From f3042dbf7e69a9009524f2a4f06203a2a5342cf4 Mon Sep 17 00:00:00 2001
From: hygienic-books <hygienic-books@tentic.net>
Date: Sun, 24 Jul 2022 03:00:24 +0200
Subject: [PATCH] feat(role): Set and document defaults to make this ready to
 use out of the box

---
 README.md         | 27 ++++++++++++++++++++++++++-
 defaults/main.yml |  6 ++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 defaults/main.yml

diff --git a/README.md b/README.md
index 38e8108..c6475dd 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,28 @@
 # role_common_local-os-password
 
-An Ansible role to change an operating system's local user password
\ No newline at end of file
+An Ansible role to change an operating system's local user password
+
+# Defaults
+
+This role requires variables defined in [defaults/main.yml](defaults/main.yml). Feel free to overwrite them as needed for your HashiCorp Vault setup for example in a `group_vars` or `host_vars` file.
+
+* `fqdn_reverse`: A variable that contains the reversed fully qualified domain name for each host. For `fully.qualified.domain.name` this variable will equal `name.domain.qualified.fully`. Consider this a suggestion for how to set up your HashiCorp Vault `kv` secrets hierarchy.
+
+* `local_os_password_vault_vars`: The variables you want extracted from your Vault instance, by default `['password', 'password_salt']` which contain the new password to set for the local account and a salt, respectively.
+
+* `local_os_password_vault_base`: The base path where all of `local_os_password_vault_vars` are located in Vault.
+
+* `local_os_password_vault_paths`: The product of both `local_os_password_vault_base` and `local_os_password_vault_vars` stored in a dictionary. This is what the role uses in its `vault_kv2_get` lookup.
+
+* `reset_password_for_account`: The account for which you'd like to change its local account password, defaults to `root`.
+
+# Use it
+
+In your `playbook.yml` call it like so:
+
+```
+- name: 'Awesome playbook'
+  hosts: all
+  roles:
+    - 'role_common_local-os-password'
+```
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..b848b22
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,6 @@
+# role_common_local-os-password
+fqdn_reverse: '{{ inventory_hostname | split(".") | reverse | join("/") }}'
+local_os_password_vault_vars: ['password', 'password_salt']
+local_os_password_vault_base: '{{ fqdn_reverse }}/os/{{ reset_password_for_account }}'
+local_os_password_vault_paths: '{{ [local_os_password_vault_base + ''/''] | product(local_os_password_vault_vars) | map(''join'') | list }}'
+reset_password_for_account: 'root'
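Review bot: `fqdn_reverse` on the second added line of `defaults/main.yml` is built from `inventory_hostname`, which is whatever name the inventory gives the host and not necessarily its FQDN, so a short alias or an IP address yields a Vault path such as `alias/os/root` or reversed octets, and the role would read (or fail to read) the new password from a location nobody intended. Either derive it from a gathered fact, e.g. `fqdn_reverse: '{{ ansible_fqdn | split(".") | reverse | join("/") }}'`, or state the requirement in a comment such as `# inventory_hostname must be the host's FQDN; it selects the Vault path the new password is read from`. The README section of this patch also gives the value as `name.domain.qualified.fully` while the expression joins with `/`, and calls `local_os_password_vault_paths` a dictionary while `product(...) | map('join') | list` yields a list of path strings; the documentation and defaults should agree. Because these paths resolve to a password and its salt, the tasks that consume them (not visible in this patch) should presumably run with `no_log: true`.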