Trying something different for passlib

playbooks/update_user_password.yml

@@ -1,8 +1,5 @@
 ---
 - hosts: all
-  become: true
-  become_method: sudo
-  become_user: root
   vars:
     password_salt: !vault |
           $ANSIBLE_VAULT;1.1;AES256
@@ -34,6 +31,13 @@
     - name: Ensure passlib is installed locally
       ansible.builtin.pip:
         name: passlib
+        extra_args: "--user"
+      run_once: true
+      delegate_to: 127.0.0.1
+
+    - name: Generate password outside root context
+      ansible.builtin.set_fact:
+        hashed_pass: "{{ what_password | password_hash('sha512', password_salt) }}"
       run_once: true
       delegate_to: 127.0.0.1
 
@@ -41,5 +45,8 @@
       ansible.builtin.user:
         name: "{{ what_user }}"
         password: "{{ what_password | password_hash('sha512', password_salt) }}"
+      become: true
+      become_method: sudo
+      become_user: root