---

- name: prepare systemd override
  block:
    - name: create fail2ban.service.d directory
      file:
        path: /etc/systemd/system/fail2ban.service.d
        state: directory
        mode: '0755'

    - name: create fail2ban.service override
      template:
        src: systemd-override.j2
        dest: /etc/systemd/system/fail2ban.service.d/override.conf
      notify:
        - reload fail2ban unit
        - fail2ban restart
  when: fail2ban_dummy_logs

- name: create jail.local
  template:
    src: jail.j2
    dest: /etc/fail2ban/jail.local
    mode: 0644
  notify: fail2ban restart

- name: create iptables-multiport-fw.conf
  template:
    src: action_iptables-multiport-fw.j2
    dest: /etc/fail2ban/action.d/iptables-multiport-fw.conf
    mode: 0644
  notify: fail2ban restart

- name: deploy custom filters
  template:
    src: custom-filter.j2
    dest: "/etc/fail2ban/filter.d/{{ item.name }}.conf"
  with_items: "{{ fail2ban_filters }}"
  when: fail2ban_filters is defined
  notify: fail2ban restart

- name: adjust blocktype in iptables conf
  replace:
    path: "{{ '/etc/fail2ban/action.d/iptables-ipset.conf' if ansible_distribution_release == 'noble' else '/etc/fail2ban/action.d/iptables-common.conf' }}"
    regexp: '^blocktype =.+'
    replace: "blocktype = {{ fail2ban_blocktype }}"
  notify: fail2ban restart
  when: not ansible_check_mode

- name: create scripts directory
  file:
    dest: /usr/local/etc/scripts
    state: directory
  when: fail2ban_enable_ignorecommand

- name: create custom.fail2ban-check-ip.conf
  template:
    src: check-ip_conf.j2
    dest: /usr/local/etc/scripts/custom.fail2ban-check-ip.conf
    mode: 0644
  when: fail2ban_enable_ignorecommand and not ansible_check_mode

- name: create custom.fail2ban-check-ip
  template:
    src: fail2ban-check-ip.j2
    dest: /usr/local/sbin/custom.fail2ban-check-ip
    mode: 0744
  when: fail2ban_enable_ignorecommand

- name: adjust ignoreregex in recidive filter
  lineinfile:
    path: /etc/fail2ban/filter.d/recidive.conf
    regexp: '^ignoreregex'
    line: "ignoreregex = .*\\[({{ fail2ban_recidive_ignore_jails | join('|') }})\\].*"
  when: not ansible_check_mode and fail2ban_recidive_ignore_jails | length > 0

- name: ensure fail2ban service is enabled and started
  service:
    name: fail2ban
    enabled: true
    state: started