diff --git a/README.md b/README.md
index 3edfbf7..ef3e85c 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,68 @@
-# role_modele
+# role_fail2ban
-Modèle
\ No newline at end of file
+Ce rôle permet d'installation, configurer et supprimer la configuration de fail2ban.
+
+## Variables
+
+### fail2ban_destemail
+
+Adresse IP où seront envoyé les alertes.
+
+*Valeur par défaut: aucune*
+
+### fail2ban_ignoreip
+
+Liste d'adresse IP qui seront ignorées et donc jamais bannis.
+
+*Valeur par défaut: aucune*
+
+### fail2ban_ssh_port
+
+Port d'écoute de SSH.
+
+*Valeur par défaut: aucune*
+
+### fail2ban_templates_*
+
+Liste de templates à déployer.
+
+*Valeur par défaut: aucune*
+
+## Exemple d'utilisation
+
+### inventory.yml
+
+```yaml
+---
+
+all:
+ hosts:
+ host1.ykn.local:
+ host2.ykn.local:
+ children:
+ dnsservers:
+ hosts:
+ dnsmasq1.ykn.local:
+ dnsmasq2.ykn.local:
+```
+
+### group_vars/all.yml
+
+```yaml
+---
+
+fail2ban_destemail: hostmaster@ykn.local
+fail2ban_sender: "{{ inventory_hostname }} "
+fail2ban_ignoreip: []
+fail2ban_ssh_port: 22
+```
+
+### playbook.yml
+
+```yaml
+---
+
+- hosts: 'all'
+ roles:
+ - name: fail2ban
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..978acf2
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+# defaults file for fail2ban
+
+fail2ban_destemail: ""
+fail2ban_sender: ""
+fail2ban_ignoreip: []
+fail2ban_ssh_port: 22
+
+fail2ban_templates: []
+#Exemple:
+# - src: role_fail2ban/nginx_jail.conf.j2
+# dest: /etc/fail2ban/jail.d/nginx.conf
+# - src: role_fail2ban/seafile_jail.conf.j2
+# dest: /etc/fail2ban/jail.d/seafile.conf
+# - src: role_fail2ban/seafile_filter.conf.j2
+# dest: /etc/fail2ban/filter.d/seafile.conf
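Review bot: The `#Exemple:` comment on the `fail2ban_templates` entry lacks the space after `#` that every other comment in this file uses; write `# Exemple:` so yamllint's `comments` rule passes and the style stays uniform. The empty-string defaults for `fail2ban_destemail` and `fail2ban_sender` are rendered verbatim into the jail configuration by templates/01-base.conf.j2, so a short comment here such as `# laisser vide pour désactiver les notifications par mail` would tell operators what an empty value means, assuming the template is adjusted to honour it.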
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..aa50364
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# handlers file for fail2ban
+
+- name: Redémarrer fail2ban.service
+ become: true
+ ansible.builtin.systemd:
+ state: restarted
+ name: fail2ban.service
diff --git a/meta/main.yml b/meta/main.yml
index c58bebf..7154c67 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
galaxy_info:
namespace: ykn
author: pulsar89.5
- description: Rôle modèle
+ description: Rôle de déploiement de fail2ban
license: GPL-3.0-or-later
@@ -12,4 +12,5 @@ galaxy_info:
versions:
- all
-dependencies: []
+dependencies:
+ - role: nftables
diff --git a/tasks/configuration.yml b/tasks/configuration.yml
new file mode 100644
index 0000000..e024aa2
--- /dev/null
+++ b/tasks/configuration.yml
@@ -0,0 +1,51 @@
+---
+# tasks file for fail2ban
+
+- name: Supprimer la configuration de Debian
+ ansible.builtin.file:
+ state: absent
+ path: /etc/fail2ban/jail.d/defaults-debian.conf
+ become: true
+ notify: Redémarrer fail2ban.service
+
+- name: Déployer la configuration contre la récidive
+ ansible.builtin.template:
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ src: recidive.conf.j2
+ dest: /etc/fail2ban/fail2ban.d/recidive.conf
+ become: true
+ notify: Redémarrer fail2ban.service
+
+- name: Déployer la configuration de base
+ ansible.builtin.template:
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ src: 01-base.conf.j2
+ dest: /etc/fail2ban/jail.d/01-base.conf
+ become: true
+ notify: Redémarrer fail2ban.service
+
+- name: Construire la liste des templates à déployer
+ ansible.builtin.set_fact:
+ fail2ban_templates: "{{ fail2ban_templates + specific }}"
+ when: specific | length > 0
+ loop: "{{ lookup('ansible.builtin.varnames', '^fail2ban_templates_.+', wantlist=True) }}"
+ vars:
+ specific: "{{ lookup('ansible.builtin.vars', item, default='') }}"
+
+- name: Déployer les fichiers de configuration
+ ansible.builtin.template:
+ owner: root
+ group: root
+ mode: u=rw,g=,o=
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ when: fail2ban_templates | length > 0
+ loop: "{{ fail2ban_templates }}"
+ loop_control:
+ label: "{{ item.dest }}"
+ become: true
+ notify: Redémarrer fail2ban.service
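Review bot: The `when: fail2ban_templates | length > 0` on the last task is redundant, because a `loop` over an empty list already produces no iterations, and can be dropped. In the `set_fact` task, `specific` falls back to `''` when the lookup misses and the `when` guards that, but a `fail2ban_templates_*` variable that is a string or a mapping rather than a list would make `fail2ban_templates + specific` either fail or concatenate unexpectedly; a stricter guard such as `when: specific is not string and specific is sequence and specific | length > 0` makes the contract explicit. The task deploying recidive.conf writes into `/etc/fail2ban/fail2ban.d/`, which I believe the Debian package creates but which is not ensured by this role; an `ansible.builtin.file: state: directory` task before it would make the role self-contained.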
diff --git a/tasks/installation.yml b/tasks/installation.yml
new file mode 100644
index 0000000..6515c95
--- /dev/null
+++ b/tasks/installation.yml
@@ -0,0 +1,7 @@
+---
+# tasks file for fail2ban
+
+- name: Installer le paquet
+ ansible.builtin.apt:
+ name: fail2ban
+ become: true
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..3080357
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+# tasks file for dnsmasq
+
+- name: Importer les tâches d'installation
+ tags: installation
+ ansible.builtin.import_tasks: installation.yml
+
+- name: Importer les tâches de configuration
+ tags: configuration
+ ansible.builtin.import_tasks: configuration.yml
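Review bot: The header comment `# tasks file for dnsmasq` is a leftover from the template role this was copied from; the sibling files use `# tasks file for fail2ban`, so change it to match.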
diff --git a/templates/01-base.conf.j2 b/templates/01-base.conf.j2
new file mode 100644
index 0000000..d29d6c0
--- /dev/null
+++ b/templates/01-base.conf.j2
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+[DEFAULT]
+# nftables
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+
+# rules
+findtime = 3600
+bantime = 86400
+maxretry = 3
+
+# notification
+destemail = {{ fail2ban_destemail }}
+sender = {{ fail2ban_sender }}
+action = %(action_mwl)s
+
+ignoreip = 127.0.0.1/8, ::1/128, {{ fail2ban_ignoreip | join(', ') }}
+
+[sshd]
+enabled = true
+port = {{ fail2ban_ssh_port }}
+
+[recidive]
+enabled = true
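Review bot: `action = %(action_mwl)s` is set unconditionally while `destemail` and `sender` are rendered straight from `fail2ban_destemail` and `fail2ban_sender`, whose defaults in defaults/main.yml are empty strings; with those defaults every ban triggers a mail action with an empty recipient, which fail2ban will attempt and log as an error on each ban rather than simply banning. Guarding the notification block on `fail2ban_destemail` and falling back to fail2ban's ban-only `%(action_)s` keeps the default deployment clean. The `ignoreip` line also renders a trailing `, ` when `fail2ban_ignoreip` is empty; fail2ban appears to tolerate this, but `{% if fail2ban_ignoreip %}, {{ fail2ban_ignoreip | join(', ') }}{% endif %}` avoids relying on it.
```jinja
# notification
{% if fail2ban_destemail %}
destemail = {{ fail2ban_destemail }}
sender = {{ fail2ban_sender }}
action = %(action_mwl)s
{% else %}
action = %(action_)s
{% endif %}
{# … unchanged: ignoreip, [sshd], [recidive] … #}
```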
diff --git a/templates/recidive.conf.j2 b/templates/recidive.conf.j2
new file mode 100644
index 0000000..56ae0c9
--- /dev/null
+++ b/templates/recidive.conf.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+[Definition]
+loglevel = ERROR
+dbpurgeage = 8d
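Review bot: `loglevel = ERROR` suppresses fail2ban's ban and unban events, which it logs at NOTICE level, so `/var/log/fail2ban.log` will no longer record who was banned or when; that removes the primary audit trail used for detection and incident review, leaving only the sqlite database and `fail2ban-client status`. Unless the intent is specifically to silence these lines, keep the default `loglevel = INFO` or at least `NOTICE`, and add a comment explaining the choice if ERROR is retained. `dbpurgeage = 8d` is consistent with the `[recidive]` jail enabled in 01-base.conf.j2, whose default bantime is one week, so a comment such as `# doit rester >= bantime de la jail recidive (1w)` would document why the value was chosen.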