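# Resets the password of a local OS account from values stored in
# HashiCorp Vault (KV v2): read the secrets, check that the expected keys
# are present, then apply the salted SHA-512 hash to the account.
#
# Variables read by these tasks (all defined outside this file):
#   local_os_password_vault_paths  - KV v2 paths to read
#   local_os_password_vault_base   - passed to the check role as base path
#   local_os_password_vault_vars   - passed to the check role as fail checks
#   reset_password_for_account     - name of the account to update

# One vault_kv2_get lookup per path; each result's `secret` mapping is
# merged into vault_data, so on duplicate keys the later path wins.
# NOTE(review): default({}) only applies when vault_data is undefined; if
# an earlier task already set vault_data for this host, its keys are kept
# and merged with the new ones. Confirm that is intended.
- name: 'Get secrets'
  ansible.builtin.set_fact:
    vault_data: '{{ vault_data | default({}) | combine (server.secret) }}'
  with_community.hashi_vault.vault_kv2_get: '{{ local_os_password_vault_paths }}'
  loop_control:
    loop_var: 'server'
  # Keeps each loop item (the raw Vault response) out of task output.
  no_log: true

# vars is written as a mapping: the list-of-dictionaries form is deprecated
# in ansible-core, and the mapping form is accepted by all versions.
# NOTE(review): vault_data holds secret material and this task is not
# no_log. The role is presumably the one that fails the play when a key
# listed in vault_check_fail_checks is absent; confirm that none of its
# tasks print vault_check_inc_vault_data in a failure message or debug.
- name: 'If a secret is missing: Fail progress'
  ansible.builtin.import_role:
    name: 'role_include_vault-check'
  vars:
    vault_check_base_path: '{{ local_os_password_vault_base }}'
    vault_check_inc_vault_data: '{{ vault_data }}'
    vault_check_fail_checks: '{{ local_os_password_vault_vars }}'

# no_log hides these values from output only. The cleartext password stays
# in the host's facts (os_acc_pwd, and vault_data above) for the rest of
# the run, so any later debug/template of hostvars can expose it.
- name: 'Set fact: New OS local account password'
  ansible.builtin.set_fact:
    os_acc_pwd: '{{ vault_data.password }}'
    os_acc_salt: '{{ vault_data.password_salt }}'
  no_log: true

# The salt comes from Vault instead of being random, so the same password
# always yields the same hash and the task only reports "changed" when the
# stored hash actually differs.
# NOTE(review): a sha512-crypt salt is limited to 16 characters from
# [./0-9A-Za-z]; confirm password_salt in Vault meets that.
- name: 'Set local OS account password'
  ansible.builtin.user:
    name: '{{ reset_password_for_account }}'
    password: '{{ os_acc_pwd | string | password_hash(''sha512'', os_acc_salt) }}'
    update_password: 'always'
  # The user module already masks its password argument; no_log is added
  # for consistency with the other secret-handling tasks, so the result and
  # any templating error stay out of logs and callback plugins.
  no_log: true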