Manage Fail2ban in the "systemd way"

Thanks to @FinweVI !

Rebase after Gentoo related commits

CHANGELOG.md

@@ -7,6 +7,7 @@
 * Possibility to toggle file's backup (thanks to @p-rintz − PR #15).
 * Gentoo-specific variables
 * Ability to specify nft binary path through **nft__bin_location**
+* Manage Fail2ban in the "systemd way" (thanks to @FinweVI − PR #16).
 
 ### Removed
 * Remove everything related to **in_udp_accept** (see conversation in PR #13).

defaults/main.yml

@@ -562,6 +562,17 @@ nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
 #   The directives will be ignored.
 nft__service_protect: true
                                                                    # ]]]
+
+# .. envvar:: nft__fail2ban_service_unit_path [[[
+#
+# Path to store Fail2Ban custom conf.
+nft__fail2ban_service_unit_path: '/etc/systemd/system/fail2ban.service.d/override.conf'
+                                                                   # ]]]
+# .. envvar:: nft__fail2ban_service_unit_content [[[
+#
+# Template used to provide systemd custom conf for Fail2Ban service.
+nft__fail2ban_service_unit_content: 'etc/systemd/system/fail2ban.service.d/override.conf.j2'
+                                                                   # ]]]
 # .. envvar:: nft__fail2ban_service [[[
 #
 # If the Nftables systemd unit should also restart Fail2ban service. Possible
@@ -574,6 +585,7 @@ nft__service_protect: true
 #   Any Nftables service (re)start will also restart Fail2ban service.
 nft__fail2ban_service: False
                                                                    # ]]]
+                                                                   #
 # .. envvar:: nft_debug [[[
 #
 # Toggle on/off more verbose output. Possible options are:

handlers/main.yml

@@ -4,7 +4,8 @@
 # (re)Start will be called at first run
 - name: Restart nftables service
   systemd:
-    daemon_reload: '{{ nftables__register_systemd_service.changed | default(False) }}'
+    daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
+                       (nftables__register_fail2ban_service.changed | default(False)) }}'
     state: 'restarted'
     name: '{{ nft_service_name }}'
     enabled: '{{ nft_service_enabled }}'

tasks/main.yml

@@ -185,4 +185,29 @@
   register: nftables__register_systemd_service
   when: (nft_enabled|bool and
          nft_service_manage|bool)
-  notify: ['Restart nftables service']
+  notify: ['Restart nftables service']
+
+# Manage custom fail2ban service [[[1
+- name: Create Fail2Ban custom directory for systemd service
+  file:
+    path: "{{ nft__fail2ban_service_unit_path | dirname }}"
+    state: directory
+    recurse: yes
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - nft__fail2ban_service|bool
+
+- name: Install Debian Fail2Ban custom service
+  template:
+    src: '{{ nft__fail2ban_service_unit_content }}'
+    dest: '{{ nft__fail2ban_service_unit_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: nftables__register_fail2ban_service
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - nft__fail2ban_service|bool
+  notify: ['Restart nftables service']

templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service
+PartOf=firewalld.service nftables.service
+
+[Install]
+WantedBy=multi-user.target nftables.service