Move GitLab's SSH to port 22 and sshd to port 2222

With the ongoing git migration[1] our GitLab will gain a lot more usage,
so GitLab should get the default ssh port and then DevOps can use a
non-standard port.

We will redirect the old port (222) to the new port for some time, so
fetching won't break for existing local repositories.

[1] https://archlinux.org/news/git-migration-announcement/

host_vars/gitlab.archlinux.org/misc

+ansible_port: 2222
 filesystem: btrfs
 additional_addresses: ["213.133.111.6/32", "2a01:4f8:222:174c::2/64"]
 wireguard_address: 10.0.0.5

roles/gitlab/files/sshd_config

-# From upstream https://gitlab.com/gitlab-org/omnibus-gitlab/-/blob/master/docker/assets/sshd_config
-Port 222
-ChallengeResponseAuthentication no
-HostKey /etc/gitlab/ssh_host_rsa_key
-HostKey /etc/gitlab/ssh_host_ecdsa_key
-HostKey /etc/gitlab/ssh_host_ed25519_key
-Protocol 2
-PermitRootLogin no
-PasswordAuthentication no
-MaxStartups 100:30:200
-AllowUsers git
-PrintMotd no
-PrintLastLog no
-PubkeyAuthentication yes
-AuthorizedKeysFile %h/.ssh/authorized_keys /gitlab-data/ssh/authorized_keys
-AuthorizedKeysCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-keys-check git %u %k
-AuthorizedKeysCommandUser git
-
-# Fix: User username not allowed because account is locked
-# With "UsePAM yes" the "!" is seen as a password disabled account and not fully locked so ssh public key login works
-UsePAM yes
-
-# Disabling use DNS in ssh since it tends to slow connecting
-UseDNS no
-
-# Enable the use of Git protcol v2
-AcceptEnv GIT_PROTOCOL

roles/gitlab/tasks/main.yml

@@ -7,9 +7,6 @@
 - name: Create directory for gitlab
   file: path=/srv/gitlab state=directory owner=root group=root mode=0755
 
-- name: Copy sshd_config into place to change the port to 222
-  copy: src=sshd_config dest=/srv/gitlab/sshd_config owner=root group=root mode=640
-
 - name: Start docker gitlab image
   docker_container:
     name: gitlab
@@ -49,7 +46,6 @@
         letsencrypt['enable'] = true
         letsencrypt['contact_emails'] = ['webmaster@archlinux.org']
         gitlab_rails['lfs_enabled'] = true
-        gitlab_rails['gitlab_shell_ssh_port'] = 222
         gitlab_rails['gitlab_default_can_create_group'] = false
         gitlab_rails['gitlab_username_changing_enabled'] = false
         gitlab_rails['initial_root_password'] = "{{ vault_gitlab_root_password }}"
@@ -104,18 +100,24 @@
       - "/srv/gitlab/config:/etc/gitlab"
       - "/srv/gitlab/logs:/var/log/gitlab"
       - "/srv/gitlab/data:/var/opt/gitlab"
-      - "/srv/gitlab/sshd_config:/assets/sshd_config"
 
 - name: Prune unused docker images
   docker_prune:
     images: true
 
+- name: Setup 222 -> 22 port redirect
+  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 forward-port port=222 protocol=tcp to-port=22"
+  tags:
+    - firewall
+
 - name: Open firewall holes
   ansible.posix.firewalld: port={{ item }} permanent=true state=enabled immediate=yes
   when: configure_firewall
   with_items:
     - "80/tcp"
     - "443/tcp"
+    - "22/tcp"
     - "222/tcp"
   tags:
     - firewall

roles/sshd/tasks/main.yml

@@ -17,7 +17,7 @@
   service: name=sshd enabled=yes state=started
 
 - name: Open firewall holes
-  ansible.posix.firewalld: service=ssh permanent=true state=enabled immediate=yes
+  ansible.posix.firewalld: service={{ 'ssh' if ansible_port is not defined else omit }} port={{ "%d/tcp" | format(ansible_port) if ansible_port is defined else omit }} permanent=true state=enabled immediate=yes
   when: configure_firewall is defined and configure_firewall
   tags:
     - firewall

roles/sshd/templates/sshd_config.j2

@@ -10,7 +10,7 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
-#Port 22
+Port {{ ansible_port | default(22) }}
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::