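---
# Password-aging hardening for the target root mounted under /mnt.
# login.defs sets policy for future accounts; existing service accounts are
# intentionally not chage-aged.
#
# Every task in this stanza is gated on cis_effective_rules.password_expiry,
# so the whole file is a no-op when that rule is not enabled.

# Fail early on values that would weaken rather than tighten the control
# (a negative PASS_MAX_DAYS or INACTIVE turns the feature off, and a
# non-numeric value is not a valid setting for either file). The values
# may arrive as ints or strings, hence the "| string" before the match.
- name: Validate password aging values
  when: cis_effective_rules.password_expiry | default(false)
  ansible.builtin.assert:
    that:
      - cis_cfg.pass_max_days | string is match('^[0-9]+$')
      - cis_cfg.pass_min_days | string is match('^[0-9]+$')
      - cis_cfg.pass_warn_age | string is match('^[0-9]+$')
      - cis_cfg.pass_inactive | string is match('^[0-9]+$')
    fail_msg: "cis_cfg password aging values must be non-negative integers"
    quiet: true

# The single-quoted regexp keeps \s and \b literal for the Python regex
# engine; the double-quoted line makes \t a real tab, matching the
# key<TAB>value layout of login.defs. The regexp tolerates leading
# whitespace and a comment marker (same pattern as the INACTIVE task below)
# so a commented-out default is activated in place rather than a duplicate
# directive being appended; lineinfile replaces the last matching line.
- name: Configure password aging defaults
  when: cis_effective_rules.password_expiry | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/login.defs
    regexp: '^\s*#?\s*{{ item.key }}\b'
    line: "{{ item.key }}\t{{ item.value }}"
  loop:
    - {key: PASS_MAX_DAYS, value: "{{ cis_cfg.pass_max_days }}"}
    - {key: PASS_MIN_DAYS, value: "{{ cis_cfg.pass_min_days }}"}
    - {key: PASS_WARN_AGE, value: "{{ cis_cfg.pass_warn_age }}"}
  loop_control:
    label: "{{ item.key }}"

# account_disable_post_pw_expiration: lock accounts INACTIVE days after expiry.
# Like login.defs, this default only applies to accounts created afterwards;
# existing accounts are left untouched.
- name: Set the default account inactivity lock period
  when: cis_effective_rules.password_expiry | default(false)
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/useradd
    regexp: '^\s*#?\s*INACTIVE\s*='
    line: "INACTIVE={{ cis_cfg.pass_inactive }}"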