[fix] provision to setup maxretry, bantime and findtime explicitly for fail2ban

bench/cli.py

@@ -48,7 +48,7 @@ def check_uid():
 
 def cmd_requires_root():
 	if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts',
-		'print', 'firewall', 'ssh-port', 'role'):
+		'print', 'firewall', 'ssh-port', 'role', 'fail2ban'):
 		return True
 	if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production',
 		'install'):

bench/commands/install.py

@@ -49,7 +49,11 @@ def install_nginx(user=None):
 		setup_sudoers(user)
 
 @click.command('fail2ban')
-def install_failtoban():
+@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP.")
+@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds.")
+@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.')
+def install_failtoban(**kwargs):
+	extra_vars.update(kwargs)
 	run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars, tag='fail2ban')
 
 install.add_command(install_prerequisites)

bench/commands/setup.py

@@ -208,6 +208,13 @@ def setup_roles(role, **kwargs):
 	else:
 		run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars)
 
+@click.command('fail2ban')
+@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP. Default is 6 seconds" )
+@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds. Default is 600 seconds")
+@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban. Default is 600 seconds')
+def setup_nginx_proxy_jail(**kwargs):
+	from bench.utils import run_playbook
+	run_playbook('prerequisites/setup_nginx_proxy_jail.yml', extra_vars=kwargs)
 
 setup.add_command(setup_sudoers)
 setup.add_command(setup_nginx)
@@ -229,4 +236,5 @@ setup.add_command(remove_domain)
 setup.add_command(sync_domains)
 setup.add_command(setup_firewall)
 setup.add_command(set_ssh_port)
-setup.add_command(setup_roles)
+setup.add_command(setup_roles)
+setup.add_command(setup_nginx_proxy_jail)

playbooks/prerequisites/roles/fail2ban/defaults/main.yml

@@ -1,2 +1,5 @@
 ---
-fail2ban_nginx_access_log: /var/log/nginx/access.log
+fail2ban_nginx_access_log: /var/log/nginx/access.log
+maxretry: 6
+bantime: 600
+findtime: 600

playbooks/prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml

@@ -0,0 +1,11 @@
+- name: Configure fail2ban jail options
+  hosts: localhost
+  become: yes
+  become_user: root
+  vars_files:
+    - ../defaults/main.yml
+  tasks:
+    - name: Setup jail
+      template: src="../templates/nginx-proxy-jail.conf.j2" dest="/etc/fail2ban/jail.d/nginx-proxy.conf"
+    - name: restart service
+      service: name=fail2ban state=restarted

playbooks/prerequisites/roles/fail2ban/templates/nginx-proxy-jail.conf.j2

@@ -4,5 +4,6 @@ enabled = true
 filter = nginx-proxy
 logpath = {{ fail2ban_nginx_access_log }}
 action = iptables-multiport[name=NoNginxProxy, port="http,https"]
-maxretry = 2
-bantime  = 86400
+maxretry = {{ maxretry }}
+bantime  = {{ bantime }}
+findtime = {{ findtime }}

playbooks/prerequisites/setup_nginx_proxy_jail.yml

@@ -0,0 +1,2 @@
+---
+- include: ../prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml