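---
# Firewall tasks: fail2ban driven by nftables instead of iptables.
# Every task runs privileged (become) and re-triggers the "Restart firewall"
# handler, which is defined outside this file.

- name: Install fail2ban and nftables
  become: true
  apt:
    name:
      - fail2ban
      - nftables
    # "present" rather than "latest": a hardening run must not pull in
    # unreviewed upgrades of the firewall stack as a side effect (this is
    # also what ansible-lint's package-latest rule flags). Upgrades belong
    # to a deliberate patching step, not to every play run.
    state: present
    install_recommends: false
    update_cache: true
    cache_valid_time: 3600
  notify: Restart firewall

# Point fail2ban's default ban actions at nftables.
# backrefs=true matters here: without it, lineinfile appends `line` at the
# end of the file whenever the regexp does not match, so the second run
# (line already converted) or a host whose jail.conf lacks the line would
# grow a stray duplicate. With backrefs, "no match" means "leave untouched",
# which also makes the task idempotent.
# NOTE(review): jail.conf is package-owned; the durable place for these
# overrides is /etc/fail2ban/jail.local or jail.d/*.local - consider moving
# them there instead of editing the shipped file.
- name: "Change /etc/fail2ban/jail.conf (banaction iptables -> nftables)"
  become: true
  lineinfile:
    path: /etc/fail2ban/jail.conf
    # Covers both "iptables-multiport" and "iptables-multiport-log"; both
    # are mapped to nftables-multiport (previously two separate edits that
    # produced the same replacement line).
    regexp: '^(banaction\s*=\s*)iptables-multiport(-log)?\s*$'
    line: '\1nftables-multiport'
    backrefs: true
  notify: Restart firewall

- name: "Change /etc/fail2ban/jail.conf (banaction_allports iptables -> nftables)"
  become: true
  lineinfile:
    path: /etc/fail2ban/jail.conf
    regexp: '^(banaction_allports\s*=\s*)iptables-allports\s*$'
    line: '\1nftables-allports'
    backrefs: true
  notify: Restart firewall

- name: Configure Debian firewall
  become: true
  copy:
    # Ships the role's etc/ tree over the host's /etc.
    src: etc
    dest: /
    owner: root
    group: root
    # 0750 is applied to every copied file, executable bit included; files
    # that are not scripts need a follow-up fix (see the next task).
    directory_mode: '0750'
    mode: '0750'
    # force=false: an existing file is never overwritten, so local edits
    # survive - but so does drift or tampering, and the handler only fires
    # when a file is actually placed. Switch to force=true if this role is
    # meant to be the source of truth for the firewall configuration.
    force: false
  notify: Restart firewall

- name: Fix permissions for /etc/network/functions.phd
  become: true
  file:
    path: /etc/network/functions.phd
    # Presumably a sourced helper rather than an executable (confirm against
    # the file): drop the execute bit set by the blanket 0750 above and keep
    # it unreadable to others.
    mode: '0640'
  notify: Restart firewall

- name: Remove iptables leftovers
  become: true
  file:
    path: /etc/init.d/iptables.sh
    state: absent
  # NOTE(review): if this script was ever registered with update-rc.d, its
  # rc*.d symlinks are left dangling by a plain file removal; an explicit
  # "update-rc.d -f iptables.sh remove" would clean those up as well.

- name: Prevent fail2ban from autostarting
  become: true
  # The service module replaces "command: update-rc.d fail2ban remove".
  # That command is not idempotent (reports changed on every run), refuses
  # to run while /etc/init.d/fail2ban still exists unless forced with -f,
  # and on systemd hosts only touches SysV rc links, not the native unit.
  # Presumably the "Restart firewall" handler brings fail2ban up once the
  # nftables ruleset is loaded - confirm against the handler definition.
  service:
    name: fail2ban
    enabled: false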