Opportunity to shamelessly plug my own lookup ;) But if you convert to password-store for storing and creating passwords you could use my lookup plugin, which does all this (except for the part of re-encrypting it with sha256; just file an issue).

https://github.com/morphje/ansible_pass_lookup

If you look up a password with create=true in the lookup it will even create a new password for you. Tested with ansible 2.0.

Kind regards,
Patrick Deelman

On Friday, April 8, 2016 at 6:23:50 PM UTC+2, David Strauß wrote:
>
> Good evening everyone,
>
> I'm looking for an automated way to create user accounts with random passwords and reuse them for the `ansible_sudo_pass` variable.
>
> Is there an official position on how to do/accomplish this?
> My current solution broke after an update from Ansible 1.9 to Ansible 2 and I struggle to make it work under Ansible 2.
>
> For more details let me explain my solution and how it breaks with Ansible 2.
>
> I create a new user and store its password with this task:
>
> ---
> - name: Create user
>   user: name=deployer group=deployer password={{item}} state=present
>   with_password: "./passwords/my-server/users/deployer encrypt=sha256_crypt"
>
> In a different playbook I use the previously created user and its password like this:
>
> ---
> - hosts: all
>   remote_user: deployer
>   vars:
>     - ansible_sudo_pass: "{{ lookup('password', './passwords/my-server/users/deployer') }}"
>
> Creating the user creates the `./passwords/my-server/users/deployer` file containing the password and a salt. The salt comes from the `encrypt` parameter, which in turn is needed by the `user` module because it requires an encrypted password. Without this parameter you will set the user's password to an unknown one.
>
> Unlike the `user` module, Ansible expects the `ansible_sudo_pass` variable to be in plaintext. Therefore we use the lookup method without an `encrypt` parameter. With Ansible 1.9 this resulted in a password file where the salt part was removed. (I assume this was not intended, but for my use case it was not a problem.)
>
> Nonetheless this procedure worked with Ansible 1.9.
>
> After updating to Ansible 2 my server provisioning process started to fail due to a wrong sudo password. The first thing I noticed was that the lookup function no longer removed the salt part of the password file. Secondly it seems that compared to 1.9 it now reads the entire file instead of only the password. This in turn means the `ansible_sudo_pass` also contains the salt part of the file, which results in an obviously wrong password.
>
> Thank you for reading. I appreciate any pointers and tips on how to accomplish my goal under Ansible 2.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/00c87556-377e-4975-8940-f4bb3e9b055a%40googlegroups.com.
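The failure mode described in the quoted message, modelled as an added example (this is not code from the thread, from Patrick's lookup plugin, or from Ansible itself). It assumes the on-disk format the thread describes for a password file created with `encrypt=...`: the plaintext password followed by ` salt=<salt>` on one line; the character sets and salt length are also assumptions, chosen to resemble Ansible's defaults. The `naive_lookup` function returns the whole file, which is what the thread reports Ansible 2.0 did without `encrypt`, and `sudo_pass_is_clean` is the check a practitioner would run before handing a looked-up value to `ansible_sudo_pass`.

```python
"""Added example: why re-reading an Ansible 2 password file without
encrypt= yields a wrong sudo password, and how to split the salt off.

Assumed file format (from the thread's description):  <password> salt=<salt>
"""
import os
import secrets
import string
import tempfile
from typing import Optional, Tuple

# Assumption: character sets modelled on Ansible's defaults
PASSWORD_CHARS = string.ascii_letters + string.digits + ".,:-_"
SALT_CHARS = string.ascii_letters + string.digits + "./"   # crypt(3)-style salt alphabet


def generate_password(length: int = 20) -> str:
    """Random password drawn from the CSPRNG-backed 'secrets' module."""
    return "".join(secrets.choice(PASSWORD_CHARS) for _ in range(length))


def generate_salt(length: int = 8) -> str:
    """Salt for a crypt-style hash such as sha256_crypt (length is an assumption)."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def write_password_file(path: str, password: str, salt: Optional[str]) -> None:
    """Store the password; append the salt only when a hash was requested (encrypt=...)."""
    content = password if salt is None else f"{password} salt={salt}"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, 0o600)   # plaintext secret on disk: keep it owner-readable only


def naive_lookup(path: str) -> str:
    """What the thread reports for Ansible 2.0 without encrypt=: the whole file, salt included."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def parse_password_file(content: str) -> Tuple[str, Optional[str]]:
    """Split the stored line into (password, salt); salt is None when the file has none."""
    content = content.strip()
    if " salt=" in content:
        password, salt = content.split(" salt=", 1)
        return password, salt
    return content, None


def plaintext_lookup(path: str) -> str:
    """The value ansible_sudo_pass actually needs: the password part only."""
    return parse_password_file(naive_lookup(path))[0]


def sudo_pass_is_clean(sudo_pass: str, path: str) -> bool:
    """True if a looked-up sudo password matches the stored plaintext (no salt suffix)."""
    return sudo_pass == plaintext_lookup(path)


def demo() -> dict:
    """Create a user password file the way the thread's first task would, then read it back both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "deployer")        # stands in for ./passwords/my-server/users/deployer
        pw, salt = generate_password(), generate_salt()
        write_password_file(path, pw, salt)
        raw = naive_lookup(path)
        return {
            "password": pw,
            "salt": salt,
            "raw": raw,                                    # "<pw> salt=<salt>": wrong as a sudo password
            "raw_is_clean": sudo_pass_is_clean(raw, path),           # False
            "parsed_is_clean": sudo_pass_is_clean(plaintext_lookup(path), path),  # True
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Under the same format assumption, the equivalent fix inside a playbook is to strip the suffix in the Jinja expression, for example `"{{ lookup('password', './passwords/my-server/users/deployer').split(' salt=')[0] }}"`; whichever way it is done, the check above (compare the value you are about to pass as `ansible_sudo_pass` with the first field of the file) catches the salt leaking into the sudo password before a whole provisioning run fails on it.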
