fix(configuration): make root password, user keys, and sudo all optional

roles/configuration/tasks/users.yml

@@ -1,5 +1,6 @@
 ---
 - name: Set root password
+  when: (system_cfg.root.password | default('') | string | length) > 0
   ansible.builtin.shell: >-
     set -o pipefail &&
     echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
@@ -9,6 +10,13 @@
   changed_when: configuration_root_result.rc == 0
   no_log: true
 
+- name: Lock root account when no password is set
+  when: (system_cfg.root.password | default('') | string | length) == 0
+  ansible.builtin.command: >-
+    {{ chroot_command }} /usr/bin/passwd -l root
+  register: configuration_root_lock_result
+  changed_when: configuration_root_lock_result.rc == 0
+
 - name: Set root shell
   ansible.builtin.command: >-
     {{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root
@@ -34,7 +42,7 @@
   no_log: true
 
 - name: Ensure .ssh directory exists
-  when: item['keys'] | default([]) | length > 0
+  when: "'keys' in item and item['keys'] is iterable and item['keys'] is not string and item['keys'] | length > 0"
   ansible.builtin.file:
     path: "/mnt/home/{{ item.name }}/.ssh"
     state: directory