From 510a3014391d056a26555a5be1320c3f1b94f796 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Thu, 4 Nov 2021 18:33:21 +0100
Subject: Set up nsupdate.
---
modules/nsupdate/manifests/init.pp | 64 +++++++++++++++++++++++++++++++++
modules/nsupdate/manifests/setup.pp | 14 ++++++++
modules/nsupdate/templates/nsupdate.epp | 18 ++++++++++
3 files changed, 96 insertions(+)
create mode 100644 modules/nsupdate/manifests/init.pp
create mode 100644 modules/nsupdate/manifests/setup.pp
create mode 100644 modules/nsupdate/templates/nsupdate.epp
(limited to 'modules/nsupdate')
diff --git a/modules/nsupdate/manifests/init.pp b/modules/nsupdate/manifests/init.pp
new file mode 100644
index 0000000..8141f5a
--- /dev/null
+++ b/modules/nsupdate/manifests/init.pp
@@ -0,0 +1,64 @@
+# type DNSRecordType = ['A', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
+# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
+# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
+# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
+# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
+# 'TSIG', 'TXT', 'URI', 'ZA', 'AAAA', 'AFSDB', 'APL', 'CAA', 'CDNSKEY', 'CDS',
+# 'CERT', 'CNAME', 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48',
+# 'EUI64', 'HINFO', 'HIP', 'HTTPS', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX',
+# 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'OPENPGPKEY', 'PTR', 'RRSIG',
+# 'RP', 'SIG', 'SMIMEA', 'SOA', 'SRV', 'SSHFP', 'SVCB', 'TA', 'TKEY', 'TLSA',
+# 'TSIG', 'TXT', 'URI', 'ZONEMD']
+
+type DNSRecordType = Enum['A']
+
+type DNSRecord = Struct[{
+ domain => String,
+ type => DNSRecordType,
+ ttl => Integer,
+}]
+
+# Sets up a single instance of a reoccuring nsupdate.
+# Note that nsupdate::secret.$keyname needs to be made available through hiera
+# /etc/puppetlabs/code/environments/production/data/nodes/hornquist.se.yaml
+define nsupdate (
+ String $nameserver,
+ Array[DNSRecord] $records,
+ String $iface = $facts['networking']['primary'],
+ Enum['present', 'absent'] $ensure = present,
+ String $keyname = $name,
+) {
+
+ require ::nsupdate::setup
+
+ file { "/usr/libexec/nsupdate/${name}":
+ ensure => $ensure,
+ mode => '0555',
+ content => epp('nsupdate/nsupdate.epp', {
+ iface => $iface,
+ nameserver => $nameserver,
+ records => $records,
+ keyname => $keyname,
+ })
+ }
+
+ $key = lookup("nsupdate::secrets.\"${keyname}\"")
+ $secret = Sensitive($key['secret'])
+ file { "/var/lib/nsupdate/${keyname}.key":
+ ensure => file,
+ mode => '0400',
+ show_diff => false,
+ content => @("EOF")
+ key "${keyname}" {
+ algorithm ${key['algorithm']};
+ secret "${secret.unwrap}";
+ };
+ | EOF
+ }
+
+ cron { "nsupdate ${name}":
+ ensure => $ensure,
+ command => "/usr/libexec/nsupdate/${name}",
+ minute => 0,
+ }
+}
diff --git a/modules/nsupdate/manifests/setup.pp b/modules/nsupdate/manifests/setup.pp
new file mode 100644
index 0000000..9aba4ff
--- /dev/null
+++ b/modules/nsupdate/manifests/setup.pp
@@ -0,0 +1,14 @@
+class nsupdate::setup (
+) {
+ file { '/usr/libexec/nsupdate':
+ ensure => directory,
+ }
+
+ file { '/var/lib/nsupdate':
+ ensure => directory,
+ }
+
+ ensure_packages(['bind9-dnsutils'], {
+ ensure => installed,
+ })
+}
diff --git a/modules/nsupdate/templates/nsupdate.epp b/modules/nsupdate/templates/nsupdate.epp
new file mode 100644
index 0000000..66fe4b2
--- /dev/null
+++ b/modules/nsupdate/templates/nsupdate.epp
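Review bot: The key file `/var/lib/nsupdate/${keyname}.key` is always `ensure => file`, so setting `$ensure = absent` removes the script and the cron entry but leaves the TSIG secret on disk; `ensure => $ensure ? { 'absent' => absent, default => file },` would retire the secret together with the rest of the instance. `${secret.unwrap}` also turns the Sensitive value back into a plain string inside the heredoc, so the secret ends up unredacted in the compiled catalog and agent report even though `show_diff => false` keeps it out of the change diff; wrapping the whole heredoc in `Sensitive(...)` keeps it redacted, since the file resource's `content` accepts a Sensitive value. The header comment should match the lookup key: it says `nsupdate::secret.$keyname` while the code reads `nsupdate::secrets."${keyname}"`, and `reoccuring` should be `recurring`.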
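Review bot: `/var/lib/nsupdate` is the directory that receives the per-key TSIG files but is declared without a `mode`, so it is created with whatever the agent's default directory permissions are; since only the root cron job reads the keys, `mode => '0700',` on that file resource adds a second layer on top of the `0400` key files and keeps the key names from being listable. The template in this commit also invokes `jq`, while only `bind9-dnsutils` is ensured here; adding `'jq'` to the `ensure_packages` list keeps the cron script from failing on hosts where it is not preinstalled.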
@@ -0,0 +1,18 @@
+<%- |
+ String $iface,
+ String $nameserver,
+ String $keyname,
+ Array[DNSRecord] $records,
+| -%>
+#!/bin/bash
+
+IP=$(ip -j a show dev <%= $iface %> | jq --raw-output '.[0].addr_info[] | select(.family == "inet").local')
+
+nsupdate "$@" -k '/var/lib/nsupdate/<%= $keyname %>.key' << EOF
+server <%= $nameserver %>
+<%- $records.each |$record| { -%>
+update delete <%= $record['domain'] %> <%= $record['type'] %>
+update add <%= $record['domain'] %> <%= $record['ttl'] %> <%= $record['type'] %> ${IP}
+<%- } -%>
+send
+EOF
-- cgit v1.2.3
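Review bot: `$IP` is used on the `update add` line without any check, so if the `ip | jq` pipeline yields nothing (interface without an IPv4 address, or `jq` absent) the heredoc still carries a valid `update delete` followed by an `update add` with no address; I have not checked whether nsupdate then drops the whole batch or sends only the delete, but either way the record is not refreshed and the script has no `set -e`/`pipefail`, so the cron job reports nothing. Guard it right after the assignment, `[ -n "$IP" ] || { echo "no IPv4 address on <%= $iface %>" >&2; exit 1; }`, and add `set -euo pipefail` below the shebang so a failing `ip` or `jq` aborts before `nsupdate` runs. The jq filter also prints one line per IPv4 address on the device, so an interface with several addresses produces a multi-line `$IP` and a malformed update line; wrapping the expression in jq's `first(...)` or piping through `head -n1` pins it to a single address.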