#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
# 
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only

# Exit on first error
set -o errexit

firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft

function download() {
    echo "Downloading $1"
    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}

download firehol_level1.netset

if [[ -f "firehol_level1.netset" ]]; then
    echo "Processing FireHOL Level 1 list"

    firehol_level1_ipv4_list_temp=$(mktemp)
    firehol_level1_ipv4_set_temp=$(mktemp)

    # Filter blank lines and comments
    cat firehol_level1.netset \
        | sed \
            -e '/^$/d' \
            -e '/^#.*/d' \
        > "$firehol_level1_ipv4_list_temp"

    echo "Building firehol_level1-ipv4 set"
    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f

define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD

    while read -r network; do
        # nftables doesn't mind if the last element in the set has a trailing
        # comma so we don't need to do anything special here.
        echo "$network," >> "$firehol_level1_ipv4_set_temp"
    done < $firehol_level1_ipv4_list_temp

    echo "}" >> "$firehol_level1_ipv4_set_temp"

    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"

    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi

echo "Reloading nftables"
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}
{%   set systemctl_bin = '/bin/systemctl' %}
{% else %}
{%   set systemctl_bin = '/usr/bin/systemctl' %}
{% endif -%}

{{ systemctl_bin }} reload nftables.service

rm -v firehol_level1.netset