Jose/ansible_role_proxmox_provision
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: Jose:6f27f0c47ce12819d98e98b8d372c0bc5b76701b
Branches Tags
Jose:main Jose:dev
...
compare: Jose:94726374eadeb6cdd251356a172fed1182d70c0c
Branches Tags
Jose:main Jose:dev

14 Commits
6f27f0c47c ... 94726374ea

Author SHA1 Message Date
Jose
94726374ea Merge pull request 'feat : Add Fail2ban integration with Proxmox Firewall' (#43) from dev into main
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 4s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details
Mark stale issues and pull requests / stale (push) Successful in 3s
Details 
Reviewed-on: #43
 2026-02-24 19:22:28 +01:00
Jose
13b3a5066d refactor ♻️: Refactor task to extract and process Corosync ring addresses, determine their CIDRs, and update ignoreip in fail2ban config
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 4s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details
ai-reviews / Review PR (pull_request) Successful in 32s
Details
PR check / Gitleaks (pull_request) Successful in 5s
Details
PR check / lint tests (pull_request) Successful in 16s
Details
PR check / labeler (pull_request) Successful in 3s
Details
PR check / handle_failures (pull_request) Has been skipped
Details
PR check / handle_success (pull_request) Successful in 1s
Details 
This refactoring extracts the logic for processing Corosync ring addresses and determining their CIDRs. It then updates the `ignoreip` setting in the fail2ban configuration accordingly. This change improves modularity and maintainability of the code.
 2026-02-24 19:18:48 +01:00
Jose
79e14e7120 feat : Add IPSET registration and conditional validation for Proxmox firewall configuration
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
This commit introduces new features to register IPSETs and update firewall reload notifications. It also conditionally validates Proxmox firewall configurations based on changes, enhancing the robustness of the system.
 2026-02-24 19:02:24 +01:00
Jose
4107a3a953 refactor ♻️: Rename task 'Validate Proxmox firewall configuration' to 'fail2ban | Validate Proxmox firewall configuration'
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 4s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
Refactored the task name to include 'fail2ban' for clarity and consistency with other similar tasks.
 2026-02-24 18:57:44 +01:00
Jose
8a3f359f46 style 💎: Remove unnecessary blank line from fail2ban.yml
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 12s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 6s
Details 
This commit removes an unnecessary blank line from the `fail2ban.yml` file to clean up the code style and improve readability.
 2026-02-24 18:56:47 +01:00
Jose
674f014be3 feat : Add conditional execution for reloading PVE firewall
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 7s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
This commit introduces a new feature that allows conditional execution of the PVE firewall reload command based on certain conditions, enhancing flexibility and control over firewall management.
 2026-02-24 18:56:02 +01:00
Jose
432ec97292 chore 📦: Update build scripts for CI/CD pipeline
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 6s
Details 
Updated the build scripts to ensure compatibility with the latest version of the CI/CD tooling and improved the deployment process.
 2026-02-24 18:47:08 +01:00
Jose
80b3b82bf6 refactor ♻️: Refactor fail2ban tasks for better IPSet management
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 6s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
This refactoring removes redundant 'blockinfile' and 'reload' commands in fail2ban tasks, ensuring that IPSet and drop rules are correctly placed. A new handler has been added to reload the PVE firewall after a fail2ban restart.
 2026-02-24 18:46:12 +01:00
Jose
a120b1042b chore 📦: Add comment to disable risky file permissions check
All checks were successful
ansible-lint / Ansible Lint (push) Successful in 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
This commit adds a comment in the codebase to disable a file permissions check that was deemed too risky. This change aims to simplify the build process while ensuring that we are aware of the potential security implications.
 2026-02-24 18:25:03 +01:00
Jose
e26b3f01f8 chore 📦: Remove redundant directory creation and update shell command for robustness
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 13s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 6s
Details 
This commit removes unnecessary directory creation steps in the build process, simplifying the setup. Additionally, it updates the shell command to be more robust and reliable.
 2026-02-24 18:21:50 +01:00
Jose
8d40abc15b style 💎: Remove trailing whitespace from f2b_unban_ip comment
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 18s
Details
Gitleaks Scan / gitleaks (push) Successful in 4s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
Cleaned up the code by removing unnecessary trailing whitespace from a comment in the defaults/main.yml file.
