2019-10-26 16:36:07 +02:00
|
|
|
[Service]
|
|
|
|
PrivateDevices=yes
|
|
|
|
PrivateTmp=yes
|
|
|
|
ProtectHome=read-only
|
2020-04-25 13:22:46 +02:00
|
|
|
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
|
2019-10-26 16:36:07 +02:00
|
|
|
ProtectSystem=strict
|
|
|
|
{% else %}
|
|
|
|
{# Older systemd versions don't have ProtectSystem=strict #}
|
|
|
|
ProtectSystem=full
|
|
|
|
{% endif %}
|
|
|
|
NoNewPrivileges=yes
|
2020-04-25 13:22:46 +02:00
|
|
|
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
|
2019-10-26 16:36:07 +02:00
|
|
|
ReadWritePaths=-/var/run/fail2ban
|
|
|
|
ReadWritePaths=-/var/lib/fail2ban
|
|
|
|
ReadWritePaths=-/var/log/fail2ban.log
|
|
|
|
{% else %}
|
|
|
|
{# Older systemd versions don't have ReadWritePaths #}
|
|
|
|
ReadWriteDirectories=-/var/run/fail2ban
|
|
|
|
ReadWriteDirectories=-/var/lib/fail2ban
|
|
|
|
ReadWriteDirectories=-/var/log
|
|
|
|
{% endif %}
|
|
|
|
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
|