fix: Adjustments to logic and minor amendments

Author: adskyiproger

.github/workflows/provision.yml

@@ -65,11 +65,9 @@ jobs:
       - name: Set variables for ansible
         id: ansible-variables
         run: |
-          JSON_WITH_NEWLINES=$(cat<<EOF
-            ${{ toJSON(env) }}
-          EOF)
-          JSON_WITHOUT_NEWLINES=$(echo $JSON_WITH_NEWLINES | jq -R -c .)
-          echo "EXTRA_VARS=$JSON_WITHOUT_NEWLINES" >> $GITHUB_OUTPUT
+          echo '${{ toJSON(env) }}' > tmp_vars.json
+          JSON_WITHOUT_EMPTY=$(jq -c 'with_entries(select(.value | type == "string" and length > 0))' tmp_vars.json | jq -R )
+          echo "EXTRA_VARS=$JSON_WITHOUT_EMPTY" >> $GITHUB_OUTPUT
         env:
           encrypted_disk_size: ${{ vars.DISK_SPACE }}
           disk_encryption_key: ${{ secrets.ENCRYPTION_KEY }}

infrastructure/environments/setup-environment.ts

@@ -272,7 +272,7 @@ const githubOtherQuestions = [
         value: 'false'
       }
     ],
-    valueType: 'SECRET' as const,
+    valueType: 'VARIABLE' as const,
     validate: notEmpty,
     valueLabel: 'APPROVAL_REQUIRED',
     initial: process.env.APPROVAL_REQUIRED,
@@ -1230,23 +1230,6 @@ ALL_QUESTIONS.push(
       ),
       scope: 'ENVIRONMENT' as const
     },
-    {
-      name: 'ENCRYPTION_KEY',
-      type: 'SECRET' as const,
-      didExist: findExistingValue(
-        'ENCRYPTION_KEY',
-        'SECRET',
-        'ENVIRONMENT',
-        existingValues
-      ),
-      value: findExistingOrDefine(
-        'ENCRYPTION_KEY',
-        'SECRET',
-        'ENVIRONMENT',
-        generateLongPassword()
-      ),
-      scope: 'ENVIRONMENT' as const
-    },
     {
       type: 'VARIABLE' as const,
       name: 'ACTIVATE_USERS',
@@ -1357,6 +1340,25 @@ ALL_QUESTIONS.push(
     }
   ]
 
+  if (enableEncryption){
+    applicationServerUpdates.push({
+      name: 'ENCRYPTION_KEY',
+      type: 'SECRET' as const,
+      didExist: findExistingValue(
+        'ENCRYPTION_KEY',
+        'SECRET',
+        'ENVIRONMENT',
+        existingValues
+      ),
+      value: findExistingOrDefine(
+        'ENCRYPTION_KEY',
+        'SECRET',
+        'ENVIRONMENT',
+        generateLongPassword()
+      ),
+      scope: 'ENVIRONMENT' as const
+    })
+  }
 
   derivedUpdates.push(...applicationServerUpdates)
 

infrastructure/environments/templates.ts

@@ -109,7 +109,7 @@ export function generateInventory(env: string, values: Record<string, any>){
   template = template.replace('{{BACKUP_BLOCK}}', backupBlock);
 
   // Generate kube_api_host line
-  let kubeApiHost = '    kube_api_host: ' + (values['kube_api_host'] || '');
+  let kubeApiHost = 'kube_api_host: ' + (values['kube_api_host'] || '');
   template = template.replace('{{KUBE_API_HOST_BLOCK}}', kubeApiHost);
 
   const updated = replacePlaceholders(template, values);

infrastructure/environments/templates/inventory/single-node.yml

@@ -5,7 +5,7 @@ all:
     # - If your server is exposed (not recommeded), use public IP address
     # - If you would like to run kubectl commands from the remote server, leave this field empty
     # kube_api_host: ''
-{{KUBE_API_HOST_BLOCK}}
+    {{KUBE_API_HOST_BLOCK}}
     # Default ansible provision user, keep as is
     ansible_user: provision
 

infrastructure/server-setup/files/sshd_audit_hardening.22.04.conf

@@ -251,20 +251,6 @@
     marker: '# {mark} ANSIBLE MANAGED BLOCK FOR USER {{ ansible_user }}'
   become: yes
 
-
-# Add restriction configuration to sshd_config
-# For Ubuntu 22.04
-- name: SSHD Restrict key exchange, cipher, and MAC algorithms (Ubuntu 22.04)
-  ansible.builtin.copy:
-    src: ./files/sshd_audit_hardening.22.04.conf
-    dest: /etc/ssh/sshd_config.d/audit_hardening.conf
-    owner: root
-    group: root
-    mode: '0644'
-  when:
-    - ansible_facts['os_family'] == 'Debian'
-    - ansible_facts['distribution'] == 'Ubuntu'
-    - ansible_facts['distribution_version'] is version('22.04', '<=')
 # For Ubuntu 24.04
 - name: SSHD Restrict key exchange, cipher, and MAC algorithms (Ubuntu 24.04)
   ansible.builtin.copy:
@@ -309,5 +295,3 @@
     state: restarted
   when: ssh_status.rc == 0
   become: yes
-
-