From 674f014be372842b607f033f5f680317dbaeb3ed Mon Sep 17 00:00:00 2001
From: Jose
Date: Tue, 24 Feb 2026 18:56:02 +0100
Subject: [PATCH] =?UTF-8?q?feat=20=E2=9C=A8:=20Add=20conditional=20executi?= =?UTF-8?q?on=20for=20reloading=20PVE=20firewall?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This commit introduces a new feature that allows conditional execution of the PVE firewall reload command based on certain conditions, enhancing flexibility and control over firewall management.
---
handlers/main.yml | 3 ++-
tasks/fail2ban.yml | 5 +++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 1301d56..600b186 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -35,8 +35,9 @@ - name: Restart fail2ban ansible.builtin.systemd: name: fail2ban - state: restarted + state: reloaded - name: Reload pve firewall ansible.builtin.command: pve-firewall reload + when: fw_compile_check.rc == 0 changed_when: false
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
index f5db94a..f914566 100644
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -148,6 +148,11 @@ changed_when: false when: cluster_status.stat.exists +- name: Validate Proxmox firewall configuration + ansible.builtin.command: pve-firewall compile + register: fw_compile_check + changed_when: false + # Then automatically whitelist it in Fail2Ban: # ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}
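Review bot: The new `when: fw_compile_check.rc == 0` on the `Reload pve firewall` handler in handlers/main.yml reads a variable that only carries an `rc` if the validation task in tasks/fail2ban.yml actually executed on that host. If that task is skipped or never included (a `--tags` run, or `--check`, where a command task normally returns no `rc`), the handler stops with an undefined-attribute error instead of making a decision about the reload. A guard such as `when: fw_compile_check is defined and (fw_compile_check.rc | default(1)) == 0` skips the reload in those cases rather than erroring. Separately, the first handler is still named `Restart fail2ban` although it now uses `state: reloaded`, and the commit message does not mention that change; either rename the handler together with its `notify` references or add a short comment saying why a reload is sufficient.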
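Review bot: The added `Validate Proxmox firewall configuration` task in tasks/fail2ban.yml has no `failed_when`, so a non-zero exit from `pve-firewall compile` fails the task and, by default, ends the play for that host before any handler runs; the `rc == 0` guard in handlers/main.yml can therefore never evaluate to false. If the intent is to continue and only skip the reload, add `failed_when: false` plus a follow-up task that reports `fw_compile_check.stderr`, so a rejected ruleset is not silently left unapplied; if aborting is the intent, the handler guard is redundant. Because the command only compiles and prints the rules, `check_mode: false` would let it run under `--check` as well. It is also worth confirming that `pve-firewall compile` really exits non-zero on an invalid configuration rather than only printing warnings, since the whole check rests on that exit code. The task is inserted between what appears to be the corosync lookup and the `# Then automatically whitelist it in Fail2Ban` comment that follows it, so moving it below that comment block would keep the comment next to the task it describes.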