portfolio/infra-run/ansible/roles/cis-debian-ubuntu-hardening/tasks/sysctl.yml

---
- name: Apply CIS-inspired sysctl settings
  ansible.posix.sysctl:
    name: "{{ item.key }}"
    value: "{{ item.value }}"
    sysctl_file: "{{ cis_sysctl_config_file }}"
    state: present
    reload: true
  loop: "{{ cis_sysctl_settings | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  when: not cis_container_detected | default(false) | bool

- name: Report skipped sysctl hardening inside containers
  ansible.builtin.debug:
    msg: "WARNING: Sysctl hardening skipped because a containerized environment was detected."
  when: cis_container_detected | default(false) | bool