Move systemd "Protect" options to override file

Rebase after Gentoo related commits

CHANGELOG.md

@@ -19,6 +19,7 @@
 * Ansible-lint: Fix line longer than 160 chars.
 * Start nftables systemd unit earlier (thanks to @kravietz − PR #19).
 * Ensure to disable nftables systemd unit from old target.
+* Move systemd "Protect" options for nftables to specific override.conf file.
 
 ## v1.7.0
 

defaults/main.yml

@@ -551,6 +551,16 @@ nft_service_unit_path: '/lib/systemd/system/nftables.service'
 # Template used to provide systemd unit for Nftables service.
 nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
                                                                    # ]]]
+# .. envvar:: nft__service_override_path [[[
+#
+# Path to store Nftables custom conf.
+nft__service_override_path: '/etc/systemd/system/nftables.service.d/override.conf'
+                                                                   # ]]]
+# .. envvar:: nft__service_override_content [[[
+#
+# Template used to provide systemd custom conf for Nftables service.
+nft__service_override_content: 'etc/systemd/system/nftables.service.d/override.conf.j2'
+                                                                   # ]]]
 # .. envvar:: nft__service_protect [[[
 #
 # If the systemd unit should have the Protect directives ? Possible options :

handlers/main.yml

@@ -6,7 +6,8 @@
   systemd:
     daemon_reload: '{{ (nftables__register_systemd_service.changed | default(False)) or
                        (nftables__register_fail2ban_service.changed | default(False)) or
-                       (nftables__register_fix_systemd_target.changed | default(False)) }}'
+                       (nftables__register_fix_systemd_target.changed | default(False)) or
+                       (nftables__register_systemd_custom.changed | default(False)) }}'
     state: 'restarted'
     name: '{{ nft_service_name }}'
     enabled: '{{ nft_service_enabled }}'

tasks/main.yml

@@ -196,6 +196,31 @@
          nft_service_manage|bool)
   notify: ['Restart nftables service']
 
+# Manage custom nftables service [[[1
+- name: Create Nftables custom directory for systemd service
+  file:
+    path: "{{ nft__service_override_path | dirname }}"
+    state: directory
+    recurse: yes
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - not nft__service_protect|bool
+
+- name: Add Nftables systemd custom configuration
+  template:
+    src: '{{ nft__service_override_content }}'
+    dest: '{{ nft__service_override_path }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: nftables__register_systemd_custom
+  when:
+    - nft_enabled|bool
+    - nft_service_manage|bool
+    - not nft__service_protect|bool
+  notify: ['Restart nftables service']
+
 # Manage custom fail2ban service [[[1
 - name: Create Fail2Ban custom directory for systemd service
   file:

templates/etc/systemd/system/nftables.service.d/override.conf.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+[Service]
+{% if not nft__service_protect %}
+ProtectSystem=no
+ProtectHome=no
+{% endif %}

templates/lib/systemd/system/nftables.service.j2

@@ -11,10 +11,8 @@ DefaultDependencies=no
 Type=oneshot
 RemainAfterExit=yes
 StandardInput=null
-{% if nft__service_protect %}
 ProtectSystem=full
 ProtectHome=true
-{% endif %}
 ExecStart={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecReload={{ nft__bin_location }} -f {{ nft_main_conf_path }}
 ExecStop={{ nft__bin_location }} flush ruleset