refactor(cis): extract hardcoded values to cis_defaults and add _normalize.yml

2026-02-21 01:26:31 +01:00
parent bef15af69f
commit f74ec325ea
8 changed files with 99 additions and 79 deletions
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -1,23 +1,8 @@
 ---
 - name: Disable Kernel Modules
  vars:
-    cis_modules_base:
-      - freevxfs
-      - jffs2
-      - hfs
-      - hfsplus
-      - cramfs
-      - udf
-      - usb-storage
-      - dccp
-      - sctp
-      - rds
-      - tipc
-      - firewire-core
-      - firewire-sbp2
-      - thunderbolt
    cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
-    cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
+    cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
  ansible.builtin.copy:
    dest: /mnt/etc/modprobe.d/cis.conf
    mode: "0644"