From d6309882911ca91783bfa82a71e98f45a3790382 Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Mon, 8 Jun 2020 15:20:12 +0200
Subject: [PATCH] Added role fail2ban/rule
---
 roles/fail2ban/rule/defaults/main.yml | 21 +++++++++++++++++++++
 roles/fail2ban/rule/meta/main.yml | 6 ++++++
 roles/fail2ban/rule/tasks/main.yml | 19 +++++++++++++++++++
 roles/fail2ban/rule/templates/filter.conf | 8 ++++++++
 roles/fail2ban/rule/templates/jail.conf | 8 ++++++++
 5 files changed, 62 insertions(+)
 create mode 100644 roles/fail2ban/rule/defaults/main.yml
 create mode 100644 roles/fail2ban/rule/meta/main.yml
 create mode 100644 roles/fail2ban/rule/tasks/main.yml
 create mode 100644 roles/fail2ban/rule/templates/filter.conf
 create mode 100644 roles/fail2ban/rule/templates/jail.conf
diff --git a/roles/fail2ban/rule/defaults/main.yml b/roles/fail2ban/rule/defaults/main.yml
new file mode 100644
index 0000000..49d3d0a
--- /dev/null
+++ b/roles/fail2ban/rule/defaults/main.yml
@@ -0,0 +1,21 @@
+---
+
+# domain # For deriving rule_name
+rule_name: "{{ domain }}"
+
+filter_name: "{{ rule_name }}"
+jail_name: "{{ rule_name }}"
+
+filter_file: "{{ global_fail2ban_filters_directory }}/{{ filter_name }}.local"
+jail_file: "{{ global_fail2ban_jails_directory }}/{{ jail_name }}.local"
+
+# unit_name # Systemd unit name of service for getting logs, for deriving journal_filter
+journal_match: "_SYSTEMD_UNIT={{ unit_name }}"
+fail_regex: [] # Regex for fail2ban
+ignore_regex: []
+max_retries: 10
+find_time: 60
+ban_time: 60
+ban_ports:
+ - 80
+ - 443
diff --git a/roles/fail2ban/rule/meta/main.yml b/roles/fail2ban/rule/meta/main.yml
new file mode 100644
index 0000000..cf3af2b
--- /dev/null
+++ b/roles/fail2ban/rule/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+allow_duplicates: yes
+
+dependencies:
+ - role: fail2ban/application
diff --git a/roles/fail2ban/rule/tasks/main.yml b/roles/fail2ban/rule/tasks/main.yml
new file mode 100644
index 0000000..373fab8
--- /dev/null
+++ b/roles/fail2ban/rule/tasks/main.yml
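Review bot: `fail_regex: []` in the defaults hunk is a fail-open default: a rule deployed without any pattern renders a filter with an empty `failregex`, so the jail protects nothing (or is skipped at load time, depending on the fail2ban version) while the play still reports success. Treat it like `domain` and `unit_name`, which are deliberately left undefined so templating fails fast: drop the `[]` default and state the contract in its comment, `# fail_regex # Required: list of fail2ban regexes; each must capture the client address with <HOST>`. `ban_time`/`find_time` of 60 s with `max_retries` 10 lets a client keep roughly ten attempts per minute indefinitely; that may be intentional for web endpoints but deserves a comment next to the values. `journal_match` presumably only matches when `unit_name` is the full unit name including its `.service` suffix, which is worth saying in the `unit_name` comment.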
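Review bot: `allow_duplicates: yes` in the meta hunk is a YAML 1.1 truthy scalar; Ansible accepts it, but yamllint's `truthy` rule flags it and it is inconsistent with the `true` written elsewhere in this patch. Prefer `allow_duplicates: true`.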
@@ -0,0 +1,19 @@
+---
+
+- name: Configure filter
+ template:
+ src: filter.conf
+ dest: "{{ filter_file }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ notify: reload fail2ban
+
+- name: Configure jail
+ template:
+ src: jail.conf
+ dest: "{{ jail_file }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ notify: reload fail2ban
diff --git a/roles/fail2ban/rule/templates/filter.conf b/roles/fail2ban/rule/templates/filter.conf
new file mode 100644
index 0000000..885ad71
--- /dev/null
+++ b/roles/fail2ban/rule/templates/filter.conf
@@ -0,0 +1,8 @@
+[Definition]
+failregex =
+ {{ fail_regex | join("\n") | indent(width=12) }}
+ignoreregex =
+ {{ ignore_regex | join("\n") | indent(width=14) }}
+
+[Init]
+journalmatch = {{ journal_match }}
diff --git a/roles/fail2ban/rule/templates/jail.conf b/roles/fail2ban/rule/templates/jail.conf
new file mode 100644
index 0000000..66a35d6
--- /dev/null
+++ b/roles/fail2ban/rule/templates/jail.conf
@@ -0,0 +1,8 @@
+[{{ jail_name }}]
+enabled = true
+backend = systemd
+filter = {{ filter_name }}
+maxretry = {{ max_retries }}
+findtime = {{ find_time }}
+bantime = {{ ban_time }}
+ports = {{ ban_ports | join(",") }}
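Review bot: Nothing in the tasks hunk checks the inputs before the two files are written and `reload fail2ban` is notified, so an empty or `<HOST>`-less `fail_regex` (or a pattern fail2ban rejects) gets rendered, the reload handler — presumably provided by the `fail2ban/application` dependency, which is not in this patch — runs, and fail2ban drops the jail at reload while Ansible reports success. A leading `assert` task fails the play instead, next to the misconfiguration; if your rules use the newer `<ADDR>`/`<F-ID>` tags instead of `<HOST>`, widen the second condition. Neither `template` task has a `validate:` either; fail2ban ships no per-file validator that takes `%s`, so a post-handler `fail2ban-client status {{ jail_name }}` task is the alternative if you want runtime confirmation that the jail actually started.
```yaml
- name: Validate rule variables
  assert:
    that:
      - fail_regex | length > 0
      - fail_regex | reject('search', '<HOST>') | list | length == 0
    fail_msg: "fail_regex must be non-empty and every pattern must capture <HOST>"

# … unchanged: Configure filter / Configure jail tasks …
```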
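Review bot: In the filter.conf hunk the regexes are dropped verbatim into an INI file that fail2ban reads with `%(name)s`-style interpolation, so a pattern containing a literal `%` (common in URL-encoded web-attack signatures such as `%2e%2e`) makes the whole filter fail to parse and the jail with it — the exact error depends on the fail2ban version, but the failure is silent from Ansible's side. Escaping at render time keeps that burden off every rule author: `{{ fail_regex | map('replace', '%', '%%') | join("\n") | indent(width=12) }}`, and the same `map` on the `ignore_regex` line. Each pattern must also contain a `<HOST>` capture group for fail2ban to extract the address; that contract belongs at the top of the template, e.g. `# Rendered by roles/fail2ban/rule; every failregex line must capture <HOST>`.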
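Review bot: `ports = …` on the last line of the jail hunk is not the option fail2ban's actions read — the jail option is `port` (singular), which the stock `banaction` definitions expand via `port="%(port)s"` — so `ban_ports` is silently ignored and the jail bans on whatever `port` defaults to in the installed `jail.conf` (`0:65535`, i.e. all ports, on stock installs). Change the line to `port = {{ ban_ports | join(",") }}`. After deploying, confirm with `fail2ban-client get {{ jail_name }} actions` or the resulting firewall rule, since the effective default depends on the distribution's `jail.conf`.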