Merge branch 'feat-add-fail2ban' into 'feat-hpc-factory'

feat: Add tasks to install and config fail2ban

See merge request !145

ansible/group_vars/all

@@ -46,3 +46,4 @@
 # ssh proxy
   enable_ssh_proxy_config: false
   sshpiper_dest_dir: "/opt/sshpiper"
+  fail2ban_cidr_list: "127.0.0.1/8"

ansible/roles/ssh_proxy_config/tasks/main.yml

@@ -11,3 +11,44 @@
     enabled: true
     state: restarted
 
+- name: Install firewalld
+  ansible.builtin.package:
+    name: firewalld
+    state: present
+
+- name: Configure firewalld
+  ansible.posix.firewalld:
+    port: 2222/tcp
+    zone: public
+    state: enabled
+    permanent: true
+
+- name: Enable and start firewalld
+  ansible.builtin.service:
+    name: firewalld
+    enabled: true
+    state: restarted
+
+- name: Install fail2ban
+  ansible.builtin.package:
+    name: "{{ item }}"
+    state: present
+  loop:
+    - fail2ban
+    - fail2ban-firewalld
+
+- name: Configure fail2ban
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: "/etc/fail2ban/jail.local"
+    backup: true
+
+- name: Activate the firewall support
+  ansible.builtin.command:
+    cmd: mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
+
+- name: Enable and start fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: restarted

ansible/roles/ssh_proxy_config/templates/jail.local.j2

+[DEFAULT]
+banaction = firewalld
+bantime  = 1200
+ignoreip = {{ fail2ban_cidr_list }}
+
+[sshd]
+enabled = true