Ensure fail2ban and logrotate are available on all machines

2020-12-27 22:39:33 +00:00 · 2020-12-27 22:39:33 +00:00 · 58879d2e1d
commit 58879d2e1d
parent b11dbfc829
8 changed files with 69 additions and 6 deletions
--- a/ansible/roles/base/files/fail2ban-logrotate
+++ b/ansible/roles/base/files/fail2ban-logrotate
@ -0,0 +1,11 @@
+/var/log/fail2ban.log {
+  weekly
+  rotate 7
+  missingok
+  compress
+  nodateext
+  notifempty
+  postrotate
+    /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+  endscript
+}
--- a/ansible/roles/base/files/ssh-jail.conf
+++ b/ansible/roles/base/files/ssh-jail.conf
@ -0,0 +1,7 @@
+[sshd]
+enabled  = true
+bantime  = 600
+findtime = 30
+maxretry = 5
+port     = {{ ssh_port }},ssh
+ignoreip = {{ wireguard.cidr }}
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@ -1,6 +1,6 @@
 # TCP port to bind to
 # Change to a high/odd port if this server is exposed to the internet directly
-Port 7743
+Port {{ ssh_port }}

 {% if expose_ssh %}
 AllowUsers {{ user }}
--- a/ansible/roles/base/tasks/fail2ban.yml
+++ b/ansible/roles/base/tasks/fail2ban.yml
@ -0,0 +1,25 @@
+- name: Install fail2ban
+  package:
+    name: fail2ban
+  become: true
+
+- name: Enable fail2ban
+  service:
+    name: fail2ban
+    enabled: true
+  become: true
+
+- name: fail2ban SSH jail
+  template:
+    src: files/ssh-jail.conf
+    dest: /etc/fail2ban/jail.d/ssh.conf
+    mode: "0600"
+  become: true
+  register: fail2ban_jail
+
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  become: true
+  when: fail2ban_jail.changed
--- a/ansible/roles/base/tasks/logrotate.yml
+++ b/ansible/roles/base/tasks/logrotate.yml
@ -0,0 +1,18 @@
+- name: Install logrotate
+  package:
+    name: logrotate
+  become: true
+
+- name: Enable logrotate timer
+  service:
+    name: logrotate.timer
+  become: true
+  when: ansible_os_family == 'Archlinux'
+
+- name: logrotate fail2ban config
+  template:
+    src: files/fail2ban-logrotate
+    dest: /etc/logrotate.d/fail2ban
+    mode: "0600"
+  become: true
+  register: fail2ban_jail
--- a/ansible/roles/base/tasks/main.yml
+++ b/ansible/roles/base/tasks/main.yml
@ -6,3 +6,9 @@

 - name: SSH
  include: ssh.yml
+
+- name: fail2ban
+  include: fail2ban.yml
+
+- name: logrotate
+  include: logrotate.yml
--- a/ansible/roles/base/vars/main.yml
+++ b/ansible/roles/base/vars/main.yml
@ -0,0 +1 @@
+ssh_port: 7743
--- a/ansible/roles/gateway/tasks/fail2ban.yml
+++ b/ansible/roles/gateway/tasks/fail2ban.yml
@ -1,8 +1,3 @@
- name: Install fail2ban
-  package:
-    name: fail2ban
-  become: true
-
 - name: fail2ban filter
  template:
    src: files/haproxy-fail2ban-filter.conf