torrust
diff --git a/‎docs/decisions/README.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/decisions/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/decisions/cloud-init-ssh-port-reboot.md‎
Lines changed: 138 additions & 0 deletions b/‎docs/decisions/cloud-init-ssh-port-reboot.md‎
Lines changed: 138 additions & 0 deletions
diff --git a/‎docs/issues/222-configure-ssh-service-port.md‎
Lines changed: 138 additions & 14 deletions b/‎docs/issues/222-configure-ssh-service-port.md‎
Lines changed: 138 additions & 14 deletions
@@ -6,6 +6,7 @@ This directory contains architectural decision records for the Torrust Tracker D
 
 | Status        | Date       | Decision                                                                                              | Summary                                                                                   |
 | ------------- | ---------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
+| ✅ Accepted   | 2025-12-11 | [Cloud-Init SSH Port Configuration with Reboot](./cloud-init-ssh-port-reboot.md)                      | Use cloud-init with reboot pattern to configure custom SSH ports during VM provisioning   |
 | ✅ Accepted   | 2025-12-10 | [Single Docker Image for Sequential E2E Command Testing](./single-docker-image-sequential-testing.md) | Use single Docker image with sequential command execution instead of multi-image phases   |
 | ✅ Accepted   | 2025-12-09 | [Register Command SSH Port Override](./register-ssh-port-override.md)                                 | Add optional --ssh-port argument to register command for non-standard SSH ports           |
 | ✅ Accepted   | 2025-11-19 | [Disable MD060 Table Formatting Rule](./md060-table-formatting-disabled.md)                           | Disable MD060 to allow flexible table formatting and emoji usage                          |
 
