Merge pull request '[INFO] Créer le dépôt' (#1) from alpha into master

Reviewed-on: #1

README.md

@@ -1,3 +1,68 @@
-# role_modele
+# role_fail2ban
 
-Modèle
+Ce rôle permet d'installation, configurer et supprimer la configuration de fail2ban.
+
+## Variables
+
+### fail2ban_destemail
+
+Adresse IP où seront envoyé les alertes.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+### fail2ban_ignoreip
+
+Liste d'adresse IP qui seront ignorées et donc jamais bannis.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+### fail2ban_ssh_port
+
+Port d'écoute de SSH.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+### fail2ban_templates_*
+
+Liste de templates à déployer.
+
+*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
+
+## Exemple d'utilisation
+
+### inventory.yml
+
+```yaml
+---
+
+all:
+  hosts:
+    host1.ykn.local:
+    host2.ykn.local:
+  children:
+    dnsservers:
+      hosts:
+        dnsmasq1.ykn.local:
+        dnsmasq2.ykn.local:
+```
+
+### group_vars/all.yml
+
+```yaml
+---
+
+fail2ban_destemail: hostmaster@ykn.local
+fail2ban_sender: "{{ inventory_hostname }} <fail2ban@ykn.local>"
+fail2ban_ignoreip: []
+fail2ban_ssh_port: 22
+```
+
+### playbook.yml
+
+```yaml
+---
+
+- hosts: 'all'
+  roles:
+    - name: fail2ban
+```

defaults/main.yml

@@ -0,0 +1,16 @@
+---
+# defaults file for fail2ban
+
+fail2ban_destemail: ""
+fail2ban_sender: ""
+fail2ban_ignoreip: []
+fail2ban_ssh_port: 22
+
+fail2ban_templates: []
+#Exemple:
+#  - src: role_fail2ban/nginx_jail.conf.j2
+#    dest: /etc/fail2ban/jail.d/nginx.conf
+#  - src: role_fail2ban/seafile_jail.conf.j2
+#    dest: /etc/fail2ban/jail.d/seafile.conf
+#  - src: role_fail2ban/seafile_filter.conf.j2
+#    dest: /etc/fail2ban/filter.d/seafile.conf

handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# handlers file for fail2ban
+
+- name: Redémarrer fail2ban.service
+  become: true
+  ansible.builtin.systemd:
+    state: restarted
+    name: fail2ban.service

meta/main.yml

@@ -1,7 +1,7 @@
 galaxy_info:
   namespace: ykn
   author: pulsar89.5
-  description: Rôle modèle
+  description: Rôle de déploiement de fail2ban
 
   license: GPL-3.0-or-later
 
@@ -12,4 +12,5 @@ galaxy_info:
       versions:
         - all
 
-dependencies: []
+dependencies:
+  - role: nftables

tasks/configuration.yml

@@ -0,0 +1,51 @@
+---
+# tasks file for fail2ban
+
+- name: Supprimer la configuration de Debian
+  ansible.builtin.file:
+    state: absent
+    path: /etc/fail2ban/jail.d/defaults-debian.conf
+  become: true
+  notify: Redémarrer fail2ban.service
+
+- name: Déployer la configuration contre la récidive
+  ansible.builtin.template:
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    src: recidive.conf.j2
+    dest: /etc/fail2ban/fail2ban.d/recidive.conf
+  become: true
+  notify: Redémarrer fail2ban.service
+
+- name: Déployer la configuration de base
+  ansible.builtin.template:
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    src: 01-base.conf.j2
+    dest: /etc/fail2ban/jail.d/01-base.conf
+  become: true
+  notify: Redémarrer fail2ban.service
+
+- name: Construire la liste des templates à déployer
+  ansible.builtin.set_fact:
+    fail2ban_templates: "{{ fail2ban_templates + specific }}"
+  when: specific | length > 0
+  loop: "{{ lookup('ansible.builtin.varnames', '^fail2ban_templates_.+', wantlist=True) }}"
+  vars:
+    specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+
+- name: Déployer les fichiers de configuration
+  ansible.builtin.template:
+    owner: root
+    group: root
+    mode: u=rw,g=,o=
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+  when: fail2ban_templates | length > 0 
+  loop: "{{ fail2ban_templates }}"
+  loop_control:
+    label: "{{ item.dest }}"
+  become: true
+  notify: Redémarrer fail2ban.service

tasks/installation.yml

@@ -0,0 +1,7 @@
+---
+# tasks file for fail2ban
+
+- name: Installer le paquet
+  ansible.builtin.apt:
+    name: fail2ban
+  become: true

tasks/main.yml

@@ -0,0 +1,10 @@
+---
+# tasks file for dnsmasq
+
+- name: Importer les tâches d'installation
+  tags: installation
+  ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+  tags: configuration
+  ansible.builtin.import_tasks: configuration.yml

templates/01-base.conf.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[DEFAULT]
+# nftables
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+
+# rules
+findtime = 3600
+bantime = 86400
+maxretry = 3
+
+# notification
+destemail = {{ fail2ban_destemail }}
+sender = {{ fail2ban_sender }}
+action = %(action_mwl)s
+
+ignoreip = 127.0.0.1/8, ::1/128, {{ fail2ban_ignoreip | join(', ') }}
+
+[sshd]
+enabled = true
+port = {{ fail2ban_ssh_port }}
+
+[recidive]
+enabled = true

templates/recidive.conf.j2

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+[Definition]
+loglevel = ERROR
+dbpurgeage = 8d