Diffstat (limited to 'roles/common/tasks/fail2ban.yml')
-rw-r--r-- | roles/common/tasks/fail2ban.yml | 49 |
1 files changed, 42 insertions, 7 deletions
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml index be26c79..563075f 100644 --- a/roles/common/tasks/fail2ban.yml +++ b/roles/common/tasks/fail2ban.yml @@ -1,28 +1,63 @@ - name: Install fail2ban apt: pkg=fail2ban -- name: Add addititional filters - copy: src=etc/fail2ban/filter.d/{{ item }} - dest=/etc/fail2ban/filter.d/{{ item }} +- name: Configure fail2ban (fail2ban.local) + copy: src=etc/fail2ban/fail2ban.local + dest=/etc/fail2ban/fail2ban.local owner=root group=root mode=0644 register: r1 - with_items: - - roundcube.conf notify: - Restart fail2ban -- name: Configure fail2ban +- name: Configure fail2ban (jail.local) template: src=etc/fail2ban/jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=0644 register: r2 notify: - Restart fail2ban +- name: Configure fail2ban (action.d/nftables-allports.local) + copy: src=etc/fail2ban/action.d/nftables-allports.local + dest=/etc/fail2ban/action.d/nftables-allports.local + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart fail2ban + +- name: Copy filters + copy: src=etc/fail2ban/filter.d/ + dest=/etc/fail2ban/filter.d/ + owner=root group=root + mode=0644 + register: r4 + notify: + - Restart fail2ban + +- name: Create directory /etc/systemd/system/fail2ban.service.d + file: path=/etc/systemd/system/fail2ban.service.d + state=directory + owner=root group=root + mode=0755 + +- name: Harden fail2ban.service + copy: src=etc/systemd/system/fail2ban.service.d/override.conf + dest=/etc/systemd/system/fail2ban.service.d/override.conf + owner=root group=root + mode=0644 + register: r5 + notify: + - systemctl daemon-reload + - Restart fail2ban + - name: Start fail2ban service: name=fail2ban state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) - meta: flush_handlers + +- name: Delete /var/lib/fail2ban/fail2ban.sqlite3 + file: path=/var/lib/fail2ban/fail2ban.sqlite3 state=absent |
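Review bot: The new `Delete /var/lib/fail2ban/fail2ban.sqlite3` task at the end of the hunk runs unconditionally and after `meta: flush_handlers`, so it unlinks the ban database right after the daemon has been restarted and likely still holds it open, and every later run will report a change again if fail2ban recreates the file on start (the default `dbfile` behaviour). The practical effect is that persisted bans are dropped at the next restart, which briefly re-admits hosts that were banned before, and nothing in the hunk says why the database is being removed. If the intent is to reset state after a configuration change, move the task before `meta: flush_handlers`, gate it with the same condition the `Start fail2ban` task uses (`when: r1.changed or r2.changed or r3.changed or r4.changed or r5.changed`), and add a comment such as `# Drop persisted ban state so the new jail configuration starts clean`. Separately, the `Harden fail2ban.service` task notifies both `systemctl daemon-reload` and `Restart fail2ban`; Ansible runs handlers in the order they are defined in the handlers file, not in notify order, so confirm that daemon-reload is defined before the restart handler (the handlers file is outside this hunk) or the restart may use the stale unit.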