@@ -0,0 +1,138 @@
+# Decision: Cloud-Init SSH Port Configuration with Reboot
+
+## Status
+
+Accepted
+
+## Date
+
+2025-12-11
+
+## Context
+
+The deployer needs to support custom SSH ports for security and flexibility. The SSH port configuration must be applied **during VM provisioning** (not later in the configure phase) because:
+
+1. **Provision phase dependencies**: The `WaitForCloudInitStep` runs during provision and uses Ansible to wait for cloud-init completion. Ansible connects using the custom port from the inventory configuration.
+
+2. **Timing requirement**: If SSH is not already listening on the custom port when `WaitForCloudInitStep` executes, the provision command fails with connection errors.
+
+3. **Architectural correctness**: SSH port is infrastructure configuration, not application configuration. It should be set during infrastructure provisioning, not as a post-provisioning step.
+
+The challenge was ensuring SSH service reliably restarts with the new port configuration during cloud-init execution. Multiple approaches were tested:
+
+- **systemctl restart**: Does not kill the old SSH process when port changes, resulting in SSH listening on both ports 22 and the custom port
+- **pkill + systemctl start**: Works but is brittle and non-standard
+- **bootcmd disable + runcmd restart**: Ineffective because systemd automatically re-enables and starts SSH after bootcmd completes
+
+## Decision
+
+We configure the custom SSH port via cloud-init using the **`write_files` + `reboot` pattern**, following Hetzner's cloud-config best practices:
+
+1. **Write SSH configuration file** using cloud-init's `write_files` directive:
+
+   ```yaml
+   write_files:
+     - path: /etc/ssh/sshd_config.d/99-custom-port.conf
+       content: |
+         # Custom SSH port configuration
+         Port {{ ssh_port }}
+       permissions: "0644"
+       owner: root:root
+   ```
+
+2. **Trigger system reboot** in cloud-init's `runcmd` phase:
+
+   ```yaml
+   runcmd:
+     - reboot
+   ```
+
+The reboot ensures:
+
+- SSH service cleanly restarts with the new configuration
+- No old SSH processes remain on port 22
+- All services start in a consistent state
+- Package updates are applied (if cloud-init installed packages)
+
+Additionally, we made two critical fixes to the provision handler:
+
+1. **Use configured SSH port**: Changed `wait_for_readiness()` to use `SocketAddr::new(ip, ssh_port)` instead of `SshConfig::with_default_port()`, ensuring the provision handler waits for SSH on the correct custom port (not port 22).
+
+2. **Increase SSH connectivity timeout**: Raised `DEFAULT_MAX_RETRY_ATTEMPTS` from 30 to 60 attempts (120 seconds total), accounting for the ~70-80 second cloud-init completion time plus reboot time.
+
+## Consequences
+
+### Positive
+
+- **Clean SSH restart**: Reboot guarantees SSH only listens on the custom port, no lingering processes on port 22
+- **Industry best practice**: Follows Hetzner's documented cloud-config pattern for SSH port changes
+- **Simple and reliable**: Single `reboot` command is simpler than managing service lifecycle manually
+- **Correct architecture**: Infrastructure configuration happens during infrastructure provisioning
+- **No special cases**: Ansible can connect normally using the configured port without overrides or workarounds
+- **Compile-time safety**: Provision handler correctly waits for the configured port, preventing connection failures
+
+### Negative
+
+- **Slower provisioning**: Reboot adds ~10-20 seconds to VM initialization time
+- **Additional wait time**: Provision handler must wait longer (120s instead of 60s) for cloud-init and reboot to complete
+- **Complexity**: Three separate changes required (cloud-init template, provision handler port usage, timeout increase)
+
+### Risks
+
+- **Reboot timing**: If reboot takes longer than expected, SSH connectivity check might timeout (mitigated by 120-second timeout)
+- **Cloud-init failure**: If reboot fails or cloud-init has errors, the provision will fail (acceptable - we want to catch infrastructure issues early)
+
+## Alternatives Considered
+
+### Alternative 1: Ansible Playbook in Configure Phase
+
+**Approach**: Use an Ansible playbook during the `configure` phase to reconfigure SSH port after provisioning.
+
+**Why Rejected**:
+
+- **Timing problem**: `WaitForCloudInitStep` in provision already fails before reaching configure phase
+- **Architectural mismatch**: SSH port is infrastructure config, should be set during VM initialization
+- **Added complexity**: Requires special connection handling (connect on 22, reconfigure, reconnect on custom port)
+- **More failure points**: Port transition adds potential for connection issues
+
+### Alternative 2: systemctl restart Without Reboot
+
+**Approach**: Use cloud-init `runcmd` to execute `systemctl restart ssh` without full system reboot.
+
+**Why Rejected**:
+
+- **Doesn't kill old process**: `systemctl restart` doesn't terminate the existing SSH daemon when port changes
+- **Dual port listening**: Results in SSH listening on both port 22 (old) and custom port (new)
+- **Testing showed failure**: Multiple test attempts confirmed SSH remained on port 22 after cloud-init "completion"
+
+### Alternative 3: pkill + systemctl start
+
+**Approach**: Kill SSH processes with `pkill -9 sshd`, then start fresh with `systemctl start ssh`.
+
+**Why Rejected**:
+
+- **Non-standard**: Violates best practices for service management
+- **Brittle**: Process killing is less reliable than clean reboot
+- **Not industry pattern**: No documentation or precedent for this approach
+
+### Alternative 4: Wait for Port 22, Then Handle Port Change
+
+**Approach**: Keep provision handler waiting for port 22, handle port transition separately.
+
+**Why Rejected**:
+
+- **Wrong abstraction**: Provision handler should use the configured port, not hardcode defaults
+- **Added complexity**: Would require special logic to detect port changes mid-provision
+- **Race conditions**: SSH might move to custom port at unpredictable times during cloud-init
+
+## Related Decisions
+
+- [Register Command SSH Port Override](./register-ssh-port-override.md) - Relates to SSH port handling in different commands
+- [Environment Variable Prefix](./environment-variable-prefix.md) - Relates to configuration management patterns
+
+## References
+
+- [Hetzner Cloud-Config Tutorial](https://community.hetzner.com/tutorials/basic-cloud-config) - Section 5.3 documents the reboot pattern for SSH configuration
+- [Cloud-Init Documentation](https://cloudinit.readthedocs.io/en/latest/) - Official cloud-init reference
+- [Issue #222: Configure SSH Service Port](../issues/222-configure-ssh-service-port.md) - Original issue specification
+- [OpenSSH sshd_config.d](https://manpages.debian.org/bookworm/openssh-server/sshd_config.5.en.html#Include) - Ubuntu SSH configuration directory pattern
@@ -21,19 +21,20 @@ This creates a critical configuration mismatch:
 
 **Result**: The `provision` command fails during the `WaitForCloudInitStep` because Ansible cannot connect to the instance on the configured custom port (the playbook uses the inventory which specifies the custom port, but SSH is still on port 22). The deployment cannot proceed beyond provisioning.
 
