Move and adapt opendkim configuration to own role

README.md

@@ -1 +1,13 @@
-## ansible-role-opendkim_postfix
+## ansible-role-XXXX
+
+Work in progress...
+
+# Requirements
+
+# Installation
+
+# Usage
+
+# Credits
+
+Antonio J. Delgado 2022 https://gitlab.com/antoniodelgado

defaults/main.yml

@@ -0,0 +1,2 @@
+---
+create_ovh_dns_entry: true

handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Reload postfix
+  service:
+    name: postfix
+    state: restarted
+
+- name: Restart OpenDKIM service
+  service:
+    name: opendkim
+    state: restart

meta/main.yml

@@ -0,0 +1,22 @@
+---
+galaxy_info:
+  author: Antonio J. Delgado (ajdelgado)
+  description: TODO - Description
+
+#  issue_tracker_url: https://github.com/uoi-io/ansible-galera/issues
+
+  license: GPLv3
+
+  min_ansible_version: "2.0"
+
+  github_branch: master
+
+  platforms:
+  - name: Ubuntu
+    versions:
+    - focal
+    - jammy
+
+  galaxy_tags: []# TODO
+
+dependencies: []

tasks/configure.yml

@@ -0,0 +1,151 @@
+---
+- name: Find opendkim-genkey command
+  shell: which opendkim-genkey | true
+  register: which_result
+
+- name: Find opendkim-genkey command using whereis
+  shell: "whereis opendkim-genkey | awk 'BEGIN {FS=\": \"} {print($2)}'"
+  register: which_result
+  when: which_result.stdout == ""
+
+- name: Fail if opendkim-genkey is not found
+  fail:
+  when: which_result.stdout == ""
+
+- name: Set command for opendkim-genkey
+  set_fact:
+    opendkim_genkey_cmd: "{{ which_result.stdout }}"
+
+- name: Generate DKIM keys
+  shell: "{{opendkim_genkey_cmd }} -D /etc/dkimkeys --domain={{ item }} --selector={{ item }}"
+  args:
+    creates: "/etc/dkimkeys/{{ item }}.txt"
+  loop: "{{ mail_domains }}"
+  notify: Restart OpenDKIM service
+
+- name: Configure OpenDKIM mode to sv
+  lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^Mode '
+    line: 'Mode                    sv'
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure OpenDKIM Socket
+  lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^Socket '
+    line: 'Socket                  inet:8891@127.0.0.1'
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure OpenDKIM domains
+  lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^Domain '
+    line: "Domain                  {{ domains|join(',') }}"
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure OpenDKIM key file
+  lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^KeyFile '
+    line: "KeyFile                  /etc/dkimkeys/{{ domains[0] }}.private"
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure OpenDKIM selector
+  lineinfile:
+    path: /etc/opendkim.conf
+    regexp: '^Selector '
+    line: 'Selector                  ""'
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Enable opendkim service
+  service:
+    name: opendkim
+    state: restarted
+    enabled: true
+  notify: Restart OpenDKIM service
+
+- name: Ensure opendkim folder exists
+  file:
+    path: /etc/opendkim
+    state: directory
+    owner: root
+    group: opendkim
+    mode: 0770
+
+- name: Configure keytable for OpenDKIM
+  template:
+    src: templates/keytable.j2
+    dest: /etc/opendkim/keytable
+    owner: root
+    group: opendkim
+    mode: '0550'
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure signingtable for OpenDKIM
+  template:
+    src: templates/signingtable.j2
+    dest: /etc/opendkim/signingtable
+    owner: root
+    group: opendkim
+    mode: '0550'
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure TrustedHosts for OpenDKIM
+  template:
+    src: templates/TrustedHosts.j2
+    dest: /etc/opendkim/TrustedHosts
+    owner: root
+    group: opendkim
+    mode: '0550'
+    backup: true
+  notify: Restart OpenDKIM service
+
+- name: Configure milter default action
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^milter_default_action '
+    line: 'milter_default_action  = accept'
+    backup: yes
+  notify:
+    - Reload postfix
+
+- name: Configure milter protocol
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^milter_protocol '
+    line: 'milter_protocol   = 2'
+    backup: yes
+  notify:
+    - Reload postfix
+
+- name: Configure OpenDKIM smtpd milters
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^smtpd_milters '
+    line: 'smtpd_milters = inet:127.0.0.1:8891'
+    backup: yes
+  notify:
+    - Reload postfix
+
+- name: Configure OpenDKIM non smtpd milters
+  lineinfile:
+    path: /etc/postfix/main.cf
+    regexp: '^non_smtpd_milters '
+    line: 'non_smtpd_milters = inet:127.0.0.1:8891'
+    backup: yes
+  notify:
+    - Reload postfix
+
+- name: Ensure opendkim service is started and enabled
+  service:
+    name: opendkim
+    state: started
+    enabled: true

tasks/configure_ovh.yml

@@ -0,0 +1,31 @@
+---
+- name: Get DKIM key
+  slurp:
+    src: "/etc/dkimkeys/{{ item }}.txt"
+  register: key_file
+  loop: "{{ mail_domains }}"
+
+- name: Show key files
+  debug:
+    var: key_file
+
+- name: Extract key from file content
+  set_fact:
+    dkim_key: "{{ key_file['content'] | b64decode | regex_replace('^.*\"(.*)\"$', '\\1') }}"
+
+- name: Show record content
+  debug:
+    var: dkim_key
+
+- name: Add DKIM key record for domain
+  synthesio.ovh.domain:
+    domain: "{{ item }}"
+    value: "{{ dkim_key }}"
+    record_type: "TXT"
+    name: '_domainkey'
+    record_ttl: 10
+    append: true
+  loop: "{{ mail_domains }}"
+  when:
+    - "'.local' not in item"
+    - item | regex_findall('\.') | length < 2

tasks/install.yml

@@ -0,0 +1,6 @@
+---
+- name: Ensure OpenDKIM software is present
+  package:
+    name:
+      - opendkim
+      - opendkim-tools

tasks/main.yml

@@ -0,0 +1,10 @@
+---
+- name: Ensure installation of OpenDKIM
+  include_tasks: install.yml
+
+- name: Ensure configuration of OpenDKIM
+  include_tasks: configure.yml
+
+- name: Ensure configuration of OVH record
+  include_tasks: configure_ovh.yml
+  when: create_ovh_dns_entry

templates/TrustedHosts.j2

@@ -0,0 +1,5 @@
+127.0.0.1
+::1
+{% for ip in mail_own_networks %}
+{{ ip }}
+{% endfor %} 

templates/keytable.j2

@@ -0,0 +1,3 @@
+{% for domain in mail_domains %}
+  mail._domainkey.{{ domain }} {{ domain }}:mail:/etc/opendkim/{{ domain }}.private
+{% endfor %}

templates/signingtable.j2

@@ -0,0 +1,3 @@
+{% for domain in mail_domains %}
+  *@{{ domain }} mail._domainkey.{{ domain }}
+{% endfor %}