Jose/ansible_role_proxmox_provision
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor ♻️: Refactor fail2ban tasks for better IPSet management
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 6s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details

Browse Source 
This refactoring removes redundant 'blockinfile' and 'reload' commands in fail2ban tasks, ensuring that IPSet and drop rules are correctly placed. A new handler has been added to reload the PVE firewall after a fail2ban restart.
This commit is contained in:
Jose
2026-02-24 18:46:12 +01:00
parent a120b1042b
commit 80b3b82bf6
2 changed files with 12 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
handlers/main.yml
View File

@@ -36,3 +36,7 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: fail2ban name: fail2ban
state: restarted state: restarted
- name: Reload pve firewall
ansible.builtin.command: pve-firewall reload
changed_when: false

23
tasks/fail2ban.yml
View File

@@ -115,29 +115,28 @@
# Create Proxmox firewall IPSet # Create Proxmox firewall IPSet
################################################# #################################################
- name: fail2ban | Add Fail2Ban IPSet to cluster firewall - name: fail2ban | Add Fail2Ban IPSet to firewall
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "{{ pve_firewall_config }}" path: "{{ pve_firewall_config }}"
marker: "# {mark} ANSIBLE FAIL2BAN IPSET" marker: "# {mark} ANSIBLE FAIL2BAN IPSET"
insertbefore: BOF
block: | block: |
[IPSET {{ f2b_ipset_name }}] [IPSET {{ f2b_ipset_name }}]
comment: Fail2Ban dynamic blacklist comment: Fail2Ban dynamic blacklist
create: true create: false
notify: Reload pve firewall
# noqa risky-file-permissions # noqa risky-file-permissions
- name: fail2ban | Ensure RULES section exists
ansible.builtin.blockinfile:
path: "{{ pve_firewall_config }}"
marker: "# {mark} ANSIBLE RULES HEADER"
block: |
[RULES]
- name: fail2ban | Add drop rule for Fail2Ban IPSet - name: fail2ban | Add drop rule for Fail2Ban IPSet
ansible.builtin.blockinfile: ansible.builtin.blockinfile:
path: "{{ pve_firewall_config }}" path: "{{ pve_firewall_config }}"
marker: "# {mark} ANSIBLE FAIL2BAN RULE" marker: "# {mark} ANSIBLE FAIL2BAN RULE"
insertafter: '^\[RULES\]'
block: | block: |
IN DROP -source +{{ f2b_ipset_name }} IN DROP -source +{{ f2b_ipset_name }}
create: false
notify: Reload pve firewall
# noqa risky-file-permissions
- name: fail2ban | Extract corosync ring0 address - name: fail2ban | Extract corosync ring0 address
ansible.builtin.shell: | ansible.builtin.shell: |
@@ -251,12 +250,6 @@
enabled: true enabled: true
state: started state: started
- name: fail2ban | Reload Proxmox firewall
ansible.builtin.command: pve-firewall reload
when: fw_stat.changed or
"'ANSIBLE FAIL2BAN' in fw_content.content | default('')"
changed_when: false
################################################# #################################################
# List banned IPs cluster-wide # List banned IPs cluster-wide
################################################# #################################################