From f44776cbbf1f825e0961c6aedecf67f6652859a6 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Tue, 7 Jul 2009 20:52:40 -0400
Subject: replace the sshd_additional_options variable with two, one called
 sshd_head_additional_options and one called sshd_tail_additional_options. the
 first puts the value at the beginning of the file, and the second at the end.

This is necessary due to some option ordering requiring things to be
before others
---
 manifests/init.pp                      | 23 +++++++++++++++++------
 templates/sshd_config/CentOS.erb       | 10 ++++------
 templates/sshd_config/Debian_etch.erb  |  8 ++++++--
 templates/sshd_config/Debian_lenny.erb |  8 ++++++--
 templates/sshd_config/Gentoo.erb       | 10 ++++------
 templates/sshd_config/OpenBSD.erb      | 10 ++++------
 6 files changed, 41 insertions(+), 28 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index 0480fee..b7ae200 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -113,10 +113,17 @@
 #                       Might be interesting for sftponly usage
 #                       Default: empty -> no change of the default
 #
-# sshd_additional_options:  Set this to any additional sshd_options which aren't listed above.
-#                           As well this option might be usefull to define complexer Match Blocks
-#                           This string is going to be included, like it is defined. So take care!
-#                           Default: empty -> not added.
+# sshd_head_additional_options:  Set this to any additional sshd_options which aren't listed above.
+#                                Anything set here will be added to the beginning of the sshd_config file.
+#                                This option might be useful to define complicated Match Blocks
+#                                This string is going to be included, like it is defined. So take care!
+#                                Default: empty -> not added.
+#
+# sshd_tail_additional_options:  Set this to any additional sshd_options which aren't listed above.
+#                                Anything set here will be added to the end of the sshd_config file.
+#                                This option might be useful to define complicated Match Blocks
+#                                This string is going to be included, like it is defined. So take care!
+#                                Default: empty -> not added.
 
 class sshd {
   include sshd::client 
@@ -195,8 +202,12 @@ class sshd::base {
   case $sshd_sftp_subsystem {
     '': { $sshd_sftp_subsystem = '' }
   }
-  case $sshd_additional_options {
-    '': { $sshd_additional_options = '' }
+  case $sshd_head_additional_options {
+    '': { $sshd_head_additional_options = '' }
+  }
+  case $sshd_tail_additional_options {
+    '': { $sshd_tail_additional_options = '' }
+  }
   }
   
   file { 'sshd_config':
diff --git a/templates/sshd_config/CentOS.erb b/templates/sshd_config/CentOS.erb
index 27880cb..a3a9a52 100644
--- a/templates/sshd_config/CentOS.erb
+++ b/templates/sshd_config/CentOS.erb
@@ -10,10 +10,8 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -200,7 +198,7 @@ AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
 
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
 
diff --git a/templates/sshd_config/Debian_etch.erb b/templates/sshd_config/Debian_etch.erb
index f030a62..2524172 100644
--- a/templates/sshd_config/Debian_etch.erb
+++ b/templates/sshd_config/Debian_etch.erb
@@ -1,6 +1,10 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
 # What ports, IPs and protocols we listen for
 <%- unless sshd_port.to_s.empty? then -%>
 Port <%= sshd_port -%>
@@ -170,7 +174,7 @@ AllowGroups <%= sshd_allowed_groups %>
 
 PrintMotd no
 
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
 
diff --git a/templates/sshd_config/Debian_lenny.erb b/templates/sshd_config/Debian_lenny.erb
index 1762da3..c7f4ab4 100644
--- a/templates/sshd_config/Debian_lenny.erb
+++ b/templates/sshd_config/Debian_lenny.erb
@@ -1,6 +1,10 @@
 # Package generated configuration file
 # See the sshd(8) manpage for details
 
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
+<%- end %>
+
 # What ports, IPs and protocols we listen for
 <%- unless sshd_port.to_s.empty? then -%>
 Port <%= sshd_port -%>
@@ -176,7 +180,7 @@ AllowGroups <%= sshd_allowed_groups %>
 
 PrintMotd no
 
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
 
diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb
index 77ed378..ad15031 100644
--- a/templates/sshd_config/Gentoo.erb
+++ b/templates/sshd_config/Gentoo.erb
@@ -10,10 +10,8 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -203,8 +201,8 @@ AllowGroups <%= sshd_allowed_groups %>
 <%- end %>
 
 
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
 
 
diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb
index a6e0763..045d9ba 100644
--- a/templates/sshd_config/OpenBSD.erb
+++ b/templates/sshd_config/OpenBSD.erb
@@ -8,10 +8,8 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
-<%- unless sshd_port.to_s.empty? then %>
-Port <%= sshd_port %>
-<%- else %>
-Port 22
+<%- unless sshd_head_additional_options.to_s.empty? then %>
+<%= sshd_head_additional_options %>
 <%- end %>
 
 # Use these options to restrict which interfaces/protocols sshd will bind to
@@ -178,6 +176,6 @@ AllowGroups <%= sshd_allowed_groups %>
 #	AllowTcpForwarding no
 #	ForceCommand cvs server
 
-<%- unless sshd_additional_options.to_s.empty? then %>
-<%= sshd_additional_options %>
+<%- unless sshd_tail_additional_options.to_s.empty? then %>
+<%= sshd_tail_additional_options %>
 <%- end %>
-- 
cgit v1.2.3