From a5f30180f165762ec65f9b6d53a683f59257d1b3 Mon Sep 17 00:00:00 2001
From: Markus Katharina Brechtel
Date: Fri, 2 Nov 2018 13:57:58 +0000
Subject: [PATCH] current development state

---
 defaults/main.yaml | 2 +
 handlers/main.yaml | 5 +++
 tasks/main.yaml | 51 ++++++++++++++++++++++++
 templates/KeyTable.j2 | 0
 templates/SigningTable.j2 | 0
 templates/TrustedHosts.j2 | 0
 templates/opendkim.conf.j2 | 80 ++++++++++++++++++++++++++++++++++++++
 vars/main.yaml | 1 +
 8 files changed, 139 insertions(+)
 create mode 100644 templates/KeyTable.j2
 create mode 100644 templates/SigningTable.j2
 create mode 100644 templates/TrustedHosts.j2
 create mode 100644 templates/opendkim.conf.j2

diff --git a/defaults/main.yaml b/defaults/main.yaml
index ed97d53..5985537 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -1 +1,3 @@
 ---
+dkim_domains: []
+opendkim_key_size: 2048
diff --git a/handlers/main.yaml b/handlers/main.yaml
index ed97d53..d8c97b0 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1 +1,6 @@
 ---
+
+- name: reload opendkim
+  service:
+    name: opendkim
+    state: reloaded
diff --git a/tasks/main.yaml b/tasks/main.yaml
index ed97d53..97b4e20 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
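Review bot: The two new defaults in defaults/main.yaml carry no comment saying what they expect, and `dkim_domains: []` in particular gives a reader no hint that each entry becomes a directory and key pair under /etc/dkimkeys/ (tasks/main.yaml). Suggested comments above the lines: `# Domains to generate DKIM key pairs for; one /etc/dkimkeys/<domain>/ per entry` and `# Key size in bits passed to openssl_privatekey (RSA by default)`. Whether 2048 is a fixed floor or merely a default is worth stating too, since the tasks do not validate the value.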
@@ -1 +1,52 @@
 ---
+
+- name: opendkim debian packages
+  apt:
+    pkg:
+      - opendkim
+      - opendkim-tools
+      - python-openssl
+
+- name: opendkim config
+  template:
+    src: opendkim.conf.j2
+    dest: /etc/opendkim.conf
+  notify: reload opendkim
+
+- name: dkim keys directory
+  file:
+    path: /etc/dkimkeys/{{item}}
+    state: directory
+    owner: opendkim
+    group: opendkim
+    mode: 0700
+  with_items: "{{dkim_domains}}"
+
+- name: dkim private keys
+  openssl_privatekey:
+    path: /etc/dkimkeys/{{item}}/mail.private
+    size: "{{opendkim_key_size}}"
+    owner: opendkim
+    group: opendkim
+    mode: 0600
+  with_items: "{{dkim_domains}}"
+
+- name: dkim public keys
+  openssl_publickey:
+    privatekey_path: /etc/dkimkeys/{{item}}/mail.private
+    path: /etc/dkimkeys/{{item}}/mail.public
+    owner: opendkim
+    group: opendkim
+    mode: 0600
+  with_items: "{{dkim_domains}}"
+
+- name: read dkim public keys
+  command: cat /etc/dkimkeys/{{item}}/mail.public
+  with_items: "{{dkim_domains}}"
+  changed_when: false
+  register: _opendkim_read_public_key
+
+- name: show dkim entries
+  debug:
+    msg: "{{_dkim_public_keys}}"
+  with_items: "{{dkim_domains}}"
diff --git a/templates/KeyTable.j2 b/templates/KeyTable.j2
new file mode 100644
index 0000000..e69de29
diff --git a/templates/SigningTable.j2 b/templates/SigningTable.j2
new file mode 100644
index 0000000..e69de29
diff --git a/templates/TrustedHosts.j2 b/templates/TrustedHosts.j2
new file mode 100644
index 0000000..e69de29
diff --git a/templates/opendkim.conf.j2 b/templates/opendkim.conf.j2
new file mode 100644
index 0000000..ee6d3cf
--- /dev/null
+++ b/templates/opendkim.conf.j2
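Review bot: The `show dkim entries` task at the end of the hunk loops over `dkim_domains` but its `msg` prints the whole `_dkim_public_keys` list on every iteration and never references `item`, so with N domains the complete list is printed N times and nothing tells the reader which key belongs to which domain; either drop the `with_items` or pair the two lists, e.g. `with_together: ["{{dkim_domains}}", "{{_dkim_public_keys}}"]` with `msg: "{{item.0}}: {{item.1}}"`. The `mode: 0700` and two `mode: 0600` values are unquoted octals that YAML 1.1 turns into the integers 448 and 384; Ansible happens to interpret those correctly, but the same form without the leading zero silently yields a different permission, so quote them as `mode: "0700"` / `mode: "0600"` (ansible-lint's risky-octal rule). The `read dkim public keys` task would also benefit from a one-line comment that the PEM header and footer are stripped later by `_dkim_public_keys` in vars/main.yaml, since on its own the task just cats the file.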
@@ -0,0 +1,80 @@
+{{ansible_managed|comment}}
+
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 007
+
+#KeyTable /etc/opendkim/KeyTable
+#SigningTable /etc/opendkim/SigningTable
+#ExternalIgnoreList /etc/opendkim/TrustedHosts
+#InternalHosts /etc/opendkim/TrustedHosts
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+Socket local:/var/run/opendkim/opendkim.sock
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
diff --git a/vars/main.yaml b/vars/main.yaml
index ed97d53..c2e4585 100644
--- a/vars/main.yaml
+++ b/vars/main.yaml
@@ -1 +1,2 @@
 ---
+_dkim_public_keys: "{{_opendkim_read_public_key|json_query(\"results[].stdout_lines[1:-1]\")|map('join')|list}}"
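Review bot: The `KeyTable`, `SigningTable`, `ExternalIgnoreList` and `InternalHosts` directives near the top of this template stay commented out, so the key pairs the role generates under /etc/dkimkeys/<domain>/ are never handed to the milter and outbound mail will not be signed; the matching templates/KeyTable.j2, SigningTable.j2 and TrustedHosts.j2 added in this commit are empty and no task in tasks/main.yaml deploys them. If that is deliberate for a work-in-progress snapshot, a `# TODO: populate and deploy KeyTable/SigningTable/TrustedHosts, then enable the lines below` comment next to those four lines would make the gap explicit to the next reader; otherwise uncomment them once the templates are filled in and point them at wherever the tasks end up writing the files, since /etc/opendkim/ is not a path this role currently creates. Separately, `TrustAnchorFile /usr/share/dns/root.key` relies on a file shipped outside the opendkim package (dns-root-data on Debian), which the apt task does not install explicitly; presumably it arrives as a dependency, but that is worth confirming on the target release rather than assuming.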
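Review bot: `json_query` on the new `_dkim_public_keys` line needs the jmespath Python package on the control node, and nothing in this commit installs or documents that requirement, so the role fails at the `show dkim entries` task on a controller without it. Either record it in the role's README or meta, or stay with core filters, roughly `{{ _opendkim_read_public_key.results | map(attribute='stdout_lines') | map('reject', 'match', '^-----') | map('join') | list }}` (untested here; it drops the PEM BEGIN/END lines by pattern rather than by position). The `[1:-1]` slice also silently assumes each mail.public holds exactly one header line, one footer line and nothing else, which matches openssl_publickey's PEM output but deserves a short comment on the line, e.g. `# strip PEM BEGIN/END lines and join the base64 body into the DNS p= value`. Please also check what `results` looks like when `dkim_domains` is empty, since the debug task still evaluates this variable in that case.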