From 597651c526fca39677a2c1288c5d8f2df55614b1 Mon Sep 17 00:00:00 2001
From: RageLtMan
Date: Fri, 8 May 2026 10:50:07 -0400
Subject: [PATCH] Blacklist modules via ansible
---
blacklist_mods.yml | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 blacklist_mods.yml
diff --git a/blacklist_mods.yml b/blacklist_mods.yml
new file mode 100644
index 0000000..a1a12d1
--- /dev/null
+++ b/blacklist_mods.yml
@@ -0,0 +1,37 @@
+- name: Blacklist kernel modules
+ hosts: all
+ become: yes
+ gather_facts: no
+
+ vars:
+ modules_to_blacklist:
+ # DirtyFrag
+ - esp4
+ - esp6
+ - rxrpc
+
+ tasks:
+ - name: Ensure blacklist directory exists
+ file:
+ path: /etc/modprobe.d
+ state: directory
+ mode: '0755'
+
+ - name: Check if module is currently loaded
+ shell: "lsmod | grep -qw '{{ item }}'"
+ loop: "{{ modules_to_blacklist }}"
+ register: lsmod_check
+ changed_when: false
+ # If rc is 0, the module is loaded -> Fail the task
+ failed_when: lsmod_check.rc == 0
+
+ - name: Blacklist kernel modules
+ # Only executes if the previous task succeeded (meaning module was NOT loaded)
+ lineinfile:
+ path: /etc/modprobe.d/blacklist.conf
+ line: "blacklist {{ item }}"
+ create: yes
+ mode: '0644'
+ state: present
+ loop: "{{ modules_to_blacklist }}"
+
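Review bot: In "Check if module is currently loaded", `failed_when: lsmod_check.rc == 0` fails the whole host as soon as any one of the three modules is loaded, so the "Blacklist kernel modules" task never runs there and even the modules that are not loaded get no entry. The hosts left without the mitigation are therefore the ones where a listed module is live, and the only trace is a failed task. I would let rc 1 pass, write the entry per item for modules that are not loaded, and fail at the end with the list of modules that still need a manual decision, as sketched below. Separately, a `blacklist` line only suppresses alias-based autoloading; an explicit `modprobe` or a dependent module can still pull the module in, so if the goal is to keep these modules out of the kernel, a second entry such as `install {{ item.item }} /bin/false` is likely needed as well.

```yaml
# … unchanged: play header, vars, "Ensure blacklist directory exists" …

    - name: Check if module is currently loaded
      shell: "lsmod | grep -qw '{{ item }}'"
      loop: "{{ modules_to_blacklist }}"
      register: lsmod_check
      changed_when: false
      # rc 0 = loaded, rc 1 = not loaded; anything else is a real error
      failed_when: lsmod_check.rc > 1

    - name: Blacklist kernel modules that are not loaded
      lineinfile:
        path: /etc/modprobe.d/blacklist.conf
        line: "blacklist {{ item.item }}"
        create: true
        mode: '0644'
        state: present
      loop: "{{ lsmod_check.results }}"
      when: item.rc == 1

    - name: Report modules that are loaded and were left untouched
      fail:
        msg: >-
          Loaded, not blacklisted:
          {{ lsmod_check.results | selectattr('rc', 'equalto', 0)
             | map(attribute='item') | list }}
      when: lsmod_check.results | selectattr('rc', 'equalto', 0) | list | length > 0
```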