From 398f1b081d9ef74cd8b50542b79bb2c1e614a0a6 Mon Sep 17 00:00:00 2001
From: MORAWSKI Norbert
Date: Fri, 20 Mar 2026 02:03:48 +0100
Subject: [PATCH] fix(configuration): make root password, user keys, and sudo all optional
---
 roles/configuration/tasks/users.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml
index d952839..e1dd280 100644
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -1,5 +1,6 @@
 ---
 - name: Set root password
+ when: (system_cfg.root.password | default('') | string | length) > 0
 ansible.builtin.shell: >-
 set -o pipefail && echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
@@ -9,6 +10,13 @@
 changed_when: configuration_root_result.rc == 0
 no_log: true
+- name: Lock root account when no password is set
+ when: (system_cfg.root.password | default('') | string | length) == 0
+ ansible.builtin.command: >-
+ {{ chroot_command }} /usr/bin/passwd -l root
+ register: configuration_root_lock_result
+ changed_when: configuration_root_lock_result.rc == 0
+
 - name: Set root shell
 ansible.builtin.command: >-
 {{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root
@@ -34,7 +42,7 @@
 no_log: true
 - name: Ensure .ssh directory exists
- when: item['keys'] | default([]) | length > 0
+ when: "'keys' in item and item['keys'] is iterable and item['keys'] is not string and item['keys'] | length > 0"
 ansible.builtin.file:
 path: "/mnt/home/{{ item.name }}/.ssh"
 state: directory
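Review bot: `changed_when: configuration_root_lock_result.rc == 0` on the new "Lock root account" task reports a change on every run, because `passwd -l` exits 0 whether or not root was already locked, so the task is not idempotent; if accurate reporting is not needed, `changed_when: false` is the minimal fix, otherwise register a pre-check of root's shadow entry through `{{ chroot_command }}` and skip the lock when the password field already starts with `!`. The `when` on this task is the first hunk's condition with `== 0`, so the two expressions can drift apart; computing the boolean once with `set_fact` and using it in both tasks would keep them in step. Note also that locking the password field only disables password authentication for root — key-based SSH login and sudo-based escalation are unaffected — so a comment such as `# Locks password auth only; root login via SSH keys or sudo is governed elsewhere` above the task would prevent readers from assuming more than it does. Whether sshd or sudo configuration elsewhere in the role enforces that is not visible in this patch.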
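Review bot: The leading `'keys' in item` test in the rewritten condition on "Ensure .ssh directory exists" has a non-obvious reason that should be recorded above the task, e.g. `# 'keys' in item is required: item['keys'] on a dict without that key falls back to the dict .keys method in Jinja, which default([]) does not catch`; without that comment the expression looks redundant and is likely to be simplified back to the `item['keys'] | default([])` form this commit removes. The `is iterable and is not string` pair still admits a mapping, so a dict value passes the guard and reaches `| length`; if that matters, `item['keys'] is not mapping` is the missing test. The task that actually installs the keys lies outside this hunk and presumably needs the identical condition. Separately, the subject line says sudo becomes optional, but the diffstat lists only this file with 9 insertions and 1 deletion, none of which touch sudo, so either the subject or the patch is incomplete.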