Add fail2ban for traefik

Remote action coming soon

ansible/roles/traefik/files/docker-compose.yml

@@ -8,5 +8,6 @@ services:
       - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /tmp/traefik-logs:/var/log/traefik
       - ./traefik:/etc/traefik
     restart: unless-stopped

ansible/roles/traefik/files/fail2ban/traefik-filter.conf

@@ -0,0 +1,4 @@
+[Definition]
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" .+$
+ignoreregex =
+mode = normal

ansible/roles/traefik/files/fail2ban/traefik-jail.conf

@@ -0,0 +1,9 @@
+[traefik]
+enabled  = true
+bantime  = 6000
+findtime = 600
+maxretry = 5
+filter   = traefik
+logpath = /tmp/traefik-logs/access.log
+port     = http,https
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}

ansible/roles/traefik/files/logrotate.conf

@@ -0,0 +1,8 @@
+/tmp/traefik-logs/access.log {
+  daily
+  rotate 7
+  missingok
+  compress
+  nodateext
+  notifempty
+}

ansible/roles/traefik/files/traefik.yml

@@ -77,3 +77,9 @@ tls:
 
 pilot:
   dashboard: false
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  filters:
+    statusCodes:
+      - "400-600"