start ferm config with a 00-init and start SSH*SOURCES there

diff --git a/modules/ferm/manifests/init.pp b/modules/ferm/manifests/init.pp
index 23dfc2a..06bafa9 100644 (file)
--- a/modules/ferm/manifests/init.pp
+++ b/modules/ferm/manifests/init.pp
@@ -80,6 +80,10 @@ class ferm {
                content => template('ferm/ferm.conf.erb'),
                notify  => Service['ferm'],
        }
+       file { '/etc/ferm/conf.d/00-init.conf':
+               content => template('ferm/00-init.conf.erb'),
+               notify  => Service['ferm'],
+       }
        file { '/etc/ferm/conf.d/me.conf':
                content => template('ferm/me.conf.erb'),
                notify  => Service['ferm'],

diff --git a/modules/ferm/templates/00-init.conf.erb b/modules/ferm/templates/00-init.conf.erb
new file mode 100644 (file)
index 0000000..2c3bb10
--- /dev/null
+++ b/modules/ferm/templates/00-init.conf.erb
@@ -0,0 +1,2 @@
+@def $SSH_SOURCES    = ();
+@def $SSH_V6_SOURCES = ();

diff --git a/modules/ferm/templates/me.conf.erb b/modules/ferm/templates/me.conf.erb
index c392a27..87b7d00 100644 (file)
--- a/modules/ferm/templates/me.conf.erb
+++ b/modules/ferm/templates/me.conf.erb
@@ -94,8 +94,8 @@ end
 ssh4allowed.length == 0 and ssh4allowed << '0.0.0.0/0'
 ssh6allowed.length == 0 and ssh6allowed << '::/0'
 
-out << "@def $SSH_SOURCES    = (#{ssh4allowed.join(' ')});"
-out << "@def $SSH_V6_SOURCES = (#{ssh6allowed.join(' ')});"
+out << "@def $SSH_SOURCES    = ( $SSH_SOURCES    #{ssh4allowed.join(' ')});"
+out << "@def $SSH_V6_SOURCES = ( $SSH_V6_SOURCES #{ssh6allowed.join(' ')});"