diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index fcc827e..60939fe 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -10,11 +10,14 @@
 - name: restart firewalld
   systemd: name=firewalld state=restarted
 
-- name: restart fail2ban
-  systemd: name=fail2ban state=restarted
-
 - name: reload systemd
   systemd: daemon_reload=yes
 
 - name: restart nftables
   systemd: name=nftables state=restarted
+
+# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
+# in the order they are defined, not in the order they are listed in the task's
+# notify statement and we must restart fail2ban after updating the firewall.
+- name: restart fail2ban
+  systemd: name=fail2ban state=restarted
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index dc5c4cf..896e7fe 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -34,6 +34,7 @@
   template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Create /etc/nftables extra config directory
   when: ansible_distribution_major_version is version('11', '>=')
@@ -50,6 +51,7 @@
     - { src: "abuseipdb-ipv6.nft", force: "yes" }
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Use iptables backend in firewalld
   when: ansible_distribution_major_version is version('10', '==')
@@ -59,6 +61,7 @@
     line: 'FirewallBackend=iptables'
   notify:
     - restart firewalld
+    - restart fail2ban
 
 # firewalld seems to have an issue with iptables 1.8.2 when using the nftables
 # backend. Using individual calls seems to work around it.
@@ -71,6 +74,7 @@
     line: 'IndividualCalls=yes'
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy firewalld public zone file
   when: ansible_distribution_major_version is version('10', '<=')
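Review bot: The correctness of this fix rests on `restart fail2ban` staying the last handler in the file, which nothing enforces and which anyone appending a handler later can break without any error, while the comment that guards it is phrased as a "note to self" rather than a rule for the next maintainer. I would reword it as a maintainer-facing invariant, e.g. `# KEEP THIS HANDLER LAST. Handlers run in the order they are defined here, not in notify order, and fail2ban must be restarted only after the firewall handlers above have run.` Since every firewall task now notifies this handler, it will fail the play on any host where the fail2ban unit is absent; if fail2ban is optional on some hosts this role targets (not visible from the diff), the handler needs a guard such as a `when:` on the relevant fact or variable. The handler also keeps the `key=value` shorthand for module args; that matches the rest of this file, so I would only change it if the file is converted as a whole.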
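Review bot: The identical `- restart fail2ban` line is appended to the notify list of every firewall task — this hunk and those at -50, -59, -71, -81, -92 and -134 in this file, plus the six hunks in firewall_Ubuntu.yml — giving fourteen hand-maintained copies of one rule, so a task added later that touches the ruleset will silently miss it. A smaller and safer change is to express the dependency once on the handler side: if the Ansible version in use allows handlers to notify other handlers, adding `notify: restart fail2ban` to the `restart nftables` and `restart firewalld` handlers would let these task hunks stay untouched. Separately, the timer tasks (`-134` here and `-114` in firewall_Ubuntu.yml) only start/enable `update-spamhaus-lists.timer` and do not change the ruleset themselves, so the fail2ban restart added there looks unnecessary unless the timer's first run is expected to alter rules before the handlers flush. Each task these hunks modify begins above the hunk, so whether any of them has a `changed_when` that would limit spurious restarts is not visible here.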
@@ -81,6 +85,7 @@
   command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy firewalld ipsets of abusive IPs
   when: ansible_distribution_major_version is version('10', '<=')
@@ -92,6 +97,7 @@
     - spamhaus-ipv6.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy Spamhaus firewalld update script
   when: ansible_distribution_version is version('10', '<=')
@@ -134,6 +140,7 @@
   systemd: name=update-spamhaus-lists.timer state=started enabled=yes
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Start and enable nftables update timers
   when: ansible_distribution_version is version('11', '>=')
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 7cac9f5..71a06fb 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -35,6 +35,7 @@
   template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Create /etc/nftables extra config directory
   when: ansible_distribution_version is version('20.04', '>=')
@@ -51,6 +52,7 @@
     - { src: "abuseipdb-ipv6.nft", force: "yes" }
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Copy firewalld public zone file
   when: ansible_distribution_version is version('18.04', '<=')
@@ -61,6 +63,7 @@
   command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy firewalld ipsets of abusive IPs
   when: ansible_distribution_version is version('18.04', '<=')
@@ -72,6 +75,7 @@
     - spamhaus-ipv6.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy Spamhaus firewalld update script
   when: ansible_distribution_version is version('18.04', '<=')
@@ -114,6 +118,7 @@
   systemd: name=update-spamhaus-lists.timer state=started enabled=yes
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Start and enable nftables update timers
   when: ansible_distribution_version is version('20.04', '>=')