added more keys

plugins/modules/network.py

@@ -34,6 +34,10 @@ class Module(SystemdUnitModule):  # type: ignore
                 elements=str,
                 help="Routes of networks that can be reached with this device",
             ),
+            masquerade=Types.str(
+                help="how the packets are modified to look like the come from the computer itself.",
+                choices=("true", "false", "both", "ipv4", "ipv6"),
+            ),
         ),
         required_if=(("defaultdns", True, ("dns",), False),),
         required_one_of=(("mac", "device", "virtualization"),),
@@ -86,6 +90,13 @@ class Module(SystemdUnitModule):  # type: ignore
             options.append("DNSSEC={}".format(systemdbool(self.get("dnssec", "allow-downgrade"))))
         except KeyError:
             pass
+        if self.get("masquerade", -1) != -1:
+            masquerade = self.get("masquerade")
+            if masquerade == "true":
+                masquerade = "both"
+            elif masquerade == "false":
+                masquerade = "no"
+            options.append(f"IPMasquerade={masquerade}")
         output += "\n".join(options)
         return output
 
@@ -187,6 +198,17 @@ options:
       value.
     required: false
     type: str
+  masquerade:
+    choices:
+    - 'true'
+    - 'false'
+    - both
+    - ipv4
+    - ipv6
+    description:
+    - how the packets are modified to look like the come from the computer itself.
+    required: false
+    type: str
   name:
     description:
     - name of the unit

plugins/modules/system_service.py

@@ -48,7 +48,43 @@ class Module(SystemdUnitModule, SystemdReloadMixin):
                 ),
                 help="List of environment variables that are set to each command before they run",
             ),
-            workingdirectory=Types.str(help="The Directory that is used for the processes as current working directory"),
+            workingdirectory=Types.str(
+                help="The Directory that is used for the processes as current working directory",
+            ),
+            rwpath=Types.list(
+                elements=Types.path(),
+                help="Path(s) that are readable and writable (if permission allow)",
+            ),
+            ropath=Types.list(
+                elements=Types.path(),
+                help="Path(s) that are read only",
+            ),
+            notreadablepath=Types.list(
+                elements=Types.path(),
+                help="Path(s) that are not accessible by the applications",
+            ),
+            execpath=Types.list(
+                elements=Types.path(),
+                help="Path(s) where executable files are",
+            ),
+            noexecpath=Types.list(
+                elements=Types.path(),
+                help="Path(s) which are never executable (uploaded files, user accessible paths)",
+            ),
+            protecthome=Types.str(
+                help="if true makes user specific directories (/home, /root, /run/user) inaccessible. read-only makes them read only and tmpfs is useful to create binds in it",
+                choices=("true", "false", "read-only", "tmpfs"),
+            ),
+            protectsystem=Types.str(
+                help="makes the system read only. if true /usr, /boot and /efi are read only, if full additionally /etc and if strict all except /proc, /sys and /dev",
+                choices=("true", "false", "full", "strict"),
+            ),
+            nonewprivileges=Types.bool(
+                help="disables the ability to get new capabilities for processes than already granted ones",
+            ),
+            statedirectory=Types.str(
+                help="creates an unit specific state directory in /var/lib and sets the env var STATE_DIRECTORY with the path to it. Its cleaned up after the unit is stopped"
+            ),
         ),
     )
 
@@ -60,7 +96,11 @@ class Module(SystemdUnitModule, SystemdReloadMixin):
 
     def service(self):
         section = "[Service]\n"
-        section += "".join(
+        params = []
+        if self.get("environment", False):
+            for env in self.get("environment"):
+                params.append(f"Environment={env['name']}={env['value']}\n")
+        params.extend(
             self.map_param(
                 type="Type",
                 pre="ExecStartPre",
@@ -69,8 +109,19 @@ class Module(SystemdUnitModule, SystemdReloadMixin):
                 serviceuser="User",
                 servicegroup="Group",
                 workingdirectory="WorkingDirectory",
+                environmentfile="EnvironmentFile",
+                protecthome="ProtectHome",
+                protectsystem="ProtectSystem",
+                rwpath="ReadWritePaths",
+                ropath="ReadOnlyPaths",
+                notreadablepath="InaccessiblePaths",
+                execpath="ExecPaths",
+                noexecpath="NoExecPaths",
+                statedirectory="StateDirectory",
+                nonewprivileges="NoNewPriviledges"
             )
         )
+        section += "".join(params)
         return section
 
     def unit(self) -> str:
@@ -142,11 +193,38 @@ options:
     elements: str
     required: false
     type: list
+  execpath:
+    default: []
+    description:
+    - Path(s) where executable files are
+    elements: path
+    required: false
+    type: list
   name:
     description:
     - Name of the service
     required: true
     type: str
+  noexecpath:
+    default: []
+    description:
+    - Path(s) which are never executable (uploaded files, user accessible paths)
+    elements: path
+    required: false
+    type: list
+  nonewprivileges:
+    description:
+    - disables the ability to get new capabilities for processes than already granted
+      ones
+    required: false
+    type: bool
+  notreadablepath:
+    default: []
+    description:
+    - Path(s) that are not accessible by the applications
+    elements: path
+    required: false
+    type: list
   partof:
     default: []
     description:
@@ -171,6 +249,28 @@ options:
     elements: str
     required: false
     type: list
+  protecthome:
+    choices:
+    - 'true'
+    - 'false'
+    - read-only
+    - tmpfs
+    description:
+    - if true makes user specific directories (/home, /root, /run/user) inaccessible.
+      read-only makes them read only and tmpfs is useful to create binds in it
+    required: false
+    type: str
+  protectsystem:
+    choices:
+    - 'true'
+    - 'false'
+    - full
+    - strict
+    description:
+    - makes the system read only. if true /usr, /boot and /efi are read only, if full
+      additionally /etc and if strict all except /proc, /sys and /dev
+    required: false
+    type: str
   required_by:
     default: []
     description:
@@ -186,6 +286,20 @@ options:
     elements: str
     required: false
     type: list
+  ropath:
+    default: []
+    description:
+    - Path(s) that are read only
+    elements: path
+    required: false
+    type: list
+  rwpath:
+    default: []
+    description:
+    - Path(s) that are readable and writable (if permission allow)
+    elements: path
+    required: false
+    type: list
   servicegroup:
     default: root
     description:
@@ -205,6 +319,12 @@ options:
     elements: str
     required: true
     type: list
+  statedirectory:
+    description:
+    - creates an unit specific state directory in /var/lib and sets the env var STATE_DIRECTORY
+      with the path to it. Its cleaned up after the unit is stopped
+    required: false
+    type: str
   type:
     choices:
     - simple