Jose/ansible_role_proxmox_provision
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3054a97d15f72505cab0bb097d93e410486615a8
ansible_role_proxmox_provision/tasks/fail2ban.yml

314 lines
9.5 KiB
YAML
Raw Normal View History

feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
---
# -------------------------------------------------
# Deploy Fail2Ban integrated with Proxmox Firewall
# -------------------------------------------------
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
#################################################
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
# Detect Proxmox
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
#################################################
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
- name: fail2ban | Detect Proxmox
refactor ♻️: Refactor task names and update module references in `fail2ban.yml` This commit refactors the task names and updates module references in the `fail2ban.yml` file to improve clarity and consistency. It also includes minor text adjustments in `meta/fail2ban.md` to enhance readability and ensure accurate variable descriptions with updated default values.
2026-03-01 10:48:13 +01:00
ansible.builtin.stat:
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
path: /usr/bin/pveversion
register: pve_installed
#################################################
# Ensure pmxcfs is mounted (cluster filesystem)
#################################################
- name: fail2ban | Check pmxcfs cluster filesystem
ansible.builtin.stat:
path: /etc/pve/.members
register: pmxcfs_running
when: pve_installed.stat.exists | default(false)
- name: fail2ban | Warn if pmxcfs not mounted (no quorum)
ansible.builtin.debug:
msg: >
/etc/pve is not mounted or node has no quorum.
Refusing to modify cluster firewall.
when:
- pve_installed.stat.exists | default(false)
- not pmxcfs_running.stat.exists
#################################################
# Detect cluster membership
#################################################
- name: fail2ban | Detect Proxmox cluster membership
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
ansible.builtin.stat:
path: /etc/pve/corosync.conf
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
register: clustered
when: pmxcfs_running.stat.exists | default(false)
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
- name: fail2ban | Warn if corosync.conf is missing
ansible.builtin.debug:
msg: >
node has no quorum.
Refusing to modify cluster firewall.
when:
- pve_installed.stat.exists | default(false)
- pmxcfs_running.stat.exists | default(false)
- not clustered.stat.exists
#################################################
# Install Fail2Ban
#################################################
- name: fail2ban | Install fail2ban
ansible.builtin.apt:
name: fail2ban
state: present
update_cache: true
#################################################
# Ensure jail.local exists (do NOT copy jail.conf)
#################################################
- name: fail2ban | Ensure jail.local exists
ansible.builtin.file:
path: /etc/fail2ban/jail.local
state: touch
owner: root
group: root
mode: '0644'
#################################################
# Configure Fail2Ban jails
#################################################
- name: fail2ban | Configure Fail2Ban jails
ansible.builtin.blockinfile:
dest: /etc/fail2ban/jail.local
marker: "# {mark} ANSIBLE MANAGED BLOCK - PROXMOX"
block: |
# jail.conf (default)
# jail.local (override defaults)
[DEFAULT]
bantime = {{ f2b_bantime }}
findtime = {{ f2b_findtime }}
maxretry = {{ f2b_maxretry }}
bantime.increment = {{ f2b_bantime_increment }}
bantime.factor = {{ f2b_bantime_factor }}
bantime.maxtime = {{ f2b_bantime_max }}
backend = systemd
banaction = {% if (clustered.stat.exists | default(false)) %} proxmox-fw{% else %} iptables-multiport{% endif %}
ignoreip = 127.0.0.1/8 192.168.2.0/24
# {% if pmxcfs_running.stat.exists %} {{ corosync_networks | join(' ') }}{% endif %}
#################################################
# SSH
#################################################
[sshd]
enabled = true
#################################################
# Proxmox GUI + AD authentication
#################################################
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
#################################################
# Progressive escalation (recidive)
#################################################
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
bantime = {{ f2b_recidive_bantime }}
findtime = {{ f2b_recidive_findtime }}
maxretry = {{ f2b_recidive_maxretry }}
banaction = {% if (clustered.stat.exists | default(false)) %} proxmox-fw{% else %} iptables-multiport{% endif %}
notify:
- Reload fail2ban
- name: fail2ban | Place Proxmox filter definition
ansible.builtin.copy:
dest: /etc/fail2ban/filter.d/proxmox.conf
content: |
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
journalmatch = _SYSTEMD_UNIT=pvedaemon.service
owner: root
group: root
mode: '0644'
notify:
- Reload fail2ban
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
#################################################
# Determine Correct Firewall File
#################################################
- name: fail2ban | Get Proxmox node name
refactor ♻️: Refactor task to extract and process Corosync ring addresses, determine their CIDRs, and update ignoreip in fail2ban config This refactoring extracts the logic for processing Corosync ring addresses and determining their CIDRs. It then updates the `ignoreip` setting in the fail2ban configuration accordingly. This change improves modularity and maintainability of the code.
