joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
89b43180fc36a7537372372d36670b7d0327f733
rick-infra/roles/gitea/tasks/fail2ban.yml
Joakim cf71fb3a8d Implement SSH passthrough mode and refactor Gitea domain configuration 
Major Changes:
- Add dual SSH mode system (passthrough default, dedicated fallback)
- Refactor domain configuration to use direct specification pattern
- Fix critical fail2ban security gap in dedicated mode
- Separate HTTP and SSH domains for cleaner Git URLs
2025-12-17 21:51:24 +01:00

122 lines
3.8 KiB
YAML
Raw Blame History

---
# Gitea fail2ban Configuration - Rick-Infra
# Mode-aware: Only protects dedicated mode (port 2222)
# In passthrough mode, system 'sshd' jail protects port 22
- name: Install fail2ban
pacman:
name: fail2ban
state: present
- name: Create Gitea fail2ban filter
copy:
content: |
# Fail2ban filter for Gitea SSH authentication failures
# Rick-Infra: Gitea role
# Only used in dedicated mode (port {{ gitea_ssh_port }})
[Definition]
# Match failed authentication attempts in Gitea logs
failregex = .*(Failed authentication attempt|authentication failed|Invalid user|Failed login attempt).*from\s+<HOST>
.*level=warning.*msg=.*authentication.*failed.*ip=<HOST>
ignoreregex =
dest: /etc/fail2ban/filter.d/gitea-ssh.conf
mode: '0644'
backup: yes
notify: restart fail2ban
- name: Ensure fail2ban jail.local exists
file:
path: /etc/fail2ban/jail.local
state: touch
mode: '0644'
modification_time: preserve
access_time: preserve
- name: Add Gitea SSH jail to fail2ban (mode-aware)
blockinfile:
path: /etc/fail2ban/jail.local
marker: "# {mark} ANSIBLE MANAGED BLOCK - Gitea SSH"
block: |
# Gitea SSH Protection - Rick-Infra
# Mode: {{ gitea_ssh_mode }}
# - dedicated: Monitors Gitea logs on port {{ gitea_ssh_port }}
# - passthrough: Disabled (system 'sshd' jail protects port 22)
[gitea-ssh]
enabled = {{ 'true' if gitea_ssh_mode == 'dedicated' else 'false' }}
port = {{ gitea_ssh_port }}
filter = gitea-ssh
logpath = {{ gitea_home }}/log/gitea.log
maxretry = 5
findtime = 600
bantime = 3600
banaction = nftables
backup: yes
notify: restart fail2ban
- name: Enable and start fail2ban service
systemd:
name: fail2ban
enabled: yes
state: started
- name: Flush handlers to ensure fail2ban restarts
meta: flush_handlers
- name: Wait for fail2ban to be ready
pause:
seconds: 2
- name: Verify gitea-ssh jail status (dedicated mode only)
command: fail2ban-client status gitea-ssh
register: gitea_jail_verify
changed_when: false
failed_when: false
when: gitea_ssh_mode == 'dedicated'
- name: Verify sshd jail status (passthrough mode)
command: fail2ban-client status sshd
register: sshd_jail_verify
changed_when: false
failed_when: false
when: gitea_ssh_mode == 'passthrough'
- name: Display fail2ban configuration status
debug:
msg: |
🛡️ fail2ban Protection for Gitea SSH
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📍 Mode: {{ gitea_ssh_mode | upper }}
{% if gitea_ssh_mode == 'dedicated' %}
📍 Jail: gitea-ssh
📍 Port: {{ gitea_ssh_port }}
📍 Status: {{ 'Active ✅' if gitea_jail_verify.rc == 0 else 'Not Active ⚠️' }}
📍 Filter: /etc/fail2ban/filter.d/gitea-ssh.conf
📍 Logfile: {{ gitea_home }}/log/gitea.log
Protection Settings:
• Max retries: 5 attempts
• Find time: 10 minutes (600 seconds)
• Ban time: 1 hour (3600 seconds)
Check status:
fail2ban-client status gitea-ssh
{% else %}
📍 Jail: sshd (system jail)
📍 Port: 22
📍 Status: {{ 'Active ✅' if sshd_jail_verify.rc == 0 else 'Not Active ⚠️' }}
📍 Coverage: All SSH traffic including Gitea Git operations
Note: In passthrough mode, the system 'sshd' jail automatically
protects all SSH traffic on port 22, including Gitea Git
operations. No separate gitea-ssh jail is needed.
Check status:
fail2ban-client status sshd
{% endif %}
# Rick-Infra: Self-contained fail2ban protection per role
Reference in New Issue View Git Blame Copy Permalink