Allow to disable "Protect" in systemd unit
parent 7ace36ed6e
commit 83675dfe48
|
@ -1,3 +1,8 @@
|
|||
## v1.X
|
||||
|
||||
### Enhancements
|
||||
* Add a variable to disable "Protect" instructions in systemd unit.
|
||||
|
||||
## v1.4.1
|
||||
|
||||
### Fix
|
||||
|
|
|
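Review bot: the added changelog entry under "Enhancements" does not name the variable. Suggest writing `nft__service_protect` in the entry and stating that its default stays `true`, so readers upgrading see that existing deployments keep the "Protect" directives unless they opt out.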
@ -54,6 +54,7 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
|
|||
* **nft_service_manage** : If `nftables` service should be managed with this role [default : `true`].
|
||||
* **nft_service_name** : `nftables` service name [default : `nftables`].
|
||||
* **nft_service_enabled** : Set `nftables` service available at startup [default : `true`].
|
||||
* **nft__service_protect** : If systemd unit should protect system and home [default : `true`].
|
||||
* **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`].
|
||||
|
||||
### OS Specific Variables
|
||||
|
|
|
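Review bot: the added `nft__service_protect` line in the variable list does not say which directives the switch controls. Suggest naming them in the description, for example "If the systemd unit should set `ProtectSystem=full` and `ProtectHome=true`", so that someone setting it to `false` knows exactly which sandboxing is removed from the unit.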
@ -128,4 +128,5 @@ nft_service_name: 'nftables'
|
|||
nft_service_enabled: true
|
||||
nft_service_unit_path: '/lib/systemd/system/nftables.service'
|
||||
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
|
||||
nft__service_protect: true
|
||||
nft__fail2ban_service: False
|
||||
|
|
|
@ -8,8 +8,10 @@ Documentation=man:nft(8) http://wiki.nftables.org
|
|||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
StandardInput=null
|
||||
{% if nft__service_protect %}
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
{% endif %}
|
||||
{% if nft__fail2ban_service %}
|
||||
ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
|
||||
ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
|
||||
|
|
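Review bot: the added `{% if nft__service_protect %}` guard tests plain Jinja truthiness, so a string value such as "false" (which is what `-e nft__service_protect=false` passes on the command line) still evaluates as true and the directives stay in the unit. Suggest `{% if nft__service_protect | bool %}` so the switch behaves the same however the value is supplied. The one guard also removes `ProtectSystem=full` and `ProtectHome=true` together; if only one of them is the obstacle on a given host, separate switches would let the other stay in place.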