---
- name: Generate & set random password for root
  ansible.builtin.user:
    name: root
    create_home: false
    # The rounds & salt MUST be set in the password_hash function if you don't want the task
    # to return 'changed' every time the playbook runs, updating the /etc/passwd file each time. Fun!
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/password_hash_filter.html
    password: "{{ lookup('ansible.builtin.password', password_dir + '/' + ansible_hostname + '/root_password', length=20) | password_hash('sha512', rounds=16384, salt=8008135) }}"
    update_password: always
  become: true
  become_method: sudo