---
- name: "disable root shell"
  ansible.builtin.user:
    name: "root"
    shell: "/usr/sbin/nologin"

- name: "disable su for non-wheel users"
  ansible.builtin.copy:
    src: "./su"
    dest: "/etc/pam.d/su"
    mode: 0644