From 9eefad0e874fe3c0939bf49f52ec52ab19484ae4 Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Tue, 28 Jun 2022 23:43:58 -0400
Subject: [PATCH] Install Fail2ban IP allow list
---
 roles/base/tasks/firewall.yml | 7 +++++++
 roles/base/templates/fail2ban-allowlist.conf.j2 | 2 ++
 2 files changed, 9 insertions(+)
 create mode 100644 roles/base/templates/fail2ban-allowlist.conf.j2
diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index 1d51846..a43553b 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -34,6 +34,13 @@
 dest: /etc/fail2ban/jail.d/sshd.conf
 notify: restart_fail2ban
 
+- name: Install Fail2ban IP allow list
+ template:
+ src: fail2ban-allowlist.conf.j2
+ dest: /etc/fail2ban/jail.d/allowlist.conf
+ when: fail2ban_ignoreip is defined
+ notify: restart_fail2ban
+
 - name: Enable firewall
 ufw:
 state: enabled
diff --git a/roles/base/templates/fail2ban-allowlist.conf.j2 b/roles/base/templates/fail2ban-allowlist.conf.j2
new file mode 100644
index 0000000..cc2256e
--- /dev/null
+++ b/roles/base/templates/fail2ban-allowlist.conf.j2
@@ -0,0 +1,2 @@
+[DEFAULT]
+ignoreip = {% for host in fail2ban_ignoreip %}{{ host }}{% if not loop.last %} {% endif %}{% endfor %}
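Review bot: Unsetting `fail2ban_ignoreip` does not revoke the allow list: the new `Install Fail2ban IP allow list` task is only skipped when the variable is undefined, so a previously templated `/etc/fail2ban/jail.d/allowlist.conf` stays on the host and those addresses remain exempt from banning until someone deletes it by hand. A companion task that removes the file when the variable is not defined keeps the role convergent and makes revoking an exemption a one-line inventory change. The `is defined` guard also lets an empty list through, which renders an `ignoreip =` with no value in `[DEFAULT]` and overrides whatever jail.conf sets; `when: fail2ban_ignoreip is defined and fail2ban_ignoreip | length > 0` would route that case to the removal task instead.

```yaml
- name: Remove Fail2ban IP allow list when none is configured
  file:
    path: /etc/fail2ban/jail.d/allowlist.conf
    state: absent
  when: fail2ban_ignoreip is not defined or fail2ban_ignoreip | length == 0
  notify: restart_fail2ban
```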
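Review bot: The hand-rolled loop on the `ignoreip` line silently misrenders if `fail2ban_ignoreip` arrives as a space-separated string instead of a list, since Jinja iterates the characters and emits each one separated by a space; `ignoreip = {{ fail2ban_ignoreip | join(' ') }}` is the idiomatic equivalent for the list case and reads as what it is, and a type check in the play (an `assert` that the value is a list) would catch the string case before it reaches fail2ban. It is also worth a comment in the template that an `ignoreip` in `[DEFAULT]` replaces rather than extends whatever jail.conf lists, so loopback is exempt only if it appears in `fail2ban_ignoreip` (newer fail2ban covers the host's own addresses via `ignoreself`, but I would confirm that against the target version); something like `{# Replaces jail.conf's ignoreip entirely; include 127.0.0.1/8 ::1 here if they must stay exempt #}` above the line.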