design.md 1.6 KB
Context
Current inventory hardcodes ansible_user: root. The ansible.cfg already has become = True with become_method = sudo, which handles privilege escalation for non-root users. The main changes are updating the inventory placeholder, ensuring sshd config is compatible, and documenting the workflow.
Goals / Non-Goals
Goals:
- Support both root and non-root SSH users out of the box
- SSH key is pre-configured by the user (not managed by Ansible)
- Clear documentation for SSH user setup
Non-Goals:
- SSH key deployment or management by Ansible
- Creating users on the server (user must exist beforehand)
- sudo password prompts (assume passwordless sudo for the configured user)
Decisions
1. Inventory uses placeholder with comment, no default user
Change ansible_user to "YOUR_SSH_USER" with comments explaining both root and non-root options. Users fill in their actual username.
2. sshd_config allows root login with key only
Keep PermitRootLogin prohibit-password — this allows root SSH with key auth, which is fine for users who choose to connect as root. For non-root users, root SSH access becomes irrelevant since they use become for privilege escalation.
3. ansible.cfg become settings remain as-is
Current config already has become = True globally. This works correctly:
- As root: become is a no-op (already root)
- As non-root:
sudoescalation kicks in
Risks / Trade-offs
- [Passwordless sudo required] → Non-root users must have passwordless sudo. If not, they need
--ask-become-pass. Mitigation: documented in README.