From 3db18858c3f6806855bc2cf567cac1b69faf8353 Mon Sep 17 00:00:00 2001
From: Sandwich <sandwich@archworks.co>
Date: Fri, 20 Feb 2026 21:16:48 +0100
Subject: [PATCH] refactor(cis): move OS-specific binary resolution to
 vars/main.yml

---
 roles/cis/defaults/main.yml | 32 ++++++++++++--------------------
 roles/cis/vars/main.yml     | 21 +++++++++++++++++++++
 2 files changed, 33 insertions(+), 20 deletions(-)
 create mode 100644 roles/cis/vars/main.yml

diff --git a/roles/cis/defaults/main.yml b/roles/cis/defaults/main.yml
index b03ec7e..6b3fd64 100644
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -1,21 +1,13 @@
 ---
-cis_permission_targets: >-
-  {{
-    [
-      { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
-      { "path": "/mnt/etc/cron.hourly", "mode": "0700" },
-      { "path": "/mnt/etc/cron.daily", "mode": "0700" },
-      { "path": "/mnt/etc/cron.weekly", "mode": "0700" },
-      { "path": "/mnt/etc/cron.monthly", "mode": "0700" },
-      { "path": "/mnt/etc/cron.d", "mode": "0700" },
-      { "path": "/mnt/etc/crontab", "mode": "0600" },
-      { "path": "/mnt/etc/logrotate.conf", "mode": "0644" },
-      { "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os != "rhel" else None,
-      {
-        "path": "/mnt/usr/bin/"
-        + ("fusermount3" if os in ["archlinux", "fedora", "rocky"] or os == "rhel" or (os == "debian" and (os_version | string) == "12") else "fusermount"),
-        "mode": "755"
-      },
-      { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian" and (os_version | string) == "11" else "write"), "mode": "755" }
-    ] | reject("none")
-  }}
+cis_permission_targets:
+  - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
+  - { path: "/mnt/etc/cron.hourly", mode: "0700" }
+  - { path: "/mnt/etc/cron.daily", mode: "0700" }
+  - { path: "/mnt/etc/cron.weekly", mode: "0700" }
+  - { path: "/mnt/etc/cron.monthly", mode: "0700" }
+  - { path: "/mnt/etc/cron.d", mode: "0700" }
+  - { path: "/mnt/etc/crontab", mode: "0600" }
+  - { path: "/mnt/etc/logrotate.conf", mode: "0644" }
+  - { path: "/mnt/usr/sbin/pppd", mode: "0754" }
+  - { path: "/mnt/usr/bin/{{ cis_fusermount_binary }}", mode: "0755" }
+  - { path: "/mnt/usr/bin/{{ cis_write_binary }}", mode: "0755" }
diff --git a/roles/cis/vars/main.yml b/roles/cis/vars/main.yml
new file mode 100644
index 0000000..bf06761
--- /dev/null
+++ b/roles/cis/vars/main.yml
@@ -0,0 +1,21 @@
+---
+# OS-specific binary names for CIS permission targets.
+# fusermount3 is the modern name; older distros still use fusermount.
+cis_fusermount_binary: >-
+  {{
+    'fusermount3'
+    if (
+      os in ['archlinux', 'fedora', 'rocky', 'rhel']
+      or (os == 'debian' and (os_version | string) not in ['10', '11'])
+      or (os == 'almalinux')
+    )
+    else 'fusermount'
+  }}
+
+# write.ul is the Debian 11 name; all others use write.
+cis_write_binary: >-
+  {{
+    'write.ul'
+    if (os == 'debian' and (os_version | string) == '11')
+    else 'write'
+  }}