---

- name: Reboot after panic
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  loop:
    - { name: kernel.panic_on_oops, value: 1 }
    - { name: kernel.panic, value: 60 }
  when: evolinux_kernel_reboot_after_panic | bool

- name: Don't reboot after panic
  sysctl:
    name: "{{ item }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: absent
    reload: yes
  loop:
    - kernel.panic_on_oops
    - kernel.panic
  when: not evolinux_kernel_reboot_after_panic | bool

- name: Disable net.ipv4.tcp_timestamps
  sysctl:
    name: net.ipv4.tcp_timestamps
    value: '0'
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  when: evolinux_kernel_disable_tcp_timestamps | bool

- name: Customize the swappiness
  sysctl:
    name: vm.swappiness
    value: "{{ evolinux_kernel_swappiness }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  when: evolinux_kernel_customize_swappiness | bool

- name: Patch for TCP stack vulnerability CVE-2016-5696
  sysctl:
    name: net.ipv4.tcp_challenge_ack_limit
    value: "1073741823"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  when: evolinux_kernel_cve20165696 | bool

- name: Patch for TCP stack vulnerability CVE-2018-5391 (FragmentSmack)
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
    state: present
    reload: yes
  loop:
    - { name: "net.ipv4.ipfrag_low_thresh",   value: "196608" }
    - { name: "net.ipv6.ip6frag_low_thresh",  value: "196608" }
    - { name: "net.ipv4.ipfrag_high_thresh",  value: "262144" }
    - { name: "net.ipv6.ip6frag_high_thresh", value: "262144" }

- meta: flush_handlers