---
- name: Configure System Cryptography Policy
  when: os in ["almalinux", "rhel9", "rhel10", "rocky"]
  ansible.builtin.command: arch-chroot /mnt /usr/bin/update-crypto-policies --set DEFAULT:NO-SHA1
  register: cis_crypto_policy_result
  changed_when: "'Setting system-wide crypto-policies to' in cis_crypto_policy_result.stdout"

- name: Mask Systemd Services
  ansible.builtin.command: >
    arch-chroot /mnt systemctl mask nftables bluetooth rpcbind
  register: cis_mask_services_result
  changed_when: cis_mask_services_result.rc == 0