refactor ♻️: Refactor fail2ban tasks for better IPSet management

This refactoring removes redundant 'blockinfile' and 'reload' commands in fail2ban tasks, ensuring that IPSet and drop rules are correctly placed. A new handler has been added to reload the PVE firewall after a fail2ban restart.

tasks/fail2ban.yml

@@ -115,29 +115,28 @@
 # Create Proxmox firewall IPSet
 #################################################
 
-- name: fail2ban | Add Fail2Ban IPSet to cluster firewall
+- name: fail2ban | Add Fail2Ban IPSet to firewall
   ansible.builtin.blockinfile:
     path: "{{ pve_firewall_config }}"
     marker: "# {mark} ANSIBLE FAIL2BAN IPSET"
+    insertbefore: BOF
     block: |
       [IPSET {{ f2b_ipset_name }}]
       comment: Fail2Ban dynamic blacklist
-    create: true
+    create: false
+  notify: Reload pve firewall
   # noqa risky-file-permissions
 
-- name: fail2ban | Ensure RULES section exists
-  ansible.builtin.blockinfile:
-    path: "{{ pve_firewall_config }}"
-    marker: "# {mark} ANSIBLE RULES HEADER"
-    block: |
-      [RULES]
-
 - name: fail2ban | Add drop rule for Fail2Ban IPSet
   ansible.builtin.blockinfile:
     path: "{{ pve_firewall_config }}"
     marker: "# {mark} ANSIBLE FAIL2BAN RULE"
+    insertafter: '^\[RULES\]'
     block: |
       IN DROP -source +{{ f2b_ipset_name }}
+    create: false
+  notify: Reload pve firewall
+  # noqa risky-file-permissions
 
 - name: fail2ban | Extract corosync ring0 address
   ansible.builtin.shell: |
@@ -251,12 +250,6 @@
     enabled: true
     state: started
 
-- name: fail2ban | Reload Proxmox firewall
-  ansible.builtin.command: pve-firewall reload
-  when: fw_stat.changed or
-        "'ANSIBLE FAIL2BAN' in fw_content.content | default('')"
-  changed_when: false
-
 #################################################
 # List banned IPs cluster-wide
 #################################################