adds support for optional deployment of fail2ban jail

README.md

@@ -105,6 +105,10 @@ The following have been tested with Debian 8, it should work on Ubuntu as well.
 * `gitea_mailer_host`: SMTP server hostname and port
 * `gitea_mailer_from`: Sender mail address
 
+### Fail2Ban configuration
+
+* `gitea_install_fail2ban_config`: Wether to deploy the fail2ban config snippets
+
 ## Disclaimer
 This module is currently a work in progress. For now it is only able to install
 gitea from the Github Release, in a fixed version for Linux amd64, on systems

defaults/main.yml

@@ -40,3 +40,5 @@ gitea_mailer_enabled: false
 gitea_mailer_skip_verify: true
 gitea_mailer_host:    localhost:25
 gitea_mailer_from:    noreply@your.domain
+
+gitea_install_fail2ban_config: false

handlers/main.yml

@@ -3,3 +3,9 @@
 
 - name: "Reload systemd"
   shell: "systemctl daemon-reload"
+
+- name: "Restart fail2ban"
+  service:
+    name:  fail2ban
+    state: restarted
+

tasks/fail2ban.yaml

@@ -0,0 +1,18 @@
+- name: install fail2ban filter
+  template:
+    src: fail2ban/filter.conf.j2
+    dest: /etc/fail2ban/filter.d/gitea.conf
+    owner: root
+    group: root
+    mode:  0444
+  notify: Restart fail2ban
+
+- name: install fail2ban jail
+  template:
+    src: fail2ban/jail.conf.j2
+    dest: /etc/fail2ban/jail.d/gitea.conf
+    owner: root
+    group: root
+    mode:  0444
+  notify: Restart fail2ban
+

tasks/main.yml

@@ -41,3 +41,6 @@
     name: gitea
     state: started
     enabled: true
+
+- include: fail2ban.yml
+  when: gitea_install_fail2ban_config

templates/fail2ban/filter.conf.j2

@@ -0,0 +1,4 @@
+# Managed by Ansible
+[Definition]
+failregex =  .*Failed authentication attempt for .* from <HOST>
+ignoreregex =

templates/fail2ban/jail.conf.j2

@@ -0,0 +1,9 @@
+[gitea]
+enabled = true
+port = http,https
+filter = gitea
+logpath = {{ gitea_home }}/log/gitea.log
+maxretry = 10
+findtime = 3600
+bantime = 900
+action = ufw