-## Solution Implemented: Cloud-Init SSH Port Configuration
+## Solution Implemented: Cloud-Init SSH Port Configuration with Reboot
 
-After analysis, we determined the best solution is to **configure the SSH port via cloud-init during VM initialization**, rather than trying to reconfigure it later in the configure phase. This approach:
+After extensive analysis and testing, we determined the best solution is to **configure the SSH port via cloud-init during VM initialization with a system reboot**, following Hetzner's cloud-config best practices. This approach:
 
 - ✅ Configures SSH port BEFORE any SSH connections are attempted
+- ✅ Ensures clean SSH restart with no lingering processes on port 22
 - ✅ No special connection handling or port overrides needed
 - ✅ Works seamlessly with both `WaitForSSHConnectivityStep` and `WaitForCloudInitStep`
-- ✅ Simpler and more reliable than post-provisioning reconfiguration
+- ✅ Simpler and more reliable than post-provisioning reconfiguration or manual service management
 
 ### Implementation Overview
 
 **Phase**: `provision` (VM initialization)
-**Mechanism**: Cloud-init `write_files` directive
+**Mechanism**: Cloud-init `write_files` + `runcmd` with reboot
 **Component**: `templates/tofu/common/cloud-init.yml.tera`
 
 The SSH port is configured by:
@@ -48,18 +49,83 @@ The SSH port is configured by:
 2. **During VM Initialization** (first boot):
 
    - Cloud-init creates `/etc/ssh/sshd_config.d/99-custom-port.conf` with the port setting
-   - Cloud-init restarts the SSH service to apply the configuration
+   - Cloud-init triggers system reboot via `runcmd: [reboot]`
+   - System reboots, SSH service starts cleanly with new configuration
    - This happens BEFORE any Ansible connection attempts
 
 3. **During SSH Connectivity Checks**:
-   - Both `WaitForSSHConnectivityStep` and `WaitForCloudInitStep` connect using the configured custom port
-   - SSH service is already listening on the correct port - connection succeeds immediately
+   - Provision handler's `wait_for_readiness()` uses the configured custom port (not default port 22)
+   - SSH connectivity timeout increased to 120 seconds to account for cloud-init + reboot time (~70-80s)
+   - Both `WaitForSSHConnectivityStep` and `WaitForCloudInitStep` connect using the custom port
+   - SSH service is listening only on the correct port - connection succeeds
+
+### Critical Implementation Details
+
+#### Cloud-Init Reboot Pattern
+
+The cloud-init template uses the **reboot pattern** as documented in [Hetzner's cloud-config tutorial](https://community.hetzner.com/tutorials/basic-cloud-config):
+
+```yaml
+write_files:
+  - path: /etc/ssh/sshd_config.d/99-custom-port.conf
+    content: |
+      # Custom SSH port configuration
+      Port {{ ssh_port }}
+    permissions: "0644"
+    owner: root:root
+
+runcmd:
+  # Reboot to apply SSH port configuration
+  # The reboot ensures SSH service fully restarts with the new port from write_files
+  # This is the recommended approach per Hetzner cloud-config best practices
+  - reboot
+```
+
+**Why reboot?** Three critical reasons (from Hetzner documentation):
+
+1. Package updates may require reboot for patches to work properly
+2. Service configurations (like SSH port changes) are applied cleanly
+3. System starts in a consistent state with all configurations active
+
+**Why not `systemctl restart ssh`?** Testing revealed multiple issues:
+
+- `systemctl restart` doesn't kill the old SSH process when the port changes
+- Results in SSH listening on **both** port 22 (old PID) and custom port (new PID)
+- Cloud-init's runcmd execution of `systemctl restart ssh` often completes without actually restarting SSH
+- systemd automatically re-enables and starts SSH after bootcmd, making bootcmd-based approaches ineffective
+
+#### Provision Handler Port Configuration
+
+Two critical fixes were required in the provision handler:
+
+1. **Use Configured Port** (`src/application/command_handlers/provision/handler.rs`):
+
+   ```rust
+
+   // Before: Always waited for default port 22
+   let ssh_config = SshConfig::with_default_port(instance_ip);
+
+   // After: Wait for configured custom port
+   let ssh_port = environment.ssh_port();
+   let ssh_config = SshConfig::new(SocketAddr::new(instance_ip, ssh_port));
+
+   ```
+
+2. **Increase Timeout** (`src/adapters/ssh/config.rs`):
+
+   ```rust
+
+   // Changed from 30 to 60 attempts (120 seconds total)
+   // Accounts for cloud-init completion (~70-80s) + reboot time
+   pub const DEFAULT_MAX_RETRY_ATTEMPTS: u32 = 60;
+
+   ```
 
 ### Files Modified
 
 #### Template Files
 
-- **`templates/tofu/common/cloud-init.yml.tera`**: Added `write_files` section to create SSH port configuration file, and `runcmd` to restart SSH service
+- **`templates/tofu/common/cloud-init.yml.tera`**: Added `write_files` section to create SSH port configuration file, and `runcmd: [reboot]` to trigger system reboot for clean SSH restart
 
 #### Infrastructure Layer (DDD)
 
@@ -69,11 +135,17 @@ The SSH port is configured by:
 
