---
# Configures PAM and SSSD post-ipa client installation. It is recommended that
# that we use a custom authselect profile and build it out from there.
- name: Enterprise Linux 8+ PAM Configuration
  block:
    - name: Ensure Custom Profile is removed
      ansible.builtin.file:
        path: /etc/authselect/custom/sssd-rocky
        state: absent

    - name: Create custom authselect profile based on sssd
      command: >
        /usr/bin/authselect create-profile sssd-rocky
        --base-on sssd
        --symlink-dconf
        --symlink-meta
        --symlink=postlogin
        --symlink=smartcard-auth
        --symlink=fingerprint-auth
      changed_when: false

    - name: Override system-auth and password-auth
      ansible.builtin.copy:
        src: "etc/authselect/custom/sssd-rocky/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}-system-auth"
        dest: "{{ item }}"
        owner: root
        group: root
        mode: '0644'
      loop:
        - /etc/authselect/custom/sssd-rocky/system-auth
        - /etc/authselect/custom/sssd-rocky/password-auth

    - name: Select New Profile
      command: >
        /usr/bin/authselect select custom/sssd-rocky
        without-nullok
        with-faillock
        with-mkhomedir
        with-sudo
        --force
      changed_when: false

    - name: Apply new settings
      command: /usr/bin/authselect apply-changes
      changed_when: false

    - name: Enable oddjobd
      ansible.builtin.service:
        name: oddjobd
        state: started
        enabled: true
  when:
    - ansible_facts['os_family'] == 'RedHat'
    - ansible_facts['distribution_major_version']|int >= '8'
...