## Context

`ssh_port` is used in three places: `sshd_config.j2` (Port directive), `base/tasks/main.yml` (UFW SSH allow, fail2ban jail). It's currently global in `all.yml`. Ansible uses `ansible_port` to know which port to connect on.

## Goals / Non-Goals

**Goals:**

- Per-host SSH port via inventory (`ssh_port` + `ansible_port`)
- Global default remains 22

**Non-Goals:**

- Changing the SSH port automatically on the server (the user sets this beforehand)

## Decisions

### 1. Both `ansible_port` and `ssh_port` in inventory

`ansible_port` is Ansible's built-in variable for the connection port. `ssh_port` is our variable used in templates. Both should match. Set them together in the inventory host vars. Keep the default `ssh_port: 22` in `group_vars/all.yml` so it works if not overridden per-host.

## Risks / Trade-offs

- **[Port mismatch]** → If `ansible_port` and `ssh_port` don't match, Ansible connects on the wrong port. Mitigation: document this clearly; could also DRY it up by setting `ssh_port: "{{ ansible_port | default(22) }}"` in `all.yml`.
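
One way to catch the port mismatch described under Risks / Trade-offs before `ssh_port` is rendered into the sshd, UFW and fail2ban configuration, shown as an added example rather than the project's own code. The inventory path, host names and port 2222 are constructed, and the assert task is an assumed addition to the role.

```yaml
# Added example: three fragments from separate files, shown together.
# Host names, the inventory path and port 2222 are constructed placeholders.

# --- inventory/hosts.yml (assumed path) ---
all:
  hosts:
    web1.example.com:
      ansible_port: 2222   # port Ansible connects on
      ssh_port: 2222       # port used by sshd_config.j2, UFW allow, fail2ban jail
    web2.example.com: {}   # no override: uses ssh_port 22 from group_vars/all.yml

# --- group_vars/all.yml ---
ssh_port: 22

# --- first task in base/tasks/main.yml (assumed placement) ---
# Runs before any UFW, sshd or fail2ban task, so a host whose two
# variables disagree fails here and nothing is templated from ssh_port.
- name: Verify ssh_port matches the port Ansible connected on
  ansible.builtin.assert:
    that:
      # ansible_port is undefined when the host uses Ansible's default of 22
      - ssh_port | int == (ansible_port | default(22)) | int
      - ssh_port | int >= 1
      - ssh_port | int <= 65535
    fail_msg: >-
      ssh_port={{ ssh_port }} but ansible_port={{ ansible_port | default(22) }}
      on {{ inventory_hostname }}; set both together in the inventory host vars.
    quiet: true
```

The `| int` casts matter because a value derived through a template such as `"{{ ansible_port | default(22) }}"` can arrive as a string, and a string never compares equal to an integer in Jinja2.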