diff --git a/basic-system/defaults/main.yml b/basic-system/defaults/main.yml
index a3ccba2c1d6bc5778efb3bfba4a2b7c1c1b0fae6..0b0bcf21855d346610fcdbb07a3323b2edd557d1 100644
--- a/basic-system/defaults/main.yml
+++ b/basic-system/defaults/main.yml
@@ -10,3 +10,8 @@ journal_persistent_with_package: true
 logrotate_period: 'daily'  # 'weekly' is newer default
 logrotate_backlogs: 7  # default is 7 for daily, 4 for weekly
 common_sysctl_file: '/etc/sysctl.conf'
+tmp_mount_options:
+  - rw
+  - nosuid
+  - nodev
+  - noexec
diff --git a/basic-system/tasks/main.yml b/basic-system/tasks/main.yml
index f369c6e9f5febd9edcba5ea130b15e60b0150a13..9f0ece02a89756e14a1ca32931b8cc60113b6e94 100644
--- a/basic-system/tasks/main.yml
+++ b/basic-system/tasks/main.yml
@@ -5,7 +5,7 @@
     name: /tmp
     src: tmpfs
     fstype: tmpfs
-    opts: nosuid,rw,noexec
+    opts: "{{ tmp_mount_options|join(',') }}"
     state: mounted
   tags:
     - mount