## Context

Current inventory hardcodes `ansible_user: root`. The `ansible.cfg` already has `become = True` with `become_method = sudo`, which handles privilege escalation for non-root users. The main changes are updating the inventory placeholder, ensuring sshd config is compatible, and documenting the workflow.

## Goals / Non-Goals

**Goals:**

- Support both root and non-root SSH users out of the box
- SSH key is pre-configured by the user (not managed by Ansible)
- Clear documentation for SSH user setup

**Non-Goals:**

- SSH key deployment or management by Ansible
- Creating users on the server (user must exist beforehand)
- sudo password prompts (assume passwordless sudo for the configured user)

## Decisions

### 1. Inventory uses placeholder with comment, no default user

Change `ansible_user` to `"YOUR_SSH_USER"` with comments explaining both root and non-root options. Users fill in their actual username.

### 2. sshd_config allows root login with key only

Keep `PermitRootLogin prohibit-password` — this allows root SSH with key auth, which is fine for users who choose to connect as root. For non-root users, root SSH access becomes irrelevant since they use `become` for privilege escalation.

### 3. ansible.cfg become settings remain as-is

Current config already has `become = True` globally. This works correctly:

- As root: become is a no-op (already root)
- As non-root: `sudo` escalation kicks in

## Risks / Trade-offs

- **[Passwordless sudo required]** → Non-root users must have passwordless sudo. If not, they need `--ask-become-pass`. Mitigation: documented in README.
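
The passwordless-sudo risk and the `YOUR_SSH_USER` placeholder can both be caught before the first real task runs. The play below is an added example, not part of this project's playbooks; the file name `preflight.yml`, the play and task names, and the `sudo_probe` variable are assumptions.

```yaml
# preflight.yml (hypothetical file name): run before the main playbook.
- name: Preflight checks for the configured SSH user
  hosts: all
  gather_facts: false
  # Override the global `become = True` from ansible.cfg so these checks
  # still run when sudo would prompt for a password.
  become: false
  tasks:
    - name: Refuse to run with the inventory placeholder still in place
      ansible.builtin.assert:
        that:
          - ansible_user is defined
          - ansible_user != "YOUR_SSH_USER"
        fail_msg: "Set ansible_user in the inventory to root or an existing non-root user."

    - name: Probe for passwordless sudo (non-root users only)
      ansible.builtin.command:
        cmd: sudo -n true   # -n: fail instead of prompting for a password
      register: sudo_probe
      changed_when: false
      failed_when: false    # the result is evaluated in the next task
      when: ansible_user != "root"

    - name: Fail early when sudo needs a password
      ansible.builtin.assert:
        that:
          - sudo_probe.rc == 0
        fail_msg: >-
          {{ ansible_user }} cannot sudo without a password on
          {{ inventory_hostname }}; configure passwordless sudo or
          re-run with --ask-become-pass.
      when: ansible_user != "root"
```

The probe fails by design for users who rely on `--ask-become-pass`, so leave this play out of runs that use that flag.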