From 6939f40a9fd74413827f87677344a8f0d6966ef6 Mon Sep 17 00:00:00 2001
From: Twirre Meulenbelt <43213592+TwirreM@users.noreply.github.com>
Date: Wed, 22 Apr 2026 18:48:28 +0200
Subject: [PATCH] feat: add password for twirre user

---
 group_vars/all/main.yml | 1 +
 group_vars/all/vault.example.yml | 4 ++++
 roles/bun_app/templates/bun-app.env.j2 | 3 ++-
 roles/ssh/tasks/main.yml | 2 ++
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/group_vars/all/main.yml b/group_vars/all/main.yml
index 9b51e4f..193e536 100644
--- a/group_vars/all/main.yml
+++ b/group_vars/all/main.yml
@@ -29,6 +29,7 @@ ssh_admin_users:
 - name: twirre
 shell: /bin/bash
 groups: "{{ ssh_admin_groups }}"
+ password: "{{ vault_twirre_password_hash }}"
 authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSmroAJ4SDziZtwg+PCNITuhPim8oseq/sNwW0jTLJc twirre@gwen
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfapo7P0vmwkTdD9kkHaalk9U+JYIZuCp/hFTnPRqTp twirre@ben
diff --git a/group_vars/all/vault.example.yml b/group_vars/all/vault.example.yml
index af5bdfc..1313a09 100644
--- a/group_vars/all/vault.example.yml
+++ b/group_vars/all/vault.example.yml
@@ -15,6 +15,10 @@ vault_gitea_secret_key: REPLACE_ME
 vault_gitea_internal_token: REPLACE_ME
 vault_gitea_lfs_jwt_secret: REPLACE_ME
 
+# Store a hash here, not the plaintext password.
+# Generate a SHA-512 password hash with: `openssl passwd -6`
+vault_twirre_password_hash: REPLACE_ME
+
 vault_mailserver_accounts: |
 # One account per line: email|{SCHEME}hashed-password
 # Example:
diff --git a/roles/bun_app/templates/bun-app.env.j2 b/roles/bun_app/templates/bun-app.env.j2
index 7b443b4..ca1b96a 100644
--- a/roles/bun_app/templates/bun-app.env.j2
+++ b/roles/bun_app/templates/bun-app.env.j2
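Review bot: The new `password: "{{ vault_twirre_password_hash }}"` line makes that vault variable mandatory for any play that renders `ssh_admin_users`, and nothing validates its content: a vault copied from `vault.example.yml` with `REPLACE_ME` left in place would be handed to the user module as the account's password hash. A pre-task assertion such as `- ansible.builtin.assert:` / `that: vault_twirre_password_hash is match('^\$')` / `fail_msg: vault_twirre_password_hash must be a crypt(3) hash, not a placeholder or plaintext` would fail fast before any account is touched. The other entries of `ssh_admin_users` and the start of the list are outside the hunk.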
@@ -1,4 +1,5 @@
-{% set app_vault_env = vars['vault_' + (bun_app.name | replace('-', '_')) + '_env'] | default({}) %}
+{% set app_vault_env_var = 'vault_' + (bun_app.name | replace('-', '_')) + '_env' %}
+{% set app_vault_env = lookup('vars', app_vault_env_var, default={}) %}
 {% set app_non_vault_env_keys = bun_app.non_vault_env_keys | default([]) %}
 {% set app_filtered_vault_env = app_vault_env | dict2items | rejectattr('key', 'in', app_non_vault_env_keys) | items2dict %}
 {% for key, value in (bun_app.env | combine(app_filtered_vault_env)) | dictsort %}
diff --git a/roles/ssh/tasks/main.yml b/roles/ssh/tasks/main.yml
index 84bdbf6..7ca2dc9 100644
--- a/roles/ssh/tasks/main.yml
+++ b/roles/ssh/tasks/main.yml
@@ -16,6 +16,8 @@
 name: "{{ item.name }}"
 shell: "{{ item.shell | default('/bin/bash') }}"
 groups: "{{ item.groups | default([]) }}"
+ password: "{{ item.password | default(omit) }}"
+ update_password: always
 append: true
 create_home: true
 state: present
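Review bot: This hunk rewrites how the per-app vault env mapping is resolved in `bun-app.env.j2`, which the commit subject (`feat: add password for twirre user`) and the diffstat-only message do not explain; either split it into its own commit or state in the message why `vars[...] | default({})` had to become `lookup('vars', ..., default={})`. As a point of naming, `app_vault_env_var` holds a variable name rather than a value, so `app_vault_env_var_name` would read more clearly next to `app_vault_env`, which holds the resolved mapping. The `for` loop body that consumes these variables is outside the hunk.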
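Review bot: `password: "{{ item.password | default(omit) }}"` puts the password hash into the loop item, and if this task iterates `ssh_admin_users` with `loop` or `with_items` (the loop line is outside the hunk) Ansible echoes each full item in the task result, so the hash would land in console output and any log sink even though the module redacts its own `password` argument; adding `loop_control:` / `  label: "{{ item.name }}"` to the task limits the echoed item to the user name. `update_password: always` is already the module's default, so the added line is documentary; a comment such as `# explicit: the vault hash is re-applied whenever it differs, not only at user creation` would record why it is spelled out. The task's name and loop lines are outside the hunk.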