---
- name: Set Password Policies on Debian 11
  hosts: all
  become: yes
  tasks:

    - name: Install necessary packages
      apt:
        name:
          - libpam-pwquality
          - cracklib-runtime
        state: present

    - name: Set password quality requirements in PAM
      lineinfile:
        dest: /etc/security/pwquality.conf
        regexp: "^{{ item.regexp }}"
        line: "{{ item.line }}"
        state: present
      loop:
        - { regexp: "^# minlen", line: "minlen = 10" }
        - { regexp: "^# minclass", line: "minclass = 4" }
        - { regexp: "^# maxrepeat", line: "maxrepeat = 3" }
        - { regexp: "^# remember", line: "remember = 6" }
        - { regexp: "^# retry", line: "retry = 3" }
      notify:
        - restart ssh

    - name: Enforce password change every 180 days
      lineinfile:
        dest: /etc/login.defs
        regexp: '^PASS_MAX_DAYS'
        line: 'PASS_MAX_DAYS   180'
        state: present

    - name: Force existing users to comply with new policy upon next login
      command: chage -m 1 -M 180 -W 15 -I 15 {{ item }}
      with_fileglob:
        - /home/*
      loop_control:
        loop_var: item
      when: item is directory
  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted