use easydns-generated tsig key since need key name to match

[dsa-puppet.git] / modules / named / templates / named.conf.puppet-shared-keys.erb

##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##

<%=

pairs = [
        [ 'denis.debian.org', 'ravel.debian.org' ],
        [ 'denis.debian.org', 'senfl.debian.org' ],
        [ 'denis.debian.org', 'diamond.debian.org' ],
        [ 'denis.debian.org', 'orff.debian.org' ],
        [ 'denis.debian.org', 'xfr0.easydns.com' ]
        ]

lines = []

pairs.each do |pair|
        next unless pair.include?(fqdn)
        pair.sort!
        pair.delete(fqdn)
        other = pair[0]

        if other == 'xfr0.easydns.com'
                remote_ip = ['64.68.200.91']
                algorithm = "hmac-md5";
                keyname = "82.195.75.91-key"
                key = "VoIkCnR5DaI3QP3xtmdCYg=="
        else
                remote_ip = scope.lookupvar('site::allnodeinfo')[other]['ipHostNumber']
                algorithm = "hmac-sha256";
                keyname = "tsig-#{pair.join('-')}"
                key = scope.function_hkdf(['/etc/puppet/secret', "puppet-key-#{keyname}"])
        end

        lines << "key #{keyname} { algorithm #{algorithm}; secret \"#{key}\"; };"
        remote_ip.each do |r|
                lines << "server #{r} { keys { #{keyname}; }; };"
        end
        lines << ""
end
lines.join("\n")
%>