feat: deploy pwpolicy if available

defaults/main.yml

@@ -17,6 +17,10 @@ users_global_umask: "022"
 users_pass_min_day: 1
 users_default_inactive: -1
 
+users_password_pam_retry: 3
+users_password_pam_minlen: 14
+users_password_pam_minclass: 4
+
 users_global_bash_aliases:
   - alias: "ll"
     command: "ls -lh"

tasks/security.yml

@@ -9,6 +9,11 @@
         - /etc/profile
       register: __users_umask_files
 
+    - name: Stat pwquality files
+      stat:
+        path: "/etc/security/pwquality.conf"
+      register: __users_pwquality_file
+
     - name: Set global umask
       replace:
         path: "{{ item }}"
@@ -39,5 +44,14 @@
         line: \g<inactive>{{ users_default_inactive }}
         backrefs: yes
         state: present
+
+    - name: Set pwquality if available
+      template:
+        src: etc/security/pwquality.conf.j2
+        dest: /etc/security/pwquality.conf
+        owner: root
+        group: root
+        mode: 0644
+      when: __users_pwquality_file.stat.exists | bool
   become: True
   become_user: root

templates/etc/profile.d/custom.sh.j2

@@ -1,6 +1,5 @@
 #jinja2:lstrip_blocks: True
 {{ ansible_managed | comment }}
-
 # are we an interactive shell?
 if [ "$PS1" ]; then
   if [[ ${EUID} == 0 ]] ; then

templates/etc/security/pwquality.conf.j2

@@ -0,0 +1,5 @@
+#jinja2:lstrip_blocks: True
+{{ ansible_managed | comment }}
+retry = {{ users_password_pam_retry }}
+minlen = {{ users_password_pam_minlen }}
+minclass = {{ users_password_pam_minclass }}