mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
95e19506ff
The firewalld direct interface is deprecated and will be removed in a future release[1]. Recently IPv4 connectivity inside docker containers on our runners broke and after some troubleshooting, the issue was pinpointed to the start of the fail2ban service. We also had issues in the past where sometimes firewalld had to be restarted after boot before network connectivity worked in libvirt on our runners. The issuse may be due to a bug in the way fail2ban use the direct interface, a bug in firewalld or a combination thereof. Let's just avoid the direct interface altogether and create a clean separation, with firewalld handling the blocking and fail2ban maintaining the ipset. [1] https://firewalld.org/documentation/man-pages/firewalld.direct.html
108 lines
2.4 KiB
YAML
108 lines
2.4 KiB
YAML
- name: Install fail2ban
|
|
package:
|
|
name: "fail2ban"
|
|
state: "present"
|
|
notify:
|
|
- Restart fail2ban
|
|
|
|
- name: Create systemd unit override path
|
|
file:
|
|
path: "/etc/systemd/system/fail2ban.service.d"
|
|
state: "directory"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0755'
|
|
|
|
- name: Install systemd unit override file
|
|
template:
|
|
src: "fail2ban.service.j2"
|
|
dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
|
|
- name: Install local config files
|
|
template:
|
|
src: "{{ item }}.j2"
|
|
dest: "/etc/fail2ban/{{ item }}"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
with_items:
|
|
- "fail2ban.local"
|
|
- "jail.local"
|
|
notify:
|
|
- Restart fail2ban
|
|
|
|
- name: Install firewallcmd-allports.local
|
|
template:
|
|
src: "firewallcmd-ipset-allports.conf.j2"
|
|
dest: "/etc/fail2ban/action.d/firewallcmd-ipset-allports.conf"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
notify:
|
|
- Restart fail2ban
|
|
|
|
- name: Install sshd jail
|
|
when: fail2ban_jails.sshd
|
|
template:
|
|
src: "sshd.jail.j2"
|
|
dest: "/etc/fail2ban/jail.d/sshd.local"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
notify:
|
|
- Reload fail2ban jails
|
|
|
|
- name: Install postfix jail
|
|
when: fail2ban_jails.postfix
|
|
template:
|
|
src: "postfix.jail.j2"
|
|
dest: "/etc/fail2ban/jail.d/postfix.local"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
notify:
|
|
- Reload fail2ban jails
|
|
|
|
- name: Install dovecot jail
|
|
when: fail2ban_jails.dovecot
|
|
template:
|
|
src: "dovecot.jail.j2"
|
|
dest: "/etc/fail2ban/jail.d/dovecot.local"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
notify:
|
|
- Reload fail2ban jails
|
|
|
|
- name: Install nginx-limit-req jail
|
|
when: fail2ban_jails.nginx_limit_req
|
|
template:
|
|
src: "nginx-limit-req.jail.j2"
|
|
dest: "/etc/fail2ban/jail.d/nginx-limit-req.local"
|
|
owner: "root"
|
|
group: "root"
|
|
mode: '0644'
|
|
notify:
|
|
- Reload fail2ban jails
|
|
|
|
- name: Install fail2ban ipset for firewalld
|
|
copy: src=fail2ban.xml dest=/etc/firewalld/ipsets/ owner=root group=root mode=0644
|
|
register: result
|
|
|
|
- name: Restart firewalld
|
|
systemd: name=firewalld state=restarted
|
|
when: result.changed
|
|
|
|
- name: Add fail2ban ipset to the firewalld drop zone
|
|
ansible.posix.firewalld: source=ipset:fail2ban zone=drop permanent=true immediate=true state=enabled
|
|
|
|
- name: Start and enable service
|
|
systemd:
|
|
name: "fail2ban.service"
|
|
enabled: true
|
|
state: started
|
|
daemon-reload: true
|