 2026-02-23 19:37:50 +01:00
Jose
d3527c14e4 docs 📝: Add Fail2Ban integration tasks to README and directory structure.
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 6s
Details
Gitleaks Scan / gitleaks (push) Successful in 4s
Details
Markdown Lint / markdown-lint (push) Successful in 6s
Details 
Updated the README with instructions on integrating Fail2Ban and modified the directory structure to accommodate new files related to this integration.
 2026-02-23 19:36:36 +01:00
Jose
3afa853d09 feat : Add new variable f2b_unban_ip for specifying an IP to unban during playbook execution.
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 6s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 5s
Details 
Introduce a new variable `f2b_unban_ip` in the Ansible playbook to allow users to specify an IP address that should be unbanned using Fail2Ban. This feature enhances the flexibility of the playbook by enabling targeted IP management.
 2026-02-23 18:35:10 +01:00
Jose
4fa35ca62d feat : Add Fail2ban integration with Proxmox Firewall
Some checks failed
ansible-lint / Ansible Lint (push) Failing after 7s
Details
Gitleaks Scan / gitleaks (push) Successful in 5s
Details
Markdown Lint / markdown-lint (push) Successful in 7s
Details 
This commit adds Fail2ban settings to `defaults/main.yml`, a new task to restart the fail2ban service, and a task file for deploying Fail2Ban integrated with Proxmox Firewall. The new tasks include checks, validations, and configuration to enhance security by blocking malicious IP addresses.
 2026-02-23 18:30:01 +01:00
4 changed files with 336 additions and 0 deletions
Expand all files Collapse all files

3
README.md
View File

@@ -27,6 +27,7 @@
| Logrotate protection | ✅ | ✅ | ✅ |
| Powertop auto-tune | ✅ | ✅ | ✅ |
| Utilities | ✅ | ✅ | ✅ |
| Fail2Ban Integration | ✅ | ✅ | ✅ |
## 📂 Directory Structure
@@ -40,6 +41,7 @@ ansible_role_proxmox_provision/
├── meta/ # Role metadata
│ └── main.yml
├── tasks/ # Main role tasks
│ ├── fail2ban.yml # Fail2Ban integration tasks
│ ├── logrotate.yml # logrotate setup
│ ├── main.yml # Core tasks
│ ├── powertop.yml # powertop setup
@@ -69,6 +71,7 @@ proxmox_enable_powertop: true
## Logrotate
proxmox_logrotate_maxsize: "100M"
proxmox_logrotate_rotate: 7
...
```
## Example usage

13
defaults/main.yml
View File

@@ -47,3 +47,16 @@ journald_runtime_max_use: "100M"
vm_dirty_ratio: 15
vm_dirty_background_ratio: 5
vm_swappiness: "{{ proxmox_swapiness }}"
# Fail2ban settings
f2b_bantime: 1800 # 30 minutes
f2b_findtime: 600
f2b_maxretry: 5
f2b_recidive_bantime: 86400 # 24 hours
f2b_recidive_findtime: 86400 # 24 hours
f2b_recidive_maxretry: 3
f2b_ipset_name: f2b-blacklist
f2b_bantime_increment: true
f2b_bantime_factor: 2
f2b_bantime_max: 86400
f2b_unban_ip: "" # ansible-playbook play.yml -e f2b_unban_ip=192.168.1.55

10
handlers/main.yml
View File

@@ -31,3 +31,13 @@
- name: Reload systemd
ansible.builtin.systemd:
daemon_reload: true
- name: Restart fail2ban
ansible.builtin.systemd:
name: fail2ban
state: reloaded
- name: Reload pve firewall
ansible.builtin.command: pve-firewall reload
when: fw_compile_check.rc == 0
changed_when: false

310
tasks/fail2ban.yml Normal file
View File

@@ -0,0 +1,310 @@
---
# -------------------------------------------------
# Deploy Fail2Ban integrated with Proxmox Firewall
# -------------------------------------------------
#################################################
# Detect cluster
#################################################
- name: fail2ban | Detect Proxmox cluster
ansible.builtin.stat:
path: /etc/pve/corosync.conf
register: cluster_status
- name: fail2ban | Set cluster fact
ansible.builtin.set_fact:
pve_clustered: "{{ cluster_status.stat.exists }}"
#################################################
# Determine Correct Firewall File
#################################################
- name: fail2ban | Get Proxmox node name
ansible.builtin.set_fact:
pve_node: "{{ ansible_hostname }}"
- name: fail2ban | Set firewall config path
ansible.builtin.set_fact:
pve_firewall_config: >-
{{
'/etc/pve/firewall/cluster.fw'
if pve_clustered
else '/etc/pve/firewall/' + pve_node.stdout + '.fw'
}}
#################################################
# Detect firewall configuration
#################################################
- name: fail2ban | Check firewall config exists
ansible.builtin.stat:
path: "{{ pve_firewall_config }}"
register: fw_stat
- name: fail2ban | Read firewall config
ansible.builtin.slurp:
src: "{{ pve_firewall_config }}"
register: fw_content
when: fw_stat.stat.exists
- name: fail2ban | Determine if firewall enabled
ansible.builtin.set_fact:
pve_firewall_enabled: >-
{{
fw_stat.stat.exists and
(fw_content.content | b64decode) is search('enable:\s*1')
}}
- name: fail2ban | Warn if firewall not enabled
ansible.builtin.debug:
msg: >
WARNING: Proxmox firewall is disabled in configuration.
Fail2Ban will not actively block traffic.
when: not pve_firewall_enabled
#################################################
# Validate firewall runtime state
#################################################
- name: fail2ban | Check firewall runtime status
ansible.builtin.command: pve-firewall status
register: pve_fw_status
changed_when: false
failed_when: false
- name: fail2ban | Abort if firewall daemon not running
ansible.builtin.fail:
msg: >
Proxmox firewall service is not running.
Run: systemctl enable --now pve-firewall
when: pve_fw_status.rc != 0
#################################################
# Corosync safety validation
#################################################
- name: fail2ban | Validate corosync firewall rules
ansible.builtin.command: pve-firewall compile
register: compiled_fw
changed_when: false
failed_when: fw_compile_check.rc != 0
when: cluster_status.stat.exists
- name: fail2ban | Fail if corosync ports are being dropped
ansible.builtin.fail:
msg: >
Firewall configuration appears to affect Corosync ports (5404/5405).
Refusing to continue to prevent cluster outage.
when:
- cluster_status.stat.exists
- compiled_fw.stdout is search('5404.*DROP|5405.*DROP')
#################################################
# Install Fail2Ban
#################################################
- name: fail2ban | Install fail2ban
ansible.builtin.apt:
name: fail2ban
state: present
update_cache: true
#################################################
# Create Proxmox firewall IPSet
#################################################
- name: fail2ban | Add Fail2Ban IPSet to firewall
ansible.builtin.blockinfile:
path: "{{ pve_firewall_config }}"
marker: "# {mark} ANSIBLE FAIL2BAN IPSET"
insertbefore: BOF
block: |
[IPSET {{ f2b_ipset_name }}]
comment: Fail2Ban dynamic blacklist
create: false
register: ipset_change
notify: Reload pve firewall
# noqa risky-file-permissions
- name: fail2ban | Add drop rule for Fail2Ban IPSet
ansible.builtin.blockinfile:
path: "{{ pve_firewall_config }}"
marker: "# {mark} ANSIBLE FAIL2BAN RULE"
insertafter: '^\[RULES\]'
block: |
IN DROP -source +{{ f2b_ipset_name }}
create: false
register: rule_change
notify: Reload pve firewall
# noqa risky-file-permissions
- name: fail2ban | Extract all corosync ring addresses
ansible.builtin.shell: |
set -o pipefail
awk '/ring[0-9]+_addr/ {print $2}' /etc/pve/corosync.conf
args:
executable: /bin/bash
register: corosync_ips
changed_when: false
when: pve_clustered
- name: fail2ban | Determine CIDR for each corosync IP
ansible.builtin.command: ip route get {{ item }}
register: corosync_routes
changed_when: false
loop: "{{ corosync_ips.stdout_lines }}"
when: pve_clustered
- name: fail2ban | Extract network CIDRs
ansible.builtin.set_fact:
corosync_networks: >-
{{
corosync_routes.results
| map(attribute='stdout')
| map('regex_search', 'src ([0-9.]+)/([0-9]+)', '\\1/\\2')
| list
}}
when: pve_clustered
- name: fail2ban | Validate Proxmox firewall configuration
