roles/common: simplify firewall tasks

Apply firewall tag to included tasks, then we don't need to use a block.
2025-01-27 22:30:50 +03:00 · 2025-01-27 22:30:50 +03:00 · d6e060d3af
commit d6e060d3af
parent b873af004a
3 changed files with 205 additions and 201 deletions
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@ -1,12 +1,20 @@
 ---
 - name: Configure firewall (Debian)
  ansible.builtin.include_tasks: firewall_Debian.yml
  when: ansible_distribution == 'Debian'
  ansible.builtin.include_tasks:
    file: firewall_Debian.yml
    apply:
      tags:
        - firewall
  tags: firewall
 - name: Configure firewall (Ubuntu)
  ansible.builtin.include_tasks: firewall_Ubuntu.yml
  when: ansible_distribution == 'Ubuntu'
  ansible.builtin.include_tasks:
    file: firewall_Ubuntu.yml
    apply:
      tags:
        - firewall
  tags: firewall
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@ -1,115 +1,113 @@
 ---
 # Debian 11+ will use nftables directly, with no firewalld.
- block:
+- name: Install Debian firewall packages
-    - name: Install Debian firewall packages
+  when: ansible_distribution_major_version is version('11', '>=')
-      when: ansible_distribution_major_version is version('11', '>=')
+  ansible.builtin.package:
-      ansible.builtin.package:
+    name:
-        name:
+      - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
+      - nftables
-          - nftables
+      - curl # for nftables update scripts
-          - curl # for nftables update scripts
+    state: present
-        state: present
+    cache_valid_time: 3600
        cache_valid_time: 3600
-    - name: Remove iptables on newer Debian
+- name: Remove iptables on newer Debian
-      when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.apt:
+  ansible.builtin.apt:
-        pkg: iptables
+    pkg: iptables
-        state: absent
+    state: absent
-    - name: Copy nftables.conf
+- name: Copy nftables.conf
-      when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: nftables.conf.j2
+    src: nftables.conf.j2
-        dest: /etc/nftables.conf
+    dest: /etc/nftables.conf
-        owner: root
+    owner: root
-        mode: "0644"
+    mode: "0644"
-      notify:
+  notify:
-        - restart nftables
+    - restart nftables
-        - restart fail2ban
+    - restart fail2ban
-    - name: Create /etc/nftables extra config directory
+- name: Create /etc/nftables extra config directory
-      when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.file:
+  ansible.builtin.file:
-        path: /etc/nftables
+    path: /etc/nftables
-        state: directory
+    state: directory
-        owner: root
+    owner: root
-        mode: "0755"
+    mode: "0755"
-    - name: Copy extra nftables configuration files
+- name: Copy extra nftables configuration files
-      when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.copy:
+  ansible.builtin.copy:
-        src: "{{ item.src }}"
+    src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
+    dest: /etc/nftables/{{ item.src }}
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: "0644"
+    mode: "0644"
-        force: "{{ item.force }}"
+    force: "{{ item.force }}"
-      loop:
+  loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
+    - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
+    - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
+    - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
+    - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
+    - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
+  notify:
-        - restart nftables
+    - restart nftables
-        - restart fail2ban
+    - restart fail2ban
-    - name: Copy nftables update scripts
+- name: Copy nftables update scripts
-      when: ansible_distribution_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
+  ansible.builtin.copy:
-        src: "{{ item }}"
+    src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
+    dest: /usr/local/bin/{{ item }}
-        mode: "0755"
+    mode: "0755"
-        owner: root
+    owner: root
-        group: root
+    group: root
-      loop:
+  loop:
-        - update-spamhaus-nftables.sh
+    - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
+    - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
+    - update-abusech-nftables.sh
-    - name: Copy nftables systemd units
+- name: Copy nftables systemd units
-      when: ansible_distribution_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
+  ansible.builtin.copy:
-        src: "{{ item }}"
+    src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
+    dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
+    mode: "0644"
-        owner: root
+    owner: root
-        group: root
+    group: root
-      loop:
+  loop:
-        - update-spamhaus-nftables.service
+    - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
+    - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
+    - update-abusech-nftables.service
-        - update-abusech-nftables.timer
+    - update-abusech-nftables.timer
-      register: nftables_systemd_units
+  register: nftables_systemd_units
-    # need to reload to pick up service/timer/environment changes
+# need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
+- name: Reload systemd daemon
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        daemon_reload: true
+    daemon_reload: true
-      when: nftables_systemd_units is changed
+  when: nftables_systemd_units is changed
-    - name: Start and enable nftables update timers
+- name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: "{{ item }}"
+    name: "{{ item }}"
-        state: started
+    state: started
-        enabled: true
+    enabled: true
-      loop:
+  loop:
-        - update-spamhaus-nftables.timer
+    - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
+    - update-abusech-nftables.timer
-    - name: Start and enable nftables
+- name: Start and enable nftables
