Trellis: Switch to automated handling of user passwords #43

Merged
merged 1 commit into from
Aug 3, 2016
16 changes: 11 additions & 5 deletions trellis/passwords.md
Expand Up @@ -16,13 +16,19 @@ publish_to_discourse:
---
There are a few places you'll want to set/change passwords:

* `group_vars/<environment>/vault.yml` - `vault_mysql_root_password`
* `group_vars/<environment>/vault.yml` - `vault_sudoer_passwords`
* `group_vars/development/vault.yml` - `vault_wordpress_sites.admin_password`
* `group_vars/<environment>/vault.yml` - `vault_wordpress_sites.env.db_password`
`group_vars/<environment>/vault.yml`
* `vault_mysql_root_password`
* `vault_users.*.password`
* `vault_wordpress_sites.*.env.db_password`

`group_vars/development/vault.yml`
* `vault_wordpress_sites.admin_password`

`group_vars/all/vault.yml`
* `vault_mail_password`

For staging/production environments, it's best to randomly generate longer passwords using something like [random.org](http://www.random.org/passwords/).

You may be concerned about setting plaintext passwords in a Git repository, and you should be. We strongly recommend you encrypt these passwords before committing them to your repo. Trellis is structured to make it easy to enable [Ansible Vault](https://roots.io/trellis/docs/vault/) to encrypt select files. Alternatively, you could try an option such as [Git Encrypt](https://github.com/shadowhand/git-encrypt).

Note: Any type of server configs such as this playbook should always be in a **private** Git repository.
Note: Any type of server configs such as this playbook should always be in a **private** Git repository.
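Review bot: the new `group_vars/development/vault.yml` entry `vault_wordpress_sites.admin_password` is inconsistent with the wildcard notation introduced two lines above it; `admin_password` lives under each site key exactly as `env.db_password` does, so it should read `vault_wordpress_sites.*.admin_password` to match `vault_users.*.password` and `vault_wordpress_sites.*.env.db_password`, otherwise the two lines look like different structures. Since this PR makes `vault_users.*.password` a raw, unhashed value (see the security.md change in this same PR), this list is also the place to say so, which makes the paragraph that follows about encrypting with Ansible Vault a requirement rather than a suggestion. Minor: the random.org link is plain `http://`; it should at least be `https://www.random.org/passwords/`, and for staging/production it is better to point at a local generator such as `openssl rand -base64 24` so the secret is never requested from a third party over the network.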
26 changes: 4 additions & 22 deletions trellis/security.md
Expand Up @@ -16,32 +16,14 @@ publish_to_discourse:
---
## Locking down root

The `sshd` role heightens your server's security by providing better SSH defaults, disabling password authentication for SSH access, and optionally disabling SSH `root` login. To disable `root` login:

* Set `sshd_permit_root_login: false` in `group_vars/all/security.yml`
* Set a sudoer password for the `admin_user` user (see below)
* Run the `server.yml` playbook (see note about `--ask-become-pass` in "Admin User" section below)

You may toggle `sshd_permit_root_login` between `true` or `false` on a server that is already provisioned.
The `sshd` role heightens your server's security by providing better SSH defaults. SSH password authentication will be disabled. We encourage you to disable SSH `root` login as well. You may adjust these two particular options in `group_vars/all/security.yml`.

## Admin user

When you set `sshd_permit_root_login: false` and run the `server.yml` playbook, it will connect as `root` one final time and disable `root` login. On subsequent runs, `server.yml` will connect as the `admin_user` defined in `group_vars/all/users.yml` (default `admin`).

With `root` login disabled, the `admin_user` will need to run commands using `sudo` with a password, so you will need to add the option [`--ask-become-pass`](http://docs.ansible.com/ansible/become.html#new-ansible-variables) when running `server.yml`.
```
ansible-playbook server.yml -e env=production --ask-become-pass
```
This prompts you to enter the sudoer password described in the "Admin User Sudoer Password" section below. See the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/) for more information about Trellis SSH users.
The first provision via the `server.yml` playbook will create the `admin_user` and set up related [SSH Keys](https://roots.io/trellis/docs/ssh-keys/). If you disable `root` login, subsequent connections will be made as the `admin_user`.

## Admin user sudoer password

While `server.yml` provisions your server as the `admin_user`, it will perform some operations using `sudo` with a password. You will need to set the sudoer password for `admin` in the list of `vault_sudoer_passwords` defined in `group_vars/<environment>/vault.yml`. Here is an example:

```yaml
vault_sudoer_passwords:
admin: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/
another_user: $6$rounds=100000$r3ZZsk/uc31cAxQT$YHMkmKrwgXr3u1YgrSvg0wHZg5IM6MLEzqOraIXqh5o7aWshxD.QaNeCcUX3KInqzTqaqN3qzo9nvc/QI0M1C.
```
If `root` login is disabled and the `server.yml` playbook connects as the `admin_user`, it will invoke `sudo` using the password in `vault_users` (`group_vars/<environment>/vault.yml`). If you run the playbook with `--ask-become-pass`, Trellis will use the password you enter via the CLI. You are strongly encouraged to protect the sensitive `vault_users` information by enabling Ansible [Vault](https://roots.io/trellis/docs/vault/).

The passwords were generated using the python command [found here](http://docs.ansible.com/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module). The passwords generated here are `example_password` and `another_password`, respectively. The ansible user module doesn't handle any encryption and passwords must be encrypted beforehand. It's also recommended `group_vars/<environment>/vault.yml` be encrypted using [Ansible Vault](https://roots.io/trellis/docs/vault/).
The `vault_sudoer_passwords` dictionary is no longer used, having been replaced by `vault_users` in [roots/trellis#614](https://github.com/roots/trellis/pull/614). Convert to the new variable format by inserting the raw (unhashed) password for each user into `vault_users`. The new format frees you from having to manually hash your passwords and from having to use the `--ask-become-pass` CLI option.
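Review bot: the closing paragraph tells readers to migrate by inserting the raw password for each user into `vault_users`, but the only YAML example in this section, the `vault_sudoer_passwords` block with its `$6$rounds=100000$...` hashes, is deleted and nothing takes its place; add a short `vault_users` example showing where `password` sits for `admin` so the described migration is concrete instead of leaving the reader to guess the structure. Two smaller points on the same file: the rewritten "Locking down root" paragraph drops the actual variable name `sshd_permit_root_login` and the statement that it may be toggled on a server that is already provisioned, both of which the deleted text carried and both of which are what an operator searches for; and because the values are now stored unhashed, "strongly encouraged to protect the sensitive `vault_users` information by enabling Ansible Vault" should be stated as a requirement, since a plaintext sudo password in an unencrypted `vault.yml` is strictly worse than the hashed values it replaces.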