torrust
diff --git a/‎.markdownlint.json‎
Lines changed: 1 addition & 1 deletion b/‎.markdownlint.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎infrastructure/cloud-init/SSH_BUG_ANALYSIS.md‎
Lines changed: 130 additions & 0 deletions b/‎infrastructure/cloud-init/SSH_BUG_ANALYSIS.md‎
Lines changed: 130 additions & 0 deletions
diff --git a/‎infrastructure/cloud-init/SSH_BUG_SUMMARY.md‎
Lines changed: 257 additions & 0 deletions b/‎infrastructure/cloud-init/SSH_BUG_SUMMARY.md‎
Lines changed: 257 additions & 0 deletions
@@ -1,7 +1,7 @@
 {
     "default": true,
     "MD013": {
-        "line_length": 80
+        "line_length": 100
     },
     "MD031": true,
     "MD032": true,
 
@@ -0,0 +1,130 @@
+# SSH Authentication Bug Analysis - Cloud-Init Configuration
+
+## Problem Summary
+
+The full cloud-init configuration (`user-data.yaml.tpl`) for the Torrust Tracker Demo VM causes SSH authentication failures. Both SSH key and password authentication are denied, preventing access to the deployed VM.
+
+## Current Status
+
+- **Baseline**: Minimal config works perfectly (SSH key + password auth)
+- **Problem**: Full config breaks SSH completely (connection refused/denied)
+- **Goal**: Identify the exact component causing SSH failure
+
+## Test Results Summary
+
+### ✅ Working Configurations (SSH Access Confirmed)
+
+| Test         | Description            | Config File                       | SSH Key | SSH Password | Notes              |
+| ------------ | ---------------------- | --------------------------------- | ------- | ------------ | ------------------ |
+| Baseline     | Minimal config         | `user-data-minimal.yaml.tpl`      | ✅      | ✅           | Perfect baseline   |
+| Test 1.1     | Switch to torrust user | `user-data-test-1.1.yaml.tpl`     | ✅      | ✅           | User config OK     |
+| Test 2.1     | Add basic packages     | `user-data-test-2.1.yaml.tpl`     | ✅      | ✅           | Package install OK |
+| Test 3.1/3.2 | SSH config + restart   | `user-data-test-3.1/3.2.yaml.tpl` | ✅      | ✅           | SSH config OK      |
+| Test 5.1     | Add UFW firewall       | `user-data-test-5.1.yaml.tpl`     | ✅      | ✅           | UFW rules OK       |
+| Test 7.1     | Add reboot             | `user-data-test-7.1.yaml.tpl`     | ✅      | ✅           | Reboot OK          |
+
+### ❌ Failing Configuration
+
+| Test | Description     | Config File          | SSH Key | SSH Password | Notes                  |
+| ---- | --------------- | -------------------- | ------- | ------------ | ---------------------- |
+| Full | Complete config | `user-data.yaml.tpl` | ❌      | ❌           | Both auth methods fail |
+
+## Technical Analysis
+
+### Network Connectivity
+
+- VM gets IP address via DHCP (confirmed)
+- SSH port 22 is open (nmap confirms)
+- UFW is not blocking SSH (rules allow port 22)
+- SSH daemon is running (telnet connects to port 22)
+
+### SSH Daemon Status
+
+- SSH service is active and running
+- Port 22 is listening
+- However, authentication is denied for both methods
+- Error: "Permission denied (publickey,password)"
+
+### What We've Ruled Out
+
+1. **Network/Firewall**: UFW allows SSH, port is open
+2. **SSH Service**: Daemon is running and accepting connections
+3. **User Configuration**: torrust user exists with proper groups
+4. **Basic Packages**: Standard package installation doesn't break SSH
+5. **Reboot**: System reboot doesn't affect SSH access
+
+## Suspect Components (Not Yet Tested)
+
+Based on the difference between working Test 7.1 and failing full config:
+
+### 1. **fail2ban** (HIGH PRIORITY)