 #### Application Layer (DDD)
 
-- **`src/application/command_handlers/provision/handler.rs`**: Updated to pass `ssh_port` from environment to `TofuProjectGenerator`
+- **`src/application/command_handlers/provision/handler.rs`**: Updated to pass `ssh_port` from environment to `TofuProjectGenerator` and to `wait_for_readiness()`, changed to use `SocketAddr::new(ip, ssh_port)` instead of `SshConfig::with_default_port()`
+
+#### Adapters Layer
+
+- **`src/adapters/ssh/config.rs`**: Increased `DEFAULT_MAX_RETRY_ATTEMPTS` from 30 to 60 (120 seconds total timeout) to account for cloud-init completion and reboot time
 
-### Why We Discarded the Ansible-Based Approach
+### Why We Discarded Alternative Approaches
 
-**Initial Plan**: We initially considered using an Ansible playbook in the `configure` phase to reconfigure SSH port after provisioning.
+#### Alternative 1: Ansible-Based Approach (Configure Phase)
+
+**Initial Plan**: Use an Ansible playbook in the `configure` phase to reconfigure SSH port after provisioning.
 
 **Why It Was Discarded**:
 
@@ -95,7 +167,38 @@ The SSH port is configured by:
    - Not during application setup (configure phase)
    - Cloud-init is the proper tool for initial system configuration
 
-**Conclusion**: The cloud-init approach is cleaner, more reliable, and architecturally correct. It configures infrastructure settings during infrastructure provisioning, not as a post-provisioning step.
+#### Alternative 2: systemctl restart Without Reboot
+
+**Approach**: Use cloud-init `runcmd` to execute `systemctl restart ssh` without full system reboot.
+
+**Why It Was Discarded**:
+
+- Testing revealed `systemctl restart ssh` doesn't kill the old SSH process when port changes
+- Results in SSH listening on **both** port 22 (old PID) and custom port (new PID)
+- Cloud-init runcmd execution often completes without SSH actually restarting
+- Multiple test attempts confirmed SSH remained on port 22 after cloud-init reported "completion"
+
+#### Alternative 3: bootcmd disable + runcmd restart
+
+**Approach**: Use `bootcmd` to disable SSH before it auto-starts, then use `runcmd` to restart it with new config.
+
+**Why It Was Discarded**:
+
+- systemd automatically re-enables and starts SSH approximately 3 seconds after bootcmd disables it
+- Testing showed SSH started at 19:19:51 despite bootcmd completing at 19:19:48
+- systemd service management overrides cloud-init's bootcmd attempts
+
+#### Alternative 4: pkill + systemctl start
+
+**Approach**: Kill SSH processes with `pkill -9 sshd`, then start fresh with `systemctl start ssh`.
+
+**Why It Was Discarded**:
+
+- Non-standard approach, violates best practices for service management
+- More brittle than clean system reboot
+- No industry precedent or documentation for this pattern
+
+**Conclusion**: The cloud-init with reboot approach is the cleanest, most reliable, and follows industry best practices (Hetzner). It configures infrastructure settings during infrastructure provisioning with a guaranteed clean service restart.
 
 ## Acceptance Criteria
 
@@ -132,22 +235,43 @@ The SSH port is configured by:
 
 ### Cloud-Init Configuration Format
 
-The cloud-init template uses `write_files` to create a drop-in configuration file:
+The cloud-init template uses `write_files` + `reboot` pattern following Hetzner best practices:
 
 ```yaml
 write_files:
   - path: /etc/ssh/sshd_config.d/99-custom-port.conf
     content: |
+      # Custom SSH port configuration
       Port {{ ssh_port }}
     permissions: "0644"
+    owner: root:root
 
 runcmd:
-  - systemctl restart ssh
+  # Reboot to apply SSH port configuration
+  # The reboot ensures SSH service fully restarts with the new port from write_files
+  # This is the recommended approach per Hetzner cloud-config best practices
+  - reboot
 ```
 
 This approach:
 
 - Uses Ubuntu's drop-in configuration directory pattern
+- Avoids modifying the main `/etc/ssh/sshd_config` file
+- Ensures clean SSH restart via system reboot (no lingering processes on port 22)
+- Follows industry best practices documented by Hetzner
+- Simpler than manual service lifecycle management
+
+### Provision Handler Timeout Considerations
+
+The provision handler waits up to **120 seconds** (60 attempts × 2 seconds) for SSH connectivity:
+
+- Cloud-init completion takes approximately 70-80 seconds
+- System reboot adds approximately 10-20 seconds
+- Total time typically 80-100 seconds
+- 120-second timeout provides sufficient buffer
+
+This timeout increase (from the previous 60 seconds) ensures reliable provisioning with custom SSH ports.
+
 - Overrides the default port without modifying main config
 - Takes effect immediately after service restart
 - Works on all Ubuntu versions with systemd