refactor(system_setup): rename bare 'password' var to user_password

The bare 'password' variable in user.yml could silently collide with any
same-named variable elsewhere in scope. Rename to user_password to
namespace it alongside username.

BREAKING CHANGE: callers passing 'password' to this role must rename it
to user_password.

roles/system_setup/README.md

@@ -16,7 +16,7 @@ Performs initial system configuration including user creation, SSH hardening, an
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `username` | `admin` | Username for the admin account |
-| `password` | *required* | Password for the admin user |
+| `user_password` | *required* | Password for the admin user |
 | `shell` | `/bin/bash` | Default shell for the user |
 | `passwordless_sudo` | `true` | Allow sudo without password |
 | `ssh_pubkey_file` | *required* | Path to SSH public key file |
@@ -28,7 +28,7 @@ Performs initial system configuration including user creation, SSH hardening, an
 You must provide these variables when using this role:
 
 ```yaml
-password: "your_secure_password"
+user_password: "your_secure_password"
 ssh_pubkey_file: "/path/to/your/public/key.pub"
 ```
 
@@ -40,7 +40,7 @@ ssh_pubkey_file: "/path/to/your/public/key.pub"
   include_role:
     name: system_setup
   vars:
-    password: "{{ admin_password }}"
+    user_password: "{{ admin_password }}"
     ssh_pubkey_file: "~/.ssh/id_rsa.pub"
 ```
 
@@ -51,7 +51,7 @@ ssh_pubkey_file: "/path/to/your/public/key.pub"
     name: system_setup
   vars:
     username: myuser
-    password: "{{ user_password }}"
+    user_password: "{{ vault_myuser_password }}"
     shell: /bin/zsh
     ssh_pubkey_file: "keys/mykey.pub"
     passwordless_sudo: false