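---
# Hide the process list of other users from everyone except root (hidepid).
# Source: https://wiki.archlinux.org/index.php/Security#hidepid
#
# NOTE(review): these tasks only write configuration. No remount of /proc,
# systemd daemon-reload or systemd-logind restart is visible in this file, so
# the settings presumably take effect at the next boot -- confirm against the
# role's handlers.

# Members of this group are exempted from hidepid through the gid= mount
# option set below, so membership should stay limited to accounts that
# need to see every process.
- name: Configure group for reading other processes
  group:
    state: present
    name: proc
    system: true

# Replaces an existing /proc entry (matched by regexp) or appends the line
# when fstab has none. hidepid=2 hides the /proc/<pid> entries of processes
# owned by other users; gid=proc lifts that restriction for the proc group.
- name: Configure proc mounting in fstab
  lineinfile:
    path: "{{ global_fstab_file }}"
    regexp: '^\S+\s+/proc\s+proc\s+'
    line: >-
      proc /proc proc
      nosuid,nodev,noexec,hidepid=2,gid=proc
      0 0

# Drop-in directory for the logind unit, writable by root only.
# NOTE(review): the path assumes global_systemd_login_service_name already
# carries the unit suffix (e.g. "systemd-logind.service") -- confirm.
- name: Ensure configuration directory for systemd-logind service exists
  file:
    state: directory
    path: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d"
    owner: root
    group: root
    mode: 'u=rwx,g=rx,o=rx'

# Adds proc as a supplementary group of systemd-logind so the service keeps
# access to other users' /proc entries once hidepid is active (see the wiki
# section referenced at the top of this file).
- name: Configure systemd-logind to adapt to hidepid setting
  copy:
    content: |
      [Service]
      SupplementaryGroups=proc
    dest: "{{ global_systemd_configuration_directory }}/{{ global_systemd_login_service_name }}.d/hidepid.conf"
    owner: root
    group: root
    mode: 'u=rw,g=r,o=r'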