From df26b6c17e929bca05edb698fac343db230161a1 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Tue, 28 Sep 2021 10:45:51 +0300
Subject: [PATCH] roles/common: notify fail2ban after updating firewall

We should always restart fail2ban after updating the firewall. Also note that the order of execution of handlers depends on how they are defined in the handler config, not on the order they are listed in the task's notify statement. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
---
 roles/common/handlers/main.yml | 9 ++++++---
 roles/common/tasks/firewall_Debian.yml | 7 +++++++
 roles/common/tasks/firewall_Ubuntu.yml | 5 +++++
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index fcc827e..60939fe 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -10,11 +10,14 @@
 - name: restart firewalld
   systemd: name=firewalld state=restarted
 
-- name: restart fail2ban
-  systemd: name=fail2ban state=restarted
-
 - name: reload systemd
   systemd: daemon_reload=yes
 
 - name: restart nftables
   systemd: name=nftables state=restarted
+
+# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed # in the order they are defined, not in the order they are listed in the task's # notify statement and we must restart fail2ban after updating the firewall.
+- name: restart fail2ban
+  systemd: name=fail2ban state=restarted
diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index dc5c4cf..896e7fe 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -34,6 +34,7 @@
   template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Create /etc/nftables extra config directory
   when: ansible_distribution_major_version is version('11', '>=')
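Review bot: The new comment on the `restart fail2ban` handler documents the ordering constraint but leaves the enforcement to every future task author, who has to remember to add `- restart fail2ban` next to the firewall handler (this commit edits twelve notify lists to do exactly that, and one missed task silently leaves fail2ban's rules stale). Ansible's `listen` keyword makes the coupling structural: give `restart firewalld` and `restart fail2ban` one shared topic and `restart nftables` and `restart fail2ban` another, and have tasks notify the topic; handlers still run in the order defined in this file, so the "keep it last" rule still holds. I would also rewrite the note-to-self in maintainer voice and carry the link from the commit message into it: `# Keep this handler last: handlers run in definition order, not notify order, and fail2ban must come up after the firewall it adds rules to (presumably because a firewall restart drops its chains). See https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html`. The added lines also keep the `key=value` module-argument form; current Ansible guidance is block YAML (`systemd:` / `name: fail2ban` / `state: restarted`).

```yaml
- name: restart firewalld
  systemd: name=firewalld state=restarted
  listen: firewalld updated

# … unchanged: reload systemd …

- name: restart nftables
  systemd: name=nftables state=restarted
  listen: nftables updated

# Keep this handler last: handlers run in definition order, not notify order,
# and fail2ban must come up after the firewall it adds rules to.
# Tasks notify the topic ("firewalld updated" / "nftables updated") instead of
# listing both handler names.
- name: restart fail2ban
  systemd: name=fail2ban state=restarted
  listen:
    - firewalld updated
    - nftables updated
```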
@@ -50,6 +51,7 @@
     - { src: "abuseipdb-ipv6.nft", force: "yes" }
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Use iptables backend in firewalld
   when: ansible_distribution_major_version is version('10', '==')
@@ -59,6 +61,7 @@
     line: 'FirewallBackend=iptables'
   notify:
     - restart firewalld
+    - restart fail2ban
 
 # firewalld seems to have an issue with iptables 1.8.2 when using the nftables
 # backend. Using individual calls seems to work around it.
@@ -71,6 +74,7 @@
     line: 'IndividualCalls=yes'
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy firewalld public zone file
   when: ansible_distribution_major_version is version('10', '<=')
@@ -81,6 +85,7 @@
   command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy firewalld ipsets of abusive IPs
   when: ansible_distribution_major_version is version('10', '<=')
@@ -92,6 +97,7 @@
     - spamhaus-ipv6.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy Spamhaus firewalld update script
   when: ansible_distribution_version is version('10', '<=')
@@ -134,6 +140,7 @@
   systemd: name=update-spamhaus-lists.timer state=started enabled=yes
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Start and enable nftables update timers
   when: ansible_distribution_version is version('11', '>=')
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 7cac9f5..71a06fb 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -35,6 +35,7 @@
   template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Create /etc/nftables extra config directory
   when: ansible_distribution_version is version('20.04', '>=')
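Review bot: The `restart fail2ban` added to the `update-spamhaus-lists.timer` task (hunk `@@ -134,6 +140,7 @@`) only covers firewall changes Ansible itself makes, but that timer exists precisely to change the firewall between plays, and whatever its script does gets no handler. If the script reloads the whole ruleset rather than just the list it maintains (the script is not visible here), fail2ban's chains and active bans are dropped until the next play or manual restart, which is the same gap this commit closes for the Ansible path. Worth confirming how the script reloads and recording it above the task: `# NOTE: the timer's script also changes the firewall outside Ansible; this handler does not cover it, so the script must not flush fail2ban's rules (or must restart fail2ban itself)`. The task whose `systemd:` line is shown begins before the hunk.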
@@ -51,6 +52,7 @@
     - { src: "abuseipdb-ipv6.nft", force: "yes" }
   notify:
     - restart nftables
+    - restart fail2ban
 
 - name: Copy firewalld public zone file
   when: ansible_distribution_version is version('18.04', '<=')
@@ -61,6 +63,7 @@
   command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy firewalld ipsets of abusive IPs
   when: ansible_distribution_version is version('18.04', '<=')
@@ -72,6 +75,7 @@
     - spamhaus-ipv6.xml
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Copy Spamhaus firewalld update script
   when: ansible_distribution_version is version('18.04', '<=')
@@ -114,6 +118,7 @@
   systemd: name=update-spamhaus-lists.timer state=started enabled=yes
   notify:
     - restart firewalld
+    - restart fail2ban
 
 - name: Start and enable nftables update timers
   when: ansible_distribution_version is version('20.04', '>=')
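Review bot: Adding `restart fail2ban` to the `command: tidy -xml ... public.xml` task (hunk `@@ -61,6 +63,7 @@`) restarts fail2ban on every play run unless the task is already gated by a `changed_when` or a `when: <registered>.changed` outside the hunk, because `command` reports changed unconditionally; the task's opening lines are not shown, so I cannot tell. A fail2ban restart normally tears down and re-creates its firewall rules, so an unconditional one means a brief window without bans plus log noise on each run, and the Debian file carries the same pattern. If no guard exists, register the result of the preceding zone-file copy and gate this task on it, `when: firewalld_public_zone.changed`, or use `changed_when: false` if the tidy is idempotent, so both handlers fire only when the zone really changed. A one-line comment such as `# tidy always reports changed; gated on the template task above so handlers fire only on real changes` would keep that intent visible.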