From d091b6b50fc5129e7c3e0d41f986fddca7b34c8c Mon Sep 17 00:00:00 2001
From: Joakim Persson <joakim.persson@icloud.com>
Date: Sun, 19 Apr 2026 13:10:12 +0200
Subject: [PATCH] Add optional console password (chpasswd) to cloud-init and
 deploy docs

---
 deploy/README.md      | 26 ++++++++++++++++++++++++++
 deploy/cloud-init.yml | 12 ++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/deploy/README.md b/deploy/README.md
index 8897ac8..fe5b4a4 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -63,6 +63,32 @@ openstack server create \
 
 The VM boots with Docker installed, firewall configured (or skipped on OpenStack), and your SSH key authorized. Log in as the `devbox` user.
 
+### Console password (optional)
+
+The cloud-init template uses SSH key authentication only — no password is set by default. This is sufficient for normal use since the `devbox` user has passwordless `sudo`.
+
+A password is only needed for:
+
+- **Emergency console access** — logging in via OpenStack Horizon console (noVNC) or Proxmox VNC when SSH is unreachable
+- **`su - devbox`** — switching to the devbox user from another account
+
+To enable console access, uncomment the `chpasswd` block in `cloud-init.yml` before deploying:
+
+```yaml
+chpasswd:
+  expire: false
+  users:
+    - name: devbox
+      password: your-password-here
+      type: text
+```
+
+For an already-running VM, set a password via SSH:
+
+```bash
+sudo passwd devbox
+```
+
 ### Option 2: Post-install script (manual)
 
 On a fresh Debian/Ubuntu VM:
diff --git a/deploy/cloud-init.yml b/deploy/cloud-init.yml
index c35c0bc..cd8397b 100644
--- a/deploy/cloud-init.yml
+++ b/deploy/cloud-init.yml
@@ -23,6 +23,18 @@ users:
       # CUSTOMIZE: replace with your public SSH key
       - ssh-ed25519 AAAA... your-key-here
 
+# ── Optional: console password ───────────────────────────────────────
+# Uncomment to set a password for the devbox user. Only needed for
+# emergency access via the OpenStack/Proxmox console (VNC/noVNC).
+# SSH key authentication is used for normal access.
+#
+# chpasswd:
+#   expire: false
+#   users:
+#     - name: devbox
+#       password: your-password-here
+#       type: text
+
 # ── Locale and timezone ──────────────────────────────────────────────
 locale: en_US.UTF-8
 timezone: Europe/Stockholm