--- - name: Install fail2ban ansible.builtin.apt: name: fail2ban state: present update_cache: true - name: Configure the sshd jail ansible.builtin.template: src: fail2ban_sshd.local.j2 dest: /etc/fail2ban/jail.d/sshd.local owner: root group: root mode: "0644" notify: restart fail2ban - name: Enable and start fail2ban ansible.builtin.service: name: fail2ban enabled: true state: started # In --check on a host without fail2ban yet, the package isn't really installed, so the # service lookup fails. Skip the start in check mode (the install + jail are still # previewed); a real deploy installs then starts it. when: not ansible_check_mode