Roots Discourse

Setting up trellis with password, instead of ssh

Hello,

I’ve been searching for the answer to this issue - I apologize if the topic came up somewhere else and I missed it.

I’m developing a WordPress / Bedrock / Trellis website, and just set up the production server. Our client had very specific parameters for the server - they wanted it on a very secure, password protected host.

I believe that it’s possible to set up trellis to work with a password protected site (as opposed to ssh), but I haven’t been able to figure out the exact configuration for it. If anyone has experience with this and would like to guide me or point me in the right direction, that would be helpful!

Thank you,

Jill

I would advise against using password authentication, as SSH keys are considered to be more secure (using a passphrase of course). You can also generate a unique key for the project that is referenced in your SSH config, so that it is only used for your server hostname or IP.

If you want (or have) to go the password route, you need to set sshd_password_authentication to true in group_vars/all/security.yml (or just in the production directory).
IIRC you need to run the Ansible commands using the --ask-pass flag (or set it in the ansible.cfg using ask_pass = True).
Also comment out the lines 10 and 16 referencing your local SSH key in group_vars/all/users.yml, so it does not get added unnecessarily:

2 Likes

Wow this is extremely helpful. Still have one or two questions if you don’t mind.

  1. What happens if the staging server is ssh, and the production server is password protected? I don’t see a vault file in the group_vars/production directory - does it need to be created? Or do you just specify different configs for each environment in the group_vars/all/security.yml file?

  2. Also I assume you meant “comment” not “uncomment,” right? And again, since that file is in the all/ directory, would there need to be extra configuration to delineate between staging and production?

Again thank you so much. Looks like I’m due for some experimentation, but your answer definitely set me in the right direction.

Absolutely, I meant to comment out these lines. This would affect all (remote) environments.

You can overwrite all the global variables that were set in group_vars/all/ either in group_vars/production/main.yml or in a freshly created file. For your case:

```yaml
# group_vars/production/security.yml
sshd_password_authentication: true
```

The same applies for the users, so also copy the whole users list in group_vars/all/users.yml to a file in the production folder and comment the SSH keys out as shown above.

You wrote you don’t see a vault.yml in production. There should be one – if it doesn’t exist, just copy the one from staging or from GitHub. After setting all the passwords and salts, don’t forget to encrypt your vault files.

1 Like
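As an added example (not code from the thread or from Trellis itself), here are the two production override files the reply describes, with staging left on keys and only production switched to passwords. The users list layout with its two key lookup lines is assumed to match the default Trellis group_vars/all/users.yml, and `keys: []` is an assumption to keep the list valid once the lookups are commented out.

```yaml
# group_vars/production/security.yml
# Overrides the value from group_vars/all/security.yml for production only;
# staging keeps the default and continues to authenticate with SSH keys.
sshd_password_authentication: true

# group_vars/production/users.yml
# Copy of the users list from group_vars/all/users.yml with the local key
# lookups commented out, so no public key is pushed to the password-only host.
# (assumption: structure matches the default Trellis users.yml)
admin_user: admin
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys: []   # assumption: empty list instead of a bare `keys:` (which would be null)
    # - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys: []
    # - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

# ansible.cfg, under [defaults] -- alternative to passing --ask-pass on every run
# ask_pass = True
```

Run the provisioning with `ansible-playbook server.yml -e env=production --ask-pass` (or set `ask_pass = True` in ansible.cfg as mentioned above); staging still picks up the defaults from group_vars/all and keeps using keys.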