evolix/EvoBSD
21
0
Fork 0
Code Issues 2 Pull requests Releases 3 Wiki Activity

Merge pull request 'Customize fstab with noexec and softdep' (#36) from customize_fstab into dev
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse source 
Reviewed-on: #36
Reviewed-by: Tristan Pilat <drustan@noreply.gitea.evolix.org>
This commit is contained in:
Jérémy Dubois 2020-10-12 14:48:22 +02:00
parent 3255566edf a40e2b4750
commit 6abf573fae
3 changed files with 84 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
roles/base/handlers/main.yml
View file

@ -1,3 +1,8 @@
---
- name: newaliases
shell: smtpctl update table aliases
- name: remount /tmp
command: mount -u -o noexec /tmp
args:
warn: false

78
roles/base/tasks/fstab.yml Normal file
View file

@ -0,0 +1,78 @@
---
- name: Fetch fstab content
command: "grep -v '^#' /etc/fstab"
check_mode: false
register: fstab_content
failed_when: false
changed_when: false
tags:
- fstab
- name: / partition is customized - softdep
replace:
dest: /etc/fstab
regexp: '(\s+/\s+\S+\s+rw)(.*)'
replace: '\1,softdep\2'
when:
- fstab_content.stdout | regex_search('\s/\s')
- not (fstab_content.stdout | regex_search('\s+/\s+\S+\s+rw,softdep'))
tags:
- fstab
- name: /var partition is customized - softdep
replace:
dest: /etc/fstab
regexp: '(\s+/var\s+\S+\s+rw)(.*)'
replace: '\1,softdep\2'
when:
- fstab_content.stdout | regex_search('\s/var\s')
- not (fstab_content.stdout | regex_search('\s+/var\s+\S+\s+rw,softdep'))
tags:
- fstab
- name: /usr partition is customized - softdep
replace:
dest: /etc/fstab
regexp: '(\s+/usr\s+\S+\s+rw)(.*)'
replace: '\1,softdep\2'
when:
- fstab_content.stdout | regex_search('\s/usr\s')
- not (fstab_content.stdout | regex_search('\s+/usr\s+\S+\s+rw,softdep'))
tags:
- fstab
- name: /tmp partition is customized - noexec
replace:
dest: /etc/fstab
regexp: '(\s+/tmp\s+\S+\s+rw(,softdep)*)(.*)'
replace: '\1,noexec\3'
when:
- fstab_content.stdout | regex_search('\s/tmp\s')
- not (fstab_content.stdout
| regex_search('\s+/tmp\s+\S+\s+rw,(softdep,)*noexec'))
tags:
- fstab
- name: /tmp partition is customized - softdep
replace:
dest: /etc/fstab
regexp: '(\s+/tmp\s+\S+\s+rw)(.*)'
replace: '\1,softdep\2'
notify: remount /tmp
when:
- fstab_content.stdout | regex_search('\s/tmp\s')
- not (fstab_content.stdout
| regex_search('\s+/tmp\s+\S+\s+rw,(noexec,)*softdep'))
tags:
- fstab
- name: /home partition is customized - softdep
replace:
dest: /etc/fstab
regexp: '(\s+/home\s+\S+\s+rw)(.*)'
replace: '\1,softdep\2'
when:
- fstab_content.stdout | regex_search('\s/home\s')
- not (fstab_content.stdout | regex_search('\s+/home\s+\S+\s+rw,softdep'))
tags:
- fstab

1
roles/base/tasks/main.yml
View file

@ -9,3 +9,4 @@
- include: evobackup.yml
- include: newsyslog.yml
- include: cron.yml
- include: fstab.yml