fix: disable and blacklist modules from kernel_disable_modules

2022-09-18 13:04:02 +02:00 · 2022-09-18 13:04:02 +02:00 · ca27e64ad4
parent 8a824622bc
commit ca27e64ad4
3 changed files with 6 additions and 8 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,14 +1,14 @@
 ---
 kernel_disable_modules:
  - usb-storage
 kernel_blacklist_modules:
  - firewire-core
  - dccp
  - sctp
  - tipc
  - rds
 kernel_blacklist_modules: []
 # @var kernel_ipv4_ping_group_range: $ "_unset"
 # @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
--- a/templates/etc/modprobe.d/custom.conf.j2
+++ b/templates/etc/modprobe.d/custom.conf.j2
@ -1,10 +1,11 @@
 #jinja2: lstrip_blocks: True
 {{ ansible_managed | comment }}
 {% for module in kernel_disable_modules %}
 install {{ module }} /bin/true
 {% endfor %}
-{% for module in kernel_blacklist_modules %}
+{% if (kernel_blacklist_modules + kernel_disable_modules) | length > 0 %}
 {% for module in (kernel_blacklist_modules + kernel_disable_modules) %}
 blacklist {{ module }}
 {% endfor %}
 {% endif %}
--- a/templates/etc/sysctl.d/local.conf.j2
+++ b/templates/etc/sysctl.d/local.conf.j2
@ -19,9 +19,6 @@ kernel.yama.ptrace_scope = 2
 # Command is trapped and sent to the init program to handle a graceful restart
 kernel.ctrl-alt-del = 0
 # Disable loading new modules
 kernel.modules_disabled = 1
 # Disable access to performance events by users without CAP_SYS_ADMIN
 kernel.perf_event_paranoid = 3