# role_common_local-os-password

An Ansible role to change an operating system's local user password.

# Defaults

This role requires the variables defined in [defaults/main.yml](defaults/main.yml). Feel free to override them as needed for your HashiCorp Vault setup, for example in a `group_vars` or `host_vars` file.

* `fqdn_reverse`: A variable that contains the reversed fully qualified domain name for each host, with each dot (`.`) replaced by a slash (`/`). For `fully.qualified.domain.name` this variable will equal `name/domain/qualified/fully`. Consider this a suggestion for how to set up your HashiCorp Vault `kv` secrets hierarchy.
* `local_os_password_vault_vars`: The variables you want extracted from your Vault instance, by default `['password', 'password_salt']`, which contain the new password to set for the local account and a salt, respectively.
* `local_os_password_vault_base`: The base path where all of `local_os_password_vault_vars` are located in Vault.
* `local_os_password_vault_paths`: The product of both `local_os_password_vault_base` and `local_os_password_vault_vars`, stored in a dictionary. This is what the role uses in its `vault_kv2_get` lookup.
* `reset_password_for_account`: The local account whose password you'd like to change, defaults to `root`.

# Use it

In your `playbook.yml` call it like so:

```
- name: 'Awesome playbook'
  hosts: all
  roles:
    - 'role_common_local-os-password'
```

# Output

Example Ansible task output:

```
...
TASK [role_common_local-os-password : Get secrets] *************************************************
ok: [fully.qualified.domain.name] => (item=None)
ok: [fully.qualified.domain.name] => (item=None)
ok: [fully.qualified.domain.name]

TASK [role_include_vault-check : If a secret is missing: Fail progress] ****************************
ok: [fully.qualified.domain.name] => (item=password) => {
    "msg": "Vault has secret 'password' at 'name/domain/qualified/fully/os/root'"
}
ok: [fully.qualified.domain.name] => (item=password_salt) => {
    "msg": "Vault has secret 'password_salt' at 'name/domain/qualified/fully/os/root'"
}

TASK [role_common_local-os-password : Set fact: New OS local account password] *********************
ok: [fully.qualified.domain.name]

TASK [role_common_local-os-password : Set local OS account password] *******************************
ok: [fully.qualified.domain.name]
...
```
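
A `group_vars` override for the variables listed under Defaults, as an added example that is not part of the role or its `defaults/main.yml`. The `breakglass` account name and the `<fqdn_reverse>/os/<account>` base path layout are assumptions, the latter inferred from the path shown in the sample output; it also assumes `inventory_hostname` is the host's FQDN.

```yaml
# group_vars/all.yml: added example, not the role's own defaults.

# Assumption: inventory_hostname is the host's fully qualified domain name.
# fully.qualified.domain.name -> name/domain/qualified/fully
fqdn_reverse: "{{ inventory_hostname.split('.') | reverse | join('/') }}"

# Rotate a dedicated local account instead of the default `root`.
# `breakglass` is a hypothetical account name used for illustration.
reset_password_for_account: 'breakglass'

# Assumption: secrets live at <fqdn_reverse>/os/<account>, matching the
# sample output path 'name/domain/qualified/fully/os/root'.
# For fully.qualified.domain.name this resolves to
# name/domain/qualified/fully/os/breakglass
local_os_password_vault_base: "{{ fqdn_reverse }}/os/{{ reset_password_for_account }}"

# Keys read from that path: the new password and its salt
# (the role's stated default list).
local_os_password_vault_vars:
  - 'password'
  - 'password_salt'

# local_os_password_vault_paths is not set here: per the README it is the
# product of the base path and the variable list above.
```

Both keys must exist at the resolved path for every targeted host before the play runs, since the role checks for missing secrets before setting the password.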