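# profiles::dns::updater
#
# Applies this host's DNS records to the authoritative DNS server via TSIG
# nsupdate, replacing the old exported-resources -> master zone-file flow.
#
# profiles::dns::record fragments are assembled into $records_file; a systemd
# .path unit watches that file and runs dns-update.service (nsupdate) whenever
# it changes. nsupdate comes from bind-utils (installed via bind::updater in
# profiles::dns::base).
#
# Inert until $key_secret is set (the shared TSIG key that the k8s
# bind-authoritative zones allow-update with): the records file is still
# assembled, but the updater service is not managed, so nodes are safe before
# the key is provisioned.
#
# @param server        Address of the authoritative server nsupdate talks to.
# @param key_name      TSIG key name written to the key file.
# @param key_algorithm TSIG algorithm written to the key file.
# @param key_secret    TSIG shared secret; undef leaves the class inert.
# @param default_ttl   Not read in this class; presumably consumed by
#                      profiles::dns::record via class parameter lookup — confirm.
# @param records_file  Concat target that profiles::dns::record fragments feed.
# @param state_dir     Directory holding the records file and the applied-state
#                      marker the update script keeps.
# @param config_dir    Directory holding the TSIG key file (root-only).
class profiles::dns::updater (
  String                      $server        = '198.18.200.9',
  String                      $key_name      = 'client-update',
  String                      $key_algorithm = 'hmac-sha256',
  Optional[Sensitive[String]] $key_secret    = undef,
  Integer                     $default_ttl   = 300,
  Stdlib::AbsolutePath        $records_file  = '/var/lib/dns-updater/records',
  Stdlib::AbsolutePath        $state_dir     = '/var/lib/dns-updater',
  Stdlib::AbsolutePath        $config_dir    = '/etc/dns-updater',
) {
  $state_file = "${state_dir}/applied"
  $key_file   = "${config_dir}/key"
  # Single definition of the script path: the file resource, the service unit
  # and the puppet-run exec must all agree on it.
  $script     = '/usr/local/bin/dns-update'

  file { $state_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Records file, assembled from profiles::dns::record fragments. It is built
  # even when the class is inert so the node is ready the moment a key arrives.
  concat { $records_file:
    ensure         => present,
    owner          => 'root',
    group          => 'root',
    mode           => '0644',
    ensure_newline => true,
    warn           => false,
    require        => File[$state_dir],
  }

  concat::fragment { 'dns-update-header':
    target  => $records_file,
    content => "# Managed by puppet (profiles::dns::record): zone|name|type|ttl|value\n",
    order   => '00',
  }

  if $key_secret =~ Undef {
    notify { 'dns-updater-inert':
      message  => 'profiles::dns::updater: key_secret unset; records assembled but not applied.',
      loglevel => 'info',
    }
  }
  else {
    # Key material is root-only; the directory is closed too so the key file's
    # existence and mtime are not observable by other users.
    file { $config_dir:
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0700',
    }

    # Content is wrapped in Sensitive and show_diff is off so the secret never
    # reaches reports or agent logs; the template receives the unwrapped value.
    file { $key_file:
      ensure    => file,
      owner     => 'root',
      group     => 'root',
      mode      => '0600',
      show_diff => false,
      content   => Sensitive(epp('profiles/dns/tsig-key.epp', {
        'name'      => $key_name,
        'algorithm' => $key_algorithm,
        'secret'    => $key_secret.unwrap,
      })),
    }

    file { $script:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0755',
      content => epp('profiles/dns/dns-update.sh.epp', {
        'server'       => $server,
        'key_file'     => $key_file,
        'records_file' => $records_file,
        'state_file'   => $state_file,
      }),
    }

    systemd::unit_file { 'dns-update.service':
      content => epp('profiles/dns/dns-update.service.epp', { 'script' => $script }),
    }

    # The .path unit watches the records file and triggers the service. It is
    # ordered after the service unit: systemd refuses to activate a path unit
    # whose triggered service is not yet loaded, which would otherwise fail on
    # the first run when resources are applied in an arbitrary order.
    systemd::unit_file { 'dns-update.path':
      content => epp('profiles/dns/dns-update.path.epp', { 'records_file' => $records_file }),
      active  => true,
      enable  => true,
      require => Systemd::Unit_file['dns-update.service'],
    }

    # Also apply within the puppet run whenever the records change, so the
    # host does not wait for the path watcher. The path unit may fire for the
    # same change; whether the script serialises concurrent runs is up to
    # dns-update.sh.epp — confirm if overlapping nsupdate runs are a concern.
    exec { 'dns-update-apply':
      command     => $script,
      refreshonly => true,
      subscribe   => Concat[$records_file],
      require     => [File[$script], File[$key_file]],
    }
  }
}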