init

.gitignore

@@ -4,10 +4,13 @@ inventory/
 # Ignore .secret files.... you know, there secret...
 *.secret
 .vault-*
-vault.secret
 
 # Ignore Caching
 cache/
 
 # Ignore Testplaybook
-playbooks/global/testserver.yml
+playbooks/global/testserver.yml
+
+# Ignore unneccessary Files
+.vscode
+.ansible

ansible.cfg

@@ -2,6 +2,7 @@
 inventory = ./inventory/
 host_key_checking = False
 retry_files_enabled = False
+private_key_file = ~/.ssh/ansible_key
 
 # Caching-Einstellungen
 gathering = smart
@@ -26,4 +27,4 @@ become_ask_pass = False
 
 [ssh_connection]
 ssh_args = -o ControlMaster=auto -o ControlPersist=60s
-pipelining = True
+pipelining = True

playbooks/heyer.systems/all.yml

@@ -0,0 +1,5 @@
+---
+- name: Install and start Apache web server
+  hosts: all
+  roles:
+    - server_install_ssh

playbooks/heyer.systems/calibre.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and start Apache web server
+  hosts: calibre
+  roles:
+    - server_install_ssh
+    - server_install_fail2ban

playbooks/heyer.systems/docker1.yml

@@ -3,3 +3,4 @@
   hosts: docker1
   roles:
     - server_install_ssh
+    - server_install_fail2ban

playbooks/heyer.systems/minecraft.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and start Apache web server
+  hosts: minecraft
+  roles:
+    - server_install_ssh
+    - server_install_fail2ban

playbooks/heyer.systems/pihole.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and start Apache web server
+  hosts: pihole
+  roles:
+    - server_install_ssh
+    - server_install_fail2ban

playbooks/heyer.systems/pve1.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and start Apache web server
+  hosts: pve1
+  roles:
+    - server_install_ssh
+    - server_install_fail2ban

playbooks/heyer.systems/pve2.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and start Apache web server
+  hosts: pve2
+  roles:
+    - server_install_ssh
+    - server_install_fail2ban

playbooks/heyer.systems/pve3.yml

@@ -0,0 +1,6 @@
+---
+- name: Install and start Apache web server
+  hosts: pve3
+  roles:
+    - server_install_ssh
+    - server_install_fail2ban

roles/server_install_fail2ban/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+fail2ban_ssh_enabled: true
+fail2ban_ssh_maxretry: 5
+fail2ban_ssh_bantime: 1h
+fail2ban_ssh_findtime: 1h

roles/server_install_fail2ban/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted

roles/server_install_fail2ban/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+- name: Update apt package index
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
+
+- name: Install Fail2Ban
+  ansible.builtin.apt:
+    name: fail2ban
+    state: present
+
+- name: Ensure Fail2Ban service is enabled and running
+  ansible.builtin.service:
+    name: fail2ban
+    enabled: true
+    state: started
+
+- name: Configure Fail2Ban for SSH
+  ansible.builtin.template:
+    src: jail.local.j2
+    dest: /etc/fail2ban/jail.local
+    mode: '0644'
+  notify: Restart fail2ban

roles/server_install_fail2ban/templates/jail.local.j2

@@ -0,0 +1,15 @@
+[DEFAULT]
+# Ignore local IP addresses
+ignoreip = 127.0.0.1/8 ::1
+
+# Ban settings
+bantime = {{ fail2ban_ssh_bantime }}
+findtime = {{ fail2ban_ssh_findtime }}
+maxretry = {{ fail2ban_ssh_maxretry }}
+
+[sshd]
+enabled = {{ fail2ban_ssh_enabled | lower }}
+port = ssh
+filter = sshd
+logpath = %(sshd_log)s
+maxretry = {{ fail2ban_ssh_maxretry }}

roles/server_install_ssh/templates/sshd_config.j2

@@ -6,7 +6,6 @@ PasswordAuthentication no
 ChallengeResponseAuthentication no
 UsePAM yes
 X11Forwarding no
-AllowUsers {{ ssh_user }}
 ClientAliveInterval 300
 ClientAliveCountMax 2
 LoginGraceTime 30