Change default SSH port

config.cfg

@@ -11,6 +11,9 @@ users:
 
 ### Advanced users only below this line ###
 
+# Changing the port not supported by Scaleway, the default (22) is always used
+ssh_port: 4160
+
 # Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
 # Supports on MacOS and Linux only (including Windows Subsystem for Linux)
 pki_in_tmpfs: true
@@ -127,7 +130,7 @@ congrats:
   ca_key_pass: |
     "#        The CA key password is {{ CA_password|default(omit) }}       #"
   ssh_access: |
-    "#      Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }}        #"
+    "#      Shell access: ssh -i {{ SSH_keys.private }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} -p {{ ssh_port }}        #"
 
 SSH_keys:
   comment: algo@ssh

files/cloud-init/base.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+set -eux
+
+apt-get update -y
+apt-get install sudo -y
+
+getent passwd algo || useradd -m -d /home/algo -s /bin/bash -G sudo -p '!' algo
+
+cat <<EOF >/etc/sudoers.d/10-algo-user
+algo ALL=(ALL) NOPASSWD:ALL
+EOF
+
+cat <<EOF >/etc/ssh/sshd_config
+{{ lookup('template', 'files/cloud-init/sshd_config') }}
+EOF
+
+test -d /home/algo/.ssh || sudo -u algo mkdir -p /home/algo/.ssh/
+echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | sudo -u algo tee /home/algo/.ssh/authorized_keys
+
+sudo apt-get remove -y --purge sshguard || true
+systemctl restart sshd.service

files/cloud-init/base.yml

@@ -0,0 +1,29 @@
+#cloud-config
+output: {all: '| tee -a /var/log/cloud-init-output.log'}
+
+package_update: true
+package_upgrade: true
+
+packages:
+ - sudo
+
+users:
+  - default
+  - name: algo
+    homedir: /home/algo
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    groups: sudo
+    shell: /bin/bash
+    lock_passwd: true
+    ssh_authorized_keys:
+      - "{{ lookup('file', '{{ SSH_keys.public }}') }}"
+
+write_files:
+  - path: /etc/ssh/sshd_config
+    content: |
+      {{ lookup('template', 'files/cloud-init/sshd_config') | indent(width=6) }}
+
+runcmd:
+  - set -x
+  - sudo apt-get remove -y --purge sshguard || true
+  - systemctl restart sshd.service

files/cloud-init/sshd_config

@@ -0,0 +1,10 @@
+Port {{ ssh_port }}
+AllowUsers algo
+PermitRootLogin no
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+UsePAM yes
+X11Forwarding yes
+PrintMotd no
+AcceptEnv LANG LC_*
+Subsystem	sftp	/usr/lib/openssh/sftp-server

playbooks/cloud-post.yml

@@ -9,6 +9,7 @@
     groups: vpn-host
     ansible_connection: "{% if cloud_instance_ip == 'localhost' %}local{% else %}ssh{% endif %}"
     ansible_ssh_user: "{{ ansible_ssh_user }}"
+    ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
     ansible_python_interpreter: "/usr/bin/python3"
     algo_provider: "{{ algo_provider }}"
     algo_server_name: "{{ algo_server_name }}"
@@ -19,6 +20,7 @@
     algo_ssh_tunneling: "{{ algo_ssh_tunneling }}"
     algo_store_pki: "{{ algo_store_pki }}"
     IP_subject_alt_name: "{{ IP_subject_alt_name }}"
+    cloudinit: "{{ cloudinit|default(false) }}"
 
 - name: Additional variables for the server
   add_host:
@@ -28,7 +30,7 @@
 
 - name: Wait until SSH becomes ready...
   wait_for:
-    port: 22
+    port: "{{ ansible_ssh_port|default(22) }}"
     host: "{{ cloud_instance_ip }}"
     search_regex: "OpenSSH"
     delay: 10
@@ -47,6 +49,7 @@
 - debug:
     var: IP_subject_alt_name
 
-- name: A short pause, in order to be sure the instance is ready
+- name: Wait 600 seconds for target connection to become reachable/usable
-  pause:
+  wait_for_connection:
-    seconds: 20
+  delegate_to: "{{ item }}"
+  loop: "{{ groups['vpn-host'] }}"

roles/cloud-azure/files/deployment.json

@@ -13,6 +13,12 @@
     },
     "imageReferenceSku": {
       "type": "string"
+    },
+    "SshPort": {
+      "type": "int"
+    },
+    "UserData": {
+      "type": "string"
     }
   },
   "variables": {
@@ -30,10 +36,10 @@
           {
             "name": "AllowSSH",
             "properties": {
-              "description": "Locks inbound down to ssh default port 22.",
+              "description": "Allow SSH",
               "protocol": "Tcp",
               "sourcePortRange": "*",
-              "destinationPortRange": "22",
+              "destinationPortRange": "[parameters('SshPort')]",
               "sourceAddressPrefix": "*",
               "destinationAddressPrefix": "*",
               "access": "Allow",
@@ -160,13 +166,14 @@
         },
         "osProfile": {
           "computerName": "[resourceGroup().name]",
-          "adminUsername": "ubuntu",
+          "customData": "[parameters('UserData')]",
+          "adminUsername": "algo",
           "linuxConfiguration": {
             "disablePasswordAuthentication": true,
             "ssh": {
               "publicKeys": [
                 {
-                  "path": "/home/ubuntu/.ssh/authorized_keys",
+                  "path": "/home/algo/.ssh/authorized_keys",
                   "keyData": "[parameters('sshKeyData')]"
                 }
               ]

roles/cloud-azure/tasks/main.yml

@@ -31,8 +31,13 @@
         value: "{{ cloud_providers.azure.size }}"
       imageReferenceSku:
         value: "{{ cloud_providers.azure.image }}"
+      SshPort:
+        value: "{{ ssh_port }}"
+      UserData:
+        value: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}"
   register: azure_rm_deployment
 
 - set_fact:
     cloud_instance_ip: "{{ azure_rm_deployment.deployment.outputs.publicIPAddresses.value }}"
-    ansible_ssh_user: ubuntu
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"

roles/cloud-cloudstack/tasks/main.yml

@@ -26,38 +26,33 @@
         end_port: "{{ item.end_port }}"
         cidr: "{{ item.range }}"
       with_items:
-        - { proto: tcp, start_port: 22, end_port: 22, range: 0.0.0.0/0 }
+        - { proto: tcp, start_port: '{{ ssh_port }}', end_port: '{{ ssh_port }}', range: 0.0.0.0/0 }
         - { proto: udp, start_port: 4500, end_port: 4500, range: 0.0.0.0/0 }
         - { proto: udp, start_port: 500, end_port: 500, range: 0.0.0.0/0 }
         - { proto: udp, start_port: "{{ wireguard_port }}", end_port: "{{ wireguard_port }}", range: 0.0.0.0/0 }
 
-    - name: Keypair created
-      cs_sshkeypair:
-        name: "{{ SSH_keys.comment|regex_replace('@', '_') }}"
-        public_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
-      register: cs_keypair
-
     - name: Set facts
       set_fact:
         image_id: "{{ cloud_providers.cloudstack.image }}"
         size: "{{ cloud_providers.cloudstack.size }}"
         disk: "{{ cloud_providers.cloudstack.disk }}"
-        keypair_name: "{{ cs_keypair.name }}"
 
     - name: Server created
       cs_instance:
         name: "{{ algo_server_name }}"
         root_disk_size: "{{ disk }}"
         template: "{{ image_id }}"
-        ssh_key: "{{ keypair_name }}"
         security_groups: "{{ cs_security_group.name }}"
         zone: "{{ algo_region }}"
         service_offering: "{{ size }}"
+        user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
       register: cs_server
 
     - set_fact:
         cloud_instance_ip: "{{ cs_server.default_ip }}"
-        ansible_ssh_user: ubuntu
+        ansible_ssh_user: algo
+        ansible_ssh_port: "{{ ssh_port }}"
+        cloudinit: true
   environment:
     CLOUDSTACK_CONFIG: "{{ algo_cs_config }}"
     CLOUDSTACK_REGION: "{{ algo_cs_region }}"

roles/cloud-digitalocean/tasks/main.yml

@@ -21,10 +21,13 @@
     unique_name: true
     ipv6: true
     ssh_keys: "{{ do_ssh_key.data.ssh_key.id }}"
+    user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
     tags:
       - Environment:Algo
   register: digital_ocean_droplet
 
 - set_fact:
     cloud_instance_ip: "{{ digital_ocean_droplet.data.ip_address }}"
-    ansible_ssh_user: root
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"
+    cloudinit: true

roles/cloud-ec2/files/stack.yaml

@@ -16,6 +16,10 @@ Parameters:
     Default: ''
   EbsEncrypted:
     Type: String
+  UserData:
+    Type: String
+  SshPort:
+    Type: String
 Conditions:
   AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
   AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
@@ -123,8 +127,8 @@ Resources:
       GroupDescription: Enable SSH and IPsec
       SecurityGroupIngress:
         - IpProtocol: tcp
-          FromPort: '22'
+          FromPort: !Ref SshPort
-          ToPort: '22'
+          ToPort: !Ref SshPort
           CidrIp: 0.0.0.0/0
         - IpProtocol: udp
           FromPort: '500'
@@ -148,16 +152,6 @@ Resources:
       - SubnetIPv6
       - Subnet
       - InstanceSecurityGroup
-    Metadata:
-      AWS::CloudFormation::Init:
-        config:
-          files:
-            /home/ubuntu/.ssh/authorized_keys:
-              content:
-                Ref: PublicSSHKeyParameter
-              mode: "000644"
-              owner: "ubuntu"
-              group: "ubuntu"
     Properties:
       InstanceType:
         Ref: InstanceTypeParameter
@@ -174,15 +168,7 @@ Resources:
         Ref: ImageIdParameter
       SubnetId: !Ref Subnet
       Ipv6AddressCount: 1
-      UserData:
+      UserData: !Ref UserData
-        "Fn::Base64":
-          !Sub |
-            #!/bin/bash -xe
-            apt-get update
-            apt-get -y install python-pip
-            pip install https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
-            cfn-init -v --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
-            cfn-signal -e $? --stack ${AWS::StackName} --resource EC2Instance --region ${AWS::Region}
       Tags:
         - Key: Name
           Value: !Ref AWS::StackName

roles/cloud-ec2/tasks/cloudformation.yml

@@ -14,6 +14,8 @@
       WireGuardPort: "{{ wireguard_port }}"
       UseThisElasticIP: "{{ existing_eip }}"
       EbsEncrypted: "{{ encrypted }}"
+      UserData: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}"
+      SshPort: "{{ ssh_port }}"
     tags:
       Environment: Algo
   register: stack

roles/cloud-ec2/tasks/main.yml

@@ -24,4 +24,6 @@
 
 - set_fact:
     cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}"
-    ansible_ssh_user: ubuntu
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"
+    cloudinit: true

roles/cloud-gce/tasks/main.yml

@@ -32,7 +32,7 @@
           - '{{ wireguard_port|string }}'
       - ip_protocol: tcp
         ports:
-          - '22'
+          - '{{ ssh_port }}'
       - ip_protocol: icmp
 
 - block:
@@ -64,10 +64,8 @@
         initialize_params:
           source_image: "projects/ubuntu-os-cloud/global/images/family/{{ cloud_providers.gce.image }}"
     metadata:
-      ssh-keys: "ubuntu:{{ ssh_public_key_lookup }}"
+      ssh-keys: "algo:{{ ssh_public_key_lookup }}"
-      user-data: |
+      user-data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
-        #!/bin/bash
-        sudo apt-get remove -y --purge sshguard
     network_interfaces:
       - network: "{{ gcp_compute_network }}"
         access_configs:
@@ -81,4 +79,6 @@
 
 - set_fact:
     cloud_instance_ip: "{{ gcp_compute_instance.networkInterfaces[0].accessConfigs[0].natIP }}"
-    ansible_ssh_user: ubuntu
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"
+    cloudinit: true

roles/cloud-hetzner/tasks/main.yml

@@ -22,10 +22,13 @@
     state: present
     api_token: "{{ algo_hcloud_token }}"
     ssh_keys: "{{ hcloud_ssh_key.hcloud_ssh_key.name }}"
+    user_data: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
     labels:
       Environment: algo
   register: hcloud_server
 
