ansible-personal/roles/common/tasks/firewall_Debian.yml

---
# Debian 11+ will use nftables directly, with no firewalld.

- block:
    - name: Install Debian firewall packages
      when: ansible_distribution_major_version is version('11', '>=')
      ansible.builtin.package:
        name:
          - libnet-ip-perl # for aggregate-cidr-addresses.pl
          - nftables
          - curl # for nftables update scripts
        state: present
        cache_valid_time: 3600

    - name: Remove iptables on newer Debian
      when: ansible_distribution_major_version is version('11', '>=')
      ansible.builtin.apt:
        pkg: iptables
        state: absent

    - name: Copy nftables.conf
      when: ansible_distribution_major_version is version('11', '>=')
      ansible.builtin.template:
        src: nftables.conf.j2
        dest: /etc/nftables.conf
        owner: root
        mode: "0644"
      notify:
        - restart nftables
        - restart fail2ban

    - name: Create /etc/nftables extra config directory
      when: ansible_distribution_major_version is version('11', '>=')
      ansible.builtin.file:
        path: /etc/nftables
        state: directory
        owner: root
        mode: "0755"

    - name: Copy extra nftables configuration files
      when: ansible_distribution_major_version is version('11', '>=')
      ansible.builtin.copy:
        src: "{{ item.src }}"
        dest: /etc/nftables/{{ item.src }}
        owner: root
        group: root
        mode: "0644"
        force: "{{ item.force }}"
      loop:
        - { src: spamhaus-ipv4.nft, force: "no" }
        - { src: spamhaus-ipv6.nft, force: "no" }
        - { src: abusech-ipv4.nft, force: "no" }
        - { src: abuseipdb-ipv4.nft, force: "yes" }
        - { src: abuseipdb-ipv6.nft, force: "yes" }
      notify:
        - restart nftables
        - restart fail2ban

    - name: Copy nftables update scripts
      when: ansible_distribution_version is version('11', '>=')
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: /usr/local/bin/{{ item }}
        mode: "0755"
        owner: root
        group: root
      loop:
        - update-spamhaus-nftables.sh
        - aggregate-cidr-addresses.pl
        - update-abusech-nftables.sh

    - name: Copy nftables systemd units
      when: ansible_distribution_version is version('11', '>=')
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: /etc/systemd/system/{{ item }}
        mode: "0644"
        owner: root
        group: root
      loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
      register: nftables_systemd_units

    # need to reload to pick up service/timer/environment changes
    - name: Reload systemd daemon
      ansible.builtin.systemd:
        daemon_reload: true
      when: nftables_systemd_units is changed

    - name: Start and enable nftables update timers
      when: ansible_distribution_version is version('11', '>=')
      ansible.builtin.systemd:
        name: "{{ item }}"
        state: started
        enabled: true
      loop:
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.timer

    - name: Start and enable nftables
      when: ansible_distribution_major_version is version('11', '>=')
      ansible.builtin.systemd:
        name: nftables
        state: started
        enabled: true

    - ansible.builtin.include_tasks: fail2ban.yml
      when:
        - ansible_distribution_major_version is version('9', '>=')
  tags: firewall

# vim: set sw=2 ts=2: