complete opendkim setup

преди 5 години · 37a303b281
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1,3 +1,4 @@
 ---
 dkim_domains: []
 dkim_selector: "{{ inventory_hostname_short }}"
 opendkim_key_size: 2048
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -13,9 +13,18 @@
    dest: /etc/opendkim.conf
  notify: reload opendkim

 - name: dkim keys directory
 - name: opendkim config directory
  file:
    path: /etc/dkimkeys/{{item}}
    path: /etc/opendkim
    state: directory
    owner: opendkim
    group: opendkim
    mode: 0755
  with_items: "{{dkim_domains}}"

 - name: dkim keys directories
  file:
    path: /etc/opendkim/keys/{{item}}
    state: directory
    owner: opendkim
    group: opendkim
@@ -24,7 +33,7 @@

 - name: dkim private keys
  openssl_privatekey:
    path: /etc/dkimkeys/{{item}}/mail.private
    path: /etc/opendkim/keys/{{item}}/{{dkim_selector}}.private
    size: "{{opendkim_key_size}}"
    owner: opendkim
    group: opendkim
@@ -33,20 +42,46 @@

 - name: dkim public keys
  openssl_publickey:
    privatekey_path: /etc/dkimkeys/{{item}}/mail.private
    path: /etc/dkimkeys/{{item}}/mail.public
    privatekey_path: /etc/opendkim/keys/{{item}}/{{dkim_selector}}.private
    path: /etc/opendkim/keys/{{item}}/{{dkim_selector}}.public
    owner: opendkim
    group: opendkim
    mode: 0600
  with_items: "{{dkim_domains}}"

 - name: read dkim public keys
  command: cat /etc/dkimkeys/{{item}}/mail.public
  command: cat /etc/opendkim/keys/{{item}}/{{dkim_selector}}.public
  with_items: "{{dkim_domains}}"
  changed_when: false
  register: _opendkim_read_public_key

 - name: show dkim entries
 - name: show dkim dns records
  debug:
    msg: "{{_dkim_public_keys}}"
    msg: "{{_dkim_dns_records}}"

 - name: test dkim dns records
  command: opendkim-testkey -v -d {{item}} -s {{dkim_selector}} -k /etc/opendkim/keys/{{item}}/{{dkim_selector}}.private
  changed_when: false
  with_items: "{{dkim_domains}}"

 - name: opendkim key table
  template:
    src: key.table.j2
    dest: /etc/opendkim/key.table
    mode: 0600

 - name: opendkim signing table
  template:
    src: signing.table.j2
    dest: /etc/opendkim/signing.table
    mode: 0600

 - name: opendkim signing table
  template:
    src: trusted.hosts.j2
    dest: /etc/opendkim/trusted.hosts
    mode: 0600

 - name: test opendkim configuration
  command: opendkim -n
  changed_when: false
--- a/templates/KeyTable.j2
+++ b/templates/KeyTable.j2
--- a/templates/SigningTable.j2
+++ b/templates/SigningTable.j2
--- a/templates/TrustedHosts.j2
+++ b/templates/TrustedHosts.j2
--- a/templates/dns_records.json.j2
+++ b/templates/dns_records.json.j2
@@ -0,0 +1,7 @@
 {
 {% for dkim_domain in dkim_domains %}
 "{{dkim_domain}}":
 {% set key = _dkim_public_keys[dkim_domain] %}
 "{{dkim_selector}}._domainkey IN TXT \"v=DKIM1; h=sha256; k=rsa; \" \"p={{key[0:253]}}\"{% for n in range((((key|length)-253)/255)|round|int) %} \"{{key[253+n*255:253+(n+1)*255]}}\"{% endfor %}"
 {% endfor %}
 }
--- a/templates/key.table.j2
+++ b/templates/key.table.j2
@@ -0,0 +1,5 @@
 {{ansible_managed|comment}}

 {% for domain in dkim_domains %}
 {{ domain }} {{domain}}:{{dkim_selector}}:/etc/opendkim/keys/{{domain}}/{{dkim_selector}}.private
 {% endfor %}
--- a/templates/opendkim.conf.j2
+++ b/templates/opendkim.conf.j2
@@ -10,10 +10,11 @@ Syslog			yes
 # privileged user (e.g. Postfix)
 UMask			007

 #KeyTable                /etc/opendkim/KeyTable
 #SigningTable            /etc/opendkim/SigningTable
 #ExternalIgnoreList      /etc/opendkim/TrustedHosts
 #InternalHosts           /etc/opendkim/TrustedHosts
 ExternalIgnoreList      file:/etc/opendkim/trusted.hosts
 InternalHosts           file:/etc/opendkim/trusted.hosts

 KeyTable                file:/etc/opendkim/key.table
 SigningTable            refile:/etc/opendkim/signing.table

 # Commonly-used options; the commented-out versions show the defaults.
 #Canonicalization	simple
--- a/templates/public_keys.json.j2
+++ b/templates/public_keys.json.j2
@@ -0,0 +1,5 @@
 {
 {% for dkim_domain in dkim_domains %}
 "{{dkim_domain}}":{{_opendkim_read_public_key|json_query("results[?item=='"+dkim_domain+"']|[0].stdout_lines[1:-1]")|join|to_json}},
 {% endfor %}
 }
--- a/templates/signing.table.j2
+++ b/templates/signing.table.j2
@@ -0,0 +1,5 @@
 {{ansible_managed|comment}}

 {% for domain in dkim_domains %}
 *@{{domain}} {{domain}}
 {% endfor %}
--- a/templates/trusted.hosts.j2
+++ b/templates/trusted.hosts.j2
@@ -0,0 +1 @@
 {{ansible_managed|comment}}
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -1,2 +1,3 @@
 ---
 _dkim_public_keys: "{{_opendkim_read_public_key|json_query(\"results[].stdout_lines[1:-1]\")|map('join')|list}}"
 _dkim_public_keys: "{{ lookup('template','public_keys.json.j2') }}"
 _dkim_dns_records: "{{ lookup('template','dns_records.json.j2') }}"