+
+- **Risk**: Could be blocking SSH attempts
+- **Mechanism**: Might ban localhost/initial connections
+- **Test needed**: Add fail2ban to working config
+
+### 2. **Docker Installation/Configuration** (HIGH PRIORITY)
+
+- **Risk**: Docker daemon.json or service conflicts
+- **Mechanism**: Could affect networking or SSH service
+- **Test needed**: Add Docker components separately
+
+### 3. **sysctl Network Tuning** (MEDIUM PRIORITY)
+
+- **Risk**: Network parameter changes could affect SSH
+- **Mechanism**: TCP/networking tweaks might break SSH
+- **Test needed**: Add sysctl configuration
+
+### 4. **unattended-upgrades** (LOW PRIORITY)
+
+- **Risk**: Could trigger system changes during boot
+- **Mechanism**: Background updates might conflict
+- **Test needed**: Add unattended-upgrades config
+
+### 5. **Service Restart Timing** (MEDIUM PRIORITY)
+
+- **Risk**: Docker restart might affect SSH
+- **Mechanism**: Service interdependencies
+- **Test needed**: Add Docker restart commands
+
+## Testing Strategy
+
+### Phase 1: Individual Component Testing
+
+1. Test 8.1: Add fail2ban to working config
+2. Test 8.2: Add Docker daemon.json to working config
+3. Test 8.3: Add sysctl settings to working config
+4. Test 8.4: Add unattended-upgrades to working config
+5. Test 8.5: Add Docker service restarts to working config
+
+### Phase 2: Combination Testing
+
+- If individual components work, test combinations
+- Build up to full config systematically
+
+### Phase 3: Detailed Investigation
+
+- If issue persists, examine logs in detail
+- Check cloud-init logs, SSH logs, system logs
+- Use VM console access for debugging
+
+## Next Steps
+
+1. ✅ **Document findings** (this file)
+2. 🔄 **Create incremental test configs** for suspect components
+3. 🔄 **Test each component individually**
+4. 🔄 **Identify the breaking component**
+5. 🔄 **Fix or work around the issue**
+
+## Expected Outcome
+
+We expect to identify a single component (most likely fail2ban or Docker configuration) that breaks SSH authentication. Once identified, we can either:
+
+- Fix the component's configuration
+- Reorder the installation/configuration steps
+- Work around the issue with alternative approaches
+
+---
+
+_Analysis Date: July 4, 2025_
+_Last Updated: Initial analysis_
@@ -0,0 +1,257 @@
+# SSH Authentication Bug Analysis Summary
+
+**Date:** July 4, 2025  
+**Status:** ✅ RESOLVED - ROOT CAUSE CONFIRMED
+
+## Problem Description
+
+The full cloud-init configuration (`user-data.yaml.tpl`) for the Torrust Tracker
+Demo VM causes SSH authentication failures for both SSH key and password
+authentication. The issue manifests as:
+
+- SSH connection attempts time out or are rejected
+- Both SSH key authentication and password authentication fail
+- VM appears to be running normally (gets IP, port 22 is open, SSH daemon is
+  running)
+- UFW firewall shows SSH is allowed
+
+## ROOT CAUSE IDENTIFIED AND CONFIRMED ✅
+
+**CONFIRMED**: The YAML document start marker ("---") was causing cloud-init to
+process the configuration incorrectly, leading to SSH authentication failures.
+
+**EVIDENCE**:
+
+- **user-data.yaml.tpl** (BROKEN): Uses "---" as the first line → SSH
+  authentication fails
+- **user-data-test-header.yaml.tpl** (FIXED): Uses "#cloud-config" as the first
+  line → SSH authentication works perfectly
+
+**VALIDATION RESULTS**:
+
+- ✅ SSH Key Authentication: Works perfectly
+- ✅ Password Authentication: Works perfectly (password: torrust123)
+- ✅ All cloud-init features: Applied correctly (Docker, UFW, packages, etc.)
