From adec38e1cd3cc8cfc576741de031af302841e36f Mon Sep 17 00:00:00 2001 From: Felix Nehrke Date: Fri, 19 Sep 2025 18:03:04 +0200 Subject: [PATCH] Make ssh-port of servers initially configurable It looks somehow random that the SSH-port was simply defined in the configuration of the k3s-setup. It looks somehow "configurable" although it isn't. Therefore I moved this setting to the correct place in the terraform-setup. An important side-note is that this change doesn't make it possible to _change_ the ssh-port, though. Once decided for an port and I have to stick to it until I tear down the cluster! --- infra/inventory.ini.tftpl | 3 +++ infra/main.tf | 2 ++ infra/modules/hetzner/kubernetes/main.tf | 2 +- infra/modules/hetzner/kubernetes/outputs.tf | 4 ++++ infra/modules/hetzner/kubernetes/variables.tf | 5 +++++ k3s/config.ini | 1 - 6 files changed, 15 insertions(+), 2 deletions(-) diff --git a/infra/inventory.ini.tftpl b/infra/inventory.ini.tftpl index 642f0d2..16dd180 100644 --- a/infra/inventory.ini.tftpl +++ b/infra/inventory.ini.tftpl @@ -3,6 +3,9 @@ ${ip} %{endfor~} +[server:vars] +ansible_port=${ssh_port} + [agent] %{for ip in agent_ips~} ${ip} diff --git a/infra/main.tf b/infra/main.tf index b6a3078..30c7f3b 100644 --- a/infra/main.tf +++ b/infra/main.tf @@ -50,6 +50,7 @@ module "k8s" { }] kubernetes_exposed_ips = var.expose_kubernetes_and_ssh_ports ? values(data.external.my_ip.result) : [] ssh_exposed_ips = var.expose_kubernetes_and_ssh_ports ? values(data.external.my_ip.result) : [] + ssh_port = 1022 public_tcp_services = { git-ssh = ["22"] http = ["80", "443"] @@ -63,6 +64,7 @@ resource "local_file" "ansible_inventory" { agent_ips = module.k8s.agent_ips_v4, network_cidr = module.k8s.private_network_cidr, private_nat = module.k8s.private_network_nat, + ssh_port = module.k8s.ssh_port, }) } diff --git a/infra/modules/hetzner/kubernetes/main.tf b/infra/modules/hetzner/kubernetes/main.tf index e36f5de..3aa95a3 100644 --- a/infra/modules/hetzner/kubernetes/main.tf 
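Review bot: `ansible_port=${ssh_port}` is added only under `[server:vars]`, so the `[agent]` hosts rendered by the same template keep Ansible's default port 22, while the ssh firewall rule in the kubernetes-module hunk is not scoped per node group; if the agents are provisioned with the same non-default sshd port they become unreachable for Ansible, and if they deliberately stay on 22 that should be recorded. Where all nodes share the port, `[all:vars]` with `ansible_port=${ssh_port}` is the simpler place for it. The removed `ansible_port = 1022` in k3s/config.ini was also under `[server:vars]`, so this keeps the previous scope; a template comment such as `# ansible_port applies to [server] only; agents use the default port` would make that explicit. The server `%{for}` loop that precedes these lines starts outside the hunk.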
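Review bot: `ssh_port = 1022` in the `module "k8s"` call hard-codes exactly the value the module already defaults to, so at the root level the port is still not configurable — either expose a root `variable "ssh_port"` and pass `ssh_port = var.ssh_port`, or drop the line and rely on the module default. Because the commit message states the port cannot be changed once the cluster exists, the line deserves an inline warning, e.g. `ssh_port = 1022 # fixed at creation time; changing it later breaks firewall rule and inventory`. The second hunk in this file correctly reads the value back through `module.k8s.ssh_port` instead of repeating the literal. The `module "k8s"` block starts and ends outside the first hunk.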
+++ b/infra/modules/hetzner/kubernetes/main.tf @@ -21,7 +21,7 @@ locals { all_ips = ["0.0.0.0/0", "::/0"] ping_firewall = var.ping_enabled ? { "ping" : [{ protocol = "icmp", port = null }] } : {} k8s_firewall = { "kubernetes" : [{ port = "6443", source_ips = concat([local.network], var.kubernetes_exposed_ips) }] } - ssh_firewall = length(var.ssh_exposed_ips) > 0 ? { "ssh" : [{ port = 1022, source_ips = var.ssh_exposed_ips }] } : {} + ssh_firewall = length(var.ssh_exposed_ips) > 0 ? { "ssh" : [{ port = var.ssh_port, source_ips = var.ssh_exposed_ips }] } : {} service_firewalls = { for service, ports in var.public_tcp_services : service => [for port in ports : { port = port }] } firewalls = merge( local.ping_firewall, diff --git a/infra/modules/hetzner/kubernetes/outputs.tf b/infra/modules/hetzner/kubernetes/outputs.tf index aff48d3..7cb6dcd 100644 --- a/infra/modules/hetzner/kubernetes/outputs.tf +++ b/infra/modules/hetzner/kubernetes/outputs.tf @@ -17,3 +17,7 @@ output "private_network_cidr" { output "private_network_nat" { value = cidrhost(local.subnet_eu_central, 1) } + +output "ssh_port" { + value = var.ssh_port +} diff --git a/infra/modules/hetzner/kubernetes/variables.tf b/infra/modules/hetzner/kubernetes/variables.tf index c646d39..6fbe882 100644 --- a/infra/modules/hetzner/kubernetes/variables.tf +++ b/infra/modules/hetzner/kubernetes/variables.tf @@ -42,3 +42,8 @@ variable "ssh_exposed_ips" { type = list(string) default = [] } + +variable "ssh_port" { + type = number + default = 1022 +} diff --git a/k3s/config.ini b/k3s/config.ini index 6fb7d58..21afee6 100644 --- a/k3s/config.ini +++ b/k3s/config.ini @@ -12,5 +12,4 @@ k3s_version = v1.31.6+k3s1 [server:vars] ansible_ssh_common_args = '-o StrictHostKeyChecking=accept-new' -ansible_port = 1022 k3s_version = v1.31.6+k3s1
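Review bot: The ssh firewall rule now opens `var.ssh_port`, but nothing in this change shows the nodes' sshd being configured to listen on that port; if the listen port is set elsewhere (cloud-init/user_data) from a literal 1022, it must read the same variable, otherwise firewall, inventory and sshd can drift apart. The neighbouring `kubernetes` rule passes its port as the string `"6443"`, whereas `var.ssh_port` is a `number` that Terraform converts implicitly; `port = tostring(var.ssh_port)` keeps the rule list homogeneous and the conversion explicit. The rule is still created only when `ssh_exposed_ips` is non-empty, which the change preserves. The `locals` block starts and ends outside the hunk.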
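Review bot: The new `ssh_port` variable has neither a `description` nor a `validation` block, so an out-of-range or non-integer value only fails when the hcloud firewall rule is applied; a plan-time validation restricting it to 1–65535 is cheap, and the description should record that the value is fixed once the cluster exists, as the commit message explains. The `ssh_port` output in outputs.tf would likewise benefit from a `description`. Since the root module already exposes port `"22"` to all source IPs as `git-ssh`, and those service rules are merged into the same firewall as the ssh rule, setting `ssh_port` to 22 would presumably expose node SSH publicly rather than only to `ssh_exposed_ips` — worth stating in the description or excluding in the validation.
```hcl
variable "ssh_port" {
  description = "TCP port Ansible uses to reach the server nodes and that the ssh firewall rule opens to ssh_exposed_ips. Fixed once the cluster exists; changing it requires re-creating the cluster."
  type        = number
  default     = 1022

  validation {
    condition     = var.ssh_port >= 1 && var.ssh_port <= 65535 && floor(var.ssh_port) == var.ssh_port
    error_message = "ssh_port must be an integer between 1 and 65535."
  }
}
```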