ansible.builtin.command: pve-firewall compile
when: ipset_change.changed or rule_change.changed
changed_when: false
failed_when: fw_compile_check.rc != 0
register: fw_compile_check
# Then automatically whitelist it in Fail2Ban:
# ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}
#################################################
# Create Fail2Ban Proxmox action
#################################################
- name: fail2ban | Create Proxmox firewall action
ansible.builtin.copy:
dest: /etc/fail2ban/action.d/proxmox-fw.conf
mode: '0644'
content: |
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/sbin/pve-firewall ipset add {{ f2b_ipset_name }} <ip>
actionunban = /usr/sbin/pve-firewall ipset del {{ f2b_ipset_name }} <ip>
#################################################
# Configure AD-aware jail
#################################################
- name: fail2ban | Ensure jail.d exists
ansible.builtin.file:
path: /etc/fail2ban/jail.d
state: directory
mode: '0755'
- name: fail2ban | Configure Fail2Ban jails
ansible.builtin.copy:
dest: /etc/fail2ban/jail.d/proxmox.conf
mode: '0644'
content: |
[DEFAULT]
bantime = {{ f2b_bantime }}
findtime = {{ f2b_findtime }}
maxretry = {{ f2b_maxretry }}
bantime.increment = {{ f2b_bantime_increment }}
bantime.factor = {{ f2b_bantime_factor }}
bantime.max = {{ f2b_bantime_max }}
backend = systemd
banaction = proxmox-fw
ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_networks | join(' ') }}{% endif %} 192.168.2.0/24
#################################################
# SSH
#################################################
[sshd]
enabled = true
journalmatch = _SYSTEMD_UNIT=sshd.service
#################################################
# Proxmox GUI + AD authentication
#################################################
[proxmox-auth]
enabled = true
port = https,8006
filter = proxmox-auth
logpath = /var/log/pveproxy/access.log
#################################################
# Progressive escalation (recidive)
#################################################
[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
bantime = {{ f2b_recidive_bantime }}
findtime = {{ f2b_recidive_findtime }}
maxretry = {{ f2b_recidive_maxretry }}
banaction = proxmox-fw
notify:
- Restart fail2ban
#################################################
# AD / Winbind filter
#################################################
- name: fail2ban | Create AD-aware filter
ansible.builtin.copy:
dest: /etc/fail2ban/filter.d/proxmox-auth.conf
mode: '0644'
content: |
[Definition]
failregex = authentication failure; rhost=<HOST>
pam_unix\(sshd:auth\): authentication failure;.*rhost=<HOST>
winbind.*authentication for user.*from <HOST> failed
ignoreregex =
notify:
- Restart fail2ban
#################################################
# Enable services
#################################################
- name: fail2ban | Enable fail2ban
ansible.builtin.systemd:
name: fail2ban
enabled: true
state: started
#################################################
# List banned IPs cluster-wide
#################################################
- name: fail2ban | Get banned IPs from Proxmox IPSet
ansible.builtin.command: pve-firewall ipset list {{ f2b_ipset_name }}
register: banned_ips
changed_when: false
failed_when: false
- name: fail2ban | Show banned IPs
ansible.builtin.debug:
msg: >
Current banned IPs (cluster-wide):
{{ banned_ips.stdout_lines | default([]) }}
#################################################
# Manual unban
#################################################
- name: fail2ban | Unban specific IP
ansible.builtin.command: >
pve-firewall ipset del {{ f2b_ipset_name }} {{ f2b_unban_ip }}
when: f2b_unban_ip | length > 0
register: unban_result
changed_when: "'removed' in unban_result.stdout or unban_result.rc == 0"
failed_when: false
- name: fail2ban | Report unban result
ansible.builtin.debug:
msg: "Unbanned IP {{ f2b_unban_ip }}"
when: f2b_unban_ip | length > 0