From fbd57e06036b595603530ad033ef8a43f871845b Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Sat, 21 Feb 2026 00:38:47 +0100
Subject: [PATCH] fix(cis): skip squashfs blacklist on Ubuntu to preserve snap functionality
---
roles/cis/tasks/modules.yml | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/roles/cis/tasks/modules.yml b/roles/cis/tasks/modules.yml
index d2e48b8..aec8f38 100644
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -1,23 +1,28 @@
 ---
 - name: Disable Kernel Modules
+ vars:
+ cis_modules_base:
+ - freevxfs
+ - jffs2
+ - hfs
+ - hfsplus
+ - cramfs
+ - udf
+ - usb-storage
+ - dccp
+ - sctp
+ - rds
+ - tipc
+ cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
+ cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
 ansible.builtin.copy:
 dest: /mnt/etc/modprobe.d/cis.conf
 mode: "0644"
 content: |
 # CIS LVL 3 Restrictions
- install freevxfs /bin/false
- install jffs2 /bin/false
- install hfs /bin/false
- install hfsplus /bin/false
- install cramfs /bin/false
- # Note: disabling squashfs breaks snap (Ubuntu). Remove for snap-dependent hosts.
- install squashfs /bin/false
- install udf /bin/false
- install usb-storage /bin/false
- install dccp /bin/false
- install sctp /bin/false
- install rds /bin/false
- install tipc /bin/false
+ {% for mod in cis_modules_all %}
+ install {{ mod }}{{ ' ' * (16 - mod | length) }}/bin/false
+ {% endfor %}
 - name: Remove old USB rules file
 ansible.builtin.file:
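Review bot: The generated `/etc/modprobe.d/cis.conf` no longer carries the explanation the removed `# Note:` line gave, so an auditor reading the file on an Ubuntu host sees squashfs missing from the CIS list with no record that the omission is deliberate; consider emitting it from the template, e.g. `{% if not cis_modules_squashfs %}# squashfs intentionally left loadable: required by snap on Ubuntu{% endif %}` placed before the `{% for %}` loop. The exemption also hinges on `os`, which is not defined in this hunk and is compared against the literals `'ubuntu'`/`'ubuntu-lts'`: if it is unset the task fails on an undefined variable, and if it arrives with a different spelling (for instance a value derived from `ansible_facts['distribution']`, which is `Ubuntu`) the squashfs rule is silently written and snap breaks, so document where `os` comes from or normalise it with `| lower` before the comparison. The alignment padding `' ' * (16 - mod | length)` collapses to an empty string for any module name of 16 or more characters, yielding `install <mod>/bin/false` with no separator, which modprobe would not read as the intended rule; a plain `install {{ mod }} /bin/false` is the safer form. Recent CIS remediations also pair each `install` line with `blacklist {{ mod }}` so the module cannot be pulled in through an alias; that was missing before this commit as well, but the new loop is the natural place to add it.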