---
# Task list: install fail2ban and nftables, create the fail2ban config
# directories, render the two local override files, and make sure both
# services are enabled and running. Every task escalates with become.

# python3-systemd is presumably pulled in so fail2ban can read the systemd
# journal; confirm against the backend configured in jail.local.j2.
- name: install fail2ban + deps
  become: true
  ansible.builtin.apt:
    update_cache: true
    state: present
    name:
      - fail2ban
      - python3
      - python3-systemd
      - nftables

# Enabled at boot and started now.
# NOTE(review): no task in this file manages the nftables ruleset itself;
# confirm the ruleset the unit loads is controlled elsewhere.
- name: enable & start nftables
  become: true
  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true

# root:root with mode 0755, so only root can add or change jails and
# filters while other users can still read them.
- name: ensure fail2ban directories exist
  become: true
  loop:
    - /etc/fail2ban
    - /etc/fail2ban/jail.d
    - /etc/fail2ban/filter.d
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
    owner: root
    group: root

# Both rendered files below are world-readable (0644).
# NOTE(review): keep credentials out of the templates, or tighten the mode
# if an action ever needs a secret.
# The notified handler is defined outside this file; presumably it checks
# the configuration before restarting - confirm in the handlers file.
- name: deploy /etc/fail2ban/fail2ban.local
  become: true
  notify: validate and restart fail2ban
  ansible.builtin.template:
    src: fail2ban.local.j2
    dest: /etc/fail2ban/fail2ban.local
    mode: "0644"
    owner: root
    group: root

- name: deploy /etc/fail2ban/jail.local
  become: true
  notify: validate and restart fail2ban
  ansible.builtin.template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    mode: "0644"
    owner: root
    group: root

# Notified handlers normally run at the end of the play, i.e. after this
# task, so the restart that applies freshly rendered templates comes later.
- name: ensure fail2ban enabled and started
  become: true
  ansible.builtin.systemd:
    name: fail2ban
    state: started
    enabled: true