feat: --password flag on droplet create and campaign deploy

franckferman · franckferman · commit 37c23896fa5d · 2026-03-23T17:25:16.000+01:00
diff --git a/cmd/campaign.go b/cmd/campaign.go
@@ -115,6 +115,7 @@ var (
 	campOperatorIP   string
 	campVPCAuto      bool
 	campTemplateVar  []string
+	campPassword     string
 )
 
 func init() {
@@ -136,6 +137,7 @@ func init() {
 	campaignDeployCmd.Flags().StringVar(&campOperatorIP, "operator-ip", "", "Operator IP used by firewall presets to restrict SSH (required when using --role with a preset)")
 	campaignDeployCmd.Flags().BoolVar(&campVPCAuto, "vpc-auto", false, "Automatically create a VPC in the campaign region and attach all Droplets")
 	campaignDeployCmd.Flags().StringArrayVar(&campTemplateVar, "template-var", nil, "Template variable: KEY=VALUE (repeatable, applies to all --template or role template=)")
+	campaignDeployCmd.Flags().StringVar(&campPassword, "password", "", "Set root password via cloud-init on all Droplets (injected into any template or user-data)")
 	campaignDeployCmd.MarkFlagRequired("name") //nolint:errcheck
 
 	// status & destroy
@@ -269,6 +271,9 @@ func runCampaignDeploySimple() error {
 	if err != nil {
 		return err
 	}
+	if campPassword != "" {
+		ud = injectPassword(ud, campPassword)
+	}
 
 	dropSvc, fwSvc, ripSvc, err := newCampaignClients()
 	if err != nil {
@@ -499,6 +504,9 @@ func runCampaignDeployRoles() error {
 				return err
 			}
 		}
+		if campPassword != "" {
+			ud = injectPassword(ud, campPassword)
+		}
 
 		step(fmt.Sprintf("[%s] Creating %d Droplet(s)  image=%s  size=%s",
 			color.CyanString(role.Name), role.Count, image, size))
diff --git a/cmd/droplet.go b/cmd/droplet.go
@@ -190,6 +190,7 @@ var (
 	sshPort        int
 	createTemplate    string
 	createTemplateVar []string
+	createPassword    string
 )
 
 func init() {
@@ -209,6 +210,7 @@ func init() {
 	dropletCreateCmd.Flags().BoolVar(&createBackups, "backups", false, "Enable automatic backups")
 	dropletCreateCmd.Flags().BoolVarP(&createWait, "wait", "w", false, "Wait until the Droplet is active and print its IP")
 	dropletCreateCmd.Flags().IntVarP(&createCount, "count", "c", 1, "Number of Droplets to provision in parallel (names become name-01, name-02, ...)")
+	dropletCreateCmd.Flags().StringVar(&createPassword, "password", "", "Set root password via cloud-init (injected into any --template or --user-data-file)")
 	dropletCreateCmd.MarkFlagRequired("name") //nolint:errcheck
 
 	// delete flags
@@ -457,6 +459,29 @@ func runDropletGet(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
+// injectPassword inserts root password setup lines into a cloud-init script.
+// If script is empty a minimal shebang is generated. The block is always
+// inserted right after the shebang line so it runs before any other logic.
+func injectPassword(script, password string) string {
+	block := fmt.Sprintf(
+		"echo %q | chpasswd\n"+
+			"sed -i 's/^#*PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config\n"+
+			"sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config\n"+
+			"systemctl restart ssh\n",
+		"root:"+password,
+	)
+	if script == "" {
+		return "#!/bin/bash\n" + block
+	}
+	if strings.HasPrefix(script, "#!") {
+		idx := strings.Index(script, "\n")
+		if idx >= 0 {
+			return script[:idx+1] + block + script[idx+1:]
+		}
+	}
+	return block + script
+}
+
 func runDropletCreate(cmd *cobra.Command, args []string) error {
 	if createCount < 1 {
 		return fmt.Errorf("--count must be >= 1")
@@ -466,6 +491,9 @@ func runDropletCreate(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	if createPassword != "" {
+		ud = injectPassword(ud, createPassword)
+	}
 
 	svc, err := newDropletService()
 	if err != nil {
