feat(ansible): create a role and playbook for fail2ban

Author: raisedadead

ansible/play-any--fail2ban.yml

@@ -0,0 +1,9 @@
+---
+- name: Install and configure fail2ban
+  hosts: '{{ variable_host | default("null") }}'
+  serial: "{{ variable_serial | default(1) }}"
+  gather_facts: false
+  become: true
+  become_user: root
+  roles:
+    - fail2ban

ansible/roles/fail2ban/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+fail2ban_sshd_maxretry: 5
+fail2ban_sshd_findtime: 600
+fail2ban_sshd_bantime: 3600

ansible/roles/fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    state: restarted

ansible/roles/fail2ban/tasks/configure.yml

@@ -0,0 +1,15 @@
+---
+- name: Deploy fail2ban jail.local
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    owner: root
+    group: root
+    mode: "0644"
+  notify: Restart fail2ban
+
+- name: Enable and start fail2ban
+  ansible.builtin.systemd:
+    name: fail2ban
+    enabled: true
+    state: started

ansible/roles/fail2ban/tasks/install.yml

@@ -0,0 +1,7 @@
+---
+- name: Install fail2ban via apt
+  ansible.builtin.apt:
+    name: fail2ban
+    state: present
+    update_cache: true
+    cache_valid_time: 3600

ansible/roles/fail2ban/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Install fail2ban
+  ansible.builtin.import_tasks: install.yml
+
+- name: Configure fail2ban
+  ansible.builtin.import_tasks: configure.yml

ansible/roles/fail2ban/templates/jail.local.j2

@@ -0,0 +1,10 @@
+[DEFAULT]
+banaction = iptables-multiport
+
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+maxretry = {{ fail2ban_sshd_maxretry }}
+findtime = {{ fail2ban_sshd_findtime }}
+bantime = {{ fail2ban_sshd_bantime }}