# platform = multi_platform_all
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low
- (xccdf-var var_password_pam_{{{ VARIABLE }}})

{{% if 'ol' in families or 'rhel' in product %}}
- name: {{{ rule_title }}} - Find pwquality.conf.d files
  ansible.builtin.find:
    paths: /etc/security/pwquality.conf.d/
    patterns: "*.conf"
  register: pwquality_conf_d_files

- name: {{{ rule_title }}} - Ensure {{{ VARIABLE }}} is not set in pwquality.conf.d
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: '^\s*\b{{{ VARIABLE }}}\b.*'
    state: absent
  with_items: "{{ pwquality_conf_d_files.files }}"
{{% endif %}}

{{% if "ol" in families %}}
{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/system-auth',
                                  'password',
                                  '',
                                  'pam_pwquality.so',
                                  VARIABLE, rule_title=rule_title)
}}}
{{{ ansible_remove_pam_module_option_configuration('/etc/pam.d/password-auth',
                                  'password',
                                  '',
                                  'pam_pwquality.so',
                                  VARIABLE, rule_title=rule_title)
}}}
{{% endif %}}

{{% if "ubuntu" in product %}}
{{{ ansible_pam_pwquality_enable('/usr/share/pam-configs/cac_pwquality', rule_title=rule_title) }}}
{{% endif %}}

{{% if product in ['sle15', 'sle16'] %}}
{{{ ansible_ensure_pam_module_configuration('/etc/pam.d/common-password', 'password', 'requisite', 'pam_pwquality.so', '', '', 'BOF', rule_id=rule_id, rule_title=rule_title) }}}
{{% endif %}}

- name: {{{ rule_title }}} - Ensure PAM variable {{{ VARIABLE }}} is set accordingly
  ansible.builtin.lineinfile:
    create: yes
    dest: "{{{ pwquality_path }}}"
    regexp: '^#?\s*{{{ VARIABLE }}}'
    line: "{{{ VARIABLE }}} = {{ var_password_pam_{{{ VARIABLE }}} }}"