update..

2023-05-04 10:49:24 +02:00 · 2023-05-04 10:49:24 +02:00 · 5eab9a63c8
commit 5eab9a63c8
parent d604f3508e
3 changed files with 51 additions and 2 deletions
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@ -44,6 +44,16 @@ locales:
  - en_US.UTF-8
  - de_DE.UTF-8

+#copy_plain_files_security_limits: []
+copy_plain_files_security_limits:
+
+  # /etc/security/limits.d/*.conf
+  #
+  - name: 90-user-NOFILE.conf
+    src_path: etc/security/limits.d/90-user-NOFILE.conf
+    dest_path: /etc/security/limits.d/90-user-NOFILE.conf
+
+
 #copy_plain_files_systemd: []
 copy_plain_files_systemd:

--- a/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
+++ b/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
@ -0,0 +1,3 @@
+
+@staff  hard    nofile  1048576
+root    hard    nofile  1048576
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
@ -27,6 +27,42 @@
    - symlink-sh


+# ----------
+# security limit (maybe DEPRECATED see systemd settings)
+# ----------
+
+- name: (basic.yml) Ensure directory '/etc/security/limits.d' exists
+  file:
+    path: /etc/security/limits.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
+  when: 
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
+    - copy_plain_files_systemd is defined
+    - copy_plain_files_systemd|length > 0
+  tags:
+    - systemd-config
+
+- name: (basic.yml) Ensure files /etc/security/limits.d/*.conf exists
+  copy:
+    src: '{{ item.src_path }}'
+    dest: '{{ item.dest_path }}'
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ copy_plain_files_security_limits }}"
+  loop_control:
+    label: 'dest: {{ item.name }}'
+  when: 
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
+    - copy_plain_files_systemd is defined
+    - copy_plain_files_systemd|length > 0
+  tags:
+    - systemd-config
+
+
 # ----------
 # systemd stuff
 # ----------
@ -39,7 +75,7 @@
    group: root
    owner: root
  when: 
-    - inventory_hostname not in groups['lxc_guest']
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
    - copy_plain_files_systemd is defined
    - copy_plain_files_systemd|length > 0
  tags:
@ -56,7 +92,7 @@
  loop_control:
    label: 'dest: {{ item.name }}'
  when: 
-    - inventory_hostname not in groups['lxc_guest']
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
    - copy_plain_files_systemd is defined
    - copy_plain_files_systemd|length > 0
  tags: