chore: first commit

roles/fail2ban/templates/hardened.fail2ban.conf.j2

@@ -0,0 +1,11 @@
+[Service]
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=read-only
+ProtectSystem=strict
+ReadWritePaths=-/var/run/fail2ban
+ReadWritePaths=-/var/lib/fail2ban
+ReadWritePaths=-/var/log/fail2ban.log
+ReadWritePaths=-/var/spool/postfix/maildrop
+ReadWritePaths=-/run/xtables.lock
+CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW

roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,7 @@
+[DEFAULT]
+bantime    = 1d
+banaction  = {{fail2ban_firewall}}
+allowipv6  = true
+ignoreip   = 127.0.0.1/8
+backend    = {{fail2ban_backend}}
+ignoreself = true

roles/fail2ban/templates/nginx-jail.local.j2

@@ -0,0 +1,6 @@
+[nginx-http-auth]
+enabled    = true
+port       = http, https
+maxretry   = 2
+findtime   = 1d
+bantime    = 2w

roles/fail2ban/templates/sshd-jail.local.j2

@@ -0,0 +1,6 @@
+[sshd]
+enabled    = true
+filter     = sshd
+maxretry   = 5
+findtime   = 1d
+bantime    = 2w