author | 2025-04-20 19:32:22 +0200 | |
---|---|---|
committer | 2025-04-27 10:22:50 +0200 | |
commit | fed57b48c33487f7e2ac294b9aa0cc42f8220994 (patch) | |
tree | 8240ce4fd16de1dc0a22487346a82cb58b8d411b | |
parent | Update poetry (diff) |
Set up new dkim milternew-dkim-milter
The existing `opendkim` milter is no longer maintained.
This commit introduces a role which deploys `dkim-milter`.
As-is, it is not a complete replacement, since the role does not (yet)
migrate keys of the old `opendkim` setup.
-rw-r--r-- | ansible/playbook.yml | 2 | ||||
-rw-r--r-- | ansible/roles/dkim-milter/handlers/main.yml | 14 | ||||
-rw-r--r-- | ansible/roles/dkim-milter/tasks/main.yml | 148 | ||||
-rw-r--r-- | ansible/roles/dkim-milter/templates/dkim-milter.conf.j2 | 2 | ||||
-rw-r--r-- | ansible/roles/dkim-milter/templates/dkim-milter.service.j2 | 21 | ||||
-rw-r--r-- | ansible/roles/dkim-milter/vars/main.yml | 10 |
6 files changed, 196 insertions, 1 deletions
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 976752e..375e2d5 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -21,7 +21,7 @@
 - name: Deploy mailservers
 hosts: mail
 roles:
- - opendkim
+ - dkim-milter
 - opendmarc
 - opendmarc-inbox
 - sasl
diff --git a/ansible/roles/dkim-milter/handlers/main.yml b/ansible/roles/dkim-milter/handlers/main.yml
new file mode 100644
index 0000000..680b6a6
--- /dev/null
+++ b/ansible/roles/dkim-milter/handlers/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Reload dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: restarted
+ tags:
+ - role::dkim-milter
+
+- name: Restart dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: restarted
+ tags:
+ - role::dkim-milter
diff --git a/ansible/roles/dkim-milter/tasks/main.yml b/ansible/roles/dkim-milter/tasks/main.yml
new file mode 100644
index 0000000..071e018
--- /dev/null
+++ b/ansible/roles/dkim-milter/tasks/main.yml
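Review bot: The `Reload dkim-milter` handler uses `state: restarted`, which makes it indistinguishable from `Restart dkim-milter` even though the unit template in this commit defines an `ExecReload`. If the config and key tasks that notify it are meant to use the HUP path, change it to `state: reloaded` (assuming dkim-milter re-reads its configuration on SIGHUP, which I cannot confirm from the diff); otherwise one of the two handlers is redundant and the notify lists in tasks/main.yml could point at a single one. A one-line comment stating why two handlers exist would help the next reader either way.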
@@ -0,0 +1,148 @@
+---
+- name: Install opendkim-tools
+ # Used currently to generate keys. Could theoretically replace this with dkimdo
+ # https://codeberg.org/glts/dkimdo
+ ansible.builtin.package:
+ name: opendkim-tools
+ state: present
+ tags:
+ - role::dkim-milter
+
+- name: Pull dkim-milter AppImage from Uncle Christ
+ ansible.builtin.get_url:
+ checksum: sha256:{{ dkim_milter_package_root }}/sha256sums.txt
+ url: "{{ dkim_milter_package_root }}/dkim-milter"
+ dest: /usr/local/sbin/dkim-milter
+ owner: root
+ group: root
+ mode: 0o755
+ vars:
+ dkim_milter_version: 0.2.0-alpha.1
+ uncle_christ_package_root: https://git.jchri.st/api/packages/jc/generic
+ dkim_milter_package_root: "{{ uncle_christ_package_root }}/dkim-milter/{{ dkim_milter_version }}"
+ tags:
+ - role::dkim-milter
+ # https://codeberg.org/forgejo/forgejo/issues/6871
+ when:
+ - not ansible_check_mode
+
+- name: Create dkim-milter user
+ ansible.builtin.user:
+ name: dkim-milter
+ home: /var/lib/dkim-milter
+ group: dkim-milter
+ create_home: false
+ system: true
+ shell: /usr/sbin/nologin
+ tags:
+ - role::dkim-milter
+
+- name: Create dkim-milter directory
+ ansible.builtin.file:
+ path: /etc/dkim-milter
+ state: directory
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o700
+ tags:
+ - role::dkim-milter
+
+- name: Create dkim-milter keys directory
+ ansible.builtin.file:
+ path: /etc/dkim-milter/keys
+ state: directory
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o700
+ tags:
+ - role::dkim-milter
+
+- name: Template dkim-milter configuration file
+ ansible.builtin.template:
+ src: dkim-milter.conf.j2
+ dest: /etc/dkim-milter/dkim-milter.conf
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template signing-keys file
+ ansible.builtin.copy:
+ content: |
+ {% for domain in dkim_milter_domains %}
+ {% set keyname = (domain | replace(".", "_")) %}
+ {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem
+ {% endfor %}
+ {% for item in dkim_milter_extra_signings %}
+ {% set keyname = (item['domain'] | replace(".", "_")) %}
+ {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem
+ {% endfor %}
+ dest: /etc/dkim-milter/signing-keys
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template signing-senders file
+ ansible.builtin.copy:
+ content: |
+ # Sender expression Domain Selector Key name
+ {% for domain in dkim_milter_domains %}
+ {% set keyname = (domain | replace(".", "_")) %}
+ .{{ domain }} {{ domain }} {{ dkim_milter_selector }} {{ keyname }}
+ {% endfor %}
+ {% for item in dkim_milter_extra_signings %}
+ {% set keyname = (item['use_key'] | replace(".", "_")) %}
+ {% set domain = item['domain'] %}
+ .{{ domain }} {{ domain }} {{ dkim_milter_selector }} {{ keyname }}
+ {% endfor %}
+ dest: /etc/dkim-milter/signing-senders
+ owner: dkim-milter
+ group: dkim-milter
+ mode: 0o400
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Generate dkim keys
+ become: true
+ become_user: dkim-milter
+ ansible.builtin.command: |
+ opendkim-genkey -D /etc/dkim-milter/keys/{{ item }} -d {{ item }} -s {{ dkim_milter_selector }}
+ with_items:
+ - "{{ dkim_milter_domains }}"
+ args:
+ creates: /etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.private
+ notify:
+ - Reload dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Template systemd service
+ ansible.builtin.template:
+ src: dkim-milter.service.j2
+ dest: /etc/systemd/system/dkim-milter.service
+ owner: root
+ group: root
+ mode: 0o444
+ register: dkim_milter_service
+ notify:
+ - Restart dkim-milter
+ tags:
+ - role::dkim-milter
+
+- name: Start and enable dkim-milter
+ ansible.builtin.service:
+ name: dkim-milter.service
+ state: started
+ enabled: true
+ daemon_reload: "{{ dkim_milter_service is changed }}"
+ tags:
+ - role::dkim-milter
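Review bot: The signing-keys content written by `Template signing-keys file` points each key at `/etc/dkim-milter/keys/{{ keyname }}.pem` (dots replaced by underscores), but `Generate dkim keys` produces `/etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.private` per that task's own `creates:`, and nothing in this role links or copies the generated key to the `.pem` path, so unless that happens outside the role the milter will not find any key. A second mismatch: the extra-signings loop in signing-keys derives `keyname` from `item['domain']` (giving `int_pydis_wtf`) while signing-senders uses `item['use_key']` (`pydis_wtf`), so signing-keys names a key that is never generated; use `{% set keyname = (item['use_key'] | replace(".", "_")) %}` in both loops, or drop that loop since `pydis.wtf` is already listed under `dkim_milter_domains`. It is also worth a comment on the get_url task that the `sha256sums.txt` referenced by `checksum:` is served from the same origin as the binary, so it only catches a corrupted download, not a tampered release; a digest pinned in vars or a signature check would be needed for that.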
diff --git a/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2 b/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
new file mode 100644
index 0000000..69b3230
--- /dev/null
+++ b/ansible/roles/dkim-milter/templates/dkim-milter.conf.j2
@@ -0,0 +1,2 @@
+signing_keys = </etc/dkim-milter/signing-keys
+signing_senders = </etc/dkim-milter/signing-senders
diff --git a/ansible/roles/dkim-milter/templates/dkim-milter.service.j2 b/ansible/roles/dkim-milter/templates/dkim-milter.service.j2
new file mode 100644
index 0000000..e2c4827
--- /dev/null
+++ b/ansible/roles/dkim-milter/templates/dkim-milter.service.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=DKIM Milter
+# Documentation=man:dkim-milter(8) man:dkim-milter.conf(5)
+After=network-online.target nss-lookup.target
+Wants=network-online.target
+
+[Service]
+User=dkim-milter
+ExecStart=/usr/local/sbin/dkim-milter
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+
+# schizophrenia
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
+
+# vim: ft=dosini.jinja2:
diff --git a/ansible/roles/dkim-milter/vars/main.yml b/ansible/roles/dkim-milter/vars/main.yml
new file mode 100644
index 0000000..81cfa1b
--- /dev/null
+++ b/ansible/roles/dkim-milter/vars/main.yml
@@ -0,0 +1,10 @@
+---
+dkim_milter_domains:
+ - pydis.wtf
+ - pydis.com
+ - pythondiscord.com
+ - owlcorp.uk
+dkim_milter_extra_signings:
+ - domain: int.pydis.wtf
+ use_key: pydis.wtf
+dkim_milter_selector: lovelace |
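Review bot: The `# schizophrenia` comment above `ProtectSystem=full` tells the next maintainer nothing; replace it with the actual reason, e.g. `# /usr, /boot and /etc become read-only for the service; the milter only reads /etc/dkim-milter`. Since the unit already drops to `User=dkim-milter`, the usual companion directives `NoNewPrivileges=true`, `ProtectHome=true` and `PrivateTmp=true` would cost nothing for a process that only reads its config and keys (add `RuntimeDirectory=dkim-milter` if it needs a socket under /run, which the diff does not show). Whether `ExecReload` via SIGHUP actually makes dkim-milter re-read its keys is not verifiable from this diff and deserves a comment once confirmed.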
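Review bot: Role `vars/main.yml` takes precedence over inventory and host/group vars, so the domain list, extra signings and selector defined here cannot be overridden per host without editing the role. If that is not intended, move these three keys to `defaults/main.yml` and keep `vars/` for values that are genuinely fixed.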