define dnsextras::entry (
$zone,
- $label,
- $rrtype,
- $rrdata,
+ $content,
) {
@@concat::fragment { "dns-extra-${zone}-${::fqdn}-${name}":
target => "/srv/dns.debian.org/puppet-extra/include-${zone}",
- content => "; ${::fqdn} ${name}\n${label}. IN ${rrtype} ${rrdata}\n",
+ content => "; ${::fqdn} ${name}\n${content}\n",
tag => 'dnsextra',
}
}
--- /dev/null
+define dnsextras::tlsa_record (
+ $zone,
+ $certfile,
+ $hostname,
+ $port,
+) {
+ $snippet = gen_tlsa_entry($certfile, $hostname, $port)
+ dnsextras::entry{ "$name":
+ zone => "$zone",
+ content => $snippet,
+ }
+}
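Review bot: `dnsextras::entry{ "$name":` and `zone => "$zone",` wrap a lone variable in double quotes, which puppet-lint flags (only-variable-string) and which coerces the value to a string; pass `$name` and `$zone` unquoted. Since `gen_tlsa_entry` is a parser function, it evaluates on the puppet master during catalog compilation, so `$certfile` is read from the master's filesystem rather than the agent's — a comment above the call such as `# gen_tlsa_entry runs on the master: $certfile must exist there` would spare the next reader that surprise. The `+++` header is not visible in this chunk, so the new file's path is inferred from the define name.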
domain => 'ip6',
rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
}
- dnsextras::entry{ "tlsa-mailport":
+ dnsextras::tlsa_record{ "tlsa-mailport":
zone => 'debian.org',
- label => "_${mail_port}._tcp.${::fqdn}",
- rrtype => 'TXT',
- rrdata => 'testing' }
+ certfile => "/etc/puppet/modules/exim/files/certs/${::fqdn}.crt",
+ port => "$mail_port",
+ hostname => "$::fqdn",
+ }
# Do we actually want this? I'm only doing it because it's harmless
# and makes the logs quiet. There are better ways of making logs quiet,
domain => 'ip6',
rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
}
- dnsextras::entry{ "tlsa-submission":
+ dnsextras::tlsa_record{ "tlsa-submission":
zone => 'debian.org',
- label => "_587._tcp.${::fqdn}",
- rrtype => 'TXT',
- rrdata => 'testing' }
-
+ certfile => "/etc/puppet/modules/exim/files/certs/${::fqdn}.crt",
+ port => 587,
+ hostname => "$::fqdn",
+ }
package { 'nagios-plugins-standard':
ensure => installed,
}
--- /dev/null
+module Puppet::Parser::Functions
+ newfunction(:gen_tlsa_entry, :type => :rvalue) do |args|
+ certfile = args.shift()
+ hostname = args.shift()
+ port = args.shift()
+
+ if File.exist?(certfile)
+ cmd = ['swede', 'create', '--usage=3', '--selector=1', '--mtype=1', '--certificate', certfile, '--port', port.to_s, hostname]
+ IO.popen(cmd, "r") {|i|
+ return i.read
+ }
+ else
+ return "; certfile #{certfile} did not exist to create TLSA record for #{hostname}:#{port}."
+ end
+ end
+end
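Review bot: The exit status of `swede` is never checked, so if it fails (bad certificate, unsupported option, non-zero exit) `i.read` returns whatever partial or empty output was produced and that text is written into the zone include as if it were a valid TLSA record. Capture the output and check `$?` after the popen block: `out = IO.popen(cmd, "r") { |io| io.read }`, then `raise Puppet::ParseError, "gen_tlsa_entry: swede exited #{$?.exitstatus} for #{hostname}:#{port}" unless $?.success?`, then `return out`. The array form of `IO.popen` already avoids a shell, so `certfile`, `hostname` and `port` are passed as plain argv and are not shell-interpolated, which is the right choice here. `hostname` is nevertheless a node-reported fact (`$::fqdn` at the call sites) that ends up verbatim in zone text, so rejecting anything outside a hostname shape (e.g. `raise Puppet::ParseError, "bad hostname" unless hostname =~ /\A[a-z0-9.-]+\z/i`) before building `cmd` would keep a malformed fact from yielding malformed zone data; the `args.shift()` calls also carry empty parens the file's style elsewhere omits.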