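---
# Set the login password of an existing account on every targeted host.
#
# Required variables (the play aborts early when either is missing):
#   what_user      - account whose password is changed
#   what_password  - new plaintext password; it is hashed before it reaches
#                    the user module
- hosts: all
  vars:
    # Vault-encrypted salt passed to password_hash below.
    # NOTE(review): one static salt is used for every account and host. That
    # keeps the user task idempotent (same input, same hash), but identical
    # passwords then produce identical hashes everywhere, and anyone who
    # learns the salt can precompute against it. Confirm this trade-off is
    # intended.
    password_salt: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31393533613636613064623931356565383762336134346665306361653339623266353766386132
      6230623765343034333763383666343532643735333766390a376636353463326163376632633230
      39656165633638313463643664306434623863346161316630646435373164346330313533303932
      3364646665346461380a643564313762393362653064626463663064363135663937336238623164
      32643632393539643636383337386436626536393534613337376232663632333063

  tasks:
    - name: "Fail if what_user is not set"
      ansible.builtin.fail:
        msg: "You have to specify the what_user variable"
      when: what_user is not defined
      run_once: true
      delegate_to: 127.0.0.1

    # Fix: this guard previously tested what_user, so a missing what_password
    # was never caught here and only surfaced later as a templating error.
    - name: "Fail if what_password is not set"
      ansible.builtin.fail:
        msg: "You have to specify the what_password variable"
      when: what_password is not defined
      run_once: true
      delegate_to: 127.0.0.1

    # getent fails the host when the key is missing from the passwd database,
    # which is what turns this lookup into an existence check.
    - name: Fail if user specified does not exist
      ansible.builtin.getent:
        database: passwd
        key: "{{ what_user }}"

    # NOTE(review): this installs an unpinned package on the controller at
    # run time. Consider pinning the version or pre-provisioning passlib so
    # the play does not depend on whatever the package index serves.
    - name: Ensure passlib is installed locally
      ansible.builtin.pip:
        name: passlib
        extra_args: "--user"
      run_once: true
      delegate_to: 127.0.0.1

    # no_log keeps the plaintext password and the resulting hash out of task
    # output, verbose logs and callback plugins.
    # NOTE(review): hashed_pass is not read by any task in this play; the
    # user task below recomputes the same expression.
    - name: Generate password outside root context
      ansible.builtin.set_fact:
        hashed_pass: "{{ what_password | password_hash('sha512', password_salt) }}"
      run_once: true
      delegate_to: 127.0.0.1
      no_log: true

    # Only this task escalates to root. no_log prevents the templated
    # password argument from being shown in the task result.
    - name: Update user password
      ansible.builtin.user:
        name: "{{ what_user }}"
        password: "{{ what_password | password_hash('sha512', password_salt) }}"
      become: true
      become_method: sudo
      become_user: root
      no_log: true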