ansible-personal/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service

[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ProtectSystem=strict
{% else %}
{# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full
{% endif %}
NoNewPrivileges=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log
{% else %}
{# Older systemd versions don't have ReadWritePaths #}
ReadWriteDirectories=-/var/run/fail2ban
ReadWriteDirectories=-/var/lib/fail2ban
ReadWriteDirectories=-/var/log
{% endif %}
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW