# Create the sshd configuration.

# listen_addresses: If you want to restrict the ssh service to listen only at
# certain addresses, specify with this parameter. Enter them as a
# comma-delimited list.
#
# Examples:
# listen_addresses => '192.168.1.1,192.168.2.1'
# listen_addresses => '192.168.1.1:22,192.168.2.1'
#
# See the sshd_config man page for what constitutes valid entries.
#
# If listen_addresses is omitted (it then defaults to 'all'), the
# ListenAddress directive will be omitted from the sshd configuration file
# (which is equivalent to having sshd listen at _all_ addresses).
#
# If you want to allow root to log in with a password, set
# rootloginwithpswd 'yes'. Otherwise, root logins with a password
# are not allowed.
#
# If you want to require Duo on login, set pam_duo to true (defaults to
# false).
#
# If $rootloginwithpswd is set to 'no' then we allow root logins using
# GSSAPI only.

define base::ssh::config::sshd(
  $ensure            = 'present',
  $gitolite          = false,
  $hostbased         = false,
  $pubkey            = false,
  $content           = undef,
  $source            = undef,
  $max_tries         = 5,
  $listen_addresses  = 'all',
  $rootloginwithpswd = 'no',
  $pam_duo           = false,
) {
  # Manages the file named by the resource title and notifies Service['ssh']
  # whenever that file changes.
  #
  # Content precedence: $source first, then $content, then the bundled ERB
  # template. $gitolite, $hostbased, $pubkey, $max_tries, $listen_addresses,
  # $rootloginwithpswd and $pam_duo are not referenced anywhere in this body;
  # presumably the ERB template reads them from this scope (the template is
  # not shown here -- confirm). They therefore have no effect when $source or
  # $content is supplied: the caller-provided file alone decides the root
  # login, authentication and listen-address policy.
  if $source {
    # A file resource takes either source or content, never both, so the
    # content value is left undefined when a source is given.
    $template = undef
  } elsif $content {
    $template = $content
  } else {
    $template = template('base/ssh/sshd_config.erb')
  }

  # NOTE(review): owner, group and mode are not set on this resource, so they
  # fall back to any File defaults in scope or to Puppet's own defaults --
  # confirm these are appropriate for an sshd configuration file. No
  # validate_cmd is set either, so the rendered file is written and the
  # service notified without a syntax check of the new configuration.
  file { $name:
    ensure  => $ensure,
    notify  => Service['ssh'],
    source  => $source,
    content => $template,
  }
}