2026-02-24 19:18:48 +01:00
ansible.builtin.set_fact:
pve_node: "{{ ansible_hostname }}"
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
when: not clustered.stat.exists
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
- name: fail2ban | Set firewall config path
ansible.builtin.set_fact:
pve_firewall_config: >-
{{
'/etc/pve/firewall/cluster.fw'
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
if clustered.stat.exists
else '/etc/pve/nodes/' + pve_node + '.fw'
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
}}
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
when: pve_installed.stat.exists | default(false)
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
#################################################
# Detect firewall configuration
#################################################
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
- name: fail2ban | Check firewall config exists
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
ansible.builtin.stat:
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
path: "{{ pve_firewall_config }}"
register: fw_stat
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
when: pve_firewall_config is defined
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
- name: fail2ban | Read firewall config
ansible.builtin.slurp:
src: "{{ pve_firewall_config }}"
register: fw_content
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
when: fw_stat.stat.exists | default(false)
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
- name: fail2ban | Determine if firewall enabled
ansible.builtin.set_fact:
pve_firewall_enabled: >-
{{
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
(fw_stat.stat.exists | default(false)) and
(
(fw_content.content | default('') | b64decode)
is search('enable:\s*1')
)
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
}}
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
- name: fail2ban | Warn if firewall not enabled
ansible.builtin.debug:
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
msg: >
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
WARNING: Proxmox firewall is disabled in configuration.
Fail2Ban will not actively block traffic.
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
when: not pve_firewall_enabled
#################################################
# Validate firewall runtime state
#################################################
- name: fail2ban | Check firewall runtime status
ansible.builtin.command: pve-firewall status
register: pve_fw_status
changed_when: false
failed_when: false
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
when: pmxcfs_running.stat.exists | default(false)
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
- name: fail2ban | Abort if firewall daemon not running
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
ansible.builtin.debug:
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
msg: >
Proxmox firewall service is not running.
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
You can run: systemctl enable --now pve-firewall
when:
- pve_fw_status is defined
- pve_fw_status.rc != 0
- fw_stat.stat.exists | default(false)
- pmxcfs_running.stat.exists | default(false)
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
#################################################
# Corosync safety validation
#################################################
- name: fail2ban | Validate corosync firewall rules
ansible.builtin.command: pve-firewall compile
register: compiled_fw
changed_when: false
refactor ♻️: Refactor fail2ban.yml to use fw_compile_check.rc for failure checks This refactoring updates the fail2ban configuration to utilize a new script, `fw_compile_check.rc`, for handling failure checks. This change aims to streamline the process and improve reliability by centralizing the logic in a dedicated script.
2026-02-25 17:59:13 +01:00
failed_when: compiled_fw.rc != 0
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
when: clustered.stat.exists | default(false)
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
- name: fail2ban | Fail if corosync ports are being dropped
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
ansible.builtin.debug:
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
msg: >
Firewall configuration appears to affect Corosync ports (5404/5405).
