Allow to disable "Protect" in systemd unit

CHANGELOG.md

@@ -1,3 +1,8 @@
+## v1.X
+
+### Enhancements
+* Add a variable to disable "Protect" instructions in systemd unit.
+
 ## v1.4.1
 
 ### Fix

README.md

@@ -54,6 +54,7 @@ Highly inspired by [Mike Gleason firewall role][mikegleasonjr firewall github] (
 * **nft_service_manage** : If `nftables` service should be managed with this role [default : `true`].
 * **nft_service_name** : `nftables` service name [default : `nftables`].
 * **nft_service_enabled** : Set `nftables` service available at startup [default : `true`].
+* **nft__service_protect** : If systemd unit should protect system and home [default : `true`].
 * **nft__fail2ban_service** : If the Nftables service should also restart the Fail2ban service [default : `False`].
 
 ### OS Specific Variables

defaults/main.yml

@@ -128,4 +128,5 @@ nft_service_name: 'nftables'
 nft_service_enabled: true
 nft_service_unit_path: '/lib/systemd/system/nftables.service'
 nft_service_unit_content: 'lib/systemd/system/nftables.service.j2'
+nft__service_protect: true
 nft__fail2ban_service: False

templates/lib/systemd/system/nftables.service.j2

@@ -8,8 +8,10 @@ Documentation=man:nft(8) http://wiki.nftables.org
 Type=oneshot
 RemainAfterExit=yes
 StandardInput=null
+{% if nft__service_protect %}
 ProtectSystem=full
 ProtectHome=true
+{% endif %}
 {% if nft__fail2ban_service %}
 ExecStart=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service
 ExecReload=/usr/sbin/nft -f {{ nft_main_conf_path }} ; /bin/systemctl restart fail2ban.service