diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index f089e8f..cdf4309 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -20,6 +20,25 @@ provider "registry.terraform.io/hashicorp/external" {
 ]
 }
 
+provider "registry.terraform.io/hashicorp/random" {
+ version = "3.5.1"
+ hashes = [
+ "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+ "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+ "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+ "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+ "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+ "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+ "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+ "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+ "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+ "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+ "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+ ]
+}
+
 provider "registry.terraform.io/telmate/proxmox" {
 version = "2.9.14"
 constraints = "2.9.14"
diff --git a/.terraform/providers/registry.terraform.io/hashicorp/random/3.5.1/linux_amd64/terraform-provider-random_v3.5.1_x5 b/.terraform/providers/registry.terraform.io/hashicorp/random/3.5.1/linux_amd64/terraform-provider-random_v3.5.1_x5
new file mode 100755
index 0000000..a36c038
Binary files /dev/null and b/.terraform/providers/registry.terraform.io/hashicorp/random/3.5.1/linux_amd64/terraform-provider-random_v3.5.1_x5 differ
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3d2afa2
--- /dev/null
+++ b/README.md
@@ -0,0 +1,16 @@
+# Terraform Alpine VMs en Proxmox
+
+Configuración para desplegar máquinas virtuales usando [Terraform](https://www.terraform.io/)
+a partir de un template de proxmox con soporte de cloud-init basado en Alpine Linux
+e creado como se explica [neste artigo](https://tr4ck.net/~sergio/artigos/alpine-cloud-init.html).
+
+## Configuración no Proxmox
+É necesario no Proxmox crear un usuario e unhas «apikeys» para que o Terraform
+se poida conectar como se explica na [doc do provider](https://registry.terraform.io/providers/Telmate/proxmox/latest/docs).
+Logo copia env.sh.example a env.sh e configurao coas keys obtidas do Proxmox.
+
+## Configuración para o Terraform
+No arquivo vars.tf configura as variables como sigue:
+- proxmox_host: o nome do host Proxmox
+- template_name: o nome do template con cloud-init de Alpine a usar como base
+- ssh_key: a clave pública a usar para facer login por ssh nas VMs creadas
diff --git a/main.tf b/main.tf
index c5ffd5a..d9f3fb5 100644
--- a/main.tf
+++ b/main.tf
@@ -26,13 +26,19 @@ provider "proxmox" {
 pm_tls_insecure = true
 }
 
-# resource é o que queremos
-# unha entidade co nome "hashi" de tipo "proxmox_vm_qemu"
+# random passwords, we only want to allow access by ssh with keys
+resource "random_password" "password" {
+ length = 16
+ special = true
+ override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+# servers definition
 resource "proxmox_vm_qemu" "hashi_server" {
- count = 1 # cantidade de instancias, 0 para destruir todas
- name = "hashi-${count.index + 1}" # autonumera
- target_node = var.proxmox_host # definese no vars.tf
- clone = var.template_name #definese no vars.tf
+ count = 1 # num of instances, 0 to destroy all
+ name = "hashi-${count.index + 1}" # autonum
+ target_node = var.proxmox_host # defined in vars.tf
+ clone = var.template_name # defined in vars.tf
 full_clone = true
 
 # basic VM settings here. agent refers to guest agent
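Review bot: The new `random_password.password` resource is a single instance while `proxmox_vm_qemu.hashi_server` uses `count`, so every VM will receive the same `cipassword` (assigned in the later `@@ -74,7 +80,8 @@` hunk) as soon as `count` is raised above 1. Giving the password resource the same `count` and referencing `random_password.password[count.index].result` would yield one password per VM. The generated value is also stored in clear text in the Terraform state, so I would add a comment such as `# result is kept in plain text in the state file; keep state out of git and access-restricted`. Since the stated intent is key-only SSH access, the template presumably needs `PasswordAuthentication no` in its sshd_config, which this diff does not show. The `hashi_server` block continues outside this hunk.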
@@ -74,7 +80,8 @@ resource "proxmox_vm_qemu" "hashi_server" { # username by cloud-init ciuser = "alpine" - ssh_user = "alpine" + cipassword = random_password.password.result # needed for ssh access, without password cant login + # even though user has authorized_keys configured # sshkeys set using variables. the variable contains the text of the key. sshkeys = <