I’m currently writing an Ansible playbook with roles to set up a series of public Dedibox servers at Scaleway.
Rocky Linux 8 is installed on these (bare metal) servers via a web interface that only allows setting a password of up to 15 characters.
Now I’d like to write a little playbook that redefines passwords for root as well as the initially created user called microlinux.
I already know how to handle sensitive data using Ansible Vault, but I wonder what is the recommended “best practice” for managing sensitive passwords with the ansible.builtin.user module.
Let’s say I have a machine sd-123456.dedibox.fr.
I would create a host_vars/sd-123456/vars.yml file like this:
Notice the lack of quotes around passwd_root; that is because yours is a variable. If you were to put the password here without using a variable, then the single quotes would be required, e.g. 'password'.
I tried the last example, which worked BUT I get a big fat deprecation warning:
[DEPRECATION WARNING]: Encryption using the Python crypt module is deprecated.
The Python crypt module is deprecated and will be removed from Python 3.13. Install
the passlib library for continued encryption functionality. This feature will be removed
in version 2.17. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
And I have no idea what to do here. Unfortunately this is very poorly documented even in the official documentation. Judging from various forum and blog posts, you have to be a member of some secret society to perform an action like setting a password with Ansible.
I installed the python3-passlib package from EPEL on the Ansible control host and ran the playbook again, but to no effect. I still get the same deprecation warning.
As for python3-passlib, I simply kept deprecation_warnings = false in ansible.cfg. The current function is still supported until Python 3.13, so I’ll cross that bridge when I get there.
You’ll need it on all the hosts that you connect to as well. The playbook is run on each of the servers you connect to. So python3-passlib needs to be installed there also.
Same version of Ansible on the controller and all the hosts? Assuming there is no Ansible mismatch in between. Or Python differences.
I sometimes had deprecated things pop up on my Fedora control host, then compared to a Debian 11 control host - due to Ansible versions. So if something like this, the deprecation can be ignored for now.
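The password reset described in the opening post, written out as an added example that is not taken from any post in this thread. It assumes the inventory name sd-123456, a vault-encrypted host_vars file, and a second variable named passwd_microlinux; only passwd_root appears in the thread.

```yaml
---
# Added example. Assumed layout (not from the thread):
#   host_vars/sd-123456/vault.yml, encrypted with ansible-vault, defining
#     passwd_root:       plain-text password for root
#     passwd_microlinux: plain-text password for microlinux (assumed name)
- name: Replace the passwords set through the web installer
  hosts: sd-123456
  become: true

  tasks:
    - name: Set password hashes for root and microlinux
      ansible.builtin.user:
        name: "{{ item.name }}"
        # The user module expects a crypt-style hash, not plain text.
        # password_hash is a Jinja2 filter, so it is evaluated on the
        # control node and only the hash is sent to the target.
        # A salt seeded from the host name keeps the hash stable between
        # runs, so the task reports "changed" only when the password does.
        password: >-
          {{ item.secret
             | password_hash('sha512',
                             65534 | random(seed=inventory_hostname) | string) }}
        update_password: always
      loop:
        - { name: root, secret: "{{ passwd_root }}" }
        - { name: microlinux, secret: "{{ passwd_microlinux }}" }
      # Keep both the plain-text values and the hashes out of task output
      # and logs, including -v runs.
      no_log: true
```

Run it with `ansible-playbook --ask-vault-pass` (or a vault password file) so the encrypted variables can be decrypted at run time.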