Ensure fail2ban and logrotate are available on all machines

ansible/roles/base/files/fail2ban-logrotate

@@ -0,0 +1,11 @@
+/var/log/fail2ban.log {
+  weekly
+  rotate 7
+  missingok
+  compress
+  nodateext
+  notifempty
+  postrotate
+    /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+  endscript
+}

ansible/roles/base/files/ssh-jail.conf

@@ -0,0 +1,7 @@
+[sshd]
+enabled  = true
+bantime  = 600
+findtime = 30
+maxretry = 5
+port     = {{ ssh_port }},ssh
+ignoreip = {{ wireguard.cidr }}

ansible/roles/base/files/sshd_config

@@ -1,6 +1,6 @@
 # TCP port to bind to
 # Change to a high/odd port if this server is exposed to the internet directly
-Port 7743
+Port {{ ssh_port }}
 
 {% if expose_ssh %}
 AllowUsers {{ user }}