feat: add password for twirre user

group_vars/all/main.yml

@@ -29,6 +29,7 @@ ssh_admin_users:
   - name: twirre
     shell: /bin/bash
     groups: "{{ ssh_admin_groups }}"
+    password: "{{ vault_twirre_password_hash }}"
     authorized_keys:
       - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKSmroAJ4SDziZtwg+PCNITuhPim8oseq/sNwW0jTLJc twirre@gwen
       - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfapo7P0vmwkTdD9kkHaalk9U+JYIZuCp/hFTnPRqTp twirre@ben

group_vars/all/vault.example.yml

@@ -15,6 +15,10 @@ vault_gitea_secret_key: REPLACE_ME
 vault_gitea_internal_token: REPLACE_ME
 vault_gitea_lfs_jwt_secret: REPLACE_ME
 
+# Store a hash here, not the plaintext password.
+# Generate a SHA-512 password hash with: `openssl passwd -6`
+vault_twirre_password_hash: REPLACE_ME
+
 vault_mailserver_accounts: |
   # One account per line: email|{SCHEME}hashed-password
   # Example:

roles/bun_app/templates/bun-app.env.j2

@@ -1,4 +1,5 @@
-{% set app_vault_env = vars['vault_' + (bun_app.name | replace('-', '_')) + '_env'] | default({}) %}
+{% set app_vault_env_var = 'vault_' + (bun_app.name | replace('-', '_')) + '_env' %}
+{% set app_vault_env = lookup('vars', app_vault_env_var, default={}) %}
 {% set app_non_vault_env_keys = bun_app.non_vault_env_keys | default([]) %}
 {% set app_filtered_vault_env = app_vault_env | dict2items | rejectattr('key', 'in', app_non_vault_env_keys) | items2dict %}
 {% for key, value in (bun_app.env | combine(app_filtered_vault_env)) | dictsort %}

roles/ssh/tasks/main.yml

@@ -16,6 +16,8 @@
     name: "{{ item.name }}"
     shell: "{{ item.shell | default('/bin/bash') }}"
     groups: "{{ item.groups | default([]) }}"
+    password: "{{ item.password | default(omit) }}"
+    update_password: always
     append: true
     create_home: true
     state: present