---

- name: "1.4.1 | PATCH | Ensure bootloader password is set"
  when:
    - rhel9cis_set_boot_pass
    - rhel9cis_rule_1_4_1
  tags:
    - level1-server
    - level1-workstation
    - grub
    - patch
    - rule_1.4.1
    - NIST800-53R5_AC-3
  ansible.builtin.copy:
    dest: /boot/grub2/user.cfg
    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
    owner: root
    group: root
    mode: 'go-rwx'
  notify: Grub2cfg

- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
  when: rhel9cis_rule_1_4_2
  tags:
    - level1-server
    - level1-workstation
    - grub
    - patch
    - rule_1.4.2
    - NIST800-53R5_AC-3
  block:
    - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
      ansible.builtin.file:
        path: "/boot/grub2/{{ item.path }}"
        owner: root
        group: root
        mode: "{{ item.mode }}"
        state: touch
        modification_time: preserve
        access_time: preserve
      loop:
        - { path: 'grub.cfg', mode: '0700' }
        - { path: 'grubenv', mode: 'go-rwx' }
        - { path: 'user.cfg', mode: 'go-rwx' }