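---
# Fail2ban Configuration
#
# Installs fail2ban, renders its main, default-jail and custom-jail
# configuration from templates, adds custom filters and a notification
# action, enables the service, reads back the jail status, and installs
# logrotate and systemd-override drop-ins.
#
# Configuration tasks notify the "restart fail2ban" handler (defined outside
# this file); handlers normally run at the end of the play, so the status
# tasks below flush them first to report the freshly applied configuration.

- name: Install fail2ban
  package:
    name: fail2ban
    state: present
  tags:
    - fail2ban
    - packages

# Only jail.d is created here; filter.d and action.d are expected to be
# shipped by the package.
- name: Create fail2ban configuration directory
  file:
    path: /etc/fail2ban/jail.d
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - fail2ban
    - directories

- name: Configure fail2ban main settings
  template:
    src: fail2ban.local.j2
    dest: /etc/fail2ban/fail2ban.local
    owner: root
    group: root
    mode: '0644'
    backup: true
  notify: restart fail2ban
  tags:
    - fail2ban
    - config

- name: Configure fail2ban default jail settings
  template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    owner: root
    group: root
    mode: '0644'
    backup: true
  notify: restart fail2ban
  tags:
    - fail2ban
    - config
    - jail

- name: Create custom fail2ban jails
  template:
    src: custom-jails.local.j2
    dest: /etc/fail2ban/jail.d/custom-jails.local
    owner: root
    group: root
    mode: '0644'
    backup: true
  notify: restart fail2ban
  tags:
    - fail2ban
    - jails
    - custom

# The filter templates hold the failregex patterns fail2ban matches against
# log lines. A wrong pattern either misses attacks or bans legitimate
# clients, so review them as carefully as the jail settings. "backup: true"
# keeps the previous filter on disk, matching the config tasks above.
- name: Create custom fail2ban filters
  template:
    src: "{{ item }}.conf.j2"
    dest: "/etc/fail2ban/filter.d/{{ item }}.conf"
    owner: root
    group: root
    mode: '0644'
    backup: true
  loop:
    - nginx-limit-req
    - nginx-http-auth
    - php-framework
  notify: restart fail2ban
  tags:
    - fail2ban
    - filters

- name: Create fail2ban action for PHP Framework
  template:
    src: php-framework-action.conf.j2
    dest: /etc/fail2ban/action.d/php-framework-notify.conf
    owner: root
    group: root
    mode: '0644'
    backup: true
  notify: restart fail2ban
  tags:
    - fail2ban
    - actions

- name: Ensure fail2ban service is enabled and running
  service:
    name: fail2ban
    state: started
    enabled: true
  tags:
    - fail2ban
    - service

# Run any pending "restart fail2ban" now, otherwise the status checks below
# would query the daemon while it still runs the previous configuration.
# NOTE(review): tag handling for meta tasks differs between Ansible
# releases — confirm this task is not skipped under "--tags status".
- name: Apply pending fail2ban restart before reading status
  meta: flush_handlers
  tags:
    - fail2ban
    - status

- name: Check fail2ban status
  command: fail2ban-client status
  register: fail2ban_status
  changed_when: false
  tags:
    - fail2ban
    - status

# argv passes the jail name as a single argument instead of splicing it
# into a command string, so a name containing whitespace or shell-like
# characters can neither be split into extra arguments nor mis-parsed.
- name: Display fail2ban jail status
  command:
    argv:
      - fail2ban-client
      - status
      - "{{ item.name }}"
  register: jail_status
  changed_when: false
  loop: "{{ fail2ban_jails }}"
  when: item.enabled | bool
  tags:
    - fail2ban
    - status
    - jails

- name: Create fail2ban log rotation
  template:
    src: fail2ban-logrotate.j2
    dest: /etc/logrotate.d/fail2ban
    owner: root
    group: root
    mode: '0644'
  tags:
    - fail2ban
    - logrotate

# The drop-in directory is not created by the package; the template task
# below fails on a host where it does not exist yet.
- name: Create fail2ban systemd override directory
  file:
    path: /etc/systemd/system/fail2ban.service.d
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - fail2ban
    - systemd

- name: Configure fail2ban systemd service override
  template:
    src: fail2ban-override.conf.j2
    dest: /etc/systemd/system/fail2ban.service.d/override.conf
    owner: root
    group: root
    mode: '0644'
    backup: true
  notify:
    - reload systemd
    - restart fail2ban
  tags:
    - fail2ban
    - systemd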