Enable users to set an alternate ssh port

kconfigs/Kconfig.ansible_cfg

@@ -316,6 +316,47 @@ config ANSIBLE_CFG_INVENTORY
 
 endif # ANSIBLE_CFG_INVENTORY_CUSTOM
 
+config ANSIBLE_CFG_SSH_PORT_SET_BY_CLI
+	bool
+	default $(shell, scripts/check-cli-set-var.sh ANSIBLE_CFG_SSH_PORT)
+
+config ANSIBLE_CFG_SSH_PORT_CUSTOM
+	bool "Enable a custom Ansible SSH port setting"
+	default n
+	help
+	  When this setting is enabled, specify the SSH port for
+	  Ansible to use when connecting to target nodes.
+
+	  When this setting is disabled, kdevops uses the default
+	  SSH port (22), which can be overridden with
+	  "ANSIBLE_CFG_SSH_PORT=NN" on the "make" command line.
+
+	  This is useful when your target hosts use a non-standard
+	  SSH port for security or network configuration reasons.
+
+if ANSIBLE_CFG_SSH_PORT_CUSTOM
+
+config ANSIBLE_CFG_SSH_PORT
+	int "Ansible SSH port"
+	output yaml
+	help
+	  Set the SSH port for Ansible to use when connecting to target
+	  nodes. The default port is 22.
+
+	  https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html#parameter-remote_port
+
+endif # ANSIBLE_CFG_SSH_PORT_CUSTOM
+
+if !ANSIBLE_CFG_SSH_PORT_CUSTOM
+
+config ANSIBLE_CFG_SSH_PORT
+	int
+	output yaml
+	default 22 if !ANSIBLE_CFG_SSH_PORT_SET_BY_CLI
+	default $(shell, ./scripts/append-makefile-vars-int.sh $(ANSIBLE_CFG_SSH_PORT)) if ANSIBLE_CFG_SSH_PORT_SET_BY_CLI
+
+endif # !ANSIBLE_CFG_SSH_PORT_CUSTOM
+
 if DISTRO_OPENSUSE
 
 config ANSIBLE_CFG_RECONNECTION_RETRIES

playbooks/nixos.yml

@@ -430,7 +430,7 @@
         python3 {{ playbook_dir }}/../scripts/update_ssh_config_nixos.py update \
           {{ item }} \
           {{ nixos_vm_ips[item] }} \
-          22 \
+          {{ ansible_cfg_ssh_port }} \
           kdevops \
           {{ nixos_ssh_config_file | default(ansible_env.HOME + '/.ssh/config') }} \
           {{ ssh_key_path_for_config.stdout | trim }} \

playbooks/roles/ansible_cfg/templates/ansible.cfg.j2

@@ -47,7 +47,10 @@ playbook_on_stats_msg_color = bright green
 [callback_profile_tasks]
 summary_only = true
 {% endif %}
+[ssh_connection]
+remote_port = {{ ansible_cfg_ssh_port }}
 {% if ansible_facts['distribution'] == 'openSUSE' %}
+
 [connection]
 retries = {{ ansible_cfg_reconnection_retries }}
 {% endif %}

playbooks/roles/base_image/templates/virt-builder.j2

@@ -12,7 +12,7 @@ mkdir {{ target_dir }}
 copy-in {{ guestfs_distro_source_and_dest_file }}:{{ target_dir }}
 {% endif %}
 
-install sudo,qemu-guest-agent,python3,bash
+install sudo,qemu-guest-agent,python3,bash,policycoreutils-python-utils
 
 # get rid of any rescue initramfs images, and prevent new ones from being generated
 uninstall dracut-config-rescue

playbooks/roles/gen_tfvars/templates/aws/terraform.tfvars.j2

@@ -18,6 +18,7 @@ aws_ebs_volume_throughput = {{ terraform_aws_ebs_volume_throughput }}
 ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
 ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
 ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
 
 ssh_config_update = "{{ kdevops_terraform_ssh_config_update | lower }}"
 ssh_config_use_strict_settings = "{{ kdevops_terraform_ssh_config_update_strict  | lower }}"

playbooks/roles/gen_tfvars/templates/azure/terraform.tfvars.j2

@@ -13,6 +13,7 @@ azure_managed_disks_tier = "{{ terraform_azure_managed_disks_tier }}"
 ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
 ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
 ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
 
 ssh_config_update = "{{ kdevops_terraform_ssh_config_update | lower }}"
 ssh_config_use_strict_settings = "{{ kdevops_terraform_ssh_config_update_strict | lower }}"

playbooks/roles/gen_tfvars/templates/gce/terraform.tfvars.j2

@@ -20,6 +20,7 @@ gce_disk_throughput = {{ terraform_gce_disk_throughput }}
 ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
 ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
 ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
 
 ssh_config_update = "{{ kdevops_terraform_ssh_config_update | lower }}"
 ssh_config_use_strict_settings = "{{ kdevops_terraform_ssh_config_update_strict | lower }}"

