## Context

Inventory defines `ansible_port: 21212` per host. `group_vars/all.yml` was supposed to derive `ssh_port` from `ansible_port` (matching the `.example` template), but was hardcoded to `22` instead. This means the sshd config, UFW rules, and fail2ban jail all use port 22 regardless of the actual SSH port.

## Goals / Non-Goals

**Goals:**
- Make `ssh_port` automatically follow `ansible_port` from inventory

**Non-Goals:**
- No other changes

## Decisions

Change `ssh_port: 22` to `ssh_port: "{{ ansible_port | default(22) }}"` in `group_vars/all.yml`. This matches the `.example` and ensures per-host `ansible_port` is respected. The `default(22)` fallback handles the case where `ansible_port` is not defined.