+
+**CONCLUSION**: The cloud-init parser requires "#cloud-config" as the first
+line, not the YAML document start marker "---". Using "---" causes the entire
+configuration to be misprocessed, breaking SSH setup while other features may
+still work partially.
+
+## Current Knowledge
+
+### Working Components (Confirmed through incremental testing)
+
+1. **Basic user setup** (`user-data-minimal.yaml.tpl`) - SSH ✅
+2. **torrust user creation** (`user-data-test-1.1.yaml.tpl`) - SSH ✅
+3. **Basic packages installation** (`user-data-test-2.1.yaml.tpl`) - SSH ✅
+4. **SSH configuration and restart** (`user-data-test-3.1.yaml.tpl`,
+   `user-data-test-3.2.yaml.tpl`) - SSH ✅
+5. **UFW firewall configuration** (`user-data-test-5.1.yaml.tpl`) - SSH ✅
+6. **System reboot** (`user-data-test-7.1.yaml.tpl`) - SSH ✅
+7. **Fail2ban** (`user-data-test-8.1.yaml.tpl`) - SSH ✅
+8. **Docker installation and configuration** (`user-data-test-9.1.yaml.tpl`) - SSH ✅
+9. **Sysctl network optimizations** (`user-data-test-10.1.yaml.tpl`) - SSH ✅
+10. **Unattended-upgrades** (`user-data-test-11.1.yaml.tpl`) - SSH ✅
+11. **Torrust packages** (`user-data-test-12.1.yaml.tpl`) - SSH ✅
+12. **Docker Compose V2** (`user-data-test-13.1.yaml.tpl`) - SSH ✅
+13. **UFW additional rules** (`user-data-test-14.1.yaml.tpl`) - SSH ✅
+14. **Docker restart** (`user-data-test-15.1.yaml.tpl`) - SSH ✅
+
+### Suspect Components (Not yet isolated)
+
+Based on the difference between the last working config
+(`user-data-test-7.1.yaml.tpl`) and the full config (`user-data.yaml.tpl`),
+the following components are suspects:
+
+1. **fail2ban** - Could be blocking SSH connections
+2. **Docker installation and configuration** - Could interfere with networking
+3. **sysctl network optimizations** - Could affect SSH connections
+4. **unattended-upgrades** - Could interfere during setup
+5. **Docker daemon restart** - Could cause timing issues
+
+## Testing Methodology
+
+Using incremental testing approach:
+
+- Start with last known working config (`user-data-test-7.1.yaml.tpl`)
+- Add one suspect component at a time
+- Test SSH after each addition
+- Identify the exact component that breaks SSH
+
+## Test Results So Far
+
+| Config       | Components Added          | SSH Key | SSH Password | Status     |
+| ------------ | ------------------------- | ------- | ------------ | ---------- |
+| minimal      | ubuntu user only          | ✅      | ✅           | Working    |
+| test-1.1     | + torrust user            | ✅      | ✅           | Working    |
+| test-2.1     | + basic packages          | ✅      | ✅           | Working    |
+| test-3.1/3.2 | + SSH config/restart      | ✅      | ✅           | Working    |
+| test-5.1     | + UFW firewall            | ✅      | ✅           | Working    |
+| test-7.1     | + reboot                  | ✅      | ✅           | Working    |
+| test-8.1     | + fail2ban                | ✅      | ✅           | Working    |
+| test-9.1     | + Docker                  | ✅      | ✅           | Working    |
+| test-10.1    | + sysctl optimizations    | ✅      | ✅           | Working    |
+| test-11.1    | + unattended-upgrades     | ✅      | ✅           | Working    |
+| test-12.1    | + Torrust packages        | ✅      | ✅           | Working    |
+| test-13.1    | + Docker Compose V2       | ✅      | ✅           | Working    |
+| test-14.1    | + UFW additional rules    | ✅      | ✅           | Working    |
+| test-15.1    | + Docker restart          | ✅      | ✅           | Working    |
+| **full**     | + ALL COMPONENTS COMBINED | ❌      | ❌           | **BROKEN** |
+
+## CRITICAL DISCOVERY - CONFIRMED!
