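---
# Offline image hardening tasks: every `dest`/`path` below is rooted at /mnt,
# i.e. these tasks write into a mounted target filesystem, not the control host.
# NOTE(review): that /mnt is the image under construction is inferred from the
# paths alone — confirm against the play that mounts it.

- name: Disable Kernel Modules
  vars:
    # Filesystems, legacy network protocols and hot-plug buses that the CIS
    # benchmark asks to be disabled. The firewire/thunderbolt entries go beyond
    # CIS: both are DMA-capable buses, so a plugged-in device can read memory.
    cis_modules_base:
      - freevxfs
      - jffs2
      - hfs
      - hfsplus
      - cramfs
      - udf
      - usb-storage
      - dccp
      - sctp
      - rds
      - tipc
      - firewire-core
      - firewire-sbp2
      - thunderbolt
    # squashfs is left enabled on Ubuntu because snapd mounts snaps as
    # squashfs images; everywhere else it is disabled like the others.
    # NOTE(review): `os` is not defined in this file and is expected from the
    # inventory or an earlier play — an undefined `os` fails at render time.
    cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
    cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
  ansible.builtin.copy:
    dest: /mnt/etc/modprobe.d/cis.conf
    mode: "0644"
    # Two lines per module, as the CIS audit expects:
    #   install <mod> /bin/false  - modprobe (and the kernel's request_module
    #                               path, e.g. mounting a hfs image) runs
    #                               /bin/false instead of loading the module.
    #   blacklist <mod>           - additionally stops the module being pulled
    #                               in through an alias match.
    # Limits: neither line affects a module that is compiled into the kernel,
    # and root can still bypass them with insmod / `modprobe --ignore-install`.
    # This is a hardening layer, not a security boundary. Because the file is
    # written into /mnt, nothing here unloads a module on the running host.
    #
    # Padding: '%-15s' plus one literal space reproduces the previous
    # 16-column layout for every name shorter than 16 characters, but always
    # leaves a separator. The previous `' ' * (16 - mod | length)` collapses
    # to '' for a name of 16+ characters and would have emitted
    # `install <name>/bin/false`, which modprobe cannot parse.
    # NOTE(review): CIS publishes Level 1 / Level 2 profiles; "LVL 3" below is
    # a label local to this project, kept as-is.
    content: |
      # CIS LVL 3 Restrictions
      {% for mod in cis_modules_all %}
      install {{ '%-15s' | format(mod) }} /bin/false
      blacklist {{ mod }}
      {% endfor %}

# The rules file was previously written with a .sh suffix, which udev ignores
# (only *.rules files are read); drop it so the stale copy does not linger.
- name: Remove old USB rules file
  ansible.builtin.file:
    path: /mnt/etc/udev/rules.d/10-cis_usb_devices.sh
    state: absent

# Default-deny USB authorization with an allow-list. The first rule flips
# `authorized_default` to 0 on each USB host controller, so newly attached
# devices start unauthorized; the following rules re-authorize the classes
# that are needed. udev processes rules files in lexical order, which the
# `10-` prefix keeps early.
#
# Caveat: the allow rules key on device-reported attributes (bDeviceClass,
# the product string), which any device can claim. A BadUSB-style device
# that advertises a product name containing "Keyboard" is still authorized,
# and so is anything presenting itself as a hub. Treat this as a reduction
# of the casual attack surface, not as per-device (vendor/product/serial)
# allow-listing.
- name: Create USB rules
  ansible.builtin.copy:
    dest: /mnt/etc/udev/rules.d/10-cis_usb_devices.rules
    mode: "0644"
    content: |
      # By default, disable all.
      ACTION=="add", SUBSYSTEMS=="usb", TEST=="authorized_default", ATTR{authorized_default}="0"
      # Enable hub devices.
      ACTION=="add", ATTR{bDeviceClass}=="09", TEST=="authorized", ATTR{authorized}="1"
      # Enable keyboard devices.
      ACTION=="add", ATTR{product}=="*[Kk]eyboard*", TEST=="authorized", ATTR{authorized}="1"
      # PS2-USB converter.
      ACTION=="add", ATTR{product}=="*Thinnet TM*", TEST=="authorized", ATTR{authorized}="1"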