Make ssh-port of servers initially configurable

It looks somehow random that the SSH-port was simply defined in the configuration of the k3s-setup. It looks somehow "configurable" although it isn't. Therefore I moved this setting to the correct place in the terraform-setup. An important side-note is that this change doesn't make it possible to _change_ the ssh-port, though. Once decided for an port and I have to stick to it until I tear down the cluster!
2025-09-19 18:03:04 +02:00
parent 9c19a21273
commit adec38e1cd
6 changed files with 15 additions and 2 deletions
--- a/infra/inventory.ini.tftpl
+++ b/infra/inventory.ini.tftpl
@@ -3,6 +3,9 @@
 ${ip}
 %{endfor~}

+[server:vars]
+ansible_port=${ssh_port}
+
 [agent]
 %{for ip in agent_ips~}
 ${ip}
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -50,6 +50,7 @@ module "k8s" {
  }]
  kubernetes_exposed_ips = var.expose_kubernetes_and_ssh_ports ? values(data.external.my_ip.result) : []
  ssh_exposed_ips        = var.expose_kubernetes_and_ssh_ports ? values(data.external.my_ip.result) : []
+  ssh_port               = 1022
  public_tcp_services = {
    git-ssh = ["22"]
    http = ["80", "443"]
@@ -63,6 +64,7 @@ resource "local_file" "ansible_inventory" {
    agent_ips    = module.k8s.agent_ips_v4,
    network_cidr = module.k8s.private_network_cidr,
    private_nat  = module.k8s.private_network_nat,
+    ssh_port     = module.k8s.ssh_port,
  })
 }

--- a/infra/modules/hetzner/kubernetes/main.tf
+++ b/infra/modules/hetzner/kubernetes/main.tf
@@ -21,7 +21,7 @@ locals {
  all_ips           = ["0.0.0.0/0", "::/0"]
  ping_firewall     = var.ping_enabled ? { "ping" : [{ protocol = "icmp", port = null }] } : {}
  k8s_firewall      = { "kubernetes" : [{ port = "6443", source_ips = concat([local.network], var.kubernetes_exposed_ips) }] }
-  ssh_firewall      = length(var.ssh_exposed_ips) > 0 ? { "ssh" : [{ port = 1022, source_ips = var.ssh_exposed_ips }] } : {}
+  ssh_firewall      = length(var.ssh_exposed_ips) > 0 ? { "ssh" : [{ port = var.ssh_port, source_ips = var.ssh_exposed_ips }] } : {}
  service_firewalls = { for service, ports in var.public_tcp_services : service => [for port in ports : { port = port }] }
  firewalls = merge(
    local.ping_firewall,
--- a/infra/modules/hetzner/kubernetes/outputs.tf
+++ b/infra/modules/hetzner/kubernetes/outputs.tf
@@ -17,3 +17,7 @@ output "private_network_cidr" {
 output "private_network_nat" {
  value = cidrhost(local.subnet_eu_central, 1)
 }
+
+output "ssh_port" {
+  value = var.ssh_port
+}
--- a/infra/modules/hetzner/kubernetes/variables.tf
+++ b/infra/modules/hetzner/kubernetes/variables.tf
@@ -42,3 +42,8 @@ variable "ssh_exposed_ips" {
  type = list(string)
  default = []
 }
+
+variable "ssh_port" {
+  type = number
+  default = 1022
+}
--- a/k3s/config.ini
+++ b/k3s/config.ini
@@ -12,5 +12,4 @@ k3s_version = v1.31.6+k3s1

 [server:vars]
 ansible_ssh_common_args = '-o StrictHostKeyChecking=accept-new'
-ansible_port = 1022
 k3s_version = v1.31.6+k3s1