rick-infra/roles/vaultwarden/tasks/hash_admin_token.yml

---
# Hash admin token on Ansible control node using argon2

- name: Check if argon2 is available on control node
  command: which argon2
  register: argon2_check
  delegate_to: localhost
  become: false
  changed_when: false
  failed_when: false

- name: Install argon2 on control node if not present
  package:
    name: argon2
    state: present
  delegate_to: localhost
  become: false
  when: argon2_check.rc != 0
  run_once: true

- name: Generate deterministic salt from domain
  set_fact:
    vaultwarden_salt_source: "{{ vaultwarden_domain }}-{{ vaultwarden_sso_authority }}"
  no_log: true

- name: Create base64-encoded salt for argon2
  shell: echo -n "{{ vaultwarden_salt_source }}" | sha256sum | cut -d' ' -f1 | head -c 22
  register: admin_token_salt
  delegate_to: localhost
  become: false
  changed_when: false
  no_log: true

- name: Hash admin token using argon2 (OWASP preset)
  shell: echo -n "{{ vaultwarden_admin_token_plain }}" | argon2 "{{ admin_token_salt.stdout }}" -id -t 2 -k 19456 -p 1 -e
  register: admin_token_hash_result
  delegate_to: localhost
  become: false
  changed_when: false
  no_log: true

- name: Extract hashed admin token
  set_fact:
    vaultwarden_admin_token_hashed: "{{ admin_token_hash_result.stdout | trim }}"
  no_log: true

- name: Display token hash status
  debug:
    msg: |
      Admin token hashed successfully on control node
      
      Hash algorithm: argon2id
      Preset: OWASP (m=19456, t=2, p=1)
      Format: PHC string (Vaultwarden compatible)
      Idempotent: Same token always produces same hash
      
      The hashed token will be used in the environment configuration