Added support for fail2ban

Author: blackandred

.rkd/makefile.yaml

@@ -94,3 +94,20 @@ tasks:
             export EDITOR=${TEXT_EDITOR};
             ansible-vault edit "${inventory_path}"
             cd inventory && git add host_vars/${ARG_HOST}.yaml
+
+    :node:edit:all-hosts-defaults-config:
+        description: Edit a file that contains common values for all hosts
+        steps: |
+            inventory_path=./inventory/group_vars/all.yaml
+            export EDITOR=${TEXT_EDITOR};
+
+            if [[ ! -f "${inventory_path}" ]]; then
+                %RKD% :node:copy-host-defaults
+            fi
+
+            if [[ "$(cat $inventory_path)" == *"ANSIBLE_VAULT"* ]]; then
+                ansible-vault edit "${inventory_path}"
+                exit 0
+            fi
+
+            ${EDITOR} "${inventory_path}"

.templates/inventory/group_vars/all.yaml

@@ -144,6 +144,21 @@ default_role_logs:
     systemd_max_file_sec: 1month
 
 
+# https://github.com/Oefenweb/ansible-fail2ban
+default_role_fail2ban:
+    fail2ban_dbpurgeage: 86400
+    fail2ban_loglevel: "INFO"
+    fail2ban_logtarget: "SYSLOG"
+    fail2ban_syslog_target: "/var/log/fail2ban.log"
+    fail2ban_ignoreips: [127.0.0.1/8]
+    fail2ban_bantime: 600
+    fail2ban_maxretry: 6
+    fail2ban_services:
+        - name: sshd
+          port: "{{ ansible_ssh_port }}"
+          maxretry: 6
+          bantime: 600
+
 default_role_system_settings:
     timezone: Europe/Rome
     locale: "en_GB.UTF-8"

README.md

@@ -107,15 +107,32 @@ With this combination you can divide access to multiple admins handling administ
 nano .env
 ```
 
-Editing inventory per host
---------------------------
+Editing configuration per host and disabling/enabling roles
+-----------------------------------------------------------
 
 This command will automatically encrypt existing and new file using AES-256 with Ansible Vault.
 
+**Please note: All values there are overriding `group_vars/all.yaml` default values for edited host**
+
+**To disable a role - remove or comment out it's section eg. `role_fail2ban`**
+
+**To enable a role without overriding any values (inheriting all defaults) just add empty section eg. `role_fail2ban: {}`**
+
 ```bash
 rkd :edit:host-config my-host.org
 ```
 
+Setting default values for ALL hosts in inventory (hosts will inherit those values by default)
+----------------------------------------------------------------------------------------------
+
+When a host does not override given value, then it is inherited from global defaults.
+
+*Note: This file you can also encrypt and below command will support encrypted edits*
+
+```bash
+rkd :edit:all-hosts-defaults-config
+```
+
 Deploying
 ---------
 

playbooks/prepare-machine.yml

@@ -88,3 +88,13 @@
 
           - include_role: name=infrastructure-ansible-logs
             tags: logs
+
+      - name: Fail2ban role
+        when: role_fail2ban is defined
+        block:
+          - name: Include required vars
+            set_fact:
+            args: "{{ default_role_fail2ban | combine(role_fail2ban | default({}), recursive=True) }}"
+
+          - include_role: name=oefenweb.fail2ban
+            tags: fail2ban

requirements.yml

@@ -6,3 +6,5 @@ roles:
     - src: blackandred.server_basic_security
     - src: git+https://github.com/riotkit-org/infrastructure-ansible-tweak-os
     - src: blackandred.server_secure_storage
+    - src: oefenweb.fail2ban
+      version: v3.3.14