From 9d456f01b9ef62193a864f8f2c8a81b563c0f51b Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 24 Mar 2017 18:44:23 +0000
Subject: [PATCH 1/1] Exempt out web server from nominatim fail2ban jail

---
 cookbooks/fail2ban/providers/jail.rb | 3 ++-
 cookbooks/fail2ban/resources/jail.rb | 1 +
 cookbooks/fail2ban/templates/default/jail.erb | 3 +++
 cookbooks/nominatim/recipes/default.rb | 5 +++++
 4 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/cookbooks/fail2ban/providers/jail.rb b/cookbooks/fail2ban/providers/jail.rb
index 8adcea11c..e12ad22ef 100644
--- a/cookbooks/fail2ban/providers/jail.rb
+++ b/cookbooks/fail2ban/providers/jail.rb
@@ -35,7 +35,8 @@ action :create do
 :logpath => new_resource.logpath,
 :protocol => new_resource.protocol,
 :ports => new_resource.ports,
- :maxretry => new_resource.maxretry
+ :maxretry => new_resource.maxretry,
+ :ignoreips => new_resource.ignoreips
 end
 end
diff --git a/cookbooks/fail2ban/resources/jail.rb b/cookbooks/fail2ban/resources/jail.rb
index f51e06188..65d1d3b51 100644
--- a/cookbooks/fail2ban/resources/jail.rb
+++ b/cookbooks/fail2ban/resources/jail.rb
@@ -26,6 +26,7 @@ attribute :logpath, :kind_of => String
 attribute :protocol, :kind_of => String
 attribute :ports, :kind_of => Array, :default => []
 attribute :maxretry, :kind_of => Integer
+attribute :ignoreips, :kind_of => Array
 
 def after_created
 notifies :reload, "service[fail2ban]"
diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb
index 08fb7ed16..c155e0f6c 100644
--- a/cookbooks/fail2ban/templates/default/jail.erb
+++ b/cookbooks/fail2ban/templates/default/jail.erb
@@ -11,3 +11,6 @@ logpath = <%= @logpath %>
 <% if @maxretry -%>
 maxretry = <%= @maxretry %>
 <% end -%>
+<% if @ignoreips -%>
+ignoreip = <%= @ignoreips.join(",") %>
+<% end -%>
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 22947a06d..19e48909f 100644
--- a/cookbooks/nominatim/recipes/default.rb
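Review bot: `attribute :ignoreips, :kind_of => Array` is declared without a default, unlike `:ports` two lines above, so the template receives `nil` whenever a caller omits it and only a truthiness check in the template keeps an `ignoreip =` line out of the jail file. Because `[]` is truthy in Ruby, a caller that passes an empty list (which the nominatim recipe in this same patch will do whenever its node search returns no frontends) still renders `ignoreip = ` with nothing after it. I would give the attribute `:default => []` here for consistency with `:ports`, and in the cookbooks/fail2ban/templates/default/jail.erb hunk replace the nil check with `<% unless @ignoreips.empty? -%>` so that both an omitted and an empty list produce no ignoreip line.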
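Review bot: `ignoreip = <%= @ignoreips.join(",") %>` writes a comma-separated list, but fail2ban's own jail.conf documents `ignoreip` as a whitespace-separated list of addresses, CIDR masks or hostnames; accepting a comma as an additional separator only arrived in a later release as far as I recall, so on an older fail2ban the joined string may be parsed as a single unresolvable entry and the exemption silently not applied. Joining with a space is accepted by every version: `ignoreip = <%= @ignoreips.join(" ") %>`. After a converge, `fail2ban-client get nominatim ignoreip` shows what the running jail actually loaded and is the quickest way to confirm the list took effect.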
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -352,6 +352,10 @@ end
 
 include_recipe "fail2ban"
 
+web_servers = search(:node, "recipes:web\\:\\:frontend").collect do |n| # ~FC010
+ n.ipaddresses(:role => :external)
+end.flatten
+
 fail2ban_filter "nominatim" do
 failregex '^ - - \[\] "[^"]+" (400|429) '
 end
@@ -361,6 +365,7 @@ fail2ban_jail "nominatim" do
 logpath "/var/log/apache2/nominatim.openstreetmap.org-access.log"
 ports [80, 443]
 maxretry 100
+ ignoreips web_servers
 end
 
 munin_plugin_conf "nominatim" do
-- 
2.43.2
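Review bot: Nothing guards the case where `search(:node, "recipes:web\\:\\:frontend")` returns no frontend nodes (an empty or lagging search index, or a converge before the frontends have registered): `web_servers` is then `[]`, which the jail template's truthiness check does not catch, so an empty `ignoreip =` is written rather than the exemption being skipped. The `collect do |n| ... end.flatten` chain is also the long form of `flat_map`, and hanging `.flatten` off a `do ... end` block is easy to misread; `web_servers = search(:node, "recipes:web\\:\\:frontend").flat_map { |n| n.ipaddresses(:role => :external) } # ~FC010` says the same in one line. From a hardening point of view, every node whose run list matches that search is exempted from the nominatim jail on each converge, so the list is only as trustworthy as the node index and should be revisited when frontends are retired or repurposed. If `ipaddresses(:role => :external)` can also yield IPv6 addresses, it is worth confirming that the installed fail2ban accepts them in `ignoreip`; older releases only handled IPv4 there, as far as I recall.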