From 0cdef8be5b91e3a6ea437554f03b8fb1379bfee8 Mon Sep 17 00:00:00 2001
From: Peter <peter@pfoe.be>
Date: Sat, 30 May 2026 19:29:39 +0200
Subject: [PATCH] only set root pass/ssh keys if vars are set

---
 roles/baseline/tasks/rootuser.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/roles/baseline/tasks/rootuser.yml b/roles/baseline/tasks/rootuser.yml
index 854a42c..5bd0ee3 100644
--- a/roles/baseline/tasks/rootuser.yml
+++ b/roles/baseline/tasks/rootuser.yml
@@ -2,6 +2,7 @@
   ansible.builtin.user:
     name: root
     password: "{{ root_password }}"
+  when: root_password is defined
 
 - name: Ensure ssh directory for root
   ansible.builtin.file:
@@ -10,6 +11,7 @@
     owner: root
     group: root
     mode: "0700"
+  when: root_sshkeys is defined
 
 - name: Set authorized keys for root
   ansible.builtin.copy:
@@ -18,6 +20,7 @@
     owner: root
     group: root
     mode: "0600"
+  when: root_sshkeys is defined
 
 - name: Only allow root ssh
   ansible.builtin.lineinfile:
@@ -25,3 +28,4 @@
     line: "PermitRootLogin prohibit-password"
     regexp: "^PermitRootLogin "
   notify: Restart sshd
+  when: root_sshkeys is defined