document root password rotation (tpo/tpa/team#41530)

service/password-manager.md

@@ -143,11 +143,54 @@ lesser priority, but should nevertheless be processed:
 It might be worth examining the service list to prioritize some of
 them.
 
+Note that it's impossible to change the following passwords:
+
+ * [DNSwl](https://www.dnswl.org/): they specifically refuse to allow users to change their
+   passwords (!) ("To avoid any risks of (reused) passwords leaking as
+   the result of a security incident, the dnswl.org team preferred to
+   use passwords generated server-side which can not be set by the
+   user.")
+
+The following need coordination with other teams:
+
+ * anti-censorship: `archive.org-gettor`, `google.com-gettor`
+
 ### root
 
-Next, the root passwords need to be rotated.
+Next, the root passwords should be rotated. This can be automated with
+a [Fabric](howto/fabric) task, and should be tested with a single host first:
 
-TODO: fabric task?
+    fab -H survey-01.torproject.org host.password-change --pass-dir=tor/root
+
+Then go on the host and try the generated password:
+
+    ssh survey-01.torproject.org
+
+then:
+
+    login root
+
+Typing the password should just work there. If you're confident in the
+procedure, this can be done for all hosts with the delicious:
+
+    fab -H $(
+      echo $(
+        ssh puppetdb-01.torproject.org curl -s -G http://localhost:8080/pdb/query/v4/facts \
+        | jq -r ".[].certname" | sort -u \
+      ) | sed 's/ /,/g'
+    ) host.password-change --pass-dir=tor/root
+
+If it fails on one of the host (e.g. typically `dal-rescue-02`), you can skip past that host with:
+
+    fab -H $(
+      echo $(
+        ssh puppetdb-01.torproject.org curl -s -G http://localhost:8080/pdb/query/v4/facts \
+        | jq -r ".[].certname" | sort -u \
+        | sed '0,/dal-rescue-02/d'
+      ) | sed 's/ /,/g'
+    ) host.password-change --pass-dir=tor/root
+
+Then the password needs to be reset on that host by hand.
 
 ### OOB