 - set_fact:
     cloud_instance_ip: "{{ hcloud_server.hcloud_server.ipv4_address }}"
-    ansible_ssh_user: root
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"
+    cloudinit: true

roles/cloud-lightsail/tasks/main.yml

@@ -17,6 +17,9 @@
     bundle_id: "{{ cloud_providers.lightsail.size }}"
     wait_timeout: "300"
     open_ports:
+      - from_port: "{{ ssh_port }}"
+        to_port:  "{{ ssh_port }}"
+        protocol: tcp
       - from_port: 4500
         to_port: 4500
         protocol: udp
@@ -27,15 +30,11 @@
         to_port: "{{ wireguard_port }}"
         protocol: udp
     user_data: |
-      #!/bin/bash
+      {{ lookup('template', 'files/cloud-init/base.sh') }}
-      mkdir -p /home/ubuntu/.ssh/
-      echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" >> /home/ubuntu/.ssh/authorized_keys
-      chown -R ubuntu: /home/ubuntu/.ssh/
-      chmod 0700 /home/ubuntu/.ssh/
-      chmod 0600 /home/ubuntu/.ssh/*
-      test
   register: algo_instance
 
 - set_fact:
     cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}"
-    ansible_ssh_user: ubuntu
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"
+    cloudinit: true

roles/cloud-openstack/tasks/main.yml

@@ -22,26 +22,26 @@
     port_range_max: "{{ item.port_max }}"
     remote_ip_prefix: "{{ item.range }}"
   with_items:
-    - { proto: tcp, port_min: 22, port_max: 22, range: 0.0.0.0/0 }
+    - { proto: tcp, port_min: '{{ ssh_port }}', port_max: '{{ ssh_port }}', range: 0.0.0.0/0 }
     - { proto: icmp, port_min: -1, port_max: -1, range: 0.0.0.0/0 }
     - { proto: udp, port_min: 4500, port_max: 4500, range: 0.0.0.0/0 }
     - { proto: udp, port_min: 500, port_max: 500, range: 0.0.0.0/0 }
     - { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 }
 
-- name: Keypair created
-  os_keypair:
-    state: "{{ state|default('present') }}"
-    name: "{{ SSH_keys.comment|regex_replace('@', '_') }}"
-    public_key_file: "{{ SSH_keys.public }}"
-  register: os_keypair
-
 - name: Gather facts about flavors
   os_flavor_facts:
     ram: "{{ cloud_providers.openstack.flavor_ram }}"
 
 - name: Gather facts about images
   os_image_facts:
-    image: "{{ cloud_providers.openstack.image }}"
+
+- name: Set image as a fact
+  set_fact:
+    image_id: "{{ item.id }}"
+  loop: "{{ openstack_image }}"
+  when:
+    - item.name == cloud_providers.openstack.image
+    - item.status == "active"
 
 - name: Gather facts about public networks
   os_networks_facts:
@@ -58,8 +58,6 @@
 - name: Set facts
   set_fact:
     flavor_id: "{{ (openstack_flavors | sort(attribute='ram'))[0]['id'] }}"
-    image_id: "{{ openstack_image['id'] }}"
-    keypair_name: "{{ os_keypair.key.name }}"
     security_group_name: "{{ os_security_group['secgroup']['name'] }}"
 
 - name: Server created
@@ -68,12 +66,14 @@
     name: "{{ algo_server_name }}"
     image: "{{ image_id }}"
     flavor: "{{ flavor_id }}"
-    key_name: "{{ keypair_name }}"
     security_groups: "{{ security_group_name }}"
+    userdata: "{{ lookup('template', 'files/cloud-init/base.yml') }}"
     nics:
       - net-id: "{{ public_network_id }}"
   register: os_server
 
