By default enable the sshd jail for fail2ban

For all hosts we want to have a working fail2ban for sshd brute force
attempts through a group_vars/all. For some hosts an override is
required to enable postfix or dovecot jails.

group_vars/all/common.yml

@@ -14,3 +14,8 @@ maintenance_remote_machine: "{{ hostvars[inventory_hostname]['ansible_env'].SSH_
 # prometheus-node-exporter port
 prometheus_exporter_port: '9100'
 prometheus_memcached_exporter_port: '9150'
+
+fail2ban_jails:
+  sshd: true
+  postfix: false
+  dovecot: false

group_vars/gitlab_runners.yml

 gitlab_runner_exporter_port: 9252
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/aur-dev.archlinux.org

@@ -9,8 +9,3 @@ zabbix_agent_templates:
   - Template App HTTPS Service
   - Template App MySQL
   - Template App Nginx
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/aur.archlinux.org

@@ -9,8 +9,3 @@ zabbix_agent_templates:
   - Template App HTTPS Service
   - Template App MySQL
   - Template App Nginx
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/bbs.archlinux.org

@@ -7,8 +7,3 @@ zabbix_agent_templates:
   - Template App HTTPS Service
   - Template App MySQL
   - Template App Nginx
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/bugs.archlinux.org

@@ -7,8 +7,3 @@ zabbix_agent_templates:
   - Template App HTTPS Service
   - Template App MySQL
   - Template App Nginx
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/gemini.archlinux.org

@@ -22,8 +22,3 @@ zabbix_agent_templates:
   - Template OS Linux
   - Template App Borg Backup
   - Template App Nginx
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/matrix.archlinux.org

@@ -9,8 +9,3 @@ zabbix_agent_templates:
   - Template App Nginx
   - Template App SSH Service
   - Template App PostgreSQL
-
-fail2ban_jails:
-  sshd: true
-  postfix: false
-  dovecot: false

host_vars/reproducible.archlinux.org

@@ -6,6 +6,3 @@ zabbix_agent_templates:
   - Template App Borg Backup
   - Template App HTTP Service
   - Template App HTTPS Service
-
-fail2ban_jails:
-  sshd: true

playbooks/accounts.archlinux.org.yml

@@ -18,3 +18,4 @@
       postgres_effective_cache_size: 1GB
     - { role: keycloak }
     - { role: borg_client, tags: ["borg"] }
+    - { role: fail2ban }

playbooks/dragon.yml

@@ -15,3 +15,4 @@
     - { role: sogrep }
     - { role: archbuild }
     - { role: docker_image }
+    - { role: fail2ban }

playbooks/gitlab.archlinux.org.yml

@@ -12,3 +12,4 @@
     - { role: gitlab, gitlab_domain: "gitlab.archlinux.org" }
     - { role: borg_client, tags: ["borg"] }
     - { role: prometheus_exporters }
+    - { role: fail2ban }

playbooks/homedir.archlinux.org.yml

@@ -14,3 +14,4 @@
     - { role: public_html, public_domain: "pkgbuild.com", tags: ['nginx'] }
     - { role: borg_client, tags: ["borg"] }
     - { role: prometheus_exporters }
+    - { role: fail2ban }

playbooks/mirrors.yml

@@ -14,3 +14,4 @@
     - { role: archweb, archweb_site: false, archweb_services: false, archweb_mirrorcheck: true }
     - { role: arch32_mirror, tags: ['nginx'] }
     - { role: prometheus_exporters }
+    - { role: fail2ban }

playbooks/monitoring.archlinux.org.yml

@@ -14,3 +14,4 @@
     - { role: certbot }
     - { role: nginx }
     - { role: grafana, grafana_domain: 'monitoring.archlinux.org' }
+    - { role: fail2ban }

playbooks/reproducible.archlinux.org.yml

@@ -15,3 +15,4 @@
     - { role: nginx }
     - { role: rebuilderd }
     - { role: prometheus_exporters }
+    - { role: fail2ban }

playbooks/state.archlinux.org.yml

@@ -21,3 +21,4 @@
       postgres_ssl_hosts6: ['::/0']
     - { role: terraform_state }
     - { role: prometheus_exporters }
+    - { role: fail2ban }