From: Tollef Fog Heen
Date: Sat, 13 Apr 2019 20:30:36 +0000 (+0200)
Subject: Second attempt at split sshd settings
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=ab150b859b5aec77d90197875b1a69aa9f49cd33;p=mirror%2Fdsa-puppet.git
Second attempt at split sshd settings
---
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index e96591d37..32be972c6 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -49,6 +49,26 @@ AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userk
 PasswordAuthentication no
+<%=
+ allnodeinfo = scope.lookupvar('site::allnodeinfo')
+ out = ''
+ settings = '# Banner "You are coming from a debian.org host."'
+ allnodeinfo.keys.sort.each do |node|
+ next unless allnodeinfo[node].has_key?('ipHostNumber')
+ out += "# Match Address # #{node}"
+ out += allnodeinfo[node]['ipHostNumber'].collect do |ipnum|
+ if ipnum =~ /:/
+ "#{ipnum}/128"
+ else
+ "#{ipnum}/32"
+ end
+ end.join(',')
+ out += "\n"
+ out += settings
+ end
+ out
+%>
+
 Match Group sftponly
 AllowStreamLocalForwarding no
 AllowTCPForwarding no
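Review bot: The generated text has no line break after `settings` and nothing between `#{node}` and the joined address list, so as shown here each host's output runs into the next on one line, with the addresses glued to the node name inside the comment. That is harmless while every emitted line starts with `#`, but uncommenting the template strings later would not yield a well-formed `Match Address` block per host. I would put the node name on its own comment line and terminate both lines, e.g. `out += "# #{node}\n# Match Address #{addrs}\n"` and `out += settings + "\n"`, with `addrs` holding the joined `/32` and `/128` list. Before enabling these blocks, also confirm the intended precedence against the later `Match Group sftponly` section, since sshd keeps the first value it obtains for a keyword and these per-address blocks are emitted ahead of it.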