From 80b3b82bf6f5230d751b7a1ad592ad9df1fcf82c Mon Sep 17 00:00:00 2001
From: Jose
Date: Tue, 24 Feb 2026 18:46:12 +0100
Subject: [PATCH] =?UTF-8?q?refactor=20=E2=99=BB=EF=B8=8F:=20Refactor=20fai?=
 =?UTF-8?q?l2ban=20tasks=20for=20better=20IPSet=20management?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This refactoring removes redundant 'blockinfile' and 'reload' commands in fail2ban tasks, ensuring that IPSet and drop rules are correctly placed. A new handler has been added to reload the PVE firewall after a fail2ban restart.
---
 handlers/main.yml | 4 ++++
 tasks/fail2ban.yml | 23 ++++++++---------------
 2 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 1aaed43..53f8d89 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -36,3 +36,7 @@
 ansible.builtin.systemd:
 name: fail2ban
 state: restarted
+
+- name: Reload pve firewall
+ ansible.builtin.command: pve-firewall reload
+ changed_when: false
\ No newline at end of file
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
index a5f2fd5..f5db94a 100644
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
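Review bot: The new handler reports the reload as a no-op through `changed_when: false`, which hides from the play recap that the firewall rule set was actually re-applied; a handler only runs when a task notified it, so the default changed status is the honest one and that line can simply be dropped. The file also now ends without a trailing newline (`\ No newline at end of file`). Whether `pve-firewall reload` exits non-zero when the configuration it is handed fails to parse is not visible here; if it does not, a malformed block written by one of the notifying tasks would be accepted silently, so consider running `pve-firewall compile` (which, as far as I recall, fails on an unparsable config) as a preceding step in the handler.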
@@ -115,29 +115,28 @@
 # Create Proxmox firewall IPSet
 #################################################
-- name: fail2ban | Add Fail2Ban IPSet to cluster firewall
+- name: fail2ban | Add Fail2Ban IPSet to firewall
 ansible.builtin.blockinfile:
 path: "{{ pve_firewall_config }}"
 marker: "# {mark} ANSIBLE FAIL2BAN IPSET"
+ insertbefore: BOF
 block: |
 [IPSET {{ f2b_ipset_name }}]
 comment: Fail2Ban dynamic blacklist
- create: true
+ create: false
+ notify: Reload pve firewall
 # noqa risky-file-permissions
-- name: fail2ban | Ensure RULES section exists
- ansible.builtin.blockinfile:
- path: "{{ pve_firewall_config }}"
- marker: "# {mark} ANSIBLE RULES HEADER"
- block: |
- [RULES]
-
 - name: fail2ban | Add drop rule for Fail2Ban IPSet
 ansible.builtin.blockinfile:
 path: "{{ pve_firewall_config }}"
 marker: "# {mark} ANSIBLE FAIL2BAN RULE"
+ insertafter: '^\[RULES\]'
 block: |
 IN DROP -source +{{ f2b_ipset_name }}
+ create: false
+ notify: Reload pve firewall
+ # noqa risky-file-permissions
 - name: fail2ban | Extract corosync ring0 address
 ansible.builtin.shell: |
@@ -251,12 +250,6 @@
 enabled: true
 state: started
-- name: fail2ban | Reload Proxmox firewall
- ansible.builtin.command: pve-firewall reload
- when: fw_stat.changed or
- "'ANSIBLE FAIL2BAN' in fw_content.content | default('')"
- changed_when: false
-
 #################################################
 # List banned IPs cluster-wide
 #################################################
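Review bot: The drop rule now depends on a `[RULES]` header already existing in `{{ pve_firewall_config }}`, but the task that guaranteed one is removed in this same hunk and blockinfile's `insertafter: '^\[RULES\]'` falls back to end-of-file when the pattern matches nothing, so on a host without a `[RULES]` section the `IN DROP -source +{{ f2b_ipset_name }}` line lands after whatever section happens to be last — most likely ignored or misparsed there, and fail2ban bans then have no effect while the play reports success. A marker-free `ansible.builtin.lineinfile` with `regexp: '^\[RULES\]'` and `line: "[RULES]"` placed before the blockinfile task restores the guarantee idempotently without the marker-comment header the removed blockinfile variant left behind. Independently, the reload is now driven only by `notify` from these two tasks; the reload task deleted in the second hunk also fired on `fw_stat.changed`, so any earlier task that writes this file (not visible here) should notify `Reload pve firewall` as well, or the running firewall keeps the stale rule set.
```yaml
- name: fail2ban | Ensure RULES section exists
  ansible.builtin.lineinfile:
    path: "{{ pve_firewall_config }}"
    regexp: '^\[RULES\]'
    line: "[RULES]"
  # noqa risky-file-permissions

# … unchanged: fail2ban | Add drop rule for Fail2Ban IPSet (its insertafter now always matches) …
```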