diff --git a/roles/baseline/tasks/rootuser.yml b/roles/baseline/tasks/rootuser.yml
index 854a42c..5bd0ee3 100644
--- a/roles/baseline/tasks/rootuser.yml
+++ b/roles/baseline/tasks/rootuser.yml
@@ -2,6 +2,7 @@
 ansible.builtin.user:
 name: root
 password: "{{ root_password }}"
+ when: root_password is defined
 - name: Ensure ssh directory for root
 ansible.builtin.file:
@@ -10,6 +11,7 @@
 owner: root
 group: root
 mode: "0700"
+ when: root_sshkeys is defined
 - name: Set authorized keys for root
 ansible.builtin.copy:
@@ -18,6 +20,7 @@
 owner: root
 group: root
 mode: "0600"
+ when: root_sshkeys is defined
 - name: Only allow root ssh
 ansible.builtin.lineinfile:
@@ -25,3 +28,4 @@
 line: "PermitRootLogin prohibit-password"
 regexp: "^PermitRootLogin "
 notify: Restart sshd
+ when: root_sshkeys is defined
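Review bot: The guard added in the `@@ -2,6 +2,7 @@` hunk, `when: root_password is defined`, is also true when the variable is defined but empty or null, so the user task would still run and hand that value to `password:` for root. A stricter condition such as `when: root_password | default('', true) | length > 0` skips the task in those cases. The same applies to `root_sshkeys is defined` in the `@@ -10,6 +11,7 @@`, `@@ -18,6 +20,7 @@` and `@@ -25,3 +28,4 @@` hunks, where an empty key list would still pass. The password task begins outside the hunk, so it is not visible whether it carries `no_log: true`; that is worth confirming while touching it.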
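Review bot: In the `@@ -25,3 +28,4 @@` hunk the sshd restriction is now conditional on `root_sshkeys is defined`, so a host without a key list skips the `PermitRootLogin` line and keeps whatever its existing sshd configuration says, which may allow password login for root. That is the weakest outcome when `root_password` is set by the first task and no keys are supplied. The restriction should not depend on keys being provided: either drop the `when:` from this task, or add a sibling task with `line: "PermitRootLogin no"` under `when: root_sshkeys is not defined`. The task starts outside the hunk, so its `path:` and any other options are not visible here.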