Diffstat (limited to 'ansible/roles')
| -rw-r--r-- | ansible/roles/opendkim/handlers/main.yml | 5 | ||||
| -rw-r--r-- | ansible/roles/opendkim/tasks/main.yml | 95 | ||||
| -rw-r--r-- | ansible/roles/opendkim/templates/opendkim.conf.j2 | 27 | ||||
| -rw-r--r-- | ansible/roles/opendkim/vars/main.yml | 6 | 
4 files changed, 133 insertions, 0 deletions
|
diff --git a/ansible/roles/opendkim/handlers/main.yml b/ansible/roles/opendkim/handlers/main.yml
new file mode 100644
index 0000000..b68de05
--- /dev/null
+++ b/ansible/roles/opendkim/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Reload OpenDKIM
+  service:
+    name: opendkim
+    state: reloaded
diff --git a/ansible/roles/opendkim/tasks/main.yml b/ansible/roles/opendkim/tasks/main.yml
new file mode 100644
index 0000000..640f0d8
--- /dev/null
+++ b/ansible/roles/opendkim/tasks/main.yml
@@ -0,0 +1,95 @@
+---
+- name: Install OpenDKIM
+  package:
+    name:
+      - opendkim
+      - opendkim-tools
+    state: present
+  tags:
+    - role::opendkim
+
+- name: Re-own OpenDKIM key directory
+  file:
+    state: directory
+    owner: opendkim
+    group: opendkim
+    mode: "0700"
+    path: "/etc/dkimkeys"
+  tags:
+    - role::opendkim
+
+- name: Create key directories
+  file:
+    state: directory
+    owner: opendkim
+    group: opendkim
+    mode: "0700"
+    path: "/etc/dkimkeys/{{ item }}"
+  with_items:
+    - "{{ opendkim_domains }}"
+  tags:
+    - role::opendkim
+
+- name: Generate OpenDKIM keys
+  become: true
+  become_user: opendkim
+  command: |
+    opendkim-genkey -D /etc/dkimkeys/{{ item }} -d {{ item }} -s {{ opendkim_selector }}
+  with_items:
+    - "{{ opendkim_domains }}"
+  args:
+    creates: /etc/dkimkeys/{{ item }}/{{ opendkim_selector }}.private
+  tags:
+    - role::opendkim
+
+- name: Template OpenDKIM configuration file
+  template:
+    src: opendkim.conf.j2
+    dest: /etc/opendkim.conf
+    mode: "0644"
+    owner: opendkim
+    group: opendkim
+  tags:
+    - role::opendkim
+  notify:
+    - Reload OpenDKIM
+
+- name: Create OpenDKIM key & signing table directory
+  file:
+    state: directory
+    owner: opendkim
+    group: opendkim
+    mode: "0755"
+    path: "/etc/opendkim"
+  tags:
+    - role::opendkim
+
+- name: Create OpenDKIM KeyTable
+  copy:
+    content: |
+      {% for item in opendkim_domains %}
+      {{ item }} {{ item }}:{{ opendkim_selector }}:/etc/dkimkeys/{{ item }}/{{ opendkim_selector}}.private
+      {% endfor %}
+    dest: /etc/opendkim/keytable
+    owner: opendkim
+    group: opendkim
+    mode: "0644"
+  tags:
+    - role::opendkim
+  notify:
+    - Reload OpenDKIM
+
+- name: Create OpenDKIM SigningTable
+  copy:
+    content: |
+      {% for item in opendkim_domains %}
+      *@{{ item }} {{ item }}
+      {% endfor %}
+    dest: /etc/opendkim/signingtable
+    owner: opendkim
+    group: opendkim
+    mode: "0644"
+  tags:
+    - role::opendkim
+  notify:
+    - Reload OpenDKIM
diff --git a/ansible/roles/opendkim/templates/opendkim.conf.j2 b/ansible/roles/opendkim/templates/opendkim.conf.j2
new file mode 100644
index 0000000..cb42d76
--- /dev/null
+++ b/ansible/roles/opendkim/templates/opendkim.conf.j2
@@ -0,0 +1,27 @@
+# Ansible Managed
+
+# Common signing and verification parameters. In Debian, the "From" header is
+# oversigned, because it is often the identity key used by reputation systems
+# and thus somewhat security sensitive.
+Canonicalization        relaxed/simple
+#Mode                   sv
+#SubDomains             no
+OversignHeaders         From
+
+# Configure which keys reference which private key on the filesystem and which
+# key we use for each domain
+KeyTable /etc/opendkim/keytable
+SigningTable refile:/etc/opendkim/signingtable
+
+# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
+# using a local socket with MTAs that access the socket as a non-privileged
+# user (for example, Postfix). You may need to add user "postfix" to group
+# "opendkim" in that case.
+UserID                  opendkim
+UMask                   007
+
+Socket                 inet:8891@localhost
+
+PidFile                 /run/opendkim/opendkim.pid
+
+TrustAnchorFile         /usr/share/dns/root.key
diff --git a/ansible/roles/opendkim/vars/main.yml b/ansible/roles/opendkim/vars/main.yml
new file mode 100644
index 0000000..34aa51c
--- /dev/null
+++ b/ansible/roles/opendkim/vars/main.yml
@@ -0,0 +1,6 @@
+---
+opendkim_domains:
+  - pydis.wtf
+  - pydis.com
+  - pythondiscord.com
+opendkim_selector: lovelace
|
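Review bot: The "Generate OpenDKIM keys" task lets `opendkim-genkey` choose the key size, so the strength of the signing key depends on whichever default the installed version ships with (older releases defaulted to 1024-bit RSA, which many receivers now treat as weak); pass it explicitly, e.g. `opendkim-genkey -b 2048 -D /etc/dkimkeys/{{ item }} -d {{ item }} -s {{ opendkim_selector }}`. Because `creates` skips the task once the `.private` file exists, a later change to the key size or to `opendkim_selector` will not regenerate existing keys, which deserves a comment above the task such as `# Keys are generated once; rotate by removing the .private file or changing the selector.`. Separately, the KeyTable content uses `{{ opendkim_selector}}` (no space before `}}`) while every other expression in the file is written `{{ ... }}`; it renders the same but should match the rest.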
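Review bot: The comment above `UMask 007` describes a local (UNIX) socket shared with a non-privileged MTA, but the template then sets `Socket inet:8891@localhost`, so the explanation does not describe what this configuration does and a reader may look for a socket file that is never created. Either trim the comment to what applies here, e.g. `# OpenDKIM listens on a loopback TCP socket; no socket-file permissions to manage.`, or keep the Debian note but state explicitly that the local-socket case is not the one in use. The `Socket` line is also aligned one column short of the other directives (`UserID`, `UMask`, `PidFile`), which is cosmetic but stands out in a file that otherwise aligns its values.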
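Review bot: `opendkim_domains` and `opendkim_selector` are defined in `vars/main.yml`, where role vars take precedence over inventory and group_vars, so a play cannot supply a different domain list or selector for another environment without `-e`. If these are meant to be per-deployment settings rather than role constants, they belong in `defaults/main.yml`, with `vars/` reserved for values the role itself relies on. As written, the hard-coded domains also tie the role to this single deployment.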
