--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+##
+
+<%=
+
+lines = []
+
+config = YAML.load(@ipsec_config)
+
+unless config.keys.include?(@fqdn) then
+ fail("Host #{@fqdn} not found in ipsec config.")
+end
+
+config.keys.each do |host|
+ next if @fqdn == host
+
+ pair = [@fqdn, host]
+ pair.sort!
+ connname = pair.join('-')
+ key = scope.function_hkdf(['/etc/puppet/secret', "puppet-key-ipsec:PSK:tor:#{connname}"])
+
+ lines << "#{config[pair[0]]['address']} #{config[pair[1]]['address']} : PSK \"#{key}\""
+end
+lines.join("\n")
+
+%>
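Review bot: The `lines << ...` statement interpolates `config[pair[n]]['address']` without checking that each host entry has a non-empty address, so a missing or blank value renders a secrets line with fewer than two selectors. In ipsec.secrets an entry with fewer ID selectors generally matches more peers than intended, so that pair's PSK could apply more broadly; this is worth confirming against the IPsec implementation in use. I would fail the catalog instead, e.g. `addrs = pair.map { |h| (config[h] || {})['address'].to_s }` followed by `fail("No usable address for #{connname}") if addrs.any? { |a| a !~ /\A\S+\z/ }`, which also rejects embedded whitespace or newlines that would otherwise add extra lines to the file. Separately, `YAML.load(@ipsec_config)` can instantiate arbitrary objects on older Psych versions; where the Ruby in use provides it, `YAML.safe_load(@ipsec_config)` is sufficient for a plain hash of hosts, and a non-Hash result should be rejected before `.keys` is called.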