diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 27520c0..7bc6921 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -14,7 +14,7 @@
 apt: pkg={{ debian_firewall_packages }} state=present
 - name: Use iptables backend in firewalld
- when: ansible_distribution_major_version is version('10', '>=')
+ when: ansible_distribution_major_version is version('10', '==')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
 regexp: '^FirewallBackend=nftables$'
@@ -26,7 +26,7 @@
 # backend. Using individual calls seems to work around it.
 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
 - name: Use individual iptables calls
- when: ansible_distribution_major_version is version('10', '>=')
+ when: ansible_distribution_major_version is version('10', '==')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
 regexp: '^IndividualCalls=no$'
@@ -50,6 +50,31 @@
 loop:
 - abusers-ipv4.xml
 - abusers-ipv6.xml
+ - spamhaus-ipv4.xml
+ - spamhaus-ipv6.xml
+ notify:
+ - restart firewalld
+
+ - name: Copy Spamhaus update script
+ when: ansible_distribution_version is version('9', '>=')
+ copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
+
+ - name: Copy Spamhaus systemd units
+ when: ansible_distribution_version is version('9', '>=')
+ copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+ loop:
+ - update-spamhaus-lists.service
+ - update-spamhaus-lists.timer
+ register: spamhaus_systemd_units
+
+ # need to reload to pick up service/timer/environment changes
+ - name: Reload systemd daemon
+ systemd: daemon_reload=yes
+ when: spamhaus_systemd_units is changed
+
+ - name: Start and enable Spamhaus update timer
+ when: ansible_distribution_version is version('9', '>=')
+ systemd: name=update-spamhaus-lists.timer state=started enabled=yes
 notify:
 - restart firewalld
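Review bot: Narrowing the condition to `version('10', '==')` here and in the `Use individual iptables calls` hunk does not undo what the old `>=` condition already wrote on Debian 11+ hosts, because a skipped lineinfile never reverts the line; those hosts presumably keep `FirewallBackend=iptables` and the individual-calls setting until someone edits `/etc/firewalld/firewalld.conf` by hand. If newer releases are meant to run the nftables backend, a companion task guarded by `version('11', '>=')` that restores the default value, or a comment above `Use iptables backend in firewalld` stating that already-configured hosts keep the Debian 10 workaround, would make the change complete. The `line:` value of each lineinfile task lies outside the hunk, so the exact replacement cannot be checked here.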
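Review bot: The two trailing context lines `notify:` / `- restart firewalld` now attach to the new `Start and enable Spamhaus update timer` task rather than to the ipset copy task they originally belonged to, so firewalld gets restarted whenever the timer's state changes; this looks accidental, since the same notify was re-added under the ipset loop at the top of the hunk, and the notify should probably be dropped from the timer task. The version guard on the three new tasks tests `ansible_distribution_version` while the earlier hunks test `ansible_distribution_major_version`; picking one keeps the file consistent. The update script and the two systemd units are not part of this diff, so how the fetched lists are validated before being loaded into the firewall cannot be reviewed here; a one-line comment above `Copy Spamhaus update script` naming the fetch source and the failure behaviour would help the next reader.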