From 71f6942e4bdfebc53a7a47134d95923cc95c363d Mon Sep 17 00:00:00 2001
From: Adrien
Date: Mon, 8 Oct 2018 19:35:13 +0200
Subject: [PATCH] Externalize role
---
defaults/main.yml | 5 ++++
handlers/main.yml | 4 +++
tasks/main.yml | 27 +++++++++++++++++++
.../etc/fail2ban/jail.d/02-services.conf.j2 | 5 ++++
templates/etc/fail2ban/jail.local.j2 | 27 +++++++++++++++++++
vars/RedHat.yml | 9 +++++++
6 files changed, 77 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/etc/fail2ban/jail.d/02-services.conf.j2
create mode 100644 templates/etc/fail2ban/jail.local.j2
create mode 100644 vars/RedHat.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..4e73e94
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+fail2ban_ssh: true
+fail2ban_bantime: 172800
+fail2ban_findtime: 3600
+
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..c40d5cb
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Restart fail2ban
+ service: name=fail2ban state=restarted
+
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..942a9c7
--- /dev/null
+++ b/tasks/main.yml
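Review bot: The three defaults carry no description, and `fail2ban_email`, which templates/etc/fail2ban/jail.local.j2 tests with `is defined`, is not listed in defaults/main.yml at all, so a reader of the defaults file cannot discover that it exists. A comment above each value would be enough, e.g. `# Ban length and detection window, in seconds (fail2ban bantime / findtime)` and `# fail2ban_email: optional destemail; leave undefined to keep the distribution default`. Keep `fail2ban_email` as a commented-out example rather than `null`, because a null value would satisfy the template's `is defined` check and render `destemail = None`.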
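Review bot: `service: name=fail2ban state=restarted` in handlers/main.yml passes module arguments as a key=value string; Ansible's convention (and ansible-lint) is block YAML arguments, `service:` / `  name: fail2ban` / `  state: restarted`. Every module call in tasks/main.yml uses the same string form; if those are converted as well, the octal modes there must become quoted strings (`mode: "0640"`, `mode: "0644"`) so the YAML parser does not read them as decimal integers.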
@@ -0,0 +1,27 @@
+---
+- name: Include vars for {{ ansible_os_family }}
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- name: Install packages for fail2ban
+ package: name="{{ fail2ban_packages }}" state=latest update_cache=yes
+
+- name: Test if paths overrides file exist
+ stat: path=/etc/fail2ban/paths-overrides.local
+ register: pathsoverrides
+
+- name: Touch the standard log file
+ file: path=/etc/fail2ban/paths-overrides.local state=touch owner=root group=root mode=0640
+ when:
+ - not pathsoverrides.stat.exists
+
+- name: Install fail2ban configuration files
+ template: src="{{ item }}.j2" dest="/{{ item }}" owner=root group=root mode=0644
+ with_items:
+ - etc/fail2ban/jail.local
+ - etc/fail2ban/jail.d/02-services.conf
+ notify: Restart fail2ban
+
+- name: Enable fail2ban services
+ service: name="fail2ban" enabled=yes
+
+
diff --git a/templates/etc/fail2ban/jail.d/02-services.conf.j2 b/templates/etc/fail2ban/jail.d/02-services.conf.j2
new file mode 100644
index 0000000..5c3d1f5
--- /dev/null
+++ b/templates/etc/fail2ban/jail.d/02-services.conf.j2
@@ -0,0 +1,5 @@
+{% if fail2ban_ssh %}
+[sshd]
+enabled = true
+{% endif %}
+
diff --git a/templates/etc/fail2ban/jail.local.j2 b/templates/etc/fail2ban/jail.local.j2
new file mode 100644
index 0000000..8d41178
--- /dev/null
+++ b/templates/etc/fail2ban/jail.local.j2
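Review bot: The last task only sets `enabled=yes` for fail2ban, so on a fresh host the daemon is started solely because the template task happens to notify the restart handler; on a host where the rendered files are already unchanged (a rerun after fail2ban was stopped, or a play that failed before handlers ran) the role finishes with the service down and no bans enforced. Add the running state to that task, `service: name="fail2ban" enabled=yes state=started`. The task named "Touch the standard log file" creates /etc/fail2ban/paths-overrides.local, which is a configuration drop-in rather than a log file; rename it, e.g. `- name: Create empty paths-overrides.local if missing`. `state=latest` on the package task upgrades fail2ban on every run instead of converging on an installed state; `state=present` is the usual choice unless unattended upgrades of this package are intended.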
@@ -0,0 +1,27 @@
+[DEFAULT]
+# "bantime" is the number of seconds that a host is banned.
+bantime = {{ fail2ban_bantime }}
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = {{ fail2ban_findtime }}
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+{% if fail2ban_email is defined %}
+destemail = {{ fail2ban_email }}
+{% else %}
+#destemail =
+{% endif %}
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# Select mail mta instead of sendmail
+mta = mail
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_mw)s
+
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 0000000..954cf19
--- /dev/null
+++ b/vars/RedHat.yml
@@ -0,0 +1,9 @@
+---
+fail2ban_packages:
+ - fail2ban
+ - fail2ban-firewalld
+ - fail2ban-mail
+ - fail2ban-hostsdeny
+ - fail2ban-sendmail
+ - fail2ban-server
+
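Review bot: The `[DEFAULT]` section sets no `ignoreip`, so the control host running this playbook and any bastion are subject to the same 48-hour ban (172800 s from defaults/main.yml) as everyone else after `maxretry` SSH failures; a mistyped key or a key rotation in progress can lock the operator out. Expose it from a role variable next to bantime/findtime, e.g. `ignoreip = 127.0.0.1/8 {{ fail2ban_ignoreip | default('') }}` (variable name is a proposal). `action = %(action_mw)s` also runs a whois lookup and sends a mail for every ban; with `fail2ban_ssh` enabled by default that is one outbound query and message per banned host, so consider making the action a variable that defaults to the plain ban action `action_`, and note above `mta = mail` that a working local MTA is required for the mail actions to do anything.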
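Review bot: vars/RedHat.yml is the only family file, yet tasks/main.yml includes `{{ ansible_os_family }}.yml` unconditionally, so the role fails at its first task on Debian or Ubuntu hosts; either add a `Debian.yml` with `fail2ban_packages: [fail2ban]` or document RedHat as the only supported family. Installing `fail2ban-firewalld` is, as far as I recall of the EPEL packaging, what switches the default `banaction` to the firewallcmd actions; if firewalld is not running on the target, bans are logged but never enforced, so the role should either ensure firewalld is active or set `banaction` explicitly in jail.local.j2. `fail2ban-hostsdeny` and `fail2ban-sendmail` add further action drop-ins that nothing in this role references; listing only the packages the templates rely on keeps the installed footprint minimal.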