opendkim: Initial version of role

2024-03-02 19:00:44 +00:00 · 2024-03-02 19:00:44 +00:00 · 546f091e91
commit 546f091e91
parent 6c661f75b8
4 changed files with 120 additions and 0 deletions
--- a/roles/opendkim/defaults/main.yml
+++ b/roles/opendkim/defaults/main.yml
@ -0,0 +1,2 @@
+---
+opendkim_selector: default
--- a/roles/opendkim/files/keystore.Makefile
+++ b/roles/opendkim/files/keystore.Makefile
@ -0,0 +1,28 @@
+TARGETS := $(shell { \
+  if [ $$(date +%m) -lt 6 ]; then \
+    echo "$$(date +%Y)0101.key $$(date +%Y)0601.key" ; \
+  else \
+    echo "$$(date +%Y)0601.key $$(($$(date +%Y) + 1))0101.key" ; \
+  fi \
+  })
+
+all: $(TARGETS)
+
+%.key:
+	@set -eu ; \
+	openssl genrsa -out "$@" 2048 ; \
+	chgrp opendkim "$@" ; \
+	chmod 0640 "$@" ; \
+	echo ; \
+	data="$$(printf "v=DKIM1; k=rsa; p=%s" \
+	  "$$(openssl rsa -in "$@" -pubout -outform der 2>/dev/null | openssl base64 -A)")" ; \
+	pos=0 ; \
+	printf "%s._domainkey\tIN\tTXT\t" "$$(echo "$@" | cut -d. -f1)" ; \
+	while true ; do \
+	  printf "\"%s\"" \
+	    "$$(echo "$$data" | cut -c $$((pos + 1))-$$((pos + 254)))" ; \
+	  pos="$$((pos + 254))" ; \
+	  [ $${#data} -gt $$pos ] || break ; \
+	  printf " " ; \
+	done ; \
+	echo
--- a/roles/opendkim/handlers/main.yml
+++ b/roles/opendkim/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: Restart opendkim
+  ansible.builtin.service:
+    name: opendkim
+    state: restarted
--- a/roles/opendkim/tasks/main.yml
+++ b/roles/opendkim/tasks/main.yml
@ -0,0 +1,85 @@
+---
+- name: Install packages
+  ansible.builtin.package:
+    name: opendkim
+    state: installed
+
+- name: Fix SELinux contexts from keystore
+  community.general.sefcontext:
+    path: "/export/dkim(/.*)?"
+    setype: etc_t
+
+- name: Create keystore
+  ansible.builtin.file:
+    path: /export/dkim
+    state: directory
+    mode: "0710"
+    owner: root
+    group: opendkim
+    setype: _default
+
+- name: Link keystore
+  ansible.builtin.file:
+    dest: /srv/dkim
+    src: /export/dkim
+    state: link
+    owner: root
+    group: "{{ ansible_wheel }}"
+    follow: false
+
+- name: Add keystore Makefile
+  ansible.builtin.copy:
+    dest: /srv/dkim/Makefile
+    src: keystore.Makefile
+    mode: "0600"
+    owner: root
+    group: "{{ ansible_wheel }}"
+    setype: _default
+
+- name: Set selector
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?Selector\s'
+    line: "Selector\t{{ opendkim_selector }}"
+  notify: Restart opendkim
+
+- name: Set key file path
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?KeyFile\s'
+    line: "KeyFile\t/srv/dkim/{{ opendkim_selector }}.key"
+  notify: Restart opendkim
+
+- name: Enable signing and verifying messages
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?Mode\s'
+    line: "Mode\tsv"
+  notify: Restart opendkim
+
+- name: Configure signing domains
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?Domain\s'
+    line: "Domain\t{{ mail_domain }}"
+  notify: Restart opendkim
+
+- name: Configure report address
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?ReportAddress\s'
+    line: "ReportAddress\tpostmaster@{{ mail_domain }}"
+  notify: Restart opendkim
+
+- name: Don't add DKIM-Filter header
+  ansible.builtin.lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^(# )?SoftwareHeader\s'
+    line: "SoftwareHeader\tno"
+  notify: Restart opendkim
+
+- name: Enable service
+  ansible.builtin.service:
+    name: opendkim
+    state: started
+    enabled: true