I could see this happening if you ran server.yml once (disables root), then changed the sshd_ports and/or admin_user in local files. The next time you run server.yml, a couple problems could happen:
- It can’t connect as
root, so it tries admin_user. But admin_user was admin the last time you ran server.yml so only admin is enabled on the server, not mikeadmin. The mikeadmin user won’t be able to connect.
- Unless ssh was set up on port 9394 from the beginning, you’d now be trying to connect on port 9394 but
server.yml won’t yet have set up that port, so the connection would refuse.
ssh root@ip
If root can connect on port 22 (i,e, ssh root@ip), try connecting on regular port 22 and running server.yml so it can add the new port 9394 option and add the mikeadmin user:
- omit
ansible_port from hosts/staging for now
- temporarily adjust ports configs:
sshd_ports:
- 22
- 9394
- run
ansible-playbook server.yml -e env=staging --tags users,sshd
- then reverse the edits above (add port back to
hosts/staging and leave only 9394 in sshd_ports) and run the same thing again:
ansible-playbook server.yml -e env=staging --tags users,sshd
This last command will leave only port 9394 operational and make sure future Trellis connection attempts try port 9394 instead of the default 22.
ssh admin@ip
If root can’t connect but admin can, still only on port 22 (i,e, ssh admin@ip), run server.yml to add the mikeadmin user and to configure port 9394.
- change
admin_user: admin
- add this entry to
users:
- name: mikeadmin
groups:
- sudo
keys:
- "{{ lookup('file', '~/.ssh/id_atlassian.pub') }}"
- take all the steps in section above
- after running
server.yml both times, change back to admin_user: mikeadmin and remove the name: mikeadmin stuff you added to users (will now be covered by the name: "{{ admin_user }}" stuff).
ssh -p 9394 admin@ip
If admin can connect only on port 9394, just add the mikeadmin user:
- change
admin_user: admin
- add this entry to
users:
- name: mikeadmin
groups:
- sudo
keys:
- "{{ lookup('file', '~/.ssh/id_atlassian.pub') }}"
- run
ansible-playbook server.yml -e env=staging --tags users
- change back to
admin_user: mikeadmin and remove the name: mikeadmin stuff you added to users (will now be covered by the name: "{{ admin_user }}" stuff).
Other notes
Note that sshd_password_authentication: false by default in Trellis.
As you adjust the sshd configs, instead of editing role defaults, try this recommendation from the role’s README section Customize via variables
To override a setting, you could redefine your chosen variable in a file such as group_vars/all/main.yml or group_vars/all/security.yml
You’ve adjusted sshd_ports which sounds appropriate, but you probably want to change ssh_port back to 22 (sshd_ports != ssh_port). This ssh_port is the port your server will use when it tries to make ssh connections to other servers, like during the git clone task during deploys. GitHub probably only listens on port 22.
If none of the above helps, try adding the ansible_ssh_port=9394 to the IP under [web] in hosts/staging, and probably change that to the updated varname ansible_port (instead of ansible_ssh_port).
Also try removing that space before [web].
You might also prefer this format in your hosts/staging:
myshortname ansible_host=12.34.56.678 ansible_port=9394
[staging]
myshortname
[web]
myshortname