--- a/modules/fail2ban/files/ibb-apache-ip-block.conf	Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/files/ibb-apache-ip-block.conf	Wed May 27 19:00:28 2020 +0100
@@ -3,6 +3,10 @@
 # with PROXY protocol support so we can see the originating
 # IPv4 address
 
+[Init]
+# Blank chain by default
+chain =
+
 [Definition]
 
 actionstart =
@@ -11,6 +15,6 @@
 
 actioncheck =
 
-actionban = /usr/local/bin/apache-ip-ban ban <ip>
+actionban = /usr/local/bin/apache-ip-ban ban <ip> <chain>
 
-actionunban = /usr/local/bin/apache-ip-ban unban <ip>
+actionunban = /usr/local/bin/apache-ip-ban unban <ip> <chain>

--- a/modules/fail2ban/files/jail.local	Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/files/jail.local	Wed May 27 19:00:28 2020 +0100
@@ -56,11 +56,14 @@
 findtime = 86400
 bantime  = 604800
 
+# Repeat offenders only operates on Apache because we're not
+# seeing much on anything else anymore (or we can't filter
+# because of IPv6-to-v4 proxying)
 [repeat-offenders]
 enabled  = true
 maxretry = 2
 filter   = ibb-repeat-offender
-action   = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+action   = ibb-apache-ip-block[chain=repeat]
 logpath  = /var/log/fail2ban.log
 findtime = 2592000
 bantime  = 2592000

--- a/modules/fail2ban/manifests/init.pp	Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/manifests/init.pp	Wed May 27 19:00:28 2020 +0100
@@ -38,6 +38,16 @@
 		ensure => present,
 		seltype => 'httpd_config_t',
 	}
+	# Create an empty repeat banlist file if it doesn't exist
+	exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_repeat_banlist.db':
+		path => '/usr/bin',
+		unless => 'test -f /etc/httpd/conf.custom/apache_repeat_banlist.db',
+		before => Service['httpd'],
+	}
+	file { '/tmp/apache_repeat_banlist.txt':
+		ensure => present,
+		seltype => 'httpd_config_t',
+	}
 	# And let the httxt2dbm process work the rest of the time
 	file { '/etc/selinux/apache-ip-banlist.pp':
 		source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',