8 changed files with 59 additions and 62 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,3 @@
-.idea
+# ---> Ansible
 *.retry
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -0,0 +1,13 @@
 # Change log
 Current version: 0.1.0
 <!--next-version-placeholder-->
 ## v0.1.0 (2022-07-24)
 ### Feature
 * **role:** Introduce Semantic Versioning a changelog ([`a84a113`](https://quico.space/quico-ansible/role_common_local-os-password/commit/a84a113ef749dc7c543f1b3995efe0e4194f7832))
 * **role:** Initial commit ([`dc9b87b`](https://quico.space/quico-ansible/role_common_local-os-password/commit/dc9b87ba880b58004201199f559b950ada939555))
 ### Fix
 * **role:** Import dependency via 'git+https' protocol ([`8a1aa01`](https://quico.space/quico-ansible/role_common_local-os-password/commit/8a1aa0175efa6acf40f2c85dac45375adf0e92e1))
--- a/README.md
+++ b/README.md
@ -1,43 +1,3 @@
-[//]: # (SPDX-License-Identifier: MIT)
+# role_common_local-os-password
 # Role Name
-role-common-local_os_password
+An Ansible role to change an operating system's local user password
 # Description
 Change an operating system's local user password.
 # Requirements
 Your target machines must be Linux.
 # Role Variables
 This role requires variables defined in [defaults/main.yml](defaults/main.yml). Feel free to overwrite them as needed for your HashiCorp Vault setup for example in a `group_vars` or `host_vars` file.
 - `fqdn_reverse`: A variable that contains the reversed fully qualified domain name for each host. For `fully.qualified.domain.name` this variable will equal `name/domain/qualified/fully` which we then use in our HashiCorp Vault path to retrieve a password and password salt per host and per user.
 - `reset_password_for_account`: A list of usernames whose password we want changed. This defaults to:
    ```
    reset_password_for_account:
      - 'build'
      - 'root'
    ```
 # Dependencies
 None.
 # Example Playbook
 In your `playbook.yml` call it like so:
 ```
 - name: 'Awesome playbook'
  hosts: all
  roles:
    - 'role-common-local_os_password'
 ```
 # License
 MIT
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,5 +0,0 @@
 # SPDX-License-Identifier: MIT
 fqdn_reverse: '{{ inventory_hostname | split(".") | reverse | join("/") }}'
 reset_password_for_account:
  - 'build'
  - 'root'
--- a/meta/main.yml
+++ b/meta/main.yml
@ -1,10 +1,14 @@
 # SPDX-License-Identifier: MIT
 galaxy_info:
  author: 'hygienic-books'
-  description: 'Change an operating system''s local user password'
+  description: 'An Ansible role to change an operating system''s local user password'
-  license: MIT
+  issue_tracker_url: 'https://quico.space/quico-ansible/role_common_local-os-password/issues'
-  min_ansible_version: 2.18.1
+  license: 'MIT'
  min_ansible_version: '2.12.6'
  platforms:
    - name: 'EL'
      versions:
      - '7'
      - '8'
  galaxy_tags:
    - 'os'
    - 'password'
 dependencies: []
--- a/meta/requirements.yml
+++ b/meta/requirements.yml
@ -0,0 +1,2 @@
 - src: 'git+https://quico.space/quico-ansible/role_include_vault-check.git'
  version: 'master'
--- a/tasks/40-local-os-password.yml
+++ b/tasks/40-local-os-password.yml
@ -1,11 +1,33 @@
-# SPDX-License-Identifier: MIT
+- name: 'Get secrets'
- name: 'Set local OS account password'
+  no_log: 'true'
  loop_control:
-    loop_var: 'account'
+    loop_var: 'server'
-    index_var: 'i'
+  with_community.hashi_vault.vault_kv2_get: '{{ local_os_password_vault_paths }}'
-    label: 'Set password for local account ''{{ account }}'''
+  ansible.builtin.set_fact:
-  loop: '{{ reset_password_for_account }}'
+    vault_data: '{{ vault_data | default({}) | combine (server.secret) }}'
 - name: 'If a secret is missing: Fail progress'
  import_role:
    name: 'role_include_vault-check'
  vars:
    - vault_check_base_path: '{{ local_os_password_vault_base }}'
    - vault_check_inc_vault_data: '{{ vault_data }}'
    - vault_check_fail_checks: '{{ local_os_password_vault_vars }}'
 - name: 'Set fact: New OS local account password'
  no_log: 'true'
  ansible.builtin.set_fact:
    os_acc_pwd: '{{ vault_data.password }}'
    os_acc_salt: '{{ vault_data.password_salt }}'
 - name: 'Set local OS account password'
  ansible.builtin.user:
-    name: '{{ account }}'
+    name: '{{ reset_password_for_account }}'
-    password: '{{ lookup(''hashi_vault'', ''secret=kv/data/settings/machines/'' + fqdn_reverse + ''/os/user/'' + account + '':password'') | string | password_hash(''sha512'', lookup(''hashi_vault'', ''secret=kv/data/settings/machines/'' + fqdn_reverse + ''/os/user/'' + account + '':password_salt'')) }}'
+    password: '{{ os_acc_pwd | string | password_hash(''sha512'', os_acc_salt) }}'
    update_password: 'always'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,2 +1 @@
 # SPDX-License-Identifier: MIT
 - import_tasks: '40-local-os-password.yml'
		`@ -0,0 +1,2 @@`
							`- src: 'git+https://quico.space/quico-ansible/role_include_vault-check.git'`
							`version: 'master'`
`@ -1,2 +1 @@`
	`# SPDX-License-Identifier: MIT`
	`- import_tasks: '40-local-os-password.yml'`	`- import_tasks: '40-local-os-password.yml'`