sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor(cis): move OS-specific binary resolution to vars/main.yml

Browse Source
This commit is contained in:
Sandwich
2026-02-20 21:16:48 +01:00
parent 72a9576abe
commit 3db18858c3
2 changed files with 33 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
roles/cis/defaults/main.yml
View File

@@ -1,21 +1,13 @@
--- ---
cis_permission_targets: >- cis_permission_targets:
{{ - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
[ - { path: "/mnt/etc/cron.hourly", mode: "0700" }
{ "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" }, - { path: "/mnt/etc/cron.daily", mode: "0700" }
{ "path": "/mnt/etc/cron.hourly", "mode": "0700" }, - { path: "/mnt/etc/cron.weekly", mode: "0700" }
{ "path": "/mnt/etc/cron.daily", "mode": "0700" }, - { path: "/mnt/etc/cron.monthly", mode: "0700" }
{ "path": "/mnt/etc/cron.weekly", "mode": "0700" }, - { path: "/mnt/etc/cron.d", mode: "0700" }
{ "path": "/mnt/etc/cron.monthly", "mode": "0700" }, - { path: "/mnt/etc/crontab", mode: "0600" }
{ "path": "/mnt/etc/cron.d", "mode": "0700" }, - { path: "/mnt/etc/logrotate.conf", mode: "0644" }
{ "path": "/mnt/etc/crontab", "mode": "0600" }, - { path: "/mnt/usr/sbin/pppd", mode: "0754" }
{ "path": "/mnt/etc/logrotate.conf", "mode": "0644" }, - { path: "/mnt/usr/bin/{{ cis_fusermount_binary }}", mode: "0755" }
{ "path": "/mnt/usr/sbin/pppd", "mode": "0754" } if os != "rhel" else None, - { path: "/mnt/usr/bin/{{ cis_write_binary }}", mode: "0755" }
{
"path": "/mnt/usr/bin/"
+ ("fusermount3" if os in ["archlinux", "fedora", "rocky"] or os == "rhel" or (os == "debian" and (os_version | string) == "12") else "fusermount"),
"mode": "755"
},
{ "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian" and (os_version | string) == "11" else "write"), "mode": "755" }
] | reject("none")
}}

21
roles/cis/vars/main.yml Normal file
View File

@@ -0,0 +1,21 @@
---
# OS-specific binary names for CIS permission targets.
# fusermount3 is the modern name; older distros still use fusermount.
cis_fusermount_binary: >-
{{
'fusermount3'
if (
os in ['archlinux', 'fedora', 'rocky', 'rhel']
or (os == 'debian' and (os_version | string) not in ['10', '11'])
or (os == 'almalinux')
)
else 'fusermount'
}}
# write.ul is the Debian 11 name; all others use write.
cis_write_binary: >-
{{
'write.ul'
if (os == 'debian' and (os_version | string) == '11')
else 'write'
}}