refactor(users): change system.users from list to dict keyed by username

roles/global_defaults/tasks/_normalize_system.yml

@@ -96,7 +96,7 @@
         }}
       # --- Storage & accounts ---
       disks: "{{ system_raw.disks | default([]) }}"
-      users: "{{ system_raw.users | default([]) }}"
+      users: "{{ system_raw.users | default({}) }}"
       root:
         password: "{{ system_raw.root.password | string }}"
         shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}"

roles/global_defaults/tasks/_validate_input.yml

@@ -25,17 +25,17 @@
     quiet: true
 
 - name: Validate system.users entries
-  when: system.users is defined and system.users | length > 0
+  when: system.users is defined and system.users is mapping and system.users | length > 0
   ansible.builtin.assert:
     that:
-      - item is mapping
-      - item.name is defined and (item.name | string | length) > 0
-      - item['keys'] is not defined or (item['keys'] is iterable and item['keys'] is not string)
-    fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
+      - item.value is mapping
+      - item.key | string | length > 0
+      - item.value['keys'] is not defined or (item.value['keys'] is iterable and item.value['keys'] is not string)
+    fail_msg: "Each system.users entry must be a dict keyed by username; 'keys' must be a list."
     quiet: true
-  loop: "{{ system.users }}"
+  loop: "{{ system.users | dict2items }}"
   loop_control:
-    label: "{{ item.name | default('(unnamed)') }}"
+    label: "{{ item.key }}"
 
 - name: Validate system features input types
   when: system.features is defined

roles/global_defaults/tasks/main.yml

@@ -81,10 +81,12 @@
   when:
     - system_cfg.type == "virtual"
     - hypervisor_type != "vmware"
+  vars:
+    _primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
   ansible.builtin.set_fact:
-    ansible_user: "{{ system_cfg.users[0].name }}"
-    ansible_password: "{{ system_cfg.users[0].password }}"
-    ansible_become_password: "{{ system_cfg.users[0].password }}"
+    ansible_user: "{{ _primary.key }}"
+    ansible_password: "{{ _primary.value.password }}"
+    ansible_become_password: "{{ _primary.value.password }}"
     ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
   no_log: true
 

roles/global_defaults/tasks/validation.yml

@@ -261,13 +261,16 @@
     fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size."
     quiet: true
 
-- name: Validate at least one user is defined
+- name: Validate at least one user with a password is defined
+  vars:
+    _pw_users: "{{ system_cfg.users | dict2items | selectattr('value.password', 'defined') | list }}"
   ansible.builtin.assert:
     that:
-      - system_cfg.users | default([]) | length > 0
-      - system_cfg.users[0].name is defined and (system_cfg.users[0].name | string | length) > 0
-      - system_cfg.users[0].password is defined and (system_cfg.users[0].password | string | length) > 0
-    fail_msg: "At least one user with a name and password must be defined in system.users[]."
+      - system_cfg.users | default({}) | length > 0
+      - _pw_users | length > 0
+      - _pw_users[0].key | string | length > 0
+      - _pw_users[0].value.password | string | length > 0
+    fail_msg: "At least one user with a password must be defined in system.users."
     quiet: true
   no_log: true