---
# Gitea fail2ban Configuration - Rick-Infra
# Protects Gitea SSH from brute force attacks
# Integrates with system fail2ban service
# Note: the `notify: restart fail2ban` entries below require a handler named
# "restart fail2ban" in this role's handlers (not shown in this file).

- name: Install fail2ban
  pacman:
    name: fail2ban
    state: present

- name: Create Gitea fail2ban filter
  copy:
    content: |
      # Fail2ban filter for Gitea SSH authentication failures
      # Rick-Infra: Gitea role
      [Definition]
      # Match failed authentication attempts in Gitea logs.
      # <HOST> is fail2ban's placeholder for the offending address; every
      # failregex must contain it, otherwise fail2ban rejects the filter.
      failregex = .*(Failed authentication attempt|authentication failed|Invalid user|Failed login attempt).*from\s+<HOST>
                  .*level=warning.*msg=.*authentication.*failed.*ip=<HOST>
      ignoreregex =
    dest: /etc/fail2ban/filter.d/gitea-ssh.conf
    mode: '0644'
    backup: yes
  notify: restart fail2ban

- name: Ensure fail2ban jail.local exists
  file:
    path: /etc/fail2ban/jail.local
    state: touch
    mode: '0644'
    modification_time: preserve
    access_time: preserve

- name: Add Gitea SSH jail to fail2ban
  blockinfile:
    path: /etc/fail2ban/jail.local
    marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH"
    block: |
      # Gitea SSH Protection - Rick-Infra
      [gitea-ssh]
      enabled = true
      port = {{ gitea_ssh_port }}
      filter = gitea-ssh
      logpath = {{ gitea_home }}/log/gitea.log
      maxretry = 5
      findtime = 600
      bantime = 3600
      banaction = nftables
    backup: yes
  notify: restart fail2ban

- name: Enable and start fail2ban service
  systemd:
    name: fail2ban
    enabled: yes
    state: started

# Run the pending "restart fail2ban" handler now so the new filter and jail
# are active before the status message is shown.
- name: Flush handlers so fail2ban restarts with the Gitea jail loaded
  meta: flush_handlers

- name: Display fail2ban status for Gitea
  debug:
    msg: |
      🛡️ fail2ban configured for Gitea SSH
      📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
      📍 Jail: gitea-ssh (in /etc/fail2ban/jail.local)
      🔒 Protection: Port {{ gitea_ssh_port }}
      ⏱️ Ban time: 1 hour (3600 seconds)
      🔢 Max retries: 5 attempts in 10 minutes

      Check status: fail2ban-client status gitea-ssh

# Rick-Infra: Self-contained fail2ban protection per role
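A quick offline check of the gitea-ssh failregex lines above, added here as an example and not part of the Rick-Infra role: it substitutes an approximation of fail2ban's `<HOST>` expansion (assumed; newer fail2ban releases use a finer IPv4/IPv6/DNS split) and runs both patterns over constructed Gitea-style log lines, so a wrong pattern is caught before the jail ever bans anyone. On a host with fail2ban installed, `fail2ban-regex <logfile> /etc/fail2ban/filter.d/gitea-ssh.conf` is the authoritative version of the same check.

```python
import re

# Approximation of what fail2ban substitutes for <HOST> (assumed here).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines of /etc/fail2ban/filter.d/gitea-ssh.conf, verbatim.
FAILREGEX = [
    r".*(Failed authentication attempt|authentication failed|Invalid user|Failed login attempt).*from\s+<HOST>",
    r".*level=warning.*msg=.*authentication.*failed.*ip=<HOST>",
]


def compile_failregex(patterns=FAILREGEX):
    """Compile the filter's patterns the way fail2ban would after <HOST> expansion."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def offending_host(line, compiled=None):
    """Return the host fail2ban would count for this line, or None if nothing matches.
    fail2ban strips the timestamp before matching; with the leading .* it does not matter."""
    for rx in compiled or compile_failregex():
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


# Constructed sample lines in Gitea's log style (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "2024/01/15 10:23:45 ...ssh.go:112:handleConn() [W] Failed authentication attempt for git from 203.0.113.10:51234",
    '2024/01/15 10:24:01 level=warning msg="authentication failed for user bob" ip=198.51.100.7',
    "2024/01/15 10:24:30 ...ssh.go:98:publicKeyHandler() [I] Accepted public key for git from 192.0.2.5:40000",
]


def tally(lines, compiled=None):
    """Count failregex hits per host, as a jail does before comparing with maxretry."""
    compiled = compiled or compile_failregex()
    counts = {}
    for line in lines:
        host = offending_host(line, compiled)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in tally(SAMPLE_LOG).items():
        print(f"{host}: {n} failure(s)")
```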