tasks/fail2ban.yml

@@ -124,6 +124,7 @@
       [IPSET {{ f2b_ipset_name }}]
       comment: Fail2Ban dynamic blacklist
     create: false
+    register: ipset_change
   notify: Reload pve firewall
   # noqa risky-file-permissions
 
@@ -135,6 +136,7 @@
     block: |
       IN DROP -source +{{ f2b_ipset_name }}
     create: false
+    register: rule_change
   notify: Reload pve firewall
   # noqa risky-file-permissions
 
@@ -150,8 +152,10 @@
 
 - name: fail2ban | Validate Proxmox firewall configuration
   ansible.builtin.command: pve-firewall compile
-  register: fw_compile_check
+  when: ipset_change.changed or rule_change.changed
   changed_when: false
+  failed_when: fw_compile_check.rc != 0
+  register: fw_compile_check
 
 # Then automatically whitelist it in Fail2Ban:
 # ignoreip = 127.0.0.1/8 {{ corosync_ip.stdout }}