playbooks/roles/gen_tfvars/templates/lambdalabs/terraform.tfvars.j2

@@ -7,6 +7,7 @@ ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
 ssh_config_privkey_file = "{{ kdevops_terraform_ssh_config_privkey_file }}"
 ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
 ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
 # Use unique SSH config file per directory to avoid conflicts
 ssh_config_name = "{{ kdevops_ssh_config_prefix }}{{ topdir_path_sha256sum[:8] }}"
 

playbooks/roles/gen_tfvars/templates/oci/terraform.tfvars.j2

@@ -25,6 +25,7 @@ oci_sparse_volume_device_file_name = "{{ terraform_oci_sparse_volume_device_file
 ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
 ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
 ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
 
 ssh_config_update = "{{ kdevops_terraform_ssh_config_update | lower }}"
 ssh_config_use_strict_settings = "{{ kdevops_terraform_ssh_config_update_strict | lower }}"

playbooks/roles/gen_tfvars/templates/openstack/terraform.tfvars.j2

@@ -7,6 +7,7 @@ ssh_pubkey_name = "{{ terraform_openstack_ssh_pubkey_name }}"
 ssh_config_pubkey_file = "{{ kdevops_terraform_ssh_config_pubkey_file }}"
 ssh_config_user = "{{ kdevops_terraform_ssh_config_user }}"
 ssh_config = "{{ sshconfig }}"
+ssh_config_port = {{ ansible_cfg_ssh_port }}
 
 ssh_config_update = "{{ kdevops_terraform_ssh_config_update | lower }}"
 ssh_config_use_strict_settings = "{{ kdevops_terraform_ssh_config_update_strict  | lower }}"

playbooks/roles/guestfs/tasks/bringup/main.yml

@@ -61,35 +61,39 @@
       register: host_timezone
       delegate_to: localhost
 
+    - name: Build virt-sysprep command arguments for each target node
+      ansible.builtin.set_fact:
+        virt_sysprep_args: >-
+          {{
+            [
+              "virt-sysprep",
+              "-a", root_image,
+              "--hostname", inventory_hostname,
+              "--ssh-inject", "kdevops:file:" + ssh_key + ".pub",
+              "--timezone", host_timezone.stdout
+            ] + (
+              [
+                "--run-command", "sed -i '/^#*Port /d' /etc/ssh/sshd_config",
+                "--append-line", "/etc/ssh/sshd_config:Port " + (ansible_cfg_ssh_port | string),
+                "--firstboot-command", "semanage port -a -t ssh_port_t -p tcp " + (ansible_cfg_ssh_port | string) + " 2>/dev/null || semanage port -m -t ssh_port_t -p tcp " + (ansible_cfg_ssh_port | string) + "; systemctl restart sshd",
+                "--firstboot-command", "if command -v firewall-cmd >/dev/null 2>&1 && systemctl is-enabled firewalld >/dev/null 2>&1; then firewall-cmd --permanent --add-port=" + (ansible_cfg_ssh_port | string) + "/tcp && firewall-cmd --reload; fi",
+                "--firstboot-command", "if command -v ufw >/dev/null 2>&1 && systemctl is-active ufw >/dev/null 2>&1; then ufw allow " + (ansible_cfg_ssh_port | string) + "/tcp; fi"
+              ]
+              if ansible_cfg_ssh_port | int != 22 else []
+            )
+          }}
+
     - name: Build the root image for each target node (as root)
       become: true
       become_method: ansible.builtin.sudo
       ansible.builtin.command:
-        argv:
-          - "virt-sysprep"
-          - "-a"
-          - "{{ root_image }}"
-          - "--hostname"
-          - "{{ inventory_hostname }}"
-          - "--ssh-inject"
-          - "kdevops:file:{{ ssh_key }}.pub"
-          - "--timezone"
-          - "{{ host_timezone.stdout }}"
+        argv: "{{ virt_sysprep_args }}"
       when:
         - libvirt_uri_system|bool
 
     - name: Build the root image for each target node (non-root)
       ansible.builtin.command:
-        argv:
-          - "virt-sysprep"
-          - "-a"
-          - "{{ root_image }}"
-          - "--hostname"
-          - "{{ inventory_hostname }}"
-          - "--ssh-inject"
-          - "kdevops:file:{{ ssh_key }}.pub"
-          - "--timezone"
-          - "{{ host_timezone.stdout }}"
+        argv: "{{ virt_sysprep_args }}"
       when:
         - not libvirt_uri_system|bool
 

playbooks/roles/terraform/templates/ssh_config.j2

@@ -1,7 +1,7 @@
 Host {{ item.key }} {{ item.value }}
 	HostName {{ item.value }}
 	User {{ kdevops_terraform_ssh_config_user }}
-	Port 22
+	Port {{ ansible_cfg_ssh_port }}
 	IdentityFile {{ kdevops_terraform_ssh_config_privkey_file }}
 {% if ssh_config_kexalgorithms %}
 	KexAlgorithms {{ ssh_config_kexalgorithms }}

