# Firewall tasks: nftables ruleset plus a fail2ban jail for sshd.
# Every task below carries the tags `all` and `firewall`.
# NOTE(review): `all` is also one of Ansible's reserved tag names; confirm it
# is meant as an ordinary tag here.

# Start nftables now and enable it at boot.
- name: ensure nftables service is started and enabled
  ansible.builtin.systemd:
    name: nftables
    enabled: true
    state: started
  tags:
    - all
    - firewall

# Render the ruleset to /etc/nftables.conf.
# `validate` runs nft in check mode (-c) on the rendered file before it
# replaces dest, so a ruleset that fails the check is not installed.
# `backup` keeps a copy of the previous file.
- name: deploying nftables configuration
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    owner: root
    group: root
    # NOTE(review): 0755 leaves the ruleset world-readable and executable.
    # If nothing executes this file directly, a root-only mode would keep the
    # rules away from unprivileged local users; confirm before changing.
    mode: '0755'
    backup: true
    validate: 'nft -c -f %s'
  # Both handlers are defined outside this file.
  # NOTE(review): presumably fail2ban is restarted so it can re-add its bans
  # after the ruleset reload; verify against the handler definitions.
  notify:
    - reload nftables
    - restart fail2ban
  tags:
    - all
    - firewall

# Install fail2ban from apt, refreshing the package index first.
- name: ensure fail2ban is installed
  ansible.builtin.apt:
    name: fail2ban
    update_cache: true
    state: present
  tags:
    - all
    - firewall

# Start fail2ban now and enable it at boot.
- name: ensure fail2ban is enabled and running
  ansible.builtin.systemd:
    name: fail2ban
    enabled: true
    state: started
  tags:
    - all
    - firewall

# Render the sshd jail into fail2ban's jail.d drop-in directory.
# NOTE(review): there is no `validate` on this template, so a malformed jail
# file is only noticed when the `reload fail2ban` handler runs.
- name: deploying fail2ban ssh conf
  ansible.builtin.template:
    src: sshd.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload fail2ban
  tags:
    - all
    - firewall