+#!/bin/bash
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+fqdn=$(hostname -f)
+
+up4=false
+if timeout -s 9 5 ssh-keyscan -p 2220 -t rsa 10.0.0.1 2>/dev/null | grep -qFx '[10.0.0.1]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn'; then
+ # we are on home network
+ cur4="$(host -4 b8.nz iankelling.org | sed -rn 's/.*has address (.*)/\1/p;T;q')"
+ if ip4=$(curl -s4 https://iankelling.org/cgi/pubip); then
+ if [[ $cur4 && $ip4 && $cur4 != $ip4 ]]; then
+ up4=true
+ fi
+ fi
+fi
+
+# may not be set yet so allow fail
+cur6="$(host -4 -t aaaa $fqdn iankelling.org | sed -rn 's/.*has IPv6 address (.*)/\1/p;T;q')" ||:
+
+up6=false
+# maybe we dont have ipv6 working
+if out6=$(curl -s6 https://iankelling.org/cgi/pubip) && [[ $out6 ]]; then
+ dev=$(ip -o a show to $out6 | awk '{print $2}')
+ # we use slaac with privacy extension, so get our less private more permanent address
+ mac=$(cat /sys/class/net/$dev/address)
+
+ IFS=: read -a f <<<$mac; set -- ${f[@]}
+ ip6=${out6%:*:*:*:*}:$(printf %x $((0x$1 + 2)))$2:$3'ff:fe'$4:$5$6
+ # in case we aren't using slaac
+ if ! ip a | grep "^ *inet6 $ip6/" &>/dev/null; then
+ ip6=$out6
+ fi
+ if [[ $cur6 != $ip6 ]]; then
+ up6=true
+ fi
+fi
+
+
+if ! $up4 && ! $up6; then
+ exit 0
+fi
+
+# note, a simpler way to do this would be to ssh and use
+# "${SSH_CLIENT%% *}
+# to update bind if needed.
+
+f=$(mktemp)
+cat >>$f <<EOF
+server iankelling.org
+zone b8.nz
+EOF
+
+if $up4; then
+ cat >>$f <<EOF
+update delete b8.nz. A
+update add b8.nz. 300 A $ip4
+EOF
+fi
+
+if $up6; then
+ if [[ $HOSTNAME == tp ]]; then
+ cat >>$f <<EOF
+update delete b8.nz. AAAA
+update add b8.nz. 60 AAAA $ip6
+EOF
+ fi
+ cat >>$f <<EOF
+update delete $fqdn. AAAA
+update add $fqdn. 60 AAAA $ip6
+EOF
+fi
+
+cat >>$f <<EOF
+show
+send
+answer
+quit
+EOF
+
+nsupdate -k /p/c/machine_specific/li/filesystem/etc/bind/Kb8.nz.*.private <$f
+
+exit
+
+# # persistent initial setup for this:
+# # create files in /a/c/machine_specific/li/filesystem/etc/bind
+# # note, conflink also does some group ownership stuff.
+
+mkc /p/c/machine_specific/li/filesystem/etc/bind
+s dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST b8.nz
+s chown $USER:$USER *
+
+
+f=key.b8.nz
+cat >$f <<EOF
+key b8.nz. {
+algorithm HMAC-SHA512;
+secret "$(awk '$1 == "Key:" {print $2}' Kb8.nz.*.private)";
+};
+EOF
+
+chmod 640 [kK]*
+
+myunison -ob li
+ssh li conflink
+ssh li ser restart bind9
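Review bot: The two `curl` calls that fetch the public address (the `ip4=` and `out6=` assignments) use `-s` without `-f` and never check the shape of the response, yet `$ip4` and `$ip6` are later expanded inside the unquoted heredocs that build the nsupdate batch sent with the TSIG key. An HTTP error page or any other unexpected body therefore counts as a changed address, and a multi-line body would put extra lines into the batch after the `update delete`. I would fail closed by validating before setting `up4`/`up6`: `if ip4=$(curl -sf4 https://iankelling.org/cgi/pubip) && [[ $ip4 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then` and `if out6=$(curl -sf6 https://iankelling.org/cgi/pubip) && [[ $out6 =~ ^[0-9a-fA-F:]+$ ]]; then`. The same check also makes the unquoted `$out6` in `ip -o a show to $out6` safe from word splitting, though quoting it is still worthwhile.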