make the host option rendering support lists by refactoring the main option rendering code

put the ssh_config Host:* options in the defaults file so they can be overridden

openssh/defaults.yaml

@@ -8,3 +8,27 @@ openssh:
   ssh_known_hosts: /etc/ssh/ssh_known_hosts
   dig_pkg: dnsutils
   ssh_moduli: /etc/ssh/moduli
+ssh_config:
+  Hosts:
+    '*':
+      ForwardAgent: no
+      ForwardX11: no
+      RhostsRSAAuthentication: no
+      RSAAuthentication: yes
+      PasswordAuthentication: yes
+      HostbasedAuthentication: no
+      GSSAPIAuthentication: no
+      GSSAPIDelegateCredentials: no
+      BatchMode: no
+      CheckHostIP: yes
+      AddressFamily: any
+      ConnectTimeout: 0
+      StrictHostKeyChecking: ask
+      IdentityFile: "~/.ssh/id_rsa"
+      Port: 22
+      Protocol: 2
+      Cipher: 3des
+      Tunnel: no
+      TunnelDevice: "any:any"
+      PermitLocalCommand: no
+      VisualHostKey: no

openssh/files/ssh_config

@@ -1,11 +1,9 @@
-{%- set ssh_config = pillar.get('ssh_config', {}) -%}
+{%- import_yaml "openssh/defaults.yaml" as default_settings -%}
+{%- set ssh_config = salt['pillar.get']('ssh_config', default=default_settings.ssh_config, merge=True) -%}
 {#- present in ssh_config and known in actual file options -#}
 {%- set processed_options = [] -%}
 
-{#- generic renderer used for ssh matches, known options, -#}
-{#- and unknown options -#}
-{%- macro render_option(keyword, default, config_dict=ssh_config) -%}
-  {%- set value = config_dict.get(keyword, default) -%}
+{%- macro render_raw_option(keyword, value) -%}
   {%- if value is sameas true -%}
 {{ keyword }} yes
   {%- elif value is sameas false -%}
@@ -19,6 +17,13 @@
   {%- endif -%}
 {%- endmacro -%}
 
+{#- generic renderer used for ssh matches, known options, -#}
+{#- and unknown options -#}
+{%- macro render_option(keyword, default, config_dict=ssh_config) -%}
+  {%- set value = config_dict.get(keyword, default) -%}
+{{ render_raw_option(keyword, value) }}
+{%- endmacro -%}
+
 {#- macros for render option according to present -#}
 {%- macro option_impl(keyword, default, present) -%}
   {%- if present -%}
@@ -45,35 +50,13 @@
 # Do not edit this file manually!
 # It will be overwritten by salt!
 
-{{ option_default_uncommented('Host', '*') }}
-{{ option('   ForwardAgent', 'no') }}
-{{ option('   ForwardX11', 'no') }}
-{{ option('   RhostsRSAAuthentication', 'no') }}
-{{ option('   RSAAuthentication', 'yes') }}
-{{ option('   PasswordAuthentication', 'yes') }}
-{{ option('   HostbasedAuthentication', 'no') }}
-{{ option('   GSSAPIAuthentication', 'no') }}
-{{ option('   GSSAPIDelegateCredentials', 'no') }}
-{{ option('   BatchMode', 'no') }}
-{{ option('   CheckHostIP', 'yes') }}
-{{ option('   AddressFamily', 'any') }}
-{{ option('   ConnectTimeout', 0) }}
-{{ option('   StrictHostKeyChecking', 'ask') }}
-{{ option('   IdentityFile', '~/.ssh/id_rsa') }}
-{{ option('   Port', 22) }}
-{{ option('   Protocol', 2) }}
-{{ option('   Cipher', '3des') }}
-{{ option('   Tunnel', 'no') }}
-{{ option('   TunnelDevice', 'any:any') }}
-{{ option('   PermitLocalCommand', 'no') }}
-{{ option('   VisualHostKey', 'no') }}
-
 {%- if 'Hosts' in ssh_config %}
 {%- do processed_options.append('Hosts') %}
 {%  for host, conf in ssh_config['Hosts'].items() %}
 Host {{ host }}
   {%- for key, val in conf.items() %}
-    {{ key }} {{ val }}{%- endfor %}
+    {{ render_raw_option(key, val) }}
+  {%- endfor %}
 {%- endfor %}
 {%- endif %}