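---
# CIS-style permission hardening for a target root mounted under /mnt
# (the /mnt/ prefix suggests an installer / image-build context — confirm).
#
# Flow: build the target list (distro-dependent entries), stat each path so
# that files absent on this distro are skipped rather than failing the run,
# then apply the mode to the ones that exist.
#
# Expects `os` (a distro identifier such as "debian11", "rhel9", "rocky")
# to be defined by the caller — TODO confirm where it is set.

- name: Build CIS permission targets
  ansible.builtin.set_fact:
    # Each entry is {path, mode} plus optional owner/group. No entry below
    # sets owner/group, so ownership is NOT enforced by this task list; CIS
    # also expects root:root on these files — add owner/group to the entries
    # if that is in scope for this role.
    #
    # Modes are written as zero-padded octal strings ("0600") so they read
    # the same as the rest of the file and are unambiguous to the file module.
    cis_permission_targets: >-
      {{ [
        { "path": "/mnt/etc/ssh/sshd_config", "mode": "0600" },
        { "path": "/mnt/etc/cron.hourly",     "mode": "0700" },
        { "path": "/mnt/etc/cron.daily",      "mode": "0700" },
        { "path": "/mnt/etc/cron.weekly",     "mode": "0700" },
        { "path": "/mnt/etc/cron.monthly",    "mode": "0700" },
        { "path": "/mnt/etc/cron.d",          "mode": "0700" },
        { "path": "/mnt/etc/crontab",         "mode": "0600" },
        { "path": "/mnt/etc/logrotate.conf",  "mode": "0644" },
        { "path": "/mnt/usr/sbin/pppd",       "mode": "0754" }
          if os not in ["rhel8", "rhel9", "rhel10"] else None,
        { "path": "/mnt/usr/bin/"
                  + ("fusermount3"
                     if os in ["archlinux", "debian12", "fedora", "rhel9", "rhel10", "rocky"]
                     else "fusermount"),
          "mode": "0755" },
        { "path": "/mnt/usr/bin/" + ("write.ul" if os == "debian11" else "write"),
          "mode": "0755" }
      ] | reject("none") }}
    # NOTE(review): a numeric mode is applied exactly, so 0754/0755 on pppd,
    # fusermount(3) and write clears any setuid/setgid bit those binaries
    # normally ship with. Presumably deliberate SUID/SGID reduction — confirm
    # FUSE mounts by unprivileged users are not required on the target.
  changed_when: false

- name: Check CIS permission targets
  ansible.builtin.stat:
    path: "{{ item.path }}"
  loop: "{{ cis_permission_targets }}"
  loop_control:
    label: "{{ item.path }}"
  register: cis_permission_stats
  changed_when: false

- name: Set permissions for existing targets
  ansible.builtin.file:
    path: "{{ item.item.path }}"
    # owner/group are only applied when an entry defines them (none do today).
    owner: "{{ item.item.owner | default(omit) }}"
    group: "{{ item.item.group | default(omit) }}"
    mode: "{{ item.item.mode }}"
  loop: "{{ cis_permission_stats.results }}"
  loop_control:
    label: "{{ item.item.path }}"
  # Paths that do not exist on this distro/target are skipped, not created.
  when: item.stat.exists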