added more keys

2023-11-23 19:08:51 +01:00 · 2023-11-23 19:08:51 +01:00 · 4242ce0c95
Commit 4242ce0c95
--- a/plugins/modules/network.py
+++ b/plugins/modules/network.py
@ -34,6 +34,10 @@ class Module(SystemdUnitModule):  # type: ignore
                elements=str,
                help="Routes of networks that can be reached with this device",
            ),
+            masquerade=Types.str(
+                help="how the packets are modified to look like the come from the computer itself.",
+                choices=("true", "false", "both", "ipv4", "ipv6"),
+            ),
        ),
        required_if=(("defaultdns", True, ("dns",), False),),
        required_one_of=(("mac", "device", "virtualization"),),
@ -86,6 +90,13 @@ class Module(SystemdUnitModule):  # type: ignore
            options.append("DNSSEC={}".format(systemdbool(self.get("dnssec", "allow-downgrade"))))
        except KeyError:
            pass
+        if self.get("masquerade", -1) != -1:
+            masquerade = self.get("masquerade")
+            if masquerade == "true":
+                masquerade = "both"
+            elif masquerade == "false":
+                masquerade = "no"
+            options.append(f"IPMasquerade={masquerade}")
        output += "\n".join(options)
        return output

@ -187,6 +198,17 @@ options:
      value.
    required: false
    type: str
+  masquerade:
+    choices:
+    - 'true'
+    - 'false'
+    - both
+    - ipv4
+    - ipv6
+    description:
+    - how the packets are modified to look like the come from the computer itself.
+    required: false
+    type: str
  name:
    description:
    - name of the unit
--- a/plugins/modules/system_service.py
+++ b/plugins/modules/system_service.py
@ -48,7 +48,43 @@ class Module(SystemdUnitModule, SystemdReloadMixin):
                ),
                help="List of environment variables that are set to each command before they run",
            ),
-            workingdirectory=Types.str(help="The Directory that is used for the processes as current working directory"),
+            workingdirectory=Types.str(
+                help="The Directory that is used for the processes as current working directory",
+            ),
+            rwpath=Types.list(
+                elements=Types.path(),
+                help="Path(s) that are readable and writable (if permission allow)",
+            ),
+            ropath=Types.list(
+                elements=Types.path(),
+                help="Path(s) that are read only",
+            ),
+            notreadablepath=Types.list(
+                elements=Types.path(),
+                help="Path(s) that are not accessible by the applications",
+            ),
+            execpath=Types.list(
+                elements=Types.path(),
+                help="Path(s) where executable files are",
+            ),
+            noexecpath=Types.list(
+                elements=Types.path(),
+                help="Path(s) which are never executable (uploaded files, user accessible paths)",
+            ),
+            protecthome=Types.str(
+                help="if true makes user specific directories (/home, /root, /run/user) inaccessible. read-only makes them read only and tmpfs is useful to create binds in it",
+                choices=("true", "false", "read-only", "tmpfs"),
+            ),
+            protectsystem=Types.str(
+                help="makes the system read only. if true /usr, /boot and /efi are read only, if full additionally /etc and if strict all except /proc, /sys and /dev",
+                choices=("true", "false", "full", "strict"),
+            ),
+            nonewprivileges=Types.bool(
+                help="disables the ability to get new capabilities for processes than already granted ones",
+            ),
+            statedirectory=Types.str(
+                help="creates an unit specific state directory in /var/lib and sets the env var STATE_DIRECTORY with the path to it. Its cleaned up after the unit is stopped"
+            ),
        ),
    )

@ -60,7 +96,11 @@ class Module(SystemdUnitModule, SystemdReloadMixin):

    def service(self):
        section = "[Service]\n"
-        section += "".join(
+        params = []
+        if self.get("environment", False):
+            for env in self.get("environment"):
+                params.append(f"Environment={env['name']}={env['value']}\n")
+        params.extend(
            self.map_param(
                type="Type",
                pre="ExecStartPre",
@ -69,8 +109,19 @@ class Module(SystemdUnitModule, SystemdReloadMixin):
                serviceuser="User",
                servicegroup="Group",
                workingdirectory="WorkingDirectory",
+                environmentfile="EnvironmentFile",
+                protecthome="ProtectHome",
+                protectsystem="ProtectSystem",
+                rwpath="ReadWritePaths",
+                ropath="ReadOnlyPaths",
+                notreadablepath="InaccessiblePaths",
+                execpath="ExecPaths",
+                noexecpath="NoExecPaths",
+                statedirectory="StateDirectory",
+                nonewprivileges="NoNewPriviledges"
            )
        )
+        section += "".join(params)
        return section

    def unit(self) -> str:
@ -142,11 +193,38 @@ options:
    elements: str
    required: false
    type: list
+  execpath:
+    default: []
+    description:
+    - Path(s) where executable files are
+    elements: path
+    required: false
+    type: list
  name:
    description:
    - Name of the service
    required: true
    type: str
+  noexecpath:
+    default: []
+    description:
+    - Path(s) which are never executable (uploaded files, user accessible paths)
+    elements: path
+    required: false
+    type: list
+  nonewprivileges:
+    description:
+    - disables the ability to get new capabilities for processes than already granted
+      ones
+    required: false
+    type: bool
+  notreadablepath:
+    default: []
+    description:
+    - Path(s) that are not accessible by the applications
+    elements: path
+    required: false
+    type: list
  partof:
    default: []
    description:
@ -171,6 +249,28 @@ options:
    elements: str
    required: false
    type: list
+  protecthome:
+    choices:
+    - 'true'
+    - 'false'
+    - read-only
+    - tmpfs
+    description:
+    - if true makes user specific directories (/home, /root, /run/user) inaccessible.
+      read-only makes them read only and tmpfs is useful to create binds in it
+    required: false
+    type: str
+  protectsystem:
+    choices:
+    - 'true'
+    - 'false'
+    - full
+    - strict
+    description:
+    - makes the system read only. if true /usr, /boot and /efi are read only, if full
+      additionally /etc and if strict all except /proc, /sys and /dev
+    required: false
+    type: str
  required_by:
    default: []
    description:
@ -186,6 +286,20 @@ options:
    elements: str
    required: false
    type: list
+  ropath:
+    default: []
+    description:
+    - Path(s) that are read only
+    elements: path
+    required: false
+    type: list
+  rwpath:
+    default: []
+    description:
+    - Path(s) that are readable and writable (if permission allow)
+    elements: path
+    required: false
+    type: list
  servicegroup:
    default: root
    description:
@ -205,6 +319,12 @@ options:
    elements: str
    required: true
    type: list
+  statedirectory:
+    description:
+    - creates an unit specific state directory in /var/lib and sets the env var STATE_DIRECTORY
+      with the path to it. Its cleaned up after the unit is stopped
+    required: false
+    type: str
  type:
    choices:
    - simple