view .ssh/config @ 203:f163a6073c48

Merge shared connections into one; add proxyjump for home and a couple other nice options
author Steve Huston <huston@astro.princeton.edu>
date Tue, 24 Nov 2020 10:59:34 -0500
parents 8206a14c8c62
children d7f327fd082f

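# Host-specific things at the top, and get less specific as you go; for each
# option, the first value obtained from a matching stanza wins, so several
# stanzas can each contribute different options to one connection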

# Turn things off for floyd - it doesn't need them.
# Both the short name and the FQDN are listed because Host patterns are
# compared with the name given on the command line (unless hostname
# canonicalization is enabled elsewhere); without this stanza the bare name
# "floyd-mgmt" would fall through to the permissive "Host *" stanza at the
# bottom of the file.
Host floyd-mgmt floyd-mgmt.astro.internal
  # No agent socket is exposed on this host, so nothing there can ask the
  # local ssh-agent for signatures.
  ForwardAgent no
  # No X11 forwarding at all, trusted or untrusted.
  ForwardX11 no
  ForwardX11Trusted no

# If we're not on the Princeton wired network, csesbh2 should proxy through
# xanadu.
# The exec command runs under the user's shell whenever this file is
# evaluated for csesbh2.princeton.edu; the stanza applies only when it exits 0.
# ~/.ssh/onsubnet is a local helper that is not part of this file - presumably
# "--not 128.112." succeeds when no local address starts with that prefix
# (verify against the script). Keep the script writable only by its owner,
# because ssh executes it on every matching connection.
Match host csesbh2.princeton.edu exec "~/.ssh/onsubnet --not 128.112."
  # Reach the target through xanadu. Unlike agent forwarding, a jump host only
  # relays the end-to-end encrypted stream and is never handed the agent.
  ProxyJump xanadu.astro.princeton.edu

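# If we're not on Princeton wired network, and not at home, then connections
# to joshua should tunnel through xanadu.
# "At home" means the public address reported by checkip.amazonaws.com equals
# 100.11.40.19. The lookup goes over HTTPS so that the network we happen to be
# on cannot forge the answer, and -m 5 bounds the wait so ssh does not hang
# when the service is unreachable. If the lookup fails the output is empty,
# the comparison is true, and the jump host is used.
# [[ ... ]] needs a bash/ksh/zsh-style login shell, because exec runs under
# the user's shell.
Match host joshua.srhuston.net exec "~/.ssh/onsubnet --not 128.112. && [[ `curl -s -m 5 https://checkip.amazonaws.com` != 100.11.40.19 ]]"
  ProxyJump xanadu.astro.princeton.edu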

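# But if we *are* home, convert joshua into its internal IP address.
# The public-address lookup goes over HTTPS so that the local network cannot
# forge a "we are home" answer, and -m 5 bounds the wait when the service is
# unreachable. "=" is used because "==" is not accepted by every shell's
# test builtin.
# After the rewrite the host key is checked against the known_hosts entry for
# 192.168.7.49; that check is what tells joshua apart from some other machine
# that happens to hold the same private address.
Match host joshua.srhuston.net exec "test `curl -s -m 5 https://checkip.amazonaws.com` = 100.11.40.19"
  HostName 192.168.7.49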

# Shared connection for xanadu, csesbh2, and joshua
# Forwarding options are not set here; for these three names they come from
# the wildcard stanza further down (ForwardAgent/ForwardX11 yes).
# NOTE(review): combined with ControlPersist, a forwarded agent stays
# reachable on these hosts for as long as the master connection lives -
# confirm that is intended for the jump host.
Host xanadu.astro.princeton.edu csesbh2.princeton.edu joshua.srhuston.net
  User huston
  # Reuse an existing master connection if one is running, otherwise become it.
  ControlMaster auto
  # Keep the master in the background with no idle timeout after the first
  # session exits. While it lives, whoever can open the control socket gets
  # new sessions without authenticating again; a time value here instead of
  # "yes" would bound that window.
  ControlPersist yes
  # %C is a hash of the connection parameters, which keeps socket names short
  # and unique per destination. ssh does not create ~/.ssh/sockets; it must
  # exist and should be accessible only to its owner (mode 0700).
  ControlPath ~/.ssh/sockets/%C
  # Send a keepalive through the encrypted channel after 30 s of silence.
  ServerAliveInterval 30
  # This is the default, putting here to document
  # (three unanswered keepalives, roughly 90 s, before ssh disconnects)
  ServerAliveCountMax 3

# Everything is fine for the Raspberry Pi, just need a different user.
# The three Forward* lines repeat what the later stanzas would give these
# names anyway; the effective difference of this stanza is the login name.
Host cake cake.srhuston.net
  User pi
  # With agent forwarding on, anyone with root on this host can use the
  # forwarded agent socket to authenticate as you for the life of the session.
  ForwardAgent yes
  ForwardX11 yes
  # Trusted X11 forwarding gives remote X clients full access to the local
  # display, including input from other windows.
  ForwardX11Trusted yes

# Allow everything for CSES, astro, and home hosts w/ FQDN.
# This stanza must stay above "Host *.*": the first value obtained for an
# option wins, so these names receive "yes" before the dotted-name deny below
# is reached.
# NOTE(review): the patterns cover every host in each domain, so one
# compromised machine in any of them can use the forwarded agent while a
# session is open. Where forwarding is only used to hop onward, ProxyJump
# avoids exposing the agent; keys loaded with "ssh-add -c" require a
# confirmation for each use.
Host cses*.princeton.edu *.rc.princeton.edu *.rc *.astro.princeton.edu *.srhuston.net
  User huston
  ForwardAgent yes
  ForwardX11 yes
  # Trusted X11 forwarding gives remote X clients full access to the local
  # display, including input from other windows.
  ForwardX11Trusted yes

# Deny everything for other hosts w/ a dot.
# This catches fully qualified names outside the allowed domains as well as
# IPv4 literals. It has to sit after the allow stanzas and before "Host *",
# because the first value obtained for each option is the one used.
# Names and literals without a dot are not matched here and fall through to
# the final stanza.
Host *.*
  ForwardAgent no
  ForwardX11 no
  ForwardX11Trusted no

# Now allow for anything else - if we're typing a single hostname, it's likely
# trusted.
# Because every dotted name has already been given "no" above, these values
# only take effect for names without a dot.
# NOTE(review): "no dot" also covers IPv6 literals typed on the command line,
# which therefore get agent and trusted X11 forwarding; a deny stanza such as
# "Host *:*" placed above this one would close that gap - confirm.
# NOTE(review): a single-label name is completed through the resolver's
# search domains, which a foreign network may supply, so the same short name
# can resolve to a different machine away from home or campus. Host key
# verification is then the only check before the agent is forwarded.
Host *
  User huston
  ForwardAgent yes
  ForwardX11 yes
  ForwardX11Trusted yes