Manage Fail2ban in the "systemd way"

Thanks to @FinweVI !

Rebase after Gentoo related commits
This commit is contained in:
Jeremy Gardais 2021-07-30 09:34:38 +02:00
parent 5dbf5b9b1c
commit 28cf15ee42
Signed by: jegardai
GPG Key ID: E759BAA22501AF32
5 changed files with 49 additions and 2 deletions

View File

@ -7,6 +7,7 @@
* Possibility to toggle file's backup (thanks to @p-rintz PR #15). * Possibility to toggle file's backup (thanks to @p-rintz PR #15).
* Gentoo-specific variables * Gentoo-specific variables
* Ability to specify nft binary path through **nft__bin_location** * Ability to specify nft binary path through **nft__bin_location**
* Manage Fail2ban in the "systemd way" (thanks to @FinweVI PR #16).
### Removed ### Removed
* Remove everything related to **in_udp_accept** (see conversation in PR #13). * Remove everything related to **in_udp_accept** (see conversation in PR #13).

View File

@ -562,6 +562,17 @@ nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
# The directives will be ignored. # The directives will be ignored.
nft__service_protect: true nft__service_protect: true
# ]]] # ]]]
# .. envvar:: nft__fail2ban_service_unit_path [[[
#
# Path to store Fail2Ban custom conf.
nft__fail2ban_service_unit_path: '/etc/systemd/system/fail2ban.service.d/override.conf'
# ]]]
# .. envvar:: nft__fail2ban_service_unit_content [[[
#
# Template used to provide systemd custom conf for Fail2Ban service.
nft__fail2ban_service_unit_content: 'etc/systemd/system/fail2ban.service.d/override.conf.j2'
# ]]]
# .. envvar:: nft__fail2ban_service [[[ # .. envvar:: nft__fail2ban_service [[[
# #
# If the Nftables systemd unit should also restart Fail2ban service. Possible # If the Nftables systemd unit should also restart Fail2ban service. Possible
@ -574,6 +585,7 @@ nft__service_protect: true
# Any Nftables service (re)start will also restart Fail2ban service. # Any Nftables service (re)start will also restart Fail2ban service.
nft__fail2ban_service: False nft__fail2ban_service: False
# ]]] # ]]]
#
# .. envvar:: nft_debug [[[ # .. envvar:: nft_debug [[[
# #
# Toggle on/off more verbose output. Possible options are: # Toggle on/off more verbose output. Possible options are:

View File

@ -4,7 +4,8 @@
# (re)Start will be called at first run # (re)Start will be called at first run
- name: Restart nftables service - name: Restart nftables service
systemd: systemd:
daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}' daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
(nftables__register_fail2ban_service.changed | default(False)) }}'
state: 'restarted' state: 'restarted'
name: '{{ nft_service_name }}' name: '{{ nft_service_name }}'
enabled: '{{ nft_service_enabled }}' enabled: '{{ nft_service_enabled }}'

View File

@ -186,3 +186,28 @@
when: (nft_enabled|bool and when: (nft_enabled|bool and
nft_service_manage|bool) nft_service_manage|bool)
notify: ['Restart nftables service'] notify: ['Restart nftables service']
# Manage custom fail2ban service [[[1
- name: Create Fail2Ban custom directory for systemd service
file:
path: "{{ nft__fail2ban_service_unit_path | dirname }}"
state: directory
recurse: yes
when:
- nft_enabled|bool
- nft_service_manage|bool
- nft__fail2ban_service|bool
- name: Install Debian Fail2Ban custom service
template:
src: '{{ nft__fail2ban_service_unit_content }}'
dest: '{{ nft__fail2ban_service_unit_path }}'
owner: 'root'
group: 'root'
mode: '0644'
register: nftables__register_fail2ban_service
when:
- nft_enabled|bool
- nft_service_manage|bool
- nft__fail2ban_service|bool
notify: ['Restart nftables service']

View File

@ -0,0 +1,8 @@
# {{ ansible_managed }}
[Unit]
After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
PartOf=firewalld.service nftables.service
[Install]
WantedBy=multi-user.target nftables.service