Ansible-Bootstrap/roles/configuration/tasks/banner.yml

---
- name: Configure MOTD
  when: system_cfg.features.banner.motd | bool
  block:
    - name: Create MOTD file
      ansible.builtin.copy:
        content: |
          ********************************************************************
          * AUTHORIZED ACCESS ONLY. ALL ACTIVITIES ARE MONITORED AND LOGGED. *
          ********************************************************************
        dest: /mnt/etc/motd
        mode: "0644"
        owner: root
        group: root

    - name: Remove other MOTD files
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /mnt/etc/motd.d/99-motd
        - /mnt/etc/motd.d/cockpit
        - /mnt/etc/motd.d/insights-client
      failed_when: false

- name: Configure sudo banner
  when: system_cfg.features.banner.sudo | bool
  block:
    - name: Create sudoers banner directory
      ansible.builtin.file:
        path: /mnt/etc/sudoers.d
        state: directory
        mode: "0755"
        owner: root
        group: root

    - name: Create sudo banner file
      ansible.builtin.copy:
        content: |
          I am Groot, and I know what I'm doing.
        dest: /mnt/etc/sudoers.d/banner
        mode: "0644"
        owner: root
        group: root

    - name: Enable sudo banner in sudoers
      ansible.builtin.lineinfile:
        path: /mnt/etc/sudoers
        line: "Defaults lecture=@/etc/sudoers.d/banner"
        state: present
        create: true
        mode: "0440"
        owner: root
        group: root
        validate: "visudo -cf - %s"