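---
# Variables expected from inventory, group_vars or --extra-vars. They are NOT
# redeclared under play `vars:` — `ssh_port: "{{ ssh_port }}"` there makes
# Ansible template the variable from itself and abort with a recursive-loop
# error. The webhook URL is a credential and must not be committed to VCS.
#   ssh_port           - TCP port the SSH daemon listens on
#   mattermost_webhook - Mattermost incoming-webhook URL
- name: Install and configure Fail2ban with Mattermost notifications
  hosts: servers
  become: true
  gather_facts: false

  tasks:
    - name: Check that the required variables are provided
      # Fail early instead of writing a half-templated jail.local.
      assert:
        that:
          - ssh_port is defined
          - mattermost_webhook is defined
        fail_msg: "ssh_port and mattermost_webhook must be set (inventory, group_vars or -e)"

    - name: Install Fail2ban, iptables and curl
      # curl is what the Mattermost action shells out to; without it bans
      # still happen but every notification silently fails.
      apt:
        name:
          - fail2ban
          - iptables
          - curl
        state: present
        update_cache: true

    - name: Ensure Fail2ban service is started and enabled
      systemd:
        name: fail2ban
        state: started
        enabled: true

    - name: Configure Fail2ban jail.local
      copy:
        dest: /etc/fail2ban/jail.local
        owner: root
        group: root
        mode: "0644"
        # Several actions for one jail are written on separate, indented
        # continuation lines of the same `action =` key.
        content: |
          [sshd]
          enabled = true
          port = {{ ssh_port }}
          filter = sshd
          maxretry = 3
          findtime = 600
          bantime = 1800
          backend = systemd
          action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP]
                   mattermost
      notify: Restart Fail2ban

    - name: Create Mattermost action file
      copy:
        dest: /etc/fail2ban/action.d/mattermost.conf
        owner: root
        group: root
        # The rendered file embeds the webhook URL, so keep it root-only.
        mode: "0640"
        content: |
          [Definition]
          actionstart =
          actionstop =
          # <ip> is replaced by Fail2ban with the banned address.
          # -fsS surfaces HTTP errors in the fail2ban log; --max-time keeps
          # an unreachable webhook from stalling the ban action.
          actionban = curl -fsS --max-time 10 -X POST -H "Content-Type: application/json" --data "{\"text\": \"🚨 *$(hostname -s)* : **Fail2ban** a banni l'IP **<ip>** après trop d'échecs SSH 🚨\"}" "{{ mattermost_webhook }}"
          actionunban =
      notify: Restart Fail2ban

  handlers:
    - name: Restart Fail2ban
      systemd:
        name: fail2ban
        state: restarted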