mirror/infrastructure
1
1
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/infrastructure.git synced 2025-01-18 08:06:16 +01:00
Code Issues
master
infrastructure/roles/fail2ban/tasks/main.yml
Robin Candau 701c1d01ef Migrate 'with_X' to 'loop'
2024-12-23 17:43:01 +00:00

108 lines
2.5 KiB
YAML
Raw Permalink Blame History

- name: Install fail2ban
package:
name: "fail2ban"
state: "present"
notify:
- Restart fail2ban
- name: Create systemd unit override path
file:
path: "/etc/systemd/system/fail2ban.service.d"
state: "directory"
owner: "root"
group: "root"
mode: '0755'
- name: Install systemd unit override file
template:
src: "fail2ban.service.j2"
dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
owner: "root"
group: "root"
mode: '0644'
- name: Install local config files
template:
src: "{{ item }}.j2"
dest: "/etc/fail2ban/{{ item }}"
owner: "root"
group: "root"
mode: '0644'
loop:
- "fail2ban.local"
- "jail.local"
notify:
- Restart fail2ban
- name: Install firewallcmd-ipset-allports.conf
template:
src: "firewallcmd-ipset-allports.conf.j2"
dest: "/etc/fail2ban/action.d/firewallcmd-ipset-allports.conf"
owner: "root"
group: "root"
mode: '0644'
notify:
- Restart fail2ban
- name: Install sshd jail
when: fail2ban_jails.sshd
template:
src: "sshd.jail.j2"
dest: "/etc/fail2ban/jail.d/sshd.local"
owner: "root"
group: "root"
mode: '0644'
notify:
- Reload fail2ban jails
- name: Install postfix jail
when: fail2ban_jails.postfix
template:
src: "postfix.jail.j2"
dest: "/etc/fail2ban/jail.d/postfix.local"
owner: "root"
group: "root"
mode: '0644'
notify:
- Reload fail2ban jails
- name: Install dovecot jail
when: fail2ban_jails.dovecot
template:
src: "dovecot.jail.j2"
dest: "/etc/fail2ban/jail.d/dovecot.local"
owner: "root"
group: "root"
mode: '0644'
notify:
- Reload fail2ban jails
- name: Install nginx-limit-req jail
when: fail2ban_jails.nginx_limit_req
template:
src: "nginx-limit-req.jail.j2"
dest: "/etc/fail2ban/jail.d/nginx-limit-req.local"
owner: "root"
group: "root"
mode: '0644'
notify:
- Reload fail2ban jails
- name: Install fail2ban ipset for firewalld
copy: src=fail2ban.xml dest=/etc/firewalld/ipsets/ owner=root group=root mode=0644
register: result
- name: Restart firewalld
systemd_service: name=firewalld state=restarted
when: result.changed
- name: Add fail2ban ipset to the firewalld drop zone
ansible.posix.firewalld: source=ipset:fail2ban zone=drop permanent=true immediate=true state=enabled
- name: Start and enable service
systemd_service:
name: "fail2ban.service"
enabled: true
state: started
daemon-reload: true
View Git Blame Copy Permalink