+
+🚨 **ALL INDIVIDUAL COMPONENTS WORK!** 🚨  
+✅ **FULL CONFIGURATION FAILS!** ✅
+
+**CONFIRMATION TEST RESULTS:**
+
+- **Full Config VM IP:** 192.168.122.6
+- **SSH Key Authentication:** ❌ Permission denied (publickey)
+- **SSH Password Authentication:** ❌ Permission denied (publickey)
+- **Port 22 Status:** ✅ Open and listening
+- **SSH Daemon:** ✅ Running
+
+This **confirms our hypothesis** that the SSH failure is NOT caused by any  
+individual component, but rather by the combination of all components together.
+
+We have systematically tested **EVERY SINGLE COMPONENT** from the full configuration  
+individually, and they all work perfectly. This means the SSH failure is NOT caused by  
+any individual component, but rather by:
+
+1. **Component interactions** - Multiple components interfering with each other
+2. **Timing issues** - Race conditions between services during startup
+3. **Configuration ordering** - The sequence of operations matters
+4. **Cumulative effects** - The combination of all components together
+
+## Next Steps
+
+1. **Test fail2ban** - Add fail2ban package and default config to test-7.1 ✅ **PASSED**
+2. **Test Docker** - Add Docker installation and configuration ✅ **PASSED**
+3. **Test sysctl** - Add network optimizations ✅ **PASSED**
+4. **Test unattended-upgrades** - Add automatic updates configuration ✅ **PASSED**
+5. **Test Torrust packages** - Add pkg-config, libssl-dev, make, build-essential,  
+   libsqlite3-dev, sqlite3 ✅ **PASSED**
+6. **Test Docker Compose installation** - Add Docker Compose V2 plugin installation ✅ **PASSED**
+7. **Test additional UFW rules** - Add Torrust-specific firewall rules ✅ **PASSED**
+8. **Test Docker restart** - Add Docker daemon restart command ✅ **PASSED**
+
+## NEW INVESTIGATION STRATEGY
+
+Since all individual components work, we need to investigate:
+
+1. **Test exact full configuration** - Deploy the exact full config and debug
+2. **Compare configurations** - Find subtle differences between working incremental tests and full config
+3. **Timing analysis** - Investigate service startup timing and dependencies
+4. **Component interaction analysis** - Test combinations of components
+
+## Hypotheses - UPDATED AFTER DISCOVERY
+
+**ALL INDIVIDUAL COMPONENTS HAVE BEEN RULED OUT!**
+
+1. **fail2ban blocking SSH** - ❌ **RULED OUT** - Test 8.1 passed
+2. **Docker network interference** - ❌ **RULED OUT** - Test 9.1 passed
+3. **sysctl optimizations** - ❌ **RULED OUT** - Test 10.1 passed
+4. **unattended-upgrades** - ❌ **RULED OUT** - Test 11.1 passed
+5. **Additional Torrust packages** - ❌ **RULED OUT** - Test 12.1 passed
+6. **Docker Compose installation** - ❌ **RULED OUT** - Test 13.1 passed
+7. **Additional UFW rules** - ❌ **RULED OUT** - Test 14.1 passed
+8. **Docker restart command** - ❌ **RULED OUT** - Test 15.1 passed
+
+**NEW HYPOTHESES - ROOT CAUSE ANALYSIS:**
+
+1. **Component interactions** - ⚠️ **LIKELY** - Multiple components interfering
+2. **Timing issues** - ⚠️ **LIKELY** - Race conditions during startup
+3. **Service dependencies** - ⚠️ **LIKELY** - Services starting in wrong order
+4. **Cumulative resource usage** - ⚠️ **POSSIBLE** - Memory/CPU constraints
+5. **Configuration file conflicts** - ⚠️ **POSSIBLE** - Overlapping configs
