Feat(firewall): Prevent `fail2ban` from autostarting

[ansible.git] / playbooks / roles / debian / firewall / tasks / main.yaml

diff --git a/playbooks/roles/debian/firewall/tasks/main.yaml b/playbooks/roles/debian/firewall/tasks/main.yaml
index 29c9bc9fd0c2521bf59ac7077ffe5b9343dba8bc..6288e3d4cd17a3c91d2c3df95208b59d5448d072 100644 (file)
--- a/playbooks/roles/debian/firewall/tasks/main.yaml
+++ b/playbooks/roles/debian/firewall/tasks/main.yaml
@@ -1,13 +1,33 @@
-- name: Install iptables and fail2ban
+- name: Install fail2ban and nftables
   become: true
   apt:
     cache_valid_time: 3600
     install_recommends: no
-    name: ['iptables', 'fail2ban']
+    name: ['fail2ban', 'nftables']
     state: latest
     update_cache: yes
   notify: Restart firewall
 
+- name: "Change /etc/fail2ban/jail.conf (iptables -> nftables)"
+  become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction = iptables-multiport$'
+    line: 'banaction = nftables-multiport'
+  notify: Restart firewall
+- become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction = iptables-multiport-log$'
+    line: 'banaction = nftables-multiport'
+  notify: Restart firewall
+- become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction_allports = iptables-allports$'
+    line: 'banaction_allports = nftables-allports'
+  notify: Restart firewall
+
 - name: Configure Debian firewall
   become: true
   copy:
@@ -26,3 +46,13 @@
     path: /etc/network/functions.phd
     mode: '0640'
   notify: Restart firewall
+
+- name: Remove iptables leftovers
+  become: true
+  file:
+    path: /etc/init.d/iptables.sh
+    state: absent
+
+- name: Prevent fail2ban from autostarting
+  become: true
+  command: update-rc.d fail2ban remove