---
- name: Ensure the Default UMASK is Set Correctly
  ansible.builtin.lineinfile:
    path: "/mnt/etc/profile"
    regexp: "^(\\s*)umask\\s+\\d+"
    line: "umask 027"

# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
- name: Prevent Login to Accounts With Empty Password
  ansible.builtin.replace:
    dest: "{{ item }}"
    regexp: "\\s*nullok"
    replace: ""
  loop: >-
    {{
      ['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth']
      if is_rhel | bool
      else (
        ['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password']
        if is_debian | bool
        else []
      )
    }}