---
- name: Create a consolidated sysctl configuration file
  ansible.builtin.copy:
    dest: /mnt/etc/sysctl.d/10-cis.conf
    mode: "0644"
    content: |
      ## CIS Sysctl configurations
      kernel.yama.ptrace_scope=1
      kernel.randomize_va_space=2
      # Network
      net.ipv4.ip_forward=0
      net.ipv4.tcp_syncookies=1
      net.ipv4.icmp_echo_ignore_broadcasts=1
      net.ipv4.icmp_ignore_bogus_error_responses=1
      net.ipv4.conf.all.log_martians = 1
      net.ipv4.conf.all.rp_filter = 1
      net.ipv4.conf.all.secure_redirects = 0
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.all.accept_redirects = 0
      net.ipv4.conf.all.accept_source_route=0
      net.ipv4.conf.default.log_martians = 1
      net.ipv4.conf.default.rp_filter = 1
      net.ipv4.conf.default.secure_redirects = 0
      net.ipv4.conf.default.send_redirects = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv6.conf.all.accept_redirects = 0
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.accept_redirects = 0
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1