From 197bdf76663a945a3f5e8906e6ac42a19b2454f2 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 29 Jul 2021 10:05:15 +0300
Subject: [PATCH] roles/common: Start nftables service later

We should only try to start the nftables service after we finish copying all the config files just in case there is some unclean state in one of them. On a first run this shouldn't matter, but after nftables and some abuse list update scripts have run this can happen (mostly in testing!).
---
 roles/common/tasks/firewall_Debian.yml | 12 ++++++------
 roles/common/tasks/firewall_Ubuntu.yml | 8 ++++----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 8d05b34..efe7832 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -27,12 +27,6 @@
 when: ansible_distribution_major_version is version('11', '>=')
 systemd: name=nftables state=started enabled=yes
 
- - name: Copy nftables.conf
- when: ansible_distribution_major_version is version('11', '>=')
- template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
- notify:
- - reload nftables
-
 - name: Create /etc/nftables extra config directory
 when: ansible_distribution_major_version is version('11', '>=')
 file: path=/etc/nftables state=directory owner=root mode=0755
@@ -131,6 +125,12 @@
 when: ansible_distribution_version is version('11', '>=')
 systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
 
+ - name: Copy nftables.conf
+ when: ansible_distribution_major_version is version('11', '>=')
+ template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
+ notify:
+ - reload nftables
+
 - include_tasks: fail2ban.yml
 when: ansible_distribution_major_version is version('9', '>=')
 tags: firewall
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 6486558..11a9625 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
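Review bot: On Debian the ordering the commit message describes is not what the two hunks produce: the `systemd: name=nftables state=started enabled=yes` line kept as context at the top of the first hunk still runs before the `Copy nftables.conf` task that the second hunk moves below the spamhaus timer, so a first run starts nftables with whatever `/etc/nftables.conf` is already on disk (presumably the package default on a fresh host) and the templated ruleset is only loaded when the `reload nftables` handler fires at the end of the play. If any task after the copy fails, the handler never runs and the host keeps that interim ruleset until the next successful run; the Ubuntu file in this same patch moves the start task below the copy instead, and the Debian file should be made to match it. If the early start is intentional, a `- meta: flush_handlers` directly after the moved copy task would at least bound the window. Minor: the added `when:` tests `ansible_distribution_major_version` while the timer task two lines above tests `ansible_distribution_version`; both appear to resolve to the bullseye release, but one consistent form is easier to audit.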
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -29,10 +29,6 @@
 when: ansible_distribution_version is version('16.04', '>=')
 apt: pkg=ufw state=absent
 
- - name: Start and enable nftables
- when: ansible_distribution_version is version('20.04', '>=')
- systemd: name=nftables state=started enabled=yes
-
 - name: Copy nftables.conf
 when: ansible_distribution_version is version('20.04', '>=')
 template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
@@ -116,6 +112,10 @@
 when: ansible_distribution_version is version('20.04', '>=')
 systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
 
+ - name: Start and enable nftables
+ when: ansible_distribution_version is version('20.04', '>=')
+ systemd: name=nftables state=started enabled=yes
+
 - include_tasks: fail2ban.yml
 when: ansible_distribution_version is version('16.04', '>=')
 tags: firewall
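Review bot: Moving `Start and enable nftables` below the config tasks only changes the first run: on every later run the unit is already active, `state=started` is a no-op, and a changed `/etc/nftables.conf` reaches the kernel only through the `reload nftables` handler notified by the copy task, which fires at the end of the play and is skipped if anything after the copy (the spamhaus tasks, the fail2ban include) fails. A `- meta: flush_handlers` directly after the new start task would make the reload happen at the same point on re-runs as the start does on the first run, so a later failure cannot leave a host on a stale ruleset. Also, on a fresh host the ufw removal kept as context at the top of the first hunk (`apt: pkg=ufw state=absent`) now precedes the nftables start by roughly eighty lines; whether the removed ufw leaves its rules loaded in between is not visible here, but it is worth confirming the host is never unfiltered during that stretch. Style: the new task keeps the `key=value` free-form argument style; ansible-lint prefers the block form (`systemd:` with `name: nftables`, `state: started`, `enabled: true`), which this patch could adopt for the lines it touches.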