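---
# fail2ban tasks for dnf-based hosts (tagged centos/rhel): install the
# packages, deploy the local configuration, load a custom SELinux policy
# module, and make sure fail2ban and firewalld are running.

- name: fail2ban_el | Install fail2ban packages
  ansible.builtin.dnf:
    # Package list comes from the f2b_packages_el variable (defined outside
    # this file).
    name: "{{ f2b_packages_el }}"
    state: present
  notify:
    - Enable and start fail2ban
    - Enable and start firewalld
  tags:
    - fail2ban
    - centos
    - rhel

# Both configuration files are root-owned and read-only (0444); changes are
# meant to come from the templates, and each change reloads fail2ban.
- name: fail2ban_el | Install fail2ban local config
  ansible.builtin.template:
    src: fail2ban.local.j2
    dest: /etc/fail2ban/fail2ban.local
    owner: root
    group: root
    mode: "0444"
  notify: Reload fail2ban
  tags:
    - fail2ban

- name: fail2ban_el | Install fail2ban jail custom configuration
  ansible.builtin.template:
    src: jail-d-customization.local.j2
    dest: /etc/fail2ban/jail.d/customization.local
    owner: root
    group: root
    mode: "0444"
  notify: Reload fail2ban
  tags:
    - fail2ban

# The type-enforcement source is copied to the host and the result is
# registered so the next task can rebuild the module only when it changed.
# NOTE(review): the .te content is not visible here; its allow rules widen
# what the confined fail2ban domain may do, so review them with the same care
# as this playbook.
- name: fail2ban_el | Install the selinux policy file for fail2ban
  ansible.builtin.copy:
    src: fail2ban-journal-sepol.te
    dest: /usr/local/etc/fail2ban-journal-sepol.te
    owner: root
    group: root
    mode: "0644"
  register: fail2ban_selinux_policy
  tags:
    - fail2ban
    - selinux

# Compile (.te -> .mod), package (.mod -> .pp) and load the policy module.
# There is deliberately no `creates:` guard on the .pp file: the .pp left by
# an earlier run would make this task skip whenever the .te source is updated,
# so the host would keep enforcing the stale policy. The `when` condition
# alone keeps the task idempotent.
# NOTE(review): if `semodule -i` fails after the .pp has been written, the
# next run skips this task because the .te is unchanged; consider checking
# that the module is actually loaded.
- name: fail2ban_el | Activate the selinux policy for fail2ban
  ansible.builtin.shell: >
    checkmodule -M -m
    -o /usr/local/etc/fail2ban-journal-sepol.mod
    /usr/local/etc/fail2ban-journal-sepol.te
    && semodule_package
    -o /usr/local/etc/fail2ban-journal-sepol.pp
    -m /usr/local/etc/fail2ban-journal-sepol.mod
    && semodule -i /usr/local/etc/fail2ban-journal-sepol.pp
  when: fail2ban_selinux_policy is changed  # noqa: no-handler
  tags:
    - fail2ban
    - selinux

# Runs on every play, independently of the install handlers, so both services
# are started and enabled at boot even when no package was installed.
- name: fail2ban_el | Ensure that fail2ban and firewalld are started and enabled
  ansible.builtin.service:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - fail2ban
    - firewalld
  tags:
    - fail2ban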