From 7e22696fbb4b41c03143532a9676aae6749329e0 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 30 Dec 2013 22:34:43 +0100
Subject: [PATCH] Try to create shared keys using puppet
---
 modules/named/manifests/authoritative.pp | 6 ++++
 .../named.conf.puppet-shared-keys.erb | 35 +++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 modules/named/templates/named.conf.puppet-shared-keys.erb
diff --git a/modules/named/manifests/authoritative.pp b/modules/named/manifests/authoritative.pp
index d33e406ee..95b0ac746 100644
--- a/modules/named/manifests/authoritative.pp
+++ b/modules/named/manifests/authoritative.pp
@@ -12,4 +12,10 @@ class named::authoritative inherits named {
 owner => root,
 group => bind,
 }
+ file { '/etc/bind/named.conf.puppet-shared-keys':
+ mode => '0640',
+ content => template('named/named.conf.puppet-shared-keys.erb'),
+ owner => root,
+ group => bind,
+ }
 }
diff --git a/modules/named/templates/named.conf.puppet-shared-keys.erb b/modules/named/templates/named.conf.puppet-shared-keys.erb
new file mode 100644
index 000000000..07172b1f6
--- /dev/null
+++ b/modules/named/templates/named.conf.puppet-shared-keys.erb
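Review bot: Nothing in this hunk wires the new `/etc/bind/named.conf.puppet-shared-keys` file into the main BIND configuration, so unless an `include "/etc/bind/named.conf.puppet-shared-keys";` already exists in named.conf elsewhere, the key and server statements it renders are never loaded; the include (or a pointer to where it lives) belongs in the same change. The resource also carries no `notify`/`require` toward the bind service, so a regenerated secret will only take effect on the next unrelated reload — if the class handles this at a higher level, a short comment on the resource saying so would help. `mode => '0640'` with `group => bind` is the right protection for a file that holds TSIG secrets. The enclosing class starts outside the hunk.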
@@ -0,0 +1,35 @@
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<%=
+
+pairs = [
+ [ 'denis.debian.org', 'ravel.debian.org' ],
+ [ 'denis.debian.org', 'senfl.debian.org' ],
+ [ 'denis.debian.org', 'diamond.debian.org' ],
+ [ 'denis.debian.org', 'orff.debian.org' ]
+ ]
+
+lines = []
+
+pairs.each do |pair|
+ next unless pair.include?(fqdn)
+ pair.sort!
+ keyname = "tsig-#{pair.join('-')}"
+ pair.delete(fqdn)
+ other = pair[0]
+
+ key = hkdf('/etc/puppet/secret', "puppet-key-#{keyname}")
+
+ lines << "key #{keyname} { algorithm hmac-md5; secret \"#{key}\"; };\n"
+
+ remote_ip = scope.lookupvar('site::allnodeinfo')[other]['ipHostNumber']
+ remote_ip.each do |r|
+ lines << "server #{r} { keys { #{keyname}; }; };\n"
+ end
+ lines << ""
+end
+lines.join("\n")
+%>
-- 2.20.1
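Review bot: The `key` statement pushed inside the `pairs.each` loop pins `algorithm hmac-md5;`, the weakest TSIG algorithm BIND accepts; BIND 9 has supported `hmac-sha256` for a long time, so I would emit `lines << "key #{keyname} { algorithm hmac-sha256; secret \"#{key}\"; };\n"` instead — both peers render this same template, so the pair stays consistent. The chained lookup `scope.lookupvar('site::allnodeinfo')[other]['ipHostNumber']` raises NoMethodError on nil when `other` has no entry (or no ipHostNumber), which fails the whole catalog with an unhelpful message; `info = scope.lookupvar('site::allnodeinfo')[other]` followed by `raise "no ipHostNumber for #{other}" unless info && info['ipHostNumber']` names the missing host. BIND expects the `secret` value to be base64; whether `hkdf` returns base64 or raw bytes is not visible in this patch, and a raw value would make this file, and therefore the bind config, unparseable, so worth confirming. Minor: every pushed string already ends in `\n` and `lines.join("\n")` adds another, so the output is double-spaced; plain `lines.join` would do.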