---
- name: "install fail2ban"
  ansible.builtin.apt:
    name: "fail2ban"

- name: "configure fail2ban"
  ansible.builtin.template:
    src: "./jail.local.j2"
    dest: "/etc/fail2ban/jail.local"
    mode: 0644
  register: system_base_fail2ban_conf

- name: "configure fail2ban sshd jail"
  ansible.builtin.template:
    src: "./jail.d/sshd.local.j2"
    dest: "/etc/fail2ban/jail.d/sshd.local"
    mode: 0644
  register: system_base_fail2ban_sshd_jail

- name: "enable fail2ban"
  ansible.builtin.systemd:
    name: "fail2ban"
    enabled: true

- name: "start fail2ban"
  ansible.builtin.systemd:
    name: "fail2ban"
    state: "started"
  register: system_base_fail2ban_start

- name: "restart fail2ban"
  ansible.builtin.systemd:
    name: "fail2ban"
    state: "restarted"
  when:
    (system_base_fail2ban_conf.changed or
    system_base_fail2ban_sshd_jail.changed) and
    not system_base_fail2ban_start.changed