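---
# Account hardening tasks: global umask, minimum password age, account
# expiry after inactivity, and the pwquality configuration file.
#
# The umask, PASS_MIN_DAYS and INACTIVE values are written verbatim from
# role variables. Define users_global_umask as a quoted string (illustrative
# value: "027"); an unquoted leading-zero number may be parsed as octal.

- name: Stat umask files
  ansible.builtin.stat:
    path: "{{ item }}"
  loop:
    - /etc/bashrc
    - /etc/csh.cshrc
    - /etc/profile
  register: __users_umask_files

- name: Stat pwquality files
  ansible.builtin.stat:
    path: /etc/security/pwquality.conf
  register: __users_pwquality_file

# Only files found by the stat task above are edited. The json_query filter
# comes from the community.general collection and needs jmespath on the
# controller.
- name: Set global umask
  ansible.builtin.replace:
    path: "{{ item }}"
    # Case-insensitive. The named group captures the whitespace before the
    # keyword plus the keyword itself, so only the value is rewritten.
    regexp: '(?i)^(?P<prefix>\s+UMASK\s+).+'
    # \g<name> is used instead of \1 because the value that follows starts
    # with digits, which would otherwise be read as part of the group number.
    replace: '\g<prefix>{{ users_global_umask }}'
  loop: "{{ __users_umask_files | json_query('results[?stat.exists].item') }}"

# The lineinfile tasks below use backrefs: when the regexp matches nothing
# (setting absent or commented out) the file is left unchanged and the task
# reports "ok", so the setting is NOT added.
# NOTE(review): verify the effective values on the host after the run.
- name: Set umask in /etc/login.defs
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^(?P<key>UMASK\s+).+'
    line: '\g<key>{{ users_global_umask }}'
    backrefs: true
    state: present

- name: Enforce minimum password lifetime
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: '^(?P<key>PASS_MIN_DAYS\s+).+'
    line: '\g<key>{{ users_pass_min_day }}'
    backrefs: true
    state: present

- name: Set default account expiration after inactivity
  ansible.builtin.lineinfile:
    path: /etc/default/useradd
    regexp: '^(?P<key>INACTIVE=).+'
    line: '\g<key>{{ users_default_inactive }}'
    backrefs: true
    state: present

# The template is deployed only where pwquality.conf already exists, i.e.
# hosts without that file are skipped rather than given a new one.
- name: Set pwquality if available
  ansible.builtin.template:
    src: etc/security/pwquality.conf.j2
    dest: /etc/security/pwquality.conf
    owner: root
    group: root
    mode: "0644"
  when: __users_pwquality_file.stat.exists | bool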