feat : Add Fail2ban integration with Proxmox Firewall #43

Merged
Jose merged 13 commits from dev into main 2026-02-24 19:22:28 +01:00


@@ -21,9 +21,8 @@
#################################################
- name: fail2ban | Get Proxmox node name
ansible.builtin.command: hostname
register: pve_node
changed_when: false
ansible.builtin.set_fact:
pve_node: "{{ ansible_hostname }}"
- name: fail2ban | Set firewall config path
ansible.builtin.set_fact:
@@ -89,7 +88,7 @@
ansible.builtin.command: pve-firewall compile
register: compiled_fw
changed_when: false
failed_when: false
failed_when: fw_compile_check.rc != 0
when: cluster_status.stat.exists
- name: fail2ban | Fail if corosync ports are being dropped
@@ -140,15 +139,33 @@
notify: Reload pve firewall
# noqa risky-file-permissions
- name: fail2ban | Extract corosync ring0 address
- name: fail2ban | Extract all corosync ring addresses
ansible.builtin.shell: |
set -o pipefail
grep ring0_addr /etc/pve/corosync.conf | awk '{print $2}'
awk '/ring[0-9]+_addr/ {print $2}' /etc/pve/corosync.conf
args:
executable: /bin/bash
register: corosync_ip
register: corosync_ips
changed_when: false
when: cluster_status.stat.exists
when: pve_clustered
- name: fail2ban | Determine CIDR for each corosync IP
ansible.builtin.command: ip route get {{ item }}
register: corosync_routes
changed_when: false
loop: "{{ corosync_ips.stdout_lines }}"
when: pve_clustered
- name: fail2ban | Extract network CIDRs
ansible.builtin.set_fact:
corosync_networks: >-
{{
corosync_routes.results
| map(attribute='stdout')
| map('regex_search', 'src ([0-9.]+)/([0-9]+)', '\\1/\\2')
| list
}}
when: pve_clustered
- name: fail2ban | Validate Proxmox firewall configuration
ansible.builtin.command: pve-firewall compile
@@ -200,7 +217,7 @@
bantime.max = {{ f2b_bantime_max }}
backend = systemd
banaction = proxmox-fw
ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_ip.stdout }}{% endif %} 192.168.2.0/24
ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_networks | join(' ') }}{% endif %} 192.168.2.0/24
#################################################
# SSH
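Review bot: The CIDR extraction in the added `Extract network CIDRs` task most likely never matches: on the iproute2 builds I know, `ip route get <ip>` prints `src A.B.C.D` with no prefix length, so `regex_search('src ([0-9.]+)/([0-9]+)', '\\1/\\2')` yields None for every route and the templated `ignoreip` line ends up with `None` tokens (or nothing) where networks were expected — please confirm against the rendered jail file on a clustered node. Even where it does work, exempting whole subnets is broader than the goal stated in the task names: every host on the cluster network, not just the peer nodes, becomes unbannable, which weakens the brute-force protection this PR adds. A tighter and simpler fix is to drop the `Determine CIDR for each corosync IP` and `Extract network CIDRs` tasks and whitelist exactly the addresses the awk already produced, `ignoreip = 127.0.0.1/8{% if pve_clustered %} {{ corosync_ips.stdout_lines | join(' ') }}{% endif %} 192.168.2.0/24` (if corosync.conf holds hostnames or IPv6 ring addresses the awk passes them through unchanged, so that case still deserves a check). Separately, in the `pve-firewall compile` hunk the task registers `compiled_fw` but `failed_when` tests `fw_compile_check.rc`; unless `fw_compile_check` is registered by an earlier task outside this view, that conditional fails as an undefined variable, and it presumably should read `failed_when: compiled_fw.rc != 0`.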