Merge pull request #172 from opencrvs/ocrvs-fixes-10951

fix: Minor bugfixes to infrastructure logic

Author: adskyiproger

infrastructure/environments/setup-environment.ts

@@ -1230,23 +1230,6 @@ ALL_QUESTIONS.push(
       ),
       scope: 'ENVIRONMENT' as const
     },
-    {
-      name: 'ENCRYPTION_KEY',
-      type: 'SECRET' as const,
-      didExist: findExistingValue(
-        'ENCRYPTION_KEY',
-        'SECRET',
-        'ENVIRONMENT',
-        existingValues
-      ),
-      value: findExistingOrDefine(
-        'ENCRYPTION_KEY',
-        'SECRET',
-        'ENVIRONMENT',
-        generateLongPassword()
-      ),
-      scope: 'ENVIRONMENT' as const
-    },
     {
       type: 'VARIABLE' as const,
       name: 'ACTIVATE_USERS',
@@ -1357,6 +1340,25 @@ ALL_QUESTIONS.push(
     }
   ]
 
+  if (enableEncryption){
+    applicationServerUpdates.push({
+      name: 'ENCRYPTION_KEY',
+      type: 'SECRET' as const,
+      didExist: findExistingValue(
+        'ENCRYPTION_KEY',
+        'SECRET',
+        'ENVIRONMENT',
+        existingValues
+      ),
+      value: findExistingOrDefine(
+        'ENCRYPTION_KEY',
+        'SECRET',
+        'ENVIRONMENT',
+        generateLongPassword()
+      ),
+      scope: 'ENVIRONMENT' as const
+    })
+  }
 
   derivedUpdates.push(...applicationServerUpdates)
 

infrastructure/environments/templates.ts

@@ -109,7 +109,7 @@ export function generateInventory(env: string, values: Record<string, any>){
   template = template.replace('{{BACKUP_BLOCK}}', backupBlock);
 
   // Generate kube_api_host line
-  let kubeApiHost = '    kube_api_host: ' + (values['kube_api_host'] || '');
+  let kubeApiHost = 'kube_api_host: ' + (values['kube_api_host'] || '');
   template = template.replace('{{KUBE_API_HOST_BLOCK}}', kubeApiHost);
 
   const updated = replacePlaceholders(template, values);

infrastructure/environments/templates/inventory/single-node.yml

@@ -5,7 +5,7 @@ all:
     # - If your server is exposed (not recommeded), use public IP address
     # - If you would like to run kubectl commands from the remote server, leave this field empty
     # kube_api_host: ''
-{{KUBE_API_HOST_BLOCK}}
+    {{KUBE_API_HOST_BLOCK}}
     # Default ansible provision user, keep as is
     ansible_user: provision
 

infrastructure/server-setup/files/sshd_audit_hardening.22.04.conf

@@ -251,20 +251,6 @@
     marker: '# {mark} ANSIBLE MANAGED BLOCK FOR USER {{ ansible_user }}'
   become: yes
 
-
-# Add restriction configuration to sshd_config
-# For Ubuntu 22.04
-- name: SSHD Restrict key exchange, cipher, and MAC algorithms (Ubuntu 22.04)
-  ansible.builtin.copy:
-    src: ./files/sshd_audit_hardening.22.04.conf
-    dest: /etc/ssh/sshd_config.d/audit_hardening.conf
-    owner: root
-    group: root
-    mode: '0644'
-  when:
-    - ansible_facts['os_family'] == 'Debian'
-    - ansible_facts['distribution'] == 'Ubuntu'
-    - ansible_facts['distribution_version'] is version('22.04', '<=')
 # For Ubuntu 24.04
 - name: SSHD Restrict key exchange, cipher, and MAC algorithms (Ubuntu 24.04)
   ansible.builtin.copy:
@@ -309,5 +295,3 @@
     state: restarted
   when: ssh_status.rc == 0
   become: yes
-
-