ansible-personal/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
Alan Orth 14814aa5d9
roles/common: Wire up fail2ban
The nftables support works easily and creates the table, chains, and
sets on demand.
2021-07-26 22:07:31 +03:00


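{# systemd drop-in for fail2ban.service, rendered by Ansible (roles/common). #}
{# ProtectSystem=strict and ReadWritePaths= only exist on newer systemd, so the #}
{# two version-gated blocks below share one test; evaluate it once here rather #}
{# than repeating the expression (the rendered unit is unchanged). #}
{# NOTE(review): the Debian >= 11 cut-off looks conservative -- buster's systemd #}
{# probably already has both directives; confirm on a buster host before widening. #}
{% set modern_systemd = (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
[Service]
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
{% if modern_systemd %}
ProtectSystem=strict
{% else %}
{# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full
{% endif %}
NoNewPrivileges=yes
{% if modern_systemd %}
{# Under ProtectSystem=strict the whole filesystem is read-only except what is #}
{# listed here. The leading "-" makes systemd skip a path that is missing at #}
{# start-up instead of failing; for /var/log/fail2ban.log that means a fresh host #}
{# with no log file yet leaves /var/log read-only and fail2ban cannot create it, #}
{# so the file must exist before the first start (the legacy branch below opens #}
{# the whole /var/log directory instead). Verify on a clean install. #}
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log
{% else %}
{# Older systemd versions don't have ReadWritePaths #}
ReadWriteDirectories=-/var/run/fail2ban
ReadWriteDirectories=-/var/lib/fail2ban
ReadWriteDirectories=-/var/log
{% endif %}
{# Every capability not listed is dropped: CAP_NET_ADMIN/CAP_NET_RAW cover the #}
{# firewall (nftables) manipulation, CAP_DAC_READ_SEARCH lets the daemon read #}
{# logs regardless of their owner, CAP_AUDIT_READ the audit log. Extend this #}
{# list only if a ban action demonstrably needs more. #}
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW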