---

- name: "1.4.1 | PATCH | Ensure bootloader password is set"
  when:
    - ubtu24cis_set_boot_pass
    - ubtu24cis_rule_1_4_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_1.4.1
    - NIST800-53R5_AC-3
    - grub
  block:
    - name: "1.4.1 | PATCH | Ensure bootloader password is set"
      ansible.builtin.template:
        src: etc/grub.d/00_user.j2
        dest: "{{ ubtu24cis_grub_user_file }}"
        owner: root
        group: root
        mode: 'go-w'
      notify: Grub update

    - name: "1.4.1 | PATCH | Ensure bootloader password is set | allow unrestricted boot"
      when: not ubtu24cis_ask_passwd_to_boot
      ansible.builtin.lineinfile:
        path: "/etc/grub.d/10_linux"
        regexp: '(^CLASS="--class gnu-linux --class gnu --class os).*"$'
        line: '\g<1> --unrestricted"'
        backrefs: true
      notify: Grub update

- name: "1.4.2 | PATCH | Ensure access to bootloader config is configured"
  when: ubtu24cis_rule_1_4_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_1.4.2
    - NIST800-53R5_AC-3
    - grub
  block:
    - name: "1.4.2 | AUDIT | Ensure access to bootloader config is configured | Check for Grub file"
      ansible.builtin.stat:
        path: "{{ ubtu24cis_grub_file }}"
      check_mode: false
      register: discovered_grub_cfg_file

    - name: "1.4.2 | PATCH | Ensure access to bootloader config is configured | Set permissions"
      when: discovered_grub_cfg_file.stat.exists
      ansible.builtin.file:
        path: "{{ ubtu24cis_grub_file }}"
        owner: root
        group: root
        mode: 'u-x,go-rwx'