diff --git a/roles/opendkim/defaults/main.yml b/roles/opendkim/defaults/main.yml
new file mode 100644
index 0000000..ae208c6
--- /dev/null
+++ b/roles/opendkim/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+opendkim_selector: default
diff --git a/roles/opendkim/files/keystore.Makefile b/roles/opendkim/files/keystore.Makefile
new file mode 100644
index 0000000..1a04593
--- /dev/null
+++ b/roles/opendkim/files/keystore.Makefile
@@ -0,0 +1,28 @@
+TARGETS := $(shell { \
+	if [ $$(date +%m) -lt 6 ]; then \
+		echo "$$(date +%Y)0101.key $$(date +%Y)0601.key" ; \
+	else \
+		echo "$$(date +%Y)0601.key $$(($$(date +%Y) + 1))0101.key" ; \
+	fi \
+	})
+
+all: $(TARGETS)
+
+%.key:
+	@set -eu ; \
+	openssl genrsa -out "$@" 2048 ; \
+	chgrp opendkim "$@" ; \
+	chmod 0640 "$@" ; \
+	echo ; \
+	data="$$(printf "v=DKIM1; k=rsa; p=%s" \
+		"$$(openssl rsa -in "$@" -pubout -outform der 2>/dev/null | openssl base64 -A)")" ; \
+	pos=0 ; \
+	printf "%s._domainkey\tIN\tTXT\t" "$$(echo "$@" | cut -d. -f1)" ; \
+	while true ; do \
+		printf "\"%s\"" \
+			"$$(echo "$$data" | cut -c $$((pos + 1))-$$((pos + 254)))" ; \
+		pos="$$((pos + 254))" ; \
+		[ $${#data} -gt $$pos ] || break ; \
+		printf " " ; \
+	done ; \
+	echo
diff --git a/roles/opendkim/handlers/main.yml b/roles/opendkim/handlers/main.yml
new file mode 100644
index 0000000..e98da1b
--- /dev/null
+++ b/roles/opendkim/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart opendkim
+  ansible.builtin.service:
+    name: opendkim
+    state: restarted
diff --git a/roles/opendkim/tasks/main.yml b/roles/opendkim/tasks/main.yml
new file mode 100644
index 0000000..7c1001a
--- /dev/null
+++ b/roles/opendkim/tasks/main.yml
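Review bot: The default `opendkim_selector: default` cannot name any key that `files/keystore.Makefile` produces, because that Makefile only ever generates `YYYY0101.key` and `YYYY0601.key`, so the `KeyFile /srv/dkim/default.key` line written by the tasks points at a file that will not exist until the variable is overridden. A comment on this line would spare the next operator a failed restart, for example `# Basename of a key created by running make in /srv/dkim; a value like 20240601 selects 20240601.key` (the date is illustrative). It is also worth saying there that the matching `<selector>._domainkey` TXT record must be published before the selector is switched, since signing with an unpublished key makes outgoing mail fail DKIM verification.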
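Review bot: In the `%.key` recipe the private key is written by `openssl genrsa -out "$@" 2048` under the caller's umask and is only tightened two commands later by `chmod 0640`, so with a common 022 umask the key sits world-readable until that chmod runs. Setting the umask before generation creates the file with the intended mode directly: `@set -eu ; umask 027 ; \`. Separately, `set -e` aborts the recipe if `openssl` or `chgrp` fails, which can leave a partial `$@` behind that `make all` then treats as up to date; adding `.DELETE_ON_ERROR:` near the top of the Makefile makes make remove the target on a failed recipe. The generated TXT record is only printed to stdout, so a comment above the rule stating that the operator must capture and publish it before pointing `opendkim_selector` at the new key would document the intended workflow.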
@@ -0,0 +1,85 @@
+---
+- name: Install packages
+  ansible.builtin.package:
+    name: opendkim
+    state: installed
+
+- name: Fix SELinux contexts from keystore
+  community.general.sefcontext:
+    path: "/export/dkim(/.*)?"
+    setype: etc_t
+
+- name: Create keystore
+  ansible.builtin.file:
+    path: /export/dkim
+    state: directory
+    mode: "0710"
+    owner: root
+    group: opendkim
+    setype: _default
+
+- name: Link keystore
+  ansible.builtin.file:
+    dest: /srv/dkim
+    src: /export/dkim
+    state: link
+    owner: root
+    group: "{{ ansible_wheel }}"
+    follow: false
+
+- name: Add keystore Makefile
+  ansible.builtin.copy:
+    dest: /srv/dkim/Makefile
+    src: keystore.Makefile
+    mode: "0600"
+    owner: root
+    group: "{{ ansible_wheel }}"
+    setype: _default
+
+- name: Set selector
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?Selector\s'
+    line: "Selector\t{{ opendkim_selector }}"
+  notify: Restart opendkim
+
+- name: Set key file path
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?KeyFile\s'
+    line: "KeyFile\t/srv/dkim/{{ opendkim_selector }}.key"
+  notify: Restart opendkim
+
+- name: Enable signing and verifying messages
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?Mode\s'
+    line: "Mode\tsv"
+  notify: Restart opendkim
+
+- name: Configure signing domains
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?Domain\s'
+    line: "Domain\t{{ mail_domain }}"
+  notify: Restart opendkim
+
+- name: Configure report address
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?ReportAddress\s'
+    line: "ReportAddress\tpostmaster@{{ mail_domain }}"
+  notify: Restart opendkim
+
+- name: Don't add DKIM-Filter header
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?SoftwareHeader\s'
+    line: "SoftwareHeader\tno"
+  notify: Restart opendkim
+
+- name: Enable service
+  ansible.builtin.service:
+    name: opendkim
+    state: started
+    enabled: true
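Review bot: `Link keystore`, `Add keystore Makefile`, `Configure signing domains` and `Configure report address` consume `ansible_wheel` and `mail_domain`, but `defaults/main.yml` in this same commit declares only `opendkim_selector`, so the role aborts with an undefined-variable error unless the caller happens to define the other two; declare them in defaults (or document them as required inputs of the role). Nothing in this task list runs the keystore Makefile, so on a fresh host `Enable service` and the `Restart opendkim` handler start opendkim with `KeyFile` pointing at `/srv/dkim/{{ opendkim_selector }}.key` before any key exists, which opendkim is likely to reject at startup; an `ansible.builtin.stat` on that path followed by an `ansible.builtin.assert`, or at minimum a comment stating that `make -C /srv/dkim` must be run and the TXT record published before the selector is set, would make the required ordering explicit. Minor: `state: installed` in `Install packages` is a yum/dnf spelling that `ansible.builtin.package` passes through unchanged and other package backends may not accept; `state: present` is the portable form.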