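---
- name: Create a consolidated sysctl configuration file
  # Gated on the sysctl_hardening rule; a missing flag evaluates to false and the task is skipped.
  when: cis_effective_rules.sysctl_hardening | default(false)
  vars:
    # ipv6_disable is a separate rule: when it is off, drop every key whose name
    # contains "disable_ipv6" (regex search) and keep the rest of cis_cfg.sysctl.
    _cis_sysctl: >-
      {{ cis_cfg.sysctl if (cis_effective_rules.ipv6_disable | default(false))
      else (cis_cfg.sysctl | dict2items | rejectattr('key', 'search', 'disable_ipv6') | items2dict) }}
  ansible.builtin.copy:
    # 99- so CIS wins: a 10- name loses to vendor /usr/lib/sysctl.d/10-default-yama-scope.conf
    # (later basename applies last), which reset kernel.yama.ptrace_scope back to 0.
    # NOTE(review): anything sorting after "99-cis" can still override these keys
    # (e.g. a 99-sysctl.conf -> /etc/sysctl.conf symlink on Debian-derived images,
    # or /etc/sysctl.conf itself, which `sysctl --system` reads last) -- confirm
    # the target image does not re-set any of these keys there.
    dest: /mnt/etc/sysctl.d/99-cis.conf
    # Pin ownership explicitly rather than inheriting the invoking user's uid/gid:
    # the file lands in the target root under /mnt and must be root-owned there.
    owner: root
    group: root
    mode: "0644"
    # Values are written verbatim. A YAML boolean in cis_cfg.sysctl would render
    # as "True"/"False" rather than 1/0, so keep sysctl values as ints or quoted strings.
    content: |
      ## CIS Sysctl configurations
      {% for key, value in _cis_sysctl | dictsort %}
      {{ key }}={{ value }}
      {% endfor %}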