scripts/update_ssh_config_guestfs.py

@@ -21,7 +21,7 @@
 ssh_template = """Host {name} {addr}
 	HostName {addr}
 	User kdevops
-	Port 22
+	Port {port}
 	IdentityFile {sshkey}
 	UserKnownHostsFile /dev/null
 	StrictHostKeyChecking no
@@ -97,6 +97,7 @@ def main():
         context = {
             "name": name,
             "addr": addr,
+            "port": extra_vars.get("ansible_cfg_ssh_port", 22),
             "sshkey": f"{extra_vars['guestfs_path']}/{name}/ssh/id_ed25519",
         }
         sshconf.write(ssh_template.format(**context))

scripts/update_ssh_config_lambdalabs.py

@@ -11,7 +11,7 @@
 
 
 def update_ssh_config(
-    action, hostname, ip_address, username, config_file, ssh_key, provider_name
+    action, hostname, ip_address, username, config_file, ssh_key, provider_name, port=22
 ):
     """
     Update SSH configuration file with Lambda Labs instance details.
@@ -24,6 +24,7 @@ def update_ssh_config(
         config_file: SSH config file path
         ssh_key: Path to SSH private key
         provider_name: Provider name for comments
+        port: SSH port number (default: 22)
     """
     config_file = os.path.expanduser(config_file)
     ssh_key = os.path.expanduser(ssh_key)
@@ -33,7 +34,7 @@ def update_ssh_config(
 Host {hostname} {ip_address}
 \tHostName {ip_address}
 \tUser {username}
-\tPort 22
+\tPort {port}
 \tIdentityFile {ssh_key}
 \tUserKnownHostsFile /dev/null
 \tStrictHostKeyChecking no
@@ -90,7 +91,7 @@ def main():
     """Main entry point."""
     if len(sys.argv) < 7:
         print(
-            f"Usage: {sys.argv[0]} <action> <hostname> <ip_address> <username> <config_file> <ssh_key> [provider_name]"
+            f"Usage: {sys.argv[0]} <action> <hostname> <ip_address> <username> <config_file> <ssh_key> [provider_name] [port]"
         )
         print("  action: 'update' or 'remove'")
         print("  hostname: Instance hostname")
@@ -99,6 +100,7 @@ def main():
         print("  config_file: SSH config file path")
         print("  ssh_key: Path to SSH private key")
         print("  provider_name: Optional provider name (default: 'Lambda Labs')")
+        print("  port: Optional SSH port (default: 22)")
         sys.exit(1)
 
     action = sys.argv[1]
@@ -108,9 +110,17 @@ def main():
     config_file = sys.argv[5]
     ssh_key = sys.argv[6]
     provider_name = sys.argv[7] if len(sys.argv) > 7 else "Lambda Labs"
+    port = int(sys.argv[8]) if len(sys.argv) > 8 else 22
 
     update_ssh_config(
-        action, hostname, ip_address, username, config_file, ssh_key, provider_name
+        action,
+        hostname,
+        ip_address,
+        username,
+        config_file,
+        ssh_key,
+        provider_name,
+        port,
     )
 
 

terraform/aws/main.tf

@@ -39,8 +39,8 @@ resource "aws_security_group" "kdevops_sec_group" {
     cidr_blocks = [
       "0.0.0.0/0",
     ]
-    from_port = 22
-    to_port   = 22
+    from_port = var.ssh_config_port
+    to_port   = var.ssh_config_port
     protocol  = "tcp"
   }
 
@@ -76,12 +76,13 @@ resource "aws_key_pair" "kdevops_keypair" {
 
 data "template_file" "script_user_data" {
   count    = local.kdevops_num_boxes
-  template = file("templates/script.sh")
+  template = file("../scripts/cloud-init.sh")
 
   vars = {
     user_data_log_dir = var.user_data_log_dir
     user_data_enabled = var.user_data_enabled
     ssh_config_user   = var.ssh_config_user
+    ssh_config_port   = var.ssh_config_port
     new_hostname      = element(var.kdevops_nodes, count.index),
   }
 }

terraform/azure/main.tf

@@ -43,7 +43,7 @@ resource "azurerm_network_security_group" "kdevops_sg" {
     access                     = "Allow"
     protocol                   = "Tcp"
     source_port_range          = "*"
-    destination_port_range     = "22"
+    destination_port_range     = tostring(var.ssh_config_port)
     source_address_prefix      = "*"
     destination_address_prefix = "*"
   }
@@ -89,6 +89,13 @@ resource "azurerm_linux_virtual_machine" "kdevops_vm" {
   size                            = var.azure_vmsize
   admin_username                  = var.ssh_config_user
   disable_password_authentication = true
+  custom_data = base64encode(templatefile("${path.module}/../scripts/cloud-init.sh", {
+    user_data_log_dir = "/var/log/kdevops"
+    user_data_enabled = "yes"
+    ssh_config_user   = var.ssh_config_user
+    ssh_config_port   = var.ssh_config_port
+    new_hostname      = element(var.kdevops_nodes, count.index)
+  }))
 
   os_disk {
     # Note: yes using the names like the ones below is better however it also