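#!/bin/sh
# Append hardened pam_faillock settings to a default faillock.conf.
#
# stdin:  default config
# stdout: modified config (the input, unchanged, followed by the new settings)
# stderr: one "=== assert NAME ===" progress line per setting
# exit:   0 on success; 1 when the input does not look like the expected
#         default config (commented default missing, or the setting is
#         already active). stdout may then be partially written, so the
#         caller must not install the output unless the exit status is 0.
#
# - https://wiki.archlinux.org/title/Security#Lock_out_user_after_three_failed_login_attempts
set -e

# save stdin in variable ($(...) strips trailing newlines; the printf below
# re-adds exactly one)
stdin="$(cat)"

# write stdin. printf rather than echo: under dash, echo interprets
# backslash escapes and would alter any config line containing one.
printf '%s\n' "$stdin"

#######################################
# Print a message to stderr and exit non-zero.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Assert that the input still carries the commented-out default for a
# setting and has no active (uncommented) line for it, so that the line we
# append afterwards is the only active one.
#
# Note: a bare `! cmd` does not abort under `set -e` (POSIX exempts negated
# commands), which is why the "not already set" check is an explicit
# if/then rather than `! grep ...`.
#
# Globals:   stdin (read)
# Arguments: $1 - setting name, used in the progress line
#            $2 - regex matching the commented default line
#            $3 - regex matching an active line for the setting
# Returns:   0 if both conditions hold; exits 1 otherwise
#######################################
assert_default() {
  printf '=== assert %s ===\n' "$1" >&2
  printf '%s\n' "$stdin" | grep -q -- "$2" \
    || die "expected commented default for '$1' not found"
  if printf '%s\n' "$stdin" | grep -q -- "$3"; then
    die "'$1' is already set; refusing to append a duplicate"
  fi
}

# Make locks persistent over reboot.
# NOTE(review): the directory is not created by this script — confirm it
# exists with the permissions pam_faillock expects on the target system.
assert_default dir '^# dir = /var/run/faillock$' '^dir[[:space:]]*='
printf '%s\n' 'dir = /var/lib/faillock'

# Lock account after 5 failed entries.
assert_default deny '^# deny = 3$' '^deny[[:space:]]*='
printf '%s\n' 'deny = 5'

# Also lock root (a flag setting, so the active-line regex has no '=').
assert_default even_deny_root '^# even_deny_root$' '^even_deny_root[[:space:]]*'
printf '%s\n' 'even_deny_root'

# Different unlock time for root: 60s. Because root is also denied above,
# this bounds how long a burst of failed attempts keeps root locked out.
assert_default root_unlock_time '^# root_unlock_time = 900$' '^root_unlock_time[[:space:]]*='
printf '%s\n' 'root_unlock_time = 60'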