Refusing to continue to prevent cluster outage.
when:
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
- clustered.stat.exists | default(false)
docs 📝: Add Fail2Ban integration tasks to README and directory structure. Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
2026-02-23 19:36:36 +01:00
- compiled_fw.stdout is search('5404.*DROP|5405.*DROP')
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
#################################################
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
# Deploy cluster-aware Fail2Ban action
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
#################################################
refactor ♻️: Refactor task names and update module references in `fail2ban.yml` This commit refactors the task names and updates module references in the `fail2ban.yml` file to improve clarity and consistency. It also includes minor text adjustments in `meta/fail2ban.md` to enhance readability and ensure accurate variable descriptions with updated default values.
2026-03-01 10:48:13 +01:00
- name: fail2ban | Deploy proxmox-fw action
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
ansible.builtin.copy:
dest: /etc/fail2ban/action.d/proxmox-fw.conf
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
owner: root
group: root
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
mode: '0644'
content: |
[Definition]
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
fwfile = {{ pve_firewall_config }}
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
rule = DROP -source <ip> -log nolog
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
actionban = \
if [ -f <fwfile> ]; then \
grep -qF "<rule>" <fwfile> || echo "<rule>" >> <fwfile>; \
pve-firewall compile >/dev/null 2>&1 || true; \
fi
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
actionunban = \
if [ -f <fwfile> ]; then \
sed -i "\|<rule>|d" <fwfile>; \
pve-firewall compile >/dev/null 2>&1 || true; \
fi
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
refactor ♻️: Refactor fail2ban.yml for Proxmox cluster detection and configuration This commit refactors the fail2ban.yml file to include support for detecting a Proxmox cluster, ensuring that pmxcfs is mounted, installing Fail2Ban, and configuring appropriate jails. This enhances the security and management of the Proxmox environment by automating the setup and monitoring of failed login attempts.
2026-03-01 10:22:41 +01:00
actionstart =
actionstop =
when:
refactor ♻️: Refactor and reformat text for better readability This commit refactors the code by improving text formatting and structure to enhance readability, ensuring that the content and functionality remain unchanged.
2026-03-01 10:31:36 +01:00
- clustered.stat.exists | default(false)
feat ✨: Add Fail2ban integration with Proxmox Firewall This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
2026-02-23 18:30:01 +01:00
notify:
- Restart fail2ban
#################################################
# Enable services
#################################################
- name: fail2ban | Enable fail2ban
ansible.builtin.systemd:
name: fail2ban
enabled: true
state: started
chore 📦: Update build scripts for CI/CD pipeline Refactored the build scripts to improve compatibility with the latest version of the CI/CD tooling and added new tests for edge cases.
2026-03-01 12:00:48 +01:00
# #################################################
# # List banned IPs cluster-wide
# #################################################
# - name: fail2ban | Get banned IPs from Proxmox IPSet
# ansible.builtin.command: pve-firewall ipset list {{ f2b_ipset_name }}
# register: banned_ips
# changed_when: false
# failed_when: false
# - name: fail2ban | Show banned IPs
# ansible.builtin.debug:
# msg: >
# Current banned IPs (cluster-wide):
# {{ banned_ips.stdout_lines | default([]) }}
# #################################################
# # Manual unban
# #################################################
# - name: fail2ban | Unban specific IP
# ansible.builtin.command: >
# pve-firewall ipset del {{ f2b_ipset_name }} {{ f2b_unban_ip }}
# when: f2b_unban_ip is defined and f2b_unban_ip | length > 0
# register: unban_result
# changed_when: "'removed' in unban_result.stdout or unban_result.rc == 0"
# failed_when: false
# - name: fail2ban | Report unban result
# ansible.builtin.debug:
# msg: "Unbanned IP {{ f2b_unban_ip }}"
# when: f2b_unban_ip | length > 0
Reference in New Issue Copy Permalink