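---
# Installs and configures fail2ban through the grzegorzfranus.fail2ban role
# on everything matched by the `internetfacing` host pattern.
- name: Install fail2ban on internet facing servers
  hosts: internetfacing
  become: true
  roles:
    - role: grzegorzfranus.fail2ban
      vars:
        # Sources in this list are never banned, whatever they do.
        # NOTE(review): the RFC 1918, CGNAT and IPv6 ULA ranges below exempt
        # every internal, VPN or carrier-NAT peer from brute-force
        # protection, so repeated SSH login failures from a compromised
        # neighbour are never blocked. Prefer listing only the specific
        # management or bastion addresses that need the exemption.
        fail2ban_ignoreip:
          - "127.0.0.1/8"      # IPv4 loopback
          - "10.0.0.0/8"       # private (RFC 1918)
          - "172.16.0.0/12"    # private (RFC 1918)
          - "192.168.0.0/16"   # private (RFC 1918)
          - "169.254.0.0/16"   # link-local / APIPA
          - "100.64.0.0/10"    # CGNAT shared address space
          # Documentation-only ranges (RFC 5737); they should never show up
          # as real sources, so these entries only matter in a lab.
          - "203.0.113.0/24"   # TEST-NET-3
          - "192.0.2.0/24"     # TEST-NET-1
          - "198.51.100.0/24"  # TEST-NET-2
          # Quoted: a value that starts with ':' is fragile as a plain scalar.
          - "::1"              # IPv6 loopback
          - "fc00::/7"         # IPv6 unique local addresses (ULA)
          - "fe80::/10"        # IPv6 link-local

        # Role-wide ban policy: 3 failures within 30 minutes -> 1 hour ban.
        # Presumably rendered as the [DEFAULT] values; confirm in the role.
        fail2ban_bantime: "1h"
        fail2ban_findtime: "30m"
        fail2ban_maxretry: 3

        fail2ban_custom_jail_files:
          # This will create /etc/fail2ban/jail.d/sshd-strict.conf
          - name: sshd-strict
            # NOTE(review): findtime = 300 (5 minutes) is a shorter window
            # than the 30m set above and bantime = 3600 equals the 1h set
            # above, so this jail is not stricter than the role-wide policy:
            # a client that stays under 3 failures per 5 minutes is caught
            # only if another sshd jail is enabled. Confirm intended values.
            # NOTE(review): fail2ban documents `logpath` as not valid with
            # `backend = systemd`; `logpath = journal` looks redundant.
            # Verify against the fail2ban version in use before dropping it.
            # Keep every line of the INI body at the same indent: the parser
            # would presumably treat an indented line as a continuation.
            content: |
              [sshd-strict]
              enabled = true
              filter = sshd
              port = ssh
              logpath = journal
              backend = systemd
              maxretry = 3
              bantime = 3600
              findtime = 300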