move sshd extra ports to class params instead of hardcoded in the template

[mirror/dsa-puppet.git] / modules / ssh / manifests / init.pp

diff --git a/modules/ssh/manifests/init.pp b/modules/ssh/manifests/init.pp
index 43d89df..df986bc 100644 (file)
--- a/modules/ssh/manifests/init.pp
+++ b/modules/ssh/manifests/init.pp
@@ -1,4 +1,7 @@
-class ssh {
+# @param extraports Addresses/ports to listen on, in addition to 22
+class ssh (
+  Array[String] $extraports = [],
+) {
   package { [ 'openssh-client', 'openssh-server']:
     ensure => installed
   }
@@ -15,9 +18,11 @@ class ssh {
   }
   ferm::rule { 'dsa-ssh-sources':
     description => 'Allow SSH from DSA',
+    domain      => '(ip ip6)',
     chain       => 'ssh',
     rule        => 'saddr ($SSH_SOURCES) ACCEPT'
   }
+  Ferm::Rule::Simple <<| tag == 'ssh::server::from::nagios' |>>
 
   file { '/etc/ssh/ssh_config':
     content => template('ssh/ssh_config.erb'),
@@ -47,13 +52,13 @@ class ssh {
   }
 
   if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
-    if ! $has_etc_ssh_ssh_host_ed25519_key {
+    if ! $facts['has_etc_ssh_ssh_host_ed25519_key'] {
       exec { 'create-ed25519-host-key':
         command => 'ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -q -P "" -t ed25519',
       }
     }
 
-    if $systemd {
+    if $facts['systemd'] {
       package { [ 'libpam-systemd' ]:
         ensure => installed
       }