-rw-r--r--manifests/site.pp24
-rw-r--r--modules/nsupdate/manifests/init.pp64
-rw-r--r--modules/nsupdate/manifests/setup.pp14
-rw-r--r--modules/nsupdate/templates/nsupdate.epp18
4 files changed, 116 insertions, 4 deletions
diff --git a/manifests/site.pp b/manifests/site.pp
index 89eef6d..e64145c 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -53,6 +53,16 @@ node 'hornquist.se' {
'cowsay',
], { ensure => installed })
+ nsupdate { 'hornquist.se':
+ ensure => present,
+ nameserver => 'ns2.adrift.space',
+ iface => 'eth0',
+ records => [
+ { type => 'A', ttl => 3600, domain => 'hornquist.se' },
+ { type => 'A', ttl => 3600, domain => '*.hornquist.se' },
+ ],
+ }
+
$cgit_root = '/var/www/cgit'
$blog_root = '/var/www/blog'
@@ -108,16 +118,23 @@ node 'hornquist.se' {
$certname = 'hornquist'
- class { 'letsencrypt':
+ class { '::letsencrypt':
+ config => {
email => 'hugo.hornquist@gmail.com',
- renew_cron_ensure => present,
+ }
+ # renew_cron_ensure => present,
}
ensure_packages(['python3-certbot-nginx'],
{ ensure => installed })
letsencrypt::certonly { $certname:
- domains => [
+ ensure => present,
+ manage_cron => true,
+ plugin => 'nginx',
+ additional_args => [ '--quiet', ],
+ post_hook_commands => [ 'systemctl reload nginx.service', ],
+ domains => [
'blog.hornquist.se',
'blogg.hornquist.se',
'www.hornquist.se',
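Review bot: `# renew_cron_ensure => present,` is left as a commented-out parameter inside the `::letsencrypt` class body with no explanation of why it was disabled; since the same hunk moves renewal to `manage_cron => true` on `letsencrypt::certonly`, either delete the line or replace it with a why-comment such as `# renewal cron is managed per certificate via letsencrypt::certonly manage_cron`. The `email` setting is now nested under a `config` hash, which presumably matches the letsencrypt module version in use; worth confirming that the class accepts `config` as a hash before this lands. The enclosing `node 'hornquist.se'` block starts and ends outside the hunk.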
@@ -125,7 +142,6 @@ node 'hornquist.se' {
'git.hornquist.se',
'wiki.hornquist.se',
],
- plugin => 'nginx',
}
nginx::resource::server { 'blogg':
diff --git a/modules/nsupdate/manifests/init.pp b/modules/nsupdate/manifests/init.pp
new file mode 100644
index 0000000..8141f5a
--- /dev/null
+++ b/modules/nsupdate/manifests/init.pp
@@ -0,0 +1,64 @@
+# type DNSRecordType = ['A', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
+# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
+# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
+# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
+# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
+# 'TSIG', 'TXT', 'URI', 'ZA', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
+# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
+# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
+# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
+# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
+# 'TSIG', 'TXT', 'URI', 'ZONEMD']
+
+type DNSRecordType = Enum['A']
+
+type DNSRecord = Struct[{
+ domain => String,
+ type => DNSRecordType,
+ ttl => Integer,
+}]
+
+# Sets up a single instance of a reoccuring nsupdate.
+# Note that nsupdate::secret.$keyname needs to be made available through hiera
+# /etc/puppetlabs/code/environments/production/data/nodes/hornquist.se.yaml
+define nsupdate (
+ String $nameserver,
+ Array[DNSRecord] $records,
+ String $iface = $facts['networking']['primary'],
+ Enum['present', 'absent'] $ensure = present,
+ String $keyname = $name,
+) {
+
+ require ::nsupdate::setup
+
+ file { "/usr/libexec/nsupdate/${name}":
+ ensure => $ensure,
+ mode => '0555',
+ content => epp('nsupdate/nsupdate.epp', {
+ iface => $iface,
+ nameserver => $nameserver,
+ records => $records,
+ keyname => $keyname,
+ })
+ }
+
+ $key = lookup("nsupdate::secrets.\"${keyname}\"")
+ $secret = Sensitive($key['secret'])
+ file { "/var/lib/nsupdate/${keyname}.key":
+ ensure => file,
+ mode => '0400',
+ show_diff => false,
+ content => @("EOF")
+ key "${keyname}" {
+ algorithm ${key['algorithm']};
+ secret "${secret.unwrap}";
+ };
+ | EOF
+ }
+
+ cron { "nsupdate ${name}":
+ ensure => $ensure,
+ command => "/usr/libexec/nsupdate/${name}",
+ minute => 0,
+ }
+}
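Review bot: The key file's `content` interpolates `${secret.unwrap}` into a plain heredoc string, so the `Sensitive` wrapper created two lines earlier is discarded and the TSIG secret is no longer marked sensitive in the catalog, which means Puppet cannot redact it in agent logs or reports (`show_diff => false` only suppresses diffs). Keep the value wrapped by passing the whole heredoc as `content => Sensitive(@("EOF") … | EOF)`, which the `file` type accepts. The key file also hardcodes `ensure => file`, so `ensure => absent` on the define removes the script and the cron entry but leaves the credential on disk; use `ensure => $ensure ? { 'present' => file, default => absent }`. The header comment names the hiera key `nsupdate::secret.$keyname` while the lookup reads `nsupdate::secrets."${keyname}"`; align the comment with the code so operators set the right key. The `DNSRecordType` comment repeats its list from 'AAAA' onward and contains 'ZA' where 'ZONEMD' presumably belongs; trimming it to the single list would make the `Enum['A']` restriction below read as deliberate.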
diff --git a/modules/nsupdate/manifests/setup.pp b/modules/nsupdate/manifests/setup.pp
new file mode 100644
index 0000000..9aba4ff
--- /dev/null
+++ b/modules/nsupdate/manifests/setup.pp
@@ -0,0 +1,14 @@
+class nsupdate::setup (
+) {
+ file { '/usr/libexec/nsupdate':
+ ensure => directory,
+ }
+
+ file { '/var/lib/nsupdate':
+ ensure => directory,
+ }
+
+ ensure_packages(['bind9-dnsutils'], {
+ ensure => installed,
+ })
+}
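Review bot: `ensure_packages` installs only `bind9-dnsutils`, but the script generated from `templates/nsupdate.epp` pipes `ip -j` through `jq`, which this class never ensures, so on a fresh host the failure presumably surfaces at cron time as an empty address rather than at apply time; change it to `ensure_packages(['bind9-dnsutils', 'jq'], { ensure => installed })`. `/var/lib/nsupdate` will hold the TSIG key files yet takes the default directory mode; adding `mode => '0700'` to that resource keeps the key directory unreadable to other accounts even if a key file is later created with a looser mode than 0400.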
diff --git a/modules/nsupdate/templates/nsupdate.epp b/modules/nsupdate/templates/nsupdate.epp
new file mode 100644
index 0000000..66fe4b2
--- /dev/null
+++ b/modules/nsupdate/templates/nsupdate.epp
@@ -0,0 +1,18 @@
+<%- |
+ String $iface,
+ String $nameserver,
+ String $keyname,
+ Array[DNSRecord] $records,
+| -%>
+#!/bin/bash
+
+IP=$(ip -j a show dev <%= $iface %> | jq --raw-output '.[0].addr_info[] | select(.family == "inet").local')
+
+nsupdate "$@" -k '/var/lib/nsupdate/<%= $keyname %>.key' << EOF
+server <%= $nameserver %>
+<%- $records.each |$record| { -%>
+update delete <%= $record['domain'] %> <%= $record['type'] %>
+update add <%= $record['domain'] %> <%= $record['ttl'] %> <%= $record['type'] %> ${IP}
+<%- } -%>
+send
+EOF
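Review bot: The script has no failure handling: without `set -euo pipefail` a failing `ip` or `jq` leaves `IP` empty and the heredoc still sends `update add <domain> <ttl> A` with no address to the nameserver, and an interface carrying several IPv4 addresses yields a multi-line `IP` that splits the update into malformed lines. Add `set -euo pipefail` after the shebang, select a single address in the jq filter with `first(.[0].addr_info[] | select(.family == "inet")).local`, and guard before calling nsupdate with `[[ -n "$IP" ]] || { echo "no IPv4 address on <%= $iface %>" >&2; exit 1; }`. The `"$@"` passthrough forwards any extra cron arguments to nsupdate unchanged, which looks intended but deserves a one-line comment.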