Merge pull request '[INFO] Créer le dépôt' (#1) from alpha into master
Reviewed-on: #1
commit
2fd414d1b1
69
README.md
69
README.md
@ -1,3 +1,68 @@
|
||||
# role_modele
|
||||
# role_fail2ban
|
||||
|
||||
Modèle
|
||||
Ce rôle permet d'installation, configurer et supprimer la configuration de fail2ban.
|
||||
|
||||
## Variables
|
||||
|
||||
### fail2ban_destemail
|
||||
|
||||
Adresse IP où seront envoyé les alertes.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### fail2ban_ignoreip
|
||||
|
||||
Liste d'adresse IP qui seront ignorées et donc jamais bannis.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### fail2ban_ssh_port
|
||||
|
||||
Port d'écoute de SSH.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
### fail2ban_templates_*
|
||||
|
||||
Liste de templates à déployer.
|
||||
|
||||
*<span style="text-decoration: underline">Valeur par défaut:</span> aucune*
|
||||
|
||||
## Exemple d'utilisation
|
||||
|
||||
### inventory.yml
|
||||
|
||||
```yaml
|
||||
---
|
||||
|
||||
all:
|
||||
hosts:
|
||||
host1.ykn.local:
|
||||
host2.ykn.local:
|
||||
children:
|
||||
dnsservers:
|
||||
hosts:
|
||||
dnsmasq1.ykn.local:
|
||||
dnsmasq2.ykn.local:
|
||||
```
|
||||
|
||||
### group_vars/all.yml
|
||||
|
||||
```yaml
|
||||
---
|
||||
|
||||
fail2ban_destemail: hostmaster@ykn.local
|
||||
fail2ban_sender: "{{ inventory_hostname }} <fail2ban@ykn.local>"
|
||||
fail2ban_ignoreip: []
|
||||
fail2ban_ssh_port: 22
|
||||
```
|
||||
|
||||
### playbook.yml
|
||||
|
||||
```yaml
|
||||
---
|
||||
|
||||
- hosts: 'all'
|
||||
roles:
|
||||
- name: fail2ban
|
||||
```
|
||||
|
16
defaults/main.yml
Normal file
16
defaults/main.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
# defaults file for fail2ban
|
||||
|
||||
fail2ban_destemail: ""
|
||||
fail2ban_sender: ""
|
||||
fail2ban_ignoreip: []
|
||||
fail2ban_ssh_port: 22
|
||||
|
||||
fail2ban_templates: []
|
||||
#Exemple:
|
||||
# - src: role_fail2ban/nginx_jail.conf.j2
|
||||
# dest: /etc/fail2ban/jail.d/nginx.conf
|
||||
# - src: role_fail2ban/seafile_jail.conf.j2
|
||||
# dest: /etc/fail2ban/jail.d/seafile.conf
|
||||
# - src: role_fail2ban/seafile_filter.conf.j2
|
||||
# dest: /etc/fail2ban/filter.d/seafile.conf
|
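Review bot: The empty-string defaults for `fail2ban_destemail` and `fail2ban_sender` are rendered verbatim into `destemail =` and `sender =` by templates/01-base.conf.j2, which also selects `action = %(action_mwl)s`, so a host that keeps these defaults gets a mail-on-ban action with no recipient and the alert channel silently does nothing. Either fail early with an `ansible.builtin.assert` on both variables at the top of tasks/configuration.yml, or state the contract next to the defaults: `# Required per host: action_mwl sends a mail for every ban to this address`. Separately, `#Exemple:` should be `# Exemple:` (space after the hash), and the example entries presumably had their `dest:` indented under `src:` before this rendering flattened them; keep that alignment in the file so the example stays copy-pasteable.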
8
handlers/main.yml
Normal file
8
handlers/main.yml
Normal file
@ -0,0 +1,8 @@
|
||||
---
|
||||
# handlers file for fail2ban
|
||||
|
||||
- name: Redémarrer fail2ban.service
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
state: restarted
|
||||
name: fail2ban.service
|
@ -1,7 +1,7 @@
|
||||
galaxy_info:
|
||||
namespace: ykn
|
||||
author: pulsar89.5
|
||||
description: Rôle modèle
|
||||
description: Rôle de déploiement de fail2ban
|
||||
|
||||
license: GPL-3.0-or-later
|
||||
|
||||
@ -12,4 +12,5 @@ galaxy_info:
|
||||
versions:
|
||||
- all
|
||||
|
||||
dependencies: []
|
||||
dependencies:
|
||||
- role: nftables
|
||||
|
51
tasks/configuration.yml
Normal file
51
tasks/configuration.yml
Normal file
@ -0,0 +1,51 @@
|
||||
---
|
||||
# tasks file for fail2ban
|
||||
|
||||
- name: Supprimer la configuration de Debian
|
||||
ansible.builtin.file:
|
||||
state: absent
|
||||
path: /etc/fail2ban/jail.d/defaults-debian.conf
|
||||
become: true
|
||||
notify: Redémarrer fail2ban.service
|
||||
|
||||
- name: Déployer la configuration contre la récidive
|
||||
ansible.builtin.template:
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
src: recidive.conf.j2
|
||||
dest: /etc/fail2ban/fail2ban.d/recidive.conf
|
||||
become: true
|
||||
notify: Redémarrer fail2ban.service
|
||||
|
||||
- name: Déployer la configuration de base
|
||||
ansible.builtin.template:
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
src: 01-base.conf.j2
|
||||
dest: /etc/fail2ban/jail.d/01-base.conf
|
||||
become: true
|
||||
notify: Redémarrer fail2ban.service
|
||||
|
||||
- name: Construire la liste des templates à déployer
|
||||
ansible.builtin.set_fact:
|
||||
fail2ban_templates: "{{ fail2ban_templates + specific }}"
|
||||
when: specific | length > 0
|
||||
loop: "{{ lookup('ansible.builtin.varnames', '^fail2ban_templates_.+', wantlist=True) }}"
|
||||
vars:
|
||||
specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
|
||||
|
||||
- name: Déployer les fichiers de configuration
|
||||
ansible.builtin.template:
|
||||
owner: root
|
||||
group: root
|
||||
mode: u=rw,g=,o=
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
when: fail2ban_templates | length > 0
|
||||
loop: "{{ fail2ban_templates }}"
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
become: true
|
||||
notify: Redémarrer fail2ban.service
|
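Review bot: The first task removes `/etc/fail2ban/jail.d/defaults-debian.conf` unconditionally, but neither this file nor templates/01-base.conf.j2 sets a `backend` for the `[sshd]` jail; on Debian releases where that distribution file is what selects `backend = systemd` for sshd (hosts without rsyslog have no `/var/log/auth.log`), the jail will fail to start after the handler restart and no SSH bans happen at all. Consider adding `backend = systemd` under `[DEFAULT]` (or `[sshd]`) in 01-base.conf.j2, and keep the removal of the Debian defaults explicitly documented: `# Debian's jail.d/defaults-debian.conf is replaced by 01-base.conf; it normally enables the sshd jail and may select its log backend`. The "Construire la liste des templates" task also assumes every `fail2ban_templates_*` value is a list, since `fail2ban_templates + specific` raises on a string; a guard such as `when: specific | type_debug == 'list' and specific | length > 0` would give a clearer failure than a Jinja concatenation error.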
7
tasks/installation.yml
Normal file
7
tasks/installation.yml
Normal file
@ -0,0 +1,7 @@
|
||||
---
|
||||
# tasks file for fail2ban
|
||||
|
||||
- name: Installer le paquet
|
||||
ansible.builtin.apt:
|
||||
name: fail2ban
|
||||
become: true
|
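Review bot: The apt task relies on the module's implicit `state: present`, which reads as an omission next to the explicitly stated `become: true`; write it out, `state: present`, so the intent is visible and a later change to `latest` is a deliberate diff. Whether an `update_cache` is needed on first run depends on how hosts are provisioned, which this hunk cannot show; if the role is the first apt operation on fresh hosts, `update_cache: true` with a `cache_valid_time` avoids a stale-index failure.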
10
tasks/main.yml
Normal file
10
tasks/main.yml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
# tasks file for dnsmasq
|
||||
|
||||
- name: Importer les tâches d'installation
|
||||
tags: installation
|
||||
ansible.builtin.import_tasks: installation.yml
|
||||
|
||||
- name: Importer les tâches de configuration
|
||||
tags: configuration
|
||||
ansible.builtin.import_tasks: configuration.yml
|
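Review bot: The header comment `# tasks file for dnsmasq` is a leftover from the template role this file was copied from; every sibling file in this commit says `# tasks file for fail2ban`, so this one should read `# tasks file for fail2ban` as well. Nothing else in the hunk depends on it, but a wrong file header is the first thing a reader uses to confirm they are in the right role.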
25
templates/01-base.conf.j2
Normal file
25
templates/01-base.conf.j2
Normal file
@ -0,0 +1,25 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[DEFAULT]
|
||||
# nftables
|
||||
banaction = nftables-multiport
|
||||
banaction_allports = nftables-allports
|
||||
|
||||
# rules
|
||||
findtime = 3600
|
||||
bantime = 86400
|
||||
maxretry = 3
|
||||
|
||||
# notification
|
||||
destemail = {{ fail2ban_destemail }}
|
||||
sender = {{ fail2ban_sender }}
|
||||
action = %(action_mwl)s
|
||||
|
||||
ignoreip = 127.0.0.1/8, ::1/128, {{ fail2ban_ignoreip | join(', ') }}
|
||||
|
||||
[sshd]
|
||||
enabled = true
|
||||
port = {{ fail2ban_ssh_port }}
|
||||
|
||||
[recidive]
|
||||
enabled = true
|
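Review bot: The `ignoreip` line renders with a dangling separator, `ignoreip = 127.0.0.1/8, ::1/128, `, whenever `fail2ban_ignoreip` is the documented default `[]`; fail2ban's tokenizer appears to tolerate the empty trailing entry, but the rendered file looks broken and any stricter parser or linter will flag it. Building the whole list in Jinja avoids the special case: `ignoreip = {{ (['127.0.0.1/8', '::1/128'] + fail2ban_ignoreip) | join(', ') }}`. The `[sshd]` section sets only `enabled` and `port`; if the hosts do not ship an sshd log file (see the note on tasks/configuration.yml about the deleted Debian defaults), a `backend = systemd` here is what keeps the jail alive.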
5
templates/recidive.conf.j2
Normal file
5
templates/recidive.conf.j2
Normal file
@ -0,0 +1,5 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Definition]
|
||||
loglevel = ERROR
|
||||
dbpurgeage = 8d
|
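Review bot: `loglevel = ERROR` in this fail2ban.d override drops the NOTICE-level `Ban`/`Unban` lines from fail2ban's own log, which, as far as I can tell, is exactly the log the `[recidive]` jail enabled in 01-base.conf.j2 parses to detect repeat offenders, so the recidive jail would never match; it also removes the ban events that a log-collection or SIEM pipeline would rely on. Leaving the default loglevel (INFO) or setting `loglevel = NOTICE` keeps ban visibility while staying quiet otherwise. The file name `recidive.conf` also suggests a jail definition, while the `[Definition]` section holds daemon-wide options; a comment such as `# Overrides for fail2ban.conf (daemon settings), not a jail; dbpurgeage must cover the recidive findtime` would prevent that confusion.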