chore: first commit

roles/fail2ban/defaults/main.yml

@@ -0,0 +1,2 @@
+fail2ban_firewall: ufw
+fail2ban_backend: systemd

roles/fail2ban/tasks/main.yml

@@ -0,0 +1,59 @@
+---
+# see: https://wiki.archlinux.org/title/Fail2ban
+- name: Install fail2ban
+  package:
+    name: fail2ban
+    state: present
+
+- name: Ensure fail2ban configuration is only owned by root
+  file:
+    path: /etc/fail2ban
+    owner: root
+    group: root
+    mode: 0700
+    recurse: yes
+
+- name: Install Fail2ban Config
+  block:
+    - name: General configuration
+      template:
+        src: jail.local.j2
+        dest: /etc/fail2ban/jail.local
+        mode: "0600"
+    - name: Service custom jail
+      template:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "0600"
+      loop:
+        - { src: sshd-jail.local.j2, dest: /etc/fail2ban/jail.d/sshd.local }
+        - { src: nginx-jail.local.j2, dest: /etc/fail2ban/jail.d/nginx.local }
+
+- name: Service hardening (read-only root rights)
+  block:
+    - name: Check if hardening configuration is already applied
+      stat:
+        path: /etc/systemd/system/fail2ban.service.d/override.conf
+      register: override_conf
+    - name: Create configuration directory
+      file:
+        path: /etc/systemd/system/fail2ban.service.d
+        state: directory
+        owner: root
+        group: root
+        mode: 0700
+    - name: Apply hardening configuration
+      template:
+        src: hardened.fail2ban.conf.j2
+        dest: /etc/systemd/system/fail2ban.service.d/override.conf
+      when: not override_conf.stat.exists
+    - name: Reload systemd
+      systemd:
+        daemon_reload: yes
+      when: not override_conf.stat.exists
+
+- name: Start and enable fail2ban
+  service:
+    name: fail2ban
+    state: started
+    enabled: yes

roles/fail2ban/templates/hardened.fail2ban.conf.j2

@@ -0,0 +1,11 @@
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban.log
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,7 @@
+[DEFAULT]
+bantime    = 1d
+banaction  = {{fail2ban_firewall}}
+allowipv6  = true
+ignoreip   = 127.0.0.1/8
+backend    = {{fail2ban_backend}}
+ignoreself = true

roles/fail2ban/templates/nginx-jail.local.j2

@@ -0,0 +1,6 @@
+[nginx-http-auth]
+enabled    = true
+port       = http, https
+maxretry   = 2
+findtime   = 1d
+bantime    = 2w

roles/fail2ban/templates/sshd-jail.local.j2

@@ -0,0 +1,6 @@
+[sshd]
+enabled    = true
+filter     = sshd
+maxretry   = 5
+findtime   = 1d
+bantime    = 2w