diff --git a/mysql/defaults/main.yml b/mysql/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9622f41b6009206c6b71b358b66885ed69b617a8
--- /dev/null
+++ b/mysql/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+
+# yamllint disable-line rule:line-length
+mysql_root_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql create=true length=20') }}"
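Review bot: The `{{ ansible_hostname }}` nested inside the lookup's quoted argument on the `mysql_root_password` line is only expanded if the lookup templates its own terms. If it is not expanded, the path stays literal and every host would read and create the same password-store entry, which means one shared root password. Building the path by concatenation avoids depending on that: `mysql_root_password: "{{ lookup('passwordstore', 'db/' ~ ansible_hostname ~ '-mysql create=true length=20') }}"`. Because role defaults have the lowest precedence, a comment such as `# Secret: override only from a vault or password store, never as plaintext inventory.` above the variable would help whoever overrides it. The path also keys on the short hostname, so two hosts with the same short name in different domains would presumably share an entry; confirm that this is intended.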
diff --git a/mysql/tasks/main.yml b/mysql/tasks/main.yml
index 905d6553e1a3318f5299e4654caf302536b6c351..26b0e4aafa6b6a4629f0b8254df25adda4604bf7 100644
--- a/mysql/tasks/main.yml
+++ b/mysql/tasks/main.yml
@@ -37,11 +37,9 @@
 - name: ensure the mysql root user exists and has the correct password
   mysql_user:
     name: root
-    # yamllint disable-line rule:line-length
-    password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql create=true length=20') }}"
+    password: "{{ mysql_root_password }}"
     login_user: root
-    # yamllint disable-line rule:line-length
-    login_password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql create=true length=20') }}"
+    login_password: "{{ mysql_root_password }}"
   register: mysql_root_creation_result
   no_log: true
   ignore_errors: true
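Review bot: With `password` and `login_password` both reading `{{ mysql_root_password }}`, this task can only succeed when the server already uses the stored value. `ignore_errors: true` turns every other outcome (server unreachable, a changed store entry, a module error) into the same failed result that triggers "initialize the mysql root user" in the next hunk, and that task connects without login credentials. A comment above the task would make the intent explicit, for example `# Fails by design on a fresh install where root has no password yet; the next task sets it.` Consider also narrowing the fallback condition to the access-denied case, so that unrelated failures stop the play rather than leading to an unauthenticated root login attempt; the module's error text is not visible here, so the exact match would need checking. The task may continue past the end of the hunk.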
@@ -52,8 +50,7 @@
 - name: initialize the mysql root user
   mysql_user:
     name: root
-    # yamllint disable-line rule:line-length
-    password: "{{ lookup('passwordstore', 'db/{{ ansible_hostname }}-mysql create=true length=20') }}"
+    password: "{{ mysql_root_password }}"
   no_log: true
   when: mysql_root_creation_result|failed
   tags: