Use port 1022 for all cluster nodes as SSH-port and fix some config-errors

I'm oversaw completely, that I have to change the SSH-port for all nodes
in the cluster otherwise I cannot provide a meaningful load-balancer for
the git-ssh port in it.

Additionally this allowed me to fix some config errors which I simply
oversaw.

config.yml

@@ -1,6 +1,6 @@
 all:
   vars:
-    k8s_api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
+    api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
     cert_manager_state: present
     cert_manager_version: v1.18.2
     letsencrypt_clusterissuers:
@@ -19,7 +19,7 @@ k3s_cluster:
 
 agent:
   vars:
-    ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new -o ProxyCommand="ssh -p 1022 -W %h:%p -q root@{{ k8s_api_endpoint }}"
+    ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new -o ProxyCommand="ssh -p {{ hostvars[groups['server'][0]]['ansible_port'] }} -W %h:%p -q root@{{ api_endpoint }}"
     k3s_version: v1.31.6+k3s1
 
 server:

inventory.ini.tftpl

@@ -3,9 +3,6 @@
 ${ip}
 %{endfor~}
 
-[server:vars]
-ansible_port=${ssh_port}
-
 [agent]
 %{for ip in agent_ips~}
 ${ip}
@@ -16,5 +13,6 @@ server
 agent
 
 [k3s_cluster:vars]
+ansible_port=${ssh_port}
 network_cidr=${network_cidr}
 private_nat=${private_nat}

roles/agent-setup/handlers/main.yml

@@ -1,3 +1,9 @@
+- name: Restart sshd
+  systemd_service:
+    name: ssh.socket
+    state: restarted
+    daemon_reload: true
+
 - name: Restart resolved
   service:
     name: systemd-resolved

roles/agent-setup/tasks/main.yml

@@ -1,3 +1,47 @@
+- name: Set facts for target SSH-connection
+  set_fact:
+    target_ansible_port: "{{ ansible_port }}"
+
+- name: Check if SSH-connection is already adjusted
+  ping:
+  ignore_errors: "yes"
+  ignore_unreachable: "yes"
+  register: target_ssh
+
+- name: Set ansible_port to 22 when SSH-connection is not adjusted
+  set_fact:
+    ansible_port: "22"
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Check if initial SSH-connection is active
+  ping:
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Set SSH-port to 1022
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?\s*Port\s+[0-9]+$'
+    line: Port 1022
+  notify: Restart sshd
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Ensure SSH is reloaded
+  meta: flush_handlers
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Reset ansible_port to configured value
+  set_fact:
+    ansible_port: "{{ target_ansible_port }}"
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
+- name: Run deferred setup to gather facts
+  setup:
+
 - name: Set default network route
   shell: "ip route add default via {{ private_nat }}"
   ignore_errors: "yes"

roles/kube-config/tasks/main.yml

@@ -15,5 +15,5 @@
   lineinfile:
     path: "{{ lookup('env', 'HOME') }}/.kube/config"
     regexp: '^(\s*server: https://).*(:\d+)$'
-    line: \g<1>{{ k8s_api_endpoint }}\g<2>
+    line: \g<1>{{ api_endpoint }}\g<2>
     backrefs: yes

roles/server-setup/handlers/main.yml

@@ -1,7 +1,8 @@
 - name: Restart sshd
-  service:
+  systemd_service:
-    name: ssh
+    name: ssh.socket
     state: restarted
+    daemon_reload: true
 
 - name: Start ip-masquerade
   script: "{{ ip_masquerade_path }}/{{ ip_masquerade_script }}"

roles/server-setup/tasks/main.yml

@@ -28,6 +28,11 @@
   when: target_ssh.unreachable is defined and
         target_ssh.unreachable == True
 
+- name: Ensure SSH is reloaded
+  meta: flush_handlers
+  when: target_ssh.unreachable is defined and
+        target_ssh.unreachable == True
+
 - name: Reset ansible_port to configured value
   set_fact:
     ansible_port: "{{ target_ansible_port }}"

site.yml

@@ -6,6 +6,7 @@
   - init
   - add-server
 - hosts: agent
+  gather_facts: no
   roles:
   - role: agent-setup
   tags: