diff --git a/CHANGELOG.md b/CHANGELOG.md
index 81e0003..9acf63a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
 * Gentoo-specific variables
 * Ability to specify nft binary path through **nft__bin_location**
+* Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
 
 ### Removed
 * Remove everything related to **in_udp_accept** (see conversation in PR #13).
diff --git a/defaults/main.yml b/defaults/main.yml
index 75904ee..7ba5bc4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -562,6 +562,17 @@ nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
 # The directives will be ignored.
 nft__service_protect: true
 # ]]]
+
+# .. envvar:: nft__fail2ban_service_unit_path [[[
+#
+# Path to store Fail2Ban custom conf.
+nft__fail2ban_service_unit_path: '/etc/systemd/system/fail2ban.service.d/override.conf'
+ # ]]]
+# .. envvar:: nft__fail2ban_service_unit_content [[[
+#
+# Template used to provide systemd custom conf for Fail2Ban service.
+nft__fail2ban_service_unit_content: 'etc/systemd/system/fail2ban.service.d/override.conf.j2'
+ # ]]]
 # .. envvar:: nft__fail2ban_service [[[
 #
 # If the Nftables systemd unit should also restart Fail2ban service. Possible
@@ -574,6 +585,7 @@ nft__service_protect: true
 # Any Nftables service (re)start will also restart Fail2ban service.
 nft__fail2ban_service: False
 # ]]]
+ #
 # .. envvar:: nft_debug [[[
 #
 # Toggle on/off more verbose output. Possible options are:
diff --git a/handlers/main.yml b/handlers/main.yml
index cb7e015..bfebe7b 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
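Review bot: The comment on `nft__fail2ban_service_unit_path` in the defaults/main.yml hunk at -562 does not say that the value must stay a `.conf` file inside a drop-in directory named after the unit (`fail2ban.service.d/`), which is the only form systemd applies as an override; a reader could treat it as an arbitrary path. I would replace the one-line comment with `# Must be a *.conf file in a fail2ban.service.d/ drop-in directory, otherwise systemd ignores it.`. `nft__fail2ban_service_unit_content` is consumed by the `template` task's `src:`, so it is relative to the role's `templates/` directory, and `# Relative to this role's templates/ directory.` would make that explicit. The -574 hunk of the same file only adds a blank line and needs nothing.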
@@ -4,7 +4,8 @@
 # (re)Start will be called at first run
 - name: Restart nftables service
   systemd:
-    daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}'
+    daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
+                   (nftables__register_fail2ban_service.changed | default(False)) }}'
     state: 'restarted'
     name: '{{ nft_service_name }}'
     enabled: '{{ nft_service_enabled }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index 3746cc7..0d260d7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -185,4 +185,29 @@
   register: nftables__register_systemd_service
   when: (nft_enabled|bool and nft_service_manage|bool)
-  notify: ['Restart nftables service']
\ No newline at end of file
+  notify: ['Restart nftables service']
+
+# Manage custom fail2ban service [[[1
+- name: Create Fail2Ban custom directory for systemd service
+  file:
+    path: "{{ nft__fail2ban_service_unit_path | dirname }}"
+    state: directory
+    recurse: yes
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - nft__fail2ban_service|bool
+
+- name: Install Debian Fail2Ban custom service
+  template:
+    src: '{{ nft__fail2ban_service_unit_content }}'
+    dest: '{{ nft__fail2ban_service_unit_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: nftables__register_fail2ban_service
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - nft__fail2ban_service|bool
+  notify: ['Restart nftables service']
diff --git a/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
new file mode 100644
index 0000000..25eb25f
--- /dev/null
+++ b/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+PartOf=firewalld.service nftables.service
+
+[Install]
+WantedBy=multi-user.target nftables.service
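Review bot: The widened `daemon_reload` expression in the handlers/main.yml hunk is not explained, and a maintainer of the nftables handler will not see why a fail2ban register is consulted here. The reason is that a changed drop-in is only seen by systemd after a daemon-reload, and the restart that follows needs the new `PartOf=` relation to propagate to fail2ban; `# Also reload when the fail2ban drop-in changed, so the restart below propagates to fail2ban.` above `daemon_reload:` would record that. The handler's list item may continue past the hunk, so I cannot tell whether anything else depends on the register.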
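Review bot: `recurse: yes` on the new directory task in tasks/main.yml does not create parent directories — `state: directory` already does that on its own — it recursively rewrites ownership and mode of everything beneath the path, which is not what the task name describes, so it should go, and the directory should get the same explicit `owner: 'root'`, `group: 'root'`, `mode: '0755'` that the template task below gives the file. There is also no counterpart for `nft__fail2ban_service: False`: once the drop-in has been installed, turning the variable off leaves the override in place and fail2ban stays coupled to nftables, so an `absent` task under the inverse condition is needed to make the setting reversible, and its register has to be OR-ed into the handler's `daemon_reload` expression as well (it must not reuse `nftables__register_fail2ban_service`, since a skipped task still overwrites the register). The task name `Install Debian Fail2Ban custom service` is misleading because nothing in it is Debian-specific. The enclosing task that registers `nftables__register_systemd_service` starts before the hunk.

```yaml
- name: Create Fail2Ban custom directory for systemd service
  file:
    path: "{{ nft__fail2ban_service_unit_path | dirname }}"
    state: directory
    owner: 'root'
    group: 'root'
    mode: '0755'
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
    - nft__fail2ban_service|bool

# … unchanged: Install Fail2Ban custom service task …

# Drop the override again when the coupling is switched off, so the
# setting is reversible; the handler must also daemon-reload on this register.
- name: Remove Fail2Ban custom service drop-in
  file:
    path: '{{ nft__fail2ban_service_unit_path }}'
    state: absent
  register: nftables__register_fail2ban_service_removed
  when:
    - nft_enabled|bool
    - nft_service_manage|bool
    - not nft__fail2ban_service|bool
  notify: ['Restart nftables service']
```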
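Review bot: `WantedBy=nftables.service` in the `[Install]` section of the new override.conf.j2 has no effect on an already enabled fail2ban, because `[Install]` is only read by `systemctl enable`, and nothing in this diff (re)enables fail2ban; the runtime coupling therefore comes entirely from the `PartOf=` line in `[Unit]`. That is probably fine, since `PartOf=` propagates every stop and restart of nftables to fail2ban, but the template should say so, e.g. `# [Install] only applies on 'systemctl enable fail2ban'; runtime coupling comes from PartOf= above.` next to `[Install]`. A second comment is worth adding on `PartOf=`: it propagates stop and restart only, so a plain start of nftables does not start fail2ban. `After=` in a drop-in is merged with the vendor unit's own `After=`, so the repeated iptables/firewalld/ipset entries are redundant but harmless.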