From 5eab9a63c87a75a7ed0a7e14f02af8b7c510d6ea Mon Sep 17 00:00:00 2001
From: Christoph
Date: Thu, 4 May 2023 10:49:24 +0200
Subject: [PATCH] update..
---
 group_vars/all/main.yml | 10 +++++
 .../etc/security/limits.d/90-user-NOFILE.conf | 3 ++
 roles/common/tasks/basic.yml | 40 ++++++++++++++++++-
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 0fb2c26..c209865 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -44,6 +44,16 @@ locales:
   - en_US.UTF-8
   - de_DE.UTF-8
+#copy_plain_files_security_limits: []
+copy_plain_files_security_limits:
+
+  # /etc/security/limits.d/*.conf
+  #
+  - name: 90-user-NOFILE.conf
+    src_path: etc/security/limits.d/90-user-NOFILE.conf
+    dest_path: /etc/security/limits.d/90-user-NOFILE.conf
+
+
 #copy_plain_files_systemd: []
 copy_plain_files_systemd:
diff --git a/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf b/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
new file mode 100644
index 0000000..1249029
--- /dev/null
+++ b/roles/common/files/etc/security/limits.d/90-user-NOFILE.conf
@@ -0,0 +1,3 @@
+
+@staff hard nofile 1048576
+root hard nofile 1048576
diff --git a/roles/common/tasks/basic.yml b/roles/common/tasks/basic.yml
index 377b6be..86a5856 100644
--- a/roles/common/tasks/basic.yml
+++ b/roles/common/tasks/basic.yml
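Review bot: The new limits file only raises the `hard` nofile ceiling for `@staff` and `root`; with no matching `soft` line the effective limit of a PAM login session stays at the soft default and every process has to lift it itself with `ulimit -n`, so anyone expecting 1048576 out of the box will not get it — add `@staff soft nofile 1048576` / `root soft nofile 1048576` if that is the intent, or document that only the ceiling is raised. The file also has no header stating its scope; since pam_limits applies to PAM sessions only and not to systemd units (which the basic.yml comment "maybe DEPRECATED see systemd settings" seems to allude to), a leading comment such as `# Managed by Ansible (roles/common). Applies to PAM sessions only; systemd units use LimitNOFILE= instead.` would save the next reader the investigation. The leading empty line in the file is harmless but can be dropped.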
@@ -27,6 +27,42 @@
     - symlink-sh
+# ----------
+# security limit (maybe DEPRECATED see systemd settings)
+# ----------
+
+- name: (basic.yml) Ensure directory '/etc/security/limits.d' exists
+  file:
+    path: /etc/security/limits.d
+    state: directory
+    mode: 0755
+    group: root
+    owner: root
+  when:
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
+    - copy_plain_files_systemd is defined
+    - copy_plain_files_systemd|length > 0
+  tags:
+    - systemd-config
+
+- name: (basic.yml) Ensure files /etc/security/limits.d/*.conf exists
+  copy:
+    src: '{{ item.src_path }}'
+    dest: '{{ item.dest_path }}'
+    owner: root
+    group: root
+    mode: '0644'
+  loop: "{{ copy_plain_files_security_limits }}"
+  loop_control:
+    label: 'dest: {{ item.name }}'
+  when:
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
+    - copy_plain_files_systemd is defined
+    - copy_plain_files_systemd|length > 0
+  tags:
+    - systemd-config
+
+
 # ----------
 # systemd stuff
 # ----------
@@ -39,7 +75,7 @@
     group: root
     owner: root
   when:
-    - inventory_hostname not in groups['lxc_guest']
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
     - copy_plain_files_systemd is defined
     - copy_plain_files_systemd|length > 0
   tags:
@@ -56,7 +92,7 @@
   loop_control:
     label: 'dest: {{ item.name }}'
   when:
-    - inventory_hostname not in groups['lxc_guest']
+    - inventory_hostname not in groups['lxc_guest'] or inventory_hostname in groups['lxc_host']
    - copy_plain_files_systemd is defined
     - copy_plain_files_systemd|length > 0
   tags:
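Review bot: Both new security-limits tasks are gated on `copy_plain_files_systemd is defined` / `copy_plain_files_systemd|length > 0` although they consume `copy_plain_files_security_limits`, so the limits files are skipped whenever the systemd list happens to be empty and the loop runs whenever it is non-empty regardless of the limits list; the two `when` entries should read `- copy_plain_files_security_limits is defined` and `- copy_plain_files_security_limits|length > 0`. The added `or inventory_hostname in groups['lxc_host']` clause, here and in the two hunks at -39 and -56, raises an undefined-variable error on any inventory that defines no `lxc_host` group at all; `groups.get('lxc_host', [])` keeps the same semantics without that failure mode. The directory task writes `mode: 0755` as an unquoted octal while the copy task right below it uses `mode: '0644'`; quoting it as `'0755'` keeps the role's modes consistent and independent of the YAML parser's octal handling. The `systemd-config` tag on these tasks looks carried over from the systemd block; a dedicated tag (e.g. `security-limits`) would let them be run or skipped on their own, though that may be intentional.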