diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index 2abd1aa..3372219 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -10,3 +10,9 @@
 name: wg-quick@wg0
 state: restarted
 listen: restart_wireguard
+
+- name: Restart Fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+ listen: restart_fail2ban
diff --git a/roles/base/tasks/firewall.yml b/roles/base/tasks/firewall.yml
index 5bbf166..e21fb51 100644
--- a/roles/base/tasks/firewall.yml
+++ b/roles/base/tasks/firewall.yml
@@ -3,6 +3,11 @@
 name: ufw
 state: present
+- name: Install Fail2ban
+ apt:
+ name: fail2ban
+ state: present
+
 - name: Deny incoming traffic by default
 ufw:
 default: deny
diff --git a/roles/bitwarden/tasks/main.yml b/roles/bitwarden/tasks/main.yml
index 6c7f16b..eb55576 100644
--- a/roles/bitwarden/tasks/main.yml
+++ b/roles/bitwarden/tasks/main.yml
@@ -78,6 +78,12 @@
 register: bitwarden_systemd
 notify: rebuild_bitwarden
+- name: Install Bitwarden's Fail2ban jail
+ template:
+ src: fail2ban-jail.conf.j2
+ dest: /etc/fail2ban/jail.d/bitwarden.conf
+ notify: restart_fail2ban
+
 - name: Reload systemd manager configuration
 systemd:
 daemon_reload: true
diff --git a/roles/bitwarden/templates/fail2ban-jail.conf.j2 b/roles/bitwarden/templates/fail2ban-jail.conf.j2
new file mode 100644
index 0000000..8caa9d2
--- /dev/null
+++ b/roles/bitwarden/templates/fail2ban-jail.conf.j2
@@ -0,0 +1,9 @@
+# {{ ansible_managed }}
+[bitwarden]
+enabled = true
+filter = bitwarden
+logpath = /var/lib/bitwarden/bwdata/logs/identity/Identity/*
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
diff --git a/roles/gitea/tasks/main.yml b/roles/gitea/tasks/main.yml
index c276818..901da5d 100644
--- a/roles/gitea/tasks/main.yml
+++ b/roles/gitea/tasks/main.yml
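Review bot: `state: restarted` on the new `Restart Fail2ban` handler tears the whole daemon down just to pick up a jail.d or filter.d change, and if one of the notified templates renders a jail fail2ban rejects (for instance one whose filter file is absent) the daemon does not come back up, leaving the host with no bans at all. A `fail2ban-client reload`, as far as I recall, refuses a bad configuration and keeps the running one, so `state: reloaded` (which Debian's unit maps to that reload) is the safer default for config-driven notifications. If you switch, rename the handler and its `listen: restart_fail2ban` topic, or add a short comment explaining why a full restart is wanted.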
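Review bot: The new `Install Fail2ban` task only installs the package; nothing in this hunk starts the service or enables it at boot, so the jails added elsewhere in this commit are picked up only because Debian's postinst happens to start the daemon, and the `restart_fail2ban` handler fires only when a template changes. Add an explicit task after the install, e.g. `- name: Enable and start Fail2ban` / `service:` / `name: fail2ban, state: started, enabled: true`, so the intent is declarative and a host where the unit was stopped or disabled is brought back. Whether the earlier ufw task already refreshes the apt index is outside this hunk; if not, `update_cache: true` on this `apt` call avoids a stale-index install failure on a fresh host.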
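Review bot: The jail this task installs declares `filter = bitwarden` (see the `fail2ban-jail.conf.j2` hunk that follows), but the commit adds neither `/etc/fail2ban/filter.d/bitwarden.conf` nor a task that templates one, whereas the gitea role installs both a filter and a jail. Unless that filter already exists on the host, fail2ban will reject the jail on the notified restart and may not start at all, which silently disables every other jail as well. Add an `Install Bitwarden's Fail2ban filter` template task ahead of this one, mirroring the gitea role, or point `filter =` at a filter that is known to exist. The `dest` under `/etc/fail2ban/jail.d/` also assumes the base role's package install has run first on this host; a role dependency or a `file: state: directory` guard makes that explicit.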
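Review bot: `action = iptables-allports` without a `chain=` bans in the INPUT chain, which only covers traffic terminated on the host; if Bitwarden's ports are published by Docker, client traffic is forwarded (FORWARD/DOCKER-USER) and the ban never matches. The gitea jail in this same commit adds a second `[gitea-docker]` stanza with a FORWARD-chain action for exactly that case, and this jail has nothing equivalent, so confirm how client traffic reaches the Bitwarden containers and add the matching stanza (`chain="DOCKER-USER"` is the chain Docker reserves for user rules) if they are Docker-published. The `logpath` glob `.../Identity/*` also makes fail2ban open every file in that directory, rotated or otherwise; narrowing it to the identity log's actual extension, e.g. `logpath = /var/lib/bitwarden/bwdata/logs/identity/Identity/*.<ext-placeholder>`, keeps it from tailing unrelated files.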
@@ -81,6 +81,18 @@
 dest: "{{ gitea_root }}/.env"
 notify: restart_gitea
+- name: Install Gitea's Fail2ban filter
+ template:
+ src: fail2ban-filter.conf.j2
+ dest: /etc/fail2ban/filter.d/gitea.conf
+ notify: restart_fail2ban
+
+- name: Install Gitea's Fail2ban jail
+ template:
+ src: fail2ban-jail.conf.j2
+ dest: /etc/fail2ban/jail.d/gitea.conf
+ notify: restart_fail2ban
+
 - name: Start and enable Gitea service
 service:
 name: "{{ docker_compose_service }}@{{ gitea_name }}"
diff --git a/roles/gitea/templates/docker-compose.yml.j2 b/roles/gitea/templates/docker-compose.yml.j2
index 4a3dac6..284bfcb 100644
--- a/roles/gitea/templates/docker-compose.yml.j2
+++ b/roles/gitea/templates/docker-compose.yml.j2
@@ -12,6 +12,7 @@ services:
 environment:
 - USER_UID={{ getent_passwd.git[1] }}
 - USER_GID={{ getent_group.git[1] }}
+ - GITEA__log__MODE=file
 - GITEA__server__ROOT_URL=${gitea_rooturl}
 - GITEA__server__DOMAIN=${gitea_domain}
 - GITEA__server__SSH_DOMAIN=${gitea_domain}
@@ -25,7 +26,8 @@ services:
 - GITEA__service__DISABLE_REGISTRATION=${gitea_disable_registration}
 volumes:
 - {{ gitea_volume }}:/data
- - /home/git/.ssh/:/data/git/.ssh
+ - /home/git/.ssh:/data/git/.ssh
+ - /var/log/gitea:/data/gitea/log
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
diff --git a/roles/gitea/templates/fail2ban-filter.conf.j2 b/roles/gitea/templates/fail2ban-filter.conf.j2
new file mode 100644
index 0000000..70bd546
--- /dev/null
+++ b/roles/gitea/templates/fail2ban-filter.conf.j2
@@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+[Definition]
+failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from
+ignoreregex =
diff --git a/roles/gitea/templates/fail2ban-jail.conf.j2 b/roles/gitea/templates/fail2ban-jail.conf.j2
new file mode 100644
index 0000000..749e732
--- /dev/null
+++ b/roles/gitea/templates/fail2ban-jail.conf.j2
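Review bot: Both new template tasks run before `Start and enable Gitea service`, but nothing in this diff creates `/var/log/gitea`, which the compose template now bind-mounts at `/data/gitea/log`. If the directory is missing Docker creates it root-owned, and the container, which runs as the `USER_UID`/`USER_GID` taken from `getent_passwd.git`, may then be unable to write `gitea.log`, so the new jails would watch a file that never appears. Unless the role creates it elsewhere, add ahead of the service start something like `- name: Create Gitea log directory` / `file:` / `path: /var/log/gitea, state: directory, owner: git, group: git, mode: "0750"`. The task list continues outside this hunk.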
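Review bot: `GITEA__log__MODE=file` replaces Gitea's default console logger rather than adding to it, so `docker logs` and anything shipping container stdout go quiet once this lands; if that output is still wanted, Gitea takes a comma-separated list, `- GITEA__log__MODE=console,file`. Separately, the fail2ban filter added in this commit keys on the address logged after `from`; when Gitea sits behind a reverse proxy that is the proxy's (or Docker bridge) address unless Gitea is told to trust the proxy's forwarded headers via `[security] REVERSE_PROXY_TRUSTED_PROXIES`, in which case a ban would cut off every user at once. Worth confirming which address actually shows up in `gitea.log` before the jails are enabled.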
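Review bot: As rendered here `failregex` ends at `from` with no `<HOST>` capture, and fail2ban requires a `<HOST>` (or equivalent named group) in every failregex, rejecting the filter otherwise. This is likely the page dropping an angle-bracket token, so please confirm the committed template really reads `failregex = (Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>`. The leading `.*` is probably unnecessary as well, since failregex is searched within the message after the timestamp rather than anchored at its start, and dropping it avoids needless backtracking on a busy log.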
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+[gitea]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports
+
+[gitea-docker]
+enabled = true
+filter = gitea
+logpath = /var/log/gitea/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = iptables-allports[chain="FORWARD"]
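Review bot: `action = iptables-allports[chain="FORWARD"]` in `[gitea-docker]` races with Docker: both fail2ban and dockerd insert their rules at the head of FORWARD, so whichever (re)starts last wins, and after a Docker restart its `DOCKER` chain accepts can sit ahead of `f2b-gitea-docker` and the ban is bypassed. Docker reserves the `DOCKER-USER` chain for user rules that must run first, so `action = iptables-allports[chain="DOCKER-USER"]` is the more robust choice; confirm against the live `iptables -L FORWARD` ordering on a host. A comment above the second stanza would also help the next maintainer, e.g. `# Docker-published ports bypass INPUT; ban in the forwarding path as well.`, since both stanzas are otherwise identical copies of filter, logpath and thresholds.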