Fail2ban runs as a Pacemaker-managed resource, colocated with ha-nginx-proxy on the active node. It is installed on both nodes but never enabled in systemd — Pacemaker owns the lifecycle.
ha-nfs-mount → ha-nginx-proxy → ha-fail2ban
sudo pcs resource create ha-fail2ban systemd:fail2ban \
    op monitor interval=30s
sudo pcs constraint order ha-nfs-mount then ha-fail2ban
sudo pcs constraint order ha-nginx-proxy then ha-fail2ban
sudo pcs constraint colocation add ha-fail2ban with ha-nginx-proxy score=INFINITY
sudo pcs status
sudo pcs constraint show
Never run systemctl enable fail2ban: Pacemaker manages start/stop.
Use pcs resource restart ha-fail2ban, not systemctl restart.
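
A per-node drift check for the rule above, as an added example that is not part of the original page: it flags a fail2ban unit that has been enabled in systemd, or that is running on a node that does not hold ha-fail2ban. The function names are hypothetical, and the `crm_resource --locate` line format ("resource NAME is running on: NODE") is an assumption to confirm against your Pacemaker version.

```shell
#!/bin/sh
# Added example: audit one node for fail2ban lifecycle drift.

# Extract the node name from `crm_resource --locate` output on stdin.
# Assumed line format: "resource ha-fail2ban is running on: node1"
# Prints nothing when the resource is reported as not running.
located_node() {
    sed -n 's/^resource .* is running on: *\([^ ]*\).*$/\1/p' | head -n 1
}

# Inputs are plain strings so the logic can be exercised offline.
#   $1 = output of `systemctl is-enabled fail2ban`
#   $2 = output of `systemctl is-active fail2ban`
#   $3 = node holding ha-fail2ban according to Pacemaker (empty if stopped)
#   $4 = name of the node being audited
audit_fail2ban() {
    enabled=$1; active=$2; owner=$3; self=$4
    rc=0
    # Pacemaker starts the unit itself, so systemd must report "disabled".
    # "enabled" starts fail2ban at boot outside the ordering constraints;
    # "masked" would stop Pacemaker from starting it at all.
    if [ "$enabled" != disabled ]; then
        echo "FAIL: unit is '$enabled' in systemd, expected 'disabled'"
        rc=1
    fi
    if [ -n "$owner" ] && [ "$owner" = "$self" ]; then
        if [ "$active" != active ]; then
            echo "FAIL: ha-fail2ban is placed on $self but fail2ban is '$active'"
            rc=1
        fi
    elif [ "$active" = active ]; then
        echo "FAIL: fail2ban is active on $self, which does not hold ha-fail2ban"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $self"
    return "$rc"
}

# Live run, only on a host that has the cluster tools installed.
if command -v crm_resource >/dev/null 2>&1 && command -v systemctl >/dev/null 2>&1; then
    audit_fail2ban \
        "$(systemctl is-enabled fail2ban 2>/dev/null)" \
        "$(systemctl is-active fail2ban 2>/dev/null)" \
        "$(crm_resource --resource ha-fail2ban --locate 2>/dev/null | located_node)" \
        "$(crm_node -n 2>/dev/null)" \
        || echo "drift detected on this node" >&2
fi
```

Run it on both nodes: the standby should report OK with fail2ban inactive, and the active node should report OK with fail2ban active.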