Allow ssh on master node only from admin interface

DocImpact
Closes-Bug: 1523445
Change-Id: I3dbeaf71b8d0613fb608bf7f997421aabdac6746

deployment/puppet/nailgun/examples/host-only.pp

@@ -100,7 +100,8 @@ class { 'nailgun::bootstrap_cli':
 }
 
 class { 'osnailyfacter::ssh':
-  password_auth => 'yes',
+  password_auth  => 'yes',
+  listen_address => [$::fuel_settings['ADMIN_NETWORK']['ipaddress']],
 }
 
 if $use_systemd {

deployment/puppet/nailgun/manifests/iptables.pp

@@ -31,9 +31,9 @@ $chain                 = 'INPUT',
   sysctl::value{'net.ipv4.ip_forward': value=>'1'}
 
   firewall { '005 ssh':
-    port   => $ssh_port,
-    proto  => 'tcp',
-    action => 'accept',
+    port    => $ssh_port,
+    proto   => 'tcp',
+    action  => 'accept',
   }
 
   firewall { '006 ntp':

deployment/puppet/osnailyfacter/manifests/ssh.pp

@@ -23,14 +23,17 @@
 # [*password_auth*]
 #   Use password authentication. Defaults to no
 #
+# [*listen_address*]
+#   Array of the local addresses sshd should listen on.
 
 class osnailyfacter::ssh(
-  $ciphers = 'aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128',
-  $macs = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1',
-  $protocol_ver = '2',
-  $ports = '22',
-  $log_lvl = 'VERBOSE',
-  $password_auth = 'no'
+  $ciphers        = 'aes256-ctr,aes192-ctr,aes128-ctr,arcfour256,arcfour128',
+  $macs           = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,hmac-sha1',
+  $protocol_ver   = '2',
+  $ports          = '22',
+  $log_lvl        = 'VERBOSE',
+  $password_auth  = 'no',
+  $listen_address = [],
 ){
 
   case $::osfamily {
@@ -55,6 +58,7 @@ class osnailyfacter::ssh(
       'LogLevel'                        => $log_lvl,
       'Subsystem'                       => $subsystem,
       'PasswordAuthentication'          => $password_auth,
+      'ListenAddress'                   => $listen_address,
       'AllowTcpForwarding'              => 'yes',
       'X11Forwarding'                   => 'no',
       'UsePAM'                          => 'yes',