vn-ansible/roles/debian-base/tasks/root.yml


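# Rotate the root password once per host and record it in Passbolt.
# A witness flag read from vn_ini (section "witness", option
# "root_pass_changed") stops the rotation from running again.

- name: Set the root password changed witness variable
  set_fact:
    # "| bool" makes the witness a real boolean even when the stored value
    # arrives as text such as "True" or "False"; a non-empty string would
    # otherwise always count as true in the "not root_pass_changed" test.
    root_pass_changed: "{{ vn_ini.witness.root_pass_changed | default(false) | bool }}"

# no_log on the block keeps the clear-text password out of task output and
# logs. It does not remove the facts set below: passbolt_password,
# root_password and msg remain host facts for the rest of the run, so later
# tasks must not print them.
- when: vn_witness_checked and not root_pass_changed
  no_log: true
  block:
    # "passbolt" is unquoted, so it is a variable; presumably it holds the
    # name of the Passbolt lookup plugin and is defined outside this file.
    # TODO confirm.
    # With ignore_errors, any failure of this lookup leaves
    # passbolt_password undefined, so "entry not found" and "Passbolt
    # unreachable or rejecting the credentials" both lead into the block
    # below. NOTE(review): confirm that is intended, since a transient
    # failure would trigger a new password and a new Passbolt entry.
    - name: Search root password in Passbolt
      ignore_errors: true
      set_fact:
        passbolt_password: >
          {{
            lookup(passbolt, inventory_hostname_short,
              username='root',
              uri='ssh://'+hostname_fqdn
            )
          }}

    - when: passbolt_password is not defined
      block:
        # '/dev/null' as the path tells the password lookup not to keep a
        # copy of the generated value on the control node.
        - name: Generate a random root password
          set_fact:
            root_password: "{{ lookup('password', '/dev/null length=18 chars=ascii_letters,digits') }}"

        # Runs before the password is changed on the host and has no
        # ignore_errors, so a failed save stops the play while the old
        # password is still in place.
        # The lookup result is kept in "msg"; its content is not visible
        # here and may include the secret, so treat it as sensitive.
        - name: Save root password into Passbolt
          set_fact:
            msg: >
              {{
                lookup(passbolt, inventory_hostname_short,
                  username='root',
                  password=root_password,
                  uri='ssh://'+hostname_fqdn
                )
              }}
          environment:
            PASSBOLT_CREATE_NEW_RESOURCE: true

        # The user module takes a crypt hash, not clear text, hence the
        # password_hash filter.
        - name: Change root password
          user:
            name: root
            password: "{{ root_password | password_hash('sha512') }}"

        # NOTE(review): the page lost its indentation, so the nesting of
        # this task is reconstructed. It is placed inside the inner block
        # so that the witness is written only after the password was
        # really changed; confirm against the repository.
        - name: Set root password generated witness
          ini_file:
            path: /etc/vn.ini
            section: witness
            option: root_pass_changed
            value: true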