feat ✨: Add IPSET registration and conditional validation for Proxmox firewall configuration
This commit introduces new features to register IPSETs and update firewall reload notifications. It also conditionally validates Proxmox firewall configurations based on changes, enhancing the robustness of the system.
@@ -124,6 +124,7 @@
|
|||||||
[IPSET {{ f2b_ipset_name }}]
|
[IPSET {{ f2b_ipset_name }}]
|
||||||
comment: Fail2Ban dynamic blacklist
|
comment: Fail2Ban dynamic blacklist
|
||||||
create: false
|
create: false
|
||||||
|
register: ipset_change
|
||||||
notify: Reload pve firewall
|
notify: Reload pve firewall
|
||||||
# noqa risky-file-permissions
|
# noqa risky-file-permissions
|
||||||
|
|
||||||
@@ -135,6 +136,7 @@
|
|||||||
block: |
|
block: |
|
||||||
IN DROP -source +{{ f2b_ipset_name }}
|
IN DROP -source +{{ f2b_ipset_name }}
|
||||||
create: false
|
create: false
|
||||||
|
register: rule_change
|
||||||
notify: Reload pve firewall
|
notify: Reload pve firewall
|
||||||
# noqa risky-file-permissions
|
# noqa risky-file-permissions
|
||||||
|
|
||||||
@@ -150,8 +152,10 @@
|
|||||||
|
|
||||||
- name: fail2ban | Validate Proxmox firewall configuration
|
- name: fail2ban | Validate Proxmox firewall configuration
|
||||||
ansible.builtin.command: pve-firewall compile
|
ansible.builtin.command: pve-firewall compile
|
||||||
register: fw_compile_check
|
when: ipset_change.changed or rule_change.changed
|
||||||
changed_when: false
|
changed_when: false
|
||||||
|
failed_when: fw_compile_check.rc != 0
|
||||||
|
register: fw_compile_check
|
||||||
|
|
||||||
# Then automatically whitelist it in Fail2Ban:
|
# Then automatically whitelist it in Fail2Ban:
|
||||||
# ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}
|
# ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}
|
||||||
|
|||||||
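Review bot: Gating the `pve-firewall compile` check on `when: ipset_change.changed or rule_change.changed` means a run in which the ipset and rule files are already in place never re-validates the firewall configuration, so a configuration that failed to compile on an earlier run (the play stops at this task, but the files written before it remain) is accepted silently on the next run and the reload handler is not re-notified. The compile is read-only (`changed_when: false`), so running it unconditionally costs little; if the gate is kept, a comment above the `when:` such as `# Only re-check when this role changed the ipset or rule files` would make the assumption explicit. `failed_when: fw_compile_check.rc != 0` restates the default failure behaviour of `ansible.builtin.command` and can be dropped or given a one-line comment on why it is spelled out. The `is changed` test form, `when: ipset_change is changed or rule_change is changed`, is the more idiomatic spelling of the same condition. The tasks that register `ipset_change` and `rule_change` start outside the first two hunks.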