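---
# CIS 1.1.2.1.x — /tmp partition controls.
# 1.1.2.1.1 only warns when /tmp is not its own mount; 1.1.2.1.2-4 harden the
# mount options either through fstab (ansible.posix.mount) or through a
# systemd tmp.mount unit, selected by rhel9cis_tmp_svc.

# Warning-only task (debug + warning_facts.yml), hence the audit tag:
# creating a separate partition is left as a manual action.
- name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition"
  when:
    - required_mount not in mount_names
    - rhel9cis_rule_1_1_2_1_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - mounts
    - rule_1.1.2.1.1
    - NIST800-53R5_CM-7
  vars:
    warn_control_id: '1.1.2.1.1'
    required_mount: '/tmp'
  block:
    - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent"
      ansible.builtin.debug:
        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"

    - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present"
      ansible.builtin.import_tasks:
        file: warning_facts.yml

# via fstab
# Rule-to-option mapping used throughout this file:
#   1.1.2.1.2 -> nodev, 1.1.2.1.3 -> nosuid, 1.1.2.1.4 -> noexec
- name: |
    "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
    "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
    "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
  ansible.posix.mount:
    name: /tmp
    src: "{{ item.device }}"
    fstype: "{{ item.fstype }}"
    state: present
    # Keep the existing options and append each hardening flag only when it is
    # missing and its rule is enabled, so the entry is never duplicated.
    opts: "{{ item.options }}{% if ('nodev' not in item.options and rhel9cis_rule_1_1_2_1_2) %},nodev{% endif %}{% if ('nosuid' not in item.options and rhel9cis_rule_1_1_2_1_3) %},nosuid{% endif %}{% if ('noexec' not in item.options and rhel9cis_rule_1_1_2_1_4) %},noexec{% endif %}"
  notify: Remount tmp
  # Iterates every gathered mount; the when clause narrows it to /tmp.
  loop: "{{ ansible_facts.mounts }}"
  loop_control:
    label: "{{ item.device }}"
  when:
    - item.mount == "/tmp"
    - not rhel9cis_tmp_svc
    - rhel9cis_rule_1_1_2_1_2 or rhel9cis_rule_1_1_2_1_3 or rhel9cis_rule_1_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.2
    - rule_1.1.2.1.3
    - rule_1.1.2.1.4
    - NIST800-53R5_CM-7
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2

# via systemd
# Task name aligned with the fstab task and the rule variables above
# (1.1.2.1.3 is nosuid, 1.1.2.1.4 is noexec).
- name: |
    "1.1.2.1.1 | PATCH | Ensure /tmp is configured"
    "1.1.2.1.2 | PATCH | Ensure nodev option set on /tmp partition"
    "1.1.2.1.3 | PATCH | Ensure nosuid option set on /tmp partition"
    "1.1.2.1.4 | PATCH | Ensure noexec option set on /tmp partition"
  when:
    - rhel9cis_tmp_svc
    - rhel9cis_rule_1_1_2_1_1 or rhel9cis_rule_1_1_2_1_2 or rhel9cis_rule_1_1_2_1_3 or rhel9cis_rule_1_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - mounts
    - rule_1.1.2.1.1
    - rule_1.1.2.1.2
    - rule_1.1.2.1.3
    - rule_1.1.2.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.template:
    src: etc/systemd/system/tmp.mount.j2
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
    # Symbolic mode: strips write and execute from group and others.
    mode: 'go-wx'
  notify: Systemd restart tmp.mount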