bastion: allow ssh tcp forwarding on bastion hosts

We need this in order to be able to use them as jumphosts with ssh.
Without it, there's no easy way to get to any internal machines.
Just enable it here and leave the default off.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

roles/basessh/templates/sshd_config.j2

@@ -40,7 +40,12 @@ UsePAM yes
 AllowAgentForwarding no
 X11Forwarding no
 PermitTunnel no
+{% if not ansible_hostname.startswith(('bastion')) %}
+# This is a bastion host, we need tcp forwarding here.
+AllowTcpForwarding yes
+{% else %}
 AllowTcpForwarding no
+{% endif %}
 
 # Accept locale-related environment
 AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES