README updated

4f765232 · Chris Croome · 07acce35 · 4f765232 · 4f765232 · 4f765232
Verified Commit 4f765232 authored 1 year ago by Chris Croome
--- a/.ansible-lint
+++ b/.ansible-lint
+# Copyright 2018-2023 Chris Croome
+#
+# This file is part of the Webarchitects Fail2ban Ansible role.
+#
+# The Webarchitects Fail2ban Ansible role is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+#
+# The Webarchitects Fail2ban Ansible role is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with the Webarchitects Fail2ban Ansible role. If not, see <https://www.gnu.org/licenses/>.
 ---
 # https://docs.ansible.com/ansible-lint/rules/default_rules.html
 skip_list:

--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+# Copyright 2018-2023 Chris Croome
+#
+# This file is part of the Webarchitects Fail2ban Ansible role.
+#
+# The Webarchitects Fail2ban Ansible role is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+#
+# The Webarchitects Fail2ban Ansible role is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with the Webarchitects Fail2ban Ansible role. If not, see <https://www.gnu.org/licenses/>.
 ---
 image: registry.git.coop/webarch/containers/images/ansible:0.22.0
 variables:

--- a/.yamllint
+++ b/.yamllint
+# Copyright 2018-2023 Chris Croome
+#
+# This file is part of the Webarchitects Fail2ban Ansible role.
+#
+# The Webarchitects Fail2ban Ansible role is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+#
+# The Webarchitects Fail2ban Ansible role is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with the Webarchitects Fail2ban Ansible role. If not, see <https://www.gnu.org/licenses/>.
 ---
 extends: default
-ignore: |
-  .venv
+yaml-files:
+  - '*.yaml'
+  - '*.yml'
 rules:
  braces:
    max-spaces-inside: 1
@@ -10,3 +20,6 @@ rules:
    max-spaces-inside: 1
    level: error
  line-length: disable
+  comments-indentation: disable
+# vim: syntax=yaml
+...
--- a/README.md
+++ b/README.md
@@ -2,11 +2,89 @@

 [![pipeline status](https://git.coop/webarch/fail2ban/badges/master/pipeline.svg)](https://git.coop/webarch/fail2ban/-/commits/master)

-This repository contains an Ansible role for installing [fail2ban](https://fail2ban.org/) on Debian.
+This repository contains an Ansible role for installing [Fail2ban](https://fail2ban.org/) on Debian.

 ## Usage

-The [alternatives role](https://git.coop/webarch/alternatives) can be used to set priority for `iptables`.
+The [alternatives role](https://git.coop/webarch/alternatives) can be used to set priority for `iptables` or these cammands can be run manually:
+
+```bash
+update-alternatives --set iptables /usr/sbin/iptables-nft
+update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
+```
+
+## Role variables
+
+See the [defaults/main.yml](defaults/main.yml) file for the default variables, the [vars/main.yml](vars/main.yml) file for the preset variables and the [meta/argument_specs.yml](meta/argument_specs.yml) file for the variable specification.
+
+### fail2ban
+
+Set the `fail2ban` variable to `true` run the tasks in this role, it defaults to `false`.
+
+### fail2ban_filters
+
+A list of files from [files/filter.d](files/filter.d) to upload to the `/etc/fail2ban/filter.d` directory.
+
+### fail2ban_config_files
+
+A list of Fail2ban configuration files, for each item in the list the `path` and `state` are required, for example:
+
+```yaml
+fail2ban_config_files:
+  - name: Local jail
+    path: /etc/fail2ban/jail.local
+    state: present
+    conf:
+      DEFAULT:
+        bantime: 36000
+```
+
+#### conf
+
+A dictionary representing the sections, variables and values that should be present in the INI file in YAML format, [jc]](https://github.com/kellyjonbrazil/jc) version >= [1.22.5](https://github.com/kellyjonbrazil/jc/releases/tag/v1.22.5) can be used to convert files into YAML format, for example:
+
+```bash
+cat /etc/fail2ban/jail.conf | jc --ini -yp
+```
+
+Note that currently this role doesn't have the ability to omit variables from conf files, only add and amend them.
+
+#### name
+
+An optional name for the configuration file.
+
+#### path
+
+A required path for the configuration file.
+
+#### state
+
+A required state for the configuration file, `absent` or `present`.
+
+### fail2ban_pkgs
+
+A list of `.deb` packages that should be persent.
+
+### fail2ban_whitelist
+
+A list of IP addresses that should never be banned.
+
+### fail2ban_validate
+
+Validate all variables starting with `fail2ban_` using [meta/argument_specs.yml](meta/argument_specs.yml), `fail2ban_validate` defaults to true and catches the use of legacy variables.
+
+## Repository
+
+The primary URL of this repo is [`https://git.coop/webarch/fail2ban`](https://git.coop/webarch/fail2ban) however it is also [mirrored to GitHub](https://github.com/webarch-coop/ansible-role-fail2ban) and [available via Ansible Galaxy](https://galaxy.ansible.com/chriscroome/fail2ban).
+
+If you use this role please use a tagged release, see [the release notes](https://git.coop/webarch/fail2ban/-/releases).
+
+## Copyright
+
+Copyright 2019-2023 Chris Croome, &lt;[chris@webarchitects.co.uk](mailto:chris@webarchitects.co.uk)&gt;.
+
+This role is released under [the same terms as Ansible itself](https://github.com/ansible/ansible/blob/devel/COPYING), the [GNU GPLv3](LICENSE).
+



