configpolicy/group_vars/pyrocufflink/root-password.yml

root_password: |
  -----BEGIN AGE ENCRYPTED FILE-----
  YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSY3JZdjhyKzhVYUloZ1Vn
  Y1NZSHVaNDJLRjZBVkdvNHhSR2d5Q0JMc3djCmszc0ozTFVObFBhWEl4WExYd3pp
  d2IzSGExUlI3eGtDOTBJejRjTWoveDgKLS0tIHNxa1NMYmduM2ZDWHNKWUw0M21N
  Z1J3MU10bXRmendiN2M1VWVxb1Brc1EKslZr6qvtp1RCGl2+9fbuHY34+qS5xQRE
  BqegwvR31NA1/I3ULLEmem7/ysdH/qWemlSvkIhmITExDTiNQ7IWiw==
  -----END AGE ENCRYPTED FILE-----
root_password_hash: >-
  {{
    root_password
    | decrypt
    | password_hash(
        'sha512',
        65534 | random(seed=inventory_hostname) | string
    )
  }}