# Role for the primary (hidden master) nameserver: BIND zone file
# handling and Let's Encrypt certificate handling.
#
# Three service accounts (dnsadm, letsencrypt, geodnssync) pull in the
# keys tagged 'dns_primary'; two keys are generated on this node and
# handed out, each pinned to a single command, to the geodns sync nodes
# and to the puppetmaster respectively.
class roles::dns_primary {
  include named::primary

  # One ssh::authorized_key_collect per service account, all sharing the
  # 'dns_primary' tag; the resource title follows the account name.
  ['dnsadm', 'letsencrypt', 'geodnssync'].each |String $user| {
    ssh::authorized_key_collect { "dns_primary-${user}":
      target_user => $user,
      collect_tag => 'dns_primary',
    }
  }

  # Key used by dnsadm to kick the geodns sync on the geodnssync nodes.
  # The public key is taken from the dnsadm_key fact reported by this
  # node; presumably that fact only exists once ssh::keygen has run
  # (first-run ordering — confirm against the ssh module), and the
  # command parameter is what restricts the key on the receiving side.
  ssh::keygen { 'dnsadm': }
  ssh::authorized_key_add { 'dns_primary::geodns':
    target_user => 'geodnssync',
    command     => '/etc/bind/geodns/trigger',
    key         => $facts['dnsadm_key'],
    collect_tag => 'geodnssync-node',
  }

  # Key used by letsencrypt to push certificates to the puppetmaster.
  # The command ties the key to one rsync server invocation targeting
  # the from-letsencrypt directory, so it is only usable for that push.
  ssh::keygen { 'letsencrypt': }
  ssh::authorized_key_add { 'dns_primary::puppetmaster::letsencrypt-certificates':
    target_user => 'puppet',
    command     => 'rsync --server -vlogDtprze.iLsfx --delete --partial . /srv/puppet.debian.org/from-letsencrypt',
    key         => $facts['letsencrypt_key'],
    collect_tag => 'puppetmaster',
  }
}