hailin
/
chatai
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
chatai/postgres_15.8.1.044/ansible/tasks/setup-fail2ban.yml

74 lines
2.3 KiB
YAML
Raw Blame History

# set default bantime to 1 hour
- name: extend bantime
become: yes
replace:
path: /etc/fail2ban/jail.conf
regexp: bantime = 10m
replace: bantime = 3600
when: debpkg_mode or nixpkg_mode
- name: Configure journald
copy:
src: files/fail2ban_config/jail-ssh.conf
dest: /etc/fail2ban/jail.d/sshd.local
when: debpkg_mode or nixpkg_mode
- name: configure fail2ban to use nftables
copy:
src: files/fail2ban_config/jail.local
dest: /etc/fail2ban/jail.local
when: debpkg_mode or nixpkg_mode
# postgresql
- name: import jail.d/postgresql.conf
template:
src: files/fail2ban_config/jail-postgresql.conf.j2
dest: /etc/fail2ban/jail.d/postgresql.conf
become: yes
when: debpkg_mode or nixpkg_mode
- name: import filter.d/postgresql.conf
template:
src: files/fail2ban_config/filter-postgresql.conf.j2
dest: /etc/fail2ban/filter.d/postgresql.conf
become: yes
when: debpkg_mode or nixpkg_mode
- name: create overrides dir
file:
state: directory
owner: root
group: root
path: /etc/systemd/system/fail2ban.service.d
mode: '0700'
when: debpkg_mode or nixpkg_mode
- name: Custom systemd overrides
copy:
src: files/fail2ban_config/fail2ban.service.conf
dest: /etc/systemd/system/fail2ban.service.d/overrides.conf
when: debpkg_mode or nixpkg_mode
- name: add in supabase specific ignore filters
lineinfile:
path: /etc/fail2ban/filter.d/postgresql.conf
state: present
line: "{{ item.line }}"
loop:
- { line: ' ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""supabase_admin".*$' }
- { line: ' ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""supabase_auth_admin".*$' }
- { line: ' ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""supabase_storage_admin".*$' }
- { line: ' ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""authenticator".*$' }
- { line: ' ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""pgbouncer".*$' }
become: yes
tags:
- install-supabase-internal
when: debpkg_mode or nixpkg_mode
- name: fail2ban - disable service
systemd:
name: fail2ban
enabled: no
daemon_reload: yes
when: debpkg_mode or nixpkg_mode
Reference in New Issue View Git Blame Copy Permalink