fail2ban/tasks/fix-dbpurgeage.yml

@@ -0,0 +1,19 @@
+- name: Sqlite needed
+  ansible.builtin.apt:
+    name:
+      - sqlite3
+    state: present
+
+- name: Register bantime from default config from package
+  shell: "grep -R -E 'dbpurgeage[[:blank:]]*=[[:blank:]]*[0-9]+' /etc/fail2ban/fail2ban.conf |awk '{print $3}'|head -n1"
+  register: default_dbpurgeage
+  changed_when: false
+  check_mode: false
+
+- name: Add crontab
+  template:
+    src: fail2ban_dbpurge.j2
+    dest: /etc/cron.daily/fail2ban_dbpurge
+    mode: 0700
+    owner: root
+    group: root

fail2ban/tasks/main.yml

@@ -103,4 +103,11 @@
     mode: "0644"
   notify: restart fail2ban
   when:
-    - fail2ban_recidive
+    - fail2ban_recidive
+
+- name: Fix dbpurgeage for stretch and buster
+  include: fix-dbpurgeage.yml
+  when:
+    - ansible_distribution_release == "stretch" or ansible_distribution_release == "buster"
+  tags:
+    - fail2ban

fail2ban/templates/fail2ban_dbpurge.j2

@@ -0,0 +1,3 @@
+#!/bin/sh
+# Juin 2022 : #64088
+/usr/bin/sqlite3 /var/lib/fail2ban/fail2ban.sqlite3 "DELETE FROM bans WHERE date('now', '-{{  fail2ban_recidive_bantime | default(default_dbpurgeage.stdout) }}') > datetime(timeofban, 'unixepoch'); VACUUM;"

fail2ban/tests/test.yml

@@ -1,4 +1,6 @@
 ---
-- hosts: test-kitchen
+- hosts: all
+  become: yes
+#  gather_facts: no
   roles:
     - role: fail2ban