---
- block:
    - name: Install fail2ban
      yum: name={{ fail2ban_packages }} state=present
      notify:
        - Enable and start fail2ban
        - Enable and start firewalld

    - name: Install fail2ban local config
      template: src={{ item }}.j2 dest=/etc/fail2ban/{{ item }} owner=root group=root mode=0444
      with_items: fail2ban.local
      notify: Reload fail2ban

    - name: Install fail2ban jail custom configuration
      template: src=jail-d-{{ item }}.j2 dest=/etc/fail2ban/jail.d/{{ item }} owner=root group=root mode=0444
      with_items: customization.local
      notify: Reload fail2ban

    - name: Install the selinux policy file for fail2ban
      copy: src=fail2ban-journal-sepol.te dest=/usr/local/etc/fail2ban-journal-sepol.te
      register: fail2ban_selinux_policy

    - name: Activate the selinux policy for fail2ban
      shell: checkmodule -M -m -o /usr/local/etc/fail2ban-journal-sepol.mod /usr/local/etc/fail2ban-journal-sepol.te ; semodule_package -o /usr/local/etc/fail2ban-journal-sepol.pp -m /usr/local/etc/fail2ban-journal-sepol.mod ; semodule -i /usr/local/etc/fail2ban-journal-sepol.pp
      args:
        creates: /usr/local/etc/fail2ban-journal-sepol.pp
      when: fail2ban_selinux_policy is changed

    - name: Ensure that fail2ban and firewalld are started and enabled
      service: name={{ item }} state=started enabled=yes
      with_items:
        - fail2ban
        - firewalld

  when: centos_install_epel
  tags:
    - centos
    - rhel
    - fail2ban
    - selinux