From dc6f2ce54d71945c3b3d389bf091399cc6640935 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 29 Jan 2026 13:17:36 +0100
Subject: [PATCH] Mention ansible ssh_users role which disables root login

---
 ansible/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ansible/README.md b/ansible/README.md
index 2e993b2d..8507cd29 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -123,7 +123,9 @@ individual accounts and lock out the root user.
 When running the entire runbook ansible might try to run it as root.
 This can be avoided by selecting only the required tags using `-t <tagname>`.
 
-Ideally the root user should be disabled after succesfully creating user accounts.
+Ideally the root user should be disabled after succesfully creating user accounts. See role
+[ssh_users](https://github.com/ooni/devops/blob/main/ansible/roles/ssh_users/tasks/main.yml#L62)
+which adds AllowUsers to /etc/sshd_config.d/00-ansible_system_role.conf and disables root login.
 
 #### Roles layout