adding an option to specify a nopasswd user to the role because we cannot just rely on the OS-image having that