From b1e938b7f093324b9aec878a00b824cc9db480bd Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Sat, 30 May 2026 18:05:05 +0200
Subject: [PATCH] fix(users): accept plaintext or pre-hashed passwords uniformly
---
 roles/configuration/tasks/users.yml | 9 +++++++--
 roles/virtualization/templates/cloud-user-data.yml.j2 | 5 ++++-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml
index ac297df..73b2bfb 100644
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -3,7 +3,8 @@
 when: (system_cfg.root.password | default('') | string | length) > 0
 ansible.builtin.shell: >-
 set -o pipefail &&
- echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
+ echo 'root:{{ system_cfg.root.password if (system_cfg.root.password | string)[:1] == "$" else system_cfg.root.password | password_hash("sha512") }}'
+ | {{ chroot_command }} /usr/sbin/chpasswd -e
 args:
 executable: /bin/bash
 register: configuration_root_result
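Review bot: The new `$`-prefix branch drops the configured value verbatim into the single-quoted `echo 'root:…'` shell string, whereas the old path always passed it through `password_hash`, whose output contains no quote characters; a value containing `'` (including a plaintext password that merely starts with `$`) now terminates the quote and the remainder is interpreted by bash, and the same heuristic recurs in `configuration_user_pw` in the second hunk. A first-character test also classifies any `$…` string as a crypt hash, which `chpasswd -e` presumably stores as-is and which will then never match at login. I'd recognise a hash with a stricter test, `system_cfg.root.password is match('^\\$[0-9a-z]+\\$')`, and remove the shell quoting problem entirely by feeding chpasswd through the command module's `stdin`, as sketched below; `args.executable` is then unnecessary. The task begins above the hunk.
```yaml
  vars:
    configuration_root_pw: >-
      {{ system_cfg.root.password if system_cfg.root.password is match('^\\$[0-9a-z]+\\$')
      else system_cfg.root.password | password_hash('sha512') }}
  ansible.builtin.command:
    cmd: "{{ chroot_command }} /usr/sbin/chpasswd -e"
    stdin: "root:{{ configuration_root_pw }}"
  # … unchanged: register: configuration_root_result …
```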
@@ -26,11 +27,15 @@
 - name: Create user accounts
 vars:
 configuration_user_group: "{{ _configuration_platform.user_group }}"
+ # plaintext is hashed; a pre-computed crypt hash ($6$/$y$/...) passes through.
+ configuration_user_pw: >-
+ {{ item.value.password if (item.value.password | string)[:1] == '$'
+ else item.value.password | password_hash('sha512') }}
 configuration_useradd_cmd: >-
 {{ chroot_command }} /usr/sbin/useradd --create-home --user-group --uid {{ 1000 + _idx }} --groups {{ configuration_user_group }} {{ item.key }}
- {{ ('--password ' ~ (item.value.password | password_hash('sha512'))) if (item.value.password | default('') | string | length > 0) else '' }}
+ {{ ('--password ' ~ configuration_user_pw) if (item.value.password | default('') | string | length > 0) else '' }}
 --shell {{ item.value.shell | default('/bin/bash') }}
 ansible.builtin.command: "{{ configuration_useradd_cmd }}"
 loop: "{{ system_cfg.users | dict2items }}"
diff --git a/roles/virtualization/templates/cloud-user-data.yml.j2 b/roles/virtualization/templates/cloud-user-data.yml.j2
index bd0134a..a736b2c 100644
--- a/roles/virtualization/templates/cloud-user-data.yml.j2
+++ b/roles/virtualization/templates/cloud-user-data.yml.j2
@@ -8,7 +8,10 @@ users:
 - name: "{{ username }}"
 primary_group: "{{ username }}"
 groups: users
-{% if attrs.sudo | default(false) | bool %}
+{% set _sudo = attrs.sudo | default(false) %}
+{% if _sudo is string %}
+ sudo: "{{ _sudo }}"
+{% elif _sudo | bool %}
 sudo: "ALL=(ALL) NOPASSWD:ALL"
 {% endif %}
 {% if attrs.password | default('') | length > 0 %}
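Review bot: `configuration_user_pw` dereferences `item.value.password` with no `default('')`, unlike the guard in `configuration_useradd_cmd` that reads `item.value.password | default('') | string | length > 0`, so a user entry without a password only avoids an undefined-variable error because Jinja's inline `if` never evaluates the operand of the untaken branch; I'd write `item.value.password | default('')` in both places inside the new var so it stands on its own. Passing a configured value straight through also means a string containing whitespace would be split into several arguments by `ansible.builtin.command`, which the old always-hashed form could not produce, though a well-formed crypt string has none. The hash ends up in the useradd argument list either way, which is pre-existing but worth a `no_log: true` on the task if it is not already set below. The task continues past the hunk (`_idx` must come from a `loop_control` that is not shown).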
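Review bot: Every string value now takes the `is string` branch, so a quoted `"true"` or `"yes"` that the old `| bool` test turned into the NOPASSWD rule is written verbatim as the sudo rule, and a string containing `"` or `\` breaks the generated YAML because `sudo: "{{ _sudo }}"` interpolates without escaping. I'd send boolean-looking strings back to the bool branch and let the serializer do the quoting: `{% if _sudo is string and (_sudo | lower) not in ['true', 'yes', 'false', 'no'] %}` followed by `  sudo: {{ _sudo | to_json }}`. A list of rules, which cloud-init documents as an accepted form for `sudo`, falls through to `_sudo | bool` and is presumably dropped; if lists are meant to be supported they need their own branch. The `users:` entry continues below the hunk.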