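---
# Protect the process list from users other than root by mounting /proc with
# hidepid=2 and gid=proc: only root and members of the `proc` group can see
# processes that belong to other users.
# Source: https://wiki.archlinux.org/index.php/Security#hidepid

- name: Configure group for reading other processes
  group:
    state: present
    name: proc
    # Canonical boolean; `yes` is a YAML 1.1 truthy alias that some parsers keep as a string.
    system: true

- name: Configure proc mounting in fstab
  lineinfile:
    path: "{{ global_fstab_file }}"
    # Match any existing /proc entry so the hidepid options replace it instead of
    # being appended as a duplicate mount line.
    regexp: '^\S+\s+/proc\s+proc\s+'
    line: >-
      proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
  # NOTE(review): lineinfile only edits fstab; nothing in this file remounts /proc,
  # so the hidepid restriction only applies after the next remount or reboot —
  # confirm a remount handler exists elsewhere in the role.

- name: Ensure configuration directory for whitelisted services exist
  file:
    state: directory
    path: "{{ global_systemd_configuration_directory }}/{{ item }}.d"
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
  loop: "{{ global_proc_hidepid_service_whitelist }}"

# Each whitelisted unit gets the `proc` supplementary group via a drop-in so it
# keeps read access to other users' processes under hidepid=2.
- name: Configure whitelisted services to adapt to hidepid setting
  copy:
    content: |
      [Service]
      SupplementaryGroups=proc
    dest: "{{ global_systemd_configuration_directory }}/{{ item }}.d/proc_hidepid_whitelist.conf"
    owner: root
    group: root
    mode: u=rw,g=r,o=r
  loop: "{{ global_proc_hidepid_service_whitelist }}"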