Allow disabling "Protect" in systemd unit

This commit is contained in:
Jeremy Gardais 2019-03-15 11:13:26 +01:00
parent 7ace36ed6e
commit 83675dfe48
Signed by: jegardai
GPG Key ID: E759BAA22501AF32
4 changed files with 9 additions and 0 deletions


@ -1,3 +1,8 @@
## v1.X
### Enhancements
* Add a variable to disable "Protect" instructions in systemd unit.
## v1.4.1
### Fix
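Review bot: The new entry under `## v1.X` should name the variable it introduces (`nft__service_protect`), since "Add a variable" alone does not tell a reader what to set; suggest `* Add a variable (\`nft__service_protect\`) to disable "Protect" instructions in systemd unit.` The `v1.X` placeholder also needs the real version number before release, otherwise the entry cannot be matched to a tag.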


@ -54,6 +54,7 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
* **nft_service_manage**: If `nftables` service should be managed with this role [default: `true`].
* **nft_service_name**: `nftables` service name [default: `nftables`].
* **nft_service_enabled**: Set `nftables` service available at startup [default: `true`].
* **nft__service_protect**: If systemd unit should protect system and home [default: `true`].
* **nft__fail2ban_service**: If the Nftables service should also restart the Fail2ban service [default: `False`].
### OS Specific Variables
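Review bot: The new `nft__service_protect` line uses a double underscore while the neighbouring service variables (`nft_service_manage`, `nft_service_name`, `nft_service_enabled`) use a single one; the file now documents two conventions side by side, and a user who types `nft_service_protect` gets a silently undefined variable rather than an error, so either align the name or call out the difference explicitly. The description "protect system and home" would also be more useful if it named the directives the switch controls (`ProtectSystem=full` and `ProtectHome=true`) and what disabling them gives up: with the default, the unit runs with /usr, /boot and /etc read-only and /home and /root hidden, and the only legitimate reason to set it to `false` is a ruleset or helper that has to live under one of those paths.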


@ -128,4 +128,5 @@ nft_service_name: 'nftables'
nft_service_enabled: true
nft_service_unit_path: '/lib/systemd/system/nftables.service'
nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
nft__service_protect: true
nft__fail2ban_service: False
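Review bot: `nft__service_protect: true` sits directly above `nft__fail2ban_service: False`; both parse as YAML booleans, but mixing the two spellings in one defaults file invites copy-paste slips such as the quoted string `'False'`, which is not a boolean at all. Pick one spelling (`true`/`false` is the common Ansible style) for the whole file.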


@ -8,8 +8,10 @@ Documentation=man:nft(8) http://wiki.nftables.org
Type=oneshot
RemainAfterExit=yes
StandardInput=null
{% if nft__service_protect %}
ProtectSystem=full
ProtectHome=true
{% endif %}
{% if nft__fail2ban_service %}
ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
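Review bot: `{% if nft__service_protect %}` tests raw Jinja truthiness, so a value supplied as a string (for example `-e nft__service_protect=false` on the ansible-playbook command line) is a non-empty string, evaluates as true, and the two Protect lines stay in the unit while the operator believes they were removed. Use `{% if nft__service_protect | bool %}` (and the same for the existing `{% if nft__fail2ban_service %}` test just below it) so string and boolean inputs behave alike. A short comment in the template would also help the next maintainer: with `ProtectHome=true` the service sees /home and /root as empty, so if `nft_main_conf_path` ever points under those directories the `ExecStart` line `/usr/sbin/nft -f {{ nft_main_conf_path }}` fails with a missing-file error rather than a permission error, which is exactly the situation this switch exists to handle.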