Install fail2ban

ansible/roles/gateway/files/haproxy-fail2ban-filter.conf

@@ -0,0 +1,4 @@
+[Definition]
+
+failregex = ^.*haproxy\[[0-9]+\]: <HOST>:.*$
+ignoreregex =

ansible/roles/gateway/files/haproxy-fail2ban-jail.conf

@@ -0,0 +1,8 @@
+[haproxy]
+enabled  = true
+bantime  = 600
+findtime = 120
+maxretry = 10
+filter   = haproxy-basic
+logpath  = /var/log/haproxy.log
+port     = http,https

ansible/roles/gateway/tasks/fail2ban.yml

@@ -0,0 +1,29 @@
+- name: Install fail2ban
+  apt:
+    name: fail2ban
+  become: true
+  become_user: root
+
+- name: fail2ban filter
+  template:
+    src: files/haproxy-fail2ban-filter.conf
+    dest: /etc/fail2ban/filter.d/haproxy-basic.conf
+  become: true
+  become_user: root
+  register: fail2ban_filter
+
+- name: fail2ban jail
+  template:
+    src: files/haproxy-fail2ban-jail.conf
+    dest: /etc/fail2ban/jail.d/haproxy.conf
+  become: true
+  become_user: root
+  register: fail2ban_jail
+
+- name: Restart fail2ban
+  service:
+    name: haproxy
+    state: restarted
+  become: true
+  become_user: root
+  when: fail2ban_filter.changed or fail2ban_jail.changed

ansible/roles/gateway/tasks/main.yml

@@ -3,3 +3,6 @@
 
 - name: Configure wireguard
   include: wireguard.yml
+
+- name: Configure fail2ban
+  include: fail2ban.yml