role_common_local-os-password
An Ansible role to change an operating system's local user password
Defaults
This role requires variables defined in defaults/main.yml. Feel free to overwrite them as needed for your HashiCorp Vault setup, for example in a group_vars or host_vars file.
- fqdn_reverse: A variable that contains the reversed fully qualified domain name for each host. For fully.qualified.domain.name this variable will equal name.domain.qualified.fully. Consider this a suggestion for how to set up your HashiCorp Vault kv secrets hierarchy.
- local_os_password_vault_vars: The variables you want extracted from your Vault instance, by default ['password', 'password_salt'], which contain the new password to set for the local account and a salt, respectively.
- local_os_password_vault_base: The base path where all of local_os_password_vault_vars are located in Vault.
- local_os_password_vault_paths: The product of both local_os_password_vault_base and local_os_password_vault_vars, stored in a dictionary. This is what the role uses in its vault_kv2_get lookup.
- reset_password_for_account: The account whose local password you'd like to change; defaults to root.
Use it
In your playbook.yml call it like so:

- name: 'Awesome playbook'
  hosts: all
  roles:
    - 'role_common_local-os-password'
Output
Example Ansible task output:
...
TASK [role_common_local-os-password : Get secrets] *************************************************
ok: [fully.qualified.domain.name] => (item=None)
ok: [fully.qualified.domain.name] => (item=None)
ok: [fully.qualified.domain.name]

TASK [role_include_vault-check : If a secret is missing: Fail progress] ****************************
ok: [fully.qualified.domain.name] => (item=password) => {
    "msg": "Vault has secret 'password' at 'name/domain/qualified/fully/os/root'"
}
ok: [fully.qualified.domain.name] => (item=password_salt) => {
    "msg": "Vault has secret 'password_salt' at 'name/domain/qualified/fully/os/root'"
}

TASK [role_common_local-os-password : Set fact: New OS local account password] *********************
ok: [fully.qualified.domain.name]

TASK [role_common_local-os-password : Set local OS account password] *******************************
ok: [fully.qualified.domain.name]
...
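
How the variables above and the path in the sample output could fit together, as an added sketch that is not this role's own task file. It assumes the community.hashi_vault collection, VAULT_ADDR and VAULT_TOKEN set on the controller, a KV v2 engine mounted at 'secret', and inventory hostnames that are FQDNs; vault_secret_path and vault_secret are hypothetical names.

```yaml
# Added sketch, not the role's own tasks. The path layout, the mount point and
# the variable names vault_secret_path / vault_secret are assumptions.
- name: 'Sketch: set a local account password from Vault'
  hosts: all
  become: true
  vars:
    reset_password_for_account: 'root'
    # fully.qualified.domain.name -> name.domain.qualified.fully
    fqdn_reverse: "{{ inventory_hostname.split('.') | reverse | join('.') }}"
    # Assumed layout, matching the sample output:
    # name/domain/qualified/fully/os/root
    vault_secret_path: "{{ fqdn_reverse | replace('.', '/') }}/os/{{ reset_password_for_account }}"
  tasks:
    - name: 'Read password and salt from Vault'
      ansible.builtin.set_fact:
        vault_secret: "{{ lookup('community.hashi_vault.vault_kv2_get',
                                 vault_secret_path,
                                 engine_mount_point='secret').secret }}"
      no_log: true  # keeps secret values out of task output and logs

    - name: 'Stop if either key is missing'
      ansible.builtin.assert:
        that:
          - "'password' in vault_secret"
          - "'password_salt' in vault_secret"
        quiet: true
      no_log: true

    - name: 'Set local OS account password'
      ansible.builtin.user:
        name: "{{ reset_password_for_account }}"
        # A fixed salt produces the same hash on every run, so this task
        # reports 'ok' until the password stored in Vault changes. Without a
        # salt argument, password_hash picks a random salt and the task
        # reports 'changed' on every run.
        # sha512-crypt salts are at most 16 characters from [./0-9A-Za-z].
        password: "{{ vault_secret.password
                      | password_hash('sha512', vault_secret.password_salt) }}"
      no_log: true
```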