From b41bbe0bcc0ca74548ff8e99c3014452a7dc64f2 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Fri, 7 Jun 2013 20:22:57 +0000
Subject: [PATCH] generate TLSA record for our mailserver ports
---
 modules/dnsextras/manifests/entry.pp | 6 ++----
 modules/dnsextras/manifests/tlsa_record.pp | 12 ++++++++++++
 modules/exim/manifests/init.pp | 9 +++++----
 modules/exim/manifests/mx.pp | 10 +++++-----
 .../puppet/parser/functions/gen_tlsa_entry.rb | 16 ++++++++++++++++
 5 files changed, 40 insertions(+), 13 deletions(-)
 create mode 100644 modules/dnsextras/manifests/tlsa_record.pp
 create mode 100644 modules/puppetmaster/lib/puppet/parser/functions/gen_tlsa_entry.rb
diff --git a/modules/dnsextras/manifests/entry.pp b/modules/dnsextras/manifests/entry.pp
index 9c2b6b9f..e061f686 100644
--- a/modules/dnsextras/manifests/entry.pp
+++ b/modules/dnsextras/manifests/entry.pp
@@ -1,12 +1,10 @@
 define dnsextras::entry (
 $zone,
- $label,
- $rrtype,
- $rrdata,
+ $content,
 ) {
 @@concat::fragment { "dns-extra-${zone}-${::fqdn}-${name}":
 target => "/srv/dns.debian.org/puppet-extra/include-${zone}",
- content => "; ${::fqdn} ${name}\n${label}. IN ${rrtype} ${rrdata}\n",
+ content => "; ${::fqdn} ${name}\n${content}\n",
 tag => 'dnsextra',
 }
 }
diff --git a/modules/dnsextras/manifests/tlsa_record.pp b/modules/dnsextras/manifests/tlsa_record.pp
new file mode 100644
index 00000000..d3692f8c
--- /dev/null
+++ b/modules/dnsextras/manifests/tlsa_record.pp
@@ -0,0 +1,12 @@
+define dnsextras::tlsa_record (
+ $zone,
+ $certfile,
+ $hostname,
+ $port,
+) {
+ $snippet = gen_tlsa_entry($certfile, $hostname, $port)
+ dnsextras::entry{ "$name":
+ zone => "$zone",
+ content => $snippet,
+ }
+}
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index 1fb18d6f..10c449e7 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
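Review bot: The new `$content` parameter is copied into the zone include verbatim, so the define no longer shapes the record at all — the caller now owns the trailing dot on the owner name, the class and type, and line termination, and a value containing a newline silently becomes several records. That contract is not written down anywhere in the hunk; I would add `# $content: one or more complete resource records (owner. IN TYPE rdata), written into the zone include as-is; callers are responsible for their syntax` above the parameter list. Because the fragment is exported and collected on the DNS host, anything a calling node can influence in `$content` or `$name` ends up in the served zone, which matters for the callers this patch adds elsewhere.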
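Review bot: `"$name"` and `"$zone"` are single variables wrapped in double quotes with nothing else in the string, which puppet-lint flags (only_variable_string) and which stringifies the value for no gain; I would write `dnsextras::entry { $name:` and `zone => $zone,`. The define also has no header comment, and since `gen_tlsa_entry` is a parser function it runs on the puppetmaster at catalog compile time, so it is worth stating that `$certfile` is a path on the master rather than on the agent: `# Export a TLSA record for $hostname:$port into $zone; $certfile is read on the puppetmaster when the catalog is compiled`. All four parameters are passed straight through, so whatever trust the caller places in `$hostname` and `$certfile` applies directly to the record that gets published.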
@@ -146,11 +146,12 @@ class exim {
 domain => 'ip6',
 rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
 }
- dnsextras::entry{ "tlsa-mailport":
+ dnsextras::tlsa_record{ "tlsa-mailport":
 zone => 'debian.org',
- label => "_${mail_port}._tcp.${::fqdn}",
- rrtype => 'TXT',
- rrdata => 'testing' }
+ certfile => "/etc/puppet/modules/exim/files/certs/${::fqdn}.crt",
+ port => "$mail_port",
+ hostname => "$::fqdn",
+ }
 
 # Do we actually want this? I'm only doing it because it's harmless
 # and makes the logs quiet. There are better ways of making logs quiet,
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index 3c40623d..f719e628 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -23,12 +23,12 @@ class exim::mx inherits exim {
 domain => 'ip6',
 rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
 }
- dnsextras::entry{ "tlsa-submission":
+ dnsextras::tlsa_record{ "tlsa-submission":
 zone => 'debian.org',
- label => "_587._tcp.${::fqdn}",
- rrtype => 'TXT',
- rrdata => 'testing' }
-
+ certfile => "/etc/puppet/modules/exim/files/certs/${::fqdn}.crt",
+ port => 587,
+ hostname => "$::fqdn",
+ }
 package { 'nagios-plugins-standard':
 ensure => installed,
 }
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/gen_tlsa_entry.rb b/modules/puppetmaster/lib/puppet/parser/functions/gen_tlsa_entry.rb
new file mode 100644
index 00000000..7c07b7c9
--- /dev/null
+++ b/modules/puppetmaster/lib/puppet/parser/functions/gen_tlsa_entry.rb
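Review bot: Both `certfile` and `hostname` are built from `$::fqdn`, a fact the agent reports, while `gen_tlsa_entry` runs on the master, does `File.exist?` on that path and hands the name to `swede`; a node reporting a crafted fqdn can therefore make the master hash a different node's cert (or any readable `.crt`-suffixed file under that directory, via `..`) and publish the result as `_${mail_port}._tcp.<name of its choosing>` in debian.org. If agents are not fully trusted, the defensible identity is the certname authenticated by the agent's SSL certificate (`$trusted['certname']` where the master provides trusted node data), e.g. `certfile => "/etc/puppet/modules/exim/files/certs/${trusted['certname']}.crt",` and `hostname => $trusted['certname'],`, or at least a guard that fails compilation when `$::fqdn` does not match it. The `"$mail_port"` and `"$::fqdn"` quoting is the only-variable-string pattern puppet-lint warns about; plain `$mail_port` and `$::fqdn` would do, and the function already calls `to_s` on the port. The enclosing `class exim` continues outside the hunk.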
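Review bot: The record is regenerated from whatever `${::fqdn}.crt` contains at compile time, and with usage 3 / selector 1 it hashes the SubjectPublicKeyInfo, so a renewal that keeps the key leaves the record unchanged but a key change replaces the TLSA record in a single step. Senders that already validated the old record, or resolvers still caching it, will then refuse the new key until the TTL expires, so — as I read the DANE rollover guidance — a new key needs its record pre-published alongside the old one for a TTL window; a comment here such as `# TLSA is derived from the current key: pre-publish a record for any new key before rotating, or remote MTAs will reject it` would spare someone a submission outage. `port => 587` is a literal here while init.pp derives its port from `$mail_port`; picking one convention (a class parameter for the submission port) keeps the two records in step. As with the mailport record, `certfile` and `hostname` come from the agent-reported `$::fqdn`. The enclosing `class exim::mx` continues outside the hunk.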
@@ -0,0 +1,16 @@
+module Puppet::Parser::Functions
+ newfunction(:gen_tlsa_entry, :type => :rvalue) do |args|
+ certfile = args.shift()
+ hostname = args.shift()
+ port = args.shift()
+
+ if File.exist?(certfile)
+ cmd = ['swede', 'create', '--usage=3', '--selector=1', '--mtype=1', '--certificate', certfile, '--port', port.to_s, hostname]
+ IO.popen(cmd, "r") {|i|
+ return i.read
+ }
+ else
+ return "; certfile #{certfile} did not exist to create TLSA record for #{hostname}:#{port}."
+ end
+ end
+end
-- 
2.39.2
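Review bot: The exit status of `swede` is never examined — `IO.popen` yields whatever reached stdout, so if swede exits non-zero (unparsable certificate, unsupported option) the function returns an empty or partial string, `dnsextras::entry` publishes that as the record body, and the mailserver ends up with no TLSA record while the compile succeeds quietly. I would capture the output, check `$?.success?` afterwards and raise `Puppet::ParseError` so the catalog fails loudly, keeping the existing comment-line fallback only for the missing-file case, which reads as deliberately soft. Passing argv as an array already avoids a shell, but `hostname` sits last and comes from a node-reported fact, so a value beginning with `-` could be taken as an option; a `--` before it is cheap insurance, provided swede's parser honours it (I have not checked). A header comment would also help: `# gen_tlsa_entry(certfile, hostname, port): run swede on the puppetmaster to produce a DANE-EE (usage 3, SPKI selector, SHA-256) TLSA record for _port._tcp.hostname; certfile is a path on the master`.
```ruby
    if File.exist?(certfile)
      cmd = ['swede', 'create', '--usage=3', '--selector=1', '--mtype=1',
             '--certificate', certfile, '--port', port.to_s, '--', hostname]
      output = IO.popen(cmd, "r") { |io| io.read }
      unless $?.success?
        raise Puppet::ParseError, "swede exited #{$?.exitstatus} generating TLSA record for #{hostname}:#{port}"
      end
      return output
    else
      # … unchanged: comment-line fallback for a missing certfile …
```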