#!/bin/bash

ttl=86400

externalip="$(curl -s ident.me)"

for domain in {{ hosted_domains }} {{ external_domain }}; do

    echo

     # NS/MX/A -- basic orientation to the world for names, mail, and address
     cat <<EOM
\$ORIGIN ${domain}.
@       $ttl   IN      SOA     ns51.cloudns.net. support.cloudns.net. 2024040128 7200 1800 1209600 86400
@       $ttl   IN      NS      ns51.cloudns.net.
@       $ttl   IN      NS      ns52.cloudns.net.
@       $ttl   IN      NS      ns53.cloudns.net.
@       $ttl   IN      NS      ns54.cloudns.net.
@       $ttl   IN      MX      10 mailforward51.cloudns.net.
@       $ttl   IN      MX      10 mailforward52.cloudns.net.
@       $ttl   IN      A       ${externalip}
EOM

     # CAA -- who can issue certs for this domain
     # https://letsencrypt.org/docs/caa/
     echo 'CAA 128 issue "letsencrypt.org"'

     # TLSA -- TLS fingerprints for certs & chain
     for i in _443._tcp _6697._tcp; do
         printf "$i   $ttl IN ";
     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey  2>/dev/null | openssl rsa -pubin -outform DER  2>/dev/null | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 2 1 1", $NF}'
         printf "$i   $ttl IN ";
     openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/cert.pem -noout -pubkey 2>/dev/null | openssl rsa -pubin -outform DER 2>/dev/null  | openssl dgst -sha256 -hex 2>/dev/null | awk '{print "TLSA 3 1 1", $NF}'
     done

     # SSHFP -- SFTP/SSH fingerprints
     ssh-keygen -r '@ $ttl' | grep -E '4 2|1 2' # Only take RSA & Ed25519 keys

done

# CNAME -- Add CNAMES for various subdomains
for i in {{ external_subdomains }}; do
     printf "%-20s %-10s %-10s %-10s %s\n" "$i" "$ttl" IN CNAME {{ external_domain }}.
done