Trellis v1.12.0 released

Trellis v1.12.0 has been released

  • Improve support for adding public SSH keys (#1344)
  • Update default Vagrant IP to 192.168.56.5 (#1341)
  • Remove old WP customizer frame options hack (#1338)
  • Fix #1319 - Improve how ssh_args are loaded (#1337)
  • Fix #1331 - Improve passlib instructions (#1336)

Some additional notes:

  • Vagrant’s IP change shouldn’t be breaking, but just be aware it did change.
  • The new public_keys folder is part of a larger effort to help people set up continuous deployments for Trellis sites. There will be more news on this soon with a trellis-cli release as well.

Does this mean the SSH public key files don’t have to reside in default SSH keys directory (~/.ssh/) anymore? That is great! I always wanted to store the public key files directly in the Trellis folder.

They never needed to; that was just the default values we provided. You could have done what that change does manually by just adding new entries to users.yml.

This change just makes it more built-in with a standard public_keys folder. However, the public keys in that dir are only added to the deploy web user and not all users.


As @swalkinshaw said, this isn’t a requirement, but it also supports URLs; at my old agency we just configured it to pull the list of keys from a user’s GitHub, i.e.:

# Documentation: https://roots.io/trellis/docs/ssh-keys/
admin_user: admin

# Also define 'vault_users' (`group_vars/staging/vault.yml`, `group_vars/production/vault.yml`)
users:
  - name: "{{ web_user }}"
    groups:
      - "{{ web_group }}"
    keys:
      - https://github.com/alwaysblank.keys
  - name: "{{ admin_user }}"
    groups:
      - sudo
    keys:
      - https://github.com/alwaysblank.keys

web_user: web
web_group: www-data
web_sudoers:
  - "/usr/sbin/service php7.4-fpm *"

(Although if you did this you’d probably want to make sure you had a system for removing people when they left your organization.)

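The caveat above about removing people who leave can be checked mechanically. The following is an added example, not part of the thread or of Trellis: it compares the keys an account still holds against the current expected list (the files in public_keys/ or the output of a `.keys` URL) by fingerprint, since comments differ between the two sources. The function names and the sample keys are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

# Key type, base64 blob, optional comment; options may precede the key type.
KEY_RE = re.compile(r"(?:^|\s)((?:sk-)?(?:ssh|ecdsa)-[\w@.-]+)\s+([A-Za-z0-9+/]+={0,2})\s*(.*)")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Map fingerprint -> comment for every key line in the text."""
    keys = {}
    for line in text.splitlines():
        match = KEY_RE.search(line.strip())
        if not match or line.lstrip().startswith("#"):
            continue
        try:
            keys[fingerprint(match.group(2))] = match.group(3) or "(no comment)"
        except binascii.Error:
            continue  # not valid base64, so not a usable key line
    return keys

def audit(installed_text, expected_text):
    """Return (stale, missing): keys only on the server, keys only expected."""
    installed, expected = parse_keys(installed_text), parse_keys(expected_text)
    stale = {fp: c for fp, c in installed.items() if fp not in expected}
    missing = {fp: c for fp, c in expected.items() if fp not in installed}
    return stale, missing

def _blob(label):
    # Constructed stand-in for a key blob; these are not real keys.
    return base64.b64encode(label.encode()).decode()

# Constructed samples: the current key list, and what one account still holds.
EXPECTED = f"ssh-ed25519 {_blob('alice-key')}\nssh-ed25519 {_blob('carol-key')}\n"
INSTALLED = (
    "# provisioned earlier\n"
    f"ssh-ed25519 {_blob('alice-key')} alice@laptop\n"
    f'command="/bin/true",no-pty ssh-rsa {_blob("bob-key")} bob@old-laptop\n'
)

if __name__ == "__main__":
    stale, missing = audit(INSTALLED, EXPECTED)
    for fp, comment in stale.items():
        print("remove:", fp, comment)
    for fp, comment in missing.items():
        print("not yet installed:", fp, comment)
```
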

So for clarification I need to summarize this and ask if I got it right:
The public keys in the public_keys/ directory in the Trellis directory are added as authorized keys to the web user, meant for site deployment.

There is also a users key as a 2nd way to add SSH public keys to the web and also the admin users (and add extra users if needed):

Have I understood this correctly?
And the public_keys/ directory, as an extra mechanism for adding SSH authorized keys to the web user, is meant to make site deployments easier?

Yes that’s all correct. I realized after it maybe should have been called deploy_public_keys or something more specific.
