X-Git-Url: https://git.phdru.name/?a=blobdiff_plain;f=playbooks%2Froles%2Fdebian%2Ffirewall%2Ftasks%2Fmain.yaml;h=6288e3d4cd17a3c91d2c3df95208b59d5448d072;hb=119883da0314743983a0c4ce7c5ecb7892aa18a6;hp=29c9bc9fd0c2521bf59ac7077ffe5b9343dba8bc;hpb=3c5ede3e8a061c1817c429a5332dcf7bc76ec415;p=ansible.git
diff --git a/playbooks/roles/debian/firewall/tasks/main.yaml b/playbooks/roles/debian/firewall/tasks/main.yaml
index 29c9bc9..6288e3d 100644
--- a/playbooks/roles/debian/firewall/tasks/main.yaml
+++ b/playbooks/roles/debian/firewall/tasks/main.yaml
@@ -1,13 +1,33 @@
-- name: Install iptables and fail2ban
+- name: Install fail2ban and nftables
   become: true
   apt:
     cache_valid_time: 3600
     install_recommends: no
-    name: ['iptables', 'fail2ban']
+    name: ['fail2ban', 'nftables']
     state: latest
     update_cache: yes
   notify: Restart firewall
 
+- name: "Change /etc/fail2ban/jail.conf (iptables -> nftables)"
+  become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction = iptables-multiport$'
+    line: 'banaction = nftables-multiport'
+  notify: Restart firewall
+- become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction = iptables-multiport-log$'
+    line: 'banaction = nftables-multiport'
+  notify: Restart firewall
+- become: true
+  lineinfile:
+    path: /etc/fail2ban/jail.conf
+    regexp: '^banaction_allports = iptables-allports$'
+    line: 'banaction_allports = nftables-allports'
+  notify: Restart firewall
+
 - name: Configure Debian firewall
   become: true
   copy:
@@ -26,3 +46,13 @@
     path: /etc/network/functions.phd
     mode: '0640'
   notify: Restart firewall
+
+- name: Remove iptables leftovers
+  become: true
+  file:
+    path: /etc/init.d/iptables.sh
+    state: absent
+
+- name: Prevent fail2ban from autostarting
+  become: true
+  command: update-rc.d fail2ban remove
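Review bot: The three new `lineinfile` tasks will append their `line` to the end of `/etc/fail2ban/jail.conf` whenever the `regexp` matches nothing, because `lineinfile` without `insertafter`/`insertbefore` falls back to appending; the second task's pattern `^banaction = iptables-multiport-log$` is unlikely to exist in the stock file, so `banaction = nftables-multiport` would land inside whatever jail section is last rather than under `[DEFAULT]`, and the first and third tasks behave the same way on any jail.conf that lays these keys out differently. The tasks also edit the package's own conffile, which the next fail2ban upgrade will try to replace, and the second and third tasks have no `name:`. fail2ban layers `/etc/fail2ban/jail.d/*.local` over jail.conf, so a single `copy` drop-in is idempotent, lands in `[DEFAULT]` by construction, and survives upgrades; I would replace all three tasks with the one below.
```yaml
- name: Point fail2ban at nftables (jail.d drop-in instead of editing jail.conf)
  become: true
  copy:
    dest: /etc/fail2ban/jail.d/nftables.local
    mode: '0644'
    content: |
      [DEFAULT]
      banaction = nftables-multiport
      banaction_allports = nftables-allports
  notify: Restart firewall
```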
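Review bot: `command: update-rc.d fail2ban remove` in the last task is not idempotent (it reports `changed` on every run and re-executes unconditionally) and `update-rc.d remove` is the wrong verb for a still-installed service: if the fail2ban package ships `/etc/init.d/fail2ban`, update-rc.d aborts with "exists during rc.d purge (use -f to force)", and on a systemd host it does not touch the native `fail2ban.service` unit at all, so the service would still be enabled. Use the service module instead, which is idempotent and covers both init systems: `- name: Prevent fail2ban from autostarting` / `  become: true` / `  service: {name: fail2ban, enabled: false}`. It is also worth a one-line comment on why a freshly installed fail2ban must not autostart, presumably because the "Restart firewall" handler (defined outside this file) is expected to bring it up after nftables is loaded; confirm that handler ordering before relying on it.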