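# Hardening tasks for the root account.

# Set root's login shell to nologin.
# NOTE(review): this changes only the shell field of the account entry. It
# does not by itself limit sudo, and it may affect console or emergency
# recovery that relies on a root shell - confirm a recovery path exists.
- name: "root : disable root shell"
  ansible.builtin.user:
    name: "root"
    shell: "/usr/sbin/nologin"

# Replace the PAM service file for su with the copy shipped in ./root/su.
# NOTE(review): the restriction to wheel members named in the task title
# comes from the content of ./root/su, which is not visible here - verify
# that file before rollout, since a broken PAM file can block su entirely.
- name: "root : disable su for non-wheel users"
  ansible.builtin.copy:
    src: "./root/su"
    dest: "/etc/pam.d/su"
    # Owner is set explicitly so the result does not depend on the
    # connecting or become user. Group is left unset because the name of
    # gid 0 differs between platforms (root vs. wheel).
    owner: "root"
    # Quoted so the YAML parser cannot retype the octal mode as an integer.
    mode: "0644"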