From ab150b859b5aec77d90197875b1a69aa9f49cd33 Mon Sep 17 00:00:00 2001
From: Tollef Fog Heen
Date: Sat, 13 Apr 2019 22:30:36 +0200
Subject: [PATCH] Second attempt at split sshd settings
---
 modules/ssh/templates/sshd_config.erb | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/modules/ssh/templates/sshd_config.erb b/modules/ssh/templates/sshd_config.erb
index e96591d37..32be972c6 100644
--- a/modules/ssh/templates/sshd_config.erb
+++ b/modules/ssh/templates/sshd_config.erb
@@ -49,6 +49,26 @@ AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userk
 PasswordAuthentication no
+<%=
+ allnodeinfo = scope.lookupvar('site::allnodeinfo')
+ out = ''
+ settings = '# Banner "You are coming from a debian.org host."'
+ allnodeinfo.keys.sort.each do |node|
+ next unless allnodeinfo[node].has_key?('ipHostNumber')
+ out += "# Match Address # #{node}"
+ out += allnodeinfo[node]['ipHostNumber'].collect do |ipnum|
+ if ipnum =~ /:/
+ "#{ipnum}/128"
+ else
+ "#{ipnum}/32"
+ end
+ end.join(',')
+ out += "\n"
+ out += settings
+ end
+ out
+%>
+
 Match Group sftponly
 AllowStreamLocalForwarding no
 AllowTCPForwarding no
--
2.20.1
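Review bot: The generated text has no separator between the `# #{node}` label and the address list, and `settings` is appended without a trailing newline, so as written each later node's `# Match Address` line runs onto the previous `# Banner` line (whitespace on this page may have been collapsed, so confirm against the template). That is harmless while every emitted line is a comment, but once the `#` prefixes are dropped sshd would be handed a malformed Match line. The `ipHostNumber` values are also interpolated into sshd_config unchecked; because a Match block changes sshd behaviour by source address, I would reject any value that is not a plain address before emitting it. The rewrite below puts the node label on its own comment line, ends every emitted line with a newline, and fails the template on an unexpected address value.

```erb
  # … unchanged: allnodeinfo lookup and settings string …
  allnodeinfo.keys.sort.map do |node|
    next unless allnodeinfo[node].has_key?('ipHostNumber')
    addrs = allnodeinfo[node]['ipHostNumber'].map do |ipnum|
      # only address characters may reach sshd_config; anything else aborts the template
      raise ArgumentError, "bad ipHostNumber for #{node}: #{ipnum.inspect}" unless ipnum =~ /\A[0-9A-Fa-f:.]+\z/
      ipnum.include?(':') ? "#{ipnum}/128" : "#{ipnum}/32"
    end
    "# #{node}\n# Match Address #{addrs.join(',')}\n#{settings}\n"
  end.compact.join
%>
```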