From 4890c3d3e5f51fc480732b9123c9ac169f7a005d Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Fri, 16 Oct 2020 19:08:49 +0100
Subject: [PATCH] Revert "Remove fail2ban"
This reverts commit 1f0e33acc8f93bcf793bff5a90ee2d0bca780150.
---
.../files/haproxy-fail2ban-filter.conf | 4 +++
.../gateway/files/haproxy-fail2ban-jail.conf | 8 ++++++
ansible/roles/gateway/tasks/fail2ban.yml | 25 +++++++++++++++++++
ansible/roles/gateway/tasks/main.yml | 3 +++
4 files changed, 40 insertions(+)
create mode 100644 ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
create mode 100644 ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
create mode 100644 ansible/roles/gateway/tasks/fail2ban.yml
diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf b/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
new file mode 100644
index 0000000..615b2b0
--- /dev/null
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
@@ -0,0 +1,4 @@
+[Definition]
+
+failregex = ^.*haproxy\[[0-9]+\]: :.*$
+ignoreregex =
diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
new file mode 100644
index 0000000..f19b266
--- /dev/null
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
@@ -0,0 +1,8 @@
+[haproxy]
+enabled = true
+bantime = 600
+findtime = 120
+maxretry = 15
+filter = haproxy-basic
+logpath = /var/log/haproxy.log
+port = http,https
diff --git a/ansible/roles/gateway/tasks/fail2ban.yml b/ansible/roles/gateway/tasks/fail2ban.yml
new file mode 100644
index 0000000..77ae933
--- /dev/null
+++ b/ansible/roles/gateway/tasks/fail2ban.yml
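Review bot: In `haproxy-fail2ban-filter.conf`, the `failregex` matches any HAProxy log line regardless of status code, so every request counts toward a ban rather than only failed or abusive ones. If the intent is a per-IP rate limit, say so in a header comment such as `# Counts every HAProxy request per client IP; a rate limit, not an auth-failure filter`; otherwise constrain the pattern to the response statuses of interest. As rendered here the pattern reads `: :.*$` with no `<HOST>` group, which fail2ban needs to extract the address; this may only be the page dropping the angle-bracketed token, so confirm against the file. Running `fail2ban-regex /var/log/haproxy.log /etc/fail2ban/filter.d/haproxy-basic.conf` after deployment shows exactly which lines are matched.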
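Review bot: In `haproxy-fail2ban-jail.conf`, `maxretry = 15` over `findtime = 120` is paired with a filter that appears to match every request line, so a client that fetches a page with more than 15 assets inside two minutes would be banned on `http,https` for ten minutes. The jail also sets no `ignoreip`, so monitoring hosts and internal peers get no exemption; consider `ignoreip = 127.0.0.1/8 ::1 <TRUSTED_CIDR_PLACEHOLDER>`. If HAProxy is ever placed behind another proxy or CDN, the logged client address would presumably be that upstream's and a single ban would cut off everyone behind it, which deserves a comment next to `logpath`.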
@@ -0,0 +1,25 @@
+- name: Install fail2ban
+ apt:
+ name: fail2ban
+ become: true
+
+- name: fail2ban filter
+ template:
+ src: files/haproxy-fail2ban-filter.conf
+ dest: /etc/fail2ban/filter.d/haproxy-basic.conf
+ become: true
+ register: fail2ban_filter
+
+- name: fail2ban jail
+ template:
+ src: files/haproxy-fail2ban-jail.conf
+ dest: /etc/fail2ban/jail.d/haproxy.conf
+ become: true
+ register: fail2ban_jail
+
+- name: Restart fail2ban
+ service:
+ name: haproxy
+ state: restarted
+ become: true
+ when: fail2ban_filter.changed or fail2ban_jail.changed
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
index 65b7421..aa8f8f9 100644
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
@@ -3,3 +3,6 @@ - name: Configure wireguard include: wireguard.yml
+
+- name: Configure fail2ban
+ include: fail2ban.yml
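Review bot: In `tasks/fail2ban.yml`, the last task is named `Restart fail2ban` but its `service` module targets `name: haproxy`, so a changed filter or jail restarts the proxy (interrupting live connections) while fail2ban itself is never restarted and presumably keeps running without the new jail. The line should read `name: fail2ban`. Separately, both config files are static and live under `files/`, yet they are deployed with `template:`, which runs the regex through Jinja; `copy:` would avoid accidental interpolation if the pattern ever gains `{{` or `{%`. Setting an explicit `mode: "0644"` on those two tasks would also keep the permissions on `/etc/fail2ban` content deterministic.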