feat(role): Change local account password

ansible/group_vars/all/vars.yml.example

@@ -1 +1,6 @@
 ansible_user: 'root'
+ansible_hashi_vault_auth_method: 'token'
+ansible_hashi_vault_token: 'hvs.xxxxxxxxxx'
+ansible_hashi_vault_engine_mount_point: 'kv'
+ansible_hashi_vault_token_validate: 'false'
+ansible_hashi_vault_url: 'http://localhost:8200/'

ansible/host_vars/mail-1.core.cliff.airlo.cc.yml

@@ -0,0 +1 @@
+reset_password_for_account: 'root'

ansible/playbook.yml

@@ -1,4 +1,5 @@
 - name: 'Set up SSH'
   hosts: all
   roles:
-    - role: 20-common-20-ssh
+    - '20-common-20-ssh'
+    - '20-common-20-change-local-account-password'

ansible/roles/10-include-40-check-if-vault-var/tasks/40-check-vault-var.yml

@@ -0,0 +1,7 @@
+- name: 'If a secret is missing fail progress'
+  failed_when: inc_fail_check not in inc_vault_data
+  loop_control:
+    loop_var: 'inc_fail_check'
+  loop: '{{ fail_check }}'
+  debug:
+    msg: 'Vault has {% if inc_fail_check not in inc_vault_data %}no {% endif %}secret ''{{ inc_fail_check }}'' at ''os/{{ reset_password_for_account }}/creds'''

ansible/roles/10-include-40-check-if-vault-var/tasks/main.yml

@@ -0,0 +1 @@
+- import_tasks: '40-check-vault-var.yml'

ansible/roles/20-common-20-change-local-account-password/tasks/40-change-password-generic.yml

@@ -0,0 +1,35 @@
+- name: 'Get secrets'
+  no_log: 'true'
+  loop_control:
+    loop_var: 'server'
+  with_community.hashi_vault.vault_kv2_get:
+    - '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/{{ reset_password_for_account }}/creds'
+  ansible.builtin.set_fact:
+    vault_data: '{{ server.secret }}'
+
+
+
+- name: 'If a secret is missing fail progress'
+  include_role:
+    name: '10-include-40-check-if-vault-var'
+  vars:
+    - inc_vault_data: '{{ vault_data }}'
+    - fail_check:
+      - 'password'
+      - 'password_salt'
+
+
+
+- name: 'Set fact new OS local account password'
+  no_log: 'true'
+  ansible.builtin.set_fact:
+    os_acc_pwd: '{{ vault_data.password }}'
+    os_acc_salt: '{{ vault_data.password_salt }}'
+
+
+
+- name: 'Set local OS account password'
+  ansible.builtin.user:
+    name: '{{ reset_password_for_account }}'
+    password: '{{ os_acc_pwd | string | password_hash(''sha512'', os_acc_salt) }}'
+    update_password: 'always'

ansible/roles/20-common-20-change-local-account-password/tasks/main.yml

@@ -0,0 +1 @@
+- import_tasks: '40-change-password-generic.yml'

ansible/roles/20-common-20-ssh/defaults/main.yml.example

@@ -1,6 +1 @@
 root_home_dir_abs: '/root'
-ansible_hashi_vault_auth_method: 'token'
-ansible_hashi_vault_token: 'hvs.xxxxxxxxxx'
-ansible_hashi_vault_engine_mount_point: 'kv'
-ansible_hashi_vault_token_validate: 'false'
-ansible_hashi_vault_url: 'http://localhost:8200/'

ansible/roles/20-common-20-ssh/tasks/20-ssh.yml

@@ -3,12 +3,25 @@
   loop_control:
     loop_var: 'server'
   with_community.hashi_vault.vault_kv2_get:
-    - '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/root/creds'
+    - '{{ inventory_hostname | split(".") | reverse | join("/") }}/os/{{ reset_password_for_account }}/creds'
   ansible.builtin.set_fact:
     vault_data: '{{ server.secret }}'
 
 
 
+- name: 'If a secret is missing fail progress'
+  tags:
+    - 'first_run'
+    - 'never'
+  include_role:
+    name: '10-include-40-check-if-vault-var'
+  vars:
+    - inc_vault_data: '{{ vault_data }}'
+    - fail_check:
+      - 'initial_password'
+
+
+
 - name: 'If first run: set SSH password'
   tags:
     - 'first_run'