diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 49c7a35..ce1ff81 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -100,6 +100,10 @@ raspbian_repository_use_sources: yes
 global_fstab_file: "/etc/fstab"
+global_proc_hidepid_service_whitelist:
+ - "{{ global_systemd_login_service_name }}"
+ - "{{ global_systemd_user_service_name }}"
+
 global_users_directory: "/home"
 # Application configurations
@@ -193,6 +197,7 @@ global_systemd_login_service_name: "systemd-logind.service"
 global_systemd_network_directory: "/etc/systemd/network"
 global_systemd_network_service_name: "systemd-networkd.service"
 global_systemd_network_system_user: "systemd-network"
+global_systemd_user_service_name: "user@.service"
 global_zsh_antigen_source: "/usr/share/zsh-antigen/antigen.zsh"
diff --git a/roles/common/tasks/kernel_hidepid.yml b/roles/common/tasks/kernel_hidepid.yml
index 6695e64..89cc8f1 100644
--- a/roles/common/tasks/kernel_hidepid.yml
+++ b/roles/common/tasks/kernel_hidepid.yml
@@ -18,20 +18,22 @@
 nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
-- name: Ensure configuration directory for systemd-logind service exists
+- name: Ensure configuration directory for whitelisted services exist
 file:
 state: directory
- path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d"
+ path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"
 owner: root
 group: root
 mode: u=rwx,g=rx,o=rx
+ loop: "{{ global_proc_hidepid_service_whitelist }}"
-- name: Configure systemd-logind to adapt to hidepid setting
+- name: Configure whitelisted services to adapt to hidepid setting
 copy:
 content: |
 [Service]
 SupplementaryGroups=proc
- dest: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"
+ dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"
 owner: root
 group: root
 mode: u=rw,g=r,o=r
+ loop: "{{ global_proc_hidepid_service_whitelist }}"
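Review bot: Adding `{{ global_systemd_user_service_name }}` (`user@.service`, introduced in the next hunk) to `global_proc_hidepid_service_whitelist` widens the hidepid exception well beyond logind: the tasks hunk in roles/common/tasks/kernel_hidepid.yml gives every listed unit `SupplementaryGroups=proc`, and for that template unit this is each user's `systemd --user` manager, whose child services would presumably inherit the group and so read all of /proc despite `hidepid=2`. If that is the intended trade-off, record it on the variable so the next reader does not treat the list as a harmless allow-list: `# Units granted the "proc" supplementary group so they can read /proc despite hidepid=2.` followed by `# user@.service extends this to every per-user service manager; keep the list minimal.`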
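Review bot: The drop-in is renamed from `hidepid.conf` to `proc_hidepid_whitelist.conf`, but nothing removes the old `{{ global_systemd_login_service_name }}.d/hidepid.conf` on hosts that were already provisioned, so both files remain there and the role stops being convergent; a `state: absent` cleanup task ahead of the loop, as sketched below, closes that gap. Neither the `file` nor the `copy` task carries a `notify`, and a new drop-in only takes effect after `systemctl daemon-reload` and a restart of the unit — if a handler covers that elsewhere in the role it is not visible in this hunk. The mount task whose options line opens the hunk begins outside it.
```yaml
- name: Remove superseded systemd-logind hidepid drop-in
  file:
    state: absent
    path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"

# … unchanged: directory and drop-in tasks looping over global_proc_hidepid_service_whitelist …
```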