From 83675dfe48a19b8c3669bd78550f13b38044fab1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gardais=20J=C3=A9r=C3=A9my?=
Date: Fri, 15 Mar 2019 11:13:26 +0100
Subject: [PATCH] Allow to disable "Protect" in systemd unit

---
 CHANGELOG.md | 5 +++++
 README.md | 1 +
 defaults/main.yml | 1 +
 templates/lib/systemd/system/nftables.service.j2 | 2 ++
 4 files changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a068f47..e2a0184 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+## v1.X
+
+### Enhancements
+* Add a variable to disable "Protect" instructions in systemd unit.
+
 ## v1.4.1
 
 ### Fix
diff --git a/README.md b/README.md
index 16e3b94..975fefe 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,7 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_service_manage** : If `nftables` service should be managed with this role [default : `true`].
 * **nft_service_name** : `nftables` service name [default : `nftables`].
 * **nft_service_enabled** : Set `nftables` service available at startup [default : `true`].
+* **nft__service_protect** : If systemd unit should protect system and home [default : `true`].
 * **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`].
 
 ### OS Specific Variables
diff --git a/defaults/main.yml b/defaults/main.yml
index 4659238..70ebc14 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -128,4 +128,5 @@ nft_service_name: 'nftables'
 nft_service_enabled: true
 nft_service_unit_path: '/lib/systemd/system/nftables.service'
 nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
+nft__service_protect: true
 nft__fail2ban_service: False
diff --git a/templates/lib/systemd/system/nftables.service.j2 b/templates/lib/systemd/system/nftables.service.j2
index ce79e61..3bc973d 100644
--- a/templates/lib/systemd/system/nftables.service.j2
+++ b/templates/lib/systemd/system/nftables.service.j2
@@ -8,8 +8,10 @@ Documentation=man:nft(8) http://wiki.nftables.org
 Type=oneshot
 RemainAfterExit=yes
 StandardInput=null
+{% if nft__service_protect %}
 ProtectSystem=full
 ProtectHome=true
+{% endif %}
 {% if nft__fail2ban_service %}
 ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
 ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
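Review bot: `{% if nft__service_protect %}` relies on plain Jinja truthiness, so a value supplied as the string `"false"` (as often happens via inventory or `-e` overrides) is truthy and keeps the Protect lines, while an empty string is falsy and silently drops the hardening; `{% if nft__service_protect | bool %}` evaluates the variable as the boolean the README documents (the pre-existing `{% if nft__fail2ban_service %}` line has the same weakness). When the variable is false, the rendered unit carries no trace that `ProtectSystem=full` and `ProtectHome=true` were deliberately omitted, so an `{% else %}` branch emitting `# nft__service_protect=false: ProtectSystem/ProtectHome intentionally omitted` would make the weakened sandbox visible to anyone auditing the installed unit. The section these directives belong to starts above the hunk, so the first seven lines of the template are not visible here.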