---

- name: Ensure nftables service is started and enabled
  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true
  tags: all,firewall

- name: Deploying nftables configuration
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    owner: root
    group: root
    mode: "0755"
    backup: true
    validate: "nft -c -f %s"
  notify:
    - Reload nftables
    - Restart fail2ban
  tags: all,firewall

- name: Ensure fail2ban is installed
  ansible.builtin.apt:
    name: fail2ban
    state: present
    update_cache: true
  tags: all,firewall

- name: Ensure fail2ban is enabled and running
  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true
  tags: all,firewall

- name: Deploying fail2ban ssh conf
  ansible.builtin.template:
    src: sshd.conf.j2
    dest: /etc/fail2ban/jail.d/sshd.conf
    owner: root
    group: root
    mode: "0644"
  notify: reload fail2ban
  tags: all,firewall