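# Set root's login shell to /usr/sbin/nologin so a root login gets no
# interactive shell. This changes only the shell field: it does not lock
# root's password or alter sshd settings, so handle those separately if they
# are in scope.
# NOTE(review): confirm that console / rescue-mode recovery still works on
# the target distribution before rolling this out.
- name: Disable root shell
  user:
    name: root
    shell: /usr/sbin/nologin

# Install the project's PAM policy for su.
# NOTE(review): the shipped file is not visible here; presumably it enables
# pam_wheel so that only wheel members may use su. Verify its content, and
# make sure the wheel group exists and has at least one member before
# deploying, or nobody will be able to su.
- name: Disable su for non-wheel users
  copy:
    src: ./filesystem/common/etc/pam.d/su
    dest: /etc/pam.d/su
    # PAM policy should be writable by root only; pin ownership explicitly
    # instead of inheriting whatever an existing file already has.
    owner: root
    group: root
    # Quoted so the mode reaches the module as the string '0644' and is
    # never re-typed as a number by the YAML parser.
    mode: '0644'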