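---
# Install and configure fail2ban.
#
# We have to copy the local jail before installing the package,
# or we risk being jailed by fail2ban.

- name: Prepare fail2ban hierarchy
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  loop:
    - "/etc/fail2ban"
    - "/etc/fail2ban/filter.d"
    - "/etc/fail2ban/fail2ban.d"
  tags:
    - fail2ban

# Loopback is always on the list; the default and additional lists are merged
# in and de-duplicated.
# NOTE(review): presumably rendered as `ignoreip` by jail.local.j2 (template
# not visible here). If so, every entry is exempt from banning, so keep both
# input lists narrow and reviewed.
- name: Build the fail2ban ignore list
  set_fact:
    fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}"
  tags:
    - fail2ban

# `force` follows fail2ban_override_jaillocal: when it is false, an existing
# jail.local is left untouched, so a changed ignore list or template does not
# reach the host through this task.
- name: local jail is installed
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: "0644"
    force: "{{ fail2ban_override_jaillocal }}"
  notify: restart fail2ban
  tags:
    - fail2ban

# NOTE(review): `include` is deprecated and was removed in ansible-core 2.16.
# Moving to `include_tasks` needs a look at ip_whitelist.yml first: tags set
# on an `include_tasks` are not inherited by the included tasks unless
# `apply` is used.
- name: Include ignoredips update task
  include: ip_whitelist.yml
  when: fail2ban_force_update_ignore_ips | bool
  tags:
    - fail2ban

# Filters are parsed by a daemon running as root, so they are installed
# root-owned and not writable by group or others.
- name: custom filters are installed
  copy:
    src: "{{ item }}"
    dest: /etc/fail2ban/filter.d/
    owner: root
    group: root
    mode: "0644"
  loop:
    - dovecot-evolix.conf
    - sasl-evolix.conf
    - wordpress-soft.conf
    - wordpress-hard.conf
    - roundcube.conf
  notify: restart fail2ban
  tags:
    - fail2ban

- name: package fail2ban is installed
  apt:
    name: fail2ban
    state: present
  tags:
    - fail2ban
    - packages

# The two stat tasks are read-only, so they also run in check mode; the
# symlink task below depends on their registered results.
- name: is Munin present ?
  stat:
    path: /etc/munin/plugins
  check_mode: false
  register: etc_munin_plugins
  tags:
    - fail2ban
    - munin

- name: is fail2ban Munin plugin available ?
  stat:
    path: /usr/share/munin/plugins/fail2ban
  check_mode: false
  register: fail2ban_munin_plugin
  tags:
    - fail2ban
    - munin

- name: Enable Munin plugins
  file:
    src: "/usr/share/munin/plugins/fail2ban"
    dest: "/etc/munin/plugins/fail2ban"
    state: link
  notify: restart munin-node
  when:
    - etc_munin_plugins.stat.exists
    - fail2ban_munin_plugin.stat.exists
  tags:
    - fail2ban
    - munin

# Keeps the ban database at least as long as the recidive ban time.
# NOTE(review): the marker has no `{mark}` placeholder. The blockinfile
# documentation warns that such a marker may cause the block to be inserted
# again on each run. The marker is left unchanged here because switching it
# would orphan the blocks already written on deployed hosts; plan a cleanup
# before changing it.
- name: "Extend dbpurgeage if recidive jail is enabled"
  blockinfile:
    dest: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
    marker: "# ANSIBLE MANAGED"
    block: |
      [DEFAULT]
      dbpurgeage = {{ fail2ban_recidive_bantime }}
    insertafter: EOF
    create: true
    owner: root
    group: root
    mode: "0644"
  notify: restart fail2ban
  when: fail2ban_recidive | bool
  tags:
    - fail2ban

# NOTE(review): same `include` deprecation as for ip_whitelist.yml above.
- name: Fix dbpurgeage for stretch and buster
  include: fix-dbpurgeage.yml
  when: ansible_distribution_release in ["stretch", "buster"]
  tags:
    - fail2ban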