From 635bb5234d01c15f50e824a2f1ab9a041a02f67a Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Wed, 8 Sep 2021 09:58:13 +0300
Subject: [PATCH] roles/common: fix logic for copying AbuseIPDB.com nft sets

We have to force these because they are not updated on the host like the other lists (API limit of five requests per day!). We update the list periodically here in git.
---
 roles/common/tasks/firewall_Debian.yml | 12 ++++++------
 roles/common/tasks/firewall_Ubuntu.yml | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index cfba6b3..2caf450 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -36,13 +36,13 @@
 - name: Copy extra nftables configuration files
 when: ansible_distribution_major_version is version('11', '>=')
- copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+ copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
 loop:
- - spamhaus-ipv4.nft
- - spamhaus-ipv6.nft
- - abusech-ipv4.nft
- - abuseipdb-ipv4.nft
- - abuseipdb-ipv6.nft
+ - { src: "spamhaus-ipv4.nft", force: "no" }
+ - { src: "spamhaus-ipv6.nft", force: "no" }
+ - { src: "abusech-ipv4.nft", force: "no" }
+ - { src: "abuseipdb-ipv4.nft", force: "yes" }
+ - { src: "abuseipdb-ipv6.nft", force: "yes" }
 notify:
 - restart nftables
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 8864546..7cac9f5 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
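Review bot: Nothing in the new loop items says why `abuseipdb-*.nft` gets `force: "yes"` while the spamhaus and abusech sets keep `force: "no"`; that rationale exists only in the commit message, and the same applies to the identical hunk in roles/common/tasks/firewall_Ubuntu.yml. Without it a later edit can flip one entry and either clobber a set the host refreshes itself or leave a stale AbuseIPDB list in place, so add a comment above `loop:` such as `# force: the AbuseIPDB sets are maintained in git (API limit of five requests per day) and must overwrite the host copy; the others are refreshed on the host, so the repo file only seeds them.` As a point of style, the `key=value` shorthand on the `copy:` line folds `mode`, `force` and the Jinja lookups into one opaque string; native module args would let `force` carry real booleans and keep `mode: "0644"` quoted against the octal trap, as below. The task's `notify:` list may continue past the end of the hunk.
```yaml
- name: Copy extra nftables configuration files
  # … unchanged: when: …
  copy:
    src: "{{ item.src }}"
    dest: "/etc/nftables/{{ item.src }}"
    owner: root
    group: root
    mode: "0644"
    force: "{{ item.force }}"
  # force: the AbuseIPDB sets are maintained in git (API limit of five
  # requests per day) and must overwrite the host copy; the others are
  # refreshed on the host, so the repo file only seeds them.
  loop:
    - { src: "spamhaus-ipv4.nft", force: false }
    - { src: "spamhaus-ipv6.nft", force: false }
    - { src: "abusech-ipv4.nft", force: false }
    - { src: "abuseipdb-ipv4.nft", force: true }
    - { src: "abuseipdb-ipv6.nft", force: true }
  # … unchanged: notify …
```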
@@ -42,13 +42,13 @@
 - name: Copy extra nftables configuration files
 when: ansible_distribution_version is version('20.04', '>=')
- copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+ copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
 loop:
- - spamhaus-ipv4.nft
- - spamhaus-ipv6.nft
- - abusech-ipv4.nft
- - abuseipdb-ipv4.nft
- - abuseipdb-ipv6.nft
+ - { src: "spamhaus-ipv4.nft", force: "no" }
+ - { src: "spamhaus-ipv6.nft", force: "no" }
+ - { src: "abusech-ipv4.nft", force: "no" }
+ - { src: "abuseipdb-ipv4.nft", force: "yes" }
+ - { src: "abuseipdb-ipv6.nft", force: "yes" }
 notify:
 - restart nftables