From cce7280cd0f49e98683c2b90fc15b8f58096429e Mon Sep 17 00:00:00 2001
From: William Hirigoyen
Date: Wed, 24 Jan 2024 15:24:42 +0100
Subject: [PATCH] fail2ban: add script unban_ip
---
 CHANGELOG.md | 1 +
 fail2ban/files/unban_ip.sh | 26 ++++++++++++++++++++++++++
 fail2ban/tasks/main.yml | 9 +++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 fail2ban/files/unban_ip.sh
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f2b7ace8..8de4ddd6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * webapps/nextcloud: Added var nextcloud_user_uid to enforce uid for nextcloud user
 * webapps/nextcloud: Set ownership and permissions of data directory
 * webapps/nextcloud: Add condition for archive tasks
+* fail2ban: add script unban_ip
 ### Changed
diff --git a/fail2ban/files/unban_ip.sh b/fail2ban/files/unban_ip.sh
new file mode 100644
index 00000000..c13f2ecd
--- /dev/null
+++ b/fail2ban/files/unban_ip.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+function version_gt() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; }
+
+IP="$1"
+if [ "$IP" == "" ]; then
+ echo
+ echo -e "\033${TERM_COLOR_LIGHT_RED}Usage: $FUNCNAME \033${TERM_COLOR_NORMAL}"
+ echo
+ cat <&1 | grep -v "$IP is not banned";
+ else
+ iptables -D f2b-$JAIL -s $IP -j DROP 2>&1 | grep -v 'iptables: Bad rule' && sleep 5 || echo "$IP is not banned";
+ fi
+done
+
+exit 0
+
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 1fbb573a..182dbbd5 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -111,3 +111,12 @@
 - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster"
 tags:
 - fail2ban
+
+- name: Script unban_ip is installed
+ ansible.builtin.copy:
+ src: unban_ip.sh
+ dst: /usr/local/sbin/unban_ip
+ mode: '0700'
+ tags:
+ - fail2ban
+
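Review bot: `$IP` is taken from `$1` with only an emptiness check and is then expanded unquoted in `iptables -D f2b-$JAIL -s $IP -j DROP`, in a script installed for root, so word splitting or globbing on a malformed argument changes the iptables command line. Reject anything that is not an address before the loop, e.g. `[[ "$IP" =~ ^[0-9A-Fa-f:.]+(/[0-9]+)?$ ]] || exit 1`, and quote the expansions: `iptables -D "f2b-$JAIL" -s "$IP" -j DROP`. `grep -v "$IP is not banned"` also treats the dots in the address as regex wildcards; `grep -vF -- "$IP is not banned"` would match literally. On the same iptables line, `grep -v … && sleep 5 || echo "$IP is not banned"` appears to print "is not banned" after a successful delete as well, because grep exits 1 when iptables prints nothing; an explicit `if` on the iptables exit status would separate the cases. The loop header and the usage heredoc are not legible on this page, so where `$JAIL` comes from could not be checked.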
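Review bot: `ansible.builtin.copy` has no `dst` parameter, so the new "Script unban_ip is installed" task fails with an unsupported-parameter error and the script is never deployed; the line should read `dest: /usr/local/sbin/unban_ip`. Since the file is a root-only firewall tool with `mode: '0700'`, stating `owner: root` and `group: root` explicitly would keep its permissions independent of the connecting user.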