Merge branch 't34007-fix-fail2ban-sshd-jail' into 'master'

Fix fail2ban sshd jail, refs #34007

See merge request mediaserver/envsetup!61

ansible/molecule/default/tests/test_mediaimport.py

@@ -73,7 +73,7 @@ def test_sftp_socket(host):
 
 
 def test_fail2ban_conf(host):
-    f = host.file("/etc/fail2ban/jail.d/pure-ftpd.local")
+    f = host.file("/etc/fail2ban/jail.d/pure-ftpd.conf")
 
     assert f.exists
 

ansible/roles/fail2ban/defaults/main.yml

@@ -13,15 +13,4 @@ f2b_destemail: "{% if envsetup_fail2ban_dest_email is string %}{{ envsetup_fail2
 f2b_destemail_admins: "{% if envsetup_email_admins is string %}{{ envsetup_email_admins }}{% else %}{{ envsetup_email_admins | join(',') }}{% endif %}"
 f2b_action: "{% if envsetup_fail2ban_send_email | bool %}action_mwl{% else %}action_{% endif %}"
 
-f2b_filter:
-  name: sshd
-  content:
-
-f2b_jail:
-  name: sshd
-  content: |
-    [sshd]
-    enabled = {{ f2b_enabled }}
-    backend = systemd
-
 ...

ansible/roles/fail2ban/tasks/main.yml

@@ -10,33 +10,12 @@
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: directories
-  loop:
-    - /etc/fail2ban/filter.d
-    - /etc/fail2ban/jail.d
-    - /etc/fail2ban/action.d
-  file:
-    path: "{{ item }}"
-    state: directory
-
 - name: jail defaults
   notify: restart fail2ban
   template:
     src: jail.local.j2
     dest: /etc/fail2ban/jail.local
 
-- name: filter
-  notify: restart fail2ban
-  copy:
-    dest: /etc/fail2ban/filter.d/{{ f2b_filter.name }}.local
-    content: "{{ f2b_filter.content }}"
-
-- name: jail
-  notify: restart fail2ban
-  copy:
-    dest: /etc/fail2ban/jail.d/{{ f2b_jail.name }}.local
-    content: "{{ f2b_jail.content }}"
-
 - name: service
   systemd:
     name: fail2ban

ansible/roles/mediaimport/defaults/main.yml

@@ -35,11 +35,6 @@ mediaimport_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
 mediaimport_ms_server_name: "{{ envsetup_ms_server_name | d() }}"
 
 mediaimport_fail2ban_enabled: "{{ envsetup_fail2ban_enabled | d(true) }}"
-mediaimport_f2b_jail:
-  name: pure-ftpd
-  content: |
-    [pure-ftpd]
-    enabled = {% if mediaimport_fail2ban_enabled | bool %}true{% else %}false{% endif %}
 
 mediaimport_firewall_enabled: true
 mediaimport_ferm_rules_filename: import

ansible/roles/mediaimport/handlers/main.yml

@@ -19,6 +19,11 @@
     name: mediaimport
     state: restarted
 
+- name: restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted
+
 - name: sftp-verif
   command:
     cmd: timeout 30 sftp-verif

ansible/roles/mediaimport/tasks/main.yml

@@ -140,12 +140,14 @@
 
 # FAIL2BAN
 
-- name: fail2ban
-  when: mediaimport_fail2ban_enabled
-  vars:
-    f2b_jail: "{{ mediaimport_f2b_jail }}"
-  include_role:
-    name: fail2ban
+- name: deploy fail2ban jail
+  notify: restart fail2ban
+  template:
+    src: fail2ban_ftpd.conf.j2
+    dest: /etc/fail2ban/jail.d/pure-ftpd.conf
+    mode: 0644
+
+- meta: flush_handlers
 
 # FIREWALL
 

ansible/roles/mediaimport/templates/fail2ban_ftpd.conf.j2

+[pure-ftpd]
+enabled = {% if mediaimport_fail2ban_enabled | bool %}true{% else %}false{% endif %}