From 11374216ac965abd080c184762ca8bdc353dab40 Mon Sep 17 00:00:00 2001
From: Mathias Merscher
Date: Fri, 8 Mar 2019 13:12:16 +0100
Subject: [PATCH] adds support for optional deployment of fail2ban jail
---
 README.md | 4 ++++
 defaults/main.yml | 2 ++
 handlers/main.yml | 6 ++++++
 tasks/fail2ban.yaml | 18 ++++++++++++++++++
 tasks/main.yml | 3 +++
 templates/fail2ban/filter.conf.j2 | 4 ++++
 templates/fail2ban/jail.conf.j2 | 9 +++++++++
 7 files changed, 46 insertions(+)
 create mode 100644 tasks/fail2ban.yaml
 create mode 100644 templates/fail2ban/filter.conf.j2
 create mode 100644 templates/fail2ban/jail.conf.j2
diff --git a/README.md b/README.md
index fe6c9eb..0edea84 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,10 @@ The following have been tested with Debian 8, it should work on Ubuntu as well.
 * `gitea_mailer_host`: SMTP server hostname and port
 * `gitea_mailer_from`: Sender mail address
+### Fail2Ban configuration
+
+* `gitea_install_fail2ban_config`: Wether to deploy the fail2ban config snippets
+
 ## Disclaimer
 This module is currently a work in progress. For now it is only able to install gitea from the Github Release, in a fixed version for Linux amd64, on systems
diff --git a/defaults/main.yml b/defaults/main.yml
index a2ed573..62cc461 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -40,3 +40,5 @@ gitea_mailer_enabled: false
 gitea_mailer_skip_verify: true
 gitea_mailer_host: localhost:25
 gitea_mailer_from: noreply@your.domain
+
+gitea_install_fail2ban_config: false
diff --git a/handlers/main.yml b/handlers/main.yml
index 2c43309..ff9001f 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,3 +3,9 @@
 - name: "Reload systemd"
 shell: "systemctl daemon-reload"
+
+- name: "Restart fail2ban" service: name: fail2ban state: restarted
+
diff --git a/tasks/fail2ban.yaml b/tasks/fail2ban.yaml
new file mode 100644
index 0000000..2caab90
--- /dev/null
+++ b/tasks/fail2ban.yaml
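Review bot: The new `Restart fail2ban` handler bounces the whole service for what is only a dropped-in jail/filter snippet, which on fail2ban releases or setups without the persistent ban database also discards every current ban and briefly tears down all ban rules. fail2ban can re-read its jails via `fail2ban-client reload`, which as far as I recall is what the distribution unit file's `ExecReload` runs, so `state: reloaded` in place of `state: restarted` should apply the new jail without that gap — worth confirming on the Debian release the role targets. If a full restart is intended (for instance because reload is known to misbehave on an older fail2ban), a one-line comment above the handler saying so would keep the next reader from "fixing" it.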
@@ -0,0 +1,18 @@
+- name: install fail2ban filter template: src: fail2ban/filter.conf.j2 dest: /etc/fail2ban/filter.d/gitea.conf owner: root group: root mode: 0444 notify: Restart fail2ban
+
+- name: install fail2ban jail template: src: fail2ban/jail.conf.j2 dest: /etc/fail2ban/jail.d/gitea.conf owner: root group: root mode: 0444 notify: Restart fail2ban
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 26a8e43..357fd49 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -41,3 +41,6 @@ name: gitea state: started enabled: true
+
+- include: fail2ban.yml
+ when: gitea_install_fail2ban_config
\ No newline at end of file
diff --git a/templates/fail2ban/filter.conf.j2 b/templates/fail2ban/filter.conf.j2
new file mode 100644
index 0000000..6fd9eee
--- /dev/null
+++ b/templates/fail2ban/filter.conf.j2
@@ -0,0 +1,4 @@
+# Managed by Ansible
+[Definition]
+failregex = .*Failed authentication attempt for .* from
+ignoreregex =
diff --git a/templates/fail2ban/jail.conf.j2 b/templates/fail2ban/jail.conf.j2
new file mode 100644
index 0000000..c6149fb
--- /dev/null
+++ b/templates/fail2ban/jail.conf.j2
@@ -0,0 +1,9 @@
+[gitea]
+enabled = true
+port = http,https
+filter = gitea
+logpath = {{ gitea_home }}/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = ufw
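Review bot: Neither task checks that fail2ban is actually present before templating into `/etc/fail2ban/filter.d` and `/etc/fail2ban/jail.d`; Ansible's `template` module fails when the destination directory does not exist, and the `Restart fail2ban` handler both tasks notify would likewise fail on a host without the service. If package installation is deliberately left to the caller, make that explicit — either a guarded `package: name=fail2ban state=present` task ahead of these two, or a comment at the top of the file such as `# Assumes fail2ban is already installed; this role only drops in the gitea filter and jail.` plus the matching sentence in the README. As a style point, the task names here are unquoted and lowercase (`install fail2ban filter`) whereas the handler added in this same commit uses a quoted, capitalised name (`"Restart fail2ban"`).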
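Review bot: `- include: fail2ban.yml` refers to a file this patch does not create — the new task file is `tasks/fail2ban.yaml` — so a run with `gitea_install_fail2ban_config: true` aborts at this include with a missing-file error. Renaming the new file to `tasks/fail2ban.yml` fixes the reference and keeps the `.yml` suffix every other file in the role uses; the alternative is `- include: fail2ban.yaml`. Two smaller things: the hunk leaves `tasks/main.yml` without a trailing newline, and `include` has been deprecated in favour of `import_tasks`/`include_tasks` since Ansible 2.4 — relevant only if the role targets recent Ansible, which I cannot tell from this patch.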
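Review bot: `failregex` ends at `from` with no `<HOST>` capture, so fail2ban has no address to ban on a match; as far as I know fail2ban refuses to load a failregex that lacks a host group, which means the new `gitea` jail fails to start (and, with the restart handler, every later config change re-surfaces that failure) rather than quietly doing nothing. The line should be `failregex = .*Failed authentication attempt for .* from <HOST>`. Two assumptions are worth recording in a comment: the match only bans the right party if Gitea logs the real client address — behind a reverse proxy that does not hand the client IP through, the proxy itself would be banned (not verifiable from this patch) — and the message text is tied to Gitea's log format, so a line like `# matches Gitea's "Failed authentication attempt for <user> from <ip>:<port>" message` tells the next maintainer what to re-check on Gitea upgrades.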
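Review bot: The jail template lacks the `# Managed by Ansible` header that the sibling `filter.conf.j2` in this commit carries; adding the same first line keeps the two drop-ins consistent and warns anyone hand-editing `/etc/fail2ban/jail.d/gitea.conf`. `action = ufw` and `logpath = {{ gitea_home }}/log/gitea.log` both depend on things the patch does not establish — that ufw is installed and enabled on the target, and that `gitea_home` is defined and Gitea writes `log/gitea.log` beneath it — so a short comment stating these assumptions (and a README mention of the ufw requirement) would help; if ufw is absent the action presumably fails at ban time rather than at deploy time, which is the worse place to find out. `port = http,https` also hard-codes the ports; if the role already exposes Gitea's listen port as a variable the jail should template it instead — I cannot see from here whether such a variable exists.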