94 lines
2.7 KiB
Python
94 lines
2.7 KiB
Python
"""Utilities for ensuring required fail2ban jail configuration files exist.
|
|
|
|
BanGUI requires two custom jails — ``manual-Jail`` and ``blocklist-import``
|
|
— to be present in the fail2ban ``jail.d`` directory. This module provides
|
|
:func:`ensure_jail_configs` which checks each of the four files
|
|
(``*.conf`` template + ``*.local`` override) and creates any that are missing
|
|
with the correct default content.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
from typing import TYPE_CHECKING
|
|
|
|
import structlog
|
|
|
|
if TYPE_CHECKING:
|
|
from pathlib import Path
|
|
|
|
log: structlog.stdlib.BoundLogger = structlog.get_logger()
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Default file contents
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_MANUAL_JAIL_CONF = """\
|
|
[manual-Jail]
|
|
|
|
enabled = false
|
|
filter = manual-Jail
|
|
logpath = /remotelogs/bangui/auth.log
|
|
backend = polling
|
|
maxretry = 3
|
|
findtime = 120
|
|
bantime = 60
|
|
ignoreip = 127.0.0.0/8 ::1 172.16.0.0/12
|
|
"""
|
|
|
|
_MANUAL_JAIL_LOCAL = """\
|
|
[manual-Jail]
|
|
enabled = true
|
|
"""
|
|
|
|
_BLOCKLIST_IMPORT_CONF = """\
|
|
[blocklist-import]
|
|
|
|
enabled = false
|
|
filter =
|
|
logpath = /dev/null
|
|
backend = auto
|
|
maxretry = 1
|
|
findtime = 1d
|
|
bantime = 86400
|
|
ignoreip = 127.0.0.0/8 ::1 172.16.0.0/12
|
|
"""
|
|
|
|
_BLOCKLIST_IMPORT_LOCAL = """\
|
|
[blocklist-import]
|
|
enabled = true
|
|
"""
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# File registry: (filename, default_content)
|
|
# ---------------------------------------------------------------------------
|
|
|
|
_JAIL_FILES: list[tuple[str, str]] = [
|
|
("manual-Jail.conf", _MANUAL_JAIL_CONF),
|
|
("manual-Jail.local", _MANUAL_JAIL_LOCAL),
|
|
("blocklist-import.conf", _BLOCKLIST_IMPORT_CONF),
|
|
("blocklist-import.local", _BLOCKLIST_IMPORT_LOCAL),
|
|
]
|
|
|
|
|
|
def ensure_jail_configs(jail_d_path: Path) -> None:
|
|
"""Ensure the required fail2ban jail configuration files exist.
|
|
|
|
Checks for ``manual-Jail.conf``, ``manual-Jail.local``,
|
|
``blocklist-import.conf``, and ``blocklist-import.local`` inside
|
|
*jail_d_path*. Any file that is missing is created with its default
|
|
content. Existing files are **never** overwritten.
|
|
|
|
Args:
|
|
jail_d_path: Path to the fail2ban ``jail.d`` directory. Will be
|
|
created (including all parents) if it does not already exist.
|
|
"""
|
|
jail_d_path.mkdir(parents=True, exist_ok=True)
|
|
|
|
for filename, default_content in _JAIL_FILES:
|
|
file_path = jail_d_path / filename
|
|
if file_path.exists():
|
|
log.debug("jail_config_already_exists", path=str(file_path))
|
|
else:
|
|
file_path.write_text(default_content, encoding="utf-8")
|
|
log.info("jail_config_created", path=str(file_path))
|