Add kernel module hardening and Copy Fail (CVE-2026-31431) mitigation

Disable unnecessary kernel modules to reduce attack surface: algif_aead
(Copy Fail), unused filesystems, DMA vectors, unused network protocols,
and USB storage. Rebuild initramfs on change to apply at boot.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

playbook.yml

@@ -59,6 +59,44 @@
           - ttyd
         state: present
 
+    # --- Kernel module hardening ---
+
+    - name: Disable unnecessary and vulnerable kernel modules
+      ansible.builtin.copy:
+        dest: /etc/modprobe.d/hardening.conf
+        mode: '0644'
+        content: |
+          # CVE-2026-31431 (Copy Fail) - AF_ALG AEAD privilege escalation
+          install algif_aead /bin/false
+
+          # Unused filesystems
+          install cramfs /bin/false
+          install freevxfs /bin/false
+          install jffs2 /bin/false
+          install hfs /bin/false
+          install hfsplus /bin/false
+          install squashfs /bin/false
+          install udf /bin/false
+
+          # DMA attack vectors (firewire / thunderbolt)
+          install firewire-core /bin/false
+          install thunderbolt /bin/false
+
+          # Unused network protocols
+          install dccp /bin/false
+          install sctp /bin/false
+          install rds /bin/false
+          install tipc /bin/false
+
+          # USB storage (not needed on headless server)
+          install usb-storage /bin/false
+      notify: update initramfs
+
+    - name: Unload algif_aead module if currently loaded
+      ansible.builtin.shell:
+        cmd: rmmod algif_aead 2>/dev/null || true
+      changed_when: false
+
     # --- Server hardening ---
 
     - name: Install security packages
@@ -575,3 +613,7 @@
       ansible.builtin.service:
         name: ssh
         state: restarted
+
+    - name: update initramfs
+      ansible.builtin.command:
+        cmd: update-initramfs -u