mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
95a1476d17
It seems to have broken with the release of filesystem 2021.12.07, which incorporates this upstream change[1] in [2]. Please also see the upstream issue[3]. I'm not sure why we used ansible_fqdn in the first place as inventory_hostname should be preferred (as we define it ourselves). [1]ce266330fc[2]fc84245e3e[3] https://github.com/systemd/systemd/issues/20358
39 lines
1.3 KiB
Django/Jinja
39 lines
1.3 KiB
Django/Jinja
#
|
|
# {{ansible_managed}}
|
|
#
|
|
|
|
[DEFAULT]
|
|
findtime = {{fail2ban_findtime}}
|
|
bantime = {{fail2ban_bantime}}
|
|
maxretry = {{fail2ban_maxretry}}
|
|
|
|
# don't trust dns
|
|
usedns = no
|
|
|
|
# if f2b ever needs to send emails, send them to root and make sure the sender
|
|
# address clearly identifies the host the message originated from
|
|
destemail = root
|
|
sender = fail2ban@{{inventory_hostname}}
|
|
|
|
# use firewalld to manage bans - if we don't specify this, then fail2ban will
|
|
# default to use iptables, which we don't want as our systems are running
|
|
# firewalld with nftables backend.
|
|
#
|
|
# check current rules added to firewalld while fail2ban is running:
|
|
# firewall-cmd --direct --get-all-rules
|
|
# useful runtime commands include:
|
|
# fail2ban-client set <JAIL> banip <IP>
|
|
# fail2ban-cleint set <JAIL> unbanip <IP>
|
|
# fail2ban-client set unban <IP>
|
|
# fail2ban-client set unban --all
|
|
# see `fail2ban-client help` for full list of runtime commands
|
|
banaction = firewallcmd-ipset-allports
|
|
|
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
|
# will not ban a host which matches an address in this list. Several addresses
|
|
# can be defined using space (and/or comma) separator.
|
|
ignoreip = 127.0.0.1/8 ::1
|
|
{% for host in groups['all'] %}
|
|
{{ hostvars[host]['inventory_hostname'] }}
|
|
{% endfor %}
|