Add password_lock option to server.user operation, or in general make it possible to delete a password

[moqmar]

Is your feature request related to a problem? Please describe

I use PyInfra to manage actual people's accounts on devices. They should be able to set their passwords manually with "passwd" on the devices, instead of keeping a central database of all user's password hashes, hence I can't just set a password in the server.user operation.

By default, the server.user operation creates a locked password if none is set (making it impossible to change it with "passwd" without sudo), and overwrites the existing password if one is set in the operation. Both are not what I want.

I could use facts to depend on whether the user has a locked password and then remove it, but this leads to another issue: if I set the password to "" in the user operation, it will not do anything as it is falsy and thus PyInfra treats it not as a set argument, requiring a workaround involving a shell operation to call "passwd -d ".

Describe the solution you'd like

It should be allowed to delete a password. This could be done without changing current behaviour by adding a password_lock option as Ansible does, which - if set to False - sets the password to "deleted" instead of "locked".

I would prefer this approach compared to just allowing empty strings as password hashes, as it solves my problem of not wanting to override the password if it exists.