
---
# Configure fail2ban for SSH brute-force protection
# Install the fail2ban package through apt. "present" installs it when it
# is missing and leaves an already-installed version untouched.
- name: Ensure fail2ban is installed
  ansible.builtin.apt:
    name: fail2ban
    state: present
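# Write the local jail overrides and restart fail2ban when they change.
#
# Inputs:
#   fail2ban_bantime, fail2ban_findtime, fail2ban_maxretry - no default is
#     given here, so they must be defined elsewhere (e.g. role defaults).
#   ssh_port - falls back to 22. If sshd listens on another port and this
#     variable is not set, port-based ban actions would only cover 22.
#
# NOTE(review): logpath assumes sshd logs to /var/log/auth.log. Confirm
# this for the target distribution; a host that logs only to the journal
# may not have this file, leaving the jail with nothing to read.
#
# The "Restart fail2ban" handler is not defined in this file and must
# exist in the enclosing play or role.
- name: Configure fail2ban jail
  ansible.builtin.copy:
    dest: /etc/fail2ban/jail.local
    content: |
      [DEFAULT]
      bantime = {{ fail2ban_bantime }}
      findtime = {{ fail2ban_findtime }}
      maxretry = {{ fail2ban_maxretry }}
      [sshd]
      enabled = true
      port = {{ ssh_port | default(22) }}
      filter = sshd
      logpath = /var/log/auth.log
    # Pin ownership explicitly: without owner/group, a jail.local that
    # already exists can keep a previous non-root owner, who could then
    # edit the ban policy despite the 0644 mode.
    owner: root
    group: root
    mode: "0644"
  notify: Restart fail2ban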
# Start fail2ban now and enable it at boot, so the jail comes back up
# after a reboot.
- name: Ensure fail2ban is running
  ansible.builtin.service:
    name: fail2ban
    enabled: true
    state: started