From 6bfaa0aa2b921eb159ccbd4b6bba84eb3d707ebf Mon Sep 17 00:00:00 2001
From: sandwich <sandwich@archworks.co>
Date: Thu, 16 Apr 2026 15:26:34 +0200
Subject: [PATCH] fix(configuration): guard user keys access to avoid
 dict.keys() method collision

---
 roles/configuration/tasks/users.yml             | 4 ++--
 roles/global_defaults/tasks/_validate_input.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml
index 1eefb9c..ac297df 100644
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -42,7 +42,7 @@
   no_log: true
 
 - name: Ensure .ssh directory exists
-  when: (item.value['keys'] | default([]) | length) > 0
+  when: ('keys' in item.value) and (item.value['keys'] | length) > 0
   ansible.builtin.file:
     path: "/mnt/home/{{ item.key }}/.ssh"
     state: directory
@@ -55,7 +55,7 @@
     label: "{{ item.key }}"
 
 - name: Deploy SSH authorized_keys
-  when: (item.value['keys'] | default([]) | length) > 0
+  when: ('keys' in item.value) and (item.value['keys'] | length) > 0
   ansible.builtin.copy:
     content: "{{ item.value['keys'] | join('\n') }}\n"
     dest: "/mnt/home/{{ item.key }}/.ssh/authorized_keys"
diff --git a/roles/global_defaults/tasks/_validate_input.yml b/roles/global_defaults/tasks/_validate_input.yml
index 05c9015..7c2281c 100644
--- a/roles/global_defaults/tasks/_validate_input.yml
+++ b/roles/global_defaults/tasks/_validate_input.yml
@@ -30,7 +30,7 @@
     that:
       - item.value is mapping
       - item.key | string | length > 0
-      - item.value['keys'] is not defined or (item.value['keys'] is iterable and item.value['keys'] is not string)
+      - ('keys' not in item.value) or (item.value['keys'] is iterable and item.value['keys'] is not string)
     fail_msg: "Each system.users entry must be a dict keyed by username; 'keys' must be a list."
     quiet: true
   loop: "{{ system.users | dict2items }}"