authorChristian Pointner <equinox@spreadspace.org>2020-04-29 01:33:09 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-04-29 01:33:09 +0200
commit5f96a0cd117f3def3d55853d85dc867e26817984 (patch)
tree9199fcbf054445b584074f2a4f75e5427ada5e60 /roles
parentkubeguard: split up role (diff)
improved base role module blacklist config
Diffstat (limited to 'roles')
-rw-r--r--roles/base/defaults/main.yml13
-rw-r--r--roles/base/tasks/Debian.yml11
-rw-r--r--roles/base/vars/main.yml4
3 files changed, 17 insertions, 11 deletions
diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
index 7bab7577..4962578e 100644
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -1,9 +1,9 @@
---
base_entropy_generator: haveged
-sysctl_config_user: {}
+base_sysctl_config_user: {}
-modules_blacklist:
+base_modules_blacklist_:
net:
- dccp
- sctp
@@ -15,14 +15,19 @@ modules_blacklist:
- hfs
- hfsplus
- jffs2
+ sound:
+ - soundcore
+ - usb-midi
misc:
- bluetooth
- firewire-core
- n_hdlc
- net-pf-31
- - soundcore
- thunderbolt
- - usb-midi
+
+base_modules_blacklist_all: "{{ base_modules_blacklist_ | list }}"
+base_modules_blacklist_all_but_sound: "{{ base_modules_blacklist_ | difference(['sound']) | list }}"
+base_modules_blacklist: "{{ base_modules_blacklist_full }}"
base_packages_extra_host: []
base_packages_extra_group: []
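Review bot: The new default `base_modules_blacklist: "{{ base_modules_blacklist_full }}"` references a variable that this hunk does not define; the two selector lists added just above it are `base_modules_blacklist_all` and `base_modules_blacklist_all_but_sound`, so with default settings the Debian task that consumes `base_modules_blacklist` will presumably fail on an undefined variable. The intended default looks like the full set: `base_modules_blacklist: "{{ base_modules_blacklist_all }}"`. The trailing-underscore name `base_modules_blacklist_` for the category map is also easy to misread next to `base_modules_blacklist`; a descriptive name such as `base_modules_blacklist_groups` plus a one-line comment above it, e.g. `# module categories; select which to apply via base_modules_blacklist`, would make the relationship between the three variables clear.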
diff --git a/roles/base/tasks/Debian.yml b/roles/base/tasks/Debian.yml
index 25195ad2..185c3616 100644
--- a/roles/base/tasks/Debian.yml
+++ b/roles/base/tasks/Debian.yml
@@ -81,17 +81,18 @@
state: directory
- name: disable net/fs/misc kernel modules
- loop: "{{ modules_blacklist.net | union(modules_blacklist.fs) | union(modules_blacklist.misc) }}"
- lineinfile:
+ copy:
+ content: |
+ {% for item in (base_modules_blacklist | map('extract', base_modules_blacklist_) | flatten | sort | list) %}
+ install {{ item }} /bin/true
+ {% endfor %}
dest: /etc/modprobe.d/disablemod.conf
- line: "install {{ item }} /bin/true"
- create: yes
owner: root
group: root
mode: 0644
- name: Change various sysctl-settings, look at the sysctl-vars file for documentation
- loop: "{{ sysctl_config | combine(sysctl_config_user) | dict2items }}"
+ loop: "{{ base_sysctl_config | combine(base_sysctl_config_user) | dict2items }}"
loop_control:
label: "{{ item.key }} = {{ item.value }}"
sysctl:
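Review bot: The generated modprobe.d content uses `map('extract', base_modules_blacklist_)` over the user-selected `base_modules_blacklist`, so a category name that is not a key of the map yields an undefined value and the subsequent `flatten` presumably fails with an unhelpful template error rather than pointing at the bad entry. A short comment on the task would save the next operator a debugging round, e.g. `# base_modules_blacklist must only contain keys of base_modules_blacklist_ (net, fs, sound, misc)`. It is also worth noting in the task that `install <module> /bin/true` only blocks future loading: modules already loaded stay resident until unloaded or the host reboots, and the play registers no handler for that, so a comment such as `# takes effect for modules not yet loaded; reboot or rmmod for already-loaded ones` would document the expected behaviour. The surrounding play continues outside the hunk.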
diff --git a/roles/base/vars/main.yml b/roles/base/vars/main.yml
index d228b088..9940d7a6 100644
--- a/roles/base/vars/main.yml
+++ b/roles/base/vars/main.yml
@@ -3,9 +3,9 @@
# These are not meant to be modified by the user
#
-# To adjust these settings use sysctl_config_user dict
+# To adjust these settings use base_sysctl_config_user dict
#
-sysctl_config:
+base_sysctl_config:
# Enable RFC-recommended source validation feature.
net.ipv4.conf.all.rp_filter: 1