Locking down root
The sshd role heightens your server's security by providing better SSH defaults. SSH password authentication will be disabled. We encourage you to disable SSH root login as well. You may adjust these two particular options in group_vars/all/security.yml. See the README.md for more configuration options.
The first provision via the server.yml playbook will create the admin_user and set up related SSH keys. If you disable root login, subsequent connections will be made as the
Admin user sudoer password
When root login is disabled and the server.yml playbook connects as the admin_user, it will invoke sudo using the password in group_vars/<environment>/vault.yml. If you run the playbook with --ask-become-pass, Trellis will use the password you enter via the CLI. You are strongly encouraged to protect the sensitive vault_users information by enabling Ansible Vault.
The vault_sudoer_passwords dictionary is no longer used, having been replaced by vault_users in roots/trellis#614. Convert to the new variable format by inserting the raw (unhashed) password for each user into vault_users. The new format frees you from having to manually hash your passwords and from having to use the --ask-become-pass CLI option.
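A pre-provision check for the settings described above, as an added example that is not part of Trellis: it warns when SSH root login is still permitted, when a vault.yml is stored in plaintext, and when a plaintext vault.yml still carries the unused vault_sudoer_passwords dictionary. It assumes the root login option is the sshd_permit_root_login variable in group_vars/all/security.yml and that files encrypted with Ansible Vault begin with the $ANSIBLE_VAULT; header; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Trellis code). Usage after sourcing this file:
#   audit_trellis /path/to/trellis

# Succeeds if the file starts with the Ansible Vault header line.
is_vault_encrypted() {
  [ -f "$1" ] && head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Succeeds if security.yml sets sshd_permit_root_login (assumed variable
# name) to a false value. A missing file counts as "not disabled".
root_login_disabled() {
  grep -Eiq '^sshd_permit_root_login:[[:space:]]*"?(false|no)"?[[:space:]]*(#.*)?$' \
    "$1" 2>/dev/null
}

# Prints one WARN line per finding and a final count.
# Returns 0 only when there are no findings.
audit_trellis() {
  dir=$1
  findings=0
  if ! root_login_disabled "$dir/group_vars/all/security.yml"; then
    echo "WARN: SSH root login is not disabled in group_vars/all/security.yml"
    findings=$((findings + 1))
  fi
  for vault in "$dir"/group_vars/*/vault.yml; do
    [ -f "$vault" ] || continue
    # An encrypted file cannot be inspected further without the vault password.
    if is_vault_encrypted "$vault"; then
      continue
    fi
    echo "WARN: $vault is plaintext; vault_users passwords are exposed"
    findings=$((findings + 1))
    if grep -q '^vault_sudoer_passwords:' "$vault"; then
      echo "WARN: $vault still defines the unused vault_sudoer_passwords"
      findings=$((findings + 1))
    fi
  done
  echo "$findings finding(s)"
  [ "$findings" -eq 0 ]
}
```

The non-zero return on any finding lets the function gate a deploy script or CI job before the server.yml playbook runs.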