Externalize role

defaults/main.yml

@@ -0,0 +1,5 @@
+---
+fail2ban_ssh: true
+fail2ban_bantime: 172800
+fail2ban_findtime: 3600
+

handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Restart fail2ban
+  service: name=fail2ban state=restarted
+

tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Include vars for {{ ansible_os_family }}
+  include_vars: "{{ ansible_os_family }}.yml"
+
+- name: Install packages for fail2ban
+  package: name="{{ fail2ban_packages }}" state=latest update_cache=yes
+
+- name: Test if paths overrides file exist
+  stat: path=/etc/fail2ban/paths-overrides.local
+  register: pathsoverrides
+
+- name: Touch the standard log file
+  file: path=/etc/fail2ban/paths-overrides.local state=touch owner=root group=root mode=0640
+  when:
+    - not pathsoverrides.stat.exists
+
+- name: Install fail2ban configuration files
+  template: src="{{ item }}.j2" dest="/{{ item }}" owner=root group=root mode=0644
+  with_items:
+    - etc/fail2ban/jail.local
+    - etc/fail2ban/jail.d/02-services.conf
+  notify: Restart fail2ban
+
+- name: Enable fail2ban services
+  service: name="fail2ban" enabled=yes
+
+

templates/etc/fail2ban/jail.d/02-services.conf.j2

@@ -0,0 +1,5 @@
+{% if fail2ban_ssh %}
+[sshd]
+enabled = true
+{% endif %}
+

templates/etc/fail2ban/jail.local.j2

@@ -0,0 +1,27 @@
+[DEFAULT]
+# "bantime" is the number of seconds that a host is banned.
+bantime  = {{ fail2ban_bantime }}
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = {{ fail2ban_findtime }}
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+{% if fail2ban_email is defined %}
+destemail = {{ fail2ban_email }}
+{% else %}
+#destemail =
+{% endif %}
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# Select mail mta instead of sendmail
+mta = mail
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_mw)s
+

vars/RedHat.yml

@@ -0,0 +1,9 @@
+---
+fail2ban_packages:
+  - fail2ban
+  - fail2ban-firewalld
+  - fail2ban-mail
+  - fail2ban-hostsdeny
+  - fail2ban-sendmail
+  - fail2ban-server
+