refactor(users): change system.users from list to dict keyed by username

roles/configuration/tasks/sudo.yml

@@ -15,15 +15,15 @@
     validate: /usr/sbin/visudo --check --file=%s
 
 - name: Deploy per-user sudoers rules
-  when: item.sudo | default(false)
+  when: item.value.sudo | default(false)
   vars:
     configuration_sudoers_rule: >-
-      {{ item.sudo if item.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
+      {{ item.value.sudo if item.value.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
   ansible.builtin.copy:
-    content: "{{ item.name }} {{ configuration_sudoers_rule }}\n"
-    dest: "/mnt/etc/sudoers.d/{{ item.name }}"
+    content: "{{ item.key }} {{ configuration_sudoers_rule }}\n"
+    dest: "/mnt/etc/sudoers.d/{{ item.key }}"
     mode: "0440"
     validate: /usr/sbin/visudo --check --file=%s
-  loop: "{{ system_cfg.users }}"
+  loop: "{{ system_cfg.users | dict2items }}"
   loop_control:
-    label: "{{ item.name }}"
+    label: "{{ item.key }}"

roles/configuration/tasks/users.yml

@@ -26,44 +26,43 @@
 - name: Create user accounts
   vars:
     configuration_user_group: "{{ _configuration_platform.user_group }}"
-    # UID starts at 1000; safe for fresh installs only
     configuration_useradd_cmd: >-
       {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
-      --uid {{ 1000 + ansible_loop.index0 }}
-      --groups {{ configuration_user_group }} {{ item.name }}
-      --password {{ item.password | password_hash('sha512') }} --shell {{ item.shell | default('/bin/bash') }}
+      --uid {{ 1000 + _idx }}
+      --groups {{ configuration_user_group }} {{ item.key }}
+      {{ ('--password ' ~ (item.value.password | password_hash('sha512'))) if (item.value.password | default('') | string | length > 0) else '' }}
+      --shell {{ item.value.shell | default('/bin/bash') }}
   ansible.builtin.command: "{{ configuration_useradd_cmd }}"
-  loop: "{{ system_cfg.users }}"
+  loop: "{{ system_cfg.users | dict2items }}"
   loop_control:
-    extended: true
-    label: "{{ item.name }}"
+    index_var: _idx
+    label: "{{ item.key }}"
   register: configuration_user_result
   changed_when: configuration_user_result.rc == 0
   no_log: true
 
 - name: Ensure .ssh directory exists
-  when: "'keys' in item and item['keys'] is iterable and item['keys'] is not string and item['keys'] | length > 0"
+  when: (item.value['keys'] | default([]) | length) > 0
   ansible.builtin.file:
-    path: "/mnt/home/{{ item.name }}/.ssh"
+    path: "/mnt/home/{{ item.key }}/.ssh"
     state: directory
-    owner: "{{ 1000 + ansible_loop.index0 }}"
-    group: "{{ 1000 + ansible_loop.index0 }}"
+    owner: "{{ 1000 + _idx }}"
+    group: "{{ 1000 + _idx }}"
     mode: "0700"
-  loop: "{{ system_cfg.users }}"
+  loop: "{{ system_cfg.users | dict2items }}"
   loop_control:
-    extended: true
-    label: "{{ item.name }}"
+    index_var: _idx
+    label: "{{ item.key }}"
 
-- name: Add SSH public keys to authorized_keys
-  vars:
-    configuration_uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}"
-  ansible.builtin.lineinfile:
-    path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys"
-    line: "{{ item.1 }}"
-    owner: "{{ configuration_uid }}"
-    group: "{{ configuration_uid }}"
+- name: Deploy SSH authorized_keys
+  when: (item.value['keys'] | default([]) | length) > 0
+  ansible.builtin.copy:
+    content: "{{ item.value['keys'] | join('\n') }}\n"
+    dest: "/mnt/home/{{ item.key }}/.ssh/authorized_keys"
+    owner: "{{ 1000 + _idx }}"
+    group: "{{ 1000 + _idx }}"
     mode: "0600"
-    create: true
-  loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"
+  loop: "{{ system_cfg.users | dict2items }}"
   loop_control:
-    label: "{{ item.0.name }}: {{ item.1[:40] }}..."
+    index_var: _idx
+    label: "{{ item.key }}"

