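---
# Root Account Restrictions
#
# Hardening tasks for the root account.
# Inputs (must be defined by the caller; an undefined variable makes the
# `when:` conditions and the status message error out):
#   disable_root_login  - bool, set `PermitRootLogin no` in sshd_config
#   lock_root_account   - bool, lock root's password
# A handler named `restart sshd` must exist in the play.

- name: Disable root SSH login
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    # sshd keywords are case-insensitive; without (?i) a pre-existing
    # `permitrootlogin yes` would be left in place and a second directive
    # appended.
    regexp: '(?i)^PermitRootLogin\b'
    line: 'PermitRootLogin no'
    state: present
    # lineinfile appends at EOF by default; if the file ends with a `Match`
    # block the new line lands inside it and only applies to that block.
    # Insert before the first Match instead (falls back to EOF when there is
    # no Match block), so the directive stays in global scope.
    insertbefore: '^\s*Match\b'
    firstmatch: true
    # Never write a config sshd cannot parse - a failed validation leaves
    # the original file untouched.
    validate: '/usr/sbin/sshd -t -f %s'
  when: disable_root_login
  notify: restart sshd

- name: Verify effective sshd PermitRootLogin value
  # sshd uses the first value it sees for a directive. A drop-in under
  # `Include /etc/ssh/sshd_config.d/*.conf` (common on current distros)
  # that sets PermitRootLogin wins over the line edited above without any
  # error, so check what sshd actually resolves rather than the file text.
  # `sshd -T` reads the on-disk config (it needs root to read host keys),
  # so this is valid before the restart handler runs. Skipped in --check
  # mode, where the edit above has not been applied yet.
  ansible.builtin.command: /usr/sbin/sshd -T
  register: sshd_effective_config
  changed_when: false
  failed_when: "'permitrootlogin no' not in sshd_effective_config.stdout_lines"
  when: disable_root_login

- name: Lock root account
  # Locking the password blocks password logins and password-based `su`,
  # but NOT key-based SSH logins (handled by the sshd task above) or
  # passwordless sudo.
  # NOTE(review): some rescue/emergency boot targets prompt for the root
  # password; confirm another privileged path (sudo, console key) exists
  # before enabling this on a host you cannot reach physically.
  ansible.builtin.user:
    name: root
    password_lock: true
  when: lock_root_account

- name: Ensure root group is GID 0 (CIS 5.4.5)
  ansible.builtin.group:
    name: root
    gid: 0
    state: present

- name: Verify root is the only UID 0 account
  # No shell features are needed, so `command` avoids a shell layer.
  # check_mode: false lets this read-only probe run under --check so the
  # registered result exists for the status task below.
  # NOTE(review): this only inspects /etc/passwd; UID 0 accounts served by
  # NSS sources (LDAP, SSSD) are not seen here.
  ansible.builtin.command: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
  register: uid_zero_accounts
  changed_when: false
  check_mode: false
  # Require exactly ['root']: a lone UID 0 account under another name (root
  # renamed or replaced by a backdoor account) is also a failure, which the
  # previous `length > 1` check would have accepted.
  failed_when: uid_zero_accounts.stdout_lines != ['root']

- name: Display root restrictions status
  ansible.builtin.debug:
    msg:
      - "Root SSH login: {{ 'DISABLED' if disable_root_login else 'ENABLED' }}"
      - "Root account: {{ 'LOCKED' if lock_root_account else 'UNLOCKED' }}"
      - "UID 0 accounts: {{ uid_zero_accounts.stdout_lines | join(', ') }}"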