Joakim
2fe194ba82
- Restructure security playbook with modular nftables loader - Base rules loaded first, service rules second, drop rule last - Add Gitea self-contained firewall management (port 2222) - Add fail2ban protection for Gitea SSH brute force attacks - Update documentation with new firewall architecture - Create comprehensive Gitea deployment and testing guide This enables self-contained service roles to manage their own firewall rules without modifying the central security playbook. Each service deploys rules to /etc/nftables.d/ which are loaded before the final drop rule, maintaining the defense-in-depth security model.
76 lines
2.0 KiB
YAML
76 lines
2.0 KiB
YAML
---
|
|
# Gitea fail2ban Configuration - Rick-Infra
|
|
# Protects Gitea SSH from brute force attacks
|
|
# Integrates with system fail2ban service
|
|
|
|
- name: Install fail2ban
|
|
pacman:
|
|
name: fail2ban
|
|
state: present
|
|
|
|
- name: Create Gitea fail2ban filter
|
|
copy:
|
|
content: |
|
|
# Fail2ban filter for Gitea SSH authentication failures
|
|
# Rick-Infra: Gitea role
|
|
|
|
[Definition]
|
|
# Match failed authentication attempts in Gitea logs
|
|
failregex = .*(Failed authentication attempt|authentication failed|Invalid user|Failed login attempt).*from\s+<HOST>
|
|
.*level=warning.*msg=.*authentication.*failed.*ip=<HOST>
|
|
|
|
ignoreregex =
|
|
dest: /etc/fail2ban/filter.d/gitea-ssh.conf
|
|
mode: '0644'
|
|
backup: yes
|
|
notify: restart fail2ban
|
|
|
|
- name: Ensure fail2ban jail.local exists
|
|
file:
|
|
path: /etc/fail2ban/jail.local
|
|
state: touch
|
|
mode: '0644'
|
|
modification_time: preserve
|
|
access_time: preserve
|
|
|
|
- name: Add Gitea SSH jail to fail2ban
|
|
blockinfile:
|
|
path: /etc/fail2ban/jail.local
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH"
|
|
block: |
|
|
# Gitea SSH Protection - Rick-Infra
|
|
[gitea-ssh]
|
|
enabled = true
|
|
port = {{ gitea_ssh_port }}
|
|
filter = gitea-ssh
|
|
logpath = {{ gitea_home }}/log/gitea.log
|
|
maxretry = 5
|
|
findtime = 600
|
|
bantime = 3600
|
|
banaction = nftables
|
|
backup: yes
|
|
notify: restart fail2ban
|
|
|
|
- name: Enable and start fail2ban service
|
|
systemd:
|
|
name: fail2ban
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: Add fail2ban restart handler
|
|
meta: flush_handlers
|
|
|
|
- name: Display fail2ban status for Gitea
|
|
debug:
|
|
msg: |
|
|
🛡️ fail2ban configured for Gitea SSH
|
|
📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
|
|
📍 Jail: gitea-ssh (in /etc/fail2ban/jail.local)
|
|
🔒 Protection: Port {{ gitea_ssh_port }}
|
|
⏱️ Ban time: 1 hour (3600 seconds)
|
|
🔢 Max retries: 5 attempts in 10 minutes
|
|
|
|
Check status: fail2ban-client status gitea-ssh
|
|
|
|
# Rick-Infra: Self-contained fail2ban protection per role
|