36 lines
935 B
YAML
36 lines
935 B
YAML
|
- name: 'Get secrets'
|
||
|
|
no_log: 'true'
|
||
|
|
loop_control:
|
||
|
|
loop_var: 'server'
|
||
|
|
with_community.hashi_vault.vault_kv2_get:
|
||
|
|
- '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/{{ reset_password_for_account }}/creds'
|
||
|
|
ansible.builtin.set_fact:
|
||
|
|
vault_data: '{{ server.secret }}'
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
- name: 'If a secret is missing fail progress'
|
||
|
|
include_role:
|
||
|
|
name: '10-include-40-check-if-vault-var'
|
||
|
|
vars:
|
||
|
|
- inc_vault_data: '{{ vault_data }}'
|
||
|
|
- fail_check:
|
||
|
|
- 'password'
|
||
|
|
- 'password_salt'
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
- name: 'Set fact new OS local account password'
|
||
|
|
no_log: 'true'
|
||
|
|
ansible.builtin.set_fact:
|
||
|
|
os_acc_pwd: '{{ vault_data.password }}'
|
||
|
|
os_acc_salt: '{{ vault_data.password_salt }}'
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
- name: 'Set local OS account password'
|
||
|
|
ansible.builtin.user:
|
||
|
|
name: '{{ reset_password_for_account }}'
|
||
|
|
password: '{{ os_acc_pwd | string | password_hash(''sha512'', os_acc_salt) }}'
|
||
|
|
update_password: 'always'
|