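---
# Firewall tasks for Debian hosts.
# Debian 11+ will use nftables directly, with no firewalld.

- name: Install Debian firewall packages
  when: ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.package:
    name:
      - libnet-ip-perl  # for aggregate-cidr-addresses.pl
      - nftables
      - curl  # for nftables update scripts
    state: present
    # apt-specific option; the generic package module passes it through to
    # the underlying apt module.
    cache_valid_time: 3600

# NOTE(review): iptables is removed before nftables.yml is included. Whether
# a ruleset stays active in between depends on the host's prior state and on
# what nftables.yml does -- confirm a play that stops here does not leave the
# host unfiltered.
- name: Remove iptables on newer Debian
  when: ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.apt:
    name: iptables
    state: absent

# Compares the major version, like the two tasks above, so all three Debian
# 11+ steps are gated by the same fact.
- name: Configure nftables
  when: ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.include_tasks: nftables.yml

# NOTE(review): fail2ban is included from Debian 9 on, while nftables is only
# set up here from Debian 11 on. The firewall backend that fail2ban uses on
# Debian 9/10 is presumably configured elsewhere -- verify.
- name: Configure fail2ban
  when:
    - ansible_distribution_major_version is version('9', '>=')
  ansible.builtin.include_tasks: fail2ban.yml

# vim: set sw=2 ts=2: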