---
- name: Add Security related lines into config files
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    line: "{{ item.content }}"
  loop:
    - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" }
    - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 }
    - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 }
    - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
    - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
    - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
    - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
    - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=900 }
    - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if os == "fedora" else "etc/systemd/journald.conf" }}', content: Storage=persistent }
    - { path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log" }
    - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
    - path: >-
        /mnt/etc/{{
          "pam.d/common-auth"
          if is_debian | bool
          else "authselect/system-auth"
          if os == "fedora"
          else "pam.d/system-auth"
        }}
      content: >-
        auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
    - path: >-
        /mnt/etc/{{
          "pam.d/common-account"
          if is_debian | bool
          else "authselect/system-auth"
          if os == "fedora"
          else "pam.d/system-auth"
        }}
      content: account required pam_faillock.so
    - path: >-
        /mnt/etc/pam.d/{{
          "common-password"
          if is_debian | bool
          else "passwd"
        }}
      content: >-
        password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
    - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
    - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }