From 870bdbfcc3595afb19e8862bc62b0ca8c46e1dc2 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 25 Apr 2020 14:22:46 +0300
Subject: [PATCH] roles/common: Harden fail2ban service on Ubuntu 20.04

---
 .../etc/systemd/system/fail2ban.service.d/override.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
index b08d5a8..268bd48 100644
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -2,14 +2,14 @@
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','==') %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','==') %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log
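Review bot: The Ubuntu-release test that now reads `version('18','>=')` is written out twice, once around `ProtectSystem=strict` and once around the `ReadWritePaths=` lines, and the two only work as a pair: strict without the writable paths would leave fail2ban unable to write under `/var/run/fail2ban`, `/var/lib/fail2ban` and to its log, so a later edit that touches one condition and misses the other breaks the service. Consider computing it once, `{% set protect_strict = ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}`, and using `{% if protect_strict %}` in both places. The release number is also standing in for a systemd capability, so any non-Ubuntu host this role manages (not visible from the hunk) still gets the weaker `ProtectSystem=full` whatever its systemd version; a short `{# #}` comment next to the condition saying so would help. The second `{% if %}` block continues past the end of the hunk.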