fail2ban: fix fail2ban_ignore_ips definition

If the final variable is combined in the defaults file, it's component can be overridden, but the final variable can't be overriden.
2018-08-21 23:13:47 +02:00 · 2018-08-21 23:13:47 +02:00 · 012dabf657
parent 77aeb60544
commit 012dabf657
4 changed files with 5 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -44,6 +44,7 @@ The **patch** part changes incrementally at each release.
 ### Fixed
 * bind: chroot-bind.sh must not be executed in check mode
 * evoacme: fix module detection in apache config
+* fail2ban: fix fail2ban_ignore_ips definition
 * mysql-oracle: fix configuration directory variable
 * php: fpm slowlog needs an absolute path
 * roundcube: add missing slash to https redirection
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@ -4,7 +4,6 @@ fail2ban_alert_email: Null

 fail2ban_default_ignore_ips: []
 fail2ban_additional_ignore_ips: []
-fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"

 fail2ban_wordpress: False
 fail2ban_roundcube: False
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@ -15,6 +15,9 @@
  tags:
  - fail2ban

+- set_fact:
+    fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
+
 - name: local jail is installed
  template:
    src: jail.local.j2
--- a/fail2ban/templates/jail.local.j2
+++ b/fail2ban/templates/jail.local.j2
@ -3,7 +3,7 @@
 [DEFAULT]

 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
-ignoreip = {{ (['127.0.0.1/8'] + fail2ban_ignore_ips) | join(' ') }}
+ignoreip = {{ ['127.0.0.1/8'] union(fail2ban_ignore_ips) | unique | join(' ') }}

 bantime  = 600
 maxretry = 3