Added role fail2ban/rule

roles/fail2ban/rule/defaults/main.yml

@@ -0,0 +1,21 @@
+---
+
+# domain # For deriving rule_name
+rule_name: "{{ domain }}"
+
+filter_name: "{{ rule_name }}"
+jail_name: "{{ rule_name }}"
+
+filter_file: "{{ global_fail2ban_filters_directory }}/{{ filter_name }}.local"
+jail_file: "{{ global_fail2ban_jails_directory }}/{{ jail_name }}.local"
+
+# unit_name # Systemd unit name of service for getting logs, for deriving journal_filter
+journal_match: "_SYSTEMD_UNIT={{ unit_name }}"
+fail_regex: [] # Regex for fail2ban
+ignore_regex: []
+max_retries: 10
+find_time: 60
+ban_time: 60
+ban_ports:
+  - 80
+  - 443

roles/fail2ban/rule/meta/main.yml

@@ -0,0 +1,6 @@
+---
+
+allow_duplicates: yes
+
+dependencies:
+  - role: fail2ban/application

roles/fail2ban/rule/tasks/main.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Configure filter
+  template:
+    src: filter.conf
+    dest: "{{ filter_file }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: reload fail2ban
+
+- name: Configure jail
+  template:
+    src: jail.conf
+    dest: "{{ jail_file }}"
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: reload fail2ban

roles/fail2ban/rule/templates/filter.conf

@@ -0,0 +1,8 @@
+[Definition]
+failregex =
+            {{ fail_regex | join("\n") | indent(width=12) }}
+ignoreregex =
+              {{ ignore_regex | join("\n") | indent(width=14) }}
+
+[Init]
+journalmatch = {{ journal_match }}

roles/fail2ban/rule/templates/jail.conf

@@ -0,0 +1,8 @@
+[{{ jail_name }}]
+enabled = true
+backend = systemd
+filter = {{ filter_name }}
+maxretry = {{ max_retries }}
+findtime = {{ find_time }}
+bantime = {{ ban_time }}
+ports = {{ ban_ports | join(",") }}