 - set_fact:
     cloud_instance_ip: "{{ os_server['openstack']['public_v4'] }}"
-    ansible_ssh_user: ubuntu
+    ansible_ssh_user: algo
+    ansible_ssh_port: "{{ ssh_port }}"
+    cloudinit: true

roles/cloud-vultr/tasks/main.yml

@@ -3,12 +3,6 @@
   import_tasks: prompts.yml
 
 - block:
-  - name: Upload the SSH key
-    vultr_ssh_key:
-      name: "{{ SSH_keys.comment }}"
-      ssh_key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
-    register: ssh_key
-
   - name: Creating a firewall group
     vultr_firewall_group:
       name: "{{ algo_server_name }}"
@@ -21,8 +15,8 @@
       ip_version: "{{ item.ip }}"
       cidr: "{{ item.cidr }}"
     with_items:
-    - { protocol: tcp, port: 22, ip: v4, cidr: "0.0.0.0/0" }
+    - { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: "0.0.0.0/0" }
-    - { protocol: tcp, port: 22, ip: v6, cidr: "::/0" }
+    - { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" }
     - { protocol: udp, port: 500, ip: v4, cidr: "0.0.0.0/0" }
     - { protocol: udp, port: 500, ip: v6, cidr: "::/0" }
     - { protocol: udp, port: 4500, ip: v4, cidr: "0.0.0.0/0" }
@@ -30,9 +24,18 @@
     - { protocol: udp, port: "{{ wireguard_port }}", ip: v4, cidr: "0.0.0.0/0" }
     - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }
 
+  - name: Upload the startup script
+    vultr_startup_script:
+      name: algo-startup
+      script:  |
+        {{ lookup('template', 'files/cloud-init/base.sh') }}
+        mkdir -p /var/lib/cloud/data/ || true
+        touch /var/lib/cloud/data/result.json
+
   - name: Creating a server
     vultr_server:
       name: "{{ algo_server_name }}"
+      startup_script: algo-startup
       hostname: "{{ algo_server_name }}"
       os: "{{ cloud_providers.vultr.os }}"
       plan: "{{ cloud_providers.vultr.size }}"
@@ -40,7 +43,6 @@
       firewall_group: "{{ algo_server_name }}"
       state: started
       tag: Environment:Algo
-      ssh_key: "{{ ssh_key.vultr_ssh_key.name }}"
       ipv6_enabled: true
       auto_backup_enabled: false
       notify_activate: false
@@ -48,7 +50,9 @@
 
   - set_fact:
       cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}"
-      ansible_ssh_user: root
+      ansible_ssh_user: algo
+      ansible_ssh_port: "{{ ssh_port }}"
+      cloudinit: true
 
   environment:
     VULTR_API_CONFIG: "{{ algo_vultr_config }}"

roles/common/templates/rules.v4.j2

@@ -64,8 +64,8 @@ COMMIT
 -A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
 # Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
 -A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
-# Allow new traffic to port 22 (SSH)
+# Allow new traffic to port {{ ssh_port }} (SSH)
--A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p tcp --dport {{ ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
 
 {% if ipsec_enabled %}
 # Allow any traffic from the IPsec VPN

roles/common/templates/rules.v6.j2

@@ -70,8 +70,8 @@ COMMIT
 -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j ACCEPT
 # Accept IPSEC/WireGuard traffic to ports {{ subnets|join(',') }}
 -A INPUT -p udp -m multiport --dports {{ ports|join(',') }} -j ACCEPT
-# Allow new traffic to port 22 (SSH)
+# Allow new traffic to port {{ ssh_port }} (SSH)
--A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p tcp --dport {{ ssh_port }} -m conntrack --ctstate NEW -j ACCEPT
 
 # Accept properly formatted Neighbor Discovery Protocol packets
 -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT

server.yml

@@ -6,6 +6,14 @@
   vars_files:
     - config.cfg
   tasks:
+    - name: Wait until the cloud-init completed
+      wait_for:
+        path: /var/lib/cloud/data/result.json
+        delay: 10
+        timeout: 600
+        state: present
+      when: cloudinit
+
     - block:
       - import_role:
           name: common
@@ -40,6 +48,7 @@
             content: |
               server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
               server_user: {{ ansible_ssh_user }}
+              ansible_ssh_port: "{{ ansible_ssh_port|default(22) }}"
               {% if algo_provider != "local" %}
               ansible_ssh_private_key_file: {{ SSH_keys.private }}
               {% endif %}