roles/global_defaults/defaults/main.yml

@@ -85,7 +85,7 @@ system_defaults:
   mirror: ""
   packages: []
   disks: []
-  users: []
+  users: {}
   root:
     password: ""
     shell: "/bin/bash"

roles/global_defaults/tasks/_normalize_system.yml

@@ -96,7 +96,7 @@
         }}
       # --- Storage & accounts ---
       disks: "{{ system_raw.disks | default([]) }}"
-      users: "{{ system_raw.users | default([]) }}"
+      users: "{{ system_raw.users | default({}) }}"
       root:
         password: "{{ system_raw.root.password | string }}"
         shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}"

roles/global_defaults/tasks/_validate_input.yml

@@ -25,17 +25,17 @@
     quiet: true
 
 - name: Validate system.users entries
-  when: system.users is defined and system.users | length > 0
+  when: system.users is defined and system.users is mapping and system.users | length > 0
   ansible.builtin.assert:
     that:
-      - item is mapping
-      - item.name is defined and (item.name | string | length) > 0
-      - item['keys'] is not defined or (item['keys'] is iterable and item['keys'] is not string)
-    fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
+      - item.value is mapping
+      - item.key | string | length > 0
+      - item.value['keys'] is not defined or (item.value['keys'] is iterable and item.value['keys'] is not string)
+    fail_msg: "Each system.users entry must be a dict keyed by username; 'keys' must be a list."
     quiet: true
-  loop: "{{ system.users }}"
+  loop: "{{ system.users | dict2items }}"
   loop_control:
-    label: "{{ item.name | default('(unnamed)') }}"
+    label: "{{ item.key }}"
 
 - name: Validate system features input types
   when: system.features is defined

roles/global_defaults/tasks/main.yml

@@ -81,10 +81,12 @@
   when:
     - system_cfg.type == "virtual"
     - hypervisor_type != "vmware"
+  vars:
+    _primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
   ansible.builtin.set_fact:
-    ansible_user: "{{ system_cfg.users[0].name }}"
-    ansible_password: "{{ system_cfg.users[0].password }}"
-    ansible_become_password: "{{ system_cfg.users[0].password }}"
+    ansible_user: "{{ _primary.key }}"
+    ansible_password: "{{ _primary.value.password }}"
+    ansible_become_password: "{{ _primary.value.password }}"
     ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
   no_log: true
 

roles/global_defaults/tasks/validation.yml

@@ -261,13 +261,16 @@
     fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size."
     quiet: true
 
-- name: Validate at least one user is defined
+- name: Validate at least one user with a password is defined
+  vars:
+    _pw_users: "{{ system_cfg.users | dict2items | selectattr('value.password', 'defined') | list }}"
   ansible.builtin.assert:
     that:
-      - system_cfg.users | default([]) | length > 0
-      - system_cfg.users[0].name is defined and (system_cfg.users[0].name | string | length) > 0
-      - system_cfg.users[0].password is defined and (system_cfg.users[0].password | string | length) > 0
-    fail_msg: "At least one user with a name and password must be defined in system.users[]."
+      - system_cfg.users | default({}) | length > 0
+      - _pw_users | length > 0
+      - _pw_users[0].key | string | length > 0
+      - _pw_users[0].value.password | string | length > 0
+    fail_msg: "At least one user with a password must be defined in system.users."
     quiet: true
   no_log: true
 

roles/virtualization/tasks/proxmox.yml

@@ -35,8 +35,8 @@
           {%- endfor -%}
           {{ out }}
       community.proxmox.proxmox_kvm:
-        ciuser: "{{ system_cfg.users[0].name }}"
-        cipassword: "{{ system_cfg.users[0].password }}"
+        ciuser: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).key }}"
+        cipassword: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).value.password }}"
         ciupgrade: false
         vmid: "{{ system_cfg.id }}"
         name: "{{ hostname }}"