=2: