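---
# Set the password of an existing local account on every targeted host.
#
# Required variables:
#   what_user      - name of the account whose password is changed
#   what_password  - new plaintext password; it is hashed on the controller
#
# Passing what_password with -e on the command line leaves it in shell
# history and the process list; a vaulted vars file or a prompt avoids that.
- hosts: all
  vars:
    # Vault-encrypted salt. A fixed salt keeps the resulting hash stable
    # between runs, so the user task stays idempotent. The trade-off is that
    # the same password yields the same hash for every account and host
    # handled by this play.
    password_salt: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      38386463386336393336643934393736633235623939306263663737303130316438343037353135
      6535633737343438393239636230666664666331346564380a613161376237323262613164316564
      65643733373739666165313065383030353664656161393261623762623733353938333964346536
      3064316661323964390a326564613734316162613432396432363737376438323664656666613035
      30386662653266373766613837373534616639383866383732646336373037653430

  tasks:
    - name: "Fail if what_user is not set"
      ansible.builtin.fail:
        msg: "You have to specify the what_user variable"
      when: what_user is not defined
      run_once: true
      delegate_to: 127.0.0.1

    # The original condition tested what_user here, so a missing
    # what_password was never caught by this guard. An empty value is also
    # rejected so the account cannot end up with the hash of an empty string.
    - name: "Fail if what_password is not set"
      ansible.builtin.fail:
        msg: "You have to specify the what_password variable"
      when: >-
        what_password is not defined
        or (what_password | string | length == 0)
      run_once: true
      delegate_to: 127.0.0.1

    # getent fails the host when the key is missing from the passwd database,
    # which stops the play before the user module could create the account.
    - name: Fail if user specified does not exist
      ansible.builtin.getent:
        database: passwd
        key: "{{ what_user }}"

    # passlib is needed on the controller by the password_hash filter.
    # NOTE(review): this pulls an unpinned package at run time; consider
    # pinning a reviewed version or pre-installing it on the controller.
    - name: Ensure passlib is installed locally
      ansible.builtin.pip:
        name: passlib
        extra_args: "--user"
      run_once: true
      delegate_to: 127.0.0.1

    # Hash once, without privilege escalation. no_log keeps the plaintext and
    # the hash out of task output and verbose logs.
    - name: Generate password outside root context
      ansible.builtin.set_fact:
        hashed_pass: "{{ what_password | password_hash('sha512', password_salt) }}"
      run_once: true
      delegate_to: 127.0.0.1
      no_log: true

    # Reuse the precomputed hash instead of hashing a second time under
    # become, so the hashing expression lives in one place only.
    - name: Update user password
      ansible.builtin.user:
        name: "{{ what_user }}"
        password: "{{ hashed_pass }}"
      become: true
      become_method: sudo
      become_user: root
      no_log: true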