From 38c333045bc834dbe0106bb80403c4a5b82ed6c1 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 24 Jul 2021 23:09:33 +0300
Subject: [PATCH] roles/common: bring Ubuntu firewall changes to Debian 11

Note that there is currently an issue loading the spamhaus rules on Debian 11 when using ipsets with firewalld and the nftables backend. The bug is apparently caused by overlapping CIDR segments, and the solution appears to be that we need to manually aggregate them with a tool like aggregate6 (Python).
See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8
See: https://github.com/job/aggregate6
---
 roles/common/tasks/firewall_Debian.yml | 29 ++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 27520c0..7bc6921 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -14,7 +14,7 @@
 apt: pkg={{ debian_firewall_packages }} state=present
 
 - name: Use iptables backend in firewalld
- when: ansible_distribution_major_version is version('10', '>=')
+ when: ansible_distribution_major_version is version('10', '==')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
 regexp: '^FirewallBackend=nftables$'
@@ -26,7 +26,7 @@
 # backend. Using individual calls seems to work around it.
 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
 - name: Use individual iptables calls
- when: ansible_distribution_major_version is version('10', '>=')
+ when: ansible_distribution_major_version is version('10', '==')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
 regexp: '^IndividualCalls=no$'
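Review bot: Pinning the iptables backend and IndividualCalls to Debian 10 only (`version('10', '==')`) leaves Debian 11 on firewalld's default nftables backend, and the commit message says the spamhaus ipsets added in the third hunk cannot currently be loaded there because of overlapping CIDRs, yet nothing at the task site records that, so the next reader sees an unexplained narrowing of the condition. The same applies to the matching condition in the second hunk. Suggest a comment above the first task such as `# Debian 10 only: Debian 11 stays on the nftables backend, where the spamhaus ipsets currently fail to load (overlapping CIDRs, see commit message)`. Whether firewalld on Debian 11 then starts without those sets (hosts fail open, with no blocklist applied) or refuses to start cannot be told from this hunk; worth verifying before the spamhaus entries are enabled on Debian 11.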
@@ -50,6 +50,31 @@
 loop:
 - abusers-ipv4.xml
 - abusers-ipv6.xml
+ - spamhaus-ipv4.xml
+ - spamhaus-ipv6.xml
+ notify:
+ - restart firewalld
+
+ - name: Copy Spamhaus update script
+ when: ansible_distribution_version is version('9', '>=')
+ copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
+
+ - name: Copy Spamhaus systemd units
+ when: ansible_distribution_version is version('9', '>=')
+ copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+ loop:
+ - update-spamhaus-lists.service
+ - update-spamhaus-lists.timer
+ register: spamhaus_systemd_units
+
+ # need to reload to pick up service/timer/environment changes
+ - name: Reload systemd daemon
+ systemd: daemon_reload=yes
+ when: spamhaus_systemd_units is changed
+
+ - name: Start and enable Spamhaus update timer
+ when: ansible_distribution_version is version('9', '>=')
+ systemd: name=update-spamhaus-lists.timer state=started enabled=yes
 notify:
 - restart firewalld
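Review bot: The three new `when:` conditions test `ansible_distribution_version` while the conditions in the first two hunks test `ansible_distribution_major_version`; on Debian releases that report a point version the two facts may differ (a constructed example: `9.13` against `9`), and `version('9', '>=')` happens to hold for both, so this is a consistency point rather than a bug, but one fact name should be used throughout the file. The pre-existing trailing `notify: - restart firewalld` now hangs off the new "Start and enable Spamhaus update timer" task, while the ipset copy task (which starts above the hunk) got its own notify; restarting firewalld because the timer's started/enabled state changed looks unintended and could be dropped from that task. The update script and the two systemd units are installed here but are not part of this patch, so it cannot be seen what privileges the timer-driven service runs with or how it fetches the lists; since it rewrites firewall ipsets as root, confirm the unit is constrained and that the download is authenticated (HTTPS) before merging.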