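---
# Opt-in only: a GRUB superuser password blocks unattended menu edits.
# NOTE(review): whether the default entry still boots without a prompt depends on
# the distro's 10_linux emitting `--unrestricted` on its menuentries; confirm on
# each target family before enabling this rule, or every boot will wait for a password.

# Fail early with an actionable message. default('') makes a missing
# grub_password_hash key behave like an empty one, so the operator sees fail_msg
# instead of an undefined-variable error from the assert itself.
- name: Assert a GRUB password hash is supplied
  when: cis_effective_rules.grub_password | default(false)
  ansible.builtin.assert:
    that: (cis_cfg.grub_password_hash | default('')) | length > 0
    fail_msg: >-
      system.features.cis.rules.grub_password is enabled but
      system.features.cis.params.grub_password_hash is empty.
      Generate one with grub2-mkpasswd-pbkdf2 and set it there.
    quiet: true

# The snippet is written into the target's /etc/grub.d so grub-mkconfig embeds it
# in grub.cfg. The heredoc delimiter is quoted: nothing inside is shell-expanded,
# the {{ }} is rendered by Ansible at copy time.
# Mode is root-only: grub-mkconfig runs as root and only needs an execute bit it
# can use; 0755 would leave the PBKDF2 hash readable to every local user for
# offline guessing.
- name: Deploy the GRUB superuser password
  when: cis_effective_rules.grub_password | default(false)
  ansible.builtin.copy:
    dest: /mnt/etc/grub.d/01_cis_password
    mode: "0700"
    content: |
      #!/bin/sh
      cat <<'EOF'
      set superusers="root"
      password_pbkdf2 root {{ cis_cfg.grub_password_hash }}
      EOF

# Runs inside the chroot; binary name and output path differ between the RHEL and
# Debian families. The command module fails the play on a non-zero rc, so
# changed_when reports changed on every successful run.
# NOTE(review): the regenerated grub.cfg now embeds the hash; its mode on the
# target is not enforced here — confirm it is root-only.
- name: Regenerate the GRUB configuration
  when: cis_effective_rules.grub_password | default(false)
  ansible.builtin.command: >-
    {{ chroot_command }}
    {{ 'grub2-mkconfig -o /boot/grub2/grub.cfg' if is_rhel | bool else 'grub-mkconfig -o /boot/grub/grub.cfg' }}
  register: cis_grub_regen
  changed_when: cis_grub_regen.rc == 0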