Manage Fail2ban in the "systemd way"
Thanks to @FinweVI! Rebased after the Gentoo-related commits.
This commit is contained in:
parent
5dbf5b9b1c
commit
28cf15ee42
|
@ -7,6 +7,7 @@
|
||||||
* Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
|
* Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
|
||||||
* Gentoo-specific variables
|
* Gentoo-specific variables
|
||||||
* Ability to specify nft binary path through **nft__bin_location**
|
* Ability to specify nft binary path through **nft__bin_location**
|
||||||
|
* Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
|
||||||
|
|
||||||
### Removed
|
### Removed
|
||||||
* Remove everything related to **in_udp_accept** (see conversation in PR #13).
|
* Remove everything related to **in_udp_accept** (see conversation in PR #13).
|
||||||
|
|
|
@ -562,6 +562,17 @@ nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
|
||||||
# The directives will be ignored.
|
# The directives will be ignored.
|
||||||
nft__service_protect: true
|
nft__service_protect: true
|
||||||
# ]]]
|
# ]]]
|
||||||
|
|
||||||
|
# .. envvar:: nft__fail2ban_service_unit_path [[[
|
||||||
|
#
|
||||||
|
# Path to store Fail2Ban custom conf.
|
||||||
|
nft__fail2ban_service_unit_path: '/etc/systemd/system/fail2ban.service.d/override.conf'
|
||||||
|
# ]]]
|
||||||
|
# .. envvar:: nft__fail2ban_service_unit_content [[[
|
||||||
|
#
|
||||||
|
# Template used to provide systemd custom conf for Fail2Ban service.
|
||||||
|
nft__fail2ban_service_unit_content: 'etc/systemd/system/fail2ban.service.d/override.conf.j2'
|
||||||
|
# ]]]
|
||||||
# .. envvar:: nft__fail2ban_service [[[
|
# .. envvar:: nft__fail2ban_service [[[
|
||||||
#
|
#
|
||||||
# If the Nftables systemd unit should also restart Fail2ban service. Possible
|
# If the Nftables systemd unit should also restart Fail2ban service. Possible
|
||||||
|
@ -574,6 +585,7 @@ nft__service_protect: true
|
||||||
# Any Nftables service (re)start will also restart Fail2ban service.
|
# Any Nftables service (re)start will also restart Fail2ban service.
|
||||||
nft__fail2ban_service: False
|
nft__fail2ban_service: False
|
||||||
# ]]]
|
# ]]]
|
||||||
|
#
|
||||||
# .. envvar:: nft_debug [[[
|
# .. envvar:: nft_debug [[[
|
||||||
#
|
#
|
||||||
# Toggle on/off more verbose output. Possible options are:
|
# Toggle on/off more verbose output. Possible options are:
|
||||||
|
|
|
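Review bot: The help text on the two new variables is vaguer than it needs to be: `nft__fail2ban_service_unit_path` is a systemd drop-in (override) for the fail2ban unit rather than a generic "custom conf", and `nft__fail2ban_service_unit_content` is a path relative to the role's templates directory. I would reword them as `# Path of the systemd drop-in written for the fail2ban unit (only when nft__fail2ban_service is true).` and `# Template (relative to the role's templates directory) rendered into nft__fail2ban_service_unit_path.`. The lone `#` inserted above the `nft_debug` envvar block looks like a leftover; the other `# ]]]` terminators in this file are followed by a blank line only. `nft__fail2ban_service: False` is pre-existing context, but since the hunk touches this block it is a cheap moment to switch it to lowercase `false` per yamllint's truthy rule.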
@ -4,7 +4,8 @@
|
||||||
# (re)Start will be called at first run
|
# (re)Start will be called at first run
|
||||||
- name: Restart nftables service
|
- name: Restart nftables service
|
||||||
systemd:
|
systemd:
|
||||||
daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}'
|
daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
|
||||||
|
(nftables__register_fail2ban_service.changed | default(False)) }}'
|
||||||
state: 'restarted'
|
state: 'restarted'
|
||||||
name: '{{ nft_service_name }}'
|
name: '{{ nft_service_name }}'
|
||||||
enabled: '{{ nft_service_enabled }}'
|
enabled: '{{ nft_service_enabled }}'
|
||||||
|
|
|
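Review bot: The new `or` on `daemon_reload` has a non-obvious side effect that deserves a comment: this handler restarts only nftables, and fail2ban is restarted indirectly because the drop-in installed by this commit declares `PartOf=nftables.service`, so a change to that drop-in ends up restarting the firewall service to get fail2ban reloaded. I would add above the task: `# Also reload systemd when the Fail2Ban drop-in changed; the restart below then propagates to fail2ban via PartOf=nftables.service in that drop-in.` Whether a drop-in-only change should restart nftables at all (and flush the ruleset, if its unit does that on stop) rather than just fail2ban is worth a second look, but nftables.service itself is not in view here to judge.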
@ -186,3 +186,28 @@
|
||||||
when: (nft_enabled|bool and
|
when: (nft_enabled|bool and
|
||||||
nft_service_manage|bool)
|
nft_service_manage|bool)
|
||||||
notify: ['Restart nftables service']
|
notify: ['Restart nftables service']
|
||||||
|
|
||||||
|
# Manage custom fail2ban service [[[1
|
||||||
|
- name: Create Fail2Ban custom directory for systemd service
|
||||||
|
file:
|
||||||
|
path: "{{ nft__fail2ban_service_unit_path | dirname }}"
|
||||||
|
state: directory
|
||||||
|
recurse: yes
|
||||||
|
when:
|
||||||
|
- nft_enabled|bool
|
||||||
|
- nft_service_manage|bool
|
||||||
|
- nft__fail2ban_service|bool
|
||||||
|
|
||||||
|
- name: Install Debian Fail2Ban custom service
|
||||||
|
template:
|
||||||
|
src: '{{ nft__fail2ban_service_unit_content }}'
|
||||||
|
dest: '{{ nft__fail2ban_service_unit_path }}'
|
||||||
|
owner: 'root'
|
||||||
|
group: 'root'
|
||||||
|
mode: '0644'
|
||||||
|
register: nftables__register_fail2ban_service
|
||||||
|
when:
|
||||||
|
- nft_enabled|bool
|
||||||
|
- nft_service_manage|bool
|
||||||
|
- nft__fail2ban_service|bool
|
||||||
|
notify: ['Restart nftables service']
|
||||||
|
|
|
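Review bot: `recurse: yes` on the directory task does nothing useful for a freshly created `fail2ban.service.d` (it only re-applies attributes to existing contents), while the task sets no owner, group or mode at all, unlike the template task below it that pins `root`/`root`/`0644`. I would drop `recurse` and make the directory explicit with `owner: 'root'`, `group: 'root'`, `mode: '0755'`, writing any remaining booleans as `true`. The task name `Install Debian Fail2Ban custom service` is misleading since nothing in it is Debian-specific (the same release adds Gentoo support per the changelog); `Install Fail2Ban systemd drop-in` would describe it. Nothing removes the drop-in once `nft__fail2ban_service` is set back to false, so the PartOf coupling to nftables persists; a `state: absent` counterpart guarded by `not nft__fail2ban_service|bool`, or a comment stating this is deliberate, would help.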
@ -0,0 +1,8 @@
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
[Unit]
|
||||||
|
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
|
||||||
|
PartOf=firewalld.service nftables.service
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target nftables.service
|
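Review bot: The `[Install]` section of this drop-in is unlikely to take effect: `WantedBy=` only becomes a `.wants/` symlink when the unit is enabled, and the tasks in this commit only template the file and notify a daemon-reload plus nftables restart, never re-enable fail2ban, so `nftables.service` will not pull fail2ban in on start as `WantedBy=multi-user.target nftables.service` suggests. Stop and restart propagation still works through `PartOf=` in `[Unit]`, which is what the `nft__fail2ban_service` help text promises, so either drop the `[Install]` section or add a task that re-enables fail2ban when the drop-in changes. `PartOf=firewalld.service` also couples fail2ban to firewalld on hosts that happen to have it, which looks unintended for an nftables role. A short comment in the template explaining the rationale (fail2ban's own chains presumably disappear when nftables reloads its ruleset, so fail2ban must follow nftables restarts or bans silently stop being enforced — confirm against nftables.service) would help the next maintainer.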