-      when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: nftables
+    name: nftables
-        state: started
+    state: started
-        enabled: true
+    enabled: true
-    - ansible.builtin.include_tasks: fail2ban.yml
+- ansible.builtin.include_tasks: fail2ban.yml
-      when:
+  when:
-        - ansible_distribution_major_version is version('9', '>=')
+    - ansible_distribution_major_version is version('9', '>=')
  tags: firewall
 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@ -1,114 +1,112 @@
 ---
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
- block:
+- name: Install Ubuntu firewall packages
-    - name: Install Ubuntu firewall packages
+  when: ansible_distribution_version is version('20.04', '>=')
-      when: ansible_distribution_version is version('20.04', '>=')
+  ansible.builtin.package:
-      ansible.builtin.package:
+    name:
-        name:
+      - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
+      - nftables
-          - nftables
+      - curl # for nftables update scripts
-          - curl # for nftables update scripts
+    state: present
-        state: present
+    cache_valid_time: 3600
        cache_valid_time: 3600
-    - name: Remove ufw
+- name: Remove ufw
-      ansible.builtin.package:
+  ansible.builtin.package:
-        name: ufw
+    name: ufw
-        state: absent
+    state: absent
-    - name: Copy nftables.conf
+- name: Copy nftables.conf
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.template:
+  ansible.builtin.template:
-        src: nftables.conf.j2
+    src: nftables.conf.j2
-        dest: /etc/nftables.conf
+    dest: /etc/nftables.conf
-        owner: root
+    owner: root
-        mode: "0644"
+    mode: "0644"
-      notify:
+  notify:
-        - restart nftables
+    - restart nftables
-        - restart fail2ban
+    - restart fail2ban
-    - name: Create /etc/nftables extra config directory
+- name: Create /etc/nftables extra config directory
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.file:
+  ansible.builtin.file:
-        path: /etc/nftables
+    path: /etc/nftables
-        state: directory
+    state: directory
-        owner: root
+    owner: root
-        mode: "0755"
+    mode: "0755"
-    - name: Copy extra nftables configuration files
+- name: Copy extra nftables configuration files
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
+  ansible.builtin.copy:
-        src: "{{ item.src }}"
+    src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
+    dest: /etc/nftables/{{ item.src }}
-        owner: root
+    owner: root
-        group: root
+    group: root
-        mode: "0644"
+    mode: "0644"
-        force: "{{ item.force }}"
+    force: "{{ item.force }}"
-      loop:
+  loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
+    - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
+    - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
+    - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
+    - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
+    - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
+  notify:
-        - restart nftables
+    - restart nftables
-        - restart fail2ban
+    - restart fail2ban
-    - name: Copy nftables update scripts
+- name: Copy nftables update scripts
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
+  ansible.builtin.copy:
-        src: "{{ item }}"
+    src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
+    dest: /usr/local/bin/{{ item }}
-        mode: "0755"
+    mode: "0755"
-        owner: root
+    owner: root
-        group: root
+    group: root
-      loop:
+  loop:
-        - update-spamhaus-nftables.sh
+    - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
+    - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
+    - update-abusech-nftables.sh
-    - name: Copy nftables systemd units
+- name: Copy nftables systemd units
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
+  ansible.builtin.copy:
-        src: "{{ item }}"
+    src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
+    dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
+    mode: "0644"
-        owner: root
+    owner: root
-        group: root
+    group: root
-      loop:
+  loop:
-        - update-spamhaus-nftables.service
+    - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
+    - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
+    - update-abusech-nftables.service
-        - update-abusech-nftables.timer
+    - update-abusech-nftables.timer
-      register: nftables_systemd_units
+  register: nftables_systemd_units
-    # need to reload to pick up service/timer/environment changes
+# need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
+- name: Reload systemd daemon
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        daemon_reload: true
+    daemon_reload: true
-      when: nftables_systemd_units is changed
+  when: nftables_systemd_units is changed
-    - name: Start and enable nftables update timers
+- name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: "{{ item }}"
+    name: "{{ item }}"
-        state: started
+    state: started
-        enabled: true
+    enabled: true
-      loop:
+  loop:
-        - update-spamhaus-nftables.timer
+    - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
+    - update-abusech-nftables.timer
-    - name: Start and enable nftables
+- name: Start and enable nftables
-      when: ansible_distribution_version is version('20.04', '>=')
+  when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
+  ansible.builtin.systemd:
-        name: nftables
+    name: nftables
-        state: started
+    state: started
-        enabled: true
+    enabled: true
-    - ansible.builtin.include_tasks: fail2ban.yml
+- ansible.builtin.include_tasks: fail2ban.yml
-      when:
+  when:
-        - ansible_distribution_version is version('16.04', '>=')
+    - ansible_distribution_version is version('16.04', '>=')
  tags: firewall
 # vim: set sw=2 ts=2: