ansible-personal/roles/common/templates/update-firehol-nftables.sh.j2

#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
# 
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only

# Exit on first error
set -o errexit

firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft

function download() {
    echo "Downloading $1"
    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}

download firehol_level1.netset

if [[ -f "firehol_level1.netset" ]]; then
    echo "Processing FireHOL Level 1 list"

    firehol_level1_ipv4_list_temp=$(mktemp)
    firehol_level1_ipv4_set_temp=$(mktemp)

    # Filter blank lines and comments
    cat firehol_level1.netset \
        | sed \
            -e '/^$/d' \
            -e '/^#.*/d' \
        > "$firehol_level1_ipv4_list_temp"

    echo "Building firehol_level1-ipv4 set"
    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f

define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD

    while read -r network; do
        # nftables doesn't mind if the last element in the set has a trailing
        # comma so we don't need to do anything special here.
        echo "$network," >> "$firehol_level1_ipv4_set_temp"
    done < $firehol_level1_ipv4_list_temp

    echo "}" >> "$firehol_level1_ipv4_set_temp"

    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"

    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi

echo "Reloading nftables"
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}
{%   set systemctl_bin = '/bin/systemctl' %}
{% else %}
{%   set systemctl_bin = '/usr/bin/systemctl' %}
{% endif -%}

{{ systemctl_bin }} reload nftables.service

rm -v firehol_level1.netset
roles/common: rework firewall Use firehol instead of all the others. AbuseIPDB.com can't be upd- ated automatically, Abuse.ch is no longer maintained, and Spamhaus is already in firehol. 2025-01-27 23:04:00 +03:00			`#!/usr/bin/env bash`
			`#`
			`# update-firehol-nftables.sh v0.0.1`
			`#`
			`# Download FireHOL lists and load them into nftables sets.`
			`#`
			`# See: https://iplists.firehol.org/`
			`#`
			`# Copyright (C) 2025 Alan Orth`
			`#`
			`# SPDX-License-Identifier: GPL-3.0-only`

			`# Exit on first error`
			`set -o errexit`

			`firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft`

			`function download() {`
			`echo "Downloading $1"`
			`wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"`
			`}`

			`download firehol_level1.netset`

			`if [[ -f "firehol_level1.netset" ]]; then`
			`echo "Processing FireHOL Level 1 list"`

			`firehol_level1_ipv4_list_temp=$(mktemp)`
			`firehol_level1_ipv4_set_temp=$(mktemp)`

			`# Filter blank lines and comments`
			`cat firehol_level1.netset \`
			`\| sed \`
			`-e '/^$/d' \`
			`-e '/^#.*/d' \`
			`> "$firehol_level1_ipv4_list_temp"`

			`echo "Building firehol_level1-ipv4 set"`
			`cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"`
			`#!/usr/sbin/nft -f`

			`define FIREHOL_LEVEL1_IPV4 = {`
			`NFT_HEAD`

			`while read -r network; do`
			`# nftables doesn't mind if the last element in the set has a trailing`
			`# comma so we don't need to do anything special here.`
			`echo "$network," >> "$firehol_level1_ipv4_set_temp"`
			`done < $firehol_level1_ipv4_list_temp`

			`echo "}" >> "$firehol_level1_ipv4_set_temp"`

			`install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"`

			`rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"`
			`fi`

			`echo "Reloading nftables"`
			`{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}`
			`{% set systemctl_bin = '/bin/systemctl' %}`
			`{% else %}`
			`{% set systemctl_bin = '/usr/bin/systemctl' %}`
			`{% endif -%}`

			`{{ systemctl_bin }} reload nftables.service`

			`rm -v firehol_level1.netset`