From 1a5e044ebb6ae10e779ea49ead3ea1508962c271 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 30 Jul 2021 13:05:34 +0200
Subject: [PATCH] Move systemd "Protect" options to override file

Rebase after Gentoo related commits
---
 CHANGELOG.md                                       |  1 +
 defaults/main.yml                                  | 10 ++++++++
 handlers/main.yml                                  |  3 ++-
 tasks/main.yml                                     | 25 +++++++++++++++++++
 .../nftables.service.d/override.conf.j2            |  7 ++++++
 .../lib/systemd/system/nftables.service.j2         |  2 --
 6 files changed, 45 insertions(+), 3 deletions(-)
 create mode 100644 templates/etc/systemd/system/nftables.service.d/override.conf.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 84d189e..5300aa4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@
 * Ansible-lint: Fix line longer than 160 chars.
 * Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
 * Ensure to disable nftables systemd unit from old target.
+* Move systemd "Protect" options for nftables to specific override.conf file.
 
 ## v1.7.0
 
diff --git a/defaults/main.yml b/defaults/main.yml
index d721746..9891ebc 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -551,6 +551,16 @@ nft_service_unit_path: '/lib/systemd/system/nftables.service'
 # Template used to provide systemd unit for Nftables service.
 nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
                                                                    # ]]]
+# .. envvar:: nft__service_override_path [[[
+#
+# Path to store Nftables custom conf.
+nft__service_override_path: '/etc/systemd/system/nftables.service.d/override.conf'
+                                                                   # ]]]
+# .. envvar:: nft__service_override_content [[[
+#
+# Template used to provide systemd custom conf for Nftables service.
+nft__service_override_content: 'etc/systemd/system/nftables.service.d/override.conf.j2'
+                                                                   # ]]]
 # .. envvar:: nft__service_protect [[[
 #
 # If the systemd unit should have the Protect directives ? Possible options :
diff --git a/handlers/main.yml b/handlers/main.yml
index 6d6e9cb..764dbae 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
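Review bot: The comment on the new `nft__service_override_path` variable, "Path to store Nftables custom conf.", does not tell the reader what the drop-in does or when it exists, and this file is precisely the thing that switches the unit's sandboxing off. I would replace it with `# systemd drop-in that relaxes the nftables unit's ProtectSystem/ProtectHome hardening; only rendered when nft__service_protect is false.` and describe `nft__service_override_content` as the template behind that drop-in rather than a generic "custom conf". The directory segment `nftables.service.d` is hard-coded rather than derived from `nft_service_name`, so the drop-in presumably stops applying if the service name is changed; if that is intended, a sentence saying the path must match the unit name would save someone a confusing debugging session.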
@@ -6,7 +6,8 @@
   systemd:
     daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
                        (nftables__register_fail2ban_service.changed | default(False)) or
-                       (nftables__register_fix_systemd_target.changed | default(False)) }}'
+                       (nftables__register_fix_systemd_target.changed | default(False)) or
+                       (nftables__register_systemd_custom.changed | default(False)) }}'
     state: 'restarted'
     name: '{{ nft_service_name }}'
     enabled: '{{ nft_service_enabled }}'
diff --git a/tasks/main.yml b/tasks/main.yml
index f7b7fe9..0d06dd9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -196,6 +196,31 @@
            nft_service_manage|bool)
   notify: ['Restart nftables service']
 
+# Manage custom nftables service [[[1
+- name: Create Nftables custom directory for systemd service
+  file:
+    path: "{{ nft__service_override_path | dirname }}"
+    state: directory
+    recurse: yes
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - not nft__service_protect|bool
+
+- name: Add Nftables systemd custom configuration
+  template:
+    src: '{{ nft__service_override_content }}'
+    dest: '{{ nft__service_override_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: nftables__register_systemd_custom
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - not nft__service_protect|bool
+  notify: ['Restart nftables service']
+
 # Manage custom fail2ban service [[[1
 - name: Create Fail2Ban custom directory for systemd service
   file:
diff --git a/templates/etc/systemd/system/nftables.service.d/override.conf.j2 b/templates/etc/systemd/system/nftables.service.d/override.conf.j2
new file mode 100644
index 0000000..0ee48c1
--- /dev/null
+++ b/templates/etc/systemd/system/nftables.service.d/override.conf.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Service]
+{% if not nft__service_protect %}
+ProtectSystem=no
+ProtectHome=no
+{% endif %}
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index 433da76..7909452 100644
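Review bot: The override is never removed once `nft__service_protect` is switched back to true, so a host that ever ran with hardening disabled keeps `ProtectSystem=no` / `ProtectHome=no` in `/etc/systemd/system/nftables.service.d/override.conf`, and that drop-in silently wins over the `ProtectSystem=full` the unit template now sets unconditionally. The simplest fix is to drop `- not nft__service_protect|bool` from both `when:` lists in the "Manage custom nftables service" block: the template already guards its body with `{% if not nft__service_protect %}`, so on a hardened host the file degrades to a bare `[Service]` header and any stale `no` values are overwritten and the restart handler is notified through `nftables__register_systemd_custom`. If the directory is meant to stay absent on hardened hosts, the alternative is a `file: state: absent` task on `nft__service_override_path` under `nft__service_protect|bool` that also notifies the restart handler. Separately, `recurse: yes` on the directory task has no effect without `owner`/`group`/`mode` and the role's linter prefers `true`, so `recurse: true` or simply dropping the key is cleaner. The context line `nft_service_manage|bool)` at the top of the hunk belongs to a task that starts outside it; the two added tasks are complete.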
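Review bot: The rendered drop-in gives an operator reading `/etc/systemd/system/nftables.service.d/override.conf` no hint why the unit's sandbox is being lifted, which is the kind of file a hardening audit flags first. I would add, under the `{{ ansible_managed }}` line, `# Rendered because nft__service_protect is false: lifts the ProtectSystem=full / ProtectHome=true sandbox set in the nftables unit, so nft runs with /usr, /boot, /etc and /home writable again (see systemd.exec(5)).` Note that with the `{% if %}` guard the file renders as an empty `[Service]` section when protect is true; that is harmless for systemd and is what makes rendering the template unconditionally a safe way to clear a stale override, so I would keep the guard rather than rely only on the task's `when:`.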
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -11,10 +11,8 @@ DefaultDependencies=no
 Type=oneshot
 RemainAfterExit=yes
 StandardInput=null
-{% if nft__service_protect %}
 ProtectSystem=full
 ProtectHome=true
-{% endif %}
 ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecStop={{ nft__bin_location }} flush ruleset
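Review bot: Now that `ProtectSystem=full` and `ProtectHome=true` are emitted unconditionally, someone reading the rendered unit in `/lib/systemd/system/nftables.service` will believe the service is sandboxed even on hosts where the drop-in has turned both off, because nothing in this file mentions that an override exists. I would add a comment directly above `ProtectSystem=full`: `# Hardening below can be overridden to "no" by the drop-in in /etc/systemd/system/nftables.service.d/ when nft__service_protect is false; do not edit here.` That keeps the unit template free of Jinja branching, as this commit intends, while still pointing the reader at the only place the effective values can change.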