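---
# Installs Fail2ban and iptables, enables the sshd jail, and posts a
# Mattermost message every time an address is banned.
#
# Variables:
#   ssh_port            Port the sshd jail watches and blocks (quoted string).
#   mattermost_webhook  Incoming-webhook URL. Anyone who holds this URL can
#                       post to the channel, so supply it from Ansible Vault
#                       or extra vars instead of committing it here.
- name: Install and configure Fail2ban with Mattermost notifications
  hosts: servers
  become: true

  vars:
    ssh_port: "22"
    mattermost_webhook: ""

  tasks:
    # Stop early instead of deploying a ban action that has no URL to call.
    - name: Verify a Mattermost webhook URL was supplied
      assert:
        that:
          - mattermost_webhook | length > 0
        fail_msg: >-
          mattermost_webhook is empty; supply it from Ansible Vault or
          extra vars rather than committing the URL to this file.
        quiet: true

    - name: Install Fail2ban
      apt:
        name: fail2ban
        state: present
        update_cache: true

    - name: Install iptables
      apt:
        name: iptables
        state: present
        update_cache: true

    - name: Ensure Fail2ban service is started and enabled
      systemd:
        name: fail2ban
        state: started
        enabled: true

    # sshd jail: 3 failures within findtime (600 s) ban the source for
    # bantime (1800 s). The second action line must stay indented so that
    # Fail2ban reads it as a continuation of "action".
    - name: Configure Fail2ban jail.local
      copy:
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: "0644"
        content: |
          [sshd]
          enabled = true
          port = {{ ssh_port }}
          filter = sshd
          maxretry = 3
          findtime = 600
          bantime = 1800
          backend = systemd
          action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP]
                   mattermost
      notify: Restart Fail2ban

    # The rendered file embeds the webhook URL, so it is readable by root
    # only and no_log keeps the URL out of Ansible output and diffs.
    # In actionban the inner JSON quotes are backslash-escaped: unescaped,
    # they end the shell string early and the apostrophe in the message
    # opens an unterminated quote, so the command never runs. The URL is
    # quoted for the same reason, and --max-time bounds a slow webhook.
    - name: Create Mattermost action file
      copy:
        dest: /etc/fail2ban/action.d/mattermost.conf
        owner: root
        group: root
        mode: "0600"
        content: |
          [Definition]
          actionstart =
          actionstop =
          actionban = curl --silent --show-error --max-time 10 -X POST -H "Content-Type: application/json" --data "{\"text\": \"🚨 Fail2ban a banni après trop d'échecs SSH 🚨\"}" "{{ mattermost_webhook }}"
          actionunban =
      no_log: true
      notify: Restart Fail2ban

  handlers:
    - name: Restart Fail2ban
      systemd:
        name: fail2ban
        state: restarted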