From 28a835da8f7f2158375cf3a1ed57d16489a48b17 Mon Sep 17 00:00:00 2001
From: Eesaan Atluri <atlurie@uab.edu>
Date: Fri, 24 Jan 2025 14:34:35 -0500
Subject: [PATCH] refactor: Move the fail2ban tasks out of ssh_proxy_config

---
 ansible/roles/fail2ban/tasks/main.yml | 46 +++++++++++++++++++
 ansible/roles/ssh_proxy_config/tasks/main.yml | 42 -----------------
 .../ssh_proxy_config/templates/jail.local.j2 | 7 ---
 3 files changed, 46 insertions(+), 49 deletions(-)
 create mode 100644 ansible/roles/fail2ban/tasks/main.yml
 delete mode 100644 ansible/roles/ssh_proxy_config/templates/jail.local.j2

diff --git a/ansible/roles/fail2ban/tasks/main.yml b/ansible/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..2f7d96e
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,46 @@
+---
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - fail2ban
+    - fail2ban-firewalld
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    backup: true
+  loop:
+    - { src: 'jail.local.j2', dest: '/etc/fail2ban/jail.local' }
+    - { src: 'sshpiperd_filter.local.j2', dest: '/etc/fail2ban/filter.d/sshpiperd.local' }
+    - { src: 'sshpiperd_jail.local.j2', dest: '/etc/fail2ban/jail.d/sshpiperd.local' }
+
+- name: Activate the firewalld support for fail2ban
+  ansible.builtin.command:
+    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
+
+- name: Configure firewalld to allow ssh and sshpiper traffic
+  ansible.posix.firewalld:
+    port: "{{ item }}"
+    zone: public
+    state: enabled
+    permanent: true
+  loop:
+    - 2222/tcp
+    - 22/tcp
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+
+- name: Enable and start fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: restarted
+
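Review bot: The `Configure fail2ban` task renders `jail.local.j2`, `sshpiperd_filter.local.j2` and `sshpiperd_jail.local.j2` from the new fail2ban role, but the diffstat adds nothing under `ansible/roles/fail2ban/templates/` while deleting the only `jail.local.j2` from ssh_proxy_config, so unless those templates already exist in the new role from an earlier commit the task will fail at runtime. The `Install firewalld` task removed from ssh_proxy_config has no counterpart in this file, yet `ansible.posix.firewalld` and the `Enable and start firewalld` task both assume the service is present; adding `firewalld` to the `Install fail2ban` loop is safer than relying on `fail2ban-firewalld` pulling it in. `Activate the firewalld support for fail2ban` runs `mv` unconditionally, so the second run of the role fails once `00-firewalld.conf` no longer exists; adding `creates: /etc/fail2ban/jail.d/00-firewalld.local` under `ansible.builtin.command` makes it idempotent. Both service tasks use `state: restarted`, which restarts firewalld and fail2ban on every run and briefly drops the firewall's runtime state; `state: started` plus a handler notified by the template and firewalld tasks would restart only when something changed.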
diff --git a/ansible/roles/ssh_proxy_config/tasks/main.yml b/ansible/roles/ssh_proxy_config/tasks/main.yml
index fb51f9f..30bac2a 100644
--- a/ansible/roles/ssh_proxy_config/tasks/main.yml
+++ b/ansible/roles/ssh_proxy_config/tasks/main.yml
@@ -10,45 +10,3 @@
     name: sshpiperd
     enabled: true
     state: restarted
-
-- name: Install firewalld
-  ansible.builtin.package:
-    name: firewalld
-    state: present
-
-- name: Configure firewalld
-  ansible.posix.firewalld:
-    port: 2222/tcp
-    zone: public
-    state: enabled
-    permanent: true
-
-- name: Enable and start firewalld
-  ansible.builtin.service:
-    name: firewalld
-    enabled: true
-    state: restarted
-
-- name: Install fail2ban
-  ansible.builtin.package:
-    name: "{{ item }}"
-    state: present
-  loop:
-    - fail2ban
-    - fail2ban-firewalld
-
-- name: Configure fail2ban
-  ansible.builtin.template:
-    src: jail.local.j2
-    dest: "/etc/fail2ban/jail.local"
-    backup: true
-
-- name: Activate the firewall support
-  ansible.builtin.command:
-    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
-
-- name: Enable and start fail2ban
-  ansible.builtin.service:
-    name: fail2ban
-    enabled: true
-    state: restarted
diff --git a/ansible/roles/ssh_proxy_config/templates/jail.local.j2 b/ansible/roles/ssh_proxy_config/templates/jail.local.j2
deleted file mode 100644
index d5898e6..0000000
--- a/ansible/roles/ssh_proxy_config/templates/jail.local.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-[DEFAULT]
-banaction = firewalld
-bantime = 1200
-ignoreip = {{ fail2ban_cidr_list }}
-
-[sshd]
-enabled = true
-- 
GitLab