roles/common: Start nftables service later

We should only try to start the nftables service after we have finished
copying all the config files, in case one of them is in an unclean
state. On a first run this shouldn't matter, but it can happen once
nftables and some of the abuse-list update scripts have already run
(mostly in testing!).
This commit is contained in:
Alan Orth 2021-07-29 10:05:15 +03:00
parent 46fc2ce3d4
commit 197bdf7666
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 10 additions and 10 deletions


@ -27,12 +27,6 @@
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
systemd: name=nftables state=started enabled=yes systemd: name=nftables state=started enabled=yes
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- reload nftables
- name: Create /etc/nftables extra config directory - name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
file: path=/etc/nftables state=directory owner=root mode=0755 file: path=/etc/nftables state=directory owner=root mode=0755
@ -131,6 +125,12 @@
when: ansible_distribution_version is version('11', '>=') when: ansible_distribution_version is version('11', '>=')
systemd: name=update-spamhaus-nftables.timer state=started enabled=yes systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
notify:
- reload nftables
- include_tasks: fail2ban.yml - include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=') when: ansible_distribution_major_version is version('9', '>=')
tags: firewall tags: firewall
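Review bot: In this Debian file the `Start and enable nftables` task at the top of the first hunk stays where it was and it is the `Copy nftables.conf` task that moves down to the second hunk, so the service is still started before /etc/nftables.conf and the /etc/nftables directory exist; on a fresh host the first start loads whatever stock ruleset the package ships, and the templated ruleset only takes effect when the `reload nftables` handler fires at the end of the play. That is the opposite of what the commit message and the Ubuntu file do, and if the play aborts between the two tasks the host is left running the stock rules rather than the intended ones. Moving `- name: Start and enable nftables` / `when: ansible_distribution_major_version is version('11', '>=')` / `systemd: name=nftables state=started enabled=yes` down to just after the relocated copy task, as the Ubuntu file does, keeps the two roles consistent and makes the first start load the intended config. Whether the ruleset template includes files under /etc/nftables that the spamhaus timer generates is not visible here; if it does, the start also has to come after that directory is populated.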


@ -29,10 +29,6 @@
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('16.04', '>=')
apt: pkg=ufw state=absent apt: pkg=ufw state=absent
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
systemd: name=nftables state=started enabled=yes
- name: Copy nftables.conf - name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
@ -116,6 +112,10 @@
when: ansible_distribution_version is version('20.04', '>=') when: ansible_distribution_version is version('20.04', '>=')
systemd: name=update-spamhaus-nftables.timer state=started enabled=yes systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
systemd: name=nftables state=started enabled=yes
- include_tasks: fail2ban.yml - include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=') when: ansible_distribution_version is version('16.04', '>=')
tags: firewall tags: firewall
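Review bot: `state=started` on the relocated `Start and enable nftables` task in the second hunk only loads /etc/nftables.conf on a host where the unit is not yet active, so the reordering fixes the first-run case but not the one the commit message describes (a host where nftables and the abuse-list scripts have already run): there the task is a no-op and a broken config is only noticed when the reload handler runs at the end of the play, presumably via the same `reload nftables` handler the Debian file uses. A guard that covers both cases is to validate the rendered ruleset before it is written, e.g. `template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 validate='nft -c -f %s'` on the `Copy nftables.conf` task in the first hunk, so a ruleset that does not parse never replaces the working file. This assumes `nft` is installed before that task runs and that any `include` statements in the template point at files which already exist at that point — worth confirming against the rest of the file.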