From e44f757b9e7f590de730caec7b978742d8755b8d Mon Sep 17 00:00:00 2001 From: Jose Date: Sun, 1 Mar 2026 10:31:36 +0100 Subject: [PATCH] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Refactor=20and?= =?UTF-8?q?=20reformat=20text=20for=20better=20readability?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit refactors the code by improving text formatting and structure to enhance readability, ensuring that the content and functionality remain unchanged. --- meta/fail2ban.md | 30 ++++++++++++++++++++---------- tasks/fail2ban.yml | 2 +- 2 files changed, 21 insertions(+), 11 deletions(-) diff --git a/meta/fail2ban.md b/meta/fail2ban.md index 3db95c8..7165647 100644 --- a/meta/fail2ban.md +++ b/meta/fail2ban.md @@ -1,6 +1,8 @@ # Fail2Ban Integration with Proxmox Firewall -This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE environment, integrating it with the **Proxmox firewall** for cluster-aware IP banning. It supports both single-node and clustered Proxmox setups. +This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE +environment, integrating it with the **Proxmox firewall** for cluster-aware +IP banning. It supports both single-node and clustered Proxmox setups. --- @@ -13,7 +15,8 @@ This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE enviro - SSH protection - Proxmox GUI / AD login protection - Progressive ban escalation (recidive jail) -- Deploys a **cluster-aware Fail2Ban action** (`proxmox-fw`) for Proxmox firewall integration. +- Deploys a **cluster-aware Fail2Ban action** (`proxmox-fw`) for Proxmox + firewall integration. - Ensures safe firewall updates without affecting Corosync ports (5404/5405). - Supports single-node Fail2Ban using `iptables-multiport`. - Enables and starts the Fail2Ban service. 
@@ -32,7 +35,8 @@ This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE enviro ## Variables -The playbook uses the following variables (can be defined in a `vars` file or inventory group vars): +The playbook uses the following variables (can be defined in a `vars` file or +inventory group vars): | Variable | Description | Default / Notes | |----------|-------------|----------------| 
@@ -75,19 +79,25 @@ ansible-playbook -i inventory fail2ban-proxmox.yml -e "f2b_unban_ip=1.2.3.4" ## How It Works - Detects Proxmox – ensures the playbook runs only on Proxmox VE hosts. -- Cluster safety checks – verifies /etc/pve/.members and corosync.conf for quorum. -- Installs Fail2Ban – ensures /etc/fail2ban/jail.local exists and applies configuration. -- Cluster-aware action – for clustered nodes, Fail2Ban bans are added to Proxmox firewall and compiled immediately (pve-firewall compile). -- Single-node fallback – uses iptables-multiport for nodes not in a cluster. -- Corosync protection – prevents firewall rules from dropping cluster communication ports (5404/5405). +- Cluster safety checks – verifies /etc/pve/.members and corosync.conf + for quorum. +- Installs Fail2Ban – ensures /etc/fail2ban/jail.local exists and applies + configuration. +- Cluster-aware action – for clustered nodes, Fail2Ban bans are added to + Proxmox firewall and compiled immediately (pve-firewall compile). +- Single-node fallback – uses iptables-multiport for nodes not in + a cluster. +- Corosync protection – prevents firewall rules from dropping cluster + communication ports (5404/5405). ## Notes & Safety - The playbook does not copy jail.conf, only manages jail.local. - Firewall rules for clustered nodes are only modified if quorum exists. -- pve-firewall compile is called safely (>/dev/null 2>&1 || true) to prevent playbook failure on minor compilation warnings. +- pve-firewall compile is called safely (>/dev/null 2>&1 || true) + to prevent playbook failure on minor compilation warnings. - Manual unban is supported via f2b_unban_ip variable. -- Always verify that the Proxmox firewall is enabled when using cluster-wide bans. +- Always verify that the Proxmox firewall is enabled when using cluster-wide bans. ## License diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml index fc0c0dd..23a224f 100644 --- a/tasks/fail2ban.yml +++ b/tasks/fail2ban.yml 
@@ -266,7 +266,7 @@ actionstart = actionstop = when: - - clustered.stat.exists | default(false) + - clustered.stat.exists | default(false) notify: - Restart fail2ban
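Review bot: The commit message does not match the first hunk of meta/fail2ban.md (`@@ -1,6 +1,8 @@`) or any other hunk in this patch: the subject says "refactor" and the body says it "refactors the code", but every hunk in the README is a line-wrap of identical text to roughly 80 columns, and the only change under tasks/ is a whitespace-only line. Please retitle along the lines of "docs: reflow meta/fail2ban.md to 80 columns" so that `git log` searches for real refactors of the Fail2Ban action do not surface a formatting commit; the body sentence "ensuring that the content and functionality remain unchanged" can then be dropped as redundant.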
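Review bot: In the `@@ -75,19 +79,25 @@` hunk of meta/fail2ban.md, the reflowed "Notes & Safety" bullet still describes `pve-firewall compile ... >/dev/null 2>&1 || true` as being "called safely", which is misleading: `|| true` swallows every non-zero exit, not only "minor compilation warnings", so a genuine compile failure leaves a ban written into the Proxmox firewall configuration but never compiled, and the play reports success. Since this hunk is already rewording that bullet, suggest stating the trade-off plainly, e.g. "- pve-firewall compile errors are ignored (`>/dev/null 2>&1 || true`); a failed compile means the ban is recorded but not yet enforced, so check `pve-firewall status` after a ban." Separately, the last bullet "- Always verify that the Proxmox firewall is enabled when using cluster-wide bans." is removed and re-added with identical visible text, which is almost certainly a trailing-whitespace change; worth a mention in the commit message or dropped from the hunk to keep the diff to the intended reflow.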
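Review bot: In the `@@ -266,7 +266,7 @@` hunk of tasks/fail2ban.yml, the removed and added lines `- clustered.stat.exists | default(false)` are identical as displayed, so this is a whitespace-only change (trailing space or a tab/space swap in the indentation under `when:`). That is fine functionally, since both indentation depths are valid YAML for a list under a mapping key, but the commit message says nothing about tasks/fail2ban.yml at all; please either say "strip trailing whitespace in tasks/fail2ban.yml" in the body or leave this file out of a README-reflow commit, so a reader auditing changes to the cluster-aware ban condition is not sent to a hunk that changes nothing.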