7c632352a0
The behaviour of the `include` module is badly defined (it tries to choose between statically importing the tasks and dynamically including them) and can cause problems depending on any number of constraints (mostly if it chooses the wrong behaviour). Replace it with `import_tasks` (always statically import tasks) unless the `include` is in a loop, in which case we replace it with `include_tasks` (always dynamically include tasks).
---
# We have to copy the local jail before installing the package
# or we risk being jailed by fail2ban
- name: Prepare fail2ban hierarchy
  # The directories exist before the package is installed so that jail.local
  # and the custom filters can be dropped in first (see the header comment).
  file:
    state: directory
    path: "{{ item }}"
    mode: "0755"
    owner: root
    group: root
  loop:
    - /etc/fail2ban
    - /etc/fail2ban/filter.d
    - /etc/fail2ban/fail2ban.d
  tags:
    - fail2ban

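# Loopback is always exempt, then the role defaults, then the host-specific
# additions; `unique` removes duplicates between the three sources.
- name: Compute the list of IPs fail2ban must never ban
  set_fact:
    fail2ban_ignore_ips: >-
      {{ ['127.0.0.1/8']
      | union(fail2ban_default_ignore_ips)
      | union(fail2ban_additional_ignore_ips)
      | unique }}
  tags:
    - fail2ban
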
- name: local jail is installed
  template:
    dest: /etc/fail2ban/jail.local
    src: jail.local.j2
    mode: "0644"
    # With force disabled an existing jail.local is left untouched, so local
    # hand edits survive but may drift from the template.
    force: "{{ fail2ban_override_jaillocal }}"
  notify: restart fail2ban
  tags:
    - fail2ban

- name: Include ignoredips update task
  import_tasks: ip_whitelist.yml
  tags:
    - fail2ban
  # Static import: the condition is copied onto every imported task.
  when:
    - fail2ban_force_update_ignore_ips | bool

- name: custom filters are installed
  copy:
    dest: /etc/fail2ban/filter.d/
    # A relative src is resolved from the role's files/ directory.
    src: "{{ item }}"
    mode: "0644"
  loop:
    - dovecot-evolix.conf
    - sasl-evolix.conf
    - wordpress-soft.conf
    - wordpress-hard.conf
    - roundcube.conf
  notify: restart fail2ban
  tags:
    - fail2ban

# Installed last on purpose: jail.local and the filters are already in place
# when the daemon starts for the first time (see the header comment).
- name: package fail2ban is installed
  apt:
    state: present
    name: fail2ban
  tags:
    - packages
    - fail2ban

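- name: is Munin present ?
  stat:
    path: /etc/munin/plugins
  # `false` rather than the YAML 1.1 spelling `no` (yamllint/ansible-lint truthy).
  # Runs even under --check so the registered result exists for the later `when`.
  check_mode: false
  register: etc_munin_plugins
  tags:
    - fail2ban
    - munin
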
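- name: is fail2ban Munin plugin available ?
  stat:
    path: /usr/share/munin/plugins/fail2ban
  # `false` rather than the YAML 1.1 spelling `no` (yamllint/ansible-lint truthy).
  # Runs even under --check so the registered result exists for the later `when`.
  check_mode: false
  register: fail2ban_munin_plugin
  tags:
    - fail2ban
    - munin
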
- name: Enable Munin plugins
  file:
    state: link
    src: /usr/share/munin/plugins/fail2ban
    dest: /etc/munin/plugins/fail2ban
  notify: restart munin-node
  # Both facts are registered by the two stat tasks above.
  when: etc_munin_plugins.stat.exists and fail2ban_munin_plugin.stat.exists
  tags:
    - munin
    - fail2ban

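- name: Extend dbpurgeage if recidive jail is enabled
  # Presumably keeps the ban database long enough for the recidive jail to
  # see earlier bans — confirm against jail.local.j2.
  blockinfile:
    path: /etc/fail2ban/fail2ban.d/recidive_dbpurgeage
    create: true
    mode: "0644"
    # {mark} is required: with identical begin and end markers blockinfile
    # cannot locate the existing block and re-appends it on every run, so the
    # task was never idempotent.
    # NOTE(review): hosts provisioned with the previous "# ANSIBLE MANAGED"
    # marker keep those lines untouched; remove them once by hand.
    marker: "# {mark} ANSIBLE MANAGED"
    insertafter: EOF
    block: |
      [DEFAULT]
      dbpurgeage = {{ fail2ban_recidive_bantime }}
  notify: restart fail2ban
  when:
    - fail2ban_recidive
  # Tagged like every other task so `--tags fail2ban` does not skip it.
  tags:
    - fail2ban
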
- name: Fix dbpurgeage for stretch and buster
  import_tasks: fix-dbpurgeage.yml
  tags:
    - fail2ban
  # Static import: the condition is copied onto every imported task.
  when: ansible_distribution_release in ["stretch", "buster"]