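---
# CIS L1 names legacy cleartext clients (telnet) for removal. They are absent on
# a fresh minimal install; query first and remove only when present so the run
# stays idempotent (a chroot package-manager remove cannot use the package module).
#
# Both tasks use ansible.builtin.command rather than shell: the rendered string is
# split into argv without a shell, so nothing in cis_cfg.insecure_packages or
# chroot_command is subject to shell metacharacter interpretation.

- name: Check for insecure cleartext clients
  when: cis_strict | default(false)
  # Read-only query: run it under --check too, so the removal task below sees
  # real results instead of skipped items without an rc.
  check_mode: false
  ansible.builtin.command: >-
    {{ chroot_command }}
    {{ 'dpkg -s' if is_debian | bool else 'pacman -Q' if os == 'archlinux' else 'rpm -q' }}
    {{ item }}
  loop: "{{ cis_cfg.insecure_packages }}"
  register: cis_insecure_present
  changed_when: false
  # Non-zero rc is the normal "not installed" answer. Note that failed_when: false
  # also masks genuine package-manager errors (broken database, missing binary in
  # the chroot): those read as "absent" and the removal is skipped silently.
  failed_when: false
  loop_control:
    label: "{{ item }}"

- name: Remove insecure cleartext clients (CIS L1+)
  when:
    - cis_strict | default(false)
    # Items from a skipped query carry no rc at all; treat them as absent
    # rather than erroring on an undefined attribute.
    - item.rc | default(1) == 0
    # dpkg -s also exits 0 for a package that was removed but left its config
    # files behind ("deinstall ok config-files"), which would make apt-get remove
    # report a change on every run. Only a Status of "... ok installed" counts.
    - "not (is_debian | bool) or 'install ok installed' in (item.stdout | default(''))"
  ansible.builtin.command: >-
    {{ chroot_command }}
    {{ 'apt-get remove -y' if is_debian | bool else 'pacman -R --noconfirm' if os == 'archlinux' else 'dnf remove -y' }}
    {{ item.item }}
  loop: "{{ cis_insecure_present.results | default([]) }}"
  # Only reached for packages the query found installed, so a run that gets
  # here really did change the system.
  changed_when: true
  loop_control:
    label: "{{ item.item }}"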