From 5cc4b8da58962991fcb4281caa9ded4f6139d47a Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 7 Sep 2019 23:25:24 +0200
Subject: [PATCH] do not hardcode dns primary ssh key for syncing to secondaries
---
modules/named/files/common/authorized_keys | 5 -----
modules/named/manifests/geodns.pp | 5 -----
modules/roles/manifests/dns_geodns.pp | 5 +++++
modules/roles/manifests/dns_primary.pp | 7 +++++++
4 files changed, 12 insertions(+), 10 deletions(-)
delete mode 100644 modules/named/files/common/authorized_keys
diff --git a/modules/named/files/common/authorized_keys b/modules/named/files/common/authorized_keys
deleted file mode 100644
index bb3517f45..000000000
--- a/modules/named/files/common/authorized_keys
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
-# USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
-#
-from="82.195.75.91,2001:41b8:202:deb:1b1b::91",command="/etc/bind/geodns/trigger",restrict ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCtZqwdRGRGycqd+EqSzMfXHZa8caLx2yjkQs3hXOWDcAkfbFhsjgnVanx90i8/FIIIVKWPHXvRpS8dsKfBn4MbVq6AYYcx/sYS9uMMjLWFMC0TqrOp4IgHMH3qXlgsq/eOnqvQXDU3DO3p2TVS/a4F7vh8/nPQtDM1JVnMgZL4rx0aXYVcFIdxv9Sy76K4MBENOnXJ73qmRaVu6fIUfk9MAdzIcMx3iOYiO78vytc4xezq743iIOee0vpY1VnF2CDxrWoVyDGDH7qNk8xeFzAGm91xrcSkVEmMVbD9vMLOOPsEZNMJlimEDetEiNwJoS0HzHq6jccksb1wjs2tOr8X dnsadm@denis (20131230)
diff --git a/modules/named/manifests/geodns.pp b/modules/named/manifests/geodns.pp
index d9684f3db..43828d47b 100644
--- a/modules/named/manifests/geodns.pp
+++ b/modules/named/manifests/geodns.pp
@@ -47,11 +47,6 @@ class named::geodns inherits named { mode => '0555', source => 'puppet:///modules/named/common/trigger', } - file { '/etc/ssh/userkeys/geodnssync': - source => 'puppet:///modules/named/common/authorized_keys', - group => geodnssync, - mode => '0440', - } file { '/etc/cron.d/dsa-boot-geodnssync': ensure => absent; } concat::fragment { 'dsa-puppet-stuff--geodns-boot': target => '/etc/cron.d/dsa-puppet-stuff', diff --git a/modules/roles/manifests/dns_geodns.pp b/modules/roles/manifests/dns_geodns.pp index 48bb916c6..f2197c56c 100644 --- a/modules/roles/manifests/dns_geodns.pp +++ b/modules/roles/manifests/dns_geodns.pp @@ -3,4 +3,9 @@ class roles::dns_geodns { include named::geodns ssh::keygen { 'geodnssync': } + + ssh::authorized_key_collect { 'geodnssync-node': + target_user => 'geodnssync', + collect_tag => 'geodnssync-node', + } } diff --git a/modules/roles/manifests/dns_primary.pp b/modules/roles/manifests/dns_primary.pp index 0038e6378..193cf6169 100644 --- a/modules/roles/manifests/dns_primary.pp +++ b/modules/roles/manifests/dns_primary.pp @@ -11,4 +11,11 @@ class roles::dns_primary { collect_tag => 'dns_primary', } ssh::keygen {'dnsadm': } + + ssh::authorized_key_add { 'dns_primary::geodns': + target_user => 'geodnssync', + command => '/etc/bind/geodns/trigger', + key => $facts['dnsadm_key'], + collect_tag => 'geodnssync-node', + } } -- 2.20.1
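Review bot: The new `ssh::authorized_key_collect { 'geodnssync-node': ... }` in roles::dns_geodns carries no comment saying where the collected keys come from, so a reader of this file alone cannot tell that the `geodnssync-node` tag is exported by roles::dns_primary or that it replaces the authorized_keys file that named::geodns used to ship. Suggest adding above the resource: `# collect the dnsadm key exported by roles::dns_primary (tag geodnssync-node); the primary uses it to run the geodns trigger on this host`. The key material and any forced command or source restriction are decided on the exporting side, so what that key is allowed to do must be reviewed in dns_primary.pp rather than here.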
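Review bot: The exported key in `ssh::authorized_key_add { 'dns_primary::geodns': ... }` passes only `command => '/etc/bind/geodns/trigger'`, whereas the hardcoded authorized_keys entry it replaces also carried `from="82.195.75.91,2001:41b8:202:deb:1b1b::91"` and `restrict`; unless `ssh::authorized_key_add` adds those options on its own (the define is not visible here), the trigger on the secondaries is now accepted from any source address and without the restrict hardening (no agent/port forwarding, no pty). If the define supports it, pass the equivalent explicitly, e.g. `options => ['restrict']` together with a from= clause built from the primary's addresses, checking the exact parameter name against the define. Separately, `key => $facts['dnsadm_key']` reads a fact that is only populated once the `ssh::keygen {'dnsadm': }` in the same class has run and facts have been re-collected; on a freshly provisioned primary the fact is presumably undef and an empty key would be exported to every secondary, so guarding the resource with `if $facts['dnsadm_key'] { ... }` would be a cheap defensive measure.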