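---
# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
# and Debian 12.
#
# Ordering matters: the ruleset and its include files are placed before the
# update script, its systemd timer and finally the nftables service itself are
# started, so a restart never loads a ruleset that references a missing include.

# Main ruleset. Owner and group are pinned to root so an unprivileged account
# cannot rewrite the file before nftables loads it.
- name: Copy nftables.conf
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - restart nftables
    - restart fail2ban

# Directory for include files referenced from nftables.conf. Root-owned and
# not group/world-writable, matching the other paths managed here.
- name: Create /etc/nftables extra config directory
  ansible.builtin.file:
    path: /etc/nftables
    state: directory
    owner: root
    group: root
    mode: "0755"

# Seed copies of the extra include files. `force: false` leaves an existing
# file alone because the update script below rewrites it on a timer; only a
# first-run copy (file missing) changes anything and triggers the handlers.
- name: Copy extra nftables configuration files
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "/etc/nftables/{{ item.src }}"
    owner: root
    group: root
    mode: "0644"
    force: "{{ item.force }}"
  loop:
    - { src: firehol_level1-ipv4.nft, force: false }
  notify:
    - restart nftables
    - restart fail2ban

# Script run by the update timer; executable, root-owned, not writable by
# anyone else.
- name: Copy nftables update scripts
  ansible.builtin.template:
    src: update-firehol-nftables.sh.j2
    dest: /usr/local/bin/update-firehol-nftables.sh
    mode: "0755"
    owner: root
    group: root

# Clean-up of blocklists, scripts and units from earlier versions of this role.
# The result is registered so that removing unit files under
# /etc/systemd/system also triggers the daemon reload below; otherwise systemd
# keeps the deleted service/timer definitions loaded until the next reboot.
# NOTE(review): if a deprecated timer is still active on a host, deleting its
# unit file does not stop it — confirm whether a preceding stop/disable task is
# needed for hosts upgraded from those versions.
- name: Remove deprecated data and scripts
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/nftables/spamhaus-ipv4.nft
    - /etc/nftables/spamhaus-ipv6.nft
    - /etc/nftables/abuseipdb-ipv4.nft
    - /etc/nftables/abuseipdb-ipv6.nft
    - /etc/nftables/abusech-ipv4.nft
    - /usr/local/bin/update-abusech-nftables.sh
    - /usr/local/bin/update-spamhaus-nftables.sh
    - /etc/systemd/system/update-abusech-nftables.service
    - /etc/systemd/system/update-abusech-nftables.timer
    - /etc/systemd/system/update-spamhaus-nftables.service
    - /etc/systemd/system/update-spamhaus-nftables.timer
    - /usr/local/bin/aggregate-cidr-addresses.pl
  register: nftables_deprecated_files
  notify:
    - restart nftables
    - restart fail2ban

# Service and timer that periodically refresh the FireHOL blocklist. Unit files
# are not executable; mode 0644 root:root is what systemd expects.
- name: Copy nftables systemd units
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/systemd/system/{{ item }}"
    mode: "0644"
    owner: root
    group: root
  loop:
    - update-firehol-nftables.service
    - update-firehol-nftables.timer
  register: nftables_systemd_units

# Reload so systemd picks up added, changed or removed unit files before the
# timer is started. Runs whenever either unit-file task reported a change.
- name: Reload systemd daemon
  ansible.builtin.systemd: # noqa no-handler
    daemon_reload: true
  when: nftables_systemd_units is changed or nftables_deprecated_files is changed

- name: Start and enable nftables update timers
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - update-firehol-nftables.timer

# Started last so the ruleset, include files and timer are all in place first.
- name: Start and enable nftables
  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true

# vim: set sw=2 ts=2: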