From: Tom Hughes Date: Sat, 8 Feb 2020 15:41:10 +0000 (+0000) Subject: Generate a DNS include file for SSHFP records X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/269b5b28ccf95dd4b96cac3f51168ea3280c83db Generate a DNS include file for SSHFP records
---
diff --git a/cookbooks/dns/files/default/dns-update-sshfp b/cookbooks/dns/files/default/dns-update-sshfp
new file mode 100755
index 000000000..907853f17
--- /dev/null
+++ b/cookbooks/dns/files/default/dns-update-sshfp
@@ -0,0 +1,30 @@
+#!/usr/bin/perl
+
+open(SSHFP, "-|","sshfp", "-k", "/etc/ssh/ssh_known_hosts") || die $!;
+open(SSHFP_JS, ">", "/var/lib/dns/include/sshfp.js") || die $!;
+
+print SSHFP_JS qq|var SSHFP_RECORDS = [\n|;
+
+while (my $line = )
+{
+ if ($line =~ /^(\S+) IN SSHFP (\d+) (\d+) ([0-9A-F]+)$/)
+ {
+ my $host = $1;
+ my $algorithm = $2;
+ my $type = $3;
+ my $value = $4;
+
+ print SSHFP_JS qq| SSHFP("${host}", ${algorithm}, ${type}, "${value}");\n|;
+ }
+ else
+ {
+ warn $line;
+ }
+}
+
+print SSHFP_JS qq|];\n|;
+
+close(SSHFP_JS);
+close(SSHFP);
+
+exit 0;
diff --git a/cookbooks/dns/recipes/default.rb b/cookbooks/dns/recipes/default.rb
index 5b4743ef6..6bf913cb3 100644
--- a/cookbooks/dns/recipes/default.rb
+++ b/cookbooks/dns/recipes/default.rb
@@ -103,6 +103,13 @@ template "/usr/local/bin/dns-update" do
 variables :passwords => passwords, :geoservers => geoservers
 end
 
+cookbook_file "/usr/local/bin/dns-update-sshfp" do
+ source "dns-update-sshfp"
+ owner "git"
+ group "git"
+ mode 0o750
+end
+
 execute "dns-update" do
 action :nothing
 command "/usr/local/bin/dns-update"
@@ -125,6 +132,14 @@ template "/var/lib/dns/creds.json" do
 variables :passwords => passwords
 end
 
+execute "dns-update-sshfp" do
+ action :nothing
+ command "/usr/local/bin/dns-update-sshfp"
+ user "git"
+ group "git"
+ subscribes :run, "template[/etc/ssh/ssh_known_hosts]"
+end
+
 cookbook_file "#{node[:dns][:repository]}/hooks/post-receive" do
 source "post-receive"
 owner "git"
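Review bot: The exit status of the `sshfp` child is never checked — `close(SSHFP)` near the end of the hunk discards its return value, so if `sshfp` fails or is not on PATH the script still writes a truncated or empty record list to `/var/lib/dns/include/sshfp.js` and exits 0. Check the pipe close, `close(SSHFP) or die "sshfp failed: $? $!";`, and likewise `close(SSHFP_JS) or die $!;` so buffered write errors surface; writing to a temporary file and renaming it into place would also keep a partial include from being picked up mid-run. The `(\S+)` host capture is interpolated verbatim into a JavaScript string literal, so any name from ssh_known_hosts containing `"` or `\` would corrupt the generated file; tightening it to a hostname character class such as `([A-Za-z0-9.-]+)` rules that out. The file should also begin with `use strict; use warnings;` and use lexical filehandles instead of the bareword SSHFP/SSHFP_JS. The `while (my $line = )` line appears to have lost its `<SSHFP>` readline in this rendering, so that is likely an extraction artefact rather than a defect in the commit.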
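Review bot: With `action :nothing` and only a `subscribes` on `template[/etc/ssh/ssh_known_hosts]`, the new `execute "dns-update-sshfp"` never runs on a converge where that template is already up to date, so `/var/lib/dns/include/sshfp.js` will be missing on existing hosts until the next known_hosts change. Adding a guarded first run, e.g. `action :run` together with `not_if { ::File.exist?("/var/lib/dns/include/sshfp.js") }`, keeps the subscription while populating the file on first converge. Nothing here notifies `execute[dns-update]` after the include is regenerated; if dns-update is what consumes sshfp.js, a `notifies :run, "execute[dns-update]"` on this resource would be needed, though that dependency is not visible in the hunk. The `/var/lib/dns/include` directory also has to be writable by the `git` user, and this section does not show that being ensured.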