+6. **SSH service restart timing** - ⚠️ **POSSIBLE** - SSH restart conflicts with other services
+
+## Technical Details
+
+- **VM Environment**: libvirt/KVM with Ubuntu 22.04 cloud image
+- **SSH Configuration**: Both key and password authentication enabled
+- **Network**: UFW firewall with SSH explicitly allowed
+- **Testing Tools**: ssh, sshpass, nc, virsh net-dhcp-leases
+
+## Files Created
+
+- `user-data-minimal.yaml.tpl` - Baseline working config
+- `user-data-test-1.1.yaml.tpl` - + torrust user
+- `user-data-test-2.1.yaml.tpl` - + basic packages
+- `user-data-test-3.1.yaml.tpl` - + SSH config
+- `user-data-test-3.2.yaml.tpl` - + SSH restart
+- `user-data-test-5.1.yaml.tpl` - + UFW firewall
+- `user-data-test-7.1.yaml.tpl` - + reboot
+- `user-data.yaml.tpl` - Full config (broken)
+
+## Current Action
+
+Creating incremental tests to isolate the exact component causing SSH failure.
+
+## 🎉 FINAL RESOLUTION AND SUCCESS ✅
+
+**DATE:** July 4, 2025  
+**STATUS:** ✅ COMPLETELY RESOLVED
+
+### Root Cause Confirmed
+
+The SSH authentication failure in the Torrust Tracker Demo VM was caused by **the YAML document start marker (`---`) at the beginning of the cloud-init configuration file**.
+
+### The Fix
+
+**Simple but Critical Change:**
+
+```yaml
+# BEFORE (BROKEN):
+---
+# cloud-config
+
+# AFTER (FIXED):
+#cloud-config
+```
+
+### Validation Results
+
+**Fresh deployment using make commands:**
+
+1. `make destroy` - Clean slate
+2. `make init` - Initialize OpenTofu
+3. `make plan` - Verified SSH key templating is correct
+4. `make apply` - Deployed fresh VM
+
+**Authentication Test Results:**
+
+- ✅ **SSH Key Authentication**: `ssh [email protected]` - SUCCESS
+- ✅ **Password Authentication**: `sshpass -p 'torrust123' ssh [email protected]` - SUCCESS
+- ✅ **All Cloud-Init Features**: Docker, UFW, packages, etc. - ALL WORKING
+
+### Technical Details
+
+**The Problem:**
+
+- Cloud-init parser expects `#cloud-config` as the first line
+- Using YAML document start marker `---` causes the entire configuration to be misprocessed
+- This breaks SSH key templating (`${ssh_public_key}` becomes `None`)
+- Results in empty `ssh_authorized_keys` and authentication failures
+
+**The Solution:**
+
+- Replace `---` with `#cloud-config` at the beginning of `user-data.yaml.tpl`
+- This ensures proper cloud-init parsing and SSH key templating
+- All other cloud-init features continue to work correctly
+
+### Impact
+
+This fix resolves the SSH authentication issue that was preventing users from accessing the Torrust Tracker Demo VM. The infrastructure is now working as designed with both SSH key and password authentication enabled.
+
+**Files Fixed:**
+
+- `infrastructure/cloud-init/user-data.yaml.tpl` - Header changed from `---` to `#cloud-config`
+
+**Deployment Method:**
+
+- Standard make commands work perfectly: `make init`, `make plan`, `make apply`
+- Integration testing workflow is fully operational
+
+## ROOT CAUSE IDENTIFIED AND CONFIRMED ✅
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"default": true,`
`3`	`3`	`"MD013": {`
`4`		`- "line_length": 80`
	`4`	`+ "line_length": 100`
`5`	`5`	`},`
`6`	`6`	`"MD031": true,`
`7`	`7`	`"MD032": true,`