--- # We have to copy the local jail before installing the package # or we risk being jailed by fail2ban - name: Prepare fail2ban hierarchy file: path: "{{ item }}" state: directory owner: root group: root mode: "0755" with_items: - "/etc/fail2ban" - "/etc/fail2ban/filter.d" tags: - fail2ban - set_fact: fail2ban_ignore_ips: "{{ ['127.0.0.1/8'] | union(fail2ban_default_ignore_ips) | union(fail2ban_additional_ignore_ips) | unique }}" tags: - fail2ban - name: local jail is installed template: src: jail.local.j2 dest: /etc/fail2ban/jail.local mode: "0644" force: no notify: restart fail2ban tags: - fail2ban - name: Include ignoredips update task include: ip_whitelist.yml when: fail2ban_force_update_ignore_ips tags: - fail2ban - name: Disable SSH filter ini_file: dest: /etc/fail2ban/jail.local section: sshd option: enabled value: false notify: restart fail2ban when: fail2ban_disable_ssh tags: - fail2ban - name: custom filters are installed copy: src: "{{ item }}" dest: /etc/fail2ban/filter.d/ mode: "0644" with_items: - dovecot-evolix.conf - sasl-evolix.conf - wordpress-soft.conf - wordpress-hard.conf - roundcube.conf notify: restart fail2ban tags: - fail2ban - name: package is installed apt: name: fail2ban state: present tags: - fail2ban - packages - name: is Munin present ? stat: path: /etc/munin/plugins check_mode: no register: etc_munin_plugins tags: - fail2ban - munin - name: is fail2ban Munin plugin available ? stat: path: /usr/share/munin/plugins/fail2ban check_mode: no register: fail2ban_munin_plugin tags: - fail2ban - munin - name: Enable Munin plugins file: src: "/usr/share/munin/plugins/fail2ban" dest: "/etc/munin/plugins/fail2ban" state: link notify: restart munin-node when: - etc_munin_plugins.stat.exists - fail2ban_munin_plugin.stat.exists tags: - fail2ban - munin