Commit 57be1825 authored by Michael Klix's avatar Michael Klix

initial commit of working copy, not working

parent 96a27887
## Description ## Description
A brief description of the role goes here. This role configures fail2ban.
## Requirements ## Requirements
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. none
### Roles ### Roles
A list of required roles. Parent roles must not be listed. tbd: A list of required roles. Parent roles must not be listed.
### Variables ### Variables
...@@ -19,21 +19,23 @@ Changed variable of parent roles must be listed too. ...@@ -19,21 +19,23 @@ Changed variable of parent roles must be listed too.
## Processes ## Processes
A rough overview of the steps. tbd: A rough overview of the steps.
### <task list> ## License
1. <step 1>
2. ..
## Features BSD-3-Clauses
A detailed description of roles features ## Author Information
## License - Michael Klix <michael.klix@tu-dresden.de>
BSD-3-Clauses Based on the provided SDM framework of
- Martin Pietsch <martin.pietsch@tu-dresden.de>
## Contributors Mainly influenced by the implementation/example of
- Nicolas Bigot <https://github.com/nbigot/ansible-fail2ban>
An optional section for the role authors to include contact information, or a website (HTML is not allowed). ## Literature
- firstname lastname <e-mail-address> - https://fail2ban.org/wiki/index.php/Category:HTTP
- https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
- https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
# defaults file for fail2ban
--- ---
# defaults file for project-template fail2ban_loglevel: INFO
fail2ban_logtarget: /var/log/fail2ban.log
fail2ban_syslog_target: /var/log/fail2ban.log
fail2ban_syslog_facility: 1
fail2ban_socket: /var/run/fail2ban/fail2ban.sock
fail2ban_pidfile: /var/run/fail2ban/fail2ban.pid
fail2ban_sendername: 'Fail2ban'
fail2ban_ignoreips:
- 127.0.0.1/8
fail2ban_bantime: 600
fail2ban_maxretry: 3
fail2ban_findtime: 600
# tbd fail2ban_backend: auto
# tbd fail2ban_banaction: iptables-multiport
# tbd fail2ban_mta: sendmail
# tbd fail2ban_protocol: tcp
# tbd fail2ban_chain: INPUT
# tbd fail2ban_action: '%(action_)s'
# fail2ban_services:
# - name: sshd
# - name: httpd
# fail2ban_jaild_path: files/jail.d/
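Review bot: `fail2ban_syslog_target` is set to the same log file as `fail2ban_logtarget` (`/var/log/fail2ban.log`), but in fail2ban.conf the `syslog-target` key names the syslog socket (upstream default `/dev/log`), not a file; if this variable is rendered as `syslog-target` in fail2ban.local.j2 (the later hunk shows `syslog-facility` right next to it, so that looks likely) then switching `logtarget` to SYSLOG would make fail2ban try to open a plain file as a syslog socket and lose its own logging. I would set `fail2ban_syslog_target: /dev/log` and leave `fail2ban_logtarget` as the file. Separately, the `fail2ban_ignoreips` default covers only loopback, which is correct, but a short comment such as `# add management/bastion ranges here so operators cannot ban themselves` would save deployers from the classic self-lockout.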
--- ---
# handlers file for project-template # handlers file for fail2ban
---
galaxy_info: galaxy_info:
author: your name author: Michael Klix (michael.klix@tu-dresden.de)
description: your role description description: This role configures fail2ban.
company: your company (optional) company: Technische Universität Dresden
role_name: package_security_fail2ban
namespace: sdm
# If the issue tracker for your role is not on github, uncomment the license: BSD-3-Clause
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Choose a valid license ID from https://spdx.org - some suggested licenses: min_ansible_version: 2.10
# - BSD-3-Clause (default)
# - MIT
# - GPL-2.0-or-later
# - GPL-3.0-only
# - Apache-2.0
# - CC-BY-4.0
license: license (GPL-2.0-or-later, MIT, etc)
min_ansible_version: 2.1 platforms:
- name: Linux/systemd
# If this a Container Enabled role, provide the minimum Ansible Container version. versions:
# min_ansible_container_version: - all
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: [] galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
dependencies: [] dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
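Review bot: `min_ansible_version: 2.10` is an unquoted float and a YAML 1.1 parser reads it as `2.1`, so Galaxy and ansible-lint will see a minimum version of 2.1 rather than 2.10; write it as a string: `min_ansible_version: "2.10"`. The `platforms` entry `Linux/systemd` is presumably a local convention of this framework rather than a Galaxy platform name, so it is worth a one-line comment saying so if Galaxy import is ever intended.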
--- ---
- name: Converge - name: Converge
hosts: all hosts: all
vars:
system_config_directory: "/etc"
tasks: tasks:
- name: "Include project-template" - name: "configure fail2ban"
include_role: sdm.oor.call_role:
name: "project-template" name: package.security.fail2ban
tasks: configure
--- ---
dependency: dependency:
name: galaxy name: galaxy
enabled: False enabled: false
driver: driver:
name: podman name: podman
platforms: platforms:
- name: debian - name: package_security_fail2ban_debian
registry: registry:
url: gitlab.mn.tu-dresden.de:8000 url: gitlab.mn.tu-dresden.de:8000
image: sdmgroup/containers/debian10:latest image: sdmgroup/containers/debian10:latest
command: /lib/systemd/systemd command: /lib/systemd/systemd
pre_build_image: false pre_build_image: false
provisioner: provisioner:
name: ansible name: ansible
config_options: config_options:
defaults: defaults:
callback_whitelist: sdm.oor.sdmoor callback_whitelist: sdm.oor.sdmoor
stdout_callback: sdm.oor.sdmdefault stdout_callback: sdm.oor.sdmdefault
strategy: sdm.oor.sdmlinear strategy: sdm.oor.sdmlinear
vars_plugins_enabled: sdm.common.sdm_host_group_vars vars_plugins_enabled: sdm.common.sdm_host_group_vars
deprecation_warnings: False deprecation_warnings: false
remote_tmp: /tmp remote_tmp: /tmp
playbooks: playbooks:
create: create.yml create: create.yml
......
--- ---
# tasks file for project-template - name: "call inherited configure tasks"
sdm.oor.call_tasks:
from: configure
super: true
- name: "configure fail2ban: update configuration file"
ansible.builtin.template:
src: fail2ban.local.j2
dest: "{{ '{}/fail2ban/fail2ban.local'.format(system_config_directory) }}"
owner: "root"
group: "root"
mode: 0644
notify:
- "restart fail2ban"
- name: "configure fail2ban: update jail file"
ansible.builtin.template:
src: jail.local.j2
dest: "{{ '{}/fail2ban/jail.local'.format(system_config_directory) }}"
owner: "root"
group: "root"
mode: 0644
notify:
- "restart fail2ban"
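Review bot: Both template tasks notify `restart fail2ban`, but the handlers file added in this same commit contains only a comment, so unless that handler is inherited through the sdm framework's `super` call the play will fail at notify time with an undefined handler; either define it here or add a comment naming where it comes from. `mode: 0644` should be quoted as `mode: "0644"` — unquoted it is parsed as the integer 420, which happens to equal 0o644 but silently breaks for any other value. `system_config_directory` has no default in defaults/main.yml and is only set in converge.yml, so a non-molecule run would hit an undefined variable unless the parent role provides it; a default of `/etc` in defaults/main.yml would make the role self-contained.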
# Overrides values from the fail2ban.conf configuration file. # Overrides values from the fail2ban.conf configuration file.
# #
# For comments relating to each setting see fail2ban.conf # For comments relating to each setting see fail2ban.conf
# source: https://github.com/nbigot/ansible-fail2ban/blob/master/templates/etc/fail2ban/fail2ban.local.j2
[Definition] [Definition]
...@@ -15,4 +14,4 @@ syslog-facility = {{ fail2ban_syslog_facility }} ...@@ -15,4 +14,4 @@ syslog-facility = {{ fail2ban_syslog_facility }}
socket = {{ fail2ban_socket }} socket = {{ fail2ban_socket }}
pidfile = {{ fail2ban_pidfile }} pidfile = {{ fail2ban_pidfile }}
\ No newline at end of file
# source: https://github.com/nbigot/ansible-fail2ban/blob/master/templates/etc/fail2ban/jail.local.j2 # example-source:
\ No newline at end of file # https://github.com/nbigot/ansible-fail2ban/blob/master/templates/etc/fail2ban/jail.local.j2
...@@ -2,4 +2,4 @@ ...@@ -2,4 +2,4 @@
- hosts: localhost - hosts: localhost
remote_user: root remote_user: root
roles: roles:
- project-template - package.security.fail2ban/
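Review bot: The role reference `package.security.fail2ban/` carries a trailing slash, which does not match the role name used in converge.yml (`package.security.fail2ban`) and looks like a typo that would make Ansible resolve it as a path rather than a role name; change it to `- package.security.fail2ban`. The play also runs as `remote_user: root` on localhost; since the role only needs privilege for the writes into `/etc`, `become: true` on the play is the conventional form and keeps the SSH login non-root when the test is ever pointed at a remote host.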
--- ---
# vars file for project-template # vars file for package.security.fail2ban/
package_packages: ["fail2ban"]
package_services: ["fail2ban.service"]