---
- name: Prepare password for user {{ username }}
  when:
    - password is defined
    - password != ""
    - password != '*'
  block:
    - name: Create idempotent salt for password
      set_fact:
        salt: "{{ ((username + inventory_hostname) | hash('sha512'))[:16] }}"

    - name: Encrypt password for user {{ username }}
      shell: python3 -c 'import crypt; print(crypt.crypt("{{ password }}", "$6${{ salt }}"))'
      register: username_shadowpw
      changed_when: false

- name: "Ensure user is configured correctly: {{ username }}"
  user:
    name: "{{ username }}"
    shell: /bin/bash
    generate_ssh_key: true
    password: "{{ username_shadowpw.stdout | default('*') }}"
    groups: "{{ user_groups | default('') }}"
    append: "{{ append | default('yes') }}"