roles/common: notify fail2ban after updating firewall
We should always restart fail2ban after updating the firewall. Also note that the order of execution of handlers depends on how they are defined in the handler config, not on the order they are listed in the task's notify statement. See: https://docs.ansible.com/ansible/latest/user_guide/playbooks_handlers.html
This commit is contained in:
parent
d92151b8a6
commit
df26b6c17e
@ -10,11 +10,14 @@
|
|||||||
- name: restart firewalld
|
- name: restart firewalld
|
||||||
systemd: name=firewalld state=restarted
|
systemd: name=firewalld state=restarted
|
||||||
|
|
||||||
- name: restart fail2ban
|
|
||||||
systemd: name=fail2ban state=restarted
|
|
||||||
|
|
||||||
- name: reload systemd
|
- name: reload systemd
|
||||||
systemd: daemon_reload=yes
|
systemd: daemon_reload=yes
|
||||||
|
|
||||||
- name: restart nftables
|
- name: restart nftables
|
||||||
systemd: name=nftables state=restarted
|
systemd: name=nftables state=restarted
|
||||||
|
|
||||||
|
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
|
||||||
|
# in the order they are defined, not in the order they are listed in the task's
|
||||||
|
# notify statement and we must restart fail2ban after updating the firewall.
|
||||||
|
- name: restart fail2ban
|
||||||
|
systemd: name=fail2ban state=restarted
|
||||||
|
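Review bot: The new `restart fail2ban` handler at the end of the hunk is written in the `key=value` shorthand; for a handler being added now, prefer native YAML with the fully qualified module name so each argument is a real key that linters can check: `ansible.builtin.systemd:` / `name: fail2ban` / `state: restarted`. The comment above it correctly states that handlers run in definition order, but a dependency encoded only by position is easy to break the next time someone appends another firewall handler below it. If the Ansible version this role targets lets handlers `notify` other handlers, having `restart firewalld` and `restart nftables` carry `notify: restart fail2ban` would make the ordering explicit; otherwise a `listen: firewall updated` topic on the firewall handlers, with `restart fail2ban` still defined last, gets the same effect with one notify name for tasks to remember. Either way `state=restarted` fails on a host where the fail2ban unit is absent, so this assumes the role installs fail2ban before the handlers are flushed.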
@ -34,6 +34,7 @@
|
|||||||
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Create /etc/nftables extra config directory
|
- name: Create /etc/nftables extra config directory
|
||||||
when: ansible_distribution_major_version is version('11', '>=')
|
when: ansible_distribution_major_version is version('11', '>=')
|
||||||
@ -50,6 +51,7 @@
|
|||||||
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Use iptables backend in firewalld
|
- name: Use iptables backend in firewalld
|
||||||
when: ansible_distribution_major_version is version('10', '==')
|
when: ansible_distribution_major_version is version('10', '==')
|
||||||
@ -59,6 +61,7 @@
|
|||||||
line: 'FirewallBackend=iptables'
|
line: 'FirewallBackend=iptables'
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
|
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
|
||||||
# backend. Using individual calls seems to work around it.
|
# backend. Using individual calls seems to work around it.
|
||||||
@ -71,6 +74,7 @@
|
|||||||
line: 'IndividualCalls=yes'
|
line: 'IndividualCalls=yes'
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Copy firewalld public zone file
|
- name: Copy firewalld public zone file
|
||||||
when: ansible_distribution_major_version is version('10', '<=')
|
when: ansible_distribution_major_version is version('10', '<=')
|
||||||
@ -81,6 +85,7 @@
|
|||||||
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Copy firewalld ipsets of abusive IPs
|
- name: Copy firewalld ipsets of abusive IPs
|
||||||
when: ansible_distribution_major_version is version('10', '<=')
|
when: ansible_distribution_major_version is version('10', '<=')
|
||||||
@ -92,6 +97,7 @@
|
|||||||
- spamhaus-ipv6.xml
|
- spamhaus-ipv6.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Copy Spamhaus firewalld update script
|
- name: Copy Spamhaus firewalld update script
|
||||||
when: ansible_distribution_version is version('10', '<=')
|
when: ansible_distribution_version is version('10', '<=')
|
||||||
@ -134,6 +140,7 @@
|
|||||||
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Start and enable nftables update timers
|
- name: Start and enable nftables update timers
|
||||||
when: ansible_distribution_version is version('11', '>=')
|
when: ansible_distribution_version is version('11', '>=')
|
||||||
|
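Review bot: Every firewall-changing task in this file now carries the same two-item notify list (`- restart firewalld` or `- restart nftables` followed by `- restart fail2ban`), which is exactly the kind of duplication the next firewall task will forget. A `listen: firewall updated` topic on `restart firewalld`, `restart nftables` and `restart fail2ban` (fail2ban still defined last so it runs after the firewall) lets each task carry a single `notify: firewall updated` and makes the fail2ban dependency impossible to omit. Separately, `systemd: name=update-spamhaus-lists.timer state=started enabled=yes` near the end of the section now restarts both the firewall and fail2ban whenever the timer is (re)enabled; unless the timer's first run is what populates the ipsets, that is service churn with a brief window in which fail2ban's bans are not in the firewall, so consider whether that task needs to notify at all.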
@ -35,6 +35,7 @@
|
|||||||
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Create /etc/nftables extra config directory
|
- name: Create /etc/nftables extra config directory
|
||||||
when: ansible_distribution_version is version('20.04', '>=')
|
when: ansible_distribution_version is version('20.04', '>=')
|
||||||
@ -51,6 +52,7 @@
|
|||||||
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
- { src: "abuseipdb-ipv6.nft", force: "yes" }
|
||||||
notify:
|
notify:
|
||||||
- restart nftables
|
- restart nftables
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Copy firewalld public zone file
|
- name: Copy firewalld public zone file
|
||||||
when: ansible_distribution_version is version('18.04', '<=')
|
when: ansible_distribution_version is version('18.04', '<=')
|
||||||
@ -61,6 +63,7 @@
|
|||||||
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Copy firewalld ipsets of abusive IPs
|
- name: Copy firewalld ipsets of abusive IPs
|
||||||
when: ansible_distribution_version is version('18.04', '<=')
|
when: ansible_distribution_version is version('18.04', '<=')
|
||||||
@ -72,6 +75,7 @@
|
|||||||
- spamhaus-ipv6.xml
|
- spamhaus-ipv6.xml
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Copy Spamhaus firewalld update script
|
- name: Copy Spamhaus firewalld update script
|
||||||
when: ansible_distribution_version is version('18.04', '<=')
|
when: ansible_distribution_version is version('18.04', '<=')
|
||||||
@ -114,6 +118,7 @@
|
|||||||
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
systemd: name=update-spamhaus-lists.timer state=started enabled=yes
|
||||||
notify:
|
notify:
|
||||||
- restart firewalld
|
- restart firewalld
|
||||||
|
- restart fail2ban
|
||||||
|
|
||||||
- name: Start and enable nftables update timers
|
- name: Start and enable nftables update timers
|
||||||
when: ansible_distribution_version is version('20.04', '>=')
|
when: ansible_distribution_version is version('20.04', '>=')
|
||||||
|
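Review bot: The added `- restart fail2ban` entries carry no explanation of why a firewall change must also restart fail2ban; the reasoning lives only in the commit message and in a comment in the handlers file, so a future cleanup could drop the entry as redundant. A one-line comment above the first `notify:` in this file, such as `# restarting nftables/firewalld drops the chains and sets fail2ban created; restart it so its bans are re-applied`, would pin the intent next to the code. Note that there is still a short unprotected window between the firewall handler and the fail2ban handler, and that a restart re-applies earlier bans only if fail2ban's ban database is enabled (the default in recent releases, but worth confirming against this role's fail2ban configuration).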