--- a/defaults/main.yml
+++ b/defaults/main.yml
+# Copyright 2018-2023 Chris Croome
+#
+# This file is part of the Webarchitects Fail2ban Ansible role.
+#
+# The Webarchitects Fail2ban Ansible role is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+#
+# The Webarchitects Fail2ban Ansible role is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with the Webarchitects Fail2ban Ansible role. If not, see <https://www.gnu.org/licenses/>.
 ---
 fail2ban: false
 fail2ban_filters:
@@ -30,7 +39,6 @@ fail2ban_config_files:
        port: http,https
      phpmyadmin-syslog:
        enabled: true
-fail2ban_backup_extension: "{{ '%Y%m%d_%H%M%S' | ansible.builtin.strftime }}.bak"
 fail2ban_pkgs:
  - fail2ban
  - iptables

--- a/meta/argument_specs.yml
+++ b/meta/argument_specs.yml
@@ -18,10 +18,10 @@ argument_specs:
        type: bool
        required: true
        description: Run the tasks in this role.
-      fail2ban_backup_extension:
-        type: str
-        required: true
-        description: File extension for backup files.
+      fail2ban_config_file_changed:
+        type: bool
+        required: false
+        description: Internal variable used to track changes to config files.
      fail2ban_config_files:
        type: list
        elements: dict

--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
+# Copyright 2018-2023 Chris Croome
+#
+# This file is part of the Webarchitects Fail2ban Ansible role.
+#
+# The Webarchitects Fail2ban Ansible role is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+#
+# The Webarchitects Fail2ban Ansible role is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with the Webarchitects Fail2ban Ansible role. If not, see <https://www.gnu.org/licenses/>.
 ---
 dependency:
  name: galaxy

--- a/tasks/conf_file.yml
+++ b/tasks/conf_file.yml
@@ -11,6 +11,10 @@
 - name: Fail2ban configuration file
  block:

+    - name: Set a fact for the backup file extension
+      ansible.builtin.set_fact:
+        fail2ban_backup_extension: "{{ '%Y%m%d_%H%M%S' | ansible.builtin.strftime }}.bak"
+
    - name: Check if the file exists
      ansible.builtin.stat:
        path: "{{ fail2ban_config_file.path }}"
@@ -60,6 +64,7 @@
          loop: "{{ fail2ban_config_file.conf | dict2items }}"
          loop_control:
            loop_var: fail2ban_config_file_section
+            label: "{{ fail2ban_config_file_section.key }}"
          when: fail2ban_config_file.conf.keys() | length != 0

        - name: Ansible managed comment present at the top of the file
@@ -72,6 +77,19 @@
            owner: root
            group: root

+        - name: Name present at the top of the file
+          ansible.builtin.lineinfile:
+            path: "{{ fail2ban_config_file.path }}"
+            line: "# {{ fail2ban_config_file.name }}"
+            state: present
+            insertafter: "# Ansible managed"
+            mode: "0644"
+            owner: root
+            group: root
+          when:
+            - fail2ban_config_file.name is defined
+            - fail2ban_config_file.name | length > 0
+
        - name: Vim syntaxhighlighting modeline present at the end of the file
          ansible.builtin.lineinfile:
            path: "{{ fail2ban_config_file.path }}"
@@ -82,6 +100,24 @@
            owner: root
            group: root

