Merge pull request '[INFO] Créer le dépôt' (#1) from alpha into master

Reviewed-on: #1
This commit is contained in:
pulsar89.5 2023-05-24 09:46:45 +00:00
commit 2fd414d1b1
9 changed files with 192 additions and 4 deletions


@ -1,3 +1,68 @@
# role_modele
# role_fail2ban
Modèle
Ce rôle permet d'installation, configurer et supprimer la configuration de fail2ban.
## Variables
### fail2ban_destemail
Adresse IP où seront envoyé les alertes.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### fail2ban_ignoreip
Liste d'adresse IP qui seront ignorées et donc jamais bannis.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### fail2ban_ssh_port
Port d'écoute de SSH.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
### fail2ban_templates_*
Liste de templates à déployer.
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
## Exemple d'utilisation
### inventory.yml
```yaml
---
all:
hosts:
host1.ykn.local:
host2.ykn.local:
children:
dnsservers:
hosts:
dnsmasq1.ykn.local:
dnsmasq2.ykn.local:
```
### group_vars/all.yml
```yaml
---
fail2ban_destemail: hostmaster@ykn.local
fail2ban_sender: "{{ inventory_hostname }} <fail2ban@ykn.local>"
fail2ban_ignoreip: []
fail2ban_ssh_port: 22
```
### playbook.yml
```yaml
---
- hosts: 'all'
roles:
- name: fail2ban
```

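--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+# defaults file for fail2ban
+fail2ban_destemail: ""
+fail2ban_sender: ""
+fail2ban_ignoreip: []
+fail2ban_ssh_port: 22
+fail2ban_templates: []
+#Exemple:
+# - src: role_fail2ban/nginx_jail.conf.j2
+# dest: /etc/fail2ban/jail.d/nginx.conf
+# - src: role_fail2ban/seafile_jail.conf.j2
+# dest: /etc/fail2ban/jail.d/seafile.conf
+# - src: role_fail2ban/seafile_filter.conf.j2
+# dest: /etc/fail2ban/filter.d/seafile.conf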
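Review bot: The `#Exemple:` block documents only `fail2ban_templates`, but tasks/configuration.yml also merges every variable whose name matches `^fail2ban_templates_.+` into that list via the `varnames` lookup, and that per-group hook is the only thing backing the `fail2ban_templates_*` entry in the README; a line here such as `# Any fail2ban_templates_<suffix> variable (e.g. from group_vars) is merged into this list by configuration.yml.` would make the contract visible where users look for it. The `#Exemple:` comment is also missing the space after `#` that the other comments in the role use.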
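--- a/handlers/main.yml
+++ b/handlers/main.yml
+---
+# handlers file for fail2ban
+- name: Redémarrer fail2ban.service
+become: true
+ansible.builtin.systemd:
+state: restarted
+name: fail2ban.service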
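Review bot: `state: restarted` stops the server before starting it, and fail2ban's stop path runs each jail's `actionstop`, which for the nftables actions removes the ban sets, so every active ban is lifted until the restarted server restores it from its sqlite database (bans survive via `dbfile` on 0.10+, but the unprotected window is still there on each config change). The packaged unit provides an `ExecReload` (`fail2ban-client reload`) that re-reads jail.d without tearing the sets down, so a `state: reloaded` handler for the jail.d templates, keeping a full restart only for the server-level files under fail2ban.d, would be gentler; confirm the installed unit has the reload hook before switching.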

@ -1,7 +1,7 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
description: Rôle modèle
description: Rôle de déploiement de fail2ban
license: GPL-3.0-or-later
@ -12,4 +12,5 @@ galaxy_info:
versions:
- all
dependencies: []
dependencies:
- role: nftables

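--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
+---
+# tasks file for fail2ban
+- name: Supprimer la configuration de Debian
+ansible.builtin.file:
+state: absent
+path: /etc/fail2ban/jail.d/defaults-debian.conf
+become: true
+notify: Redémarrer fail2ban.service
+- name: Déployer la configuration contre la récidive
+ansible.builtin.template:
+owner: root
+group: root
+mode: u=rw,g=,o=
+src: recidive.conf.j2
+dest: /etc/fail2ban/fail2ban.d/recidive.conf
+become: true
+notify: Redémarrer fail2ban.service
+- name: Déployer la configuration de base
+ansible.builtin.template:
+owner: root
+group: root
+mode: u=rw,g=,o=
+src: 01-base.conf.j2
+dest: /etc/fail2ban/jail.d/01-base.conf
+become: true
+notify: Redémarrer fail2ban.service
+- name: Construire la liste des templates à déployer
+ansible.builtin.set_fact:
+fail2ban_templates: "{{ fail2ban_templates + specific }}"
+when: specific | length > 0
+loop: "{{ lookup('ansible.builtin.varnames', '^fail2ban_templates_.+', wantlist=True) }}"
+vars:
+specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+- name: Déployer les fichiers de configuration
+ansible.builtin.template:
+owner: root
+group: root
+mode: u=rw,g=,o=
+src: "{{ item.src }}"
+dest: "{{ item.dest }}"
+when: fail2ban_templates | length > 0
+loop: "{{ fail2ban_templates }}"
+loop_control:
+label: "{{ item.dest }}"
+become: true
+notify: Redémarrer fail2ban.service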
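Review bot: The last task writes `{{ item.dest }}` as root to whatever path the merged `fail2ban_templates` list carries, and nothing checks the rendered result before the restart handler fires at the end of the play, so a typo in a jail template takes fail2ban down (the handler fails, but only after the broken file is already on disk) and a stray `dest` lands a root-owned file anywhere on the host. Inventory is trusted input, but both are cheap to guard: assert that every `dest` lives under `/etc/fail2ban/` before deploying, and run `fail2ban-client --test` (available on 0.10+, which Debian 10 and later ship) right after the template tasks so the config is validated before the handler restarts the service. The added tasks below go around the existing "Déployer les fichiers de configuration" task.

```yaml
- name: Refuser les destinations hors de /etc/fail2ban
  ansible.builtin.assert:
    that: fail2ban_templates | map(attribute='dest') | reject('match', '^/etc/fail2ban/') | list | length == 0
    fail_msg: "fail2ban_templates: chaque dest doit être sous /etc/fail2ban/"
  when: fail2ban_templates | length > 0
# … unchanged: "Déployer les fichiers de configuration" task …
- name: Vérifier la configuration de fail2ban avant redémarrage
  ansible.builtin.command: fail2ban-client --test
  changed_when: false
  become: true
```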
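--- a/tasks/installation.yml
+++ b/tasks/installation.yml
+---
+# tasks file for fail2ban
+- name: Installer le paquet
+ansible.builtin.apt:
+name: fail2ban
+become: true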
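Review bot: The apt task installs the package but the role never asserts that `fail2ban.service` is enabled and running; the Debian package starts it on first install, but a host where the unit was later stopped, masked or failed to start stays unprotected while the play reports success, and the restart handler only fires when one of the templates actually changes. Add a service task after the install so the desired state is enforced on every run, not just on first install or on config change.

```yaml
# … unchanged: "Installer le paquet" task …
- name: Activer et démarrer fail2ban.service
  ansible.builtin.systemd:
    name: fail2ban.service
    enabled: true
    state: started
  become: true
```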
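--- a/tasks/main.yml
+++ b/tasks/main.yml
+---
+# tasks file for dnsmasq
+- name: Importer les tâches d'installation
+tags: installation
+ansible.builtin.import_tasks: installation.yml
+- name: Importer les tâches de configuration
+tags: configuration
+ansible.builtin.import_tasks: configuration.yml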
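Review bot: The header comment `# tasks file for dnsmasq` is a leftover from the role this one was cloned from and contradicts the other task files, which say `# tasks file for fail2ban`; change it to `# tasks file for fail2ban` so the file does not look like it was copied by mistake. The import/tag structure itself is fine.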
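--- a/templates/01-base.conf.j2
+++ b/templates/01-base.conf.j2
+# {{ ansible_managed }}
+[DEFAULT]
+# nftables
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+# rules
+findtime = 3600
+bantime = 86400
+maxretry = 3
+# notification
+destemail = {{ fail2ban_destemail }}
+sender = {{ fail2ban_sender }}
+action = %(action_mwl)s
+ignoreip = 127.0.0.1/8, ::1/128, {{ fail2ban_ignoreip | join(', ') }}
+[sshd]
+enabled = true
+port = {{ fail2ban_ssh_port }}
+[recidive]
+enabled = true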
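Review bot: `action = %(action_mwl)s` makes every ban run the `sendmail-whois-lines` action, which needs a working `sendmail` MTA and the `whois` binary on the host, yet the role installs only the `fail2ban` package, and with the role defaults `destemail =` and `sender =` render empty, so on a bare host the notification step errors on each ban and no alert ever reaches an operator. The whois step also sends every banned IP to an external registry on each ban, which is a choice worth making explicitly rather than by default. Either install the MTA and whois alongside and default `fail2ban_destemail` to a real address, or only opt into mail when one is configured: `action = {{ '%(action_mwl)s' if fail2ban_destemail else '%(action_)s' }}`. Separately, on Debian hosts that no longer ship rsyslog (no /var/log/auth.log) the `[sshd]` jail cannot find a log file and fail2ban refuses to start unless `backend = systemd` is set in `[DEFAULT]`; worth verifying against the target release before this goes to production.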

@ -0,0 +1,5 @@
# {{ ansible_managed }}
[Definition]
loglevel = ERROR
dbpurgeage = 8d
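Review bot: `loglevel = ERROR` suppresses the `NOTICE [jail] Ban <ip>` lines that fail2ban writes to /var/log/fail2ban.log, and the stock `recidive` filter matches exactly those lines, so the `[recidive]` jail that 01-base.conf.j2 enables can never trigger, and the per-host audit trail of bans disappears with it. Keep at least `loglevel = NOTICE` (the shipped fail2ban.conf uses INFO) in this file; `dbpurgeage = 8d` is the right complement for recidive's one-week bantime and can stay. The rendered section may continue past what is visible here, but the point holds regardless.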