fix: [#222] Make SSH port configuration conditional on non-default port

josecelano · josecelano · commit 41cda989df66 · 2025-12-11T20:53:32.000Z
The cloud-init template was unconditionally configuring SSH port and
rebooting the VM, even when using the default port 22. This caused:
- Unnecessary VM reboots for environments using default SSH port
- E2E infrastructure lifecycle test failures on GitHub Actions
- Longer provisioning times for default configurations

Root Cause:
- Cloud-init template always wrote SSH port config file and triggered reboot
- E2E test uses default port 22, but was forced to reboot unnecessarily
- GitHub runner timed out waiting for SSH after unnecessary reboot

Solution:
- Add Tera conditional {% if ssh_port != 22 %} around write_files and runcmd
- SSH port configuration and reboot now only happen for custom ports
- E2E tests with default port 22 no longer trigger unnecessary reboots
- Provisioning is faster for default port configurations

Benefits:
- Faster provisioning when using default SSH port (no reboot overhead)
- E2E tests pass on GitHub Actions without timeout issues
- Still maintains reboot pattern for custom ports (proper SSH restart)
- Conditional approach is more efficient and user-friendly

Files Modified:
- templates/tofu/common/cloud-init.yml.tera: Add conditional around write_files and runcmd
- docs/issues/222-configure-ssh-service-port.md: Document conditional behavior
- docs/decisions/cloud-init-ssh-port-reboot.md: Add positive consequence about conditional execution

Technical Details:
The Tera template now checks if ssh_port != 22 before:
1. Writing /etc/ssh/sshd_config.d/99-custom-port.conf
2. Executing runcmd: [reboot]

This preserves the reboot pattern for custom ports (ensuring clean SSH restart)
while avoiding unnecessary reboots for default port configurations.

Testing:
- All 1424 unit tests pass
- All doctests pass
- E2E infrastructure lifecycle tests pass (default port 22, no reboot)
- E2E deployment workflow tests pass
- Documentation builds successfully
- Pre-commit verification: ✅ All checks passed
diff --git a/docs/decisions/cloud-init-ssh-port-reboot.md b/docs/decisions/cloud-init-ssh-port-reboot.md
@@ -31,6 +31,7 @@ We configure the custom SSH port via cloud-init using the **`write_files` + `reb
 1. **Write SSH configuration file** using cloud-init's `write_files` directive:
 
    ```yaml
+   {% if ssh_port != 22 %}
    write_files:
      - path: /etc/ssh/sshd_config.d/99-custom-port.conf
        content: |
@@ -45,8 +46,11 @@ We configure the custom SSH port via cloud-init using the **`write_files` + `reb
    ```yaml
    runcmd:
      - reboot
+   {% endif %}
    ```
 
+**Conditional Configuration**: The SSH port configuration and reboot only execute when `ssh_port != 22`, avoiding unnecessary reboots for environments using the default SSH port.
+
 The reboot ensures:
 
 - SSH service cleanly restarts with the new configuration
@@ -70,6 +74,7 @@ Additionally, we made two critical fixes to the provision handler:
 - **Correct architecture**: Infrastructure configuration happens during infrastructure provisioning
 - **No special cases**: Ansible can connect normally using the configured port without overrides or workarounds
 - **Compile-time safety**: Provision handler correctly waits for the configured port, preventing connection failures
+- **Conditional execution**: Only reboots when custom port is needed (ssh_port != 22), avoiding unnecessary reboots for default configurations
 
 ### Negative
 
diff --git a/docs/issues/222-configure-ssh-service-port.md b/docs/issues/222-configure-ssh-service-port.md
@@ -66,6 +66,7 @@ The SSH port is configured by:
 The cloud-init template uses the **reboot pattern** as documented in [Hetzner's cloud-config tutorial](https://community.hetzner.com/tutorials/basic-cloud-config):
 
 ```yaml
+{% if ssh_port != 22 %}
 write_files:
   - path: /etc/ssh/sshd_config.d/99-custom-port.conf
     content: |
@@ -79,8 +80,11 @@ runcmd:
   # The reboot ensures SSH service fully restarts with the new port from write_files
   # This is the recommended approach per Hetzner cloud-config best practices
   - reboot
+{% endif %}
 ```
 
+**Important**: The SSH port configuration and reboot are **conditional** - they only execute when `ssh_port != 22`. This avoids unnecessary reboots for environments using the default SSH port.
+
 **Why reboot?** Three critical reasons (from Hetzner documentation):
 
 1. Package updates may require reboot for patches to work properly
diff --git a/templates/tofu/common/cloud-init.yml.tera b/templates/tofu/common/cloud-init.yml.tera
@@ -32,6 +32,7 @@ users:
       # SSH public key injected from SshConfig.ssh_pub_key_path
       - {{ ssh_public_key }}
 
+{% if ssh_port != 22 %}
 write_files:
   - path: /etc/ssh/sshd_config.d/99-custom-port.conf
     content: |
@@ -45,4 +46,5 @@ runcmd:
   # The reboot ensures SSH service fully restarts with the new port from write_files
   # This is the recommended approach per Hetzner cloud-config best practices
   - reboot
+{% endif %}
 
