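---
# CIS umask / empty-password hardening. Files are edited under the target root
# mounted at /mnt; commands that must run against that root go through
# `chroot_command`. Each rule is gated on cis_effective_rules.<rule>, with
# `| default(false)` so an undefined rule key skips rather than errors.

# An existing /etc/profile may set umask in more than one place (for example
# a per-UID if/else block). lineinfile only rewrites the *last* match, which
# would leave the more permissive branch untouched, so every existing umask
# line is rewritten first (indentation preserved via the \1 backreference).
- name: Ensure the Default UMASK is Set Correctly (rewrite existing umask lines)
  when: cis_effective_rules.umask_default | default(false)
  ansible.builtin.replace:
    path: /mnt/etc/profile
    regexp: '^(\s*)umask\s+\d+'
    replace: '\1umask {{ cis_cfg.umask_profile }}'

# Ensures a file-wide default exists at all (e.g. Debian's /etc/profile ships
# without one). Only an unindented line counts; an indented setting inside a
# conditional block is not a file-wide default, so a trailing line is appended.
- name: Ensure the Default UMASK is Set Correctly (present at least once)
  when: cis_effective_rules.umask_default | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/profile
    regexp: '^umask\s+\d+'
    line: "umask {{ cis_cfg.umask_profile }}"

# login.defs UMASK is the default for tools that do not read the shell
# profile; only applied in strict mode. The regexp also matches a commented-out
# `# UMASK` line so the stock template line is replaced rather than duplicated.
- name: Set the login.defs UMASK (CIS L1+)
  when:
    - cis_effective_rules.umask_default | default(false)
    - cis_strict | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/login.defs
    regexp: '^\s*#?\s*UMASK\b'
    line: "UMASK\t\t{{ cis_cfg.umask_profile }}"

# authselect regenerates system-auth from the profile, so a direct edit is lost
# on the next apply; without-nullok is the supported way to drop nullok there.
# The current feature list is read first so that enable-feature only runs (and
# only reports "changed") when the feature is not already enabled.
- name: Check whether authselect already has without-nullok enabled
  when:
    - cis_effective_rules.empty_password_login | default(false)
    - is_authselect | bool
  ansible.builtin.command: "{{ chroot_command }} authselect current"
  register: cis_authselect_current
  changed_when: false
  # May exit non-zero when no profile is selected; in that case the
  # enable-feature task below runs and surfaces the real error.
  failed_when: false

- name: Prevent Login to Accounts With Empty Password (authselect)
  when:
    - cis_effective_rules.empty_password_login | default(false)
    - is_authselect | bool
    # default('') covers the skipped-task result, which has no stdout.
    - "'without-nullok' not in cis_authselect_current.stdout | default('')"
  ansible.builtin.command: "{{ chroot_command }} authselect enable-feature without-nullok"

# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
- name: Prevent Login to Accounts With Empty Password
  when:
    - cis_effective_rules.empty_password_login | default(false)
    - not is_authselect | bool
  ansible.builtin.replace:
    path: "{{ item }}"
    # Word-bounded so the option is removed whole and only as a standalone
    # token; also covers the legacy Debian spelling nullok_secure instead of
    # leaving a dangling "_secure" behind on the pam_unix line.
    regexp: '\s*\bnullok(_secure)?\b'
    replace: ''
  loop: >-
    {{ ['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth']
       if is_rhel | bool
       else (
         ['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password']
         if is_debian | bool
         else []
       ) }}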