From 17e8ab15fee3e56c32a023e9f53b78eaf67453b5 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Tue, 4 Oct 2022 06:18:57 +0300
Subject: [PATCH] fail2ban: remove redundant fail2ban_jails overrides

group_vars/all was enabling just the sshd jail so move this into the
fail2ban role defaults. patchwork, security and wiki were redefining
fail2ban_jails without deviating from the group_vars/all default and
can therefore be dropped.
---
 group_vars/all/common.yml              | 6 ------
 host_vars/patchwork.archlinux.org/misc | 7 -------
 host_vars/security.archlinux.org/misc  | 6 ------
 host_vars/wiki.archlinux.org/misc      | 6 ------
 roles/fail2ban/defaults/main.yml       | 6 +++---
 5 files changed, 3 insertions(+), 28 deletions(-)

diff --git a/group_vars/all/common.yml b/group_vars/all/common.yml
index f31f0358b..ca114265e 100644
--- a/group_vars/all/common.yml
+++ b/group_vars/all/common.yml
@@ -11,9 +11,3 @@ maintenance_remote_machine: "{{ hostvars[inventory_hostname]['ansible_env'].SSH_
 # prometheus-node-exporter port
 prometheus_exporter_port: '9100'
 prometheus_memcached_exporter_port: '9150'
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false
-  nginx_limit_req: false
diff --git a/host_vars/patchwork.archlinux.org/misc b/host_vars/patchwork.archlinux.org/misc
index a3fcbeb20..a4a01be38 100644
--- a/host_vars/patchwork.archlinux.org/misc
+++ b/host_vars/patchwork.archlinux.org/misc
@@ -2,12 +2,5 @@ filesystem: btrfs
 memcached_socket: "/run/memcached/patchwork.sock"
 fetchmail_user: "patchwork@archlinux.org"
 fetchmail_delivery_cmd: "/usr/local/bin/patchwork-parsemail-wrapper.sh"
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false
-  nginx_limit_req: false
-
 wireguard_address: 10.0.0.23
 wireguard_public_key: DVeDuKQKf4FzfgS8hp3iZj1tD7gi3SJm8GqDfA+XZn4=
diff --git a/host_vars/security.archlinux.org/misc b/host_vars/security.archlinux.org/misc
index 9bfa16e84..4b12a5583 100644
--- a/host_vars/security.archlinux.org/misc
+++ b/host_vars/security.archlinux.org/misc
@@ -1,9 +1,3 @@
 filesystem: btrfs
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false
-  nginx_limit_req: false
 wireguard_address: 10.0.0.24
 wireguard_public_key: CENgItOHJI/lLUNcUNpC+1oZJBvX/G+nemAKZYfCSCw=
diff --git a/host_vars/wiki.archlinux.org/misc b/host_vars/wiki.archlinux.org/misc
index cef9a41b2..6dfb7cfbf 100644
--- a/host_vars/wiki.archlinux.org/misc
+++ b/host_vars/wiki.archlinux.org/misc
@@ -1,10 +1,4 @@
 filesystem: btrfs
 memcached_socket: "/run/memcached/archwiki.sock"
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false
-  nginx_limit_req: false
 wireguard_address: 10.0.0.22
 wireguard_public_key: bZeNWMLtyNDaFR7jjWr06nNZt/vV/OKNleV7XZZs+lc=
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
index da6f19cd3..7f389a3c0 100644
--- a/roles/fail2ban/defaults/main.yml
+++ b/roles/fail2ban/defaults/main.yml
@@ -1,7 +1,7 @@
-# by default all jails are disabled
-# override this variable in a host/group file to define which jails to enable
+# by default only the sshd jail is enabled
+# override this variable in a host/group file to enable additional jails
 fail2ban_jails:
-  sshd: false
+  sshd: true
   postfix: false
   dovecot: false
   nginx_limit_req: false
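Review bot: The rewritten comment above `fail2ban_jails` tells operators to override the variable "to enable additional jails", which reads as additive, but under Ansible's default hash behaviour a host/group override replaces the whole mapping instead of merging into this default. A host that sets only `postfix: true` would therefore no longer carry an `sshd` key, and depending on how the role's templates treat a missing key (not visible in this patch) the sshd jail could end up disabled on that host without any error. I would spell this out in the comment, for example `# an override replaces the whole mapping, so repeat sshd: true next to any jail you add`. Alternatively the role could combine the override with its defaults before use, so that SSH brute-force protection stays on unless it is explicitly set to false.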
-- 
GitLab