---
- name: Add pam_tally2.so 
  template:
    src: common-auth.j2
    dest: /etc/pam.d/common-auth
    owner: root
    group: root
    mode: 0644

- name: Create pwquality.conf password complexity configuration
  block:
    - apt:
        name: libpam-pwquality
        state: present
        install_recommends: false
    - template:
        src: pwquality.conf.j2
        dest: /etc/security/pwquality.conf
        owner: root
        group: root
        mode: 0644

- name: Add pam_tally2.so
  block:
    - lineinfile:
        dest: /etc/pam.d/common-account
        regexp: '^account\srequisite'
        line: "account requisite pam_deny.so"

    - lineinfile:
        dest: /etc/pam.d/common-account
        regexp: '^account\srequired'
        line: "account required pam_tally2.so"

- name: password reuse is limited
  lineinfile:
    dest: /etc/pam.d/common-password
    line: "password required pam_pwhistory.so remember=5"

- name: password hashing algorithm is SHA-512
  lineinfile:
    dest: /etc/pam.d/common-password
    regexp: '^password\s+\[success'
    line: "password [success=1 default=ignore] pam_unix.so sha512"

- name: Shadow Password Suite Parameters
  lineinfile:
    dest: /etc/pam.d/common-password
    regexp: '^password\s+\[success'
    line: "password [success=1 default=ignore] pam_unix.so sha512"