+        - name: Test configuration when changed
+          ansible.builtin.command: fail2ban-client -t
+          check_mode: false
+          changed_when: true
+          notify: Restart fail2ban
+          when:
+            - fail2ban_config_file_changed is defined
+            - fail2ban_config_file_changed | bool
+
+        - name: Backup absent when the file is unchanged
+          ansible.builtin.file:
+            path: "{{ fail2ban_config_file.path }}.{{ fail2ban_backup_extension }}"
+            state: absent
+          changed_when: false
+          when: >-
+            ( fail2ban_config_file_changed is not defined ) or
+            ( not fail2ban_config_file_changed | bool )
+
      when: >-
        ( ( not fail2ban_config_file_path.stat.exists | bool ) and
        ( fail2ban_config_file.state == "present" ) ) or

--- a/tasks/conf_file_section.yml
+++ b/tasks/conf_file_section.yml
@@ -15,20 +15,20 @@
      community.general.ini_file:
        path: /etc/fail2ban/jail.local
        section: "{{ fail2ban_config_file_section.key }}"
-        option: "{{ fail2ban_config_file_svariable_pair.key }}"
-        value: "{% if fail2ban_config_file_svariable_pair.value | type_debug == 'bool' %}{{ fail2ban_config_file_svariable_pair.value | lower }}{% else %}{{ fail2ban_config_file_svariable_pair.value }}{% endif %}"
+        option: "{{ fail2ban_config_file_variable_pair.key }}"
+        value: "{% if fail2ban_config_file_variable_pair.value | type_debug == 'bool' %}{{ fail2ban_config_file_variable_pair.value | lower }}{% else %}{{ fail2ban_config_file_variable_pair.value }}{% endif %}"
        no_extra_spaces: false
        mode: 0644
        owner: root
        group: root
      when: >-
        ( fail2ban_jail_local_file_contents is not defined ) or
-        ( fail2ban_config_file_svariable_pair.value != fail2ban_jail_local_file_contents | ansible.builtin.json_query(fail2ban_config_file_svariable_json_query) )
+        ( fail2ban_config_file_variable_pair.value != fail2ban_jail_local_file_contents | ansible.builtin.json_query(fail2ban_config_file_svariable_json_query) )
      vars:
-        fail2ban_config_file_variable_json_query: '"{{ fail2ban_config_file_section.key }}"."{{ fail2ban_config_file_svariable_pair.key }}"'
+        fail2ban_config_file_variable_json_query: '"{{ fail2ban_config_file_section.key }}"."{{ fail2ban_config_file_variable_pair.key }}"'
      loop: "{{ fail2ban_config_file_section.value | ansible.builtin.dict2items }}"
      loop_control:
-        loop_var: fail2ban_config_file_svariable_pair
+        loop_var: fail2ban_config_file_variable_pair
      register: fail2ban_config_file_edited

    - name: Set a fact to indicate that the file has changed  # noqa: no-handler

--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -19,6 +19,7 @@
      ansible.builtin.apt:
        pkg: "{{ fail2ban_pkgs }}"
        state: present
+      notify: Restart fail2ban

    - name: Filters in place
      ansible.builtin.copy:
@@ -28,7 +29,7 @@
      loop: "{{ fail2ban_filters }}"
      loop_control:
        loop_var: fail2ban_filter
-      register: fail2ban_filters_present
+      notify: Restart fail2ban

    - name: Configure Fail2ban
      ansible.builtin.include_tasks: conf_file.yml
@@ -37,17 +38,6 @@
        loop_var: fail2ban_config_file
        label: "{{ fail2ban_config_file.path }}"

-    - name: Test configuration when configuration has changed
-      ansible.builtin.command: fail2ban-client -t
-      check_mode: false
-      changed_when: true
-      notify: Restart fail2ban
-      when: >-
-        ( ( fail2ban_filters_present.changed is defined ) and
-        ( fail2ban_filters_present.changed | bool ) ) or
-        ( ( fail2ban_config_file_changed is defined ) and
-        ( fail2ban_config_file_changed | bool ) )
-
  when: fail2ban | bool
  tags:
    - fail2ban

--- a/vars/main.yml
+++ b/vars/main.yml
@@ -11,4 +11,7 @@
 # https://docs.ansible.com/ansible/latest/playbook_guide/complex_data_manipulation.html
 fail2banvarnames: "{{ q('varnames', '^fail2ban_') | sort }}"
 fail2banhostvars: "{{ dict(fail2banvarnames | list | zip(q('vars', *fail2banvarnames))) }}"
+
+# Updated to true if the config file has changed
+fail2ban_config_file_changed: false
 ...