Merge pull request #794 from konstruktoid/tmp

let `manage_mounts` handle /tmp

Author: konstruktoid

README.md

@@ -621,8 +621,8 @@ process_group: root
 If `manage_mounts: true`, `/proc` will be mounted with the
 `nosuid,nodev,noexec,hidepid` options,
 `/dev/shm` will be mounted with the `nosuid,nodev,noexec` options and `/tmp`
-will be mounted with the `nosuid,nodev,noexec` options using the available
-template.
+will be mounted as `tmpfs` with the `nosuid,nodev,noexec` options using the
+available template.
 
 `hide_pid` sets `/proc/<pid>/` access mode.
 

tasks/fstab.yml

@@ -1,10 +1,4 @@
 ---
-- name: Remove /tmp from fstab
-  become: true
-  ansible.posix.mount:
-    path: /tmp
-    state: absent
-
 - name: Remove floppy from fstab
   become: true
   ansible.builtin.lineinfile:

tasks/mount.yml

@@ -24,35 +24,40 @@
   when:
     - dev_shm.stat.exists
 
-- name: Add systemd tmp.mount
+- name: Configure /tmp mount
   become: true
-  ansible.builtin.template:
-    src: "{{ tmp_mount_template }}"
-    dest: /etc/systemd/system/tmp.mount
-    backup: true
-    mode: "0644"
-    owner: root
-    group: root
+  block:
+    - name: Add systemd tmp.mount
+      ansible.builtin.template:
+        src: "{{ tmp_mount_template }}"
+        dest: /etc/systemd/system/tmp.mount
+        backup: true
+        mode: "0644"
+        owner: root
+        group: root
 
-- name: Stat tmp.mount
-  ansible.builtin.stat:
-    path: /etc/systemd/system/tmp.mount
-  register: tmp_mount
+    - name: Stat tmp.mount
+      ansible.builtin.stat:
+        path: /etc/systemd/system/tmp.mount
+      register: tmp_mount
 
 - name: Unmask and start tmp.mount
   become: true
   when:
     - tmp_mount.stat.exists
     - ansible_virtualization_type not in ["container", "docker", "podman"]
   block:
+    - name: Remove /tmp from fstab
+      ansible.posix.mount:
+        path: /tmp
+        state: absent
+
     - name: Unmask tmp.mount
-      become: true
       ansible.builtin.systemd:
         name: tmp.mount
         masked: false
 
     - name: Start tmp.mount
-      become: true
       ansible.builtin.systemd:
         name: tmp.mount
         daemon_reload: true