Add fail2ban and firewall

.gitmodules

@@ -34,3 +34,9 @@
 [submodule "roles/goaccess"]
 	path = roles/goaccess
 	url = https://github.com/roles-ansible/ansible_role_goaccess.git
+[submodule "roles/geerlingguy.firewall"]
+	path = roles/geerlingguy.firewall
+	url = https://github.com/geerlingguy/ansible-role-firewall.git
+[submodule "roles/robertdebock.fail2ban"]
+	path = roles/robertdebock.fail2ban
+	url = https://github.com/robertdebock/ansible-role-fail2ban.git

host_vars/web01.l3d.space.yml

@@ -32,5 +32,12 @@ nginx_sites:
   - name: 'c3woc.cn'
   - name: 'www.c3woc.cn'
 
-
 acme_notification_email: "acme_{{ inventory_hostname }}@l3d.yt"
+
+# firewall
+firewall_allowed_tcp_ports:
+  - "22"
+  - "25"
+  - "80"
+  - "443"
+fail2ban_destemail: "fail2ban_notify_{{ inventory_hostname }}@l3d.yt"

roles/geerlingguy.firewall

@@ -0,0 +1 @@
+Subproject commit adb052a45012227b217555c528f3213659c9f553

roles/robertdebock.fail2ban

@@ -0,0 +1 @@
+Subproject commit a354bc92a63853b8d16a6292b0d9d629e18c2f95

site.yml

@@ -14,6 +14,8 @@
     - { role: dotfiles, tags: [default,dotfiles]}
     - { role: ssh_auth, tags: [default,users]}
     - { role: sshd, tags: [default,users]}
+    - { role: geerlingguy.firewall, tags: [default,firewall], become: true}
+    - { role: robertdebock.fail2ban, tags: [default,fail2ban], become: true}
 
 - name: deploy web config
   hosts: web