feat(meta): Trim role content

2025-04-10 02:21:42 +02:00
parent 4341ba9bc6
commit 8126c26ec3
7 changed files with 45 additions and 75 deletions
--- a/tasks/40-local-os-password.yml
+++ b/tasks/40-local-os-password.yml
@@ -1,33 +1,11 @@
- name: 'Get secrets'
-  no_log: 'true'
-  loop_control:
-    loop_var: 'server'
-  with_community.hashi_vault.vault_kv2_get: '{{ local_os_password_vault_paths }}'
-  ansible.builtin.set_fact:
-    vault_data: '{{ vault_data | default({}) | combine (server.secret) }}'
-
-
-
- name: 'If a secret is missing: Fail progress'
-  import_role:
-    name: 'role_include_vault-check'
-  vars:
-    - vault_check_base_path: '{{ local_os_password_vault_base }}'
-    - vault_check_inc_vault_data: '{{ vault_data }}'
-    - vault_check_fail_checks: '{{ local_os_password_vault_vars }}'
-
-
-
- name: 'Set fact: New OS local account password'
-  no_log: 'true'
-  ansible.builtin.set_fact:
-    os_acc_pwd: '{{ vault_data.password }}'
-    os_acc_salt: '{{ vault_data.password_salt }}'
-
-
-
+# SPDX-License-Identifier: MIT
 - name: 'Set local OS account password'
+  loop_control:
+    loop_var: 'account'
+    index_var: 'i'
+    label: 'Set password for local account ''{{ account }}'''
+  loop: '{{ reset_password_for_account }}'
  ansible.builtin.user:
-    name: '{{ reset_password_for_account }}'
-    password: '{{ os_acc_pwd | string | password_hash(''sha512'', os_acc_salt) }}'
+    name: '{{ account }}'
+    password: '{{ lookup(''hashi_vault'', ''secret=kv/data/settings/machines/'' + fqdn_reverse + ''/os/user/'' + account + '':password'') | string | password_hash(''sha512'', lookup(''hashi_vault'', ''secret=kv/data/settings/machines/'' + fqdn_reverse + ''/os/user/'' + account + '':password_salt'')) }}'
    update_password: 'always'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1 +1,2 @@
+# SPDX-License-Identifier: MIT
 - import_tasks: '40-local-os-password.yml'