From 708250005a7e748b1b845312dfb983eb15497b12 Mon Sep 17 00:00:00 2001 From: Jake Howard Date: Fri, 13 Mar 2020 23:08:26 +0000 Subject: [PATCH] Install fail2ban
---
 .../files/haproxy-fail2ban-filter.conf | 4 +++ .../gateway/files/haproxy-fail2ban-jail.conf | 8 +++++ ansible/roles/gateway/tasks/fail2ban.yml | 29 +++++++++++++++++++ ansible/roles/gateway/tasks/main.yml | 3 ++ 4 files changed, 44 insertions(+) create mode 100644 ansible/roles/gateway/files/haproxy-fail2ban-filter.conf create mode 100644 ansible/roles/gateway/files/haproxy-fail2ban-jail.conf create mode 100644 ansible/roles/gateway/tasks/fail2ban.yml
diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf b/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
new file mode 100644
index 0000000..615b2b0
--- /dev/null
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-filter.conf
@@ -0,0 +1,4 @@
+[Definition]
+
+failregex = ^.*haproxy\[[0-9]+\]: :.*$
+ignoreregex =
diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
new file mode 100644
index 0000000..45e18e5
--- /dev/null
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
@@ -0,0 +1,8 @@
+[haproxy]
+enabled = true
+bantime = 600
+findtime = 120
+maxretry = 10
+filter = haproxy-basic
+logpath = /var/log/haproxy.log
+port = http,https
diff --git a/ansible/roles/gateway/tasks/fail2ban.yml b/ansible/roles/gateway/tasks/fail2ban.yml
new file mode 100644
index 0000000..6fb8dce
--- /dev/null
+++ b/ansible/roles/gateway/tasks/fail2ban.yml
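Review bot: The `failregex` in this hunk has no `<HOST>` capture group, so fail2ban has nothing to extract as the address to ban; fail2ban requires a host group in every failregex and will reject the filter when the jail starts rather than silently match nothing. The pattern also keys only on `haproxy[<pid>]: :` and carries no status code or termination-state condition, so whatever it matches it counts successful requests the same as failures, and the literal `: :` looks like it would only ever match lines whose client address field begins with a colon (IPv6 or `::ffff:`-mapped addresses) — worth confirming against a real log line. As a minimum make it `failregex = ^.*haproxy\[[0-9]+\]: <HOST>:[0-9]+ .*$`, and then narrow it to the error responses you actually want to count (the status field of haproxy's default HTTP log format) so ordinary traffic does not accumulate toward a ban.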
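Review bot: `maxretry = 10` within `findtime = 120` is tuned as if each match were a failed attempt, but the filter this jail references (`haproxy-basic`) counts any matching haproxy log line regardless of outcome, so a single client — or every user behind one NAT address — producing ten matched requests in two minutes is cut off from `http,https` for ten minutes. Either narrow the filter to error responses or raise these thresholds to something a legitimate browser session cannot reach. Add an `ignoreip` line as well, e.g. `ignoreip = 127.0.0.1/8` plus the management and WireGuard peer addresses this gateway role already configures, so an operator cannot lock themselves out of the gateway while testing.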
@@ -0,0 +1,29 @@
+- name: Install fail2ban
+ apt:
+ name: fail2ban
+ become: true
+ become_user: root
+
+- name: fail2ban filter
+ template:
+ src: files/haproxy-fail2ban-filter.conf
+ dest: /etc/fail2ban/filter.d/haproxy-basic.conf
+ become: true
+ become_user: root
+ register: fail2ban_filter
+
+- name: fail2ban jail
+ template:
+ src: files/haproxy-fail2ban-jail.conf
+ dest: /etc/fail2ban/jail.d/haproxy.conf
+ become: true
+ become_user: root
+ register: fail2ban_jail
+
+- name: Restart fail2ban
+ service:
+ name: haproxy
+ state: restarted
+ become: true
+ become_user: root
+ when: fail2ban_filter.changed or fail2ban_jail.changed
diff --git a/ansible/roles/gateway/tasks/main.yml b/ansible/roles/gateway/tasks/main.yml
index 65b7421..aa8f8f9 100644
--- a/ansible/roles/gateway/tasks/main.yml
+++ b/ansible/roles/gateway/tasks/main.yml
@@ -3,3 +3,6 @@
 - name: Configure wireguard
 include: wireguard.yml
+
+- name: Configure fail2ban
+ include: fail2ban.yml
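Review bot: The `Restart fail2ban` task at the end of this hunk restarts `haproxy` (`name: haproxy`) instead of fail2ban, so a changed filter or jail is never loaded and the proxy is bounced for nothing; it should read `name: fail2ban`, and since this task file is the install it should also set `enabled: true` so the service comes back after a reboot. The filter and jail tasks push static files from `files/` through `template:`, which will Jinja-expand any `{{` or `{%` that a future failregex happens to contain; `copy:` with `src: haproxy-fail2ban-filter.conf` (resolved against `files/`) states the intent and avoids that surprise. `become_user: root` on every task is the default for `become: true` and can be dropped.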