diff --git a/roles/global_defaults/tasks/_validate_input.yml b/roles/global_defaults/tasks/_validate_input.yml
index 48cf5d7..05c9015 100644
--- a/roles/global_defaults/tasks/_validate_input.yml
+++ b/roles/global_defaults/tasks/_validate_input.yml
@@ -8,11 +8,11 @@
 that:
 - system is mapping
 - system.network is not defined or system.network is mapping
- - system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping)
+ - system.users is not defined or system.users is mapping
 - system.root is not defined or system.root is mapping
 - system.luks is not defined or system.luks is mapping
 - system.features is not defined or system.features is mapping
- fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list."
+ fail_msg: "system and its nested keys (network, root, luks, features, users) must be dictionaries."
 quiet: true
 
- name: Validate DNS lists (not strings)
diff --git a/roles/virtualization/templates/cloud-user-data.yml.j2 b/roles/virtualization/templates/cloud-user-data.yml.j2
index 25fbeb5..bd0134a 100644
--- a/roles/virtualization/templates/cloud-user-data.yml.j2
+++ b/roles/virtualization/templates/cloud-user-data.yml.j2
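Review bot: The new `system.users is mapping` assertion validates only the container, not the per-user values, while the consumer in roles/virtualization/templates/cloud-user-data.yml.j2 (second hunk) reads `attrs.sudo`, `attrs.password` and `'keys' in attrs` on every value; a user written as a bare key (`alice:`, which YAML loads as null) or as a scalar therefore passes this check and fails only at template render time. A one-line tightening on the same list item would be `- system.users is not defined or (system.users is mapping and system.users | dict2items | rejectattr('value', 'mapping') | list | length == 0)`, with fail_msg extended to say that each users entry must itself be a dictionary. The enclosing assert task begins before this hunk.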
@@ -4,18 +4,22 @@ ssh_pwauth: true
 package_update: false
 package_upgrade: false
 users:
-{% for user in system_cfg.users %}
- - name: "{{ user.name }}"
- primary_group: "{{ user.name }}"
+{% for username, attrs in system_cfg.users.items() %}
+ - name: "{{ username }}"
+ primary_group: "{{ username }}"
 groups: users
-{% if user.sudo | default(false) | bool %}
+{% if attrs.sudo | default(false) | bool %}
 sudo: "ALL=(ALL) NOPASSWD:ALL"
 {% endif %}
- passwd: "{{ user.password | password_hash('sha512') }}"
+{% if attrs.password | default('') | length > 0 %}
+ passwd: "{{ attrs.password | password_hash('sha512') }}"
 lock_passwd: false
-{% if 'keys' in user and user['keys'] is iterable and user['keys'] is not string and user['keys'] | length > 0 %}
+{% else %}
+ lock_passwd: true
+{% endif %}
+{% if 'keys' in attrs and attrs['keys'] is iterable and attrs['keys'] is not string and attrs['keys'] | length > 0 %}
 ssh_authorized_keys:
-{% for key in user['keys'] %}
+{% for key in attrs['keys'] %}
 - "{{ key }}"
 {% endfor %}
 {% endif %}
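Review bot: `'keys' in attrs` on the new `{% if 'keys' in attrs ... %}` line raises a TypeError when a user entry carries no attributes (`alice:` loads as null), since `in` on None is not iterable; the earlier `attrs.sudo | default(false)` and `attrs.password | default('')` appear to tolerate that case, so rendering fails part-way through such a user rather than up front. Normalising once at the top of the loop, `{% set attrs = attrs | default({}, true) %}` immediately after the `{% for username, attrs in system_cfg.users.items() %}` line, makes the whole body safe for attribute-less users, who then get `lock_passwd: true` and no authorized keys — the conservative outcome the new else branch intends. The outer users loop's `{% endfor %}` lies beyond this hunk.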