b776fc3da2
Now the list of whitelisted IP addresses can be updated simply by including the specific tasks in an external playbook, without polluting our role list. This change takes effect for nginx, apache and fail2ban.
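---
# fail2ban role tasks.
#
# Ordering is deliberate: the local jail configuration and the custom filters
# are put in place *before* the package is installed, so the service never
# starts with the upstream defaults. Otherwise the host running Ansible (or
# its operators) could be banned before the whitelist is applied.

- name: Prepare fail2ban hierarchy
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  with_items:
    - "/etc/fail2ban"
    - "/etc/fail2ban/filter.d"
  tags:
    - fail2ban

# Tagged like the rest of the role: when the play is limited with
# `--tags fail2ban`, an untagged set_fact is skipped and fail2ban_ignore_ips
# stays undefined for the tasks that rely on it.
# NOTE(review): assumes both fail2ban_default_ignore_ips and
# fail2ban_additional_ignore_ips are defined as lists in the role defaults.
- name: Compute the list of ignored IP addresses
  set_fact:
    fail2ban_ignore_ips: "{{ fail2ban_default_ignore_ips | union(fail2ban_additional_ignore_ips) | unique }}"
  tags:
    - fail2ban

# force: false keeps an existing jail.local untouched so local edits on the
# host survive re-runs; the ip_whitelist.yml include below is the supported
# way to refresh the ignored addresses in an already deployed file.
- name: local jail is installed
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    mode: "0644"
    force: false
  notify: restart fail2ban
  tags:
    - fail2ban

# NOTE(review): `include` is deprecated in newer Ansible releases in favour of
# include_tasks/import_tasks; kept as-is because the Ansible version targeted
# by this role is not visible here.
- name: Include ignoredips update task
  include: ip_whitelist.yml
  when: fail2ban_force_update_ignore_ips
  tags:
    - fail2ban

# Disabling the sshd jail removes fail2ban's brute-force protection for SSH;
# only set fail2ban_disable_ssh when another control covers it.
# The value is quoted so the literal text "false" is written to the INI file
# instead of whatever string the module makes of a YAML boolean.
- name: Disable SSH filter
  ini_file:
    dest: /etc/fail2ban/jail.local
    section: sshd
    option: enabled
    value: "false"
  notify: restart fail2ban
  when: fail2ban_disable_ssh
  tags:
    - fail2ban

- name: custom filters are installed
  copy:
    src: "{{ item }}"
    dest: /etc/fail2ban/filter.d/
    mode: "0644"
  with_items:
    - dovecot-evolix.conf
    - sasl-evolix.conf
    - wordpress-soft.conf
    - wordpress-hard.conf
    - roundcube.conf
  notify: restart fail2ban
  tags:
    - fail2ban

- name: package is installed
  apt:
    name: fail2ban
    state: present
  tags:
    - fail2ban
    - packages

# check_mode: false lets the stat tasks run during --check so the Munin
# conditionals below have real facts to evaluate.
- name: is Munin present ?
  stat:
    path: /etc/munin/plugins
  check_mode: false
  register: etc_munin_plugins
  tags:
    - fail2ban
    - munin

- name: is fail2ban Munin plugin available ?
  stat:
    path: /usr/share/munin/plugins/fail2ban
  check_mode: false
  register: fail2ban_munin_plugin
  tags:
    - fail2ban
    - munin

- name: Enable Munin plugins
  file:
    src: "/usr/share/munin/plugins/fail2ban"
    dest: "/etc/munin/plugins/fail2ban"
    state: link
  notify: restart munin-node
  when:
    - etc_munin_plugins.stat.exists
    - fail2ban_munin_plugin.stat.exists
  tags:
    - fail2ban
    - munin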