From 902cc8536e54b242531022bbd5cf41ae1e3d518c Mon Sep 17 00:00:00 2001
From: danielkubat
Date: Sat, 12 Dec 2020 02:11:30 +0100
Subject: [PATCH] Use template to generate modprobe settings
---
 ansible/playbooks/tasks/harden.yml | 11 ++++-------
 .../playbooks/templates/etc/modprobe.d/cis.conf.j2 | 4 ++++
 2 files changed, 8 insertions(+), 7 deletions(-)
 create mode 100644 ansible/playbooks/templates/etc/modprobe.d/cis.conf.j2
diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml
index c36b1e4..5f1cc37 100644
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
@@ -207,15 +207,12 @@
 - efi
 - name: disable unused filesystems
- lineinfile:
+ template:
+ src: "etc/modprobe.d/cis.conf.j2"
 dest: "/etc/modprobe.d/cis.conf"
- owner: root
- group: root
+ owner: 'root'
+ group: 'root'
 mode: '0644'
- line: "install {{ item }} /bin/true"
- state: present
- create: true
- with_items: "{{ modprobe_unused_filesystems }}"
 tags:
 - harden
diff --git a/ansible/playbooks/templates/etc/modprobe.d/cis.conf.j2 b/ansible/playbooks/templates/etc/modprobe.d/cis.conf.j2
new file mode 100644
index 0000000..55dddfa
--- /dev/null
+++ b/ansible/playbooks/templates/etc/modprobe.d/cis.conf.j2
@@ -0,0 +1,4 @@
+# Generated by Ansible
+{% for fs in modprobe_unused_filesystems %}
+install {{ fs }} /bin/true
+{% endfor %}
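Review bot: Switching the "disable unused filesystems" task from `lineinfile` to `template` makes it overwrite the whole of `/etc/modprobe.d/cis.conf` instead of appending lines, so any `install` or `blacklist` entries put there by another task or by hand would be dropped on the next run. Nothing in the hunk shows whether other tasks in harden.yml write to the same path, so that is worth checking before merging. Adding `backup: true` to the task would keep the previous file for comparison, and a comment such as `# cis.conf is fully managed by this template; add modules via modprobe_unused_filesystems` would make the ownership explicit. The task list continues outside the hunk.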
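Review bot: `install {{ fs }} /bin/true` writes each list element verbatim into a root-owned modprobe config, where the text after the module name is the command modprobe runs in place of loading the module. An element containing whitespace or a newline would therefore change that command or add further directives. If `modprobe_unused_filesystems` can be overridden from inventory or extra vars (not visible here), an `assert` before the template task that every element matches `^[A-Za-z0-9_-]+$` would fail the play instead of rendering a malformed file. The fixed header could also become `# {{ ansible_managed }}` so the deployed file points back to its template.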