The nftables support works easily and creates the table, chains, and sets on demand.
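[Service]
{# Only hardening keys are set here; no ExecStart/Type appear in this file, so it is
   presumably rendered as a drop-in that overrides the distribution's fail2ban.service
   (TODO confirm against the task that installs it). #}
{# ProtectSystem=strict and ReadWritePaths= both require a newer systemd. Evaluate the
   platform check once so the two conditionals below always agree and cannot drift apart. #}
{% set systemd_has_strict = (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
{% if systemd_has_strict %}
ProtectSystem=strict
{% else %}
{# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full
{% endif %}
NoNewPrivileges=yes
{% if systemd_has_strict %}
{# With ProtectSystem=strict everything outside /dev, /proc and /sys is read-only, so the
   state, socket and log locations must be opened up explicitly. The leading '-' marks
   each path optional: the unit still starts if the path does not exist at startup. #}
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log
{% else %}
{# Older systemd versions don't have ReadWritePaths; the older key is used on the
   /var/log directory rather than on the single log file. #}
ReadWriteDirectories=-/var/run/fail2ban
ReadWriteDirectories=-/var/lib/fail2ban
ReadWriteDirectories=-/var/log
{% endif %}
{# Restrict the capability bounding set to what fail2ban needs for reading logs and
   managing firewall rules; anything not listed here is unavailable to the service. #}
CapabilityBoundingSet=CAP_AUDIT_READ CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW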