From d76f3cbfe9cb5186ce6862372cc3480efaadc39d Mon Sep 17 00:00:00 2001 From: Konrad Bucheli Date: Wed, 4 May 2022 11:43:08 +0200 Subject: [PATCH] clarify the link between aaa::use_bastions and ::networking::use_bastions --- admin-guide/puppet/profiles/aaa.rst | 8 ++++---- admin-guide/puppet/profiles/networking.rst | 4 ++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/admin-guide/puppet/profiles/aaa.rst b/admin-guide/puppet/profiles/aaa.rst index 33f99899..84ab2445 100644 --- a/admin-guide/puppet/profiles/aaa.rst +++ b/admin-guide/puppet/profiles/aaa.rst @@ -12,9 +12,9 @@ auditing. In particular, it Parameters ---------- -=============================== ======== ================================================ +=============================== ======== ============================================================== **Name** **Type** **Default** -------------------------------- -------- ------------------------------------------------ +------------------------------- -------- -------------------------------------------------------------- admins list hiera_array('aaa::admins') allow_sudoers_d bool hiera('aaa::allow_sudoers_d') bastions list hiera('aaa::bastions') @@ -32,9 +32,9 @@ ssh_authorized_keys hash hiera_hash('aaa::sshkeys', {}) sssd_debuglevel int hiera('aaa::sssd_debuglevel') sudo_rules (Hiera only) list hiera_array('aaa::sudo_rules', []) support_afs bool hiera('aaa::support_afs'), -use_bastions bool hiera('aaa::use_bastions', undef) +use_bastions bool hiera('aaa::use_bastions', $profile::networking::use_bastions) users list hiera_array('aaa::users', []) -=============================== ======== ================================================ +=============================== ======== ============================================================== ``admins`` diff --git a/admin-guide/puppet/profiles/networking.rst b/admin-guide/puppet/profiles/networking.rst index 8e0b37a8..d047324a 100644 --- a/admin-guide/puppet/profiles/networking.rst 
+++ b/admin-guide/puppet/profiles/networking.rst @@ -22,10 +22,14 @@ variables listed below: This boolean indicates to the :doc:`aaa <../profiles/aaa>` profile whether SSH access should be restricted to connections coming from the bastion hosts. + Override possible with ``aaa::use_bastions``. Notes: +- the above variables are not configured in ``hiera``, but in the + `Puppet manifest `_ + - the DNS cache is configured to be persistent, i.e. the cached data will survive restarts of ``nscd.service``. To clear the cache, run ``nscd -i hosts`` or ``systemctl reload nscd``.
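Review bot: In the second aaa.rst hunk, the new default for ``use_bastions`` is written as ``$profile::networking::use_bastions``, while the commit subject calls the same variable ``::networking::use_bastions``; use one spelling so readers can find it in the manifest. This is now the only row in the table whose fallback is another profile's variable rather than a Hiera default, so if the page has a per-parameter entry for ``use_bastions`` it should state the precedence: an explicit ``aaa::use_bastions`` in Hiera wins, otherwise the networking value applies. The unchanged ``support_afs`` row just above ends in a stray comma that could be dropped while the table is being touched.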
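Review bot: In the networking.rst hunk, "Override possible with ``aaa::use_bastions``." does not say which value takes precedence or what the override means for access. Suggest wording along the lines of "A value set in Hiera for ``aaa::use_bastions`` takes precedence over this variable", and stating that setting it to false means SSH access on that host is no longer restricted to the bastion hosts, since that is the security-relevant consequence an admin needs to see. The added bullet then says the above variables are not configured in ``hiera``, directly after a sentence that points at a Hiera key, so it would help to say that only the override lives in Hiera. As shown, the reference `Puppet manifest `_ carries no link target; check that it has an embedded URL or a matching target definition so the docs build does not produce a dangling reference.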