From 025f29b350eae4e13ef30c1513c3705ab56b09fa Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Tue, 2 Aug 2022 09:34:24 +0300 Subject: docs: document the `sshd` role variables Sponsored-by: author --- roles/sshd/README | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'roles') diff --git a/roles/sshd/README b/roles/sshd/README index 40ee00a..570f742 100644 --- a/roles/sshd/README +++ b/roles/sshd/README @@ -4,3 +4,20 @@ may: - set host key and certificate - set user CA - set port on which server listens + +To use, define variables below: + +- `sshd_version`---must match the current version for the role +- `sshd_host_key` and `sshd_host_cert`---the host key and + corresponding certificate + - note that you must define both for either to work + - rationale: there's little point in just setting the host key, as + it will still force people to accept it the first time; a host + certificate removes that need and allows the key to change at will +- `sshd_port`---the port where the SSH server should listen + - rationale: on public-facing servers, the default port gets tons of + login attempts by attackers trying to guess passwords +- `ssh_user_ca_pub`---the public keys of the SSH CAs trusted to + certify users + - rationale: using a user CA removes the need to maintain, or have, + `authorized_keys` files -- cgit v1.2.1
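Review bot: the variable naming is inconsistent in the new list: `ssh_user_ca_pub` lacks the `sshd_` prefix that `sshd_version`, `sshd_host_key`, `sshd_host_cert` and `sshd_port` share; if the name is fixed by the role's tasks, say so explicitly, otherwise consider renaming it to `sshd_user_ca_pub` so users do not mistype it. The `sshd_version` entry says it "must match the current version for the role" but never states what that version is or where to find it; give the expected value or point at the file that defines it. For `sshd_host_key` and `ssh_user_ca_pub`, document the expected format (PEM private key contents versus a path, and for the CA entry whether multiple public keys are one per line, as `TrustedUserCAKeys` expects). The `sshd_port` rationale reads as if a non-default port were a protective measure; it only cuts log noise from password guessing, so it would be worth adding that password authentication should still be disabled, which the certificate-based setup described for `ssh_user_ca_pub` already implies. Minor wording: "To use, define variables below:" should be "To use, define the variables below:".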