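---
# Mount-option hardening for /tmp, /run and /proc through /etc/fstab.
# Every lineinfile task below matches the existing entry for the mount
# point by regexp and replaces it, so repeated runs do not append
# duplicate fstab lines. File modes are quoted as strings so that YAML
# does not reinterpret the leading-zero octal before Ansible sees it.

# pyenv, doom (cli of Doom Emacs), ... need exec inside /tmp
- name: fstab | Harden mount options for /tmp
  lineinfile:
    path: /etc/fstab
    state: present
    regexp: '^tmpfs[ \t]+/tmp[ \t]+tmpfs'
    line: 'tmpfs /tmp tmpfs rw,nosuid,nodev,size=4G,mode=1777 0 0'
    owner: root
    group: root
    mode: '0644'

# /run is mounted with exec by default
- name: fstab | Harden mount options for /run
  lineinfile:
    path: /etc/fstab
    state: present
    regexp: '^tmpfs[ \t]+/run[ \t]+tmpfs'
    line: 'tmpfs /run tmpfs rw,nosuid,nodev,noexec,size=1G,mode=0755 0 0'
    owner: root
    group: root
    mode: '0644'

# polkit daemon obviously needs access to /proc to work
# Note: Add the normal user to polkitd group afterward
- block:
    # Busybox's mount doesn't interpret group name in GID, so check it
    # wheel group on Alpine by default has GID=10
    - name: fstab | Check GID of group {{ proc_group }}
      shell: getent group {{ proc_group }} | awk -F':' '{print $3}'
      register: proc_gid
      # Read-only lookup: never report "changed", and still execute in
      # check mode so proc_gid.stdout exists for the fstab task below.
      changed_when: false
      check_mode: false
      # An unknown group would otherwise write an empty "gid=" into
      # fstab and /proc would fail to mount at the next boot.
      failed_when: proc_gid.stdout | trim | length == 0

    - name: fstab | Restrict read access on /proc for {{ proc_group }} group
      lineinfile:
        path: /etc/fstab
        state: present
        regexp: '^proc[ \t]+/proc[ \t]+proc'
        line: 'proc /proc proc rw,nosuid,nodev,noexec,hidepid=2,gid={{ proc_gid.stdout }} 0 0'
        owner: root
        group: root
        mode: '0644'
  vars:
    # Either "polkitd" or "wheel"; the value is chosen here, not from
    # external input, so it is safe to interpolate into the shell task.
    proc_group: '{{ use_polkit | ternary("polkitd", "wheel") }}'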