jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d8eb53f096
ansible-playbooks/roles/fail2ban/tasks/main.yml
Clément Désiles ba37edd498
doc: add more ufw comments
2025-11-10 23:57:34 +01:00

70 lines
1.9 KiB
YAML
Raw Blame History

---
# see: https://wiki.archlinux.org/title/Fail2ban
- name: Install fail2ban
ansible.builtin.package:
name: fail2ban
state: present
- name: Ensure fail2ban configuration is only owned by root
ansible.builtin.file:
path: /etc/fail2ban
owner: root
group: root
mode: "0700"
recurse: true
- name: Install Fail2ban Config
block:
- name: General configuration
ansible.builtin.template:
src: jail.local.j2
dest: /etc/fail2ban/jail.local
mode: "0600"
- name: Service custom jail
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
mode: "0600"
loop:
- { src: sshd-jail.local.j2, dest: /etc/fail2ban/jail.d/sshd.local }
- { src: nginx-jail.local.j2, dest: /etc/fail2ban/jail.d/nginx.local }
- name: Service hardening (read-only root rights)
block:
- name: Check if hardening configuration is already applied
ansible.builtin.stat:
path: /etc/systemd/system/fail2ban.service.d/override.conf
register: override_conf
- name: Create configuration directory
ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
group: root
mode: "0700"
- name: Apply hardening configuration
ansible.builtin.template:
src: hardened.fail2ban.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
when: not override_conf.stat.exists
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: true
when: not override_conf.stat.exists
- name: Enable UFW
community.general.ufw:
state: enabled
- name: Enable UFW service at startup
ansible.builtin.systemd:
name: ufw
enabled: true
state: started
- name: Start and enable fail2ban
ansible.builtin.service:
name: fail2ban
state: started
enabled: true
Reference in New Issue View Git Blame Copy Permalink