From 4242ce0c959a68c2bde88eea742fc8920ebd4f87 Mon Sep 17 00:00:00 2001 From: Sebastian Tobie Date: Thu, 23 Nov 2023 19:08:51 +0100 Subject: [PATCH] added more keys --- plugins/modules/network.py | 22 ++++++ plugins/modules/system_service.py | 124 +++++++++++++++++++++++++++++- 2 files changed, 144 insertions(+), 2 deletions(-) diff --git a/plugins/modules/network.py b/plugins/modules/network.py index 7094bac..1c670e9 100644 --- a/plugins/modules/network.py +++ b/plugins/modules/network.py @@ -34,6 +34,10 @@ class Module(SystemdUnitModule): # type: ignore elements=str, help="Routes of networks that can be reached with this device", ), + masquerade=Types.str( + help="how the packets are modified to look like the come from the computer itself.", + choices=("true", "false", "both", "ipv4", "ipv6"), + ), ), required_if=(("defaultdns", True, ("dns",), False),), required_one_of=(("mac", "device", "virtualization"),), @@ -86,6 +90,13 @@ class Module(SystemdUnitModule): # type: ignore options.append("DNSSEC={}".format(systemdbool(self.get("dnssec", "allow-downgrade")))) except KeyError: pass + if self.get("masquerade", -1) != -1: + masquerade = self.get("masquerade") + if masquerade == "true": + masquerade = "both" + elif masquerade == "false": + masquerade = "no" + options.append(f"IPMasquerade={masquerade}") output += "\n".join(options) return output @@ -187,6 +198,17 @@ options: value. required: false type: str + masquerade: + choices: + - 'true' + - 'false' + - both + - ipv4 + - ipv6 + description: + - how the packets are modified to look like the come from the computer itself. + required: false + type: str name: description: - name of the unit diff --git a/plugins/modules/system_service.py b/plugins/modules/system_service.py index 1abe4de..dbd8a80 100644 --- a/plugins/modules/system_service.py +++ b/plugins/modules/system_service.py 
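Review bot: The help string of the new `masquerade` option has a typo ("look like the come from") and leaves out the side effect a reader most needs to know: per systemd.network(5), any IPMasquerade= value other than `no` also turns on IP forwarding for the interface, so the host starts routing between its networks. I would change it to `help="Masquerade (SNAT) forwarded packets so they appear to come from this host; note that this also enables IP forwarding on the interface (ipv4, ipv6 or both; true is treated as both)."` and mirror the sentence in the `masquerade` entry of the DOCUMENTATION block later in this file, which repeats it verbatim. The argument spec this hunk extends starts before the hunk.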
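Review bot: Mapping `true` to `both` in the new masquerade block may not match what systemd itself does with a boolean here — as far as I recall, systemd-networkd still accepts `IPMasquerade=yes` only as a deprecated alias for `ipv4` — so a user porting an existing unit would quietly gain IPv6 NAT they did not have; if `both` is the intended meaning it should be stated in the help text, otherwise map `true` to `ipv4`. As a matter of style, `self.get("masquerade", -1) != -1` introduces a magic sentinel where the `dnssec` lines just above use `try`/`except KeyError`; if `self.get` raises for a missing key, the same shape would read more consistently, and the two renames collapse to `masquerade = {"true": "both", "false": "no"}.get(value, value)`. The enclosing method starts before this hunk.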
@@ -48,7 +48,43 @@ class Module(SystemdUnitModule, SystemdReloadMixin): ), help="List of environment variables that are set to each command before they run", ), - workingdirectory=Types.str(help="The Directory that is used for the processes as current working directory"), + workingdirectory=Types.str( + help="The Directory that is used for the processes as current working directory", + ), + rwpath=Types.list( + elements=Types.path(), + help="Path(s) that are readable and writable (if permission allow)", + ), + ropath=Types.list( + elements=Types.path(), + help="Path(s) that are read only", + ), + notreadablepath=Types.list( + elements=Types.path(), + help="Path(s) that are not accessible by the applications", + ), + execpath=Types.list( + elements=Types.path(), + help="Path(s) where executable files are", + ), + noexecpath=Types.list( + elements=Types.path(), + help="Path(s) which are never executable (uploaded files, user accessible paths)", + ), + protecthome=Types.str( + help="if true makes user specific directories (/home, /root, /run/user) inaccessible. read-only makes them read only and tmpfs is useful to create binds in it", + choices=("true", "false", "read-only", "tmpfs"), + ), + protectsystem=Types.str( + help="makes the system read only. if true /usr, /boot and /efi are read only, if full additionally /etc and if strict all except /proc, /sys and /dev", + choices=("true", "false", "full", "strict"), + ), + nonewprivileges=Types.bool( + help="disables the ability to get new capabilities for processes than already granted ones", + ), + statedirectory=Types.str( + help="creates an unit specific state directory in /var/lib and sets the env var STATE_DIRECTORY with the path to it. Its cleaned up after the unit is stopped" + ), ), ) 
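Review bot: The help for `statedirectory` says the directory "is cleaned up after the unit is stopped", which describes RuntimeDirectory= under /run, not StateDirectory=; a StateDirectory lives under /var/lib precisely so that it survives restarts and reboots, and telling users it is wiped invites them to park secrets or scratch data there on the wrong assumption. I would change it to `help="creates a unit-specific, persistent state directory under /var/lib and exports its path in $STATE_DIRECTORY; it is kept across restarts and reboots"`. The `nonewprivileges` help is also slightly off — NoNewPrivileges= stops the service and its children from gaining privileges through execve (setuid/setgid bits, file capabilities) — so `help="prevents the service and its children from gaining privileges via execve, e.g. through setuid/setgid binaries or file capabilities"` would be more accurate. The argument spec being extended starts before the hunk.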
@@ -60,7 +96,11 @@ class Module(SystemdUnitModule, SystemdReloadMixin): def service(self): section = "[Service]\n" - section += "".join( + params = [] + if self.get("environment", False): + for env in self.get("environment"): + params.append(f"Environment={env['name']}={env['value']}\n") + params.extend( self.map_param( type="Type", pre="ExecStartPre", @@ -69,8 +109,19 @@ class Module(SystemdUnitModule, SystemdReloadMixin): serviceuser="User", servicegroup="Group", workingdirectory="WorkingDirectory", + environmentfile="EnvironmentFile", + protecthome="ProtectHome", + protectsystem="ProtectSystem", + rwpath="ReadWritePaths", + ropath="ReadOnlyPaths", + notreadablepath="InaccessiblePaths", + execpath="ExecPaths", + noexecpath="NoExecPaths", + statedirectory="StateDirectory", + nonewprivileges="NoNewPriviledges" ) ) + section += "".join(params) return section def unit(self) -> str: @@ -142,11 +193,38 @@ options: elements: str required: false type: list + execpath: + default: [] + description: + - Path(s) where executable files are + elements: path + required: false + type: list name: description: - Name of the service required: true type: str + noexecpath: + default: [] + description: + - Path(s) which are never executable (uploaded files, user accessible paths) + elements: path + required: false + type: list + nonewprivileges: + description: + - disables the ability to get new capabilities for processes than already granted + ones + required: false + type: bool + notreadablepath: + default: [] + description: + - Path(s) that are not accessible by the applications + elements: path + required: false + type: list partof: default: [] description: 
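Review bot: The new `Environment=` line interpolates `env['name']` and `env['value']` into the unit file with no quoting or validation, so a value containing whitespace is split by systemd into several assignments, and a name or value containing a newline ends the directive and injects whatever follows as a fresh `[Service]` key — a real hazard once these values come from variables, lookups or inventory rather than literals. Systemd's unit syntax accepts double-quoted values with backslash escapes, so quoting the assignment and rejecting names that contain `=` or any newline closes both gaps. Whether the invalid case should `raise` or go through the module's failure path depends on what `SystemdUnitModule` provides, which is not visible here. `service()` continues in the next hunk.
```python
        params = []
        if self.get("environment", False):
            for env in self.get("environment"):
                name, value = env["name"], env["value"]
                # Unit files are line-based: a newline would end this directive
                # and inject the remainder as a new [Service] key.
                if not name or "=" in name or "\n" in name or "\n" in value:
                    raise ValueError(f"invalid environment variable {name!r}")
                escaped = value.replace("\\", "\\\\").replace('"', '\\"')
                params.append(f'Environment="{name}={escaped}"\n')
        # … unchanged: params.extend(self.map_param(...)) …
```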
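Review bot: `nonewprivileges="NoNewPriviledges"` misspells the systemd directive (`NoNewPrivileges=`), so the generated unit carries a key systemd does not recognise; it logs an unknown-key warning and ignores it, and the hardening the user explicitly asked for silently never takes effect — a false sense of security rather than a visible error. The fix is the single line `nonewprivileges="NoNewPrivileges",`. A test that renders a unit with `nonewprivileges: true` and asserts the exact key would be worthwhile, since nothing in this module checks directive names against what systemd accepts. The `service()` method this hunk completes begins in the previous hunk.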
@@ -171,6 +249,28 @@ options: elements: str required: false type: list + protecthome: + choices: + - 'true' + - 'false' + - read-only + - tmpfs + description: + - if true makes user specific directories (/home, /root, /run/user) inaccessible. + read-only makes them read only and tmpfs is useful to create binds in it + required: false + type: str + protectsystem: + choices: + - 'true' + - 'false' + - full + - strict + description: + - makes the system read only. if true /usr, /boot and /efi are read only, if full + additionally /etc and if strict all except /proc, /sys and /dev + required: false + type: str required_by: default: [] description: @@ -186,6 +286,20 @@ options: elements: str required: false type: list + ropath: + default: [] + description: + - Path(s) that are read only + elements: path + required: false + type: list + rwpath: + default: [] + description: + - Path(s) that are readable and writable (if permission allow) + elements: path + required: false + type: list servicegroup: default: root description: @@ -205,6 +319,12 @@ options: elements: str required: true type: list + statedirectory: + description: + - creates an unit specific state directory in /var/lib and sets the env var STATE_DIRECTORY + with the path to it. Its cleaned up after the unit is stopped + required: false + type: str type: choices: - simple
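Review bot: The `statedirectory` description in the last hunk repeats the claim that the directory "is cleaned up after the unit is stopped"; that is the behaviour of RuntimeDirectory= under /run, whereas StateDirectory= creates a persistent directory under /var/lib that survives stops and reboots. I would replace the description with `creates a unit-specific, persistent state directory under /var/lib and exports its path in the STATE_DIRECTORY environment variable; it is not removed when the unit stops`. Also `an unit` should read `a unit` wherever this sentence appears.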