--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<%=
+
+pairs = [
+ [ 'denis.debian.org', 'ravel.debian.org' ],
+ [ 'denis.debian.org', 'senfl.debian.org' ],
+ [ 'denis.debian.org', 'diamond.debian.org' ],
+ [ 'denis.debian.org', 'orff.debian.org' ]
+ ]
+
+lines = []
+
+pairs.each do |pair|
+ next unless pair.include?(fqdn)
+ pair.sort!
+ keyname = "tsig-#{pair.join('-')}"
+ pair.delete(fqdn)
+ other = pair[0]
+
+ key = hkdf('/etc/puppet/secret', "puppet-key-#{keyname}")
+
+ lines << "key #{keyname} { algorithm hmac-md5; secret \"#{key}\"; };\n"
+
+ remote_ip = scope.lookupvar('site::allnodeinfo')[other]['ipHostNumber']
+ remote_ip.each do |r|
+ lines << "server #{r} { keys { #{keyname}; }; };\n"
+ end
+ lines << ""
+end
+lines.join("\n")
+%>
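Review bot: The generated `key` statement pins TSIG to `hmac-md5`, a legacy algorithm that should not be chosen for a new deployment. Since both ends of each pair presumably render this same template, it can be switched in one place to `lines << "key #{keyname} { algorithm hmac-sha256; secret \"#{key}\"; };\n"`, provided the `hkdf` helper (not visible here) returns base64 of suitable length. The rendered output embeds the shared secret in clear text, so the file resource that consumes this template, which is outside this diff, should be readable only by root and the name server user. Separately, `scope.lookupvar('site::allnodeinfo')[other]['ipHostNumber']` raises on nil if the peer has no node info entry, so a guard that fails with a clear message naming the missing host would make a bad pair easier to diagnose.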