From b234fdaea97eb67b3fc10eb6b0b633b96d19c9ec Mon Sep 17 00:00:00 2001
From: Ludovic Poujol
Date: Mon, 5 Jun 2023 10:33:34 +0200
Subject: [PATCH] pam_policy : Ensure it's only executed on Debian 11+ systems
---
 policy_pam/tasks/main.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/policy_pam/tasks/main.yml b/policy_pam/tasks/main.yml
index e238e22e..26587d26 100644
--- a/policy_pam/tasks/main.yml
+++ b/policy_pam/tasks/main.yml
@@ -1,8 +1,13 @@
 ---
-#
-# -password [success=1 default=ignore] pam_unix.so obscure yescrypt
-# +password requisite pam_pwquality.so retry=3
-# +password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass yescrypt
+
+# System compatibility check. yescrypt only works on Debian 11+
+# So we ensure that this role isn't executed on older systems
+- name: "System compatibility check"
+ assert:
+ that:
+ - ansible_distribution == "Debian"
+ - ansible_distribution_major_version is version_compare('11', '>=')
+ msg: pam_policy is only compatible with Debian >= 11