create role fail2ban

defaults/main.yml

@@ -0,0 +1,4 @@
+---
+# defaults file for fail2ban
+fail2ban_destmail: none
+fail2ban_sendmail: none

files/filter.d/tt-rss.conf

@@ -0,0 +1,18 @@
+# Fail2Ban filter for tt-rss
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+failregex = ^.*Failed login attempt for .* from <HOST> .*tt-rss.*$
+ignoreregex =
+
+# DEV Notes:
+#
+# pattern :
+# 2018/11/02 23:20:15 [error] 967#967: *398052 FastCGI sent in stderr: "PHP message: PHP Warning: Failed login attempt for username from 123.123.123.123 in /path/to/tt-rss/classes/handler/public.php on line 505" while reading response header from upstream, client: 123.123.123.123, server: , request: "POST /public.php?return=%2F HTTP/2.0", upstream: "fastcgi://unix:/var/run/fpm-123.sock:", host: "hosturl.com:port", referrer: "https://hosturl.com/"

handlers/main.yml

@@ -0,0 +1,7 @@
+---
+# handlers file for fail2ban
+- name: restart fail2ban
+  service:
+      name: fail2ban # required. Name of the service.
+      state: restarted # not required. choices: reloaded;restarted;started;stopped. C(started)/C(stopped) are idempotent actions that will not run commands unless necessary.  C(restarted) will always bounce the service.  C(reloaded) will always reload. B(At least one of state and enabled are required.) Note that reloaded will start the service if it is not already started, even if your chosen init system wouldn't normally.
+  become: yes

meta/main.yml

@@ -0,0 +1,60 @@
+galaxy_info:
+  author: your name
+  description: your description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: license (GPLv2, CC-BY, etc)
+
+  min_ansible_version: 2.4
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

tasks/main.yml

@@ -0,0 +1,37 @@
+---
+# tasks file for fail2ban
+
+- name: Install fail2ban
+  pacman:
+    name:
+      - fail2ban
+  become: yes
+
+- name: enable fail2ban
+  service:
+      name: fail2ban # required. Name of the service.
+      enabled: true # not required. Whether the service should start on boot. B(At least one of state and enabled are required.)
+      state: started # not required. choices: reloaded;restarted;started;stopped. C(started)/C(stopped) are idempotent actions that will not run commands unless necessary.  C(restarted) will always bounce the service.  C(reloaded) will always reload. B(At least one of state and enabled are required.) Note that reloaded will start the service if it is not already started, even if your chosen init system wouldn't normally.
+  become: yes
+  
+
+- name: copy custom config
+  copy:
+      dest: /etc/fail2ban/filter.d # required. Remote absolute path where the file should be copied to. If I(src) is a directory, this must be a directory too. If I(dest) is a nonexistent path and if either I(dest) ends with "/" or I(src) is a directory, I(dest) is created. If I(src) and I(dest) are files, the parent directory of I(dest) isn't created: the task fails if it doesn't already exist.
+      src: filter.d/ # not required. Local path to a file to copy to the remote server; can be absolute or relative. If path is a directory, it is copied recursively. In this case, if path ends with "/", only inside contents of that directory are copied to destination. Otherwise, if it does not end with "/", the directory itself with all contents is copied. This behavior is similar to Rsync.
+  become: yes
+
+- name: apply jail sshd file
+  template:
+      dest: /etc/fail2ban/jail.d # required. Location to render the template to on the remote machine.
+      src: jail.d/sshd.local # required. Path of a Jinja2 formatted template on the Ansible controller. This can be a relative or absolute path.
+  notify: restart fail2ban
+  become: yes
+
+
+- name: apply jail mail file
+  template:
+      dest: /etc/fail2ban/jail.d # required. Location to render the template to on the remote machine.
+      src: jail.d/mail.local # required. Path of a Jinja2 formatted template on the Ansible controller. This can be a relative or absolute path.
+  notify: restart fail2ban
+  become: yes

templates/jail.d/mail.local

@@ -0,0 +1,9 @@
+[DEFAULT]
+destemail = {{ fail2ban_destmail }}
+sender = {{ fail2ban_sendmail }}
+
+# to ban & send an e-mail with whois report to the destemail.
+action = %(action_mw)s
+
+# same as action_mw but also send relevant log lines
+#action = %(action_mwl)s

templates/jail.d/sshd.local

@@ -0,0 +1,2 @@
+[sshd]
+enabled = true