ssh allow_users

bundles/ssh/files/sshd_config

@@ -13,6 +13,8 @@ ChallengeResponseAuthentication no
 AuthorizedKeysFile	.ssh/authorized_keys
 UsePAM yes
 
+AllowUsers ${' '.join(users)}
+
 PermitTTY yes
 TCPKeepAlive yes
 ClientAliveInterval 30

bundles/ssh/items.py

@@ -2,6 +2,10 @@ if not node.metadata.get('FIXME_dont_touch_sshd', False):
     # on debian bullseye raspberry images, starting the systemd ssh
     # daemon seems to collide with an existing sysv daemon
     files['/etc/ssh/sshd_config'] = {
+        'content_type': 'mako',
+        'context': {
+            'users': sorted(node.metadata.get('ssh/allow_users')),
+        },
         'triggers': [
             'svc_systemd:ssh:restart'
         ],

bundles/ssh/metadata.py

@@ -0,0 +1,13 @@
+@metadata_reactor.provides(
+    'ssh/allow_users',
+)
+def users(metadata):
+    return {
+        'ssh': {
+            'allow_users': set(
+                name
+                    for name, conf in metadata.get('users').items()
+                    if conf.get('authorized_keys', []) or conf.get('authorized_users', [])
+            ),
+        },
+    }