From 51c1c5b6119eee64337d0c13693335cfe22355bd Mon Sep 17 00:00:00 2001
From: patrick <patrickjaroszewski@protonmail.com>
Date: Sat, 27 Jun 2026 21:11:13 -0400
Subject: [PATCH] refactor(proxmox_lxc_provision): rename password vars and
 parameterize user name

Rename lxc_password to lxc_root_password for consistency with the new
lxc_user_password (replaces the previously bare 'password' variable in
post-clone.yml, which silently collided with any same-named caller var).
Add lxc_user_name (default: admin) so the non-root account managed in
post-clone.yml is no longer hardcoded. Apply default(omit) to the root
password in create.yml so it is genuinely optional as documented.

BREAKING CHANGE: callers passing lxc_password or a bare 'password' var
must rename to lxc_root_password and lxc_user_password respectively.
---
 roles/proxmox_lxc_provision/README.md            |  4 +++-
 roles/proxmox_lxc_provision/defaults/main.yml    |  1 +
 roles/proxmox_lxc_provision/tasks/create.yml     |  2 +-
 roles/proxmox_lxc_provision/tasks/post-clone.yml | 12 ++++++------
 roles/proxmox_lxc_provision/tasks/update.yml     |  2 +-
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/roles/proxmox_lxc_provision/README.md b/roles/proxmox_lxc_provision/README.md
index 75f322d..ae4728d 100755
--- a/roles/proxmox_lxc_provision/README.md
+++ b/roles/proxmox_lxc_provision/README.md
@@ -62,7 +62,9 @@ It also includes tasks which may be used individually:
 | `lxc_storage` | Target storage for the container | `local-zfs` |
 | `lxc_size` | Disk size in GB | `16` |
 | `lxc_disk` | The target storage and storage size | `local-zfs:16` |
-| `lxc_password` | The password for the root account | - |
+| `lxc_root_password` | Password for the root account. On creates from `lxc_template` it is set via the Proxmox API; on clones it is applied inside the container by `post-clone.yml`. | - |
+| `lxc_user_name` | Name of an additional non-root user to manage in `post-clone.yml` (clone path only). | `admin` |
+| `lxc_user_password` | Password for `lxc_user_name`. Only applied on the clone path via `post-clone.yml`. The user must already exist in the source template. | - |
 | `lxc_cores` | The number of CPU cores | `4` |
 | `lxc_memory` | Memory size in MB | `2048` |
 | `lxc_swap` | Swap memory size in MB | `2048` |
diff --git a/roles/proxmox_lxc_provision/defaults/main.yml b/roles/proxmox_lxc_provision/defaults/main.yml
index 1833ea8..e803cfd 100755
--- a/roles/proxmox_lxc_provision/defaults/main.yml
+++ b/roles/proxmox_lxc_provision/defaults/main.yml
@@ -25,3 +25,4 @@ lxc_nvidia_gpu_mount: false
 lxc_tags: ["ansible-managed"]
 lxc_clone_type: full
 lxc_start: true
+lxc_user_name: admin
diff --git a/roles/proxmox_lxc_provision/tasks/create.yml b/roles/proxmox_lxc_provision/tasks/create.yml
index b3bac4c..d586085 100755
--- a/roles/proxmox_lxc_provision/tasks/create.yml
+++ b/roles/proxmox_lxc_provision/tasks/create.yml
@@ -3,7 +3,7 @@
   community.proxmox.proxmox:
     vmid: "{{ lxc_vmid | default(omit) }}"
     hostname: "{{ lxc_hostname }}"
-    password: "{{ lxc_password }}"
+    password: "{{ lxc_root_password | default(omit) }}"
     ostemplate: "{{ lxc_template }}"
     cores: "{{ lxc_cores }}"
     memory: "{{ lxc_memory }}"
diff --git a/roles/proxmox_lxc_provision/tasks/post-clone.yml b/roles/proxmox_lxc_provision/tasks/post-clone.yml
index 7977e48..4f6ee8a 100755
--- a/roles/proxmox_lxc_provision/tasks/post-clone.yml
+++ b/roles/proxmox_lxc_provision/tasks/post-clone.yml
@@ -2,16 +2,16 @@
 - name: Change root password
   ansible.builtin.user:
     name: root
-    password: "{{ lxc_password | password_hash('sha512') }}"
+    password: "{{ lxc_root_password | password_hash('sha512') }}"
     update_password: always
-  when: lxc_password is defined
+  when: lxc_root_password is defined
 
-- name: Change admin password
+- name: Change user password
   ansible.builtin.user:
-    name: admin
-    password: "{{ password | password_hash('sha512') }}"
+    name: "{{ lxc_user_name }}"
+    password: "{{ lxc_user_password | password_hash('sha512') }}"
     update_password: always
-  when: password is defined
+  when: lxc_user_password is defined
 
 - name: Regenerate SSH host keys
   ansible.builtin.include_role:
diff --git a/roles/proxmox_lxc_provision/tasks/update.yml b/roles/proxmox_lxc_provision/tasks/update.yml
index 932f977..f5aa2a8 100755
--- a/roles/proxmox_lxc_provision/tasks/update.yml
+++ b/roles/proxmox_lxc_provision/tasks/update.yml
@@ -3,7 +3,7 @@
   community.proxmox.proxmox:
     vmid: "{{ lxc_vmid }}"
     hostname: "{{ lxc_hostname }}"
-    password: "{{ lxc_password | default(omit) }}"
+    password: "{{ lxc_root_password | default(omit) }}"
     cores: "{{ lxc_cores }}"
     memory: "{{ lxc_memory }}"
     swap: "{{ lxc_swap }}"