authorGravatar Joe Banks <[email protected]>2024-07-30 00:17:11 +0100
committerGravatar Joe Banks <[email protected]>2024-07-31 13:25:55 +0100
commit5da6f20ae82d938269c4eff0ecd89f96c0ffd9b7 (patch)
tree353e1fec849491cf418dae38da82837f2214eb3f /ansible
parentdkim: add documentation on opendkim role (diff)
dmarc: add opendmarc role
Diffstat (limited to 'ansible')
-rw-r--r--ansible/playbook.yml1
-rw-r--r--ansible/roles/opendmarc/handlers/main.yml5
-rw-r--r--ansible/roles/opendmarc/tasks/main.yml30
-rw-r--r--ansible/roles/opendmarc/templates/opendmarc.conf.j233
-rw-r--r--ansible/roles/opendmarc/vars/main.yml5
5 files changed, 74 insertions, 0 deletions
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index d9e855e..2b33539 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -21,6 +21,7 @@
hosts: mail
roles:
- opendkim
+ - opendmarc
- postfix
- name: Deploy our monitoring stack
diff --git a/ansible/roles/opendmarc/handlers/main.yml b/ansible/roles/opendmarc/handlers/main.yml
new file mode 100644
index 0000000..4fe66b7
--- /dev/null
+++ b/ansible/roles/opendmarc/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload OpenDMARC
+ service:
+ name: opendmarc
+ state: reloaded
diff --git a/ansible/roles/opendmarc/tasks/main.yml b/ansible/roles/opendmarc/tasks/main.yml
new file mode 100644
index 0000000..f236b4d
--- /dev/null
+++ b/ansible/roles/opendmarc/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Install OpenDMARC
+ package:
+ name:
+ - opendmarc
+ state: present
+ tags:
+ - role::opendmarc
+
+- name: Create spool location for OpenDMARC aggregation
+ file:
+ state: directory
+ path: /var/spool/opendmarc
+ owner: opendmarc
+ group: opendmarc
+ mode: "0700"
+ tags:
+ - role::opendmarc
+
+- name: Template OpenDMARC configuration
+ template:
+ src: opendmarc.conf.j2
+ dest: /etc/opendmarc.conf
+ mode: "0644"
+ owner: root
+ group: root
+ tags:
+ - role::opendmarc
+ notify:
+ - Reload OpenDMARC
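Review bot: Nothing in this task list ensures the opendmarc service is enabled and running; the only thing that touches service state is the `Reload OpenDMARC` handler, and that only fires when the template changes. On a freshly provisioned host the milter may therefore be installed and configured but not started (or not started at boot), and what Postfix then does with mail depends on its milter settings, which are outside this diff. Add an explicit task after the template task, in the same tagged style as the others, so the running state is declared rather than assumed.
```yaml
# … unchanged: install, spool directory, template tasks …
- name: Enable and start OpenDMARC
  service:
    name: opendmarc
    enabled: true
    state: started
  tags:
    - role::opendmarc
```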
diff --git a/ansible/roles/opendmarc/templates/opendmarc.conf.j2 b/ansible/roles/opendmarc/templates/opendmarc.conf.j2
new file mode 100644
index 0000000..de26eea
--- /dev/null
+++ b/ansible/roles/opendmarc/templates/opendmarc.conf.j2
@@ -0,0 +1,33 @@
+# Server name to identify to others with in generated reports
+AuthservID {{ opendmarc_authserv_id }}
+
+# Copy failed messages to this address for investigation
+CopyFailuresTo {{ opendmarc_failures }}
+
+# Generate failure reports
+FailureReports true
+FailureReportsBcc {{ opendmarc_failure_reports }}
+FailureReportsOnNone true
+FailureReportsSentBy {{ opendmarc_failure_reports_from }}
+
+HistoryFile /var/spool/opendmarc/opendmarc.dat
+IgnoreAuthenticatedClients true
+
+# If needed in future
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+RejectFailures false
+ReportCommand /usr/sbin/sendmail -t
+RequiredHeaders true
+Socket inet:8893@localhost
+SoftwareHeader true
+SPFIgnoreResults false
+TrustedAuthservIDs HOSTNAME
+PidFile /run/opendmarc/opendmarc.pid
+
+PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
+
+TrustedAuthservIDs HOSTNAME
+
+UMask 0002
+UserID opendmarc
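Review bot: `TrustedAuthservIDs HOSTNAME` is declared twice in this template (once after `SoftwareHeader true`, again after `PublicSuffixList`); drop the second copy so the trusted list is defined in one place. Whether the HOSTNAME keyword matches what the opendkim role writes into its Authentication-Results header cannot be checked from this diff — if that role sets its own AuthservID, the same value has to be listed here or OpenDMARC will treat the DKIM verdict as absent. `RejectFailures false` leaves the milter in monitor-only mode, so a sender domain's `p=reject` is evaluated but not enforced at this hop; if that is deliberate, a comment such as `# Monitor-only: DMARC policy is evaluated but never enforced; flip to true once reports look clean` saves the next reader from assuming the opposite. Finally, `FailureReports true` together with `FailureReportsOnNone true` emails per-message failure reports, which include message headers, to whatever `ruf=` address a sender's DMARC record names, so this setting turns inbound mail into outbound reports to third parties and deserves an explicit comment stating that this is intended.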
diff --git a/ansible/roles/opendmarc/vars/main.yml b/ansible/roles/opendmarc/vars/main.yml
new file mode 100644
index 0000000..a6072e8
--- /dev/null
+++ b/ansible/roles/opendmarc/vars/main.yml
@@ -0,0 +1,5 @@
+---
+opendmarc_failures: "[email protected]"
+opendmarc_failure_reports: "[email protected]"
+opendmarc_failure_reports_from: "[email protected]"
+opendmarc_authserv_id: "PyDisDMARC"
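Review bot: These four values live in the role's `vars/main.yml`, which in Ansible's precedence order sits above inventory host and group vars, so an operator cannot override the report addresses or the authserv-id per host without editing the role itself. Unless they are meant to be fixed constants, move the same keys and values to `roles/opendmarc/defaults/main.yml` so that a `group_vars` or `host_vars` entry wins. The mailbox addresses are not legible in this rendering, so their correctness cannot be checked here.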