Context

ssh_port is used in three places: the Port directive in sshd_config.j2, and the UFW SSH allow rule and the fail2ban jail in base/tasks/main.yml. It is currently a global variable in all.yml. Ansible uses ansible_port to know which port to connect on.

Goals / Non-Goals

Goals:

  • Per-host SSH port via inventory (ssh_port + ansible_port)
  • Global default remains 22

Non-Goals:

  • Changing SSH port automatically on the server (user sets this beforehand)

Decisions

1. Both ansible_port and ssh_port in inventory

ansible_port is Ansible's built-in variable for the connection port. ssh_port is our own variable, used in templates and tasks. The two should match, so set them together in the inventory host vars.

Keep the default ssh_port: 22 in group_vars/all.yml so it works if not overridden per-host.

Risks / Trade-offs

  • [Port mismatch] → If ansible_port and ssh_port don't match, Ansible connects on the wrong port. Mitigation: document this clearly; we could also DRY it up by setting ssh_port: "{{ ansible_port | default(22) }}" in all.yml.
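
An added example, not part of the original design doc: the inventory layout from Decision 1 with a pre_tasks assertion that stops the play when the two ports disagree, before the base role renders sshd_config.j2 or touches UFW and fail2ban. The host names, port 2222, the file names inventory/hosts.yml and site.yml, and the role name base are assumptions.

```yaml
# inventory/hosts.yml: constructed sample; host names and port 2222 are placeholders
all:
  hosts:
    web1.example.com:
      ansible_port: 2222   # port Ansible connects on
      ssh_port: 2222       # port used by sshd_config.j2, the UFW rule and the fail2ban jail
    db1.example.com: {}    # no override: Ansible connects on 22, ssh_port comes from all.yml
---
# group_vars/all.yml: global default stays 22
ssh_port: 22
---
# site.yml: assumed playbook name; "base" is assumed to be the role owning base/tasks/main.yml
- hosts: all
  pre_tasks:
    # assert is evaluated on the controller, and pre_tasks run before roles,
    # so a mismatch fails the host before any SSH-related file or rule is changed.
    - name: Stop if ssh_port and ansible_port disagree
      ansible.builtin.assert:
        that:
          - (ssh_port | int) == (ansible_port | default(22) | int)
        fail_msg: >-
          {{ inventory_hostname }}: ssh_port={{ ssh_port }} but
          ansible_port={{ ansible_port | default(22) }}. Set both in the host vars.
        quiet: true
  roles:
    - base
```

The int filters make the comparison hold when one value is quoted in the inventory and the other is not.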