authorJesse Luehrs <doy@tozt.net>2019-02-19 02:36:58 -0500
committerJesse Luehrs <doy@tozt.net>2019-02-19 02:36:58 -0500
commit66bdc0aa2a29678f7628270ca50a1ce8fcd205fb (patch)
treec2cfffdd4f2b2ad3f4d497d3d93c17c2e0d38797 /modules/fail2ban
parentba115c88c5f93561b6f521d6dc232c7c6d85801b (diff)
configure fail2ban separately for each host
since mail isn't going to be running nginx directly
Diffstat (limited to 'modules/fail2ban')
-rw-r--r--modules/fail2ban/files/jail.local8
-rw-r--r--modules/fail2ban/files/nginx-botsearch.conf3
-rw-r--r--modules/fail2ban/files/sshd.conf3
-rw-r--r--modules/fail2ban/manifests/jail.pp13
4 files changed, 19 insertions, 8 deletions
diff --git a/modules/fail2ban/files/jail.local b/modules/fail2ban/files/jail.local
index 00329d7..574fe43 100644
--- a/modules/fail2ban/files/jail.local
+++ b/modules/fail2ban/files/jail.local
@@ -1,10 +1,2 @@
[DEFAULT]
bantime = 1d
-
-[sshd]
-enabled = true
-ignoreip = 10.19.49.0/24
-
-[nginx-botsearch]
-enabled = true
-logpath = /var/log/nginx/*.log
diff --git a/modules/fail2ban/files/nginx-botsearch.conf b/modules/fail2ban/files/nginx-botsearch.conf
new file mode 100644
index 0000000..6389ef6
--- /dev/null
+++ b/modules/fail2ban/files/nginx-botsearch.conf
@@ -0,0 +1,3 @@
+[nginx-botsearch]
+enabled = true
+logpath = /var/log/nginx/*.log
diff --git a/modules/fail2ban/files/sshd.conf b/modules/fail2ban/files/sshd.conf
new file mode 100644
index 0000000..8e3b6f6
--- /dev/null
+++ b/modules/fail2ban/files/sshd.conf
@@ -0,0 +1,3 @@
+[sshd]
+enabled = true
+ignoreip = 10.19.49.0/24
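Review bot: The `ignoreip = 10.19.49.0/24` line in the new sshd.conf exempts a whole /24 from SSH bans without a comment saying what that range is. Because this file is the default source for every host that declares the sshd jail, the exemption still applies on all of them even though the jails are now split per host. Failed logins from any address in that range are never banned, so the width of the exemption should be a documented, deliberate choice. I would add a comment above the line such as `# <network name/purpose>: exempt from bans; keep this range as narrow as possible`. Hosts that need a different allowlist can presumably supply their own file through the `source` parameter of `fail2ban::jail`.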
diff --git a/modules/fail2ban/manifests/jail.pp b/modules/fail2ban/manifests/jail.pp
new file mode 100644
index 0000000..4e4ece3
--- /dev/null
+++ b/modules/fail2ban/manifests/jail.pp
@@ -0,0 +1,13 @@
+define fail2ban::jail($source=undef) {
+ include fail2ban
+
+ $_source = $source ? {
+ undef => "puppet:///modules/fail2ban/${name}.conf",
+ default => $source,
+ }
+
+ file { "/etc/fail2ban/jail.d/${name}.conf":
+ source => $_source,
+ require => Package["fail2ban"];
+ }
+}
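Review bot: The `file` resource for `/etc/fail2ban/jail.d/${name}.conf` neither notifies the fail2ban service nor pins ownership and mode. Unless the `fail2ban` class (not visible in this diff) already subscribes its service to jail.d, a new or changed jail is written to disk but not loaded until the next restart, so a host can look protected while the jail is inactive. I would add `notify => Service["fail2ban"],`, assuming the class declares that resource. I would also add `owner => "root", group => "root", mode => "0644",` so the jail file's permissions do not depend on the agent's defaults.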