From 79e14e7120817f85b6f6916db125e72aba507f3e Mon Sep 17 00:00:00 2001
From: Jose
Date: Tue, 24 Feb 2026 19:02:24 +0100
Subject: [PATCH] =?UTF-8?q?feat=20=E2=9C=A8:=20Add=20IPSET=20registration?=
 =?UTF-8?q?=20and=20conditional=20validation=20for=20Proxmox=20firewall=20?=
 =?UTF-8?q?configuration?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit introduces new features to register IPSETs and update firewall reload notifications. It also conditionally validates Proxmox firewall configurations based on changes, enhancing the robustness of the system.
---
 tasks/fail2ban.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
index e0ce04e..e832288 100644
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -124,6 +124,7 @@
 [IPSET {{ f2b_ipset_name }}]
 comment: Fail2Ban dynamic blacklist
 create: false
+ register: ipset_change
 notify: Reload pve firewall
 # noqa risky-file-permissions
@@ -135,6 +136,7 @@
 block: |
 IN DROP -source +{{ f2b_ipset_name }}
 create: false
+ register: rule_change
 notify: Reload pve firewall
 # noqa risky-file-permissions
@@ -150,8 +152,10 @@
 - name: fail2ban | Validate Proxmox firewall configuration
 ansible.builtin.command: pve-firewall compile
- register: fw_compile_check
+ when: ipset_change.changed or rule_change.changed
 changed_when: false
+ failed_when: fw_compile_check.rc != 0
+ register: fw_compile_check
 # Then automatically whitelist it in Fail2Ban:
 # ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}
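Review bot: The new `when: ipset_change.changed or rule_change.changed` guard in the third hunk skips validation in the case a re-run needs it most: if an earlier run wrote the IPSET or rule block and then failed at this compile step, the next run sees both blockinfile tasks as unchanged and never re-runs `pve-firewall compile`, so the already-written but invalid config goes unchecked, whereas the old side of this hunk (register only, no `when`) validated on every run. Because the compile is a read-only check, the safer choice is to keep the task unconditional; if the guard stays, the idiomatic form is `when: ipset_change is changed or rule_change is changed`, and ansible-lint's no-handler rule may flag the `.changed` spelling. The added `failed_when: fw_compile_check.rc != 0` only restates what `ansible.builtin.command` already does on a non-zero exit, so either drop it or precede it with a comment such as `# explicit so a later changed_when/failed_when edit cannot silence compile errors`. The task list this hunk belongs to continues outside the hunk.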