authorGuilhem Moulin <guilhem@fripost.org>2014-07-02 18:33:11 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:16 +0200
commitaa6628dd67914c2849781cfb738c7389434c9608 (patch)
treefbef780f89b332a319ba73637b9bc2a368ec279b /roles/common/templates/etc/fail2ban/jail.local.j2
parent7a5cc5032b036f110a19b899cfc264065b473ed1 (diff)
Whitelist our IPs against fail2ban.
This is important as we don't want the IMAP server banning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but the one running next to the IMAP server shouldn't ban legit users.)
Diffstat (limited to 'roles/common/templates/etc/fail2ban/jail.local.j2')
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j23
1 files changed, 3 insertions, 0 deletions
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 7c5bc0e..b76ffbc 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -1,35 +1,38 @@
# {{ ansible_managed }}
# Do NOT edit this file directly!
[DEFAULT]
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = admin@fripost.org
# Specify chain where jumps would need to be added in iptables-* actions
chain = fail2ban
# Choose default action.
action = %(action_)s
+# Don't ban ourselves.
+ignoreip = 127.0.0.0/8 {{ groups.all | sort | join(' ') }}
+
#
# JAILS
#
# There is no risk to lock ourself out, since traffic between our machines goes
# through IPSec, and these packets are accepted before having a chance to enter
# fail2ban's chain.
#
[ssh]
enabled = true
port = {{ ansible_ssh_port|default('22') }}
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[ssh-ddos]
enabled = true
port = {{ ansible_ssh_port|default('22') }}