init

ansible/roles/harden/fail2ban/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+- name: install fail2ban + deps
+  ansible.builtin.apt:
+    name:
+      - fail2ban
+      - python3
+      - python3-systemd
+      - nftables
+    state: present
+    update_cache: true
+  become: true
+
+- name: enable & start nftables
+  ansible.builtin.systemd:
+    name: nftables
+    enabled: true
+    state: started
+  become: true
+
+- name: ensure fail2ban directories exist
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  loop:
+    - /etc/fail2ban
+    - /etc/fail2ban/jail.d
+    - /etc/fail2ban/filter.d
+  become: true
+
+- name: deploy /etc/fail2ban/fail2ban.local
+  ansible.builtin.template:
+    src: fail2ban.local.j2
+    dest: /etc/fail2ban/fail2ban.local
+    owner: root
+    group: root
+    mode: "0644"
+  notify: validate and restart fail2ban
+  become: true
+
+- name: deploy /etc/fail2ban/jail.local
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: "0644"
+  notify: validate and restart fail2ban
+  become: true
+
+- name: ensure fail2ban enabled and started
+  ansible.builtin.systemd:
+    name: fail2ban
+    enabled: true
+    state: started
+  become: true