authorGravatar Johannes Christ <[email protected]>2025-04-20 19:32:22 +0200
committerGravatar Johannes Christ <[email protected]>2025-04-27 10:22:50 +0200
commitfed57b48c33487f7e2ac294b9aa0cc42f8220994 (patch)
tree8240ce4fd16de1dc0a22487346a82cb58b8d411b
parentUpdate poetry (diff)
Set up new dkim milternew-dkim-milter
The existing `opendkim` milter is no longer maintained. This commit introduces a role which deploys `dkim-milter`. As-is, it is not a complete replacement, since the role does not (yet) migrate keys of the old `opendkim` setup.
-rw-r--r--ansible/playbook.yml2
-rw-r--r--ansible/roles/dkim-milter/handlers/main.yml14
-rw-r--r--ansible/roles/dkim-milter/tasks/main.yml148
-rw-r--r--ansible/roles/dkim-milter/templates/dkim-milter.conf.j22
-rw-r--r--ansible/roles/dkim-milter/templates/dkim-milter.service.j221
-rw-r--r--ansible/roles/dkim-milter/vars/main.yml10
6 files changed, 196 insertions, 1 deletions
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 976752e..375e2d5 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -21,7 +21,7 @@
- name: Deploy mailservers
hosts: mail
roles:
- - opendkim
+ - dkim-milter
- opendmarc
- opendmarc-inbox
- sasl
diff --git a/ansible/roles/dkim-milter/handlers/main.yml b/ansible/roles/dkim-milter/handlers/main.yml
new file mode 100644
index 0000000..680b6a6
--- /dev/null
+++ b/ansible/roles/dkim-milter/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Reload dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: restarted
+ tags:
+ - role::dkim-milter
+
+- name: Restart dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: restarted
+ tags:
+ - role::dkim-milter
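Review bot: The `Reload dkim-milter` handler is identical to `Restart dkim-milter`, since both use `state: restarted`; every config or key change therefore takes the milter fully down rather than using the `ExecReload` the service unit in this commit defines. If dkim-milter re-reads its config on SIGHUP, the reload handler should be `state: reloaded`; if it does not, the duplicate handler adds nothing and the tasks could notify `Restart dkim-milter` directly. Keeping two handlers with the same effect also means a run that changes both the unit file and the config restarts the service twice.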
diff --git a/ansible/roles/dkim-milter/tasks/main.yml b/ansible/roles/dkim-milter/tasks/main.yml
new file mode 100644
index 0000000..071e018
--- /dev/null
+++ b/ansible/roles/dkim-milter/tasks/main.yml
@@ -0,0 +1,148 @@
+---
+- name: Install opendkim-tools
+ # Used currently to generate keys. Could theoretically replace this with dkimdo
+ # https://codeberg.org/glts/dkimdo
+ ansible.builtin.package:
+ name: opendkim-tools
+ state: present
+ tags:
+ - role::dkim-milter
+
+- name: Pull dkim-milter AppImage from Uncle Christ
+ ansible.builtin.get_url:
+ checksum: sha256:{{ dkim_milter_package_root }}/sha256sums.txt
+ url: "{{ dkim_milter_package_root }}/dkim-milter"
+ dest: /usr/local/sbin/dkim-milter
+ owner: root
+ group: root
+ mode: 0o755
+ vars:
+ dkim_milter_version: 0.2.0-alpha.1
+ uncle_christ_package_root: https://git.jchri.st/api/packages/jc/generic
+ dkim_milter_package_root: "{{ uncle_christ_package_root }}/dkim-milter/{{ dkim_milter_version }}"
+ tags:
+ - role::dkim-milter
+ # https://codeberg.org/forgejo/forgejo/issues/6871
+ when:
+ - not ansible_check_mode
+
+- name: Create dkim-milter user
+ ansible.builtin.user:
+ name: dkim-milter
+ home: /var/lib/dkim-milter
+ group: dkim-milter
+ create_home: false
+ system: true
+ shell: /usr/sbin/nologin
+ tags:
+ - role::dkim-milter
+
+- name: Create dkim-milter directory
+ ansible.builtin.file:
+ path: /etc/dkim-milter
+ state: directory
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o700
+ tags:
+ - role::dkim-milter
+
+- name: Create dkim-milter keys directory
+ ansible.builtin.file:
+ path: /etc/dkim-milter/keys
+ state: directory
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o700
+ tags:
+ - role::dkim-milter
+
+- name: Template dkim-milter configuration file
+ ansible.builtin.template:
+ src: dkim-milter.conf.j2
+ dest: /etc/dkim-milter/dkim-milter.conf
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template signing-keys file
+ ansible.builtin.copy:
+ content: |
+ {% for domain in dkim_milter_domains %}
+ {% set keyname = (domain | replace(".", "_")) %}
+ {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem
+ {% endfor %}
+ {% for item in dkim_milter_extra_signings %}
+ {% set keyname = (item['domain'] | replace(".", "_")) %}
+ {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem
+ {% endfor %}
+ dest: /etc/dkim-milter/signing-keys
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template signing-senders file
+ ansible.builtin.copy:
+ content: |
+ # Sender expression Domain Selector Key name
+ {% for domain in dkim_milter_domains %}
+ {% set keyname = (domain | replace(".", "_")) %}
+ .{{ domain }} {{ domain }} {{ dkim_milter_selector }} {{ keyname }}
+ {% endfor %}
+ {% for item in dkim_milter_extra_signings %}
+ {% set keyname = (item['use_key'] | replace(".", "_")) %}
+ {% set domain = item['domain'] %}
+ .{{ domain }} {{ domain }} {{ dkim_milter_selector }} {{ keyname }}
+ {% endfor %}
+ dest: /etc/dkim-milter/signing-senders
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Generate dkim keys
+ become: true
+ become_user: dkim-milter
+ ansible.builtin.command: |
+ opendkim-genkey -D /etc/dkim-milter/keys/{{ item }} -d {{ item }} -s {{ dkim_milter_selector }}
+ with_items:
+ - "{{ dkim_milter_domains }}"
+ args:
+ creates: /etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.private
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template systemd service
+ ansible.builtin.template:
+ src: dkim-milter.service.j2
+ dest: /etc/systemd/system/dkim-milter.service
+ owner: root
+ group: root
+ mode: 0o444
+ register: dkim_milter_service
+ notify:
+ - Restart dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Start and enable dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: started
+ enabled: true
+ daemon_reload: "{{ dkim_milter_service is changed }}"
+ tags:
+ - role::dkim-milter
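Review bot: In the `Template signing-keys file` task each key is pointed at `/etc/dkim-milter/keys/<keyname>.pem`, but the `Generate dkim keys` task later in the same file writes `opendkim-genkey` output to `/etc/dkim-milter/keys/<domain>/<selector>.private` (the path its `creates:` guard also checks), so unless something outside this commit places the `.pem` files, the milter is configured with keys that never exist on disk. The first loop would line up with the generated files as `{{ keyname }} < /etc/dkim-milter/keys/{{ domain }}/{{ dkim_milter_selector }}.private`. The second loop derives `keyname` from `item['domain']` while the signing-senders template uses `item['use_key']`, so it emits an `int_pydis_wtf` entry that no sender row references and no task generates; since the senders file already maps the extra signing onto the parent domain's key, that loop looks droppable. Separately, `checksum: sha256:{{ dkim_milter_package_root }}/sha256sums.txt` fetches the digest from the same origin as the AppImage, which detects a corrupted download but not a swapped artefact on the package host; pinning a known sha256 in the task `vars` next to `dkim_milter_version` would make each version bump an explicit integrity decision.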
diff --git a/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2 b/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
new file mode 100644
index 0000000..69b3230
--- /dev/null
+++ b/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
@@ -0,0 +1,2 @@
+signing_keys = </etc/dkim-milter/signing-keys
+signing_senders = </etc/dkim-milter/signing-senders
diff --git a/ansible/roles/dkim-milter/templates/dkim-milter.service.j2 b/ansible/roles/dkim-milter/templates/dkim-milter.service.j2
new file mode 100644
index 0000000..e2c4827
--- /dev/null
+++ b/ansible/roles/dkim-milter/templates/dkim-milter.service.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=DKIM Milter
+# Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
+After=network-online.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=dkim-milter
+ExecStart=/usr/local/sbin/dkim-milter
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+# schizophrenia
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
+
+# vim: ft=dosini.jinja2:
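Review bot: The `# schizophrenia` comment above `ProtectSystem=full` tells the next maintainer nothing about why that level was chosen or what it constrains; replace it with the reason, e.g. `# /usr and /etc are read-only for the service; the milter only reads its config and keys under /etc/dkim-milter, which the Ansible tasks write.` Given the unit already runs as an unprivileged `User=` with a read-only system, `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectHome=true` would be low-risk companions, assuming the milter needs nothing from /home or a shared /tmp (not visible in this commit). `ExecReload` sends SIGHUP, but whether dkim-milter re-reads its configuration on that signal is not shown here, and the role's reload handler currently restarts the service instead, so the line is untested as written.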
diff --git a/ansible/roles/dkim-milter/vars/main.yml b/ansible/roles/dkim-milter/vars/main.yml
new file mode 100644
index 0000000..81cfa1b
--- /dev/null
+++ b/ansible/roles/dkim-milter/vars/main.yml
@@ -0,0 +1,10 @@
+---
+dkim_milter_domains:
+ - pydis.wtf
+ - pydis.com
+ - pythondiscord.com
+ - owlcorp.uk
+dkim_milter_extra_signings:
+ - domain: int.pydis.wtf
+ use_key: pydis.wtf
+dkim_milter_selector: lovelace
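Review bot: Role `vars/main.yml` sits above inventory and play vars in Ansible's precedence order, so the domain list, extra signings and selector defined here cannot be overridden per host or group without editing the role; if these are site configuration rather than role constants, `defaults/main.yml` or `group_vars` for the `mail` group is the conventional home. The selector value is also coupled to DNS: the public key must be published at `<selector>._domainkey.<domain>` for every listed domain, so a one-line comment such as `# Must match the <selector>._domainkey TXT records published for each domain; changing it requires new DNS records.` would save a future reader from rotating it casually.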