optionally enable unprivileged containers for non-root users

This is enabled by default in the vanilla kernel and disabled by default
in the hardened kernel.

group_vars/all

@@ -312,4 +312,7 @@ units:
 pkgfile:
     run_on: trusted
 
+hardened:
+    enable_namespaces: true
+
 kernel_parameters: "quiet consoleblank=60 i915.enable_psr=2"

roles/hardened/files/99-userns.conf

@@ -0,0 +1 @@
+kernel.unprivileged_userns_clone = 1

roles/hardened/meta/main.yml

@@ -1,3 +1,4 @@
 ---
 dependencies:
   - { role: grub }
+  - { role: sysctl }

roles/hardened/tasks/main.yml

@@ -7,3 +7,11 @@
     state: present
   notify:
     - rebuild grub
+
+- name: Enable unprivileged containers for non-root users
+  copy:
+    src: 99-userns.conf
+    dest: /etc/sysctl.d/99-userns.conf
+  notify:
+    - reload sysctl
+  when: hardened is defined and hardened.enable_namespaces